Exploit Monday: 3/11/12

I’m releasing three new tools for Powershell that may be of use for those performing live-memory forensics or for penetration testers trying to pull sensitive information from memory. Dump-Memory will simply dump the contents of memory to stdout or to a raw binary file on disk. Dump-Strings is like Sysinternals Strings but it operates on memory. It will dump the strings of any readable portion of memory in both Ascii and Unicode format. Lastly, Check-MemoryProtection is more of a helper function that will return the memory page protections of any address. All of these scripts operate entirely within memory unless you explicitly choose to write to disk.

Note: For Dump-Memory and Dump-Strings to work, the Check-MemoryProtection function must be defined. It is used to ensure that an access violation doesn’t occur if you try to access an inaccessible portion of memory.

Download here: Memory-Tools.ps1

I’m always open to feature requests. Just leave a comment if there is a feature you want implemented and I will try to make that happen. For example, one feature I might consider adding is a ‘-Force’ switch that would forcibly change the protections on the requested range of memory. Currently, these tools use only the minimum level of privilege needed to query the memory of a remote process.

Here are the help files for each tool:

Dump-Memory

NAME
    Dump-Memory

SYNOPSIS
    Dumps memory contents to stdout or to disk.

    Author: Matthew Graeber (@mattifestation)
    License: GNU GPL v2

SYNTAX
    Dump-Memory [-Address] <IntPtr> [-Offset] <Int32> [-ProcessId <Int32>] [-Width <Int32>] [-DumpToFile <String>] [<CommonParameters>]

DESCRIPTION
    The Dump-Memory cmdlet displays the contents of memory to stdout. You also have the option to dump raw memory to disk.

PARAMETERS
    -Address <IntPtr>
        Specifies the base address of memory that is to be dumped.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Offset <Int32>
        Specifies the number of bytes to dump.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -ProcessId <Int32>
        Dumps the memory of the process whose ID was specified.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Width <Int32>
        Specifies how many bytes to print per line when outputting to stdout

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -DumpToFile <String>
        Specifies the path to the output file.

        When this option is specified, memory will not be displayed on stdout.

        This parameter can be in the for of an absolute or relative file path.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>$proc = ps cmd
    C:\PS>$module = $proc.MainModule
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Memory $base 0x98 -ProcessId $proc.Id

    00000000h  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..........ÿÿ..
    00000010h  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ,.......@.......
    00000020h  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000030h  00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00  ............d...
    00000040h  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ..º..'.I!,.LI!Th
    00000050h  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is.program.canno
    00000060h  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t.be.run.in.DOS.
    00000070h  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
    00000080h  4D 7C A4 8A 09 1D CA D9 09 1D CA D9 09 1D CA D9  M|☼...EU..EU..EU
    00000090h  00 65 4E D9 08 1D CA D9                          .eNU..EU

    Description
    -----------
    This command dumps the first 0x98 bytes of the main module of cmd.exe to stdout.


    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.MainModule
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Memory $base 0x120

    00000000h  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..........ÿÿ..
    00000010h  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ,.......@.......
    00000020h  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000030h  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00  ................
    00000040h  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ..º..'.I!,.LI!Th
    00000050h  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is.program.canno
    00000060h  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t.be.run.in.DOS.
    00000070h  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
    00000080h  FF 54 CD 72 BB 35 A3 21 BB 35 A3 21 BB 35 A3 21  ÿTIr»5£!»5£!»5£!
    00000090h  9C F3 D8 21 B9 35 A3 21 B2 4D 36 21 BA 35 A3 21  .óO!.5£!.M6!º5£!
    000000A0h  B2 4D 27 21 AB 35 A3 21 B2 4D 30 21 AA 35 A3 21  .M'!«5£!.M0!ª5£!
    000000B0h  BB 35 A2 21 20 35 A3 21 B2 4D 20 21 FF 35 A3 21  »5¢!.5£!.M.!ÿ5£!
    000000C0h  B2 4D 29 21 BD 35 A3 21 9C F3 DD 21 BA 35 A3 21  .M)!.5£!.óY!º5£!
    000000D0h  B2 4D 37 21 BA 35 A3 21 B2 4D 32 21 BA 35 A3 21  .M7!º5£!.M2!º5£!
    000000E0h  52 69 63 68 BB 35 A3 21 00 00 00 00 00 00 00 00  Rich»5£!........
    000000F0h  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000100h  50 45 00 00 64 86 05 00 F3 C7 5B 4A 00 00 00 00  PE..d...óÇ[J....
    00000110h  00 00 00 00 F0 00 22 00 0B 02 09 00 00 DC 00 00  ....d."......Ü..

    Description
    -----------
    This command dumps the first 0x120 bytes of the main module of the currently loaded process (powershell.exe) to stdout.


    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.MainModule
    C:\PS>$size = $module.ModuleMemorySize
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Memory $base $size -DumpToFile .\out.exe

    Description
    -----------
    This command dumps the entire memory image of powershell.exe to disk in binary format.

    Note: Execution of the dumped memory image requires fixing up the PE header.

Dump-Strings

NAME
    Dump-Strings

SYNOPSIS
    Retrieves strings from memory.

    Author: Matthew Graeber (@mattifestation)
    License: GNU GPL v2

SYNTAX
    Dump-Strings [-Address] <IntPtr> [-Offset] <Int32> [-ProcessId <Int32>] [-Encoding <String>] [-MinimumLength <Int32>] [-StringOffset] [<CommonParameters>]

DESCRIPTION
    The Dump-Strings cmdlet retrieves strings from the memory of any process.

