Carv,

Looking back over my mail, I do not see that anyone has responded to this post. So I will attempt a response.

If you are investigating a box that is running Microsoft Windows XP or later, you are in luck. Windows XP includes a mechanism for loading different versions of shared assemblies "side-by-side." To ensure that a specific assembly is loaded with your forensic application, specify an application manifest for the application. An application manifest is an XML data structure that describes an application and the names and versions of shared and private side-by-side assemblies that the application binds to at run time. A manifest may include hashes and hash algorithms in the description of dependent assemblies.

Application manifests may be installed in two locations: they may be bound to the application as a resource, or they may be installed as a separate file in the same directory as the application.

The following is an example of an application manifest taken from the Microsoft Platform SDK, August 2001 Edition, sub voce "Application Manifest":

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity type="win32"
                        name="myOrganization.myDivision.mySampleApp"
                        version="6.0.0.0"
                        processorArchitecture="x86"
                        publicKeyToken="6595b64144ccf1df" />
      <dependency>
        <dependentAssembly>
          <assemblyIdentity type="win32"
                            name="Microsoft.Windows.Common-Controls"
                            version="6.0.0.0"
                            processorArchitecture="X86"
                            publicKeyToken="6595b64144ccf1df"
                            language="*" />
        </dependentAssembly>
      </dependency>
    </assembly>

Versions of Microsoft operating systems prior to Windows XP do not support side-by-side assemblies.

At this point it is important to note the limitations of the method. Even on Windows XP, the success of this strategy will depend upon the level at which the subject system has been compromised.

On Windows NT and its progeny, code executes at one of two privilege levels: user mode (ring three in Intel terminology) or kernel mode (ring zero in Intel terminology). Application manifests are designed to ensure the integrity of user mode libraries that are dynamically linked with an application. User mode code does not directly call kernel mode code, however. In addition, most device drivers do not export any symbols; you communicate with them via IOCTL codes. You cannot link with a file system or keyboard driver, for example. If a kernel mode rootkit has been installed on your system you are toast, application manifests or not.

Regards,
George.

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Friday, October 19, 2001 8:31 PM
To: forensicsat_private; focus-msat_private
Subject: Flushing DLLs from memory

I've been looking into 'live' forensics issues on NT/2K, and one thing I'm not having any luck with is how to flush DLLs from memory. Looking at Rob Lee's page, he's working on statically-linked binaries for the *nix platforms. This is an interesting issue, but perhaps not as simple for NT/2K.

I know how to check for which DLLs a particular program depends on, and I know that the program and its DLLs can be loaded onto a CD...the program can be run from a command prompt after supplying 'PATH="."'. However, how does one flush the currently loaded DLLs from memory such that only the 'known good' DLLs from the CD are used?

Thanks,
Carv

__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
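A practitioner preparing a forensic toolkit of the kind George describes would want to generate the manifest for the tool and, before burning the CD, check that every dependency it declares is pinned to the version and publicKeyToken the tool was tested against. The script below is an added example, not code from the thread or from Microsoft; it assumes only the manifest layout shown in the Platform SDK sample above (the asm.v1 namespace and the assemblyIdentity / dependency / dependentAssembly elements). The allowlist of expected versions and all function names are constructed here for illustration.

```python
"""Build and audit a Win32 application manifest (added example).

Assumes only the layout of the Platform SDK sample quoted in the thread.
KNOWN_GOOD and the helper names below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ASM_NS = "urn:schemas-microsoft-com:asm.v1"
ET.register_namespace("", ASM_NS)  # serialise with a default xmlns, as the SDK sample does

# The SDK sample manifest from the thread, embedded here as test input.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="myOrganization.myDivision.mySampleApp"
      version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0" processorArchitecture="X86"
          publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""

# Constructed allowlist: assembly name -> (version, publicKeyToken) that the
# forensic tool was built and tested against.
KNOWN_GOOD = {
    "Microsoft.Windows.Common-Controls": ("6.0.0.0", "6595b64144ccf1df"),
}


def _q(tag):
    """Qualify a tag name with the asm.v1 namespace."""
    return "{%s}%s" % (ASM_NS, tag)


def build_manifest(app, deps):
    """Serialise an application manifest.

    app  : attributes of the application's own assemblyIdentity
    deps : list of attribute dicts, one per dependent assembly
    """
    root = ET.Element(_q("assembly"), manifestVersion="1.0")
    ET.SubElement(root, _q("assemblyIdentity"), dict({"type": "win32"}, **app))
    for d in deps:
        dep = ET.SubElement(root, _q("dependency"))
        holder = ET.SubElement(dep, _q("dependentAssembly"))
        ET.SubElement(holder, _q("assemblyIdentity"), dict({"type": "win32"}, **d))
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body


def parse_manifest(xml_text):
    """Return the assemblyIdentity attributes of every dependent assembly."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    path = "./%s/%s/%s" % (_q("dependency"), _q("dependentAssembly"), _q("assemblyIdentity"))
    return [dict(el.attrib) for el in root.iterfind(path)]


def audit_dependencies(deps, known_good=KNOWN_GOOD):
    """Compare declared dependencies against the allowlist.

    Returns a list of findings; an empty list means every dependency is
    pinned to a known version and signer token.
    """
    findings = []
    for d in deps:
        name = d.get("name", "<unnamed>")
        version = d.get("version", "")
        token = d.get("publicKeyToken", "")
        if name not in known_good:
            findings.append("%s: not in allowlist" % name)
            continue
        want_version, want_token = known_good[name]
        if version != want_version:
            findings.append("%s: version %r, expected %r" % (name, version, want_version))
        if token != want_token:
            findings.append("%s: publicKeyToken %r, expected %r" % (name, token, want_token))
    return findings


if __name__ == "__main__":
    report = audit_dependencies(parse_manifest(SAMPLE_MANIFEST))
    for line in report or ["all dependencies pinned to known-good versions"]:
        print(line)
```

Run against the SDK sample the audit reports nothing; change the declared version of Common-Controls, or add a dependency the allowlist has never seen, and it names the offending assembly. As George notes, this only governs which user-mode libraries the loader binds; it says nothing about what a kernel-mode component may have done to the system underneath.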
This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 13:43:09 PST