On 23-10-13 17:28, david nardoni wrote:
> Also I would try netscan instead of connscan for win7. But it sounds like a problem with the
> memory dump
>
Yeah, I suppose the memory dump is *****ed... but wanted to make sure
since I heard some rumours about having problems with *large* dumps on x64.
And indeed I meant netscan, instead of connscan. My bad.
@MHL: Thanks. Indeed, old svn version... I'm using too many machines I
guess. Just updated and reinstalled from trunk.
On 23-10-13 17:37, Jamie Levy wrote:
> You must have admin in order to acquire memory... How did you manage
> to get a sample without having admin? If you have a virtualized
> environment then you can acquire the memory from outside the machine
> without having admin privileges on the acquired machine, however
> (vmsn/vmss on esx for example).
Actually, I do not know. I wasn't involved in the actual incident until
some other guys decided to ask me.
It's a bare metal box, so no hypervisor involved. Furthermore, they
might have had admin but I'll probably create some new memory samples
tomorrow and getting admin in a timely manner is quite hard. Currently
the box is next to me so I can take some time to create a good sample.
On 23-10-13 17:30, Andrew Case wrote:
> Nice to hear from someone from our class =)
Nice to see all three teachers reply on-list. Hope you enjoyed teaching
the class as much as I did attending it.
>
> A few things about your post...
>
> 8GB on x64 is where several acquisition tools seem to break, so it
> may be that, and your output seems to indicate so.
Since the box is actually idling, I might remove a DIMM and thereby
create a nice 4 GB environment. The reason for keeping the 8 gigs in is
that it will improve my chances of having traces still in memory instead
of having those swapped/overwritten.
Is there a fast way to tell the image is bad? (Yup, I think my current
one is bad, but I'm going to need to test again by tomorrow.) And is the
slowness indicative of having a bad image?
> Also, you are using Volatility 2.2 which is quite old at this point. I
> would recommend using the latest through SVN. Not only are there many
> bugfixes, but also new plugins, such as iehist
Yup. That's the plugin I was looking for. Guess I downloaded the release
version of volatility on this box, instead of getting it from SVN. Fixed
it, thanks!
> Also, we have full support for networking information on Windows 7
> x64, you just have to use the netscan plugin and not the others
> (sockets, sockscan, etc.).
Indeed.
> Do you have any other acquisition tools you can use or are your
> machines virtualized?
I can use whatever free tools I like, and am probably allowed to spend a
moderate amount of money in order to buy stuff. Buying tools will take
time though (boss has to acknowledge the order etc etc etc) so getting
free stuff is preferred.
The infected machines are not virtualised and the malware is probably
virtualisation-aware, so that's not an option I'm afraid.
Anybody got some more useful stuff? I used volatility quite a few
times but never created my own images on hardware (used either somebody
else's samples or VMs).
Cheers,
Boudewijn Ector
Hi guys,
Currently I've got a sample of an infected win7 machine with enough
memory (8 GB) which is not being used by anything except for 'the
malware' (no running Office etc.), so quite a lot of stuff should not
have been swapped out of memory yet.
Strangely, I can't dump the process:
; vol.py -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
--dump-dir results/4932.bin
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
Okay so it might be not in memory anymore... fine. So let's scan for
network activity using connscan.
This does not yield any results either.... just like svcscan.
Also the image is very, very slow... on a regular machine (Core i5 2400,
20 GB RAM) running imageinfo on the 8 GB image takes about 10 minutes.
Also malfind mentions:
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
Psxview says all processes are like this:
0x000000021a841060 <PROCESSNAME> 6640 False True False
False False
Isn't that just weird? (yes it's because psscan is the only module being
able to retrieve data from memory... but isn't that strange)
This makes me presume my memory images are broken. My colleague
probably (!) used winpmem -f for doing this. What's the best way to
create a memory image on a windows7 x64 box without having admin? (these
boxes are remotely managed and it takes a looooot of time to make sure
an admin will do something).
Or is this just perfectly normal behaviour and is win7x64 just being
badly supported by volatility? (I know the network-based plugins don't
work but that's okay... it's being mentioned in the docs)
Furthermore: during our recent volatility training (in Amsterdam), we
used a plugin for getting data from internet explorer history. I had a
look online and didn't find it, is it non-public?
Cheers,
Boudewijn Ector
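The psxview symptom described above (every process False everywhere except psscan) can be checked mechanically. The following is an added example, not code from the thread or from Volatility: it parses psxview table output and flags the case where nothing but the pool-tag carver sees any process, which points at the image rather than at the malware. The column order is assumed to be that of Volatility 2.2, and the sample output is constructed.

```python
# Added example (not from the thread): parse Volatility 2.x psxview output and
# flag processes that only psscan finds. A few such processes are normal
# (terminated or unlinked processes); *all* of them being psscan-only is the
# "image is broken" symptom described in the thread.
import re

# Assumed psxview column order for Volatility 2.2 (later versions add columns).
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed sample modelled on the line quoted in the thread.
SAMPLE = """Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x000000021a841060 svchost.exe            6640 False  True   False    False  False False   False
0x000000021a8f3b30 explorer.exe           1824 True   True   True     True   True  True    True
0x000000021a9a0200 sample.exe             4932 False  True   False    False  False False   False
"""

# offset, name, pid, then a run of True/False flags; header and dash lines do not match.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+((?:(?:True|False)\s*)+)$")

def parse_psxview(text):
    """Return one dict per process row with a per-source visibility map."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        flags = [f == "True" for f in m.group(4).split()]
        rows.append({
            "offset": m.group(1),
            "name": m.group(2),
            "pid": int(m.group(3)),
            "sources": dict(zip(SOURCES, flags)),
        })
    return rows

def psscan_only(rows):
    """Processes visible to psscan but to no other source."""
    return [r for r in rows
            if r["sources"].get("psscan")
            and not any(v for k, v in r["sources"].items() if k != "psscan")]

def image_looks_broken(rows):
    """True when every listed process is psscan-only: the EPROCESS list walk
    and the other object-based sources all failed, so suspect the acquisition."""
    return bool(rows) and len(psscan_only(rows)) == len(rows)
```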
Dear all,
I tried to create a Linux profile according to [1].
Which packages are needed for an Ubuntu profile? I downloaded linux-headers-2.6.32-41_2.6.32-41.91_all.deb, extracted the file on a CentOS machine and pointed the Makefile to the header's path.
The error message was: /tmp/header/usr/src/linux-headers-2.6.32-41/lib/modules/2.6.32-41/build was not found.
1. Do I have to download any other packages?
2. Is it possible to compile module.c on another distribution or do I need a running Ubuntu 10?
Thank you in advance!
Chris
[1] http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
Greetings,
Vol 2.3 built from svn. Yara built from yara-project. OS is OS X 10.8.5. I tore out all the old copies of volatility while trying to get this to work.
praha:mem kovar$ vol.py -f xp-base-44f9a302.vmem --profile WinXPSP3x86 yarascan -Y 'foo'
Volatility Foundation Volatility Framework 2.3
ERROR : volatility.plugins.malware.malfind: Please install Yara from code.google.com/p/yara-project
praha:mem kovar$ yara -v
yara 2.0 (rev:223)
bash-3.2# ls -l /usr/local/lib/libyara*
lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.0.0.0.dylib -> libyara.0.dylib
-rwxr-xr-x 1 root admin 113736 Oct 12 12:36 /usr/local/lib/libyara.0.dylib
-rw-r--r-- 1 root admin 393560 Oct 12 12:36 /usr/local/lib/libyara.a
lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.dylib -> libyara.0.dylib
-rwxr-xr-x 1 root admin 938 Oct 12 12:36 /usr/local/lib/libyara.la
-David
Greetings,
I had the 1.6 version installed. I tore it out and tried to build 1.7 but that is failing:
bash-3.2# python setup.py build
running build
running build_ext
building 'yara' extension
cc -fno-strict-aliasing -fno-common -dynamic -I/usr/local/include -I/usr/local/opt/sqlite/include -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -I/usr/local/include -I/usr/local/Cellar/python/2.7.3/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c yara-python.c -o build/temp.macosx-10.8-x86_64-2.7/yara-python.o
yara-python.c:259: error: expected specifier-qualifier-list before ‘YARA_CONTEXT’
yara-python.c:321: error: expected declaration specifiers or ‘...’ before ‘YARA_CONTEXT’
yara-python.c: In function ‘process_externals’:
yara-python.c:338: warning: implicit declaration of function ‘yr_define_integer_variable’
yara-python.c:338: error: ‘context’ undeclared (first use in this function)
yara-python.c:338: error: (Each undeclared identifier is reported only once
yara-python.c:338: error: for each function it appears in.)
yara-python.c:342: warning: implicit declaration of function ‘yr_define_boolean_variable’
yara-python.c:346: warning: implicit declaration of function ‘yr_define_string_variable’
yara-python.c: At top level:
yara-python.c:358: error: expected declaration specifiers or ‘...’ before ‘YARA_CONTEXT’
yara-python.c: In function ‘Rules_new_from_file’:
Shall see if I can figure that out and then come back to Volatility.
-David
On Oct 12, 2013, at 12:43 PM, Lorenzo Cantoni <lorenzo.cantoni86(a)gmail.com> wrote:
> Did you installed also the python bindings? (yarapython)
>
> Il 12/ott/2013 19:37 "David Kovar" <dkovar(a)gmail.com> ha scritto:
> Greetings,
>
> Vol 2.3 built from svn. Yara built from yara-project. OS is OS X 10.8.5. I tore out all the old copies of volatility while trying to get this to work.
>
> praha:mem kovar$ vol.py -f xp-base-44f9a302.vmem --profile WinXPSP3x86 yarascan -Y 'foo'
> Volatility Foundation Volatility Framework 2.3
> ERROR : volatility.plugins.malware.malfind: Please install Yara from code.google.com/p/yara-project
>
> praha:mem kovar$ yara -v
> yara 2.0 (rev:223)
>
> bash-3.2# ls -l /usr/local/lib/libyara*
> lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.0.0.0.dylib -> libyara.0.dylib
> -rwxr-xr-x 1 root admin 113736 Oct 12 12:36 /usr/local/lib/libyara.0.dylib
> -rw-r--r-- 1 root admin 393560 Oct 12 12:36 /usr/local/lib/libyara.a
> lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.dylib -> libyara.0.dylib
> -rwxr-xr-x 1 root admin 938 Oct 12 12:36 /usr/local/lib/libyara.la
>
> -David
>
>
Hi List,
Running volatility-2.2.standalone.exe on Win7 Pro 64-bit AMD with 32 GB of
RAM.
I'm new to volatility and I'm attempting to use it to troubleshoot apps
that don't play nice with the Windows clipboard. I'm using the steps
here:
http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-C…
I changed my registry to force a complete memory dump by setting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
to be 1. (http://support.microsoft.com/kb/969028)
I used Sysinternals' NotMyFault tool with the /crash switch to
create the dump.
(https://code.google.com/p/volatility/wiki/CrashAddressSpace)
The resulting c:\windows\memory.dmp file is about 34 GB in size.
When I launch volatility, this is as far as it gets:
C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f
c:\windows\memory.dmp --profile=Win7SP1x64 wndscan
Volatile Systems Volatility Framework 2.2
It has been showing this for close to 3.75 hours. Task Manager shows two
instances of volatility-2.2.standalone.exe running, one at a constant
1,144K RAM usage, and the other instance with RAM usage constantly
changing in the range of 58 MB to 73 MB, averaging 13% CPU utilization. To
me this indicates it is doing /something/ even if it is caught in an
infinite loop.
If it's reasonable for volatility to run this long and longer, I'll just
be patient, though it would be helpful if someone could give me an idea
of how long it might take.
If this is taking too long, what can I do to troubleshoot what it's doing?
Kind regards,
Todd
Hi Guanglin,
thank you for your reply! I'm an absolute newbie, so my questions are probably a bit tedious.
> > Libvmi seems a bit complicated to install, at least compared to the
> > vboxmanage debugvm command. Is libvmi required for KVM or is it possible
> to
> > use virsh dump?
> >
> You should use LibVMI just for "online live" forensics over a virtual
> machine.
>
> If you merely need an offline memory dump of a KVM virtual machine, feel
> free to use virsh dump without LibVMI.
I'm not sure if I understand the difference. When I run the victim in a VM, I can hit virsh dump in another host terminal window and get a snapshot of the VM at this point in time? When I tried this a little while ago with a Windows 7 x64 SP0 image, it didn't work. So I thought this method is not suitable... The image format and the respective profile were recognized correctly with imageinfo. The host is CentOS 6.4.
With libvmi I would get continuous updates?
Chris
Hi guys, I'm working on a project to analyze memory dumps of Android devices with Volatility. But it seems that it isn't possible to do so if the source code does not provide me with the System.map file. I can't compile my own System.map file using commands like "make ARCH=arm CROSS_COMPILE=$CCOMPILER" (this would give me inaccurate addresses), nor can I use the /proc/kallsyms file from the Android device itself (this does not have the symbols required for volatility to prepare). I just want to verify: is it actually still possible for me to use volatility to analyze this memory dump if the System.map file wasn't distributed with the headers/source? Thanks.
Dear all,
sorry, I'm using webmail only and couldn't set an In-Reply-To header to my last message.
Libvmi seems a bit complicated to install, at least compared to the vboxmanage debugvm command. Is libvmi required for KVM or is it possible to use virsh dump?
Thank you in advance.
- Chris