- Vol-users - volatilityfoundation.org

Detailed analysis of Kaspersky hooks including analysis with Volatility

by Andrew Case

A really well done writeup & analysis: https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/ -- Thanks, Andrew (@attrc)

11 years, 3 months

1
0
0 0

Working of ldrmodules ?

by Jamison Bosco

Hello Group, So am not sure, if I understood, the working of ldrmodules correctly, but in short, for each process, I imagine it looks at the VAD; and for each dll found there compares it with the 3 lists in the process PEB and reports back on any discrepancy. A snippet, from vadinfo for a process with pid 12128, I can see a dll mapped VAD node @ 0xfffffa80088378c0 Start 0x0000000000040000 End 0x0000000000040fff Tag Vad Flags: Protection: 7, VadType: 2 Protection: PAGE_EXECUTE_WRITECOPY Vad Type: VadImageMap ControlArea @fffffa8006a86c40 Segment fffff8a00021d4e0 Dereference list: Flink 00000000, Blink 00000000 NumberOfSectionReferences: 1 NumberOfPfnReferences: 1 NumberOfMappedViews: 119 NumberOfUserReferences: 120 WaitingForDeletion Event: 00000000 Control Flags: File: 1, Image: 1 FileObject @fffffa80069c5250, Name: \Windows\System32\apisetschema.dll First prototype PTE: fffff8a00021d5a8 Last contiguous PTE: fffffffffffffffc Flags2: Inherit: 1 But ldrmodules (or dlllist) over the image, does not show that dll. cat ldrmodules.txt | grep -i apiset cat dlllist.txt | grep -i apiset The process in question has a pid of 12128, so on a frequency count, there is a large discrepancy, that I don't understand why. cat ldrmodules.txt | grep 12128 | wc -l 54 cat vadinfo-12128.txt | grep dll | wc -l 130 Any pointers to a link I should read up on to understand the concepts here. Should not have ldrmodules, reported on all the dlls that were found as mapped files in the VAD ? Thanks, JB

11 years, 3 months

1
0
0 0

Mac sleepimage

by Jarle Thorsen

Does Volatility support the analysis of Mac /var/vm/sleepimage? I did not see it mentioned in "The Art of Memory Forensics", and I seem to have trouble even doing a simple mac_pslist against it... -- Jarle Thorsen

11 years, 3 months

1
0
0 0

Reminder: OMFW 2014 Registration Closes Oct 24

by AAron Walters

vol-users, The registration for the Open Memory Forensics Workshop (OMFW) 2014 closes on Oct 24. If you are still planning to attend, I recommend sending a request as soon as possible. There are less than 10 open seats remaining! For those who have already requested an invitation, please let us know if you have not received your registration details. Reserve your seat by sending an email to info [at] volatilityfoundation.org or using the contact form on the Foundation's website. Thanks, The Volatility Foundation www.volatilityfoundation.org

11 years, 3 months

1
0
0 0

AttributeError: 'linux_mount' object has no attribute 'parse_mnt' error when trying to list tmpfs in Linux/Windows using Volatility 2.4

