Wednesday, March 30, 2011

Update: Volatility printkey Plugin

You don't have to use the printkey plugin I released to get brute-force action. It has been incorporated into the Volatility SVN (thanks to Mike Auty :-)).

So by default you don't have to issue an offset anymore:


$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA
And keys from multiple hives will also appear with a separator:


$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:23

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:53

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600

Friday, March 25, 2011

Modified Volatility printkey Plugin

As a lot of you already know, Volatility has some pretty cool registry plugins. You can use hivescan to look for registry hives (CMHIVE), hivelist to locate virtual and physical addresses of registry hives and printkey to print out keys for a specified hive, whose virtual address is found from hivelist.

In Volatility 1.3, you had to specify the CMHIVE offset (obtained from hivescan) for hivelist in order to get the virtual address of a hive to use with printkey. In Volatility 1.4, hivelist inherits hivescan and obtains the CMHIVE offsets itself, removing one extra step and making things easier for the user.

We still have to provide a virtual address (obtained by hivelist) to printkey in order to print a key from a particular registry. Suppose you don't know which registry contains the key, or you are a little clumsy about which offset you gave printkey, or maybe you want the same key from multiple hives (like all users for example). Well, I know I've personally had some of these issues and I'm sure others have as well ;-)

Recently I modified printkey to include a "brute-force" option to try to obtain a particular key from all hives and thought I'd share this in case anyone else might find it useful. The idea works similar to how hivelist was written to inherit from hivescan; printkey inherits hivelist and can obtain the offsets for all hives if run in brute-force mode. It also retains the previous usage so you can specify an offset.

Let's see some examples. Suppose we want to get the computer name from this image. How do we get that? Normally you first have to get a list of registry hives:


$ python vol.py -f ds_fuzz_hidden_proc.img hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual Physical Name
0xe1ada008 0x0b46c008 \Device\HarddiskVolume1\Documents and Settings\moyix\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1ad0880 0x0b339880 \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
0xe1ac09e8 0x0b21b9e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a9f008 0x0b28b008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1797a60 0x0951da60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1790820 0x0960f820 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1534820 0x032a9820 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1536820 0x032ab820 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe14771f8 0x07fc91f8 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1482008 0x07f93008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13725b8 0x0241d5b8 [no name]
0xe1018388 0x02200388 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008b60 0x020c4b60 [no name]
0x80670a8c 0x00670a8c [no name]


From the SYSTEM registry we need this key: ControlSet001\Control\ComputerName\ComputerName. We find the hive's virtual offset in the hivelist output and specify it on the command line along with the key:


$ python vol.py -f ds_fuzz_hidden_proc.img printkey -o 0xe1018388 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA
Nice. Ok, suppose you didn't know you needed to get this information from the SYSTEM registry. You can use the brute-force option (-b):

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -b -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of S-1-5-21-725345543-1292428093-2147272213-1003_Classes
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of S-1-5-19_Classes
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of S-1-5-20_Classes
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of SECURITY
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of SAM
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of HARDWARE
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA

WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of REGISTRY
Hrmmmm.... notice that you get a lot of debug warnings in addition to the correct output for this key. This is because normally you would want to know if the key is not found, and as each hive is queried for the key, the failed attempts appear in the output. In this case, however, we know the key won't be found in every hive, so we don't care about these warnings. You could comment out the piece of code in volatility/win32/rawreg.py that emits this warning, or you could use another plugin supplied by Mike Auty called disablewarnings.py. This plugin is located in the "contrib/plugins" folder when you first download Volatility from the Google SVN. In order to use it, you must first move it to your plugins directory. So from the Volatility root folder do the following:


$ mv contrib/plugins/disablewarnings.py volatility/plugins


Now we can run the printkey plugin with the brute-force option and disable the debug statements with two extra switches, -d -W:


$ python vol.py -f ds_fuzz_hidden_proc.img printkey -b -d -W -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA
Want to see output from multiple hives? Let's look at the Software\Microsoft\Windows NT\CurrentVersion\WinLogon key from user hives:


$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'Software\Microsoft\Windows NT\CurrentVersion\WinLogon' -b -d -W
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:53

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:23

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Notice that the output is also slightly different, since printkey now specifies which hive it got the information from (Registry: [Path]).
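
When the same key is pulled from every hive this way, it helps to turn the text into records you can compare. The following is an added Python example (not part of this post or of Volatility) that splits brute-force printkey output into one record per "Registry:" block and reports the values that differ between hives; the embedded sample is a constructed, trimmed copy of the output format above, with an invented Shell value in one hive so the comparison has something to find.

```python
import re

# Constructed sample in the brute-force printkey output format shown in the post.
# Trimmed to two hives; the 'Shell' value in the second hive is invented.
PRINTKEY_SAMPLE = """\
----------------------------
Registry: \\Device\\HarddiskVolume1\\Documents and Settings\\moyix\\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52
Values:
REG_SZ ParseAutoexec : (S) 1
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ Shell : (S) explorer.exe
REG_DWORD BuildNumber : (S) 2600
"""
# "REG_SZ ComputerName : (S) GINEVRA" -> type, name, stability flag, data
VALUE_ROW = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\((S|V)\)\s*(.*)$")

def parse_printkey(text):
    """One record per 'Registry:' block; warnings, legend and separators are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Registry: "):
            cur = {"hive": line[10:], "key": None, "last_updated": None, "values": {}}
            records.append(cur)
        elif cur is None:          # anything before the first hive block (warnings)
            continue
        elif line.startswith("Key name: "):
            cur["key"] = line[10:].rsplit(" (", 1)[0]   # drop the " (S)" suffix
        elif line.startswith("Last updated: "):
            cur["last_updated"] = line[14:]
        elif m := VALUE_ROW.match(line):
            cur["values"][m.group(2)] = (m.group(1), m.group(4))
    return records

def differing_values(records):
    """{value_name: {hive: data}} for values whose data or presence is not identical across hives."""
    names = {n for r in records for n in r["values"]}
    diffs = {}
    for name in sorted(names):
        per_hive = {r["hive"]: r["values"].get(name, (None, None))[1] for r in records}
        if len(set(per_hive.values())) > 1:
            diffs[name] = per_hive
    return diffs
```

Feed it the saved output of a `printkey -b -d -W` run and the result is a quick per-user view of, say, the Winlogon key, with only the entries that deviate from the others listed.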

Update: this modification is now in the SVN; see here.

Tuesday, March 22, 2011

John Jay Center for Cybercrime Studies Talk: 3/29/11 2PM

There's an upcoming talk at The Center for Cybercrime Studies, John Jay College of Criminal Justice next week (Tuesday March 29th, 2011 2:00 PM) that may interest some of you in the NYC area:


Cyber Criminals: Who are they? Why are they successful? How do we respond?

Kim Peretti

Director, Forensic Services Practices
PricewaterhouseCoopers LLP

Formerly Senior Counsel
US Dept. of Justice, Criminal Division
Computer Crime and Intellectual Property Section

This session will walk through recent prosecutions of sophisticated hacking rings in order to provide insight into the individuals behind these types of crimes and why they are successful. This presentation will also discuss the emerging area of cyber forensics and methods by which entities can better prevent, detect, and respond to cyber attacks on their systems.


Events will take place at
John Jay College of Criminal Justice
899 Tenth Avenue
Room 630T, Haaren Hall

(between 58th and 59th Streets.)
RSVP to Nicole Daniels (ndaniels@jjay.cuny.edu: 212.237.8920).

Volatility 1.4 get_plugins Script

For those who can't wait for the official release of 1.4: I've updated the Volatility Full Dev Installation Wiki to include installation on Linux.

In case you want to automate installation you can use the new get_plugins script. I've only tested it on Mac OSX and Ubuntu, but it should still install the dependencies and Volatility 1.4 on other Linux distributions (provided that you already have supporting libraries like libpcre installed). Feel free to look at the code before running it, however :-)

Caveat: There is still an issue with the Distorm3 library on Mac OSX and you'll have to compile and install that one manually.