Windows Process Internals : A few Concepts to know before jumping on Memory Forensics
I have been revising memory forensics lately and realized that there are very important concepts related to Windows Internals that need to be explained and understood in the perspective of memory forensics to digest the memory forensics in a better way than just to run a tool on a memory dump. Though, there is plethora of information available on Windows Internals, this article provides the necessary conceptual information about Windows Process Internals in the context of memory forensics.
Volatility plugins like pslist, pstree, psxview, dlllist,ldrmodules ,hollowfind,getsids,handles and many others are relying on a few key process related data structures like EPROCESS, Process Environment Block(PEB),Virtual Address Descriptor(VAD) etc.These volatility modules parse these structures and substructures within them and represent us a beautiful tabular view for our analysis.
Following is the table where I have mapped a few volatility modules against the data structures. This list is no way near to be comprehensive, this is just to highlight the mapping between volatility plugin and the data structures.
Table 1. Mapping between Volatility Plugins and OS data structures
We will talk about EPROCESS and Process Environment Block (PEB) today as many of the modules rely on information stored in these critical data structures.
What _EPROCESS & Process Environment Block?
Each Windows process is represented by an executive process structure called _EPROCESS. EPROCESS contains many attributes related to process and it also points to a number of other related data structures.
Process Environment Block (PEB) is one of the structures that EPROCESS points to. PEB contains many process-related information like image name, loaded modules(dlls), image file path, command line parameters passed with the process etc.
One of the fields in EPROCESS data structure is ActiveProcessLinks which is a pointer to a circular doubly link list that tracks all active processes. The modules like pslist picks up this point and traverse through this series of pointers to get the list of the active processes.
Let us look at the EPROCESS Data Structure through Windows Kernel Debugger(kd). dt command is used to view the fields that make up any structure. These fields in turn point to the data structures. Hence, to check the structure of EPROCESS type the following command in kernel debugger.
This command shows the entire structure of EPROCESS data structures including all the fields that make the structure of EPROCESS.
Please see the following snippet for the same. You can see that the many fields in turn points to another data structure. For Example, pcb (Process Control Block) is _KPROCESS structure. You can view _KPROCESS by typing dt nt!_KPROCESS in the debugger.
We will focus on the field name “ActiveProcessLinks”.Please see the snippet below that shows the “ActiveProcessLinks”. It is a “LIST_ENTRY” structure. Please note the offset (0x2f0) of this field from the top of the _EPROCESS structure. We will be using this offset later in the article.
Kernel uses doubly link list to track the processes. Each Process has this doubly link list which is pointed by ActiveProcessLinks field of the previous process. All EPROCESS blocks are connected in a circular way by DoublyLinkList. Hence, by traversing this list we can get all the active processes on the system.
ActiveProcessLinks is a LIST_ENTRY structure and it is a circular doubly link list pointing to the node in the next EPROCESS for a different process.
Figure 1. _EPROCESS Structure & ActiveProcessLinks field
You can see other fields in the EPROCESS structure. The other important structure in this context are PEB & VAD. Please see the following snippets.
Figure 2. Other Important Fields PEB in the _EPROCESS
Figure 3. VAD related fields in the _EPROCESS
How does pslist get the list of all current process?
Get all the active process by traversing through the doubly link lists.
!PsActiveProcessHead is the pointer to the doubly linked list (ActiveProcessLinks) of the EPROCESS of the Process “System”, the first process. By getting a pointer to one of the nodes in the doubly linked list, we can traverse through all the active processes connected via doubly linked list.
Following are the steps
Step 1. Get the pointer to the doubly linked list using nt!PsActiveProcessHead
Step 2. List the instance of the ActiveProcessLinks of the process pointed by that pointer
Figure 4. Step 1 & 2 nt!PsActiveProcessHead
Step 3. .flink entry at this pointer points to the “ActiveProcessLinks” field of the EPROCESS structure of the next process. If we want to get the other element in that EPROCESS structure, we need to get at the top of the EPROCESS (starting of EPROCESS) and not at the ActiveProcessLinks. Hence,we need to subtract the offset(0x2f0) from the pointer to get to the starting address of EPROCESS.
Figure 5. Step 3 Reach to the Next _EPROCESS and Fetch the field
Step 4. Once, we get to the start of the EPROCESS, we can get any of the element/field of that structure. Here, we have chosen to list the ImageFileName. So, next process (after System) is Registry where System Process is pointing to.
Figure 6. Traversing to the next node
Step 5. Now, we will leverage list capabilities of debugger and traverse through the list. The address used is subtraction of pointer and offset (?0xffff858a`3f6db5f0–0x2f0) to reach to the starting address of EPROCESS.
Figure 7. Traversing through the list and fetch all the current processes
Another way to traverse through the process list is to pick one process and identify its pointer to the circular doubly linked list and traverse through the list.
Step 1: List all the processes and identify any random process to get hold of the pointer to the doubly linked list node. The ActiveProcessLinks of EPROCESS structure for that process will provide us the pointer to the doubly linked list. Please see the snippt below.
Figure 8.List the current Processes and Pick up any random process
Step 2: List flink of field ActiveProcessLinks of EPROCESS structure for this selected process.
Figure 9. List flink of ActiveProcessLinks of the selected process
Step 3. Flink points to the ActiveProcessLinks in the next process. Hence, we need to subtract the offset (as we did earlier). That will take us to the starting of the EPROCESS block of the next process.
Using List capabilities, we can traverse through all the processes as shown below.
Figure 10. Traversing through the list and fetch all the current processes
There are other fields and structures like !peb, lpeb_ldr_data,!ldr_data_table_entry !vad etc. that are also important to understand and illustrate. I will try to cover these structures in next articles.
Do let me know if you want further parts that explains the rest of the important data structures.
That’s it for now, folks !! Happy Hunting, fellas !!