- Vol-users - volatilityfoundation.org

by Stefan Steizer

Hi everybody, i have tried the scudette branch r1628 for linux memory analysis and received some Errors. My test-systems were Ubuntu 11.10 (Kernel 3.0.0-17-generic, 64 Bit) and Debian 6.0.2.1 (Kernel 2.6.32-5-686, 32 Bit). The plugins i have tested were pslist, cpuinfo, dmesg, ifconfig and netstat. As i followed the instructions at the Wiki-Page the first thing i have noticed was an NameError after the *vol pslist* command: $ python vol.py Welcome to volshell! To get help, type 'help()' In [1]: session.filename = "memory.dd" In [2]: session.profile_file = "myprofile.zip" In [3]: session.profile = "Linux32" In [4]: vol pslist ------> vol(pslist) --------------------------------------------------------------------------- NameError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 NameError: name 'pslist' is not defined After i changed the *In [4]: vol pslist* command into *In [4]: vol "pslist"*the NameError disappeared and the pslist plugin worked well on both systems. The next plugin was cpuinfo. On both system i've got the right processor output, but on Ubuntu i additionally received a warning/error: In [5]: vol "cpuinfo" ------> vol("cpuinfo") Processor Vendor Model *ERROR:root:Constant per_cpu__cpu_info does not exist in profile.* 0 GenuineIntel Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz Out[5]: <volatility.plugins.linux.cpuinfo.CpuInfo object at 0x2fc5190> The ifconfig plugin returned on both systems a ValueError. *On Ubuntu:* In [6]: vol "ifconfig" ------> vol("ifconfig") lo 127.0.0.1 00:00:00:00:00:00 ERROR:root:Error: Unknown format code 's' for object of type 'int' --------------------------------------------------------------------------- ValueError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs) 194 kwargs['session'] = self 195 result = plugin_cls(**kwargs) --> 196 result.render(fd) 197 198 return result /home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in render(self, outfd) 97 98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format( ---> 99 net_dev.name, ip, mac_addr)) 100 101 ValueError: Unknown format code 's' for object of type 'int' *On Debian:* In [6]: vol "ifconfig" ------> vol("ifconfig") lo 127.0.0.1 00:00:00:00:00:00 eth0 10.0.2.15 08:00:27:f6:0e:dd ERROR:root:Error: Unknown format code 's' for object of type 'int' --------------------------------------------------------------------------- ValueError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls, fd, debug, output, **kwargs) 194 kwargs['session'] = self 195 result = plugin_cls(**kwargs) --> 196 result.render(fd) 197 198 return result /home/vitax/lin64-support/volatility/plugins/linux/ifconfig.pyc in render(self, outfd) 97 98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format( ---> 99 net_dev.name, ip, mac_addr)) 100 101 ValueError: Unknown format code 's' for object of type 'int' After that i tried the netstat plugin. I received on both systems an AttributeError: *On Ubuntu:* * * In [7]: vol "netstat" ------> vol("netstat") --------------------------------------------------------------------------- AttributeError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs) 178 """ 179 if isinstance(plugin_cls, basestring): --> 180 plugin_cls = getattr(self.plugins, plugin_cls) 181 182 if output is not None: /home/vitax/lin64-support/volatility/session.py in __getattr__(self, attr) 79 return self.plugins[attr] 80 except KeyError: ---> 81 raise AttributeError(attr) 82 83 AttributeError: netstat *On Debian:* * * In [7]: vol "netstat" ------> vol("netstat") ERROR: An unexpected error occurred while tokenizing input The following traceback may be corrupted or invalid The error message is: ('EOF in multi-line statement', (40, 0)) --------------------------------------------------------------------------- AttributeError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls, fd, debug, output, **kwargs) 178 """ 179 if isinstance(plugin_cls, basestring): --> 180 plugin_cls = getattr(self.plugins, plugin_cls) 181 182 if output is not None: /home/vitax/lin64-support/volatility/session.pyc in __getattr__(self, attr) 79 return self.plugins[attr] 80 except KeyError: ---> 81 raise AttributeError(attr) 82 83 AttributeError: netstat In the end i tried the dmesg plugin. On Debian it worked well, but on Ubuntu i got this error: In [8]: vol "dmesg" ------> vol("dmesg") ERROR:root:Error: 'ascii' codec can't decode byte 0xc2 in position 74140: ordinal not in range(128) --------------------------------------------------------------------------- UnicodeDecodeError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs) 194 kwargs['session'] = self 195 result = plugin_cls(**kwargs) --> 196 result.render(fd) 197 198 return result /home/vitax/lin64-support/volatility/plugins/linux/dmesg.py in render(self, outfd) 44 45 def render(self, outfd): ---> 46 outfd.write(self.get_dmesg()) 47 48 /home/vitax/lin64-support/volatility/session.py in write(self, data) 111 def write(self, data): 112 # Encode the data according to the output encoding. --> 113 data = data.encode(self.encoding) 114 try: 115 self.pager.write(data) UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 74140: ordinal not in range(128)

