Dear all,
I am Andri Heriyanto. I am just starting to use Volatility as the tool
for analyzing memory. I am using Python-2.7.3 and have already installed
Volatility ver 2.1 on both OSes: Windows 7 64-bit and Linux Ubuntu 12.04 LTS
32-bit; unfortunately I could not resolve the problem with pycrypto.
Especially on Linux Ubuntu 12.04 LTS, there is always a notification
of an error like this:
ERROR : root : code for hash sha224 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha224
ERROR : root : code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha256
ERROR : root : code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha384
ERROR : root : code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha512
Sorry for my simple question, but I've tried googling to sort these things
out, and I still could not solve it.
Thank you very much in advance for any support and suggestion.
Cheers
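The four tracebacks above are all raised inside hashlib.py itself while it binds sha224/sha256/sha384/sha512 at import time, so the interpreter, not Volatility, is the thing missing its digest implementations; the path /usr/local/lib/python2.7 is where a Python built from source installs by default, whereas the Ubuntu package lives under /usr/lib/python2.7. The script below is an added example, not part of Volatility or of this thread: it repeats the check hashlib performs, reports which digests cannot be constructed, and tells the two common causes apart by testing whether the OpenSSL-backed _hashlib extension loads at all.

```python
"""Check which hashlib digests this Python interpreter can construct.

Added example for the "code for hash sha224 was not found" errors; it is
not part of Volatility. hashlib.py raises exactly those errors when it
cannot bind a digest constructor, so the verdict here is about the
Python build, not about Volatility or pycrypto.
"""
import hashlib
import importlib

# Digests hashlib.py binds at import time; the four SHA-2 variants are the
# ones the traceback reports missing.
REQUIRED = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def openssl_backend_present():
    """True if the _hashlib extension (CPython's OpenSSL bindings) loads."""
    try:
        importlib.import_module("_hashlib")
    except ImportError:
        return False
    return True


def missing_digests(names=REQUIRED):
    """Return the digest names that hashlib.new() refuses to construct."""
    missing = []
    for name in names:
        try:
            hashlib.new(name, b"")
        except ValueError:          # "unsupported hash type <name>"
            missing.append(name)
    return missing


def diagnose(names=REQUIRED):
    """One-line verdict a practitioner can act on."""
    missing = missing_digests(names)
    if not missing:
        return "ok: all %d digests available" % len(names)
    if not openssl_backend_present():
        return ("missing %s: the _hashlib extension did not build or does not "
                "load, so this interpreter has no working OpenSSL bindings; "
                "fix the OpenSSL development install (libssl-dev on Ubuntu) "
                "and rebuild Python, or run Volatility under the "
                "distribution's own python2.7" % ", ".join(missing))
    return ("missing %s although _hashlib loads: the OpenSSL it is linked "
            "against does not provide these digests" % ", ".join(missing))


if __name__ == "__main__":
    print(diagnose())
```

Run it with the same interpreter that runs vol.py (`/usr/local/bin/python2.7` here, not whatever `python` resolves to on the PATH), because a system Python that passes the check says nothing about the self-built one that produced the traceback.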
https://code.google.com/p/volatility/
We are very excited to announce the official release of Volatility 2.1!
While the main goal of this release was to get x64 support into an
official release, we also sneaked in a number of interesting new
capabilities! Highlights of this release include:
New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
Majority of Existing Plugins Updated with x64 Support
Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
Expanded Operating System Profiles:
Windows XP SP1, SP2 and SP3 x86
Windows XP SP1 and SP2 x64 (there is no SP3 x64)
Windows Server 2003 SP0, SP1, and SP2 x86
Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
Windows Vista SP0, SP1, and SP2 x86
Windows Vista SP0, SP1, and SP2 x64
Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
Windows Server 2008 R2 SP0 and SP1 x64
Windows 7 SP0 and SP1 x86
Windows 7 SP0 and SP1 x64
Plugin Additions (Now Over 70+ Analysis Plugins!):
Printing Process Environment Variables (envvars)
Inspecting the Shim Cache (shimcache)
Profiling Command History and Console Usage (cmdscan, consoles)
Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
Plugin Enhancements:
Verbose details for kdbgscan and kpcrscan
idt/gdt/timers plugins cycle automatically for each CPU
apihooks detects LSP/winsock procedure tables
New Output Formatting Support (Table Rendering)
New Mechanism for Profile Modifications
New Registry API Support
New Volshell Commands
Updated Documentation and Command Reference
In particular, I also wanted to take this opportunity to recognize those
on the development team who helped push to make this release possible:
Mike Auty, Andrew Case, Michael Cohen, Michael Hale Ligh, and Jamie Levy.
These are the people who make a number of sacrifices in their own personal
lives to continue to bring you the most advanced memory forensics
framework in the world! If you appreciate the hard work they put into
Volatility, I encourage you to Support Open Source Forensics Developers
(SOSFD). Finally, shoutz to the Volatility Community for their continued
support and feedback!
As an added bonus, we will also be releasing Volatility 2.2 at the Open
Memory Forensics Workshop 2012 on October 2. This will be your only
opportunity to learn about all the new features in 2.1 and 2.2 from the
actual Volatility development team. Please register early. Seats are
filling up fast!
The Volatility Project
This may just be an "aspect" of the Windows version.
Win7, Python 2.7.3, Volatility 2.1 RC3.
After receiving MLH's direction on getting "conf-file" to work on
Windows, I set the profile and location in my conf file.
Works fine:
python <pathTo>\vol.py --conf-file="<my conf file>" --plugins="<pathToMyPlugins>" someSillyPlugin
Does NOT work:
python <pathTo>\vol.py --plugins="<pathToMyPlugins>" --conf-file="<my conf file>" someSillyPlugin
The error:
__main__ : Please specify a location (-l) or filename (-f)
I don't know if this is also true on non-Windows systems.
Skippy
Just tried the 2.1 RC3 version and got the errors below.
Then did the 'python setup.py clean' command followed by repeating the
install command 'python setup.py install'.
Still no difference. No errors produced during install. Egg was
built and copied.
Using Win7 and Python 2.7.3.
D:\Forensics>python %PYTHON_SCRIPTS%\vol.py -h
Volatile Systems Volatility Framework 2.1_rc3
*** Failed to import
volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.win7_sp0_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp1_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.vista_sp1_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.vista_sp2_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.xp_sp3_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp0_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.xp_sp2_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.vista_sp0_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp2_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
Usage: Volatility - A memory forensics analysis platform.
Hi,
I'm trying to analyze Linux memory dumps with scudette's branch r2040, but it
doesn't seem to work.
Is there something I do wrong?
*Ubuntu 11.04 64bit (acquired with lime, padded format)*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\Lime\Ubuntu-11.04-64-bit\u64.padded"
In [2]: session.profile_file = "N:\Lime\Ubuntu-11.04-64-bit\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
WARNING:root:comm has no offset in object task_struct. Check that vtypes
has a concrete definition for it.
WARNING:root:name has no offset in object net_device. Check that vtypes has
a concrete definition for it.
WARNING:root:s_id has no offset in object super_block. Check that vtypes
has a concrete definition for it.
WARNING:root:sun_path has no offset in object sockaddr_un. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:name has no offset in object module. Check that vtypes has a
concrete definition for it.
Offset Name Pid Uid
ERROR:root:Error: Type task_struct has no member tasks
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
<ipython-input-4-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
    217         result = plugin_cls(*args, **kwargs)
    218         try:
--> 219             result.render(ui_renderer)
    220         except KeyboardInterrupt:
    221             self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
     49                 "Offset", "Name", "Pid", "Uid"))
     50
---> 51         for task in self.pslist():
     52             outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
     53                 task.obj_offset, task.comm, str(task.pid), str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
     42
     43         # walk the ->tasks list, note that this will *not* display "swapper"
---> 44         for task in init_task.tasks:
     45             yield task
     46
H:\Volatility\Scudette\volatility\obj.pyc in __getattr__(self, attr)
    921         if attr not in self.members:
    922             raise AttributeError("Type {0} has no member {1}".format(
--> 923                 self.obj_name, attr))
    924
    925         return self.m(attr)
AttributeError: Type task_struct has no member tasks
*Ubuntu 11.04 64bit (acquired with lime, raw format)*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Ubuntu-11.04-64-bit\\u64.raw"
In [2]: session.profile_file = "N:\\Lime\\Ubuntu-11.04-64-bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
WARNING:root:comm has no offset in object task_struct. Check that vtypes
has a concrete definition for it.
WARNING:root:name has no offset in object net_device. Check that vtypes has
a concrete definition for it.
WARNING:root:s_id has no offset in object super_block. Check that vtypes
has a concrete definition for it.
WARNING:root:sun_path has no offset in object sockaddr_un. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:name has no offset in object module. Check that vtypes has a
concrete definition for it.
Offset Name Pid Uid
Out[4]: <volatility.plugins.linux.pslist.LinuxPsList at 0x2e50930>
*Fedora 15 32bit (acquired with lime, raw format)*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.raw"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux32
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
In [5]: session.kernel_address_space = "standard"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset Name Pid Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
<ipython-input-6-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
    217         result = plugin_cls(*args, **kwargs)
    218         try:
--> 219             result.render(ui_renderer)
    220         except KeyboardInterrupt:
    221             self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
     49                 "Offset", "Name", "Pid", "Uid"))
     50
---> 51         for task in self.pslist():
     52             outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
     53                 task.obj_offset, task.comm, str(task.pid), str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
     35     def pslist(self):
     36         """A generator of task_struct objects for all running tasks."""
---> 37         init_task_addr = self.profile.constants["init_task"]
     38
     39         init_task = self.profile.Object(theType="task_struct",
KeyError: 'init_task'
*Fedora 15 32bit (virtual box snapshot)*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "V:\\VM\\Fedora Core 15 32-bit\\Snapshots\\2012-07-17T14-50-40-994836400Z.sav"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux32
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
In [5]: session.kernel_address_space = "vboxelf"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset Name Pid Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
<ipython-input-7-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
    217         result = plugin_cls(*args, **kwargs)
    218         try:
--> 219             result.render(ui_renderer)
    220         except KeyboardInterrupt:
    221             self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
     49                 "Offset", "Name", "Pid", "Uid"))
     50
---> 51         for task in self.pslist():
     52             outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
     53                 task.obj_offset, task.comm, str(task.pid), str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
     35     def pslist(self):
     36         """A generator of task_struct objects for all running tasks."""
---> 37         init_task_addr = self.profile.constants["init_task"]
     38
     39         init_task = self.profile.Object(theType="task_struct",
KeyError: 'init_task'
*The analysis works with Windows XP SP3*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "W:\XP SP3\XP SP3-Snapshot7.vmem"
In [2]: session.profile = profiles.WinXPSP3x86
In [3]: vol plugins.pslist
------> vol(plugins.pslist)
Offset (V)  Name                    PID    PPID   Thds   Hnds     Sess   Wow64  Start                Exit
----------  --------------------  ------ ------ ------ -------- ------ ------  -------------------- --------------------
0x867c49c8  System                     4      0     54      216 ------ False   -                    -
0x8656b020  smss.exe                 556      4      3       17 ------ False   2008-11-19 19:30:19  -
[...]
Out[3]: <volatility.plugins.windows.taskmods.WinPsList at 0x21668f0>
Thanks in advance for your help!
Sebastien
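The two Linux failures in the sessions above point at the two halves of a Linux profile: "comm has no offset in object task_struct" and "Type task_struct has no member tasks" mean the structure definitions loaded from the profile do not describe task_struct, and KeyError: 'init_task' means no kernel symbol table contributed that symbol. The script below is an added example, not code from Volatility or from scudette's branch; it assumes the profile zip follows the layout of the project's Linux profiles (a dwarfdump text file such as module.dwarf plus a System.map-* file) and checks both halves for what the pslist plugin shown above needs before you hand the zip to the framework. The sample profile contents it runs on are constructed for the example.

```python
"""Sanity-check a Volatility Linux profile zip before loading it.

Added example, not part of Volatility. Assumes the zip holds a dwarfdump
text dump (*.dwarf) and a System.map-* file, as the project's Linux
profiles do.
"""
import io
import re
import zipfile

# What the Linux pslist plugin walks: init_task, then task_struct.tasks.
REQUIRED_SYMBOLS = ("init_task",)
REQUIRED_MEMBERS = {"task_struct": ("tasks", "pid", "comm")}

_MAP_LINE = re.compile(r"^([0-9a-fA-F]+)\s+[A-Za-z]\s+(\S+)$")   # "addr type name"
_DIE_LINE = re.compile(r"^<(\d+)><[^>]*>\s+(DW_TAG_\w+)")         # "<depth><off> DW_TAG_x"


def parse_system_map(text):
    """Map symbol name -> address from a System.map file."""
    symbols = {}
    for line in text.splitlines():
        m = _MAP_LINE.match(line.strip())
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
    return symbols


def parse_dwarf_members(text):
    """Map struct name -> member names from dwarfdump's text output.

    Members are the DW_TAG_member DIEs one nesting level below a named
    DW_TAG_structure_type; every other line of the dump is ignored.
    """
    structs, current, struct_depth, pending = {}, None, None, None
    for line in text.splitlines():
        stripped = line.strip()
        die = _DIE_LINE.match(stripped)
        if die:
            depth, tag = int(die.group(1)), die.group(2)
            if tag == "DW_TAG_structure_type" and (struct_depth is None or depth <= struct_depth):
                current, struct_depth, pending = None, depth, "struct"
            elif tag == "DW_TAG_member" and current is not None and depth == struct_depth + 1:
                pending = "member"
            else:
                pending = None
                if struct_depth is not None and depth <= struct_depth:
                    current = None                       # left the struct's subtree
        elif pending and stripped.startswith("DW_AT_name"):
            name = stripped.split()[-1]
            if pending == "struct":
                current = name
                structs.setdefault(name, [])
            else:
                structs[current].append(name)
            pending = None
    return structs


def check_profile(zip_bytes):
    """Return a list of problems; an empty list means the profile looks usable."""
    problems, symbols, structs = [], {}, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        maps = [n for n in zf.namelist() if n.rsplit("/", 1)[-1].startswith("System.map")]
        dwarfs = [n for n in zf.namelist() if n.endswith(".dwarf")]
        for n in maps:
            symbols.update(parse_system_map(zf.read(n).decode("utf-8", "replace")))
        for n in dwarfs:
            structs.update(parse_dwarf_members(zf.read(n).decode("utf-8", "replace")))
    if not maps:
        problems.append("no System.map-* file in zip")
    if not dwarfs:
        problems.append("no .dwarf file in zip")
    problems += ["System.map lacks symbol %s" % s for s in REQUIRED_SYMBOLS if maps and s not in symbols]
    for sname, wanted in REQUIRED_MEMBERS.items():
        if not dwarfs:
            break
        if sname not in structs:
            problems.append("dwarf does not define struct %s" % sname)
            continue
        missing = [m for m in wanted if m not in structs[sname]]
        if missing:
            problems.append("struct %s lacks members: %s" % (sname, ", ".join(missing)))
    return problems


def make_profile_zip(system_map_text, dwarf_text, version="2.6.38-8-generic"):
    """Build an in-memory profile zip (used for the constructed samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("System.map-" + version, system_map_text)
        zf.writestr("module.dwarf", dwarf_text)
    return buf.getvalue()


# Constructed sample data in the shape of a real profile (not from the thread).
GOOD_MAP = "ffffffff81a0a020 D init_task\nffffffff81000000 T _text\n"
GOOD_DWARF = """\
<1><0x00000020>    DW_TAG_structure_type
                      DW_AT_name                  task_struct
                      DW_AT_byte_size             0x00000e20
<2><0x00000030>      DW_TAG_member
                        DW_AT_name                  tasks
                        DW_AT_data_member_location  DW_OP_plus_uconst 648
<2><0x00000040>      DW_TAG_member
                        DW_AT_name                  pid
<2><0x00000050>      DW_TAG_member
                        DW_AT_name                  comm
<1><0x00000100>    DW_TAG_structure_type
                      DW_AT_name                  list_head
<2><0x00000110>      DW_TAG_member
                        DW_AT_name                  next
"""
# A broken profile: no init_task in the map, no task_struct in the dwarf.
BAD_MAP = "ffffffff81000000 T _text\n"
BAD_DWARF = GOOD_DWARF[GOOD_DWARF.index("<1><0x00000100>"):]

if __name__ == "__main__":
    print("good:", check_profile(make_profile_zip(GOOD_MAP, GOOD_DWARF)))
    print("bad: ", check_profile(make_profile_zip(BAD_MAP, BAD_DWARF)))
```

A profile that passes this check but still produces the warnings above was most likely generated from a different kernel than the one in the image (the symbols resolve, but to the wrong addresses), which is the next thing to verify: compare the kernel version string in the image against the System.map name inside the zip.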
Hey everyone,
The 2.1 RC1 downloads are now available [1]. Per the usual, there are zip
and tar archives of the source code, a Windows module installer, and a
standalone Windows executable (with Python and all dependencies
built in). We ask that you test vigorously over the next 2 weeks,
especially with any x64 images, and let us know via the issue tracker [2]
if you run into any bugs. At the end of July, we'll announce the official
release of 2.1.
Also, a lot of the documentation [3] has been updated, including the FAQ,
command reference, features by plugin matrix, and roadmap, so that may be a
useful resource to you when using 2.1.
Thank you very much!
[1]. http://code.google.com/p/volatility/downloads/list
[2]. http://code.google.com/p/volatility/issues/list
[3]. http://code.google.com/p/volatility/w/list
Hi folks,
Testing impscan with zeus.vmem I have a little question about the
capabilities of impscan:
Malfind finds 2 regions with injected code as seen many times:
C:\Micha\Forensics\Volatility-2.1a>python vol.py malfind -f D:\X-Ways-Images\zeus.vmem -p 1724
Volatile Systems Volatility Framework 2.1_rc1
Process: explorer.exe Pid: 1724 Address: 0x1600000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01600000 b8 35 00 00 00 e9 cd d7 30 7b b8 91 00 00 00 e9   .5......0{......
.
Process: explorer.exe Pid: 1724 Address: 0x15d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x015d0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
.
Base 0x015d0000 is a "real" exe-module and impscan can detect the hooked
calls very well:
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x015d0000
Volatile Systems Volatility Framework 2.1_rc1
IAT Call Module Function
---------- ---------- -------------------- --------
0x015d1000 0x77dea43c ADVAPI32.dll CryptGetHashParam
0x015d1004 0x77dd7535 ADVAPI32.dll RegCreateKeyExW
0x015d1008 0x77de8546 ADVAPI32.dll CryptReleaseContext
0x015d100c 0x77dd6fc8 ADVAPI32.dll RegQueryValueExW
0x015d1010 0x77dd778e ADVAPI32.dll InitializeSecurityDescriptor
0x015d1014 0x77df986b ADVAPI32.dll GetSidSubAuthorityCount
0x015d1018 0x77dd77b3 ADVAPI32.dll SetSecurityDescriptorDacl
0x015d101c 0x77df1285 ADVAPI32.dll SetNamedSecurityInfoW
0x015d1020 0x77dfcaf6 ADVAPI32.dll LookupPrivilegeValueW
0x015d1024 0x77dea2f9 ADVAPI32.dll CryptCreateHash
0x015d1028 0x77de2cde ADVAPI32.dll ConvertStringSecurityDescriptorToSecurityDescriptorW
0x015d102c 0x77dd6a78 ADVAPI32.dll RegOpenKeyExW
.
Base 0x01600000 contains jump instructions to other addresses:
0x1600000 b835000000 MOV EAX, 0x35
0x1600005 e9cdd7307b JMP 0x7c90d7d7
0x160000a b891000000 MOV EAX, 0x91
0x160000f e94fdf307b JMP 0x7c90df63
0x1600014 8bff MOV EDI, EDI
0x1600016 55 PUSH EBP
0x1600017 8bec MOV EBP, ESP
0x1600019 e9ef17c175 JMP 0x7721180d
So it seems to be consistent that impscan is unable to find hooked calls
there:
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x01600000
Volatile Systems Volatility Framework 2.1_rc1
IAT Call Module Function
---------- ---------- -------------------- --------
Traceback (most recent call last):
File "vol.py", line 185, in <module>
main()
File "vol.py", line 176, in main
command.execute()
File "C:\Micha\Forensics\Volatility-2.1a\volatility\commands.py", line
111, in execute
func(outfd, data)
File
"C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py",
line 358, in render_text
for iat, call, mod, func in data:
File
"C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py",
line 338, in calculate
forward = True)
File
"C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py",
line 130, in _vicinity_scan
start_addr = sortedlist[0]
IndexError: list index out of range
Or does the error message mean something else? Looking at the first jump
target, there is the "detoured" call as expected:
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90d7d7
Volatile Systems Volatility Framework 2.1_rc1
IAT Call Module Function
---------- ---------- -------------------- --------
0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData
So impscan is not able to directly handle such trampoline calls, is it?
Following the trace of the jump targets there are two imports of
BaseQueryModuleData:
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90df63
Volatile Systems Volatility Framework 2.1_rc1
IAT Call Module Function
---------- ---------- -------------------- --------
0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData
Also the next jump targets import the same api calls:
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7721180d
Volatile Systems Volatility Framework 2.1_rc1
IAT Call Module Function
---------- ---------- -------------------- --------
0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA
0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA
0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA
.
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x771c76bd
Volatile Systems Volatility Framework 2.1_rc1
IAT Call Module Function
---------- ---------- -------------------- --------
0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA
0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA
0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA
.
I have no clue why these API calls are hooked twice. Does anybody have an
idea?
Regards
Michael
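The region at 0x1600000 has no import table to scan: what the disassembly in the post shows is a run of jump trampolines, each made of a few instructions copied out of a hooked function followed by a `jmp` back into that function just past the copied bytes. Two prologue shapes appear there: `mov eax, imm32` (the first 5-byte instruction of an ntdll Zw*/Nt* stub) and `mov edi, edi; push ebp; mov ebp, esp` (the 5-byte hot-patchable prologue of many Win32 API functions). impscan resolves IAT-style pointers in a region; it does not decode code, so on such a region its vicinity scan finds nothing and the `sortedlist[0]` IndexError above is the empty-result case. The script below is an added example, not part of Volatility or of the post: a minimal x86 decoder for exactly the opcodes these stubs use, which computes each `jmp rel32` target (next instruction address plus the signed displacement) and, on the Detours-style reading, derives the address of the hooked function as target minus the number of copied bytes. The stub bytes are assembled from the post's own listing; the stub-kind names are mine.

```python
"""Follow the jump trampolines malfind reported at 0x1600000.

Added example, not part of Volatility. Decodes only the x86 opcodes that
occur in detour/trampoline stubs and resolves their jump targets.
"""
import struct
from collections import namedtuple

Insn = namedtuple("Insn", "addr size text target")
# kind: which copied-prologue shape; saved: the copied instructions;
# target: where the stub jumps; original: hooked function = target - copied bytes
Stub = namedtuple("Stub", "kind addr saved target original")

REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
TWO_BYTE = {(0x8B, 0xFF): "mov edi, edi", (0x8B, 0xEC): "mov ebp, esp"}
ONE_BYTE = {0x55: "push ebp", 0x90: "nop", 0xC3: "ret"}


def decode_one(addr, data, off):
    """Decode one instruction from the stub subset at data[off], located at addr."""
    op = data[off]
    nxt = data[off + 1] if off + 1 < len(data) else None
    if 0xB8 <= op <= 0xBF:                          # mov r32, imm32
        imm = struct.unpack_from("<I", data, off + 1)[0]
        return Insn(addr, 5, "mov %s, 0x%x" % (REGS[op - 0xB8], imm), imm)
    if op in (0xE9, 0xE8):                          # jmp/call rel32
        rel = struct.unpack_from("<i", data, off + 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF      # target = next ip + rel32
        return Insn(addr, 5, "%s 0x%x" % ("jmp" if op == 0xE9 else "call", target), target)
    if op == 0xEB:                                  # jmp rel8
        rel = struct.unpack_from("<b", data, off + 1)[0]
        target = (addr + 2 + rel) & 0xFFFFFFFF
        return Insn(addr, 2, "jmp 0x%x" % target, target)
    if op == 0xFF and nxt == 0x25:                  # jmp dword ptr [disp32]: an IAT-style slot
        slot = struct.unpack_from("<I", data, off + 2)[0]
        return Insn(addr, 6, "jmp dword ptr [0x%x]" % slot, slot)
    if (op, nxt) in TWO_BYTE:
        return Insn(addr, 2, TWO_BYTE[(op, nxt)], None)
    if op in ONE_BYTE:
        return Insn(addr, 1, ONE_BYTE[op], None)
    raise ValueError("opcode 0x%02x at 0x%x is outside the stub subset" % (op, addr))


def decode(base, data):
    """Linear sweep of data as if loaded at base."""
    insns, off = [], 0
    while off < len(data):
        insn = decode_one(base + off, data, off)
        insns.append(insn)
        off += insn.size
    return insns


def find_trampolines(base, data):
    """Find copied-prologue trampolines: N saved bytes, then 'jmp hooked_function+N'."""
    insns = decode(base, data)
    stubs, i = [], 0
    while i < len(insns):
        texts = [x.text for x in insns[i:i + 4]]
        if len(texts) >= 2 and texts[0].startswith("mov eax, ") and texts[1].startswith("jmp 0x"):
            kind, n = "ntdll_stub_prologue", 2         # 'mov eax, imm32' then the jump back
        elif (len(texts) == 4 and texts[:3] == ["mov edi, edi", "push ebp", "mov ebp, esp"]
              and texts[3].startswith("jmp 0x")):
            kind, n = "hotpatch_prologue", 4           # hot-patchable prologue then the jump back
        else:
            i += 1
            continue
        jmp = insns[i + n - 1]
        copied = sum(x.size for x in insns[i:i + n - 1])   # bytes lifted from the hooked function
        stubs.append(Stub(kind, insns[i].addr, texts[:n - 1], jmp.target, jmp.target - copied))
        i += n
    return stubs


# Bytes at 0x1600000, assembled from the listing in the post (malfind's first
# 16 bytes plus the remaining instructions of the disassembly).
STUB_BYTES = bytes.fromhex(
    "b835000000" "e9cdd7307b"        # mov eax, 0x35 ; jmp 0x7c90d7d7
    "b891000000" "e94fdf307b"        # mov eax, 0x91 ; jmp 0x7c90df63
    "8bff" "55" "8bec" "e9ef17c175"  # mov edi,edi ; push ebp ; mov ebp,esp ; jmp 0x7721180d
)

if __name__ == "__main__":
    for insn in decode(0x1600000, STUB_BYTES):
        print("0x%08x  %s" % (insn.addr, insn.text))
    for stub in find_trampolines(0x1600000, STUB_BYTES):
        print("%-20s stub 0x%08x -> 0x%08x  hooked function at 0x%08x"
              % (stub.kind, stub.addr, stub.target, stub.original))
```

On this reading the interesting addresses for the investigation are `original` (the hooked functions), not the jump targets: `--base 0x7c90d7d7` and `--base 0x7c90df63` both land inside the same module, so impscan scans the same import table twice, which is what the identical IAT slot 0x7c97d280 in both runs shows. That is one imported function seen twice, not two hooks.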
Hi list,
I believe that one of my lab VMs is owned by a sophisticated rootkit.
There are many signs of that:
Rootkit in my lab?
Rootkit in my lab? (part II)
Live analysis was a dead end. Needless to say, common live analysis tools and AV found nothing.
So I have been focused for days on analyzing the RAM with Volatility. And I found absolutely nothing.
I am just afraid that it is beyond my skills at this moment.
If some of you are curious, do not hesitate to have a look. Of course, I would love to learn more and get some tips and feedback.
I can provide more volatility output if necessary, or even the dump.
Thank you!
--- phocean