Hi All,
I was looking at the Stuxnet footprint blog post (which is excellent btw) and
I was interested in the userhandles plugin.
./vol.py userhandles -t TYPE_WINDOW
http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
I can't find this plugin for volatility... Does it come with another
plugin? Where can I download it?
Thanks in advance,
Sebastien
Glad I could help!
Yep, I've seen this before many times ;-)
All the best,
-gleeda
-----Original Message-----
From: Mike Lambert <dragonforen(a)hotmail.com>
Date: Mon, 27 Feb 2012 17:02:15
To: <jamie.levy(a)gmail.com>
Subject: RE: [Vol-users] strings input file format question
My thanks! Well you called that one! I was using Encase's "Export" to output a text file of the offsets of the hits from the search result tab. Encase outputs unicode text.
I just need to put a new step in the process, convert it to ANSI before running it with the strings command.
And it does have a funky beginning of file marker....
You must have seen this before?
Best,
Mike
> Date: Mon, 27 Feb 2012 16:39:08 -0500
> Subject: Re: [Vol-users] strings input file format question
> From: jamie.levy(a)gmail.com
> To: dragonforen(a)hotmail.com
>
> hrmmmmm I don't see anything obviously wrong here... But since you
> said these offsets are from EnCase, how were they obtained? By
> EnScript to a file, copy+paste from the console or some other method?
> I'm just curious if the offsets were exported in ASCII or EnCase's
> default UTF-16. Also sometimes when exporting in unicode, there's a
> funky corrupt BOM that EnCase uses that might be messing things up...
> I'm just trying to think of things that might have gone wrong here.
>
> Maybe you could try copy and pasting a few of these "Ypycub" entries
> into a new text file and running the strings plugin again to see.
>
> All the best,
>
> -gleeda
>
>
> On Mon, Feb 27, 2012 at 4:06 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
> > I am mystified why I see the following: in one case I get output from
> > strings and the other I get an input file format error. I have tried this
> > with 1.3 and 2.0 and get the same result. It takes 1.3 a looonnngg time to
> > return the error, 2.0 returns the error quickly.
> >
> > I thought the reason may be length, so I broke up the Ypycub offsets into
> > increasingly smaller input files; no success was achieved with the smaller
> > input files.
> > I don't see a format difference in these 2 files.
> >
> > The offsets come from an Encase search of 120225b.mem. It is a 458MB
> > WinXPSP3x86 image converted from hiberfil.sys.
> >
> >
> > Vol 1.3 example: The same result is seen with Vol 2.0
> >
> > The input file is:
> >
> > 357229672:Glows
> > 280642408:Glows
> > 257105340:Glows
> > 113457472:Glows
> > 357230696:Glows
> >
> >
> > C:\Python27\Volatility-1.3_Beta>python volatility strings -f
> > e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Glows_offsets.txt
> >
> > 357229672 [kernel:df864468 ] Glows
> > 280642408 [1456:45b8368 ] Glows
> > 257105340 [kernel:e1ec1dbc ] Glows
> > 113457472 [1456:2ac0940 ] Glows
> > 357230696 [kernel:df864868 ] Glows
> >
> > ----------------------cut-here-------------------------
> > The input file is:
> >
> > 7744388:Ypycub
> > 10830274:Ypycub
> > 70385414:Ypycub
> > 70918297:Ypycub
> > 70918649:Ypycub
> > 73375514:Ypycub
> > 91390974:Ypycub
> > 104879126:Ypycub
> > 104879154:Ypycub
> > 132968006:Ypycub
> > 215776800:Ypycub
> > 232868024:Ypycub
> > 232869190:Ypycub
> > 237434963:Ypycub
> > 237434991:Ypycub
> > 256642118:Ypycub
> > 285030170:Ypycub
> > 310449659:Ypycub
> > 310449687:Ypycub
> > 314178656:Ypycub
> > 325974496:Ypycub
> > 327972307:Ypycub
> > 327972335:Ypycub
> > 338814062:Ypycub
> > 338814854:Ypycub
> > 339229856:Ypycub
> > 339763304:Ypycub
> > 339763544:Ypycub
> > 339893168:Ypycub
> > 340101984:Ypycub
> > 343215259:Ypycub
> > 343215287:Ypycub
> > 357229759:Ypycub
> > 361836122:Ypycub
> > 367889650:Ypycub
> > 455348611:Ypycub
> > 455348639:Ypycub
> >
> >
> > C:\Python27\Volatility-1.3_Beta>python volatility strings -f
> > e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Ypycub_offsets.txt
> >
> > Usage: strings [options] (see --help)
> > volatility: error: String file format invalid.
> >
> >
> > Thanks for any assistance.
> >
> > Mike
> >
> >
> >
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilesystems.com
> > http://lists.volatilesystems.com/mailman/listinfo/vol-users
> >
>
>
>
> --
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
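The UTF-16 export and stray BOM that Jamie suspects above are easy to check for mechanically. The Python below is an added illustration (not code from the list, from EnCase or from Volatility): it detects a UTF-16 export with or without a BOM, strips any BOM glued to the first line, validates every line against the `offset:string` form the strings plugin expects, and writes the plain 8-bit file that works. The sample bytes are constructed from the offsets quoted in the thread.

```python
import codecs
import re

# The strings plugin reads one "decimal_offset:string" line per entry (as in the thread).
LINE_RE = re.compile(r"^(\d+):(.*)$")

def decode_export(raw: bytes) -> str:
    """Decode an exported offsets file: UTF-16 with or without BOM, UTF-8 BOM, or plain 8-bit text."""
    for bom, enc in ((codecs.BOM_UTF16_LE, "utf-16-le"),
                     (codecs.BOM_UTF16_BE, "utf-16-be"),
                     (codecs.BOM_UTF8, "utf-8")):
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc)
    # No BOM: UTF-16 encoded ASCII has a NUL in every other byte; 8-bit text has none.
    if raw.count(b"\x00") > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def parse_offsets(raw: bytes):
    """Return ([(offset, string), ...], [rejected lines]) for an exported offsets file."""
    good, bad = [], []
    for line in decode_export(raw).splitlines():
        line = line.strip("\r\ufeff ")   # a stray BOM glued to the first line is a common culprit
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            good.append((int(m.group(1)), m.group(2)))
        else:
            bad.append(line)
    return good, bad

def convert_to_ansi(raw: bytes) -> bytes:
    """Rewrite the export as the plain 8-bit offset:string file the strings plugin accepts."""
    good, bad = parse_offsets(raw)
    if bad:
        raise ValueError(f"lines not in offset:string form: {bad[:3]}")
    return "".join(f"{off}:{s}\n" for off, s in good).encode("latin-1")

# Constructed samples: the same entries as a UTF-16 export with BOM, as BOM-less UTF-16,
# and as the plain text that the plugin accepts.
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + "7744388:Ypycub\r\n10830274:Ypycub\r\n".encode("utf-16-le")
SAMPLE_UTF16_NOBOM = "7744388:Ypycub\r\n10830274:Ypycub\r\n".encode("utf-16-le")
SAMPLE_ASCII = b"357229672:Glows\n280642408:Glows\n"

if __name__ == "__main__":
    for name, raw in (("utf16+bom", SAMPLE_UTF16), ("utf16", SAMPLE_UTF16_NOBOM), ("ascii", SAMPLE_ASCII)):
        print(name, convert_to_ansi(raw))
```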
Sorry I meant for this to go to the list also:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
When imaging memory on a live VM system to do analysis for malware
Volatility does not recognize it (see below). Is there anyone on this
mailing list that has the knowledge on how I can remedy this without
shutting the system down and grabbing the VMEM file?
Is it possible to substitute a valid DTB from another image into the
memdump of a live VM machine with a Hex editor? And if it can be done does
anyone know the addresses of that space to take out and substitute? I hope
that made sense......
If you look at a normal image of memory in a hex editor you can clearly see
the difference between that and a VM dump from a live system, there seems
to be some extra padded stuff right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
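Lou's "No valid DTB found" comes from the address-space layer failing to locate a page directory in the dump. The Python below is an added illustration, not Volatility's own DTB finder: on non-PAE 32-bit Windows the page directory is mapped at virtual 0xC0300000, so a page directory contains a PDE at index 0x300 that points back at its own physical page, and a page-aligned scan for that pattern finds candidate DTBs. It also shows why the "extra padded stuff right up front" defeats that scan and how a header length can be recovered by voting. The image bytes and the 64-byte header are constructed.

```python
import struct
from collections import Counter

PAGE = 0x1000
# On non-PAE 32-bit Windows the page directory is mapped at virtual 0xC0300000, so
# PDE index 0xC0300000 >> 22 == 0x300 holds the directory's own physical address.
SELF_PDE_OFFSET = (0xC0300000 >> 22) * 4
PRESENT = 0x1

def pde_target(image: bytes, entry_off: int):
    """Physical page named by the PDE stored at entry_off, or None if the entry is not present."""
    entry = struct.unpack_from("<I", image, entry_off)[0]
    return entry & 0xFFFFF000 if entry & PRESENT else None

def find_dtb_candidates(image: bytes, header_size: int = 0):
    """Page-aligned scan for self-mapping page directories; physical = file offset - header_size."""
    found = []
    for off in range(header_size, len(image) - PAGE + 1, PAGE):
        if pde_target(image, off + SELF_PDE_OFFSET) == off - header_size:
            found.append(off - header_size)
    return found

def guess_header_size(image: bytes, max_header: int = 0x100000) -> int:
    """Vote, over every dword, for a header length under which that dword would be the
    self-referencing PDE of a page directory; the most common plausible vote wins (0 if none)."""
    votes = Counter()
    for entry_off in range(SELF_PDE_OFFSET, len(image) - 3, 4):
        target = pde_target(image, entry_off)
        if target is None:
            continue
        header = (entry_off - SELF_PDE_OFFSET) - target
        if 0 <= header < max_header and header % 4 == 0:
            votes[header] += 1
    return votes.most_common(1)[0][0] if votes else 0

# Constructed image: a 64-byte fake acquisition header followed by four raw pages, where
# page 2 is a page directory whose PDE 0x300 points back at physical 0x2000.
HEADER = b"CONSTRUCTED-HEADER".ljust(64, b"\x00")
_pages = bytearray(4 * PAGE)
struct.pack_into("<I", _pages, 2 * PAGE + SELF_PDE_OFFSET, 0x2000 | 0x63)  # present, r/w, accessed, dirty
struct.pack_into("<I", _pages, 1 * PAGE + SELF_PDE_OFFSET, 0x5000 | 0x63)  # decoy: points elsewhere
SAMPLE_IMAGE = HEADER + bytes(_pages)

if __name__ == "__main__":
    print("aligned scan, no header skipped:", find_dtb_candidates(SAMPLE_IMAGE))
    skip = guess_header_size(SAMPLE_IMAGE)
    print("guessed header:", skip, "candidates:", [hex(d) for d in find_dtb_candidates(SAMPLE_IMAGE, skip)])
```

PAE (the layout most XP SP3 installs actually run with) and 64-bit Windows use different self-map indices, so this heuristic only covers the non-PAE case; on a real dump, expect a few false votes and confirm a candidate by walking a known kernel address through it.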
I recall there being an experimental 64 bit branch up at the Google code
site (not the lin64 one)... But when I just went to grab it, it appears to
be gone. Is it somewhere else?
:: Sent from my mobile phone; please excuse any typos ::
I have a foo.dll loaded in memory. Using `dlllist` I can see that the
physical address is 0x252438. How do I get the virtual address?
--
Eknath Venkataramani
I have a text string that I found in memory and I would like to find out what is using/mapped to that address. (a process, a dll, a buffer, unallocated, etc.)
How do I do that? I'm exploring the docs to see how close I can get; for example dumping what I can with memmap, and then searching for my physical offset. (but that only gets me processes)
Any suggestions appreciated.
Mike Lambert
dragonforen(a)hotmail.com
Thanks Mike,
I got the plugin and put it in the plugin directory.
I looked at the plugin help and did not see how to specify the address to translate. I tried this without a switch:
C:\Python27\volatility-2.0>python vol.py pas2kas -f \mem\120129\120129c.w32 --profile=WinXPSP3x86 0x19248000
Volatile Systems Volatility Framework 2.0
YARA is not installed, see http://code.google.com/p/yara-project/
distorm3 is not installed, see http://code.google.com/p/distorm/
Phys AS KAS
C:\Python27\volatility-2.0>
It seems I am not specifying the address to translate properly. Perhaps you can correct my commandline.
Thanks,
Mike
PS. Yara will not install because it does not see a key for python27 in the registry. Do you know what key I should put in the registry so Yara will install?
> From: scudette(a)gmail.com
> Date: Fri, 3 Feb 2012 23:34:43 -0800
> Subject: Re: [Vol-users] what is at that address
> To: dragonforen(a)hotmail.com
> CC: vol-users(a)volatilityfoundation.org
>
> Mike,
> You could also use the pas2kas module:
>
> http://code.google.com/p/volatility/source/browse/branches/scudette/volatil…
>
> Michael.
>
> On 3 February 2012 15:00, Mike Houston <dragonforen(a)hotmail.com> wrote:
> > I have a text string that I found in memory and I would like to find out
> > what is using/mapped to that address. (a process, a dll, a buffer,
> > unallocated, etc.)
> >
> > How do I do that? I'm exploring the docs to see how close I can get; for
> > example dumping what I can with memmap, and then searching for my physical
> > offset. (but that only gets me processes)
> >
> > Any suggestions appreciated.
> >
> > Mike Lambert
> > dragonforen(a)hotmail.com
> >
> >
> >
> >
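Eknath's physical-to-virtual question and Mike's "what is at that address" question ask for the same reverse lookup that the pas2kas module referenced above performs, and Mike's memmap-then-search approach is exactly that lookup done by hand. The Python below is an added, self-contained sketch of it (not the module's code, and not Volatility's exact memmap or dlllist output format): it parses a constructed memmap-style mapping table and a constructed dlllist-style module table, then resolves a physical offset to every (pid, virtual address) that maps it and to the module containing that address. The two mappings for pids 1456 and 4 are chosen so they resolve the same physical offsets the strings output earlier in the thread did; foo.dll and its base are constructed.

```python
import re

# Constructed, simplified memmap-style listing: "Process <pid>" then "virtual physical size" rows.
# Two rows are chosen so they resolve the same offsets the strings output earlier in the thread did.
MEMMAP_TEXT = """\
Process 1456
0x02ac0000 0x06c33000 0x1000
0x7c900000 0x19248000 0x2000
Process 4
0xdf864000 0x154ae000 0x1000
"""

# Constructed dlllist-style table: pid -> [(module name, base virtual address, size)].
DLLS = {1456: [("foo.dll", 0x7c900000, 0x2000)]}

def parse_memmap(text):
    """Return [(pid, virtual, physical, size)] from the listing above."""
    mappings, pid = [], None
    for line in text.splitlines():
        m = re.match(r"Process\s+(\d+)", line)
        if m:
            pid = int(m.group(1))
            continue
        m = re.match(r"(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", line, re.I)
        if m and pid is not None:
            mappings.append((pid, int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    return mappings

def pas2kas(mappings, phys):
    """Every (pid, virtual) at which the physical offset is mapped; a shared page yields several."""
    return [(pid, va + (phys - pa)) for pid, va, pa, size in mappings if pa <= phys < pa + size]

def module_for(dlls, pid, va):
    """Name of the loaded module whose [base, base+size) range contains va, else None."""
    for name, base, size in dlls.get(pid, []):
        if base <= va < base + size:
            return name
    return None

def whats_at(mappings, dlls, phys):
    """Answer 'what is at this physical offset': [(pid, virtual, module or None)]."""
    return [(pid, va, module_for(dlls, pid, va)) for pid, va in pas2kas(mappings, phys)]

MAPPINGS = parse_memmap(MEMMAP_TEXT)

if __name__ == "__main__":
    for phys in (113457472, 357229672, 0x19248010):
        print(hex(phys), whats_at(MAPPINGS, DLLS, phys) or "not mapped by any listed process")
```

A physical page that no process maps comes back empty; that is the "unallocated, or a buffer outside any listed mapping" case, which memmap alone cannot distinguish.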
Greetings,
I'm seeing the following errors when attempting to run volatility with
'malfind' and referencing yara. This used to work fine on yara 1.4, but
now fails on 1.6. I'm wondering what might have happened and how to
resolve it.
~/vol.py -f purple.vmem --profile=WinXPSP3x86 malfind -D
/home/apollo/workspace/dump_dir/ --yara-rules="http://" -p 1004
Volatile Systems Volatility Framework 2.1_alpha
Name Pid Start End Tag Hits Protect
Traceback (most recent call last):
File "/home/apollo/vol.py", line 135, in <module>
main()
File "/home/apollo/vol.py", line 126, in main
command.execute()
File "/home/sportivo/tools/Volatility/volatility/commands.py", line
101, in execute
func(outfd, data)
File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py",
line 1042, in render_text
for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py",
line 992, in calculate
for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py",
line 923, in get_vads
yield (ps_ad, start, end, vad.Tag, vad.Flags.Protection >> 24, data)
File "/home/sportivo/tools/Volatility/volatility/obj.py", line 777, in
__getattr__
return self.m(attr)
File "/home/sportivo/tools/Volatility/volatility/obj.py", line 762, in m
raise AttributeError("Struct {0} has no member
{1}".format(self.obj_name, attr))
AttributeError: Struct VadRoot has no member Flags
Any thoughts or ideas are welcome. Thanks!
Andre'
--
Andre' M. DiMino
DeepEnd REsearch
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)