14 years, 1 month

2
1
0 0

using hex values with strings command

by Mike Lambert

I have read the command reference for the strings plugin and do not see an option to specify the string to look for in anything other than ascii. Could strings be expanded to include hex values, perhaps in the form of \x55\x5e\xe2\xfd\x83\xc4 or something like that? Thanks, Mike Lambert

14 years, 2 months

5
8
0 1

FW: [Vol-users] Using Windows XP VMs for testing and windows activation

by Mike Lambert

Thanks Howard, it works like a champ! Mike From: Howard.Patterson(a)tn.gov To: dragonforen(a)hotmail.com Subject: RE: [Vol-users] Using Windows XP VMs for testing and windows activation Date: Thu, 12 Apr 2012 23:27:12 +0000 The easiest way I've found, and one I think will work in your situation, is to boot into Safe Mode with the XP system. Then choose "Start, Run" and enter the following: rundll32.exe syssetup,SetupOobeBnk Those are both the letter "Ohs" in there and it is case sensitive. If it works you won't see any sign of it until you reboot. If you type it incorrectly an error message will come back. This basically resets how long you have to activate (I believe 30 days). -Howard From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilesystems.com] On Behalf Of Mike Lambert Sent: Thursday, April 12, 2012 6:06 PM To: Volatility List Subject: [Vol-users] Using Windows XP VMs for testing and windows activation I have not used VMs in the past to do malware testing because of the windows activation problems I run into. Clone, you have to activate; copy, you have to activate; move, you have to activate. I'm surprised that it still activates! I would like to talk to someone who knows the best way to deal with this. (or not) I'd like to have a clone that is infected that I can go back to later. (I do that now with hard disk images - I can put back a disk image to disk and plug it into the computer and bring it right back up.) I can continue to use my test system, which I do not have any problem with. I blow a copy of a clean system to disk and then go on testing without any activation problems. Let me know if you have a solution. Thanks, Mike

14 years, 2 months

1
0
0 0

Using Windows XP VMs for testing and windows activation

by Mike Lambert

I have not used VMs in the past to do malware testing because of the windows activation problems I run into. Clone, you have to activate; copy, you have to activate; move, you have to activate. I'm surprised that it still activates! I would like to talk to someone who knows the best way to deal with this. (or not) I'd like to have a clone that is infected that I can go back to later. (I do that now with hard disk images - I can put back a disk image to disk and plug it into the computer and bring it right back up.) I can continue to use my test system, which I do not have any problem with. I blow a copy of a clean system to disk and then go on testing without any activation problems. Let me know if you have a solution. Thanks, Mike

14 years, 2 months

2
2
0 0

Server 2008

by Dustin Mooney

All, Has anyone successfully analyzed memory from a windows 2008 server memory dump? This is my third time attempting to do so, and have yet to have any success with volatility. I took the memory dump so I know the profile, however, volatility reports it as a Windows 7 machine. Any advice on how to approach this persistent problem?

