Reverse engineering windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-response to monitor changes taking place on a live system’s RAM that appear as a result of manipulating the targeted structures’ content. The technique is used in the discovery of the process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.
The privileges plugin can be found in the latest version of the Volatility Framework.