Volatile Week (New Plugins)
by AAron Walters
vol-users,
In case any subscribers don't follow the Volatility tumblr
(http://volatility.tumblr.com/) I wanted to highlight some new
tools/plugins.
Michael Hale Ligh just released a new Volatility plug-in, malfind.py to
find and extract hidden and/or injected code from physical memory samples.
He even provides a video demonstrating how it works. Shouts to MHL!
http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html
http://www.mnin.org/code/malfind.py
http://www.mnin.org/video/malfind/malfind.html
Brendan Dolan-Gavitt released a new plugin for Volatility called moddump.
Moddump allows a memory forensics analyst to extract kernel modules from
physical memory. Simply add it to your memory_plugins directory and start
dumping kernel modules. Shouts to Brendan!
http://moyix.blogspot.com/2008/10/plugin-post-moddump.html
http://kurtz.cs.wesleyan.edu/~bdolangavitt/memory/moddump.py
Finally, Gleeda publicly released vol2html. vol2html is a Perl script that
takes the output of Volatility and creates an html report. Shouts to
Gleeda!
http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html
Thanks,
AW
15 years, 10 months
- 1
- 0
Re: [Vol-users] 64bit memory images
by Jesse Kornblum
Hi Brian,
There is no such thing as a stupid question; don't worry. To my knowledge nobody
has published much information about doing memory analysis on 64-bit systems, so
the following is mostly conjecture.
When working in 64-bit mode Intel processors use a different method of
translating the virtual addresses used by programs and the operating system into
the physical addresses in RAM where data really lives. As such there are going to
be several differences in the operating system for a) keeping track of where data
lives and b) virtual to physical address translation. You can read much more
about these difference in the Intel Architecture Software Developer's Manuals,
http://www.intel.com/products/processor/manuals/. BTW, Intel will mail you hard
copies of those books for free. Really! As many as you'd like of whichever ones
you'd like. Enjoy!
As for the differences in anything else, like I said, I don't think anybody has
published on those yet. You could be the first!
cheers,
--
Jesse
jessek(a)speakeasy.net
15 years, 10 months
- 2
- 1
64bit memory images
by Brian McKinney
Hi all,
Forgive me if this is a stupid question, i'm a bit new to physical memory
analysis.
Is the structure of physical memory on a 64bit operating system different
than that of a 32bit operating system, and if so does volatility have the
capability to parse 64bit images?
v/r
--
-Brian
15 years, 10 months
- 2
- 1