Hello dear volatility community,
I am a ISE master student at Ben Gurion University in Israel.
And I need you help.
My research deals with extracting many features from a windows memory dump
taken from vSphere snapshots. (Mostly Windows 2012 R2).
In order to extract as many features as possible I am using volatility
framework which helps me to receive the most basic features I need.
I want to leverage volatility framework even more so I can extract more
valuable features.
Here is the list of features I want to try to extract from the memory:
- Achieving the stack of all processes. or any thing that can be deduced by
it, for example call sequence or function's parameters etc.
- Gathering information about reading or writing actions that were
happening while the snapshot was taken or before.
- Find / detect usages of cryptography keys in the memory, especially
asymmetric keys.
- Find / detect changes in the registry.
I hope this post is not too abstract, and that maybe you can help me start.
I want to first know if what I am trying to do is even possible? Is
volatility the right tool?
If it is, where should I begin?
Appreciate your help!
Thanks,
Yuval
That's great! Thank you so much :)
On 24 May 2016 at 16:06, wyatt roersma <wyattroersma(a)gmail.com> wrote:
> Yes I do. Here is the link the the exe and user guide.
> https://drive.google.com/folderview?id=0Bz3L4ZnVlUY8TFdBcUljeTc4VFk
> On May 24, 2016 7:13 AM, "Michael Ligh" <michael.ligh(a)mnin.org> wrote:
>
>> Wyatt - do you still have a copy of vm2dmp around?
>>
>> MHL
>>
>> On 5/24/16 5:55 AM, Bridgey theGeek wrote:
>> > Hi all,
>> >
>> > I've been given a .vsv and a .bin from a Server 2008R2 box.
>> > vm2dmp supposedly supported converting this into a raw image, but it
>> > seems to have disappeared off the face of the planet.
>> >
>> > Does anybody have:
>> >
>> > a) A copy of vm2dmp that they're allowed to share.
>> > and/or
>> > b) Recommendations for an alternative tool.
>> >
>> > Thanks!
>> > Adam
>> >
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>>
>>
Hi all,
I've been given a .vsv and a .bin from a Server 2008R2 box.
vm2dmp supposedly supported converting this into a raw image, but it seems
to have disappeared off the face of the planet.
Does anybody have:
a) A copy of vm2dmp that they're allowed to share.
and/or
b) Recommendations for an alternative tool.
Thanks!
Adam
Hello,
I am starting to play with Volatility (2.5) and I am currently working
on a Win2008R2 image (memory dump with winpmem). I would like to
understand what is causing some network connections initiated by the
"System" process.
netscan shows those connections and I would like to be able to find
references to the IP addresses in the memory dump. I have tried
"yarascan -Y" plugin with the IP string, with the IP to integer value
(converted to Hex) but no luck finding IPs that , however, I can see in
the netscan result...
Either I am wrong with the yarascan syntax or there is something I don't
know regarding how Win2008 stores IP...
Any hints ?
Thanks,
Laurent
Hello again,
I managed to get something that guess the OS of a memory dump. I was
planning to call imageinfo from it in the case of a Windows dump or
get_mac_profile in case of an OSX dump (will figure out Linux later).
So my questions are:
- Does this kind of feature fits into Volatility, or do you prefer that
the plugins follow the Single Responsability Principle ?
- If not, what is the cleanest way to call a plugin from another one ?
Thank you !
--
Stanislas 'P1kachu' Lejay
EPITA - LSE
If you're sleeping, you're doing it wrong.
Hello,
I am having some trouble loading a simple plugin with the '--plugins=.'
option. It seems to be loaded (there were some errors that were fixed
thanks to volatility displaying them) but it doesn't appear in the
--info list. If I try this option in one of the community folder, it
works (the plugins appear).
What is the basic requirement for a plugin to be recognized, and what
could I miss ? I started mine based on one from the
community folder (CsabaBarta/usnjrnl.py)
Thank you,
--
Stanislas 'P1kachu' Lejay
EPITA - LSE
If you're sleeping, you're doing it wrong.
Hi all,
Doing some work with the windows plugin for VistaSP1x86.
I have the following two fragments from the output:
Window Handle: #20130 at 0xfe817078, Name:
ClassAtom: 0xc052, Class: ConsoleProgmanHandle
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfde11e90, Tid: 3432 at 0x839714e0
ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
Visible: Yes
Left: 82, Top: 456, Bottom: 379, Right: 473
Style Flags: WS_CHILD,WS_OVERLAPPED,WS_VISIBLE
ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x7520d0d4
Window Handle: #100bc at 0xfe807390, Name:
ClassAtom: 0xc052, Class: ConsoleProgmanHandle
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfe44d660, Tid: 2552 at 0x837c8778
ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
Visible: No
Left: 11, Top: 542, Bottom: 229, Right: 559
Style Flags: WS_CHILD,WS_OVERLAPPED
ExStyle Flags:
WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x751f01c6
Both are from the same instance of explorer.exe.
