As we previously sent to the list, the Volatility team will be holding
training sessions in San Diego in January and London in June:
http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi…
We have now also finalized plans for a training in NYC in May:
http://volatility-labs.blogspot.com/2013/10/2014-malware-and-memory-forensi…
These will be the only public trainings through August of next year,
and we have already received substantial interest in each one. If you
plan to attend do not wait until the last minute to contact us as for
our last several trainings we have had to turn away people once the
classroom fills. If your company is interested in a private training
or hosting a public training in exchange for a few free seats then
please let us know ASAP as these opportunities for 2014 will likely be
taken by other companies over the next month or two.
Finally, the Volatility team would like to thank everyone who came out
to OMFW and to those of you who attended our OSDFC talk and showed
support for the project. Over the next couple weeks we will be sending
out slides and updates from OMFW, and please reach out to us if you
have questions for any of the speakers that you did not get to ask in
person.
Thanks,
Andrew (@attrc)
Hi,
I'd been looking forward to the new dumpfiles plugin for a while, so I immediately downloaded it and tried it out as soon as possible after I saw it had finally been committed to the source tree the other day. (I'm freely admitting I'm using the thing without any documentation, since that still hasn't been committed, and probably have no idea what I'm really doing.) Now, I have a dumb question. The names of the dumped files are all of the format:
file.<number>.<hex number>.< dat |img |vacb>
In addition, the dumping process produces a bunch of output, of the form:
<DataSectionObject|ImageSectionObject|SharedCacheMap> <hex number> <number> <file path>
with no column header or other indication of what exactly these values refer to. (If I had to guess, maybe the hex value is the data offset within the image?)
Looking at this format (without knowing for sure exactly what the numbers are referring to) would lead me to expect that the <number> and <hex number> fields from the output should correspond to the ones in the dumped filenames, and thus the file paths should have some correspondence to the dumped file data, if the values match up. Not necessarily being the contents of exact file to which the path corresponds, but being related in some way.
But I'm not seeing the same hex value show up anywhere in the output and in ANY filename...
Trying for a specific correspondence, I went looking through the dumped files, and was able to positively identify the Software registry hive. The associated filename was file.4.0x8697a2b8.vacb. Looking through the output for entries associated with this file identified the following two entries:
DataSectionObject 0x89291f90 4 \Device\HarddiskVolume1\WINDOWS\system32\config\software
SharedCacheMap 0x89291f90 4 \Device\HarddiskVolume1\WINDOWS\system32\config\software
I'm probably just completely misinterpreting the output, but could somebody throw me a bone?
Thanks much
John
After quickly selling out our recent course in Reston, we have now
scheduled another training there in November:
http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-resto…
This course is taught directly by Volatility developers, and provides
intense training in memory forensics for incident response, malware
analysis, and digital forensic investigation.
We already have quite a few people signed up and had to turn away
people last time, so please contact us ASAP if you are interested in
taking it.
Thanks,
Andrew (@attrc)
Hi List
I am writing a Volatility plugin for Cuckoobox:
https://github.com/Thorsten-Sick/cuckoo/tree/volatility
That allows us to automate Malware analysis. Cuckoobox runs the malware
and creates a memory snapshot. Volatility extracts the information,
Cuckoobox afterwards generates nice reports from that.
These are ready for statistics and automated processing.
I hope to get the changes into the next Cuckoobox 0.7.
But at the moment using Volatility 2.2 I had to duplicate some code from
the Volatility plugins in Cuckoobox. I need data (python dict), not a
text log. Instead of duplicating code I would love to have a method in
the voaltility plugins that returns the data instead of some text log. I
would code that and (if you want) re-create the render_text methods to
also use the data from this method.
* What do you think ?
* Where to submit it for fast review and integration ?
* Any other requirements ?
* For which volatility version should I code (as far as I know you are
about to release 2.3 soonish)
Cheers
Thorsten Sick
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
Hi developers and enthusiasts,
A while ago I introduced myself here, as I am doing a study into user
space memory forensics.
My goal is to develop a general method to extract information from
user space, from any process. The past few months I have worked on
some proof of concepts, and some basic experimentation. This has all
been fairly easy, but I want to do something more complex. Today I am
mailing you to ask for some ideas and suggestions.
To give you an idea of what I have done so far (and the level I'm
working on), here's a short list:
- Extract register contents from the process kernel stack
- Determine the exact locations of stack frames
- Make a list of all process threads and access their stacks
- Walk a list of pointers and do heuristic search on small structs,
such as common networking structs
(NOTE: All using a linux dump)
All of this worked fairly well, and it was fun, but not exactly
groundbreaking. I thought it would be best to ask the advice from
professionals before I continue.
