The equivalent of TeamViewer-dumper for memory forensics analysts is Adam Bridge's EditBox plugin for Volatility. Adam's submission won 3rd place in last years Volatility Plugin Contest, but I still feel like many people don't realize the full potential of this plugin. While TeamViewer-dumper is specific to TV, the EditBox plugin recovers text from editbox controls for all applications (that depend on Microsoft Common Controls) across all user sessions (local or remote via RDP/VNC), even for "special" editboxes that contain passwords and show up as asterisks on the screen.
Here's an example of the editbox plugin's output when TV is running:
As you can see, the ID, password, computer name, and various other fields are recovered. This is a powerful way to reconstruct the state of the user interface from memory. Although technically you could also find the values by brute force string scanning in process memory, but there's no need to brute force when you can use a structured, focused approach. Kudos to Adam for creating such a useful extension to last year's plugin contest.$ python vol.py -f memory.dmp --profile=Win7SP1x64 editbox Volatility Foundation Volatility Framework 2.4 41 processes to check. ******************************************************* Wnd context : 1\WinSta0\Default Window title : - pointer-to tagWND : 0xfffff900c062b510 [0x67dc6510] pid : 2524 imageFileName : TeamViewer.exe wow64 : Yes atom_class : 6.0.7601.17514!Edit address-of cbwndExtra: 0xfffff900c062b5f8 [0x67dc65f8] value-of cbwndExtra : 4 (0x4) address-of WndExtra : 0xfffff900c062b638 [0x67dc6638] value-of WndExtra : 0x46e0480 [0x67302480] pointer-to hBuf : 0x46af000 [0x67e28000] hWnd : 0x10228 parenthWnd : 0x1020a nChars : 6 (0x6) selStart : 0 (0x0) selEnd : 0 (0x0) text_md5 : 7a62c5fa901ff86a1562b9c7075674f8 isPwdControl : No q16jp7 ******************************************************* Wnd context : 1\WinSta0\Default Window title : - pointer-to tagWND : 0xfffff900c062b150 [0x67dc6150] pid : 2524 imageFileName : TeamViewer.exe wow64 : Yes atom_class : 6.0.7601.17514!Edit address-of cbwndExtra: 0xfffff900c062b238 [0x67dc6238] value-of cbwndExtra : 4 (0x4) address-of WndExtra : 0xfffff900c062b278 [0x67dc6278] value-of WndExtra : 0x46a0f98 [0x689d7f98] pointer-to hBuf : 0x46bf390 [0x6769d390] hWnd : 0x10224 parenthWnd : 0x1020a nChars : 11 (0xb) selStart : 0 (0x0) selEnd : 0 (0x0) text_md5 : b45dfe635940d5490276a5ae41e1422f isPwdControl : No 567 744 114 ******************************************************* Wnd context : 1\WinSta0\Default Window title : - pointer-to tagWND : 0xfffff900c0631a50 [0x552cea50] pid : 2524 imageFileName : TeamViewer.exe wow64 : Yes atom_class : 6.0.7601.17514!Edit address-of cbwndExtra: 0xfffff900c0631b38 [0x552ceb38] value-of cbwndExtra : 4 (0x4) address-of WndExtra : 0xfffff900c0631b78 [0x552ceb78] value-of WndExtra : 0x4781678 [0x6648b678] pointer-to hBuf : 0x46fac80 [0x68493c80] hWnd : 0x801aa parenthWnd : 0x70186 nChars : 15 (0xf) selStart : 0 (0x0) selEnd : 0 (0x0) text_md5 : 2cbe388f82d11af92a8d4950e24db799 isPwdControl : No WIN-948O8I1DO91 [snip]
No comments:
Post a Comment