An interesting idea to detect hidden files by a string comparison of VM snapshots:

Find out hidden files comparing VMware’s snapshots
http://zairon.wordpress.com/2007/08/31/find-out-hidden-files-comparing-vmwares-snapshots/


Hope you don't mind me bringing this up here for discussion Zairon. I'm curious, in the examples you've worked on do you have any idea *where* the exposed strings of hidden files/processes originated from?

Say for example a malware has hidden its driver through some DKOM technique such as unlinking from the PsLoadedModuleList. It's hidden from normal API routines and manual tracing of the linked list of loaded modules. However at some point it still has to load so there may be a rogue string buffer on the heap somewhere that was used by LoadDriver, or perhaps when it was extracted as a resource from an exe file.

I assume that's where some of these "traces" of the hidden file presence comes from, various string buffers that haven't yet been purged from memory. That's what makes this technique so clever. Following the preys spoor like a hunter, I love it

I wonder if there's a way of mapping the string back to its original location in memory in what would be the active VM?

Regards,
Kayaker

Hey K!

Not exactly, my first thought was: "there should be something in memory". Your comment about dkom was more or less my second thought. That's why I tried.
At first I wanted to perform a scan over VMware's process memory but the problem was: "what kind of string do I have to search?". Pretty impossible. So, I tried comparing the snapshots obtaining some nice results.

Interesting point. Now we could include the VMware's process memory in the game

bye!

On further study, I'm not so sure.. However I did discover a very interesting fact that opens up a whole new avenue for snapshot forensics.

According to a sample chapter on dumping and analyzing physical memory:



Windows Memory Analysis
http://www.syngress.com/book_catalog/SAMPLE_159749156X.PDF

A similar comparison between a dd-style RAM dump and a .vmem file is mentioned here:

http://windowsir.blogspot.com/2006/09/win2003sp1-and-ram-dump-parsing.html


dd.exe is a well known forensic tool for dumping physical memory:

http://www.gmgsystemsinc.com/fau/


So I thought to apply some of the forensic analysis techniques to either a dd style RAM dump or the VMWare .vmem file.

One of the caveats with dd.exe is that the new version no longer supports the \\.\PhysicalMemory pseudo-device as input, which was the traditional syntax used to generate a RAM dump. I believe the option isn't available because physical memory can't be accessed from user mode in Win2003 or Vista. An older version would be more useful for XP. The alternative is a kernel version KnTTools, but is only available to institutions etc.


Nevertheless I decided to try dumping the physical image of a VMWare session and see what happened. To dump to the VM shared drive you first have to map the network drive to a letter (i.e. \\.host\Shared Folders\VMShared is mapped to Z:.

Usage: dd if=[SOURCE] of=[DESTINATION] [OPTIONS]

The syntax then being:

dd if=\\.\c: of=Z:\VMShared\image1.dmp --localwrt conv=noerror

This created a dump file pretty much the same size as the full 4Gb vmdk VM image. Not particularly useful at the moment but still a nice way of creating a full physical VM snapshot on the fly.


Giving up on DD for the time being I decided to go with the tenet that a .vmem snapshot is similar enough to a dd RAM dump that you could apply the same forensic techniques to it.

In the DFRWS 2005 Forensics Challenge the winning entry used a memparser program to reconstruct process information from a memory dump, including processes hidden by Hacker Defender.

http://dfrws.org/2005/challenge/betzReport.shtml
http://sourceforge.net/projects/memparser

I compiled the memparser source from sourceforge and applied it the .vmem snapshot. Sure enough it parsed correctly through the EPROCESS structures for all processes running when the snapshot was taken. The only glitch with the XP snapshot was that Memparser was created for Win2K so the EPROCESS offset for some of the fields were incorrect. This should easily be fixed through the source files.

Here is the somewhat successful output from a random snapshot I made which at least shows the theory works:




There are various other forensic scripts around that one should be able to apply to the VM snapshot to get more information as well. As well as the previous links I mentioned the following is also indispensable:

http://computer.forensikblog.de/en/


Knowing now that VM snapshots contain such a wealth of information that can succumb to forensic analysis it would be interesting to see what else they can tell us.

Kayaker

Just a small update, Memparser correctly parses a VMWare snapshot from Win2K, including detecting a process (notepad) hidden by FU rootkit. This means the source can be tweaked for OS version specific EPROCESS offsets.

Very interesting work ZaiRoN and Kayaker, keep us posted on any progress!

I got some requests so I decided to make it available for everyone. It's more or less the original program I used for my first test; I wanted to add something more, but it's impossible at the moment... I'm too busy.
Anyway, tell me about everything (bugs/comments/...).

Regards,
Z.