Viewing windows.py, it shows that the "Window Handle" is simply the value
of: wnd.head.h
Now consider this from volshell:
>>> o1 = obj.Object('tagWND', offset=0xfe817078,
vm=proc().get_process_address_space())
>>> dd(o1.head.h, length=4)
fe8172a0 00020130
This seems logical: head.h is a void pointer. If we follow the pointer we
get the handle: 20130.
If I do the same with the other one:
>>> o2 = obj.Object('tagWND', offset=0xfe807390,
vm=proc().get_process_address_space())
>>> dd(o2.head.h, length=4)
000100bc 00000000
In this example, the handle is the VALUE of head.h, that is, you shouldn't
follow the pointer.
Volatility seems to know this because it displays the handles as 100bc
rather than 0.
I searched the Volatility code to see if I could find how this is being
done, but I couldn't.
So, how?? What rule don't I know??
Thanks!
Hi all,
I'm quite sure that there is a "standard procedure" in order to
investigate a specific area of the memory once you found something
useful in a specific address, but my research on volatility doc does not
help me much.
Here the problem.
I was able to find out with yarascan and -W option (Andrew and Michael,
thanks again!), where the password of a specific app is stored (see
after my signature for the complete yarascan output). From this output,
I can see that the password is stored from address 0xb2f771f0. I would
like to see:
- what is stored before the password
- if this memory area is related to a specific file
In other words, I would like to investigate how the app stored the
password hoping that the password is always store with some criteria.
Of course, I have several memory dumps, with different passwords set.
The yarascan outputs (that shows me only something *after *the password)
do not help me.
Thanks in advance for all your help,
Massimo
(Here is the yarascan output. The password set is "mypassword2016")
Task: ject.otr.app.im pid 1691 rule r1 addr 0xb2f771f0
0xb2f771f0 6d 00 79 00 70 00 61 00 73 00 73 00 77 00 6f 00 m.y.p.a.s.s.w.o.
0xb2f77200 72 00 64 00 32 00 30 00 31 00 36 00 00 00 00 00 r.d.2.0.1.6.....
0xb2f77210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb2f77220 00 00 00 00 43 04 00 00 f0 4a b5 b2 00 00 00 00 ....C....J......
0xb2f77230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb2f77240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb2f77250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb2f77260 08 ff f9 b2 00 00 00 00 00 00 00 00 78 df fa b2 ............x...
0xb2f77270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb2f77280 38 47 ef b2 f0 e8 d8 b2 68 76 f7 b2 00 00 00 00 8G......hv......
0xb2f77290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb2f772a0 00 00 00 00 00 ed f1 b2 68 9c f9 b2 00 00 00 00 ........h.......
0xb2f772b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb2f772c0 d8 e4 e2 b2 00 00 00 00 68 01 00 00 00 00 00 00 ........h.......
0xb2f772d0 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ................
0xb2f772e0 ff ff ff ff ff ff ff ff a6 02 00 80 68 01 00 40 ............h..@
On 04.05.2016 19:11, Torres, Geoff (Cyber Security) wrote:
> Hmmm... What does 'lqs2mem -l <snapshot_memfile>' show?
$ lqs2mem -l snapshot.img
Invalid QEMU-savevm magic
Unrecogized file format
$ file snapshot.img
snapshot.img: QEMU suspend to disk image
> When I run the lqs2mem tool, I don't get an ELF image (i.e. 'file <raw_image>' returns 'data'). But the image runs through volatility just fine.
I got the ELF file from running "dump-guest-memory" on the QEMU console after loading the snapshot.
- Thomas
Hi,
I was provided a suspend-to-disk snapshot image along with a copy of the
virtual harddisk file from a QEMU/KVM-based Linux server for analysis.
Analysis of the harddisk is done. Now I'd like to dump running processes etc.
from the server's memory image.
I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory image
using the 'dump-guest-memory' command.
So now I have this:
memory.img: ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style
Then, I set up a fresh VM with Debian Linux in the same version the virtual
server was running. Next, I installed the kernel image and related files
extracted from the virtual harddisk on this new VM to get a Linux system
running exactly the same kernel version. On this VM, I created a Volatility
profile using the files provided in /tools/linux/.
Unfortunately, Volatility crashes when running imageinfo on the dumped
memory image file:
=========================================================================
$ python vol.py imageinfo -f /path/to/memory.img
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
AS Layer1 : QemuCoreDumpElf (Unnamed AS)
AS Layer2 : FileAddressSpace (/path/to/memory.img)
PAE type : No PAE
DTB : -0x1L
Traceback (most recent call last):
File "vol.py", line 192, in <module>
main()
File "vol.py", line 183, in main
command.execute()
File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
func(outfd, data)
File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
for k, t, v in data:
File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
kdbg = volmagic.KDBG.v()
File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
return self.m(attr)
File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
=========================================================================
When running other Volatility Plugins on the memory image with the created profile,
it says "No suitable address space mapping found":
=========================================================================
$ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
Volatility Foundation Volatility Framework 2.5
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
[...]
=========================================================================
Any suggestions?
What am I missing?
- Thomas
