Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Winpmem may appear to be a simple memory acquisition tool, but it is really much more. In yesterday's diary I gave a brief introduction to the tool and showed how you can use it to create a raw memory image. If you didn't see that article, check it out for the background needed for today's installment. You can read it here.

One of my favorite parts of Winpmem is its ability to analyze live memory on a running computer. Rather than dumping the memory and analyzing it in two separate steps, you can search memory on a running system. Of course this will affect other forensic artifacts, so you only want to use it on backup copies of your evidence. But it is also useful outside of forensics. There are all kinds of useful ways to use this tool. Searching memory is useful to security researchers. You can search memory for strings that are in common pieces of malware. Do software vendors tell you that they encrypt sensitive data in memory? You can use this tool to see if that is really true. So how do you do it?

Winpmem allows you to install the memory access device driver and then use it in your own Python scripts.  To install the device driver run winpmem with the -L option like so:

Once the driver is installed it creates a \\.\pmem device object that you can open with Python. You will notice that it also reports 3 memory ranges. These are the ranges of physical memory addresses where the operating system stores data. In this case the first memory range starts at 0x1000 and has a length of 0x9e000, so it ends at memory address 0x9f000. The second range starts at 0x100000 and has a length of 0x3fdf0000. This leaves a conspicuous gap between the ranges. These gaps are used by the processor and other chipsets on your computer and aren't directly addressable by the Windows memory manager. Memory acquisition tools only dump the ranges of memory used by the OS, which could lead to some interesting research into malware hiding in those memory blind spots. Winpmem also has the ability to read those reserved areas of memory, but doing so may lock up your machine.

Reading memory requires a little bit of Python code, but winpmem does the hard part for you. You can read memory with only 4 lines of Python. All we have to do is import winpmem and create a handle to the device with win32file.CreateFile (the "fd" variable in the program below). Then use win32file.SetFilePointer() to point at the physical address you want to read. Finally call win32file.ReadFile() to read the bytes at that memory location. That's it! So I threw together a quick script to let me search memory. I called this script "memsearch.py" when I saved it to my computer.

# Python 2 with pywin32, as in the original diary. The winpmem module re-exports
# win32file; the explicit import just makes that dependency visible.
import win32file
from winpmem import *

def readmem(fd, start, size):
    # Move the \\.\pmem file pointer to the physical address and read size bytes.
    win32file.SetFilePointer(fd, start, 0)
    x, data = win32file.ReadFile(fd, size)
    return data


def memsrch(fd, srchstr, start, end, numtofind=1, margins=20, verbose=False, includepython=False):
    # Walk physical memory 1 MiB at a time looking for srchstr as ASCII, UTF-16LE
    # and UTF-16BE. A chunk that also contains "msrch(" is assumed to be this
    # script's own memory and is skipped unless includepython is True. Only the
    # first hit per encoding in each chunk is recorded, and a string that
    # straddles a 1 MiB chunk boundary is not found.
    srchres = []
    needles = (srchstr, srchstr.encode("utf-16le"), srchstr.encode("utf-16be"))
    markers = ("msrch(", "msrch(".encode("utf-16le"), "msrch(".encode("utf-16be"))
    for curloc in range(start, end, 1024*1024):
        x = readmem(fd, curloc, 1024*1024)
        for needle, marker in zip(needles, markers):
            if needle in x and (includepython or marker not in x):
                offset = x.index(needle)
                if verbose:
                    # clip the left margin so a hit near the chunk start does not wrap around
                    print curloc+offset, str(x[max(0, offset-margins):offset+len(needle)+margins])
                srchres.append(curloc+offset)
        if len(srchres) >= numtofind:
            break
    return srchres

# Open the physical memory device exposed by the winpmem driver.
fd = win32file.CreateFile(r"\\.\pmem",
                          win32file.GENERIC_READ | win32file.GENERIC_WRITE,
                          win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
                          None, win32file.OPEN_EXISTING,
                          win32file.FILE_ATTRIBUTE_NORMAL, None)

After writing the program I run python with the "-i" option so that I am dropped into an interactive shell with the new module and variables already defined. I get an interactive Python prompt from which I can call the memsrch() and readmem() functions. Because it is a shell I can run multiple searches with different options until I find what I am looking for. Here is a short example calling each function once. In this case I read 100 bytes of memory starting at 18352196. Then I search for 5 occurrences of the word "password" beginning at the address 0x100000.

readmem() is used to read data from memory. The readmem() function takes 3 parameters. The first is fd, the file handle that points to the \\.\pmem device created by the winpmem device driver. The 2nd parameter is the address to start reading from and the 3rd parameter is how much data to read.

memsrch() can be used to search memory for the string you specify. The memsrch() function takes several options. The first is again fd. The 2nd parameter is the search term to find in memory. The 3rd parameter is the starting address to begin searching and the 4th parameter is the ending address. The rest of the parameters are optional. The 5th parameter is the number of matches to find in memory. The 6th parameter, margins, is the number of bytes of context shown on either side of a hit, and the 7th turns on verbose searching. If verbose is True the matching strings are printed to the screen. The last argument is "includepython". If includepython is set to True then the script is allowed to find itself as it searches through memory for matches.
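To show what the chunked search in memsrch() actually does, and the cases the diary's script leaves out, here is an added example that is not part of the original diary. It runs the same search over a constructed in-memory byte image (make_reader is an assumed stand-in for win32file.ReadFile on \\.\pmem), confines the walk to the physical ranges that winpmem -L reports, carries bytes across chunk boundaries, and reports every hit rather than the first per chunk; the ranges and addresses are made up.

```python
import re

CHUNK = 1024 * 1024        # the diary script reads physical memory 1 MiB at a time
ENCODINGS = ("ascii", "utf-16le", "utf-16be")

def gaps(ranges):
    """Holes between consecutive (start, length) ranges, as (start, end) pairs.
    These are the reserved regions that winpmem -L does not list as OS memory."""
    ranges = sorted(ranges)
    return [(s + l, n) for (s, l), (n, _) in zip(ranges, ranges[1:]) if s + l < n]

def make_reader(image):
    """Stand-in for readmem(fd, start, size): same (start, size) -> bytes contract
    as win32file.ReadFile on \\\\.\\pmem, but over a constructed bytes image."""
    def readmem(start, size):
        return image[start:start + size]
    return readmem

def memsrch(readmem, srchstr, ranges, numtofind=1, chunk=CHUNK):
    """Search the physical (start, length) ranges for srchstr as ASCII, UTF-16LE and
    UTF-16BE. Returns [(address, encoding), ...] sorted by address. Unlike the diary
    script it reports every hit in a chunk and carries the last len(pattern)-1 bytes
    into the next read, so a string straddling a chunk boundary is still found."""
    pats = [(enc, srchstr.encode(enc)) for enc in ENCODINGS]
    overlap = max(len(p) for _, p in pats) - 1
    found = []
    for rstart, rlen in sorted(ranges):
        rend = rstart + rlen
        tail = b""                               # bytes carried over from the last chunk
        for curloc in range(rstart, rend, chunk):
            buf = tail + readmem(curloc, min(chunk, rend - curloc))
            base = curloc - len(tail)            # physical address of buf[0]
            for enc, pat in pats:
                for m in re.finditer(re.escape(pat), buf):
                    addr = base + m.start()
                    if addr + len(pat) > curloc:  # hits ending in the tail were reported already
                        found.append((addr, enc))
            if len(found) >= numtofind:
                return sorted(found)[:numtofind]
            tail = buf[-overlap:]
    return sorted(found)

# Constructed 28 KiB "physical memory": two OS ranges with a reserved gap between
# them. Filler is 0xCC rather than 0x00 because in zero-padded memory a UTF-16LE
# hit also matches the UTF-16BE pattern one byte earlier (true for the diary's
# script as well). All addresses are made up.
RANGES = [(0x1000, 0x3000), (0x5000, 0x2000)]
IMAGE = bytearray(b"\xcc" * 0x7000)
IMAGE[0x1FFC:0x2004] = b"password"                     # straddles the 0x2000 chunk edge
IMAGE[0x2100:0x2110] = "password".encode("utf-16le")   # wide string inside a chunk
IMAGE[0x4100:0x4108] = b"password"                     # inside the gap: must not be reported
IMAGE[0x5010:0x5020] = "password".encode("utf-16be")   # second range, big-endian

def demo(numtofind=10):
    return memsrch(make_reader(bytes(IMAGE)), "password", RANGES, numtofind, chunk=0x1000)

if __name__ == "__main__":
    print("reserved gaps:", [(hex(a), hex(b)) for a, b in gaps(RANGES)])
    for addr, enc in demo():
        print(hex(addr), enc)
```

Run against the real device, the reader would wrap win32file.SetFilePointer()/ReadFile() on fd exactly as readmem() above does, and the ranges would be the ones printed by winpmem -L.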

Keep in mind that you are searching physical memory. This is much different than the virtual memory the OS presents to processes. Things may move around and you may find things in places where you do not expect them. To get a better understanding of how memory is used by the OS, read the excellent paper that accompanies the tool.

http://dfrws.org/2013/proceedings/DFRWS2013-13.pdf

Still not convinced of winpmem's awesomeness?  There is more to it.  I'll look at more tomorrow.

Do you want to learn how to do all sorts of cool stuff with Python? Check out SEC573 Python for Penetration Testers! I am teaching it in Reston, VA on March 17th! Click HERE for more information.

Follow me on twitter?  @MarkBaggett

 

 
In a little booth tucked in the corner of the SC13 supercomputing conference here this week may be the next Intel.
 
A U.S. judge has shut down an online business listing operation that allegedly bilked more than US$14 million from U.S. small businesses and churches.
 
Samsung requested a mistrial be declared in its trial with Apple over remarks made by an attorney working for Apple in the final moments of closing arguments in the case on Tuesday.
 
Intersystems Cache Remote Code Execution (via Default 'Minimal Security' Install)
 

Earlier this year, we reported on how the competitive video gaming community E-Sports Entertainment Association (ESEA) secretly updated its client software with Bitcoin-mining code that tapped players' computers to mint more than $3,600 worth of the digital currency.

The site took full responsibility, blaming a rogue employee, and ended up immediately liquidating the bitcoins and donating the $3,713.55 to the American Cancer Society. For good measure, ESEA kicked in another $3,713.55.

But the story didn’t end there. On Tuesday, New Jersey announced that it had come to a $1 million settlement (PDF) with ESEA as a way to end a criminal case that state prosecutors had brought against the company.


It sounds like the premise of a Philip K. Dick story, but it's not. A blogger has offered evidence that his Internet-connected television has been transmitting detailed information about his family's viewing habits, including the times and channels they watch and even the names of computer video files stored on connected USB drives.

The blogger didn't identify himself by name or specify the television model, except to say it's a new LG Smart TV. But he did provide screenshots of data packets he said he captured showing the information his TV sent unencrypted over the Internet. The data appeared to show a device ID unique to his set, along with the name of the channel it was tuned to. In his tests, the information was sent in the clear every time the channel was changed. Even more remarkable, he said, the smart TV sent the data even after he waded through the system preferences and set the "Collection of watching info" setting to "off" (it was on by default).

But the logging didn't stop there. Included in the traffic sent over the Internet were the names of files stored on a USB drive connected to the LG television. For dramatic purposes and to ensure he chose a file name not likely used by the firmware, he created a mock video file called Midget_Porn_2013.avi, loaded it onto a USB drive and plugged it into his TV. Sure enough, the file name was transmitted unencrypted in HTTP traffic sent to the address GB.smartshare.lgtvsdp.com. In some cases, he said, file names for an entire folder were transmitted, and other times nothing at all was sent. He never determined the rules that controlled when data was or wasn't sent.

 
Google Chrome CVE-2013-2926 Use After Free Remote Code Execution Vulnerability
 
XADV-2013003 Linux Kernel fbdev Driver arcfb_write() Overflow
 
XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption
 
pineapp mailsecure remote no authenticated privilege escalation & remote execution code
 
Google opened gadget showrooms in six U.S. cities as the holiday shopping season quickly approaches.
 
Unknown attackers have successfully hijacked and redirected Internet traffic belonging to financial services companies, VoIP providers and governments many times over the past year.
 
The Cryptolocker Trojan is an evolution of "ransomware," not a revolutionary change from past criminal attempts to extort money from PC owners, a security expert said today.
 
Helping scientific supercomputing take advantage of emerging big-data technologies, high-performance computing manufacturer Cray is releasing a set of packages promising to optimize the process of running Hadoop on its XC30 machines.
 
SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Arbitrary Remote Command Execution
 
[ MDVSA-2013:267 ] java-1.7.0-openjdk
 
[ MDVSA-2013:266 ] java-1.6.0-openjdk
 
16TH AVAR INTERNATIONAL SECURITY CONFERENCE 2013 - (4th-7th Dec'13, Chennai. India)
 

Obamacare website 'either hacked or will be soon', warns infosec expert
Register
Hackers have thrown multiple attacks at US President Obama's medical insurance bazaar HealthCare.gov since it went live in October, according to a senior US government official. Acting assistant Homeland Security secretary Roberta Stempfley told a ...

 
In his last appearance at a Microsoft shareholder meeting as CEO, Steve Ballmer said he's completely certain the company is in very good shape to succeed in the next decade under someone else's captainship.
 
Nokia's shareholders voted to approve Microsoft's acquisition of the company's Devices & Services business. The deal marks the end of an era that has produced many iconic phones.
 
A jury in California will begin deliberating over how much money Samsung should pay to Apple for the infringement of several patents in multiple models of Samsung smartphones. Apple wants just under $380 million, but Samsung argues it shouldn't pay more than $52 million.
 
Boston Limited has announced a new server based on ARM processors and certified to run Ubuntu Linux 13.10, a move that could further stir up growing interest in ARM servers.
 
The Retina iPad Mini's "secretive" launch was driven by severe shortages, which have not improved since Apple started selling the smaller tablet a week ago, a financial analyst said today.
 
Senior technology industry executives from Adobe, VMware and others diagnose the problems in troubled Healthcare.gov, citing the ambitious scope of the project and endemic flaws in broader government contracting apparatus.
 
Google replaced the SSL certificates for its online services with new ones that use stronger, 2048-bit RSA keys, making encrypted connections to its sites safer against so-called brute-force attacks.
 
What can you say about a user conference that weighs in at 120,000 attendees and has a total budget rivaling a small city? Choose your technical sessions wisely and approach 'lessons learned' discussions with caution.
 
More than 99 percent of Nokia's shareholders have voted to approve Microsoft's acquisition of the Finnish company's Devices & Services business.
 
Privacy rights advocates and legal experts this week said they were disappointed but not surprised with the U.S. Supreme Court's denial of a petition challenging the legality of the National Security Agency's phone metadata collection program.
 
If you posted selfies on Facebook, Instagram or Twitter this past year, you helped make "selfie" the Oxford Dictionaries' international Word of the Year for 2013.
 
In the rush to exascale computing, Intel is making a small change that could have a big impact on system design with its upcoming Xeon Phi chip.
 
As government organizations continue to deal with an increasing number of cyber threats, one thing has become clear to those who protect our digital assets: there is no silver bullet.
 
Any effort to rein in the National Security Agency after its widespread spy activities were revealed in leaked documents must focus on more than simply limiting what personal data can be collected.
 
Open Flash Chart 'get-data' Parameter Cross-Site Scripting Vulnerability
 
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New samba packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New openssh packages are available for Slackware 14.1 and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in GraphicsMagick, allowing remote attackers to execute arbitrary code or cause a Denial of Service condition.
 
LinuxSecurity.com: Several security issues were fixed in NSS.
 
LinuxSecurity.com: Updated openstack-glance packages that fix one security issue and several bugs are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated nagios packages that fix two security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated openstack-keystone packages that fix one security issue and several bugs are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
Load balancing isn't just for websites that expect surges in traffic any more. Companies of all sizes, and in all verticals, find load balancing an effective way to address disaster recovery, scalability, failover and application virtualization needs.
 
RETIRED: Drupal Quiz Module Multiple Access Bypass Vulnerabilities
 
Mozilla Network Security Services CVE-2013-5606 Certificate Validation Security Bypass Vulnerability
 
MIT Kerberos 5 CVE-2013-6800 Remote Denial of Service Vulnerability
 
Mozilla Network Security Services CVE-2013-1741 Integer Overflow Vulnerability
 
libjpeg-turbo CVE-2013-6630 Memory Corruption Vulnerability
 
libjpeg/libjpeg-turbo Library CVE-2013-6629 Memory Corruption Vulnerability
 
Attackers are actively exploiting a known vulnerability to compromise JBoss Java EE application servers that expose the HTTP Invoker service to the Internet in an insecure manner.
 
The U.S. Supreme Court denied the Electronic Privacy Information Center's petition to review a National Security Agency phone record data collection program.
 
Customers of Salesforce.com who want their own dedicated infrastructure within the vendor's cloud will now be able to get one through a partnership with Hewlett-Packard.
 
Six more alleged participants were arrested Monday in a US$45 million global ATM fraud, including one man who was photographed stuffing $800,000 into a suitcase, federal prosecutors in New York said.
 
In Windows Server 2012 R2 and Windows 8.1, Microsoft has released a combination of operating system updates that we find very compelling. Microsoft has joined much of the rest of the industry in annual release roll-ups with feature additions, and this time, they listened to the critics. More interesting are the one-upmanship features targeted directly at its virtualization and cloud competition. Some were stunning, despite a few strange and perhaps anecdotal basic problems that we found.
 
Mozilla on Monday began rolling out its first major Firefox user interface change in more than three years, seeding early adopters of the "Nightly" build with the new "Australis" revamp.
 
Cloud licensing's become so complex that it's easy to pay too much or get burned later on. Here are some tips to make sure you're getting your money's worth.
 
Mozilla Network Security Services CVE-2013-5605 Remote Arbitrary Code Execution Vulnerability
 
Chainfire SuperSU CVE-2013-6775 Arbitrary Command Execution Vulnerability
 
Multiple Android Superuser Packages Search Path Local Privilege Escalation Vulnerability
 
Multiple Android Superuser Packages CVE-2013-6769 Arbitrary Command Execution Vulnerability
 
ClockWorkMod Superuser Package Environment Search Path Local Privilege Escalation Vulnerability
 
omniauth-facebook Access Token Security Bypass Vulnerability
 

Posted by InfoSec News on Nov 19

http://mainichi.jp/english/english/newsselect/news/20131116p2g00m0bu015000c.html

Mainichi Japan
November 16, 2013

SINGAPORE (Kyodo) -- Government ministers from the Association of
Southeast Asian Nations said Friday they have endorsed Japan's proposal
for cooperation to ensure a "smart" information and communications
technology network in the region.

The telecommunications and information technology ministers, in a joint...
 

Posted by InfoSec News on Nov 19

http://www.informationweek.com/healthcare/security-and-privacy/sloppy-handling-of-patient-data-always-a-danger/d/d-id/899835

By Alex Kane Rudansky
InformationWeek
11/18/2013

The rules of the privacy game have changed and the stakes are higher than
ever before when protecting patient information in transit.

With advancements in both consumer and healthcare technology, protection
of patient information is critically important and equally...
 

Posted by InfoSec News on Nov 19

http://bits.blogs.nytimes.com/2013/11/15/amazon-bares-its-computers/

By QUENTIN HARDY
The New York Times
NOVEMBER 15, 2013

LAS VEGAS -- However big and ambitious you think Amazon’s plan to run the
world’s computing may be, you should probably think bigger.

In a startling talk Thursday evening, a vice president who oversees the
internal engineering of Amazon’s global computing system described how
Amazon is building its own specialized...
 

Posted by InfoSec News on Nov 19

http://www.computerworld.com/s/article/9244109/Hackers_use_zero_day_vulnerability_to_breach_vBulletin_support_forum

By Lucian Constantin
IDG News Service
November 18, 2013

A group of hackers claim to have exploited an undocumented vulnerability
in the vBulletin Internet forum software in order to break into the
MacRumors.com and vBulletin.com forums.

On Friday, vBulletin Solutions, the company behind the vBulletin software,
reset the...
 

Posted by InfoSec News on Nov 19

http://arstechnica.com/security/2013/11/feds-say-thieves-in-atm-heist-nabbed-after-stuffing-800000-in-suitcase/

By Dan Goodin
Ars Technica
Nov 18 2013

Federal authorities have arrested five more men accused of taking part in
a 21st-century bank heist that siphoned a whopping $45 million out of ATMs
around the world in a matter of hours.

Prosecutors said the men charged on Monday were members of the New
York-based cell of a global operation...
 
Drupal Groups, Communities and Co (GCC) Module Access Bypass Vulnerability
 
Drupal Revisioning Module Access Bypass Vulnerability
 
Drupal Node Access Keys Module Access Bypass Vulnerability
 
Paypal Inc Bug Bounty #47 ALYZ - Persistent Search Vulnerability
 
PayPal Inc Bug Bounty #42 - Persistent POST Inject Vulnerability
 
[slackware-security] seamonkey (SSA:2013-322-04)
 
ImageMagick Malformed PCX File Heap Overflow Vulnerability
 
PayPal Inc Bug Bounty #65 China - Redirect Web Vulnerability
 
[slackware-security] samba (SSA:2013-322-03)
 
[slackware-security] openssh (SSA:2013-322-02)
 
[slackware-security] mozilla-firefox (SSA:2013-322-01)
 
ImageMagick TIFF File Integer Overflow Vulnerability
 
Re: Fwd: vulnerability issue for DB2 express
 
[SOJOBO-ADV-13-04] - PHP-Nuke 8.2.4 multiple vulnerabilities
 