Rekalling the Times I Played with Windows

Created in October 22, 2017

2017 Ā  Ā· Ā  memory Ā  hacking Ā  rekall Ā  forensics Ā  windows Ā  Ā· Ā  blog

Windows Chan Windows-Chan

The more and more you learn about Information Security, the more you learn about how insecure things are. From your personal devices that you are to protect, to devices in our environment. I remember reading my CompTIA Sec+ book back when I was a youngling, and remembered a story in there that described a raid where a hacker took a shotgun and shot his hard drive before the Feds grabbed him and separated him from his computer.

Another Reason for RAM Acquisition

Hawkeye Hawkeye

Another reason as to why the Feds separate hackers from their computers is because their RAM holds valuable information so long as the computer is on. That information includes all passwords, websites, and other types or what forensics people call ā€œartifacts.ā€ A few of the artifacts one can acquire from a memory acquisition:
Benjamin Caudill Benjamin Caudill (Slide by Benjamin Caudill)

Experimenting with Memory Acquisition

After playing around with some Reverse Engineering challenges, Iā€™ve been wanting to get deeper and deeper. Down the rabbit hole we go.

Tools Used:

A few days ago, I wanted to see if I could take an image of my RAM. The test was conducted on my MacBook Air, so I looked for tools to do this. Rekall, created by Google, has a tool called osxpmem which will take an image of your RAM. I wrote a script to make this a bit easier. Root privileges ARE required. Jonathon Poling goes deeper into how to do this in his terrific article.

#!/bin/sh

# Create directories
mkdir /tmp/mem
mkdir /tmp/mem/Memory_Captures

# Takes us to our work env
cp osxpmem_2.0.1.zip /tmp/mem
cd /tmp/mem
unzip osxpmem_2.0.1.zip

# Required to use utilities
sudo chown -R root:wheel osxpmem.app/
sudo osxpmem.app/osxpmem -o Memory_Captures/mem.aff4
sudo osxpmem.app/osxpmem -e /dev/pmem -o Memory_Captures/mem.raw Memory_Captures/mem.aff4

# Unload our kernel extension
sudo osxpmem.app/osxpmem -u

I posted my code on GitHub for your convenience and for the commits. No shame in my commit game. memory example 1

I sent this to Rekall and got some problems with profiles. More learning!

Profiles areā€¦ research

ā€œA Mac profile includes the structure definitions for the specific kernel version as well as the addresses of important global variables used in analysis.ā€
ā€” The Art of Memory Forensics (pg. 784)

Since Mac profiles are pretty big, they arenā€™t included with all the fun installs of Volatility; however, some are located on their GitHub. Rekall also has profiles as well on their GitHub. This is kinda what it looks like when you donā€™t have the correct profiles.

Switching to Windows for Memory Acquisition

memory example 2 So, I put my Mac image down and picked up the other computer next to meā€”a family memberā€™s Windows 7 computer. Just like Iā€™m sure the rest of you do, I reinstalled the OS for my family because someone who studies Computer Science means I can help remove your malware and spyware you got installed from just doing ā€œnormal computer stuff.ā€ šŸ˜’

I set a password via login and wanted to take an image of a Windows computer to see if I could get the login password from it!

Initially, I was worried and thought taking an image might be difficult, or maybe Iā€™d have to dive pretty deep into a tool to figure out the password. I am very grateful for the heroes and heroines that took on this frontier.

ā€œIf I have seen further than others, it is by standing upon the shoulders of giants.ā€
ā€” Isaac Newton

Windows Memory Acquisition

I accomplished this goal with two lines. But first, the image:

  1. Get winpmem (at the time of writing, winpmem-2.1.post4.exe).
  2. Open cmd.exe as Administrator (Right-Click and click ā€œRun as Administratorā€).
  3. Run the following command: 
    winpmem -o Win7Image.aff4

ram dump

Got RAM?! YEAH BITCH!

Alright, so now letā€™s open it up in Rekall. Rekall is very well-documented on how to set up their environment.

$ virtualenv /tmp/MyEnv

New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.

$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall

If you donā€™t have virtualenv, install it with:

sudo pip install virtualenv

Assuming you got it installed, check it out:

We got it loaded in! Now what are those two lines? Wellā€¦loading was one of them.

Now use the plugin mimikatz:

rekall -f Win7Image.aff4 mimikatz

Profit

If you have any questions, as I wrote this pretty late and ran through it, please feel free to contact me!

The quickest way would be Twitter. Send me more things to play with or correct me if Iā€™m wrong!

Until next time, hackers!

References



Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • Hello Skid post
  • Bypassing ASLR Damn Heroes and their defenses
  • Creating Yara Rules for Malware Detection
  • Injecting a Running Process
  • Bypassing NX/DEP