September 2012 - Vol-users - volatilityfoundation.org

by David Bramer

Hi, Have a memory dump which I have obtained via DumpIt, I'm then pretty happy and can use Volatility to find out some of the answers to my questions. However when I have run Strings on the memory dump I find a string of great interest. I would like to figure out a means by which I could find out what created this string. So far I've created a basic Yara rule and used malfind to no avail. Is there anything else I could try? Cheers David

12 years, 1 month

3
2
0 0

Fw: Re: Fwd: [Vol-users] problem with linux_check_afinfo and others rootkit plugins

by bellissimopython＠email.it

> 1) Where did you gert the Ubuntu profile? It says its missing the > tcp_seq_afino structure. # uname -a Linux luigi-Vostro-3500 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:54:40 UTC 2012 i686 i686 i386 GNU/Linux # zip volatility/plugins/overlays/linux/Ubuntu1204.zip tools/linux/module.dwarf /boot/System.map-3.2.0-30-generic But I copied the tools/linux directory from 2.2_alpha > Thanks, > Andrew > Thanks Luigi -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Approfitta della speciale offerta 7 giorni al prezzo di 6 all'Hotel Cala Rosa di Stintino a due passi dall'Asinara dal 10 Settembre al 30 Settembre.Bambini 0-6 anni gratuiti Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12632&d=20120914 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: In forma con il Nordic Walking! Offerte hotel per il Festival Nordic Walking di Riccione e Misano del 7/8/9 settembre. Contattaci per maggiori info 0541607636 Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12612&d=14-9

12 years, 2 months

1
0
0 0

Fwd: [Vol-users] problem with linux_check_afinfo and others rootkit plugins

by Andrew Case

Replying to the list this time ;) ---------- Forwarded message ---------- From: Andrew Case <atcuno(a)gmail.com> Date: Thu, Sep 13, 2012 at 12:22 PM Subject: Re: [Vol-users] problem with linux_check_afinfo and others rootkit plugins To: bellissimopython(a)email.it Hello, 1) Where did you gert the Ubuntu profile? It says its missing the tcp_seq_afino structure. 2) Yes, no output means nothing was detected 3) For check_idt and check_syscall, the output will say HOOKED instead of the symbol name if an entry is hooked. Write back if you have anymore questions. Thanks, Andrew On Thu, Sep 13, 2012 at 12:13 PM, <bellissimopython(a)email.it> wrote: > Hi, > I have the folloing problem: > > # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 > linux_check_afinfo > Volatile Systems Volatility Framework 2.2_rc1 > Symbol Name Member > Address > ------------------------------------------ ------------------------------ > ---------- > WARNING : volatility.obj : Cant find object tcp_seq_afinfo in profile > <volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at > 0x9bbc5ac>? > Traceback (most recent call last): > File "vol.py", line 186, in <module> > main() > File "vol.py", line 177, in main > command.execute() > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py", > line 51, in execute > commands.Command.execute(self, *args, **kwargs) > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py", > line 111, in execute > func(outfd, data) > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", > line 82, in render_text > for (what, member, address) in data: > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", > line 73, in calculate > for (name, member, address) in self.check_afinfo(global_var_name, > global_var, op_members, seq_members, modules): > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", > line 41, in check_afinfo > for (hooked_member, hook_address) in self.check_members(var.seq_fops, > var_name, op_members, modules): > AttributeError: 'NoneType' object has no attribute 'seq_fops' > > > Also I want report that the volatility-2.2-rc1 package does not have the > tools/linux folder. So that it is not possible build dwarf module. Anyway I > have copied it from the git/alpha release. > > And finally I want ask something about rootkit detection plugins. For > example the following means that everything is ok ? > > # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 > linux_check_creds > Volatile Systems Volatility Framework 2.2_rc1 > PIDs > -------- > # > > > and the following: > > # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 > linux_check_idt > Volatile Systems Volatility Framework 2.2_rc1 > Index Address Symbol > ---------- ---------- ------------------------------ > 0x0 0xc1575024 divide_error > 0x1 0xc15750bc debug > 0x2 0xc1575114 nmi > 0x3 0xc1575234 int3 > 0x4 0xc1574fd4 overflow > 0x5 0xc1574fe0 bounds > 0x6 0xc1574fec invalid_op > 0x7 0xc1574fc0 device_not_available > 0x8 0x00000000 VDSO32_PRELINK > 0x9 0xc1574ff8 coprocessor_segment_overrun > 0xa 0xc1575004 invalid_TSS > 0xb 0xc157500c segment_not_present > 0xc 0xc1575014 stack_segment > 0xd 0xc157526c general_protection > 0xe 0xc1575048 page_fault > 0xf 0xc157503c spurious_interrupt_bug > 0x10 0xc1574fa8 coprocessor_error > 0x11 0xc157501c alignment_check > 0x12 0xc1575030 machine_check > 0x13 0xc1574fb4 simd_coprocessor_error > 0x80 0xc15749b8 system_call > # > > Thanks very much > luigi > > -- > Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP > autenticato? GRATIS solo con Email.it: http://www.email.it/f > > Sponsor: > Speciale Settembre all'hotel Gigliola di Rimini, 7 giorni di pensione > completa, 2 adulti Euro 420, all inclusive Euro 560 > Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12638&d=20120913 > > > > > -- > Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f > > Sponsor: > Tour culturali nell'entroterra romagnolo con le proposte tutto compreso di Costahotels. Alla scoperta dei borghi medievali e delle tipicita' gastronomiche della zona > Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12622&d=13-9 > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

