## Tuesday, October 4, 2011

### Analyzing the Windows pagefile.sys from GNU/Linux

Problem: Given a pagefile.sys, how much information can you gain about the victim?

Hints: The pagefile.sys is stored as a bunch of 4k blocks. It is "virtual memory".

```sh
strings pagefile.sys | grep -i '^[a-z]:\\' | sort -u | less   # list all paths in the pagefile
```

NOTE: You could find a lot of paths referencing "d:\nt\base\random\path\to\src.c". These seem to be related to the drivers being loaded into memory and being pushed to the pagefile.

---------------

```sh
strings pagefile.sys | grep '^[A-Za-z0-9_]\{1,\}=' | sort -u | less   # print environment variables (NAME=value)
```

You will invariably get a lot of false positives with this one. But a lot of good information as well.

----------------

```sh
strings pagefile.sys | grep -Eo '[[:alnum:]_.-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:].]{2,4}' | sort -u   # print all email addresses
```

There is a lot of good information that can be found that regular expressions simply can't pick up (or I just didn't think of).
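The three pipelines above, reimplemented as one pass in Python so the analyst also learns which 4k page each string came from (useful for carving the surrounding block later). This is an added example, not code from the original post; the `SAMPLE` buffer is a constructed stand-in for a real pagefile.sys and `triage`/`extract_strings` are hypothetical helper names.

```python
import re

PAGE = 4096        # pagefile.sys is a sequence of 4 KiB pages
MIN_LEN = 4        # same default minimum run length as strings(1)

# Constructed sample: printable fragments separated by binary filler, with a
# full page of zeros so that the last address lands in page 1, not page 0.
SAMPLE = (
    b"\x00\x00C:\\Users\\alice\\Documents\\report.docx\x00\x00"
    b"\xffPATH=C:\\Windows\\system32;C:\\Windows\x00"
    b"USERPROFILE=C:\\Users\\alice\x00\x01\x02"
    b"mail to alice.smith@example.com now\x00"
    b"d:\\nt\\base\\random\\path\\to\\src.c\x00"
    b"not=email@x\x00"                      # looks like an env var, is not an email
    b"C:\\Users\\alice\\Documents\\report.docx\x00"   # duplicate, must be deduped
    + b"\x00" * PAGE +
    b"bob_jones@mail.example.org\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)   # what strings(1) prints
PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # drive-letter path
ENV_RE = re.compile(r"^[A-Za-z0-9_]+=")                  # NAME=value
EMAIL_RE = re.compile(r"[\w.-]{1,64}@[\w.-]{2,255}\.[A-Za-z]{2,4}")


def extract_strings(data):
    """Yield (string, page_index) for every printable ASCII run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii"), m.start() // PAGE


def triage(data):
    """Classify extracted strings into paths, env vars and emails, deduplicated."""
    paths, envs, emails = set(), set(), set()
    for s, _page in extract_strings(data):
        if PATH_RE.match(s):
            paths.add(s)
        if ENV_RE.match(s):
            envs.add(s)
        emails.update(EMAIL_RE.findall(s))   # emails may sit mid-string
    return {"paths": sorted(paths), "env": sorted(envs), "emails": sorted(emails)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, items)
```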

-----------

One thing you can do to help protect yourself is to look at this KB article on how to wipe your pagefile at shutdown. A simple registry tweak is all it takes.

If you have shell on the victim, using meterpreter you can find out the values of this key using this:

```
reg enumkey -k "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management"
```

FTA:

Change the data value of the ClearPageFileAtShutdown value in the following registry key to a value of 1:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
```

If the value does not exist, add the following value:

```
Value Name: ClearPageFileAtShutdown
Value Type: REG_DWORD
Value: 1
```