    Dump-Strings will print both ASCII and Unicode strings to stdout. Its functionality is similar to Sysinternals strings.exe but it operates in memory.

PARAMETERS
    -Address <IntPtr>
        Specifies the memory base address.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Offset <Int32>
        Specifies the number of bytes to process.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -ProcessId <Int32>
        Dumps the strings of the process whose ID was specified. Not specifying a process ID will result in querying the address space of powershell.exe.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Encoding <String>
        Specifies the string encoding to use. The default option is 'DEFAULT' which will return both ASCII and Unicode. The other options are 'ASCII' and 'UNIC
        ODE'

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -MinimumLength <Int32>
        Specifies the minimum length string to return. The default length is 3.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -StringOffset [<SwitchParameter>]
        Specifies the offset in memory where the string occurs.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".


    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>$proc = Get-Process cmd
    C:\PS>$module = $proc.MainModule
    C:\PS>$size = $module.ModuleMemorySize
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Strings $base $size -MinimumLength 20 -ProcessId $proc.Id

    !This program cannot be run in DOS mode.
    api-ms-win-core-processthreads-l1-1-0.DLL
    SetConsoleInputExeNameW
    APerformUnaryOperation: '%c'
    APerformArithmeticOperation: '%c'
    NtQueryInformationProcess
    SaferComputeTokenFromLevel
    ImpersonateLoggedOnUser
    SaferRecordEventLogEntry
    CreateProcessAsUserW
    GetSecurityDescriptorOwner
    WNetCancelConnection2W
    __C_specific_handler
    RtlLookupFunctionEntry
    ...

    Description
    -----------
    This command prints all Ascii and Unicode strings of length > 19 in the memory space of the main module of cmd.exe.


    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.Modules | ? { $_.ModuleName -eq 'ntdll.dll' }
    C:\PS>$size = $module.ModuleMemorySize
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Strings $base $size -StringOffset -Encoding 'UNICODE'

    57416:LdrResFallbackLangList Enter
    57448:LdrResFallbackLangList Exit
    136960:KnownDllPath
    136976:\KnownDlls
    136992:\SystemRoot
    137008:\System32\
    183672:\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
    183736::%u.%u.%u.%u
    183856:%u.%u.%u.%u
    183872::%u
    184048:RtlpResUltimateFallbackInfo Enter
    184088:svchost.exe
    184104:\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
    184184:GlobalSession
    184200:\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledSessions\

    Description
    -----------
    This command prints all Unicode strings of length > 2 in the loaded module - ntdll.dll within the memory space of powershell.exe.

Check-MemoryProtection

NAME
    Check-MemoryProtection

SYNOPSIS
    Retrieves the memory protections of an arbitrary address.

    Author: Matthew Graeber (@mattifestation)
    License: GNU GPL v2

SYNTAX
    Check-MemoryProtection [-Address] <IntPtr> [[-ProcessId] <Int32>] [[-PageSize] <Int32>] [<CommonParameters>]

DESCRIPTION
    The Check-MemoryProtection cmdlet returns the memory protections of any memory address.

    Check-MemoryProtection is just a wrapper for the Windows API VirtualQuery function that outputs protections in a human-readable format.

PARAMETERS
    -Address <IntPtr>
        Specifies the address whose memory protections are to be queried.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -ProcessId <Int32>
        Queries the memory of the provided process ID.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -PageSize <Int32>
        Specifies the memory page size. This can safely be left to its default of 0x1000 bytes.

        Required?                    false
        Position?                    3
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".

OUTPUTS
    Winapi.Kernel32+MEMORY_BASIC_INFORMATION
        By default, Check-MemoryProtection returns a MEMORY_BASIC_INFORMATION structure.


    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.MainModule
    C:\PS>$base = $module.BaseAddress
    C:\PS>Check-MemoryProtection $base

    BaseAddress       : 5363597312
    AllocationBase    : 5363597312
    AllocationProtect : PAGE_EXECUTE_WRITECOPY
    RegionSize        : 4096
    State             : MEM_COMMIT
    Protect           : PAGE_READONLY
    Type              : MEM_IMAGE

    Description
    -----------
    This command returns the memory protections of the currently loaded process' base address. In this example, the memory address queried is the base addr
    of powershell.exe


    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>$proc = ps cmd
    C:\PS>$base = $proc.MainModule.BaseAddress
    C:\PS>Check-MemoryProtection $base $proc.Id

    BaseAddress       : 1246035968
    AllocationBase    : 1246035968
    AllocationProtect : PAGE_EXECUTE_WRITECOPY
    RegionSize        : 4096
    State             : MEM_COMMIT
    Protect           : PAGE_READONLY
    Type              : MEM_IMAGE

    Description
    -----------
    This command returns the memory protections of cmd.exe.


    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>Check-MemoryProtection 0x00000000

    BaseAddress       : 0
    AllocationBase    : 0
    AllocationProtect : 0
    RegionSize        : 65536
    State             : MEM_FREE
    Protect           : PAGE_NOACCESS
    Type              : 0


    Description
    -----------
    This command returns the memory protections of the null page.

Exploit Monday

Sunday, March 11, 2012

Powershell Live-Memory Analysis Tools: Dump-Memory, Dump-Strings, Check-MemoryProtection