by Srinivasan J

Hi, I am trying to recover tmpfs from a RAM lime dump using volatility 2.4 in Linux/Windows, but I hit the "AttributeError: 'linux_mount' object has no attribute 'parse_mnt'". Is this a known issue? Thanks, Srini [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -L Volatility Foundation Volatility Framework 2.4 Traceback (most recent call last): File "/home/srini/vola/setup/volatility-2.4/vol.py", line 192, in <module> main() File "/home/srini/vola/setup/volatility-2.4/vol.py", line 183, in main command.execute() File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/common.py", line 62, in execute commands.Command.execute(self, *args, **kwargs) File "/home/srini/vola/setup/volatility-2.4/volatility/commands.py", line 127, in execute func(outfd, data) File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 157, in render_text for (i, path) in data: File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 148, in calculate tmpfs_sbs = self.get_tmpfs_sbs() File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 120, in get_tmpfs_sbs for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts): AttributeError: 'linux_mount' object has no attribute 'parse_mnt' C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7 x64 -f D:\volat\ramtmpfs.lime linux_tmpfs -L Volatility Foundation Volatility Framework 2.4 Traceback (most recent call last): File "<string>", line 192, in <module> File "<string>", line 183, in main File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.c ommon", line 62, in execute File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 127, in execute File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t mpfs", line 157, in render_text File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t mpfs", line 148, in calculate File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t mpfs", line 120, in get_tmpfs_sbs AttributeError: 'linux_mount' object has no attribute 'parse_mnt' C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7 x64 -f D:\volat\ramtmpfs.lime linux_cpuinfo Volatility Foundation Volatility Framework 2.4 Processor Vendor Model ------------ ---------------- ----- 0 GenuineIntel Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone> [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcent os7x64 --info | more Volatility Foundation Volatility Framework 2.4 Profiles -------- Linuxcentos7x64 - A Profile for Linux centos7 x64 VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_cpuinfo Volatility Foundation Volatility Framework 2.4 Processor Vendor Model ------------ ---------------- ----- 0 GenuineIntel Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_mount Volatility Foundation Volatility Framework 2.4 hugetlbfs /dev/hugepages hugetlbfs rw,relatime devtmpfs /dev devtmpfs rw,nosuid tmpfs /dev/shm tmpfs rw,nosuid,nodev devpts /dev/pts devpts rw,relatime,nosuid,noexec cgroup /sys/fs/cgroup/memory cgroup rw,relatime,nosuid,nodev,noexec tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec proc /proc proc rw,relatime,nosuid,nodev,noexec /dev/mapper/centos-root / xfs rw,relatime tmpfs /run tmpfs rw,nosuid,nodev sysfs /sys sysfs rw,relatime,nosuid,nodev,noexec sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime mqueue /dev/mqueue mqueue rw,relatime debugfs /sys/kernel/debug debugfs rw,relatime selinuxfs /sys/fs/selinux selinuxfs rw,relatime securityfs /sys/kernel/security securityfs rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/systemd cgroup rw,relatime,nosuid,nodev,noexec pstore /sys/fs/pstore pstore rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,nosuid,nodev,noexec sunrpc /proc/fs/nfsd nfsd rw,relatime tmpfs /mnt/ramdisk tmpfs rw,relatime cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,relatime,nosuid,nodev,noexec configfs /sys/kernel/config configfs rw,relatime cgroup /sys/fs/cgroup/devices cgroup rw,relatime,nosuid,nodev,noexec systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/net_cls cgroup rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,nosuid,nodev,noexec /dev/sda1 /boot xfs rw,relatime cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,nosuid,nodev,noexec [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcent os7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_bash Volatility Foundation Volatility Framework 2.4 Pid Name Command Time Command -------- -------------------- ------------------------------ ------- 15151 bash 2014-10-12 01:35:58 UTC+0000 ./configure 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides tcpsic 15151 bash 2014-10-12 01:35:58 UTC+0000 ls -ltrh 15151 bash 2014-10-12 01:35:58 UTC+0000 mv lmbench3 lmbench3-3.10 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/ 15151 bash 2014-10-12 01:35:58 UTC+0000 yum intall isic 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides dwarfdump 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 cd 3.10.0-123.el7.x86_64/ 15151 bash 2014-10-12 01:35:58 UTC+0000 uname -a 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 yum install isic 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/ 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 make 15151 bash 2014-10-12 01:35:58 UTC+0000 ifconfig 15151 bash 2014-10-12 01:35:58 UTC+0000 cd lmbench3-3.10

11 years, 3 months

2
2
0 0

New Memory Forensics & Malware Analysis trainings scheduled!

by Andrew Case

We are excited to announce that we now have public trainings scheduled through May of next year. Between now and then we will be visiting Austin (Dec.), San Francisco (Jan.), Brazil (Feb.), Reston, VA (April), and New York (May). A complete listing of course offerings and details can be found at: http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n and: http://volatility-labs.blogspot.com/2014/10/windows-malware-and-memory-fore… Classes fill quickly so please contact us ASAP if you would like to attend! We offer discounts for LEO, government, and full time students as well as group rates for companies. -- Thanks, Andrew (@attrc)

11 years, 3 months

1
0
0 0

Android Analysis

by felipecboeira .

