
Golden Virtual Machine Protection Agentless memory integrity monitoring

ktwo/ShaneK2 edited this page Jul 23, 2017 · 1 revision

Quick Setup

This is a brief introduction to setting up a secure hash database that delivers strong memory protection guarantees. By using a golden image, the guesswork of determining whether you're dealing with a compromised system, malware, bad actors or anything else goes away.

Build your database

There are actually 3 databases:

The Hash DB (HDB)

The hash DB contains portions of the secure hash output (by default 64 hash values are generated per 4096-byte block) and also lets you reference the metadata database. That is useful when you are faced with a partial match and want to know which code is not behaving.

The Meta DB (MDB)

The MetaDB is an XML file that contains records of all the input files that built your HDB: in particular the file attributes, name, path, access time and detailed file version information from the associated binary resource sections.

The Bitmap DB (BDB)

The BDB is used to accelerate the verification procedure and can be used when you're looking for quick information that does not require a metadata lookup. Most of the time you can simply use bitmap checks to get an idea of the level of memory integrity or of misbehaving software. The BDB reports changes down to very small granularity (64- or 128-byte slices).
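To make the three-database idea concrete, here is an added, self-contained Python illustration (not inVtero.net's code, on-disk format or API). It uses the page's stated default of 64 hash values per 4096-byte block, which means one hash per 64-byte slice. The "HDB" is a set of truncated slice hashes used for bitmap-style membership checks, the "MDB" maps each hash back to (file, page, slice) so a partial match can be traced to the file it came from, and the golden image and the tampered snapshot page are constructed sample data.

```python
"""Toy golden-image hash database: sub-page slice hashing and verification.

Constructed illustration of the HDB/BDB/MDB idea described above
(64 hashes per 4096-byte page). Not inVtero.net's format or API.
"""
import hashlib
from typing import Dict, List, Set, Tuple

PAGE_SIZE = 4096
SLICE_SIZE = 64        # 4096 / 64 = 64 hash values per page (the page's default)
HASH_BYTES = 8         # keep only a portion of each digest, as the HDB does


def slice_hashes(page: bytes, slice_size: int = SLICE_SIZE) -> List[bytes]:
    """Hash every slice_size-byte window of one page-sized block."""
    if len(page) != PAGE_SIZE:
        raise ValueError("expected exactly one page")
    return [hashlib.sha256(page[i:i + slice_size]).digest()[:HASH_BYTES]
            for i in range(0, PAGE_SIZE, slice_size)]


def build_db(golden_files: Dict[str, bytes]) -> Tuple[Set[bytes], Dict[bytes, List[tuple]]]:
    """Build the hash set (HDB, bitmap-style membership) and the meta index
    (MDB: slice hash -> [(file name, page index, slice index), ...])."""
    hdb: Set[bytes] = set()
    mdb: Dict[bytes, List[tuple]] = {}
    for name, data in golden_files.items():
        # Pad the tail so a trailing partial page is still covered.
        padded = data + b"\x00" * (-len(data) % PAGE_SIZE)
        for pno in range(len(padded) // PAGE_SIZE):
            page = padded[pno * PAGE_SIZE:(pno + 1) * PAGE_SIZE]
            for sno, h in enumerate(slice_hashes(page)):
                hdb.add(h)
                mdb.setdefault(h, []).append((name, pno, sno))
    return hdb, mdb


def verify_page(page: bytes, hdb: Set[bytes]) -> List[int]:
    """Bitmap-style check: indices of slices NOT present in the golden set."""
    return [i for i, h in enumerate(slice_hashes(page)) if h not in hdb]


def explain_page(page: bytes, hdb: Set[bytes], mdb: Dict[bytes, List[tuple]]) -> dict:
    """Partial-match triage: which slices differ, how many bytes that covers,
    and which golden file(s) the matching slices were loaded from."""
    bad = verify_page(page, hdb)
    origins = {rec[0] for h in slice_hashes(page) for rec in mdb.get(h, [])}
    return {
        "mismatched_slices": bad,
        "mismatched_bytes": len(bad) * SLICE_SIZE,
        "candidate_files": sorted(origins),
    }


# Constructed golden image: 3 pages of non-repeating bytes standing in for a driver.
GOLDEN_IMAGE = b"".join(hashlib.sha256(b"golden-%d" % i).digest() for i in range(384))
GOLDEN_FILES = {"driver.sys": GOLDEN_IMAGE}


def run_demo() -> dict:
    """Build the databases, then verify a snapshot page patched in two places."""
    hdb, mdb = build_db(GOLDEN_FILES)
    clean_page = GOLDEN_IMAGE[:PAGE_SIZE]
    assert verify_page(clean_page, hdb) == []      # untouched page matches fully
    tampered = bytearray(clean_page)
    tampered[200:203] = b"XYZ"                     # offset 200 -> slice 3
    tampered[4000:4001] = b"!"                     # offset 4000 -> slice 62
    return explain_page(bytes(tampered), hdb, mdb)


if __name__ == "__main__":
    print(run_demo())
```

The two patched bytes ranges show up as slices 3 and 62, i.e. 128 bytes flagged out of 4096, and the remaining slices still map back to `driver.sys`, which is exactly the partial-match situation the MDB is there to explain.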

DBLoad.py included in the application folder

Simply configure the mount point or folder that you would like to build the checklist from. Below is a commented set of Python commands to enter into the "quickdumps" shell to build the DB.

```python
#
# The folder you are loading from
#
importFolder = "F:\\"

#
# 16GB = 1 BILLION entries (keep this around 75% full max)
#
DBSize = 1024*1024*1024*16

#
# aBufferCount can be as large as you have sufficient RAM
# The loading procedure is designed to run very quickly, usually
# the limiting speed is your hard drive.
#
aBufferCount = 60000000

#
# Setup a MetaDB Folder, smallest block size (the smaller you make it, the larger the DB)
#
WorkingFolder = "c:\\temp\\inVtero.net"
SmallestBlock = 128
mdb = MetaDB(WorkingFolder, aBufferCount, SmallestBlock, aBufferCount)

#
# This will start extracting the hash information from your hard drive and compiling the HDB/BDB/MDB
#
fl = mdb.Loader
fl.LoadFromPath(importFolder)

#
# Save the MDB
#
mdb.Save()
```

That's it! You can now validate snapshots of the system you loaded the image from (or of any other system running the same software).