Rekall Forensics Documentation, Release 1.7.2
The Rekall Team
Jan 29, 2018

Contents:

1 EFilter - A query language for Rekall
  1.1 What is EFilter
  1.2 Describing Plugins
  1.3 Operator rules
  1.4 Plugin arguments
  1.5 EFilter functions
  1.6 Examples
2 Plugin Reference
  2.1 Memory
  2.2 Live
  2.3 Filesystem
  2.4 General
3 Indices and tables

# 1 EFilter - A query language for Rekall
The Rekall framework is plugin based. This is what makes it so extensible. Developers can add many different plugins to implement different analysis techniques and produce different data. Historically, plugins had no restriction over the type of output they produced. While some plugins put thought into producing structured output, others produced output which was only usable by humans, since it was largely unstructured. As the needs for automation increased, it soon became obvious that plugin output needs to be machine parseable in some way.

For example, consider the humble pslist (APIPslist) plugin - a simple plugin which just displays the list of running processes in tabular form. Initially this plugin produced a number of columns such as process name, pid etc. Some users required the binary path, and that was added. Then some users required restricting the listed processes by various means, such as a list of pids, a process name regular expression, start time etc. Then some users wanted to combine the output from several plugins in some way. For example, show all the vad regions from the "chrome" process.

It soon became obvious that we could not just keep adding more and more flags to each plugin to control the way the plugin worked. The same kind of filtering was repeated in many plugins (e.g. filter by process names) and it was difficult to anticipate how users would like to combine plugins in the future.

We wanted to create a mechanism that gave users control over which results they wanted to see, how to filter the output and how to combine the output from several plugins together. The idea of building a framework to facilitate arbitrary queries was born. We chose to model the query language after SQL, which is widely understood, and this is how EFilter was born.
## 1.1 What is EFilter

EFilter is an SQL-like query language for combining, filtering and customizing the output of Rekall plugins. Just like in SQL, EFilter queries are used to generate a customized output; however, unlike a database query, EFilter runs Rekall plugins to generate data dynamically, rather than looking at stored data.

Let's look at a simple EFilter query:

```
select proc.name, pid from pslist() where pid > 4
```

This query contains three main parts:

1. The pslist() plugin will be executed and produce a set of rows. Each row contains several columns.
2. The filter condition follows the "where" operator and specifies a condition. EFilter will evaluate the condition on each row emitted from the plugin and only matching rows will be displayed.
3. The output is then produced in two columns which are derived from each emitted row.
## 1.2 Describing Plugins

In order for EFilter to work, each plugin must produce structured output in a specified format. We have seen before that plugins produce a sequence of rows, with each row having several columns. Each cell is a specific type of object.

Let us examine the pslist() plugin again. To get information about each plugin's output we can use the describe (Describe) plugin:

```
[1] Live (API) 16:18:50> describe pslist, max_depth=1
Field                          Type
proc                           LiveProcess
. as_dict                      method
. cmdline                      list
. connections                  list
. cpu_affinity                 list
. cpu_percent                  float
. cpu_times                    pcputimes
. create_time                  float
. cwd                          str
. environ                      dict
. exe                          str
. get_process_address_space    method
. gids                         pgids
Name                           str
pid                            int
ppid                           int
Thds                           int
wow64                          bool
start                          UnixTimeStamp
```

In the above example, we see that the plugin generates a Name column with a type of string, pid and ppid columns which are integers, as well as a more complex type, such as a UnixTimeStamp. We can also see the field proc which is of type LiveProcess. This more complex type is like a python dictionary itself, and contains multiple members.

Note: In Rekall each plugin is free to produce any output - the output types of each plugin are not defined in advance (since they might change depending on the profile, OS version etc). Therefore it is difficult to predict in advance what each column will contain. The describe plugin therefore needs to actually run the plugin, and it inspects the output of the first row produced. While this works most of the time, it is often not possible to get a sensible result without supplying proper arguments. For example, consider the glob (IRGlob) plugin. When run with no arguments it does not produce any results (since there is nothing to glob). Therefore describe (Describe) will produce incorrect results.

To solve this predicament it is possible to run the describe() plugin with the args parameter, which should be a python dict of parameters to be passed to the plugin. This way the plugin may be run with reasonable parameters and produce reasonable results.

We can apply operators on the cells emitted by a specific plugin to generate the desired output. For example, suppose we wanted to show the command line for each running process. We can see the proc object contains a cmdline field, and so we can simply issue:

```
select proc.name, proc.cmdline from pslist()
```

Note that the cmdline is a list (it is the process's argv), and so Rekall will display it as such using the special list annotation:

```
[1] Live (API) 16:32:48> select proc.name, proc.cmdline from pslist() where proc.name =~ "rekall"
cmdline                                   name
- 0: /home/mic/projects/Dev/bin/python3   rekall
- 1: /home/mic/projects/Dev/bin/rekall
- 2: -v
- 3: --live
- 4: API
```
## 1.3 Operator rules

EFilter is type aware and will try to do the right thing with each type if it makes sense. When the user applies an operator on a type, the operator will attempt to do something sensible (or else it will just return None). The operator should never raise an error.

For example, consider the =~ operator, which means a regular expression match. When we apply this operator on a single string, we expect that it matches that string:

```
select * from pslist() where proc.name =~ "rekall"
```

If however we apply this operator on a list, we expect the row to match if any of the list items matches:

```
select * from pslist() where proc.cmdline =~ "--live"
```

Note that it is not an error to try to apply a regular expression to a non-string - it simply will never match. Therefore the following query will always return the empty set, since an integer can never match a regular expression:

```
select * from pslist() where proc.pid =~ "foobar"
```
## 1.4 Plugin arguments

In the queries above we just ran the pslist plugin with no arguments. Most Rekall plugins, however, take some form of arguments. We can see the arguments that a plugin takes by consulting the plugin documentation or by appending "?" to the name of the plugin in the console:

```
[1] Live (API) 21:12:35> pslist?
file:    rekall-core/rekall/plugins/response/processes.py
Plugin:  APIPslist (pslist):

This is a Typed Plugin.

Positional Args:
  pids: One or more pids of processes to select. (type: ArrayIntParser)

Keyword Args:
  profile: Name of the profile to load. This is the filename of the profile found in the
           profiles directory. Profiles are searched in the profile path order (If specified
           we disable autodetection).
  proc_regex: A regex to select a process by name. (type: RegEx)
  verbosity: An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
           (type: IntParser)
```

It is possible to feed the result of an EFilter query into the parameters of another plugin. Here is a trivial example:

```
[1] Live (API) 21:19:53> select * from pslist(pids: (select pid from pslist() where proc.name =~ "rekall"))
proc           Name    pid   ppid  Thds  Hnds  wow64  start                  binary
rekall (7826)  rekall  7826  7746  10    5     False  2018-01-27 05:12:20Z   /home/mic/projects/Dev/bin/python3
```

Note the following about the subselect syntax:

1. Argument names are provided to the plugin with the ":" operator. This assigns the output of the sub-select as a list into the parameter.
2. The subselect must yield a single column. If the subselect yields more than one column, it is not clear which column should be assigned to the plugin parameter and Rekall will issue an error:

```
[1] Live (API) 21:19:43> select * from pslist(pids: (select * from pslist() where proc.name =~ "rekall"))
2018-01-26 21:19:43,526:CRITICAL:rekall.1:Invalid Args: pids invalid: Arg pids must be a list of integers.
```

3. The arg assignment operator tries to convert the subselect column into the type required by the parameter. This means that if the parameter expects an integer then the subselect should yield something which is convertible to an integer:

```
[1] Live (API) 21:26:02> select * from pslist(pids: (select proc.name from pslist() where proc.name =~ "rekall"))
2018-01-26 21:26:02,643:CRITICAL:rekall.1:Invalid Args: pids invalid: invalid literal for int() with base 10: 'rekall'.
```
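The two rules just described (the type-aware =~ operator of section 1.3 and the sub-select argument binding of section 1.4) are small enough to model directly. The following is an added example written for this page, not Rekall's or EFilter's own code: it uses plain Python dicts in the shape of the pslist() rows shown above instead of real plugins, models =~ as a regular-expression search (an assumption about EFilter's exact matching semantics), and the function names (regex_match, bind_list_arg, binding_error and friends) and the sample rows in PSLIST are all constructed for illustration.

```python
"""Added example (not Rekall's own code): a tiny model of two EFilter rules.

  1. Type-aware regex match (section 1.3): "=~" on a string matches the
     string, on a list matches if any element matches, and on anything else
     (int, None, ...) never matches and never raises.
  2. Sub-select argument binding (section 1.4): a sub-select feeding a
     plugin argument must yield exactly one column, and each value must be
     convertible to the argument's declared type, otherwise an
     InvalidArgs error is raised.
"""
import re


class InvalidArgs(ValueError):
    """Raised when a sub-select cannot be bound to a plugin argument."""


def regex_match(value, pattern):
    """EFilter-style '=~': never raises, always returns True or False."""
    rx = re.compile(pattern)
    if isinstance(value, str):
        return rx.search(value) is not None
    if isinstance(value, (list, tuple)):
        # A list matches if any item matches; non-string items contribute
        # "no match" rather than an error.
        return any(regex_match(item, pattern) for item in value)
    # Integers, None, arbitrary objects: a regex can never match these.
    return False


def where(rows, predicate):
    """Apply a where-clause predicate to each emitted row."""
    return [row for row in rows if predicate(row)]


def bind_list_arg(subselect_rows, item_type, arg_name="pids"):
    """Bind the output of a sub-select to a list-typed plugin argument.

    subselect_rows is a list of dicts (one dict per row, keyed by column).
    Exactly one column is required; each value is converted with item_type
    (e.g. int), mirroring the two CRITICAL errors shown in section 1.4."""
    values = []
    for row in subselect_rows:
        if len(row) != 1:
            raise InvalidArgs("Arg %s must be a list of integers." % arg_name)
        (value,) = row.values()
        try:
            values.append(item_type(value))
        except (TypeError, ValueError) as e:
            raise InvalidArgs("%s invalid: %s" % (arg_name, e))
    return values


def binding_error(subselect_rows, item_type):
    """Return the InvalidArgs message for a sub-select, or None if it binds."""
    try:
        bind_list_arg(subselect_rows, item_type)
    except InvalidArgs as e:
        return str(e)
    return None


# Constructed sample rows in the shape of pslist() output (proc.name,
# proc.pid, proc.cmdline); these are not real process listings.
PSLIST = [
    {"proc": {"name": "rekall", "pid": 7826,
              "cmdline": ["/usr/bin/python3", "/usr/bin/rekall", "-v", "--live", "API"]}},
    {"proc": {"name": "bash", "pid": 7746, "cmdline": ["bash"]}},
    {"proc": {"name": "sshd", "pid": 4, "cmdline": ["/usr/sbin/sshd", "-D"]}},
]


def pids_matching_name(rows, pattern):
    """select proc.pid from pslist() where proc.name =~ pattern"""
    return [r["proc"]["pid"] for r in
            where(rows, lambda r: regex_match(r["proc"]["name"], pattern))]


def pids_matching_cmdline(rows, pattern):
    """select proc.pid from pslist() where proc.cmdline =~ pattern (list match)"""
    return [r["proc"]["pid"] for r in
            where(rows, lambda r: regex_match(r["proc"]["cmdline"], pattern))]


def pids_matching_pid_regex(rows, pattern):
    """select proc.pid from pslist() where proc.pid =~ pattern (always empty)"""
    return [r["proc"]["pid"] for r in
            where(rows, lambda r: regex_match(r["proc"]["pid"], pattern))]


if __name__ == "__main__":
    print(pids_matching_name(PSLIST, "rekall"))        # [7826]
    print(pids_matching_cmdline(PSLIST, "--live"))     # [7826]
    print(pids_matching_pid_regex(PSLIST, "foobar"))   # []
    print(bind_list_arg([{"pid": 7826}], int))         # [7826]
    # Multi-column and non-integer sub-selects are rejected, not coerced.
    print(binding_error([{"proc": {}, "pid": 7826}], int))
    print(binding_error([{"name": "rekall"}], int))
```

The point of never raising inside regex_match is the one the text makes: a where clause is evaluated against every row, and a single row carrying an unexpected type must not abort the whole query. Argument binding is the opposite case, where a wrong type is a mistake in the query itself and should fail loudly before the plugin runs.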
## 1.5 EFilter functions

We have seen that EFilter offers operators to work on columns. In this section we see some of the more common functions and operators the language provides.

### 1.5.1 timestamp

The timestamp function converts its argument into a timestamp object. This allows Rekall to operate on the timestamp in a timezone aware way, compare it to other times etc.
## 1.6 Examples

The following are example queries which demonstrate how some plugins may be strung together to achieve powerful combinations.

### 1.6.1 Finding processes launched by a certain user

Rekall has the tokens (GetSIDs) plugin which displays all the authorization tokens possessed by each process. Rekall also automatically resolves the token's SID to a username.

```
[1] hank.aff4 22:54:29> tokens()
Process                         Sid                 Comment
------------------------------- ------------------- ----------------------
0xfa8000c9e040 System       4   S-1-5-18            Local System
0xfa8000c9e040 System       4   S-1-5-32-544        Administrators
0xfa8000c9e040 System       4   S-1-1-0             Everyone
0xfa8000c9e040 System       4   S-1-5-11            Authenticated Users
0xfa8000c9e040 System       4   S-1-16-16384        System Mandatory Level
```

Let's see all the processes started by "jessie":

```
[1] hank.aff4 22:56:14> select * from tokens() where Comment =~ 'User: jessie'
Process                              Sid                                             Comment
0xfa8002418440 regsvr32.exe    884  S-1-5-21-4270721788-567995706-2532315982-1003   User: jessie
0xfa8001417720 explorer.exe   1512  S-1-5-21-4270721788-567995706-2532315982-1003   User: jessie
0xfa8000f95b30 VBoxTray.exe   1964  S-1-5-21-4270721788-567995706-2532315982-1003   User: jessie
0xfa8000fdc780 miranda64.exe  2208  S-1-5-21-4270721788-567995706-2532315982-1003   User: jessie
0xfa80022e2230 dwm.exe        2520  S-1-5-21-4270721788-567995706-2532315982-1003   User: jessie
0xfa8000f7d1b0 taskhost.exe   2596  S-1-5-21-4270721788-567995706-2532315982-1003   User: jessie
0xfa8002376060 taskhost.exe   2848  S-1-5-21-4270721788-567995706-2532315982-1003   User: jessie
```

Let's view each process creation time and its full command line. The Process column is not simply a string. It is a full blown Rekall object which represents the kernel's _EPROCESS struct. We can therefore dereference individual members of _EPROCESS and retrieve additional information.

```
[1] hank.aff4 22:59:13> select Process, Process.CreateTime, Comment, Process.Peb.ProcessParameters.CommandLine from tokens() where Comment =~ 'User: jessie'
Process                              CreateTime              Comment        CommandLine
0xfa8002418440 regsvr32.exe    884  2015-08-10 02:00:45Z    User: jessie
0xfa8001417720 explorer.exe   1512  2015-08-10 02:00:41Z    User: jessie   C:\Windows\Explorer.EXE
0xfa8000f95b30 VBoxTray.exe   1964  2015-08-10 02:01:05Z    User: jessie   "C:\Windows\System32\VBoxTray.exe"
0xfa8000fdc780 miranda64.exe  2208  2015-08-10 02:01:37Z    User: jessie   "C:\Program Files (x86)\Miranda IM\miranda64.exe"
0xfa80022e2230 dwm.exe        2520  2015-08-10 02:00:41Z    User: jessie   "C:\Windows\system32\Dwm.exe"
0xfa8000f7d1b0 taskhost.exe   2596  2015-08-10 02:13:51Z    User: jessie   "taskhost.exe"
0xfa8002376060 taskhost.exe   2848  2015-08-10 02:00:40Z    User: jessie   "taskhost.exe"
```
### 1.6.2 Find files modified in the last 2 days

When Rekall is run in live mode, it can examine files on the local filesystem. This is useful for incident response situations. One of the more useful plugins available in live mode is the glob (IRGlob) plugin, which enumerates files on the local filesystem based on one or more glob expressions (similar to the shell glob). According to the plugin documentation, we see that the plugin accepts a repeated parameter called "globs" for all the glob expressions.

Let's see all the files in the /etc/ directory:

```
[1] Live (API) 23:49:05> select * from glob(globs: "/etc/*")
path
/etc/papersize
/etc/logrotate.d
/etc/mime.types
/etc/kbd
```

Although the output appears to only contain a single column ("path"), we can see that the path is actually an object which contains a lot of information about each file.

```
[1] Live (API) 00:16:03> describe glob, args=dict(globs=["/etc/*"])
Field                 Type
path                  FileInformation
. filename            FileSpec
. . filesystem        str
. . name              str
. . path_sep          str
. session             -
. st_atime            float
. st_ctime            float
. st_dev              int
. st_gid              Group
. . gid               int
. . group_name        str
. . session           NoneType
. st_ino              int
. st_mode             Permissions
. st_mtime            float
. st_nlink            int
. st_size             int
. st_uid              User
. . homedir           str
. . session           NoneType
. . shell             str
. . uid               int
. . username          str
```

In particular we see that path.st_mtime is a float describing the file's modification time:

```
[1] Live (API) 00:29:08> select path.st_mtime, path from glob(globs: "/etc/*")
st_mtime              path
1516590897.1290069    /etc/papersize
1516687780.2982903    /etc/logrotate.d
1446219570.0          /etc/mime.types
```

Since the field is a float, Rekall does not understand that it is actually a timestamp, and therefore we cannot do any time arithmetic on it. We therefore need to explicitly convert the modification time to a timestamp using the timestamp function.

```
[1] Live (API) 00:31:50> select timestamp(path.st_mtime) as mtime, path from glob(globs: "/etc/*") where mtime > "2 days ago"
mtime                   path
2018-01-29 06:11:15Z    /etc/resolv.conf
2018-01-29 06:11:15Z    /etc/timezone
```

1. Note the explicit conversion to a timestamp. This allows Rekall to apply time related operators on this column.
2. The column is aliased as "mtime", which appears as the title of the first column. More importantly, the alias can be used in further calculations (specifically inside the where clause).
3. Note the human readable time specification "2 days ago". Rekall supports such convenient expressions, as well as exactly formatted times.
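The same "modified in the last 2 days" check, as an added example in plain Python rather than Rekall's own code, so the two things the query relies on are visible: st_mtime is a float that must become a timezone-aware datetime before comparison (the job EFilter's timestamp() function does), and "2 days ago" is nothing more than now minus a timedelta. The function names (timestamp, recent_files, demo_directory, demo_recent_names) are mine; the demo builds a constructed temporary directory and back-dates one file with os.utime so it runs offline. Unlike the glob plugin, which returns rich FileInformation objects, this returns only (mtime, path) pairs.

```python
"""Added example (not Rekall's own code): the section 1.6.2 query in Python.

Find files matching a glob whose modification time is newer than a cutoff,
converting the raw float st_mtime into a tz-aware datetime first."""
import glob
import os
import tempfile
from datetime import datetime, timedelta, timezone


def timestamp(epoch_seconds):
    """Equivalent of EFilter's timestamp(): float -> tz-aware UTC datetime."""
    return datetime.fromtimestamp(float(epoch_seconds), tz=timezone.utc)


def recent_files(pattern, newer_than, now=None):
    """Return [(mtime, path), ...] for files matching `pattern` whose
    modification time is after (now - newer_than), newest first.

    pattern:    a shell glob, e.g. "/etc/*" (same meaning as globs: above)
    newer_than: a timedelta, e.g. timedelta(days=2) for "2 days ago"
    now:        override for testing; defaults to the current UTC time"""
    now = now or datetime.now(timezone.utc)
    cutoff = now - newer_than
    hits = []
    for path in glob.glob(pattern):
        try:
            st = os.stat(path)
        except OSError:
            continue  # dangling symlink or a racing delete: skip, don't abort
        mtime = timestamp(st.st_mtime)  # float -> datetime, so '>' is meaningful
        if mtime > cutoff:
            hits.append((mtime, path))
    hits.sort(reverse=True)
    return hits


def demo_directory():
    """Create a constructed sample tree: three files, one back-dated 10 days.

    This stands in for /etc so the example does not depend on the host."""
    root = tempfile.mkdtemp(prefix="rekall_glob_demo_")
    for name in ("resolv.conf", "timezone", "papersize"):
        with open(os.path.join(root, name), "w") as f:
            f.write(name + "\n")
    old = os.path.join(root, "papersize")
    ten_days_ago = (datetime.now(timezone.utc) - timedelta(days=10)).timestamp()
    os.utime(old, (ten_days_ago, ten_days_ago))
    return root


def demo_recent_names(newer_than=timedelta(days=2)):
    """Run recent_files() over the demo tree and return the basenames found."""
    root = demo_directory()
    hits = recent_files(os.path.join(root, "*"), newer_than)
    return sorted(os.path.basename(p) for _, p in hits)


if __name__ == "__main__":
    root = demo_directory()
    for mtime, path in recent_files(os.path.join(root, "*"), timedelta(days=2)):
        print(mtime.strftime("%Y-%m-%d %H:%M:%SZ"), path)
```

Note that on a real incident response box an attacker can set st_mtime to anything with utime, exactly as the demo does, so a recent-modification query narrows the search but does not prove a file was untouched; st_ctime (which ordinary utime calls cannot rewind) and the inode number from the same describe output are worth comparing alongside it.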
# 2 Plugin Reference

## 2.1 Memory

### 2.1.1 Windows

#### analyze_struct (AnalyzeStruct)

A plugin to analyze a memory location.

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| offset | SymbolAddress | A virtual address to analyze. |
| search | IntParser | How far back to search for pool tag. |
| size | IntParser | How many elements to identify. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The Windows kernel allocates memory from "pool space". To ease debugging of memory leaks, the kernel uses a unique "Pool Tag" to tag many allocations. Each kernel subsystem or driver uses a specific tag to keep track of its allocations. We can use this fact when we look at some undocumented, or unknown, memory region. This is what the analyze_struct plugin does:

1. It first searches back from the address of interest to determine if this address is part of a pool allocation. The plugin will report the pool tag of this allocation as well as its size and starting offset.
2. For each slot in the struct, the plugin assumes it is a pointer to something, and checks if whatever it is pointing to is a pool allocation or a known address.

We can use this to get an idea of what exists at this memory location and its struct layout. In the example below, we pick an _EPROCESS from the output of pslist and search for pointers to it somewhere in kernel memory (there are many pointers; we just picked one for this example). We then use the analyze_struct plugin to discover that the pointer resides in an allocation with the pool tag 'ObHd'. We can search the kernel disassembly to realize this is an Object Handle. Note how we use grep to search for the little endian representation of the _EPROCESS address.

```
[1] win7.elf 23:14:38> pslist
_EPROCESS          Name       PID   PPID  Thds  Hnds  Sess  Wow64  Start                    Exit
....
0xfa8002ad0190     cmd.exe    2644  2616  2     66    1     True   2012-10-01 14:40:20Z     -

[1] win7.elf 23:14:55> grep keyword="\x90\x01\xad\x02\x80\xfa"
....
Offset             Data                                   Comment
0xf8a0013d8ad8     6040a90280faffff 0100000000000000
0xf8a0013d8ae8     9001ad0280faffff 0100000000000000
0xf8a0013d8af8     0000000000000000 0000000000000000
...

[1] win7.elf 23:17:20> analyze_struct 0xf8a0013d8ae8
0xf8a0013d8ae8 is inside pool allocation with tag 'ObHd' (0xf8a0013d8a30) and size 0x100

Offset   Content
0x0      Data: 0xfa8002ad0190 Tag: Pro\xe3 @0xfa8002ad0190 (0x530)
0x8      Data: 0x1
0x10     Data: 0x0
0x18     Data: 0x0
0x20     Data: 0x0
0x28     Data: 0x0
0x30     Data: 0xfa80017f9060 Tag: Pro\xe3 @0xfa80017f9060 (0x530)
0x38     Data: 0x1
0x40     Data: 0x730061006c
0x48     Data: 0x744e034d0110
0x50     Data: 0x490053004c
0x58     Data: 0xa4801280702
0x60     Data: 0x981e
0x68     Data: 0x100000000
0x70     Data: 0x0
```
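Two byte-order conversions carry this walkthrough: turning the _EPROCESS address into the little-endian grep keyword, and turning the 4-character pool tag into the 32-bit immediate that the disassembly below shows being passed to ExAllocatePoolWithTag. The following is an added example, not part of Rekall, that does both for any address and any tag; the function names (grep_keyword, tag_to_immediate, immediate_to_tag, is_protected) are mine. It also decodes the 'Pro\xe3' tags reported above: the high bit of a pool tag is the protected-pool flag, so 'Pro\xe3' is 'Proc' with that bit set on its last byte.

```python
"""Added example (not Rekall's own code): byte-order helpers for pool-tag
and pointer hunting, as used in the analyze_struct walkthrough."""
import struct


def le_bytes(value, width=8):
    """Pack value as an unsigned little-endian integer of `width` bytes."""
    fmt = {4: "<I", 8: "<Q"}[width]
    return struct.pack(fmt, value)


def grep_keyword(address, width=8, strip_canonical=True):
    """Return the grep keyword string for a pointer to `address`.

    With strip_canonical, trailing 0xff bytes (the sign-extended upper half
    of a canonical x64 kernel address) and then trailing 0x00 bytes are
    dropped, so 0xfa8002ad0190 and 0xfffffa8002ad0190 both give the same
    six-byte pattern the walkthrough searches for. Pass False to search the
    full pointer width."""
    raw = le_bytes(address & ((1 << (8 * width)) - 1), width)
    if strip_canonical:
        raw = raw.rstrip(b"\xff").rstrip(b"\x00") or raw[:1]
    return "".join("\\x%02x" % b for b in raw)


def tag_to_immediate(tag):
    """'ObHd' -> 0x6448624f (the mov r8d, imm32 just before the call)."""
    if isinstance(tag, str):
        tag = tag.encode("latin-1")
    if len(tag) != 4:
        raise ValueError("pool tags are exactly 4 bytes")
    return struct.unpack("<I", tag)[0]


def is_protected(imm):
    """True if the tag's high bit (the protected-pool flag) is set."""
    return bool(imm & 0x80000000)


def immediate_to_tag(imm):
    """0x6448624f -> 'ObHd'; the reverse lookup for a value found in code.

    The protected-pool bit is masked off so a protected tag still decodes
    to its readable four characters ('Pro\\xe3' -> 'Proc')."""
    return struct.pack("<I", imm & 0x7FFFFFFF).decode("latin-1")


if __name__ == "__main__":
    print(grep_keyword(0xfa8002ad0190))      # \x90\x01\xad\x02\x80\xfa
    print(hex(tag_to_immediate("ObHd")))     # 0x6448624f
    print(immediate_to_tag(0x6448624f))      # ObHd
    # The 'Pro\xe3' tag reported by analyze_struct above:
    proc_tag = tag_to_immediate(b"Pro\xe3")
    print(immediate_to_tag(proc_tag), is_protected(proc_tag))  # Proc True
```

When a grep for a stripped pattern returns too many hits, search with strip_canonical=False instead: the full eight bytes are far more selective, at the cost of missing any 32-bit or truncated copies of the pointer.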
```
[1] win7.elf 23:22:25> hex(struct.unpack("<I", b"ObHd")[0])
'0x6448624f'

[1] win7.elf 23:22:33> dis "nt!ObpInsertHandleCount"
dis("nt!ObpInsertHandleCount")
Address            Rel      Op Codes          Instruction                        Comment
------------------------------ nt!ObpInsertHandleCount ------------------------------: 0xf80002976010
0xf80002976010     0x0      48895c2408        mov qword ptr [rsp+8], rbx
0xf80002976015     0x5      48896c2410        mov qword ptr [rsp+0x10], rbp
....
0xf80002976089     0x79     41b84f624864      mov r8d, 0x6448624f
0xf8000297608f     0x7f     e83cd3e4ff        call 0xf800027c33d0                nt!ExAllocatePoolWithTag
0xf80002976094     0x84     4885c0            test rax, rax
0xf80002976097     0x87     0f84dacd0400      je 0xf800029c2e77                  nt!ExpProfileCreate+0x9d57
0xf8000297609d     0x8d     458bc5            mov r8d, r13d
```

#### atomscan (AtomScan)

Pool scanner for _RTL_ATOM_TABLE

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| sort_by | String | Sort by [offset \| atom \| refcount] |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
#### atoms (Atoms)

Print session and window station atom tables.

From: http://msdn.microsoft.com/en-us/library/windows/desktop/ms649053.aspx

An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.

The global atom table is available to all applications. When an application places a string in the global atom table, the system generates an atom that is unique throughout the system. Any application that has the atom can obtain the string it identifies by querying the global atom table.

(The global atom tables are only global within each session.)

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Using this plugin you can find registered window messages, rogue injected DLL paths, window class names, etc.

Sample output:

```
Offset(P)          Session  WindowStation  Atom    RefCount  HIndex  Pinned  Name
0xf8a002871020     0        WinSta0        0xc001  1         1       True    StdExit
0xf8a002871020     0        WinSta0        0xc002  1         2       True    StdNewDocument
0xf8a002871020     0        WinSta0        0xc003  1         3       True    StdOpenDocument
0xf8a002871020     0        WinSta0        0xc004  1         4       True    StdEditDocument
0xf8a002871020     0        WinSta0        0xc005  1         5       True    StdNewfromTemplate
0xf8a002871020     0        WinSta0        0xc006  1         6       True    StdCloseDocument
0xf8a002871020     0        WinSta0        0xc007  1         7       True    StdShowItem
0xf8a002871020     0        WinSta0        0xc008  1         8       True    StdDoVerbItem
0xf8a002871020     0        WinSta0        0xc009  1         9       True    System
0xf8a002871020     0        WinSta0        0xc00a  1         10      True    OLEsystem
0xf8a002871020     0        WinSta0        0xc00b  1         11      True    StdDocumentName
0xf8a002871020     0        WinSta0        0xc00c  1         12      True    Protocols
0xf8a002871020     0        WinSta0        0xc00d  1         13      True    Topics
0xf8a002871020     0        WinSta0        0xc00e  1         14      True    Formats
0xf8a002871020     0        WinSta0        0xc00f  1         15      True    Status
0xf8a002871020     0        WinSta0        0xc010  1         16      True    EditEnvItems
0xf8a002811020     0                       0xc045  2         69      False   MSUIM.Msg.LBUpdate
0xf8a002811020     0                       0xc046  2         70      False   MSUIM.Msg.MuiMgrDirtyUpdate
0xf8a002811020     0                       0xc047  1         71      False   C:\Windows\system32\wls0wndh.dll
0xf8a002811020     0                       0xc048  27        72      False   {FB8F0821-0164-101B-84ED-08002B2EC713}
0xf8a002811020     0                       0xc049  2         73      False   MMDEVAPI
```

#### callback_scan (CallbackScan)

Print system-wide notification routines by scanning for them.

Note this plugin is quite inefficient - consider using the callbacks plugin instead.

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
#### callbacks (Callbacks)

Enumerate callback routines.

This plugin just enumerates installed callback routines from various sources. It does not scan for them.

This plugin is loosely based on the original Volatility plugin of the same name but much expanded using new information.

Reference:

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The Windows kernel has a facility to register callbacks for certain events. This is often misused by malware in order to gain persistence. The callbacks plugin enumerates these callbacks.

Since Rekall has an address resolver, we can often say more about what exists at each of the callback locations. Normally Rekall only tracks the profile for certain binaries (such as the kernel). In the example below the callbacks plugin resolves the address of kernel symbols precisely, since it has the kernel profile loaded. Other symbols are given approximately as their distance from the nearest export in the module's export table.

Suppose we want to verify what the callback in the "wdf01000" driver is. We can instruct the address resolver to download the profile from the Microsoft symbol server. Once the profile is downloaded, Rekall can determine the exact function name registered (wdf01000!FxpBugCheckCallback).

```
[1] win7.elf 00:59:59> callbacks
callbacks()
Type                                   Offset            Callback          Symbol                                    Details
nt!PspLoadImageNotifyRoutine           0xf8000283e4a0    0xf800029acb68    nt!EtwpTraceLoadImage
nt!PspCreateProcessNotifyRoutine       0xf8000283e720    0xf8000265af28    nt!ViCreateProcessCallback
nt!PspCreateProcessNotifyRoutine       0xf8000283e728    0xf88001211330    ksecdd!AcceptSecurityContext+0x230
nt!PspCreateProcessNotifyRoutine       0xf8000283e730    0xf8800112b910    cng!SystemPrng+0x6a0
nt!PspCreateProcessNotifyRoutine       0xf8000283e738    0xf8800164c390    tcpip!CreateProcessNotifyRoutineEx
nt!PspCreateProcessNotifyRoutine       0xf8000283e740    0xf88000d01b94    ci!CiFreePolicyInfo+0xce84
nt!KeBugCheckCallbackListHead          0xfa80019c3ea0    0xf880014548f0    ndis!NdisGetSharedDataAlignment+0x10      Ndismini
nt!KeBugCheckCallbackListHead          0xfa80019a4ea0    0xf880014548f0    ndis!NdisGetSharedDataAlignment+0x10      Ndismini
nt!KeBugCheckCallbackListHead          0xfa80019a1ea0    0xf880014548f0    ndis!NdisGetSharedDataAlignment+0x10      Ndismini
nt!KeBugCheckCallbackListHead          0xf80002c25400    0xf80002c0eef4    hal!HalQueryMaximumProcessorCount+0x54c   ACPI x64
nt!KeBugCheckReasonCallbackListHead    0xfa80026549f8    0xf88000efd054    wdf01000+0x7a054                          PEAUTH
nt!KeBugCheckReasonCallbackListHead    0xfa8000927f88    0xf88000efd054    wdf01000+0x7a054                          monitor

[1] win7.elf 02:04:35> address_resolver "wdf01000"
address_resolver("wdf01000")
 | Trying to fetch http://msdl.microsoft.com/download/symbols/wdf01000.pdb/99521C1B360441A9A1EAECC9E5087A251/wdf01000.pd_
 Trying to fetch http://msdl.microsoft.com/download/symbols/wdf01000.pdb/99521C1B360441A9A1EAECC9E5087A251/wdf01000.pd_
 Extracting cabinet: /tmp/tmpnOmJvR/wdf01000.pd_
   extracting Wdf01000.pdb
 All done, no errors.
Out <Plugin: address_resolver>

[1] win7.elf 02:05:08> callbacks
callbacks()
Type                                   Offset            Callback          Symbol                                    Details
nt!PspLoadImageNotifyRoutine           0xf8000283e4a0    0xf800029acb68    nt!EtwpTraceLoadImage
nt!PspCreateProcessNotifyRoutine       0xf8000283e720    0xf8000265af28    nt!ViCreateProcessCallback
nt!PspCreateProcessNotifyRoutine       0xf8000283e728    0xf88001211330    ksecdd!AcceptSecurityContext+0x230
nt!PspCreateProcessNotifyRoutine       0xf8000283e730    0xf8800112b910    cng!SystemPrng+0x6a0
nt!PspCreateProcessNotifyRoutine       0xf8000283e738    0xf8800164c390    tcpip!CreateProcessNotifyRoutineEx
nt!PspCreateProcessNotifyRoutine       0xf8000283e740    0xf88000d01b94    ci!CiFreePolicyInfo+0xce84
nt!KeBugCheckCallbackListHead          0xfa80019c3ea0    0xf880014548f0    ndis!NdisGetSharedDataAlignment+0x10      Ndismini
nt!KeBugCheckCallbackListHead          0xfa80019a4ea0    0xf880014548f0    ndis!NdisGetSharedDataAlignment+0x10      Ndismini
nt!KeBugCheckCallbackListHead          0xfa80019a1ea0    0xf880014548f0    ndis!NdisGetSharedDataAlignment+0x10      Ndismini
nt!KeBugCheckCallbackListHead          0xf80002c25400    0xf80002c0eef4    hal!HalQueryMaximumProcessorCount+0x54c   ACPI x64
nt!KeBugCheckReasonCallbackListHead    0xfa80026549f8    0xf88000efd054    wdf01000!FxpBugCheckCallback              PEAUTH
nt!KeBugCheckReasonCallbackListHead    0xfa8000927f88    0xf88000efd054    wdf01000!FxpBugCheckCallback              monitor
nt!KeBugCheckReasonCallbackListHead    0xfa80021f54b0    0xf88003edaf40    mouhid+0x3f40                             mouhid
```

#### certscan (CertYaraScan)

Scan certificates in windows memory regions.
| Argument | Type | Description |
|---|---|---|
| binary_string | String | A binary string (encoded as hex) to search for. e.g. 000102[1-200]0506 |
| context | IntParser | Context to print after the hit. |
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| hits | IntParser | Total number of hits to report. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| pre_context | IntParser | Context to print before the hit. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| string | String | A verbatim string to search for. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
| yara_expression | String | |
| yara_file | String | |

#### check_pehooks (CheckPEHooks)

Checks a PE file mapped into memory for hooks.

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| image_base | SymbolAddress | The base address of the PE image in memory. |
| thorough | Boolean | By default we take some optimizations. This flag forces thorough but slower checks. |
| type | Choice | Type of hook to display. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

#### clipboard (Clipboard)

Extract the contents of the windows clipboard.

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
#### cmdscan (CmdScan)

Extract command history by scanning for _COMMAND_HISTORY

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| max_history | IntParser | Value of history buffer size. See HKEY_CURRENT_USER\Console\HistoryBufferSize for default. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The cmdscan plugin searches the memory of csrss.exe on XP/2003/Vista/2008 and conhost.exe on Windows 7 for commands that attackers entered through a console shell (cmd.exe). This is one of the most powerful commands you can use to gain visibility into an attacker's actions on a victim system, whether they opened cmd.exe through an RDP session or proxied input/output to a command shell from a networked backdoor.

This plugin finds structures known as COMMAND_HISTORY by looking for a known constant value (MaxHistory) and then applying sanity checks. It is important to note that the MaxHistory value can be changed by right clicking in the top left of a cmd.exe window and going to Properties. The value can also be changed for all consoles opened by a given user by modifying the registry key HKCU\Console\HistoryBufferSize. The default is 50 on Windows systems, meaning the most recent 50 commands are saved. You can tweak it if needed by using the --max_history=NUMBER parameter.

The structures used by this plugin are not public (i.e. Microsoft does not produce PDBs for them), thus they're not available in WinDBG or any other forensic framework. They were reverse engineered by Michael Ligh from the conhost.exe and winsrv.dll binaries.

In addition to the commands entered into a shell, this plugin shows:

- The name of the console host process (csrss.exe or conhost.exe)
- The name of the application using the console (whatever process is using cmd.exe)
- The location of the command history buffers, including the current buffer count, last added command, and last displayed command
- The application process handle

Due to the scanning technique this plugin uses, it has the capability to find commands from both active and closed consoles.

##### Notes

This plugin is pretty fragile since it relies on reversed structures in undocumented code. We are working on improving the situation here but there is a moderate chance that it will produce no results or garbage results.

##### Sample Output

The following shows an operator using the winpmem acquisition tool to analyse the live memory of a Windows 7 machine.

```
win7.elf 22:15:39> cmdscan
cmdscan()
CommandProcess: conhost.exe Pid: 2652
CommandHistory: 0x7ea40 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd  Address          Text
0    0x00000005ea70   cd \Users\a\Desktop
1    0x00000005b920   winpmem_1.1-write.exe -w -l
2    0x0000000b3e70   vol.exe --profile Win7SP1x64 --file \\.\pmem
15   0x000000040158
16   0x00000007d3b0

CommandProcess: conhost.exe Pid: 2652
CommandHistory: 0xb40c0 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd4
Cmd  Address          Text
0    0x0000001f77e0
3    0x000000060ef0
5    0x0000001f77e0
8    0x000000060ef0
10   0x0000001f77e0
13   0x0000ffd96238
14   0x00000007ec20
15   0x0000001f7720
23   0x0000000610a0
24   0x0000000974e0

CommandProcess: conhost.exe Pid: 2652
CommandHistory: 0xb4410 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd8
Cmd  Address          Text
```

#### connscan (ConnScan)

Scan physical memory for _TCPT_OBJECT objects (tcp connections)
| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Similar to the [connections](Connections.html) plugin, this plugin searches for _TCP_OBJECT structs. However, it employs pool scanning techniques.

##### Notes

1. This plugin only works on versions of Windows prior to Win7.
2. Since the plugin may recover freed pool memory, the data may have been overwritten. This might produce garbage results for terminated connections.

##### Sample output

Note the nonsensical connection for local address 3.0.48.2 and the incorrect pid number below.

```
xp-laptop-2005-06-25.img 23:00:29> connscan
connscan()
Offset(P)    Local Address        Remote Address         Pid
0x01370e70   192.168.2.7:1115     207.126.123.29:80      1916
0x01ed1a50   3.0.48.2:17985       66.179.81.245:20084    4287933200
0x01f0e358   192.168.2.7:1164     66.179.81.247:80       944
0x01f11e70   192.168.2.7:1082     205.161.7.134:80       2392
0x01f35cd0   192.168.2.7:1086     199.239.137.200:80     1916
0x01f88e70   192.168.2.7:1162     170.224.8.51:80        1916
0x020869b0   127.0.0.1:1055       127.0.0.1:1056         2160
```

#### connections (Connections)

Print list of open connections [Windows XP Only]

This module enumerates the active connections from tcpip.sys.

Note that if you are using a hibernated image this might not work because Windows closes all sockets before hibernating. You might find it more effective to run connscan instead.
Active TCP connections are found in a hash table. The hash table is given by the _TCBTable symbol. The size of the hash table is found in the _MaxHashTableSize variable.

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Prior to Windows 7, the Windows TCP/IP stack uses objects of type _TCP_OBJECT to track TCP endpoints. These are the objects parsed by this module, hence this module will only be available on images from Windows XP. This module walks the _TCP_OBJECT hash tables and displays information related to the TCP endpoints.

##### Notes

1. This plugin depends on exported debugging symbols, and therefore requires the correct tcpip profile to be loaded from the profile repository. See the [FAQ](/faq.html#profile) if you need to generate a profile.
2. For later versions of Windows use the [netscan](Netscan.html) or the [netstat](Netstat.html) modules.

##### Sample output

```
xp-laptop-2005-06-25.img 23:00:24> connections
connections()
Offset(V)    Local Address        Remote Address         Pid
0x820869b0   127.0.0.1:1055       127.0.0.1:1056         2160
0xffa2baf0   127.0.0.1:1056       127.0.0.1:1055         2160
0x8220c008   192.168.2.7:1077     64.62.243.144:80       2392
0x81f11e70   192.168.2.7:1082     205.161.7.134:80       2392
0x8220d6b8   192.168.2.7:1066     199.239.137.200:80     2392
```

#### consolescan (ConsoleScan)

Extract command history by scanning for _CONSOLE_INFORMATION

| Argument | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| history_buffers | IntParser | Value of history buffer size. See HKEY_CURRENT_USER\Console\HistoryBufferSize for default. |
| max_history | IntParser | Value of history buffer size. See HKEY_CURRENT_USER\Console\HistoryBufferSize for default. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## consoles (Consoles)

Enumerate command consoles.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Similar to [cmdscan](CmdScan.html), the consoles plugin finds commands that attackers typed into cmd.exe or executed via backdoors. However, instead of scanning for COMMAND_HISTORY, this plugin scans for CONSOLE_INFORMATION. The major advantage of this plugin is that it not only prints the commands attackers typed, but collects the entire screen buffer (input and output). For instance, instead of just seeing "dir", you'll see exactly what the attacker saw, including all files and directories listed by the "dir" command.

Additionally, this plugin prints the following:

- The original console window title and current console window title
- The name and pid of attached processes (walks a LIST_ENTRY to enumerate all of them if more than one)
- Any aliases associated with the commands executed. For example, attackers can register an alias such that typing "hello" actually executes "cd system"
- The screen coordinates of the cmd.exe console.

### Notes

This plugin is pretty fragile since it relies on reversed structures in undocumented code. We are working on improving the situation here, but there is a moderate chance that it will produce no results or garbage results.

### Sample Output

```
win7.elf 22:23:10> consoles
ConsoleProcess: conhost.exe Pid: 2652
Console: 0xffd96200 CommandHistorySize: 50
HistoryBufferCount: 4 HistoryBufferMax: 4
OriginalTitle: Console2 command window
Title: Administrator: Console2 command window - vol.exe --profile Win7SP1x64 --file \\.\pmem
AttachedProcess: vol.exe Pid: 2920 Handle: 0xd8
AttachedProcess: vol.exe Pid: 2912 Handle: 0xd4
AttachedProcess: cmd.exe Pid: 2644 Handle: 0x5c
----
CommandHistory: 0xb4410 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd8
----
CommandHistory: 0xb40c0 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd4
----
CommandHistory: 0xb3ee0 Application: winpmem_1.1-write.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x7ea40 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 at 0x5ea70: cd \Users\a\Desktop
Cmd #1 at 0x5b920: winpmem_1.1-write.exe -w -l
Cmd #2 at 0xb3e70: vol.exe --profile Win7SP1x64 --file \\.\pmem
----
Screen 0x60ef0 X:117 Y:500
Dump:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd \Users\a\Desktop

C:\Users\a\Desktop>winpmem_1.1-write.exe -w -l
Will enable write mode
Loaded Driver.

C:\Users\a\Desktop>vol.exe --profile Win7SP1x64 --file \\.\pmem
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.12.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

The Volatility Memory Forensic Framework technology preview (3.0_tp2).

NOTE: This is pre-release software and is provided for evauation only.
Please check at http://volatility.googlecode.com/ for officially supported versions.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License.

Win7SP1x64:pmem 07:41:08> pslist
                          pslist()
  Offset (V)   Name          PID  PPID Thds Hnds Sess   Wow64 Start                    Exit
0xfa80008959e0 System          4     0   85  502 ------ False 2012-10-01 21:39:51      -
0xfa8001994310 smss.exe      272     4    2   29 ------ False 2012-10-01 21:39:51      -
```

## dlldump (DLLDump)

Dump DLLs from a process address space

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| out_fd | String | A file like object to write the output. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| regex | RegEx | A regular expression for selecting the dlls to dump. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command. All the usual process selectors are supported. Additionally, a regular expression can be specified for the DLL name to dump.

### Note

1. In order to dump any PE file from memory we need the PE header to be memory resident. Often this is not the case, and the header is flushed out of virtual memory. In this case it is still possible to dump parts of the PE image using the [vaddump](VADDump.html) plugin.
2. When dumping any binary from memory, it is not usually a perfect binary (i.e. you cannot just run it). This is because the Import Address Table (IAT) reflects the patched version in memory and some pages may be missing. The resultant binary is probably only useful for analysis with a tool like IDA Pro.
### Sample output

```
win8.1.raw 14:51:37> dlldump proc_regex="winpmem", dump_dir="/tmp/"
              dlldump(proc_regex="winpmem", dump_dir="/tmp/")
_EPROCESS      Name           Base           Module            Dump File
0xe0000204a900 winpmem_1.5.2. 0x000000020000 winpmem_1.5.2.exe module.2628.3d04a900.20000.winpmem_1.5.2.exe
0xe0000204a900 winpmem_1.5.2. 0x7ff87f320000 ntdll.dll         module.2628.3d04a900.7ff87f320000.ntdll.dll
0xe0000204a900 winpmem_1.5.2. 0x000076f50000 wow64.dll         module.2628.3d04a900.76f50000.wow64.dll
0xe0000204a900 winpmem_1.5.2. 0x000076fa0000 wow64win.dll      module.2628.3d04a900.76fa0000.wow64win.dll
0xe0000204a900 winpmem_1.5.2. 0x000077010000 wow64cpu.dll      module.2628.3d04a900.77010000.wow64cpu.dll
```

## dtbscan (DTBScan)

Scans the physical memory for DTB values. This plugin can compare the DTBs found against the list of known processes to find hidden processes.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | Stop scanning after this many mb. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The PFN database can be used to resolve a physical address to its virtual address in the process address space. Since processes must have unique page tables, and therefore a unique DTB, we can enumerate all unique page tables on the system. Using this technique allows us to locate hidden processes. We simply check each physical page and locate its DTB (or page table directory base) offset. We then match the DTB to a known process DTB. If the DTB is not known, this is a strong indication that the process is hidden.
### Sample output

```
win8.1.raw 16:23:50> dtbscan
              dtbscan()
DTB            VAddr          _EPROCESS      Image Name       Known
0x0000001a7000 0xf6fb7dbed000 0xe00000074580 System           True
0x0000118a3000 0xf6fb7dbed000 0xe00002073900 explorer.exe     True
0x00000923e000 0xf6fb7dbed000 0xe000020ea900 svchost.exe      True
0x000036ea3000 0xf6fb7dbed000 0xe000006208c0 taskhost.exe     True
0x000004c01000 0xf6fb7dbed000 0xe000000ce080 wininit.exe      True
0x00000d0a4000 0xf6fb7dbed000 0xe000022c6900 MsMpEng.exe      True
0x0000093c4000 0xf6fb7dbed000 0xe000020df080 svchost.exe      True
0x0000348c6000 0xf6fb7dbed000 0xe00001e2f700 dwm.exe          True
0x000011504000 0xf6fb7dbed000 0xe000007a3080 svchost.exe      True
0x000007c94000 0xf6fb7dbed000 0xe00001f22080 cmd.exe          True
0x00002fe03000 0xf6fb7dbed000 0xe00002043900 conhost.exe      True
0x00002f8ce000 0xf6fb7dbed000 0xe00001299900 SearchIndexer.   True
0x0000207b9000 0xf6fb7dbed000 0xe00002645080 VBoxTray.exe     True
```

## devicetree (DeviceTree)

Show device tree.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
Windows uses a layered driver architecture, or driver chain, so that multiple drivers can inspect or respond to an IRP. Rootkits often insert drivers (or devices) into this chain for filtering purposes (to hide files, hide network connections, steal keystrokes or mouse movements). The devicetree plugin shows the relationship of a driver object to its devices (by walking _DRIVER_OBJECT.DeviceObject.NextDevice) and any attached devices (_DRIVER_OBJECT.DeviceObject.AttachedDevice).

### Notes

In the current implementation this plugin uses scanning methods to locate the driver and device objects. This is an inefficient method which is also susceptible to false positives and active subversion. We are working on converting this plugin to use the [object_tree](ObjectTree.html) plugin to directly parse kernel driver structures.

### Sample output

```
[snip]
DRV 0x2bb31060 \Driver\winpmem
---| DEV 0xfa80019ba060 pmem FILE_DEVICE_UNKNOWN
DRV 0x2bb36600 \Driver\TermDD
---| DEV 0xfa80019ff040 - FILE_DEVICE_8042_PORT
------| ATT 0xfa80019ff980 - - \Driver\mouclass FILE_DEVICE_MOUSE
---| DEV 0xfa80019e2040 - FILE_DEVICE_8042_PORT
------| ATT 0xfa80019e2960 - - \Driver\kbdclass FILE_DEVICE_KEYBOARD
[snip]
```

In the above we can see that the winpmem driver has a device called "pmem". We can also see the mouse and keyboard drivers attached to the terminal services driver.

## driverirp (DriverIrp)

Driver IRP hook detection

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| regex | RegEx | Analyze drivers matching REGEX |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
Windows drivers export a table of functions called the IRP Major Function table. In that table, the driver installs function handlers to handle various types of requests from user space. A common way to hook a legitimate driver is to replace these function pointers with a malicious function.

Many drivers forward their IRP functions to other drivers for legitimate purposes, so detecting hooked IRP functions based on containing modules is not a good method. Instead, we print everything and let you be the judge. The command also checks for inline hooks of IRP functions and optionally prints a disassembly of the instructions at the IRP address (pass --verbosity to enable this). This command outputs information for all drivers, unless you specify a regular expression filter.

### Notes

In the current implementation this plugin uses scanning methods to locate the driver and device objects. This is an inefficient method which is also susceptible to false positives and active subversion. We are working on converting this plugin to use the [object_tree](ObjectTree.html) plugin to directly parse kernel driver structures.

### Sample output

In the below we see that the pmem driver handles the IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_READ and IRP_MJ_DEVICE_CONTROL IRP types.

```
win8.1.raw 16:15:36> driverirp regex="pmem"
              driverirp(regex="pmem")
DriverName: pmem
DriverStart: 0xf800025ca000
DriverSize: 0x10000
DriverStartIo: 0x0
-  Func Name                        Func Addr      Module
0  IRP_MJ_CREATE                    0xf800025cb210 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
1  IRP_MJ_CREATE_NAMED_PIPE         0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
2  IRP_MJ_CLOSE                     0xf800025cb270 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
3  IRP_MJ_READ                      0xf800025cbfa0 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
4  IRP_MJ_WRITE                     0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
5  IRP_MJ_QUERY_INFORMATION         0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
6  IRP_MJ_SET_INFORMATION           0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
7  IRP_MJ_QUERY_EA                  0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
8  IRP_MJ_SET_EA                    0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
9  IRP_MJ_FLUSH_BUFFERS             0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
10 IRP_MJ_QUERY_VOLUME_INFORMATION  0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
11 IRP_MJ_SET_VOLUME_INFORMATION    0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
12 IRP_MJ_DIRECTORY_CONTROL         0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
13 IRP_MJ_FILE_SYSTEM_CONTROL       0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
14 IRP_MJ_DEVICE_CONTROL            0xf800025cb300 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
15 IRP_MJ_INTERNAL_DEVICE_CONTROL   0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
16 IRP_MJ_SHUTDOWN                  0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
17 IRP_MJ_LOCK_CONTROL              0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
18 IRP_MJ_CLEANUP                   0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
19 IRP_MJ_CREATE_MAILSLOT           0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
20 IRP_MJ_QUERY_SECURITY            0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
21 IRP_MJ_SET_SECURITY              0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
22 IRP_MJ_POWER                     0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
23 IRP_MJ_SYSTEM_CONTROL            0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
24 IRP_MJ_DEVICE_CHANGE             0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
25 IRP_MJ_QUERY_QUOTA               0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
26 IRP_MJ_SET_QUOTA                 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
27 IRP_MJ_PNP                       0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
```
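The module attribution behind the Module column above, as an added example that is not Rekall's code: each MajorFunction slot is placed in the loaded image whose range contains its handler and labelled so an analyst can review forwarded and unattributed slots first. The pmem start, size and handler addresses are taken from the sample output; the ntoskrnl range and the second, tampered table are constructed.

```python
"""Attribute each IRP dispatch slot to a loaded kernel module (driverirp triage aid).

Added example, not Rekall code. Only the pmem driver's start, size and four
handler addresses come from the sample output; every other value is constructed.
"""
from collections import namedtuple

# Slot order of _DRIVER_OBJECT.MajorFunction[] (IRP_MJ_* indices 0..27).
IRP_MJ_NAMES = [
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
]

Module = namedtuple("Module", "name base size")      # one loaded kernel image
Slot = namedtuple("Slot", "index name addr module verdict")

KERNEL = "ntoskrnl.exe"


def find_module(addr, modules):
    """Return the module whose image range [base, base + size) contains addr, else None."""
    for mod in modules:
        if mod.base <= addr < mod.base + mod.size:
            return mod
    return None


def classify_irp_table(driver, handlers, modules):
    """Label every MajorFunction slot of `driver` (a Module) by where its handler lives.

    verdicts:
      self      handler inside the driver's own image (expected for slots it serves)
      kernel    handler inside ntoskrnl: slots the driver never filled point at the
                kernel's default routine, as the 0xf802d31131b8 rows above do
      forwarded handler in another loaded module; legitimate for layered and filter
                drivers, so the documentation leaves this to the analyst's judgement
      unknown   handler inside no loaded module at all: the strongest hook indicator
    """
    if len(handlers) != len(IRP_MJ_NAMES):
        raise ValueError("expected %d handlers, got %d" % (len(IRP_MJ_NAMES), len(handlers)))
    rows = []
    for index, addr in enumerate(handlers):
        mod = find_module(addr, modules)
        if mod is None:
            verdict = "unknown"
        elif mod.name == driver.name:
            verdict = "self"
        elif mod.name == KERNEL:
            verdict = "kernel"
        else:
            verdict = "forwarded"
        rows.append(Slot(index, IRP_MJ_NAMES[index], addr, mod.name if mod else None, verdict))
    return rows


def suspicious_slots(rows):
    """Slots to review first: those the table cannot attribute, then forwarded ones."""
    return [r for r in rows if r.verdict in ("unknown", "forwarded")]


# pmem start/size and its four handlers are from the sample output above; the
# ntoskrnl range is a constructed placeholder, not a value from the page.
PMEM = Module("pmem", 0xf800025ca000, 0x10000)
NTOSKRNL = Module(KERNEL, 0xf802d3000000, 0x800000)     # constructed range
LOADED_MODULES = [PMEM, NTOSKRNL]

DEFAULT_HANDLER = 0xf802d31131b8       # every unfilled slot in the sample output
HANDLERS = [DEFAULT_HANDLER] * len(IRP_MJ_NAMES)
HANDLERS[0] = 0xf800025cb210           # IRP_MJ_CREATE
HANDLERS[2] = 0xf800025cb270           # IRP_MJ_CLOSE
HANDLERS[3] = 0xf800025cbfa0           # IRP_MJ_READ
HANDLERS[14] = 0xf800025cb300          # IRP_MJ_DEVICE_CONTROL

# Constructed variant: the READ slot points at memory that belongs to no loaded
# module, which is what a replaced function pointer looks like in this table.
TAMPERED = list(HANDLERS)
TAMPERED[3] = 0xf80003fe1000           # constructed address, inside no module

if __name__ == "__main__":
    for row in classify_irp_table(PMEM, TAMPERED, LOADED_MODULES):
        print("%2d %-32s 0x%x %-12s %s" % (row.index, row.name, row.addr, row.module, row.verdict))
```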
## driverscan (DriverScan)

Scan for driver objects _DRIVER_OBJECT

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

To find _DRIVER_OBJECTs in physical memory using pool tag scanning, use this plugin. This is another way to locate kernel modules, although not all kernel modules have an associated _DRIVER_OBJECT. The usual way for malware to enter Ring 0 is by loading a kernel driver of some sort. A malicious kernel driver is a strong indication that malware is running in Ring 0.

### Notes

1. Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _DRIVER_OBJECT structures out of memory. On the other hand, this plugin may reveal drivers which have been unloaded.

### Sample output

```
win8.1.raw 16:17:29> driverscan
              driverscan()
Offset(P)      #Ptr #Hnd Start          Size     Service Key Name      Driver Name
...
0x00003e569c60    3    0 0xf80000b14000 0x10000  pcw         pcw       \Driver\pcw
0x00003e569e60    3    0 0xf80000aeb000 0x29000  VBoxGuest   VBoxGuest \Driver\VBoxGuest
0x00003e59e590   17    0 0xf80000c26000 0x118000 NDIS        NDIS      \Driver\NDIS
0x00003e5a1060    8    0 0xf80000ec5000 0x27f000 Tcpip       Tcpip     \Driver\Tcpip
0x00003eb8d870    3    0 0xf800025ca000 0x10000  pmem        pmem      \Driver\pmem
0x00003f066e60    3    0 0xf80001c69000 0xe000   monitor     monitor   \Driver\monitor
...
```

## dumpfiles (DumpFiles)

Dump files from memory. The interface is loosely based on the Volatility plugin of the same name, although the implementation is quite different.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| file_objects | ArrayIntParser | Kernel addresses of _FILE_OBJECT structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## hooks_eat (EATHooks)

Detect EAT hooks in process and kernel memory

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## vacbs (EnumerateVacbs)

Enumerate all blocks cached in the cache manager.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## evtlogs (EvtLogs)

Extract Windows Event Logs (XP/2003 only)

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The evtlogs command extracts and parses binary event logs from memory. Binary event logs are found on Windows XP and 2003 machines, therefore this plugin only works on those systems. The log files are extracted from the VAD of the services.exe process, parsed and shown as output.

### Notes

1. This plugin will only work on Windows XP/2003. Modern Windows systems use the evtx event log format. We are still working on supporting these logs.

### Sample output

```
xp-laptop-2005-06-25.img 16:43:19> evtlogs
                         evtlogs()
TimeWritten              Filename     Computer       Sid                                            Source   EventId EventType Message
2004-05-05 19:36:55+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-18                                       Security 612     Success   '-MOIT-A-PHXMOD2$';'BALTIMORE';'(0x0,0x3E7)'
2004-05-05 19:36:56+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-18                                       Security 618     Success   'MOIT-A-PHXMOD2$';'BALTIMORE';'(0x0,0x3E7)';'PolEfDat:(none);'
2004-05-05 19:37:03+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-18                                       Security 537     Failure   'AJ.Morning';'BALTIMORE';'11';'User32';'Negotiate';'MOIT-A-PHXMOD2';'0xC000005E';'0x0'
2004-05-05 19:37:03+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-21-487349131-2095749132-2248483902-19753 Security 528     Success   'AJ.Morning';'BALTIMORE';'(0x0,0x113AD)';'2';'User32';'Negotiate';'MOIT-A-PHXMOD2';'{5c92d34f-85d3-2f5d-d036-759d7c97bfd7}'
2004-05-05 19:37:32+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-19                                       Security 528     Success   'LOCAL SERVICE';'NT AUTHORITY';'(0x0,0x3E5)';'5';'Advapi';'Negotiate';'';'{00000000-0000-0000-0000-000000000000}'
2004-05-05 19:37:33+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-21-487349131-2095749132-2248483902-19753 Security 596     Failure   '619be804-cde6-484f-aff4-2a5e588d6eef';'';'';'0x57'
```
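An added example, not Rekall's evtlogs implementation, of parsing the binary EVENTLOGRECORD format this plugin works on: records are carved out of a buffer by their "LfLe" signature, validated against the Length field that brackets each record, and decoded into the TimeWritten, Computer, Sid, Source, EventId, EventType and Message columns shown above. The buffer is constructed test data modelled on the sample rows, with junk bytes and a stray signature to show the validation rejecting them.

```python
"""Parse Windows XP/2003 binary event-log (.evt) records carved from a buffer.

Added example, not Rekall's evtlogs implementation. The EVENTLOGRECORD layout is
the documented winnt.h structure; the sample buffer at the bottom is constructed.
"""
import struct
from datetime import datetime, timezone

RECORD_SIGNATURE = b"LfLe"   # the "Reserved" field of every EVENTLOGRECORD
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Success", 16: "Failure"}

# 56-byte fixed header: Length, Reserved, RecordNumber, TimeGenerated, TimeWritten,
# EventID, EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset.
_HEADER = struct.Struct("<IIIIIIHHHHIIIIII")

def sid_to_string(raw):
    """Binary SID -> 'S-<revision>-<authority>-<sub-authorities...>' text form."""
    if len(raw) < 8:
        return ""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def _utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset past the NUL)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def parse_record(buf, off):
    """Parse the EVENTLOGRECORD at buf[off:]; return a dict, or None if not a valid record."""
    if off + _HEADER.size > len(buf) or buf[off + 4:off + 8] != RECORD_SIGNATURE:
        return None
    (length, _sig, rec_no, _t_gen, t_written, event_id, ev_type, n_strings, _cat, _flags,
     _closing, str_off, sid_len, sid_off, _data_len, _data_off) = _HEADER.unpack_from(buf, off)
    # Each record is bracketed by its Length; the trailing copy must agree, which
    # rejects stray signatures and truncated records when carving from memory.
    if length < _HEADER.size + 4 or off + length > len(buf):
        return None
    if struct.unpack_from("<I", buf, off + length - 4)[0] != length:
        return None
    rec = buf[off:off + length]
    source, nxt = _utf16z(rec, _HEADER.size)      # SourceName, then ComputerName
    computer, _ = _utf16z(rec, nxt)
    strings, pos = [], str_off
    for _ in range(n_strings):
        text, pos = _utf16z(rec, pos)
        strings.append(text)
    return {
        "record": rec_no,
        "written": datetime.fromtimestamp(t_written, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S+0000"),
        "source": source,
        "computer": computer,
        "sid": sid_to_string(rec[sid_off:sid_off + sid_len]) if sid_len else "",
        "event_id": event_id & 0xFFFF,   # low word is the event number; high bits carry severity/facility
        "type": EVENT_TYPES.get(ev_type, str(ev_type)),
        "message": ";".join("'%s'" % s for s in strings),
    }

def carve_records(buf):
    """Yield every valid record found by scanning the buffer for the 'LfLe' signature."""
    pos = buf.find(RECORD_SIGNATURE)
    while pos >= 4:                     # the signature sits 4 bytes into the record
        rec = parse_record(buf, pos - 4)
        if rec:
            yield rec
        pos = buf.find(RECORD_SIGNATURE, pos + 4)

def build_record(rec_no, event_id, ev_type, source, computer, sid, strings, written):
    """Assemble a synthetic EVENTLOGRECORD (constructed test data, not a real log)."""
    body = (source + "\x00").encode("utf-16-le") + (computer + "\x00").encode("utf-16-le")
    sid_off = _HEADER.size + len(body)
    body += sid
    str_off = _HEADER.size + len(body)
    body += b"".join((s + "\x00").encode("utf-16-le") for s in strings)
    data_off = _HEADER.size + len(body)
    length = _HEADER.size + len(body) + 4
    header = _HEADER.pack(length, int.from_bytes(RECORD_SIGNATURE, "little"), rec_no, written,
                          written, event_id, ev_type, len(strings), 0, 0, 0, str_off,
                          len(sid), sid_off, 0, data_off)
    return header + body + struct.pack("<I", length)

# Constructed sample buffer modelled on the rows above: two records, leading junk
# bytes and a stray signature with no record behind it.
SID_SYSTEM = bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0])      # S-1-5-18
T0 = int(datetime(2004, 5, 5, 19, 37, 3, tzinfo=timezone.utc).timestamp())
SAMPLE_BUFFER = (
    b"\xcc" * 13
    + build_record(7, 528, 8, "Security", "MOIT-A-PHXMOD2", SID_SYSTEM,
                   ["AJ.Morning", "BALTIMORE", "(0x0,0x113AD)", "2"], T0)
    + RECORD_SIGNATURE + b"\x00" * 8
    + build_record(8, 537, 16, "Security", "MOIT-A-PHXMOD2", b"",
                   ["AJ.Morning", "0xC000005E"], T0 + 29)
)
```

Calling `list(carve_records(SAMPLE_BUFFER))` yields the two constructed records and skips the stray signature, because the Length at the position it implies does not match its trailing copy.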
## filescan (FileScan)

Scan physical memory for _FILE_OBJECT pool allocations

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

To find FILE_OBJECTs in physical memory using pool tag scanning, use the filescan command. This will find open files even if a rootkit is hiding the files on disk and if the rootkit hooks some API functions to hide the open handles on a live system. The plugin also resolves the _FILE_OBJECT back to the owning process. This works only if the _FILE_OBJECT is actually in use (it does not work for closed files).

### Notes

1. Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _FILE_OBJECT structures out of memory. On the other hand, this plugin may reveal files which have been closed or freed.
2. When inspecting the output, the #Hnd column indicates the number of handles to this _FILE_OBJECT. Objects in use will have a nonzero value here and are unlikely to have been freed.
3. The plugin displays the physical address of the _FILE_OBJECT found. It may be possible to derive the virtual address using the [ptov](PtoV.html) plugin. Alternatively, specify the scan_in_kernel option to ensure scanning occurs in the kernel address space.
### Sample output

```
win8.1.raw 16:55:44> filescan scan_in_kernel=True
              filescan(scan_in_kernel=True)
Offset         #Ptr  #Hnd Access Owner          OwnerPid OwnerName       Name
0xe000000421e0    17    0 RW-rwd                                         Directory
0xe00000057d70    14    0 R--rwd                                         \Windows\System32\AuthBroker.dll
0xe000000599d0 32758    1 R--rw- 0xe00000074580        4 System          \Windows\CSC\v2.0.6
0xe000000686e0    19    0 RW-rwd                                         Directory
0xe0000006a1f0    19    0 RW-rwd                                         Directory
0xe0000006b5a0    16    0 R--r-d                                         \Windows\Fonts\modern.fon
0xe0000006d8c0     4    0 R--r-d                                         \Windows\System32\negoexts.dll
0xe0000006dc40    16    0 R--r-                                          \Windows\Fonts\meiryob.ttc
0xe0000006e1f0 29617    1 ------ 0xe0000204a900     2628 winpmem_1.5.2.  \Connect
0xe0000006edd0    16    0 R--rwd                                         \Windows\System32\msctf.dll
0xe00000079270    16    0 R--r-                                          \Windows\Cursors\aero_up.cur
0xe0000007abc0    12    0 R--rwd                                         \Windows\System32\puiobj.dll
0xe0000007ba90    18    0 RW-rwd                                         Directory
0xe0000007e070     3    0 R--r-                                          \Windows\Fonts\segoeui.ttf
0xe0000007e360     4    0 RW-rwd                                         $ConvertToNonresident
0xe0000007e890     7    0 R--r-d                                         \Windows\System32\usbmon.dll
0xe0000007f360 32768    1 R--r-d 0xe000000ce080      432 wininit.exe     \Windows\System32\en-GB\user32.dll.mui
0xe0000007f980     4    0 R--r-d                                         \Windows\System32\KBDUK.DLL
0xe000000b1d90    17    0 RW-rwd                                         Directory
0xe000000b1f20     5    0 R--r-d                                         \Windows\System32\AppXDeploymentServer.dll
0xe000000b4610    12    0 R--rwd                                         \Windows\SysWOW64\winmmbase.dll
0xe000000b6820     1    1 RWD--- 0xe00000074580        4 System          \Windows\System32\config\RegBack\SECURITY
0xe000000b6a50 32766    1 RW---- 0xe00000074580        4 System          \Windows\System32\config\SECURITY.LOG2
```

## show_referrer_alloc (FindReferenceAlloc)

Show allocations that refer to an address.

| Parameter | Type | Description |
|---|---|---|
| address | IntParser | The address to display |
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## gahti (Gahti)

Dump the USER handle type information.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## tokens (GetSIDs)

Print the SIDs owning each process token.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

In Windows a process runs with a set of tokens. These tokens are used to enforce the Windows mandatory ACL system. From a forensic point of view it is interesting to see what tokens a process is running with. For non-system processes, the process will also possess the token of the user who started it.
### Sample output

In the below we can see that this cmd.exe process was started by the user test with SID S-1-5-21-1077689984-2177008626-1601812314-1001.

```
win8.1.raw 22:41:01> tokens
              tokens()
Process  Pid  Sid                                            Comment
...
cmd.exe  888  S-1-5-21-1077689984-2177008626-1601812314-1001 User: test
cmd.exe  888  S-1-5-21-1077689984-2177008626-1601812314-513  Domain Users
cmd.exe  888  S-1-1-0                                        Everyone
cmd.exe  888  S-1-5-114
cmd.exe  888  S-1-5-21-1077689984-2177008626-1601812314-1002
cmd.exe  888  S-1-5-32-544                                   Administrators
cmd.exe  888  S-1-5-32-545                                   Users
cmd.exe  888  S-1-5-4                                        Interactive
cmd.exe  888  S-1-2-1                                        Console Logon (Users who are logged onto the physical console)
cmd.exe  888  S-1-5-11                                       Authenticated Users
cmd.exe  888  S-1-5-15                                       This Organization
cmd.exe  888  S-1-5-113
cmd.exe  888  S-1-5-5-0-126935                               Logon Session
cmd.exe  888  S-1-2-0                                        Local (Users with the ability to log in locally)
cmd.exe  888  S-1-5-64-10                                    NTLM Authentication
cmd.exe  888  S-1-16-12288                                   High Mandatory Level
...
```

## getservicesids (GetServiceSids)

Get the names of services in the Registry and return the calculated SID

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The getservicesids command calculates the SIDs for services on a machine. The service names are taken from the registry ("SYSTEM\CurrentControlSet\Services").

### Sample output

```
win8.1.raw 16:58:23> getservicesids
              getservicesids()
SID                                                              Service Name
S-1-5-80-3476726845-1218940557-3240126423-1396283824-3706223860  .NET CLR Data
S-1-5-80-3749761688-76038143-2425834820-4129736068-309120712     .NET CLR Networking
S-1-5-80-4151353957-356578678-4163131872-800126167-2037860865    .NET CLR Networking 4.0.0.0
S-1-5-80-603392709-3706100282-1779817366-3290147925-2109454977   .NET Data Provider for Oracle
S-1-5-80-1168016597-2140435647-491797002-352772175-817350590     .NET Data Provider for SqlServer
S-1-5-80-1135273183-3738781202-689480478-891280274-255333391     .NET Memory Cache 4.0
S-1-5-80-255220978-1106536095-1636044468-311807000-281316439     .NETFramework
S-1-5-80-799694863-4024754253-4060439485-3284853837-2852070736   1394ohci
S-1-5-80-3459415445-2224257447-3423677131-2829651752-4257665947  3ware
S-1-5-80-550892281-1246201444-2906082186-2301917840-2280485454   ACPI
S-1-5-80-2670625634-2386107419-4204951937-4094372046-2600379021  acpiex
S-1-5-80-3267050047-1503497915-401953950-2662906978-1179039408   acpipagr
```
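The calculation behind the table above, as an added example that is not Rekall's plugin code: a service SID is S-1-5-80 followed by five sub-authorities taken from the SHA-1 digest of the upper-cased, UTF-16LE encoded service name. The service list is constructed; resolve_service_sids shows the reverse lookup an analyst needs when a tokens listing contains an S-1-5-80 SID, which is only possible by recomputing the SID for every candidate name.

```python
"""Compute Windows service SIDs (NT SERVICE\\<name>) as getservicesids reports them.

Added example, not Rekall's plugin code. Algorithm: SHA-1 over the service key
name, upper-cased and encoded as UTF-16LE; the 20-byte digest is read as five
little-endian 32-bit sub-authorities appended to S-1-5-80.
"""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(name):
    """Return the textual service SID for a service key name (case-insensitive)."""
    digest = hashlib.sha1(name.upper().encode("utf-16-le")).digest()
    subs = struct.unpack("<5I", digest)          # 20 bytes -> five DWORDs
    return SERVICE_SID_PREFIX + "".join("-%d" % s for s in subs)


def is_service_sid(sid):
    """True if sid has the service-SID shape: S-1-5-80 plus exactly five sub-authorities."""
    parts = sid.split("-")
    return (sid.startswith(SERVICE_SID_PREFIX + "-") and len(parts) == 9
            and all(p.isdigit() and int(p) < 2 ** 32 for p in parts[4:]))


def resolve_service_sids(sids, service_names):
    """Map service SIDs found in a token back to the service names that produce them.

    The SID is a one-way hash of the name, so the only way back is to recompute
    the SID for every candidate name (in practice, every key under
    SYSTEM\\CurrentControlSet\\Services) and compare. Unmatched SIDs map to None.
    """
    table = {service_sid(n): n for n in service_names}
    return {sid: table.get(sid) for sid in sids if is_service_sid(sid)}


# Service key names as they would be read from the Services key (constructed list;
# the first three also appear in the sample output above).
SERVICES = ["ACPI", "acpiex", "1394ohci", "TrustedInstaller", "Spooler"]

if __name__ == "__main__":
    for name in SERVICES:
        print("%-66s %s" % (service_sid(name), name))
```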
## guess_guid (GuessGUID)

Try to guess the exact version of a kernel module by using an index.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| minimal_match | IntParser | The minimal number of comparison points to be considered. Sometimes not all comparison points can be used since they may not be mapped. |
| module | String | The name of the module to guess. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## handles (Handles)

Print list of open handles for each process

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| named_only | Boolean | Output only handles with a name. |
| object_types | ArrayStringParser | Types of objects to show. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

This plugin displays the handle table of processes. The handle table in the process stores securable kernel objects. When a user mode process obtains a securable kernel object, it receives a handle to it, i.e. an integer which is the location in the handle table, rather than the raw kernel level pointer. User processes then use the handle to operate on the kernel level object. For example, if a process opens a file, the _FILE_OBJECT will be stored in the handle table, and the user space code will receive the offset into the handle table.

This plugin is especially useful to find all resources that are opened by a user space program, such as open files, registry keys etc. In fact any of the objects shown by the [object_types](ObjectTypes.html) plugin are stored in the handle table, as can be seen by this module.

All the usual process selectors are supported. Additionally, it is possible to filter the output by using a comma separated list of handle types (as can be seen by the [object_types](ObjectTypes.html) plugin).

### Sample output

In the following output we see the winpmem acquisition tool's handle table. Note that it has an open file to the raw device \Device\pmem and the output file \Device\HarddiskVolume2\temp\win8.1.raw.

```
win8.1.raw 18:00:43> handles proc_regex="winpmem"
              handles(proc_regex="winpmem")
Offset(V)      Pid  Handle Access   Type                 Details
0xe00001f82f20 2628 0x4    0x12019f File                 \Device\ConDrv\Reference
0xe00001d17e00 2628 0x10   0x100020 File                 \Device\HarddiskVolume2\Windows
0xe00001f546b0 2628 0x18   0x12019f File                 \Device\ConDrv\Input
0xe00001eef800 2628 0x1c   0x12019f File                 \Device\ConDrv\Output
0xe00001eef800 2628 0x20   0x12019f File                 \Device\ConDrv\Output
0xe00001d0db80 2628 0x24   0x100020 File                 \Device\HarddiskVolume2\temp
0xe0000006e1f0 2628 0x28   0x12019f File                 \Device\ConDrv\Connect
0xe00000637480 2628 0x30   0x1f0001 ALPC Port
0xe000006bd290 2628 0x34   0x1f0003 Event
0xe00001ed6060 2628 0x38   0x1      WaitCompletionPacket
0xe00001ecd080 2628 0x3c   0x1f0003 IoCompletion
0xe00001ec7060 2628 0x40   0xf00ff  TpWorkerFactory
0xe00000778320 2628 0x44   0x100002 IRTimer
0xe00001ecfb80 2628 0x48   0x1      WaitCompletionPacket
0xe00001a629d0 2628 0x4c   0x100002 IRTimer
0xe00001ec8f90 2628 0x50   0x1      WaitCompletionPacket
0xe00002048970 2628 0x54   0x804    EtwRegistration
0xe0000077dd00 2628 0x58   0x100003 Semaphore
0xe00001d1b340 2628 0x5c   0x100001 File                 \Device\CNG
0xe000006b82c0 2628 0x60   0x100003 Semaphore
0xe00001d0c6e0 2628 0x64   0x120196 File                 \Device\HarddiskVolume2\temp\win8.1.raw
0xe000007db2f0 2628 0x74   0x1f0003 Event
0xe000023eda60 2628 0x78   0x804    EtwRegistration
0xe000024c56c0 2628 0x7c   0x804    EtwRegistration
0xe00001f803e0 2628 0x80   0x804    EtwRegistration
0xe00000813330 2628 0x84   0x1f0003 Event
0xe00001254440 2628 0x88   0x1fffff Thread               TID 3420 PID 2628
0xe0000061ebb0 2628 0x8c   0x1f0001 ALPC Port
0xe00001d0c340 2628 0x90   0x12019f File                 \Device\pmem
```
2hivedump(HiveDump)PrintsoutahivePluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
hives(Hives)Listalltheregistryhivesonthesystem.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
hooks_iat(IATHooks)DetectIAT/EAThooksinprocessandkernelmemoryPluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
eprocessArrayIntParserKerneladdressesofeprocessstructs.
methodChoiceArrayMethodtolistprocesses.
pidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
imageinfo(ImageInfo)Listoverviewinformationaboutthisimage.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
Thispluginprintsanoverviewofcertainparametersoftheimage.
###Notes1.
SinceRekalldoesnotrequireuserstoselecttheprolesmanuallythispluginisnotrequiredtoberunpriortoanyanalysis.
Infactthepluginitselfneedstohaveaccurateprolesloaded.
Itthereforedoesnotserverthesamepurposeasinpreviousversionofthesoftware.
###Sampleoutputwin8.
1.
raw18:00:48>imageinfoimageinfo()FactValueKernelDTB0x1a700034Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2NTBuild9600.
winblue_gdr.
130913-2141NTBuildEx9600.
16404.
amd64fre.
winblue_gdr.
130913-2141SignedDrivers-Time(UTC)2014-01-2421:20:05+0000Time(Local)2014-01-2421:20:05+0000SecSinceBoot764.
359375NtSystemRootC:\WindowsPhysicalLayoutPhysicalStartPhysicalEndNumberofPages0x0000000010000x00000009f0001580x0000001000000x00000010200020x0000001030000x00003fff0000261869impscan(ImpScan)Scanforcallstoimportedfunctions.
| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

### Sample output

```
win8.1.raw 18:30:34> impscan proc_regex="dwm.exe"
                     impscan(proc_regex="dwm.exe")
Process dwm.exe PID 692
IAT               Call              Module           Function
0x7ff7474f4000    0x7ff87f2c369c    sechost.dll      ConvertStringSecurityDescriptorToSecurityDescriptorW
0x7ff7474f4030    0x7ff87b48beb0    uxtheme.dll      CloseThemeData
0x7ff7474f4038    0x7ff87b4bfc80    uxtheme.dll      OpenThemeData
0x7ff7474fa020    0x7ff87e4b5d34    msvcrt.dll       382
0x7ff7474fa030    0x7ff87e4b5f18    msvcrt.dll       410
0x7ff7474fa050    0x7ff87e4b9948    msvcrt.dll       144
0x7ff7474fa058    0x7ff87e4babc0    msvcrt.dll       129
0x7ff7474fa0e0    0x7ff87e4b468c    msvcrt.dll       35
0x7ff7474fa0e8    0x7ff87e4b1cd4    msvcrt.dll       36
0x7ff7474fa120    0x7ff87f38f85c    ntdll.dll        1252
0x7ff7474fa128    0x7ff87f36e384    ntdll.dll        1229
0x7ff7474fa130    0x7ff87c9a3dec    KERNELBASE.dll   170
0x7ff7474fa138    0x7ff87f33c31c    ntdll.dll        815
0x7ff7474fa148    0x7ff87f383270    ntdll.dll        RtlInitializeCriticalSection
0x7ff7474fa158    0x7ff87f36d100    ntdll.dll        RtlAcquireSRWLockShared
0x7ff7474fa168    0x7ff87f36b810    ntdll.dll        RtlLeaveCriticalSection
0x7ff7474fa170    0x7ff87c9a24f4    KERNELBASE.dll   157
0x7ff7474fa180    0x7ff87f36e50c    ntdll.dll        1228
0x7ff7474fa188    0x7ff87f35db60    ntdll.dll        RtlAcquireSRWLockExclusive
0x7ff7474fa190    0x7ff87f36b550    ntdll.dll        867
0x7ff7474fa1a0    0x7ff87c9a14a0    KERNELBASE.dll   635
0x7ff7474fa1c8    0x7ff87c9a1440    KERNELBASE.dll   481
0x7ff7474fa1e8    0x7ff87f37c7c0    ntdll.dll        RtlSetLastWin32Error
0x7ff7474fa1f8    0x7ff87f366b90    ntdll.dll        928
0x7ff7474fa200    0x7ff87f3620d0    ntdll.dll        RtlAllocateHeap
0x7ff7474fa208    0x7ff87c9ac960    KERNELBASE.dll   684
0x7ff7474fa218    0x7ff87c9a14e0    KERNELBASE.dll   554
0x7ff7474fa230    0x7ff87edd3184    KERNEL32.DLL     GetStartupInfoW
0x7ff7474fa238    0x7ff87edd3074    KERNEL32.DLL     SetPriorityClass
```

## hooks_inline (InlineHooks)

Detect API hooks in process and kernel memory.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## inspect_heap (InspectHeap)

Inspect the process heap.

This prints a lot of interesting facts about the process heap. It is also the foundation of many other plugins which find things in the process heaps.

NOTE: Currently we only support Windows 7 64 bit.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| free | Boolean | Also show freed chunks. |
| heaps | ArrayIntParser | Only show these heaps (default show all). |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## kdbgscan (KDBGScan)

Scan for possible _KDDEBUGGER_DATA64 structures.

The scanner is detailed here: http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html

The relevant structures are detailed here: http://doxygen.reactos.org/d3/ddf/include_2psdk_2wdbgexts_8h_source.html

We can see that _KDDEBUGGER_DATA64.Header is:

```c
typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
    LIST_ENTRY64 List;
    ULONG OwnerTag;
    ULONG Size;
}
```

We essentially search for an owner tag of "KDBG", then overlay the _KDDEBUGGER_DATA64 struct on it. We test for validity by reflecting through the Header.List member.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| full_scan | Boolean | Scan the full address space. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Windows keeps a store of some useful global variables in a structure called _KDDEBUGGER_DATA64. This information is used by the Microsoft kernel debugger in order to bootstrap the analysis of a crash dump. Rekall no longer uses the Kernel Debugger Block for analysis - instead, accurate global symbol information is fetched from Microsoft PDB files containing debugging symbols.

### Notes

1. Previous versions of Rekall used the KDBG heavily for analysis, and by extension used this plugin. Currently the KDBG is not used by Rekall at all, so this plugin is not all that useful.
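The search described above, as an added example that is not part of the Rekall documentation or code base: it locates the "KDBG" owner tag in a byte buffer, overlays the header struct 16 bytes before it (the LIST_ENTRY64 comes first), and keeps a validity flag. The buffer is constructed inline, the 0x340 size value is made up, and the pointer-shape check (bits 63..47 set) is an assumption standing in for Rekall's walk through Header.List, which a plain byte buffer cannot support.

```python
import struct

# Layout of _DBGKD_DEBUG_DATA_HEADER64 as quoted above:
#   LIST_ENTRY64 List  (Flink, Blink: two 64-bit pointers)
#   ULONG OwnerTag
#   ULONG Size
HEADER_FMT = "<QQ4sI"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 24 bytes
OWNER_TAG = b"KDBG"
TAG_OFFSET = 16                              # OwnerTag follows the 16-byte LIST_ENTRY64


def looks_like_kernel_pointer(value):
    """Assumption: a valid x64 kernel pointer is canonical and lives in the
    upper half of the address space, i.e. bits 63..47 are all set."""
    return (value >> 47) == 0x1FFFF


def scan_kdbg(buf):
    """Return every candidate header found by locating the owner tag and
    overlaying the header struct 16 bytes before it.  'valid' records the
    sanity check on the List pointers; on a constructed buffer only their
    shape can be checked, whereas Rekall follows them through the address space."""
    hits = []
    pos = buf.find(OWNER_TAG)
    while pos != -1:
        start = pos - TAG_OFFSET
        if start >= 0 and start + HEADER_SIZE <= len(buf):
            flink, blink, _tag, size = struct.unpack_from(HEADER_FMT, buf, start)
            valid = (looks_like_kernel_pointer(flink)
                     and looks_like_kernel_pointer(blink)
                     and size > HEADER_SIZE)
            hits.append({"offset": start, "flink": flink, "blink": blink,
                         "size": size, "valid": valid})
        pos = buf.find(OWNER_TAG, pos + 1)
    return hits


def build_sample():
    """Constructed memory: filler, the tag inside an unrelated string (a false
    positive the List check must reject), then a well-formed header."""
    good = struct.pack(HEADER_FMT, 0xFFFFF80002A3B000, 0xFFFFF80002A3B000,
                       OWNER_TAG, 0x340)   # pointers and size are made-up values
    return (b"\x00" * 40 + b"the KDBG word in a string" + b"\x00" * 8
            + good + b"\xff" * 16)


if __name__ == "__main__":
    for h in scan_kdbg(build_sample()):
        print("offset %#x size %#x valid=%s" % (h["offset"], h["size"], h["valid"]))
```

Running it reports two candidates: the tag embedded in the string fails the pointer check, the real header passes. This is why a tag-only scan over physical memory produces false positives and why the plugin reflects through the list links before trusting a hit.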
## kpcr (KPCR)

A plugin to print all KPCR blocks.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Windows maintains per-processor information for each physical CPU in the system. This plugin displays this information.

### Sample output

```
win8.1.raw 21:15:09> kpcr
                     kpcr()
Property           Value
Offset (V)         0xf802d3307000
KdVersionBlock     Pointer to -
IDT                0xf802d4a43080
GDT                0xf802d4a43000
CurrentThread:     0xe00001254440 TID 3420 (winpmem_1.5.2.:2628)
IdleThread:        0xf802d335fa80 TID 0 (System:0)
Details:           CPU 0 (GenuineIntel @ 2517 MHz)
CR3/DTB:           0x1a7000
```

## ldrmodules (LdrModules)

Detect unlinked DLLs.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

There are many ways to hide a DLL. One of the ways involves unlinking the DLL from one (or all) of the linked lists in the PEB. However, when this is done, there is still information contained within the VAD (Virtual Address Descriptor) which identifies the base address of the DLL and its full path on disk. To cross-reference this information (known as memory mapped files) with the 3 PEB lists, use the ldrmodules command. For each memory mapped PE file, the ldrmodules command prints True or False depending on whether the PE exists in each of the PEB lists.

```
win8.1.raw 22:17:36> ldrmodules proc_regex="winpmem"
                     ldrmodules(proc_regex="winpmem")
Pid    Process         Base             InLoad  InInit  InMem  MappedPath
2628   winpmem_1.5.2.  0x0000753b0000   False   False   False  \Windows\SysWOW64\KernelBase.dll
2628   winpmem_1.5.2.  0x000000020000   True    False   True   \temp\winpmem_1.5.2.exe
2628   winpmem_1.5.2.  0x000076c30000   False   False   False  \Windows\SysWOW64\kernel32.dll
2628   winpmem_1.5.2.  0x000074a40000   False   False   False  \Windows\SysWOW64\cryptbase.dll
2628   winpmem_1.5.2.  0x000074a50000   False   False   False  \Windows\SysWOW64\sspicli.dll
2628   winpmem_1.5.2.  0x000077010000   True    True    True   \Windows\System32\wow64cpu.dll
2628   winpmem_1.5.2.  0x000076f50000   True    True    True   \Windows\System32\wow64.dll
2628   winpmem_1.5.2.  0x000076fa0000   True    True    True   \Windows\System32\wow64win.dll
2628   winpmem_1.5.2.  0x000075250000   False   False   False  \Windows\SysWOW64\rpcrt4.dll
2628   winpmem_1.5.2.  0x7ff87f320000   True    True    True   \Windows\System32\ntdll.dll
2628   winpmem_1.5.2.  0x000077020000   False   False   False  \Windows\SysWOW64\ntdll.dll
2628   winpmem_1.5.2.  0x0000749e0000   False   False   False  \Windows\SysWOW64\bcryptprimitives.dll
2628   winpmem_1.5.2.  0x000074ff0000   False   False   False  \Windows\SysWOW64\advapi32.dll
2628   winpmem_1.5.2.  0x000076f10000   False   False   False  \Windows\SysWOW64\sechost.dll
2628   winpmem_1.5.2.  0x000074d80000   False   False   False  \Windows\SysWOW64\msvcrt.dll
```

Since the PEB and the DLL lists that it contains all exist in user mode, it is also possible for malware to hide (or obscure) a DLL by simply overwriting the path. Tools that only look for unlinked entries may miss the fact that malware could overwrite C:\bad.dll to show C:\windows\system32\kernel32.dll. So you can also pass the verbosity=10 parameter to ldrmodules to see the full path of all entries.

For concrete examples, see [ZeroAccess Misleads Memory-File Link](http://blogs.mcafee.com/mcafee-labs/zeroaccess-misleads-memory-file-link) and [QuickPost: Flame & Volatility](http://mnin.blogspot.com/2012/06/quickpost-flame-volatility.html).
```
win8.1.raw 22:17:41> ldrmodules proc_regex="winpmem", verbosity=10
                     ldrmodules(proc_regex="winpmem", verbosity=10)
Pid    Process         Base             InLoad  InInit  InMem  MappedPath
2628   winpmem_1.5.2.  0x0000753b0000   False   False   False  \Windows\SysWOW64\KernelBase.dll
2628   winpmem_1.5.2.  0x000000020000   True    False   True   \temp\winpmem_1.5.2.exe
   Load Path: C:\temp\winpmem_1.5.2.exe : winpmem_1.5.2.exe
   Mem Path:  C:\temp\winpmem_1.5.2.exe : winpmem_1.5.2.exe
2628   winpmem_1.5.2.  0x000076c30000   False   False   False  \Windows\SysWOW64\kernel32.dll
2628   winpmem_1.5.2.  0x000074a40000   False   False   False  \Windows\SysWOW64\cryptbase.dll
2628   winpmem_1.5.2.  0x000074a50000   False   False   False  \Windows\SysWOW64\sspicli.dll
2628   winpmem_1.5.2.  0x000077010000   True    True    True   \Windows\System32\wow64cpu.dll
   Load Path: C:\Windows\system32\wow64cpu.dll : wow64cpu.dll
   Init Path: C:\Windows\system32\wow64cpu.dll : wow64cpu.dll
   Mem Path:  C:\Windows\system32\wow64cpu.dll : wow64cpu.dll
2628   winpmem_1.5.2.  0x000076f50000   True    True    True   \Windows\System32\wow64.dll
   Load Path: C:\Windows\SYSTEM32\wow64.dll : wow64.dll
   Init Path: C:\Windows\SYSTEM32\wow64.dll : wow64.dll
   Mem Path:  C:\Windows\SYSTEM32\wow64.dll : wow64.dll
2628   winpmem_1.5.2.  0x000076fa0000   True    True    True   \Windows\System32\wow64win.dll
   Load Path: C:\Windows\system32\wow64win.dll : wow64win.dll
   Init Path: C:\Windows\system32\wow64win.dll : wow64win.dll
   Mem Path:  C:\Windows\system32\wow64win.dll : wow64win.dll
2628   winpmem_1.5.2.  0x000075250000   False   False   False  \Windows\SysWOW64\rpcrt4.dll
2628   winpmem_1.5.2.  0x7ff87f320000   True    True    True   \Windows\System32\ntdll.dll
   Load Path: C:\Windows\SYSTEM32\ntdll.dll : ntdll.dll
   Init Path: C:\Windows\SYSTEM32\ntdll.dll : ntdll.dll
   Mem Path:  C:\Windows\SYSTEM32\ntdll.dll : ntdll.dll
2628   winpmem_1.5.2.  0x000077020000   False   False   False  \Windows\SysWOW64\ntdll.dll
2628   winpmem_1.5.2.  0x0000749e0000   False   False   False  \Windows\SysWOW64\bcryptprimitives.dll
2628   winpmem_1.5.2.  0x000074ff0000   False   False   False  \Windows\SysWOW64\advapi32.dll
2628   winpmem_1.5.2.  0x000076f10000   False   False   False  \Windows\SysWOW64\sechost.dll
2628   winpmem_1.5.2.  0x000074d80000   False   False   False  \Windows\SysWOW64\msvcrt.dll
```

### Notes

1. Wow64 processes (i.e. 32 bit processes on 64 bit Windows) will not show any 32 bit DLLs in any of the loader lists. This is normal (and you will see the DLLs loaded from the Windows Wow64 directory).
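The cross-reference that ldrmodules performs, as an added example written for this page (not Rekall's implementation): it joins the VAD's list of memory mapped PE files against the three PEB lists to produce the InLoad/InInit/InMem flags, and then applies the two checks discussed above: an entry missing from every list, and an entry whose PEB path no longer matches the file the VAD says is mapped at that base (the overwritten-path trick). All bases and paths are constructed; the wow64cpu/ntdll entries copy the sample output, the bad.dll and injected.dll entries are made up.

```python
from typing import Dict, List, Tuple

# Constructed inputs (not from a real image).
MAPPED_FILES: Dict[int, str] = {            # from the VAD: base -> mapped file
    0x77010000: "\\Windows\\System32\\wow64cpu.dll",
    0x7FF87F320000: "\\Windows\\System32\\ntdll.dll",
    0x10000000: "\\Users\\test\\AppData\\Local\\Temp\\bad.dll",
    0x20000000: "\\temp\\injected.dll",
}
_LEGIT = {
    0x77010000: "C:\\Windows\\system32\\wow64cpu.dll",
    0x7FF87F320000: "C:\\Windows\\SYSTEM32\\ntdll.dll",
    # Entry whose FullDllName was overwritten to look like kernel32.dll:
    0x10000000: "C:\\windows\\system32\\kernel32.dll",
}
PEB_LISTS: Dict[str, Dict[int, str]] = {    # the three PEB loader lists
    "load": dict(_LEGIT),
    "init": dict(_LEGIT),
    "mem": dict(_LEGIT),
}
# 0x20000000 appears in no list at all: the unlinked case.


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cross_reference(mapped_files, peb_lists) -> List[dict]:
    """One row per memory mapped PE, with InLoad/InInit/InMem flags and the
    path each PEB list reports for that base (what verbosity=10 prints)."""
    rows = []
    for base, mapped_path in sorted(mapped_files.items()):
        row = {"base": base, "mapped_path": mapped_path}
        for name in ("load", "init", "mem"):
            row["in_" + name] = base in peb_lists[name]
            row[name + "_path"] = peb_lists[name].get(base)
        rows.append(row)
    return rows


def findings(rows) -> List[Tuple[int, str]]:
    """Flag (a) mapped PEs absent from every list and (b) listed entries whose
    PEB path does not agree with the file the VAD says is mapped there.
    Caveat from the notes above: in a Wow64 process the 32-bit DLLs are
    legitimately absent from all three lists, so (a) needs that context."""
    out = []
    for r in rows:
        if not (r["in_load"] or r["in_init"] or r["in_mem"]):
            out.append((r["base"], "not present in any PEB list"))
            continue
        for name in ("load", "init", "mem"):
            p = r[name + "_path"]
            if p is not None and basename(p) != basename(r["mapped_path"]):
                out.append((r["base"], "%s list path %s disagrees with mapped file %s"
                            % (name, p, r["mapped_path"])))
    return out


if __name__ == "__main__":
    rows = cross_reference(MAPPED_FILES, PEB_LISTS)
    for r in rows:
        print("%#014x %-5s %-5s %-5s %s" % (r["base"], r["in_load"], r["in_init"],
                                            r["in_mem"], r["mapped_path"]))
    for base, why in findings(rows):
        print("SUSPICIOUS %#x: %s" % (base, why))
```

The path comparison is deliberately done on the file name only, because the VAD reports NT-style paths (\Windows\...) while the loader lists carry DOS paths (C:\Windows\...); a stricter comparison would need the device-to-drive mapping first.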
## load_profile (LoadWindowsProfile)

Loads the profile into the session.

If the profile does not exist in the repositories, fetch and build it from the symbol server. This plugin allows the user to change resolution of selected binaries by forcing the fetching of symbol files from the symbol server interactively.

| Plugin | Type | Description |
|---|---|---|
| guid | String | The guid of the module. |
| module_name | String | The name of the module (without the .pdb extension). |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## malfind (Malfind)

Find hidden and injected code.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The malfind command helps find hidden or injected code/DLLs in user mode memory, based on characteristics such as VAD tag and page permissions.

Note: malfind does not detect DLLs injected into a process using CreateRemoteThread->LoadLibrary. DLLs injected with this technique are not hidden and thus you can view them with dlllist. The purpose of malfind is to locate DLLs that standard methods/tools do not see.

Here is an example of using it to detect the presence of Zeus. The first memory segment (starting at 0x2aa0000) was detected because it is executable, marked as private (not shared between processes) and has a VadS tag, which means there is no memory mapped file already occupying the space. Based on a disassembly of the data found at this address, it seems to contain some API hook trampoline stubs. The second memory segment (starting at 0x3080000) was detected because it contained an executable that isn't listed in the PEB's module lists.

If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with the dump_dir parameter. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk.
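The two detection criteria just described, as an added example that is not Rekall's malfind implementation: a VAD is flagged when it is a private, executable VadS region with no backing file, and additionally when such a region starts with an MZ header. The VAD records are constructed; the two flagged ones reuse the addresses and first 16 bytes from the Zeus sample output below, the other two are ordinary benign regions. The protection table is the memory manager's protection index (the "Protection: 6" in the output is EXECUTE_READWRITE).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Memory manager protection index; 6 is the EXECUTE_READWRITE seen in the output.
MM_PROTECTION = {0: "NOACCESS", 1: "READONLY", 2: "EXECUTE", 3: "EXECUTE_READ",
                 4: "READWRITE", 5: "WRITECOPY", 6: "EXECUTE_READWRITE",
                 7: "EXECUTE_WRITECOPY"}
EXECUTABLE = {2, 3, 6, 7}


@dataclass
class Vad:
    start: int
    tag: str                    # "VadS" = short VAD with no file object
    protection: int             # MM protection index
    private_memory: bool
    mapped_file: Optional[str]
    head: bytes                 # first bytes of the region


def reasons(vad: Vad) -> List[str]:
    """The two conditions the text describes: a private, executable VadS region
    with no backing file, and such a region that also carries a PE header."""
    out = []
    if (vad.protection in EXECUTABLE and vad.private_memory
            and vad.tag == "VadS" and vad.mapped_file is None):
        out.append("private executable region without a memory mapped file")
        if vad.head[:2] == b"MZ":
            out.append("region begins with an MZ header (PE image not backed by a file)")
    return out


def malfind(vads: List[Vad]) -> List[Tuple[int, str, List[str]]]:
    hits = []
    for v in vads:
        r = reasons(v)
        if r:
            hits.append((v.start, MM_PROTECTION[v.protection], r))
    return hits


def hexdump(addr: int, data: bytes, width: int = 16) -> List[str]:
    """Same shape as the malfind output: address, hex bytes, printable ASCII."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%#010x  %-*s  %s" % (addr + i, width * 3 - 1, hexpart, text))
    return lines


# Constructed VADs (not read from an image).
SAMPLE_VADS = [
    Vad(0x00400000, "Vad", 7, False, "\\Windows\\explorer.exe", b"MZ\x90\x00"),
    Vad(0x00150000, "VadS", 4, True, None, b"\x00" * 16),            # a heap
    Vad(0x02aa0000, "VadS", 6, True, None,
        bytes.fromhex("b835000000e9a9d1e679686c020000e9")),          # trampolines
    Vad(0x03080000, "VadS", 6, True, None,
        bytes.fromhex("4d5a90000300000004000000ffff0000")),          # injected PE
]


if __name__ == "__main__":
    for start, prot, why in malfind(SAMPLE_VADS):
        print("Address: %#x Protection: %s" % (start, prot))
        for w in why:
            print("  -", w)
        vad = next(v for v in SAMPLE_VADS if v.start == start)
        print("\n".join(hexdump(start, vad.head)))
```

Note what the heuristic does not catch, in line with the text: a DLL loaded through LoadLibrary has a file object and a Vad (not VadS) entry, so it is never flagged here and must be found with dlllist instead.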
```
zeus2x4.vmem 22:53:43> malfind proc_regex="explorer"
                       malfind(proc_regex="explorer")
fpid 1752
Process: explorer.exe Pid: 1752 Address: 0x2aa0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x2aa0000  b8 35 00 00 00 e9 a9 d1 e6 79 68 6c 02 00 00 e9   .5.......yhl....
0x2aa0010  b4 63 e7 79 8b ff 55 8b ec e9 7c 11 d7 79 8b ff   .c.y..U...|..y..
0x2aa0020  55 8b ec e9 01 32 77 74 8b ff 55 8b ec e9 7c 60   U....2wt..U...|`
0x2aa0030  72 74 8b ff 55 8b ec e9 ca e9 72 74 8b ff 55 8b   rt..U.....rt..U.

0x02aa0000 b835000000       MOV EAX, 0x35
0x02aa0005 e9a9d1e679       JMP 0x7c90d1b3
0x02aa000a 686c020000       PUSH DWORD 0x26c
0x02aa000f e9b463e779       JMP 0x7c9163c8
0x02aa0014 8bff             MOV EDI, EDI
0x02aa0016 55               PUSH EBP
0x02aa0017 8bec             MOV EBP, ESP
0x02aa0019 e97c11d779       JMP 0x7c81119a
0x02aa001e 8bff             MOV EDI, EDI
0x02aa0020 55               PUSH EBP
0x02aa0021 8bec             MOV EBP, ESP
0x02aa0023 e901327774       JMP 0x77213229
0x02aa0028 8bff             MOV EDI, EDI
0x02aa002a 55               PUSH EBP
0x02aa002b 8bec             MOV EBP, ESP
0x02aa002d e97c607274       JMP 0x771c60ae
0x02aa0032 8bff             MOV EDI, EDI
0x02aa0034 55               PUSH EBP
0x02aa0035 8bec             MOV EBP, ESP
0x02aa0037 e9cae97274       JMP 0x771cea06
0x02aa003c 8bff             MOV EDI, EDI
0x02aa003e 55               PUSH EBP
0x02aa003f 8bec             MOV EBP, ESP
0x02aa0041 e9e8327774       JMP 0x7721332e
0x02aa0046 8bff             MOV EDI, EDI
0x02aa0048 55               PUSH EBP
0x02aa0049 8bec             MOV EBP, ESP
0x02aa004b e9494d7274       JMP 0x771c4d99
0x02aa0050 8bff             MOV EDI, EDI
0x02aa0052 55               PUSH EBP
0x02aa0053 8bec             MOV EBP, ESP
0x02aa0055 e99d827274       JMP 0x771c82f7
0x02aa005a 8bff             MOV EDI, EDI
0x02aa005c 55               PUSH EBP
0x02aa005d 8bec             MOV EBP, ESP
0x02aa005f e9ef927574       JMP 0x771f9353
0x02aa0064 8bff             MOV EDI, EDI
0x02aa0066 55               PUSH EBP
0x02aa0067 8bec             MOV EBP, ESP
0x02aa0069 e9fe897374       JMP 0x771d8a6c
0x02aa006e 6a2c             PUSH 0x2c
0x02aa0070 68187b1c77       PUSH DWORD 0x771c7b18
0x02aa0075 e957797274       JMP 0x771c79d1
0x02aa007a 8bff             MOV EDI, EDI
0x02aa007c 55               PUSH EBP
0x02aa007d 8bec             MOV EBP, ESP
0x02aa007f e9ac3d016f       JMP 0x71ab3e30
0x02aa0084 8bff             MOV EDI, EDI
0x02aa0086 55               PUSH EBP
0x02aa0087 8bec             MOV EBP, ESP
0x02aa0089 e99e4b016f       JMP 0x71ab4c2c
0x02aa008e 8bff             MOV EDI, EDI
0x02aa0090 55               PUSH EBP
0x02aa0091 8bec             MOV EBP, ESP
0x02aa0093 e96768016f       JMP 0x71ab68ff
0x02aa0098 8bff             MOV EDI, EDI
0x02aa009a 55               PUSH EBP
0x02aa009b 8bec             MOV EBP, ESP
0x02aa009d e9598b977b       JMP 0x7e418bfb
0x02aa00a2 8bff             MOV EDI, EDI
0x02aa00a4 55               PUSH EBP
0x02aa00a5 8bec             MOV EBP, ESP
0x02aa00a7 e9130d997b       JMP 0x7e430dbf
0x02aa00ac 8bff             MOV EDI, EDI
0x02aa00ae 55               PUSH EBP

Process: explorer.exe Pid: 1752 Address: 0x3080000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 52, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x3080000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x3080010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x3080020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x3080030  00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00   ................

0x03080000 4d               DEC EBP
0x03080001 5a               POP EDX
0x03080002 90               NOP
0x03080003 0003             ADD [EBX], AL
0x03080005 0000             ADD [EAX], AL
0x03080007 000400           ADD [EAX+EAX], AL
0x0308000a 0000             ADD [EAX], AL
0x0308000c ff               DB 0xff
0x0308000d ff00             INC DWORD [EAX]
0x0308000f 00b800000000     ADD [EAX+0x0], BH
0x03080015 0000             ADD [EAX], AL
0x03080017 004000           ADD [EAX+0x0], AL
0x0308001a 0000             ADD [EAX], AL
0x0308001c 0000             ADD [EAX], AL
0x0308001e 0000             ADD [EAX], AL
```

## mftdump (MftDump)

Enumerate MFT entries from the cache manager.
| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## mimikatz (Mimikatz)

Extract and decrypt passwords from the LSA Security Service.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## miranda (Miranda)

A mixin for plugins which require a valid kernel address space.

Args: dtb: A potential dtb to be used.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## modscan (ModScan)

Scan physical memory for _LDR_DATA_TABLE_ENTRY objects.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
The modscan command finds LDR_DATA_TABLE_ENTRY structures by scanning physical memory for pool tags. This can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.

### Notes

1. Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _LDR_DATA_TABLE_ENTRY structures out of memory. On the other hand, this plugin may reveal files which have been closed or freed.

### Sample output

In this example we can identify the pmem driver which was loaded from a temporary location.
```
win8.1.raw 23:27:24> modscan
                     modscan()
Offset(P)        Name            Base               Size        File
0x000001ce507e                   0x20c483483824     0xebc08b44
0x00003ce163b0   mrxsmb.sys      0xf80002174000     0x6d000     \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x00003ce17610   mrxsmb20.sys    0xf80002000000     0x39000     \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x00003ce1e830   mpsdrv.sys      0xf8000215d000     0x17000     \SystemRoot\System32\drivers\mpsdrv.sys
0x00003ce4cf30   Ndu.sys         0xf800022cd000     0x1d000     \SystemRoot\system32\drivers\Ndu.sys
0x00003ce4df20   mrxsmb10.sys    0xf80002282000     0x4b000     \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x00003ce80170   peauth.sys      0xf800022ea000     0xa9000     \SystemRoot\system32\drivers\peauth.sys
0x00003ce8b010   srvnet.sys      0xf8000239e000     0x43000     \SystemRoot\System32\DRIVERS\srvnet.sys
0x00003ce8bc20   secdrv.SYS      0xf80002393000     0xb000      \SystemRoot\System32\Drivers\secdrv.SYS
0x00003ceae280   tcpipreg.sys    0xf800023e1000     0x12000     \SystemRoot\System32\drivers\tcpipreg.sys
0x00003ceae520   srv2.sys        0xf800024ec000     0xad000     \SystemRoot\System32\DRIVERS\srv2.sys
0x00003cec9ee0                   0x665602050006     0x0
0x00003ceede60   srv.sys         0xf80002400000     0x98000     \SystemRoot\System32\DRIVERS\srv.sys
0x00003cf44eb0   mslldp.sys      0xf80002498000     0x16000     \SystemRoot\system32\DRIVERS\mslldp.sys
0x00003d144160   rspndr.sys      0xf80001caf000     0x18000     \SystemRoot\system32\DRIVERS\rspndr.sys
0x00003d145a50   lltdio.sys      0xf80001c9b000     0x14000     \SystemRoot\system32\DRIVERS\lltdio.sys
0x00003d18c850   HTTP.sys        0xf80002043000     0xfa000     \SystemRoot\system32\drivers\HTTP.sys
0x00003d29b010   pmeA86F.tmp     0xf800025ca000     0x10000     \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
0x00003d655520   HdAudio.sys     0xf80001d45000     0x66000     \SystemRoot\system32\drivers\HdAudio.sys
0x00003d6593e0   tunnel.sys      0xf800024ae000     0x2d000     \SystemRoot\system32\DRIVERS\tunnel.sys
```

## version_modules (ModVersions)

Try to determine the versions for all kernel drivers.
| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| name_regex | RegEx | Filter module names by this regex. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Each time a Windows binary is built using the Microsoft Visual Studio compiler suite a new unique GUID is generated for this file. The GUID is used to link the executable and the pdb file (which contains debugging symbols). The GUID is embedded in the executable in an RSDS record (i.e. the record has a signature starting with the letters RSDS). Rekall can scan for this signature in order to identify the executable version.

This plugin scans for the version string for each loaded kernel module. Use the [version_scan](VersionScan.html) module to search for RSDS signatures in physical memory.
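What an RSDS record looks like and how the GUID/age string in the output below is derived from it, as an added example (not Rekall's scanner): the record is the CodeView debug entry, a 4-byte signature followed by a GUID, a 32-bit age and the NUL-terminated PDB name. The buffer is constructed inline; it embeds the ntoskrnl GUID and age from the sample output so the rendered string can be checked against it, plus a decoy signature with no PDB name, which a scan over raw physical memory will routinely hit.

```python
import struct

# CodeView "RSDS" record as it appears in a PE's debug directory:
#   char Signature[4]; GUID Guid; ULONG Age; char PdbFileName[];
RSDS_FMT = "<4sIHH8sI"
RSDS_SIZE = struct.calcsize(RSDS_FMT)   # 24 bytes before the PDB name


def format_guid_age(data1, data2, data3, data4, age):
    """Render GUID and age the way the sample output (and symbol server paths)
    do: Data1/Data2/Data3 as big-endian hex, Data4 byte for byte, then age."""
    return "%08X%04X%04X%s%d" % (data1, data2, data3, data4.hex().upper(), age)


def parse_rsds(buf, offset):
    if offset + RSDS_SIZE > len(buf):
        return None
    sig, d1, d2, d3, d4, age = struct.unpack_from(RSDS_FMT, buf, offset)
    if sig != b"RSDS":
        return None
    end = buf.find(b"\x00", offset + RSDS_SIZE)
    if end == -1:
        return None
    pdb = buf[offset + RSDS_SIZE:end].decode("ascii", "replace")
    return {"offset": offset, "guid_age": format_guid_age(d1, d2, d3, d4, age), "pdb": pdb}


def scan_rsds(buf):
    """Scan a byte buffer for RSDS records, keeping only those followed by a
    plausible .pdb name (this drops the signature appearing in unrelated data)."""
    found = []
    pos = buf.find(b"RSDS")
    while pos != -1:
        rec = parse_rsds(buf, pos)
        if rec and rec["pdb"].lower().endswith(".pdb"):
            found.append(rec)
        pos = buf.find(b"RSDS", pos + 1)
    return found


def build_sample():
    """Constructed module fragment: the ntoskrnl GUID/age from the sample output
    (C0717099-5AA8-441B-952E-3B9AE3F3754B, age 2) plus a decoy signature."""
    record = struct.pack(RSDS_FMT, b"RSDS", 0xC0717099, 0x5AA8, 0x441B,
                         bytes.fromhex("952E3B9AE3F3754B"), 2) + b"ntkrnlmp.pdb\x00"
    decoy = b"RSDS" + b"\x11" * 20 + b"not a pdb name\x00"
    return b"\x00" * 64 + record + b"\x00" * 32 + decoy + b"\x00" * 8


if __name__ == "__main__":
    for rec in scan_rsds(build_sample()):
        print("%#x %s %s" % (rec["offset"], rec["guid_age"], rec["pdb"]))
```

The same GUID+age string is what load_profile's guid argument and the symbol server expect, which is why a mismatch between the version found in memory and the profile in use is the first thing to check when symbol resolution looks wrong.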
### Sample output

```
win7_trial_64bit.dmp.E01 23:48:26> version_modules
Offset (V)       Name              GUID/Version                       PDB
0xf800027f4b0c   ntoskrnl.exe      C07170995AA8441B952E3B9AE3F3754B2  ntkrnlmp.pdb
0xf8000262deb4   hal.dll           0C72B43B8AC64E22AB88B564E69330372  hal.pdb
0xf88002d34af4   wanarp.sys        7BA2309F029F4DE7878AED80636C2D132  wanarp.pdb
0xf8800183eed4   TDI.SYS           C519554437F04B63BC39FF4E69578DC42  tdi.pdb
0xf88000d95b24   volmgrx.sys       C047BA32ABCB4A948CBB8930F352B1032  volmgrx.pdb
0xf88003de7c60   dump_dumpfve.sys  A2CC4DFB86424750871BCB8E1E841E3C1  dumpfve.pdb
0xf880019d4e00   watchdog.sys      79ACBD31D1BD428A8311AD9D5DCDEAA61  watchdog.pdb
0xf8800111004c   cng.sys           F0AA00E320D4468A9D3F7078E2AE2BF52  cng.pdb
0xf88002c2e648   csc.sys           56B7C3B9040B47D9821E6A57E6A5AE4A1  csc.pdb
0xf88000c02f48   CI.dll            5F1BDC2205AC402CB0F09FC7CF17A3701  ci.pdb
0xf88003c3f2dc   USBD.SYS          BE6200B21204452DADDF85CED51A5BDE1  usbd.pdb
0xf88002d0a1fc   netbios.sys       084EB51DBDE844CF9EAD3B5FDFABDC721  netbios.pdb
0xf88000cc80a0   mcupdate.dll      8C7A27566CD54FB9A00AF26B5BF941651  mcupdate_GenuineIntel.pdb
0xf8800145c920   ndis.sys          40D6C85AC9F74887A652601839A1F56D2  ndis.pdb
0xf880019eb04c   rdpencdd.sys      C299649119AC4CC888F37C32A216781A1  RDPENCDD.pdb
0xf88003814d08   srv.sys           20C4A475BE954C10997EAD2C623E40C32  srv.pdb
0xf88003a52c10   raspptp.sys       C9106AFB80474EFCAF9384DA26CC35622  raspptp.pdb
0xf880019b42ec   VIDEOPRT.SYS      1B0FC2CC31FE41CEBEAC4ABB7375EA481  videoprt.pdb
0xf88000fda340   PCIIDEX.SYS       2C4F146DA2774ACEA1D5499284DDDB271  pciidex.pdb
0xf88003c2962c   HIDCLASS.SYS      1815DD7E268B4BB9BCD5226204CFEC9C1  hidclass.pdb
0xf88000fd105c   intelide.sys      B72598DF61A84806B7AC593BA128300C1  intelide.pdb
0xf88003a37320   raspppoe.sys      39B224364B9042649CA0CDB8270762931  raspppoe.pdb
0xf88000e040ec   atapi.sys         4E82D8C0AB5A41799B979539D280167D1  atapi.pdb
0xf88002cba464   netbt.sys         840D3E3C828C4D60A905DC82D8CBF8FA2  netbt.pdb
0xf880011f647c   kbdclass.sys      D5F7E088FAF44B60A3774197A9ADEEC01  kbdclass.pdb
0xf88000e361f0   amdxata.sys       8D1A5FFBAEEA4D388F8B7B3B9378C3671  amdxata.pdb
0xf880031abb04   srvnet.sys        608D364BC5524794BD70C89773BD51EF2  srvnet.pdb
0xf880028fa614   bowser.sys        26FAC99A52F8439E9A5B8B4B37F90D5B1  bowser.pdb
0xf88002ddb6f4   dfsc.sys          827F5D478C94478299C7FEC7FEE4DAFA1  dfsc.pdb
0xf880011bf9dc   fvevol.sys        2FBEA7856251499B87C65A29FC51E6191  fvevol.pdb
0xf80000bc13b0   kdcom.dll         ACC6A823A2844D22B68CD5D48D42381F2  kdcom.pdb
0xf88000fbe5a4   volmgr.sys        39E92F60716140C38C723CDF21B956CD2  volmgr.pdb
0xf88000f5c108   msisadrv.sys      09A612E6691847ED98E4F36F3CC9EE641  msisadrv.pdb
0xf8800183127c   tdx.sys           FB912A34EB1A44EC9F65E250879944B52  tdx.pdb
0xf8800119f10c   rdyboost.sys      20E6E50C6F9B42589E18D96AD84608DB1  rdyboost.pdb
```

## modules (Modules)

Print list of loaded kernel modules.
| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| name_regex | RegEx | Filter module names by this regex. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

To view the list of kernel drivers loaded on the system, use the modules command. This walks the doubly-linked list of _LDR_DATA_TABLE_ENTRY structures pointed to by PsLoadedModuleList. It cannot find hidden/unlinked kernel drivers, however [modscan](ModScan.html) serves that purpose. Also, since this plugin uses list walking techniques, you typically can assume that the order the modules are displayed in the output is the order they were loaded on the system.

### Notes

1. The Base address is the location where the kernel module's PE header is mapped. For example you can examine information about the module's IAT/EAT using the [peinfo](PEInfo.html) plugin, providing the base address.
### Sample output

```
win8.1.raw 23:35:19> modules
                     modules()
Offset (V)       Name           Base             Size       File
0xe00000057620   ntoskrnl.exe   0xf802d3019000   0x781000   \SystemRoot\system32\ntoskrnl.exe
0xe00000057530   hal.dll        0xf802d379a000   0x6f000    \SystemRoot\system32\hal.dll
0xe000000557c0   storahci.sys   0xf800006d9000   0x1d000    \SystemRoot\System32\drivers\storahci.sys
0xe0000149ade0   mssmbios.sys   0xf800018c4000   0xc000     \SystemRoot\System32\drivers\mssmbios.sys
0xe000013871e0   Npfs.SYS       0xf800008ba000   0x14000    \SystemRoot\System32\Drivers\Npfs.SYS
0xe00000055d50   volmgrx.sys    0xf80000393000   0x5f000    \SystemRoot\System32\drivers\volmgrx.sys
0xe00002145a50   lltdio.sys     0xf80001c9b000   0x14000    \SystemRoot\system32\DRIVERS\lltdio.sys
0xe00000055e40   volmgr.sys     0xf8000045d000   0x15000    \SystemRoot\System32\drivers\volmgr.sys
0xe00000054950   fwpkclnt.sys   0xf80001144000   0x6c000    \SystemRoot\System32\drivers\fwpkclnt.sys
0xe00000054c60   NETIO.SYS      0xf80000d3e000   0x79000    \SystemRoot\system32\drivers\NETIO.SYS
0xe000014b3500   kbdclass.sys   0xf80001a1f000   0x10000    \SystemRoot\System32\drivers\kbdclass.sys
0xe00001339b50   drmk.sys       0xf80001c00000   0x1c000    \SystemRoot\system32\drivers\drmk.sys
0xe00000054b70   ksecpkg.sys    0xf80000db7000   0x34000    \SystemRoot\System32\Drivers\ksecpkg.sys
0xe00000054100   CLASSPNP.SYS   0xf80000800000   0x56000    \SystemRoot\System32\drivers\CLASSPNP.SYS
```

## mutantscan (MutantScan)

Scan for mutant objects (_KMUTANT).

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
This plugin uses pool scanning techniques to find _KMUTANT objects. Mutants implement a "named semaphore" in Windows. This is used by malware to ensure only a single copy of the malware is running at the same time. By analyzing the name of the Mutant that a specific malware strain is using it is possible to tell immediately if the malware is running on the machine.

For more information, see Andreas Schuster's [Searching for Mutants](http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html).

### Notes

1. Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _KMUTANT structures out of memory.
2. It is more efficient to search for named mutants using the [object_tree](ObjectTree.html) plugin, since it does not use pool scanning techniques.
3. When inspecting the output, the #Hnd column indicates the number of handles to this _KMUTANT. Objects in use will have a nonzero value here and are likely not to have been freed.
### Sample output

```
win8.1.raw 23:46:56> mutantscan scan_in_kernel=1
                     mutantscan(scan_in_kernel=1)
Offset(P)        #Ptr     #Hnd  Signal  Thread           CID        Name
0xe0000007f810   3        2     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
0xe0000007f8d0   3        2     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1600.db!dfMaintainer
0xe000000b8d00   32722    1     1       0x000000000000              BcdSyncMutant
0xe00000624240   32769    1     0       0xe00000624700   556:1396   F659A567-8ACB-4E4A-92A7-5C2DD1884F72
0xe000006f4a60   32768    1     0       0xe000006dc080   2332:2460  Instance2:ESENTPerformanceDataSchemaVersion255
0xe00001253080   32768    1     0       0xe000007fd080   880:3144   Instance3:ESENTPerformanceDataSchemaVersion255
0xe00001262360   2        1     1       0x000000000000              ARC_AppRepSettings_Mutex
0xe00001272530   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_1024.db!dfMaintainer
0xe000012725f0   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_256.db!dfMaintainer
0xe000012726b0   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_96.db!dfMaintainer
0xe00001272770   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_48.db!dfMaintainer
0xe00001272ac0   131007   4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_32.db!dfMaintainer
0xe0000128e1e0   131005   4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_16.db!dfMaintainer
0xe0000129a2c0   32734    1     1       0x000000000000              SmartScreen_AppRepSettings_Mutex
0xe000012c7950   131061   4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!IconCacheInit
0xe000012c7a10   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide_alternate.db!dfMaintainer
0xe000012c7ad0   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_exif.db!dfMaintainer
0xe000012c7b90   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide.db!dfMaintainer
0xe000012c7c50   5        4     1       0x000000000000              C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_sr.db!dfMaintainer
...
```

## object_tree (ObjectTree)

Visualize the kernel object tree.

Ref: http://msdn.microsoft.com/en-us/library/windows/hardware/ff557762(v=vs.85).aspx

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| type_regex | RegEx | Filter the type of objects shown. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
The Windows kernel has the notion of a Kernel Object. Objects are managed by the kernel through a dedicated API. Kernel Objects are typically used to manage resources which the kernel manages on behalf of user space; for example, open files are managed via the _FILE_OBJECT object.

Objects can be named using a directory structure not unlike a filesystem. Objects are placed inside an _OBJECT_DIRECTORY object which contains other objects, including other directories. This means that named kernel objects form a tree in memory. It is possible to discover all currently in-use named objects by following this object tree in memory, which is what this plugin does. This is an alternative to the scanning approach employed by plugins like psscan, driverscan etc.

### Notes

1. The object tree only tracks named objects. So for example Process objects are typically not tracked here, but Mutants, SymbolicLinks etc. are.
2. It is possible to filter objects by type. So for example to enumerate all Mutants one would use the type_regex="Mutant" option.
3. SymbolicLinks also contain the timestamp when they were created. Note that SymbolicLinks are typically used to provide user space access to a kernel driver (via the CreateFile API), so a timestamp here is a good indication of when a driver was loaded.
### Sample output

```
# Enumerate all drivers
win7.elf 01:25:12> object_tree type_regex="Driver"
                   object_tree(type_regex="Driver")
_OBJECT_HEADER   Type     Name
0xfa80025e5d10   Driver   . mrxsmb10
0xfa80025e1190   Driver   . mrxsmb
0xfa8001953940   Driver   . mrxsmb20
....

# We can examine a specific object using the virtual offset.
win7.elf 01:28:18> x = profile._OBJECT_HEADER(0xfa80019fb8d0)
win7.elf 01:28:34> print x.get_object_type()
Driver

# We can dereference the exact object contained in this header (in this case
# _DRIVER_OBJECT.
win7.elf 01:28:40> print x.Object
[_DRIVER_OBJECT _DRIVER_OBJECT] @ 0xFA80019FB900
  0x00 Type              [short:Type]: 0x00000004
  0x02 Size              [short:Size]: 0x00000150
  0x08 DeviceObject
  0x10 Flags             [unsigned long:Flags]: 0x00000012
  0x18 DriverStart
  0x20 DriverSize        [unsigned long:DriverSize]: 0x0000B000
  0x28 DriverSection
  0x30 DriverExtension
  0x38 DriverName        [_UNICODE_STRING DriverName] @ 0xFA80019FB938 (\Driver\rdpbus)
  0x48 HardwareDatabase
  0x50 FastIoDispatch
  0x58 DriverInit
  0x60 DriverStartIo
  0x68 DriverUnload
  0x70 MajorFunction
win7.elf 01:29:01> print x.Object.DriverName
\Driver\rdpbus
```

In the next example we search for SymbolicLinks for the pmem device and discover when the pmem driver was loaded.

```
win7.elf 01:38:53> object_tree type_regex="Symbolic"
0xf8a0003a58a0   SymbolicLink   . Root#MS_PPPOEMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361} -> \Device\00000034 (2012-10-01 21:39:55+0000)
0xf8a0003c1030   SymbolicLink   . Root#*ISATAP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c} -> \Device\00000001 (2012-10-01 21:39:51+0000)
0xf8a00007fda0   SymbolicLink   . WMIAdminDevice -> \Device\WMIAdminDevice (2012-10-01 21:39:45+0000)
0xf8a0056e8dd0   SymbolicLink   . pmem -> \Device\pmem (2012-10-01 14:40:44+0000)
0xf8a0001111c0   SymbolicLink   . Root#MS_NDISWANIP#0000#{cac88484-7515-4c03-82e6-71a87abac361} -> \Device\00000032 (2012-10-01 21:39:55+0000)
0xf8a0003bef20   SymbolicLink   . Root#MS_NDISWANBH#0000#{cac88484-7515-4c03-82e6-71a87abac361} -> \Device\00000031 (2012-10-01 21:39:55+0000)
0xf8a000006f40   SymbolicLink   . Global -> \GLOBAL (2012-10-01 21:39:45+0000)
```

## object_types (Objects)

Displays all object Types on the system.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
The Windows kernel has the notion of a Kernel Object. Objects are managed by the kernel through a dedicated API. Kernel Objects are typically used to manage resources which the kernel manages on behalf of user space; for example, open files are managed via the _FILE_OBJECT object.

There is a fixed number of kernel object types; each is described by an _OBJECT_TYPE structure, the address of which can be found at the ObpObjectTypes symbol.

### Notes

1. Each time a new object is created by the kernel, the NumberOfObjects count increases. For every freed object, this number decreases. The counter therefore represents the total number of active instances of this object type.
2. The number of kernel object types varies between Windows kernel versions. In order to find the size of the ObpObjectTypes array, Rekall uses the reference count on the Type object type, since each kernel object type has a unique _OBJECT_TYPE structure.
3. The NumberOfObjects count also has forensic significance. For example the total number of Process objects represents the total number of _EPROCESS structures in current use (note that a process may be terminated but the _EPROCESS is still kept in use).

### Sample output

The output below indicates that there should be 41 processes active, and 548 threads.
win7.
elf01:39:36>object_typesobject_types()IndexNumberObjectsPoolTypeName242NonPagedPoolType340PagedPoolDirectory4173PagedPoolSymbolicLink5704PagedPoolToken63NonPagedPoolJob741NonPagedPoolProcess8548NonPagedPoolThread90NonPagedPoolUserApcReserve101NonPagedPoolIoCompletionReserve.
.
.
50Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2pedump(PEDump)DumpaPEbinaryfrommemory.
| Parameter | Type | Description |
|---|---|---|
| address_space | AddressSpace | The address space to use. |
| dtb | IntParser | The DTB physical address. |
| image_base | SymbolAddress | The address of the image base (dos header). |
| out_fd | String | A file like object to write the output. |
| out_file | String | The filename to write. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
Windows executable files (PE files) are mapped into memory from disk. This plugin can dump arbitrary PE files from memory (whether they are executables, DLLs, kernel modules etc). All we require is the PE file's mapped base address, i.e. the location in the virtual address space where the MZ header resides.

The image_base offset can be specified using a named address as usual. So for example, to specify a kernel module it is sufficient to just name it (e.g. pedump "nt" will dump the kernel image).

This plugin is used by the dlldump, moddump, procdump etc. plugins.

### Notes

1. In order to dump any PE file from memory we need the PE header to be memory resident. Often this is not the case, and the header is flushed out of virtual memory. In this case it is still possible to dump parts of the PE image using the [vaddump](VADDump.html) plugin.

2. When dumping any binary from memory, it is not usually a perfect binary (i.e. you cannot just run it). This is because the Import Address Table (IAT) reflects the patched version in memory and some pages may be missing; the dump uses the section table to map each section's in-memory address back to its file offset, and non-resident pages come out zero-filled. The resultant binary is probably only useful to analyses using a tool like IDA Pro, and its hash will not match the on-disk file.
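The section-by-section copy a dump needs, as an added example written for this page (it is not Rekall's pedump code): it parses the DOS/NT headers and section table at the image base, copies each section from its VirtualAddress back to its PointerToRawData, and zero-fills and reports any page the address space returns as non-resident. The test image, the reader and the set of paged-out pages are constructed for the example.

```python
"""Rebuild a PE file's on-disk layout from its in-memory image.

A mapped image is laid out by each section's VirtualAddress; the file on disk
is laid out by PointerToRawData. Dumping therefore means: read the headers at
image_base, then copy every section from its VMA back to its raw file offset.
Pages that are not resident are zero-filled and reported, which is one reason a
dumped binary rarely runs as-is. (Added example; the test image is constructed.)
"""
import struct

PAGE = 0x1000


def parse_headers(hdr):
    """Parse DOS/NT headers and the section table from the image's first page.
    Returns (SizeOfHeaders, [(name, vma, vsize, rawptr, rawsize), ...])."""
    if hdr[:2] != b"MZ":
        raise ValueError("no MZ signature at image base")
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if hdr[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", hdr, e_lfanew + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", hdr, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    size_of_headers = struct.unpack_from("<I", hdr, e_lfanew + 24 + 60)[0]  # OptionalHeader.SizeOfHeaders
    sections, off = [], e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, vsize, vma, rawsize, rawptr = struct.unpack_from("<8sIIII", hdr, off + 40 * i)
        sections.append((name.rstrip(b"\0"), vma, vsize, rawptr, rawsize))
    return size_of_headers, sections


def dump_pe(read, image_base):
    """read(va, size) -> bytes, or None when the page is not resident.
    Returns (file_bytes, sections, missing); missing lists (section, vma) of
    pages that had to be zero-filled."""
    hdr = read(image_base, PAGE)
    if hdr is None:
        raise ValueError("PE header is not memory resident; try vaddump")
    size_of_headers, sections = parse_headers(hdr)
    out, missing = bytearray(hdr[:size_of_headers]), []
    for name, vma, vsize, rawptr, rawsize in sections:
        # Copy page by page so a single paged-out page does not abort the dump.
        for off in range(0, rawsize, PAGE):
            n = min(PAGE, rawsize - off)
            chunk = read(image_base + vma + off, n)
            if chunk is None:
                chunk = bytes(n)
                missing.append((name, vma + off))
            end = rawptr + off + n
            if len(out) < end:
                out.extend(bytes(end - len(out)))
            out[rawptr + off:end] = chunk
    return bytes(out), sections, missing


def build_test_image():
    """Constructed minimal PE32+ image in memory layout (not a real binary):
    headers in page 0, .text at RVA 0x1000 (raw 0x400), .data at RVA 0x2000 (raw 0x600)."""
    secs = [(b".text", 0x1000, 0x1000, 0x400, 0x200), (b".data", 0x2000, 0x1000, 0x600, 0x200)]
    e_lfanew, opt = 0x80, bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 60, 0x400)       # SizeOfHeaders
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, len(secs), 0, 0, 0, len(opt), 0x22)
    hdr[e_lfanew + 24:e_lfanew + 24 + len(opt)] = opt
    off = e_lfanew + 24 + len(opt)
    for name, vma, vsize, rawptr, rawsize in secs:
        struct.pack_into("<8sIIIIIIHHI", hdr, off, name, vsize, vma, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        off += 40
    image = bytearray(0x3000)
    image[:0x400] = hdr
    image[0x1000:0x1200] = b"\x90" * 0x200       # .text
    image[0x2000:0x2200] = b"D" * 0x200          # .data
    return bytes(image), 0x140000000


def make_reader(image, image_base, paged_out=()):
    """Simulate the address space: pages listed in paged_out read as absent."""
    def read(va, size):
        off = va - image_base
        if off < 0 or off + size > len(image) or (off // PAGE) in paged_out:
            return None
        return image[off:off + size]
    return read


if __name__ == "__main__":
    image, base = build_test_image()
    data, secs, missing = dump_pe(make_reader(image, base, paged_out={2}), base)
    print(len(data), [s[0] for s in secs], missing)
```

With page 2 (the .data section) paged out, the dump is still produced but the .data bytes are zeros and the page is listed in `missing`; with page 0 paged out the header is gone and the function refuses, which is the situation note 1 describes.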
pfn (PFNInfo)
Prints information about an address from the PFN database.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| pfn | IntParser | The PFN to examine. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
psscan (PSScan)
Scan physical memory for _EPROCESS pool allocations.

Status flags:
  E: A known _EPROCESS address from pslist.
  P: A known pid from pslist.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
Pool scanning is a technique for discovering kernel data structures based on signatures. It is essentially the memory forensic equivalent of carving. The psscan plugin carves for _EPROCESS structures in memory.

By default the plugin scans in the physical address space. Any hits are resolved into the virtual address space by following the lists. If scan_kernel is specified, the scanning occurs in the kernel address space instead.

### Notes

1. Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _EPROCESS structures out of memory. On the other hand, this plugin may reveal processes which have terminated or whose _EPROCESS has been freed, and processes that were unlinked from the lists pslist walks. The E and P status flags mark hits that pslist already knows about; a hit with neither flag set is the one to look at.

2. The plugin displays the physical address of the _EPROCESS found. It may be possible to derive its virtual address using the [ptov](PtoV.html) plugin. Alternatively, specify the scan_kernel option to ensure scanning occurs in the kernel address space, so that virtual addresses are reported directly.
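The carving step described above, as an added example written for this page rather than taken from Rekall: it scans a constructed buffer for the Proc pool tag at 16-byte-aligned pool headers, validates each candidate, and reports whether the allocation is still in use and whether the process has exited. The x64 _POOL_HEADER layout is real; the _EPROCESS field offsets (OFF_DTB, OFF_PID, OFF_NAME, OFF_EXIT), the sample memory and the validation rules are constructed, simplified stand-ins for what Rekall takes from the kernel profile.

```python
"""Pool-tag scanning for _EPROCESS candidates in a raw memory buffer.

Added example, not Rekall's psscan. The x64 _POOL_HEADER is 16 bytes: one
32-bit word holding PreviousSize:8 PoolIndex:8 BlockSize:8 PoolType:8, a
4-byte PoolTag, and a pointer to the billed process. The allocation body
starts right after the header. The _EPROCESS offsets below are a constructed,
simplified layout used only here; Rekall reads the real ones from the profile.
"""
import struct

POOL_HEADER = 16
TAG = b"Proc"
EPROC_SIZE = 0x100                                              # constructed
OFF_DTB, OFF_PID, OFF_NAME, OFF_EXIT = 0x28, 0x40, 0x50, 0x60   # constructed


def pool_header(block_units, pool_type, tag):
    """BlockSize is in 16-byte units and includes the header itself."""
    bits = (block_units << 16) | (pool_type << 24)
    return struct.pack("<I4sQ", bits, tag, 0)


def fake_eprocess(dtb, pid, name, exit_time=0):
    body = bytearray(EPROC_SIZE)
    struct.pack_into("<Q", body, OFF_DTB, dtb)
    struct.pack_into("<Q", body, OFF_PID, pid)
    body[OFF_NAME:OFF_NAME + len(name)] = name
    struct.pack_into("<Q", body, OFF_EXIT, exit_time)
    return bytes(body)


def build_memory():
    """Constructed 64 KiB 'physical memory' containing five 'Proc' strings."""
    mem = bytearray(0x10000)
    units = (POOL_HEADER + EPROC_SIZE) // 16
    # 1: live allocation (PoolType != 0) for System
    mem[0x1000:0x1010] = pool_header(units, 2, TAG)
    mem[0x1010:0x1110] = fake_eprocess(0x187000, 4, b"System")
    # 2: terminated process whose _EPROCESS is still allocated (ExitTime set)
    mem[0x3000:0x3010] = pool_header(units, 2, TAG)
    mem[0x3010:0x3110] = fake_eprocess(0x3a9c2000, 1452, b"notepad.exe", 0x01CF19370000)
    # 3: freed block (PoolType == 0) whose contents were not yet overwritten
    mem[0x5000:0x5010] = pool_header(units, 0, TAG)
    mem[0x5010:0x5110] = fake_eprocess(0x4f110000, 1337, b"evil.exe")
    # 4: aligned tag with a plausible header but a garbage body: a false positive
    mem[0x7000:0x7010] = pool_header(units, 2, TAG)
    mem[0x7010:0x7110] = b"A" * EPROC_SIZE
    # 5: the tag as plain text at an unaligned offset (never a pool header)
    mem[0x9001:0x9008] = b"Process"
    return bytes(mem)


def scan_eprocess(mem, page=0x1000):
    """Return candidate processes found by carving 'Proc' pool allocations."""
    hits, pos = [], mem.find(TAG)
    while pos != -1:
        hdr = pos - 4                          # PoolTag sits 4 bytes into the header
        if hdr >= 0 and hdr % 16 == 0:         # pool blocks are 16-byte aligned
            bits = struct.unpack_from("<I", mem, hdr)[0]
            block_size = ((bits >> 16) & 0xFF) * 16
            pool_type = bits >> 24
            obj = hdr + POOL_HEADER
            if block_size >= POOL_HEADER + EPROC_SIZE and obj + EPROC_SIZE <= len(mem):
                dtb = struct.unpack_from("<Q", mem, obj + OFF_DTB)[0]
                pid = struct.unpack_from("<Q", mem, obj + OFF_PID)[0]
                exit_time = struct.unpack_from("<Q", mem, obj + OFF_EXIT)[0]
                name = mem[obj + OFF_NAME:obj + OFF_NAME + 15].split(b"\0", 1)[0]
                # Sanity checks that weed out most carving false positives: the
                # DTB must be a non-zero, page-aligned physical address and the
                # image name must be printable ASCII.
                if dtb and dtb % page == 0 and name and all(0x20 <= c < 0x7F for c in name):
                    hits.append({"offset": obj, "pid": pid, "name": name.decode(),
                                 "dtb": dtb, "in_use": pool_type != 0,
                                 "exited": exit_time != 0})
        pos = mem.find(TAG, pos + 1)
    return hits


if __name__ == "__main__":
    for hit in scan_eprocess(build_memory()):
        print(hex(hit["offset"]), hit["pid"], hit["name"], hit["in_use"], hit["exited"])
```

The freed "evil.exe" block is exactly what note 1 means by a process that pslist can no longer show but the scanner still can; the garbage-bodied hit at 0x7000 is the false positive that only the validation step removes.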
pstree (PSTree)
Print process list as a tree

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
This plugin displays all known processes in a tree form (i.e. the process parents with their children). This is useful to see which process launched another process.

### Notes

Sometimes malware will launch a process called "lsass.exe" or "csrss.exe". This plugin helps to highlight discrepancies, since the genuine processes are normally only launched from known parent processes (in the sample output below, csrss.exe and wininit.exe both have the parent PID 340).

Using the verbose=1 flag will also print the command line of each process as determined by three methods:

- cmd: task.Peb.ProcessParameters.CommandLine
- path: task.Peb.ProcessParameters.ImagePathName
- audit: task.SeAuditProcessCreationInfo.ImageFileName.Name

The first two are read from the PEB, which lives in the process's own user-mode memory and can be rewritten by the process itself; the audit name is recorded by the kernel at process creation. A mismatch between the PEB values and the audit name is itself worth a closer look.

### Sample output

    win7.elf 14:55:19> pstree verbose=1
      Name                           Pid   PPid  Thds  Hnds  Time
      ------------------------------ ----- ----- ----- ----- ------------------------
      0xFA8002259060:csrss.exe       348   340   9     436   2012-10-01 21:39:57+0000
        cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
        path: C:\Windows\system32\csrss.exe
        audit: \Device\HarddiskVolume2\Windows\System32\csrss.exe
      0xFA8000901060:wininit.exe     384   340   3     75    2012-10-01 21:39:57+0000
        cmd: wininit.exe
        path: C:\Windows\system32\wininit.exe
        audit: \Device\HarddiskVolume2\Windows\System32\wininit.exe
      . 0xFA800206D5F0:services.exe  480   384   11    208   2012-10-01 21:39:58+0000
        cmd: C:\Windows\system32\services.exe
        path: C:\Windows\system32\services.exe
        audit: \Device\HarddiskVolume2\Windows\System32\services.exe
      .. 0xFA80024F85D0:svchost.exe  236   480   19    455   2012-10-01 14:40:01+0000
        cmd: C:\Windows\system32\svchost.exe -k LocalService
        path: C:\Windows\system32\svchost.exe
        audit: \Device\HarddiskVolume2\Windows\System32\svchost.exe

pagefiles (Pagefiles)
Report all the active pagefiles.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
pool_tracker (PoolTracker)
Enumerate pool tag usage statistics.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
The Windows kernel allocates memory from a shared pool. In order to track memory leaks and to aid in debugging, pool allocations typically have fixed tags indicating the component which allocated the memory. For example, in Windows 8, allocating an _EPROCESS struct results in a pool allocation with a tag of Proc.

To aid in debugging, Windows tracks pool allocations in a special table found by the symbol PoolTrackTable. This table records the total number of allocations and deallocations associated with a particular pool tag; the difference is the number of allocations still outstanding. From a forensic point of view, this information can be used to assess how many live instances of a structure we expect to be present. For example, the outstanding Proc allocations tell us how many _EPROCESS structures should currently exist.

### Notes

1. Just because a process is terminated does not mean the _EPROCESS structure is immediately deallocated. Windows might keep these structures alive for some time for various reasons. A discrepancy here is at best a hint that something does not add up.
### Sample output

    win8.1.raw 15:29:07> pool_tracker
      Tag   NP Alloc     NP Bytes  P Alloc       P Bytes
      ----  -----------  --------  ------------  -------
      DMV   1 (0)        0         0 (0)         0
      8042  6 (4)        4048      12 (0)        0
      ACPI  4 (0)        0         0 (0)         0
      AFGp  1 (0)        0         0 (0)         0
      ALPC  3211 (770)   434240    0 (0)         0
      ARFT  0 (0)        0         151 (3)       192
      AcpA  2 (2)        160       0 (0)         0
      AcpB  0 (0)        0         121 (0)       0
      ...
      Pprl  0 (0)        0         3 (0)         0
      Ppsu  0 (0)        0         1394 (223)    18512
      Prcr  5 (4)        5440      13 (0)        0
      Proc  137 (48)     91328     0 (0)         0
      PsFn  136 (0)      0         0 (0)         0
      ...

    win8.1.raw 15:36:40> pslist
    pslist()
      Offset (V)  Name  PID  PPID  Thds  Hnds  Sess  Wow64  Start  Exit
    DEBUG:root:Listed 48 processes using PsActiveProcessHead
    DEBUG:root:Listed 43 processes using CSRSS
    DEBUG:root:Listed 47 processes using PspCidTable
    DEBUG:root:Listed 45 processes using Sessions
    DEBUG:root:Listed 45 processes using Handles
    ...

In the Alloc columns the number in parentheses is the count of allocations still outstanding. In the above example we see that there are 48 outstanding Proc allocations (137 allocated in total) and that there are 48 members in the PsActiveProcessHead list, so the two views agree. The other listing methods see fewer processes, which is expected: a process without a CSRSS handle, a session, or open handles is not necessarily hidden. The case to chase is the opposite one, a process seen by PspCidTable or Handles but missing from PsActiveProcessHead.
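An added example (constructed data, not Rekall's code) of reading these numbers the way the note suggests: each listing method contributes a set of _EPROCESS offsets, the union is compared against every method, processes absent from PsActiveProcessHead but present elsewhere are flagged, and the outstanding Proc count from the pool tracker is compared against the most complete listing. The offsets in SAMPLE are made up for the example.

```python
"""Cross-view check of process listings against each other and against the
pool tracker's outstanding Proc count. Added example with constructed data;
not Rekall's code. Offsets stand in for _EPROCESS kernel addresses."""


def cross_view(listings):
    """listings: {method name: set of _EPROCESS offsets seen by that method}.
    Returns {offset: [methods that did NOT see it]} for every process that at
    least one method missed."""
    every = set().union(*listings.values())
    report = {}
    for proc in sorted(every):
        missed_by = sorted(m for m, seen in listings.items() if proc not in seen)
        if missed_by:
            report[proc] = missed_by
    return report


def hidden_candidates(listings, linked_list="PsActiveProcessHead"):
    """Processes absent from the doubly linked list but present in another
    view (handle table, PspCidTable, session list...): the DKOM unlinking
    signature. Not proof by itself; a process that exited between two walks
    can look similar."""
    return sorted(p for p, missed in cross_view(listings).items() if linked_list in missed)


def pool_discrepancy(outstanding_proc, listings):
    """Outstanding 'Proc' allocations minus the largest listing. Positive means
    _EPROCESS blocks exist that no enumeration method shows: terminated but
    not yet freed (see note 1), or hidden from every list."""
    return outstanding_proc - max(len(seen) for seen in listings.values())


# Constructed sample: four processes; one is unlinked from PsActiveProcessHead
# but still has a PspCidTable entry and open handles.
SAMPLE = {
    "PsActiveProcessHead": {0xE000000AB040, 0xE00000123080, 0xE0000022D880},
    "PspCidTable":         {0xE000000AB040, 0xE00000123080, 0xE0000022D880, 0xE0000031F040},
    "Handles":             {0xE000000AB040, 0xE00000123080, 0xE0000031F040},
}

if __name__ == "__main__":
    print({hex(p): m for p, m in cross_view(SAMPLE).items()})
    print([hex(p) for p in hidden_candidates(SAMPLE)], pool_discrepancy(5, SAMPLE))
```

Here 0xE0000022D880 is missing only from the handle view (a process with no open handles, for example one that is exiting), whereas 0xE0000031F040 is missing only from the linked list and is the candidate worth pulling with psscan and procinfo.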
pools (Pools)
Prints information about system pools.

Ref:
- http://illmatics.com/Windows%208%20Heap%20Internals.pdf
- https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf
- https://immunityinc.com/infiltrate/archives/kernelpool_infiltrate2011.pdf
- http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/ex/pool.c

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
printkey (PrintKey)
Print a registry key, and its subkeys and values

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
privileges (Privileges)
Prints process privileges.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
procdump (ProcExeDump)
Dump a process to an executable file sample

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| out_fd | String | A file like object to write the output. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

This plugin dumps the main executable image of a Windows process. It is equivalent to calling pedump with an image_base corresponding to the VAD region that maps the main process executable, and it inherits pedump's limitations: the PE header must be resident, and the dumped file reflects the in-memory state rather than the file on disk. The procdump plugin is a thin wrapper around the pedump plugin.
### Sample output

    win7.elf 14:42:55> procdump proc_regex="csrss", dump_dir="/tmp/"
    Dumping csrss.exe, pid: 348 output: executable.csrss_exe_348.exe
    Dumping csrss.exe, pid: 396 output: executable.csrss_exe_396.exe

procinfo (ProcInfo)
Dump detailed information about a running process.
| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
The procinfo plugin displays basic information about a process. It takes all the usual process selectors (e.g. pid, name etc.) and prints information about the PE file (using peinfo) as well as the process environment strings. The PE information is read from the mapped image in memory, so the import table and version resource shown are whatever the process currently has mapped.
### Sample output

    win7.elf 14:43:15> procinfo proc_regex="csrss"
    Pid: 348 csrss.exe

    Process Environment
      ComSpec=C:\Windows\system32\cmd.exe
      FP_NO_HOST_CHECK=NO
      NUMBER_OF_PROCESSORS=1
      OS=Windows_NT
      Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
      PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
      PROCESSOR_ARCHITECTURE=AMD64
      PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 37 Stepping 2, GenuineIntel
      PROCESSOR_LEVEL=6
      PROCESSOR_REVISION=2502
      PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
      SystemDrive=C:
      SystemRoot=C:\Windows
      TEMP=C:\Windows\TEMP
      TMP=C:\Windows\TEMP
      USERNAME=SYSTEM
      windir=C:\Windows

    PE Infomation
      Attribute                    Value
      Machine                      IMAGE_FILE_MACHINE_AMD64
      TimeDateStamp                2009-07-13 23:19:49+0000
      Characteristics              IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
      GUID/Age                     E8979C26A0EE47A69575E54FA6C7F6BE1
      PDB                          csrss.pdb
      MajorOperatingSystemVersion  6
      MinorOperatingSystemVersion  1
      MajorImageVersion            6
      MinorImageVersion            1
      MajorSubsystemVersion        6
      MinorSubsystemVersion        1

    Sections (Relative to 0x497B0000):
      Perm  Name    VMA             Size
      xr-   .text   0x000000001000  0x000000000c00
      -rw   .data   0x000000002000  0x000000000200
      -r-   .pdata  0x000000003000  0x000000000200
      -r-   .rsrc   0x000000004000  0x000000000800
      -r-   .reloc  0x000000005000  0x000000000200

    Data Directories:
      -                                     VMA             Size
      IMAGE_DIRECTORY_ENTRY_EXPORT          0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_IMPORT          0x0000497b17c4  0x00000000003c
      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0000497b4000  0x0000000007f8
      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0000497b3000  0x00000000003c
      IMAGE_DIRECTORY_ENTRY_SECURITY        0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0000497b5000  0x00000000000c
      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0000497b10a0  0x00000000001c
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_TLS             0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0000497b02b0  0x000000000030
      IMAGE_DIRECTORY_ENTRY_IAT             0x0000497b1000  0x000000000098
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x000000000000  0x000000000000
      IMAGE_DIRECTORY_ENTRY_RESERVED        0x000000000000  0x000000000000

    Import Directory (Original):
      Name                                      Ord
      ntdll.dll!NtSetInformationProcess         498
      ntdll.dll!RtlSetHeapInformation           1158
      ntdll.dll!RtlSetUnhandledExceptionFilter  1179
      ntdll.dll!NtTerminateProcess              535
      ntdll.dll!RtlVirtualUnwind                1264
      ntdll.dll!RtlLookupFunctionEntry          1025
      ntdll.dll!RtlCaptureContext               635
      ntdll.dll!NtTerminateThread               536
      ntdll.dll!RtlUnhandledExceptionFilter     1219
      ntdll.dll!RtlSetProcessIsCritical         1166
      ntdll.dll!isspace                         1900
      ntdll.dll!RtlUnicodeStringToAnsiString    1222
      ntdll.dll!RtlAllocateHeap                 613
      ntdll.dll!RtlFreeAnsiString               840
      ntdll.dll!RtlNormalizeProcessParams       1041
      CSRSRV.dll!CsrServerInitialization        22
      CSRSRV.dll!CsrUnhandledExceptionFilter    26

    Export Directory:
      Entry  Stat  Ord  Name

    Version Information:
      key               value
      CompanyName       Microsoft Corporation
      FileDescription   Client Server Runtime Process
      FileVersion       6.1.7600.16385 (win7_rtm.090713-1255)
      InternalName      CSRSS.Exe
      LegalCopyright    Microsoft Corporation. All rights reserved.
      OriginalFilename  CSRSS.Exe
      ProductName       Microsoft Windows Operating System
      ProductVersion    6.1.7600.16385

ptov (PtoV)
Converts a physical address to a virtual address.
| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| physical_address | IntParser | The physical address to examine. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
This plugin uses the PFN database to convert a physical page to its virtual address. It is similar to the pas2vas plugin in this regard, but does not need to enumerate all address spaces prior to running (so it is a bit faster).

### Notes

1. The plugin currently only works for kernel addresses and for 4k pages. So for example this will not work reliably for pool memory (since pool is allocated in 2mb large pages). The sample output below shows exactly this: vtop resolves 0xfa8002635810 through a large-page PDE to the physical address 0x2ac35810, but ptov on that physical address reports a different virtual address.

2. If this plugin does not work for a certain address, try the pas2vas plugin, and confirm the answer with vtop in the other direction before relying on it.
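Added example, not Rekall's code: a four-level x64 walk equivalent to vtop, and the table-enumerating inverse that the pas2vas approach relies on, over constructed page tables that mirror the walk in the sample output below (DTB 0x271ec000, PML4E index 0x1f5, PDPTE 0, a large-page PDE at index 0x13 and a 4 KiB mapping under index 0x14). It shows why a large page needs separate handling: the walk stops at the PDE, and the inverse must report the 2 MiB frame rather than a 4 KiB one. The PFN-database method that ptov itself uses is not reproduced.

```python
"""x64 four-level page-table walk (vtop) and the page-table-enumerating
inverse (the pas2vas approach), with 2 MiB large-page handling.

Added example with constructed page tables; not Rekall's code. Rekall's ptov
walks up through the PFN database instead, which is not reproduced here.
"""
import struct

PAGE, LARGE = 0x1000, 0x200000
PRESENT, LARGE_PAGE = 1 << 0, 1 << 7
TABLE_MASK = 0x000FFFFFFFFFF000      # next-table / 4 KiB frame address bits
LARGE_MASK = 0x000FFFFFFFE00000      # 2 MiB frame address bits


class PhysMem:
    """Sparse physical memory: page number -> bytearray(PAGE)."""
    def __init__(self):
        self.pages = {}

    def read_qword(self, pa):
        page = self.pages.get(pa >> 12)
        return struct.unpack_from("<Q", page, pa & 0xFFF)[0] if page else 0

    def write_qword(self, pa, value):
        page = self.pages.setdefault(pa >> 12, bytearray(PAGE))
        struct.pack_into("<Q", page, pa & 0xFFF, value)


def canonical(va):
    """Sign-extend a 48-bit virtual address into x64 canonical form."""
    return va | 0xFFFF000000000000 if va & (1 << 47) else va


def vtop(mem, dtb, va):
    """Return (physical address, page size) for va, or None if unmapped."""
    pml4e = mem.read_qword(dtb + ((va >> 39) & 0x1FF) * 8)
    if not pml4e & PRESENT:
        return None
    pdpte = mem.read_qword((pml4e & TABLE_MASK) + ((va >> 30) & 0x1FF) * 8)
    if not pdpte & PRESENT:
        return None          # (1 GiB pages via PDPTE bit 7 are not handled here)
    pde = mem.read_qword((pdpte & TABLE_MASK) + ((va >> 21) & 0x1FF) * 8)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:     # the PDE maps a 2 MiB page directly; no PTE level
        return (pde & LARGE_MASK) | (va & (LARGE - 1)), LARGE
    pte = mem.read_qword((pde & TABLE_MASK) + ((va >> 12) & 0x1FF) * 8)
    if not pte & PRESENT:
        return None
    return (pte & TABLE_MASK) | (va & (PAGE - 1)), PAGE


def enumerate_mappings(mem, dtb):
    """Yield (va, physical frame, size) for every present mapping under dtb."""
    for i4 in range(512):
        pml4e = mem.read_qword(dtb + i4 * 8)
        if not pml4e & PRESENT:
            continue
        for i3 in range(512):
            pdpte = mem.read_qword((pml4e & TABLE_MASK) + i3 * 8)
            if not pdpte & PRESENT:
                continue
            for i2 in range(512):
                pde = mem.read_qword((pdpte & TABLE_MASK) + i2 * 8)
                if not pde & PRESENT:
                    continue
                va = (i4 << 39) | (i3 << 30) | (i2 << 21)
                if pde & LARGE_PAGE:
                    yield canonical(va), pde & LARGE_MASK, LARGE
                    continue
                for i1 in range(512):
                    pte = mem.read_qword((pde & TABLE_MASK) + i1 * 8)
                    if pte & PRESENT:
                        yield canonical(va | (i1 << 12)), pte & TABLE_MASK, PAGE


def ptov(mem, dtb, pa):
    """Reverse-map pa by enumerating the tables. Returns (va, page size) of the
    first mapping containing pa, or None. A LARGE result is the case where a
    4 KiB-only reverse lookup would have produced a wrong answer."""
    for va, frame, size in enumerate_mappings(mem, dtb):
        if frame <= pa < frame + size:
            return va | (pa - frame), size
    return None


def build_tables():
    """Constructed tables matching the walk in the sample output."""
    mem, dtb = PhysMem(), 0x271EC000
    mem.write_qword(dtb + 0x1F5 * 8, 0x4000000 | 0x63)          # PML4E -> PDPT
    mem.write_qword(0x4000000 + 0x0 * 8, 0x4001000 | 0x63)      # PDPTE -> PD
    mem.write_qword(0x4001000 + 0x13 * 8, 0x2AC00000 | 0xE3)    # PDE: 2 MiB page (bit 7 set)
    mem.write_qword(0x4001000 + 0x14 * 8, 0x4002000 | 0x63)     # PDE -> PT
    mem.write_qword(0x4002000 + 0x35 * 8, 0x5000000 | 0x63)     # PTE: 4 KiB page
    return mem, dtb


if __name__ == "__main__":
    mem, dtb = build_tables()
    print(vtop(mem, dtb, 0xFFFFFA8002635810), ptov(mem, dtb, 0x2AC35810))
```

The enumeration is the part ptov avoids: for a real system it visits every present table under the DTB, which is why the PFN-database shortcut is faster, and why that shortcut has to know whether the frame belongs to a 2 MiB mapping.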
### Sample output

    win7.elf 15:22:57> vtop 0xfa8002635810
    vtop(0xfa8002635810)
    Virtual 0xfa8002635810 Page Directory 0x271ec000
    pml4e@ 0x271ecfa8 = 0x4000863
    pdpte@ 0x4000000 = 0x4001863
    pde@ 0x4001098 = 0x2ac009e3
    Large page mapped 0x2ae35810
    Physical Address 0x2ac35810

    win7.elf 15:23:05> ptov 0x2ac35810
    ptov(0x2ac35810)
    Physical Address 0x2ac35810 => Virtual Address 0xf6fd40035810
    DTB @ 0x187000
    PML4E @ 0x187f68
    PDPTE @ 0x187fa8
    PDE @ 0x4000000
    PTE @ 0x40011a8
raw2dmp (Raw2Dump)
Convert the physical address space to a crash dump.

The Windows debugger (Windbg) works only with memory dumps stored in the proprietary "crash dump" file format. This file format has the following features:

1. Physical memory ranges are stored in a sparse way: there is a "Runs" table which specifies the mapping between the physical offset and the file offset of each page. This allows the format to omit unmapped regions (unlike the raw format, which must pad them with zeros to maintain alignment).

2. The crash dump header contains metadata about the image. Specifically, the header contains a copy of the Kernel Debugger Data Block (AKA the KDBG). This data is used to bootstrap the Windows debugger by providing critical initial hints to the debugger. Since the KDBG block is created at system boot and never used (until the crash dump is written) it is trivial for malware to overwrite it, making it really hard for responders since Windbg will not be able to read the file. In later versions of Windows the KDBG is also obfuscated (see the function nt!KdCopyDataBlock which decrypts it).

Rekall itself does not use the KDBG block any more, although older memory forensic tools still do use it. Rekall instead relies on accurate debugging symbols to locate critical kernel data structures, reducing the level of trust we place on the image itself (so Rekall is more resilient to manipulation). In order to ensure that the Windows debugger is able to read the produced crash dump, we recreate the kernel debugger block from the symbol information we already have.

NOTE: The crash dump file format can be deduced by: dis 'nt!IoFillDumpHeader'. This is the reference for this plugin.

| Parameter | Type | Description |
|---|---|---|
| destination | String | The destination path to write the crash dump. |
| dtb | IntParser | The DTB physical address. |
| rebuild | Boolean | Rebuild the KDBG data block. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
### Notes

1. The crash dump file format can be deduced by:

       dis 'nt!IoFillDumpHeader'

   This is the reference for this plugin.

2. This plugin is really only useful in order to produce an image compatible with the Windows debugger for the purpose of further investigation by the debugger. If you find that the Windows debugger has a useful feature that Rekall does not have, please let us know so we can implement it in Rekall. We intend to replace the use of the Windows debugger in digital forensics.
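The runs-table idea from point 1 above, as an added example (constructed ranges; this is not Rekall's raw2dmp, and the real dump header layout that nt!IoFillDumpHeader defines is not reproduced): runs are packed back to back after a fixed-size header, a physical address is translated to its file offset and back, and the padding a flat raw image would have needed for the holes is computed.

```python
"""Sparse 'runs' table: physical address <-> file offset, as a crash dump
does it. Added example with constructed ranges; not Rekall's raw2dmp, and
the real header layout (nt!IoFillDumpHeader) is not reproduced."""


class RunTable:
    def __init__(self, ranges, header_size=0x2000, page=0x1000):
        """ranges: iterable of (physical_start, length); whole pages, no overlap.
        Runs are packed back to back after a fixed-size header."""
        self.runs = []                      # (phys_start, length, file_offset)
        file_off = header_size
        for start, length in sorted(ranges):
            if start % page or length % page or length == 0:
                raise ValueError("runs must be whole, non-empty pages")
            if self.runs and start < self.runs[-1][0] + self.runs[-1][1]:
                raise ValueError("runs overlap")
            self.runs.append((start, length, file_off))
            file_off += length
        self.header_size, self.file_size = header_size, file_off

    def phys_to_file(self, pa):
        """File offset that holds physical address pa, or None inside a hole."""
        for start, length, foff in self.runs:
            if start <= pa < start + length:
                return foff + (pa - start)
        return None

    def file_to_phys(self, foff):
        """Inverse mapping; None for offsets inside the header."""
        for start, length, f in self.runs:
            if f <= foff < f + length:
                return start + (foff - f)
        return None

    def raw_image_size(self):
        """What a flat raw image needs: everything up to the last run's end,
        holes included (they would be padded with zeros)."""
        start, length, _ = self.runs[-1]
        return start + length

    def bytes_saved(self):
        """Padding the sparse format avoids compared to a raw image."""
        return self.raw_image_size() - sum(length for _, length, _ in self.runs)


def example_table():
    """Constructed layout: conventional low memory, the hole below 1 MiB,
    RAM up to 2 GiB, then RAM remapped above 4 GiB."""
    return RunTable([(0x1000, 0x9E000), (0x100000, 0x7FF00000), (0x100000000, 0x80000000)])


if __name__ == "__main__":
    t = example_table()
    print(hex(t.file_size), hex(t.raw_image_size()), hex(t.bytes_saved()))
```

A reader of such a file must treat a physical address that falls in no run as unmapped rather than as zeros; a raw image cannot make that distinction, which is the other half of why the format is sparse.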
regdump (RegDump)
Dump all registry hives from memory into a dump directory.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
services (Services)
Enumerate all services.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
sessions (Sessions)
List details on _MM_SESSION_SPACE (user logon sessions).

Windows uses sessions in order to separate processes: every process belongs to a session, and session space (the kernel memory mapped on behalf of that session) is separate per session. Note that this plugin traverses the ProcessList member of the session object to list the processes, yet another list that _EPROCESS objects are on, which makes it one more independent view to compare against pslist.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
shimcachemem (ShimCacheMem)
Extract the Application Compatibility Shim Cache from kernel memory.

| Parameter | Type | Description |
|---|---|---|
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

show_allocation (ShowAllocation)
Show the allocation containing the address.

| Parameter | Type | Description |
|---|---|---|
| address | ArrayIntParser | The address to display |
| dtb | IntParser | The DTB physical address. |
| length | IntParser | How many bytes after the address to display. |
| preamble | IntParser | How many bytes prior to the address to display. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
sockets (Sockets)
Print list of open sockets. [Windows XP only]

This module enumerates the active sockets from tcpip.sys. Note that if you are using a hibernated image this might not work because Windows closes all sockets before hibernating.

_ADDRESS_OBJECT structures are arranged in a hash table found by the _AddrObjTable symbol. The hash table has a size found by the _AddrObjTableSize symbol.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
svcscan (SvcScan)
Scan for Windows services

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Windows uses services for long running processes. Services are managed by the "services.exe" process. The svcscan plugin scans the heap memory of the "services.exe" process for _SERVICE_RECORD records. These records describe the services which are loaded by the system, and even once a service has been unloaded we might still find its _SERVICE_RECORD.

### Notes

1. Since loading kernel code is usually done by inserting a kernel driver, and kernel drivers are loaded through a service, this plugin will also show forensically significant kernel driver loads.

2. This plugin relies on memory scanning and so it is not all that reliable. Often it will not reveal services which we know are running. However, it might also reveal services which have been deleted.

3. A better plugin is the services plugin, which enumerates all services from the registry. Use svcscan as a complement to it: a record found here with no matching registry entry points at a service that was deleted or hidden.

### Sample output

The below example shows a kernel driver being loaded as a service.
    Offset: 0x26f7d6a10  Order: 402  Process ID: -
    Service Name: WFPLWFS  Display Name: Microsoft Windows Filtering Platform
    Service Type: SERVICE_KERNEL_DRIVER  Service State: SERVICE_RUNNING
    Binary Path: \Driver\WFPLWFS

symlinkscan (SymLinkScan)
Scan for symbolic link objects

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
A symbolic link is a kernel object which maps one name in the kernel object tree to another name. Often a driver will set up a symbolic link to a "DOS device name" to allow access to a kernel device from user space. For example, the pmem driver makes a symbolic link from \GLOBAL??\pmem to \Device\pmem so that a user space program can use the CreateFile API to open a handle to \\.\pmem.

This plugin scans for _OBJECT_SYMBOLIC_LINK objects using pool scanning techniques.

### Notes

1. Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _OBJECT_SYMBOLIC_LINK structures out of memory. On the other hand, this plugin may reveal symlinks which have been closed or freed.

2. The interesting thing about a symlink is that it contains the timestamp of when it was created. This can be significant when determining when the system was compromised: a driver's device symlink is created when the driver loads, so its timestamp bounds when a malicious driver first ran on the system.

3. Since the symlinkscan plugin carves out _OBJECT_SYMBOLIC_LINK objects it has no context of where in the object tree the symlink exists. Hence it is unable to show parent object directories. A better plugin to use is the [object_tree](ObjectTree.html) plugin.
### Sample output

Here we see the symlinkscan plugin detecting the pmem link.

    Offset(P)       #Ptr  #Hnd  Creation time             From                                                          To
    0x00000010d470  3     2     2014-01-24 22:07:29+0000  HDAUDIO#FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034#4&136d1aa0&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}  \Device\0000001e
    0x00000040e940  1     0     2014-01-24 22:07:23+0000  Psched                                                        \Device\Psched
    0x0000004e9490  2     1     2014-01-24 22:07:32+0000  DISPLAY#Default_Monitor#4&d9dcf0b&0&UID0#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7}  \Device\00000021
    ...
    0x00002be706f0  2     1     2014-01-24 22:07:32+0000  AppContainerNamedObjects                                      \Sessions\1\AppContainerNamedObjects
    0x00002bf89f20  2     1     2014-01-24 22:07:32+0000  Global                                                        \BaseNamedObjects
    0x00002c0b8270  2     1     2014-01-24 22:07:32+0000  1                                                             \Sessions\1\BaseNamedObjects
    0x00002dbdbe00  1     0     2014-01-24 21:20:05+0000  pmem                                                          \Device\pmem
    0x00002f2b7240  1     0     2014-01-24 22:07:26+0000  HCD0                                                          \Device\USBFDO-0

thrdscan (ThrdScan)
Scan physical memory for _ETHREAD objects

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
Pool scanning is a technique for discovering kernel data structures based on signatures. It is essentially the memory forensic equivalent of carving. The thrdscan plugin carves for _ETHREAD structures (whose first member is the _KTHREAD) in memory.

By default the plugin scans in the physical address space. Any hits are resolved into the virtual address space by following the lists. If scan_kernel is specified, the scanning occurs in the kernel address space instead.

### Notes

1. Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _ETHREAD structures out of memory. On the other hand, this plugin may reveal threads which have exited or been freed. In the sample output below, the hit with the non-canonical start address 0xffe800000000 and no owning process or symbol is most likely such a false positive.

2. The plugin displays the physical address of the _ETHREAD found. It may be possible to derive its virtual address using the [ptov](PtoV.html) plugin. Alternatively, specify the scan_kernel option to ensure scanning occurs in the kernel address space.

3. This plugin is the pool scanning variant of the [threads](Threads.html) plugin.
### Sample output

The below is an example of running thrdscan over a Windows system. Note that we can still see exited threads. Rekall resolves the start address of the thread (i.e. the function which started running in this thread). This helps to identify what the thread is supposed to be doing.

    win8.1.raw 18:52:26> thrdscan
      Offset(P)       PID         TID    Start Address   Create Time  Exit Time                 Process       Symbol
      0x0000001ab080  2332        3976   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x000000230880  2392        3212   0x7ff6670fd0bc  -            2014-01-24 21:18:44+0000  VBoxTray.exe  \Windows\System32\VBoxTray.exe!+0xd0bc
      0x00000025e080  3644        1068   0x7ff7a4831070  -            -                         conhost.exe   \Windows\System32\conhost.exe!+0x1070
      0x000000261080  880         2440   0x7ff866dbaf44  -            -                         svchost.exe   \Windows\System32\wuaueng.dll!+0x3af44
      0x000000261880  880         3512   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x0000002d6080  3644        3688   0x7ff7a4833060  -            -                         conhost.exe   \Windows\System32\conhost.exe!+0x3060
      0x0000002e1080  976         3932   0x7ff877104924  -            2014-01-24 21:18:37+0000  svchost.exe   \Windows\System32\sysmain.dll!+0x94924
      0x0000002e1880  880         3324   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x00000035d080  880         1752   0x7ff866dbaf44  -            -                         svchost.exe   \Windows\System32\wuaueng.dll!+0x3af44
      0x000000558080  880         3524   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x000000613080  880         3496   0x7ff866dbaf44  -            -                         svchost.exe   \Windows\System32\wuaueng.dll!+0x3af44
      0x000000613880  3400        3648   0x7ff87f35b5c0  -            -                         MpCmdRun.exe  \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x000000668080  880         3524   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x0000006c0080  880         3692   0x7ff8733911b0  -            -                         svchost.exe   \Windows\System32\aelupsvc.dll!+0x11b0
      0x0000006ce080  880         3180   0x7ff866d81f3c  -            -                         svchost.exe   \Windows\System32\wuaueng.dll!+0x1f3c
      0x000002bd2080  880         3736   0x7ff866dbaf44  -            -                         svchost.exe   \Windows\System32\wuaueng.dll!+0x3af44
      0x00000370a080  976         3932   0x7ff877104924  -            2014-01-24 21:18:37+0000  svchost.exe   \Windows\System32\sysmain.dll!+0x94924
      0x00000370a880  880         3324   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x000004eef080  880         3692   0x7ff8733911b0  -            -                         svchost.exe   \Windows\System32\aelupsvc.dll!+0x11b0
      0x0000051a4874  2124654303  18413  0xffe800000000  -            -
      0x000005d8a080  880         3692   0x7ff8733911b0  -            -                         svchost.exe   \Windows\System32\aelupsvc.dll!+0x11b0
      0x000009f5d080  2332        3928   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x00000cbde080  2392        3880   0x7ff6670fd0bc  -            2014-01-24 21:18:24+0000  VBoxTray.exe  \Windows\System32\VBoxTray.exe!+0xd0bc
      0x00000dbdb080  2392        4084   0x7ff6670fd0bc  -            2014-01-24 21:19:27+0000  VBoxTray.exe  \Windows\System32\VBoxTray.exe!+0xd0bc
      0x00000f345080  880         1532   0x7ff866dbaf44  -            -                         svchost.exe   \Windows\System32\wuaueng.dll!+0x3af44
      0x00000f345880  880         2932   0x7ff87f35b5c0  -            -                         svchost.exe   \Windows\System32\ntdll.dll!TpPostWork+0x4a0
      0x00000f413080  4           3176   0xf802d3613418  -            -                         System        nt!MiStoreEvictThread

threads (Threads)
Enumerate threads.
| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
The threads plugin iterates over all processes and lists all threads in all processes. This is the list walking version of the [thrdscan](ThrdScan.html) plugin. A thread whose start address does not resolve to any loaded module, or that belongs to a process the process list does not show, is the usual sign of injected code.
### Sample output

    _ETHREAD        PID  TID  Start Address   Process  Symbol
    0xe00000089880  4    8    0xf802d3509ec8  System   nt!Phase1Initialization
    0xe0000011f040  4    12   0xf802d3154c04  System   nt!PopIrpWorkerControl
    0xe0000011f880  4    16   0xf802d312f868  System   nt!PopIrpWorker
    0xe0000011e040  4    20   0xf802d312f868  System   nt!PopIrpWorker
    0xe0000011e880  4    24   0xf802d31551c0  System   nt!PopFxEmergencyWorker
    0xe0000011d040  4    28   0xf802d3520f14  System   nt!ExpWorkerThreadBalanceManager
    0xe0000011d880  4    32   0xf802d30533a8  System   nt!ExpWorkerThread
    0xe0000011c880  4    36   0xf802d314cb04  System   nt!ExpWorkerFactoryManagerThread
    0xe00000120040  4    40   0xf802d3146fdc  System   nt!KiExecuteDpc
    0xe00000120880  4    44   0xf802d314f764  System   nt!MiDereferenceSegmentThread
    0xe00000124040  4    48   0xf802d3151a8c  System   nt!MiModifiedPageWriter
    0xe00000124880  4    52   0xf802d314de28  System   nt!KeBalanceSetManager
    0xe00000123040  4    56   0xf802d314bc18  System   nt!KeSwapProcessOrStack
    0xe00000122040  4    64   0xf802d314cd68  System   nt!CcQueueLazyWriteScanThread
    0xe00000122880  4    68   0xf802d3154b9c  System   nt!FsRtlWorkerThread
    0xe00000121040  4    72   0xf802d3154b9c  System   nt!FsRtlWorkerThread
    0xe00000133040  4    76   0xf802d3492540  System   nt!EtwpLogger
    0xe00000133880  4    80   0xf802d30533a8  System   nt!ExpWorkerThread
    0xe00000137040  4    84   0xf802d314c94c  System   nt!MiMappedPageWriter
    ...

timers (Timers)
Print kernel timers and associated module DPCs.
Ref: http://computer.forensikblog.de/en/2011/10/timers-and-times.html

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
The Windows kernel has a mechanism for drivers to schedule Deferred Procedure Calls (DPCs), either periodically or at a future time. This mechanism is useful for malware which wants to remain persistent but not necessarily run at all times (this reduces the malware's footprint). The kernel uses _KTIMER objects to keep track of these DPCs.

Depending on the exact OS version, the timers are arranged in slightly different data structures. On Windows XP there is a symbol KiTimerTableListHead which enumerates all timer hash tables. On Windows 7 the timer table is kept per processor, at _KPCR.PrcbData.TimerTable.TimerEntries.

Starting with Windows 7, PatchGuard uses the timer table to schedule its periodic runs. To protect PatchGuard, Microsoft obfuscates all DPC pointers stored in the timer table. This unfortunately also obfuscates every other timer's DPC, including ones possibly used by malware. Rekall is able to de-obfuscate these DPC addresses and resolve them back to their module, and will also indicate when each timer is due to go off. A routine that resolves to no loaded module, or to an unloaded one, is the entry to investigate.
### Sample output

```
win8.1.raw 22:25:53> timers
Table Offset DueTime(H) DueTime Period(ms) Signaled Routine Module
2 0xe00001a58708 0x0000000001f0df8a92 2014-01-24 21:21:14+0000 1000 Yes 0xf80000298480 wdf01000+0x8480
8 0xf802d32ecd00 0x0000000001c789ad30 2014-01-24 21:20:05+0000 0 - 0xf802d311b194 nt!CcScanDpc
9 0xf802d32bcce0 0x0000010c0d9d767529 2015-01-01 00:00:00+0000 0 - 0xf802d32467b4 nt!ExpNextYearDpcRoutine
9 0xf802d32ac920 0x0000000001e478b3c5 2014-01-24 21:20:53+0000 0 - 0xf802d3116abc nt!CmpLazyFlushDpcRoutine
13 0xf80002146660 0x0000000001f3302411 2014-01-24 21:21:18+0000 43348 Yes 0xf80002140c44 bowser+0x3c44
15 0xf8000072e320 0x00000000c877502ee7 2014-01-25 21:02:20+0000 0 - 0xf80000719230 storport+0x2323
17 0xf800024cbb28 0x0000000001fdfb093c 2014-01-24 21:21:36+0000 28348 Yes 0xf800024af550 tunnel+0x1550
18 0xe0000127ff40 0x0000000002f06baf46 2014-01-24 21:28:23+0000 0 - 0xf80000b31394 volsnap+0x2394
21 0xe0000137bb40 0x0000000001f0df8a92 2014-01-24 21:21:14+0000 1000 Yes 0xf8000194a860 usbport+0x2860
24 0xe00000203b88 0x0000000002534bd8cd 2014-01-24 21:23:59+0000 0 - 0xf80001a930a4 battc+0x10a4
38 0xe00001493278 0x0000000001f1249ec9 2014-01-24 21:21:14+0000 0 - 0xf80000c2ac30 ndis+0x4c30
38 0xe00002327228 0x00000000024c651b42 2014-01-24 21:23:47+0000 944848 - 0xf8000249cbb4 mslldp+0x4bb4
38 0xe000013f7ef8 0x00000000324d602123 2014-01-25 03:07:25+0000 21600000 - 0xf80001491cf0 dxgkrnl+0x19cf0
38 0xf802d32ea250 0x0000000001d163bc04 2014-01-24 21:20:21+0000 60000 Yes 0xf802d3116bac nt!IopIrpStackProfilerTimer
40 0xf80000e981c0 0x0000000002840a55a8 2014-01-24 21:25:21+0000 0 - 0xf80000e94c9c mup+0x1c9c
```

## unloaded_modules (UnloadedModules)

Print a list of recently unloaded modules.

Ref: http://volatility-labs.blogspot.de/2013/05/movp-ii-22-unloaded-windows-kernel_22.html

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

For debugging purposes Windows keeps a list of the last few kernel modules to have been unloaded. Sometimes, if malware inserts a kernel component and then removes it, this will leave traces in this list.

### Sample output

The below sample shows that win32dd was used to acquire this sample, and that the Honeynet project's [capture tools](https://projects.honeynet.org/capture-hpc/browser/capture-hpc/branches/dev/capture-client/KernelDrivers/CaptureKernelDrivers) were used.
```
130115b.w32 22:53:17> unloaded_modules
INFO:root:Detected kernel base at 0x804D7000
Name Start End Time
Sfloppy.SYS 0xf8383000 0xf8386000 2013-01-15 22:06:06+0000
Cdaudio.SYS 0xf89c2000 0xf89c7000 2013-01-15 22:06:06+0000
processr.sys 0xf88aa000 0xf88b3000 2013-01-15 22:06:06+0000
splitter.sys 0xf8bc6000 0xf8bc8000 2013-01-15 22:06:41+0000
aec.sys 0xb1be6000 0xb1c09000 2013-01-15 22:06:41+0000
swmidi.sys 0xb1d06000 0xb1d14000 2013-01-15 22:06:41+0000
DMusic.sys 0xb1cf6000 0xb1d03000 2013-01-15 22:06:41+0000
drmkaud.sys 0xf8c9f000 0xf8ca0000 2013-01-15 22:06:41+0000
kmixer.sys 0xb1b1b000 0xb1b46000 2013-01-15 22:06:51+0000
kmixer.sys 0xb14df000 0xb150a000 2013-01-15 22:08:04+0000
kmixer.sys 0xb14df000 0xb150a000 2013-01-15 22:09:21+0000
win32dd.sys 0xb160a000 0xb1616000 2013-01-15 22:27:39+0000
fastdumpx86.sys 0xf8942000 0xf8948000 2013-01-15 22:30:55+0000
CaptureFileMonitor.sys 0xb1c3a000 0xb1c3d000 2013-01-15 22:35:48+0000
CaptureRegistryMonitor.sys 0xf8c1e000 0xf8c20000 2013-01-15 22:39:51+0000
CaptureProcessMonitor.sys 0xf8c0e000 0xf8c10000 2013-01-15 22:39:52+0000
CaptureFileMonitor.sys 0xb15ba000 0xb15bd000 2013-01-15 22:39:52+0000
```

## userassist (UserAssist)

Print userassist registry keys and information

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## userhandles (UserHandles)

Dump the USER handle tables

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| free | Boolean | Also include free handles. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| type | RegEx | Filter handle type by this Regular Expression. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## users (Users)

Enumerate all users of this system.

Ref: samparse.pl from RegRipper.

```
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
```

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## vad (VAD)

Concise dump of the VAD. Similar to windbg's !vad.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| offset | IntParser | Only print the vad corresponding to this offset. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| regex | RegEx | A regular expression to filter VAD filenames. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The Windows kernel manages process memory using the Virtual Address Descriptor (VAD) tree. The VAD is a tree of the memory regions mapped into the process address space. The VAD regions are used to manage the process address space (i.e. its page tables). The vad plugin displays all the VAD regions in the process and their properties.

### Notes

1. The start and end columns refer to the page number of the region. To convert a page number to an address simply multiply by 0x1000 (and divide by 0x1000 to go from an address back to a page number).
2. If a memory region is mapped from a file (e.g. via the mmap call) the filename will be shown.
3. Most executables (e.g. DLLs) are mapped with the EXECUTE_WRITECOPY permission. This is so that the executable pages are shared between all processes. As soon as a process attempts to write to that region the binary will be mapped EXECUTE_READWRITE.
4. When a DLL is mapped into the VAD, the PE header is placed at the VAD's start address. This means that you can dump the DLL by simply passing the VAD's start address to [pedump](PEDump.html) as the image base.
### Sample output

```
win7_trial_64bit.dmp.E01 23:10:34> vad 1232
Pid: 1232 grrservice.exe
VAD lev start end com -- Protect Filename
0xfa80020877a0 1 0x73660 0x736bb 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64win.dll
0xfa8002083a50 2 0x400 0x427 8 Mapped Exe EXECUTE_WRITECOPY \Python27\grrservice.exe
0xfa800207fd80 3 0x290 0x293 0 Mapped READONLY Pagefile-backed section
0xfa800205a6d0 4 0x50 0x8f 7 Private READWRITE
0xfa80020848f0 5 0x40 0x40 0 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apisetschema.dll
0xfa800208b590 6 0x10 0x1f 0 Mapped READWRITE Pagefile-backed section
0xfa8002066300 5 0x90 0x28f 3 Private READWRITE
0xfa800208acd0 4 0x2b0 0x316 0 Mapped READONLY \Windows\System32\locale.nls
0xfa8002082470 5 0x2a0 0x2a0 1 Private READWRITE
0xfa80020aaad0 5 0x360 0x39f 7 Private READWRITE
0xfa80020a0170 6 0x3a0 0x3df 7 Private READWRITE
0xfa800207e180 3 0x830 0x92f 28 Private READWRITE
0xfa800208aa30 4 0x580 0x58f 3 Private READWRITE
0xfa800209f6d0 5 0x430 0x4af 1 Private READWRITE
0xfa80020590f0 5 0x5f0 0x66f 6 Private READWRITE
0xfa8001fea860 4 0x735d0 0x7361a 4 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\apphelp.dll
0xfa80020a01c0 5 0xb30 0xd2f 3 Private READWRITE
0xfa800209f680 6 0xd30 0xf2f 3 Private READWRITE
0xfa8002087f00 5 0x73650 0x73657 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64cpu.dll
0xfa80020838a0 2 0x7efb0 0x7efd2 0 Mapped READONLY Pagefile-backed section
0xfa8002087c00 3 0x760a0 0x7619f 3 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\kernel32.dll
0xfa800208af80 4 0x74b50 0x74b95 3 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\KernelBase.dll
0xfa8002087cb0 5 0x74a70 0x74a7b 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\cryptbase.dll
0xfa8002085e30 6 0x736c0 0x736fe 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64.dll
0xfa800208a900 6 0x74a80 0x74adf 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\sspicli.dll
0xfa800208b900 5 0x76000 0x7609f 5 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\advapi32.dll
0xfa8002086430 4 0x76ce0 0x76dfe 0 Private Exe EXECUTE_READWRITE
0xfa80020874f0 5 0x767b0 0x7685b 8 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\msvcrt.dll
0xfa800208aaf0 6 0x763b0 0x7649f 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\rpcrt4.dll
0xfa800208b1d0 6 0x76860 0x76878 4 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\sechost.dll
0xfa80020839c0 5 0x771b0 0x7735b 12 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
0xfa8001d47490 6 0x76f50 0x77049 0 Private Exe EXECUTE_READWRITE
0xfa8002083930 6 0x77390 0x7750f 9 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\ntdll.dll
0xfa800209f5e0 7 0x7efad 0x7efaf 3 Private READWRITE
0xfa800204f6b0 3 0x7f0e0 0x7ffdf 0 Private READONLY
0xfa8002084980 4 0x7efde 0x7efde 1 Private READWRITE
0xfa8002084350 5 0x7efdb 0x7efdd 3 Private READWRITE
0xfa800209f9b0 6 0x7efd5 0x7efd7 3 Private READWRITE
0xfa8002083800 5 0x7efdf 0x7efdf 1 Private READWRITE
0xfa800208b260 6 0x7efe0 0x7f0df 0 Mapped READONLY Pagefile-backed section
0xfa800207c840 4 0x7ffe0 0x7ffef -1 Private READONLY
0xfa80020810b0 5 0x7fff0 0x7fffffef -1 Private READONLY
```

## vaddump (VADDump)

Dumps out the vad sections to a file

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| offset | IntParser | Only print the vad corresponding to this offset. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| regex | RegEx | A regular expression to filter VAD filenames. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Although you can dump a process executable using the [procdump](ProcDump.html) plugin, this only dumps the main executable. For further analysis of a process it is useful to dump its entire address space. Since the address space is discontiguous it is best to dump it out one VAD segment at a time.
### Sample output

```
win7_trial_64bit.dmp.E01 23:45:01> vaddump pid=1232, dump_dir="/tmp"
grrservice.exe (1232)
Start End Length Filename Comment
0x000073660000 0x0000736bbfff 0x5bfff grrservice.exe.2f684a70.73660000-736bbfff.dmp \Windows\System32\wow64win.dll
0x000000400000 0x000000427fff 0x27fff grrservice.exe.2f684a70.00400000-00427fff.dmp \Python27\grrservice.exe
0x000000290000 0x000000293fff 0x3fff grrservice.exe.2f684a70.00290000-00293fff.dmp Pagefile-backed section
0x000000050000 0x00000008ffff 0x3ffff grrservice.exe.2f684a70.00050000-0008ffff.dmp
0x000000040000 0x000000040fff 0xfff grrservice.exe.2f684a70.00040000-00040fff.dmp \Windows\System32\apisetschema.dll
0x000000010000 0x00000001ffff 0xffff grrservice.exe.2f684a70.00010000-0001ffff.dmp Pagefile-backed section
0x000000090000 0x00000028ffff 0x1fffff grrservice.exe.2f684a70.00090000-0028ffff.dmp
0x0000002b0000 0x000000316fff 0x66fff grrservice.exe.2f684a70.002b0000-00316fff.dmp \Windows\System32\locale.nls
0x0000002a0000 0x0000002a0fff 0xfff grrservice.exe.2f684a70.002a0000-002a0fff.dmp
0x000000360000 0x00000039ffff 0x3ffff grrservice.exe.2f684a70.00360000-0039ffff.dmp
0x0000003a0000 0x0000003dffff 0x3ffff grrservice.exe.2f684a70.003a0000-003dffff.dmp
0x000000830000 0x00000092ffff 0xfffff grrservice.exe.2f684a70.00830000-0092ffff.dmp
0x000000580000 0x00000058ffff 0xffff grrservice.exe.2f684a70.00580000-0058ffff.dmp
0x000000430000 0x0000004affff 0x7ffff grrservice.exe.2f684a70.00430000-004affff.dmp
0x0000005f0000 0x00000066ffff 0x7ffff grrservice.exe.2f684a70.005f0000-0066ffff.dmp
0x0000735d0000 0x00007361afff 0x4afff grrservice.exe.2f684a70.735d0000-7361afff.dmp \Windows\SysWOW64\apphelp.dll
0x000000b30000 0x000000d2ffff 0x1fffff grrservice.exe.2f684a70.00b30000-00d2ffff.dmp
0x000000d30000 0x000000f2ffff 0x1fffff grrservice.exe.2f684a70.00d30000-00f2ffff.dmp
0x000073650000 0x000073657fff 0x7fff grrservice.exe.2f684a70.73650000-73657fff.dmp \Windows\System32\wow64cpu.dll
0x00007efb0000 0x00007efd2fff 0x22fff grrservice.exe.2f684a70.7efb0000-7efd2fff.dmp Pagefile-backed section
0x0000760a0000 0x00007619ffff 0xfffff grrservice.exe.2f684a70.760a0000-7619ffff.dmp \Windows\SysWOW64\kernel32.dll
0x000074b50000 0x000074b95fff 0x45fff grrservice.exe.2f684a70.74b50000-74b95fff.dmp \Windows\SysWOW64\KernelBase.dll
0x000074a70000 0x000074a7bfff 0xbfff grrservice.exe.2f684a70.74a70000-74a7bfff.dmp \Windows\SysWOW64\cryptbase.dll
0x0000736c0000 0x0000736fefff 0x3efff grrservice.exe.2f684a70.736c0000-736fefff.dmp \Windows\System32\wow64.dll
0x000074a80000 0x000074adffff 0x5ffff grrservice.exe.2f684a70.74a80000-74adffff.dmp \Windows\SysWOW64\sspicli.dll
0x000076000000 0x00007609ffff 0x9ffff grrservice.exe.2f684a70.76000000-7609ffff.dmp \Windows\SysWOW64\advapi32.dll
0x000076ce0000 0x000076dfefff 0x11efff grrservice.exe.2f684a70.76ce0000-76dfefff.dmp
0x0000767b0000 0x00007685bfff 0xabfff grrservice.exe.2f684a70.767b0000-7685bfff.dmp \Windows\SysWOW64\msvcrt.dll
0x0000763b0000 0x00007649ffff 0xeffff grrservice.exe.2f684a70.763b0000-7649ffff.dmp \Windows\SysWOW64\rpcrt4.dll
0x000076860000 0x000076878fff 0x18fff grrservice.exe.2f684a70.76860000-76878fff.dmp \Windows\SysWOW64\sechost.dll
0x0000771b0000 0x00007735bfff 0x1abfff grrservice.exe.2f684a70.771b0000-7735bfff.dmp \Windows\System32\ntdll.dll
0x000076f50000 0x000077049fff 0xf9fff grrservice.exe.2f684a70.76f50000-77049fff.dmp
0x000077390000 0x00007750ffff 0x17ffff grrservice.exe.2f684a70.77390000-7750ffff.dmp \Windows\SysWOW64\ntdll.dll
0x00007efad000 0x00007efaffff 0x2fff grrservice.exe.2f684a70.7efad000-7efaffff.dmp
0x00007f0e0000 0x00007ffdffff 0xefffff grrservice.exe.2f684a70.7f0e0000-7ffdffff.dmp
0x00007efde000 0x00007efdefff 0xfff grrservice.exe.2f684a70.7efde000-7efdefff.dmp
0x00007efdb000 0x00007efddfff 0x2fff grrservice.exe.2f684a70.7efdb000-7efddfff.dmp
0x00007efd5000 0x00007efd7fff 0x2fff grrservice.exe.2f684a70.7efd5000-7efd7fff.dmp
0x00007efdf000 0x00007efdffff 0xfff grrservice.exe.2f684a70.7efdf000-7efdffff.dmp
0x00007efe0000 0x00007f0dffff 0xfffff grrservice.exe.2f684a70.7efe0000-7f0dffff.dmp Pagefile-backed section
0x00007ffe0000 0x00007ffeffff 0xffff grrservice.exe.2f684a70.7ffe0000-7ffeffff.dmp
0x00007fff0000 0x07fffffeffff 0x7ff7fffffff grrservice.exe.2f684a70.7fff0000-7fffffeffff.dmp
...

win7_trial_64bit.dmp.E01 23:45:13> peinfo executable="/tmp/grrservice.exe.2f684a70.760a0000-7619ffff.dmp"
Attribute Value
Machine IMAGE_FILE_MACHINE_I386
TimeDateStamp 2011-07-16 04:33:08+0000
Characteristics IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE
GUID/Age 0EB73428EC4E430FB8EDD94C5946855B2
PDB wkernel32.pdb
MajorOperatingSystemVersion 6
MinorOperatingSystemVersion 1
MajorImageVersion 6
MinorImageVersion 1
MajorSubsystemVersion 6
MinorSubsystemVersion 1

Sections (Relative to 0x760A0000):
Perm Name VMA Size
xr- .text 0x000000010000 0x0000000c0000
-rw .data 0x0000000d0000 0x000000010000
-r- .rsrc 0x0000000e0000 0x000000010000
-r- .reloc 0x0000000f0000 0x000000010000

Data Directories:
- VMA Size
IMAGE_DIRECTORY_ENTRY_EXPORT 0x00007615f728 0x00000000aa1a
IMAGE_DIRECTORY_ENTRY_IMPORT 0x00007616a144 0x0000000001f4
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x000076180000 0x000000000520
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_SECURITY 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x000076190000 0x00000000ad3c
IMAGE_DIRECTORY_ENTRY_DEBUG 0x00007616feb8 0x000000000038
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_TLS 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x000076123330 0x000000000040
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_IAT 0x0000760b0000 0x000000000ddc
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_RESERVED 0x000000000000 0x000000000000

Import Directory (Original):
Name Ord
API-MS-Win-Core-RtlSupport-L1-1-0.dll!RtlUnwind 3
API-MS-Win-Core-RtlSupport-L1-1-0.dll!RtlCaptureContext 0
API-MS-Win-Core-RtlSupport-L1-1-0.dll!RtlCaptureStackBackTrace 1
ntdll.dll!NtCreateEvent 227
ntdll.dll!NtDuplicateObject 275
ntdll.dll!RtlConvertSidToUnicodeString 686
ntdll.dll!NtNotifyChangeKey 337
ntdll.dll!RtlRunOnceInitialize 1151
```

## vadmap (VADMap)

Inspect each page in the VAD and report its status. This allows us to see the address translation status of each page in the VAD.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| end | IntParser | Stop reading at this offset. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| start | IntParser | Start reading from this page. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## vtop (VtoP)

Prints information about the virtual to physical translation.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

This plugin displays all the page translation steps needed to resolve a virtual address to a physical address.

### Notes

1. The plugin uses the current default address space to calculate the mapping. If you want to resolve the virtual address in a process space you will need to switch the process context first (i.e. use the [cc](SetProcessContext.html) plugin).

### Sample output

```
win7_trial_64bit.dmp.E01 23:52:53> vtop 0xfa8000a2d060
Virtual 0xfa8000a2d060 Page Directory 0x00187000
pml4e@ 0x187fa8 = 0x3c00863
pdpte@ 0x3c00000 = 0x3c01863
pde@ 0x3c01028 = 0x30c009e3
Large page mapped 0x30e2d060
Physical Address 0x30c2d060
```

## win32k_autodetect (Win32kAutodetect)

Automatically detect win32k struct layout.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
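The translation steps that the vtop plugin above prints (pml4e, pdpte, pde, pte, with the large-page short cut taken in the sample) can be reproduced by hand. The following is an added example, not Rekall's own code: a 4-level x86-64 page walk over a constructed dictionary of page-table entries whose values are the ones shown in the vtop samples on this page (the DTBs 0x00187000 and 0x271ec000, the latter taken from the pas2vas walkthrough further down). A missing entry reads as zero, i.e. not present, which is the failure mode the walk has to stop on.

```python
"""Added example (not Rekall's code): the 4-level x86-64 page walk that vtop prints, step by step."""
PRESENT = 1 << 0          # bit 0 of every entry: the entry is valid
LARGE_PAGE = 1 << 7       # bit 7 of a PDE/PDPTE: the entry maps a 2 MiB / 1 GiB page directly
INDEX_MASK = 0x1FF        # each level indexes a 512-entry table with 9 bits of the address
FRAME_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51 of an entry: next table or 4 KiB frame

# Constructed physical memory: {physical offset of an 8-byte entry: its value}. Entries that are
# not listed read as 0, i.e. not present. The values are the ones shown in the vtop samples on
# this page: vol.exe (DTB 0x271ec000, from the pas2vas sample) and the kernel address resolved
# in the vtop sample above (DTB 0x187000).
WIN7_VTOP_MEM = {
    0x271ec000: 0x70000008844867,   # pml4e for 0x766c0000
    0x8844008: 0x80000007845867,    # pdpte
    0x7845d98: 0x7b55847,           # pde (not a large page)
    0x7b55600: 0x1a58f005,          # pte -> frame 0x1a58f000
}
LARGE_PAGE_MEM = {
    0x187fa8: 0x3c00863,            # pml4e for 0xfa8000a2d060 (DTB 0x187000)
    0x3c00000: 0x3c01863,           # pdpte
    0x3c01028: 0x30c009e3,          # pde with bit 7 set: 2 MiB page at 0x30c00000
}


def read_entry(mem, paddr):
    return mem.get(paddr, 0)


def vtop(mem, dtb, vaddr):
    """Walk the tables rooted at dtb. Returns (physical address or None, [(level, entry addr, value)])."""
    steps = []
    pml4e_addr = dtb + ((vaddr >> 39) & INDEX_MASK) * 8
    pml4e = read_entry(mem, pml4e_addr)
    steps.append(("pml4e", pml4e_addr, pml4e))
    if not pml4e & PRESENT:
        return None, steps
    pdpte_addr = (pml4e & FRAME_MASK) + ((vaddr >> 30) & INDEX_MASK) * 8
    pdpte = read_entry(mem, pdpte_addr)
    steps.append(("pdpte", pdpte_addr, pdpte))
    if not pdpte & PRESENT:
        return None, steps
    if pdpte & LARGE_PAGE:   # 1 GiB page: bits 30.. are the frame, low 30 bits come from vaddr
        return (pdpte & 0x000F_FFFF_C000_0000) | (vaddr & 0x3FFF_FFFF), steps
    pde_addr = (pdpte & FRAME_MASK) + ((vaddr >> 21) & INDEX_MASK) * 8
    pde = read_entry(mem, pde_addr)
    steps.append(("pde", pde_addr, pde))
    if not pde & PRESENT:
        return None, steps
    if pde & LARGE_PAGE:     # 2 MiB page: bits 21.. are the frame, low 21 bits come from vaddr
        return (pde & 0x000F_FFFF_FFE0_0000) | (vaddr & 0x1F_FFFF), steps
    pte_addr = (pde & FRAME_MASK) + ((vaddr >> 12) & INDEX_MASK) * 8
    pte = read_entry(mem, pte_addr)
    steps.append(("pte", pte_addr, pte))
    if not pte & PRESENT:
        return None, steps
    return (pte & FRAME_MASK) | (vaddr & 0xFFF), steps


def format_walk(dtb, vaddr, result):
    """Render the walk in the layout the plugin uses."""
    paddr, steps = result
    lines = ["Virtual %#x Page Directory %#x" % (vaddr, dtb)]
    lines += ["%s@ %#x = %#x" % step for step in steps]
    lines.append("Physical Address %#x" % paddr if paddr is not None
                 else "Invalid address (entry not present)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_walk(0x271ec000, 0x766c0000, vtop(WIN7_VTOP_MEM, 0x271ec000, 0x766c0000)))
    print(format_walk(0x187000, 0xfa8000a2d060, vtop(LARGE_PAGE_MEM, 0x187000, 0xfa8000a2d060)))
```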
## dns_cache (WinDNSCache)

Dump the windows DNS resolver cache.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| hashtable | String | Optionally provide the hashtable |
| no_index | Boolean | Should we not use the index |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## desktops (WinDesktops)

Print information on each desktop.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## dlllist (WinDllList)

Prints a list of dll modules mapped into each process.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
Lists DLL modules loaded into a process by following the doubly linked list of LDR_DATA_TABLE_ENTRY stored in _EPROCESS.Peb.Ldr.InLoadOrderModuleList. DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll) and they aren't removed until FreeLibrary is called and the reference count reaches zero.

All the usual process selectors are supported.

### Notes

1. Wow64 processes (i.e. 32-bit binaries running on 64-bit Windows) load DLLs through a different mechanism.
2. Since the InLoadOrderModuleList is maintained in the process address space, it is simple to manipulate from Ring 3 (without kernel access). This means that this plugin may not show all the linked-in DLLs.
3. A better plugin to use is the [ldrmodules](LdrModules.html) plugin, which uses the VAD to enumerate DLLs. The VAD is maintained in kernel memory and therefore can only be accessed through Ring 0 access.

### Sample output

Below we see winpmem used to acquire the image of this Windows 8.1 system. Since winpmem is a 32-bit application, we see the wow64.dll dynamically loaded. Note that in this case, the 32-bit DLLs will not show in the InLoadOrderModuleList. Using the [ldrmodules](LdrModules.html) plugin reveals all the 32-bit DLLs loaded.
```
win8.1.raw 15:35:10> dlllist proc_regex="winpmem"
dlllist(proc_regex="winpmem")
winpmem_1.5.2. pid: 2628
Command line : winpmem_1.5.2.exe -2 win8.1.raw
Note: use ldrmodules for listing DLLs in Wow64 processes

Base Size Load Reason/Count Path
0x000000020000 0x2d000 LoadReasonStaticDependency C:\temp\winpmem_1.5.2.exe
0x7ff87f320000 0x1a9000 LoadReasonStaticDependency C:\Windows\SYSTEM32\ntdll.dll
0x000076f50000 0x49000 LoadReasonDynamicLoad C:\Windows\SYSTEM32\wow64.dll
0x000076fa0000 0x68000 LoadReasonStaticDependency C:\Windows\system32\wow64win.dll
0x000077010000 0x9000 LoadReasonStaticDependency C:\Windows\system32\wow64cpu.dll

win8.1.raw 15:35:51> ldrmodules proc_regex="winpmem"
ldrmodules(proc_regex="winpmem")
Pid Process Base InLoad InInit InMem MappedPath
2628 winpmem_1.5.2. 0x0000753b0000 False False False \Windows\SysWOW64\KernelBase.dll
2628 winpmem_1.5.2. 0x000000020000 True False True \temp\winpmem_1.5.2.exe
2628 winpmem_1.5.2. 0x000076c30000 False False False \Windows\SysWOW64\kernel32.dll
2628 winpmem_1.5.2. 0x000074a40000 False False False \Windows\SysWOW64\cryptbase.dll
2628 winpmem_1.5.2. 0x000074a50000 False False False \Windows\SysWOW64\sspicli.dll
2628 winpmem_1.5.2. 0x000077010000 True True True \Windows\System32\wow64cpu.dll
2628 winpmem_1.5.2. 0x000076f50000 True True True \Windows\System32\wow64.dll
2628 winpmem_1.5.2. 0x000076fa0000 True True True \Windows\System32\wow64win.dll
2628 winpmem_1.5.2. 0x000075250000 False False False \Windows\SysWOW64\rpcrt4.dll
2628 winpmem_1.5.2. 0x0ff87f320000 False False False \Windows\System32\ntdll.dll
2628 winpmem_1.5.2. 0x000077020000 False False False \Windows\SysWOW64\ntdll.dll
2628 winpmem_1.5.2. 0x0000749e0000 False False False \Windows\SysWOW64\bcryptprimitives.dll
2628 winpmem_1.5.2. 0x000074ff0000 False False False \Windows\SysWOW64\advapi32.dll
2628 winpmem_1.5.2. 0x000076f10000 False False False \Windows\SysWOW64\sechost.dll
2628 winpmem_1.5.2. 0x000074d80000 False False False \Windows\SysWOW64\msvcrt.dll
```

## eventhooks (WinEventHooks)

Print details on windows event hooks

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## find_dtb (WinFindDTB)

A plugin to search for the Directory Table Base for Windows systems.

There are a number of ways to find the DTB:

- Scanner method: scans the image for a known kernel process, and reads the DTB from its Process Environment Block (PEB).
- Get the DTB from the KPCR structure.

Note that the kernel is mapped into every process's address space (with the exception of session space which might be different), so using any process's DTB from the same session will work to read kernel data structures.

If this plugin fails, try psscan to find potential DTBs.

| Plugin | Type | Description |
|---|---|---|
| process_name | String | The names of the processes to search for. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

### Notes

1. This is an internally used plugin for discovering the Directory Table Base (DTB) on Windows systems. It is unlikely to be useful to a user by itself.
## memdump (WinMemDump)

Dump windows processes.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

To dump all addressable memory in a process, use the memdump plugin. This plugin enumerates the process page tables and writes them out into an external file. An index file is also created which can be used to find the virtual address of each byte in the output file. You would typically use this output file in order to scan for e.g. virus signatures or other patterns in tools which do not understand virtual memory mappings.

The plugin accepts all the usual process filtering commands (e.g. by pid, proc_regex etc). Additionally, if no filtering command is specified the plugin dumps the kernel's address space. (You can dump all processes by providing a proc_regex of '.').

### Notes

1. This plugin is very similar to the vaddump plugin, except that it dumps the page table, and not only the VAD tree. This plugin actually contains all memory currently accessible to the process (despite any possible manipulation of the VAD tree).
2. The process's virtual address space is typically fragmented and has large, unmapped gaps in it. Therefore this plugin does not zero fill these gaps; rather it writes all addressable memory directly to the output file. This means that contiguous memory in the output file is not necessarily contiguous in memory.
3. To find out where a particular byte in the output file maps in the process virtual memory, check the index file (example below).
4. Note that processes typically always map the kernel in the upper memory region (i.e. above the symbol MmHighestUserAddress). This plugin does not dump the kernel portion of the address space, unless the --all parameter is specified.
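Notes 2 and 3 describe the index file as the only way back from an offset in the .dmp output to a process virtual address. The following is an added example, not Rekall's code: it parses index lines in the three-column layout of the memdump sample (the lines here are constructed to match that sample), maps file offsets to virtual addresses and back, and checks whether a byte range that is contiguous in the file is also contiguous in the process.

```python
"""Added example (not Rekall's code): using a memdump .idx file to map file offsets to virtual addresses."""
import bisect

# Constructed index contents in the layout shown by the memdump sample output:
# file address, length, virtual address (all hex), one run per line.
SAMPLE_IDX = """\
File Address Length Virtual Addr
0x000000000000 0x000000001000 0x000000010000
0x000000001000 0x000000001000 0x000000020000
0x000000002000 0x000000001000 0x000000021000
0x000000003000 0x000000001000 0x00000002f000
0x000000004000 0x000000001000 0x000000040000
0x000000005000 0x000000001000 0x000000050000
0x000000006000 0x000000001000 0x000000051000
"""


def parse_idx(text):
    """Return a list of (file_offset, length, virtual_address) tuples sorted by file offset."""
    runs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].startswith("0x"):
            continue  # header line or anything else that is not a run
        runs.append(tuple(int(f, 16) for f in fields))
    runs.sort()
    return runs


def file_offset_to_vaddr(runs, file_offset):
    """Translate an offset in the .dmp file to the virtual address it was read from; None if past the end."""
    starts = [r[0] for r in runs]
    i = bisect.bisect_right(starts, file_offset) - 1
    if i < 0:
        return None
    start, length, vaddr = runs[i]
    if file_offset >= start + length:
        return None
    return vaddr + (file_offset - start)


def vaddr_to_file_offset(runs, vaddr):
    """Reverse lookup: where in the .dmp file does a virtual address live? None if it was not dumped."""
    for start, length, base in runs:
        if base <= vaddr < base + length:
            return start + (vaddr - base)
    return None


def is_contiguous(runs, file_offset, size):
    """Note 2 above: bytes adjacent in the file are not necessarily adjacent in memory.
    True only if [file_offset, file_offset + size) came from one unbroken virtual range."""
    first = file_offset_to_vaddr(runs, file_offset)
    last = file_offset_to_vaddr(runs, file_offset + size - 1)
    return first is not None and last is not None and last - first == size - 1


if __name__ == "__main__":
    runs = parse_idx(SAMPLE_IDX)
    # A pattern found at file offset 0x3010 by an external scanner lives at virtual 0x2f010.
    print("%#x -> %#x" % (0x3010, file_offset_to_vaddr(runs, 0x3010)))
    print("file[0x1000:0x3000] contiguous in memory:", is_contiguous(runs, 0x1000, 0x2000))
    print("file[0x2000:0x4000] contiguous in memory:", is_contiguous(runs, 0x2000, 0x2000))
```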
### Sample output

```
win7.elf 00:30:52> memdump pid=2912, dump_dir="/tmp/"
memdump(pid=2912, dump_dir="/tmp/")
Writing vol.exe 0xfa8002193060 to vol.exe_2912.dmp

win7.elf 00:30:55> ls -l /tmp/vol.exe_2912.dmp -h
-rw-r----- 1 scudette staff 2.2M Jun 18 00:30 /tmp/vol.exe_2912.dmp

win7.elf 00:30:59> less /tmp/vol.exe_2912.dmp.idx
File Address Length Virtual Addr
0x000000000000 0x000000001000 0x000000010000
0x000000001000 0x000000001000 0x000000020000
0x000000002000 0x000000001000 0x000000021000
0x000000003000 0x000000001000 0x00000002f000
0x000000004000 0x000000001000 0x000000040000
0x000000005000 0x000000001000 0x000000050000
0x000000006000 0x000000001000 0x000000051000
```

## memmap (WinMemMap)

Calculates the memory regions mapped by a process.
| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

To enumerate the address space of a process use this plugin. It is not that useful in practice, unless you want to manually translate a physical address to a virtual address.

### Notes

1. It is not often necessary to dump the entire page tables of each process. Instead it is possible to first switch to the process context (using the cc plugin), and then use vtop to translate the virtual address to a physical address.
2. Similar to the memdump plugin, we do not dump the kernel address space portion for processes unless the all parameter is specified.

### Sample output

```
win7.elf 00:54:22> memmap pid=2912
memmap(pid=2912)
Process: 'vol.exe' pid: 2912
Dumping address space at DTB 0x271ec000
Virtual Physical Size
0x000000010000 0x000007c4c000 0x1000
0x000000020000 0x00000818f000 0x1000
0x000000021000 0x000007e11000 0x1000
0x00000002f000 0x000008010000 0x1000
0x000000040000 0x00002428e000 0x1000
0x000000050000 0x000001e6b000 0x1000
0x000000051000 0x000007f49000 0x1000
```

## messagehooks (WinMessageHooks)

List desktop and thread window message hooks.
| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## moddump (WinModDump)

Dump kernel drivers from kernel space.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| out_fd | String | A file like object to write the output. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| regex | RegEx | A Regular expression for selecting the dlls to dump. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## netscan (WinNetscan)

Scan a Vista, 2008 or Windows 7 image for connections and sockets

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## netstat (WinNetstat)

Enumerate image for connections and sockets

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## pas2vas (WinPas2Vas)

Resolves a physical address to a virtual address in a process.

| Plugin | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| offsets | ArrayIntParser | A list of physical offsets to resolve. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
In virtual (or protected) mode, the CPU cannot access physical memory directly. Instead each memory access made by the CPU is translated by the MMU into the relevant physical address. This translation is controlled by page tables loaded at the memory address held in the CR3 register. Each process has a unique page table structure, and therefore a unique view of physical memory.

In order to know what physical address is mapped to each virtual address you can use the vtop plugin. However, the reverse mapping is not so simple: there can be many virtual addresses mapped to the same physical address.

This plugin enumerates all virtual to physical mappings in one or more processes. It then builds a large lookup table in memory to be able to reverse the mapping, i.e. given a physical address, the plugin is able to determine the virtual address that maps to it, and in which processes it exists.

Forensically this can be used if you find an interesting string in the physical image (e.g. with a hex editor) and want to know which process has that physical memory mapped. Another use case is to detect shared memory between multiple processes.

### Notes

1. This plugin only enumerates the user space portion of the process address space (since all processes share the same kernel address space).
2. The plugin may take a while to run while it builds its lookup table. The next time you run it, it should be very fast. The lookup map is also stored in the session cache, so you can use the -s parameter to store the session for next time.

### Sample output

In the following we see that the process vol.exe is a Wow64 process and maps \Windows\SysWOW64\ws2_32.dll. We want to know who else is using this DLL. We first find the physical address of the mapped DLL (note we need to switch to the correct process context first), then we use the pas2vas plugin to determine which other process has that physical page mapped.
win7.
elf12:29:35>pslistOffset(V)NamePIDPPIDThdsHndsSessWow64Start→Exit.
.
.
0xfa8002193060vol.
exe291226441191True2012-→10-0114:41:03+0000-0xfa80017f9060vol.
exe2920291241691True2012-→10-0114:41:03+0000-win7.
elf12:29:59>vad2912vad(2912)Pid:2912vol.
exeVADlevstartendcom--Protect→Filename0xfa80026f9d8010x744000x7443e3MappedExeEXECUTE_WRITECOPY→\Windows\System32\wow64.
dll.
.
.
0xfa80021da20030x766c00x766f42MappedExeEXECUTE_WRITECOPY→\Windows\SysWOW64\ws2_32.
dll0xfa80026eb5e040x75ef00x75fdf2MappedExeEXECUTE_WRITECOPY→\Windows\SysWOW64\rpcrt4.
dll.
.
.
0xfa80028f59d050x7fff00x7fffffef-1PrivateREADONLYwin7.
elf12:30:08>cc2912Switchingtoprocesscontext:vol.
exe(Pid2912@0xfa8002193060)win7.
elf12:32:45>vtop0x766c0000vtop(0x766c0000)Virtual0x766c0000PageDirectory0x271ec000pml4e@0x271ec000=0x70000008844867pdpte@0x8844008=0x80000007845867pde@0x7845d98=0x7b558472.
1.
Memory81RekallForensicsDocumentation,Release1.
7.
2pte@0x7b55600=0x1a58f005PTEmapped@0x7b55600=0x1a58f000PhysicalAddress0x1a58f000win7.
elf12:32:53>pas2vas0x1a58f000PhysicalVirtualPidName0x00001a58f0000x0000766c00002616Console.
exe0x00001a58f0000x0000766c00002920vol.
exe0x00001a58f0000x0000766c00002912vol.
exeWeseethatConsole.
exealsomapsthesamedll-probablysinceitisalsoaWow64processwhichrequiresnetworkaccess.
.
.
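The lookup table that pas2vas builds is simply the inversion of every process's page mappings. The following is an added example, not Rekall's own code: it inverts a constructed set of per-process virtual-to-physical page maps (Rekall obtains these by walking each process's real page tables), answers the "who maps this physical address" question from the session above, and lists the pages shared between distinct pids. The process table, addresses and helper names are all assumptions for the demonstration.

```python
from collections import defaultdict

PAGE = 0x1000

# Constructed sample data: for each (pid, name), the user-space pages it maps
# as {virtual page -> physical page}. The three processes share the page
# backing ws2_32.dll, as in the sample session above.
PROCESSES = {
    (2912, "vol.exe"): {0x766c0000: 0x1a58f000, 0x00400000: 0x05a31000},
    (2920, "vol.exe"): {0x766c0000: 0x1a58f000, 0x00400000: 0x0b2c4000},
    (2616, "Console.exe"): {0x766c0000: 0x1a58f000, 0x7ffe0000: 0x0c77e000},
    (4, "System"): {},
}


def build_pas2vas_map(processes):
    """Invert every process's virtual->physical page map into a single
    physical page -> [(virtual page, pid, name)] lookup table.
    Only user-space mappings are considered, as pas2vas does."""
    lookup = defaultdict(list)
    for (pid, name), mapping in processes.items():
        for vaddr, paddr in mapping.items():
            lookup[paddr & ~(PAGE - 1)].append((vaddr, pid, name))
    return lookup


def pas2vas(lookup, physical_address):
    """Resolve a physical address to every (virtual address, pid, name) that
    maps its page. The offset within the page is carried over to the virtual
    address so a string found with a hex editor can be located directly."""
    page = physical_address & ~(PAGE - 1)
    offset = physical_address & (PAGE - 1)
    return sorted((vaddr + offset, pid, name)
                  for vaddr, pid, name in lookup.get(page, []))


def shared_pages(lookup):
    """Physical pages mapped by more than one distinct pid: shared memory
    or, as above, a shared DLL image."""
    result = {}
    for paddr, entries in lookup.items():
        pids = sorted({pid for _, pid, _ in entries})
        if len(pids) > 1:
            result[paddr] = pids
    return result


if __name__ == "__main__":
    table = build_pas2vas_map(PROCESSES)
    for vaddr, pid, name in pas2vas(table, 0x1a58f0a0):
        print(f"0x{0x1a58f0a0:012x}  0x{vaddr:012x}  {pid}  {name}")
    print(shared_pages(table))
```

Because the inversion is built once and then queried, the "slow first run, instant afterwards" behaviour described in the notes falls out naturally; caching the dict in the session is all that is needed.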
## phys_map (WinPhysicalMap)

Prints the boot physical memory map.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

This plugin will simply print the kernel's idea of the physical memory layout on a machine. Typically the physical address space is not contiguous (i.e. it does not have RAM chips mapping all address ranges between 0 and the maximum number). This is because the BIOS needs to leave gaps for DMA devices to be mapped. The BIOS sets up an initial mapping and communicates the mapping to the kernel through a BIOS service call (or EFI call) which can be done while the kernel still boots (in real mode). The kernel then keeps this information and returns it through the MmGetPhysicalMemoryRanges() function.

### Notes

1. It is rather easy to manipulate this information to subvert acquisition. Most acquisition tools use this information to determine where it is safe to read and to avoid reading from DMA mapped memory.
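Since acquisition tools trust this map to decide where it is safe to read, it is worth checking that a map is at least internally consistent before relying on it. The following added example (not Rekall's own code) parses a physical map in the three-column layout phys_map prints, verifies that each range is page aligned, ascending, non-overlapping and that its page count matches its bounds, and answers whether a given physical address is RAM-backed. The sample text is constructed from the values in the sample output; the function names are assumptions.

```python
import re

PAGE = 0x1000

# Constructed sample in the layout phys_map prints.
SAMPLE = """
  Phys Start      Phys End        Number of Pages
0x000000001000  0x00000009f000  158
0x000000100000  0x000000102000  2
0x000000103000  0x00003fff0000  261869
"""

ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\d+)\s*$", re.I)


def parse_phys_map(text):
    """Return [(start, end, pages)] for each data row; the header is skipped."""
    ranges = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))))
    return ranges


def check_phys_map(ranges):
    """Return a list of problems; an empty list means the map is self-consistent:
    page aligned, ascending, non-overlapping, with page counts matching
    (end - start) / PAGE. A tampered map tends to fail one of these."""
    problems = []
    prev_end = 0
    for start, end, pages in ranges:
        if start % PAGE or end % PAGE:
            problems.append(f"range 0x{start:x}-0x{end:x} is not page aligned")
        if end <= start:
            problems.append(f"range 0x{start:x}-0x{end:x} is empty or reversed")
        elif (end - start) // PAGE != pages:
            problems.append(f"range 0x{start:x}-0x{end:x} claims {pages} pages, "
                            f"has {(end - start) // PAGE}")
        if start < prev_end:
            problems.append(f"range 0x{start:x}-0x{end:x} overlaps the previous range")
        prev_end = max(prev_end, end)
    return problems


def is_backed_by_ram(ranges, paddr):
    """True when paddr lies inside a reported RAM range. Reads outside these
    ranges may hit device (DMA) memory, which acquisition tools avoid."""
    return any(start <= paddr < end for start, end, _ in ranges)


def total_pages(ranges):
    """Total RAM pages the map claims, useful to compare with the image size."""
    return sum(pages for _, _, pages in ranges)


if __name__ == "__main__":
    ranges = parse_phys_map(SAMPLE)
    print(check_phys_map(ranges) or "map is consistent")
    print(f"{total_pages(ranges)} pages, 0xf0000 backed: {is_backed_by_ram(ranges, 0xf0000)}")
```

The three sample ranges pass every check (158, 2 and 261869 pages respectively match their bounds), while the gap between 0x9f000 and 0x100000 is correctly reported as not RAM-backed.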
### Sample output

```
win8.1.raw 15:19:26> phys_map
phys_map()
  Phys Start      Phys End        Number of Pages
0x000000001000  0x00000009f000  158
0x000000100000  0x000000102000  2
0x000000103000  0x00003fff0000  261869
```

## yarascan_physical (WinPhysicalYaraScanner)

An experimental yara scanner over the physical address space.

Yara does not provide a streaming interface, which means that when we scan for yara rules we can only ever match strings within the same buffer. This is a problem for physical address space scanning because each page (although it might appear to be contiguous) usually comes from a different process/mapped file. Therefore we need a more intelligent way to apply yara signatures on the physical address space:

1. The original set of yara rules is converted into a single rule with all the strings from all the rules in it. The rule has a condition "any of them" which will match any string appearing in the scanned buffer.
2. This rule is then applied over the physical address space.
3. For each hit we derive a context and add the hit to the context.
4. Finally we test all the rules within the same context with the original rule set.

| Parameter | Type | Description |
|---|---|---|
| context | IntParser | Context to print after the hit. |
| hits | IntParser | Quit after finding this many hits. |
| limit | IntParser | The length of data to search. |
| pre_context | IntParser | Context to print before the hit. |
| start | IntParser | Start searching from this offset. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
| yara_ast | String | If provided we scan for this yara expression specified in the yara JSON AST. |
| yara_expression | String | If provided we scan for this yara expression specified in the yara DSL. |
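The four steps above, as an added example that is not Rekall's code. Plain substring matching stands in for yara so the block runs without the yara module, and the "context" of a hit is assumed to be the owner of the physical page (a pid or a mapped file). The rules, pages and owners are constructed; a rule that needs two strings living on non-adjacent pages of the same process is matched only by the context-based evaluation, not by a per-buffer scan.

```python
from collections import defaultdict

# Original rule set: name -> (strings, condition over the set of matched string ids).
RULES = {
    "dropper": ({"$a": b"MZ_PAYLOAD", "$b": b"CreateRemoteThread"},
                lambda matched: {"$a", "$b"} <= matched),     # "all of them"
    "beacon":  ({"$c": b"http://c2.example.invalid"},
                lambda matched: "$c" in matched),               # "any of them"
}

# Constructed physical address space: page number -> (owner context, contents).
# Pages of one owner are not contiguous, which is what defeats a single-buffer scan.
PAGES = {
    0: ("pid:1234", b"....MZ_PAYLOAD...."),
    1: ("pid:9999", b"....CreateRemoteThread...."),   # only one of the two strings
    2: ("file:ntdll.dll", b"nothing to see here"),
    3: ("pid:1234", b"....CreateRemoteThread...."),
    4: ("pid:4242", b"....http://c2.example.invalid...."),
}


def combined_rule(rules):
    """Step 1: one rule holding every string of every rule, condition 'any of them'."""
    return {sid: s for strings, _ in rules.values() for sid, s in strings.items()}


def scan_physical(pages, strings):
    """Step 2: apply the combined rule page by page. Yields (page, string id, offset)."""
    for page, (_, data) in sorted(pages.items()):
        for sid, needle in strings.items():
            off = data.find(needle)
            while off != -1:
                yield page, sid, off
                off = data.find(needle, off + 1)


def group_by_context(pages, hits):
    """Step 3: derive the context of each hit and collect the hits per context."""
    contexts = defaultdict(set)
    for page, sid, _ in hits:
        contexts[pages[page][0]].add(sid)
    return contexts


def evaluate(rules, contexts):
    """Step 4: re-test every original rule against each context's string set."""
    return sorted((ctx, name) for ctx, matched in contexts.items()
                  for name, (_, cond) in rules.items() if cond(matched))


def yarascan_physical(pages, rules):
    hits = list(scan_physical(pages, combined_rule(rules)))
    return evaluate(rules, group_by_context(pages, hits))


def naive_per_buffer(pages, rules):
    """For contrast: the original rules evaluated on each page in isolation,
    which is all a buffer-oriented scanner can do on its own."""
    return sorted((page, name) for page, (_, data) in pages.items()
                  for name, (strings, cond) in rules.items()
                  if cond({sid for sid, s in strings.items() if s in data}))


if __name__ == "__main__":
    print("context-based:", yarascan_physical(PAGES, RULES))
    print("per-buffer:   ", naive_per_buffer(PAGES, RULES))
```

Note that pid 9999 holds one of the two dropper strings but never both, so grouping by context keeps the rule's original "all of them" semantics instead of degrading it to "any of them".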
## pslist (WinPsList)

List processes for windows.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The pslist plugin lists all the processes on windows using a variety of methods. Since it is required by all plugins which have process selectors, this plugin will, by default, list processes using all methods. The output of this plugin is typically cached in the session, so the first time it is run there might be a slight delay while all methods are used, but subsequent invocations should be almost instant.

Currently the following process listing methods are used:

- PsActiveProcessHead: This method follows the doubly linked list found by the symbol PsActiveProcessHead. It is the simplest and fastest method for listing processes, but it is easily subverted by simply removing an _EPROCESS struct from this list.
- CSRSS: The client-server runtime service is responsible for monitoring all running processes. It therefore maintains open handles to running processes. This method locates the csrss.exe process and enumerates its handle table, finding all handles to processes. Note that this will not typically find the csrss.exe process itself, nor system processes which were started before it.
- PspCidTable: The PspCidTable is a handle table for process and thread client IDs [Ref](http://uninformed.org/index.cgi?v=3&a=7&p=6). The process's pid is the index into this table. This method enumerates the table in order to find all processes. (Note a rootkit can easily remove a process from this table).
- Sessions: This enumerates all the processes in all windows sessions (SessionProcessLinks member of _MM_SESSION_SPACE struct).
- Handles: This enumerates all handle tables (which are found on a list from the symbol HandleTableListHead) and collects their owning process (the QuotaProcess member).
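Combining the methods is what makes unlinking detectable: a process removed from PsActiveProcessHead still appears in the sources it could not be scrubbed from. The following added example (not Rekall's code) merges constructed per-method listings the way pslist does and renders the per-method True/False table that psxview reports. Each listing is assumed to map an _EPROCESS address to (pid, name); the offsets and the hidden process are constructed.

```python
METHODS = ["PsActiveProcessHead", "CSRSS", "PspCidTable", "Sessions", "Handles"]

# Constructed listings. 0xe000deadb000 (pid 1337) has been unlinked from the
# active process list and PspCidTable but still has a session and handle table.
LISTINGS = {
    "PsActiveProcessHead": {0xe00000074580: (4, "System"), 0xe00001499040: (292, "smss.exe"),
                            0xe00001be1280: (380, "csrss.exe"), 0xe0000212c900: (372, "svchost.exe")},
    "CSRSS":               {0xe0000212c900: (372, "svchost.exe"), 0xe000deadb000: (1337, "evil.exe")},
    "PspCidTable":         {0xe00000074580: (4, "System"), 0xe00001499040: (292, "smss.exe"),
                            0xe00001be1280: (380, "csrss.exe"), 0xe0000212c900: (372, "svchost.exe")},
    "Sessions":            {0xe00001be1280: (380, "csrss.exe"), 0xe0000212c900: (372, "svchost.exe"),
                            0xe000deadb000: (1337, "evil.exe")},
    "Handles":             {0xe00000074580: (4, "System"), 0xe00001499040: (292, "smss.exe"),
                            0xe00001be1280: (380, "csrss.exe"), 0xe0000212c900: (372, "svchost.exe"),
                            0xe000deadb000: (1337, "evil.exe")},
}


def merge_process_lists(listings, methods=METHODS):
    """Union over all methods: offset -> (pid, name, {methods that saw it})."""
    merged = {}
    for method in methods:
        for offset, (pid, name) in listings.get(method, {}).items():
            entry = merged.setdefault(offset, (pid, name, set()))
            entry[2].add(method)
    return merged


def psxview(listings, methods=METHODS):
    """One row per process with a boolean column per method, as psxview prints."""
    merged = merge_process_lists(listings, methods)
    return [(offset, pid, name, [m in seen for m in methods])
            for offset, (pid, name, seen) in sorted(merged.items())]


def unlinked(listings, methods=METHODS):
    """Processes some method found but PsActiveProcessHead did not: the classic
    unlinking signature. Only the active list is used as the anchor because
    absence from CSRSS is expected for System and smss.exe (they start first)."""
    merged = merge_process_lists(listings, methods)
    return sorted((pid, name) for _, (pid, name, seen) in merged.items()
                  if "PsActiveProcessHead" not in seen)


if __name__ == "__main__":
    print(f"{'Offset':>16} {'Name':<12} {'PID':>5} " + " ".join(f"{m[:8]:<8}" for m in METHODS))
    for offset, pid, name, flags in psxview(LISTINGS):
        print(f"0x{offset:014x} {name:<12} {pid:>5} " + " ".join(f"{str(f):<8}" for f in flags))
    print("unlinked:", unlinked(LISTINGS))
```

The merge keeps the first (pid, name) seen for an offset, so a disagreement between methods about a process name would be worth a separate check; here the point is only which methods saw each _EPROCESS.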
### Sample output

```
  Offset (V)     Name         PID   PPID  Thds  Hnds  Sess  Wow64  Start                     Exit
DEBUG:root:Listed 48 processes using PsActiveProcessHead
DEBUG:root:Listed 43 processes using CSRSS
DEBUG:root:Listed 47 processes using PspCidTable
DEBUG:root:Listed 45 processes using Sessions
DEBUG:root:Listed 45 processes using Handles
0xe00000074580   System         4      0    97              False  2014-01-24 22:07:24+0000  -
0xe00001499040   smss.exe     292      4     2              False  2014-01-24 22:07:24+0000  -
0xe0000212c900   svchost.exe  372    528    15           0  False  2014-01-24 21:07:51+0000  -
0xe00001be1280   csrss.exe    380    372     8           0  False  2014-01-24 22:07:32+0000  -
0xe000000ce080   wininit.exe  432    372     1           0  False  2014-01-24 22:07:32+0000  -
0xe000000d9280   csrss.exe    440    424     9           1  False  2014-01-24 22:07:32+0000  -
```

## rammap (WinRammap)

Scan all physical memory and report page owners.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| end | IntParser | Physical memory address to end displaying. |
| start | IntParser | Physical memory address to start displaying. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## ssdt (WinSSDT)

Enumerate the SSDT.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The System Service Descriptor Table is the main interface to the kernel from user space. In the past, malware used to install hooks in this SSDT in order to intercept userspace->kernel calls. In more recent versions of Windows, Microsoft has implemented PatchGuard specifically to prevent these kinds of hooks. Therefore, it's very rare to see these kinds of hooks anymore.

The ssdt plugin enumerates the SSDT table and resolves the addresses back to the names of the functions. Windows has two SSDTs - one for the kernel and one for the GUI subsystem (win32k driver). An installed ssdt hook will appear as a function in a different module (or an unknown module).

### Sample output

```
win7.elf 15:35:25> ssdt
Table 0 @ 0xf80002691b00
  Entry  Target          Symbol
0x0      0xf80002aa2190  nt!NtMapUserPhysicalPagesScatter
0x1      0xf80002988a00  nt!NtWaitForSingleObject
0x2      0xf80002688dd0  nt!NtCallbackReturn
0x3      0xf800029abb10  nt!NtReadFile
0x4      0xf800029a9bb0  nt!NtDeviceIoControlFile
0x5      0xf800029a4ee0  nt!NtWriteFile
0x6      0xf8000294adc0  nt!NtRemoveIoCompletion
0x7      0xf80002947f10  nt!NtReleaseSemaphore
0x8      0xf8000299fda0  nt!NtReplyWaitReceivePort
0x9      0xf80002a71e20  nt!NtReplyPort
...
0x18c    0xf8000297a92c  nt!NtWaitForKeyedEvent
0x18d    0xf800026a1010  nt!NtWaitForWorkViaWorkerFactory
0x18e    0xf80002ab0b00  nt!NtWaitHighEventPair
0x18f    0xf80002ab0b90  nt!NtWaitLowEventPair
0x190    0xf80002678fc4  nt!NtWorkerFactoryWorkerReady
Table 1 @ 0xf960001a1c00
  Entry  Target          Symbol
0x0      0xf96000195580  win32k!NtUserGetThreadState
0x1      0xf96000192630  win32k!NtUserPeekMessage
0x2      0xf960001a3c6c  win32k!NtUserCallOneParam
0x3      0xf960001b1dd0  win32k!NtUserGetKeyState
0x4      0xf960001ab1ac  win32k!NtUserInvalidateRect
0x5      0xf960001a3e70  win32k!NtUserCallNoParam
0x6      0xf9600019b5a0  win32k!NtUserGetMessage
0x7      0xf9600017fbec  win32k!NtUserMessageCall
...
0x334    0xf96000153b80  win32k!NtUserValidateHandleSecure
0x335    0xf960001acd9c  win32k!NtUserWaitForInputIdle
0x336    0xf960001a6304  win32k!NtUserWaitForMsgAndEvent
0x337    0xf960001acef0  win32k!NtUserWindowFromPhysicalPoint
0x338    0xf960001ae06c  win32k!NtUserYieldTask
0x339    0xf960001a6b84  win32k!NtUserSetClassLongPtr
0x33a    0xf96000181ca0  win32k!NtUserSetWindowLongPtr
```

## sigscan (WinSigScan)

Runs a signature scan against physical, kernel or process memory.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## virt_map (WinVirtualMap)

Prints the Windows Kernel Virtual Address Map.

Windows allocates virtual address ranges to various purposes. This plugin deduces the virtual address map. On 32 bit windows, the kernel virtual address space can be managed dynamically. This plugin shows each region and what it is used for. Note that on 64 bit windows the address space is large enough to not worry about it. In that case, the offsets and regions are hardcoded.

http://www.woodmann.com/forum/entry.php?219-Using-nt!_MiSystemVaType-to-navigate-dynamic-kernel-address-space-in-Window

The kernel debugger shows the virtual address map using the !vm extension. For example:

```
> !vm 20
System Region               Base Address     NumberOfBytes
NonPagedPool:           ffff810000000000    100000000000
Session:                ffff910000000000      8000000000
SpecialPoolPaged:       ffff978000000000      8000000000
SystemCache:            ffff988000000000    100000000000
SystemPtes:             ffffae8000000000    100000000000
UltraZero:              ffffc00000000000    100000000000
PageTables:             ffffd40000000000      8000000000
Paged Pool:             ffffd48000000000    100000000000
SpecialPoolNonPaged:    ffffe50000000000      8000000000
PfnDatabase:            ffffe80000000000     38000000000
Cfg:                    ffffebdd84214da8     28000000000
HyperSpace:             ffffee8000000000     10000000000
SystemImages:           fffff80000000000      8000000000
```

Rekall uses this information to refine its operations to increase both efficiency and correctness. For example, when scanning for objects which should exist in non paged pools, by default Rekall only examines the NonPagedPool region. This speeds up operations as well as reducing false positives from unrelated memory regions.

Later kernel versions (Windows 10+) use a global nt!MiVisibleState to maintain state information, including the virtual address map. This plugin implements support for various versions.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
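An added example (not Rekall's code) of using such a map the way the paragraph above describes: it parses debugger output in the layout of the !vm listing into named regions, classifies kernel addresses by region, and restricts a set of candidate scan hits to the NonPagedPool region so that hits from unrelated memory are dropped. The listing text is constructed from the sample above (some regions omitted); region names that contain a space, such as "Paged Pool", are handled.

```python
import re

# Constructed copy of the debugger output shown above (a few regions omitted).
VM_OUTPUT = """
System Region               Base Address     NumberOfBytes
NonPagedPool:           ffff810000000000    100000000000
Session:                ffff910000000000      8000000000
SpecialPoolPaged:       ffff978000000000      8000000000
SystemCache:            ffff988000000000    100000000000
PageTables:             ffffd40000000000      8000000000
Paged Pool:             ffffd48000000000    100000000000
PfnDatabase:            ffffe80000000000     38000000000
SystemImages:           fffff80000000000      8000000000
"""

# Region name (may contain spaces), base address and byte count, all hex.
ROW = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s*$")


def parse_vm_map(text):
    """Return {region name: (base, end)} with end exclusive; the header is skipped."""
    regions = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            base, size = int(m.group(2), 16), int(m.group(3), 16)
            regions[m.group(1)] = (base, base + size)
    return regions


def region_of(regions, vaddr):
    """Name of the region containing vaddr, or None if it lies in no listed region."""
    for name, (base, end) in regions.items():
        if base <= vaddr < end:
            return name
    return None


def restrict_to_region(regions, name, candidates):
    """Keep only the candidate addresses inside the named region: a pool-tag
    hit outside NonPagedPool cannot be a live non-paged allocation."""
    base, end = regions[name]
    return [a for a in candidates if base <= a < end]


if __name__ == "__main__":
    regions = parse_vm_map(VM_OUTPUT)
    hits = [0xffff8100deadbeef, 0xffffd48000001000, 0xfffff80000100000]
    for a in hits:
        print(f"0x{a:016x} -> {region_of(regions, a)}")
    print("non-paged candidates:", [hex(a) for a in restrict_to_region(regions, "NonPagedPool", hits)])
```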
## yarascan (WinYaraScan)

Scan using yara signatures.

| Parameter | Type | Description |
|---|---|---|
| binary_string | String | A binary string (encoded as hex) to search for. e.g. 000102[1-200]0506 |
| context | IntParser | Context to print after the hit. |
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| hits | IntParser | Quit after finding this many hits. |
| limit | IntParser | The length of data to search in each selected region. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| pre_context | IntParser | Context to print before the hit. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_kernel_code | Boolean | Scan the kernel image and loaded drivers. |
| scan_kernel_nonpaged_pool | Boolean | Scan the kernel non-paged pool. |
| scan_kernel_paged_pool | Boolean | Scan the kernel paged pool. |
| scan_kernel_session_pools | Boolean | Scan session pools for all processes. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| string | String | A verbatim string to search for. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
| yara_expression | String | If provided we scan for this yara expression. |
| yara_file | String | The yara signature file to read. |
## address_resolver (WindowsAddressResolver)

A windows specific address resolver plugin.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| symbol | ArrayString | List of symbols to lookup. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## psxview (WindowsPsxView)

Find hidden processes with various process listings.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## cc (WindowsSetProcessContext)

A cc plugin for windows.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| eprocess | ArrayIntParser | Kernel addresses of eprocess structs. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## windows_stations (WindowsStations)

Displays all the windows stations by following lists.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## times (WindowsTimes)

Return current time, as known to the kernel.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
# 2.1.2 Linux

## arp (Arp)

Print the ARP table.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

arp returns the list of IPv4 network neighbour entries in the kernel cache. Rekall uses the neigh_tables kernel symbol and walks the neighbour tables to show the entries.

### Sample output

```
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 12:09:00> arp
arp()
  IP Address         MAC                Device
ff02::1:ff57:f719    33:33:ff:57:f7:19  eth0
ff02::16             33:33:00:00:00:16  eth0
192.168.239.2        00:50:56:e5:38:b6  eth0
192.168.239.254      00:50:56:f7:25:d0  eth0
```

## banner (Banner)

Prints the Linux banner information.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

banner output provides the same information as running uname -a on the host.

### Sample output

```
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 12:17:38> banner
banner()
  Banner
Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 (Ubuntu 3.11.0-12.19-generic 3.11.3)
```

## bash (BashHistory)

Scan the bash process for history. Based on original algorithm by Andrew Case.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | The processes we should examine. |
| scan_entire_address_space | Boolean | Scan the entire process address space, not only the heap. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The Bourne Again Shell maintains a history of all commands that have been executed in the current session in memory. bash is a plugin that provides a chronologically ordered list of commands executed by each bash process, grouped by pid.

### Notes

Only commands executed in each bash session are stored in memory. So if you're looking for commands from exited bash sessions you may have more luck looking at the on-disk .bash_history file, if logging wasn't disabled.

### Sample output
```
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 12:27:35> bash
bash()
  Pid   Name   Timestamp                  Command
1335    bash   2014-03-04 17:16:31+0000   uname -a
```

## check_afinfo (CheckAFInfo)

Verifies the operation function pointers of network protocols.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

The plugin identifies the location of each function pointer of different network protocols. If located within the kernel or a loaded module, rekall will give such information as well as its kernel-space address. If malware dynamically allocates memory and copies code there to handle these functions, the Module column will appear as Unknown.

### Sample output

```
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 13:51:35> check_afinfo
check_afinfo()
  Constant Name        Member            Address         Module
tcp4_seq_afinfo        seq_fops.llseek   0xffff811c9250  Kernel
tcp4_seq_afinfo        seq_fops.read     0xffff811c9460  Kernel
tcp4_seq_afinfo        seq_fops.release  0xffff812157d0  Kernel
udplite6_seq_afinfo    seq_ops.show      0xffff816a1300  Kernel
udplite6_seq_afinfo    seq_fops.llseek   0xffff811c9250  Kernel
udplite6_seq_afinfo    seq_fops.read     0xffff811c9460  Kernel
udplite6_seq_afinfo    seq_fops.release  0xffff812157d0  Kernel
udp6_seq_afinfo        seq_ops.show      0xffff816a1300  Kernel
udp6_seq_afinfo        seq_fops.llseek   0xffff811c9250  Kernel
udp6_seq_afinfo        seq_fops.read     0xffff811c9460  Kernel
udp6_seq_afinfo        seq_fops.release  0xffff812157d0  Kernel
udplite4_seq_afinfo    seq_ops.show      0xffff8164f9e0  Kernel
udplite4_seq_afinfo    seq_fops.llseek   0xffff811c9250  Kernel
udplite4_seq_afinfo    seq_fops.read     0xffff811c9460  Kernel
udplite4_seq_afinfo    seq_fops.release  0xffff812157d0  Kernel
udp4_seq_afinfo        seq_ops.show      0xffff8164f9e0  Kernel
udp4_seq_afinfo        seq_fops.llseek   0xffff811c9250  Kernel
udp4_seq_afinfo        seq_fops.read     0xffff811c9460  Kernel
udp4_seq_afinfo        seq_fops.release  0xffff812157d0  Kernel
```

## check_creds (CheckCreds)

Checks if any processes are sharing credential structures.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

In order for rootkits to elevate the privileges of a given process, they need to alter the current effective identifier of a process. Before kernel 2.6, this was done by setting a couple of integers in the process task to the desired ID. After 2.6, credentials are handled internally via the task_struct->cred member. Likely due to laziness or a poor attempt at remaining stealthy, some rootkits simply reuse the cred member of tasks that have the desired credentials (most often ID 0: root).

This plugin reports the location of the cred member of each task. When this structure is being reused, you'll see more than one line of output with the same cred address.
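The detection reduces to grouping tasks by their cred address and looking for groups with more than one member. The following added example (not Rekall's code) does exactly that over a constructed task list in the plugin's Cred/PID/Command layout, and renders the report with shared cred structures first so the anomaly is not lost in a long listing. The pid 1499 row is a hypothetical task that reuses the cred of an existing process.

```python
from collections import defaultdict

# Constructed (cred address, pid, command) rows, mimicking check_creds output.
# The last row is hypothetical: a task whose cred pointer equals cron's.
TASKS = [
    (0x88003b86c900, 966, "dbus-daemon"),
    (0x88003c766480, 1031, "systemd-logind"),
    (0x88003c1a7380, 1056, "getty"),
    (0x88003c1d2c00, 1131, "cron"),
    (0x88003c767440, 1335, "bash"),
    (0x88003c1a6cc0, 1074, "sshd"),
    (0x88003c1d2c00, 1499, "nc"),
]


def group_by_cred(tasks):
    """cred address -> [(pid, command)], in listing order."""
    groups = defaultdict(list)
    for cred, pid, comm in tasks:
        groups[cred].append((pid, comm))
    return groups


def shared_creds(tasks):
    """Only the cred structures referenced by more than one task."""
    return {cred: members for cred, members in group_by_cred(tasks).items()
            if len(members) > 1}


def report(tasks):
    """Rows in the plugin's Cred/PID/Command layout, shared creds first."""
    shared = shared_creds(tasks)
    rows = sorted(tasks, key=lambda t: (t[0] not in shared, t[0], t[1]))
    return [f"0x{cred:012x} {pid:6d} {comm}" for cred, pid, comm in rows]


if __name__ == "__main__":
    print("  Cred            PID   Command")
    for line in report(TASKS):
        print(line)
    for cred, members in shared_creds(TASKS).items():
        print(f"cred 0x{cred:x} shared by pids {[pid for pid, _ in members]}")
```

A shared cred address is a lead rather than a verdict: the analyst still has to establish which of the tasks in the group legitimately owns those credentials.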
### Sample output

```
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 15:40:12> check_creds
check_creds()
  Cred            PID   Command
0x88003b86c900    966   dbus-daemon
0x88003c766480   1031   systemd-logind
0x88003c1a7380   1056   getty
0x88003c1d2180   1103   irqbalance
0x88003c1d23c0   1290   kauditd
0x88003c1a6c00   1058   getty
0x880036b2e840   1132   atd
0x88003b96d080   1055   getty
0x88003c767440   1335   bash
0x88003c1a6cc0   1074   sshd
0x88003c1d2c00   1131   cron
0x88003cbc0900   1160   login
0x88003c183140   1081   acpid
0x88003b9ded80   1042   getty
0x88003b9dee40   1049   getty
0x88003c1a78c0   1176   whoopsie
0x88003c69a480   1486   dnsmasq
0x88003cbc1440   1199   libvirtd
```

## check_idt (CheckIdt)

Checks if the IDT has been altered.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

This plugin tries to identify the symbol name or location of each entry in the Interrupt Descriptor Table.

The IDT holds a list of gate descriptors. These descriptors can be task, trap or interrupt descriptors. Interrupt Gates are invoked via the int instruction. System calls, for example, can be invoked in Linux with an int 0x80 instruction. Trap Gates are also invoked via the int instruction but don't modify the IF flag in the EFLAGS register. Task Gates were originally intended to facilitate task switching but are mostly not used nowadays.

The plugin provides 6 columns as output:

- __Index__: The gate number.
- __Address__: The kernel address of the gate handler.
- __Type__: Whether this is an int/trap/task gate.
- __Present__: If the gate descriptor is present.
- __DPL__: Descriptor Privilege Level. The highest ring that is allowed to call this gate.
- __Symbol__: The kernel symbol that the address points to. If it's unknown but within the kernel image, it will be Kernel. Otherwise, Unknown.

### Notes

A value of Kernel in the __Symbol__ column means "part of the kernel image", not "anywhere in the kernel address space".

Rekall currently only validates the IDT at the address pointed to by the kernel symbol idt_table. Note that on a running system, the current IDT may be different as it can be changed via the x86 lidt instruction.

Entries 0x00 to 0x1F are reserved by Intel for processor exceptions.

### Sample output

```
$ python rekall/rekal.py --de -f ~/projects/actaeon64/memory_images/Windows7_VMware\(Win7x64+Ubuntu686\,Ubuntu64\)_VBox\(XPSP3x86\).ram --profile_path ../rekall-profiles/ --profile_path ../my-profiles/ --ept 0x17725001E check_idt
  Index  Address         Type             Present  DPL  Symbol
0x0      0xffff816f6970  32-bit Int Gate  1        0    divide_error
0x1      0xffff816ecc80  32-bit Int Gate  1        0    Kernel
0x2      0xffff816ed0b0  32-bit Int Gate  1        0    nmi
0x3      0xffff816eccc0  32-bit Int Gate  1        3    int3
0x4      0xffff816f69a0  32-bit Int Gate  1        3    overflow
0x5      0xffff816f69d0  32-bit Int Gate  1        0    bounds
0x6      0xffff816f6a00  32-bit Int Gate  1        0    invalid_op
0x7      0xffff816f6a30  32-bit Int Gate  1        0    device_not_available
0x8      0xffff816f6a60  32-bit Int Gate  1        0    double_fault
0x9      0xffff816f6a90  32-bit Int Gate  1        0    coprocessor_segment_overrun
0xa      0xffff816f6ac0  32-bit Int Gate  1        0    invalid_TSS
0xb      0xffff816f6af0  32-bit Int Gate  1        0    segment_not_present
0xc      0xffff816ecd00  32-bit Int Gate  1        0    stack_segment
0xd      0xffff816ecdc0  32-bit Int Gate  1        0    general_protection
0xe      0xffff816ecdf0  32-bit Int Gate  1        0    page_fault
0xf      0xffff816f6b20  32-bit Int Gate  1        0    spurious_interrupt_bug
0x10     0xffff816f6b50  32-bit Int Gate  1        0    coprocessor_error
0x11     0xffff816f6b80  32-bit Int Gate  1        0    alignment_check
0x12     0xffff816ece50  32-bit Int Gate  1        0    machine_check
0x13     0xffff816f6bb0  32-bit Int Gate  1        0    simd_coprocessor_error
0x14     0xffff81d260b4  32-bit Int Gate  1        0    Unknown
0x15     0xffff81d260bd  32-bit Int Gate  1        0    Unknown
0x16     0xffff81d260c6  32-bit Int Gate  1        0    Unknown
0x17     0xffff81d260cf  32-bit Int Gate  1        0    Unknown
0x18     0xffff81d260d8  32-bit Int Gate  1        0    Unknown
0x19     0xffff81d260e1  32-bit Int Gate  1        0    Unknown
0x1a     0xffff81d260ea  32-bit Int Gate  1        0    Unknown
0x1b     0xffff81d260f3  32-bit Int Gate  1        0    Unknown
0x1c     0xffff81d260fc  32-bit Int Gate  1        0    Unknown
0x1d     0xffff81d26105  32-bit Int Gate  1        0    Unknown
0x1e     0xffff81d2610e  32-bit Int Gate  1        0    Unknown
0x1f     0xffff81d26117  32-bit Int Gate  1        0    Unknown
0x20     0xffff816f5e00  32-bit Int Gate  1        0    irq_move_cleanup_interrupt
0x21     0xffff816f5a04  32-bit Int Gate  1        0    Kernel
0x22     0xffff816f5a08  32-bit Int Gate  1        0    Kernel
0x23     0xffff816f5a0c  32-bit Int Gate  1        0    Kernel
0x24     0xffff816f5a10  32-bit Int Gate  1        0    Kernel
0x25     0xffff816f5a14  32-bit Int Gate  1        0    Kernel
0x26     0xffff816f5a18  32-bit Int Gate  1        0    Kernel
0x27     0xffff816f5a20  32-bit Int Gate  1        0    Kernel
0x28     0xffff816f5a24  32-bit Int Gate  1        0    Kernel
0x29     0xffff816f5a28  32-bit Int Gate  1        0    Kernel
0x2a     0xffff816f5a2c  32-bit Int Gate  1        0    Kernel
0x2b     0xffff816f5a30  32-bit Int Gate  1        0    Kernel
0x2c     0xffff816f5a34  32-bit Int Gate  1        0    Kernel
0x2d     0xffff816f5a38  32-bit Int Gate  1        0    Kernel
0x2e     0xffff816f5a40  32-bit Int Gate  1        0    Kernel
0x2f     0xffff816f5a44  32-bit Int Gate  1        0    Kernel
0x30     0xffff816f5a48  32-bit Int Gate  1        0    Kernel
0x31     0xffff816f5a4c  32-bit Int Gate  1        0    Kernel
0x32     0xffff816f5a50  32-bit Int Gate  1        0    Kernel
0x33     0xffff816f5a54  32-bit Int Gate  1        0    Kernel
0x34     0xffff816f5a58  32-bit Int Gate  1        0    Kernel
0x35     0xffff816f5a60  32-bit Int Gate  1        0    Kernel
0x36     0xffff816f5a64  32-bit Int Gate  1        0    Kernel
0x37     0xffff816f5a68  32-bit Int Gate  1        0    Kernel
0x38     0xffff816f5a6c  32-bit Int Gate  1        0    Kernel
0x39     0xffff816f5a70  32-bit Int Gate  1        0    Kernel
0x3a     0xffff816f5a74  32-bit Int Gate  1        0    Kernel
0x3b     0xffff816f5a78  32-bit Int Gate  1        0    Kernel
0x3c     0xffff816f5a80  32-bit Int Gate  1        0    Kernel
0x3d     0xffff816f5a84  32-bit Int Gate  1        0    Kernel
0x3e     0xffff816f5a88  32-bit Int Gate  1        0    Kernel
0x3f     0xffff816f5a8c  32-bit Int Gate  1        0    Kernel
0x40     0xffff816f5a90  32-bit Int Gate  1        0    Kernel
0x41     0xffff816f5a94  32-bit Int Gate  1        0    Kernel
0x42     0xffff816f5a98  32-bit Int Gate  1        0    Kernel
0x43     0xffff816f5aa0  32-bit Int Gate  1        0    Kernel
0x44     0xffff816f5aa4  32-bit Int Gate  1        0    Kernel
0x45     0xffff816f5aa8  32-bit Int Gate  1        0    Kernel
0x46     0xffff816f5aac  32-bit Int Gate  1        0    Kernel
0x47     0xffff816f5ab0  32-bit Int Gate  1        0    Kernel
0x48     0xffff816f5ab4  32-bit Int Gate  1        0    Kernel
0x49     0xffff816f5ab8  32-bit Int Gate  1        0    Kernel
0x4a     0xffff816f5ac0  32-bit Int Gate  1        0    Kernel
0x4b     0xffff816f5ac4  32-bit Int Gate  1        0    Kernel
0x4c     0xffff816f5ac8  32-bit Int Gate  1        0    Kernel
0x4d     0xffff816f5acc  32-bit Int Gate  1        0    Kernel
0x4e     0xffff816f5ad0  32-bit Int Gate  1        0    Kernel
0x4f     0xffff816f5ad4  32-bit Int Gate  1        0    Kernel
0x50     0xffff816f5ad8  32-bit Int Gate  1        0    Kernel
0x51     0xffff816f5ae0  32-bit Int Gate  1        0    Kernel
0x52     0xffff816f5ae4  32-bit Int Gate  1        0    Kernel
0x53     0xffff816f5ae8  32-bit Int Gate  1        0    Kernel
0x54     0xffff816f5aec  32-bit Int Gate  1        0    Kernel
0x55     0xffff816f5af0  32-bit Int Gate  1        0    Kernel
0x56     0xffff816f5af4  32-bit Int Gate  1        0    Kernel
0x57     0xffff816f5af8  32-bit Int Gate  1        0    Kernel
0x58     0xffff816f5b00  32-bit Int Gate  1        0    Kernel
0x59     0xffff816f5b04  32-bit Int Gate  1        0    Kernel
0x5a     0xffff816f5b08  32-bit Int Gate  1        0    Kernel
0x5b     0xffff816f5b0c  32-bit Int Gate  1        0    Kernel
0x5c     0xffff816f5b10  32-bit Int Gate  1        0    Kernel
0x5d     0xffff816f5b14  32-bit Int Gate  1        0    Kernel
0x5e     0xffff816f5b18  32-bit Int Gate  1        0    Kernel
0x5f     0xffff816f5b20  32-bit Int Gate  1        0    Kernel
0x60     0xffff816f5b24  32-bit Int Gate  1        0    Kernel
0x61     0xffff816f5b28  32-bit Int Gate  1        0    Kernel
0x62     0xffff816f5b2c  32-bit Int Gate  1        0    Kernel
0x63     0xffff816f5b30  32-bit Int Gate  1        0    Kernel
0x64     0xffff816f5b34  32-bit Int Gate  1        0    Kernel
0x65     0xffff816f5b38  32-bit Int Gate  1        0    Kernel
0x66     0xffff816f5b40  32-bit Int Gate  1        0    Kernel
0x67     0xffff816f5b44  32-bit Int Gate  1        0    Kernel
0x68     0xffff816f5b48  32-bit Int Gate  1        0    Kernel
0x69     0xffff816f5b4c  32-bit Int Gate  1        0    Kernel
0x6a     0xffff816f5b50  32-bit Int Gate  1        0    Kernel
0x6b     0xffff816f5b54  32-bit Int Gate  1        0    Kernel
0x6c     0xffff816f5b58  32-bit Int Gate  1        0    Kernel
0x6d     0xffff816f5b60  32-bit Int Gate  1        0    Kernel
0x6e     0xffff816f5b64  32-bit Int Gate  1        0    Kernel
0x6f     0xffff816f5b68  32-bit Int Gate  1        0    Kernel
0x70     0xffff816f5b6c  32-bit Int Gate  1        0    Kernel
0x71     0xffff816f5b70  32-bit Int Gate  1        0    Kernel
0x72     0xffff816f5b74  32-bit Int Gate  1        0    Kernel
0x73     0xffff816f5b78  32-bit Int Gate  1        0    Kernel
0x74     0xffff816f5b80  32-bit Int Gate  1        0    Kernel
0x75     0xffff816f5b84  32-bit Int Gate  1        0    Kernel
0x76     0xffff816f5b88  32-bit Int Gate  1        0    Kernel
0x77     0xffff816f5b8c  32-bit Int Gate  1        0    Kernel
0x78     0xffff816f5b90  32-bit Int Gate  1        0    Kernel
0x79     0xffff816f5b94  32-bit Int Gate  1        0    Kernel
0x7a     0xffff816f5b98  32-bit Int Gate  1        0    Kernel
0x7b     0xffff816f5ba0  32-bit Int Gate  1        0    Kernel
0x7c     0xffff816f5ba4  32-bit Int Gate  1        0    Kernel
0x7d     0xffff816f5ba8  32-bit Int Gate  1        0    Kernel
0x7e     0xffff816f5bac  32-bit Int Gate  1        0    Kernel
0x7f     0xffff816f5bb0  32-bit Int Gate  1        0    Kernel
0x80     0xffff816f72e0  32-bit Int Gate  1        3    ia32_syscall
0x81     0xffff816f5bb8  32-bit Int Gate  1        0    Kernel
0x82     0xffff816f5bc0  32-bit Int Gate  1        0    Kernel
0x83     0xffff816f5bc4  32-bit Int Gate  1        0    Kernel
0x84     0xffff816f5bc8  32-bit Int Gate  1        0    Kernel
0x85     0xffff816f5bcc  32-bit Int Gate  1        0    Kernel
0x86     0xffff816f5bd0  32-bit Int Gate  1        0    Kernel
0x87     0xffff816f5bd4  32-bit Int Gate  1        0    Kernel
0x88     0xffff816f5bd8  32-bit Int Gate  1        0    Kernel
0x89     0xffff816f5be0  32-bit Int Gate  1        0    Kernel
0x8a     0xffff816f5be4  32-bit Int Gate  1        0    Kernel
0x8b     0xffff816f5be8  32-bit Int Gate  1        0    Kernel
0x8c     0xffff816f5bec  32-bit Int Gate  1        0    Kernel
0x8d     0xffff816f5bf0  32-bit Int Gate  1        0    Kernel
0x8e     0xffff816f5bf4  32-bit Int Gate  1        0    Kernel
0x8f     0xffff816f5bf8  32-bit Int Gate  1        0    Kernel
0x90     0xffff816f5c00  32-bit Int Gate  1        0    Kernel
0x91     0xffff816f5c04  32-bit Int Gate  1        0    Kernel
0x92     0xffff816f5c08  32-bit Int Gate  1        0    Kernel
0x93     0xffff816f5c0c  32-bit Int Gate  1        0    Kernel
0x94     0xffff816f5c10  32-bit Int Gate  1        0    Kernel
0x95     0xffff816f5c14  32-bit Int Gate  1        0    Kernel
0x96     0xffff816f5c18  32-bit Int Gate  1        0    Kernel
0x97     0xffff816f5c20  32-bit Int Gate  1        0    Kernel
0x98     0xffff816f5c24  32-bit Int Gate  1        0    Kernel
0x99     0xffff816f5c28  32-bit Int Gate  1        0    Kernel
0x9a     0xffff816f5c2c  32-bit Int Gate  1        0    Kernel
0x9b     0xffff816f5c30  32-bit Int Gate  1        0    Kernel
0x9c     0xffff816f5c34  32-bit Int Gate  1        0    Kernel
0x9d     0xffff816f5c38  32-bit Int Gate  1        0    Kernel
0x9e     0xffff816f5c40  32-bit Int Gate  1        0    Kernel
0x9f     0xffff816f5c44  32-bit Int Gate  1        0    Kernel
0xa0     0xffff816f5c48  32-bit Int Gate  1        0    Kernel
0xa1     0xffff816f5c4c  32-bit Int Gate  1        0    Kernel
0xa2     0xffff816f5c50  32-bit Int Gate  1        0    Kernel
0xa3     0xffff816f5c54  32-bit Int Gate  1        0    Kernel
0xa4     0xffff816f5c58  32-bit Int Gate  1        0    Kernel
0xa5     0xffff816f5c60  32-bit Int Gate  1        0    Kernel
0xa6     0xffff816f5c64  32-bit Int Gate  1        0    Kernel
0xa7     0xffff816f5c68  32-bit Int Gate  1        0    Kernel
0xa8     0xffff816f5c6c  32-bit Int Gate  1        0    Kernel
0xa9     0xffff816f5c70  32-bit Int Gate  1        0    Kernel
0xaa     0xffff816f5c74  32-bit Int Gate  1        0    Kernel
0xab     0xffff816f5c78  32-bit Int Gate  1        0    Kernel
0xac     0xffff816f5c80  32-bit Int Gate  1        0    Kernel
0xad     0xffff816f5c84  32-bit Int Gate  1        0    Kernel
0xae     0xffff816f5c88  32-bit Int Gate  1        0    Kernel
0xaf     0xffff816f5c8c  32-bit Int Gate  1        0    Kernel
0xb0     0xffff816f5c90  32-bit Int Gate  1        0    Kernel
0xb1     0xffff816f5c94  32-bit Int Gate  1        0    Kernel
0xb2     0xffff816f5c98  32-bit Int Gate  1        0    Kernel
0xb3     0xffff816f5ca0  32-bit Int Gate  1        0    Kernel
0xb4     0xffff816f5ca4  32-bit Int Gate  1        0    Kernel
0xb5     0xffff816f5ca8  32-bit Int Gate  1        0    Kernel
0xb6     0xffff816f5cac  32-bit Int Gate  1        0    Kernel
0xb7     0xffff816f5cb0  32-bit Int Gate  1        0    Kernel
0xb8     0xffff816f5cb4  32-bit Int Gate  1        0    Kernel
0xb9     0xffff816f5cb8  32-bit Int Gate  1        0    Kernel
0xba     0xffff816f5cc0  32-bit Int Gate  1        0    Kernel
0xbb     0xffff816f5cc4  32-bit Int Gate  1        0    Kernel
0xbc     0xffff816f5cc8  32-bit Int Gate  1        0    Kernel
0xbd     0xffff816f5ccc  32-bit Int Gate  1        0    Kernel
0xbe     0xffff816f5cd0  32-bit Int Gate  1        0    Kernel
0xbf     0xffff816f5cd4  32-bit Int Gate  1        0    Kernel
0xc0     0xffff816f5cd8  32-bit Int Gate  1        0    Kernel
0xc1     0xffff816f5ce0  32-bit Int Gate  1        0    Kernel
0xc2     0xffff816f5ce4  32-bit Int Gate  1        0    Kernel
0xc3     0xffff816f5ce8  32-bit Int Gate  1        0    Kernel
0xc4     0xffff816f5cec  32-bit Int Gate  1        0    Kernel
0xc5     0xffff816f5cf0  32-bit Int Gate  1        0    Kernel
0xc6     0xffff816f5cf4  32-bit Int Gate  1        0    Kernel
0xc7     0xffff816f5cf8  32-bit Int Gate  1        0    Kernel
0xc8     0xffff816f5d00  32-bit Int Gate  1        0    Kernel
0xc9     0xffff816f5d04  32-bit Int Gate  1        0    Kernel
0xca     0xffff816f5d08  32-bit Int Gate  1        0    Kernel
0xcb     0xffff816f5d0c  32-bit Int Gate  1        0    Kernel
0xcc     0xffff816f5d10  32-bit Int Gate  1        0    Kernel
0xcd     0xffff816f5d14  32-bit Int Gate  1        0    Kernel
0xce     0xffff816f5d18  32-bit Int Gate  1        0    Kernel
0xcf     0xffff816f5d20  32-bit Int Gate  1        0    Kernel
0xd0     0xffff816f5d24  32-bit Int Gate  1        0    Kernel
0xd1     0xffff816f5d28  32-bit Int Gate  1        0    Kernel
0xd2     0xffff816f5d2c  32-bit Int Gate  1        0    Kernel
0xd3     0xffff816f5d30  32-bit Int Gate  1        0    Kernel
0xd4     0xffff816f5d34  32-bit Int Gate  1        0    Kernel
0xd5     0xffff816f5d38  32-bit Int Gate  1        0    Kernel
0xd6     0xffff816f5d40  32-bit Int Gate  1        0    Kernel
0xd7     0xffff816f5d44  32-bit Int Gate  1        0    Kernel
0xd8     0xffff816f5d48  32-bit Int Gate  1        0    Kernel
0xd9     0xffff816f5d4c  32-bit Int Gate  1        0    Kernel
0xda     0xffff816f5d50  32-bit Int Gate  1        0    Kernel
0xdb     0xffff816f5d54  32-bit Int Gate  1        0    Kernel
0xdc     0xffff816f5d58  32-bit Int Gate  1        0    Kernel
0xdd     0xffff816f5d60  32-bit Int Gate  1        0    Kernel
0xde     0xffff816f5d64  32-bit Int Gate  1        0    Kernel
0xdf     0xffff816f5d68  32-bit Int Gate  1        0    Kernel
0xe0     0xffff816f5d6c  32-bit Int Gate  1        0    Kernel
0xe1     0xffff816f5d70  32-bit Int Gate  1        0    Kernel
0xe2     0xffff816f5d74  32-bit Int Gate  1        0    Kernel
0xe3     0xffff816f5d78  32-bit Int Gate  1        0    Kernel
0xe4     0xffff816f5d80  32-bit Int Gate  1        0    Kernel
0xe5     0xffff816f5d84  32-bit Int Gate  1        0    Kernel
0xe6     0xffff816f5d88  32-bit Int Gate  1        0    Kernel
0xe7     0xffff816f5d8c  32-bit Int Gate  1        0    Kernel
0xe8     0xffff816f5d90  32-bit Int Gate  1        0    Kernel
0xe9     0xffff816f5d94  32-bit Int Gate  1        0    Kernel
0xea     0xffff816f5d98  32-bit Int Gate  1        0    Kernel
0xeb     0xffff816f5da0  32-bit Int Gate  1        0    Kernel
0xec     0xffff816f5da4  32-bit Int Gate  1        0    Kernel
0xed     0xffff816f5da8  32-bit Int Gate  1        0    Kernel
0xee     0xffff816f5dac  32-bit Int Gate  1        0    Kernel
0xef     0xffff816f5ef0  32-bit Int Gate  1        0    apic_timer_interrupt
0xf0     0xffff816f5db4  32-bit Int Gate  1        0    Kernel
0xf1     0xffff816f5db8  32-bit Int Gate  1        0    Kernel
```

## check_modules (CheckModules)

Compares module list to sysfs info, if available.

Sysfs contains kset objects for a number of kernel objects (kobjects). One of the ksets is the "module_kset" which holds references to all loaded kernel modules. Each struct module object holds within it a kobj struct for reference counting. This object is referenced both from the struct module and the sysfs kset.

This plugin traverses the kset and resolves the kobj back to its containing object (which is the struct module itself). We then compare the struct module with the list of known modules (which is obtained by traversing the module's list member). So if a module were to simply unlink itself from the list, it would still be found by its reference from sysfs.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## check_proc_fops (CheckProcFops)

Checks the proc filesystem for hooked f_ops.

| Parameter | Type | Description |
|---|---|---|
| all | Boolean | Specify to see all the fops, even if they are known. |
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

check_proc_fops checks the file operations pointers of each open file in the proc filesystem. Some rootkits hook these operations in order to implement process hiding. In order to determine if an operation pointer is hooked, rekall checks that the pointer resides within a known module or the kernel image. If a pointer is found outside of these bounds, it will be reported.

### Notes

To obtain a list of all checked function pointers, use the --all parameter.

### Sample output

Expect blank output on clean systems.

```
pmem 15:44:30> check_proc_fops
check_proc_fops()
  DirEntry   Path   Member   Address   Module
pmem 15:44:35>
```

## check_syscall (CheckSyscall)

Checks if the system call table has been altered.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

check_syscall checks if every syscall handler points to a known symbol in the profile. All the default syscall handlers for a given kernel should be exported along with the profile, and if a handler is changed, Rekall will detect it.

### Notes

1. Unknown symbols are reported as Unknown.
2. Only the handler pointers are checked. If the original handler is still being used but it has been patched in memory, no hook detection will be done.
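The pointer classification behind ssdt, check_afinfo, check_idt, check_proc_fops, check_task_fops, check_ttys and check_syscall is the same operation: resolve each function pointer to a profile symbol, to "Kernel" when it falls inside the kernel image without a matching symbol, to the containing loaded module, or else to "Unknown", and report only the unknown ones unless the caller asks for everything (the --all behaviour). The following added example (not Rekall's code) implements that over constructed module ranges, a constructed symbol table and a constructed table of operation pointers. It also makes the second note concrete: a handler that still points at the original symbol passes the check even if its code was patched in place, so this kind of check must be paired with code integrity comparison to catch inline patches.

```python
# Constructed address ranges: name -> (start, end). "Kernel" is the kernel image.
MODULES = {
    "Kernel": (0xffffffff81000000, 0xffffffff81c00000),
    "e1000": (0xffffffffa0001000, 0xffffffffa0040000),
}

# Constructed profile symbols (address -> name), as exported with a profile.
SYMBOLS = {
    0xffffffff811c9250: "seq_lseek",
    0xffffffff811c9460: "seq_read",
    0xffffffff812157d0: "seq_release",
    0xffffffff8164f9e0: "udp4_seq_show",
    0xffffffff811b0c00: "sys_getdents64",
}


def resolve(addr, modules=MODULES, symbols=SYMBOLS):
    """Return (module, symbol) for a pointer: the exact profile symbol, the
    containing module's name when no symbol matches (so 'Kernel' for an
    unnamed address inside the kernel image), or ('Unknown', 'Unknown')."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name, symbols.get(addr, name)
    return "Unknown", "Unknown"


def check_table(entries, modules=MODULES, symbols=SYMBOLS, show_all=False):
    """entries: [(owner, member, address)]. Returns rows of
    (owner, member, address, module, symbol). With show_all=False only pointers
    outside every known module are returned, matching the plugins' default
    'blank output on a clean system'."""
    rows = []
    for owner, member, addr in entries:
        module, symbol = resolve(addr, modules, symbols)
        if show_all or module == "Unknown":
            rows.append((owner, member, addr, module, symbol))
    return rows


# Constructed table in the check_afinfo / check_task_fops shape. One pointer sits
# in a loaded module (fine), one in anonymous memory outside every module (hook).
FOPS = [
    ("tcp4_seq_afinfo", "seq_fops.llseek", 0xffffffff811c9250),
    ("tcp4_seq_afinfo", "seq_fops.read", 0xffffffff811c9460),
    ("udp4_seq_afinfo", "seq_ops.show", 0xffffffff8164f9e0),
    ("udp4_seq_afinfo", "seq_fops.release", 0xffffffffa0012340),   # inside e1000
    ("tcp4_seq_afinfo", "seq_fops.release", 0xffffffffc0a8e000),   # hypothetical hook
]


if __name__ == "__main__":
    print("  Constant Name    Member            Address             Module   Symbol")
    for owner, member, addr, module, symbol in check_table(FOPS, show_all=True):
        print(f"{owner:<16} {member:<17} 0x{addr:016x}  {module:<8} {symbol}")
    print("flagged:", [(o, m) for o, m, _, _, _ in check_table(FOPS)])
```

The same helper applies to an IDT or SSDT listing by passing (table name, entry index, handler address) triples; only the shape of the owner/member columns changes.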
###Sampleoutputcheck_ttys(CheckTTY)Checksttydevicesforhooks.
Somemalwareinsertahookintotheopsstructofthettydriver.
Thispluginenumeratesalltty_structobjectsandchecksiftheiropshandlershavebeensubverted.
2.
1.
Memory97RekallForensicsDocumentation,Release1.
7.
2PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
## check_task_fops (CheckTaskFops)

Check open files in tasks for f_ops modifications.

| Parameter | Type | Description |
|---|---|---|
| all | Boolean | Specify to see all the fops, even if they are known. |
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

check_task_fops checks the file operations pointers of each running process' open files. Rootkits may hook these function pointers in order to control operation of specific tasks. In order to determine if an operation pointer is hooked, Rekall checks that the pointer resides within a known module or the kernel image. If a pointer is found outside of these bounds, it will be reported.
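The following is an added example and not Rekall's own code: it reduces the bounds check that check_proc_fops, check_task_fops and check_syscall perform to plain Python over constructed data. The kernel text range, module ranges, profile symbol table, f_ops pointers and syscall table below are all invented sample values; on a real image they come from the profile and the loaded module list.

```python
# Added example, not Rekall's own code: the "does this pointer live inside a
# known module or the kernel image" check over constructed sample data.
# Every address, range and symbol below is a made-up value for illustration.
from typing import Dict, List, Optional, Tuple

# Constructed code ranges: (name, start, end).
KERNEL_TEXT = ("kernel", 0xFFFFFFFF81000000, 0xFFFFFFFF81A00000)
KNOWN_MODULES = [
    ("ext4", 0xFFFFFFFFA0000000, 0xFFFFFFFFA0040000),
    ("e1000", 0xFFFFFFFFA0080000, 0xFFFFFFFFA00A0000),
]

# Constructed profile symbol table: the addresses an (imaginary) profile
# exports for the default syscall handlers of this kernel build.
PROFILE_SYMBOLS = {
    0xFFFFFFFF81200100: "sys_read",
    0xFFFFFFFF81200200: "sys_write",
    0xFFFFFFFF81200300: "sys_open",
}


def find_owner(ptr: int) -> Optional[str]:
    """Return the kernel or module whose code range contains ptr, else None."""
    name, start, end = KERNEL_TEXT
    if start <= ptr < end:
        return name
    for name, start, end in KNOWN_MODULES:
        if start <= ptr < end:
            return name
    return None


def check_fops(path: str, fops: Dict[str, int],
               show_all: bool = False) -> List[Tuple[str, str, int, str]]:
    """check_*_fops logic: (path, member, address, module) rows.

    By default only pointers outside every known range are returned, which
    is why a clean system produces blank output; show_all mirrors --all.
    """
    rows = []
    for member, ptr in fops.items():
        owner = find_owner(ptr)
        if owner is None:
            rows.append((path, member, ptr, "Unknown"))
        elif show_all:
            rows.append((path, member, ptr, owner))
    return rows


def check_syscall_table(table: List[int]) -> List[Tuple[int, int, str]]:
    """check_syscall logic: every handler must resolve to a profile symbol."""
    return [(nr, handler, PROFILE_SYMBOLS.get(handler, "Unknown"))
            for nr, handler in enumerate(table)]


# Constructed sample: the f_ops of a proc entry, with one pointer redirected
# to an address that belongs to no module (what the plugins report).
SAMPLE_PROC_FOPS = {
    "read": 0xFFFFFFFF81340000,      # kernel text: fine
    "iterate": 0xFFFFC90000A01000,   # outside every known range: reported
    "release": 0xFFFFFFFFA0001230,   # inside ext4: fine
}

# Constructed sample syscall table: entry 2 no longer points at sys_open.
SAMPLE_SYSCALL_TABLE = [0xFFFFFFFF81200100, 0xFFFFFFFF81200200,
                        0xFFFFC90000A02000]

if __name__ == "__main__":
    for row in check_fops("/proc", SAMPLE_PROC_FOPS):
        print("%-6s %-8s 0x%016x %s" % row)
    for row in check_syscall_table(SAMPLE_SYSCALL_TABLE):
        print("%3d 0x%016x %s" % row)
```

As the notes for check_syscall say, this only catches a replaced pointer; a handler that is still the original symbol but has been patched in place passes the check.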
### Notes

To obtain a list of all checked function pointers, use the `--all` parameter.

### Sample output

Expect blank output on clean systems.

```
pmem 15:44:30> check_task_fops
                             check_proc_fops()
  DirEntry   Path   Member   Address   Module
pmem 15:44:35>
```

## cpuinfo (CpuInfo)

Prints information about each active processor.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

### Sample output

```
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:07:43> cpuinfo
                                                                     cpuinfo()
CPU Vendor       Model
0   GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
1   GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
2   GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
3   GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
```

## heapdump (HeapChunkDumper)

Dumps allocated/freed chunks from selected processes.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| main_arena | IntParser | The main_arena pointer either extracted from the statically linked ELF binary or from the libc library. |
| malloc_par | IntParser | The malloc_par pointer either extracted from the linked ELF binary or from the libc library. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## heapobjects (HeapObjects)

Prints the structs of heap objects (such as allocated chunks, arenas, ...).

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| main_arena | IntParser | The main_arena pointer either extracted from the statically linked ELF binary or from the libc library. |
| malloc_par | IntParser | The malloc_par pointer either extracted from the linked ELF binary or from the libc library. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| print_allocated | Boolean | Prints all allocated chunk structs. |
| print_freed | Boolean | Prints all freed chunk structs. |
| print_mallinfo | Boolean | Prints statistic information, similar to glibc's mallinfo. |
| print_mmapped | Boolean | Prints all MMAPPED chunk structs. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## heapinfo (HeapOverview)

Tries to gather a list of all arenas/heaps and all allocated chunks.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| main_arena | IntParser | The main_arena pointer either extracted from the statically linked ELF binary or from the libc library. |
| malloc_par | IntParser | The malloc_par pointer either extracted from the linked ELF binary or from the libc library. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## heapsearch (HeapPointerSearch)

Searches all chunks for the given string, regex or pointer(s).

| Parameter | Type | Description |
|---|---|---|
| chunk_addresses | ArrayIntParser | Expects address(es) belonging to a chunk(s) of interest, and prints all chunks having a pointer somewhere into the data part of that chunk(s). |
| dtb | IntParser | The DTB physical address. |
| main_arena | IntParser | The main_arena pointer either extracted from the statically linked ELF binary or from the libc library. |
| malloc_par | IntParser | The malloc_par pointer either extracted from the linked ELF binary or from the libc library. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| pointers | ArrayIntParser | Prints chunks that contain exactly the given pointer(s). The pointer(s) can be given as (hexa)decimal numbers. |
| proc_regex | RegEx | A regex to select a process by name. |
| regex | str | Searches all chunks with the given regex and prints all hits. |
| search_struct | Boolean | Includes the malloc_struct fields in the search process such as size and fd/bk for bin chunks (but not its own prev_size field). This is normally not desired and hence deactivated by default. |
| string | str | Searches all chunks for the given string and prints all hits. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## heaprefs (HeapReferenceSearch)

Examines the data part of the given chunk for references to other chunks.

| Parameter | Type | Description |
|---|---|---|
| chunk_addresses | ArrayIntParser | The address(es) belonging to chunks of interest. Those chunks are then examined for references to other chunks. |
| dtb | IntParser | The DTB physical address. |
| main_arena | IntParser | The main_arena pointer either extracted from the statically linked ELF binary or from the libc library. |
| malloc_par | IntParser | The malloc_par pointer either extracted from the linked ELF binary or from the libc library. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## hostname (Hostname)

A mixin for those plugins requiring a physical address space.

Args:

physical_address_space: The physical address space to use. If not specified we use the following options:

1. session.physical_address_space,
2. Guess using the load_as() plugin,
3. Use session.kernel_address_space.base.

| Parameter | Type | Description |
|---|---|---|
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## iomem (IOmem)

Mimics /proc/iomem.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

### Sample output

```
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:22:13> iomem
                                                                     iomem()
   Resource           Start          End            Name
0xffff81c3abc0      0x000000000000 0x00ffffffffff
0x88003fff9b00 .    0x000000000000 0x000000000fff reserved
0x88003fff9b38 .    0x000000001000 0x00000009ebff System RAM
0x88003fff9b70 .    0x00000009ec00 0x00000009ffff reserved
0x88003d112200 .    0x0000000a0000 0x0000000bffff PCI Bus 0000:00
0xffff81c1aac0 .    0x0000000c0000 0x0000000c7fff Video ROM
0x88003fff9ba8 .    0x0000000ca000 0x0000000cbfff reserved
0xffff81c1ab00 . .  0x0000000ca000 0x0000000cafff Adapter ROM
0x88003d112238 .    0x0000000d0000 0x0000000d3fff PCI Bus 0000:00
0x88003d112270 .    0x0000000d4000 0x0000000d7fff PCI Bus 0000:00
0x88003d1122a8 .    0x0000000d8000 0x0000000dbfff PCI Bus 0000:00
0x88003fff9be0 .    0x0000000dc000 0x0000000fffff reserved
0xffff81c1aca0 . .  0x0000000f0000 0x0000000fffff System ROM
0x88003fff9c18 .    0x000000100000 0x00003fedffff System RAM
0xffff81c1a6a0 . .  0x000001000000 0x0000016f9945 Kernel code
0xffff81c1a6e0 . .  0x0000016f9946 0x000001d0e7ff Kernel data
0xffff81c1a660 . .  0x000001e6d000 0x000001fcffff Kernel bss
0x88003fff9c50 .    0x00003fee0000 0x00003fefefff ACPI Tables
0x88003fff9c88 .    0x00003feff000 0x00003fefffff ACPI Non-volatile Storage
0x88003fff9cc0 .    0x00003ff00000 0x00003fffffff System RAM
0x88003d1122e0 .    0x0000c0000000 0x0000febfffff PCI Bus 0000:00
0x88003d1a0488 . .  0x0000c0000000 0x0000c0007fff 0000:00:0f.0
0x88003d1a1488 . .  0x0000c0008000 0x0000c000bfff 0000:00:10.0
0x88003d202680 . .  0x0000e5b00000 0x0000e5bfffff
0x88003d1da680 . .  0x0000e5c00000 0x0000e5cfffff PCI Bus 0000:1a
0x88003d1d2680 . .  0x0000e5d00000 0x0000e5dfffff PCI Bus 0000:12
0x88003d1ca680 . .  0x0000e5e00000 0x0000e5efffff
0x88003d201680 . .  0x000000000000 0x000000000000 -
0x88003fff9d30 .    0x0000fec00000 0x0000fec0ffff reserved
0x88003fff9e00 . .  0x0000fec00000 0x0000fec003ff IOAPIC 0
0x88003fff9e80 .    0x0000fed00000 0x0000fed003ff HPET 0
0x88003d2ca500 . .  0x0000fed00000 0x0000fed003ff pnp 00:07
0xffff81c25cc0 .    0x0000fee00000 0x0000fee00fff Local APIC
0x88003fff9d68 . .  0x0000fee00000 0x0000fee00fff reserved
0x88003fff9da0 .    0x0000fffe0000 0x0000ffffffff reserved
```

## ifconfig (Ifconfig)

Gathers active interfaces.
| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

### Sample output

```
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:12:17> ifconfig
                                                                     ifconfig()
Interface Ipv4Address     MAC               Flags
lo        127.0.0.1       00:00:00:00:00:00 IFF_LOOPBACK,IFF_UP
eth0      192.168.239.129 00:0C:29:57:F7:19 IFF_BROADCAST,IFF_MULTICAST,IFF_UP
```

## keepassx (Keepassx)

Gathers password entries for keepassx. The retrieved content of those entries comprises the username, title, URL and Comment.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| main_arena | IntParser | The main_arena pointer either extracted from the statically linked ELF binary or from the libc library. |
| malloc_par | IntParser | The malloc_par pointer either extracted from the linked ELF binary or from the libc library. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## memdump (LinMemDump)

Dump the addressable memory for a process.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## memmap (LinMemMap)

Dumps the memory map for linux tasks.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## moddump (LinModdump)

Dumps loaded kernel modules.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Dump directory. |
| regexp | RegEx | Regexp on the module name. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## pstree (LinPSTree)

Shows the parent/child relationship between processes.

This plugin prints a parent/child relationship tree by walking the task_struct.children and task_struct.sibling members.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## pas2vas (LinPas2Vas)

Resolves a physical address to a virtual address in a process.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| offsets | ArrayIntParser | A list of physical offsets to resolve. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## vaddump (LinVadDump)

Dump the VMA memory for a process.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## vtop (LinVtoP)

Describe virtual to physical translation on Linux platforms.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
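The translation that vtop describes (and that pas2vas inverts) is the page-table walk rooted at the DTB. The following is an added example, not Rekall's code: it performs the x86-64 four-level walk over a constructed sparse physical address space. The DTB, the table pages, the virtual addresses and the frames are invented sample values; only the architectural layout (9-bit indices at bits 39, 30, 21 and 12, present bit 0, page-size bit 7) is real.

```python
# Added example, not Rekall's own code: an x86-64 four-level page-table walk
# over a constructed physical address space.  Addresses below are invented.
import struct
from typing import Dict, List, Optional, Tuple

PAGE = 0x1000
PRESENT = 1 << 0
LARGE = 1 << 7                    # PS bit: 1 GiB page in a PDPT, 2 MiB in a PD
ADDR_MASK = 0x000FFFFFFFFFF000   # physical address bits of a table entry
SHIFTS = (39, 30, 21, 12)        # PML4, PDPT, PD, PT index positions


class PhysicalMemory:
    """Sparse physical address space: page frame number -> 4 KiB bytearray."""

    def __init__(self, first_free: int) -> None:
        self.pages: Dict[int, bytearray] = {}
        self.next_free = first_free     # bump allocator for new table pages

    def read_entry(self, paddr: int) -> Optional[int]:
        pfn, off = divmod(paddr, PAGE)
        page = self.pages.get(pfn)
        if page is None:
            return None                 # physical page not present in the image
        return struct.unpack_from("<Q", page, off)[0]

    def write_entry(self, paddr: int, value: int) -> None:
        pfn, off = divmod(paddr, PAGE)
        struct.pack_into("<Q", self.pages.setdefault(pfn, bytearray(PAGE)), off, value)

    def alloc_table(self) -> int:
        addr = self.next_free
        self.next_free += PAGE
        self.pages[addr // PAGE] = bytearray(PAGE)
        return addr


def vtop(mem: PhysicalMemory, dtb: int, vaddr: int):
    """Translate vaddr under the tables rooted at dtb.

    Returns (paddr or None, steps); each step is (level, entry address,
    entry value), which is the information vtop prints for each level.
    """
    steps: List[Tuple[int, int, Optional[int]]] = []
    table = dtb & ADDR_MASK
    for level, shift in enumerate(SHIFTS):
        entry_addr = table + ((vaddr >> shift) & 0x1FF) * 8
        entry = mem.read_entry(entry_addr)
        steps.append((level, entry_addr, entry))
        if entry is None or not entry & PRESENT:
            return None, steps          # not mapped at this level
        if level in (1, 2) and entry & LARGE:
            mask = (1 << shift) - 1     # 1 GiB or 2 MiB page: rest is offset
            return ((entry & ADDR_MASK) & ~mask) | (vaddr & mask), steps
        table = entry & ADDR_MASK
    return table | (vaddr & 0xFFF), steps


def map_page(mem: PhysicalMemory, dtb: int, vaddr: int, frame: int,
             large: bool = False) -> None:
    """Build the table chain so vaddr maps to frame (4 KiB, or 2 MiB if large)."""
    table = dtb
    for level, shift in enumerate(SHIFTS):
        entry_addr = table + ((vaddr >> shift) & 0x1FF) * 8
        if level == 3 or (large and level == 2):
            mem.write_entry(entry_addr, frame | PRESENT | (LARGE if large else 0))
            return
        entry = mem.read_entry(entry_addr)
        if entry is None or not entry & PRESENT:
            entry = mem.alloc_table() | PRESENT
            mem.write_entry(entry_addr, entry)
        table = entry & ADDR_MASK


def build_sample() -> Tuple[PhysicalMemory, int]:
    """Constructed address space: one 4 KiB mapping and one 2 MiB mapping."""
    dtb = 0x1000
    mem = PhysicalMemory(first_free=dtb + PAGE)
    mem.pages[dtb // PAGE] = bytearray(PAGE)           # the PML4 itself
    map_page(mem, dtb, 0x00007F1234567000, 0x5A000)
    map_page(mem, dtb, 0x00007F1234600000, 0x40000000, large=True)
    return mem, dtb


if __name__ == "__main__":
    mem, dtb = build_sample()
    paddr, steps = vtop(mem, dtb, 0x00007F1234567123)
    for level, addr, entry in steps:
        print("level %d: entry @ 0x%x = 0x%x" % (level, addr, entry or 0))
    print("physical address: 0x%x" % paddr)
```

The `steps` list is what makes the walk useful forensically: a translation that stops at a non-present entry tells you which level failed, and the entry addresses let you read the raw table contents with a hex dump.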
## yarascan (LinYaraScan)

Scan using yara signatures.

| Parameter | Type | Description |
|---|---|---|
| binary_string | String | A binary string (encoded as hex) to search for, e.g. 000102[1-200]0506 |
| context | IntParser | Context to print after the hit. |
| dtb | IntParser | The DTB physical address. |
| hits | IntParser | Quit after finding this many hits. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| pre_context | IntParser | Context to print before the hit. |
| proc_regex | RegEx | A regex to select a process by name. |
| scan_kernel | Boolean | Scan the entire kernel address space. |
| scan_physical | Boolean | Scan the physical address space only. |
| scan_process_memory | Boolean | Scan all of process memory. Uses process selectors to narrow down selections. |
| string | String | A verbatim string to search for. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
| yara_expression | String | If provided we scan for this yara expression. |
| yara_file | String | The yara signature file to read. |
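The following is an added example, not Rekall's code: a small scanner for the binary_string syntax shown in the table (pairs of hex digits with `[min-max]` jumps, such as `000102[1-200]0506`), with the `hits`, `pre_context` and `context` behaviour of the parameters above. The `??` wildcard is assumed here in the yara style, and the buffer scanned is constructed; the plugin itself scans process, kernel or physical memory.

```python
# Added example, not Rekall's own code: compile a binary_string like
# "000102[1-200]0506" into a bytes regex and scan a constructed buffer.
import re
from typing import List, Tuple

# One token at a time: a hex byte, a "??" wildcard (assumed), a [lo-hi] jump,
# or whitespace to ignore.
_TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|\[(\d+)-(\d+)\]|(\s+)")


def binary_string_to_regex(spec: str):
    """Compile the hex-with-jumps syntax into a compiled bytes pattern.

    Jumps are made non-greedy so the shortest run of bytes is reported,
    which keeps two nearby occurrences from collapsing into one hit.
    """
    pos, parts = 0, []
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError("bad binary_string at offset %d: %r" % (pos, spec[pos:]))
        hexbyte, wildcard, lo, hi, _ws = m.groups()
        if hexbyte:
            parts.append(re.escape(bytes([int(hexbyte, 16)])))
        elif wildcard:
            parts.append(b".")
        elif lo is not None:
            if int(lo) > int(hi):
                raise ValueError("jump range [%s-%s] is inverted" % (lo, hi))
            parts.append(b".{%d,%d}?" % (int(lo), int(hi)))
        pos = m.end()
    if not parts:
        raise ValueError("empty binary_string")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, spec: str, hits: int = 0, pre_context: int = 0,
         context: int = 16) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes around the hit) per match; stop after `hits` if > 0."""
    pattern = binary_string_to_regex(spec)
    results = []
    for m in pattern.finditer(buf):
        start = max(0, m.start() - pre_context)
        end = min(len(buf), m.end() + context)
        results.append((m.start(), buf[start:end]))
        if hits and len(results) >= hits:
            break
    return results


# Constructed sample buffer: two occurrences of the pattern, one with a
# ten-byte jump and one with a four-byte jump.
SAMPLE = (b"padding" + b"\x00\x01\x02" + b"A" * 10 + b"\x05\x06" + b"tail-"
          + b"\x00\x01\x02" + b"zzzz" + b"\x05\x06" + b"end")

if __name__ == "__main__":
    for offset, chunk in scan(SAMPLE, "000102[1-200]0506", context=4):
        print("hit at 0x%x: %s" % (offset, chunk.hex()))
```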
## address_resolver (LinuxAddressResolver)

A Linux specific address resolver plugin.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| symbol | ArrayString | List of symbols to lookup. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## dmesg (LinuxDmesg)

Gathers dmesg buffer.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

### Sample output

```
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:07:44> dmesg
                                                                     dmesg()
Timestamp Facility Level    Message
0.000              LOG_INFO Initializing cgroup subsys cpuset
0.000              LOG_INFO Initializing cgroup subsys cpu
0.000              LOG_INFO Initializing cgroup subsys cpuacct
0.000              LOG_INFO Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 (Ubuntu 3.11.0-12.19-generic 3.11.3)
0.000              LOG_INFO Command line: BOOT_IMAGE=/vmlinuz-3.11.0-12-generic root=/dev/mapper/ubuntu--vmware--vg-root ro
0.000              LOG_INFO KERNEL supported cpus:
0.000              LOG_INFO   Intel GenuineIntel
0.000              LOG_INFO   AMD AuthenticAMD
0.000              LOG_INFO   Centaur CentaurHauls
0.000              LOG_INFO Disabled fast string operations
0.000              LOG_INFO e820: BIOS-provided physical RAM map:
0.000              LOG_CRIT BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
0.000              LOG_CRIT BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
0.000              LOG_CRIT BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
0.000              LOG_CRIT BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved
0.000              LOG_CRIT BIOS-e820: [mem 0x0000000000100000-0x000000003fedffff] usable
0.000              LOG_CRIT BIOS-e820: [mem 0x000000003fee0000-0x000000003fefefff] ACPI data
0.000              LOG_CRIT BIOS-e820: [mem 0x000000003feff000-0x000000003fefffff] ACPI NVS
0.000              LOG_CRIT BIOS-e820: [mem 0x000000003ff00000-0x000000003fffffff] usable
0.000              LOG_CRIT BIOS-e820: [mem 0x00000000f0000000-0x00000000f7ffffff] reserved
0.000              LOG_CRIT BIOS-e820: [mem 0x00000000fec00000-0x00000000fec0ffff] reserved
0.000              LOG_CRIT BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
0.000              LOG_CRIT BIOS-e820: [mem 0x00000000fffe0000-0x00000000ffffffff] reserved
0.000              LOG_INFO NX (Execute Disable) protection: active
0.000              LOG_INFO SMBIOS 2.4 present.
0.000              LOG_INFO DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
0.000              LOG_INFO Hypervisor detected: VMware
0.000              LOG_CRIT e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
0.000              LOG_CRIT e820: remove [mem 0x000a0000-0x000fffff] usable
0.000              LOG_INFO
```

## find_dtb (LinuxFindDTB)

A scanner for DTB values.

Handles both 32 and 64 bits. The plugin also autodetects when the guest is running as a XEN ParaVirtualized guest and returns a compatible address space.

| Parameter | Type | Description |
|---|---|---|
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## pslist (LinuxPsList)

Gathers active tasks by walking the task_struct->task list.

It does not display the swapper process. If the DTB column is blank, the item is likely a kernel thread.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## psxview (LinuxPsxView)

Find hidden processes comparing various process listings.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes. |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
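The following is an added example, not Rekall's code: the cross-view comparison behind psxview, over constructed process listings. It is the same idea that the module check earlier in this chapter relies on (a module unlinked from the module list is still reachable from sysfs): a process is suspicious when one enumeration method sees it and another does not. The method names, PIDs and process names below are invented sample data.

```python
# Added example, not Rekall's own code: the cross-view logic of psxview over
# constructed listings.  Method names, PIDs and names are invented.
from typing import Dict, List, Set, Tuple

# Constructed listings keyed by enumeration method: pid -> comm.  In the
# constructed data pid 666 is missing from the task list walk only.
LISTINGS: Dict[str, Dict[int, str]] = {
    "task_list": {1: "init", 200: "sshd", 300: "bash"},
    "pid_hash": {1: "init", 200: "sshd", 300: "bash", 666: "kworkerx"},
    "children": {1: "init", 200: "sshd", 300: "bash", 666: "kworkerx"},
}

Row = Tuple[int, str, Dict[str, bool]]


def cross_view(listings: Dict[str, Dict[int, str]]) -> List[Row]:
    """One row per pid seen by any method, with a presence flag per method."""
    methods = list(listings)
    every_pid: Set[int] = set()
    for seen in listings.values():
        every_pid.update(seen)
    rows: List[Row] = []
    for pid in sorted(every_pid):
        # Take the name from whichever method saw the pid first.
        name = next(seen[pid] for seen in listings.values() if pid in seen)
        rows.append((pid, name, {m: pid in listings[m] for m in methods}))
    return rows


def suspicious(rows: List[Row]) -> List[int]:
    """PIDs that at least one method misses: candidates for hidden processes."""
    return [pid for pid, _name, flags in rows if not all(flags.values())]


def render(rows: List[Row]) -> str:
    """Text table in the style of a cross-view plugin output."""
    if not rows:
        return ""
    methods = list(rows[0][2])
    header = "%-6s %-12s " % ("Pid", "Name") + " ".join("%-10s" % m for m in methods)
    lines = [header]
    for pid, name, flags in rows:
        cells = " ".join("%-10s" % ("True" if flags[m] else "False") for m in methods)
        lines.append("%-6d %-12s %s" % (pid, name, cells))
    return "\n".join(lines)


if __name__ == "__main__":
    table = cross_view(LISTINGS)
    print(render(table))
    print("suspicious pids:", suspicious(table))
```

A disagreement between methods is a lead, not a verdict: a process that exited between two walks of a live system also shows up in one listing and not another, which is why psxview is usually run against a static image.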
## cc (LinuxSetProcessContext)

A cc plugin for windows.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## sigscan (LinuxSigScan)

Runs signature scans against physical, kernel or process memory.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## vadmap (LinuxVADMap)

Inspect each page in the VAD and report its status.

This allows us to see the address translation status of each page in the VAD.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| end | IntParser | Stop reading at this offset. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| start | IntParser | Start reading from this page. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## lsmod (Lsmod)

Gathers loaded kernel modules.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Rekall walks the list at kernel symbol modules to provide the list of modules.

### Sample output

```
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:22:54> lsmod
                                                                     lsmod()
Overview
Virtual        Core Start     Total Size Name
0xffffa038d120 0xffffa038b000 12880      ipt_MASQUERADE
0xffffa0383180 0xffffa0381000 13011      iptable_nat
```

## lsmod_sections (LsmodSections)

Display all the ELF sections of kernel modules.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

## lsmod_parameters (Lsmod_parameters)

Display parameters for all kernel modules.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |
## lsof (Lsof)

Lists open files.

| Parameter | Type | Description |
|---|---|---|
| dtb | IntParser | The DTB physical address. |
| method | ChoiceArray | Method to list processes (Default uses all methods). |
| pids | ArrayIntParser | One or more pids of processes to select. |
| proc_regex | RegEx | A regex to select a process by name. |
| task | ArrayIntParser | Kernel addresses of task structs. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

Rekall walks the process table and dereferences each of the task.files.fds for each kernel task.

### Sample output

```
$ python rekall/rekal.py -f ~/memory_images/Windows7_VMware\(Win7x64+Ubuntu686,Ubuntu64\)_VBox\(XPSP3x86\).ram --ept 0x00017725001e - lsof
[...]
libvirtd 1199 0 13  - 0 -     -
libvirtd 1199 0 14  0 0 0     socket:/NETLINK[0]
libvirtd 1199 0 15  0 0 12987 socket:/UNIX[12987]
libvirtd 1199 0 16  - 0 -     proc
libvirtd 1199 0 17  0 0 0     socket:/NETLINK[0]
libvirtd 1199 0 18  0 0 8902  /run/libvirt/network/nwfilter.leases
libvirtd 1199 0 19  0 0 7861  -
bash     1335 0 0   - 0 -     -
bash     1335 0 1   - 0 -     -
bash     1335 0 2   - 0 -     -
bash     1335 0 255 - 0 -     -
```

## mcat (Mcat)

Returns the contents available in memory for a given file.

Ranges of the file that are not present in memory are returned blank.

| Parameter | Type | Description |
|---|---|---|
| device | String | Name of the device to match. |
| dtb | IntParser | The DTB physical address. |
| dump_dir | String | Path suitable for dumping files. |
| path | String | Path to the file. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

You can find the list of files in memory by using the mls plugin.
## mfind (Mfind)

Finds a file by name in memory.

| Parameter | Type | Description |
|---|---|---|
| device | String | Name of the device to match. |
| dtb | IntParser | The DTB physical address. |
| path | String | Path to the file. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

mfind can and will find multiple files if more than one file potentially matches the path. You can use the `--device` parameter to filter out by device name if you want to target a specific mount point.

### Sample output

```
[1] Linux-3.2.0-4-686-pae.E01 12:56:58> mfind "/etc/passd"
                                       mfind("/etc/passd")
[1] Linux-3.2.0-4-686-pae.E01 12:58:00> mfind "/etc/passwd"
                                       mfind("/etc/passwd")
Files on device /dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1 mounted at /.
Perms       uid gid size mtime                    atime                    ctime                    inode path
-rw-r--r--  0   0   942  2013-12-03 12:21:50+0000 2014-11-28 10:59:14+0000 2013-12-03 12:21:50+0000 128   /etc/passwd
[1] Linux-3.2.0-4-686-pae.E01 12:58:05> mfind "/dev/pts/0"
                                       mfind("/dev/pts/0")
[1] Linux-3.2.0-4-686-pae.E01 12:58:12> mfind "/dev/pts"
                                       mfind("/dev/pts")
Files on device devpts mounted at /dev/pts.
Perms       uid gid size mtime                    atime                    ctime                    inode path
drwxr-xr-x  0   0   0    2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 1     /dev/pts
Files on device udev mounted at /dev.
Perms       uid gid size mtime                    atime                    ctime                    inode path
drwxr-xr-x  0   0   40   2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 1137  /dev/pts
```

## mls (Mls)

Lists the files in a mounted filesystem.
| Parameter | Type | Description |
|---|---|---|
| device | String | Name of the device to match. |
| dtb | IntParser | The DTB physical address. |
| path | String | Path to the file. |
| recursive | Boolean | Recursive listing. |
| unallocated | Boolean | Show files that have no inode information. |
| verbosity | IntParser | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. |

### Sample output

```
$ PYTHONPATH=. python rekall/rekal.py -f Linux-3.2.0-4-686-pae.E01 --profile_path ../my-profiles/ https://raw.githubusercontent.com/google/rekall-profiles/master/ - mls "/"
Files on device /dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1 mounted at /.
Perms       uid gid size mtime                    atime                    ctime                    inode path
            0   0   0    -                        -                        -                        0     /
drwxr-xr-x  0   0   4096 2013-12-03 12:18:39+0000 2012-06-01 01:12:42+0000 2013-12-03 12:18:39+0000 576   /bin
drwxr-xr-x  0   0   4096 2013-12-03 12:14:16+0000 2013-12-03 12:19:41+0000 2013-12-03 12:14:16+0000 574   /dev
drwxr-xr-x  0   0   4096 2014-11-28 11:40:10+0000 2014-11-28 11:41:27+0000 2014-11-28 11:40:10+0000 15    /etc
drwxr-xr-x  0   0   4096 2013-12-03 13:25:13+0000 2014-01-28 11:40:22+0000 2013-12-03 13:25:13+0000 247   /lib
drwxr-xr-x  0   0   4096 2013-12-03 12:12:06+0000 2013-12-03 12:15:21+0000 2013-12-03 12:12:06+0000 17    /media
drwxr-xr-x  0   0   4096 2013-10-07 15:25:28+0000 2013-10-07 15:25:28+0000 2013-12-03 12:12:10+0000 571   /proc
drwx------  0   0   4096 2014-02-24 13:05:51+0000 2014-11-28 11:02:32+0000 2014-02-24 13:05:51+0000 570   /root
drwxr-xr-x  0   0   4096 2013-12-03 12:20:20+0000 2013-12-03 12:20:20+0000 2013-12-03 12:20:20+0000 569   /run
drwxr-xr-x  0   0   4096 2013-12-03 12:20:20+0000 2013-07-18 03:10:56+0000 2013-12-03 12:20:20+0000 230   /sbin
drwxr-xr-x  0   0   4096 2012-06-10 07:11:32+0000 2012-06-10 07:11:32+0000 2013-12-03 12:12:10+0000 734   /selinux
drwxr-xr-x  0   0   4096 2013-07-18 03:10:52+0000 2013-07-18 03:10:52+0000 2013-12-03 12:12:11+0000 568   /sys
drwxrwxrwxt 0   0   4096 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 567   /tmp
drwxr-xr-x  0   0   4096 2013-12-03 12:12:13+0000 2014-01-28 12:14:39+0000 2013-12-03 12:12:13+0000 168   /usr
drwxr-xr-x  0   0   4096 2013-12-03 12:12:13+0000 2013-12-03 12:19:03+0000 2013-12-03 12:12:13+0000 12    /var
Files on device devtmpfs mounted at /.
Perms       uid gid size mtime                    atime                    ctime                    inode path
lrwxrwxrwx  0   0   9    2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3464  /MAKEDEV
            0   0   0    -                        -                        -                        0     /autofs
            0   0   0    -                        -                        -                        0     /block
crw-------T 0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3041  /btrfs-control
            0   0   0    -                        -                        -                        0     /bus
drwxr-xr-x  0   0   2440 2014-11-28 11:40:09+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:09+0000 1184  /char
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1037  /console
lrwxrwxrwx  0   0   11   2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3030  /core
            0   0   0    -                        -                        -                        0     /cpu
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1129  /cpu_dma_latency
            0   0   0    -                        -                        -                        0     /disk
lrwxrwxrwx  0   0   13   2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3034  /fd
crw-rw-rw-  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1031  /full
            0   0   0    -                        -                        -                        0     /fuse
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3721  /hidraw0
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1113  /hpet
drwxr-xr-x  0   0   260  2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 1114  /input
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1034  /kmsg
srw-rw-rw-  0   0   0    2014-11-28 11:40:10+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:10+0000 4761  /log
crw-------T 0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3042  /loop-control
            0   0   0    -                        -                        -                        0     /loop0
brw-rw----T 0   6   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4253  /loop1
brw-rw----T 0   6   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4256  /loop2
brw-rw----T 0   6   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4259  /loop3
brw-rw----T 0   6   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4264  /loop4
brw-rw----T 0   6   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4267  /loop5
brw-rw----T 0   6   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4271  /loop6
brw-rw----T 0   6   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4274  /loop7
            0   0   0    -                        -                        -                        0     /mapper
crw-r-----T 0   15  0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1027  /mem
            0   0   0    -                        -                        -                        0     /net
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1130  /network_latency
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1131  /network_throughput
crw-rw-rw-  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1028  /null
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1035  /oldmem
crw-r-----T 0   15  0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1029  /port
            0   0   0    -                        -                        -                        0     /ppp
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1116  /psaux
crw-rw-rw-  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1107  /ptmx
drwxr-xr-x  0   0   40   2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 1137  /pts
crw-rw-rw-  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1032  /random
lrwxrwxrwx  0   0   4    2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3731  /root
            0   0   0    -                        -                        -                        0     /rtc
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1117  /rtc0
lrwxrwxrwx  0   0   8    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3947  /shm
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1106  /snapshot
            0   0   0    -                        -                        -                        0     /snd
            0   0   0    -                        -                        -                        0     /sndstat
lrwxrwxrwx  0   0   15   2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3040  /stderr
lrwxrwxrwx  0   0   15   2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3036  /stdin
lrwxrwxrwx  0   0   15   2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3038  /stdout
crw-rw-rw-  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1036  /tty
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1038  /tty0
crw-------  0   5   0    2014-11-28 11:41:20+0000 2014-11-28 11:41:20+0000 2014-11-28 11:40:16+0000 1043  /tty1
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1052  /tty10
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1053  /tty11
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1054  /tty12
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1055  /tty13
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1056  /tty14
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1057  /tty15
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1058  /tty16
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1059  /tty17
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1060  /tty18
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1061  /tty19
crw-rw----  0   5   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1044  /tty2
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1062  /tty20
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1063  /tty21
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1064  /tty22
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1065  /tty23
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1066  /tty24
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1067  /tty25
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1068  /tty26
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1069  /tty27
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1070  /tty28
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1071  /tty29
crw-rw----  0   5   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1045  /tty3
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1072  /tty30
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1073  /tty31
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1074  /tty32
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1075  /tty33
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1076  /tty34
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1077  /tty35
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1078  /tty36
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1079  /tty37
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1080  /tty38
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1081  /tty39
crw-rw----  0   5   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1046  /tty4
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1082  /tty40
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1083  /tty41
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1084  /tty42
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1085  /tty43
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1086  /tty44
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1087  /tty45
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1088  /tty46
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1089  /tty47
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1090  /tty48
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1091  /tty49
crw-rw----  0   5   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1047  /tty5
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1092  /tty50
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1093  /tty51
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1094  /tty52
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1095  /tty53
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1096  /tty54
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1097  /tty55
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1098  /tty56
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1099  /tty57
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1100  /tty58
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1101  /tty59
crw-rw----  0   5   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1048  /tty6
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1102  /tty60
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1103  /tty61
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1104  /tty62
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1105  /tty63
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1049  /tty7
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1050  /tty8
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1051  /tty9
crw-rw----T 0   20  0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1112  /ttyS0
crw-rw----T 0   20  0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1109  /ttyS1
crw-rw----T 0   20  0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1110  /ttyS2
crw-rw----T 0   20  0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1111  /ttyS3
            0   0   0    -                        -                        -                        0     /uinput
crw-rw-rw-  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1033  /urandom
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1039  /vcs
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1041  /vcs1
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3897  /vcs2
            0   0   0    -                        -                        -                        0     /vcs3
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3907  /vcs4
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3912  /vcs5
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3917  /vcs6
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1040  /vcsa
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1042  /vcsa1
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3898  /vcsa2
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3903  /vcsa3
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3908  /vcsa4
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3913  /vcsa5
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3918  /vcsa6
            0   0   0    -                        -                        -                        0     /vda
            0   0   0    -                        -                        -                        0     /vda1
            0   0   0    -                        -                        -                        0     /vda2
            0   0   0    -                        -                        -                        0     /vda5
crw-------  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1026  /vga_arbiter
frw-r-----  0   4   0    2014-11-28 11:40:20+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:20+0000 4753  /xconsole
crw-rw-rw-  0   0   0    2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1030  /zero
```

Note that sometimes you may have to specify the right device in
ordertoonlygetthedatayouwant.
Likeinthisexample.
Usethe–deviceparameterinthatcase.
2.
1.
Memory117RekallForensicsDocumentation,Release1.
7.
2$PYTHONPATH=.
pythonrekall/rekal.
py-fLinux-3.
2.
0-4-686-pae.
E01--profile_path.
.
/→my-profiles/https://raw.
githubusercontent.
com/google/rekall-profiles/master/-mls→"/"--device="/dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1"mount(Mount)Liststhemountpoints.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
###Sampleoutput[1]Linux-3.
2.
0-4-686-pae.
E0112:56:57>mountmount()DevicePath→Typeflagsproc/proc→procrw,nodev,noexec,nosuid,relatimedevpts/dev/pts→devptsrw,noexec,nosuid,relatimetmpfs/run/lock→tmpfsrw,nodev,noexec,nosuid,relatimetmpfs/run/shm→tmpfsrw,nodev,noexec,nosuid,relatimeudev/dev→devtmpfsrw,relatimetmpfs/run→tmpfsrw,noexec,nosuid,relatimerpc_pipefs/var/lib/nfs/rpc_pipefs→rpc_pipefsrw,relatime/dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1/→ext4rw,relatimedevtmpfs/→devtmpfsrw,relatimesysfs/sys→sysfsrw,nodev,noexec,nosuid,relatimenetstat(Netstat)Printtheactivenetworkconnections.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
notier_chains(NotierChainPlugin)Outputsandverieskernelnotierchains.
118Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
TheLinuxkernelcannotifymodulesoncertainevents.
Thisisdonebysubscribingtoanotierchain.
Anotierchainisanorderedlistoffunctionsthekernelwillcallwhenaneventistriggered.
Rekallanalyzesthefollowingnotierchainsandshowswhetherthere'sanycallbackfunctionregistered:Thekeyboard_notier_list,whichisusedtonotifyonkeyboardeventsandsomekeyloggersuse.
vt_notier_list,whichisusedtonotifywhenthere'seventsonavirtualterminalandcouldbeusedtoassistinmonitoringttys.
Normally,nocallbackswillberegisteredinanyofthesenotierchainsandRekallwillproducenooutput.
###Sampleoutput$PYTHONPATH=.
pythonrekall/rekal.
py-fLinux-3.
2.
0-4-686-pae.
E01--profile_path.
.
/→my-profiles/https://raw.
githubusercontent.
com/google/rekall-profiles/master/-→notifier_chainsChainsymbolIndexPriorityAddressModule→Symbolpsaux(PSAux)Gathersprocessesalongwithfullcommandlineandstarttime.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
methodChoiceArrayMethodtolistprocesses(Defaultusesallmethods).
pidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
taskArrayIntParserKerneladdressesoftaskstructs.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
pkt_queues(PacketQueues)Dumpsthecurrentpacketqueuesforallknownopensockets.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
pidhashtable(PidHashTable)Listprocessesbyenumeratingthepidhashtables.
2.
1.
Memory119RekallForensicsDocumentation,Release1.
7.
2PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
methodChoiceArrayMethodtolistprocesses(Defaultusesallmethods).
pidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
taskArrayIntParserKerneladdressesoftaskstructs.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
maps(ProcMaps)Gathersprocessmapsforlinux.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
methodChoiceArrayMethodtolistprocesses(Defaultusesallmethods).
pidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
taskArrayIntParserKerneladdressesoftaskstructs.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
###Sampleoutput[1]Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).
ram17:18:41>mapsmaps()PidStartEndFlagsPgoffMajorMinorInode→FilePath9660x0000000000000x000000000000---0x00000000000000010310x0000004000000x00000043a000r-x0x000000000000---→-10310x0000006390000x00000063a000r--0x000000039000---→-10310x00000063a0000x00000063b000rw-0x00000003a000---→-10310x0000012be0000x0000012df000rw-0x000000000000000→[heap]10310x0000000000000x000000000000---0x00000000000000010420x0000000000000x000000000000---0x00000000000000010560x0000004000000x000000407000r-x0x000000000000--0→/sbin/getty10560x0000006060000x000000607000r--0x000000006000--0→/sbin/getty10560x0000006070000x000000608000rw-0x000000007000--0→/sbin/getty10560x0000006080000x00000060a000rw-0x00000000000000010560x0000000000000x000000000000---0x00000000000000010580x0000004000000x000000407000r-x0x000000000000--0→/sbin/getty10580x0000006060000x000000607000r--0x000000006000--0→/sbin/getty10580x0000006070000x000000608000rw-0x000000007000--0→/sbin/getty10580x0000006080000x00000060a000rw-0x000000000000000120Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
210580x00000194c0000x00000196d000rw-0x000000000000000→[heap]10580x7f44e0f560000x7f44e1493000r--0x0000000000002520660935→/usr/lib/locale/locale-archive10580x0000000000000x000000000000---0x00000000000000010740x7f8f092790000x7f8f09285000r-x0x000000000000--0→/lib/x86_64-linux-gnu/libnss_files-2.
17.
so10740x7f8f092850000x7f8f09484000---0x00000000c000--0→/lib/x86_64-linux-gnu/libnss_files-2.
17.
so10740x7f8f094840000x7f8f09485000r--0x00000000b000--0→/lib/x86_64-linux-gnu/libnss_files-2.
17.
so10740x7f8f094850000x7f8f09486000rw-0x00000000c000--0→/lib/x86_64-linux-gnu/libnss_files-2.
17.
so10740x7f8f094860000x7f8f09491000r-x0x000000000000---→-10740x7f8f094910000x7f8f09690000---0x00000000b000---→-10740x7f8f096900000x7f8f09691000r--0x00000000a000---→-10740x7f8f096910000x7f8f09692000rw-0x00000000b000---→-[.
.
.
]zsh(Zsh)Extractsthezshcommandhistory,similartotheexistingbashplugin.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
main_arenaIntParserThemain_arenapointereitherextractedfromthestaticallylinkedELFbinaryorfromthelibclibrary.
mal-loc_parIntParserThemalloc_parpointereitherextractedfromthelinkedELFbinaryorfromthelibclibrary.
methodChoiceAr-rayMethodtolistprocesses(Defaultusesallmethods).
pidsArrayInt-ParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
taskArrayInt-ParserKerneladdressesoftaskstructs.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
2.
1.
3OSXcheck_trap_table(CheckTrapTable)Checksthetrapstableforhooks.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
2.
1.
Memory121RekallForensicsDocumentation,Release1.
7.
2address_resolver(DarwinAddressResolver)ADarwinspecicaddressresolverplugin.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
symbolArrayStringListofsymbolstolookupverbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
allproc(DarwinAllProcCollector)Amixinforpluginswhichrequireavalidkerneladdressspace.
Args:dtb:Apotentialdtbtobeused.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
arp(DarwinArp)Showinformationaboutarptables.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
boot_cmdline(DarwinBootParameters)Printsthekernelcommandline.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
check_syscalls(DarwinCheckSysCalls)Checksthesyscalltable.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
dmesg(DarwinDMSG)Printthekerneldebugmessages.
122Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
dead_leprocs(DarwinDeadFileprocCollector)Amixinforpluginswhichrequireavalidkerneladdressspace.
Args:dtb:Apotentialdtbtobeused.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
dead_procs(DarwinDeadProcessCollector)Listsdeadprocessesusingtheprocallocationzone.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
dumpcompressedmemory(DarwinDumpCompressedPages)Dumpsallcompressedpages.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
dump_dirStringPathsuitablefordumpingles.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
dump_zone(DarwinDumpZone)Dumpsanallocationzone'scontents.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
nd_dtb(DarwinFindDTB)TriestondtheDTBaddressfortheDarwin/XNUkernel.
AstheXNUkerneldevelopedovertheyears,thebestwayofderivingthisinformationchanged.
ThisclassnowoffersmultiplemethodsofndingtheDTB.
Callingnd_dtbshouldautomaticallyselectthebestmethodforthejob,basedontheprole.
ItwillalsoattempttofallbackonlessidealwaysofgettingtheDTBifthebestwayfails.
2.
1.
Memory123RekallForensicsDocumentation,Release1.
7.
2nd_kaslr(DarwinFindKASLR)AscannerforKASLRslidevaluesintheDarwinkernel.
Thescannerworksbylookingupaknowndatastructureandcomparingitsactuallocationtoitsexpectedlocation.
Vericationisasimilarprocess,usingasecondconstant.
Thistakesadvantageofthefactthatbothdatastructuresareinaregionofkernelmemorythatmapstothephysicalmemoryinapredictableway(seeID_MAP_VTOP).
Human-readableoutputincludesvaluesofthekernelversionstring(whichisusedforvalidation)formanualreview,incasetherearefalsepositives.
handles(DarwinHandles)Walksopenlesofeachprocandcollectstheleproc.
Thisisthesamealgorithmaslsof,butaimedatjustcollectingtheleprocs,withoutdoinganythingwiththem,orsorting.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
pidsArrayIntParserOneormorepidsofprocessestoselect.
procArrayIntParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
ip_lters(DarwinIPFilters)CheckIPFiltersforhooks.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
ifcong(DarwinIfnetCollector)Amixinforpluginswhichrequireavalidkerneladdressspace.
Args:dtb:Apotentialdtbtobeused.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
lsmod(DarwinLsmod)Listsallkernelmodules.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
124Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2lsof(DarwinLsof)WalksopenlesofeachprocinorderandprintsPID,FDandthehandle.
Eachprocesshasanarrayofpointerstoleprocstructs-theoffsetintothearrayistheledescriptorandeachleprocstructrepresentsahandleonsomeresource.
Atypeeldintheleprocdeterminesthetypeoftheresourcepointedtofromtheleproc(e.
g.
vnode,socket,pipe.
.
.
).
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
machine_info(DarwinMachineInfo)Showinformationaboutthismachine.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
maps(DarwinMaps)Displaytheprocessmaps.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
pidsArrayIntParserOneormorepidsofprocessestoselect.
procArrayIntParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
memdump(DarwinMemDump)Dumpsthememorymapfordarwintasks.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
dump_dirStringPathsuitablefordumpingles.
pidsArrayIntParserOneormorepidsofprocessestoselect.
procArrayIntParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
memmap(DarwinMemMap)Printsthememorymapfordarwintasks.
2.
1.
Memory125RekallForensicsDocumentation,Release1.
7.
2PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
pidsArrayIntParserOneormorepidsofprocessestoselect.
procArrayIntParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
mount(DarwinMount)Showmountpoints.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
netstat(DarwinNetstat)Printsallopensocketsweknowabout,fromanysource.
Netstatwilldisplayevenconnectionsthatlsofdoesn'tknowabout,becausetheywereeitherrecoveredfromanallo-cationzone,orfoundthroughasecondarymechanism(likesystemcallhandlercache).
Ontheotherhand,netstatdoesn'tknowtheledescriptoror,really,theprocessthatownstheconnection(althoughitdoesknowthePIDofthelastprocesstoaccessthesocket.
)Netstatwillalsotellyou,inthestyleofpsxview,ifasocketwasonlyfoundusingsomeofthemethodsavailable.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
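The psxview-style cross-view check that netstat performs, as an added example (not Rekall's own code): each collection method named above (the lsof-style handle walk, the socket allocation zone, and the system call handler cache) is represented by the set of socket struct addresses it recovered. The addresses and the method labels are constructed sample data. A socket present in some views but absent from the handle walk is exactly the case the description covers: a connection lsof cannot see, which is what an analyst wants flagged.

```python
"""Cross-view comparison of socket collection methods (psxview style).

Added example, not Rekall's implementation.  Each method yields the set of
kernel addresses of the socket structs it found; a socket missing from one
view but present in another is the interesting row.
"""
from collections import OrderedDict

# Constructed sample data: method name -> socket addresses that method found.
# The method names mirror the prose (handle walk, allocation zone, syscall
# handler cache); the addresses are made up.
SAMPLE_VIEWS = OrderedDict([
    ("handles", {0xffffff8012a01000, 0xffffff8012a01400, 0xffffff8012a01800}),
    ("zone",    {0xffffff8012a01000, 0xffffff8012a01400, 0xffffff8012a01800,
                 0xffffff8012a01c00}),
    ("syscall", {0xffffff8012a01000, 0xffffff8012a01c00, 0xffffff8012a02000}),
])


def cross_view(views):
    """Return one row per socket seen by any method, with a flag per method.

    `views` maps a method name to the set of addresses it recovered.  The
    union of all sets is the population; each row records which methods
    contained that address, sorted by address for stable output.
    """
    methods = list(views)
    population = set().union(*views.values())
    rows = []
    for addr in sorted(population):
        row = {"socket": addr}
        for method in methods:
            row[method] = addr in views[method]
        rows.append(row)
    return rows


def hidden_from(rows, method):
    """Addresses that some method saw but `method` did not.

    With method="handles" this is the list of sockets lsof would never
    report, i.e. the ones worth a closer look.
    """
    return [row["socket"] for row in rows if not row[method]]


def format_table(rows, methods):
    """Render the rows as psxview-like text: address, then one column per method."""
    lines = ["{:<20}".format("Socket") + "".join("{:>9}".format(m) for m in methods)]
    for row in rows:
        cells = "".join("{:>9}".format("True" if row[m] else "False") for m in methods)
        lines.append("{:<20}".format("0x%x" % row["socket"]) + cells)
    return lines


if __name__ == "__main__":
    table = cross_view(SAMPLE_VIEWS)
    print("\n".join(format_table(table, list(SAMPLE_VIEWS))))
    print("not visible to the handle walk:",
          ["0x%x" % a for a in hidden_from(table, "handles")])
```

The union-then-flag shape is the whole technique: no single view is trusted, and disagreement between views is the signal. On a real image the sets would come from the three collectors; the rest of the logic is unchanged.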
notifiers (DarwinNotifiers)
Detects hooks in I/O Kit IONotify objects.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

psaux (DarwinPSAUX)
List processes with their command line.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
pids                   ArrayIntParser     One or more pids of processes to select.
proc                   ArrayIntParser     Kernel addresses of proc structs.
proc_regex             RegEx              A regex to select a process by name.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

pas2vas (DarwinPas2Vas)
Resolves a physical address to a virtual address in a process.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
offsets                ArrayIntParser     A list of physical offsets to resolve.
pids                   ArrayIntParser     One or more pids of processes to select.
proc                   ArrayIntParser     Kernel addresses of proc structs.
proc_regex             RegEx              A regex to select a process by name.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

pgrphash (DarwinPgrpHashCollector)
A mixin for plugins which require a valid kernel address space.
Args: dtb: A potential dtb to be used.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

phys_map (DarwinPhysicalMap)
Prints the EFI boot physical memory map.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

pidhash (DarwinPidHashProcessCollector)
A mixin for plugins which require a valid kernel address space.
Args: dtb: A potential dtb to be used.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

pstree (DarwinPsTree)
A mixin for plugins which require a valid kernel address space.
Args: dtb: A potential dtb to be used.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

pslist (DarwinPslist)
A mixin for plugins which require a valid kernel address space.
Args: dtb: A potential dtb to be used.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
pids                   ArrayIntParser     One or more pids of processes to select.
proc                   ArrayIntParser     Kernel addresses of proc structs.
proc_regex             RegEx              A regex to select a process by name.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

psxview (DarwinPsxView)
A mixin for plugins which require a valid kernel address space.
Args: dtb: A potential dtb to be used.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
pids                   ArrayIntParser     One or more pids of processes to select.
proc                   ArrayIntParser     Kernel addresses of proc structs.
proc_regex             RegEx              A regex to select a process by name.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

route (DarwinRoute)
Show routing table.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

dead_sessions (DarwinSessionZoneCollector)
A mixin for plugins which require a valid kernel address space.
Args: dtb: A potential dtb to be used.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

sessions (DarwinSessions)
Finds sessions by walking their global hash table.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

cc (DarwinSetProcessContext)
A cc plugin for windows.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
pids                   ArrayIntParser     One or more pids of processes to select.
proc                   ArrayIntParser     Kernel addresses of proc structs.
proc_regex             RegEx              A regex to select a process by name.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

sigscan (DarwinSigScan)
Runs signature scans against physical, kernel or process memory.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
pids                   ArrayIntParser     One or more pids of processes to select.
proc                   ArrayIntParser     Kernel addresses of proc structs.
proc_regex             RegEx              A regex to select a process by name.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

dead_sockets (DarwinSocketZoneCollector)
A mixin for plugins which require a valid kernel address space.
Args: dtb: A potential dtb to be used.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

open_sockets (DarwinSocketsFromHandles)
Looks up handles that point to a socket and collects the socket.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

sysctl (DarwinSysctl)
Dumps the sysctl database.

On OS X the kernel is configured through the sysctl mechanism. This is analogous to /proc or /sysfs on Linux. The configuration space is broken into MIBs - or a hierarchical namespace. https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/sysctl.8.html

For example:

    net.inet.ip.subnets_are_local
    net.inet.ip.ttl
    net.inet.ip.use_route_genid

This is implemented via a singly linked list of sysctl_oid structs. The structs can be of the following types:

- CTLTYPE_INT means this MIB will handle an int.
- CTLTYPE_STRING means this MIB will handle a string.
- CTLTYPE_QUAD means this MIB will handle a long long int.
- CTLTYPE_NODE means this is a node which handles a sublevel of MIBs. It is actually a pointer to a new sysctl_oid_list which handles the sublevel.

Plugin                 Type               Description
dtb                    IntParser          The DTB physical address.
verbosity              IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
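A walk over the sysctl_oid structure just described, as an added example rather than the plugin's implementation: each level is a singly linked list of sysctl_oid entries, CTLTYPE_NODE entries point at the sublevel list, and leaf entries carry a typed value, so the dotted MIB name is the path of node names down to the leaf. The field names follow XNU's sysctl_oid (oid_name, oid_kind, oid_arg1, oid_link), the numeric CTLTYPE_* values are assumed from sys/sysctl.h, and the tree contents and values are constructed sample data. The visited-set guard is the one thing a memory-forensics walker needs that an in-kernel walk does not: a corrupted or deliberately looped list must terminate, not hang the plugin.

```python
"""Walk a sysctl_oid tree into dotted MIB names.

Added example, not Rekall's implementation.  Models the structure the
DarwinSysctl description gives: a singly linked list per level, NODE
entries pointing at the sublevel list, typed leaves.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple, Any

# Type codes as in XNU's sys/sysctl.h (assumed values; only the names matter here).
CTLTYPE_NODE = 1
CTLTYPE_INT = 2
CTLTYPE_STRING = 3
CTLTYPE_QUAD = 4
TYPE_NAMES = {CTLTYPE_INT: "INT", CTLTYPE_STRING: "STRING", CTLTYPE_QUAD: "QUAD"}


@dataclass
class SysctlOid:
    """One sysctl_oid struct; field names approximate the kernel's."""
    oid_name: str
    oid_kind: int
    oid_arg1: Optional["SysctlOid"] = None   # NODE: head of the sublevel oid list
    oid_link: Optional["SysctlOid"] = None   # next entry in this level's list
    oid_value: Any = None                    # leaf value (constructed here)


def link(*oids: SysctlOid) -> SysctlOid:
    """Chain the given entries through oid_link and return the list head."""
    for cur, nxt in zip(oids, oids[1:]):
        cur.oid_link = nxt
    return oids[0]


def walk_oids(head: Optional[SysctlOid], prefix: str = "",
              seen: Optional[set] = None) -> List[Tuple[str, str, Any]]:
    """Return (dotted name, type name, value) for every leaf under `head`.

    `seen` holds ids of entries already visited; a list that loops back on
    itself (corruption, or a tampered image) would otherwise never end.
    """
    seen = set() if seen is None else seen
    out = []
    node = head
    while node is not None:
        if id(node) in seen:          # cycle guard for untrusted memory
            break
        seen.add(id(node))
        full = prefix + node.oid_name
        if node.oid_kind == CTLTYPE_NODE:
            out.extend(walk_oids(node.oid_arg1, full + ".", seen))
        else:
            out.append((full, TYPE_NAMES.get(node.oid_kind, "UNKNOWN"), node.oid_value))
        node = node.oid_link
    return out


def sample_tree() -> SysctlOid:
    """Constructed sample namespace: kern.*, hw.*, net.inet.ip.* (values made up)."""
    ip = link(SysctlOid("subnets_are_local", CTLTYPE_INT, oid_value=0),
              SysctlOid("ttl", CTLTYPE_INT, oid_value=64),
              SysctlOid("use_route_genid", CTLTYPE_INT, oid_value=1))
    inet = SysctlOid("inet", CTLTYPE_NODE, oid_arg1=SysctlOid("ip", CTLTYPE_NODE, oid_arg1=ip))
    kern = SysctlOid("kern", CTLTYPE_NODE, oid_arg1=link(
        SysctlOid("ostype", CTLTYPE_STRING, oid_value="Darwin"),
        SysctlOid("version", CTLTYPE_STRING, oid_value="constructed kernel version string")))
    hw = SysctlOid("hw", CTLTYPE_NODE,
                   oid_arg1=SysctlOid("memsize", CTLTYPE_QUAD, oid_value=8589934592))
    net = SysctlOid("net", CTLTYPE_NODE, oid_arg1=inet)
    return link(kern, hw, net)


if __name__ == "__main__":
    for name, kind, value in walk_oids(sample_tree()):
        print("{:<32} {:<7} {!r}".format(name, kind, value))
```

Reading the same structure from an image only changes how each SysctlOid is materialised (a profile-typed read at a kernel address instead of a Python object); the traversal, the name assembly and the cycle guard stay as written.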
dead_ttys(DarwinTTYZoneCollector)Amixinforpluginswhichrequireavalidkerneladdressspace.
Args:dtb:Apotentialdtbtobeused.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
tasks(DarwinTaskProcessCollector)Amixinforpluginswhichrequireavalidkerneladdressspace.
Args:dtb:Apotentialdtbtobeused.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
terminals(DarwinTerminals)Listsopenttys.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
130Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2unp_sockets(DarwinUnpListCollector)Walksthegloballistofsocketsinuipc_usrreq.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
vadmap(DarwinVADMap)InspecteachpageintheVADandreportitsstatus.
ThisallowsustoseetheaddresstranslationstatusofeachpageintheVAD.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
endIntParserStopreadingatthisoffset.
pidsArrayIntParserOneormorepidsofprocessestoselect.
procArrayIntParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
startIntParserStartreadingfromthispage.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
vaddump(DarwinVadDump)DumptheVMAmemoryforaprocess.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
dump_dirStringPathsuitablefordumpingles.
pidsArrayIntParserOneormorepidsofprocessestoselect.
procArrayIntParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
vtop(DarwinVtoP)Describevirtualtophysicaltranslationondarwinplatforms.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
pidsArrayIntParserOneormorepidsofprocessestoselect.
procArrayIntParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
yarascan(DarwinYaraScan)Scanusingyarasignatures.
2.
1.
Memory131RekallForensicsDocumentation,Release1.
7.
2PluginTypeDescriptionbinary_stringStringAbinarystring(encodedashex)tosearchfor.
e.
g.
000102[1-200]0506contextIntParserContexttoprintafterthehit.
dtbIntParserTheDTBphysicaladdress.
hitsIntParserQuitafterndingthismanyhits.
pidsArrayInt-ParserOneormorepidsofprocessestoselect.
pre_contextIntParserContexttoprintbeforethehit.
procArrayInt-ParserKerneladdressesofprocstructs.
proc_regexRegExAregextoselectaprocessbyname.
scan_kernelBooleanScantheentirekerneladdressspace.
scan_physicalBooleanScanthephysicaladdressspaceonly.
scan_process_memoryBooleanScanallofprocessmemory.
Usesprocessselectorstonarrowdownse-lections.
stringStringAverbatimstringtosearchfor.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
yara_expressionStringIfprovidedwescanforthisyaraexpression.
yara_leStringTheyarasignatureletoread.
zones(DarwinZoneCollector)Amixinforpluginswhichrequireavalidkerneladdressspace.
Args:dtb:Apotentialdtbtobeused.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
dead_vnodes(DarwinZoneVnodeCollector)Amixinforpluginswhichrequireavalidkerneladdressspace.
Args:dtb:Apotentialdtbtobeused.
PluginTypeDescriptiondtbIntParserTheDTBphysicaladdress.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
2.
2Live2.
2.
1Generalle_yara(FileYaraScanner)Yarascannerwhichoperatesonles.
132Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2PluginTypeDescriptionbinary_stringStringAbinarystring(encodedashex)tosearchfor.
e.
g.
000102[1-200]0506contextIntParserContexttoprintafterthehit.
hitsIntParserQuitafterndingthismanyhits.
pathsArrayPathstoscan.
pre_contextIntParserContexttoprintbeforethehit.
stringStringAverbatimstringtosearchfor.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
yara_expressionStringIfprovidedwescanforthisyaraexpression.
yara_leStringTheyarasignatureletoread.
hexdump_le(IRDump)Hexdumplesfromdisk.
PluginTypeDescriptioncase_insensitiveBoolGlobswillbecaseinsensitive.
lesystemChoicesThevirtuallesystemimplementationtoglobin.
globsArrayStringListofglobstoreturn.
lengthIntParserMaximumlengthtodump.
path_sepStringPathseparatorcharacter(/or)rootStringRootdirectorytoglobfrom.
rowsIntParserNumberofbytesperrowstartIntParserAnoffsettohexdump.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
widthIntParserNumberofbytesperrownd(IRFind)Listlesrecursivelyfromarootpath.
PluginTypeDescriptionrootStringTherootdirectorytostartsearchfrom.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
glob(IRGlob)Searchforlesbylenameglob.
ThiscoderoughlybasedontheGlobowinGRR.
PluginTypeDescriptioncase_insensitiveBoolGlobswillbecaseinsensitive.
lesystemChoicesThevirtuallesystemimplementationtoglobin.
globsArrayStringListofglobstoreturn.
path_sepStringPathseparatorcharacter(/or)rootStringRootdirectorytoglobfrom.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
2.
2.
Live133RekallForensicsDocumentation,Release1.
7.
2hash(IRHash)PluginTypeDescriptionhashChoiceArrayOneormorehashestocalculate.
pathsArrayPathstohash.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
stat(IRStat)PluginTypeDescriptionpathsArrayPathstostat.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
osquery(OSQuery)RunstheOSQueryqueryandemittheresults.
Notethatthecolumnsemitteddependonosqueryitselfsowecannotpredictinadvancethetableformat.
PluginTypeDescriptionosquery_pathStringThepathtotheosquerybinary(defaultosqueryi).
queryStringTheOSQueryquerytorun.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
system_info(SystemInfo)Justemitinformationabouttheagent.
Theoutputformatisessentiallykeyvaluepairs.
Thisisusefulforelterqueries.
PluginTypeDescriptionverbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
2.
2.
2APIlsof(APILsof)Apluginwhichlistsallopenles.
PluginTypeDescriptionpidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
134Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2pslist(APIPslist)AlivepslistpluginusingtheAPIs.
PluginTypeDescriptionpidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
cc(APISetProcessContext)Accpluginforsettingprocesscontexttolivemode.
PluginTypeDescriptionpidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
maps(IRMaps)Examinetheprocessmemorymaps.
PluginTypeDescriptionoffsetSymbolAddressOnlyprintthevadcorrespondingtothisoffset.
pidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
regexRegExAregularexpressiontolterVADlenames.
verbosityIntParserWithhighverbosityprintmoreinformationoneachregion.
vaddump(IRVadDump)DumptheVMAmemoryforaprocess.
PluginTypeDescriptiondump_dirStringPathsuitablefordumpingles.
offsetSymbolAddressOnlyprintthevadcorrespondingtothisoffset.
pidsArrayIntParserOneormorepidsofprocessestoselect.
proc_regexRegExAregextoselectaprocessbyname.
regexRegExAregularexpressiontolterVADlenames.
verbosityIntParserWithhighverbosityprintmoreinformationoneachregion.
address_resolver(LinuxAPIAddressResolver)ALinuxspecicaddressresolverplugin.
PluginTypeDescriptionsymbolArrayStringListofsymbolstolookupverbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
2.
2.
Live135RekallForensicsDocumentation,Release1.
7.
2yarascan(ProcessYaraScanner)YarascanprocessmemoryusingtheReadProcessMemory()API.
PluginTypeDescriptionbinary_stringStringAbinarystring(encodedashex)tosearchfor.
e.
g.
000102[1-200]0506contextIntParserContexttoprintafterthehit.
hitsIntParserQuitafterndingthismanyhits.
pidsArrayIntParserOneormorepidsofprocessestoselect.
pre_contextIntParserContexttoprintbeforethehit.
proc_regexRegExAregextoselectaprocessbyname.
stringStringAverbatimstringtosearchfor.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
yara_expressionStringIfprovidedwescanforthisyaraexpression.
yara_leStringTheyarasignatureletoread.
2.
3Filesystem2.
3.
1NTFSs(FLS)PluginTypeDescriptionpathStringPathtoprintstatsfor.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
fstat(FStat)Printinformationbylename.
PluginTypeDescriptionpathStringPathtoprintstatsfor.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
idump(IDump)DumpapartofanMFTle.
PluginTypeDescriptionidIntParserIdofattributetodump.
mftIntParserMFTentrytodump.
typeIntParserAttributetypetodump.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
136Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2iexport(IExport)ExtractslesfromNTFS.
ForeachspeciedMFTentry,dumptheletothespecieddumpdirectory.
ThelenameistakenasthelongestlenameofthisMFTentry.
PluginTypeDescriptiondump_dirStringPathsuitablefordumpingles.
idIntParserIdofattributetodump.
mftIntParserMFTentrytodump.
typeIntParserAttributetypetodump.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
ils(ILS)ListlesinanNTFSimage.
PluginTypeDescriptionmftsArrayIntParserMFTentriestolist.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
istat(IStat)PrintinformationrelatedtoanMFTentry.
PluginTypeDescriptionmftsArrayIntParserMFTentriestolist.
verbosityIntParserAnintegerreectingtheamountofdesiredoutput:0=quiet,10=noisy.
2.
4General2.
4.
1Utilitiesaff4acquire(AFF4Acquire)CopythephysicaladdressspacetoanAFF4le.
NOTE:Thisplugindoesnotrequireaworkingprole-unlesstheuseralsowantstocopythepageleormappedles.
Inthatcasewemustanalyzethelivememorytogathertherequiredles.
  Plugin               Type               Description
  also_mapped_files    Boolean            Also get mapped or opened files (requires a profile)
  also_memory          Boolean            Also acquire physical memory. If not specified we acquire physical memory only when no other operation is specified.
  also_pagefile        Boolean            Also get the pagefile/swap partition (requires a profile)
  append               Boolean            Append to the current volume.
  compression          String             The compression to use.
  destination          String             The destination file to create.
  destination_url      String             The destination AFF4 URL to create.
  files                ArrayStringParser  Also acquire files matching the following globs.
  gce_credentials      String             The GCE service account credentials to use.
  gce_credentials_path String             A path to the GCE service account credentials to use.
  max_file_size        IntParser          Maximum file size to acquire.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
aff4dump (AFF4Dump) Dump the entire resolver contents for an AFF4 volume.

  Plugin               Type               Description
  gce_credentials      String             The GCE service account credentials to use.
  gce_credentials_path String             A path to the GCE service account credentials to use.
  long                 Boolean            Include additional information about each stream.
  regex                RegEx              Regex of filenames to dump.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
  volume               String             Volume to list.

aff4export (AFF4Export) Exports all the streams in an AFF4 Volume.

  Plugin               Type               Description
  dump_dir             String             Path suitable for dumping files.
  gce_credentials      String             The GCE service account credentials to use.
  gce_credentials_path String             A path to the GCE service account credentials to use.
  regex                RegEx              Regex of filenames to dump.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
  volume               String             Volume to list.
aff4ls (AFF4Ls) List the content of an AFF4 file.

  Plugin               Type               Description
  gce_credentials      String             The GCE service account credentials to use.
  gce_credentials_path String             A path to the GCE service account credentials to use.
  long                 Boolean            Include additional information about each stream.
  regex                RegEx              Regex of filenames to dump.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
  volume               String             Volume to list.

api (APIGenerator) Generate the plugin API document.

  Plugin               Type               Description
  output_file          String             If specified we write the API into this file in YAML.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

session_api (APISessionGenerator)

  Plugin               Type               Description
  output_file          String             If specified we write the API into this file in YAML.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
artifact_collector (ArtifactsCollector) Collects artifacts.

  Plugin               Type               Description
  artifact_files       ArrayStringParser  A list of additional yaml files to load which contain artifact definitions.
  artifacts            ArrayStringParser  A list of artifact names to collect.
  copy_files           Bool               Copy files into the output.
  create_timeline      Bool               Also generate a timeline file.
  definitions          ArrayStringParser  An inline artifact definition in yaml format.
  output_path          String             Path suitable for dumping files.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
  writer               Choices            Writer for artifact results.
artifact_list (ArtifactsList) List details about all known artifacts.

  Plugin               Type               Description
  all                  Bool               Show all artifacts.
  labels               ArrayStringParser  Filter by these labels.
  regex                RegEx              Filter the artifact name.
  supported_os         ArrayStringParser  If specified show for these OSs, otherwise autodetect based on the current image.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

artifact_view (ArtifactsView)

  Plugin               Type               Description
  artifacts            ArrayStringParser  A list of artifacts to display
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
build_index (BuildIndex) Generate a profile index file based on an index specification.

The index specification is currently a yaml file with the following structure:

  base_symbol: (string)      # OPTIONAL Compute ALL offsets as relative to this symbol. This includes MaxOffset and MinOffset.
  symbols: (array of dicts)  # A list of symbols to index.
    - name: (string)         # Symbol name
      data: (string)         # Data that should be at the symbol's offset
      shift: (int)           # OPTIONAL Adjust symbol offset by this number

Example:

  path: win32k.sys
  symbols:
    - # The name of the symbol we test for.
      name: "_C@_1BO@KLKIFHLC@$AAG$AAU$AAI$AAF$AAo$AAn$AAt$AA4$AAH$AAe$AAi$AAg$AAh$AAt$AA$AA@"
      # The data we expect to find at that offset.
      data: "47005500490046006f006e0074002e00480065006900670068007400"
    - name: "wcschr"
      shift: -1
      data: "90"

The result is an index profile. This has an $INDEX section which is a dict, with keys being the profile name, and values being a list of (offset, match) tuples. For example:

  {
   "$INDEX": {
    "tcpip.sys/AMD64/6.0.6001.18000/0C1A1EC1D61E4508A33F5212FC1B37202": [[1184600, "495053656344656c657465496e626f756e644f7574626f756e64536150616972"]],
    "tcpip.sys/AMD64/6.0.6001.18493/29A4DBCAF840463298F40190DD1492D02": [[1190376, "495053656344656c657465496e626f756e644f7574626f756e64536150616972"]],
    "tcpip.sys/AMD64/6.0.6002.18272/7E79532FC7E349C690F5FBD16E3562172": [[1194296, "495053656344656c657465496e626f756e644f7574626f756e64536150616972"]]
   },
   "$METADATA": {
    "ProfileClass": "Index",
    "Type": "Profile",
    "MaxOffset": 546567,
    "MinOffset": 0
   }
  }

build_local_profile (BuildProfileLocally) Downloads and builds a profile locally in one step.

We store the profile in the first repository in the profile_path which must be writable. Usually this is a caching repository so the profile goes in the local cache.
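The $INDEX structure described under build_index above is small enough to evaluate directly. The block below is an added example, not code from the Rekall documentation or code base: it applies an index profile to the bytes of a candidate module and selects every profile name whose (offset, hex data) checks all match. The profile names, offsets and data bytes in INDEX_PROFILE, and the module bytes built by build_image, are constructed for this example and do not come from a real tcpip.sys.

```python
import json

# Constructed index profile in the $INDEX layout shown above. Profile names,
# offsets and data are made up for the example; "4950536563" is "IPSec".
INDEX_PROFILE = json.loads("""
{
 "$INDEX": {
  "tcpip.sys/AMD64/example-build-A/GUID-A": [[16, "4950536563"]],
  "tcpip.sys/AMD64/example-build-B/GUID-B": [[16, "4950536563"], [40, "90"]],
  "tcpip.sys/AMD64/example-build-C/GUID-C": [[16, "4950536563"], [40, "cc"]]
 },
 "$METADATA": {"ProfileClass": "Index", "Type": "Profile",
               "MaxOffset": 64, "MinOffset": 0}
}
""")


def match_index(index_profile, image):
    """Return the sorted profile names whose every (offset, hex data) pair is
    present at that offset in image.

    image holds the module bytes relative to the same base the index offsets
    use (the module start, or base_symbol when the specification sets one).
    A profile is accepted only if all of its checks match; one mismatch
    rejects it.
    """
    matches = []
    for name, checks in index_profile["$INDEX"].items():
        for offset, hexdata in checks:
            expected = bytes.fromhex(hexdata)
            if image[offset:offset + len(expected)] != expected:
                break
        else:  # no check failed
            matches.append(name)
    return sorted(matches)


def build_image(byte_at_40):
    """Construct a 64-byte module image (test data, not a real module) with
    'IPSec' at offset 16 and the given byte at offset 40."""
    image = bytearray(64)
    image[16:21] = b"IPSec"
    image[40] = byte_at_40
    return bytes(image)


if __name__ == "__main__":
    for candidate in (0x90, 0xCC, 0x00):
        print(hex(candidate), match_index(INDEX_PROFILE, build_image(candidate)))
```

Because build A only checks offset 16, it matches every image that carries the "IPSec" bytes there; builds B and C are told apart by the single byte at offset 40. That is the same mechanism the real index uses to pick one tcpip.sys profile among several builds without loading each full profile.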
simple_certdump (CertDump) Dump certs found by certscan.

  Plugin               Type               Description
  dump_dir             String             Path suitable for dumping files.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

simple_certscan (CertScan) Dump RSA private and public SSL keys from the physical address space.

  Plugin               Type               Description
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

This plugin is similar to the [cert_vad_scan](CertVadScan.html) plugin. It attempts to detect DER encoded X509 certificates or RSA private keys in physical memory. Optionally, if a dump directory is provided the DER encoded certificates are also dumped to files in the specified directory.

### Sample Output

  win8.1.raw 22:07:35> certscan
                       certscan()
    Address         Type  Length  Description
    0x000000030c95  X509  1287    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
    0x00000003119c  X509  1499    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
    0x000000031b94  X509  1653    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
    0x000000032209  X509  1246    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/OU=nCipher DSE ESN:F528-3777-8A76/CN=Microsoft Time-Stamp Service
    0x00000017114e  X509  1499    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
    0x000000171b46  X509  1653    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010

collect (Collect) Collect instances of struct of type 'type_name'.

This plugin will find all other plugins that produce 'type_name' and merge all their output. For example, running collect 'proc' will give you a rudimentary psxview. This plugin is mostly used by other plugins, like netstat and psxview.

  Plugin               Type               Description
  type_name            String             The type (struct) to collect.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
convert_profile (ConvertProfile) Convert a profile from another program to the Rekall format.

The Rekall profile format is optimized for loading at runtime. This plugin produces a Rekall profile from a variety of sources, including:

- Linux debug compiled kernel module (see tool/linux/README)
- OSX Dwarfdump outputs.

  Plugin               Type               Description
  converter            String             The name of the converter to use. If not specified autoguess.
  out_file             String             Path for output file.
  profile_class        String             The name of the profile implementation to specify. If not specified, we autodetect.
  source               String             Filename of profile to read.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

Rekall profiles are JSON files which contain information specific to a particular software version. For example, Rekall requires a Linux Kernel profile to be able to analyze a memory image of the Linux kernel.

The convert_profile plugin converts profiles from other formats to the standard JSON format used by Rekall. There are two main use cases:

1. If you have an old Volatility profile, this plugin will parse that.
2. When building a Linux kernel profile, the build system produces a debug enabled kernel module inside a Zip file. In this case you can use the convert_profile plugin to parse the DWARF stream from the debug module and produce the JSON file required.

The below example demonstrates how to build and convert a Linux profile locally for live analysis:

  rekall/tools/linux# make profile
  make -C /usr/src/linux-headers-3.13.0-74-generic CONFIG_DEBUG_INFO=y M=`pwd` modules
  make[1]: Entering directory `/usr/src/linux-headers-3.13.0-74-generic'
    Building modules, stage 2.
    MODPOST 2 modules
  make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-74-generic'
  cp module.ko module_dwarf.ko
  zip "3.13.0-74-generic.zip" module_dwarf.ko /boot/System.map-3.13.0-74-generic /boot/config-3.13.0-74-generic
  updating: module_dwarf.ko (deflated 65%)
  updating: boot/System.map-3.13.0-74-generic (deflated 79%)
  updating: boot/config-3.13.0-74-generic (deflated 75%)
  rekall/tools/linux# rekal convert_profile 3.13.0-74-generic.zip 3.13.0-74-generic.json
  rekall/tools/linux# rekal --profile 3.13.0-74-generic.json -f /proc/kcore pslist
    task_struct       Name         PID  PPID  UID  GID  DTB             Start Time            Binary
    0x8804285f0000    init         1    0     0    0    0x000426592000  2016-01-29 12:50:31Z  /sbin/init
    0x8804285f1800    kthreadd     2    0     0    0    -               2016-01-29 12:50:31Z  -
    0x8804285f3000    ksoftirqd/0  3    2     0    0    -               2016-01-29 12:50:31Z  -

dt (DT) Print a struct or other symbol.
Really just a convenience function for instantiating the object and printing all its members.

  Plugin               Type               Description
  address_space        AddressSpace       The address space to use.
  member_offset        IntParser          If specified we only show the member at this offset.
  offset               IntParser          Name of a struct definition.
  target               String             Name of a struct definition.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

The dt plugin prints all the fields within a data structure and optionally, their contents. In the example below, we create an _EPROCESS instance over a specific virtual address (this was taken from the output of the pslist plugin). The dt plugin displays all the fields in the struct. If there is a nested struct, the dt plugin shows a tree view of the nested struct as well.

Note that if an address is not specified, the _EPROCESS object will simply be instantiated over address 0 and all offsets will be relative to the beginning of the struct. This is very useful when deciphering assembly code which dereferences members of the struct.

Rekall also uses "virtual members" on structs, mostly placed there for convenience or to support multiple versions of the same struct. We can see in this case that the fields "name" and "pid" are virtual members since their offset is -1. These represent the name and the pid of the process in all operating systems.

  [1] win7.elf 19:34:27> dt session.profile._EPROCESS(0xfa8002a94060)
                         dt(session.profile._EPROCESS(0xfa8002a94060))
  [_EPROCESS _EPROCESS] @ 0xfa8002a94060
    Offset              Field                  Content
    0x-1                RealVadRoot            [_MMADDRESS_NODE BalancedRoot] @ 0xFA8002A944A8
    . 0xfa8002a9449c    Tag                    [String:Tag]: '\x14\xd0\x02\x00'
    . 0xfa8002a944a8    u1                     [u1] @ 0xFA8002A944A8
    . . 0xfa8002a944a8  Balance                [BitField(0-2):Balance]: 0x00000000
    . . 0xfa8002a944a8  Parent
    . 0xfa8002a944b0    LeftChild
    . 0xfa8002a944b8    RightChild
    . 0xfa8002a944c0    StartingVpn            [unsigned long long:StartingVpn]: 0x00000000
    . 0xfa8002a944c8    EndingVpn              [unsigned long long:EndingVpn]: 0x00000000
    0x-1                dtb                    112128000
    0x-1                name                   [String:ImageFileName]: 'Console.exe\x00'
    0x-1                pid                    [unsigned int:UniqueProcessId]: 0x00000A38
    0xfa8002a94060      Pcb                    [_KPROCESS Pcb] @ 0xFA8002A94060
    . 0xfa8002a94060    Header                 [_DISPATCHER_HEADER Header] @ 0xFA8002A94060
    . . 0xfa8002a94060  Lock                   [long:Lock]: 0x00580003
    . . 0xfa8002a94060  Type                   [Enumeration:Type]: 0x00000003 (ProcessObject)
    . . 0xfa8002a94061  Abandoned              [unsigned char:Abandoned]: 0x00000000
    . . 0xfa8002a94061  Absolute               [BitField(0-1):Absolute]: 0x00000000
    . . 0xfa8002a94061  Coalescable            [BitField(1-2):Coalescable]: 0x00000000
    . . 0xfa8002a94061  EncodedTolerableDelay  [BitField(3-8):EncodedTolerableDelay]: 0x00000000
    . . 0xfa8002a94061  KeepShifting           [BitField(2-3):KeepShifting]: 0x00000000
    . . 0xfa8002a94061  Signalling             [unsigned char:Signalling]: 0x00000000
    . . 0xfa8002a94061  TimerControlFlags      [unsigned char:TimerControlFlags]: 0x00000000
    . . 0xfa8002a94062  CounterProfiling       [BitField(2-3):CounterProfiling]: 0x00000000
    . . 0xfa8002a94062  CpuThrottled           [BitField(0-1):CpuThrottled]: 0x00000000
    . . 0xfa8002a94062  CycleProfiling         [BitField(1-2):CycleProfiling]: 0x00000000
    . . 0xfa8002a94062  Hand                   [unsigned char:Hand]: 0x00000058
    . . 0xfa8002a94062  Reserved               [BitField(3-8):Reserved]: 0x0000000B
    . . 0xfa8002a94062  Size                   [unsigned char:Size]: 0x00000058
    . . 0xfa8002a94062  ThreadControlFlags     [unsigned char:ThreadControlFlags]: 0x00000058
    . . 0xfa8002a94063  ActiveDR7              [BitField(0-1):ActiveDR7]: 0x00000000
    . . 0xfa8002a94063  DebugActive            [unsigned char:DebugActive]: 0x00000000
    . . 0xfa8002a94063  DpcActive              [unsigned char:DpcActive]: 0x00000000
    . . 0xfa8002a94063  Expired                [BitField(7-8):Expired]: 0x00000000

describe (Describe) Describe the output of a plugin.

  Plugin               Type               Description
  args                 dict               args to run the plugin with.
  max_depth            IntParser          The maximum depth to follow mappings.
  plugin_name          String             A plugin or plugin name to describe.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
dis (Disassemble) Disassemble the given offset.

  Plugin               Type               Description
  address_space        AddressSpace       The address space to use.
  branch               Boolean            If set we follow all branches to cover all code.
  canonical            Boolean            If set emit canonical instructions. These can be used to develop signatures.
  end                  IntParser          The end address to disassemble up to.
  length               IntParser          The number of instructions (lines) to disassemble.
  mode                 Choices            Disassemble Mode (AMD64 or I386). Defaults to 'auto'.
  offset               SymbolAddress      An offset to disassemble. This can also be the name of a symbol with an optional offset. For example: tcpip!TcpCovetNetBufferList.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

This plugin is used to disassemble memory regions. The offset to disassemble may be given as:

- An address in the current default address space (See the [cc](SetProcessContext.html) plugin for an explanation of the default address space).
- The name of a kernel module with an optional symbol name. The symbol may be an exported symbol, or a non-exported symbol as defined in the pdb file for that kernel module.
### Notes

1. When using the interactive console you can complete symbol names by double tapping the [tab] key. For example dis "nt!KiSetTi[tab][tab].

2. Rekall attempts to resolve addresses in the disassembly back to known symbol names. Additionally, for indirect operations, Rekall also prints the current value of the memory location. This feature is especially useful for understanding where indirect jumps are going - without needing to consider PE import tables etc. This works since the IAT is already patched into memory, hence Rekall can completely ignore IAT resolution (unlike a standalone PE analyser like IDA).
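The KiSetTimerEx sample output that follows is short enough to reproduce arithmetically. The block below is an added example, not Rekall code: it mirrors the instruction sequence shown in that listing (XOR with KiWaitAlways, BSWAP, XOR with the timer address, ROR by the low byte of KiWaitNever, XOR with KiWaitNever) and inverts it, which is what an analyst needs to recover the real DPC pointer from the encoded field a timer object stores. The KiWaitNever and KiWaitAlways values are the ones printed in the listing's comment column; the timer and DPC addresses are constructed for the example.

```python
MASK64 = (1 << 64) - 1

# Current values of the two kernel globals as printed in the KiSetTimerEx
# listing (comment column of the two RIP-relative MOVs).
KI_WAIT_NEVER = 0x6D7CFFA404933FBB
KI_WAIT_ALWAYS = 0x933DD660CFFF8004


def ror64(value, count):
    """ROR r64, CL: the CPU masks the count to 6 bits for a 64-bit operand."""
    count &= 63
    return ((value >> count) | (value << (64 - count))) & MASK64


def rol64(value, count):
    count &= 63
    return ((value << count) | (value >> (64 - count))) & MASK64


def bswap64(value):
    """BSWAP r64: reverse the byte order of a 64-bit value."""
    return int.from_bytes(value.to_bytes(8, "little"), "big")


def encode_dpc(dpc, timer, wait_never=KI_WAIT_NEVER, wait_always=KI_WAIT_ALWAYS):
    """Follow the listing: RBX = KiWaitAlways, R14 = DPC argument,
    RCX = timer address, RAX = KiWaitNever."""
    rbx = wait_always ^ dpc               # XOR RBX, R14
    rbx = bswap64(rbx)                    # BSWAP RBX
    rbx ^= timer                          # XOR RBX, RCX
    rbx = ror64(rbx, wait_never & 0xFF)   # MOV ECX, EAX ; ROR RBX, CL
    rbx ^= wait_never                     # XOR RBX, RAX
    return rbx                            # MOV [RSI+0x30], RBX


def decode_dpc(encoded, timer, wait_never=KI_WAIT_NEVER, wait_always=KI_WAIT_ALWAYS):
    """Undo encode_dpc by applying the inverse of each step in reverse order."""
    rbx = encoded ^ wait_never
    rbx = rol64(rbx, wait_never & 0xFF)
    rbx ^= timer
    rbx = bswap64(rbx)
    return rbx ^ wait_always


if __name__ == "__main__":
    # Constructed kernel addresses for a _KTIMER and its _KDPC.
    timer, dpc = 0xFFFFFA8002A94500, 0xFFFFFA8002A94600
    stored = encode_dpc(dpc, timer)
    print("stored at timer+0x30: 0x%016x" % stored)
    print("recovered DPC:       0x%016x" % decode_dpc(stored, timer))
```

The point of reading the listing this way is that the stored value depends on three things an analyst can read from the image (the timer's own address and the two globals), so a timer's DPC can be recovered offline without executing anything; the same three inputs are what the decode function takes.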
### Sample output

Here we disassemble the kernel function KiSetTimerEx to observe the DPC pointer obfuscation that PatchGuard uses on 64 bit Windows 7. We can see the names of the symbols used and their current values, as well as the name of internally called functions.

  win7.elf 23:48:14> dis "nt!KiSetTimerEx"
                     dis("nt!KiSetTimerEx")
    Address         Rel  Op Codes            Instruction              Comment
  ------ nt!KiSetTimerEx ------
    0xf8000269d4f0  0    48895c2408          MOV [RSP+0x8], RBX
    0xf8000269d4f5  5    4889542410          MOV [RSP+0x10], RDX
    0xf8000269d4fa  A    55                  PUSH RBP
    0xf8000269d4fb  B    56                  PUSH RSI
    0xf8000269d4fc  C    57                  PUSH RDI
    0xf8000269d4fd  D    4154                PUSH R12
    0xf8000269d4ff  F    4155                PUSH R13
    0xf8000269d501  11   4156                PUSH R14
    0xf8000269d503  13   4157                PUSH R15
    0xf8000269d505  15   4883ec50            SUB RSP, 0x50
    0xf8000269d509  19   488b05f09b2200      MOV RAX, [RIP+0x229bf0]  0x6D7CFFA404933FBB nt!KiWaitNever
    0xf8000269d510  20   488b1dc19c2200      MOV RBX, [RIP+0x229cc1]  0x933DD660CFFF8004 nt!KiWaitAlways
    0xf8000269d517  27   4c8bb424b0000000    MOV R14, [RSP+0xb0]
    0xf8000269d51f  2F   4933de              XOR RBX, R14
    0xf8000269d522  32   488bf1              MOV RSI, RCX
    0xf8000269d525  35   450fb6f9            MOVZX R15D, R9B
    0xf8000269d529  39   480fcb              BSWAP RBX
    0xf8000269d52c  3C   418bf8              MOV EDI, R8D
    0xf8000269d52f  3F   4833d9              XOR RBX, RCX
    0xf8000269d532  42   8bc8                MOV ECX, EAX
    0xf8000269d534  44   48d3cb              ROR RBX, CL
    0xf8000269d537  47   4833d8              XOR RBX, RAX
    0xf8000269d53a  4A   450f20c4            MOV R12, CR8
    0xf8000269d53e  4E   b802000000          MOV EAX, 0x2
    0xf8000269d543  53   440f22c0            MOV CR8, RAX
    0xf8000269d547  57   65488b2c2520000000  MOV RBP, [GS:0x20]
    0xf8000269d550  60   33d2                XOR EDX, EDX
    0xf8000269d552  62   488bce              MOV RCX, RSI
    0xf8000269d555  65   e8f6b0ffff          CALL 0xf80002698650      nt!KiCancelTimer
    0xf8000269d55a  6A   48895e30            MOV [RSI+0x30], RBX

dump (Dump) Hexdump an object or memory location.
You can use this plugin repeatedly to keep dumping more data using the "p _" (print last result) operation:

  In [2]: dump 0x814b13b0, address_space="K"
     ——> dump(0x814b13b0, address_space="K")
  Offset      Hex                                              Data
  0x814b13b0  03 00 1b 00 00 00 00 00 b8 13 4b 81 b8 13 4b 81  ..........K...K.
  Out[3]:
  In [4]: p _
     ——> p(_)
  Offset      Hex                                              Data
  0x814b1440  70 39 00 00 54 1b 01 00 18 0a 00 00 32 59 00 00  p9..T.......2Y..
  0x814b1450  6c 3c 01 00 81 0a 00 00 18 0a 00 00 00 b0 0f 06  l<..............

  dump "nt!SeTcbPrivilege"
  dump("nt!SeTcbPrivilege")
  Offset          Data                                                               Comment
  0xf80002b590b8  07 00 00 00 00 00 00 00 44 02 01 00 80 f9 ff ff  ........D.......  nt!SeTcbPrivilege, nt!NlsOemToUnicodeData
  0xf80002b590c8  00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00  ................  nt!VfRandomVerifiedDrivers, nt!TunnelMaxEntries, nt!ExpBootLicensingData
  0xf80002b590d8  bc 00 00 00 00 10 00 00 00 00 ff 07 80 f8 ff ff  ................  nt!ExpLicensingDescriptorsCount, nt!CmpStashBufferSize, nt!ExpLicensingView
  0xf80002b590e8  e8 f5 00 00 a0 f8 ff ff e8 45 7a 05 a0 f8 ff ff  .........Ez.....  nt!CmpHiveListHead
  0xf80002b590f8  1c 00 00 00 80 f9 ff ff 16 00 00 00 00 00 00 00  ................  nt!NlsAnsiToUnicodeData, nt!SeSystemEnvironmentPrivilege

dwarfparser (DwarfParser) Parse the dwarf file and dump a vtype structure from it.

  Plugin               Type               Description
  dwarf_filename       String             The filename of the PDB file.
  profile_class        String             The name of the profile implementation.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
This plugin is mostly used by the convert_profile plugin.

elf_sections (ELFSections)

  Plugin               Type               Description
  binary_path          String             Path to the ELF binary.
  header_offset        IntParser          Offset to the ELF header.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

elf_versions_needed (ELFVerNeeded)

  Plugin               Type               Description
  binary_path          String             Path to the ELF binary.
  header_offset        IntParser          Offset to the ELF header.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

elf_versions_symbols (ELFVerSymbols)

  Plugin               Type               Description
  binary_path          String             Path to the ELF binary.
  header_offset        IntParser          Offset to the ELF header.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
ewfacquire (EWFAcquire) Copy the physical address space to an EWF file.

  Plugin               Type               Description
  destination          String             The destination file to create. If not specified we write output.E01 in the current directory.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

Rekall supports many different image formats. One of the popular formats is the EWF or E01 format. It is a compressible format for forensic images.

The ewfacquire plugin will copy the physical address space into an EWF file. This can be used to acquire memory (e.g. when Rekall is used in live mode) or to convert a memory image from another format to EWF format.

Note that the EWF format is not an open format. The variant written by Rekall is not necessarily interchangeable with other implementations. We usually recommend using aff4acquire over ewfacquire because the AFF4 format can contain multiple streams and can also keep important metadata.

  [1] win7.elf 23:02:22> ewfacquire destination="/tmp/test.E01"
                         ewfacquire(destination="/tmp/test.E01")
  Writing 352Mb

fetch_pdb (FetchPDB) Fetch the PDB file for an executable from the Microsoft PDB server.

  Plugin               Type               Description
  dump_dir             String             Path suitable for dumping files.
  guid                 String             The GUID of the pdb file. If provided, the pdb filename must be provided in the --pdb_filename parameter.
  pdb_filename         String             The filename of the executable to get the PDB file for.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

The Microsoft Visual Studio compiler stores debugging information for each binary built in a PDB file. Each binary contains a unique GUID which can be used to fetch the correct PDB file from the public Microsoft symbol server.

The fetch_pdb plugin is used to fetch the correct PDB file from the symbol server. You will need to provide the name of the PDB file and the GUID - both of these are found from the PE headers of the binary.

Note that this plugin is mainly used by the build_local_profile plugin and by the manage_repo plugins, but might also be useful on its own. Usually you need to parse_pdb after fetching it so a profile can be generated for Rekall to use.

In the example below we find the GUID and pdb filename of an executable from the image, then use the fetch_pdb plugin to fetch it. Note that PDB files are compressed using CAB on the symbol server so we need cabextract installed locally.

  [1] win7.elf 23:08:40> peinfo "termdd"
    Attribute                    Value
    ---------------------------- -----
    Machine                      IMAGE_FILE_MACHINE_AMD64
    TimeDateStamp                2009-07-14 00:16:36Z
    Characteristics              IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
    GUID/Age                     2A530717E88549BB92DBB72C224EC2B11
    PDB                          termdd.pdb
    MajorOperatingSystemVersion  6
    MinorOperatingSystemVersion  1
    MajorImageVersion            6
    ...

  [1] win7.elf 23:09:12> fetch_pdb pdb_filename="termdd.pdb", guid="2A530717E88549BB92DBB72C224EC2B11"
  Trying to fetch http://msdl.microsoft.com/download/symbols/termdd.pdb/2A530717E88549BB92DBB72C224EC2B11/termdd.pd_
  Trying to fetch http://msdl.microsoft.com/download/symbols/termdd.pdb/2A530717E88549BB92DBB72C224EC2B11/termdd.pd_
  Extracting cabinet: /tmp/tmpXkEgyu/termdd.pd_
    extracting termdd.pdb

  All done, no errors.
which_plugin (FindPlugins) Find which plugin(s) are available to produce the desired output.

  Plugin               Type               Description
  producers_only       Boolean            Only include producers: plugins that output only this struct and have no side effects.
  type_name            String             The name of the type we're looking for. E.g.: 'proc' will find psxview, pslist, etc.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
grep (Grep) Search an address space for keywords.

  Plugin               Type               Description
  address_space        AddressSpace       Name of the address_space to search.
  context              IntParser          Context to print around the hit.
  keyword              ArrayString        The binary strings to find.
  limit                String             The length of data to search.
  offset               IntParser          Start searching from this offset.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

Sometimes we want to search for some data in the address space. Although we can use yarascan to do this, it is typically slower than just running the grep plugin. Note that the plugin can scan the entire address space efficiently (i.e. it will automatically skip over sparse memory regions).

One of the more interesting uses of the grep plugin is looking for references. For example, suppose we wanted to see who has a reference to a particular _EPROCESS structure. In the below example, we pick an _EPROCESS from the output of pslist and search for pointers to it somewhere in kernel memory (There are many pointers! We just picked one for this example.). We then use the analyze_struct plugin to discover that the pointer resides in an allocation with the pool tag 'ObHd'. We can search the kernel disassembly to realize this is an Object Handle. Note how we use grep to search for the little endian representation of the _EPROCESS address.
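Two small conversions carry the whole session below: turning the _EPROCESS address into the little-endian keyword that grep is given, and reading the pool tag 'ObHd' back out of the immediate 0x6448624f that the disassembly loads into r8d. The block below is an added example (not Rekall code) that performs both and then finds the pointer in a buffer. HIT_BYTES is constructed from the three hexdump rows printed by grep in that session, and HIT_BASE is the address of the first row; the search only reports hits on 8-byte boundaries, so a pointer pattern that merely straddles two unrelated fields is ignored.

```python
import struct

# Address of the first grep hit row in the session below and the 48 bytes of
# the three rows it printed (constructed here from the page's hexdump).
HIT_BASE = 0xF8A0013D8AD8
HIT_BYTES = bytes.fromhex(
    "6040a90280faffff0100000000000000"
    "9001ad0280faffff0100000000000000"
    "00000000000000000000000000000000"
)


def pointer_keyword(address, nbytes=6):
    """Little-endian byte pattern that a pointer to address has in memory.

    nbytes=6 keeps the low 48 bits, which is what the session searches for:
    the top two bytes of a canonical kernel pointer are the sign extension
    (0xffff) and add nothing to the search.
    """
    return struct.pack("<Q", address & 0xFFFFFFFFFFFFFFFF)[:nbytes]


def find_pointers(buf, address, base=0, nbytes=6, align=8):
    """Return the addresses (base + offset) in buf holding a pointer to
    address, keeping only hits that start on an align-byte boundary."""
    key = pointer_keyword(address, nbytes)
    hits = []
    pos = buf.find(key)
    while pos != -1:
        if (base + pos) % align == 0:
            hits.append(base + pos)
        pos = buf.find(key, pos + 1)
    return hits


def pool_tag_value(tag):
    """The 32-bit immediate a 4-character pool tag becomes when loaded
    little-endian, e.g. 'ObHd' -> 0x6448624f as in 'mov r8d, 0x6448624f'."""
    return struct.unpack("<I", tag.encode("ascii"))[0]


def pool_tag_from_value(value):
    """Inverse of pool_tag_value: recover the tag text from the immediate."""
    return struct.pack("<I", value).decode("ascii")


if __name__ == "__main__":
    eprocess = 0xFA8002AD0190  # cmd.exe from the pslist output below
    print("keyword:", pointer_keyword(eprocess))
    print("pointer stored at:", [hex(a) for a in find_pointers(HIT_BYTES, eprocess, HIT_BASE)])
    print("ObHd ->", hex(pool_tag_value("ObHd")), "->", pool_tag_from_value(0x6448624F))
```

The first hexdump row holds a different pointer (0xfa8002a94060, another _EPROCESS) and must not be reported; only the second row, at 0xf8a0013d8ae8, contains the searched address, which is the value passed to analyze_struct in the session.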
  [1] win7.elf 23:14:38> pslist
    _EPROCESS        Name     PID   PPID  Thds  Hnds  Sess  Wow64  Start                 Exit
    ...
    0xfa8002ad0190   cmd.exe  2644  2616  2     66    1     True   2012-10-01 14:40:20Z  -

  [1] win7.elf 23:14:55> grep keyword="\x90\x01\xad\x02\x80\xfa"
    ...
    Offset          Data                                              Comment
    0xf8a0013d8ad8  60 40 a9 02 80 fa ff ff 01 00 00 00 00 00 00 00
    0xf8a0013d8ae8  90 01 ad 02 80 fa ff ff 01 00 00 00 00 00 00 00
    0xf8a0013d8af8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ...

  [1] win7.elf 23:17:20> analyze_struct 0xf8a0013d8ae8
  0xf8a0013d8ae8 is inside pool allocation with tag 'ObHd' (0xf8a0013d8a30) and size 0x100

    Offset  Content
    0x0     Data: 0xfa8002ad0190 Tag: Pro\xe3 @ 0xfa8002ad0190 (0x530)
    0x8     Data: 0x1
    0x10    Data: 0x0
    0x18    Data: 0x0
    0x20    Data: 0x0
    0x28    Data: 0x0
    0x30    Data: 0xfa80017f9060 Tag: Pro\xe3 @ 0xfa80017f9060 (0x530)
    0x38    Data: 0x1
    0x40    Data: 0x730061006c
    0x48    Data: 0x744e034d0110
    0x50    Data: 0x490053004c
    0x58    Data: 0xa4801280702
    0x60    Data: 0x981e
    0x68    Data: 0x100000000
    0x70    Data: 0x0

  [1] win7.elf 23:22:25> hex(struct.unpack("
  '0x6448624f'

  [1] win7.elf 23:22:33> dis "nt!ObpInsertHandleCount"
                         dis("nt!ObpInsertHandleCount")
    Address         Rel   Op Codes       Instruction                   Comment
  ------------ nt!ObpInsertHandleCount ------------: 0xf80002976010
    0xf80002976010  0x0   48895c2408     mov qword ptr [rsp+8], rbx
    0xf80002976015  0x5   48896c2410     mov qword ptr [rsp+0x10], rbp
    ...
    0xf80002976089  0x79  41b84f624864   mov r8d, 0x6448624f
    0xf8000297608f  0x7f  e83cd3e4ff     call 0xf800027c33d0           nt!ExAllocatePoolWithTag
    0xf80002976094  0x84  4885c0         test rax, rax
    0xf80002976097  0x87  0f84dacd0400   je 0xf800029c2e77             nt!ExpProfileCreate+0x9d57
    0xf8000297609d  0x8d  458bc5         mov r8d, r13d

imagecopy (ImageCopy) Copies a physical address space out as a raw DD image.

Rekall supports many different image formats.
Image formats such as AFF4 and EWF are very convenient for long term storage and archiving of images. However, some other memory analysis tools do not support such a rich selection of image formats and might not be able to directly analyze some of these formats. Sometimes we might want to verify something with another tool, and the RAW image format seems to be most widely supported.

The imagecopy plugin copies the current physical address space into a RAW file. It pads sparse regions with NULL bytes.

Note that RAW images cannot contain multiple streams (like the pagefile), nor do they support any metadata (such as registers). Hence the RAW image is vastly inferior. We do not recommend actually acquiring the image using the RAW format in the first place (use AFF4 or ELF). However, if Rekall is run in live mode, the imagecopy plugin will produce a RAW image of live memory.
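The "Range start - length" lines imagecopy prints in the session that follows are enough to predict what padding sparse regions with NULL bytes costs. The block below is an added example, not Rekall code: it parses those lines (RANGE_OUTPUT is a constructed copy of them), computes the size the padded RAW file will have against the number of bytes that actually hold data, and shows the padding rule itself on a pair of constructed runs.

```python
import io
import re

# Range lines in the form imagecopy prints them (constructed copy of the
# session below; "Range <start> - <length>").
RANGE_OUTPUT = """
Range 0x0 - 0x2cb00000
Range 0xe0000000 - 0x1000000
Range 0xf0400000 - 0x400000
Range 0xf0800000 - 0x4000
Range 0xffff0000 - 0x10000
"""

RANGE_RE = re.compile(r"Range (0x[0-9a-fA-F]+) - (0x[0-9a-fA-F]+)")


def parse_ranges(text):
    """Return sorted (start, length) pairs from imagecopy's Range lines."""
    return sorted((int(s, 16), int(n, 16)) for s, n in RANGE_RE.findall(text))


def raw_image_size(ranges):
    """A RAW image has no run table, so the file must extend to the end of
    the highest physical run; every hole between runs becomes NUL bytes."""
    return max(start + length for start, length in ranges)


def resident_bytes(ranges):
    """Bytes that actually carry data (what a sparse-aware format stores)."""
    return sum(length for _, length in ranges)


def write_raw(runs, out):
    """Write (start, data) runs at their physical offsets into out, filling
    every gap with NUL bytes. Runs must not overlap. Returns bytes written."""
    cursor = 0
    for start, data in sorted(runs):
        if start < cursor:
            raise ValueError("overlapping run at 0x%x" % start)
        out.write(b"\x00" * (start - cursor))
        out.write(data)
        cursor = start + len(data)
    return cursor


def raw_bytes(runs):
    """Convenience wrapper: the padded image as a bytes object."""
    out = io.BytesIO()
    write_raw(runs, out)
    return out.getvalue()


if __name__ == "__main__":
    ranges = parse_ranges(RANGE_OUTPUT)
    print("resident: 0x%x bytes" % resident_bytes(ranges))
    print("raw file: 0x%x bytes" % raw_image_size(ranges))
    print(raw_bytes([(8, b"CD"), (0, b"AB")]))
```

For the session below the arithmetic explains the size difference between the formats: the runs hold about 0x2df14000 bytes (roughly the 352 MB the EWF acquisition reported earlier), but because the last run ends at 0x100000000 the RAW file written for Volatility is 4 GiB, most of it NUL padding for the PCI hole.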
In the following example we convert an EWF image to raw so Volatility can read it:

  [1] win7.elf.E01 23:36:57> imagecopy "/tmp/foo.raw"
                             imagecopy("/tmp/foo.raw")
  Range 0x0 - 0x2cb00000
  Range 0xe0000000 - 0x1000000
  Range 0xf0400000 - 0x400000
  Range 0xf0800000 - 0x4000
  Range 0xffff0000 - 0x10000
                             Out<Plugin: imagecopy>
  [1] win7.elf.E01 23:38:06> !python /home/scudette/projects/volatility/vol.py --profile Win7SP1x64 -f /tmp/foo.raw pslist
  Volatility Foundation Volatility Framework 2.5
  Offset(V)           Name       PID  PPID  Thds  Hnds  Sess    Wow64  Start                          Exit
  0xfffffa80008959e0  System     4    0     84    511   ------  0      2012-10-01 21:39:51 UTC+0000
  0xfffffa8001994310  smss.exe   272  4     2     29    ------  0      2012-10-01 21:39:51 UTC+0000
  0xfffffa8002259060  csrss.exe  348  340   9     436   0       0      2012-10-01 21:39:57 UTC+0000

info (Info) Print information about various subsystems.
shell (InteractiveShell) An interactive shell for Rekall.

json_render (JSONParser) Renders a json rendering file, as produced by the JsonRenderer.

The output of any plugin can be stored to a JSON file using:

  rekall -f img.dd --format json plugin_name --output test.json

Then it can be rendered again using:

  rekall json_render test.json

This plugin implements the proper decoding of the JSON encoded output.

  Plugin               Type               Description
  file                 String             The filename to parse.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

l (Lister) A plugin to list objects.

Sometimes in the interactive console we receive a generator or a list. Use the l plugin to quickly print each value in the list. In the below example we instantiate PsActiveProcessHead and walk the list of processes (this is one of the pslist methods).

  [1] win7.elf 23:48:12> head = session.profile.get_constant_object("PsActiveProcessHead", "_LIST_ENTRY")
  [1] win7.elf 23:48:32> l head.list_of_type("_EPROCESS", "ActiveProcessLinks")
                         l(head.list_of_type("_EPROCESS", "ActiveProcessLinks"))
  [_EPROCESS _EPROCESS] @ 0xFA80008959E0 (pid=4)
    0x00   Pcb                 [_KPROCESS Pcb] @ 0xFA80008959E0
    0x160  ProcessLock         [_EX_PUSH_LOCK ProcessLock] @ 0xFA8000895B40
    0x168  CreateTime          [WinFileTime:CreateTime]: 0x506A0DA7 (2012-10-01 21:39:51Z)
    0x170  ExitTime            [WinFileTime:ExitTime]: 0x00000000 (-)
    0x178  RundownProtect      [_EX_RUNDOWN_REF RundownProtect] @ 0xFA8000895B58
    0x180  UniqueProcessId     [unsigned int:UniqueProcessId]: 0x00000004
    0x188  ActiveProcessLinks  [_LIST_ENTRY ActiveProcessLinks] @ 0xFA8000895B68
    ...

live (Live) Launch a Rekall shell for live analysis on the current system.

  Plugin               Type               Description
  mode                 Choices            Mode for live analysis.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

load_as (LoadAddressSpace) Load address spaces into the session if they are not already loaded.

load_plugin (LoadPlugins) Load user provided plugins.

This probably is only useful after the interactive shell started since you can already use the --plugin command line option.

lookup (Lookup) Lookup a global in the profile.

This plugin lets the user ask for a specific global constant in the active profile.

  Plugin               Type               Description
  constant             String             The constant to lookup in the profile.
  target               String             The type of the constant.
  target_args          String             The target args
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
manage_repo (ManageRepository) Manages the profile repository.

  Plugin               Type               Description
  build_target         StringParser       A single target to build.
  builder_args         ArrayStringParser  Optional args for the builder.
  executable           String             The path to the rekall binary. This is used for spawning multiple processes.
  force_build_index    Boolean            Forces building the index.
  path_to_repository   String             The path to the profile repository
  processes            IntParser          Number of concurrent workers.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

inspect_vaddr (MemoryTranslation) Inspect the mapping of a virtual address.

  Plugin               Type               Description
  address              SymbolAddress      Virtual address to inspect.
  dtb                  IntParser          The DTB physical address.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

null (Null) This plugin does absolutely nothing.

It is used to measure startup overheads.

address_resolver (PEAddressResolver) A simple address resolver for PE files.

  Plugin               Type               Description
  dtb                  IntParser          The DTB physical address.
  symbol               ArrayString        List of symbols to lookup
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

peinfo (PEInfo) Print information about a PE binary.

  Plugin               Type               Description
  address_space        String             The address space to use.
  executable           String             If provided we create an address space from this file.
  image_base           SymbolAddress      The base of the image.
  verbosity            IntParser          An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
154Chapter2.
PluginReferenceRekallForensicsDocumentation,Release1.
7.
2ThepeinfopluginexaminesaPElemappedintomemoryanddisplaysarichvarietyofinformationaboutit:Metadataaboutthele(architecture,builddateetc)ThePDBguidforthele.
ThelistofsectionsandwheretheyaremappedintothevirtualaddressspaceTheimportdirectory.
Theexportdirectory.
Aversionresourcestringsthatmightexistintheexecutable.
###Notes1.
ThisplugindependsonhavingavalidmappedPEheaderintomemory.
Sometimesthisisnotthecase,sinceundermemorypressurethekernelwillunmappedthePEheaders(sincetheyarenotneededafterloading).
2.
Thispluginalsoworksondiskles(PEexecutable).
Simplypassalenameparametertohaveitprintinforma-tionaboutexternalles.
### Sample output

    win8.1.raw 15:11:02> peinfo "nt"
    peinfo("nt")
    Attribute                     Value
    Machine                       IMAGE_FILE_MACHINE_AMD64
    TimeDateStamp                 2013-09-14 08:23:16+0000
    Characteristics               IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
    GUID/Age                      FD3D00D28EDC4527BB922BCC0509D2851
    PDB                           ntkrnlmp.pdb
    MajorOperatingSystemVersion   6
    MinorOperatingSystemVersion   3
    MajorImageVersion             6
    MinorImageVersion             3
    MajorSubsystemVersion         6
    MinorSubsystemVersion         3

    Sections (Relative to 0xF802D3019000):
    Perm   Name       VMA              Size
    xr-    .text      0x000000001000   0x00000028d600
    xr-    NONPAGED   0x00000028f000   0x000000000200
    xr-    POOLCODE   0x000000290000   0x000000002800
    -rw    .data      0x000000293000   0x00000000be00
    -r-    .reloc     0x000000778000   0x000000008e00
    ...

    Data Directories:
    -                                     VMA              Size
    IMAGE_DIRECTORY_ENTRY_EXPORT          0xf802d36ab000   0x0000000135ff
    IMAGE_DIRECTORY_ENTRY_IMPORT          0xf802d335b728   0x00000000012c
    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf802d375f000   0x000000031d20
    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xf802d331c000   0x00000003ed6c
    IMAGE_DIRECTORY_ENTRY_SECURITY        0xf802d3725e00   0x000000002158
    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf802d3791000   0x000000003cd4
    IMAGE_DIRECTORY_ENTRY_DEBUG           0xf802d301a100   0x000000000038
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x000000000000   0x000000000000
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x000000000000   0x000000000000
    IMAGE_DIRECTORY_ENTRY_TLS             0x000000000000   0x000000000000
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xf802d3033f20   0x000000000094
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x000000000000   0x000000000000
    IMAGE_DIRECTORY_ENTRY_IAT             0xf802d335b000   0x000000000728
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x000000000000   0x000000000000
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x000000000000   0x000000000000
    IMAGE_DIRECTORY_ENTRY_RESERVED        0x000000000000   0x000000000000

    Import Directory (Original):
    Name                                                            Ord
    ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelCloseHandle   1
    ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelOpenDumpFile  4
    ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelCancelReport  0
    ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelInitSystem    3
    ...
    msrpc.sys!MesDecodeBufferHandleCreate                           11
    msrpc.sys!NdrMesTypeDecode                                      345

    Export Directory:
    Entry           Stat  Ord  Name
    0xf802d30ed1f4  M     3    ntoskrnl.exe!AlpcGetHeaderSize (nt!AlpcGetHeaderSize)
    0xf802d30ed080  M     4    ntoskrnl.exe!AlpcGetMessageAttribute (nt!AlpcGetMessageAttribute)
    0xf802d30ed19c  M     5    ntoskrnl.exe!AlpcInitializeMessageAttribute (nt!AlpcInitializeMessageAttribute)
    0xf802d36a4004  -     6    ntoskrnl.exe!BgkDisplayCharacter (nt!BgkDisplayCharacter)
    0xf802d36a40b8  -     7    ntoskrnl.exe!BgkGetConsoleState (nt!BgkGetConsoleState)
    0xf802d36a40e0  -     8    ntoskrnl.exe!BgkGetCursorState (nt!BgkGetCursorState)
    0xf802d36a4108  -     9    ntoskrnl.exe!BgkSetCursor (nt!BgkSetCursor)
    0xf802d31d23c8  M     10   ntoskrnl.exe!CcAddDirtyPagesToExternalCache (nt!CcAddDirtyPagesToExternalCache)
    0xf802d3106888  M     11   ntoskrnl.exe!CcCanIWrite (nt!CcCanIWrite)
    ...
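The GUID/Age value that peinfo prints above comes from the CodeView "RSDS" record reachable through the PE debug directory, and the same value is what names the PDB on the symbol server in the fetch_pdb session later in this chapter. The following Python is an added example, not Rekall's own code: it scans a byte buffer for RSDS records (the approach the version_scan plugin described later in this chapter takes over a whole image), formats the GUID and Age the way Rekall prints them, restricts hits by a name regex, and builds the symbol-server path for the compressed PDB. The record layout comment, the helper names and the sample buffer are mine; the buffer is constructed from the two GUID/Age values quoted in this chapter.

```python
"""Added example (not Rekall's own code): find CodeView "RSDS" debug records in a
byte buffer and derive the GUID/Age string and symbol-server path from them."""
import re
import struct
import uuid
from typing import List, NamedTuple, Optional

# Symbol server base shown in the fetch_pdb session of this chapter.
SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"


class RsdsHit(NamedTuple):
    offset: int     # offset of the "RSDS" signature inside the scanned buffer
    guid_age: str   # 32 upper-case hex digits of the GUID followed by the Age in hex
    pdb_name: str   # PDB file name stored after the Age field


def parse_rsds(buf: bytes, offset: int) -> Optional[RsdsHit]:
    """Parse one record: 'RSDS' | GUID (16 bytes, first three fields little-endian)
    | Age (uint32 LE) | PDB path, NUL-terminated. Returns None if it does not look like one."""
    if buf[offset:offset + 4] != b"RSDS" or len(buf) < offset + 24:
        return None
    guid = uuid.UUID(bytes_le=buf[offset + 4:offset + 20])
    (age,) = struct.unpack_from("<I", buf, offset + 20)
    end = buf.find(b"\0", offset + 24)
    if end < 0:
        return None
    name = buf[offset + 24:end]
    # "RSDS" also occurs in unrelated data: require a printable name ending in .pdb.
    if not name or not all(0x20 <= c < 0x7F for c in name) or not name.lower().endswith(b".pdb"):
        return None
    return RsdsHit(offset, guid.hex.upper() + format(age, "X"), name.decode("ascii"))


def scan_rsds(buf: bytes, name_regex: Optional[str] = None) -> List[RsdsHit]:
    """Scan the whole buffer; name_regex restricts hits by PDB name, like version_scan's name_regex."""
    wanted = re.compile(name_regex) if name_regex else None
    hits: List[RsdsHit] = []
    for match in re.finditer(rb"RSDS", buf):
        hit = parse_rsds(buf, match.start())
        if hit is not None and (wanted is None or wanted.search(hit.pdb_name)):
            hits.append(hit)
    return hits


def symbol_server_url(pdb_name: str, guid_age: str) -> str:
    """Path of the compressed PDB (last character replaced by '_'), as in the fetch_pdb output."""
    return f"{SYMBOL_SERVER}/{pdb_name}/{guid_age}/{pdb_name[:-1]}_"


def make_rsds(guid_text: str, age: int, pdb_name: str) -> bytes:
    """Build a record for the constructed sample below (assumed layout, see parse_rsds)."""
    return b"RSDS" + uuid.UUID(guid_text).bytes_le + struct.pack("<I", age) + pdb_name.encode("ascii") + b"\0"


# Constructed sample buffer: the two GUID/Age values quoted in this chapter, filler, and one
# false "RSDS" string that the sanity check in parse_rsds must reject.
SAMPLE = (b"\0" * 32
          + make_rsds("FD3D00D2-8EDC-4527-BB92-2BCC0509D285", 1, "ntkrnlmp.pdb")
          + b"RSDS is just a string here\0" + b"\xff" * 16
          + make_rsds("2A530717-E885-49BB-92DB-B72C224EC2B1", 1, "termdd.pdb")
          + b"\0" * 8)

if __name__ == "__main__":
    for hit in scan_rsds(SAMPLE):
        print(f"0x{hit.offset:012x}  {hit.guid_age}  {hit.pdb_name}")
        print("   ", symbol_server_url(hit.pdb_name, hit.guid_age))
```

Run stand-alone it prints one line per record in the same Offset / GUID/Version / PDB order that version_scan uses, followed by the URL fetch_pdb would request; pass a regex such as "krnl" to scan_rsds to keep only the kernel hit, as the version_scan session later in this chapter does.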
parse_pdb (ParsePDB)

Parse the PDB streams.

Plugin            Type        Description
concise           Boolean     Specify this to emit less detailed information.
dump_dir          String      Path suitable for dumping files.
output_filename   String      The name of the file to store this profile.
pdb_filename      String      The filename of the PDB file.
profile_class     String      The name of the profile implementation. Default name is derived from the pdb filename.
verbosity         IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
windows_version   String      The windows version (major.minor.revision) corresponding with this PDB. For example, Windows 7 should be given as 6.1

Rekall uses debugging symbols to analyze memory. Each time Microsoft compilers generate a binary (executable or DLL) they also emit debugging information in a separate PDB file. Rekall needs a profile for each binary of interest (a profile is a JSON file containing important debugging information about the binary). Use the fetch_pdb plugin to fetch the PDB file and the parse_pdb plugin to parse it and produce a JSON file for Rekall to use.

Note that normally this plugin is called by other plugins such as build_local_profile or automatically by Rekall. So users do not need to call this plugin directly in most cases.
    [1] win7.elf 23:09:12> fetch_pdb pdb_filename="termdd.pdb", guid="2A530717E88549BB92DBB72C224EC2B11"
    Trying to fetch http://msdl.microsoft.com/download/symbols/termdd.pdb/2A530717E88549BB92DBB72C224EC2B11/termdd.pd_
    Trying to fetch http://msdl.microsoft.com/download/symbols/termdd.pdb/2A530717E88549BB92DBB72C224EC2B11/termdd.pd_
    Extracting cabinet: /tmp/tmpXkEgyu/termdd.pd_
      extracting termdd.pdb

    All done, no errors.
    [1] win7.elf 23:55:07> parse_pdb pdb_filename="termdd.pdb", output_filename="termdd.json"
                           Out<Plugin: parse_pdb>
    [1] win7.elf 23:55:37> !head termdd.json
    {
     "$CONSTANTS": {
      "ExEventObjectType": 41408,
      "Globals": 46144,
      "HotPatchBuffer": 45056,
      "IcaChannelDispatchTable": 45856,
      "IcaChargeForPostCompressionUsage": 46106,
      "IcaConnectionDispatchTable": 45632,
      "IcaDeviceObject": 46848,
      "IcaDisableFlowControl": 46105,

p (Printer)

A plugin to print an object. This plugin is an alias to the print python command. Use it when you want to print something to the console.

raise_the_roof (RaisingTheRoof)

A plugin that exists to break your tests and make you cry.

agent (RekallAgent)

The Rekall DFIR Agent.

Plugin      Type        Description
verbosity   IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

moo (RekallBovineExperience3000)

Renders Bessy the cow and some beer.
This is a text renderer stress-test. It uses multiple features at the same time:

- Multiple coloring rules per line (this was a doozy).
- Two columns with colors next to each other.
- Text with its own newlines isn't rewrapped.
- It still wraps if it overflows the cell.
- Bovine readiness and international spirit.

run (Run)

A plugin which runs its argument (using eval).

Note: This plugin is only defined and available when using the main entry point. It is not available when Rekall is used as a library since it allows arbitrary code execution.

run_flow (RunFlow)

Run the flows specified.

Plugin          Type        Description
flow            String      A string encoding a Flow JSON object.
flow_filename   String      A filename containing an encoded Flow JSON object.
verbosity       IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
search (Search)

Searches and recombines output of other plugins.

Search allows you to use the EFILTER search engine to filter, transform and combine output of most Rekall plugins. The most common use for this is running IOCs.

Some examples:

Find the process with pid 1:

    select * from pslist() where proc.pid == 1

Sort lsof output by file descriptor:

    select * from lsof() order by fd

Filter and sort through lsof in one step:

    select * from lsof() where proc.name =~ "rekall" order by fd

You will probably need to use the describe plugin to help discover the exact column structure.

Regex match on array of strings - case insensitive.

(Windows)

    select proc, proc.environ from pslist() where proc.environ.TMP =~ "temp"

(Linux)

    select proc, proc.environ from pslist() where proc.environ.PATH =~ "home"

Format using the hex() method, using as to name columns.

(Windows)

    select hex(VAD.start) as start, hex(VAD.end) as end, Protect from vad(proc_regex: "rekal")

(Linux)

    select hex(start) as start, hex(end) as end, filename from maps(proc_regex: "rekall")

Autoselect column names - second column cannot clash with first column name (should be hex, column 1).

(Windows)

    select hex(VAD.start), hex(VAD.end), Protect from vad(proc_regex: "rekal")

(Linux)

    select hex(start), hex(end), filename from maps(proc_regex: "rekall")

Timestamp user function

    select proc, timestamp(proc.create_time) from pslist()

Yara scan with subquery

    select * from file_yara(paths: (select path.filename from glob("c:\windows\*.exe")).filename,
                            yara_expression: "rule r1 {strings: $a = \"Microsoft\" wide condition: any of them}")

On Linux:

    select * from file_yara(paths: (select path.filename from glob("/home/*/.ssh/*")).filename,
                            yara_expression: "rule r1 {strings: $a = \"ssh-rsa\" condition: any of them}")

Parameter interpolations:

    a = "select * from file_yara(paths: (select path.filename from glob({0})).filename, yara_expression: {1})"
    search a, [r"c:\windows\*.exe", "rule r1 {strings: $a = \"Microsoft\" wide condition: any of them}"]

WMI integration + unknown field:

    select Result.Name, Result.SessionId, Result.foo from wmi("select * from Win32_Process")
    select Result.Name, Result.BootDevice from wmi("select * from Win32_OperatingSystem")

Describe WMI dynamic query

    describe wmi, dict(query="select * from Win32_Process")

Substitute a single string

    select sub("Microsoft", "MS", Result.Name) from wmi("select * from Win32_OperatingSystem")

Substitute an array

    select sub("rekal", "REKALL", proc.cmdline) from pslist()

Plugin             Type          Description
query              String        The dotty/EFILTER query to run.
query_parameters   ArrayString   Positional parameters for parametrized queries.
silent             Boolean       Queries should fail silently.
verbosity          IntParser     An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
sdel (SessionDelete)

Delete a session.

slist (SessionList)

List the sessions available.

smod (SessionMod)

Modifies parameters of the current analysis session. Any session parameters can be set here. For example:

    smod colors="no", paging_limit=10, pager="less"

snew (SessionNew)

Creates a new session by cloning the current one.

The Rekall interactive console may be used to analyze several images at the same time. We do this by switching sessions. Each image has a unique session, but since none of the sessions are global, we can switch from one session to the next. Rekall's session management commands can be used to switch between sessions.

The example below shows us loading a second session with a new image. We switch to the new session and list processes in it. We then switch back and delete the new session. Note how the prompt changes as we switch from one session to the other.

    [1] win7.elf 23:55:46> snew filename="/home/scudette/images/win10.aff4"
    Created session [2] /home/scudette/images/win10.aff4 (2)
                           Out<Plugin: snew>
    [2] /home/scudette/images/win10.aff4 (2) 23:57:03> pslist
    pslist()
      _EPROCESS        Name          PID   PPID   Thds   Hnds   Sess   Wow64   Start                   Exit
    0xe0003486d680     System          4      0     82      -      -   False   2015-06-03 06:56:02Z    -
    0xe00035e54040     smss.exe      260      4      2      -      -   False   2015-06-03 06:56:02Z    -
    0xe00035b84080     csrss.exe     332    324      9      -      0   False   2015-06-03 06:56:03Z    -
    0xe0003489b280     wininit.exe   400    324      1      -      0   False   2015-06-03 06:56:03Z    -
    [2] /home/scudette/images/win10.aff4 (2) 23:57:09> sswitch 1
                           Out<Plugin: sswitch>
    [1] win7.elf 23:57:12> pslist
    pslist()
      _EPROCESS        Name          PID   PPID   Thds   Hnds   Sess   Wow64   Start                   Exit
    0xfa80008959e0     System          4      0     84    511      -   False   2012-10-01 21:39:51Z    -
    0xfa80024f85d0     svchost.exe   236    480     19    455      0   False   2012-10-01 14:40:01Z    -
    0xfa8001994310     smss.exe      272      4      2     29      -   False   2012-10-01 21:39:51Z    -
    0xfa8002259060     csrss.exe     348    340      9    436      0   False   2012-10-01 21:39:57Z    -
    [2] /home/scudette/images/win10.aff4 (2) 23:57:25> slist
     [1] win7.elf
    *[2] /home/scudette/images/win10.aff4 (2)
                           Out<Plugin: slist>
    [1] win7.elf 23:57:33> sdel 2
                           Out<Plugin: sdel>
    [1] win7.elf 00:01:49> slist
    *[1] win7.elf
                           Out<Plugin: slist>

sswitch (SessionSwitch)

Changes the current session to the session with session_id.
cc (SetPartitionContext)

A mixin for those plugins requiring a physical address space.

Args:
  physical_address_space: The physical address space to use. If not specified we use the following options:
    1. session.physical_address_space,
    2. Guess using the load_as() plugin,
    3. Use session.kernel_address_space.base.

Plugin             Type        Description
partition_number   IntParser   The partition to switch to.
verbosity          IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
simple_yarascan (SimpleYaraScan)

A Simple plugin which only yarascans the physical Address Space. This plugin should not trigger profile autodetection and therefore should be usable on any file at all.

Plugin            Type        Description
binary_string     String      A binary string (encoded as hex) to search for. e.g. 000102[1-200]0506
context           IntParser   Context to print after the hit.
hits              IntParser   Quit after finding this many hits.
limit             IntParser   The length of data to search.
pre_context       IntParser   Context to print before the hit.
start             IntParser   Start searching from this offset.
string            String      A verbatim string to search for.
verbosity         IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
yara_expression   String      If provided we scan for this yara expression.
yara_file         String      The yara signature file to read.
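The binary_string parameter above documents a hex pattern with a jump, 000102[1-200]0506. As an added example, not the plugin's own implementation, the following Python turns that syntax into a bytes regex and scans a buffer honouring the start, limit, hits, pre_context and context parameters listed in the table. Reading [1-200] as "between 1 and 200 arbitrary bytes", the way a yara jump works, is an assumption, as are the function names and the constructed sample buffer.

```python
"""Added example (not the plugin's own code): scanner for the hex-with-jumps pattern
syntax that simple_yarascan's binary_string parameter documents, e.g. 000102[1-200]0506."""
import re
from typing import List, NamedTuple, Optional

# One token at a time: a hex byte pair, a jump "[min-max]", whitespace, or anything else (an error).
TOKEN_RE = re.compile(r"([0-9a-fA-F]{2})|\[(\d+)-(\d+)\]|(\s+)|(.)")


class Hit(NamedTuple):
    offset: int   # offset of the match in the scanned buffer
    data: bytes   # pre_context bytes, the matched bytes, then context bytes


def binary_string_to_regex(pattern: str):
    """Translate the pattern into a bytes regex. [min-max] is read (assumption) as
    "between min and max arbitrary bytes", the way a yara jump works."""
    parts: List[bytes] = []
    for m in TOKEN_RE.finditer(pattern):
        hexbyte, lo, hi, space, other = m.groups()
        if hexbyte:
            parts.append(re.escape(bytes([int(hexbyte, 16)])))
        elif lo is not None:
            if int(lo) > int(hi):
                raise ValueError(f"bad jump range [{lo}-{hi}]")
            parts.append(b".{%d,%d}?" % (int(lo), int(hi)))  # lazy: report the shortest gap
        elif space:
            continue
        else:
            raise ValueError(f"unexpected {other!r} in pattern")
    if not parts:
        raise ValueError("empty pattern")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so a jump also spans 0x0a


def scan(buf: bytes, pattern: str, start: int = 0, limit: Optional[int] = None,
         hits: Optional[int] = None, pre_context: int = 0, context: int = 16) -> List[Hit]:
    """Parameters mirror the table above: start offset, limit (bytes to search from start),
    hits (stop after this many), pre_context/context (bytes kept around each hit)."""
    end = len(buf) if limit is None else min(len(buf), start + limit)
    found: List[Hit] = []
    for m in binary_string_to_regex(pattern).finditer(buf, start, end):
        lo = max(0, m.start() - pre_context)
        hi = min(len(buf), m.end() + context)
        found.append(Hit(m.start(), buf[lo:hi]))
        if hits is not None and len(found) >= hits:
            break
    return found


# Constructed sample: gaps of 5 and 1 bytes must match "000102[1-200]0506";
# gaps of 0 and 201 bytes must not.
SAMPLE = (b"head"
          + b"\x00\x01\x02" + b"A" * 5 + b"\x05\x06"      # offset 4: match
          + b"\x00\x01\x02\x05\x06"                       # gap 0: no match
          + b"\x00\x01\x02" + b"B" * 201 + b"\x05\x06"    # gap 201: no match
          + b"\x00\x01\x02" + b"C" + b"\x05\x06"          # offset 225: match
          + b"tail")

if __name__ == "__main__":
    for hit in scan(SAMPLE, "000102[1-200]0506", pre_context=4):
        print(f"0x{hit.offset:08x} {hit.data!r}")
```

The lazy quantifier matters: with a greedy jump the regex would first try to swallow the full 200 bytes and could pair the 000102 of one run with the 0506 of a later one, reporting a single long hit where the plugin's parameters suggest the shortest one is wanted.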
fls (TSKFls)

A mixin for those plugins requiring a physical address space.

Args:
  physical_address_space: The physical address space to use. If not specified we use the following options:
    1. session.physical_address_space,
    2. Guess using the load_as() plugin,
    3. Use session.kernel_address_space.base.

Plugin      Type        Description
dir_path    String      Directory path to print content of
verbosity   IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

mmls (TskMmls)

A mixin for those plugins requiring a physical address space.

Args:
  physical_address_space: The physical address space to use. If not specified we use the following options:
    1. session.physical_address_space,
    2. Guess using the load_as() plugin,
    3. Use session.kernel_address_space.base.

Plugin      Type        Description
verbosity   IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.
version_scan (VersionScan)

Scan the physical address space for RSDS versions.

Plugin          Type        Description
name_regex      RegEx       Filter module names by this regex.
scan_filename   String      Optional file to scan. If not specified we scan the physical address space.
verbosity       IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

When the Microsoft Compilers create a binary (Executable or DLL) they leave a unique GUID in the PE header, so that the corresponding PDB file can be located for this binary. The GUID is encoded using a known signature and therefore we can scan for all GUIDs which might appear in the memory image. This is useful to locate the exact version of binaries running in the memory image.

Often malware authors forget to disable PDB file generation in Visual Studio and the GUID remains in the malware. In that case scanning for a known malicious GUID can be a strong signature.

In the below example we scan the memory image for the exact version of the windows kernel. Note how hits can be restricted by using a regular expression.

    [1] win7.elf 00:01:51> version_scan name_regex="krnl"
    Offset (P)      GUID/Version                        PDB
    0x0000027bb5fc  F8E2A8B5C9B74BF4A6E4A48F180099942   ntkrnlmp.pdb

vmscan (VmScan)

Scan the physical memory attempting to find hypervisors.

Once EPT values are found, you can use them to inspect virtual machines with any of the rekall modules by using the --ept parameter and specifying the guest virtual machine profile.

Supports the detection of the following virtualization technologies:

- Intel VT-X with EPT. Microarchitectures:
  + Westmere
  + Nehalem
  + Sandybridge
  + IvyBridge
  + Haswell
- Intel VT-X without EPT (unsupported page translation in rekall).
  + Penryn

For the specific processor models that support EPT, please check: http://ark.intel.com/products/virtualizationtechnology

Plugin           Type        Description
image_is_guest   Boolean     The image is for a guest VM, not the host.
no_nested        Boolean     Don't do nested VM detection.
no_validation    Boolean     [DEBUG SETTING] Disable validation of VMs.
offset           IntParser   Offset in the physical image to start the scan.
quick            Boolean     Perform quick VM detection.
show_all         Boolean     Also show VMs that failed validation.
verbosity        IntParser   An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy.

CHAPTER 3

Indices and tables

- genindex
- modindex
- search
