GDI Utilities: Taking Screenshots of Memory Dumps

I've posted about this before (twice!), but somehow never gotten around to releasing functioning code. Here (click), for your downloading pleasure, is a set of plugins designed to extract information about on-screen (graphical) windows from Windows XP SP2/3 memory images. This includes:
  • window_list - give a text listing of the window hierarchy, with each window's on-screen coordinates, current style, and its class (Button, Window, etc.). Here's some example output to whet your appetite.
  • screenshot - save a wireframe "screenshot" of the on-screen windows in a memory image. See later in this post for some examples. Requires PIL.
  • wndmon - continuously monitor a memory image and provide an updating view of the on-screen windows. Works best in a live environment, e.g. with XenAccess and PyXa. Requires PyGame. (This is what I used for the video demo).
All three plugins require the distorm disassembly library to work. I had a bit of trouble getting it to work under Linux, so here's the steps required so you don't have to go through the pain:
  1. Get distorm3 from its Google Code site.
  2. Go into build/linux and type "make".
  3. Copy the resulting libdistorm3.so into the Python directory.
  4. Rename the Python directory to "distorm" and move it somewhere in your Python path (I use Debian, and found that /usr/local/lib/python2.6/dist-packages/ worked well).
Hopefully this is a bit simpler under Windows, but I don't have a Windows box handy so I can't test that at the moment.

Have fun with the code. If you go exploring in the source, you may find some interesting things -- there's more functionality there than is exposed through the plugins, including some functions and data structures that can extract HTML content from IE in memory... ;)

Anyway, to wrap things up, here's an example of the output from the screenshot plugin, running on the two NIST memory images:

From the 6/25 image:



From the 7/4 image:



And that, my friends, is the power of memory analysis.

Comments

Paul Bobby said…
This is the error I get when running

$ python volatility window_list -f ram.dd

Traceback (most recent call last):
File "volatility", line 219, in
main()
File "volatility", line 215, in main
command.execute()
File "memory_plugins/windowlist.py", line 142, in execute
UserAtomTableHandle = read_value(addr_space, 'pointer', atom_table_off)
File "/cygdrive/d/Downloads/Volatility-1.3_Beta/forensics/object.py", line 71, in read_value
AttributeError: 'NoneType' object has no attribute 'read'
July 16, 2010 at 1:09 PM
Paul Bobby said…
This comment has been removed by the author.
August 21, 2010 at 12:20 AM
Paul Bobby said…
I get the error because I was trying this against an SP3 memory image and not SP2
August 21, 2010 at 12:33 AM
VM Forensics said…
I'm trying this against SP3 as well. Does anyone know the offsets?
September 30, 2010 at 4:44 PM
Sherif Eldeeb said…
root@bt:/pentest/forensics/volatility# ./volatility screenshot -f ~/CH3/Windows\ XP\ Professional.vmem
Traceback (most recent call last):
File "./volatility", line 219, in
main()
File "./volatility", line 215, in main
command.execute()
File "memory_plugins/screenshot.py", line 113, in execute
atom_table_off = find_atomtable(addr_space, types, symtab, theProfile)
File "/pentest/forensics/volatility/forensics/win32/findatomtable.py", line 94, in find_atomtable
uaa_addr = find_UserAddAtom(thrd.vm, reg_addr)
File "/pentest/forensics/volatility/forensics/win32/findatomtable.py", line 55, in find_UserAddAtom
asm = Decode(reg_addr, fn_data, Decode32Bits)
File "/usr/lib/python2.5/distorm/__init__.py", line 440, in Decode
return list( DecodeGenerator(offset, code, type) )
File "/usr/lib/python2.5/distorm/__init__.py", line 408, in DecodeGenerator
p_code = byref(code_buf, instruction_off)
TypeError: byref() takes exactly one argument (2 given)

=======================
Steps taken - linux "BackTrack4R2"
1- downloaded http://distorm.googlecode.com/files/distorm3.zip
2- unzip && cd include && cp * ../
I did that because of error complaining about missing files
3- cd ../make/linux && make
the result was libdistorm3.so
4- put libdistorm3.so & __init__.py in one directory called "distorm" && cp /usr/lib/python2.5/

thanks in advance for the help, and thanks for your excellent tools that have proven to be life-savers...
March 15, 2011 at 1:15 AM
Sherif Eldeeb said…
Sorry, was using python 2.5, and the tool asks for 2.6 minimum.

