- Vol-users - volatilityfoundation.org

by Andre' M. DiMino

I just did an svn update to version 1327 and I'm now noticing the following errors upon execution of any volatility command. For example: ~/tools/Volatility/vol.py -f XP_SP3.vmem imageinfo Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86) : snip : ~/tools/Volatility/vol.py -f XP_SP3.vmem --profile=WinXPSP3x86 connscan Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') Offset(P) Local Address Remote Address Pid ---------- ------------------------- ------------------------- ------ 0x0219fa40 0.0.0.0:19272 0.0.0.0:55542 2147487916 ~/tools/Volatility/vol.py -f XP_SP3.vmem --profile=WinXPSP3x86 modules Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') Offset(V) File Base Size Name 0x823fc3a0 \WINDOWS\system32\ntkrnlpa.exe 0x00804d7000 0x1f8580 ntoskrnl.exe 0x823fc338 \WINDOWS\system32\hal.dll 0x00806d0000 0x020300 hal.dll : snip : Everything seems to complete OK so far, but I'm wondering what might have caused these new error messages. Thanks! Andre' -- Andre' M. DiMino DeepEnd REsearch http://deependresearch.org http://sempersecurus.org "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

14 years

3
3
0 0

Volatility-Linux TypeError

by Patrick Burkard

Hello, in the last view weeks i've tried to analyze Linux memorydumps with the volatility-linux Version (Revision 1313 from svn). My goal is to show that it is possible to discover hidden processes, kernelmodules etc. (for example from a rootkit) from a memory dump. By comparing the output from the memorydump analysis with the native execution of the system commands. I created a profile for the current stable Debian version. Trying to use this profile leads to the following TypeError: python volatility.py --profile=LinuxDebian26325 -f ~/Desktop/LF32.ram linux_task_list_ps Volatile Systems Volatility Framework 1.4_rc1 Name Pid Uid Traceback (most recent call last): File "volatility.py", line 129, in <module> main() File "volatility.py", line 120, in main command.execute() File "/home/dark-eye/Sources/volatility_linux/volatility/commands.py", line 101, in execute func(outfd, data) File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 59, in render_text for task in data: File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 50, in calculate for task in linux_common.walk_list_head("task_struct", "tasks", init_task.tasks, self.addr_space): File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_common.py", line 110, in walk_list_head yield obj.Object(struct_name, offset = list_ptr - offset, vm = addr_space) TypeError: unsupported operand type(s) for -: 'instancemethod' and 'int' I would really appreciate to debug or help to debug this issue. Sadly I can't find a way to evaluate the correctness of the kernel-profile. Is this a known problem from volatility-linux or could it be the result of a failure i've made while creating the debian profile? Thanks for every hint! Greetings Patrick

14 years

5
11
0 0

Vote Volatility: 2011 Toolsmith Tool of the Year

by AAron Walters

In case you may have missed it, Volatility 2.0 has been nominated for the ISSA Journal's Toolsmith Tool of the Year. If you believe in open source forensics tools and want to show your support for the Volatility team, please take a few moments to cast your vote! Feel free to tell all your friends and family to vote as well! You have until January 31 to vote from all your machines! http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-y… X September - Volatility for memory analysis If you need extra motivation, you may want to check out the 64-bit Beta support recently merged into trunk! Bug reports welcome! Enjoy! Thanks, The Volatility Project (TVP)

14 years

1
0
0 0

api hooking

by malware monna

Hi All, i'm new to Volatility, i was trying to analyze a spyeye sample, and while running apihooks i got the below output, it looks like there is inline api hook and i see jump into this 0xba.....location.... i would like to know the DLL that is associated with a JMP, in this case it shows unknown............how can i determine the dll? and how can dump the dll from the memory?.....any information would be helpful, sorry this could be a stupid question. VMwareUser.exe[636] inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN) VMwareUser.exe[636] inline wininet.dll!InternetReadFileExA[0x78082ae2] 0x78082ae2 JMP 0xbaf1526 (UNKNOWN) VMwareUser.exe[636] inline wininet.dll!InternetWriteFile[0x78073645] 0x78073645 JMP 0xbaf2d4b (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN) VMwareUser.exe[636] inline crypt32.dll!PFXImportCertStore[0x77aeff8f] 0x77aeff8f JMP 0xbae0b02 (UNKNOWN) VMwareUser.exe[636] inline user32.dll!TranslateMessage[0x7e418bf6] 0x7e418bf6 JMP 0xbadc47f (UNKNOWN) VMwareUser.exe[636] inline advapi32.dll!CryptEncrypt[0x77dee340] 0x77dee340 JMP 0xbaeda23 (UNKNOWN) VMwareUser.exe[636] inline ws2_32.dll!send[0x71ab4c27] 0x71ab4c27 JMP 0xbaee35d (UNKNOWN) ctfmon.exe[768] inline ntdll.dll!NtClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN) ctfmon.exe[768] inline ntdll.dll!ZwClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) Thanks

