Scriptable Anti Live Forensics – POC

Posted: June 25, 2009 in (anti)Forensics

In short: this, plus Python support. I’ve finally decided to build alpha POC code for the idea I already blogged about. Some of you might wonder why I chose to support Python, seeing that I previously wrote about it and hated/loved it. Well, because afaik it’s the easiest language to embed inside C. Oh, and the reason I added support for a scripting language at all is that some things are just so much easier when done in a scripting language. So let’s see the actual code (make sure you read my previous blog post, else the next part might sound like total gibberish).

For the visually inclined, here are two videos showing it detecting things like the following:

http://www.youtube.com/watch?v=erq4TO_a3z8
http://www.youtube.com/watch?v=-G8sEYCOv-o

The code is written for win32 and has been tested on Windows XP SP3 with Python 2.6 installed.

The C file
The H file
The INI file

That’s all you need to get this going; there are just a couple of things you should watch out for.

  • make sure your include path points to where the Python header files are (c:\python26\include)
  • make sure your lib path points to where the Python lib files are (c:\python26\libs)
  • make sure you compile in release mode, because if you compile in debug mode the build will complain that it can’t find a Python debug library.

So what does this produce (you should already know if you read my previous post)?

Starting SALF – Scriptable Anti Live Forensics
POC by DiabloHorn – https://diablohorn.wordpress.com
[*] pluginpath: E:\CProjects\plugins\
[*] dll filter: *_ALF.dll
[*] python filter: *_ALF.py
[*] refreshping: 30000
[*] Searching for plugins
[*] Starting to load plugins
[*] dll_plugins: 1
[*] Found: E:\CProjects\plugins\PingLock_ALF.dll
[*] py_plugins: 1
[*] Found: E:\CProjects\plugins\RemoteMac_ALF.py
[*] Running DLL plugins
[**] ALERT!!!
[*] Running Python plugins
[*] Sleeping: 30 seconds
[*] Running DLL plugins
[**] ALERT!!!
[*] Running Python plugins
[*] Sleeping: 30 seconds
[*] Running DLL plugins

Because it’s POC code it only prints “ALERT!!!”; you can easily change this to lock your screen or take any other action you prefer. Here is an example of building a “gateway mac address checker” in Python:

RemoteMac_ALF.py
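As an added illustration of what such a plugin does (written for this page in Python 3, not the RemoteMac_ALF.py linked above), the checker below parses the local ARP cache and alerts when the gateway is missing or answers with a MAC other than the one recorded for the home network. The `alf_check()` entry point, the gateway IP/MAC pair and the sample `arp -a` output are assumptions constructed for the example.

```python
import re
import subprocess

# Constructed configuration: the gateway this box expects on its home network.
# A real plugin would take these from the INI file the host already reads.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# One resolved ARP entry: IP, then MAC (Windows prints '-' separators, Linux ':')
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b")

def normalize_mac(mac):
    """Canonical lowercase colon form so '00-11-22-33-44-55' equals '00:11:22:33:44:55'."""
    return mac.replace("-", ":").lower()

def parse_arp_table(text):
    """Map IP -> MAC for every resolved entry of 'arp -a'; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def check_gateway(arp_text, gateway_ip=GATEWAY_IP, expected_mac=GATEWAY_MAC):
    """Return (alert, reason). Alert if the gateway is missing from the cache (box
    unplugged or moved to another network) or answers with a different MAC
    (different router, or someone impersonating the gateway on the wire)."""
    want = normalize_mac(expected_mac)
    seen = parse_arp_table(arp_text).get(gateway_ip)
    if seen is None:
        return True, "gateway %s not in ARP cache" % gateway_ip
    if seen != want:
        return True, "gateway MAC changed: expected %s, saw %s" % (want, seen)
    return False, "gateway MAC ok"

def alf_check():
    """Hypothetical entry point the C host would call every refresh cycle; True = alert."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return check_gateway(out)[0]

# Constructed sample of Windows 'arp -a' output as seen on the home network
SAMPLE_ARP = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
```

Run as a plugin it shells out to `arp -a`; the sample table lets you exercise `check_gateway()` offline with a swapped or missing gateway entry.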

With Python support a lot of things become possible with just a few lines of code; think, for example, of the endless possibilities you can implement with scapy.

There is still a lot to improve upon and a lot of bugs to fix. But hey, it’s a start, and in my little test lab it worked fine. I have some more ideas about how it should finally look and what its functionality should be. If I have some spare time I’ll write a paper about it to make it all clear, with some pretty pictures.

For those wondering how to lock your workstation in C:

//define these somewhere
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

//the pointer is called pLockWorkStation because user32's own LockWorkStation()
//is already declared in winuser.h and a variable with that name would collide with it
typedef BOOL (WINAPI * MyLockWorkStation)(void);
MyLockWorkStation pLockWorkStation = NULL;
HMODULE hinstLibUser32 = NULL;

//then just call this function and all should be ok
void SetupLockFunc(){
 hinstLibUser32 = LoadLibraryA("USER32.DLL");
 if (hinstLibUser32){
 pLockWorkStation = (MyLockWorkStation) GetProcAddress(hinstLibUser32, "LockWorkStation");
 }else{
 printf("LoadLibrary() failed on user32.dll, error %lu\n", GetLastError());
 exit(1);
 }

 if(pLockWorkStation == NULL){
 printf("GetProcAddress() failed on user32.dll, error %lu\n", GetLastError());
 exit(1);
 }
}

//you can run it like (SetupLockFunc() must have been called once before)
SetupLockFunc();
pLockWorkStation();

IF YOU DECIDE TO USE THIS TO PROTECT YOUR COMPUTER MAKE SURE U REVIEW THE SOURCECODE. I AM NOT RESPONSIBLE IF THIS DOESN’T WORK ON YOUR PARTICULAR CONFIGURATION.

Sorry for the above “warning” but some people just don’t understand that alpha code is buggy and not ready for production.
