Difference between pages "Rekall" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Linux)
 
 
Line 1: Line 1:
{{Infobox_Software |
+
{{expand}}
  name = Rekall |
+
  maintainer = [[Michael Cohen]] |
+
  os = {{Cross-platform}} |
+
  genre = {{Memory analysis}}, {{Memory imaging}} |
+
  license = {{GPL}} |
+
  website = [https://code.google.com/p/rekall/ code.google.com/p/rekall/] |
+
}}
+
  
Rekall is the stand-alone continuation of the [[Volatility]] Technology Preview (TP) version, aka the scudette branch.
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
  
One of Rekalls goals is to provide better integration with [[GRR]] by improved modularity of the framework and having memory acquisition capability.[http://docs.rekall.googlecode.com/git/overview.html#_history]
+
There are multiple families of executable files:
 +
* Scripts; e.g. shell scripts, batch scripts (.bat)
 +
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 +
  * EFI fat binary
 +
* ELF
 +
* Mach-O
  
== Memory acquisition drivers ==
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
 +
* [ftp://ftp.cs.wisc.edu/paradyn/papers/Rosenblum10prov.pdf Extracting Compiler Provenance from Program Binaries], by Nathan E. Rosenblum, Barton P. Miller, Xiaojin Zhu, June 2010
  
The drivers can be found under:
+
=== ELF ===
<pre>
+
* [http://robinhoksbergen.com/papers/howto_elf.html Manually Creating an ELF Executable], by Robin Hoksbergen
rekall/tools/linux
+
rekall/tools/osx
+
rekall/tools/windows
+
</pre>
+
  
=== Linux ===
+
=== MZ, PE/COFF ===
In rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.
+
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
 +
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
 +
* [http://msdn.microsoft.com/en-us/magazine/ms809762.aspx Peering Inside the PE: A Tour of the Win32 Portable Executable File Format], by Matt Pietrek, March 1994
 +
* [http://www.microsoft.com/msj/0797/hood0797.aspx Under the Hood], by Matt Pietrek, July 1997
 +
* [http://msdn.microsoft.com/en-us/magazine/cc301805.aspx An In-Depth Look into the Win32 Portable Executable File Format], by Matt Pietrek, February 2002
 +
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
 +
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
 +
* [http://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/ Carving up EFI fat binaries], by snare, February 24, 2012
  
==== pmem ====
+
=== DBG, PDB ===
To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:
+
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
<pre>
+
* [http://www.debuginfo.com/articles/debuginfomatch.html Matching Debug Information], by debuginfo.com
cd rekall/tools/linux/
+
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
make
+
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
</pre>
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
 +
* [http://web.archive.org/web/20070915060650/http://www.x86.org/ftp/manuals/tools/sym.pdf Internet Archive: Microsoft Symbol and Type Information], by [[Microsoft]]
 +
* [http://pierrelib.pagesperso-orange.fr/exec_formats/MS_Symbol_Type_v1.0.pdf Microsoft Symbol and Type Information]
 +
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 +
* [http://sourceforge.net/p/mingw-w64/code/HEAD/tree/experimental/tools/libmsdebug/ libmsdebug], by the [[MinGW|MinGW project]]
 +
* [http://moyix.blogspot.com/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
  
The acquisition driver is named pmem.ko.
+
=== Minidump ===
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms680378(v=vs.85).aspx MSDN: MINIDUMP_HEADER structure]
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h], by [[Google]], 2006
 +
* [http://moyix.blogspot.com/2008/05/parsing-windows-minidumps.html Parsing Windows Minidumps], by [[Brendan Dolan-Gavitt]], May 7, 2008
 +
* [http://web.archive.org/web/20110814041817/http://www.stackhash.com/blog/post/Format-of-a-minidump-(mdmp)-file.aspx Format of a minidump (mdmp) file], Internet Archive: StackHash blog, May 16, 2011
  
To load the driver:
+
=== Mach-O ===
<pre>
+
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
sudo insmod pmem.ko
+
</pre>
+
  
To check if the driver is running:
+
=== Packers ===
<pre>
+
* [http://www.woodmann.com/crackz/Packers.htm Packers & Unpackers]
sudo lsmod
+
</pre>
+
  
The driver create a device file named:
+
== Tools ==
<pre>
+
/dev/pmem
+
</pre>
+
  
To unload the driver:
+
=== MZ, PE/COFF ===
<pre>
+
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
sudo rmmod pmem
+
</pre>
+
  
To read acquire the memory just read from the device file. e.g.
+
=== PDB ===
<pre>
+
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
dd if=/dev/pmem of=image.raw
+
</pre>
+
  
For more information see:
+
=== Minidump ===
<pre>
+
* [http://support.microsoft.com/kb/315271 Dumpchk.exe], by [[Microsoft]]
rekall/tools/linux/README
+
* [http://amnesia.gtisc.gatech.edu/~moyix/minidump.py minidump.py], by [[Brendan Dolan-Gavitt]]
</pre>
+
 
+
=== Mac OS X ===
+
 
+
For more information see:
+
<pre>
+
rekall/tools/osx/OSXPMem/README
+
</pre>
+
 
+
=== Windows ===
+
Since recent versions of Windows require a signed driver rekall comes with both pre-built (signed binary) and source versions of the driver.
+
 
+
Both the i386 and amd64 binary version of the driver can be found in the directory:
+
<pre>
+
rekall/tools/windows/winpmem/binaries
+
</pre>
+
 
+
E.g.
+
<pre>
+
rekall/tools/winpmem/binaries/amd64/winpmem.sys
+
</pre>
+
 
+
A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:
+
<pre>
+
rekall/tools/winpmem/executables/Release/
+
</pre>
+
 
+
To load the driver:
+
<pre>
+
winpmem.exe -l
+
</pre>
+
 
+
The device filename is (This can not be changed without recompiling):
+
<pre>
+
\\.\pmem
+
</pre>
+
 
+
Note that running dd directly on this device file can crash the machine.
+
Use the winpmem.exe tool instead because it handles protected memory regions.
+
 
+
To read and acquire the physical memory and write it to image.raw:
+
<pre>
+
winpmem.exe image.raw
+
</pre>
+
 
+
To unload the driver:
+
<pre>
+
winpmem.exe -u
+
</pre>
+
 
+
For more information see:
+
<pre>
+
rekall/tools/windows/README
+
</pre>
+
 
+
== See Also ==
+
* [[Memory analysis]]
+
* [[Memory Imaging]]
+
* [[Volatility]]
+
 
+
== External Links ==
+
* [https://code.google.com/p/rekall/ Project site]
+
* [http://docs.rekall.googlecode.com/git/index.html Project documentation]
+
* [http://rekall-forensic.blogspot.com/ Rekall Memory Forensics blog]
+
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2013.html Anti-forensic resilient memory acquisition]] by [[Johannes Stüttgena]] [[Michael Cohen]], August 2013
+
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgena]] [[Michael Cohen]], May 2014
+

Revision as of 03:53, 25 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 * EFI fat binary
  • ELF
  • Mach-O

External Links

ELF

MZ, PE/COFF

DBG, PDB

Minidump

Mach-O

Packers

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)

Minidump