api hooking
by malware monna
Hi All,
I'm new to Volatility. I was trying to analyze a SpyEye sample, and while
running apihooks I got the output below. It looks like there is an inline API
hook, and I see a jump into this 0xba... location. I would like to know
the DLL that is associated with a JMP; in this case it shows
UNKNOWN. How can I determine the DLL, and how can I dump the DLL
from memory? Any information would be helpful. Sorry if this is
a stupid question.
VMwareUser.exe[636] inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
VMwareUser.exe[636] inline wininet.dll!InternetReadFileExA[0x78082ae2] 0x78082ae2 JMP 0xbaf1526 (UNKNOWN)
VMwareUser.exe[636] inline wininet.dll!InternetWriteFile[0x78073645] 0x78073645 JMP 0xbaf2d4b (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
VMwareUser.exe[636] inline crypt32.dll!PFXImportCertStore[0x77aeff8f] 0x77aeff8f JMP 0xbae0b02 (UNKNOWN)
VMwareUser.exe[636] inline user32.dll!TranslateMessage[0x7e418bf6] 0x7e418bf6 JMP 0xbadc47f (UNKNOWN)
VMwareUser.exe[636] inline advapi32.dll!CryptEncrypt[0x77dee340] 0x77dee340 JMP 0xbaeda23 (UNKNOWN)
VMwareUser.exe[636] inline ws2_32.dll!send[0x71ab4c27] 0x71ab4c27 JMP 0xbaee35d (UNKNOWN)
ctfmon.exe[768] inline ntdll.dll!NtClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
ctfmon.exe[768] inline ntdll.dll!ZwClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
Thanks
12 years, 11 months
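As an added example (not part of the original post, and not Volatility's own code): a small Python script that parses apihooks lines in the format quoted above, applies the same base/size lookup apihooks uses to decide whether a JMP destination lies inside a loaded module (no match is what it prints as UNKNOWN), and lists destinations that recur across processes, which points at the same injected code mapped at the same address. The sample lines are a subset of the post's output; the region table (module bases and the private 0x0bad0000 region) is a constructed stand-in for what the process's loaded-module and VAD lists would give.

```python
import re
from collections import defaultdict

# Constructed sample: four lines in the format apihooks printed in the post.
SAMPLE = """\
VMwareUser.exe[636] inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
ctfmon.exe[768] inline ntdll.dll!NtClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
"""

HOOK_RE = re.compile(
    r"^(?P<proc>\S+)\[(?P<pid>\d+)\]\s+inline\s+(?P<mod>[^!]+)!(?P<func>\S+?)"
    r"\[0x[0-9a-f]+\]\s+0x[0-9a-f]+\s+JMP\s+(?P<target>0x[0-9a-f]+)\s+\((?P<owner>[^)]*)\)",
    re.I)

# Constructed region table (base, size, name): PID 636's loaded modules plus one VAD entry.
REGIONS_636 = [
    (0x78000000, 0x90000, "wininet.dll"),
    (0x7c900000, 0xb0000, "ntdll.dll"),
    (0x0bad0000, 0x30000, "private region, no mapped file (constructed VAD entry)"),
]

def parse_hooks(text):
    """One dict per inline-hook line; lines that do not match the format are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"], h["target"] = int(h["pid"]), int(h["target"], 16)
            hooks.append(h)
    return hooks

def resolve(addr, regions):
    """Name of the region with base <= addr < base+size, else None. apihooks runs this
    check against the loaded-module list; when nothing matches it reports UNKNOWN."""
    for base, size, name in regions:
        if base <= addr < base + size:
            return name
    return None

def shared_targets(hooks):
    """JMP destinations seen in more than one process (same code at the same base)."""
    seen = defaultdict(set)
    for h in hooks:
        seen[h["target"]].add(h["proc"])
    return {t: p for t, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    for h in parse_hooks(SAMPLE):
        print(h["proc"], h["func"], hex(h["target"]), resolve(h["target"], REGIONS_636))
    print({hex(t): sorted(p) for t, p in shared_targets(parse_hooks(SAMPLE)).items()})
```

Against a real image the region table would be filled from the process's VAD list, and a destination that resolves only to a private, file-less region is the one to carve out for inspection.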