The shortest anti-forensics code in the world

January 21, 2012 in Anti-Forensics

Everyone knows about anti-forensics… from timestomping, secure deletion, wiping out internet history and event logs to monitoring I/O requests in order to serve fake data (e.g. the original content of the MBR sector) and Shadow Walker… there are some excellent presentations out there, with the fantastic work of Bill Blunden from BH 2009 nicely wrapping it all up.

Many of our IR/forensics activities rely on enumerating the list of processes on an investigated system. The tools we use often show the command line arguments of all processes. Process Explorer, Task Manager in Vista+ and command line tools such as tlist.exe or cmdline.exe show the content of processes’ command lines by copying the command line buffers directly from those processes’ address space.

Enter the smallest anti-forensics code in the world.

It wipes out the content of the command line buffers stored at the addresses returned by GetCommandLineA/GetCommandLineW. It takes 25 bytes of code.

CleanupCMDLineArg:
call GetCommandLineA
call Cleanup
call GetCommandLineW
Cleanup:
cld
xchg eax,edi
xor  eax,eax
xor  ecx,ecx
dec  cl
rep  stosb
retn

Once the code has run, the command line arguments are no longer visible in any of the aforementioned tools.
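Because all of these tools read the same in-process buffer, the reference copy for an investigator is the one the kernel wrote to the Security log at process creation, before the new process ran a single instruction. The script below is an added example (the editor's, not code from the original post): it cross-checks each live process's command line as reported by WMI, which reads the PEB just like Task Manager and Process Explorer, against the command line recorded in Security event 4688. It assumes the script runs elevated and that "Audit Process Creation" plus "Include command line in process creation events" are enabled; without the latter, Properties[8] of 4688 is empty and there is nothing to compare. The function name and its tolerance parameter are the editor's own.

```powershell
# Added example, not from the original post. Compares the live command line of
# each process (WMI reads it from the process's PEB, as Task Manager and Process
# Explorer do) with the command line that Security event 4688 recorded when the
# process was created. A live value that is empty or different while 4688 holds a
# real command line deserves a closer look.
#
# Assumptions: elevated session; "Audit Process Creation" and "Include command
# line in process creation events" are enabled.

function Get-CommandLineDrift {
    param(
        # PIDs are reused after a process exits, so a 4688 entry is accepted for a
        # live process only if its timestamp is within this many seconds of the
        # process's own creation time.
        [int] $ToleranceSeconds = 5
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue

    # Index 4688 entries by PID. In 4688 the new PID is a hex string ("0x1a2c")
    # in Properties[4]; the recorded command line is Properties[8].
    $byPid = @{}
    foreach ($e in $events) {
        $procId = [Convert]::ToInt32([string]$e.Properties[4].Value, 16)
        if (-not $byPid.ContainsKey($procId)) { $byPid[$procId] = @() }
        $byPid[$procId] += [PSCustomObject]@{
            Time        = $e.TimeCreated
            CommandLine = [string]$e.Properties[8].Value
        }
    }

    foreach ($p in Get-CimInstance Win32_Process) {
        $procId = [int]$p.ProcessId
        if (-not $p.CreationDate -or -not $byPid.ContainsKey($procId)) { continue }

        # Pick the 4688 entry that belongs to this instance of the PID.
        $match = $byPid[$procId] |
            Where-Object { [math]::Abs(($_.Time - $p.CreationDate).TotalSeconds) -le $ToleranceSeconds } |
            Sort-Object Time -Descending |
            Select-Object -First 1
        if (-not $match -or -not $match.CommandLine) { continue }

        # A wiped buffer reads back as NUL characters (or nothing at all), so
        # strip NULs and whitespace before comparing.
        $live   = ([string]$p.CommandLine -replace "`0", '').Trim()
        $logged = $match.CommandLine.Trim()
        if ($live -eq $logged) { continue }

        if ($live -eq '') { $verdict = 'command line missing in memory' }
        else              { $verdict = 'command line differs from 4688' }

        [PSCustomObject]@{
            ProcessId = $procId
            Name      = $p.Name
            Logged    = $logged
            Live      = $live
            Verdict   = $verdict
        }
    }
}

Get-CommandLineDrift | Format-Table -AutoSize -Wrap
```

An empty live command line on its own is weak evidence, since many system and protected processes legitimately report none to WMI; the signal here is the disagreement with a 4688 entry that does carry arguments. Where Sysmon is deployed, its process creation event (ID 1) can serve as the reference in the same way.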

I had a silly idea to demonstrate it by writing a command line arguments scroller for Task Manager and Process Explorer. The way I envisioned it would work is that I would change the content of the buffers storing the command line arguments of my process every second or so. The assumption was that any time Task Manager or Process Explorer refreshed the list of processes, they would copy the buffer containing my scrolled text and show it in their GUI. By manipulating the buffers I would be able to achieve the scrolling effect. Well, it didn’t work out: it seems the command line arguments are not re-read every time these tools refresh the process list. A bug or a feature?
