I need to analyse some malware that I have on a vmware image (vmware is a virtual machine), in particular I need to do a full dump of a certain process. I know that vmware,on pausing, writes the whole RAM into a .vmem file. The platform the image is taken of is Windows XP. I know that there are certain tools that do this but they are mostly closed source or don't work for Windows XP. I need it to be done in reasonable time (under one second if that is possible somehow) and to run it from my own C++ program, any help would be really appreciated.
You seem to be asking to interact with processes and their memory from a suspended VM.
Give some forensic tools a shot. This one looks promising:
http://code.google.com/p/volatility/
Related
I've been going through the windows documentation for the Dism API with the goal of writing an exe in C++ (or whatever language can accomplish this) that can create a WIM image while running in Windows PE. I found a .NET Wrapper for the Dism API that seems like it might be useful for this purpose, but I'm unsure if a .NET app will successfully run in Windows PE. Overall, my problem is that I don't see a function that can create--and doesn't simply modify--a wim file.
If I didn't care about encapsulating this in an .exe file, the Dism documentation does show how to initially create a wim--which makes me curious why a similar function wouldn't exist within the api. Please advise if the simplest solution is to have my code call a function such as system() within the code.
To summarize, I'm looking for a way to create a wim file programmatically (called from executing an exe file) from within Windows PE.
As always, thank you for the help and advice.
I work on a project that works with DISM in WinPE quite a bit. We configure WinPE with all the .net packages as described here. Then WinPE can be configured to start an application.
I use c#, but you can do managed apps in c++ as I'm sure you know. I find putting c# code into WinPE substantially easier, but that's more a function of my experience, I suppose.
The main way we use to interact with DISM is run a command using System.Diagnostics.Process. The process runs in a separate thread, but the API is simple, and you can wait on (and/or timeout) your process for synchronization purposes. This just uses the DISM command line interface, although you can also use powershell cmdlets if you've added that package to your WinPE image. It may seem like a hacky "interface" from your app to DISM, but it works reliably, and you can keep the process window from showing up on the screen. This makes for a decent asynchronous platform for running bunches of windows imaging utilities, such as DISKPART, DISM and BCDEDIT.
The principal way you'd capture a new image is with DISM /Capture-Image. Sounds like you've already discovered this fact. Lots of options that are somewhat beyond the scope of this q/a, but I hope this gets you on a useful path.
Even though this post is a bit older, here is a possibly still relevant resource for you. Perhaps this one will help.
I've written a small GUI-based tool, project-named WIM-Backup, that uses the Windows Imaging Format (WIM) to create full backups of computer systems (operating system images) within WinPE and then restore them.
The application is hosted on GitHub, is open source, and is offered under the Apache 2.0 license.
In addition, the repository includes an illustrated step-by-step guide to help get it up and running.
Brief summary:
WIM-Backup always requires an external bootable media such as a USB flash drive.
From this drive WinPE is booted to perform a backup or restore to or from an external medium (e.g. a USB hard drive).
On the bootable USB flash drive the WinPE must be set up before (is documented illustrated in the readme).
After completion of the respective operation, a status message is displayed whether the operation was successful or failed.
After restoring a backup, you can boot normally from the destination drive.
Both the backup and restore process are relatively simple (not "rocket science").
To set up the solution, you need about 30 minutes time in the best case due to the necessary downloads (e .g. ADK)
Last but not least: it has a permissive license (non-proprietary) and is open source.
The project can be found here: WIM-Backup
Preface:
We are using a Windows-7-Embedded image, for making client-ready copies of our software.
The flow is pretty standard:
Take a blank hard-drive.
Restore an in-house Windows-7-Embedded image on the hard-drive.
Install additional software on-top.
Hard-drive ready!
The Problem:
Sometimes, probably due to system crashes, some configurations that are already configured inside the image - reset.
My current problem is with a 'Disable Write Caching' option on the disk.
In the image, the option is off.
Sometimes, it just resets and turns on.
My Question:
How can I programmatically disable the disk write caching property?
Design Restrictions:
Can run an .exe on startup. The system is mostly c++ so that is that would be the optimal language for a code based solution.
Can run a .bat file.
can run a .vbs file. Not sure which version our current infrastructure are compatible with.
Images (Inside Image -> After Crash):
Clarifications:
Did my research. did not find anything related to windows write caching option in SO or SE as a whole. Did find a bunch of linux related questions.
The system crashes are by-design, at the moment. This is the obvious root cause, but cannot be fixed due to design restrictions and budget issues.
There is a registry setting EnableCache you may try to experiment with. It applies to FAT file systems and setting it to 0 shall theoretically disable disk caching. Though I have not tested it.