14 years, 1 month

2
1
0 0

Re: [Vol-users] profile based plugin list

by Jamie Levy

> Is there list of plugins on a per profile basis. > For eg. connections, sockscan, sockets don't work for Windows 7 dumps. I > didnot know this and was wondering what would've gone wrong > > > -- > Eknath Venkataramani We have most of the plugins broken down here (note the "OS Support" column): http://code.google.com/p/volatility/wiki/FeaturesByPlugin Also you can often see notes like that here: http://code.google.com/p/volatility/wiki/CommandReference All the best, -gleeda

14 years, 2 months

2
1
0 0

profile based plugin list

by Eknath Venkataramani

Is there list of plugins on a per profile basis. For eg. connections, sockscan, sockets don't work for Windows 7 dumps. I didnot know this and was wondering what would've gone wrong -- Eknath Venkataramani

14 years, 2 months

1
0
0 0

Identifying HIPS process injection

by Darren Spruell

I've got a suspect process running on a system. 0x0703fcb8 8880792.tmp 5940 1504 0x0b353000 2011-05-27 07:00:12 %Windir%\Temp\8880792.tmp It's 64K on disk and looks like it's packed with Armadillo: File Name: 8880792.tmp File Size: 65536 File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5 Hash: fec737234a47ae90ee79af44d3081a4d SHA1 Hash: 4fb9abf6aba05ec1232b98ab39073c7635f7b9aa Cymru MHR: Not listed Packer ID(s): => Armadillo v1.71 Number of sections: 3 -------------------- ('.text\x00\x00\x00', '0x1000', '0xb446', 49152) ('.rdata\x00\x00', '0xd000', '0x15d2', 8192) ('.data\x00\x00\x00', '0xf000', '0x20c0', 4096) I dump process memory (procmemdump) and end up with strings not much different than what I get for the file on disk. The procmemdump output is about 10K larger. The memdump output is 245M and going through the addressable memory contents I get loads of suspicious data that looks like it's related to malware. Samples: are\EES\BIFROST //sharedfreehosting.c USER remote hello keypublic WEBCAM Ekran.png Ekran.bmp 60.167.78.224 www.proxyserverlist.biz proxy_checker/index.php ClientSocket www.66444.com open ww4.tmdqq.net/51lin www3.57185.com/is686_.h 1.hao591.net/is6 exefile=cdb.exe dllfile=test.dll regedits=stubpath tp://bravor.net w.ya.ru whatismyip.co Welcom to BackDor serv by emPyte Fan666` . tem\lsass.ex ion\Run *sniff* sad yo, PRIVMSG Splinter ddos v1.0 INFECT Plus! terra.com.mx send.aspx?id= Windll22.exe !reboot !reconnect !join !pwl !connection !switch !chatslaves Connected to NetShadow v1.2 Server ID: F:\Work\TEST MyFunlove \calc.ex LAgPCfAGCxoRI CwgMCA8JERAO9x Chat-Fenster pcinfo Resolution: tmdqq.net 57185.com szfocus.net cool-pic.com dcomScaner Vortex1 mazafaka GONNA BE AN IRCF HTTP://WWW.ASEXVIDEO HACKTOOLZ ?ACTION=LOGIN&SEND= ICQBETA I suppose though that this is data from the HIPS application that has been injected into this executable's process space. The same strings are present in the memory space of all processes. I want to confirm this by finding an indicator in the process memory that attributes this data to the HIPS application. What is the best way to do this? My initial suspicion is that the VAD table could show me that. Is this right? How could this analysis proceed in Volatility? The 'modules' plugin shows me a couple of entries that I suspect relate to it. 0x8a3c01e8 mfehidk.sys 0x00f70a9000 0x052000 mfehidk.sys 0x89030a20 \SystemRoot\system32\drivers\mfetdik.sys 0x00f7697000 0x00e000 mfetdik.sys 0x89237e68 \Device\mfehidk01.sys 0x00b7f38000 0x053000 mfehidk01.sys -- Darren Spruell phatbuckett(a)gmail.com

