- Vol-users - volatilityfoundation.org

RE: [Vol-users] DPC procedure localization

by BRTAN Jaroslav

Thanks both of you for your help and advice. I will try to verify if the memory is allocated. I have to convert the memory image to the crash dmp. The --base switch works very well. I overlooked it in the help. Thanks Jaro Od: "Michael Hale Ligh" <michael.hale(a)gmail.com<mailto:michael.hale@gmail.com>> Datum: po, 6. 3, 2013 16:48 Předmět: [Vol-users] DPC procedure localization Komu: "George M. Garner Jr." <ggarner_online(a)gmgsystemsinc.com<mailto:ggarner_online@gmgsystemsinc.com>> Kopie: "vol-users" <vol-users(a)volatilesystems.com<mailto:vol-users@volatilesystems.com>> Thanks for the explanation George! Jaroslav - to answer your other question "how can I dump this using the offset 0x80013000?" you can use the moddump plugin with --base= 0x80013000. MHL On Mon, Jun 3, 2013 at 10:43 AM, George M. Garner Jr. < ggarner_online(a)gmgsystemsinc.com<mailto:ggarner_online@gmgsystemsinc.com>> wrote: > Jaroslav, > > Kernel timers come and go at a very high rate which leads to a significant > number of invalid or spurious timer artifacts which result from the fact > that the memory dump was acquired from the system while it was running. > Not that the last two timers are signaled and the periods are not > coherent. It is possible that the last two "timer" objects reside in > memory that once was a kernel timer object and has since been freed and > that some of the timer fields (e.g. the routine address) have been > overwritten with incoherent data. Try running the !pool command on the > last two timer addresses (0x863ead10 and 0x85e451e8) and see if that memory > is currently allocated. (I am assuming that you either have or can convert > your memory dump to MS crashdump format.) > > Regards, > > George. > > > On 6/3/2013 9:15 AM, BRTAN Jaroslav wrote: > >> Hi all, >> >> I'd like to ask you for your help with analysis. The timers module shows >> that there is a strange DPC at 0x8647e4e0. >> >> >> Timers module output: >> >> Offset(V) DueTime Period(ms) Signaled Routine >> Module >> ---------- ------------------------ ---------- ---------- ---------- >> ------ >> 0x873097d0 0x0000002f:0x2db9d0c3 0 - 0xa7386d8e >> arp1394.sys >> 0x85b9a2c8 0x8000002d:0x6d7d7c8e 0 - 0x80538a98 >> ntoskrnl.exe >> 0x8a332b20 0x0000002f:0x2ea5d991 0 - 0xb9ddef1a >> NDIS.sys >> 0x863ead10 0x00010014:0x863ead28 -205...072 Yes 0x8647e4e0 >> UNKNOWN >> 0x85e451e8 0x00010014:0x85e45200 -205...072 Yes 0x8647e4e0 >> UNKNOWN >> >> > ______________________________**_________________ > Vol-users mailing list > Vol-users(a)volatilesystems.com<mailto:Vol-users@volatilesystems.com> > http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lists.volatilesystems.com/mailman/listinfo/vol-users> > The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.