12 years, 2 months

1
0
0 0

problem with linux_check_afinfo and others rootkit plugins

by bellissimopython＠email.it

Hi, I have the folloing problem: # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_afinfo Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ------------------------------------------ ------------------------------ ---------- WARNING : volatility.obj : Cant find object tcp_seq_afinfo in profile <volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at 0x9bbc5ac>? Traceback (most recent call last): File "vol.py", line 186, in <module> main() File "vol.py", line 177, in main command.execute() File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py", line 51, in execute commands.Command.execute(self, *args, **kwargs) File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py", line 111, in execute func(outfd, data) File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 82, in render_text for (what, member, address) in data: File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 73, in calculate for (name, member, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules): File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 41, in check_afinfo for (hooked_member, hook_address) in self.check_members(var.seq_fops, var_name, op_members, modules): AttributeError: 'NoneType' object has no attribute 'seq_fops' Also I want report that the volatility-2.2-rc1 package does not have the tools/linux folder. So that it is not possible build dwarf module. Anyway I have copied it from the git/alpha release. And finally I want ask something about rootkit detection plugins. For example the following means that everything is ok ? # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_creds Volatile Systems Volatility Framework 2.2_rc1 PIDs -------- # and the following: # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_idt Volatile Systems Volatility Framework 2.2_rc1 Index Address Symbol ---------- ---------- ------------------------------ 0x0 0xc1575024 divide_error 0x1 0xc15750bc debug 0x2 0xc1575114 nmi 0x3 0xc1575234 int3 0x4 0xc1574fd4 overflow 0x5 0xc1574fe0 bounds 0x6 0xc1574fec invalid_op 0x7 0xc1574fc0 device_not_available 0x8 0x00000000 VDSO32_PRELINK 0x9 0xc1574ff8 coprocessor_segment_overrun 0xa 0xc1575004 invalid_TSS 0xb 0xc157500c segment_not_present 0xc 0xc1575014 stack_segment 0xd 0xc157526c general_protection 0xe 0xc1575048 page_fault 0xf 0xc157503c spurious_interrupt_bug 0x10 0xc1574fa8 coprocessor_error 0x11 0xc157501c alignment_check 0x12 0xc1575030 machine_check 0x13 0xc1574fb4 simd_coprocessor_error 0x80 0xc15749b8 system_call # Thanks very much luigi -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Speciale Settembre all'hotel Gigliola di Rimini, 7 giorni di pensione completa, 2 adulti Euro 420, all inclusive Euro 560 Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12638&d=20120913 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Tour culturali nell'entroterra romagnolo con le proposte tutto compreso di Costahotels. Alla scoperta dei borghi medievali e delle tipicita' gastronomiche della zona Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12622&d=13-9

12 years, 2 months

1
0
0 0

Volatility 2.2 RC1 is available!

by Michael Hale Ligh

Volatility 2.2 RC1 is available for download! This release includes over 50 new plugins and the new LiME address space. About 35 plugins are for support of 32- and 64-bit Linux kernels 2.6.11 - 3.5 on distributions such as Ubuntu, CentOS, Fedora, OpenSuSE, and Mandriva. About 14 are for analyzing undocumented kernel data structures in win32k/GUI space on windows. As an added bonus, there are plugins to parse event records structures, calculate service SIDs from the registry, and maybe a few additional surprises before the release. If you haven't checked recently, we've also redone the wiki entirely for better organization and documentation. There are two pages specifically that you should know about for 2.2 - the main release page (with direct downloads to the code) and the linux tutorial: http://code.google.com/p/volatility/wiki/Release22 http://code.google.com/p/volatility/wiki/LinuxMemoryForensics Please note that the 2.2 command reference will remain unfinished until the proper 2.2 release. Enjoy!

12 years, 2 months

1
0
0 0

poison_ivy.py file

by Mike Lambert

Could someone please email me the poison_ivy.py file as an attachment please? My browser mangles it when I try to get it from Andreas Schuster's blog. (Thanks Andreas for the plugin!) Thanks for the assist, Mike

12 years, 2 months

1
0
0 0

Tracking The Volatility Project

by AAron Walters

If you are one of those people who likes to stay up to date on the latest happenings in the world of Volatility, there are a couple of new resources you should definitely check out: Volatility Labs: This blog will now be the official blog of The Volatility Project. To kickstart the new blog and celebrate the upcoming OMFW, we will also be hosting the Month of Volatility Plugins (MoVP). http://volatility-labs.blogspot.com/ @Volatility: For those who want to follow the Volatility Development Team and get the inside track on upcoming events (ie the exiting new training courses), you should check us out on Twitter. https://twitter.com/volatility Thanks, AAron Walters The Volatility Project

12 years, 2 months

1
0
0 0

How to generate a volatility profile for android? It's possible?

by neofito

I'm trying to generate a profile for my android device. This profile just included the System.map file, obtained from /proc/kallsyms. How to get a module.dwarf file? I make a new Makefile for the cross-compilation of module.c and pmem.c for Android but, obviously, is not working. Thanks in advance!

12 years, 2 months

2
3
0 0

reliability phisical memory

by bellissimopython＠email.it

Hi, my question is about the reliability of physical memory acquisition on a runtime system. I mean, it's theoretically possible hijack memory acquisition on an infected system ? If yes, could cold boot attack be useful ? Or are there any other solutions ? thanks -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Speciale agriturismo per gli amanti della natura. Offerte tutto compreso per scoprire l'entroterra romagnolo e le tradizioni locali con le proposte di Costahotels Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12620&d=20120904 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Vacanze di divertimento con le offerte hotel + parco Oltremare di Riccione. Cogli le proposte degli hotel per famiglie della riviera con ingresso al parco Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12611&d=4-9

12 years, 2 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users September 2012