Tuesday, October 4, 2011

Analyzing the Windows pagefile.sys from GNU/Linux

Problem: Given a pagefile.sys, how much information can you gain about the victim?

Hints: pagefile.sys is a sequence of 4k pages backing the system's "virtual memory", so it holds whatever was paged out of RAM.


strings pagefile.sys | grep -i "^[a-z]:\\\\" | sort | uniq | less #List all paths in pagefile


NOTE: You could find a lot of paths referencing "d:\nt\base\random\path\to\src.c". These seem to be related to the drivers being loaded into memory and being pushed to the pagefile.

---------------


strings pagefile.sys | grep -i "^[a-zA-Z0-9_]*=.*" | sort -u | less #print env vars


You will invariably get a lot of false positives with this one. But a lot of good information as well.

----------------


strings pagefile.sys | egrep -o '[[:alnum:]_.-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:].]{2,4}' | sort -u #print all email addresses.


There is a lot of good information that can be found that regular expressions simply can't pick up (or I just didn't think of).
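Putting the three one-liners together as a small script, as an added example that is not code from the original post: it carves drive-letter paths (minus the d:\nt\... driver source-tree noise mentioned above), NAME=value strings and e-mail addresses out of a pagefile image. It assumes GNU grep (-E/-o) and uses `strings` from binutils when it is installed, falling back to a tr-based approximation otherwise; the sample "pagefile" it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Carves Windows paths,
# environment variables and e-mail addresses out of a pagefile image with
# the same strings | grep approach used above. Assumes GNU grep (-E, -o)
# and, when installed, `strings` from binutils; otherwise a tr-based
# fallback approximates it for ASCII data.

# Printable ASCII runs of 4+ characters, one per line.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 4 "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Drive-letter paths, deduplicated. The d:\nt\... references the note above
# describes are driver build-tree paths, not files on the victim, so they
# are dropped here to keep the real on-disk paths visible.
pagefile_paths() {
    extract_strings "$1" | grep -iE '^[a-z]:\\' | grep -ivE '^d:\\nt\\' | sort -u
}

# NAME=value strings that look like environment variables. The class allows
# digits in the name (e.g. TEMP2) and requires a non-empty value.
pagefile_envvars() {
    extract_strings "$1" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=.+' | sort -u
}

# E-mail addresses only (-o), using bounded repeats that grep -E supports.
pagefile_emails() {
    extract_strings "$1" \
        | grep -Eo '[[:alnum:]_.+-]{1,64}@[[:alnum:]_-]{1,63}(\.[[:alnum:]_-]{1,63})*\.[[:alpha:]]{2,24}' \
        | sort -u
}

# Constructed sample "pagefile" for trying the functions offline: a few
# text fragments separated by NUL padding, standing in for swapped-out pages.
make_sample_pagefile() {
    {
        printf 'C:\\Users\\alice\\Documents\\report.docx\000\000'
        printf 'd:\\nt\\base\\ntos\\io\\iomgr\\iomgr.c\000'
        printf 'USERNAME=alice\000COMPUTERNAME=WS01\000'
        printf 'contact alice.smith@example.com today\000'
        printf 'C:\\Users\\alice\\Documents\\report.docx\000'
    } > "$1"
}

# Usage: sh pagefile_triage.sh /path/to/pagefile.sys
if [ "$#" -gt 0 ]; then
    for section in pagefile_paths pagefile_envvars pagefile_emails; do
        echo "== $section =="
        "$section" "$1"
    done
fi
```

Run it against a real image with `sh pagefile_triage.sh pagefile.sys`; the d:\nt\ filter and the domain length limits are deliberate choices for triage and can be loosened if you want the raw hits.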


-----------


One thing you can do to help protect yourself is to look at this KB article on wiping the pagefile at shutdown. A simple registry tweak is all it takes.

If you have a shell on the victim, you can read the values under this key from meterpreter with:


reg enumkey -k "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management"


FTA:

Change the data value of the ClearPageFileAtShutdown value in the following registry key to a value of 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
If the value does not exist, add the following value:
Value Name: ClearPageFileAtShutdown
Value Type: REG_DWORD
Value: 1
