7 comments on “Vmware snapshot and SSDT”

  1. When you speak of comparing the VMWare snapshots, do you mean that you are comparing .vmem files?

    If so, you’re essentially comparing two full dumps of physical memory. A .vmem file contains a full linear dump of system memory; physical address x will correspond to file address x. Given this, it is not surprising that kernel memory can be found in the snapshot file!

    There are tools that can parse such dumps; my favorite (probably since I’ve contributed a fair amount of code to it) is Volatility (https://www.volatilesystems.com/default/volatility); it can extract lots of information about open files, running processes, loaded kernel modules, etc. from memory dumps such as .vmem files.

    It doesn’t currently have the capability to extract the SSDT; however, this would probably not be too difficult to implement, and having a volatile memory analysis framework available would allow you to reliably locate the SSDT within the VM snapshot (roughly, you would find the loaded kernel image, track down its KeServiceDescriptorTable export, and thus get the virtual address of the SSDT, which you could use directly within Volatility, as Virtual->Physical translation is handled for you).

    There’s a whole field of digital forensics dedicated to examining such dumps of memory, called physical/volatile memory analysis or RAM forensics. Check out http://4tphi.net/fatkit/#links for a good list of papers/articles on the topic!

  2. Hi.
    Thank you very much for the links, seems like there are some nice articles.

    Yes, I’m working on single vmem files.
    If “physical address x will correspond to file address x” it’s relatively easy to parse the file looking for various info; the hard part is to locate something else. The big problem of this kind of tool is that most of them are not able to find hidden processes/modules, which is the interesting part of a static analysis. I tried Volatility (nice framework indeed), but it misses hidden processes/modules. I have to admit I’m far from being an expert in this field, but as far as I tried, the only tool able to give out some good info is MemParser by Chris Betz.
    I would like to know if there are some more tools able to discover hidden processes/modules, can you help me with some names?

    Thanks in advance.

  3. Hidden processes and modules can be found within Volatility using “modscan” and “psscan”, which do not rely on processes/modules being in the various linked list structures, as they scan all of memory. The only disadvantages at the moment are that they’re a little slow (things are a *lot* faster in the next release, which will hopefully be out shortly), and they’re vulnerable to “chaff” — someone could put things that look like _EPROCESS structures into memory to throw off scanners.

    Right now there’s no automatic correlation between the output of pslist and the output of psscan to detect discrepancies, however. Again, this would be easy to implement.

    Memparser is cool, but last I saw only works on Win2k, and would be quite difficult to extend to XP and above, since it uses hardcoded offsets in the source code.

    Andreas Schuster’s ptfinder is another great tool for finding hidden processes; however, its output should be the same as Volatility’s psscan. However, it has support for many more versions than Volatility at the moment.

    Hope this helps!

    Also, feel free to drop by #volatility on freenode if you want to learn more; most of the people doing open research in memory forensics hang out there.
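The pslist/psscan correlation that the reply above says is missing, as an added example that is not part of this thread or of Volatility itself: the listings below are constructed sample output in a Volatility-like column layout, keyed by the physical offset of each _EPROCESS (which, in a linear .vmem, is also the file offset). Scan-only hits are split into plausible hidden processes and entries that need review (duplicate PIDs, which point at a terminated process or scanner chaff).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    offset: int  # physical offset of the _EPROCESS; equals the .vmem file offset
    name: str
    pid: int
    ppid: int


# Constructed sample listings (not real tool output); psscan finds two extra hits.
PSLIST = """\
Offset(P)  Name         PID  PPID
0x01a2b020 System       4    0
0x02c4d560 smss.exe     368  4
0x02f1e8a0 explorer.exe 1412 1380
"""
PSSCAN = """\
Offset(P)  Name         PID  PPID
0x01a2b020 System       4    0
0x02c4d560 smss.exe     368  4
0x02f1e8a0 explorer.exe 1412 1380
0x03aa7f00 hidden.exe   2020 1412
0x03bb1200 fake.exe     4    0
"""

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse(listing: str) -> dict[int, Proc]:
    """Parse one listing into {offset: Proc}; header lines do not match and are skipped."""
    procs = {}
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            p = Proc(int(m[1], 16), m[2], int(m[3]), int(m[4]))
            procs[p.offset] = p
    return procs


def correlate(pslist: str, psscan: str) -> dict[str, list[Proc]]:
    """Diff the linked-list walk against the memory scan, matching on _EPROCESS offset."""
    listed, scanned = parse(pslist), parse(psscan)
    scanned_pids = [p.pid for p in scanned.values()]
    result = {"hidden": [], "review": [], "list_only": []}
    for off, p in scanned.items():
        if off in listed:
            continue  # seen by both: a normally linked process
        # A PID that occurs twice cannot be two live processes: exited process or chaff.
        bucket = "review" if scanned_pids.count(p.pid) > 1 or p.ppid not in scanned_pids else "hidden"
        result[bucket].append(p)
    result["list_only"] = [p for off, p in listed.items() if off not in scanned]
    return result
```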

  4. Thank you sowhat-x for pointing it out.
    Seems like there are a lot of programs out there able to retrieve really good information from a generic snapshot, Volatility is one of them of course (Thanks Brendan).


  6. Hi, I’m a newbie at reverse engineering.
    Thanks for your post :D. Nice article.

    I have some questions. Please answer in detail.

    Is the vmem file consistent with the virtual machine’s physical memory? 1:1?

    If so, we can’t analyze paged memory?
