Infosavvy Security

and IT
Management Training

Understanding EProcess Structure

CHFI / By Tushar Panhalkar

Understanding EProcess Structure in Each process on the Windows operating system is associated with an executive process or
Eprocess block. It is the basic data structure that stores various attributes of the process and the pointer to the other attributes and
data structures related to the process. The investigator can read this data structure. The data structure is essentially a sequence of
bytes, with each sequence having a particular meaning. The size and even the values of the structures change not only between
operating system versions but also between service packs of the same version of the operating system.

It is relatively easy to view the contents of the EProcess structure. First, download and install the Microsoft debugging tools and the
correct symbols for operating system and service pack. Then download LiveKD.exe, copy it into the same directory as the
debugging took. Once this is done, open a command prompt, change to the directory where the debugging tool is installed, and type
the following command: debug>livekd -w

This command will open WinDbg, the GU1 interface to the debugger tools. To see the entire contents of an EProcess block, type dt
-a -b —v _EPROCESS into the command window, and press Enter. The —a flag shows each array element on a new line, with its
index. The —b switch displays blocks recursively. The -v flag creates a more verbose output, telling the overall size of each
structure.
 The process environment block, or PEB is an important element of all processes which is pointed to by the EProcess structure. This
Infosavvy Security
structure
and IT contains a great deal of information, but the elements that are important to forensic investigators are:
Management Training

A pointer to the loader data (referred to as PPEB_LDR_DATA) structure that includes pointers or references to modifies
(DLLs) used by the process.
A pointer to the image base address where an investigator expects to find the beginning of the executable image file
A pointer to the process parameter structure, which itself maintains the DLL path, the path to the executable image, and the
command line used to launch the process Parsing this information from a dump file can be useful to the investigator.

Related Product : Computer Hacking Forensic Investigator | CHFI

Process Creation Mechanism

There are a number of steps that are followed when a process Ls created, These steps can be broken down into six stages:

1. The image (.exe) file to be executed is opened. During this stage, the appropriate subsystem (Posix, MS-DOS, Win 16, etc.)
is identified, the Image File Execution Options registry key is checked to see if there is a debugger value, and if there is, the
process starts over.
2. The EProcess object is created. The kernel process block (KProcess), the process environment block, and the initial address
space are also set up.
3. The initial thread is created.
4. The Windows subsystem is notified of the creation of the new process and thread, along with the ID of the process’ creator
and a flag to identify whether the process belongs to a Windows process.
5. Execution of the initial thread starts. At this point, the process environment has been set up and resources have been
allocated for the process’s thread(s) to use.
6. The initialization of the address space is completed in the context of the new process and thread.

The process has at least one thread and may begin consuming additional memory resources as the process executes itself.

Parsing Memory Contents

The tools that parse memory contents usually employ the methodology of locating and enumerating the active process list using
specific values/offsets (derived from system files) to identify the beginning of the list. Then the tools use the same methodology for
walking through the double linked list, until all the active processes have been identified. The location of the offset for the beginning
of the active process list was derived from one of the important system files, ntoskrnl.exe. Lsproc.pl Lsproc (short for list processes)
locates processes but not threads. It takes single argument, the path, and name, to a RAM dump file:

Example: c: \perl \memory>lsproc pl d: \dumps \ drfws1-mem.dmp

The output of Isproc.pl appears at the console (i.e., STDOUT) in six columns. Lspd.pl

Ispd.pl is a command-line Perl script that relies on the output of Isproc.pl to obtain its information, Specifically,
Ispd.pl takes two arguments: the path and name of the dump file and the offset from the lsproc.pl output of the
process that the investigators are interested in.

The command line to use Ispd.pl is: c:\perl\memory>lspd.pl d:\dumps\dfrwsl-mem.dmp 0x0414dd60

Lspd.pl also retrieves a list of the names of various modules (DLLs) used by the process and whatever available handles (file
handles and so on) it can find in memory.

Also Read : What is Memory Dump?

