Hi List
I am writing a Volatility plugin for Cuckoobox:
https://github.com/Thorsten-Sick/cuckoo/tree/volatility
That allows us to automate malware analysis. Cuckoobox runs the malware
and creates a memory snapshot. Volatility extracts the information, and
Cuckoobox afterwards generates nice reports from that.
These are ready for statistics and automated processing.
I hope to get the changes into the next Cuckoobox 0.7.
But at the moment, using Volatility 2.2, I had to duplicate some code from
the Volatility plugins in Cuckoobox. I need data (a Python dict), not a
text log. Instead of duplicating code, I would love to have a method in
the Volatility plugins that returns the data instead of some text log. I
would code that and (if you want) re-create the render_text methods to
also use the data from this method.
* What do you think?
* Where to submit it for fast review and integration?
* Any other requirements?
* For which Volatility version should I code? (As far as I know you are
about to release 2.3 soonish.)
Cheers
Thorsten Sick
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
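The split proposed above, as an added example that is neither Cuckoo nor Volatility code: a plugin-shaped class whose calculate() yields raw objects, a hypothetical as_records() that turns them into plain dicts for automation, and a render_text() rebuilt on top of as_records() so the text and the data can never drift apart. The method names calculate()/render_text() follow the Volatility 2.x plugin convention; the Process tuple, the sample rows and the helper names are constructed for this example.

```python
"""Added example (not Cuckoo or Volatility code): separating a plugin's
data from its text rendering so an automation consumer gets a dict.

calculate()/render_text() mirror the Volatility 2.x plugin convention;
as_records(), records_as_json() and render_to_string() are hypothetical
helpers; Process and SAMPLE_PROCESSES are constructed stand-ins for the
objects a real calculate() would yield."""
import io
import json
import sys
from collections import namedtuple

# Constructed stand-in for the _EPROCESS-like objects calculate() yields.
Process = namedtuple("Process", "offset name pid ppid threads handles")

SAMPLE_PROCESSES = [
    Process(0x823C8830, "System", 4, 0, 58, 379),
    Process(0x822F4268, "smss.exe", 368, 4, 3, 19),
    Process(0x81F9B020, "explorer.exe", 1464, 1440, 17, 548),
]


class PsListLike(object):
    """Minimal plugin shaped like a Volatility 2.x command."""

    columns = ("Offset", "Name", "PID", "PPID", "Thds", "Hnds")

    def __init__(self, processes=None):
        self._processes = SAMPLE_PROCESSES if processes is None else processes

    def calculate(self):
        """Yield raw objects, exactly as a plugin's calculate() does today."""
        for proc in self._processes:
            yield proc

    def as_records(self, data=None):
        """Return one plain dict per row: the form an automation consumer wants.
        Values are coerced to native int/str so the result is JSON-serialisable
        (real plugin objects are lazily-evaluated wrappers, not plain ints)."""
        data = self.calculate() if data is None else data
        return [
            {
                "offset": int(proc.offset),
                "name": str(proc.name),
                "pid": int(proc.pid),
                "ppid": int(proc.ppid),
                "threads": int(proc.threads),
                "handles": int(proc.handles),
            }
            for proc in data
        ]

    def render_text(self, outfd, data):
        """Text output derived from as_records(), so both views share one source."""
        outfd.write("{:<12} {:<20} {:>6} {:>6} {:>6} {:>6}\n".format(*self.columns))
        for rec in self.as_records(data):
            outfd.write("{:#012x} {:<20} {:>6} {:>6} {:>6} {:>6}\n".format(
                rec["offset"], rec["name"], rec["pid"], rec["ppid"],
                rec["threads"], rec["handles"]))


def records_as_json(plugin):
    """What a Cuckoo-style report step would persist: the records as JSON."""
    return json.dumps(plugin.as_records(), sort_keys=True)


def render_to_string(plugin):
    """The legacy text form, captured into a string instead of a file."""
    buf = io.StringIO()
    plugin.render_text(buf, plugin.calculate())
    return buf.getvalue()


if __name__ == "__main__":
    plugin = PsListLike()
    plugin.render_text(sys.stdout, plugin.calculate())
    print(records_as_json(plugin))
```

With this shape a consumer calls as_records() and never parses the table, while `vol.py`-style text users see the same columns as before.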
Hi developers and enthusiasts,
A while ago I introduced myself here, as I am doing a study into user
space memory forensics.
My goal is to develop a general method to extract information from
user space, from any process. The past few months I have worked on
some proof of concepts, and some basic experimentation. This has all
been fairly easy, but I want to do something more complex. Today I am
mailing you to ask for some ideas and suggestions.
To give you an idea of what I have done so far (and the level I'm
working on), here's a short list:
- Extract register contents from the process kernel stack
- Determine the exact locations of stack frames
- Make a list of all process threads and access their stacks
- Walk a list of pointers and do heuristic search on small structs,
such as common networking structs
(NOTE: all using a Linux dump)
All of this worked fairly well, and it was fun, but not exactly
groundbreaking. I thought it would be best to ask the advice from
professionals before I continue.
The direction I would like to take is doing something more foolproof
than a heuristic search, I would rather derive the location of
structures using information in memory.
One idea I had was to identify the whole stack trace (i.e. including
function names) and use this to find struct locations. Since there is
always the issue of missing symbols, I would somehow have to
reintroduce these, and also figure out how dynamic symbols work. I am
especially interested in common libraries with this approach, since
something I can apply to libraries, I can apply to many processes.
Another idea I had would be to use the source/headers of the
application, maybe similar to the way Volatility uses the symbols for
the kernel.
Now I don't really have a question about this, I am just looking for
ideas. Please tell me if you think my ideas are good, or bad. If you
read this and wonder why I don't do X instead of Y, please ask me.
Feel free to mention any problems you see coming. I am really looking
for a discussion here. The only requirements I have at this moment are
that it stays roughly the same topic and it is academically relevant.
That last part also means that if you know about somebody doing
exactly this, do let me know, so I can do something else.
If you know of any technical documentation or scientific research in
the area, I'm also interested in that. The most relevant paper (in the
whole topic of user space memory forensics) I have read so far is
"Digging for Data Structures", Cozzie et al (thanks emdel for showing
me that one).
I permanently reside on IRC, Freenode/#volatility, if anyone cares to
chat some more about the topic.
Cheers,
Edwin
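One concrete form of "derive the location from information in memory" rather than scanning, as an added example that is not Edwin's code: follow the saved frame-pointer chain in a raw user-space stack image to recover each frame's location and return address, then turn the frames into bounded regions where locals and arguments must lie. It assumes 32-bit x86 with the classic `push ebp; mov ebp, esp` prologue (so every frame holds [saved EBP][return address] at EBP and EBP+4); the stack image, its base address and the register values are constructed for the example, and the function names are hypothetical.

```python
"""Added example (not from the post): walking an x86 (32-bit) frame-pointer
chain in a raw stack image instead of heuristically scanning for pointers.

Assumes frames built by 'push ebp; mov ebp, esp', i.e. [saved EBP][ret]
at EBP/EBP+4. STACK_BASE, the stack bytes and the register values are
constructed; walk_frames/frame_regions are hypothetical helper names."""
import struct

STACK_BASE = 0xBFFFE000          # constructed: lowest address of the stack image


def build_sample_stack():
    """Construct a 256-byte little-endian stack image with three linked frames.

    Frame layout (addresses grow upward):
      0xBFFFE040: saved EBP -> 0xBFFFE080, ret -> 0x08048A10
      0xBFFFE080: saved EBP -> 0xBFFFE0C0, ret -> 0x08048B20
      0xBFFFE0C0: saved EBP -> 0x00000000, ret -> 0xB7E3A4D3  (outermost)
    Everything else is filler (0xAA) standing in for locals and arguments.
    """
    img = bytearray(b"\xAA" * 256)
    frames = [
        (0xBFFFE040, 0xBFFFE080, 0x08048A10),
        (0xBFFFE080, 0xBFFFE0C0, 0x08048B20),
        (0xBFFFE0C0, 0x00000000, 0xB7E3A4D3),
    ]
    for addr, saved_ebp, ret in frames:
        off = addr - STACK_BASE
        img[off:off + 8] = struct.pack("<II", saved_ebp, ret)
    return bytes(img)


def walk_frames(stack, stack_base, ebp, max_frames=64):
    """Follow saved-EBP links from the EBP register value.

    Returns [(frame_addr, return_addr), ...], innermost first. Stops on a
    null link, a link outside the image or misaligned, a link that does not
    move toward higher addresses (loop or garbage), or after max_frames.
    """
    frames = []
    stack_end = stack_base + len(stack)
    while ebp and len(frames) < max_frames:
        if ebp < stack_base or ebp + 8 > stack_end or ebp % 4:
            break                      # not a plausible frame pointer
        saved_ebp, ret = struct.unpack_from("<II", stack, ebp - stack_base)
        frames.append((ebp, ret))
        if saved_ebp and saved_ebp <= ebp:
            break                      # frames must grow toward higher addresses
        ebp = saved_ebp
    return frames


def frame_regions(frames, esp):
    """Bounded [lo, hi) region belonging to each frame.

    The innermost region starts at ESP; each later one starts just past the
    previous frame's saved EBP and return address. A function's locals (and
    the arguments its caller pushed) lie inside its region, so any struct
    scan can be confined to these ranges instead of the whole stack.
    """
    regions = []
    lo = esp
    for frame_addr, _ret in frames:
        regions.append((lo, frame_addr))
        lo = frame_addr + 8            # skip saved EBP and return address
    return regions


if __name__ == "__main__":
    stack = build_sample_stack()
    frames = walk_frames(stack, STACK_BASE, ebp=0xBFFFE040)
    for (addr, ret), (lo, hi) in zip(frames, frame_regions(frames, esp=0xBFFFE020)):
        print("frame @ {:#x} ret {:#x} data [{:#x}, {:#x})".format(addr, ret, lo, hi))
```

Code compiled with -fomit-frame-pointer breaks the chain, which is exactly the point where the missing-symbol problem mentioned above (unwind tables instead of frame pointers) comes in.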
All,
This is my first post in this forum, and I am also very new to this
website, so please excuse my ignorance.
This is a fantastic project no doubt.
Now, coming to my questions:
1. Is it possible to run Volatility on a running 'live' VM's memory? That
is, assuming that I have VMware Workstation running, can I use the live
vmem file as input and get reliable outputs?
2. If 1 is possible, then is it possible to generate a breakpoint or get
a callback when a particular memory location is hit? I ask this because,
assuming that an executable is loaded in certain pages inside the vmem, and
I want to get notified when a particular function of that loaded executable
is called, this would mean that when the virtual CPU executes the first
instruction of that function I need a callback. Is that possible?
thanks in advance...
--
- ab
Hi all,
I'm wondering whether I can use Volatility to get the free memory pages of
the operating system. I have looked up the wiki pages but couldn't find
any primitive operation that returns a list of free memory pages.
I believe getting free memory pages will be beneficial to many areas
including VM migration and efficient memory management of multiple
VMs. Does anyone have an idea?
--
Kiryong
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. This time we are demoing a feature
that will allow automated Volatility plugin generation with our Dalvik
Inspector tool. We think our results will be of great interest to the DFIR
community and look forward to your feedback. We plan on releasing the
tool this year at Black Hat.
The blog post can be found here:
http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik…
---
*Joe T. Sylve, M.S.*
Co-Founder
504ENSICS Labs
(504) 210-8270 (Office)
http://www.504ensics.com
PGP Key: http://www.504ensics.com/pgp_keys/joesylve.asc
For those of you interested in applying memory forensics to your
malware analysis and rootkit detection efforts, we've just posted a
new blog with some exciting news and updates:
http://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-vol…
* Volatility 2.3 will enter beta this week and we'll introduce the new
features over the next four weeks (Month of Volatility Plugins II).
* There are three training courses open for registration (Reston in
June, Netherlands in September, Vermont in November). Email
voltraining(a)memoryanalysis.net for details.
* The plugin contest submissions are starting to trickle in. Enter to
win over $2250 in cash or a free seat at an upcoming training.
* This year's Open Memory Forensics Workshop will be in Chantilly VA
on November 4th, alongside OSDFC (Open Source Digital Forensics
Conference). CFP to be announced soon.
All the best,
Jamie / @gleeda
The Volatility Project
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Hi List,
It's my first post here, so first of all, thanks a lot for this project !
I'm currently working with Volatility 2.2 (testing with 2.3 too) to link it with
DFF [1]. I've almost finished my module, but a co-worker provided me a dump
acquired via VirtualBox. Therefore, I used the latest vboxelf.py available in
trunk on the svn, but here is the problem:
DFF's API provides a mechanism to represent file mapping: logical offset, size,
physical offset and underlying file for each chunk of data. This is how we are
able to have access to all exe, dlls and modules without having to extract them
with Volatility. Precisely, I adapted the code used by procexedump to be able to
push each chunk. At least, I have the same sha1 as files created with
procexedump even if some chunks are overlapping, but this is off topic.
So, when having the following layers, everything is OK:
AS Layer 1 JKIA32PagedMemoryPae ( Kernel AS )
AS Layer 2 dffAdressSpace ( /Logical files/ds_fuzz_hidden_proc.img )
__But__ when dealing with the following ones:
AS Layer 1 JKIA32PagedMemoryPae ( Kernel AS )
AS Layer 2 VirtualBoxCoreDumpElf64 ( Unnamed AS )
AS Layer 3 dffAdressSpace ( /Logical files/Window7_2013-04-24_18_51_39.310504 )
Content for each exe, dll and module is wrong. In the code where I push chunks
for each file, I use the vtop() method of the corresponding address space, but since
there is another level here, I'm missing the last translation of the address.
The vtop() returns what could be seen as a virtual address for Layer 2.
So I dug into the code of vboxelf.py and saw there was a get_addr() method I could
use, but it is not a "standardized" method. The issue would be the same with a
dump acquired with LiME for example (which has a __get_offset() method itself).
So here is my question: could it be possible to implement a standard method in
each address space plugin to be able to obtain the corresponding address for
the underlying layer? Finally, either having a global function iterating on
each layer to provide the "absolute" physical address or something like that.
Regards,
[1] http://www.digital-forensic.org/
--
Frédéric Baguelin frederic.baguelin(a)arxsys.fr
ArxSys SAS, Directeur technique
Tél: +33 146 362 522
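The "global function iterating on each layer" asked for above, as an added example that is neither Volatility nor DFF code: three constructed layers shaped like the ones in the post (a paged kernel AS on top of a run-mapped VirtualBox-core-style AS on top of the file), each exposing only its own vtop() and a .base pointing at the layer beneath it, which is how Volatility 2.x address spaces are chained. resolve_to_file_offset() keeps calling vtop() down the chain until there is no base, and file_chunks() produces the (logical offset, length, file offset) triples per page that a DFF-style file mapping needs. The page tables, run table and every name in the block are constructed or hypothetical.

```python
"""Added example (not Volatility or DFF code): translating a virtual address
through a stack of address-space layers down to an offset in the dump file.

Each layer exposes vtop(addr) for its own translation and .base for the
layer beneath it (the Volatility 2.x chaining convention). FileAS,
RunMappedAS, PagedAS, resolve_to_file_offset, file_chunks and build_layers
are hypothetical names; all mappings below are constructed."""


class FileAS(object):
    """Bottom layer: addresses are already offsets into the dump file."""
    base = None

    def __init__(self, size):
        self.size = size

    def vtop(self, addr):
        return addr if 0 <= addr < self.size else None


class RunMappedAS(object):
    """Stand-in for a VirtualBox ELF core or LiME style layer: guest-physical
    RAM is stored as runs at arbitrary offsets in the underlying file."""

    def __init__(self, base, runs):
        self.base = base
        self.runs = sorted(runs)            # (phys_start, length, file_offset)

    def vtop(self, paddr):
        for start, length, file_off in self.runs:
            if start <= paddr < start + length:
                return file_off + (paddr - start)
        return None                         # guest-physical hole


class PagedAS(object):
    """Stand-in for a paged kernel AS: a flat dict of 4 KiB page mappings
    playing the role of the page-table walk."""
    PAGE = 0x1000

    def __init__(self, base, page_table):
        self.base = base
        self.page_table = page_table        # virtual page no -> physical page no

    def vtop(self, vaddr):
        ppn = self.page_table.get(vaddr // self.PAGE)
        if ppn is None:
            return None                     # page not present
        return ppn * self.PAGE + (vaddr % self.PAGE)


def resolve_to_file_offset(space, vaddr):
    """Run vtop() through every layer; None if any layer cannot map it."""
    addr, layer = vaddr, space
    while layer is not None:
        addr = layer.vtop(addr)
        if addr is None:
            return None
        layer = layer.base
    return addr


def file_chunks(space, vaddr, size, page=0x1000):
    """(logical_offset, length, file_offset) for each page-bounded piece of
    [vaddr, vaddr+size): the triple a DFF-style mapping pushes per chunk.
    Unmapped pieces carry file_offset None so the caller can skip or zero them."""
    chunks = []
    cur, end = vaddr, vaddr + size
    while cur < end:
        length = min(page - (cur % page), end - cur)
        chunks.append((cur - vaddr, length, resolve_to_file_offset(space, cur)))
        cur += length
    return chunks


def build_layers():
    """Constructed layering: a 3 MiB 'file' holding two guest-physical runs
    under a paged AS with two mapped pages."""
    file_as = FileAS(size=0x300000)
    vbox = RunMappedAS(file_as, runs=[
        (0x00000000, 0x100000, 0x001000),   # first MiB of guest RAM at file +0x1000
        (0x00100000, 0x100000, 0x180000),   # second MiB at file +0x180000
    ])
    kernel = PagedAS(vbox, page_table={
        0x401000 // 0x1000: 0x012,          # VA 0x401000 -> PA 0x12000
        0x402000 // 0x1000: 0x145,          # VA 0x402000 -> PA 0x145000
    })
    return kernel, vbox, file_as


if __name__ == "__main__":
    kernel, _vbox, _file_as = build_layers()
    print("kernel.vtop only : {:#x}".format(kernel.vtop(0x401234)))
    print("through all layers: {:#x}".format(resolve_to_file_offset(kernel, 0x401234)))
    for chunk in file_chunks(kernel, 0x401F00, 0x200):
        print(chunk)
```

The first two prints show the mismatch from the post: the kernel layer's vtop() yields a guest-physical address, which is only a file offset when the layer below is the file itself.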
Hi,
I am trying to get the value of the symbol "bt_proto" using the member
function get_symbol. I checked using gdb that this symbol is part of the
bluetooth kernel module, but I get the following error message:
"volatility.plugins.overlays.linux.linux: Requested symbol bt_proto not
found in module kernel". Any thoughts on why this might be happening?
Thanks!
Regards
Pranjal Jumde