Data Hiding in Crash Dumps
Tuesday, June 10th, 2008

Suppose we want to send a complete memory dump to a vendor but want to remove certain sensitive details, or perhaps a whole process or image, from it. In this case we can use the f WinDbg command (virtual addresses) or fp (physical addresses) to fill pages with zeroes. Let’s open a complete memory dump and erase the environment variables of a process:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffadfe7afd8e0
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0014a000 ObjectTable: fffffa8000000c10 HandleCount: 730.
Image: System
PROCESS fffffadfe6edc040
SessionId: none Cid: 0130 Peb: 7fffffdf000 ParentCid: 0004
DirBase: 34142000 ObjectTable: fffffa80009056d0 HandleCount: 19.
Image: smss.exe
[...]
PROCESS fffffadfe67905a0
SessionId: 0 Cid: 085c Peb: 7fffffd4000 ParentCid: 0acc
DirBase: 232e2000 ObjectTable: fffffa8000917e10 HandleCount: 55.
Image: SystemDump.exe
kd> .process /r /p fffffadfe7287610
Implicit process is now fffffadf`e7287610
Loading User Symbols
kd> !peb
PEB at 000007fffffd4000
[...]
Environment: 0000000000010000
kd> dd 10000
00000000`00010000 004c0041 0055004c 00450053 00530052
00000000`00010010 00520050 0046004f 004c0049 003d0045
00000000`00010020 003a0043 0044005c 0063006f 006d0075
00000000`00010030 006e0065 00730074 00610020 0064006e
00000000`00010040 00530020 00740065 00690074 0067006e
00000000`00010050 005c0073 006c0041 0020006c 00730055
00000000`00010060 00720065 002e0073 00320057 0033004b
00000000`00010070 00410000 00500050 00410044 00410054
kd> f 10000 10000+1000 0
Filled 0x1000 bytes
kd> dd 10000
00000000`00010000 00000000 00000000 00000000 00000000
00000000`00010010 00000000 00000000 00000000 00000000
00000000`00010020 00000000 00000000 00000000 00000000
00000000`00010030 00000000 00000000 00000000 00000000
00000000`00010040 00000000 00000000 00000000 00000000
00000000`00010050 00000000 00000000 00000000 00000000
00000000`00010060 00000000 00000000 00000000 00000000
00000000`00010070 00000000 00000000 00000000 00000000
Now we can save the modified complete dump file:
kd> .dump /f c:\Dumps\SecuredDump.dmp
If we want to find and erase read-write pages, for example, we can use the !vad WinDbg command to get the description of a process's virtual address ranges:
kd> !process
PROCESS fffffadfe67905a0
SessionId: 0 Cid: 085c Peb: 7fffffd4000 ParentCid: 0acc
DirBase: 232e2000 ObjectTable: fffffa8000917e10 HandleCount: 55.
Image: SystemDump.exe
VadRoot fffffadfe6f293e0 Vads 65 Clone 0 Private 388. Modified 84. Locked 0.
DeviceMap fffffa80020777c0
Token fffffa80008e5b50
ElapsedTime 00:00:06.265
UserTime 00:00:00.031
KernelTime 00:00:00.062
QuotaPoolUsage[PagedPool] 113464
QuotaPoolUsage[NonPagedPool] 5152
Working Set Sizes (now,min,max) (1429, 50, 345) (5716KB, 200KB, 1380KB)
PeakWorkingSetSize 1429
VirtualSize 61 Mb
PeakVirtualSize 63 Mb
PageFaultCount 1555
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 471
kd> !vad fffffadfe6f293e0
VAD level start end commit
fffffadfe682bdf0 ( 6) 10 10 1 Private READWRITE
fffffadfe73a0e10 ( 5) 20 20 1 Private READWRITE
fffffadfe73a0dd0 ( 4) 30 12f 8 Private READWRITE
fffffadfe71a4770 ( 5) 130 134 0 Mapped READONLY
fffffadfe781bbe0 ( 3) 140 141 0 Mapped READONLY
[…]
fffffadfe772d630 (-2) 7fffffdc 7fffffdd 2 Private READWRITE
fffffadfe788e180 (-1) 7fffffde 7fffffdf 2 Private READWRITE
Total VADs: 65 average level: 66076419 maximum depth: -1
In the output, the start and end columns are virtual page numbers (VPNs), not addresses. To get an address we need to multiply by 0x1000; for example, VPN 7fffffde corresponds to address 7fffffde000.
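Two helpers for the workflow above, added here as an example and not part of the original post: one decodes a dd listing as UTF-16LE so you can confirm what a page holds before zeroing it, the other turns !vad rows into f commands of the same form as the one used above. The samples are copied from the post's own output; the column layout assumed by the regular expression is the one shown in this post and may differ in other WinDbg versions.

```python
import re

# Constructed sample: the first `dd 10000` rows from the post (before the fill).
DD_SAMPLE = """\
00000000`00010000 004c0041 0055004c 00450053 00530052
00000000`00010010 00520050 0046004f 004c0049 003d0045
00000000`00010020 003a0043 0044005c 0063006f 006d0075
00000000`00010030 006e0065 00730074 00610020 0064006e
"""

# Constructed sample: a few `!vad` rows from the post (start/end are VPNs).
VAD_SAMPLE = """\
VAD level start end commit
fffffadfe682bdf0 ( 6) 10 10 1 Private READWRITE
fffffadfe73a0dd0 ( 4) 30 12f 8 Private READWRITE
fffffadfe71a4770 ( 5) 130 134 0 Mapped READONLY
fffffadfe788e180 (-1) 7fffffde 7fffffdf 2 Private READWRITE
"""

PAGE = 0x1000  # VPN-to-address factor from the post


def decode_dd(listing: str) -> str:
    """Reassemble little-endian `dd` dwords into bytes and decode as UTF-16LE."""
    raw = bytearray()
    for line in listing.splitlines():
        fields = line.split()
        if not fields or "`" not in fields[0]:
            continue  # not an "address dword dword ..." row
        for word in fields[1:]:
            raw += int(word, 16).to_bytes(4, "little")
    return raw.decode("utf-16-le")


def vad_fill_commands(vad_output: str, type_="Private", protect="READWRITE"):
    """Return `f start start+len 0` commands for every VAD of the given kind."""
    row = re.compile(r"^[0-9a-f]{16}\s+\(\s*-?\d+\)\s+([0-9a-f]+)\s+([0-9a-f]+)"
                     r"\s+\d+\s+(\w+)\s+(\w+)")
    cmds = []
    for line in vad_output.splitlines():
        m = row.match(line.strip())
        if not m or m.group(3) != type_ or m.group(4) != protect:
            continue
        start = int(m.group(1), 16) * PAGE
        length = (int(m.group(2), 16) - int(m.group(1), 16) + 1) * PAGE
        cmds.append(f"f {start:x} {start:x}+{length:x} 0")
    return cmds


if __name__ == "__main__":
    print(decode_dd(DD_SAMPLE))            # the ALLUSERSPROFILE variable
    print("\n".join(vad_fill_commands(VAD_SAMPLE)))
```

The first generated command is exactly the `f 10000 10000+1000 0` used above, because the environment block lives in the VAD with VPN 10.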
Filling memory with zeroes to hide data and then saving the modified crash dump works for user dumps too. Please also check the .dump command for additional security-related flags:
Another application of data hiding and modification could be creating customized crash dumps for digital forensics exercises and contests.
- Dmitry Vostokov @ DumpAnalysis.org -