Hardening Dump Security: beware of PEB data

Previously I wrote about security options in WinDbg but recently discovered that PEB is included with sensitive data for full user dumps despite stack and page cleaning and removing module paths. Module paths are removed indeed from lmv command output but _PEB.Ldr lists contain full module path information:

0:000> dt _PEB Ldr
ntdll!_PEB
   +0x018 Ldr : Ptr64 _PEB_LDR_DATA

0:000> dt _PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr64 Void
   +0×010 InLoadOrderModuleList : _LIST_ENTRY
   +0×020 InMemoryOrderModuleList : _LIST_ENTRY
   +0×030 InInitializationOrderModuleList : _LIST_ENTRY

   +0×040 EntryInProgress  : Ptr64 Void

0:000> !peb
PEB at 000007fffffdb000
[...]

You can see this in the dump sample saved with /r and /R options:

ftp://dumpanalysis.org/pub/LargeHeapAllocations.zip 

The only options I see currently are:

  • - Custom minidumps: do not save process dumps containing full user space with /ma or /mf option for .dump command 

  • - Include PEB but erase specific sections and regions pointed to like environment blocks. See the previous Data Hiding in Crash Dumps post.

  • - Erase specific ASCII or UNICODE fragments manually using any binary editor. This was done for the dump file above.

  • Do not send dumps but logs. See All at once: postmortem logs and dump files.

Anyway manual inspection of a dump saved with security options is recommended before sending it. 

- Dmitry Vostokov @ DumpAnalysis.org -

Leave a Reply

You must be logged in to post a comment.