February 2013 - Vol-users - volatilityfoundation.org

by Brian Keefer

I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error. chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod Volatile Systems Volatility Framework 2.3_alpha WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemoryPae: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53 WindowsCrashDumpSpace32: Header signature invalid JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected AMD64PagedMemory: Failed valid Address Space check JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected On a hunch I checked the directory I built the profile in (copied headers & source from the target system): chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo * System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq Platform running Volatility (2.3_alpha, latest from svn): Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux Source of memory image: Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux What am I missing? -- chort

11 years

3
6
0 0

Creating profile for android

by Pasquale Stirparo

Hi All, I'm trying to make a profile for android device. I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC Sense 4.0, kernel 2.6.39.4-g6b459dc). Now, following the instruction here https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I was trying to understand how to modify the makefile under volatility/tools/linux/ , in order to point to my kernel source. The thing is that in from my kernel source folder I couldn't find a proper value for KDIR and KVER (although they should be pretty straightforward according to their name) that would fit with the path for make command as from the following source code: pmem: pmem.c $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules dwarf: module.c $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M=$(PWD) modules dwarfdump -di module.ko > module.dwarf $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean Did anyone ever created an android profile? Any hint? I've seen in the mailing list archive a thread "Profile (ZIP) for Android 4.0.3" from Mike (in Cc), any news about that? Thank you P. -- Pasquale Stirparo, MEng GCFA, OPST, OWSE, ECCE European Commission - JRC Joint Research Centre Institute for the Protection and Security of the Citizen (IPSC) Digital Citizen Security Unit Via E. Fermi, 2749 - TP 361 21027 Ispra (VA) - Italy PGP Key: 0x4C589FB2 Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2 Disclaimer: The views expressed are purely those of the writer and may not in any circumstance be regarded as stating an official position of the European Commission.

13 years

3
10
0 0

RE: [Vol-users] Finding injected code

by James Lay

On 2013-02-27 13:51, Ayers, Robert wrote: > By name alone I'd bet a beer that this is a malicious executable > > 0x89152020 qegyas.exe 2364 2236 0 -------- 0 > 0 2013-02-27 15:08:35 2013-02-27 15:08:44 Thanks for the quick response. I believe that qegyas.exe is the injector (according to my procmon at least). Also, that process has exited, so I'm out of luck for taking a peak at it (in memory at least...happily the malware left the file on the drive :)) James