The direction I would like to take is doing something more foolproof
than a heuristic search, I would rather derive the location of
structures using information in memory.
One idea I had was to identify the whole stack trace (i.e. including
function names) and use this to find struct locations. Since there is
always the issue of missing symbols, I would somehow have to
reintroduce these, and also figure out how dynamic symbols work. I am
especially interested in common libraries with this approach, since
something I can apply to libraries, I can apply to many processes.
Another idea I had would be to use the source/headers of the
application, maybe similar to the way volatility uses the symbols for
the kernel.
Now I don't really have a question about this, I am just looking for
ideas. Please tell me if you think my ideas are good, or bad. If you
read this and wonder why I don't do X instead of Y, please ask me.
Feel free to mention any problems you see coming. I am really looking
for a discussion here. The only requirements I have at this moment are
that it stays roughly the same topic and it is academically relevant.
That last part also means that if you know about somebody doing
exactly this, do let me know, so I can do something else.
If you know of any technical documentation or scientific research in
the area, I'm also interested in that. The most relevant paper (in the
whole topic of user space memory forensics) I have read so far is
"Digging for Data Structures", Cozzie et al (thanks emdel for showing
me that one).
I permanently reside on IRC, Freenode/#volatility, if anyone cares to
chat some more about the topic.
Cheers,
Edwin
Tamas, Nir, Michael,
Thank you all for the replies. I suspected something similar about Vmware
not synching the vmem file too often.
Michael,
WinpMem seems to be a very good method (from the video), I deliberately
didn't look into the source code yet, because I think I need to develop
something similar, and would like to do so from scratch. We cannot use any
existing code. I tried to avoid writing a driver since it complicated
maintenance and release cycles, typically extending them, but if there is
no easy way, perhaps that is the way to go.
For my previous driver experience (and please correct me if I am wrong),
this driver needs to interpret Windows memory management and open sections
of memory and furnish the contents and contexts through IOCTLs to the user
mode service for further analysis.
A few quick questions :
1. This can be done completely agentless? Which means we need to insert
nothing inside the VMs? Everything stays in the hyper-visor.
2. Have you guys tried constructing the call stack for such a break point?
So when one hits a memory location and that is a function call, I would
like to interpret the frames to get a call stack for the function call?
(perhaps this is already mentioned in the video, and I didnt pay enough
attention)
Thanks
amit
On Sat, Jun 1, 2013 at 3:33 AM, Michael Cohen <scudette(a)gmail.com> wrote:
> Hi ab,
> You can use volatility tech preview with live systems by simply loading
> the winpmem driver (using the -l option) and then pointing volatility at
> the live memory (i.e. the \\.\pmem device). You can also turn on write
> support in the driver, and get volatility to write at the memory location.
> It should be quite simple to insert instrumentation stubs into code in that
> case.
>
> See the recent dfir workshop where we did just this:
>
> http://www.youtube.com/watch?v=9aC7yIYwvAY
>
> Michael.
>
>
> On 31 May 2013 17:22, A B <amitrajitb(a)gmail.com> wrote:
>
>> All,
>>
>> This is my first post in this forum, and I am also very new to this
>> website, so please excuse my ignorance.
>>
>> This is a fantastic project no doubt.
>>
>>
>> Now, coming to my questions:
>>
>> 1. Is it possible to run volatility on a running 'live' VM's memory? That
>> is, assuming that I have vmware work station running, can I use the live
>> vmem file as input and get reliavble outputs?
>>
>> 2. If one is possible, then is it possible to generate a breakpoint or
>> get a call back when a particular memory location is hit? I ask this
>> because, assuming that an executable is loaded in certain pages inside the
>> vmem, and I want to get notified when a particular function of that loaded
>> executable is called, this wuld mean that when the virtual CPU executes the
>> first instruction of that function I need a callback, is that possible?
>>
>> thanks in advance...
>>
>> --
>>
>> - ab
>>
>> _______________________________________________
>> Vol-dev mailing list
>> Vol-dev(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>>
>>
>
--
- ab
All,
This is my first post in this forum, and I am also very new to this
website, so please excuse my ignorance.
This is a fantastic project no doubt.
Now, coming to my questions:
1. Is it possible to run volatility on a running 'live' VM's memory? That
is, assuming that I have vmware work station running, can I use the live
vmem file as input and get reliavble outputs?
2. If one is possible, then is it possible to generate a breakpoint or get
a call back when a particular memory location is hit? I ask this because,
assuming that an executable is loaded in certain pages inside the vmem, and
I want to get notified when a particular function of that loaded executable
is called, this wuld mean that when the virtual CPU executes the first
instruction of that function I need a callback, is that possible?
thanks in advance...
--
- ab
