From: George M. Garner Jr. (gmgarner at erols.com)
Date: Tue Jan 22 2002 - 22:12:37 CST
Carv,
Looking back over my mail, I do not see that anyone has responded to
this post. So I will attempt a response.
If you are investigating a box that is running Microsoft Windows XP or
later, you are in luck. Windows XP includes a mechanism for loading
different versions of shared assemblies "side-by-side." To ensure that
a specific assembly is loaded with your forensic application, specify an
application manifest for the application. An application manifest is an
xml data structure that describes an application and the names and
versions of shared and private side-by-side assemblies that the
application binds to at run time. A manifest may include hashes and
hash algorithms in the description of dependent assemblies.
Application manifests may be installed in two locations: They may be
bound to the application as a resource. Or they may be installed as a
separate file in the same directory as the application. The following
is an example of an application manifest taken from the Microsoft
Platform SDK, August 2001 Edition, sub voce "Application Manifest:"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
          manifestVersion="1.0">
  <assemblyIdentity type="win32"
                    name="myOrganization.myDivision.mySampleApp"
                    version="6.0.0.0"
                    processorArchitecture="x86"
                    publicKeyToken="6595b64144ccf1df"
  />
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32"
                        name="Microsoft.Windows.Common-Controls"
                        version="6.0.0.0"
                        processorArchitecture="X86"
                        publicKeyToken="6595b64144ccf1df"
                        language="*"
      />
    </dependentAssembly>
  </dependency>
</assembly>
Versions of Microsoft operating systems prior to Windows XP do not
support side-by-side assemblies.
At this point it is important to note the limitations of the method.
Even on Windows XP, the success of this strategy will depend upon the
level at which the subject system has been compromised. On Windows NT
and its progeny, code executes at one of two privilege levels: user mode
(ring three in Intel terminology) or kernel mode (ring zero in Intel
terminology). Application manifests are designed to ensure the
integrity of user mode libraries that are dynamically linked with an
application. User mode code does not directly call kernel mode code,
however. In addition, most device drivers do not export any symbols.
You communicate with them via IOCTL codes. You cannot link with a file
system or keyboard driver, for example. If a kernel mode rootkit has
been installed on your system you are toast, application manifests or
not.
Regards,
George.
-----Original Message-----
From: H C [mailto:keydet89 at yahoo.com]
Sent: Friday, October 19, 2001 8:31 PM
To: forensics at securityfocus.com; focus-ms at securityfocus.com
Subject: Flushing DLLs from memory
I've been looking into 'live' forensics issues on
NT/2K, and one thing I'm not having any luck with is
how to flush DLLs from memory.
Looking at Rob Lee's page, he's working on
statically-linked binaries for the *nix platforms.
This is an interesting issue, but perhaps not as
simple for NT/2K. I know how to check for which DLLs
a particular program depends on, and I know that the
program and its DLLs can be loaded onto a CD...the
program can be run from a command prompt after
supplying 'PATH="."'. However, how does one flush the
currently loaded DLLs from memory such that only the
'known good' DLLs from the CD are used?
Thanks,
Carv
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
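The manifest mechanism George describes above, as an added example that is not part of the original thread: a Python script that parses the application manifest quoted in his post for its dependent assemblies, and then checks the `<file name hashalg hash>` entries of a Win32 assembly manifest (the element that carries a per-file hash for the files an assembly ships) against the DLLs actually present in a directory, the way an analyst would confirm that the copies on a known-good CD, and not the copies on the subject system, match what the manifest pins. The DLL bytes, the hash value, the `comctl32.dll.mui` entry and the directory names are constructed for the demonstration and are not real Common Controls data.

```python
"""Parse a Win32 side-by-side manifest and verify declared file hashes.

Added example, not code from the original thread.  The <dependentAssembly>
form is the application manifest quoted in the post; the <file hashalg hash>
form is the Win32 assembly-manifest element that pins a file's hash.  All
file contents and hash values below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

ASM_NS = "urn:schemas-microsoft-com:asm.v1"


def _q(tag):
    """Qualify a tag name with the asm.v1 namespace used by manifests."""
    return "{%s}%s" % (ASM_NS, tag)


def parse_manifest(xml_text):
    """Return (identity, dependencies, files) from a manifest document.

    identity     : attributes of the top-level <assemblyIdentity>
    dependencies : one attribute dict per <dependentAssembly>/<assemblyIdentity>
    files        : one attribute dict per <file> (name, and hashalg/hash if pinned)
    """
    root = ET.fromstring(xml_text)
    ident = root.find(_q("assemblyIdentity"))
    identity = dict(ident.attrib) if ident is not None else {}
    deps = []
    for dep in root.iter(_q("dependentAssembly")):
        dep_ident = dep.find(_q("assemblyIdentity"))
        if dep_ident is not None:
            deps.append(dict(dep_ident.attrib))
    files = [dict(f.attrib) for f in root.iter(_q("file"))]
    return identity, deps, files


def file_hash(path, algorithm):
    """Hex digest of a file with the algorithm named in the manifest (e.g. SHA1)."""
    h = hashlib.new(algorithm.lower())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(files, directory):
    """Compare each <file> entry's declared hash with the file on disk.

    Returns {name: "ok" | "mismatch" | "missing" | "unhashed"}.  A file the
    manifest does not pin is reported as "unhashed" rather than silently
    accepted, since the loader cannot detect substitution of such a file.
    """
    results = {}
    for f in files:
        name = f["name"]
        path = os.path.join(directory, name)
        if "hash" not in f or "hashalg" not in f:
            results[name] = "unhashed"
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif file_hash(path, f["hashalg"]).lower() == f["hash"].lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


# The application manifest from the post (Platform SDK sample), verbatim.
APP_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="myOrganization.myDivision.mySampleApp"
      version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0" processorArchitecture="X86"
          publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""

# Constructed stand-ins: a "known good" DLL image and a one-byte-patched copy.
GOOD_DLL = b"MZ" + b"\x00" * 62 + b"constructed stand-in for comctl32.dll"
TAMPERED_DLL = GOOD_DLL + b"\x90"

# Constructed assembly manifest pinning comctl32.dll by SHA1 (the hash is
# computed from GOOD_DLL above) and shipping an unpinned resource file.
ASSEMBLY_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
      version="6.0.0.0" processorArchitecture="X86"
      publicKeyToken="6595b64144ccf1df" language="*"/>
  <file name="comctl32.dll" hashalg="SHA1" hash="%s"/>
  <file name="comctl32.dll.mui"/>
</assembly>
""" % hashlib.sha1(GOOD_DLL).hexdigest()


def demo():
    """Verify the pinned DLL in a clean 'cdrom' tree and a tampered 'system32' tree."""
    identity, deps, _ = parse_manifest(APP_MANIFEST)
    _, _, files = parse_manifest(ASSEMBLY_MANIFEST)
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, blob in (("cdrom", GOOD_DLL), ("system32", TAMPERED_DLL)):
            d = os.path.join(tmp, label)
            os.mkdir(d)
            with open(os.path.join(d, "comctl32.dll"), "wb") as fh:
                fh.write(blob)
            out[label] = verify_files(files, d)
    return identity["name"], [dep["name"] for dep in deps], out


if __name__ == "__main__":
    app, dep_names, results = demo()
    print(app, "depends on", dep_names)
    for tree, verdicts in results.items():
        print(tree, verdicts)
```

The check runs entirely in user mode and reads the files through the operating system, so it is subject to the same limitation George states for manifests themselves: a kernel mode rootkit that filters file reads can hand back clean bytes for a modified DLL, and the "ok" verdict then means nothing. The value of the hashed manifest, and of a script like this, is against user mode substitution (a trojaned DLL dropped next to the tool or into the search path), not against a compromised kernel.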