Hi everyone,
in prior threads, Michael and Aaron pointed out changes in memory
structures when suspending a virtual machine. I think this is an
important observation and would therefore suggest moving the respective
discussion to a separate thread. I have summarized the relevant passages
below.
----
Michael H. Ligh
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-June/000441.…)
> Also, if you're analyzing a memory dump by suspending the VM, that has
> significant impact on the lifetime and availability of network
> structures. When you suspend/pause a VMware guest, VMware tools runs a
> bat script on the guest (I think it's vm-suspend.bat) which forcefully
> closes TCP/UDP and frees the IP.
Jesse Bowling
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000470.…)
> This was a VMware 4.1 virtual machine that was paused, and the vmss file
> copied out.
> Much later I heard it referenced that pausing the virtual machine actually
> causes a lot of information to be removed from memory due to the way VMware
> prepares the OS to pause... :( (Can you or anyone speak to the truth-iness
> of this?)
AAron Walters
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000473.…)
> This is definitely something to take in consideration with this particular
> acquisition method. I think you are referring to a comment that MHL made
> previously about vmware tools. A similar thing happens when people
> attempt to use hibernation files. Intuitively, what does it mean to resume
> a network connection that disappeared hours, if not days, earlier? In some
> instances, it is possible to still extract associated artifacts from
> unallocated regions, a technique most debuggers don't handle very well.
----
Last year, I wrote a survey article about memory acquisition and
analysis techniques
(http://www.sciencedirect.com/science/article/pii/S1742287611000508) and
stated in a short section about virtual machines that, by suspending a
system, a memory snapshot with a high level of atomicity and correctness
could be produced. With respect to the issues raised by Michael, this
statement is maybe a bit too optimistic now?!
I have recently done a lot of research in the area of memory
acquisition, specifically with regard to software-based utilities. We
have tried to formalize criteria for sound memory imaging in a different
paper
(http://www.sciencedirect.com/science/article/pii/S1742287612000254)
and I'm currently working on a platform that may help to evaluate the
correctness, impact, etc. of a utility more accurately.
As the discussion about virtual machines roughly touches my research
interests, I would like to know if there's any more information on this
topic. Specifically:
- Has anyone ever measured the impact on a memory image when suspending
a system?
- I have briefly looked at the vm-suspend-default.bat file which is
located in the folder of the VMware tools. It just includes an "ipconfig
/release" command, so it appears "only" network-related information
would be affected. Is anyone aware of any other structures that would be
changed/destroyed when going into suspended mode?
- Is the batch script (or similar operations) actually executed every
time a machine is suspended? I have just run a quick Google query on the
file and only saw that its use was optional?
I would very much appreciate it if anyone had some more details on this or
could share some references.
Best regards,
Stefan
I want to check to see if my test computer is infected with Stuxnet.
I have not finished the forensics on it and do not want to know any answers. I don't want to check the behavioral data yet because that would give too much away.
My hash and signature analysis says it is not infected. I don't want to waste time if it is not infected.
I think the simplest way to determine if it is infected is to see if the "Are you there?" mutant is there. If you know the mutant, please let me know.
There is a lot of analysis of it on the internet and I have kept away from it. No fun to get the answer from someone else.
Thanks,
Mike
I am looking at a sample of the Pilleuz worm that infects USB.
I ran malfind and was not successful extracting a sample.
Is there another option for extracting injected code?
Is there a way to dump threads?
Thanks,
Mike
I've used 1.3 and 2.0 but neither gives me any "old" UDP artifacts. I know they are there because I have the pcap, so I am looking for them in memory.
Can someone tell me the format of a UDP artifact in memory please?
For example I'm looking for
from a connection UDP 192.168.136.129:1044 to 204.13.161.100:6600
I'm looking at
11 83 89 C0 A8 88 81 CC 0D A1 64 04 14 19 C8
that looks like
UDP Unk Unk 192.168.136.129 204.13.161.100 1044 6600
The "Unk" means I don't know what they are (the 83 (seems to be constant) and 89 (changes slightly)).
I've found this in the kernel
01fb5017 [kernel:2180730903] UDP to 204.13.161.100
This may just be a parameter block that is passed to the OS, but it does show that there was such a packet sent.
Tell me what I need to be looking for if I am in the wrong place.
Thanks,
Mike
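As an added example (not part of Mike's post or of Volatility), a small Python scanner that carves records of the shape described above out of a raw buffer. The layout it assumes (tag byte, two unknown bytes, source IP, destination IP, source port, destination port, in network byte order) is read off the post and is not a documented structure; the buffer is constructed.

```python
import re
import socket
import struct

# Constructed sample buffer: filler around the 15-byte record quoted in the
# post (11 83 89 C0 A8 88 81 CC 0D A1 64 04 14 19 C8) plus a second,
# constructed record to a different peer so the scan yields two hits.
SAMPLE = (
    b"\x00" * 7
    + bytes.fromhex("11 83 89 C0 A8 88 81 CC 0D A1 64 04 14 19 C8")
    + b"\xff" * 5
    + bytes.fromhex("11 83 8A C0 A8 88 81 0A 00 00 35 04 15 00 35")
    + b"\x00" * 4
)

# Layout as read from the post (an assumption, not a documented structure):
# tag byte (0x11 = IPPROTO_UDP), 2 unknown bytes, source IP, destination IP,
# source port, destination port; IPs and ports in network byte order.
RECORD = struct.Struct(">B2s4s4sHH")


def find_udp_records(buf, src_ip=None):
    """Return decoded candidate records, optionally filtered on source IP.

    The scan anchors on the 0x11 tag and the 0x83 byte the post reports as
    constant; the third byte varies between records, so it is a wildcard.
    """
    anchor = rb"\x11\x83."
    if src_ip is not None:
        anchor += re.escape(socket.inet_aton(src_ip))
    hits = []
    for m in re.finditer(anchor, buf, re.DOTALL):
        off = m.start()
        if off + RECORD.size > len(buf):
            continue  # truncated record at the end of the buffer
        _tag, unk, src, dst, sport, dport = RECORD.unpack_from(buf, off)
        hits.append({
            "offset": off,
            "unknown": unk.hex(),
            "src": "%s:%d" % (socket.inet_ntoa(src), sport),
            "dst": "%s:%d" % (socket.inet_ntoa(dst), dport),
        })
    return hits
```

Cross-checking every hit against the pcap (as Mike is doing) is what tells you whether the two unknown bytes are part of the record or just neighbouring data.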
Hi All,
I presented a topic on "malware memory forensics" using Volatility... the
ppt and video can be found at the link below... I hope you will like it :-)
http://goo.gl/7bRFK
Thanks,
Monnappa
Just curious whether the Volatility 2.0.1 branch is a bugfix for the
stable 2.0 branch, or is it something else entirely?
-Roman
Please cc: this address in addition to the mailing list, as I'm not
normally a subscriber.
Hi all,
I did not use apihooks for a while. Now I am playing around with that flame
sample from Mike Lambert (THX a lot!!) and miss that plugin.
It may have gone with the integration of the malware plugin directly to the
Volatility core.
Is it still available somewhere for 2.1a or do I have to reuse an older
version?
Regards
Michael
Hello all,
Following a hint from Andreas Schuster (THX!!), I have tried to access the
_SE_AUDIT_PROCESS_CREATION_INFO structure which is referenced in
_EPROCESS.SeAuditProcessCreationInfo:
>>> for proc in win32.tasks.pslist(self.addrspace):
...     if proc.UniqueProcessId in (172, 528, 1560):
...         print "SeAuditProcessCreationInfo: {0:#x}".format(proc.SeAuditProcessCreationInfo)
...
SeAuditProcessCreationInfo: 0x82014964
SeAuditProcessCreationInfo: 0x81c8e6ac
SeAuditProcessCreationInfo: 0x81cc1214
So I have displayed the pointers to the
_SE_AUDIT_PROCESS_CREATION_INFO structure.
I hoped to find a Unicode string somewhere containing the path to the
image file.
Sadly, a hexdump seems to be useless:
>>> db(0x82014964, length=256)
0x82014964 d0 b8 fe 81 40 b3 27 ff e7 d2 c9 01 00 00 01 00 ....@.'.........
0x82014974 5e 03 00 00 00 03 00 00 00 03 00 00 32 00 00 00 ^...........2...
0x82014984 59 01 00 00 00 30 88 c0 64 3c 22 82 c4 95 ff 81 Y....0..d<".....
0x82014994 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
But that's OK, because there should only be another pointer there:
>>> dt("_SE_AUDIT_PROCESS_CREATION_INFO")
'_SE_AUDIT_PROCESS_CREATION_INFO' (4 bytes)
0x0 : ImageFileName ['pointer', ['_OBJECT_NAME_INFORMATION']]
How can I access this structure via object.method?
CU
Mic
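As an added example that is not part of this thread or of Volatility itself, here is the same dereference done by hand over a constructed 32-bit image, so that what sits behind the single pointer in the dt output is visible: ImageFileName points at an _OBJECT_NAME_INFORMATION, whose only member is a _UNICODE_STRING named Name, whose Buffer holds the UTF-16LE path. All addresses and the path are constructed.

```python
import struct

# Constructed 32-bit "memory image": a flat buffer mapped at BASE, laid out to
# mirror the chain in the dt output above. All addresses and the path are made
# up; 0x82014964 is reused only so the example reads like the post.
BASE = 0x82014000
IMAGE = bytearray(0x1000)

SE_AUDIT_VA = 0x82014964       # _SE_AUDIT_PROCESS_CREATION_INFO
OBJ_NAME_INFO_VA = 0x820140a0  # _OBJECT_NAME_INFORMATION
BUFFER_VA = 0x82014100         # UTF-16LE path buffer
PATH = "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\svchost.exe"


def _write(va, data):
    IMAGE[va - BASE:va - BASE + len(data)] = data


# _SE_AUDIT_PROCESS_CREATION_INFO.ImageFileName -> _OBJECT_NAME_INFORMATION*
_write(SE_AUDIT_VA, struct.pack("<I", OBJ_NAME_INFO_VA))
# _OBJECT_NAME_INFORMATION.Name is a _UNICODE_STRING:
#   USHORT Length; USHORT MaximumLength; PWSTR Buffer  (8 bytes on x86)
encoded = PATH.encode("utf-16-le")
_write(OBJ_NAME_INFO_VA, struct.pack("<HHI", len(encoded), len(encoded) + 2, BUFFER_VA))
_write(BUFFER_VA, encoded + b"\x00\x00")


def read_pointer(va):
    """Read a 32-bit little-endian pointer at virtual address va."""
    return struct.unpack_from("<I", IMAGE, va - BASE)[0]


def read_unicode_string(va):
    """Decode a _UNICODE_STRING; Length is in bytes, not characters."""
    length, _maxlen, buf_va = struct.unpack_from("<HHI", IMAGE, va - BASE)
    start = buf_va - BASE
    return bytes(IMAGE[start:start + length]).decode("utf-16-le")


def image_file_name(se_audit_va):
    """Follow ImageFileName to the path; None when the pointer is NULL.

    A NULL ImageFileName means no name is recorded for that process, so treat
    None as a normal result rather than as a parse failure.
    """
    obj_name_info_va = read_pointer(se_audit_va)
    if obj_name_info_va == 0:
        return None
    return read_unicode_string(obj_name_info_va)  # Name is at offset 0
```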