12 years

1
0
0 0

DPC procedure localization

by BRTAN Jaroslav

Hi all, I'd like to ask you for your help with analysis. The timers module shows that there is a strange DPC at 0x8647e4e0. Timers module output: Offset(V) DueTime Period(ms) Signaled Routine Module ---------- ------------------------ ---------- ---------- ---------- ------ 0x873097d0 0x0000002f:0x2db9d0c3 0 - 0xa7386d8e arp1394.sys 0x85b9a2c8 0x8000002d:0x6d7d7c8e 0 - 0x80538a98 ntoskrnl.exe 0x8a332b20 0x0000002f:0x2ea5d991 0 - 0xb9ddef1a NDIS.sys 0x863ead10 0x00010014:0x863ead28 -205...072 Yes 0x8647e4e0 UNKNOWN 0x85e451e8 0x00010014:0x85e45200 -205...072 Yes 0x8647e4e0 UNKNOWN I am not able to identify where this procedure belongs to. I've been searching through Volatility documentation project for a hint, but with no luck so far. Volshell show me that: >>> dis(0x8647e4e0, length=32) 0x8647e4e0 e0e4 LOOPNZ 0x8647e4c6 0x8647e4e2 47 INC EDI 0x8647e4e3 86e0 XCHG AL, AH 0x8647e4e5 e447 IN AL, 0x47 0x8647e4e7 86e8 XCHG AL, CH 0x8647e4e9 e447 IN AL, 0x47 0x8647e4eb 86e8 XCHG AL, CH 0x8647e4ed e447 IN AL, 0x47 0x8647e4ef 8600 XCHG [EAX], AL 0x8647e4f1 803b99 CMP BYTE [EBX], 0x99 0x8647e4f4 00403b ADD [EAX+0x3b], AL 0x8647e4f7 99 CDQ 0x8647e4f8 00b0fd7f0000 ADD [EAX+0x7ffd], DH 0x8647e4fe 0000 ADD [EAX], AL ... ... 0x8647e4c6 0000 ADD [EAX], AL 0x8647e4c8 d00a ROR BYTE [EDX], 0x1 0x8647e4ca 93 XCHG EBX, EAX 0x8647e4cb 8a00 MOV AL, [EAX] 0x8647e4cd 0000 ADD [EAX], AL 0x8647e4cf 20c8 AND AL, CL 0x8647e4d1 db12 FIST DWORD [EDX] 0x8647e4d3 8726 XCHG [ESI], ESP 0x8647e4d5 ad LODSD 0x8647e4d6 74e1 JZ 0x8647e4b9 0x8647e4d8 06 PUSH ES 0x8647e4d9 007000 ADD [EAX+0x0], DH 0x8647e4dc 0000 ADD [EAX], AL 0x8647e4de 0000 ADD [EAX], AL 0x8647e4e0 e0e4 LOOPNZ 0x8647e4c6 0x8647e4e2 47 INC EDI 0x8647e4e3 86e0 XCHG AL, AH 0x8647e4e5 e447 IN AL, 0x47 0x8647e4e7 86e8 XCHG AL, CH 0x8647e4e9 e447 IN AL, 0x47 0x8647e4eb 86e8 XCHG AL, CH 0x8647e4ed e447 IN AL, 0x47 0x8647e4ef 8600 XCHG [EAX], AL 0x8647e4f1 803b99 CMP BYTE [EBX], 0x99 0x8647e4f4 00403b ADD [EAX+0x3b], AL 0x8647e4f7 99 CDQ 0x8647e4f8 00b0fd7f0000 ADD [EAX+0x7ffd], DH 0x8647e4fe 0000 ADD [EAX], AL 0x8647e500 60 PUSHA 0x8647e501 793b JNS 0x8647e53e >>> dis(0x8647e53e) 0x8647e53e 3e869ec7130008 XCHG [ESI+0x80013c7], BL 0x8647e545 1000 ADC [EAX], AL 0x8647e547 0410 ADD AL, 0x10 0x8647e549 b268 MOV DL, 0x68 0x8647e54b 8a10 MOV DL, [EAX] 0x8647e54d b268 MOV DL, 0x68 0x8647e54f 8ad8 MOV BL, AL So I looked around and found that at offset 0x80013000 is a executable file >>> db(0x80013000, length=512) 0x80013000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x80013010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x80013020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x80013030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................ 0x80013040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th 0x80013050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is.program.canno 0x80013060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t.be.run.in.DOS. 0x80013070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$....... 0x80013080 5d ed 0b 95 19 8c 65 c6 19 8c 65 c6 19 8c 65 c6 ].....e...e...e. 0x80013090 19 8c 64 c6 30 8c 65 c6 da 83 38 c6 1e 8c 65 c6 ..d.0.e...8...e. 0x800130a0 da 83 6a c6 1b 8c 65 c6 da 83 3b c6 18 8c 65 c6 ..j...e...;...e. 0x800130b0 da 83 3a c6 1c 8c 65 c6 da 83 3f c6 18 8c 65 c6 ..:...e...?...e. 0x800130c0 52 69 63 68 19 8c 65 c6 00 00 00 00 00 00 00 00 Rich..e......... 0x800130d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800130e0 50 45 00 00 4c 01 07 00 b4 52 02 48 00 00 00 00 PE..L....R.H.... 0x800130f0 00 00 00 00 e0 00 0e 01 0b 01 07 0a 00 1d 00 00 ................ 0x80013100 00 08 00 00 00 00 00 00 d3 1c 00 00 00 03 00 00 ................ 0x80013110 00 0e 00 00 00 30 01 80 80 00 00 00 80 00 00 00 .....0.......... 0x80013120 05 00 01 00 05 00 01 00 01 00 0a 00 00 00 00 00 ................ 0x80013130 00 28 00 00 00 03 00 00 e6 f1 00 00 01 00 00 24 .(.............$ 0x80013140 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 ................ 0x80013150 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................ 0x80013160 1c 1d 00 00 50 00 00 00 00 22 00 00 f8 03 00 00 ....P...."...... 0x80013170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x80013180 00 26 00 00 1c 01 00 00 b0 0e 00 00 1c 00 00 00 .&.............. 0x80013190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800131a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800131b0 00 00 00 00 00 00 00 00 00 0e 00 00 ac 00 00 00 ................ 0x800131c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800131d0 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 .........text... 0x800131e0 84 0a 00 00 00 03 00 00 00 0b 00 00 00 03 00 00 ................ 0x800131f0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 ...............h , but this one seems to be battc.sys driver (how can I dump this using the offset 0x80013000?) 0x80015180 7a 65 44 65 76 69 63 65 00 00 42 41 54 54 43 2e zeDevice..BATTC. 0x80015190 53 59 53 00 46 ec 25 ff 00 3d 00 00 74 03 e9 03 SYS.F.%..=..t... I also tried to look around the offset 0x8647e4e0 for some strings 0x864716a0 00 00 00 00 00 00 00 00 00 00 00 00 43 3a 5c 50 ............C:\P 0x864716b0 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 57 61 76 rogram.Files\Wav 0x864716c0 65 20 53 79 73 74 65 6d 73 20 43 6f 72 70 5c 53 e.Systems.Corp\S 0x864716d0 65 72 76 69 63 65 73 20 4d 61 6e 61 67 65 72 5c ervices.Manager\ 0x864716e0 44 6f 63 4d 67 72 5c 62 69 6e 5c 64 6f 63 6d 67 DocMgr\bin\docmg 0x864716f0 72 2e 65 78 65 00 00 00 00 00 00 00 00 00 00 00 r.exe........... google: DocMgr from Wave Systems Corp. 0x86471890 00 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s 0x864718a0 74 73 79 73 74 72 61 2e 65 78 65 00 00 00 00 00 tsystra.exe..... google: Sigmatel Audio system tray application 0x86474ce0 00 00 00 00 00 00 00 00 00 f0 c1 9c 53 62 54 72 ............SbTr 0x86474cf0 61 79 4d 61 6e 61 67 65 72 2e 65 00 00 00 00 00 ayManager.e..... google: known as the Safe Boot Tray Manager software 0x8647db30 0d 00 04 0a 56 69 47 63 65 00 78 00 70 00 6c 00 ....ViGce.x.p.l. 0x8647db40 6f 00 72 00 65 00 72 00 2e 00 65 00 78 00 65 00 o.r.e.r...e.x.e. Could it be that the unknown timer was registered by the battc.sys? If anybody can push me the right direction, I'll be more than thankful. Thank you Jaro The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.

