Thread: Vmware snapshot and SSDT

  1. #1, posted by ZaiRoN (joined Oct 2001, Italy)

    Some time ago I blogged about Vmware snapshots (http://zairon.wordpress.com/2007/08/31/find-out-hidden-files-comparing-vmwares-snapshots/) introducing a way to recognize hidden files by simply comparing two snapshots. I wanted to extend my research on the subject a little bit more, but I didn’t. I got the opportunity to put my hands on some snapshots again in these days. I haven’t anything on my mind, but I was surprised by some coincidences. Look at the information below:
    [code]
    80544bc0: 804fc624 00000000 0000011c 804fca98
    80544bd0: bf995ba8 00000000 0000029a bf98f5f8
    80544be0: 00000000 00000000 00000000 00000000
    80544bf0: 00000000 00000000 00000000 00000000

    00544BC0: 24C6 4F80 0000 0000 1C01 0000 98CA 4F80 $.O………..O.
    00544BD0: A85B 99BF 0000 0000 9A02 0000 F8F5 98BF .[..............
    00544BE0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00544BF0: 0000 0000 0000 0000 0000 0000 0000 0000 ................

    [/code]

    The first 4 lines are taken from Windbg while I was debugging an XP SP1 virtual machine running under Vmware; the last 4 lines are taken from a saved Vmware snapshot (same OS of course).
    Do you see anything useful? These are KeServiceDescriptorTable[0],[1],[2],[3] and they have of course the same bytes, but there’s something else. There’s a connection between the addresses on the first lines and the offsets on the second ones: just remove the first 2 digits from the address. Do you see it? Look here: 80544BC0/544BC0, 80544BD0/544BD0, 80544BE0/544BE0, 80544BF0/544BF0.

    It seems like the kernel memory is stored inside the snapshot. That’s not totally true, indeed; only a part of the kernel memory is stored inside a Vmware snapshot. All the KeServiceDescriptorTable entries are present, btw.
    The SSDT is inside the snapshot I have and it’s complete; the SSDT Shadow seems to be inside the snapshot too, but there’s no real connection between kernel memory/snapshot addresses and it’s not complete (it needs some more research, btw).

    Is it only a coincidence? I tried with some XP machines and the result is the same; it’s possible to obtain real information on the SSDT. According to Kayaker’s test it should work on win2k (I don’t remember the service pack he was using. Thx K.).

    With this new information it’s pretty easy to code an SSDT revealer. I gave it a try and here is a result:

    You can use the program to display SSDT entries and to find out modified entries too by simply comparing an original snapshot with another one.

    To retrieve information from a snapshot you have to provide the address of KeServiceDescriptorTable[0] (something like 80544BC0, no “0x” prefix), and you have to select the OS of the virtual machine. After that you can:
    1. save an untouched SSDT using the button labelled “Create untouched SSDT”
    2. retrieve SSDT information from a snapshot by simply pushing the button labelled “Get snapshot SSDT”. Checking “Load untouched SSDT data” you can compare the original table (previously saved) with the one from the snapshot you’ll select. If a service has been changed you’ll read the word “YES” in the last column.

    I got the names of the services from this table: http://metasploit.com/users/opcode/syscalls.html
    I can’t test all the OSes; if you find one or more errors, drop me a mail.
    Following this method it’s also possible to get the list of the running processes/modules; more about this later.

    SSDT from snapshot available here: http://www.box.net/shared/static/bun81inksk.zip
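The offset trick and the untouched-vs-snapshot comparison described in the post, as an added Python example (not ZaiRoN's tool): it reads KeServiceDescriptorTable[0] from a snapshot image at `address & 0x00FFFFFF`, follows ServiceTableBase, and flags entries that differ from a saved clean table. The snapshot bytes are constructed inline from the descriptor values quoted in the post; the service table contents, the hooked index 0xAD and the hook address are made up.

```python
import struct

# Per the post: kernel VA 0x80544BC0 shows up at snapshot offset 0x544BC0,
# i.e. the VA with its leading two hex digits (0x80) stripped.
def va_to_offset(va):
    return va & 0x00FFFFFF

def read_descriptor(snap, ksdt_va):
    """Parse KeServiceDescriptorTable[0]: base, counters, count, param table."""
    base, counters, count, params = struct.unpack_from(
        "<IIII", snap, va_to_offset(ksdt_va))
    return {"ServiceTableBase": base, "CounterTableBase": counters,
            "NumberOfServices": count, "ParamTableBase": params}

def read_ssdt(snap, ksdt_va):
    """Return the service routine addresses stored in the snapshot image."""
    d = read_descriptor(snap, ksdt_va)
    off = va_to_offset(d["ServiceTableBase"])
    return list(struct.unpack_from("<%dI" % d["NumberOfServices"], snap, off))

def find_modified(untouched, current):
    """(index, original, current) for every entry that differs: the 'YES' column."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(untouched, current)) if a != b]

def load_snapshot(path):
    """Read a saved snapshot memory image (e.g. the .vmem file) from disk."""
    with open(path, "rb") as f:
        return f.read()

# Constructed sample image (not a real snapshot): the descriptor at 0x544BC0
# carries the exact values from the post; the service table is fabricated.
KSDT_VA = 0x80544BC0
HOOK_VA = 0xF8A01000   # made-up address of a third-party driver's hook

def build_sample(hooked_index=None):
    snap = bytearray(0x545000)
    struct.pack_into("<IIII", snap, va_to_offset(KSDT_VA),
                     0x804FC624, 0, 0x11C, 0x804FCA98)
    entries = [0x80500000 + 0x40 * i for i in range(0x11C)]
    if hooked_index is not None:
        entries[hooked_index] = HOOK_VA   # simulate a redirected service
    struct.pack_into("<%dI" % len(entries), snap, va_to_offset(0x804FC624), *entries)
    return bytes(snap)

if __name__ == "__main__":
    clean = read_ssdt(build_sample(), KSDT_VA)            # "untouched SSDT"
    hooked = read_ssdt(build_sample(hooked_index=0xAD), KSDT_VA)
    for idx, was, now in find_modified(clean, hooked):
        print("service 0x%02X: %08x -> %08x  YES" % (idx, was, now))
```

On a real image, replace `build_sample()` with `load_snapshot(path)` and pass the KeServiceDescriptorTable address for the guest's kernel build.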

  2. #2, posted by dELTA (Administrator, joined Oct 2000)
    Cool! I really like your VMware snapshot research ZaiRoN, it's a very good way to get god-like "Ring -1" access in many aspects, which is very cool! Keep up the good work!