Hi all, I have acquired an android RAM image by using Lime and now I am using volatility to analyze it. I have created a profile and can now list processes, etc. What I need to do is inspect an integer array of a kernel module, which I have the address. I tried using volshell's dd() but I believe it is not showing the correct values. How can I certify that the virtual address is being calculated correctly by volatility? Thanks in advance, Felipe

11 years, 3 months

2
1
0 0

Error in mac_netstat & mac_arp

by Andre DiMino

I have a .vmem file from a Mac OS virtual machine. I'm using profile "MacMountainLion_10_8_2_AMDx64" Using Volatility 2.4, I'm able to run a few mac commands against this image, however I get traceback errors in the 'netstat' and 'arp' commands. I paste below: +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_ifconfig Volatility Foundation Volatility Framework 2.4 Interface Address ---------- ------- lo0 fe80:1::1 lo0 127.0.0.1 lo0 ::1 gif0 stf0 en0 00:0c:29:ea:9a:27 en0 fe80:4::20c:29ff:feea:9a27 en0 172.16.253.140 +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_version Volatility Foundation Volatility Framework 2.4 Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_netstat Volatility Foundation Volatility Framework 2.4 Proto Local IP Local Port Remote IP Remote Port State Process ------ -------------------- ---------- -------------------- ----------- -------------------- ------------------------ UNIX - UNIX /var/tmp/launchd/sock UNIX - UNIX /var/run/com.apple.ActivityMonitor.socket UNIX /var/run/mDNSResponder UNIX /var/rpc/ncacn_np/lsarpc UNIX /var/rpc/ncalrpc/lsarpc UNIX /var/rpc/ncacn_np/mdssvc UNIX /var/rpc/ncalrpc/NETLOGON UNIX /var/rpc/ncacn_np/srvsvc UNIX /var/rpc/ncalrpc/srvsvc UNIX /var/rpc/ncacn_np/wkssvc UNIX /var/rpc/ncalrpc/wkssvc Traceback (most recent call last): File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module> main() File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main command.execute() File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute commands.Command.execute(self, *args, **kwargs) File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute func(outfd, data) File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/netstat.py", line 58, in render_text self.table_row(outfd, proto, lip, lport, rip, rport, state, "{}/{}".format(proc.p_comm, proc.p_pid)) ValueError: zero length field name in format +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_arp Volatility Foundation Volatility Framework 2.4 Source IP Dest. IP Name Sent Recv Time Exp. Delta ------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- ----- Traceback (most recent call last): File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module> main() File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main command.execute() File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute commands.Command.execute(self, *args, **kwargs) File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute func(outfd, data) File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/route.py", line 104, in render_text rt.name, File "/home/forensics/programs/volatility-2.4/volatility/obj.py", line 537, in __getattr__ return getattr(result, attr) File "/home/forensics/programs/volatility-2.4/volatility/plugins/overlays/mac/mac.py", line 562, in name return "{}{}".format(self.rt_ifp.if_name.dereference(), self.rt_ifp.if_unit) ValueError: zero length field name in format ++++++++++++++++++++++++++++++ Any thoughts or ideas are very appreciated! -- Andre' M. DiMino DeepEnd Research http://deependresearch.org http://sempersecurus.org "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

11 years, 4 months

2
2
0 0

Error with 2.4 Debian Wheezy

by Sean McLinden

I just build a VM with Debian (I needed to install other packages) and when I run this on a memory image I get the following (after about 10 minutes). The pslist.txt file is partially populated though how far it gets differs with each run. The box is Windows 7 Enterprise SP 1. The image was acquired using FTK. The box is believed to be infected with malware. user@host:/mnt/hgfs/288A-LV-2810395/Workspace/QJK1/memory# vol.py pslist > pslist.txt Volatility Foundation Volatility Framework 2.4 Traceback (most recent call last): File "/usr/local/bin/vol.py", line 192, in <module> main() File "/usr/local/bin/vol.py", line 183, in main command.execute() File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 127, in execute func(outfd, data) File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/taskmods.py", line 178, in render_text str(task.ExitTime or ''), File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 219, in table_row outfd.write(self.tablesep.join(reslist) + "\n") IOError: [Errno 22] Invalid argument Thanks for any help. Sean McLinden

11 years, 4 months

2
2
0 0

conflicting argument

by A Musavi

Hi, I think there is still conflicting problem in vol 2.4: optparse.OptionConflictError: option -F/--filter: conflicting option string(s): -F

11 years, 4 months

2
1
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users