14 years, 2 months

3
3
0 0

Analyzing diasassembly with little information

by fd ksdf

Hello! malfind found some suspicious regions and printed the disassembly so I went into volshell to get more information, but what exactly can someone do with this disassembly? As far as I know, there are no symbols, no way to view what is in the registers or these memory addresses, and when I try to disassemble the few CALLs I can, I get a "Memory unreadable" error. >>> dis(0x08070000,512) 0x8070000 55 PUSH EBP 0x8070001 8bec MOV EBP, ESP 0x8070003 83c4ec ADD ESP, -0x14 0x8070006 56 PUSH ESI 0x8070007 57 PUSH EDI 0x8070008 8b4508 MOV EAX, [EBP+0x8] 0x807000b 8bf0 MOV ESI, EAX 0x807000d 8d7dec LEA EDI, [EBP-0x14] 0x8070010 a5 MOVSD 0x8070011 a5 MOVSD 0x8070012 a5 MOVSD 0x8070013 a5 MOVSD 0x8070014 a5 MOVSD 0x8070015 ff75f8 PUSH DWORD [EBP-0x8] 0x8070018 ff55f4 CALL DWORD [EBP-0xc] 0x807001b ff75fc PUSH DWORD [EBP-0x4] 0x807001e 50 PUSH EAX 0x807001f ff55f0 CALL DWORD [EBP-0x10] 0x8070022 50 PUSH EAX 0x8070023 ff55ec CALL DWORD [EBP-0x14] 0x8070026 5f POP EDI 0x8070027 5e POP ESI 0x8070028 8be5 MOV ESP, EBP 0x807002a 5d POP EBP 0x807002b c20400 RET 0x4 0x807002e 8bc0 MOV EAX, EAX 0x8070030 53 PUSH EBX 0x8070031 56 PUSH ESI 0x8070032 57 PUSH EDI 0x8070033 55 PUSH EBP 0x8070034 83c4e8 ADD ESP, -0x18 0x8070037 8be9 MOV EBP, ECX 0x8070039 8bfa MOV EDI, EDX 0x807003b 8bd8 MOV EBX, EAX 0x807003d 33f6 XOR ESI, ESI 0x807003f 6800334000 PUSH DWORD 0x403300 0x8070044 6814334000 PUSH DWORD 0x403314 0x8070049 e85efaffff CALL 0x806faac 0x807004e 50 PUSH EAX 0x807004f e860faffff CALL 0x806fab4 0x8070054 8944240c MOV [ESP+0xc], EAX 0x8070058 6820334000 PUSH DWORD 0x403320 0x807005d 6814334000 PUSH DWORD 0x403314 0x8070062 e845faffff CALL 0x806faac 0x8070067 50 PUSH EAX 0x8070068 e847faffff CALL 0x806fab4 0x807006d 89442408 MOV [ESP+0x8], EAX 0x8070071 6830334000 PUSH DWORD 0x403330 0x8070076 6814334000 PUSH DWORD 0x403314 0x807007b e82cfaffff CALL 0x806faac 0x8070080 50 PUSH EAX 0x8070081 e82efaffff CALL 0x806fab4 0x8070086 89442404 MOV [ESP+0x4], EAX 0x807008a 8bd5 MOV EDX, EBP 0x807008c 8bc3 MOV EAX, EBX 0x807008e 0000 ADD [EAX], AL 0x8070090 0000 ADD [EAX], AL 0x8070092 0000 ADD [EAX], AL 0x8070094 0000 ADD [EAX], AL 0x8070096 0000 ADD [EAX], AL 0x8070098 0000 ADD [EAX], AL 0x807009a 0000 ADD [EAX], AL 0x807009c 0000 ADD [EAX], AL 0x807009e 0000 ADD [EAX], AL [snip] >>> dis(0x806faac) >>> db(0x806faac) Memory unreadable at 0806faac >>>

14 years, 2 months

3
3
0 0

Volatility 1.3 cryptoscan plugin output

by Mike Lambert

Could someone send me a sample of what the output for the cryptoscan plugin output should be? Thanks, Mike

14 years, 2 months

1
0
0 0

"RAM is Key, Extracting Disk Encryption Keys From Volatile Memory" paper

by Mike Lambert

Does anyone have a copy of Brian Kaplan's paper, "RAM is Key, Extracting Disk Encryption Keys From Volatile Memory" that they could email me at dragonforen(a)hotmail.com If so, thank you! Mike

14 years, 2 months

2
1
0 0

decrypting the zeus config file

by malware monna

Hi, I'm using zeusscan2 module against a zeus infected memory dump, i'm able to get the rc4 keys and xor keys as mentioned in this link " http://mnin.blogspot.in/2011/09/abstract-memory-analysis-zeus.html".......i have also downloaded the zeus config file, that this sample tried to download, knowing this information, is it possible to decrypt the config file, if yes, how can i decrypt the config file or what are the steps to decrypt the config file?....and i think the zeuscan plugin is really awesome (Thanks Michael for writing such a great plugin, its really useful?).. Thanks,

14 years, 2 months

1
0
0 0

Hiberfil information

by Dewhirst, Rob

Does this mean volatility can't identify the hiberfil? $ python ~/Volatility/vol.py hibinfo -f hiberfile.sys Volatile Systems Volatility Framework 2.1_alpha No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space EWFAddressSpace: No base address space provided WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space JKIA32PagedMemoryPae: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled WindowsHiberFileSpace32: No xpress signature found EWFAddressSpace: EWF signature not present WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected JKIA32PagedMemory: No valid DTB found JKIA32PagedMemoryPae: No valid DTB found IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space

14 years, 3 months

3
8
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users