{"id":416,"date":"2012-01-21T18:14:58","date_gmt":"2012-01-21T18:14:58","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=416"},"modified":"2012-02-20T01:09:12","modified_gmt":"2012-02-20T01:09:12","slug":"the-shortest-anti-forensics-code-in-the-world","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/01\/21\/the-shortest-anti-forensics-code-in-the-world\/","title":{"rendered":"The shortest anti-forensics code in the world"},"content":{"rendered":"<p>Everyone knows about anti-forensics&#8230; from timestomping, secure deletions, wiping out internet history and event logs to monitoring I\/O requests in order to provide fake data (e.g. the original content of the MBR sector) and Shadow Walker&#8230; there are some excellent presentations out there, with the fantastic work of <a title=\"From The Tunnels Below Gotham - Black Hat\" href=\"http:\/\/www.blackhat.com\/presentations\/bh-usa-09\/BLUNDEN\/BHUSA09-Blunden-AntiForensics-SLIDES.pdf\">Bill Blunden from BH 2009<\/a> nicely wrapping it all up.<\/p>\n<p>Many of our IR\/forensics activities rely on enumerating the list of processes on an investigated system. The tools we use often show the command line arguments of all processes. <em>Process Explorer<\/em>, <em>Task Manager<\/em> in Vista+ and command line tools such as <em>tlist.exe<\/em> or <em>cmdline.exe<\/em> obtain the content of processes&#8217; command lines by copying the command line buffers directly out of those processes&#8217; address space: they locate the target&#8217;s PEB, follow it to <em>RTL_USER_PROCESS_PARAMETERS<\/em> and read the <em>CommandLine<\/em> buffer with <em>ReadProcessMemory<\/em>. What the tool displays is therefore whatever that buffer holds at the time of the read, not what the process was originally started with.<\/p>\n<p>Enter the smallest anti-forensics code in the world.<\/p>\n<p>It wipes out the content of the command line buffers stored at the addresses returned by GetCommandLineA\/GetCommandLineW. 
It takes 25 bytes of code.<\/p>\n<blockquote>\n<pre>CleanupCMDLineArg:\r\ncall GetCommandLineA   ; eax = ANSI command line buffer\r\ncall Cleanup           ; wipe it, then come back here\r\ncall GetCommandLineW   ; eax = Unicode command line buffer (the PEB copy)\r\nCleanup:               ; reached by fall-through the second time, so retn returns to our caller\r\ncld                    ; stosb walks forward\r\nxchg eax,edi           ; edi = buffer (1 byte, vs. 2 for mov edi,eax)\r\nxor  eax,eax           ; al = 0, the fill byte\r\nxor  ecx,ecx\r\ndec  cl                ; ecx = 0xFF: 255 bytes, whatever the real length\r\nrep  stosb             ; zero them\r\nretn<\/pre>\n<\/blockquote>\n<p>Once the code has run, the command line arguments are no longer visible in any of the aforementioned tools.<\/p>\n<p>Two things to keep in mind before reusing it. First, the count comes from <em>xor ecx,ecx; dec cl<\/em>, so it always zeroes 255 bytes from each returned pointer regardless of how long the command line really is; for a short command line that write runs past the end of the string into whatever follows it in memory, and the routine also leaves <em>edi<\/em> clobbered, which the Win32 calling conventions expect a callee to preserve. Second, it only hides the arguments from tools that read them out of the live process; anything that recorded the command line at process creation (process creation auditing configured to log the command line, or a kernel process-creation callback) already has its own copy.<\/p>\n<p>I had a silly idea to demonstrate it by writing a command line arguments scroller for Task Manager and Process Explorer. The way I envisioned it would work is that I would be changing the content of the buffers storing the command line arguments of my process every second or so. The assumption was that any time Task Manager or Process Explorer refreshed the list of processes, they would copy the buffer containing my scrolled text and show it in their GUI. By manipulating the buffers I would be able to achieve the scrolling effect. Well, it didn&#8217;t work out, as it seems the command line arguments are not updated any time the process list is updated by these tools. A bug or a feature?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everyone knows about anti-forensics&#8230; from timestomping, secure deletions, wiping out internet history and event logs to monitoring I\/O requests in order to provide fake data (e.g. 
original content of MBR sector) and Shadow Walker&#8230;\u00a0there are some excellent presentations out there &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/01\/21\/the-shortest-anti-forensics-code-in-the-world\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/416"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=416"}],"version-history":[{"count":9,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/416\/revisions"}],"predecessor-version":[{"id":629,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/416\/revisions\/629"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
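A length-aware rendition of the wipe described in the post, as an added example rather than Hexacorn's own code. Instead of the fixed 255-byte `rep stosb`, it measures each string and clears exactly that many bytes, through a volatile pointer so the compiler cannot drop the stores as dead. On Windows the `main()` applies it to the real buffers behind GetCommandLineA and GetCommandLineW in the running process; on other platforms it runs the same functions over constructed stand-in buffers (the sample command line is made up) so the bounded write can be exercised anywhere.

```c
/* Added example, not the original post's code: a length-aware version of the
 * GetCommandLineA/W buffer wipe. Returns how many bytes were cleared so the
 * caller can see that nothing past the string was touched. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Zero a NUL-terminated narrow string in place. The volatile pointer keeps
 * the compiler from eliding the stores (we never read the buffer again). */
static size_t wipe_cmdline_a(char *cmdline)
{
    if (cmdline == NULL)
        return 0;
    size_t len = strlen(cmdline);          /* bounded by the real length, not 255 */
    volatile char *p = cmdline;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
    return len;
}

/* Same for the Unicode copy: GetCommandLineW returns the buffer that lives in
 * the PEB's RTL_USER_PROCESS_PARAMETERS, which is what process-listing tools read. */
static size_t wipe_cmdline_w(wchar_t *cmdline)
{
    if (cmdline == NULL)
        return 0;
    size_t len = wcslen(cmdline);
    volatile wchar_t *p = cmdline;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
    return len * sizeof(wchar_t);
}

/* Wipe both copies, as the post's routine does, and report total bytes cleared. */
static size_t wipe_own_cmdline(char *narrow, wchar_t *wide)
{
    return wipe_cmdline_a(narrow) + wipe_cmdline_w(wide);
}

int main(void)
{
#ifdef _WIN32
    /* Real process buffers: after this, Process Explorer / Task Manager show an
     * empty command line for this PID (until they have cached it, see the post). */
    size_t n = wipe_own_cmdline(GetCommandLineA(), GetCommandLineW());
    printf("cleared %zu bytes; GetCommandLineA now: \"%s\"\n", n, GetCommandLineA());
#else
    /* Constructed stand-ins (not real process memory, sample text is made up). */
    char narrow[] = "demo.exe --server example.invalid --token hunter2";
    wchar_t wide[] = L"demo.exe --server example.invalid --token hunter2";
    size_t n = wipe_own_cmdline(narrow, wide);
    printf("cleared %zu bytes; narrow buffer now: \"%s\"\n", n, narrow);
#endif
    return 0;
}
```

On Windows the volatile loop can be swapped for `SecureZeroMemory`, which exists for exactly this purpose; the length must still come from the string itself, since neither GetCommandLine call tells you how large the allocation behind the pointer is.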