Information Security News
Winpmem may appear to be a simple memory acquisition tool, but it is really much more. In yesterday's diary I gave a brief introduction to the tool and showed how you can use it to create a raw memory image. If you didn't see that article, check it out for the background needed for today's installment. You can read it here.
One of my favorite parts of Winpmem is its ability to analyze live memory on a running computer. Rather than dumping memory and analyzing it in two separate steps, you can search memory directly on a running system. Of course this will affect other forensic artifacts, so you only want to do this on backup copies of your evidence. But it is also useful outside of forensics. There are all kinds of ways to use this tool. Searching memory is useful to security researchers: you can search memory for strings found in common pieces of malware. Do software vendors tell you that they encrypt sensitive data in memory? You can use this tool to see whether that is really true. So how do you do it?
Winpmem allows you to install the memory access device driver and then use it in your own Python scripts. To install the device driver run winpmem with the -L option like so:
Once the driver is installed it creates a \\.\pmem device object that you can open from Python. You will notice that it also reports 3 memory ranges. These are the ranges of physical memory addresses where the operating system stores data. In this case the first memory range starts at 0x1000 and has a length of 0x9e000, so it ends at memory address 0x9f000. The second range starts at 0x100000 and has a length of 0x3fdf0000. This leaves a conspicuous gap between the ranges. These gaps are used by the processor and other chipsets on your computer and aren't directly addressable by the Windows memory manager. Memory acquisition tools will only dump those ranges of memory used by the OS. This could lead to some interesting research into malware that hides in those memory blind spots. Winpmem also has the ability to read those reserved areas of memory, but doing so may lock up your machine.
Reading memory requires a little bit of Python code, but winpmem does the hard part for you. You can read memory with only 4 lines of Python. All we have to do is import winpmem and create a handle to the device with win32file.CreateFile (the "fd" variable in the program below). Then use win32file.SetFilePointer() to point at the address you want to read. Finally, call win32file.ReadFile() to read the bytes at that memory location. That's it! So I threw together a quick script to let me search memory. I called this script "memsearch.py" when I saved it to my computer.
from winpmem import *
import win32file

def readmem(fd, start, size):
    # Seek the \\.\pmem device to a physical address and return size bytes from there
    win32file.SetFilePointer(fd, start, 0)
    x, data = win32file.ReadFile(fd, size)
    return data

def memsrch(fd, srchstr, start, end, numtofind=1, margins=20, verbose=False, includepython=False):
    # Walk memory in 1 MB chunks, matching the ASCII, UTF-16LE and UTF-16BE forms of srchstr.
    # "msrch(" occurs in this script's own source, so a chunk containing it is skipped unless includepython is True.
    hits = []
    for curloc in range(start, end, 1024*1024):
        x = readmem(fd, curloc, 1024*1024)
        for needle, marker in ((srchstr, "msrch("),
                               (srchstr.encode("utf-16le"), "msrch(".encode("utf-16le")),
                               (srchstr.encode("utf-16be"), "msrch(".encode("utf-16be"))):
            if needle in x and (includepython or not marker in x):
                offset = x.find(needle)
                hits.append(curloc + offset)
                if verbose: print curloc + offset, str(x[max(offset-margins, 0):offset+len(needle)+margins])
        if len(hits) >= numtofind: break
    return hits