13 years

3
3
0 0

Finding injected code

by James Lay

Hey all. Got a naughty email sent with malicious links, so I ran it in my sendbox and got an image. I'm trying to locate the injected code: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- -------------------- 0x89e23830 System 4 0 76 206 ------ 0 0x89c207e8 smss.exe 640 4 3 19 ------ 0 2013-02-27 22:05:55 0x89c093e0 csrss.exe 712 640 11 369 0 0 2013-02-27 22:05:59 0x89c0ab10 winlogon.exe 748 640 18 516 0 0 2013-02-27 22:06:04 0x89b72020 services.exe 792 748 16 277 0 0 2013-02-27 22:06:05 0x89bc9980 lsass.exe 804 748 18 370 0 0 2013-02-27 22:06:05 0x89d74da0 nvsvc32.exe 996 792 4 200 0 0 2013-02-27 22:06:05 0x89c067e8 svchost.exe 1056 792 19 199 0 0 2013-02-27 22:06:05 0x894dbda0 svchost.exe 1124 792 11 243 0 0 2013-02-27 22:06:05 0x894e8638 svchost.exe 1260 792 69 1188 0 0 2013-02-27 22:06:06 0x89d7a360 svchost.exe 1308 792 6 77 0 0 2013-02-27 22:06:06 0x894fa3e0 svchost.exe 1392 792 4 81 0 0 2013-02-27 22:06:06 0x89cd4c08 explorer.exe 1676 1632 23 529 0 0 2013-02-27 22:06:06 0x89af39e0 rundll32.exe 1760 1676 4 116 0 0 2013-02-27 22:06:06 0x89bdb1d0 Bootcamp.exe 1768 1676 5 246 0 0 2013-02-27 22:06:06 0x89ba7558 RTHDCPL.EXE 1788 1676 4 197 0 0 2013-02-27 22:06:06 0x89bf8c10 rundll32.exe 1800 1676 1 88 0 0 2013-02-27 22:06:06 0x89b78da0 ctfmon.exe 1828 1676 3 145 0 0 2013-02-27 22:06:06 0x89b8e620 svchost.exe 668 792 4 107 0 0 2013-02-27 22:06:17 0x89c0dc10 AppleOSSMgr.exe 716 792 3 39 0 0 2013-02-27 22:06:17 0x89ac32c8 AppleTimeSrv.ex 872 792 1 44 0 0 2013-02-27 22:06:17 0x89aca958 svchost.exe 1088 792 4 86 0 0 2013-02-27 22:06:17 0x89ad7c18 svchost.exe 1304 792 8 141 0 0 2013-02-27 22:06:17 0x89397918 wmiprvse.exe 1896 1056 6 140 0 0 2013-02-27 15:06:42 0x89152020 qegyas.exe 2364 2236 0 -------- 0 0 2013-02-27 15:08:35 2013-02-27 15:08:44 0x89160558 rundll32.exe 3032 1260 0 -------- 0 0 2013-02-27 15:08:49 2013-02-27 15:08:49 0x89399638 ntvdm.exe 3992 1676 0 -------- 0 0 2013-02-27 15:09:42 2013-02-27 15:09:43 0x8951f020 rundll32.exe 4016 1260 0 -------- 0 0 2013-02-27 15:13:51 2013-02-27 15:13:51 0x890fb648 DumpIt.exe 3720 1676 0 -------- 0 0 2013-02-27 15:13:59 2013-02-27 15:14:01 0x89124da0 DumpIt.exe 368 1676 2 68 0 0 2013-02-27 15:14:22 malfind shows the following: Process: csrss.exe Pid: 712 Address: 0x7f6f0000 Process: explorer.exe Pid: 1676 Address: 0x3d920000 Process: explorer.exe Pid: 1676 Address: 0x23f0000 Process: rundll32.exe Pid: 1760 Address: 0xb30000 Process: rundll32.exe Pid: 1760 Address: 0x3d920000 Process: Bootcamp.exe Pid: 1768 Address: 0x10c0000 Process: Bootcamp.exe Pid: 1768 Address: 0x3d920000 Process: RTHDCPL.EXE Pid: 1788 Address: 0x1bd0000 Process: RTHDCPL.EXE Pid: 1788 Address: 0x4af0000 Process: RTHDCPL.EXE Pid: 1788 Address: 0x3d920000 Process: rundll32.exe Pid: 1800 Address: 0xda0000 Process: rundll32.exe Pid: 1800 Address: 0x3d920000 Process: ctfmon.exe Pid: 1828 Address: 0xeb0000 Process: ctfmon.exe Pid: 1828 Address: 0x3d920000 Process: DumpIt.exe Pid: 368 Address: 0x130000 Process: DumpIt.exe Pid: 368 Address: 0x6fff0000 Just how would I go about seeing the injected code? Thanks for the assist. James

13 years

1
0
0 0

Mac support vanished in latest alpha?

by David Kovar

Greetings, I was adding OS X support to my copy of Volatility per the instructions on https://code.google.com/p/volatility/wiki/MacMemoryForensics. It went well but I thought I'd pull the most recent version while I was at it. Mac support went away when I did so. setup.py is now missing: "volatility.plugins.overlays.mac", Even when I add that back, vol.py --info doesn't show the OS X profiles. Is this intentional? Is there a different version that I should be using? Thanks! -David

13 years

3
9
0 0

Memory Collection on Windows NT

by Myerchin, Terrie A

Hi there We are looking to collect memory on an old Windows NT box. Of course, the tools we utilize are too recent to be compatible with Windows NT. Does anyone have any workaround suggestions or tools that may assist with this memory collection? Regards, Terrie

13 years, 1 month

2
1
0 0

Linux Profiles

by Kevin Marker

Group, I have a memory image file for a Red Hat 6.3 box with 2.6.32-279.el6.x86_x64 kernel. Is it ok to use the CentOS 6.3 x64 (2.6.32-279.el6.x86_x64) example profile, given it's for the same kernel, or do I need to build a new profile? Thanks for the help. Kevin Marker ACE, CCE, CISSP, EnCE

