Process “Timestomping”

This post is about a thing so obvious that you will probably scratch your head wondering why I am even writing about it. I think it is good to confirm your assumptions, test (and sometimes double test) stuff, and I just happened to do it today, so since I have already done the homework, I thought it would be good to at least mention it just in case someone doesn’t know about it. So, you have been warned 🙂

Now, for the obvious part.

File timestomping is a well-known process of modifying timestamps of a file in order to hide its presence by ‘blending’ with the legitimate files.

Timestomping can also be applied to processes: malware can temporarily change the current date/time before it runs a hijacked process, e.g. iexplore.exe or svchost.exe. Interestingly (but not surprisingly), the resulting process creation timestamp is preserved by the system, and the tools retrieving this data, both live and offline memory analysis tools, will all show the timestomped value.

In an example presented below, I changed the date on the system to 2008/1/1 and executed notepad.exe.

Both Process Explorer and the tools I used on an acquired memory dump (Memoryze, Volatility and Redline) showed the timestomped process creation timestamp.

The shortest anti-forensics code in the world

Everyone knows about anti-forensics… from timestomping, secure deletion, wiping out internet history and event logs to monitoring I/O requests in order to provide fake data (e.g. the original content of the MBR sector) and Shadow Walker… there are some excellent presentations out there, with the fantastic work of Bill Blunden from BH 2009 nicely wrapping it all up.

Many of our IR/forensics activities rely on enumerating the list of processes on an investigated system. The tools we use often show the command line arguments of all processes. Process Explorer, Task Manager in Vista+ and command line tools such as tlist.exe or cmdline.exe show the content of processes’ command lines by copying the command line buffers directly from these processes’ address space.

Enter the smallest anti-forensics code in the world.

It wipes out the content of the command line buffers stored under addresses returned by GetCommandLineA/GetCommandLineW. It takes 25 bytes of code.

CleanupCMDLineArg:
call GetCommandLineA
call Cleanup
call GetCommandLineW
Cleanup:
cld
xchg eax,edi
xor  eax,eax
xor  ecx,ecx
dec  cl
rep  stosb
retn

Once the code is run, command line arguments are no longer visible in any of the aforementioned tools.
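A defender-side complement to both the process timestomping example above and the wiped command line buffers, as an added Python example that is my own and not code from the original post: it scans a pslist-style process listing for creation times that precede the parent's or the System process's creation time, and for user-mode processes whose command line buffer is empty. The listing, process names and timestamps are constructed sample data, not taken from a real dump.

```python
from datetime import datetime

# Constructed sample in the shape of a pslist-style listing (not a real dump):
# (pid, ppid, name, creation time, command line); "" = empty/wiped buffer.
SAMPLE = [
    (4,    0,    "System",       "2012-03-10 08:00:01", ""),
    (400,  4,    "smss.exe",     "2012-03-10 08:00:05", r"\SystemRoot\System32\smss.exe"),
    (1200, 1000, "explorer.exe", "2012-03-10 08:02:30", r"C:\Windows\Explorer.EXE"),
    (2040, 1200, "notepad.exe",  "2008-01-01 00:00:10", "notepad.exe"),  # clock set back
    (2100, 1200, "svchost.exe",  "2012-03-10 09:15:00", ""),             # wiped cmdline
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_anomalies(procs):
    """Return a list of (pid, reason) tuples for suspicious entries.

    Heuristics:
      * created before its parent: only possible if the clock was changed
        (caveat: PIDs are reused, so a stale PPID can also trigger this)
      * created before the System process: the timestamp predates boot
      * empty command line on a user-mode process: even a bare image name
        normally appears there, so an empty buffer deserves a second look
    """
    by_pid = {p[0]: p for p in procs}
    boot = min((_parse(p[3]) for p in procs if p[2] == "System"), default=None)
    findings = []
    for pid, ppid, name, ts, cmdline in procs:
        created = _parse(ts)
        parent = by_pid.get(ppid)
        if parent is not None and created < _parse(parent[3]):
            findings.append((pid, "created before parent %d" % ppid))
        if boot is not None and created < boot:
            findings.append((pid, "created before System process"))
        if cmdline == "" and pid != 4:  # PID 4 (System) has no command line
            findings.append((pid, "empty command line"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_anomalies(SAMPLE):
        print("PID %5d: %s" % (pid, reason))
```

On real data, feed the function the pslist/cmdline output of your memory analysis tool of choice and treat each finding as a lead to corroborate, not a verdict.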

I had a silly idea to demonstrate it by writing a command line arguments scroller for Task Manager and Process Explorer. The way I envisioned it would work is that I would be changing the content of the buffers storing the command line arguments of my process every second or so. The assumption was that any time Task Manager or Process Explorer refreshed the list of processes, they would copy the buffer containing my scrolled text and show it in their GUI. By manipulating the buffers I would be able to achieve the scrolling effect. Well, it didn’t work out, as it seems the command line arguments are not re-read every time the process list is refreshed by these tools. A bug or a feature?