Hi Curt/Michael,
Thanks for the response. I need a little bit of help, as I'm new to
memory forensics... I need your help in understanding how to interpret the
results... any material or additional information on this topic will be
helpful.
Thanks,
Monnappa
On Tue, Oct 25, 2011 at 9:55 AM, Curt Wilson <research(a)perpetualhorizon.org> wrote:
>
>
> Michael Ligh responded, but it's possible that you might need more
> explanation. While I'm not an expert, I'm getting better and would be glad
> to try to help you understand the assembly if necessary. Let me know and
> I'll see if I can help, if you don't already have it down.
>
> On 10/22/2011 3:17 PM, malware monna wrote:
>
> Hi All,
>
> I'm new to Volatility and I was reading one of the articles on the
> internet and found the output below, so I was curious to know what the
> output below means. Can anybody please help me understand the malfind plugin
> and the output below? Any info would be useful.
>
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> VMwareTray.exe 432 0x00e30000 0xe30fff00 VadS 0 PAGE_EXECUTE_READWRITE
> Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp
> 0x00e30000 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9   .5.......{......
> 0x00e30010 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff   O..{..U.....>v..
> 0x00e30020 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53   U....v9v..U....S
> 0x00e30030 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b   :v..U.....>v..U.
> 0x00e30040 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76   ....9v..U...O~<v
> 0x00e30050 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9   ..U....2:v..U...
> 0x00e30060 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76   }a9vj,h...w...9v
> 0x00e30070 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9   ..U......p..U...
>
> Disassembly:
> 00e30000: b835000000 MOV EAX, 0x35
> 00e30005: e9cdd7ad7b JMP 0x7c90d7d7
> 00e3000a: b891000000 MOV EAX, 0x91
> 00e3000f: e94fdfad7b JMP 0x7c90df63
> 00e30014: 8bff MOV EDI, EDI
> 00e30016: 55 PUSH EBP
> 00e30017: 8bec MOV EBP, ESP
> 00e30019: e9ef173e76 JMP 0x7721180d
> 00e3001e: 8bff MOV EDI, EDI
> 00e30020: 55 PUSH EBP
>
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Thanks
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
> --
> Curt Wilson
> Research Analyst, Arbor Networks ASERT cwilson(a)arbor.net
> Personal Security Research: research(a)perpetualhorizon.org
>
>
Hello all,
I'm looking for some guidance on next steps with some data I have from
a memory analysis.
I was following the steps on using strings to look for processes that
might have malicious IPs or URLs in memory:
https://code.google.com/p/volatility/wiki/CommandReference#strings
The issue I'm having now is where to proceed with the output I have.
So for example in my URL.txt file I have this:
1b64666b7 [2632:834520759] http://ghc.ru
1b646674d [2632:834520909] http://rst.void.ru
Now my understanding of the output is [PID:Address Space]. The
particular PID in this instance refers to:
0x89c82020 WINWORD.EXE 2632 2284 11 943 2011-10-11 15:07:13
So how do I go deeper into looking at why winword.exe may be making
HTTP requests? And what does the first value (ex. 1b64666b7) refer to?
Is that the virtual address in the memory dump file or something
else?
If there's any additional docs online I could look at to explain this
further that would be helpful as well.
Thanks ahead of time,
Tom
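As an added illustration (not code from the thread or from the Volatility project), here is a small parser for lines in the shape Tom quoted. It assumes the leading field is a hex physical offset into the dump and the bracket holds pid:virtual-address pairs with the virtual address printed in decimal (the two sample values are consistent with that: their low 12 bits match the physical offset's, as they must for a 4 KiB page); the multi-pair handling for a page mapped into several processes is also an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the thread:
#   <physical offset, hex> [<pid>:<virtual address, decimal> ...] <string>
SAMPLE_OUTPUT = """\
1b64666b7 [2632:834520759] http://ghc.ru
1b646674d [2632:834520909] http://rst.void.ru
"""

LINE_RE = re.compile(r"^(?P<phys>[0-9a-fA-F]+)\s+\[(?P<maps>[^\]]+)\]\s+(?P<text>.*)$")
PAGE_MASK = 0xFFF  # low 12 bits: offset within a 4 KiB x86 page


def parse_line(line):
    """Parse one strings-output line; returns None if it is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    phys = int(m.group("phys"), 16)
    maps = []
    for pair in m.group("maps").split():
        pid, vaddr = pair.split(":")
        vaddr = int(vaddr)  # assumption: printed in decimal
        maps.append({
            "pid": pid,
            "vaddr": vaddr,
            "vaddr_hex": "0x%08x" % vaddr,
            # Physical and virtual address must share the in-page offset; a
            # mismatch means the line was mis-parsed (e.g. vaddr is not decimal).
            "page_ok": (phys & PAGE_MASK) == (vaddr & PAGE_MASK),
        })
    return {"phys": phys, "maps": maps, "text": m.group("text")}


def hits_by_pid(output):
    """Group hits by PID so one process's strings (here 2632) can be reviewed together."""
    grouped = defaultdict(list)
    for line in output.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for mp in rec["maps"]:
            grouped[mp["pid"]].append((mp["vaddr_hex"], rec["text"], mp["page_ok"]))
    return dict(grouped)


if __name__ == "__main__":
    for pid, hits in hits_by_pid(SAMPLE_OUTPUT).items():
        print("PID", pid)
        for vaddr_hex, text, ok in hits:
            print("  %s  %-24s page-offset check: %s" % (vaddr_hex, text, "ok" if ok else "MISMATCH"))
```

The hex virtual address it prints is the form you would feed to a per-process memory viewer when looking at what surrounds the string in that process.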