fd = win32file.CreateFile(r"\\.\pmem", win32file.GENERIC_READ | win32file.GENERIC_WRITE,   # standard pywin32 argument list
                          win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE, None,
                          win32file.OPEN_EXISTING, win32file.FILE_ATTRIBUTE_NORMAL, None)
After writing the program I run python with the "-i" option so that I am dropped into an interactive shell with the new modules and variables already defined. I get an interactive Python prompt that I can use to call the memsrch() and readmem() functions. Because it is a shell, I can run multiple searches with different options until I find what I am looking for. Here is a short example calling each function once. In this case I read 100 bytes of memory starting at 18352196. Then I search for 5 occurrences of the word "password" beginning at the address 0x100000.
readmem() is used to read data from memory. The readmem() function takes 3 parameters. The first is fd, the file handle that points to the \\.\pmem device created by the winpmem device driver. The 2nd parameter is the address to start reading from, and the 3rd parameter is how much data to read.
memsrch() can be used to search memory for the string you specify. The memsrch() function takes several options. The first is again fd. The 2nd parameter is the search term to find in memory. The 3rd parameter is the starting address to begin searching, and the 4th parameter is the ending address. The rest of the parameters are optional. The 5th parameter is the number of matches to find in memory. The 6th parameter is used to turn on verbose searching: if verbose is true, the matching strings are printed to the screen. The last argument is the "includepython" argument. If includepython is set to True, the script is allowed to find itself as it searches through memory for matches.
Keep in mind that you are searching physical memory. This is much different from the virtual memory the OS presents to processes. Things may move around, and you may find things in places where you do not expect them. To get a better understanding of how memory is used by the OS, read the excellent paper that accompanies the tool.
Still not convinced of winpmem's awesomeness? There is more to it. I'll look at more tomorrow.
Do you want to learn how to do all sorts of cool stuff with Python? Check out SEC573 Python for Penetration Testers! I am teaching it in Reston VA March 17th! Click HERE for more information.
Follow me on twitter? @MarkBaggett
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Cyrus Farivar
Earlier this year, we reported on how the competitive video gaming community E-Sports Entertainment Association (ESEA) secretly updated its client software with Bitcoin-mining code that tapped players' computers to mint more than $3,600 worth of the digital currency.
The site took full responsibility, blaming a rogue employee, and ended up immediately liquidating the bitcoins and donating the $3,713.55 to the American Cancer Society. For good measure, ESEA kicked in another $3,713.55.
But the story didn’t end there. On Tuesday, New Jersey announced that it had come to a $1 million settlement (PDF) with ESEA as a way to end a criminal case that state prosecutors had brought against the company.
It sounds like the premise of a Philip K. Dick story, but it's not. A blogger has offered evidence that his Internet-connected television has been transmitting detailed information about his family's viewing habits, including the times and channels they watch and even the names of computer video files stored on connected USB drives.
The blogger didn't identify himself by name or specify the television model, except to say it's a new LG Smart TV. But he did provide screenshots of data packets he said he captured showing the information his TV sent unencrypted over the Internet. The data appeared to show a device ID unique to his set, along with the name of the channel it was tuned to. In his tests, the information was sent in the clear every time the channel was changed. Even more remarkable, he said, the smart TV sent the data even after he waded through the system preferences and set the "Collection of watching info" setting to "off" (it was on by default).
But the logging didn't stop there. Included in the traffic sent over the Internet were the names of files stored on a USB drive connected to the LG television. For dramatic purposes and to ensure he chose a file name not likely used by the firmware, he created a mock video file called Midget_Porn_2013.avi, loaded it onto a USB drive and plugged it into his TV. Sure enough, the file name was transmitted unencrypted in HTTP traffic sent to the address GB.smartshare.lgtvsdp.com. In some cases, he said, file names for an entire folder were transmitted, and other times nothing at all was sent. He never determined the rules that controlled when data was or wasn't sent.
Obamacare website 'either hacked or will be soon', warns infosec expert
Hackers have thrown multiple attacks at US President Obama's medical insurance bazaar HealthCare.gov since it went live in October, according to a senior US government official. Acting assistant Homeland Security secretary Roberta Stempfley told a ...
Posted by InfoSec News on Nov 19: http://mainichi.jp/english/english/newsselect/news/20131116p2g00m0bu015000c.html
Posted by InfoSec News on Nov 19: http://www.informationweek.com/healthcare/security-and-privacy/sloppy-handling-of-patient-data-always-a-danger/d/d-id/899835
Posted by InfoSec News on Nov 19: http://bits.blogs.nytimes.com/2013/11/15/amazon-bares-its-computers/
Posted by InfoSec News on Nov 19: http://www.computerworld.com/s/article/9244109/Hackers_use_zero_day_vulnerability_to_breach_vBulletin_support_forum
Posted by InfoSec News on Nov 19: http://arstechnica.com/security/2013/11/feds-say-thieves-in-atm-heist-nabbed-after-stuffing-800000-in-suitcase/