I have read the command reference for the strings plugin and do not see an option to specify the string to look for in anything other than ASCII.
Could strings be expanded to include hex values, perhaps in the form of \x55\x5e\xe2\xfd\x83\xc4 or something like that?
Thanks,
Mike Lambert
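As an added illustration of the request above (editor's example, not code from the thread or from the Volatility project): the strings plugin consumes an "offset:string" file, so a hex byte sequence can be searched for outside Volatility and the physical offsets handed to the plugin in that layout. The decimal "offset:label" format is the one Sysinternals strings -o emits and is assumed here to be accepted by the plugin; the sample image is constructed.

```python
import mmap
import re
import sys

# Constructed sample image (not from the thread): filler around three copies of
# the byte sequence from the question; the last copy is preceded by an extra
# 0x55 so the search has to cope with a false start.
PATTERN = "\\x55\\x5e\\xe2\\xfd\\x83\\xc4"
SAMPLE_IMAGE = (b"\x00" * 16 + b"\x55\x5e\xe2\xfd\x83\xc4" + b"A" * 10
                + b"\x55\x5e\xe2\xfd\x83\xc4" + b"\x55\x55\x5e\xe2\xfd\x83\xc4")

_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_escaped(pattern):
    """Turn '\\x55\\x5e...' into bytes; reject anything that is not \\xNN."""
    leftover = _HEX_ESC.sub("", pattern)
    if leftover:
        raise ValueError("only \\xNN escapes are supported, got %r" % leftover)
    return bytes(int(h, 16) for h in _HEX_ESC.findall(pattern))


def find_all(data, needle):
    """Every physical offset of needle in data, overlapping hits included.
    data may be bytes or an mmap object; both provide find(sub, start)."""
    if not needle:
        raise ValueError("empty pattern")
    hits, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1  # advance one byte so overlapping matches are kept


def strings_file_lines(data, pattern):
    """'offset:label' lines with a decimal offset, the layout Sysinternals
    strings -o produces (assumed here to be what the strings plugin reads)."""
    needle = parse_escaped(pattern)
    label = "".join("\\x%02x" % b for b in needle)
    return ["%d:%s" % (off, label) for off in find_all(data, needle)]


def scan_file(path, pattern):
    """Scan a raw image on disk without reading it all into memory."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return strings_file_lines(mm, pattern)


if __name__ == "__main__":
    # usage: hexstrings.py <image> '<\xNN pattern>' > hits.txt
    lines = (scan_file(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
             else strings_file_lines(SAMPLE_IMAGE, PATTERN))
    print("\n".join(lines))
```

The hits.txt produced this way is then passed to the strings plugin like any other strings file, which maps each physical offset to the owning process and virtual address.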
Thanks Howard, it works like a champ!
Mike
From: Howard.Patterson(a)tn.gov
To: dragonforen(a)hotmail.com
Subject: RE: [Vol-users] Using Windows XP VMs for testing and windows activation
Date: Thu, 12 Apr 2012 23:27:12 +0000
The easiest way I've found, and one I think will work in your situation, is to boot into Safe Mode with the XP system. Then choose "Start, Run" and enter the following:
rundll32.exe syssetup,SetupOobeBnk
Those are both the letter "Ohs" in there and it is case sensitive. If it works you won't see any sign of it until you reboot. If you type it incorrectly an error message will come back. This basically resets how long you have to activate (I believe 30 days).
-Howard
From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilesystems.com] On Behalf Of Mike Lambert
Sent: Thursday, April 12, 2012 6:06 PM
To: Volatility List
Subject: [Vol-users] Using Windows XP VMs for testing and windows activation
I have not used VMs in the past to do malware testing because of the windows activation problems I run into. Clone, you have to activate; copy, you have to activate; move, you have to activate. I'm surprised that it still activates!
I would like to talk to someone who knows the best way to deal with this. (or not) I'd like to have a clone that is infected that I can go back to later. (I do that now with hard disk images - I can put back a disk image to disk and plug it into the computer and bring it right back up.)
I can continue to use my test system, which I do not have any problem with. I blow a copy of a clean system to disk and then go on testing without any activation problems.
Let me know if you have a solution.
Thanks,
Mike
All,
Has anyone successfully analyzed memory from a Windows 2008 server memory dump? This is my third time attempting to do so, and I have yet to have any success with volatility. I took the memory dump so I know the profile; however, volatility reports it as a Windows 7 machine. Any advice on how to approach this persistent problem?
Does anyone have a copy of Brian Kaplan's paper, "RAM is Key, Extracting Disk Encryption Keys From Volatile Memory", that they could email me at dragonforen(a)hotmail.com?
If so, thank you!
Mike
Hi,
I'm using the zeusscan2 module against a Zeus-infected memory dump. I'm able to get the RC4 keys and XOR keys as mentioned in this link:
http://mnin.blogspot.in/2011/09/abstract-memory-analysis-zeus.html
I have also downloaded the Zeus config file that this sample tried to download. Knowing this information, is it possible to decrypt the config file? If yes, how can I decrypt the config file, or what are the steps to decrypt the config file? And I think the zeusscan plugin is really awesome (thanks Michael for writing such a great plugin, it's really useful).
Thanks,
Does this mean volatility can't identify the hiberfil?
$ python ~/Volatility/vol.py hibinfo -f hiberfile.sys
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: No base address space provided
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
EWFAddressSpace: EWF signature not present
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
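The address-space trace above ends with WindowsHiberFileSpace32 reporting that no xpress signature was found, so before blaming the tool it helps to confirm what the file actually contains. The following triage script is an added example (editor's code, not part of the thread or of Volatility); the header-signature meanings and the xpress block marker it checks are the usual forensic reading of XP/Vista/7 hibernation files and are stated as assumptions, and both sample files are constructed.

```python
import mmap
import sys

# Signature carried by the Xpress-compressed pages of an XP/Vista/7 hiberfil;
# it is the marker WindowsHiberFileSpace32 reports as missing in the trace.
XPRESS_MAGIC = b"\x81\x81xpress"
PAGE = 4096

# Constructed sample files (not real hibernation data): a minimal header
# followed by one xpress block, and a file whose header page was zeroed.
SAMPLE_VALID = b"hibr" + b"\x00" * (PAGE - 4) + XPRESS_MAGIC + b"\x11" * 64
SAMPLE_WIPED = b"\x00" * (2 * PAGE)


def header_status(head):
    """Classify the 4-byte signature at offset 0 (meanings are the common
    forensic reading, an assumption of this example, not from the thread)."""
    sig = bytes(head[:4])
    if sig.lower() == b"hibr":
        return "valid"      # written at hibernate time, not yet resumed from
    if sig.lower() == b"wake":
        return "resumed"    # system resumed from it; contents may be stale
    if sig == b"\x00" * 4:
        return "zeroed"     # header wiped, typical after a resume
    return "unknown"        # probably not a hiberfil at all


def find_xpress_blocks(data, max_hits=16):
    """Offsets of the first few xpress block signatures in the file."""
    hits, start = [], 0
    while len(hits) < max_hits:
        idx = data.find(XPRESS_MAGIC, start)
        if idx == -1:
            break
        hits.append(idx)
        start = idx + len(XPRESS_MAGIC)
    return hits


def triage(data):
    """Summarise what a hiberfil address-space loader would find."""
    status = header_status(data[:4])
    blocks = find_xpress_blocks(data)
    if status == "valid" and blocks:
        verdict = "looks like a loadable hiberfil"
    elif not blocks:
        verdict = "no xpress blocks: wrong file, truncated copy or unsupported format"
    else:
        verdict = "xpress blocks present but header %s: expect load failures" % status
    return {"header": status, "xpress_offsets": blocks, "verdict": verdict}


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        print(triage(mm))
```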
Hello,
Over the last week or so, when I've done an svn update on the
2.1_alpha code, I've been receiving the following errors:
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp2_x64 (AttributeError:
'module' object has no attribute 'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.win7_sp0_x86
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import volatility.plugins.zeusscan1 (AttributeError:
'module' object has no attribute 'ImpScan')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp1_x86 (AttributeError:
'module' object has no attribute 'AbstractWindowsX86')
*** Failed to import volatility.plugins.zeusscan2 (AttributeError:
'module' object has no attribute 'ApiHooks')
*** Failed to import volatility.plugins.overlays.windows.vista_sp1_x86
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.vista_sp2_x86
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp1_x64 (AttributeError:
'module' object has no attribute 'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.xp_sp3_x86
(AttributeError: 'module' object has no attribute 'nt_types')
*** Failed to import volatility.plugins.evtlogs (AttributeError:
'module' object has no attribute 'LdrModules')
*** Failed to import volatility.plugins.overlays.windows.vista_sp1_x64
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp0_x86 (AttributeError:
'module' object has no attribute 'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.win7_sp1_x64
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp2_x86 (AttributeError:
'module' object has no attribute 'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.vista_sp0_x64
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.vista_sp2_x64
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.xp_sp2_x86
(AttributeError: 'module' object has no attribute 'nt_types')
*** Failed to import volatility.plugins.timeliner (AttributeError:
'module' object has no attribute 'LdrModules')
*** Failed to import volatility.plugins.overlays.windows.vista_sp0_x86
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
*** Failed to import volatility.plugins.overlays.windows.win7_sp0_x64
(AttributeError: 'module' object has no attribute
'AbstractWindowsX86')
(This is with revision 1558)
This is just from doing an imageinfo. I was thinking since it
includes plugins that some plugins need to be updated for 2.1, but I
didn't want to make the assumption.
It does finish the KDBG search and give me the correct profile, so
it's parsing the dump. Just wasn't sure about the errors.
Thanks,
Tom