
Friday, June 23, 2017

Difference between pslist and psscan

pslist:
The pslist module uses the same algorithm as the tasklist command run on a live system; Windows Task Manager takes the same approach. pslist walks the list of active process structures that the Windows kernel maintains.

The Windows kernel uses the EPROCESS data structure to describe each running process. The contents of the EPROCESS structure let the OS determine where in memory the code and the process address space are located, and which threads belong to the process. The structure also contains pointers to the structure that allows Windows (and memory analysis tools) to map virtual memory to physical memory. In addition, the EPROCESS structure contains the pointers that make up a doubly linked circular list of active processes: a forward pointer from one process's EPROCESS structure points to the next process's EPROCESS structure, and a backward pointer holds the address of the previous process's EPROCESS structure. The head of this doubly linked list of EPROCESS structures is PsActiveProcessHead.

Fig. 1
The linked list shown in Fig. 1 is what tools such as Windows Task Manager, tasklist and Volatility's pslist use to display the processes running on the system.
However, a malicious process can remove its EPROCESS block from this list while continuing to run, because the list is not what the kernel scheduler uses to switch context and execute the process. Therefore, one method rootkits use to hide processes is simply to unlink the process from the active process list. Once unlinked, the process is hidden from most standard process enumeration tools.
The unlinked process keeps running normally after the list is modified because scheduling in the Windows kernel is based on threads, not processes. Manipulating kernel structures in memory to hide a process is called Direct Kernel Object Manipulation (DKOM). This is why psscan came into existence.
Usage:
python vol.py -f ~/Downloads/unknown.img pslist
Fig. 2
psscan:
The psscan module does not trust the linked list of processes; instead, it searches memory heuristically for EPROCESS structures that represent processes. Hence it lists all processes, even those hidden by a rootkit and not shown by Volatility's pslist or by the Windows tasklist command. Any discrepancy between the process lists shown by pslist and psscan suggests that a rootkit is installed.
psscan2 is an optimized version of psscan that finds hidden processes by scanning memory with a signature for the process data structure. But even signature scans can be evaded by crafty attackers. Signatures typically rely on "magic" values found in the process data structure. For example, in Windows XP the process data structure always begins with "\x03\x00\x1b\x00", which makes it fairly easy to find in memory images.
But what if the attacker simply overwrites those four bytes with zeroes? Windows keeps running the process, so a process using this technique evades psscan2 as well, which gave birth to psscan3.
psscan3 is based on signatures that are hard for an attacker to tamper with.
Usage:
python vol.py -f ~/Downloads/unknown.img psscan
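To make the difference between the list walk and the scanners concrete, here is an added example written for this post; it is not Volatility's code and it does not use the real EPROCESS layout. It builds a toy memory image of EPROCESS-like records (a constructed layout), walks the active list the way pslist does, scans for the XP magic the way a signature scanner does, and then applies a small invariant-based scan that stands in for the psscan3 idea of signatures an attacker cannot easily zero out. The record layout, the addresses, the process names and PIDs, and the invariant checks are all assumptions for illustration.

```python
import struct

# Toy "memory image" constructed for this added example (not Volatility's code).
# Each process is a fixed-size EPROCESS-like record; the layout is an assumption
# for illustration, not the real Windows EPROCESS layout:
#   0: magic b"\x03\x00\x1b\x00" (the XP-era value the post quotes)   4: PID
#   8: Flink (address of the next record)   12: Blink (previous record)
#   16: 16-byte ImageFileName, NUL padded
# Address 0 holds the list head (Flink/Blink at the same offsets, no magic),
# standing in for PsActiveProcessHead.
IMAGE_SIZE, REC_SIZE = 0x1000, 32
MAGIC = b"\x03\x00\x1b\x00"
HEAD = 0
PID_OFF, FLINK_OFF, BLINK_OFF, NAME_OFF = 4, 8, 12, 16
REC_FMT = "<4sIII16s"

def _u32(image, off):
    return struct.unpack_from("<I", image, off)[0]

def _parse(image, addr):
    _magic, pid, _flink, _blink, name = struct.unpack_from(REC_FMT, image, addr)
    return (pid, name.rstrip(b"\0").decode())

def build_image(procs):
    """Build the constructed image with one linked record per (pid, name)."""
    image = bytearray(IMAGE_SIZE)
    addrs = [0x100 + i * 0x80 for i in range(len(procs))]  # scattered, with gaps
    for i, (addr, (pid, name)) in enumerate(zip(addrs, procs)):
        prev_addr = addrs[i - 1] if i > 0 else HEAD
        next_addr = addrs[i + 1] if i + 1 < len(addrs) else HEAD
        struct.pack_into(REC_FMT, image, addr, MAGIC, pid, next_addr, prev_addr,
                         name.encode())
    struct.pack_into("<I", image, HEAD + FLINK_OFF, addrs[0])   # head -> first
    struct.pack_into("<I", image, HEAD + BLINK_OFF, addrs[-1])  # head <- last
    return image, addrs

def dkom_unlink(image, addr):
    """Reproduce the DKOM condition the post describes: the record is spliced
    out of the active list but left intact in memory, so it still runs."""
    prev_addr, next_addr = _u32(image, addr + BLINK_OFF), _u32(image, addr + FLINK_OFF)
    struct.pack_into("<I", image, prev_addr + FLINK_OFF, next_addr)
    struct.pack_into("<I", image, next_addr + BLINK_OFF, prev_addr)

def zero_magic(image, addr):
    """The evasion the post mentions: overwrite the four magic bytes with zeroes."""
    image[addr:addr + 4] = b"\0\0\0\0"

def pslist(image):
    """List walk, as pslist/tasklist do: follow Flink from the head until it wraps."""
    found, cur, steps = [], _u32(image, HEAD + FLINK_OFF), 0
    while cur != HEAD and steps < IMAGE_SIZE // REC_SIZE:  # guard against a corrupted loop
        found.append(_parse(image, cur))
        cur = _u32(image, cur + FLINK_OFF)
        steps += 1
    return found

def psscan_magic(image):
    """Signature scan in the psscan2 style: any aligned offset that starts with the magic."""
    return [_parse(image, off) for off in range(0, IMAGE_SIZE - REC_SIZE + 1, 4)
            if image[off:off + 4] == MAGIC]

def psscan_robust(image):
    """Scan on invariants a live process cannot do without (toy stand-in for the
    psscan3 idea of signatures that are hard to tamper with, not its real
    heuristics): aligned in-range Flink/Blink, a plausible PID, a printable name."""
    found = []
    for off in range(0, IMAGE_SIZE - REC_SIZE + 1, 4):
        pid = _u32(image, off + PID_OFF)
        links = (_u32(image, off + FLINK_OFF), _u32(image, off + BLINK_OFF))
        name = bytes(image[off + NAME_OFF:off + NAME_OFF + 16]).rstrip(b"\0")
        if not (0 < pid < 65536 and pid % 4 == 0):  # Windows PIDs are multiples of 4
            continue
        if not all(p % 4 == 0 and p <= IMAGE_SIZE - REC_SIZE for p in links):
            continue
        if not name or b"\0" in name or not all(32 < c < 127 for c in name):
            continue
        found.append(_parse(image, off))
    return found

def hidden_processes(image):
    """The discrepancy the post says points to a rootkit: scanned but not listed."""
    listed = {pid for pid, _ in pslist(image)}
    return [(pid, name) for pid, name in psscan_robust(image) if pid not in listed]

def demo():
    procs = [(4, "System"), (368, "smss.exe"), (556, "csrss.exe"), (1840, "hidden.exe")]
    image, addrs = build_image(procs)
    dkom_unlink(image, addrs[3])                  # hidden.exe unlinked from the list
    after_unlink = (len(pslist(image)), len(psscan_magic(image)))
    zero_magic(image, addrs[3])                   # and its magic bytes zeroed
    after_zero = (len(psscan_magic(image)), len(psscan_robust(image)))
    return after_unlink, after_zero, hidden_processes(image)

if __name__ == "__main__":
    print(demo())
```

Running it prints ((3, 4), (3, 4), [(1840, 'hidden.exe')]): after the unlink the list walk sees three processes while the magic scan still sees four; once the magic bytes are zeroed the magic scan also drops to three, while the invariant scan still finds all four, and hidden_processes reports the one entry that is scanned but not listed. On a real image the same comparison is done by diffing the pslist and psscan output on PID and offset.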


Ref: http://moyix.blogspot.in/2010/07/plugin-post-robust-process-scanner.html
