{"id":9767,"date":"2024-12-28T23:32:09","date_gmt":"2024-12-28T23:32:09","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9767"},"modified":"2024-12-30T19:15:15","modified_gmt":"2024-12-30T19:15:15","slug":"wimmountdata-ads","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/12\/28\/wimmountdata-ads\/","title":{"rendered":"WIMMOUNTDATA ADS"},"content":{"rendered":"\n<p>In <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/03\/26\/good-alternate-data-streams-ads\/\" data-type=\"post\" data-id=\"841\">my old post<\/a> I listed a number of &#8216;good Alternate Data Streams (ADS)&#8217;, and one of them was called $WIMMOUNTDATA.<\/p>\n\n\n\n<p>I just came across the very same ADS again during one of my procmon tests, so I decided to bite. Googling around for this string doesn&#8217;t bring much other than some reports and complaints related to suspected malware and issues with the <em>dism.exe<\/em> program.<\/p>\n\n\n\n<p>After confirming the ADS is referenced by the <em>wimgapi.dll!WIMMountImage<\/em> API, I created a quick &amp; dirty test WIM file, and then mounted it using <em>dism.exe<\/em>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_1.png\" alt=\"\" class=\"wp-image-9768\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_1.png 709w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_1-260x300.png 260w\" sizes=\"(max-width: 709px) 100vw, 709px\" \/><\/a><\/figure>\n\n\n\n<p>The commands used were:<\/p>\n\n\n\n<ul>\n<li>md foo<\/li>\n\n\n\n<li>echo test &gt; c:\\foo\\bar.txt<\/li>\n\n\n\n<li>Dism \/Capture-Image \/ImageFile:\"foo.wim\" \/CaptureDir:C:\\foo \/Name:Foo<\/li>\n\n\n\n<li>md 
testmountwim<\/li>\n\n\n\n<li>Dism \/Mount-Image \/ImageFile:\"foo.wim\" \/MountDir:C:\\testmountwim<\/li>\n\n\n\n<li>dir \/r testmountwim<\/li>\n<\/ul>\n\n\n\n<p>The $WIMMOUNTDATA ADS created as a result of these commands looks like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_2.png\" alt=\"\" class=\"wp-image-9769\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_2.png 630w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_2-300x138.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/WIMMOUNTDATA_2-500x230.png 500w\" sizes=\"(max-width: 630px) 100vw, 630px\" \/><\/a><\/figure>\n\n\n\n<p>The first DWORD is the total size of the stream (0x00000128 = 296 bytes). It is followed by a few fields I have not deciphered yet, including a potential hash at 0x10, and then by a sequence of records: the first three carry 16-bit Unicode (UTF-16LE) strings and the rest hold data structures that are still unknown. Every record is prefixed by its length (a DWORD), and the length is in turn prefixed by the record index (also a DWORD), with each record&#8217;s payload padded to an 8-byte boundary. The stream can therefore be interpreted as follows:<\/p>\n\n\n\n<ul>\n<li>@0x00 &#8211; 0x00000128 &#8211; length of the whole ADS<\/li>\n\n\n\n<li>@0x04 &#8211; ?<\/li>\n\n\n\n<li>@0x08 &#8211; ?<\/li>\n\n\n\n<li>@0x10 &#8211; hash (?) 
&#8211;&gt; mount GUID e242237c-66ed-4958-b9ec-c49b07eaeeb5 (see below)<\/li>\n\n\n\n<li>@0x20 &#8211; ?<\/li>\n\n\n\n<li>@0x28 &#8211; 0x00000001, 0x00000016 (payload rounded up to an 8-byte boundary) <em><strong>C:\\foo.wim<\/strong><\/em><\/li>\n\n\n\n<li>@0x48 &#8211; 0x00000002, 0x00000020 (rounded up to an 8-byte boundary) <em><strong>C:\\testmountwim<\/strong><\/em><\/li>\n\n\n\n<li>@0x70 &#8211; 0x00000003, 0x0000004C (rounded up to an 8-byte boundary) <strong><em>C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\<\/em><\/strong><\/li>\n\n\n\n<li>@0xC8 &#8211; 0x00000004, 0x00000008 ?<\/li>\n\n\n\n<li>@0xD8 &#8211; 0x00000005, 0x00000048 ? &#8211; the last part is the <strong><em>C:\\WINDOWS\\Logs\\DISM\\dism.log<\/em><\/strong> path (also aligned to an 8-byte boundary)<\/li>\n<\/ul>\n\n\n\n<p>The string lengths include the terminating NUL: <em>C:\\foo.wim<\/em> is 10 characters, i.e. 20 bytes of UTF-16, and its record length is 0x16 = 22. The offsets add up too: 0x28 + 8 + 24 (0x16 rounded up) = 0x48, 0x48 + 8 + 0x20 = 0x70, 0x70 + 8 + 0x50 (0x4C rounded up) = 0xC8, 0xC8 + 8 + 8 = 0xD8, and 0xD8 + 8 + 0x48 = 0x128, the total size in the first DWORD.<\/p>\n\n\n\n<p>The last string referenced in the ADS is the name of a log file that is actively written to, and it is a forensic gold mine: it carries very detailed logging straight from the <em>dism.exe<\/em> tool. An excerpt from that log makes sense of the &#8216;hash&#8217; observed at 0x10: it is actually the mount GUID.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">2024-12-28 14:25:40, Info                  DISM   DISM.EXE: Executing command line: Dism  \/Mount-Image \/ImageFile:\"foo.wim\" \/MountDir:C:\\testmountwim\n2024-12-28 14:25:40, Info                  DISM   DISM Imaging Provider: PID=3908 TID=244 WIM image specified - CGenericImagingManager::GetImageInfoCollection\n[3908.244] Mounting new image.\nWim:         [C:\\foo.wim]\nImage Index: [1]\nMount Guid:  [e242237c-66ed-4958-b9ec-c49b07eaeeb5]\nMount Path:  [C:\\testmountwim]\n[3908.244] Wimserv process started for mount guid e242237c-66ed-4958-b9ec-c49b07eaeeb5; PID is 2820\n[2820.2864] Registered log file(s) for mount of wim at C:\\foo.wim.\n[2820.2864] Mount complete.<\/pre>\n\n\n\n<p>Analysis of this default DISM log file may bring a lot of interesting information about the mounting and unmounting 
activities happening on the system, so it may be a valuable forensic artifact to collect, parse, and interpret.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my old post I listed a number of &#8216;good Alternate Data Streams (ADS)&#8217;, and one of them was called $WIMMOUNTDATA. I just came across the very same ADS again during one of my procmon tests, so I decided to &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/12\/28\/wimmountdata-ads\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9767"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9767"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9767\/revisions"}],"predecessor-version":[{"id":9780,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9767\/revisions\/9780"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}