14 years, 2 months

2
1
0 0

stuxnet.vmem and VMware

by G. Scott Graham

MHL has been helpful in the past, but I thought I would throw this one out to a wider audience. Simply put, I asked my sysadmin, who has helped me set up my VMware environment, to set up an XP SP3 VM and load stuxnet.vmem as the suspended memory image. VMware crapped out with "A fault has occurred causing the virtual CPU to enter the shutdown state. ..." Does anyone have any insight here? Is stuxnet.vmem the suspended memory image of a Stuxnet infected XP SP3 machine? If it had worked, I wanted to get sysinternals running on the VM, so that I would have sysinternals and Volatility insight into Stuxnet -- although not approaching what Mark Russinovitch was able to show with booting up the machine and infecting it from the start. For educational purposes, for the class I am teaching. Thanks for any guidance, VMware or stuxnet. bfn -- Professor G. Scott Graham administratively: Dean's Designate for Academic Offences academically: Associate Professor, Computer Science and Forensic Science University of Toronto Mississauga

14 years, 2 months

2
1
0 0

Re: [Vol-users] how does malfind plugin work

by malware monna

Hi Curt/Michael, Thanks for the reponse, i need little bit of help, as i'm new to memory forensics...i need your help in understanding how to interpret the results ....any material on additional information on this topic will be helpful Thanks, Monnappa On Tue, Oct 25, 2011 at 9:55 AM, Curt Wilson <research(a)perpetualhorizon.org>wrote: > > > Michael Ligh responded, but it's possible that you might need more > explanation. While I'm not an expert, I'm getting better and would be glad > to try to help you understand the assembly if necessary. Let me know and > I'll see if I can help, if you don't already have it down. > > > > > > > On 10/22/2011 3:17 PM, malware monna wrote: > > Hi All, > > I'm new to volatility and i was reading one of the article on the > internet and found the below output, so i was curious to know what does > below ouput mean?, can anybody please help me understand the malfind pluging > and the below ouput, any info would be useful. > > > --------------------------------------------------------------------------------------------------------------------------------------- > > VMwareTray.exe 432 0x00e30000 0xe30fff00 VadS 0 > PAGE_EXECUTE_R > EADWRITE > Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp > 0x00e30000 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9 > .5.......{...... > > 0x00e30010 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff > O..{..U.....>v.. > > 0x00e30020 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53 > U....v9v..U....S > > 0x00e30030 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b > :v..U.....>v..U. > > 0x00e30040 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76 > ....9v..U...O~<v > > 0x00e30050 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9 > ..U....2:v..U... > > 0x00e30060 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76 > }a9vj,h...w...9v > > 0x00e30070 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9 > ..U......p..U... > > Disassembly: > 00e30000: b835000000 MOV EAX, 0x35 > 00e30005: e9cdd7ad7b JMP 0x7c90d7d7 > 00e3000a: b891000000 MOV EAX, 0x91 > 00e3000f: e94fdfad7b JMP 0x7c90df63 > 00e30014: 8bff MOV EDI, EDI > 00e30016: 55 PUSH EBP > 00e30017: 8bec MOV EBP, ESP > 00e30019: e9ef173e76 JMP 0x7721180d > 00e3001e: 8bff MOV EDI, EDI > 00e30020: 55 PUSH EBP > > --------------------------------------------------------------------------------------------------------------------------------------------- > > Thanks > > > _______________________________________________ > Vol-users mailing listVol-users@volatilityfoundation.orghttp://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > > -- > Curt Wilson > Research Analyst, Arbor Networks ASERT cwilson(a)arbor.net > Personal Security Research: research(a)perpetualhorizon.org > >

14 years, 3 months

1
0
0 0

Need some assistance with strings output

by Tom Yarrish

Hello all, I'm looking for some guidance on next steps with some data I have from a memory analysis. I was following the steps on using strings to look for processes that might have malicious IP's or URL's in memory: https://code.google.com/p/volatility/wiki/CommandReference#strings The issue I'm having now is where to proceed with the output I have. So for example in my URL.txt file I have this: 1b64666b7 [2632:834520759] http://ghc.ru 1b646674d [2632:834520909] http://rst.void.ru Now my understanding of the output is [PID:Address Space]. The particular PID in this instance refers to: 0x89c82020 WINWORD.EXE 2632 2284 11 943 2011-10-11 15:07:13 So how do I go deeper in to looking at why winword.exe may be making http requests? And what does the first value (ex 1b64666b7) refer to? Is that the virtual address in the memory dump file or something else? If there's any additional docs online I could look at to explain this further that would be helpful as well. Thanks ahead of time, Tom

14 years, 3 months

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users