Look into:
HKEY_LOCAL_MACHINE\SYSTEM\StorageManager\FATFS or HKEY_LOCAL_MACHINE\SYSTEM\StorageManager\EXFAT
I want to write a program that will monitor memory in a driver and print the memory contents every so often.
However, I'm not finding any resources in the Windows API that seem to allow me to grab a pointer (Handle) to a specific driver.
I'd appreciate any answer either from User space OR kernel space.
If you want to know exactly what I'm doing, I'm attempting to duplicate the results from this paper except on Windows. After I gain the ability to monitor a buffer in a basic windows console program, I intend to monitor from the GPU.
[For the record: I am a Graduate Student who is pursuing this as a summer project... this is ethical malware research.]
============UPDATE ==================
This might technically be better suited as an answer, but not really until I have a working solution.
My initial plan of attack is to use WinDbg to do dynamic analysis on the keyboard driver when it gets loaded, so I can get some idea about normal loading/unloading behavior. I'm using chapter 10 of this book, to guide setting up my testbed and once I understand more about the keyboard structure and its buffer, I'll work backwards towards getting a permanent reference to this structure and see about passing it into the graphics card and monitoring it with DMA as the original paper did on Linux.
You won't solve this problem by "grabbing a pointer to a specific driver". You need to locate the specific buffer used by the keyboard driver that resides on top of the USB driver.
You will have to actually grok the keyboard and USB drivers for Windows. At least part of which is probably available if you have a DDK (driver development kit) [aka WDK, Windows Driver Kit]. You will definitely need a graphics driver for this part of the project.
You will also have to develop a driver mechanism to map an arbitrary (kernel) lump of memory to your graphics driver - which means you need access to the source code for the graphics driver. (In theory, you could perhaps hack about in the page-tables, but Windows itself isn't too keen on software messing with the page-tables, and you'd definitely need to be VERY careful if the system is SMP, since modifying page-tables in an SMP system requires that you flush the TLB's of the "other" CPU(cores) in the system after updates).
To me, this seems like a rather interesting project, but a really tough one in a closed source system like Windows. At least in Linux, the developer has the source-code to read. When it comes to Windows, most of the relevant source code is completely unavailable (unless your school has special license to the MS Source code - I think there are some that do).
G'Day!
I have an executable (Unix or Windows - it should be cross-compiling). If one opens this executable by any editor and write some stuff to the end - the application would still run perfect.
On execution, the application with all its data loads to the RAM. So, the user-written part of file is also loaded into memory.
Is there any chance to read this data?
I need this data in fast access. Other workarounds are not OK, because it takes too much time:
Reading directly from file (on hard disk) or mapping it is not fine, because the application have to read this file on each run, but this application has lots of launches per sec.
Using shared memory with another process (something like server, which holds data) is not cross-compiling
Using pipes between app and so-called server is not fast enough, imho.
That's why I decided to write some stuff to the end of application.
Thanks in advance!
Are you re-inventing
exe packers (see http://en.wikipedia.org/wiki/Executable_compression)
embedded resources? A portable approach was described here Is there any standard way of embedding resources into Linux executable image?
I also think you're might be optimizing the wrong things.
Reading directly from file (on hard disk) or mapping it is not fine, because the application have to read this file on each run, but this application has lots of launches per sec.
The kernel[1] is way smarter than we are and is perfectly capable of caching the mapped stuff. Heck, if you map it READ-ONLY there will be no difference with directly accessing data from your program's base image.
[1]: this goes for both WIndows and Unix
I am looking to get into operating system kernel development and figured and have been reading books on operating systems (Tannenbaum) as well as studying how BSD and Linux have tackled this challenge but still am stuck on several concepts.
If I wanted to mimic the Windows Blue Screen of Death on an operating system, would I simply put this logic in the panic kernel method?
Are there ways to improve upon how Windows currently performs this functionality?
I'm not exactly sure where to look in the source but you might want to look into ReactOS, an open source Windows clone which has BSOD already.
BSDs actually handled this much better then Windows with DDB :)
Here's another link to FreeBSD Kernel Debugging docs.
You can emulate Windows's bugcheck functionality wherever you want. Most Linux systems put it in XScreenSaver.
However, I doubt that this is what you're really asking about. Are you asking how to generate a dump file?
To improve Windows bugchecks, Windows driver developers can use KeRegisterBugCheckReasonCallback() to record more information about the state of their drivers in the generated minidump. This potentially may improve the effectiveness of post-mortem debugging when full kernel/memory dumps are not enabled.