Hi guys,
I would like to extract the files that are temporarily cached by the
Linux page cache from an Ubuntu memory image.
When I read a file in Linux for the first time, it gets read from the
hard drive but also gets cached.
A second read of the same file then goes faster. The same applies to writing.
/proc/sys/vm/dirty_expire_centiseconds defines how long data remains in
the page cache until it is written to disk.
First I thought I could use the linux_find_file command of Volatility;
however, this command only targets tmpfs, right?
Is there another way of extracting files from the Linux page cache?
Thank you!
Sebastian
Hello All,
I have published a new blog post analyzing the encrypted shellcode from
the main CVE-2014-0502 attack:
http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0…
It goes through some functionality of the malicious Flash file followed
by analysis of the shellcode used within the encrypted GIF.
This attack's particular use of a malicious Flash file along with an
"encrypted" GIF shows some of the complexity of modern attacks, and
highlights the diverse set of skills needed to analyze the attacks
(Flash reversing, binary shellcode reversing, and understanding
exploitation techniques, such as ROP, ASLR bypass, etc.). This
particular attack was also noticeable because of how many different
companies published public research on it (I have references in the blog).
I hope that you enjoy the blog post and potentially learn something from
it. I am happy that my anonymous friend allowed me to publish the research.
--
Thanks,
Andrew (@attrc)
Ah, the good old “here’s a partial memory dump for you to analyze”
Sadly, this happens quite often.
Thanks for the update!
Michael
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com
Training: http://memoryanalysis.net
On Apr 7, 2014, at 4:45 PM, Carlos Angeles <cangeles(a)gmail.com> wrote:
> Andrew, Michael,
>
> The person who captured the image hasn't been in the office for a
> while, and I was finally able to ask him about the capture. He used
> FTK Imager; he doesn't know the exact version, but it's 3.1.x. I
> now know what the problem was/is with the image. He told me that he was
> only able to capture 4GB because of a limitation of the tool. Kind of
> wish that information had been passed on to me before I started working on
> it. ;-D
>
> Also, Michael, your suggestion to use psscan did reveal some
> processes. It looked rather small, and now I know why.
>
> Thanks for your help!
> Carlos
>
>
> On Sun, Apr 6, 2014 at 1:18 PM, Michael Ligh <michael.ligh(a)mnin.org> wrote:
>> Hi Carlos,
>>
>> There are a few things going on. First, there's a bug in imageinfo which causes Volatility to crash when parsing the CPU addresses - I'll send you a fix for that separately, but it won't affect the rest of your analysis.
>>
>> When a KDBG structure can be found, but there are 0 processes and 0 modules, it almost always indicates a corrupt memory dump. In particular, the acquisition tool probably didn't acquire *all* physical memory ranges (or it failed to align them in the output file properly). Recently, I looked at a similar case where the virtual address of PsActiveProcessHead translated to a physical offset that was higher than the number of bytes in the memory dump (thus the memory dump file was truncated and missing some data).
>>
>> I'd be interested if psscan shows you a partial list of processes. If so, you may be able to perform limited analysis, by passing the physical offsets of the _EPROCESS structures to plugins like handles, dlllist, vaddump, etc (the -o/--offset option).
>>
>> Talk to you soon,
>> MHL
>>
>> --------------------------------------------------
>> Michael Ligh (@iMHLv2)
>> GPG: http://mnin.org/gpg.pubkey.txt
>> Blog: http://volatility-labs.blogspot.com
>> Training: http://memoryanalysis.net
>>
>> On Apr 6, 2014, at 2:29 PM, Andrew Case <atcuno(a)gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Do you know which tool was used to acquire memory? Also, how much RAM
>>> does the system have?
>>>
>>> Thanks,
>>> Andrew (@attrc)
>>>
>>> On 4/2/2014 4:45 PM, Carlos Angeles wrote:
>>>> Hello,
>>>>
>>>> I'm getting some KDBG errors when examining a Windows Server 2008 R2
>>>> server memory image. I saw a similar post to this list back in August
>>>> 2012 (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00056…)
>>>>
>>>> Here's the output from a few plugins. It was captured by another
>>>> person and I don't know what tool or version he used.
>>>>
>>>> Does it look like the memory image is corrupted?
>>>>
>>>> Thanks,
>>>> Carlos
>>>>
>>>>
>>>> $ vol.py -f memdump.mem imageinfo
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Determining profile based on KDBG search...
>>>>
>>>> Suggested Profile(s) : Win7SP0x64, Win7SP1x64,
>>>> Win2008R2SP0x64, Win2008R2SP1x64
>>>> AS Layer1 : AMD64PagedMemory (Kernel AS)
>>>> AS Layer2 : FileAddressSpace (memdump.mem)
>>>> PAE type : No PAE
>>>> DTB : 0x187000L
>>>> KDBG : 0xf80001def0a0
>>>> Number of Processors : 8
>>>> Image Type (Service Pack) : 1
>>>> KPCR for CPU 0 : 0xfffff80001df0d00L
>>>> Traceback (most recent call last):
>>>> File "/usr/local/bin/vol.py", line 5, in <module>
>>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 183, in <module>
>>>> main()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 174, in main
>>>> command.execute()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
>>>> line 121, in execute
>>>> func(outfd, data)
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
>>>> line 35, in render_text
>>>> for k, v in data:
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
>>>> line 100, in calculate
>>>> yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number),
>>>> hex(kpcr.obj_offset))
>>>> TypeError: hex() argument can't be converted to hex
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 pslist
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Offset(V) Name PID PPID Thds Hnds
>>>> Sess Wow64 Start Exit
>>>> ------------------ -------------------- ------ ------ ------ --------
>>>> ------ ------ ------------------------------
>>>> ------------------------------
>>>> Traceback (most recent call last):
>>>> File "/usr/local/bin/vol.py", line 5, in <module>
>>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 183, in <module>
>>>> main()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 174, in main
>>>> command.execute()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
>>>> line 121, in execute
>>>> func(outfd, data)
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/taskmods.py",
>>>> line 140, in render_text
>>>> for task in data:
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
>>>> line 70, in pslist
>>>> for p in get_kdbg(addr_space).processes():
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
>>>> line 42, in processes
>>>> raise AttributeError("Could not list tasks, please verify your
>>>> --profile with kdbgscan")
>>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 kdbgscan
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win7SP1x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win2008R2SP1x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win2008R2SP0x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win7SP0x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 hivescan
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Offset(P)
>>>> ------------------
>>>> 0x0000000000431010
>>>> 0x00000000051a4010
>>>> 0x000000000f1d7010
>>>> 0x0000000013e15410
>>>> 0x0000000015875410
>>>> 0x000000005a517410
>>>> 0x000000006e434410
>>>> 0x000000007ddce410
>>>> 0x00000000a143e410
>>>> 0x00000000a7f8c410
>>>> 0x00000000c3b83010
>>>> 0x00000000cbb17410
>>>> 0x00000000d0768410
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 svcscan
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Traceback (most recent call last):
>>>> File "/usr/local/bin/vol.py", line 5, in <module>
>>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 183, in <module>
>>>> main()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 174, in main
>>>> command.execute()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
>>>> line 121, in execute
>>>> func(outfd, data)
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
>>>> line 360, in render_text
>>>> for rec in data:
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
>>>> line 275, in calculate
>>>> for task in tasks.pslist(addr_space):
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
>>>> line 70, in pslist
>>>> for p in get_kdbg(addr_space).processes():
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
>>>> line 42, in processes
>>>> raise AttributeError("Could not list tasks, please verify your
>>>> --profile with kdbgscan")
>>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users(a)volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>
>>
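Michael's diagnosis above (a KDBG that validates but walks to 0 processes and 0 modules, a physical offset that lands past the end of the file, a file far smaller than the machine's RAM) can be turned into a pre-analysis sanity check so a truncated acquisition is recognised before hours go into it. The script below is an added example, not Volatility code and not written by anyone in this thread. It parses physical offsets and list counts out of pasted Volatility 2.x text output (kdbgscan and hivescan lines reused from the thread, mail quoting stripped), compares them with the dump file's size and the RAM size the box is believed to have, and reports whether the list-walking plugins can be trusted or whether one should fall back to pool scanners and `--offset`. The 4 GiB file size, the 16 GiB RAM figure and the extra offset `0x123456000` are constructed values for the demo, not facts from the thread.

```python
import re

# Lines of interest in Volatility 2.x text output (mail quote marks are
# stripped first, so the thread's ">>>>"-prefixed paste works as input).
_PHYS_RE = re.compile(r"^(?:Offset \(P\)\s*:\s*)?(0x[0-9a-fA-F]+)L?$")
_COUNT_RE = re.compile(
    r"^(PsActiveProcessHead|PsLoadedModuleList)\s*:\s*0x[0-9a-fA-F]+\s*"
    r"\((\d+) (?:processes|modules)\)")


def _clean(line):
    """Drop mail quoting ('>' runs) and surrounding whitespace."""
    return line.lstrip("> ").strip()


def parse_physical_offsets(text):
    """Collect physical offsets reported by kdbgscan ('Offset (P)') and by
    scanner tables such as hivescan/psscan (bare 'Offset(P)' column rows)."""
    found = set()
    for line in text.splitlines():
        m = _PHYS_RE.match(_clean(line))
        if m:
            found.add(int(m.group(1), 16))
    return sorted(found)


def parse_list_counts(text):
    """Return {'PsActiveProcessHead': n_processes, 'PsLoadedModuleList': n_modules}
    from kdbgscan output (last occurrence wins; kdbgscan repeats the block)."""
    counts = {}
    for line in text.splitlines():
        m = _COUNT_RE.match(_clean(line))
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def assess_dump(dump_size, expected_ram, offsets, counts):
    """Combine the truncation indicators into one assessment.

    dump_size    -- bytes actually present in the image file
    expected_ram -- bytes of physical RAM the machine is believed to have
    offsets      -- physical offsets the plugins will try to read
    counts       -- output of parse_list_counts()
    """
    beyond_eof = [o for o in offsets if o >= dump_size]
    indicators = []
    if beyond_eof:
        indicators.append(
            "%d physical offset(s) lie beyond end of file (max 0x%x, file is 0x%x bytes)"
            % (len(beyond_eof), max(beyond_eof), dump_size))
    if dump_size < expected_ram:
        indicators.append("file holds %.0f%% of reported RAM"
                          % (100.0 * dump_size / expected_ram))
    if counts.get("PsActiveProcessHead") == 0 and counts.get("PsLoadedModuleList") == 0:
        indicators.append("KDBG found but 0 processes / 0 modules: list walk failed")
    return {
        "beyond_eof": beyond_eof,
        "indicators": indicators,
        "suspect_truncated": bool(indicators),
        "advice": ("fall back to pool scanners (psscan) and pass _EPROCESS physical "
                   "offsets with -o/--offset" if indicators
                   else "list-walking plugins should work"),
    }


# Sample input: kdbgscan and hivescan lines quoted from the thread, plus one
# CONSTRUCTED offset (0x123456000, about 4.6 GiB) to exercise the beyond-EOF path.
SAMPLE_OUTPUT = """\
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> Offset(P)
>>>> ------------------
>>>> 0x0000000000431010
>>>> 0x00000000d0768410
>>>> 0x0000000123456000
"""

DUMP_SIZE = 4 * 1024 ** 3       # constructed: a 4 GiB file, as in the thread
EXPECTED_RAM = 16 * 1024 ** 3   # constructed: assume the server had 16 GiB


def demo():
    """Run the check over the sample paste and return the assessment dict."""
    offsets = parse_physical_offsets(SAMPLE_OUTPUT)
    counts = parse_list_counts(SAMPLE_OUTPUT)
    return assess_dump(DUMP_SIZE, EXPECTED_RAM, offsets, counts)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Feed it the raw paste of kdbgscan and any scanner plugin output together with `os.path.getsize()` of the image and the RAM figure from the acquisition notes; if any indicator fires, treat pslist output as unreliable and work from psscan hits as Michael suggests.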
Sorry for the SPAM if you already knew about this.
https://github.com/halpomeranz/lmg
Ryan Gibson
CISSP, GCFA, GCIH, Security +
Office: 858-651-1689
Mobile: 619-804-8736
Senior IT Security Engineer
Syscan 2014 was last week, and they have now released the slides and
white papers from each speaker:
http://syscan.org/index.php/download
Reading through these presentations will be well worth your time no
matter which role(s) you might play in security/forensics.
--
Thanks,
Andrew (@attrc)
Hey,
In the images (tigger.vmem, sality.vmem and black energy), the connscan plugin gives output showing that these images are making connections to some IP addresses, and it also gives the PID of the process making each connection. But when I used the PSLIST, PSSCAN and PSXVIEW plugins, none of them showed the process with that PID (the one making the connection).
P.S.: In all the above-mentioned images the process ID is the same, i.e. PID=1260.
So the problem is: why is it not showing any details about PID=1260?