I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
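Added example (not part of chort's post): the verbose list above ends with "LimeAddressSpace: Invalid Lime header signature", and that test is cheap to reproduce outside Volatility. The script below parses the LiME format directly: every dumped range is preceded by a 32-byte header (magic 0x4C694D45, version, start address, end address, 8 reserved bytes) and its body is end - start + 1 bytes long. The sample dump is constructed inline; running the same functions over a real .lime file tells you whether the file Volatility is being handed actually carries LiME headers, and where each physical range lives in the file.

```python
import struct

# LiME format (format=lime): every memory range is preceded by a 32-byte
# header: magic, version, start address, end address, 8 reserved bytes.
LIME_MAGIC = 0x4C694D45                     # bytes "EMiL" when stored little-endian on x86
LIME_HEADER = struct.Struct("<IIQQ8s")      # magic, version, s_addr, e_addr, reserved


def is_lime(data):
    """Cheap first check: does the file begin with a version-1 LiME header?
    This is the signature test behind Volatility's
    'LimeAddressSpace: Invalid Lime header signature' message."""
    if len(data) < LIME_HEADER.size:
        return False
    magic, version = struct.unpack_from("<II", data, 0)
    return magic == LIME_MAGIC and version == 1


def parse_lime(data):
    """Walk all range headers and return [(s_addr, e_addr, body_offset), ...].

    The body of a range is e_addr - s_addr + 1 bytes long and starts right
    after its header; the next header follows the body."""
    ranges = []
    off = 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError("truncated LiME header at offset 0x%x" % off)
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic 0x%08x at offset 0x%x" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end 0x%x below start 0x%x" % (e_addr, s_addr))
        body = off + LIME_HEADER.size
        size = e_addr - s_addr + 1
        if body + size > len(data):
            raise ValueError("range 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, body))
        off = body + size
    return ranges


def phys_to_file_offset(ranges, paddr):
    """Translate a physical address to a file offset, or None when the
    address falls in a hole between dumped ranges (what a LiME address
    space has to do for every read)."""
    for s_addr, e_addr, body in ranges:
        if s_addr <= paddr <= e_addr:
            return body + (paddr - s_addr)
    return None


# Constructed sample: two 256-byte ranges with a hole between them.
SAMPLE_LIME = (
    LIME_HEADER.pack(LIME_MAGIC, 1, 0x0, 0xff, b"\0" * 8) + b"A" * 256
    + LIME_HEADER.pack(LIME_MAGIC, 1, 0x100000, 0x1000ff, b"\0" * 8) + b"B" * 256
)
# Constructed sample of something that is not a LiME dump (e.g. a raw image).
SAMPLE_RAW = b"\0" * 64


if __name__ == "__main__":
    for s, e, body in parse_lime(SAMPLE_LIME):
        print("range 0x%016x-0x%016x at file offset 0x%x" % (s, e, body))
    print("is_lime(raw):", is_lime(SAMPLE_RAW))
```

To run it against a real image, read the file with `open(path, "rb").read()` (or mmap it for large dumps) and call `is_lime` first; a False there means the file is not in LiME format regardless of which profile is selected.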
We are happy to announce that the results of the 2014 Volatility plugin
contest are now available:
http://volatility-labs.blogspot.com/2014/10/announcing-2014-volatility-plug…
Congrats to the winners and we would like to again thank Facebook for
their donation that doubled the contest's prize money!
--
Thanks,
Andrew (@attrc)
I've used malfind and memscan on a suspected POS infected system and I get a ton of false positive hits on AV processes. Any way to whitelist some of these or use --silent to filter out some of these false positives? On the other side, is it likely malware is using AV processes to do their deed?
Mike
Det. Michael Chaves
Monroe Police Department
7 Fan Hill Road
Monroe, CT 06468
203.452.2831 x1307 (desk)
203.261.3622 (w)
203.650.7997 (c)
*** NOTE: If you are sending me an attachment, rename the extension to .txt or .jpg, otherwise, due to filters, I will not get it ***
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of vol-users-request(a)volatilityfoundation.org
Sent: Tuesday, October 28, 2014 1:00 PM
To: vol-users(a)volatilityfoundation.org
Subject: [BULK] Vol-users Digest, Vol 76, Issue 6
Today's Topics:
1. Detailed analysis of Kaspersky hooks including analysis with
Volatility (Andrew Case)
----------------------------------------------------------------------
Message: 1
Date: Tue, 28 Oct 2014 02:16:58 -0500
From: Andrew Case <atcuno(a)gmail.com>
Subject: [Vol-users] Detailed analysis of Kaspersky hooks including
analysis with Volatility
To: "'vol-users(a)volatilityfoundation.org'" <vol-users(a)volatilityfoundation.org>
Message-ID: <544F42EA.9020500(a)gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
A really well done writeup & analysis:
https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
--
Thanks,
Andrew (@attrc)
Hi,
I'm trying to compile LiME for a given Android Virtual Device (AVD)
Platform 4.4.2
API Level 19
CPU Intel Atom (x86)
I have no information about how the AVD was created.
Does in this case investigation with LiME/Volatility make sense at all?
Should LiME be able to handle the Atom-Processor?
If yes: Should Volatility be able to handle the LiME dump?
If any answer up to now was no:
No further reading necessary. :-(
But please enlighten me. ;-)
If this in principle is not an impossible plan then how do I have to
handle the following warnings/errors?
(a) LiME compiles but gives me a
WARNING:
Symbol version dump ~/android/kernel/goldfish/Module.symvers
is missing; modules will have no dependencies and modversions.
(b) insmod fails
insmod: init_module '/sdcard/lime.ko' failed (No such file or directory)
(but of course there is a '/sdcard/lime.ko')
(c) dmesg reports
lime: Unknown symbol _GLOBAL_OFFSET_TABLE_ (err 0)
lime: Unknown symbol kmap (err 0)
lime: Unknown symbol kunmap (err 0)
Is it correct to expect that (b) and (c) are a result of (a)?
What is to be done?
Compiling the kernel and hoping the Module.symvers fits the AVD
symbols? The LiME documentation does not mention a need for compiling
the Android kernel.
Or do I have to work on the kernel's .config?
As always there is no /proc/config.gz on the phone/AVD. (At least I have
not seen any /proc/config.gz on my devices so far.)
Instead in this case I worked on the
goldfish/arch/x86/configs/i386_defconfig until the AVD accepted the
version magic.
Just in case it is useful, here is in detail what I did so far:
________________________________________
### the AVD ###
cat /proc/version
Linux version 3.4.0+ (nnk(a)nnk.mtv.corp.google.com) (gcc version 4.7 (GCC) ) #1 PREEMPT Wed Jul 10 09:55:37 PDT 2013
________________________________________
### Goldfish kernel 3.4.0+ for LiME compilation ###
$ mkdir -p ~/android/kernel && cd $_
$ git clone https://android.googlesource.com/kernel/goldfish.git
$ cd goldfish
$ git branch -a
$ git checkout origin/android-goldfish-3.4 -b goldfish-3.4
$ git log --pretty=oneline | grep -i 'linux 3.4$'
$ git checkout 76e10d1 -b goldfish-3.4-76e10d1
$ cp arch/x86/configs/i386_defconfig .config
________________________________________
### modify .config in order to get correct version ###
### magic: '3.4.0+ preempt mod_unload CORE2 ' ###
$ diff arch/x86/configs/i386_defconfig .config
39c39,41
< CONFIG_SMP=y
---
> CONFIG_SMP=n
> CONFIG_MCORE2=y
> CONFIG_PREEMPT=y
43c45
< CONFIG_PREEMPT_VOLUNTARY=y
---
> CONFIG_PREEMPT_VOLUNTARY=n
________________________________________
### prepare kernel for module compilation ###
$ make ARCH=x86 CROSS_COMPILE=~/android/ndk/toolchains/x86-4.9/prebuilt/linux-x86_64/bin/i686-linux-android- modules_prepare
________________________________________
### LiME Makefile ###
obj-m := lime.o
lime-objs := tcp.o disk.o main.o
KDIR_GOLD := ~/android/kernel/goldfish/
CCPATH := ~/android/ndk/toolchains/x86-4.9/prebuilt/linux-x86_64/bin
PWD := $(shell pwd)

default:
	# cross-compile for Android emulator
	$(MAKE) ARCH=x86 CROSS_COMPILE=$(CCPATH)/i686-linux-android- \
	    -C $(KDIR_GOLD) M=$(PWD) modules
	$(CCPATH)/i686-linux-android-strip --strip-unneeded lime.ko
	mv lime.ko lime-goldfish.ko
	$(MAKE) tidy

tidy:
	rm -f *.o *.mod.c Module.symvers Module.markers modules.order \
	    \.*.o.cmd \.*.ko.cmd \.*.o.d
	rm -rf \.tmp_versions

clean:
	$(MAKE) tidy
	rm -f *.ko
________________________________________
Thanks,
Philipp
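Added example, not part of Philipp's post or of the LiME project: the version magic the message had to match ('3.4.0+ preempt mod_unload CORE2 ') is stored as a `vermagic=` string in the module's .modinfo ELF section, so it can be compared against the target kernel's string before any insmod attempt. The script parses just enough ELF (header, section header table, section-name string table) to pull .modinfo out of a .ko, for ELF32 and ELF64 in either byte order, and compares it strictly, which is what the kernel does for a module built without modversions (the case here, since Module.symvers was missing). The sample .ko is a constructed fixture with only .modinfo and .shstrtab, not a loadable module; the mismatching vermagic string in the test is constructed as well.

```python
import struct

SHT_PROGBITS, SHT_STRTAB = 1, 3


def read_modinfo(data):
    """Return the key=value entries of a kernel module's .modinfo section
    as {key: [values]} (keys such as 'alias' may repeat).

    Only the ELF pieces needed to reach .modinfo are parsed: ELF header,
    section header table and section-name string table."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]                      # little- or big-endian
    if ei_class == 1:                                    # ELF32
        shoff, = struct.unpack_from(end + "I", data, 32)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 46)
        shdr_fmt = end + "IIIIIIIIII"
    elif ei_class == 2:                                  # ELF64
        shoff, = struct.unpack_from(end + "Q", data, 40)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 58)
        shdr_fmt = end + "IIQQQQIIQQ"
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    def section(index):
        # fields 0, 4 and 5 are sh_name, sh_offset and sh_size in both classes
        f = struct.unpack_from(shdr_fmt, data, shoff + index * shentsize)
        return f[0], f[4], f[5]

    _, str_off, str_size = section(shstrndx)
    names = data[str_off:str_off + str_size]
    for i in range(shnum):
        name_off, off, size = section(i)
        name = names[name_off:].split(b"\0", 1)[0]
        if name == b".modinfo":
            info = {}
            for entry in data[off:off + size].split(b"\0"):
                if b"=" in entry:
                    key, value = entry.split(b"=", 1)
                    info.setdefault(key.decode(), []).append(value.decode())
            return info
    raise ValueError(".modinfo section not found")


def vermagic_matches(modinfo, kernel_vermagic):
    """Strict string comparison, as the kernel applies to a module built
    without modversions (a module built with Module.symvers missing)."""
    return modinfo.get("vermagic", [None])[0] == kernel_vermagic


def build_sample_ko(entries):
    """Constructed fixture: a minimal ELF32 LE relocatable holding only a
    .modinfo and a .shstrtab section. Enough for read_modinfo, not loadable."""
    modinfo = b"".join(e.encode() + b"\0" for e in entries)
    shstrtab = b"\0.modinfo\0.shstrtab\0"        # name offsets: .modinfo=1, .shstrtab=10
    ehdr_size, shdr_size = 52, 40
    off_modinfo = ehdr_size
    off_shstrtab = off_modinfo + len(modinfo)
    shoff = off_shstrtab + len(shstrtab)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELF32, LE, version 1
    # e_type=ET_REL, e_machine=EM_386, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 1, 3, 1, 0, 0, shoff, 0,
                                 ehdr_size, 0, 0, shdr_size, 3, 2)

    def shdr(name, typ, off, size):
        return struct.pack("<IIIIIIIIII", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    sections = (bytes(shdr_size)                                   # null section
                + shdr(1, SHT_PROGBITS, off_modinfo, len(modinfo))
                + shdr(10, SHT_STRTAB, off_shstrtab, len(shstrtab)))
    return ehdr + modinfo + shstrtab + sections


# Constructed sample module carrying the vermagic string from the message above.
SAMPLE_KO = build_sample_ko(["license=GPL", "depends=",
                             "vermagic=3.4.0+ preempt mod_unload CORE2 "])
# Version magic the emulator kernel accepted, as quoted in the message.
AVD_VERMAGIC = "3.4.0+ preempt mod_unload CORE2 "

if __name__ == "__main__":
    info = read_modinfo(SAMPLE_KO)
    print("module vermagic: %r" % info["vermagic"][0])
    print("matches AVD kernel:", vermagic_matches(info, AVD_VERMAGIC))
```

For a real module, pass `open("lime.ko", "rb").read()` to `read_modinfo`; the kernel-side string to compare against is the vermagic the target kernel was built with (what `modinfo`/`/proc/version` plus the kernel's .config imply), and a mismatch there explains an insmod refusal before any symbol-resolution errors come into play.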
Hello Group,
So I am not sure if I understood the working of ldrmodules correctly, but
in short, for each process I imagine it looks at the VAD, and for each DLL
found there compares it with the 3 lists in the process PEB and reports
back on any discrepancy.
A snippet from vadinfo for a process with pid 12128, where I can see a DLL mapped:
VAD node @ 0xfffffa80088378c0 Start 0x0000000000040000 End 0x0000000000040fff Tag Vad
Flags: Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8006a86c40 Segment fffff8a00021d4e0
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 1
NumberOfMappedViews: 119 NumberOfUserReferences: 120
WaitingForDeletion Event: 00000000
Control Flags: File: 1, Image: 1
FileObject @fffffa80069c5250, Name: \Windows\System32\apisetschema.dll
First prototype PTE: fffff8a00021d5a8 Last contiguous PTE: fffffffffffffffc
Flags2: Inherit: 1
But ldrmodules (or dlllist) over the image does not show that DLL.
cat ldrmodules.txt | grep -i apiset
cat dlllist.txt | grep -i apiset
The process in question has a pid of 12128, so on a frequency count there
is a large discrepancy that I don't understand.
cat ldrmodules.txt | grep 12128 | wc -l
54
cat vadinfo-12128.txt | grep dll | wc -l
130
Any pointers to a link I should read up on to understand the concepts here?
Should ldrmodules not have reported on all the DLLs that were found as
mapped files in the VAD?
Thanks,
JB
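Added example, not part of JB's post and not Volatility's own code: a minimal model of the cross-check the post describes, the image mappings recorded in a process's VAD tree against the three PEB Ldr lists (InLoadOrder, InInitializationOrder, InMemoryOrder). The sample VAD and PEB data are constructed; the process's own executable is legitimately absent from the InInit list, and a kernel-mapped image such as apisetschema.dll is a well-known benign hit in all-three-false rows, so the `suspicious` function narrows the rows rather than delivering a verdict.

```python
# Constructed sample for one process: image-mapped VAD nodes (base -> file
# name, from VadImageMap entries) and the three PEB Ldr lists in list order.
SAMPLE_VAD_IMAGES = {
    0x00400000: r"\Program Files\app\app.exe",
    0x77a00000: r"\Windows\System32\ntdll.dll",
    0x75b00000: r"\Windows\System32\kernel32.dll",
    0x00040000: r"\Windows\System32\apisetschema.dll",      # mapped by the kernel, not the loader
    0x10000000: r"\Users\bob\AppData\Local\Temp\drop.dll",  # constructed: unlinked from the PEB
}
SAMPLE_PEB_LISTS = {
    "InLoad": [(0x00400000, r"C:\Program Files\app\app.exe"),
               (0x77a00000, r"C:\Windows\System32\ntdll.dll"),
               (0x75b00000, r"C:\Windows\System32\kernel32.dll")],
    "InInit": [(0x77a00000, r"C:\Windows\System32\ntdll.dll"),      # the exe is never here
               (0x75b00000, r"C:\Windows\System32\kernel32.dll")],
    "InMem":  [(0x00400000, r"C:\Program Files\app\app.exe"),
               (0x77a00000, r"C:\Windows\System32\ntdll.dll"),
               (0x75b00000, r"C:\Windows\System32\kernel32.dll")],
}


def ldr_cross_check(vad_images, peb_lists):
    """One row per image base known to either source:
    (base, in_load, in_init, in_mem, vad_path). A base that sits in a PEB
    list but has no image mapping in the VAD is reported with path 'n/a'."""
    members = {name: {base for base, _ in entries} for name, entries in peb_lists.items()}
    bases = set(vad_images)
    for s in members.values():
        bases |= s
    rows = []
    for base in sorted(bases):
        rows.append((base,
                     base in members["InLoad"],
                     base in members["InInit"],
                     base in members["InMem"],
                     vad_images.get(base, "n/a")))
    return rows


def suspicious(rows):
    """Images mapped in the VAD but linked into none of the three lists.
    This is a triage filter, not a verdict: apisetschema.dll lands here on
    every process, so the path still has to be judged."""
    return [r for r in rows if r[4] != "n/a" and not (r[1] or r[2] or r[3])]


if __name__ == "__main__":
    rows = ldr_cross_check(SAMPLE_VAD_IMAGES, SAMPLE_PEB_LISTS)
    print("%-12s %-6s %-6s %-6s %s" % ("Base", "InLoad", "InInit", "InMem", "MappedPath"))
    for base, load, init, mem, path in rows:
        print("0x%010x %-6s %-6s %-6s %s" % (base, load, init, mem, path))
    print("to triage:", [hex(r[0]) for r in suspicious(rows)])
```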
Does Volatility support the analysis of Mac /var/vm/sleepimage?
I did not see it mentioned in "The Art of Memory Forensics", and I
seem to have trouble even doing a simple mac_pslist against it...
--
Jarle Thorsen
vol-users,
The registration for the Open Memory Forensics Workshop (OMFW) 2014 closes
on Oct 24. If you are still planning to attend, I recommend sending a
request as soon as possible. There are less than 10 open seats remaining!
For those who have already requested an invitation, please let us know if
you have not received your registration details.
Reserve your seat by sending an email to info [at]
volatilityfoundation.org or using the contact form on the Foundation's
website.
Thanks,
The Volatility Foundation
www.volatilityfoundation.org
We are excited to announce that we now have public trainings scheduled
through May of next year. Between now and then we will be visiting
Austin (Dec.), San Francisco (Jan.), Brazil (Feb.), Reston, VA (April),
and New York (May). A complete listing of course offerings and details
can be found at:
http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n
and:
http://volatility-labs.blogspot.com/2014/10/windows-malware-and-memory-fore…
Classes fill quickly so please contact us ASAP if you would like to
attend! We offer discounts for LEO, government, and full time students
as well as group rates for companies.
--
Thanks,
Andrew (@attrc)