 Parsing Process Memory
Infosavvy Security
and IT
Management Training
In the past, investigators have used tools such as strings.exe or grep searches to parse through the contents of a RAM dump and
look for interesting strings (passwords), IP or email addresses, URLs, etc. However, when investigators are parsing through a file
which is about half a megabyte in size, there is not a great deal of context to the information.

Lspm.pI takes the same arguments as Ispd.pl (the name and path of the dump file, and the physical offset within the file of the
process structure) and extracts the available pages from the dump file, and writes them to a file within the current working directory.
To run lspm.pl against the dd.exe process, use the following command line:

c:\perl\memory>lspm.pl d:\dumps\dfrwsl-mem.dmp 0x0414dd60

The output looks like this:

Name: dd.exe -> 0x01d9e000

There are 372 pages (1523712 bytes) to process.

Dumping process memory to dd.dmp…

Done.

Extracting the Process Image

When a process is launched, the executable file is read into memory. One of the pieces of information that can be obtained from the
process details (via Ispd.pl) is the offset within the dump file to the Image Base Address. Lspd.pl can do a quick check to see
whether an executable image can be found in that location. To further develop this information, the PE file header can be parsed to
see whether it is possible to extract the entire contents of the executable image from the dump file.

Extracting the Process Image (Cont’d)

Lspi.pl can’t reassemble the file if any of the memory pages have been marked as invalid and are no longer located in memory. A
file extracted from the memory dump will not be exactly the same as the original executable file. This is due to the fact that some of
the file’s sections are writeable, and those sections changes during the process execution step.

As the process executes, various elements of the executable code (addresses, variables, and so on) change based on the
environment and the stage of execution. However, there are a couple of ways to determine the nature of a file and get some
information about its purpose. One of those ways is to see whether the file has any file version information compiled into it, as is
done with most files created by legitimate software companies. As noticed from the section headers of the image file, there is a
section named .rsrc, which is the name often used for a resource section of a PE file. This section can contain a variety of
resources, such as dialogs and version strings, and is organized like a file system. The file hashing option can also be used to get
this information.

Collecting Process Memory

During an investigation, the investigator is usually interested in only particular processes rather than a list of all processes, and
would like more than just the contents of process memory available in RAM dump file. For example, the investigator might have
quickly identified processes of interest that required no additional extensive investigation.

There are ways to collect all the memory used by a process not just what is in physical memory but what is in virtual memory or the
page file as well. The pmdurnp.exe tool allows dumping the contents of process memory without stopping the process. This allows
 the process to continue and the contents of memory to change while being written to a file, thereby creating a “smear” of process
Infosavvy Security
memory.
and IT Also, prndurnp.exe does not create an output file that can be analyzed with the debugging tools.
Management Training

Another method for dumping the contents of process memory is called Process Dumper. It dumps the entire process space along
with additional metadata and the process environment to the console (STDOUT), so that the output can be redirected to a file or a
socket.

Userdump.exe allows dumping of any process, without attaching a debugger and without terminating the process once the dump
has been completed. Also, the dump file generated by userdump.exe can be read by the MS debugging tools. However, working of
the userdump.exe command requires system installation of its specific driver. Once done with the dumping process, use debugging
tools to analyze the dump files. Other helpful tools include:

1. Volatility

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for
the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely
independent of the system being investigated but offers visibility into the runtime state of the system. The framework is intended to
introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and
provide a platform for further work into this exciting area of research.

2. BinText

It can extract text from a file and find plain ASCII text, Unicode (double byte ANSI) text, and Resource strings, providing useful
information for each item in the optional “advanced” view mode. Its comprehensive filtering helps prevent listing of unwanted. The
gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.

3. Handle

Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs
that have open files or to see the object types and names of all the handles of a program.

4. ListDLLs.exe

It is a utility that reports the DLLs loaded into processes. It lists all DLLs loaded into all processes, or into a specific process. It can
also list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their
digital signature, and it can be used to scan processes for unsigned DLLs.

Questions related to this topic

1. How do I open a memory dump file?

2. How do you analyze memory dump files?
3. Is it safe to delete a memory DMP file?
4. Where are windows dump files stored?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute,
Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com