Just curious whether the Volatility 2.0.1 branch is a bugfix for the
stable 2.0 branch, or is it something else entirely?
-Roman
Please cc: this address in addition to the mailing list, as I'm not
normally a subscriber.
Hi all,
I did not use apihooks for a while. Now I am playing around with that flame
sample from Mike Lambert (THX a lot!!) and miss that plugin.
It may have gone with the integration of the malware plugin directly to the
Volatility core.
Is it still available somewhere for 2.1a or do I have to reuse an older
version?
Regards
Michael
Hello all,
According to a hint from Andreas Schuster (THX!!) I have tried to access the
_SE_AUDIT_PROCESS_CREATION_INFO structure, which is referenced in
_EPROCESS.SeAuditProcessCreationInfo:
>>> for proc in win32.tasks.pslist(self.addrspace):
...     if proc.UniqueProcessId in (172, 528, 1560):
...         print "SeAuditProcessCreationInfo: {0:#x}".format(proc.SeAuditProcessCreationInfo)
...
SeAuditProcessCreationInfo: 0x82014964
SeAuditProcessCreationInfo: 0x81c8e6ac
SeAuditProcessCreationInfo: 0x81cc1214
So I have displayed the pointers to the _SE_AUDIT_PROCESS_CREATION_INFO
structure. I hoped to find a Unicode string somewhere containing the path to
the image file. Sadly a hexdump seems to be useless:
>>> db(0x82014964, length=256)
0x82014964  d0 b8 fe 81 40 b3 27 ff e7 d2 c9 01 00 00 01 00   ....@.'.........
0x82014974  5e 03 00 00 00 03 00 00 00 03 00 00 32 00 00 00   ^...........2...
0x82014984  59 01 00 00 00 30 88 c0 64 3c 22 82 c4 95 ff 81   Y....0..d<".....
0x82014994  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
...
But that's OK, because there should only be another pointer again:
>>> dt("_SE_AUDIT_PROCESS_CREATION_INFO")
'_SE_AUDIT_PROCESS_CREATION_INFO' (4 bytes)
0x0   : ImageFileName                  ['pointer', ['_OBJECT_NAME_INFORMATION']]
How can I access this structure via object.method?
CU
Mic
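The chain behind that hexdump is two pointers deep: its first dword (d0 b8 fe 81, little-endian 0x81feb8d0) is ImageFileName, a pointer to an _OBJECT_NAME_INFORMATION whose only member, Name, is a _UNICODE_STRING, so in Volatility 2's object model it reads as proc.SeAuditProcessCreationInfo.ImageFileName.Name (attribute access on a pointer dereferences it). The Python below is added here and is not from the thread: it walks that same chain over a constructed 32-bit memory buffer, with every address except 0x82014964, and the path itself, made up for the example.

```python
import struct

# Constructed 32-bit kernel memory standing in for the address space in the
# session above; every address except SE_AUDIT_ADDR is made up for this example.
BASE = 0x82014960
SE_AUDIT_ADDR = 0x82014964    # _SE_AUDIT_PROCESS_CREATION_INFO (from the thread)
OBJ_NAME_ADDR = 0x82014980    # _OBJECT_NAME_INFORMATION (constructed)
BUFFER_ADDR = 0x82014990      # _UNICODE_STRING.Buffer (constructed)
IMAGE_PATH = u"\\Device\\HarddiskVolume1\\WINDOWS\\system32\\svchost.exe"


def build_memory():
    """Lay the three structures out the way the kernel does, little-endian."""
    mem = bytearray(0x100)
    wide = IMAGE_PATH.encode("utf-16-le")

    def put(addr, data):
        mem[addr - BASE:addr - BASE + len(data)] = data

    # _SE_AUDIT_PROCESS_CREATION_INFO is nothing but one pointer, ImageFileName,
    # which is why a hexdump of it shows no readable text.
    put(SE_AUDIT_ADDR, struct.pack("<I", OBJ_NAME_ADDR))
    # _OBJECT_NAME_INFORMATION holds one _UNICODE_STRING: Length, MaximumLength, Buffer
    put(OBJ_NAME_ADDR, struct.pack("<HHI", len(wide), len(wide) + 2, BUFFER_ADDR))
    put(BUFFER_ADDR, wide + b"\x00\x00")
    return bytes(mem)


def read(mem, addr, size):
    """Read size bytes at a virtual address; unmapped memory raises."""
    off = addr - BASE
    if off < 0 or off + size > len(mem):
        raise ValueError("address 0x%x is not mapped" % addr)
    return mem[off:off + size]


def image_file_name(mem, se_audit_addr):
    """Follow SeAuditProcessCreationInfo -> ImageFileName -> Name.Buffer."""
    (obj_name_ptr,) = struct.unpack("<I", read(mem, se_audit_addr, 4))
    if obj_name_ptr == 0:
        return None  # no image name recorded for this process
    length, max_length, buffer_ptr = struct.unpack("<HHI", read(mem, obj_name_ptr, 8))
    # A counted string from a possibly corrupted image: check it before trusting it.
    if buffer_ptr == 0 or length == 0 or length % 2 or length > max_length:
        return None
    return read(mem, buffer_ptr, length).decode("utf-16-le")


if __name__ == "__main__":
    print(image_file_name(build_memory(), SE_AUDIT_ADDR))
```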
Hey all,
Does the netscan plugin work against Windows 7 64-bit memory samples?
When I'm running it with the latest build (1574), I get the following:
Computer:volatility-read-only $ python vol.py -f ../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.evtlogs (AttributeError: 'module' object has no attribute 'LdrModules')
*** Failed to import volatility.plugins.timeliner (AttributeError: 'module' object has no attribute 'LdrModules')
Offset(P)    Proto  Local Address   Foreign Address  State      Pid   Owner            Created
0x11747cef0  TCPv4  0.0.0.0:62887   0.0.0.0:0        LISTENING  3212  svchost.exe
0x11785da10  TCPv4  0.0.0.0:3389    0.0.0.0:0        LISTENING  1260  svchost.exe
0x117894ef0  TCPv4  0.0.0.0:3389    0.0.0.0:0        LISTENING  1260  svchost.exe
0x117894ef0  TCPv6  :::3389         :::0             LISTENING  1260  svchost.exe
0x117a00670  TCPv4  0.0.0.0:49601   0.0.0.0:0        LISTENING  2412  vmware-convert
0x117a1ee00  TCPv4  0.0.0.0:62870   0.0.0.0:0        LISTENING  568   services.exe
0x117a1ee00  TCPv6  :::62870        :::0             LISTENING  568   services.exe
WARNING : volatility.obj : Cant find object _IN_ADDR in profile <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x10b5be390>?
Traceback (most recent call last):
  File "vol.py", line 173, in <module>
    main()
  File "vol.py", line 164, in main
    command.execute()
  File "/Users/e18529/volatility-read-only/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 266, in render_text
    for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data:
  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 212, in calculate
    for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry):
  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 183, in enumerate_listeners
    inaddr = LocalAddr.pData.dereference().dereference().v()
AttributeError: 'NoneType' object has no attribute 'v'
All the other plugins are working, this is the only one I'm having
issues with....I know about the first two "Failed to import" lines...
And I did remember to do a "make clean" after updating this time.... :)
Thanks,
Tom
One thing we need to do is search the registries for the keys that autorun malware.
Does anyone know of a free tool that will do that? I'm currently using Encase to do that but it is an expensive solution.
Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search.
Mike
Mike,
Have you tried any of the following?:
YARU (Yet Another Registry Utility) -
http://www.tzworks.net/prototype_page.php?proto_id=3
Regdecoder - http://code.google.com/p/registrydecoder/
Autoruns -
http://computer-forensics.sans.org/blog/2010/06/28/autoruns-dead-forensics/
> Message: 1
> Date: Tue, 15 May 2012 17:38:58 -0500
> From: Mike Lambert <dragonforen(a)hotmail.com>
> Subject: [Vol-users] searching registries
> To: Volatility List <vol-users(a)volatilityfoundation.org>
I created a SpyEye VM infection for a presentation. (usexxxxxxxx.exe)
I lucked out and found that it is an example of "The Mis-leading 'Active' in PsActiveProcessHead and ActiveProcessLinks" (thank you MHL)
http://mnin.blogspot.com/2011/03/mis-leading-active-in.html
This makes it a great example to use in my presentation!! I've attached imageinfo, pslist, psscan, and psxview for anyone interested in seeing it.
(BTW, if you are going to the presentation, don't give it away until I give you a chance near the end. I'll let you explain it. Let someone else notice the 'weird' stuff and wonder why.)
I will make a package of this available if someone wants a copy. I can put it on my web site for download.
The package would consist of:
1. the incident response batch file output with win32dd imaging (I like win32dd, great for times, info and MD5)
2. 512MB memory image
3. E01 disk image of the 10GB disk
MHL, in this case is this a bug in SpyEye? OR does it have anything to do with injecting into your parent? <g>
Have a good day all!
Mike
PS. Thanks Jamie for linking to MHL's explanation in the Command Reference
I've got a memory forensics presentation coming up next week and I'd like to use a sample that will illustrate a crossview example.
Specifically, I'd like to use an example that hides from pslist on the running system (don't want a DKOM example) but we can find it using Volatility.
I'd like it to be something running and not a process injection sample.
Does someone have a suggestion which one may provide a good illustration?
Thanks,
Mike
In case you missed it, this is an interesting paper on how to frustrate
a few free memory forensic tools using one-byte modifications to main
computer memory:
https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Foren….
The paper examines potential single points of failure in 3 free memory
forensic tools:
1. Volatility
2. Memoryze
3. Responder Community Edition
The reliability of memory forensic tools (both acquisition and analysis)
is a topic which to date has received very little attention (except on
the part of the "bad guys"). Hence, this paper provides some welcome
relief. The paper is marred however by its focus exclusively on free
tools. The commercial tools which cost $10K or $100K also may have
defects and it would be interesting to know how they compare to the free
tools. As I remember it, at least one of the commercial tools has a
license provision which prevents you from telling anyone if you find a
defect. So perhaps the author limited his focus due to legal constraints.