Hey all,
Does the netscan plugin work against Windows 7 64-bit memory samples?
When I'm running it with the latest build (1574), I get the following:
Computer:volatility-read-only $ python vol.py -f ../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.evtlogs (AttributeError: 'module' object has no attribute 'LdrModules')
*** Failed to import volatility.plugins.timeliner (AttributeError: 'module' object has no attribute 'LdrModules')
Offset(P)   Proto  Local Address   Foreign Address  State      Pid   Owner            Created
0x11747cef0 TCPv4  0.0.0.0:62887   0.0.0.0:0        LISTENING  3212  svchost.exe
0x11785da10 TCPv4  0.0.0.0:3389    0.0.0.0:0        LISTENING  1260  svchost.exe
0x117894ef0 TCPv4  0.0.0.0:3389    0.0.0.0:0        LISTENING  1260  svchost.exe
0x117894ef0 TCPv6  :::3389         :::0             LISTENING  1260  svchost.exe
0x117a00670 TCPv4  0.0.0.0:49601   0.0.0.0:0        LISTENING  2412  vmware-convert
0x117a1ee00 TCPv4  0.0.0.0:62870   0.0.0.0:0        LISTENING  568   services.exe
0x117a1ee00 TCPv6  :::62870        :::0             LISTENING  568   services.exe
WARNING : volatility.obj : Cant find object _IN_ADDR in profile <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x10b5be390>?
Traceback (most recent call last):
  File "vol.py", line 173, in <module>
    main()
  File "vol.py", line 164, in main
    command.execute()
  File "/Users/e18529/volatility-read-only/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 266, in render_text
    for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data:
  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 212, in calculate
    for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry):
  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 183, in enumerate_listeners
    inaddr = LocalAddr.pData.dereference().dereference().v()
AttributeError: 'NoneType' object has no attribute 'v'
All the other plugins are working; this is the only one I'm having issues with... I know about the first two "Failed to import" lines...
And I did remember to do a "make clean" after updating this time... :)
Thanks,
Tom
One thing we need to do is search the registries for the keys that autorun malware.
Does anyone know of a free tool that will do that? I'm currently using Encase to do that but it is an expensive solution.
Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search.
Mike
Mike,
Have you tried any of the following?:
YARU (Yet Another Registry Utility) -
http://www.tzworks.net/prototype_page.php?proto_id=3
Regdecoder - http://code.google.com/p/registrydecoder/
Autoruns -
http://computer-forensics.sans.org/blog/2010/06/28/autoruns-dead-forensics/
> Date: Tue, 15 May 2012 17:38:58 -0500
> From: Mike Lambert <dragonforen(a)hotmail.com>
> Subject: [Vol-users] searching registries
> To: Volatility List <vol-users(a)volatilityfoundation.org>
> Message-ID: <SNT118-W5182DD5900ED6A56B23C3FAE1B0(a)phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> One thing we need to do is search the registries for the keys that autorun
> malware.
>
> Does anyone know of a free tool that will do that? I'm currently using
> Encase to do that but it is an expensive solution.
>
> Harlan's RegRipper will dump some registry entries and sometimes it works,
> but it does not search.
>
> Mike
>
>
I created a SpyEye VM infection for a presentation. (usexxxxxxxx.exe)
I lucked out and found that it is an example of "The Mis-leading 'Active' in PsActiveProcessHead and ActiveProcessLinks" (thank you MHL)
http://mnin.blogspot.com/2011/03/mis-leading-active-in.html
This makes it a great example to use in my presentation!! I've attached imageinfo, pslist, psscan, and psxview for anyone interested in seeing it.
(BTW, if you are going to the presentation, don't give it away until I give you a chance near the end. I'll let you explain it. (Let someone else notice the 'weird' stuff and wonder why.))
I will make a package of this available if someone wants a copy. I can put it on my web site for download.
The package would consist of:
1. the incident response batch file output with win32dd imaging (I like win32dd, great for times, info and MD5)
2. 512MB memory image
3. E01 disk image of the 10GB disk
MHL, in this case is this a bug in SpyEye? OR does it have anything to do with injecting into your parent? <g>
Have a good day all!
Mike
PS. Thanks Jamie for linking to MHL's explanation in the Command Reference
I've got a memory forensics presentation coming up next week and I'd like to use a sample that will illustrate a crossview example.
Specifically, I'd like to use an example that hides from pslist on the running system (don't want a DKOM example) but we can find it using Volatility.
I'd like it to be something running and not a process injection sample.
Does someone have a suggestion which one may provide a good illustration?
Thanks,
Mike
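The cross-view idea the thread is after, as an added example that is not part of the list discussion or the Volatility project: join a linked-list process walk (pslist-style) with a pool-scan result (psscan-style) on the EPROCESS offset, the way psxview does, and flag a process that the scan finds but the list walk misses while it has no exit time. All process records here are constructed sample data, not output from Mike's SpyEye image.

```python
"""Cross-view process comparison (psxview-style), on constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    offset: int                    # physical offset of the _EPROCESS
    pid: int
    name: str
    exit_time: Optional[str] = None  # set once the process has terminated


def cross_view(pslist: List[Proc], psscan: List[Proc]) -> List[dict]:
    """Join both views on EPROCESS offset and give each row a verdict."""
    seen: Dict[int, dict] = {}
    for p in pslist:
        seen.setdefault(p.offset, {"proc": p, "pslist": False, "psscan": False})["pslist"] = True
    for p in psscan:
        seen.setdefault(p.offset, {"proc": p, "pslist": False, "psscan": False})["psscan"] = True

    rows = []
    for off in sorted(seen):
        r, p = seen[off], seen[off]["proc"]
        if r["pslist"] and r["psscan"]:
            verdict = "ok"
        elif r["psscan"]:
            # Scan-only is benign when the process already exited (its EPROCESS is
            # still in the pool); a running process unlinked from the list is not.
            verdict = "exited" if p.exit_time else "HIDDEN"
        else:
            verdict = "list-only"  # seen in the walk but not the scan; re-check
        rows.append({"offset": off, "pid": p.pid, "name": p.name,
                     "pslist": r["pslist"], "psscan": r["psscan"], "verdict": verdict})
    return rows


def hidden_processes(rows: List[dict]) -> List[str]:
    """Names of processes the list walk missed while they were still running."""
    return [r["name"] for r in rows if r["verdict"] == "HIDDEN"]


# Constructed sample views: the walk misses 'hidden.exe' (constructed name),
# and 'notepad.exe' is scan-only only because it has already exited.
SAMPLE_PSLIST = [Proc(0x3E000, 4, "System"), Proc(0x3F100, 1260, "svchost.exe"),
                 Proc(0x40200, 1840, "explorer.exe")]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [Proc(0x41300, 2044, "hidden.exe"),
                                 Proc(0x42400, 2288, "notepad.exe", "2012-05-15 22:10:03")]

if __name__ == "__main__":
    for row in cross_view(SAMPLE_PSLIST, SAMPLE_PSSCAN):
        print(f"{row['offset']:#010x} {row['pid']:>5} {row['name']:<14} "
              f"pslist={row['pslist']!s:<5} psscan={row['psscan']!s:<5} {row['verdict']}")
```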