12 years

4
3
0 0

Second Week of Month of Volatility Plugins II is posted

by Andrew Case

We are writing as the second week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Windows systems. The first post discussed recovering RSA Private Keys and SSL Certificates from memory: http://volatility-labs.blogspot.com/2013/05/movp-ii-21-rsa-private-keys-and… The second post discussed recovering information about unloaded kernel modules from memory: http://volatility-labs.blogspot.com/2013/05/movp-ii-22-unloaded-windows-ker… The third post showed how to create timelines with in-memory data using Volatility: http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-w… The fourth post demonstrated how to recover MFT entries and utilize them during investigations: http://volatility-labs.blogspot.com/2013/05/movp-ii-24-reconstructing-maste… The last post highlighted a number of new and updated plugins that are very useful during investigations: http://volatility-labs.blogspot.com/2013/05/movp-ii-25-new-and-improved-win… We hope you enjoy the posts, and the third week of posts will begin tomorrow and cover a number of new plugins to help analyze Linux and Android samples. If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

12 years

1
0
0 0

Automated Volatility Plugin Generation with Dalvik Inspector

by Joe Sylve

Hello, We wanted to take the opportunity to point you to a blog post which gives a preview of some of the research we've been working on at 504ENSICS Labs in the area of Android memory analysis. This time we are demoing a feature that will allow automatted volatility plugin generation with our Dalvik Inspector tool. We think our results will be of great interest to the DFIR community and look forward to your feed back. We plan on releasing the tool this year at Black Hat. The blog post can be found here: http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik… --- *Joe T. Sylve, M.S.* Co-Founder 504ENSICS Labs (504) 210-8270 (Office) http://www.504ensics.com PGP Key: http://www.504ensics.com/pgp_keys/joesylve.asc

