Topic says it...here's what I'm looking at:
Volatile Systems Volatility Framework 2.2
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 186, in <module>
    main()
  File "/usr/local/bin/vol.py", line 168, in main
    command = cmds[module](config)
  File "/opt/volatility-2.2/volatility/plugins/malware/malfind.py", line 347, in __init__
    help = 'Match wide (unicode) strings')
  File "/opt/volatility-2.2/volatility/conf.py", line 364, in add_option
    self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
  File "/usr/lib/python2.7/optparse.py", line 1020, in add_option
    self._check_conflict(option)
  File "/usr/lib/python2.7/optparse.py", line 995, in _check_conflict
    option)
optparse.OptionConflictError: option -W/--wide: conflicting option string(s): -W
Any hints on how to get yarascan to run? Thank you.
James
Thanks,
looking forward to your reply :)
On Wed, Mar 20, 2013 at 3:18 PM, david nardoni <dnardoni(a)gmail.com> wrote:
> I will get you all those details today, except the full snapshot. I can
> not share that
>
> Happy to run whatever you need and provide output
>
> Sent from my iPhone
>
> On Mar 20, 2013, at 3:31 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> Hi Dave,
>
> a few questions if you don't mind:
> what's the VM version (VMware has numbered versions for their file
> formats; you can usually look it up in the VM's properties)?
> could you share the output of psscan?
> what other plugins have you tried running? Could you share the output?
> will it be possible to upload the VMware snapshot somewhere so I could
> look into it?
>
> Thanks,
> - Nir.
>
>
>
> On Tue, Mar 19, 2013 at 2:31 AM, david nardoni <dnardoni(a)gmail.com> wrote:
>
>> I think I have some issues with an 8+ GB VMware snapshot. I can get
>> psscan and thrdscan output but no other output from other plugins.
>>
>> Any suggestions from the group on troubleshooting the image?
>>
>> FYI, I can see all the data when I view it in HBGary Responder Pro.
>>
>> Thanks
>>
>> Dave
>>
>> Sent from my iPhone
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
>
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. We think our results will be of great
interest to the DFIR community and look forward to your feedback.
The blog post can be found here:
http://www.504ensics.com/android-application-dalvik-memory-analysis-the-chu…
---
Joe T. Sylve, M.S.
Co-Founder
504ENSICS Labs
www.504ensics.com | (504) 210-8270
Hi,
I was wondering: did anyone ever manage to do an analysis with a real
device? I know the answer is Yes.
The thing is that I've seen around many nice examples and tutorials
working... but all of them with the emulator. The only real device sample
"in the wild" seems to be the Evo4GRodeo samples from the DFRWS Challenge.
This time I'm pretty sure I did (almost?) everything right. Although if it
doesn't work, probably it's not.
I've also tried with another smartphone besides the HTC One X, the
Galaxy Nexus, getting the correct kernel version. No compilation errors, no
module errors, no LiME module crashing on the phone, no Volatility profile
errors, nothing. Everything (looks) right.
But still, when trying to run Volatility I keep getting empty results
like this:
hydra:volatility-read-only paco$ python vol.py --profile=LinuxGalaxyNexus-3_0_1x86 -f ~/memdump/test-lime-4.7.lime linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
Now I start wondering two things:
- Is my LiME dump the issue? The header looks fine; if I look inside
with hexdump it seems reasonable, and if I run strings on it I find my data.
- Is it the Volatility profile? Maybe, because I've even tried to dump the
memory of my Galaxy Nexus with FROST (which uses LiME) and the result looks
the same. So I started believing my problem is in the profile, although I
cannot seem to find any other way to understand where the problem could be.
So if anyone who successfully analyzed Android memory dumps from any real
life device is willing to share his experience and/or Volatility profile,
it would be great.
Thanks
P.
--
Pasquale Stirparo, MEng
GCFA, OPST, OWSE, ECCE
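As an added check for the first of the two questions above (is the dump itself sane, before blaming the profile?), here is a small parser written for this page, not code from the thread or from the LiME or Volatility projects. It walks the 32-byte segment headers of a LiME dump (magic, version, start and end physical address, reserved), rejects a dump whose headers are inconsistent, and maps a physical address to its file offset, which is what an address space must do before any plugin can read a task list. The two-segment dump it parses is constructed inline.

```python
import struct

LIME_MAGIC = 0x4C694D45                 # appears on disk as the bytes "EMiL"
LIME_HEADER = struct.Struct("<IIQQQ")   # magic, version, s_addr, e_addr, reserved

def parse_lime_segments(dump):
    """Walk a LiME dump and return (s_addr, e_addr, file_offset) per segment.

    Raises ValueError on a bad magic, an unsupported version, an inverted
    address range or a segment that runs past the end of the file.
    """
    segments = []
    pos = 0
    while pos < len(dump):
        if pos + LIME_HEADER.size > len(dump):
            raise ValueError("truncated header at file offset 0x%x" % pos)
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(dump, pos)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at file offset 0x%x" % (magic, pos))
        if version != 1:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("segment end 0x%x before start 0x%x" % (e_addr, s_addr))
        length = e_addr - s_addr + 1        # e_addr is inclusive
        data_off = pos + LIME_HEADER.size
        if data_off + length > len(dump):
            raise ValueError("segment 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        segments.append((s_addr, e_addr, data_off))
        pos = data_off + length
    return segments

def lime_problem(dump):
    """Return a human-readable reason the dump is unusable, or None if it parses cleanly."""
    try:
        parse_lime_segments(dump)
        return None
    except ValueError as exc:
        return str(exc)

def phys_to_file_offset(segments, paddr):
    """Map a physical address to its file offset, or None if it falls in an unmapped hole."""
    for s_addr, e_addr, data_off in segments:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None

def build_sample_dump():
    """Constructed sample: 16 bytes of RAM at 0x1000 and 8 bytes at 0x10000, hole between."""
    seg1 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x100F, 0) + bytes(bytearray(range(16)))
    seg2 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x10000, 0x10007, 0) + b"\xAA" * 8
    return seg1 + seg2
```

Running it over a real .lime file with `open(path, "rb").read()` tells you whether the segment chain is intact; a clean parse with empty plugin output points at the profile rather than the acquisition.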
Brian,
You must be talking about Jesse's rawmoddump plugin. It's interesting to see
how people go about solving problems. Rather than typing 3 lines into the
existing volshell plugin, he re-implemented the same functionality into a
70 line file and then blogged about it as if it was some ground breaking
new capability...lol.
Anyway, there are a few possible explanations for finding a legitimate
driver at an offset from the base address reported by modscan. One is that
modscan found an _LDR_DATA_TABLE_ENTRY structure in physical memory that
represents a driver that was once loaded at address XXXXXXXX but has since
moved or unloaded. In that case, the kernel would be allowed to map another
driver into that available space (starting at either the exact same or a
nearby address).
Another plausible scenario is that modscan found an _LDR_DATA_TABLE_ENTRY
for a module that is still loaded at its original address (check with
modlist which will show currently loaded modules). The driver has another
driver embedded in its resources section that it installed or planned to
install. In that case you would expect to find another PE file somewhere
near the base of the first one.
Hope this helps,
MHL
On Fri, Mar 22, 2013 at 12:28 AM, Brian Keefer <chort(a)effu.se> wrote:
> Michael,
>
> Yes, modscan showed the file as being
> from C:\Users\Bob\ApplicationData\dumpme.sys -like path. It's great to
> learn this can be done via volshell, which is not something I've explored
> yet. Someone else sent me a plugin off-list that essentially wraps that
> functionality.
>
> It looks like the legitimate driver is at an offset from the base address
> reported by modscan (is it typical for drivers to load from a user
> directory?). I'm not sure what the padding is before it. Could it perhaps
> be instructions, or maybe an XOR'd PE header? Not sure exactly.
>
> --
> chort
>
>
>
> On Mar 21, 2013, at 8:53 PM, Michael Hale Ligh wrote:
>
> Hey Brian,
>
> You can use volshell to extract an arbitrary region of memory from any
> address space (in this case kernel memory if you're trying to acquire a
> kernel module). However, what do you mean "reference a file in user's
> AppData"? Is that the driver's path on disk (i.e.
> C:\Users\Bob\ApplicationData\dumpme.sys)?
>
> You would use volshell like this:
>
> >>> data = self.addrspace.zread(assumed_base_address, assumed_module_size)
> >>> with open('file.dmp', 'wb') as f:
> ...     f.write(data)
> >>>
>
> Cheers,
> MHL
>
>
> On Thu, Mar 21, 2013 at 5:32 PM, Brian Keefer <chort(a)effu.se> wrote:
>
>> Working with a ransomware infection, trying to dump one of the modules
>> that looks suspicious (the only one to reference a file in user's AppData).
>> I'm trying to dump it via the base address found through modscan, but
>> getting:
>> moddump Error: e_magic 8D4C is not a valid DOS signature.
>>
>> I tried -u. Is there any other way to dump it?
>>
>> --
>> chort
>>
>>
>>
>>
>
>
>
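As an added example for the "e_magic 8D4C is not a valid DOS signature" situation in this thread (written for this page; not code from the thread, from Volatility or from the rawmoddump plugin): once a region has been pulled out with zread as Michael shows, this scans it for a DOS header whose e_lfanew really lands on a PE signature, so a modscan base that points at padding, or a second PE embedded near the first, can be located instead of guessed at. The region is a constructed sample and the function names are my own.

```python
import struct

MZ_MAGIC = 0x5A4D            # "MZ" read as a little-endian unsigned short
PE_SIGNATURE = b"PE\x00\x00"

def read_e_magic(region, offset):
    """Return the unsigned short at `offset` formatted the way the moddump error prints it."""
    (e_magic,) = struct.unpack_from("<H", region, offset)
    return "%04X" % e_magic

def find_pe_headers(region, max_lfanew=0x400):
    """Scan a dumped region for DOS headers whose e_lfanew points at a PE signature.

    Returns a list of (dos_offset, e_lfanew, machine) tuples. A stray "MZ" in
    data is ignored because the PE signature check at e_lfanew fails.
    """
    hits = []
    start = 0
    while True:
        idx = region.find(b"MZ", start)
        if idx < 0 or idx + 0x40 > len(region):
            break
        (e_lfanew,) = struct.unpack_from("<I", region, idx + 0x3C)
        pe_off = idx + e_lfanew
        if (0 < e_lfanew <= max_lfanew and pe_off + 6 <= len(region)
                and region[pe_off:pe_off + 4] == PE_SIGNATURE):
            (machine,) = struct.unpack_from("<H", region, pe_off + 4)
            hits.append((idx, e_lfanew, machine))
        start = idx + 1
    return hits

def build_sample_region():
    """Constructed sample: 0x200 bytes that are not a PE, then a minimal PE image header."""
    padding = b"\x4c\x8d" + b"\x90" * 0x1FE   # first two bytes read back as e_magic 8D4C
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, MZ_MAGIC)
    struct.pack_into("<I", dos, 0x3C, 0x80)     # e_lfanew: PE signature at DOS header + 0x80
    stub = b"\x00" * (0x80 - 0x40)
    coff = PE_SIGNATURE + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    return padding + bytes(dos) + stub + coff
```

With a real region, `find_pe_headers(data)` gives the offsets to add to the modscan base before re-running moddump with a corrected --base, or to slice from `data` and write out directly.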
My Malware Analyst's Cookbook refers to this module and I found a couple
of videos on how to use it; I just can't seem to locate the module itself.
Has it perhaps been deprecated by some other plugin or process?
Thanks!
-=[ Steve ]=-
> Hello,
> It seems you have identified some issues while the rest of the output is
> explainable.
>
> 1) linux_check_afinfo
> Being empty means that nothing is hooked (this is good)
>
> 2) linux_check_creds, linux_pidhashtable, linux_psxview
> These are missing support for your kernel version. Can you please paste
> the output of uname -a on your machine along with the specific version of
> centos that you are using?
>
> 3) linux_check_evt_arm & linux_check_syscall_arm
> These only support ARM based computers (e.g. Android) and I assume your
> memory sample is from an Intel based computer. We will soon have a patch
> that allows plugins to check what architecture they are being run against
> and then these plugins will report they are ARM only instead of having
> exceptions.
>
> 4) linux_check_tty
> This seems like a bug we will have to fix.
>
> Thank you for your report and please get us the kernel & centos version so
> we can attempt to fix some of them.
>
> Thanks,
> Andrew (@attrc)
>
Hi Andrew,
I am sorry, but it's my mistake because the OS is not real CentOS but a
derivative. The OS is ClearOS (in fact CentOS-based), a distro for firewalls.
Anyway:
# uname -a
Linux fw2.mycompany.local 2.6.18-308.1.1.v5 #1 SMP Sun Mar 11 18:15:19 MDT
2012 i686 i686 i386 GNU/Linux
# cat /etc/issue
ClearOS Enterprise Edition release 5.2
# cat /etc/redhat-release
CentOS release 5.4 (Final)
Thanks very much and I am sorry for the mistake.
Hi,
I am trying to analyze a memory dump from a CentOS server, but I have got
some problems.
------ Plugin linux_check_afinfo ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ----------
------ Plugin linux_check_creds ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
PIDs
--------
ERROR   : volatility.plugins.linux.check_creds: This command is not supported in this profile.
------ Plugin linux_check_evt_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Check                          PASS/FAIL Info
------------------------------ --------- ------------------------------
SWI Offset Instruction         FAIL      -
------ Plugin linux_check_syscall_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Index      Address    Symbol
---------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 88, in render_text
    for (i, call_addr, hooked) in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 66, in calculate
    num_syscalls = self._get_syscall_table_size()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 38, in _get_syscall_table_size
    opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 169, in Object
    offset = int(offset)
TypeError: int() argument must be a string or a number, not 'NoneType'
------ Plugin linux_check_tty ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Name             Address    Symbol
---------------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 59, in render_text
    for name, call_addr in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 52, in calculate
    recv_buf = tty_dev.ldisc.ops.receive_buf
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 735, in __getattr__
    return self.m(attr)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 717, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct ldisc has no member ops
------ Plugin linux_pidhashtable ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR   : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
------ Plugin linux_psxview ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR   : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset(V)  Name                 PID    pslist pid_hash kmem_cache
---------- -------------------- ------ ------ -------- ----------
The other plugins work fine.
Bye.
Working with a ransomware infection, trying to dump one of the modules that looks suspicious (the only one to reference a file in user's AppData). I'm trying to dump it via the base address found through modscan, but getting:
moddump Error: e_magic 8D4C is not a valid DOS signature.
I tried -u. Is there any other way to dump it?
--
chort