It works! :)

thanks again, and again, your tool made me look good...
March 16, 2011 at 4:16 AM
Mic said…
Is there a new version for Volatility 2.0 available?
August 17, 2011 at 11:00 AM
Mic said…
Using Volatility 1.3 I got window_list to work: Great Stuff!
I use a Win7 system and the solution for getting distorm imported was copying

c:\Python27\Lib\site-packages\distorm3\ to

c:\Python27\Lib\site-packages\distorm\

Sadly screenshot as the most impressive feature caused an error:

c:\Micha\Forensics\Volatility-1.4>python volatility screenshot -f D:\X-Ways-Images\RAMHans_RipperFRES.001
Saving screenshot to 624.81d64980.png
Traceback (most recent call last):
File "volatility", line 219, in
main()
File "volatility", line 215, in main
command.execute()
File "c:\Micha\Forensics\Volatility-1.4\memory_plugins/screenshot.py", line 152, in execute
gdi.traverse_windows(win, fun=draw_win, do_node=gdi.is_visible)
File "c:\Micha\Forensics\Volatility-1.4\forensics\win32\gdi.py", line 306, in traverse_windows
traverse_windows(cur.pChildWindow,fun=fun,do_node=do_node,level=level+1)
File "c:\Micha\Forensics\Volatility-1.4\forensics\win32\gdi.py", line 306, in traverse_windows
traverse_windows(cur.pChildWindow,fun=fun,do_node=do_node,level=level+1)
File "c:\Micha\Forensics\Volatility-1.4\forensics\win32\gdi.py", line 303, in traverse_windows
fun(cur, level)
File "c:\Micha\Forensics\Volatility-1.4\memory_plugins/screenshot.py", line 138, in draw_win
text = gdi.get_editbox_text(win)
File "c:\Micha\Forensics\Volatility-1.4\forensics\win32\gdi.py", line 427, in get_editbox_text
return ed.hBuf
File "c:\Micha\Forensics\Volatility-1.4\forensics\object2.py", line 96, in __getattribute__
return object.__getattribute__(self, attr)
File "c:\Micha\Forensics\Volatility-1.4\memory_objects\Windows/gdi.py", line 163, in getBuf
s = RtlRunDecodeUnicodeString(self.encKey, s)
File "c:\Micha\Forensics\Volatility-1.4\forensics\object2.py", line 109, in __getattribute__
off = self.get_member_offset(attr, relative=True)
File "c:\Micha\Forensics\Volatility-1.4\forensics\object2.py", line 200, in get_member_offset
thisMemberType = self.type.get_member(memname)
File "c:\Micha\Forensics\Volatility-1.4\forensics\object2.py", line 413, in get_member
return self.members[memname]
KeyError: 'encKey'

Any help appreciated...
August 18, 2011 at 10:21 AM
Mic said…
With me as his guinea pig Brendan he has checked out a typo (BEnckey instead of encKey) and I have maneged it to port screenshot to windows: Cool stuff. THX a lot or the support.
@Brendan: The Vol2.0-version will be launched this week, right? ;-)
August 22, 2011 at 4:21 AM
Post a Comment

Popular posts from this blog

Someone’s Been Messing With My Subnormals!

Image
TL;DR: After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results. Once Upon a Time in My Terminal Recently, whenever I tried to import certain Python packages (notably, some models from Huggingface Transformers), I would see this weird and unsightly warning: Python 3.8.10 (default, Jun 22 2022, 20:18:18)   Type 'copyright', 'credits' or 'license' for more information IPython 8.4.0 -- An enhanced Interactive Python. Type '?' for help. In [ 1 ]: from transformers import CodeGenForCausalLM /home/moyix/.virtualenvs/sfcodegen/lib/python3.8/site-packages/numpy/core/getlimits.py:498: UserWarning: The value of the smallest subnormal for <class 'numpy.
Read more

Decrypting LSA Secrets

The LSA secrets store is a protected storage area used the the Local Security Authority (LSA) system in Windows to keep important pieces of information safe from prying eyes. As with Syskey, however, we will see that these secrets are only obfuscated, and once the mechanism is known, we can extract them from the registry with ease. Even without knowing the obfuscation algorithm, however, it is possible to read the values of this data using the LsarQuerySecret function exported by lsasrv.dll, but only if one has the LocalSystem privilege (for example, if the process is running under the SYSTEM account). What kind of data is stored in these secrets? Here are a few that I've come across: $MACHINE.ACC : has to do with domain authentication, see KB175468 DefaultPassword : password used to logon to Windows if auto-logon is enabled NL$KM : secret key used to encrypt cached domain passwords L$RTMTIMEBOMB_[...] : FILETIME giving the date when an unactivated copy of Windows w
Read more

SysKey and the SAM

The Security Accounts Manager The Security Accounts Manager , or SAM, has been used by Windows since the days of NT to store information on local user accounts (or, in the case of a domain controller, the accounts for all users on the domain). It takes the form of a registry hive, and is stored in %WINDIR%\system32\config . Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. The LanMan hash has many flaws: It is not salted, and is thus vulnerable to precomputed dictionary attacks such as rainbow tables . The hash is split into two 7-byte pieces, which allows attacks to be performed against each piece at the same time. This also means that if the password is shorter than 7 characters, the last half of the hash will be a constant value. The password is converted to uppercase before hashing, which reduces the keyspace. The LM hash is computed by padding or truncating the password to 14 characters, splitting it into two halves, and then usin
Read more