Tuesday, October 2, 2012

MoVP 4.2 Taking Screenshots from Memory Dumps

Month of Volatility Plugins 

Open Memory Forensics Workshop 2012 is currently in progress, thus today's MoVP post will be short and sweet. However, it will still introduce an exciting new capability exclusive to Volatility.

One of Brendan Dolan-Gavitt's early GDI utilities for Volatility included a screenshot plugin. The plugin drew "wire-frame" rectangles of windows according to their positions on the desktop. It's far from a real screenshot, but it is nonetheless very exciting from a memory forensics perspective. BDG also wrote a plugin using VM introspection and PyGame to actively trace a user's mouse movements and window interactions based on the changes they made in physical memory. Both are major developments that show the abstract ways you can leverage the power of Volatility.

For the upcoming release of Volatility 2.2, I took the liberty of updating BDG's screenshot plugin to work with the latest core code base and to include support for all major Windows versions. Since the original plugin only worked on XP x86, there was no need to examine multiple desktops at that time (it predated session 0 isolation). Nowadays, the plugin outputs one screenshot for each desktop, including the desktops seen via RDP and those of multiple logged-on users.

The Screenshots Plugin

The inner workings of the plugin are quite simple. It enumerates the windows of each desktop in their Z-order (front-to-back focus order), just as described in MoVP 2.2 Malware In Your Windows. It takes the left, right, top, and bottom coordinates of each window from its tagWND structure and draws the rectangles with PIL (the Python Imaging Library).
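To make the enumerate-then-draw idea concrete, here is an added, self-contained Python example; it is not the plugin's own code, which draws with PIL. It takes a constructed front-to-back window list with tagWND-style left/top/right/bottom coordinates, clips each rectangle to the desktop bounds (dropping windows that are minimised or otherwise entirely off-screen), paints wire-frame rectangles back-to-front so that a window in front hides the outline of the one behind it, and writes the result as a PNG using only the standard library. The sample coordinates, the window titles, the desktop size and the occluding fill are assumptions made for the example.

```python
import struct
import zlib

# Constructed sample input (not taken from any real memory image): the
# windows of one desktop as the plugin would collect them, front-to-back in
# Z-order. Each tuple is (title, left, top, right, bottom), the same fields
# the plugin reads from each window's tagWND structure.
DESKTOP_WIDTH, DESKTOP_HEIGHT = 320, 200
SAMPLE_WINDOWS = [
    ("Calculator", 40, 30, 160, 120),               # foreground window
    ("Notepad", 100, 60, 300, 180),                 # partly behind Calculator
    ("Minimised", -32000, -32000, -31840, -31900),  # parked off-screen by Windows
    ("Desktop", 0, 0, 320, 200),                    # bottom of the Z-order
]

WHITE, BLACK = 255, 0


def clip_rect(left, top, right, bottom, width, height):
    """Clip a window rectangle to the desktop bounds; None if nothing is visible."""
    l, t = max(left, 0), max(top, 0)
    r, b = min(right, width), min(bottom, height)
    if r <= l or b <= t:
        return None
    return l, t, r, b


def visible_windows(windows, width, height):
    """Return (title, clipped_rect) for every window with a visible area,
    preserving the front-to-back order of the input."""
    result = []
    for title, left, top, right, bottom in windows:
        rect = clip_rect(left, top, right, bottom, width, height)
        if rect is not None:
            result.append((title, rect))
    return result


def draw_wireframe(windows, width, height):
    """Rasterise wire-frame rectangles into a list of rows, one byte per pixel.

    Windows are painted back-to-front so that a window higher in the Z-order
    hides the outline of whatever lies behind it, as on the real desktop.
    """
    rows = [bytearray([WHITE]) * width for _ in range(height)]
    for _title, rect in reversed(visible_windows(windows, width, height)):
        l, t, r, b = rect
        for y in range(t, b):
            rows[y][l:r] = bytes([WHITE]) * (r - l)  # opaque window body
            rows[y][l] = BLACK                        # left edge
            rows[y][r - 1] = BLACK                    # right edge
        rows[t][l:r] = bytes([BLACK]) * (r - l)       # top edge
        rows[b - 1][l:r] = bytes([BLACK]) * (r - l)   # bottom edge
    return rows


def encode_png(rows):
    """Encode 8-bit greyscale rows as a PNG using only the standard library."""
    height, width = len(rows), len(rows[0])

    def chunk(tag, data):
        body = tag + data
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)

    # Each scanline is prefixed with filter type 0 (no filtering).
    raw = b"".join(b"\x00" + bytes(row) for row in rows)
    # Bit depth 8, colour type 0 (greyscale), default compression/filter/interlace.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def write_screenshot(path, windows, width, height):
    """Render one desktop to a PNG file, one file per desktop as the plugin does."""
    png = encode_png(draw_wireframe(windows, width, height))
    with open(path, "wb") as fh:
        fh.write(png)
    return len(png)


if __name__ == "__main__":
    # Constructed file name mirroring the plugin's session.WinSta.Desktop naming.
    size = write_screenshot("session_1.WinSta0.Default.png",
                            SAMPLE_WINDOWS, DESKTOP_WIDTH, DESKTOP_HEIGHT)
    print("Wrote session_1.WinSta0.Default.png (%d bytes)" % size)
```

Painting back-to-front is what gives the Z-order its meaning here: in the sample, Notepad's top-left corner falls under the Calculator window and is hidden, while its bottom-right corner remains visible. The standard-library PNG writer is only there to keep the example dependency-free; a third-party imaging library such as PIL is what makes the next step, drawing each window's title text at the corner of its rectangle, easy.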

To demonstrate, two users logged into the same Windows 7 box using fast user switching. Each user left various windows open. Then memory was acquired and the screenshot plugin was run. As shown below, you just pass it a -D/--dump-dir parameter naming the directory where the PNG files should be saved.

$ python vol.py -f users.vmem --profile=Win7SP1x86 screenshot -D shots/
Volatile Systems Volatility Framework 2.1_alpha
Wrote shots/session_0.Service-0x0-3e4$.Default.png
Wrote shots/session_0.Service-0x0-3e5$.Default.png
Wrote shots/session_0.msswindowstation.mssrestricteddesk.png
Wrote shots/session_0.Service-0x0-3e7$.Default.png
Wrote shots/session_1.WinSta0.Default.png
Wrote shots/session_1.WinSta0.Disconnect.png
Wrote shots/session_1.WinSta0.Winlogon.png
Wrote shots/session_0.WinSta0.Default.png
Wrote shots/session_0.WinSta0.Disconnect.png
Wrote shots/session_0.WinSta0.Winlogon.png
Wrote shots/session_2.WinSta0.Default.png
Wrote shots/session_2.WinSta0.Disconnect.png
Wrote shots/session_2.WinSta0.Winlogon.png

Many of the screenshots will be blank, since windows aren’t displayed on all desktops. Why should they be, after all? There's only one interactive window station (WinSta0), so it wouldn't make sense to display windows inside desktops of other window stations, because there's no user to see them. But we output an image anyway, just in case there's some odd situation that may help you during an investigation.

As you'll see, Session1\WinSta0\Default (for the first user to log on) and Session2\WinSta0\Default (for the second user) match well when aligned with thumbnails of the real screen appearance. In the image below, the first user's screen is in the top left pane and the plugin output is in the bottom left. The second user's screen is in the top right, just above the plugin-generated version of the screenshot.

You may notice above that the wire-frame screenshots are missing window titles. Unfortunately the window titles didn't make the Volatility 2.2 release cut, but the feature is already available in the 2.3 development branch. Window titles give you a much better depiction of what's currently going on, as you'll notice in the next example, which is from a real compromised machine and was produced with the window labeling code:

If you click the image to enlarge it, you'll see there's an alert about 2 virus infections from Trend Micro's OfficeScan at 9:27 PM. This is a new type of timeline: seeing the clock tick via memory analysis.

There's still some work to be done in the realm of producing more life-like screenshots from memory dumps, including labeled buttons and the text displayed in toolbars and edit boxes, not to mention colors and gradients. However, we've got the foundation built. The decision to write Volatility in Python turned out to be a good one, since it can easily interface with libraries like PIL, PyGame, and the thousands of other modules out there for security, reverse engineering, and forensics.

More information on the screenshot plugin and its usages in forensic investigations will be presented at Open Memory Forensics Workshop (OMFW) 2012.

1 comment:

  1. MHL and Volatility Crew:

    This is so cool! You guys never cease to amaze me. I really appreciate all the cool stuff you do and how you've helped me do my work and testing.