Non-debugging uses of CDB

Catching up with another tweet from 3 months ago.

VMWare Workstation installs the cdb.exe debugger for you, so you can play around with its features if you happen to find it during an engagement. Other than the obvious “I can run and manipulate other processes with it”, here are two other ideas:

AeDebug setup

Using the -iae or -iaec options, cdb.exe can install itself as the AeDebug (post-mortem) debugger. If you do so, cdb.exe, a signed Microsoft binary, is the one doing the dirty deed for you, and it can later be swapped for a malicious cdb.exe.

-iae install as AeDebug debugger
-iaec install as AeDebug debugger with given command tail

Launch programs via COMSPEC abuse

Cdb allows us to switch to a shell temporarily, a bit like ftp.exe, and lo and behold, it relies on the COMSPEC environment variable too. Hence we can launch a program via it, e.g. like this:

The obvious question is: why? After all, cdb.exe is a debugger and can launch programs anyway. Apart from the obvious “why not”, this way a program is launched without the debugging creation flags (e.g. DEBUG_ONLY_THIS_PROCESS) that a debuggee would otherwise carry.

SleepStudy logs

Update

After I posted it, Bryan linked to this article, which explains how to generate a SleepStudy report. Thx!

Old Post

A few days ago I came across ETL logs I had not seen before. They reside inside c:\WINDOWS\System32\SleepStudy and I posted about them on Twitter. I am not sure if anyone has looked at them from a forensic perspective in the past; a quick Twitter and Google search returned nothing of interest, hence I decided to quickly describe them here.

The logs originate from “Microsoft-Windows-Kernel-Power” and “Microsoft-Windows-UserModePowerService” ETW providers. Files that can be found inside the directory are as follows:

  • c:\WINDOWS\System32\SleepStudy\
    • ScreenOn\ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl
    • UserNotPresentSession.etl
    • user-not-present-trace-YYYY-MM-DD-HH-MM-SS.etl

Those whose names carry a YYYY-MM-DD-HH-MM-SS pattern include a timestamp, so multiple files following the same naming pattern exist in the folder.

The user* files can be quickly converted from ETL to XML format with the following command:

tracerpt.exe <etlfile>

or

tracerpt.exe <etlfile> -of csv

if you prefer CSV output. The resulting file is dumpfile.xml or dumpfile.csv, tracerpt's default output name.

What triggered my interest was the fact that we can see both paths and timestamps inside the converted user* files:

I don’t know exactly what these logs mean, but they can be yet another source of process execution telemetry.
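As an added example (my own script, not from the original post), the PowerShell below reads the user* ETL files directly with Get-WinEvent instead of converting them with tracerpt.exe, and lists every event whose payload carries a Windows path together with its timestamp and provider. The folder path is the one from the post; the regex used to spot paths in the event text is my own assumption about the payload.

```powershell
# Added example, not part of the original post.
# Reads the user* SleepStudy traces with Get-WinEvent (an alternative to
# tracerpt.exe) and builds a timeline of events that mention a file path.
# Assumptions: folder from the post; paths appear as free text in the payload.
$SleepStudy  = 'C:\Windows\System32\SleepStudy'
$PathPattern = '[A-Za-z]:\\[^\s"'',;]+'   # drive-letter path inside free text

function Get-SleepStudyPathEvents {
    param([string]$Folder = $SleepStudy)

    Get-ChildItem -Path $Folder -Filter 'user*.etl' -File -ErrorAction Stop |
    ForEach-Object {
        $etl = $_.FullName
        # -Oldest is mandatory when Get-WinEvent reads an .etl file.
        Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message is null when no manifest is available for the provider;
            # fall back to the raw property values so paths are still found.
            $text = if ($_.Message) { $_.Message } else {
                ($_.Properties | ForEach-Object { "$($_.Value)" }) -join ' '
            }
            foreach ($m in [regex]::Matches($text, $PathPattern)) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Provider = $_.ProviderName
                    EventId  = $_.Id
                    Path     = $m.Value
                    Source   = Split-Path $etl -Leaf
                }
            }
        }
    }
}

# Timeline of path-bearing events, oldest first
Get-SleepStudyPathEvents |
    Sort-Object Time |
    Format-Table Time, Provider, EventId, Path, Source -AutoSize
```

Run it in an elevated prompt if the folder is not readable by your account; the ScreenOn subfolder can be covered by adding -Recurse to Get-ChildItem.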