Monday, January 21, 2019

Daily Blog #604: New Amcache Research Paper you really should read

Hello Reader,
      If you've been following the blog and the test kitchens you would have seen that both myself and Maxim Suhanov have been testing and talking a lot about the Amcache, which led to our findings about the Syscache hive. Well, it looks like we are not alone in our quest to truly understand this artifact, since Blanche Lagny of the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), aka the French National Cybersecurity Agency, has released today at least a year's worth of research into not only the Amcache structure but also:

  • What processes populate the Amcache
  • What determines the format of the Amcache data (DLL versions, not Windows versions)
  • What determines the behavior of the Amcache storage (again, it's DLL versions)
  • and much more

If you are at all interested in the Amcache and want to understand it at a deeper level I would highly recommend you read this:
http://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

Please note that, as with any other paper, Lagny has both timing and scope limitations, so this paper doesn't include every possible facet of the Amcache, such as what it does not log or how the latest version of Windows 10 populates it. It's not that she is not aware of the other data points; it's that they are hopefully going to be covered by future papers.
