Tracing suspicious mutex back to it's respective process or binary
by macubergeek
All
I've had great success using recipes out of the Malware Analyst Cookbook. I particularly like the recipe involving mutantscandb and compare the mutexes in a binary under investigation with those in my sqlite3 database.
Can anyone tell me how to trace the observed suspicious mutexes in a mutantscandb scan with the process/binary that owns that mutex?
Jim
~~~~~~~~~~~~~~~~~~~~~~
ACK and you shall receive
13 years, 3 months
- 2
- 1
Process Memory - memdmp
by Derek Lee
Hi all,
I'm using "Volatility-1.3_Beta" in a college project. I have a question
regarding the 'memdmp' module.
I use a 1GB memory dump from Windows XP SP2. Dumped using the tool win32dd.
After extracting the list of running processes, I dump the addressable
memory for each process using the command:
python volatility memdmp -f *my_1GB_memory_dump *-p 1234
The output for each process is a very large PID.dmp. On average each PID.dmp
is about 200MB.
So, after extracting the memory for the first 5 processes (out of a total of
64 processes), I have already exceeded the size of the RAM dump (1 GB).
I know that some processes will use DLL's and that this may become part of
the addressable memory for that process.
But can anyone explain to me why the dump files are so large? Is it possible
to just extract memory for each process so that the total is approx. equal
to the RAM dump?
Looking at the code for mem_dump, I can see:
File: vmodules.py
mem_dump(...)
...
entries = process_address_space.get_available_pages()
for entry in entries:
data = process_address_space.read(entry[0],entry[1])
ohandle.write("%s"%data)
File: forensics/x86.py
def get_available_pages(self):
page_list = []
pgd_curr = self.pgd_vaddr
for i in range(0,ptrs_per_pgd):
start = (i * ptrs_per_pgd * ptrs_per_pte * 4)
entry = self.read_long_phys(pgd_curr)
pgd_curr = pgd_curr + 4
if self.entry_present(entry) and self.page_size_flag(entry):
page_list.append([start, 0x400000])
elif self.entry_present(entry):
pte_curr = entry & ~((1 << page_shift)-1)
for j in range(0,ptrs_per_pte):
pte_entry = self.read_long_phys(pte_curr)
pte_curr = pte_curr + 4
if self.entry_present(pte_entry):
page_list.append([start + j * 0x1000, 0x1000])
return page_list
I'm not a Python programmer, but it appears that the method:
get_available_pages() is searching across the 4KB page files, looking for
physical addresses belonging to the specific process. Then the data at these
physical addresses is extracted. The lower level details of these commands
are currently beyond my reach.
Any help is greatly appreciated,
Regards,
Derek.
13 years, 3 months
- 2
- 1