4.1.1 Examining the _EPROCESS Structure

To examine the _EPROCESS structure and the kind of information it contains, you can use a kernel debugger such as WinDbg. WinDbg helps in exploring and understanding the operating system data structures, which is often an important aspect of Memory forensics. To install WinDbg, you need to install the "Debugging Tools for Windows" package, which is included as part of Microsoft SDK (refer to https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/index for different installation types). Once the installation is complete, you can find WinDbg.exe in the installation directory (in my case, it is located in C:Program Files (x86)Windows Kits8.1Debuggersx64). Next, download the LiveKD utility from Sysinternals (https://docs.microsoft.com/en-us/sysinternals/downloads/livekd), extract it, and then copy livekd.exe into the installation directory of WinDbg. LiveKD enables you to perform local kernel debugging on a live system. To launch WinDbg via livekd, open Command Prompt (as Administrator), navigate to the WinDbg installation directory, and run livekd with the -w switch, as shown here. You can also add the Windbg installation directory to the path environment variable so that you can launch LiveKD from any path:

C:Program Files (x86)Windows Kits8.1Debuggersx64>livekd -w

The livekd -w command automatically launches Windbg, loads the symbols, and presents you with a kd> prompt that's ready to accept commands, as shown in the following screenshot. To explore the data structures (such as _EPROCESS), you will type the appropriate command into the Command Prompt (next to kd>):

Now, going back to our discussion of the _EPROCESS structure, to explore the _EPROCESS structure, we will use the Display Type command (dt). The dt command can be used to explore a symbol that represents a variable, a structure, or a union. In the following output, the dt command is used to display the _EPROCESS structure defined in the nt module (the name of the kernel executive). The EPROCESS structure consists of multiple fields, storing all sorts of metadata of a process. Here is what it looks like for a 64-bit Windows 7 system (some of the fields have been removed to keep it small):

kd> dt nt!_EPROCESS
   +0x000 Pcb : _KPROCESS
   +0x160 ProcessLock : _EX_PUSH_LOCK
   +0x168 CreateTime : _LARGE_INTEGER
   +0x170 ExitTime : _LARGE_INTEGER
   +0x178 RundownProtect : _EX_RUNDOWN_REF
   +0x180 UniqueProcessId : Ptr64 Void
   +0x188 ActiveProcessLinks : _LIST_ENTRY
   +0x198 ProcessQuotaUsage : [2] Uint8B
   +0x1a8 ProcessQuotaPeak : [2] Uint8B
   [REMOVED]
   +0x200 ObjectTable : Ptr64 _HANDLE_TABLE
   +0x208 Token : _EX_FAST_REF
   +0x210 WorkingSetPage : Uint8B
   +0x218 AddressCreationLock : _EX_PUSH_LOCK
   [REMOVED]
   +0x290 InheritedFromUniqueProcessId : Ptr64 Void
   +0x298 LdtInformation : Ptr64 Void
   +0x2a0 Spare : Ptr64 Void
   [REMOVED]
   +0x2d8 Session : Ptr64 Void
   +0x2e0 ImageFileName : [15] UChar
   +0x2ef PriorityClass : UChar
   [REMOVED]

The following are some of the interesting fields in the _EPROCESS structure that we will use for this discussion:

  • CreateTime: Timestamp that indicates when the process was first started
  • ExitTime: Timestamp that indicates when the process exited
  • UniqueProcessID: An integer that references the process ID (PID) of the process
  • ActiveProcessLinks: A double linked list that links all the active processes running on the system
  • InheritedFromUniqueProcessId: An integer that specifies the PID of the parent process
  • ImageFileName: An array of 16 ASCII characters which store the name of the process executable

With an understanding of how to examine the _EPROCESS structure, let's now take a look at the _EPROCESS structure of a specific process. To do that, let's first list all active processes using WinDbg. You can use the !process extension command to print metadata of a particular process or all processes. In the following command, the first argument, 0, lists metadata of all the processes. You can also display the information of a single process by specifying the address of the _EPROCESS structure. The second argument indicates the level of detail:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa806106cb30
    SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00187000 ObjectTable: fffff8a0000016d0 HandleCount: 539.
    Image: System

PROCESS fffffa8061d35700
    SessionId: none Cid: 00fc Peb: 7fffffdb000 ParentCid: 0004
    DirBase: 1faf16000 ObjectTable: fffff8a0002d26b0 HandleCount: 29.
    Image: smss.exe

PROCESS fffffa8062583b30
    SessionId: 0 Cid: 014c Peb: 7fffffdf000 ParentCid: 0144
    DirBase: 1efb70000 ObjectTable: fffff8a00af33ef0 HandleCount: 453.
    Image: csrss.exe

[REMOVED]
For detailed information on WinDbg commands, refer to the Debugger.chm help, which is located in the WinDbg installation folder. You can also refer to the following online resources: http://windbg.info/doc/1-common-cmds.html and http://windbg.info/doc/2-windbg-a-z.html.

From the preceding output, let's look at the second entry, which describes smss.exe. The address, fffffa8061d35700, next to the PROCESS, is the address of the _EPROCESS structure associated with this instance of smss.exe. The Cid field, which has a value of 00fc (252 in decimal), is the process ID, and ParentCid, which has a value of 0004, represents the process ID of the parent process. You can verify this by examining the values in the fields for the _EPROCESS structure of smss.exe. You can suffix the address of the _EPROCESS structure at the end of the Display Type (dt) command, as shown in the following code. In the following output, notice the values in the fields UniqueProcessId (process ID), InheritedFromUniqueProcessId (parent process ID), and ImageFileName (process executable name). These values match with the results that you determined previously from the !process 0 0  command:

kd> dt nt!_EPROCESS fffffa8061d35700
   +0x000 Pcb : _KPROCESS
   +0x160 ProcessLock : _EX_PUSH_LOCK
   +0x168 CreateTime : _LARGE_INTEGER 0x01d32dde`223f3e88
   +0x170 ExitTime : _LARGE_INTEGER 0x0
   +0x178 RundownProtect : _EX_RUNDOWN_REF
   +0x180 UniqueProcessId : 0x00000000`000000fc Void
   +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`62583cb8 - 0xfffffa80`6106ccb8 ]
   +0x198 ProcessQuotaUsage : [2] 0x658
   [REMOVED]
   +0x290 InheritedFromUniqueProcessId : 0x00000000`00000004 Void
   +0x298 LdtInformation : (null) 
   [REMOVED]
   +0x2d8 Session : (null) 
   +0x2e0 ImageFileName : [15] "smss.exe"
   +0x2ef PriorityClass : 0x2 ''
   [REMOVED]

So far, we know that the operating system keeps all kinds of metadata information about a process in the _EPROCESS structure, which resides in the kernel memory. This means that if you can find the address of the _EPROCESS structure for a particular process, you can get all the information about that process. Then, the question is, how do you get information about all the processes running on the system? For that, we need to understand how active processes are tracked by the Windows operating system.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.137.223.190