12 years

1
0
0 0

First week of Month of Volatility Plugins II is posted

by Andrew Case

Hello, We are writing as the first week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new address spaces we have added to support new hardware architectures and file formats. The first one is the MachO address space used to support Mac Memory Reader: http://volatility-labs.blogspot.com/2013/05/movp-ii-11-mach-o-address-space… The second is an address space used to support VirtualBox: http://volatility-labs.blogspot.com/2013/05/movp-ii-12-virtualbox-elf64-cor… The third address space allows for analysis of VMware snapshot files (.vmss and .vmsn): http://volatility-labs.blogspot.com/2013/05/movp-ii-13-vmware-snapshot-and-… The fourth address space supports the hpak format of the HBGary Fast Dump acquisition tool: http://volatility-labs.blogspot.com/2013/05/movp-ii-14-new-hpak-address-spa… The final address space discussed adds support for the ARM architecture. This is leveraged by Volatility's Android support: http://volatility-labs.blogspot.com/2013/05/movp-ii-15-arm-address-space-vo… We hope you enjoy the posts, and the second installment of posts will begin tomorrow and cover a number of new plugins to help analyzing Windows samples. If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

12 years

1
0
0 0

netscan plugin question

by Lou LaRocca

Greetings I am looking at Win 7 x86 SP1 memory and I dont understand why I am seeing "established connections" but no PID or Process with it. 0x2d07480 TCPv4 10.22.41.40:58767 38.126.225.229:43405ESTABLISHED -------- -------------- 0x1367da70 TCPv4 10.22.41.40:59302 151.213.50.211:22031ESTABLISHED -------- -------------- In addition I am seeing stuff "listening" and it contains the PID and Process. 0xdb838178 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 996 svchost.exe 0xdb850ab0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe 0xdb855e78 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe So my question is why can I see the listening processes but im not getting the Process that are established? Thanks for the help Lou

12 years

2
1
0 0

Nice semi-old writeup

by James Lay

Might help someone on this list out: http://blog.solutionary.com/blog/bid/92402/Hunting-Malware-with-Memory-Anal… James

12 years

1
0
0 0

Volatility News

by Jamie Levy

For those of you interested in applying memory forensics to your malware analysis and rootkit detection efforts, we've just posted a new blog with some exciting news and updates: http://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-vol… * Volatility 2.3 will enter beta this week and we'll introduce the new features over the next four weeks (Month of Volatility Plugins II). * There are three training courses open for registration (Reston in June, Netherlands in September, Vermont in November). Email voltraining(a)memoryanalysis.net for details. * The plugin contest submissions are starting to trickle in. Enter to win over $2250 in cash or a free seat at an upcoming training. * This year's Open Memory Forensics Workshop will be in Chantilly VA on November 4th, alongside OSDFC (Open Source Digital Forensics Conference). CFP to be announced soon. All the best, Jamie / @gleeda The Volatility Project -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

12 years

1
0
0 0

Memory Forensics Training by Volatility Developers is coming to the Netherlands!

by Andrew Case

We are happy to announce that our memory forensics training course will be going to the Netherlands in September: http://volatility-labs.blogspot.com/2013/04/memory-forensics-training-nethe… This course is taught directly by Volatility developers, and will provide intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. This will be our only course outside of the USA in 2013, and we have already had a number of people inquire about attending, so please contact us ASAP if you are interested in taking it. Thanks, Andrew (@attrc)

12 years, 1 month

1
0
0 0

Incorrect addresses in linux_proc_maps

by Edwin Smulders

Hi all, I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've dumped the memory using virtualbox guestcoredump. Using the linux_proc_maps plugin I get the following output: http://paste.ubuntu.com/5576450/ I was expecting similar output to "cat /proc/<pid>/maps". As you can see, these "-0x4...000" addresses are obviously wrong. Is this I am doing wrong myself, or is this a bug? It happens for other processes as well. If this is a bug I'll make a new issue in the tracker with the steps I've followed to produce this. Cheers, Edwin

12 years, 1 month

4
31
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users