RE: Flushing DLLs from memory

From: George M. Garner Jr. (gmgarnerat_private)
Date: Tue Jan 22 2002 - 20:12:37 PST

    Carv,
    
    Looking back over my mail, I do not see that anyone has responded to
    this post.  So I will attempt a response.
    
    If you are investigating a box that is running Microsoft Windows XP or
    later, you are in luck.  Windows XP includes a mechanism for loading
    different versions of shared assemblies "side-by-side."  To ensure that
    a specific assembly is loaded with your forensic application, specify an
    application manifest for the application.  An application manifest is an
    XML data structure that describes an application and the names and
    versions of shared and private side-by-side assemblies that the
    application binds to at run time.  A manifest may include hashes and
    hash algorithms in the description of dependent assemblies.
    Application manifests may be installed in two locations: they may be
    bound to the application as a resource, or they may be installed as a
    separate file in the same directory as the application.  The following
    is an example of an application manifest taken from the Microsoft
    Platform SDK, August 2001 Edition, sub voce "Application Manifest:"
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1"
    manifestVersion="1.0">
      <assemblyIdentity type="win32" 
                        name="myOrganization.myDivision.mySampleApp" 
                        version="6.0.0.0" 
                        processorArchitecture="x86" 
                        publicKeyToken="6595b64144ccf1df"
      />
      <dependency>
        <dependentAssembly>
          <assemblyIdentity type="win32" 
                            name="Microsoft.Windows.Common-Controls" 
                            version="6.0.0.0" 
                            processorArchitecture="X86" 
                            publicKeyToken="6595b64144ccf1df" 
                            language="*"
          />
        </dependentAssembly>
      </dependency>
    </assembly>
    
    Versions of Microsoft operating systems prior to Windows XP do not
    support side-by-side assemblies.  
    
    At this point it is important to note the limitations of the method.
    Even on Windows XP, the success of this strategy will depend upon the
    level at which the subject system has been compromised.  On Windows NT
    and its progeny, code executes at one of two privilege levels: user mode
    (ring three in Intel terminology) or kernel mode (ring zero in Intel
    terminology).  Application manifests are designed to ensure the
    integrity of user mode libraries that are dynamically linked with an
    application.  User mode code does not directly call kernel mode code,
    however.  In addition, most device drivers do not export any symbols.
    You communicate with them via IOCTL codes.  You cannot link with a file
    system or keyboard driver, for example.  If a kernel mode root kit has
    been installed on your system you are toast, application manifests or
    not.
    
    Regards,
    
    George.
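
The manifest format described above can be checked mechanically before a forensic tool is burned to CD.  The following is an added example (not code from the original post or from the Platform SDK) that parses a Win32 application manifest with Python's standard library and reports any dependent assembly whose identity is not fully pinned (missing or wildcarded version, no publicKeyToken, no processorArchitecture).  The first sample input is the manifest quoted above; the second is a constructed, deliberately loose manifest with made-up assembly names (example.tool, example.helper) used only to show the check firing.

```python
"""Parse a Win32 side-by-side application manifest and check that every
dependent assembly is pinned tightly enough that the loader cannot bind
an arbitrary assembly of the same name.  Added example, not code from
the original post."""
import xml.etree.ElementTree as ET

ASM_NS = "urn:schemas-microsoft-com:asm.v1"
NS = {"asm": ASM_NS}

# The manifest quoted in the message above, used as the first sample input.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="myOrganization.myDivision.mySampleApp"
                    version="6.0.0.0" processorArchitecture="x86"
                    publicKeyToken="6595b64144ccf1df"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
                        version="6.0.0.0" processorArchitecture="X86"
                        publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""

# Constructed, deliberately loose manifest (names are made up): the
# dependency has a wildcard version and no publicKeyToken.
WEAK_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="example.tool" version="1.0.0.0"
                    processorArchitecture="x86"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="example.helper" version="*"
                        processorArchitecture="x86"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""


def parse_manifest(xml_text):
    """Return {'application': identity, 'dependencies': [identity, ...]},
    where each identity is the attribute dict of an <assemblyIdentity>."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "{%s}assembly" % ASM_NS:
        raise ValueError("not an asm.v1 application manifest: %s" % root.tag)
    app = root.find("asm:assemblyIdentity", NS)
    if app is None:
        raise ValueError("manifest has no top-level assemblyIdentity")
    deps = root.findall(
        "asm:dependency/asm:dependentAssembly/asm:assemblyIdentity", NS)
    return {"application": dict(app.attrib),
            "dependencies": [dict(d.attrib) for d in deps]}


def check_dependencies(manifest):
    """Return a list of findings, one per attribute that leaves a dependent
    assembly's identity open.  An empty list means every dependency names
    an exact version, a strong name and an architecture."""
    findings = []
    for dep in manifest["dependencies"]:
        name = dep.get("name")
        if not name:
            findings.append("dependency without a name attribute")
            name = "<unnamed>"
        version = dep.get("version")
        if not version or "*" in version:
            findings.append("%s: version missing or wildcarded (%r)"
                            % (name, version))
        if not dep.get("publicKeyToken"):
            findings.append("%s: no publicKeyToken, dependency is not bound "
                            "to a strongly named assembly" % name)
        if not dep.get("processorArchitecture"):
            findings.append("%s: processorArchitecture not specified" % name)
    return findings


if __name__ == "__main__":
    for label, text in (("SDK sample", SAMPLE_MANIFEST),
                        ("weak sample", WEAK_MANIFEST)):
        problems = check_dependencies(parse_manifest(text))
        print(label, "->", problems or "all dependencies pinned")
```

Run against the SDK sample the check reports nothing; against the constructed manifest it reports the wildcard version and the missing publicKeyToken.  As the message notes, this only speaks to the user mode binding: a manifest that passes the check says nothing about kernel mode code on the subject system.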
    
    
    -----Original Message-----
    From: H C [mailto:keydet89at_private] 
    Sent: Friday, October 19, 2001 8:31 PM
    To: forensicsat_private; focus-msat_private
    Subject: Flushing DLLs from memory
    
    I've been looking into 'live' forensics issues on
    NT/2K, and one thing I'm not having any luck with is
    how to flush DLLs from memory.
    
    Looking at Rob Lee's page, he's working on
    statically-linked binaries for the *nix platforms.
    This is an interesting issue, but perhaps not as
    simple for NT/2K.  I know how to check for which DLLs
    a particular program depends on, and I know that the
    program and its DLLs can be loaded onto a CD...the
    program can be run from a command prompt after
    supplying 'PATH="."'.  However, how does one flush the
    currently loaded DLLs from memory such that only the
    'known good' DLLs from the CD are used?
    
    Thanks,
    
    Carv
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 13:43:09 PST