Diagnosing Malware with Resource Monitor
Window’s Resource Monitor is a hidden gem within the OS that can be very useful to an incident responder in a crunch. It isn’t as comprehensive as SysInternals Process Monitor but it is built in to Windows so you can use it on a computer with no internet connection. It lacks the depth of WMIC but it does have a very nice GUI (if you are into that sort of thing). In short, resource monitor is a worthy addition to the incident responders toolkit. Resource Monitor isn’t a separate program, but rather it is an operational mode for Performance Monitor (Perfmon.exe). If you start Performance Monitor with the "/res" option you will see the Resource Monitor interface. Click START->Run and type “Perfmon.exe /res” and press Enter. Here is what it looks like.
It has a series of Tabs across the top (Number 1) for Overview, CPU, Memory, Disk and Network. Each of the tabs is broken down into sections that can be expanded or collapsed by clicking the arrow on each section's header (Number 2). The top section on each tab allows you to check a box next to a process names that will apply a filter to the other sections of the tab. So by checking the box next to “Firefox.exe” you will only see disk, memory and network resources associated with the Firefox process. The disk section shows you files that are open by the process. The networking section will show you the fully qualified DNS name for each of the TCP and UDP connections in use by that process. The memory section gives you a quick look at how much memory is in use by the process. That’s about it for the Overview tab. If that didn't tell you everything you wanted you can refer to the CPU, Memory, Disk and Network tabs for more information. Lets take a look at the CPU tab.
The CPU tab has some nice features. By selecting a process you can see all of the OS Handles in use by the process (number 4). It even has a search feature that allows you search all of the open handles. The Modules section (number 5) will show you all of the DLLs that are in use by the process.
I’ll leave the remaining tabs for you to explore on your own. I think you will find that in a pinch resource monitor is a good way for a first responder to get a first look at what is happening on a computer.
Performance monitor used Performance counters and Event Tracing for Windows to capture data from various sources. The "/res" option is one of performance monitors way of displaying that information to you. If you are curious what other modes Performance Monitor has give “perfmon.exe /report” a try. If your want to see how a penetration tester might use Event tracing check out this article.
Join me for SANS 504 Hacker Techniques, Exploits and Incident response in San Antonio Texas November 27th - December 2nd 2012 in San Antonio Texas!
Mark Baggett
On Twitter @markbaggett
A Heap of Overflows?
The heap is a section of memory where applications can dynamically allocate and free memory space. Heap Overflows occur when a computer application is able to overwrite the operating system's data structure at the beginning of a block of heap memory and then free that memory. That data structure contains a double link lists with pointers to the previous and next block of memory. When the memory block is freed an "unlink" function is called that uses those two overwritten pointers to find the previous and next blocks of allocated memory and change their pointer so they point to one another and no longer point to the block being freed. To "safely unlink" a block of memory the OS should verify the pointers on previous and next blocks tpoint to the block being freed before it is unlinked. WIthout this check an attacker can use the overwritten pointers to change a value in the memory location of their choosing to the value of their choosing and in most cases gain control of the program's execution.
Ben Hawkes did some analysis of the unlink functions inside the DLLs that are in Windows 8 and found that most of the core libraries in Windows are in fact verifying those pointers and safely unlinking the blocks. That is good news! The bad news is he found many instances of DLLs that are not using those core libraries and not safely unlinking memory.
What does this mean? I don't know. But the research is pretty cool. Mr Hawkes provided a list of DLL's that are not using safe unlinking. They may or may not be exploitable. That is yet to be seen. It is worth a read. http://www.inertiawar.com/win8_unlink/
Join me for SANS 504 Hacker Techniques, Exploits and Incident response in San Antonio Texas November 27th - December 2nd 2012 in San Antonio Texas!
Mark Baggett
On Twitter @markbaggett
Comments