qwhai / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

sanity check for tokens (getsids) #176

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Just pasting this here before I forget. Recently I found a process with psscan 
and then passed the physical offset to getsids. The output was scary:

csrss.exe (616): 
S-104-129-0-0-0-0-0-0-0-0-0-0-0-0-2176604832-2176604720-0-0-0-0-0-0-0-0-0-0-0-0-
2176604888-2176604776-0-0-0-0-0-0-0-0-0-0-0-0-2153081672-2176604832-0-0-0-0-0-0-
0-0-0-0-0-0-172949562-3849480276-1-0-2176634016-570425344-1-3774879382-7340038-0
-2176604984-2176604984-2176604992-2176604992-4193005568-4192993280-0-0-419300487
2-1280-385878528-2176605028-2176605028-2176605036-2176605036-2176632880-0-5792-0
-0-0-2176605088-0-2153096256-415066-100663304
WARNING : volatility.obj      : Invalid Address 0x00000000, instantiating _SID
csrss.exe (616): S--129
WARNING : volatility.obj      : Invalid Address 0x00000000, instantiating _SID
csrss.exe (616): S--129
WARNING : volatility.obj      : Invalid Address 0xF9EBF000, instantiating _SID
....
WARNING : volatility.obj      : Array UserAndGroups, Invalid position 113495
csrss.exe (616): S--129
WARNING : volatility.obj      : Array UserAndGroups, Invalid position 113496
....

Apparently the EPROCESS is terminated (though ExitTime is 0), and the 
EPROCESS.Token points to kernel mode (so it passes the Token.is_valid() check). 
However, the address pointed to by EPROCESS.Token is no longer a valid TOKEN 
object. 

Here's a sanity check for the getsids plugin that fixed it in my case. 

tok = task.Token.dereference_as("_TOKEN")

# sanity check - TokenInUse is a boolean, so any other value means the
# Token pointer no longer references a live _TOKEN; skip this task
if tok.TokenInUse not in (0, 1):
    outfd.write("{0} ({1}): Token appears invalid (TokenInUse: {2})\n".format(
        task.ImageFileName, int(task.UniqueProcessId), tok.TokenInUse))
    continue

In some cases, it would be possible to have an invalid TOKEN but the 
TOKEN.TokenInUse is 0 or 1...causing the plugin to still print garbage, but at 
least there's *less* of a chance of that happening with the sanity check. 

Original issue reported on code.google.com by michael.hale@gmail.com on 11 Jan 2012 at 5:21

GoogleCodeExporter commented 9 years ago
Just FYI, for OS that have a TOKEN.TokenType (I think that's everything except 
XP), we can also use that as an additional sanity check. 

TOKEN.TokenType is 1 (TokenPrimary) or 2 (TokenImpersonation). Anything else is 
invalid. 

If you guys think these checks would be useful additions to the plugin, I will 
draft up a patch. 

Original comment by michael.hale@gmail.com on 11 Jan 2012 at 8:35
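The two checks proposed in this thread (TokenInUse must be 0 or 1; TokenType, where the OS has that field, must be 1 or 2), as an added stand-alone example that is not the plugin's code and does not use Volatility's object model: the token is passed in as a dict of already-read field values, which is this example's own assumption. It also goes one step beyond the thread by checking each SID in UserAndGroups structurally (Revision must be 1, SubAuthorityCount at most 15), since the "S-104-129-0-0-..." output above is exactly what a non-SID blob looks like once it is formatted as one. The sample tokens are constructed, not taken from a real image.

```python
"""Structural sanity checks for a process token and its SIDs.

Token checks follow the issue thread (TokenInUse boolean, TokenType 1 or 2).
SID layout is the standard Windows SID structure: Revision (1 byte),
SubAuthorityCount (1 byte), IdentifierAuthority (6 bytes, big-endian), then
SubAuthorityCount little-endian DWORDs. Field values arrive as a plain dict;
that input format is an assumption of this example, not Volatility's API.
"""
import struct
from typing import Dict, List, Optional, Tuple

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15      # hard limit of the SID structure
TOKEN_PRIMARY, TOKEN_IMPERSONATION = 1, 2


def parse_sid(buf: bytes) -> Tuple[Optional[str], str]:
    """Return (sid_string, reason); sid_string is None if buf is not a SID."""
    if len(buf) < 8:
        return None, "shorter than SID header"
    revision, count = buf[0], buf[1]
    if revision != SID_REVISION:
        return None, "Revision %d != %d" % (revision, SID_REVISION)
    if count > SID_MAX_SUB_AUTHORITIES:
        return None, "SubAuthorityCount %d > %d" % (count, SID_MAX_SUB_AUTHORITIES)
    if len(buf) < 8 + 4 * count:
        return None, "truncated: %d sub-authorities expected" % count
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, "ok"


def token_problems(token: Dict) -> List[str]:
    """Return the reasons a token looks invalid; an empty list means it passed.

    token keys: TokenInUse (int), TokenType (int, optional: XP has no such
    field, so its absence is not an error), UserAndGroups (list of raw SIDs).
    """
    problems = []
    in_use = token.get("TokenInUse")
    if in_use not in (0, 1):
        problems.append("TokenInUse %r is not boolean" % (in_use,))
    if "TokenType" in token and token["TokenType"] not in (TOKEN_PRIMARY, TOKEN_IMPERSONATION):
        problems.append("TokenType %r not in (1, 2)" % (token["TokenType"],))
    for i, raw in enumerate(token.get("UserAndGroups", [])):
        sid, reason = parse_sid(raw)
        if sid is None:
            problems.append("UserAndGroups[%d]: %s" % (i, reason))
    return problems


def make_sid(authority: int, *subs: int) -> bytes:
    """Build a well-formed SID blob (used only to construct sample data)."""
    return (bytes([SID_REVISION, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed samples. GOOD_TOKEN carries SYSTEM (S-1-5-18) and
# Administrators (S-1-5-32-544). GARBAGE_TOKEN mimics a Token pointer that
# lands on reused memory: every field is arbitrary, and the first "SID"
# starts with the bytes 104, 129 seen in the output above.
GOOD_TOKEN = {"TokenInUse": 1, "TokenType": TOKEN_PRIMARY,
              "UserAndGroups": [make_sid(5, 18), make_sid(5, 32, 544)]}
GARBAGE_TOKEN = {"TokenInUse": 2176604832, "TokenType": 0,
                 "UserAndGroups": [bytes([104, 129]) + b"\x00" * 14,
                                   bytes([1, 129]) + b"\x00" * 14]}

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("garbage", GARBAGE_TOKEN)):
        print(name, token_problems(tok) or ["ok"])
```

Running the module prints an empty problem list for the good token and four findings for the garbage one (non-boolean TokenInUse, TokenType 0, a SID with Revision 104, a SID with 129 sub-authorities); only the first two correspond to checks the thread itself proposes.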

GoogleCodeExporter commented 9 years ago
Sounds like it would be worthwhile to me, but it's a low priority issue, so no 
rush... ;)

Original comment by mike.auty@gmail.com on 11 Jan 2012 at 9:49

GoogleCodeExporter commented 9 years ago
Fixed in r1550 

Original comment by michael.hale@gmail.com on 13 Mar 2012 at 3:07