Hey all,
Does the netscan plugin work against Windows 7 64-bit memory samples?
When I'm running it with the latest build (1574), I get the following:
Computer:volatility-read-only $ python vol.py -f
../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.evtlogs (AttributeError:
'module' object has no attribute 'LdrModules')
*** Failed to import volatility.plugins.timeliner (AttributeError:
'module' object has no attribute 'LdrModules')
Offset(P)    Proto  Local Address   Foreign Address  State      Pid   Owner           Created
0x11747cef0  TCPv4  0.0.0.0:62887   0.0.0.0:0        LISTENING  3212  svchost.exe
0x11785da10  TCPv4  0.0.0.0:3389    0.0.0.0:0        LISTENING  1260  svchost.exe
0x117894ef0  TCPv4  0.0.0.0:3389    0.0.0.0:0        LISTENING  1260  svchost.exe
0x117894ef0  TCPv6  :::3389         :::0             LISTENING  1260  svchost.exe
0x117a00670  TCPv4  0.0.0.0:49601   0.0.0.0:0        LISTENING  2412  vmware-convert
0x117a1ee00  TCPv4  0.0.0.0:62870   0.0.0.0:0        LISTENING  568   services.exe
0x117a1ee00  TCPv6  :::62870        :::0             LISTENING  568   services.exe
WARNING : volatility.obj : Cant find object _IN_ADDR in profile
<volatility.plugins.overlays.windows.win7.Win7SP1x64 object at
0x10b5be390>?
Traceback (most recent call last):
File "vol.py", line 173, in <module>
main()
File "vol.py", line 164, in main
command.execute()
File "/Users/e18529/volatility-read-only/volatility/commands.py",
line 101, in execute
func(outfd, data)
File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
line 266, in render_text
for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data:
File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
line 212, in calculate
for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry):
File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
line 183, in enumerate_listeners
inaddr = LocalAddr.pData.dereference().dereference().v()
AttributeError: 'NoneType' object has no attribute 'v'
All the other plugins are working; this is the only one I'm having
issues with. I know about the first two "Failed to import" lines,
and I did remember to do a "make clean" after updating this time. :)
Thanks,
Tom
One thing we need to do is search the registries for the keys that autorun malware.
Does anyone know of a free tool that will do that? I'm currently using Encase to do that but it is an expensive solution.
Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search.
Mike
Mike,
Have you tried any of the following?:
YARU (Yet Another Registry Utility) -
http://www.tzworks.net/prototype_page.php?proto_id=3
Regdecoder - http://code.google.com/p/registrydecoder/
Autoruns -
http://computer-forensics.sans.org/blog/2010/06/28/autoruns-dead-forensics/
> Message: 1
> Date: Tue, 15 May 2012 17:38:58 -0500
> From: Mike Lambert <dragonforen(a)hotmail.com>
> Subject: [Vol-users] searching registries
> To: Volatility List <vol-users(a)volatilityfoundation.org>
> Message-ID: <SNT118-W5182DD5900ED6A56B23C3FAE1B0(a)phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
> One thing we need to do is search the registries for the keys that autorun
> malware.
>
> Does anyone know of a free tool that will do that? I'm currently using
> Encase to do that but it is an expensive solution.
>
> Harlan's RegRipper will dump some registry entries and sometimes it works,
> but it does not search.
>
> Mike
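Since the thread is about searching hives for autorun keys rather than dumping a fixed set of them, here is an added example that is not one of the tools listed above and not Volatility code. It walks a .reg export (what RegRipper, Regdecoder or regedit can produce from an offline hive), reports every value that sits under a list of autostart extension points, and flags data that points into user-writable directories. The key list, the path heuristic and the hive excerpt are my own constructions for illustration, not taken from the thread:

```python
"""
Offline search of an exported registry hive (.reg text) for autostart
extension points (ASEPs). Added example; not a Volatility plugin and not
any tool named in the thread. The hive excerpt below is constructed.
"""
import re

# Key suffixes that commonly autorun code. Matching ignores the hive root,
# so HKLM\... and HKEY_LOCAL_MACHINE\... both match. Extend as needed.
ASEP_PATTERNS = [
    r"software\\microsoft\\windows\\currentversion\\run(once)?(ex)?$",
    r"software\\microsoft\\windows nt\\currentversion\\winlogon$",
    r"software\\microsoft\\windows\\currentversion\\explorer\\shell folders$",
    r"software\\classes\\.*\\shellex\\contextmenuhandlers\\",
    r"system\\currentcontrolset\\services\\[^\\]+$",
    r"software\\microsoft\\windows nt\\currentversion\\image file execution options\\",
]
_ASEP_RE = re.compile("|".join("(?:%s)" % p for p in ASEP_PATTERNS), re.I)

# Value data that points into a user-writable location. A heuristic to sort
# hits for review, not a signature.
SUSPICIOUS_PATH_RE = re.compile(
    r"(%temp%|\\temp\\|\\appdata\\|\\users\\[^\\]+\\|\\documents and settings\\)",
    re.I)

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export. REG_SZ data is
    unescaped; other types (dword:, hex:) are returned as written."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def strip_root(key):
    """Drop HKEY_LOCAL_MACHINE / HKLM etc. so patterns are root-agnostic."""
    return key.split("\\", 1)[1] if "\\" in key else key


def find_autoruns(text):
    """Return [(key, value_name, data, suspicious)] for every value under an ASEP."""
    hits = []
    for key, name, data in parse_reg(text):
        if _ASEP_RE.search(strip_root(key)):
            hits.append((key, name, data, bool(SUSPICIOUS_PATH_RE.search(data))))
    return hits


# Constructed hive excerpt: one vendor entry, one persistence entry in a user
# profile, one Winlogon value and one key that is not an ASEP at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""
"updater"="C:\\Documents and Settings\\Mike\\Application Data\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

if __name__ == "__main__":
    for key, name, data, suspicious in find_autoruns(SAMPLE_REG):
        print("%s  %s\n    %s = %s" % ("!!" if suspicious else "  ", key, name, data))
```

Pointing `find_autoruns` at a full SOFTWARE or SYSTEM export from a suspect disk image gives a searchable list across all ASEPs at once; the suspicious flag only orders the review, it does not decide it.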
I created a SpyEye VM infection for a presentation. (usexxxxxxxx.exe)
I lucked out and found that it is an example of "The Mis-leading 'Active' in PsActiveProcessHead and ActiveProcessLinks" (thank you MHL)
http://mnin.blogspot.com/2011/03/mis-leading-active-in.html
This makes it a great example to use in my presentation!! I've attached imageinfo, pslist, psscan, and psxview for anyone interested in seeing it.
(BTW, if you are going to the presentation, don't give it away until I give you a chance near the end. I'll let you explain it. Let someone else notice the 'weird' stuff and wonder why.)
I will make a package of this available if someone wants a copy. I can put it on my web site for download.
The package would consist of:
1. the incident response batch file output with win32dd imaging (I like win32dd, great for times, info and MD5)
2. 512MB memory image
3. E01 disk image of the 10GB disk
MHL, in this case is this a bug in SpyEye? OR does it have anything to do with injecting into your parent? <g>
Have a good day all!
Mike
PS. Thanks Jamie for linking to MHL's explanation in the Command Reference
I've got a memory forensics presentation coming up next week and I'd like to use a sample that will illustrate a crossview example.
Specifically, I'd like to use an example that hides from pslist on the running system (don't want a DKOM example) but we can find it using Volatility.
I'd like it to be something running and not a process injection sample.
Does someone have a suggestion which one may provide a good illustration?
Thanks,
Mike
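Both of Mike's posts above come down to comparing what different enumeration techniques report for the same process. As an added illustration (not Volatility's psxview and not run against any memory image) here is the comparison logic on constructed listings: a process unlinked from the active list shows up in psscan, in the thread scan and in csrss's handle table but not in pslist, while a process that has exited but is still linked (the case MHL's post describes) is still in pslist with an exit time and has lost its threads and handles. The listings, PIDs and names are my own constructions:

```python
"""
Cross-view comparison of process enumerations, the idea behind psxview.
Added example, not Volatility's psxview: it works on constructed listings
rather than a memory image, and keys by PID for readability (psxview keys by
the physical offset of the _EPROCESS, which survives PID reuse).
"""

# Constructed listings, pid -> image name, one per enumeration source:
# pslist walks ActiveProcessLinks, psscan carves _EPROCESS pool blocks,
# thrdproc collects the owners of scanned _ETHREADs, csrss is the csrss.exe
# handle table.
SOURCES = {
    "pslist":   {4: "System", 396: "csrss.exe", 568: "services.exe",
                 1260: "svchost.exe", 1840: "explorer.exe", 2044: "notepad.exe"},
    "psscan":   {4: "System", 396: "csrss.exe", 568: "services.exe",
                 1260: "svchost.exe", 1840: "explorer.exe", 2044: "notepad.exe",
                 3312: "hidden.exe"},
    "thrdproc": {4: "System", 396: "csrss.exe", 568: "services.exe",
                 1260: "svchost.exe", 1840: "explorer.exe", 3312: "hidden.exe"},
    "csrss":    {568: "services.exe", 1260: "svchost.exe", 1840: "explorer.exe",
                 3312: "hidden.exe"},
}
EXIT_TIMES = {2044: "2012-05-15 22:41:07"}   # constructed: notepad has exited

# Absences that are normal and must not be reported as hiding: csrss.exe
# holds no handle to itself or to System.
EXPECTED_ABSENT = {
    "csrss": lambda pid, name: pid == 4 or name == "csrss.exe",
}


def cross_view(sources, exit_times, expected_absent=None):
    """Return (matrix, suspicious).

    matrix:     {pid: {source: present}}
    suspicious: [(pid, name, source)] for each absence not explained by an
                exit time or by an expected_absent rule for that source.
    """
    expected_absent = expected_absent or {}
    names = {}
    for listing in sources.values():
        names.update(listing)
    matrix, suspicious = {}, []
    for pid in sorted(names):
        row = {src: pid in listing for src, listing in sources.items()}
        matrix[pid] = row
        if pid in exit_times:
            continue   # terminated but not yet reaped: expected, not hidden
        for src, present in row.items():
            rule = expected_absent.get(src, lambda p, n: False)
            if not present and not rule(pid, names[pid]):
                suspicious.append((pid, names[pid], src))
    return matrix, suspicious


def render(matrix, names, exit_times):
    """psxview-style table: one row per process, one True/False per source."""
    cols = list(next(iter(matrix.values())))
    head = " ".join("%-8s" % c for c in cols)
    lines = ["%-6s %-16s %s %s" % ("PID", "Name", head, "ExitTime")]
    for pid, row in matrix.items():
        flags = " ".join("%-8s" % str(row[c]) for c in cols)
        lines.append("%-6d %-16s %s %s" % (pid, names[pid], flags,
                                           exit_times.get(pid, "")))
    return "\n".join(lines)


if __name__ == "__main__":
    matrix, suspicious = cross_view(SOURCES, EXIT_TIMES, EXPECTED_ABSENT)
    names = {}
    for listing in SOURCES.values():
        names.update(listing)
    print(render(matrix, names, EXIT_TIMES))
    for pid, name, src in suspicious:
        print("%d %s is missing from %s" % (pid, name, src))
```

The exit-time rule is what keeps a terminated-but-still-linked process from being mistaken for a hidden one in a live demo; only hidden.exe, absent from pslist alone, is reported.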
In case you missed it, this is an interesting paper on how to frustrate
a few free memory forensic tools using one-byte modifications to main
computer memory:
https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Foren….
The paper examines potential single points of failure in 3 free memory
forensic tools:
1. Volatility
2. Memoryze
3. Responder Community Edition
The reliability of memory forensic tools (both acquisition and analysis)
is a topic which to date has received very little attention (except on
the part of the "bad guys"). Hence, this paper provides some welcome
relief. The paper is marred however by its focus exclusively on free
tools. The commercial tools which cost $10K or $100K also may have
defects and it would be interesting to know how they compare to the free
tools. As I remember it, at least one of the commercial tools has a
license provision which prevents you from telling anyone if you find a
defect. So perhaps the author limited his focus due to legal constraints.
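To make the single-point-of-failure idea concrete, here is an added example that is not from the paper, from Volatility or from either of the other two tools. It uses an invented pool-block layout (a 4-byte tag after a 4-byte header word, then a toy process object; not the real _POOL_HEADER or _EPROCESS) to contrast a scanner that keys on the tag alone with one that scores several independent invariants and accepts a candidate that fails at most one of them. Flipping a single byte of the tag blinds the first scanner and not the second:

```python
"""
Signature-only carving versus invariant scoring. Added example with an
invented object layout; the buffer, offsets and field values are constructed.
"""
import struct

PAGE = 0x1000
POOL_TAG = b"Proc"   # hypothetical tag for the toy object below
# Toy "process object" layout (not the real _EPROCESS):
#   +0x00 u32 type (3 = process)  +0x04 u32 dtb  +0x08 u32 flink  +0x0c u32 blink
#   +0x10 16s image_name (NUL padded)
OBJ_FMT = "<IIII16s"
OBJ_SIZE = struct.calcsize(OBJ_FMT)          # 32 bytes
HDR_SIZE = 8                                 # u32 + 4-byte tag


def make_block(name, dtb, flink, blink):
    body = struct.pack(OBJ_FMT, 3, dtb, flink, blink, name.ljust(16, b"\0"))
    return struct.pack("<I4s", 0, POOL_TAG) + body


def build_memory():
    """Constructed 8 KiB buffer with two objects at known offsets."""
    mem = bytearray(0x2000)
    mem[0x400:0x400 + HDR_SIZE + OBJ_SIZE] = make_block(
        b"System", 0x00185000, 0x8055a1c8, 0x8055a1c8)
    mem[0x1200:0x1200 + HDR_SIZE + OBJ_SIZE] = make_block(
        b"svchost.exe", 0x0b4c0000, 0x8a1f1b40, 0x8a0e2d80)
    return mem


def scan_tag(mem):
    """Signature-only scan: every hit hinges on the 4 tag bytes."""
    hits, pos = [], 0
    while True:
        pos = mem.find(POOL_TAG, pos)
        if pos < 0:
            return hits
        hits.append(pos + 4)          # object begins right after the tag
        pos += 1


def invariants(mem, off):
    """Count how many independent sanity checks the bytes at `off` pass."""
    if off < 4 or off + OBJ_SIZE > len(mem):
        return 0
    typ, dtb, flink, blink, name = struct.unpack_from(OBJ_FMT, mem, off)
    name = name.split(b"\0", 1)[0]
    checks = [
        mem[off - 4:off] == POOL_TAG,
        typ == 3,
        dtb != 0 and dtb % PAGE == 0,            # page directory is page aligned
        flink >= 0x80000000,                     # list links point into kernel space
        blink >= 0x80000000,
        1 <= len(name) <= 15 and all(0x20 <= c < 0x7f for c in name),
    ]
    return sum(checks)


def scan_invariants(mem, min_score):
    """Accept any 8-byte-aligned candidate passing at least min_score checks."""
    return [off for off in range(8, len(mem) - OBJ_SIZE + 1, 8)
            if invariants(mem, off) >= min_score]


def demo():
    mem = build_memory()
    evaded = bytearray(mem)
    evaded[0x1204] ^= 0x20            # one byte: 'P' -> 'p' in the second tag
    return {
        "tag_clean": scan_tag(mem),
        "tag_evaded": scan_tag(evaded),
        "invariant_evaded": scan_invariants(evaded, min_score=5),
    }


if __name__ == "__main__":
    for label, offsets in demo().items():
        print("%-17s %s" % (label, ["0x%x" % o for o in offsets]))
```

The threshold of all-but-one checks is the point: whichever single field the attacker corrupts, the remaining constraints still agree, so the object is found and the mismatched field becomes the indicator.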
Hi everybody,
I have tried the scudette branch r1628 for Linux memory analysis and
received some errors. My test systems were Ubuntu 11.10 (kernel
3.0.0-17-generic, 64-bit) and Debian 6.0.2.1 (kernel 2.6.32-5-686, 32-bit).
The plugins I tested were pslist, cpuinfo, dmesg, ifconfig and netstat.
As I followed the instructions on the wiki page, the first thing I
noticed was a NameError after the *vol pslist* command:
$ python vol.py
Welcome to volshell!
To get help, type 'help()'
In [1]: session.filename = "memory.dd"
In [2]: session.profile_file = "myprofile.zip"
In [3]: session.profile = "Linux32"
In [4]: vol pslist
------> vol(pslist)
---------------------------------------------------------------------------
NameError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
NameError: name 'pslist' is not defined
After I changed the *In [4]: vol pslist* command into *In [4]: vol
"pslist"*, the NameError disappeared and the pslist plugin worked well
on both systems.
The next plugin was cpuinfo. On both systems I got the right processor
output, but on Ubuntu I additionally received a warning/error:
In [5]: vol "cpuinfo"
------> vol("cpuinfo")
Processor Vendor Model
*ERROR:root:Constant per_cpu__cpu_info does not exist in profile.*
0 GenuineIntel Intel(R) Core(TM)2 Duo CPU P8600 @
2.40GHz
Out[5]: <volatility.plugins.linux.cpuinfo.CpuInfo object at 0x2fc5190>
The ifconfig plugin returned a ValueError on both systems.
*On Ubuntu:*
In [6]: vol "ifconfig"
------> vol("ifconfig")
lo 127.0.0.1 00:00:00:00:00:00
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in
render(self, outfd)
97
98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
---> 99 net_dev.name, ip, mac_addr))
100
101
ValueError: Unknown format code 's' for object of type 'int'
*On Debian:*
In [6]: vol "ifconfig"
------> vol("ifconfig")
lo 127.0.0.1 00:00:00:00:00:00
eth0 10.0.2.15 08:00:27:f6:0e:dd
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls,
fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.pyc in
render(self, outfd)
97
98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
---> 99 net_dev.name, ip, mac_addr))
100
101
ValueError: Unknown format code 's' for object of type 'int'
After that I tried the netstat plugin. I received an AttributeError on
both systems:
*On Ubuntu:*
In [7]: vol "netstat"
------> vol("netstat")
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
178 """
179 if isinstance(plugin_cls, basestring):
--> 180 plugin_cls = getattr(self.plugins, plugin_cls)
181
182 if output is not None:
/home/vitax/lin64-support/volatility/session.py in __getattr__(self, attr)
79 return self.plugins[attr]
80 except KeyError:
---> 81 raise AttributeError(attr)
82
83
AttributeError: netstat
*On Debian:*
In [7]: vol "netstat"
------> vol("netstat")
ERROR: An unexpected error occurred while tokenizing input
The following traceback may be corrupted or invalid
The error message is: ('EOF in multi-line statement', (40, 0))
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls,
fd, debug, output, **kwargs)
178 """
179 if isinstance(plugin_cls, basestring):
--> 180 plugin_cls = getattr(self.plugins, plugin_cls)
181
182 if output is not None:
/home/vitax/lin64-support/volatility/session.pyc in __getattr__(self, attr)
79 return self.plugins[attr]
80 except KeyError:
---> 81 raise AttributeError(attr)
82
83
AttributeError: netstat
In the end I tried the dmesg plugin. On Debian it worked well, but on
Ubuntu I got this error:
In [8]: vol "dmesg"
------> vol("dmesg")
ERROR:root:Error: 'ascii' codec can't decode byte 0xc2 in position 74140:
ordinal not in range(128)
---------------------------------------------------------------------------
UnicodeDecodeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/dmesg.py in render(self,
outfd)
44
45 def render(self, outfd):
---> 46 outfd.write(self.get_dmesg())
47
48
/home/vitax/lin64-support/volatility/session.py in write(self, data)
111 def write(self, data):
112 # Encode the data according to the output encoding.
--> 113 data = data.encode(self.encoding)
114 try:
115 self.pager.write(data)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 74140:
ordinal not in range(128)
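Two of the failures in this message (the format code 's' applied to an int in ifconfig, and the ASCII decode error on dmesg output), like the `_IN_ADDR` dereference that comes back as None in Tom's netscan traceback at the top of the page, are a renderer receiving a value of a type it did not expect. As an added example that is not code from the Volatility tree, here are helpers that accept the shapes a memory parser actually hands back (an address as raw bytes or as the integer read from memory, a MAC as bytes or int, a log buffer with stray non-UTF-8 bytes) and format them without raising. The interface records and log buffer are constructed:

```python
"""
Rendering raw kernel address fields and arbitrary-byte output without
tripping Python's type and encoding checks. Added example, not Volatility
code; all inputs below are constructed.
"""
import io
import socket
import struct


def format_ipv4(raw):
    """Dotted quad from an in_addr given as 4 raw bytes, or as the 32-bit
    integer obtained by reading those bytes little-endian (x86 memory)."""
    if isinstance(raw, int):
        raw = struct.pack("<I", raw & 0xFFFFFFFF)
    if len(raw) != 4:
        raise ValueError("in_addr must be 4 bytes, got %r" % (raw,))
    return socket.inet_ntop(socket.AF_INET, bytes(raw))


def format_ipv6(raw):
    """Compressed textual form of a 16-byte in6_addr."""
    if len(raw) != 16:
        raise ValueError("in6_addr must be 16 bytes, got %r" % (raw,))
    return socket.inet_ntop(socket.AF_INET6, bytes(raw))


def format_mac(raw):
    """aa:bb:cc:dd:ee:ff from 6 raw bytes or from an int (e.g. 0 for lo)."""
    if isinstance(raw, int):
        raw = raw.to_bytes(6, "big")
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes, got %r" % (raw,))
    return ":".join("%02x" % b for b in raw)


def decode_kernel_log(buf):
    """Decode a printk ring buffer that may hold partial or non-UTF-8 bytes;
    undecodable bytes become U+FFFD instead of aborting the plugin."""
    return bytes(buf).decode("utf-8", "replace")


def render_row(cells, widths, out=None, encoding="utf-8"):
    """Write one fixed-width row. Cells may be str, bytes or numbers; the
    row is encoded with replacement so a stray byte cannot abort output."""
    parts = []
    for value, width in zip(cells, widths):
        if isinstance(value, (bytes, bytearray)):
            value = bytes(value).decode("utf-8", "replace")
        elif not isinstance(value, str):
            value = str(value)
        parts.append(value.ljust(width))
    line = " ".join(parts).rstrip() + "\n"
    if out is not None:
        out.write(line.encode(encoding, "replace"))
    return line


def main():
    out = io.BytesIO()
    # constructed interface records: name, in_addr as read from memory, MAC
    ifaces = [(b"lo", 0x0100007f, 0),
              (b"eth0", 0x0f02000a, b"\x08\x00\x27\xf6\x0e\xdd")]
    for name, ip, mac in ifaces:
        render_row((name, format_ipv4(ip), format_mac(mac)), (8, 16, 17), out)
    # constructed log buffer: a valid UTF-8 degree sign, then a lone 0xff
    log = b"[    0.000000] CPU temp 45\xc2\xb0C\n[    0.001000] \xff truncated\n"
    out.write(decode_kernel_log(log).encode("utf-8"))
    return out.getvalue().decode("utf-8")


if __name__ == "__main__":
    print(main(), end="")
```

Whether the plugin should coerce at the field level (as here) or validate the profile and refuse to run is a design choice; what it should not do is let a single unexpected type abort a listing that is otherwise correct, which is what both tracebacks show.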
I have read the command reference for the strings plugin and do not see an option to specify the string to look for in anything other than ASCII.
Could strings be expanded to include hex values, perhaps in the form of \x55\x5e\xe2\xfd\x83\xc4 or something like that?
Thanks,
Mike Lambert
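The search Mike asks for, a byte pattern given in `\x55\x5e...` form located in a raw image, is simple to do outside the strings plugin. Here is an added example (not a Volatility plugin and not a change to strings) that parses that escape syntax into bytes and scans the image in chunks, carrying the last len(pattern)-1 bytes of each chunk forward so a hit that straddles a chunk boundary is not lost. The sample image is a constructed buffer written to a temporary file:

```python
"""
Searching a raw memory image for a byte pattern written in \\xNN form.
Added example, not a Volatility plugin; the image is constructed.
"""
import os
import re
import tempfile

# '\x55' -> byte 0x55; any other character is taken literally (Latin-1),
# so mixed patterns like 'MZ\x90' work too.
_TOKEN_RE = re.compile(r"\\x([0-9a-fA-F]{2})|(.)", re.S)


def parse_pattern(text):
    out = bytearray()
    for hexpair, literal in _TOKEN_RE.findall(text):
        out += bytes([int(hexpair, 16)]) if hexpair else literal.encode("latin-1")
    return bytes(out)


def search_file(path, pattern, chunk_size=4 * 1024 * 1024):
    """Yield every physical offset at which `pattern` occurs. The last
    len(pattern)-1 bytes of each chunk are prepended to the next one, so a
    match crossing a chunk boundary is reported exactly once."""
    if not pattern:
        raise ValueError("empty pattern")
    overlap = len(pattern) - 1
    tail, base = b"", 0            # base: file offset of the chunk just read
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = tail + data
            buf_offset = base - len(tail)
            idx = buf.find(pattern)
            while idx >= 0:
                yield buf_offset + idx
                idx = buf.find(pattern, idx + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(data)


def build_image(path, pattern, offsets, size=256, fill=b"\x90"):
    """Constructed image: NOP filler with the pattern planted at `offsets`."""
    buf = bytearray(fill * size)
    for off in offsets:
        buf[off:off + len(pattern)] = pattern
    with open(path, "wb") as f:
        f.write(buf)


def demo(chunk_size=64):
    """Plant a 6-byte pattern at three offsets, one straddling a chunk
    boundary, and return the offsets the chunked search recovers."""
    pattern = parse_pattern(r"\x55\x5e\xe2\xfd\x83\xc4")
    planted = [10, 61, 200]        # 61..66 crosses the 64-byte chunk edge
    fd, path = tempfile.mkstemp(suffix=".raw")
    os.close(fd)
    try:
        build_image(path, pattern, planted)
        return list(search_file(path, pattern, chunk_size=chunk_size))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(["0x%x" % off for off in demo()])
```

The offsets are physical; mapping them back to a process and virtual address is what the strings plugin does with its input file, so feeding its output format from this scan is the natural next step.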
Thanks Howard, it works like a champ!
Mike
From: Howard.Patterson(a)tn.gov
To: dragonforen(a)hotmail.com
Subject: RE: [Vol-users] Using Windows XP VMs for testing and windows activation
Date: Thu, 12 Apr 2012 23:27:12 +0000
The easiest way I've found, and one I think will work in your situation, is to boot into Safe Mode with the XP system. Then choose "Start, Run" and enter the following:
rundll32.exe syssetup,SetupOobeBnk
Those are both the letter "Ohs" in there and it is case sensitive. If it works you won't see any sign of it until you reboot. If you type it incorrectly an error message will come back. This basically resets how long you have to activate (I believe 30 days).
-Howard
From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilesystems.com] On Behalf Of Mike Lambert
Sent: Thursday, April 12, 2012 6:06 PM
To: Volatility List
Subject: [Vol-users] Using Windows XP VMs for testing and windows activation
I have not used VMs in the past to do malware testing because of the windows activation problems I run into. Clone, you have to activate; copy, you have to activate; move, you have to activate. I'm surprised that it still activates!
I would like to talk to someone who knows the best way to deal with this. (or not) I'd like to have a clone that is infected that I can go back to later. (I do that now with hard disk images - I can put back a disk image to disk and plug it into the computer and bring it right back up.)
I can continue to use my test system, which I do not have any problem with. I blow a copy of a clean system to disk and then go on testing without any activation problems.
Let me know if you have a solution.
Thanks,
Mike