13 years, 1 month

2
1
0 0

Profile or kdbg incorrect

by David Kovar

Greetings, I'm unable to run scan tasks against a memory image and get "AttributeError: Could not list tasks, please verify your --profile with kdbgscan". I'm using 2.3_alpha updated just a moment ago. imageinfo: Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/usr/local/malware/XXXXXXX/XXXX-memdump.mem) PAE type : PAE DTB : 0x187000L KDBG : 0xf80002ff70a0 Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xf80002ff8d00 KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2013-02-01 17:40:54 UTC+0000 Image local date and time : 2013-02-01 09:40:54 -0800 kdbgscan: Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 kdbgscan -f *.mem Volatile Systems Volatility Framework 2.3_alpha ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP0x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP1x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP0x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) Thanks for any help you might be able to offer. -David

13 years, 1 month

3
6
0 0

Re: Lime Forensics Question

by Sebastien Bourdon-Richard

Johnny, I will try to answer your question to the best of my knowledge. I have also put the volatility user's mailing list in CC to share your problem with other users and in case somebody have a better answer than mine ;-) *Do you know how to send the memory using a netcat session from machine A to machine B? I tied to do the below, but it did not work. * *Machine B (Start Netcat on BackTrack Server) ------------------------------------------------- root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd listening on [any] 4444 ... Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107]) ------------------------------------------------- root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444* Unlike dd, LiME operates in kernel mode so you can't pipe it to netcat in user mode. I think LiME was created to listen on the target OS (Machine A in your case) and memory acquisition needs to be started with netcat on the acquisition PC (Machine B in your case). I have not try it, but here's how I think it works: 1) insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime" 2) nc 192.168.1.107 -p 4444 > mem.lime Also, I suggest you to use the padded format or the lime format to dump memory because I think volatility will not be able to convert virtual to physical addresses with a raw dump and analysis will fail (unless you pad the dump manually). Hope this helps! Sebastien On Mon, Feb 18, 2013 at 5:41 PM, Johnny Shaieb <johnny.shaieb(a)gmail.com>wrote: > Sebastien, > > My name is Johnny. I am trying to figure out how to use Lime with > Volatility. > > My end goal it to take and analyze the memory of a Vulnerable 8.04 VM made > available by the Metasploitable Project. > + Reference Link: > http://sourceforge.net/projects/metasploitable/files/Metasploitable2/ > > I have been able to dump the memory (See Below) > > root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=/var/tmp/memory.dd format=raw" > > root@metasploitable:/var/tmp/LIME/src# ls -l /var/tmp/memory.dd > -r--r--r-- 1 root root 536410112 2013-02-18 14:53 /var/tmp/memory.dd > > > Do you know how to send the memory using a netcat session from machine A > to machine B? I tied to do the below, but it did not work. > > *Machine B* (Start Netcat on BackTrack Server) > ------------------------------------------------- > root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd > listening on [any] 4444 ... > *Machine A *(On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107]) > ------------------------------------------------- > root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444 > > > Thank you for any guidance, > > Johnny > > -- > Johnny A. Shaieb > > http://www.computersecuritystudent.com > http://www.studentJD.com <http://www.studentjd.com/> > Education > BS: Management Information Systems (Oklahoma State University) > MS: Telecommunications (Oklahoma State University) > MS: Computer Science / Computer Security (University of Tulsa) > > NSTISSI Certified > 4011: Information Security Professional > 4012: Designated Approving Authority > 4013: Administration in Information Systems Security > 4014: Information Systems Security Officer >

13 years, 1 month

2
2
0 0

Memory Forensics / Volatility talk at RSA

by Andrew Case

On Wednesday of RSA I will be giving a talk titled: "Memory Forensics: Defeating Disk Encryption, Skilled Attackers and Malware" This talk will focus on three key points: 1) Showcasing the power and usefulness of memory forensics 2) Distinguishing memory forensics from disk forensics 3) Highlighting why live forensics should not be used and instead analysts should switch to using offline memory forensics Throughout the talk there will be many examples of powerful rootkits, techniques of advanced attackers, looking at Android, and defeating software-based disk encryption. If you are interested in the talk and plan on attending, please add it to your conference calendar: https://ae.rsaconference.com/US13/connect/sessionDetail.ww?SESSION_ID=1885 If you have any questions about the talk or or want to meet up at RSA then please contact me.

13 years, 1 month

2
1
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users February 2013