> Is there a list of plugins on a per-profile basis?
> For example, connections, sockscan and sockets don't work for Windows 7 dumps. I
> did not know this and was wondering what would've gone wrong.
>
>
> --
> Eknath Venkataramani
We have most of the plugins broken down here (note the "OS Support" column):
http://code.google.com/p/volatility/wiki/FeaturesByPlugin
Also you can often see notes like that here:
http://code.google.com/p/volatility/wiki/CommandReference
All the best,
-gleeda
Is there a list of plugins on a per-profile basis?
For example, connections, sockscan and sockets don't work for Windows 7 dumps. I
did not know this and was wondering what would've gone wrong.
--
Eknath Venkataramani
I've got a suspect process running on a system.
0x0703fcb8 8880792.tmp 5940 1504 0x0b353000 2011-05-27 07:00:12
%Windir%\Temp\8880792.tmp
It's 64K on disk and looks like it's packed with Armadillo:
File Name: 8880792.tmp
File Size: 65536
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 Hash: fec737234a47ae90ee79af44d3081a4d
SHA1 Hash: 4fb9abf6aba05ec1232b98ab39073c7635f7b9aa
Cymru MHR: Not listed
Packer ID(s):
=> Armadillo v1.71
Number of sections: 3
--------------------
('.text\x00\x00\x00', '0x1000', '0xb446', 49152)
('.rdata\x00\x00', '0xd000', '0x15d2', 8192)
('.data\x00\x00\x00', '0xf000', '0x20c0', 4096)
I dump process memory (procmemdump) and end up with strings not much
different from what I get for the file on disk. The procmemdump output
is about 10K larger.
The memdump output is 245M and going through the addressable memory
contents I get loads of suspicious data that looks like it's related
to malware. Samples:
are\EES\BIFROST
//sharedfreehosting.c
USER remote
hello keypublic
WEBCAM Ekran.png Ekran.bmp
60.167.78.224
www.proxyserverlist.biz
proxy_checker/index.php
ClientSocket
www.66444.com
open
ww4.tmdqq.net/51linwww3.57185.com/is686_.h1.hao591.net/is6
exefile=cdb.exe
dllfile=test.dll
regedits=stubpath
tp://bravor.net
w.ya.ru
whatismyip.co
Welcom to BackDor serv by emPyte
Fan666` .
tem\lsass.ex
ion\Run
*sniff*
sad
yo,
PRIVMSG
Splinter ddos v1.0
INFECT
Plus!
terra.com.mx
send.aspx?id=
Windll22.exe
!reboot
!reconnect
!join
!pwl
!connection
!switch
!chatslaves
Connected to
NetShadow v1.2
Server ID:
F:\Work\TEST MyFunlove
\calc.ex
LAgPCfAGCxoRI
CwgMCA8JERAO9x
Chat-Fenster
pcinfo
Resolution:
tmdqq.net57185.comszfocus.netcool-pic.com
dcomScaner
Vortex1 mazafaka
GONNA BE AN IRCF
HTTP://WWW.ASEXVIDEO
HACKTOOLZ
?ACTION=LOGIN&SEND=
ICQBETA
I suppose though that this is data from the HIPS application that has
been injected into this executable's process space. The same strings
are present in the memory space of all processes. I want to confirm
this by finding an indicator in the process memory that attributes
this data to the HIPS application. What is the best way to do this?
My initial suspicion is that the VAD table could show me that. Is this
right? How could this analysis proceed in Volatility? The 'modules'
plugin shows me a couple of entries that I suspect relate to it.
0x8a3c01e8 mfehidk.sys
0x00f70a9000 0x052000 mfehidk.sys
0x89030a20 \SystemRoot\system32\drivers\mfetdik.sys
0x00f7697000 0x00e000 mfetdik.sys
0x89237e68 \Device\mfehidk01.sys
0x00b7f38000 0x053000 mfehidk01.sys
--
Darren Spruell
phatbuckett(a)gmail.com
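The check asked for above, as an added example that is not part of the thread or of Volatility: take the virtual addresses at which the suspicious strings were found (the strings plugin prints them as pid:vaddr) and look each one up in the process's VAD table (start, end, protection and backing file, as printed by vadinfo for that PID). A hit inside a region backed by a mapped file is attributed to that file; a hit in a private VadS region or outside every VAD is not. The VAD entries, the "hips_hook.dll" name and the hit addresses below are constructed for the demonstration and are not data from the analysed image.

```python
"""Attribute string hits in a process's address space to VAD regions.

Added example, not code from the original post or from Volatility.  Given
the virtual address of each suspicious string and the process's VAD list
(what vadinfo prints), it reports which mapped file, if any, backs the
page the string lives in.  All data below is constructed; the file names
and addresses are assumptions, not findings.
"""
import bisect
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vad:
    start: int                   # first byte of the region
    end: int                     # last byte of the region (inclusive, as vadinfo prints it)
    protection: str              # e.g. PAGE_EXECUTE_WRITECOPY
    mapped_file: Optional[str]   # backing file, or None for private memory (VadS)


# Constructed VAD table for the suspect process.  "hips_hook.dll" is a
# hypothetical name standing in for a security product's injected DLL.
VADS: List[Vad] = sorted([
    Vad(0x00400000, 0x0040ffff, "PAGE_EXECUTE_WRITECOPY", r"\WINDOWS\Temp\8880792.tmp"),
    Vad(0x00150000, 0x0024ffff, "PAGE_READWRITE", None),               # heap (private)
    Vad(0x7c900000, 0x7c9affff, "PAGE_EXECUTE_WRITECOPY", r"\WINDOWS\system32\ntdll.dll"),
    Vad(0x10000000, 0x1004ffff, "PAGE_EXECUTE_WRITECOPY", r"\Program Files\HIPS\hips_hook.dll"),
], key=lambda v: v.start)
_STARTS = [v.start for v in VADS]


def find_vad(vads: List[Vad], starts: List[int], addr: int) -> Optional[Vad]:
    """Return the VAD containing addr, or None if it lies outside every region."""
    i = bisect.bisect_right(starts, addr) - 1
    if i < 0:
        return None
    v = vads[i]
    return v if v.start <= addr <= v.end else None


def attribute(hits: List[Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Map (vaddr, string) hits to (string, attribution) pairs.

    Attribution is the backing file for image-mapped regions, "private"
    for anonymous memory and "unmapped" for addresses outside every VAD.
    """
    out = []
    for addr, s in hits:
        v = find_vad(VADS, _STARTS, addr)
        if v is None:
            label = "unmapped"
        elif v.mapped_file is None:
            label = "private"
        else:
            label = v.mapped_file
        out.append((s, label))
    return out


# Constructed string hits: (virtual address in the process, string).
HITS = [
    (0x00401234, "8880792.tmp"),
    (0x10012000, "Splinter ddos v1.0"),
    (0x10012800, "NetShadow v1.2"),
    (0x001a0000, "www.proxyserverlist.biz"),
    (0x7ffe0000, "Welcom to BackDor serv by emPyte"),
]

if __name__ == "__main__":
    for s, label in attribute(HITS):
        print(f"{s!r:40} -> {label}")
```

With real data the same lookup runs over the strings plugin's pid:vaddr column and vadinfo's region list; a string that resolves to a region backed by a security product's DLL in every process is explained by that DLL, while a string in an unbacked private region of one process is not.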
MHL has been helpful in the past, but I thought I would throw this one out
to a wider audience.
Simply put, I asked my sysadmin, who has helped me set up my VMware
environment, to set up an XP SP3 VM and load stuxnet.vmem as the suspended
memory image. VMware crapped out with "A fault has occurred causing the
virtual CPU to enter the shutdown state. ..." Does anyone have any insight
here? Is stuxnet.vmem the suspended memory image of a Stuxnet infected XP
SP3 machine?
If it had worked, I wanted to get sysinternals running on the VM, so that I
would have sysinternals and Volatility insight into Stuxnet -- although not
approaching what Mark Russinovich was able to show with booting up the
machine and infecting it from the start. For educational purposes, for the
class I am teaching.
Thanks for any guidance, VMware or stuxnet. bfn
--
Professor G. Scott Graham
administratively: Dean's Designate for Academic Offences
academically: Associate Professor, Computer Science and Forensic Science
University of Toronto Mississauga
Hi Curt/Michael,
Thanks for the response. I need a little bit of help, as I'm new to
memory forensics. I need your help in understanding how to interpret the
results. Any material or additional information on this topic will be
helpful.
Thanks,
Monnappa
On Tue, Oct 25, 2011 at 9:55 AM, Curt Wilson <research(a)perpetualhorizon.org> wrote:
>
>
> Michael Ligh responded, but it's possible that you might need more
> explanation. While I'm not an expert, I'm getting better and would be glad
> to try to help you understand the assembly if necessary. Let me know and
> I'll see if I can help, if you don't already have it down.
>
> On 10/22/2011 3:17 PM, malware monna wrote:
>
> Hi All,
>
> I'm new to volatility and I was reading one of the articles on the
> internet and found the output below, so I was curious to know what the
> output below means. Can anybody please help me understand the malfind plugin
> and the output below? Any info would be useful.
>
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> VMwareTray.exe 432 0x00e30000 0xe30fff00 VadS 0 PAGE_EXECUTE_READWRITE
> Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp
> 0x00e30000 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9 .5.......{......
> 0x00e30010 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff O..{..U.....>v..
> 0x00e30020 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53 U....v9v..U....S
> 0x00e30030 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b :v..U.....>v..U.
> 0x00e30040 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76 ....9v..U...O~<v
> 0x00e30050 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9 ..U....2:v..U...
> 0x00e30060 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76 }a9vj,h...w...9v
> 0x00e30070 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9 ..U......p..U...
> Disassembly:
> 00e30000: b835000000 MOV EAX, 0x35
> 00e30005: e9cdd7ad7b JMP 0x7c90d7d7
> 00e3000a: b891000000 MOV EAX, 0x91
> 00e3000f: e94fdfad7b JMP 0x7c90df63
> 00e30014: 8bff MOV EDI, EDI
> 00e30016: 55 PUSH EBP
> 00e30017: 8bec MOV EBP, ESP
> 00e30019: e9ef173e76 JMP 0x7721180d
> 00e3001e: 8bff MOV EDI, EDI
> 00e30020: 55 PUSH EBP
>
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Thanks
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
> --
> Curt Wilson
> Research Analyst, Arbor Networks ASERT cwilson(a)arbor.net
> Personal Security Research: research(a)perpetualhorizon.org
>
>
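An added example, not part of the thread, of Volatility or of the malware under discussion, that decodes the quoted malfind dump by hand. The "Disassembly:" section of the output is a linear sweep over a handful of opcodes: B8 imm32 (MOV EAX, imm32), E9 rel32 (a near relative JMP whose absolute target is the address of the next instruction plus the sign-extended displacement), and the three-instruction prologue 8B FF / 55 / 8B EC. Computing the targets yourself confirms the values malfind printed (0x7c90d7d7, 0x7c90df63, 0x7721180d) and gives you addresses to look up with dlllist to see which loaded module they fall in. The reading of each 5-byte group as a displaced function prologue followed by a JMP back is my interpretation of the bytes, not something the post states; the bytes themselves are copied from the post.

```python
"""Decode the JMP targets in a malfind hex dump.

Added example, not code from the original post or from Volatility.  It
parses the hex-dump lines quoted above, then decodes the few x86
instruction forms present: MOV EAX, imm32 (B8), near JMP rel32 (E9),
MOV EDI, EDI (8B FF), PUSH EBP (55), MOV EBP, ESP (8B EC), PUSH imm8 (6A)
and PUSH imm32 (68).  A JMP's target is next_ip + rel32, wrapped to 32 bits.
"""
import re
import struct
from typing import Dict, List, Tuple

# Hex-dump lines as malfind printed them (address, 16 bytes, ASCII column).
DUMP = """
0x00e30000 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9 .5.......{......
0x00e30010 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff O..{..U.....>v..
0x00e30020 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53 U....v9v..U....S
0x00e30030 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b :v..U.....>v..U.
0x00e30040 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76 ....9v..U...O~<v
0x00e30050 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9 ..U....2:v..U...
0x00e30060 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76 }a9vj,h...w...9v
0x00e30070 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9 ..U......p..U...
"""

# Address, then 1..16 hex byte pairs; the ASCII column after them is ignored.
_LINE = re.compile(r"^0x([0-9a-f]{8})((?: [0-9a-f]{2}){1,16})", re.I)


def parse_dump(text: str) -> Tuple[int, bytes]:
    """Return (base address, contiguous bytes) from malfind hex-dump lines."""
    base = None
    buf = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        assert addr == base + len(buf), "non-contiguous dump"
        buf += bytes.fromhex(m.group(2).replace(" ", ""))
    return base, bytes(buf)


def jmp_target(insn_addr: int, code: bytes) -> int:
    """Absolute target of an E9 rel32 JMP located at insn_addr (32-bit wrap)."""
    assert code[0] == 0xE9 and len(code) >= 5
    rel = struct.unpack_from("<i", code, 1)[0]   # signed displacement
    return (insn_addr + 5 + rel) & 0xFFFFFFFF


def disassemble(base: int, code: bytes) -> List[Tuple[int, str]]:
    """Linear sweep over the opcodes present in this dump; unknown bytes become DB."""
    out: List[Tuple[int, str]] = []
    i = 0
    while i < len(code):
        a, b = base + i, code[i]
        if b == 0xB8 and i + 5 <= len(code):              # MOV EAX, imm32
            out.append((a, f"MOV EAX, {struct.unpack_from('<I', code, i + 1)[0]:#x}")); i += 5
        elif b == 0xE9 and i + 5 <= len(code):            # JMP rel32
            out.append((a, f"JMP {jmp_target(a, code[i:i + 5]):#010x}")); i += 5
        elif code[i:i + 2] == b"\x8b\xff":                # MOV EDI, EDI
            out.append((a, "MOV EDI, EDI")); i += 2
        elif b == 0x55:                                   # PUSH EBP
            out.append((a, "PUSH EBP")); i += 1
        elif code[i:i + 2] == b"\x8b\xec":                # MOV EBP, ESP
            out.append((a, "MOV EBP, ESP")); i += 2
        elif b == 0x6A and i + 2 <= len(code):            # PUSH imm8
            out.append((a, f"PUSH {code[i + 1]:#x}")); i += 2
        elif b == 0x68 and i + 5 <= len(code):            # PUSH imm32
            out.append((a, f"PUSH {struct.unpack_from('<I', code, i + 1)[0]:#x}")); i += 5
        else:                                             # truncated or not handled
            out.append((a, f"DB {b:#04x}")); i += 1
    return out


def jmp_targets(base: int, code: bytes) -> Dict[int, int]:
    """Map each JMP's own address to its absolute destination."""
    return {a: int(t.split()[1], 16) for a, t in disassemble(base, code) if t.startswith("JMP")}


if __name__ == "__main__":
    base, code = parse_dump(DUMP)
    for a, t in disassemble(base, code):
        print(f"{a:08x}: {t}")
```

The last E9 at 0x00e3007f has no displacement inside the dumped 128 bytes, so the sweep emits it as a data byte rather than guessing a target; malfind stops its disassembly for the same reason.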
Hello all,
I'm looking for some guidance on next steps with some data I have from
a memory analysis.
I was following the steps on using strings to look for processes that
might have malicious IPs or URLs in memory:
https://code.google.com/p/volatility/wiki/CommandReference#strings
The issue I'm having now is where to proceed with the output I have.
So for example in my URL.txt file I have this:
1b64666b7 [2632:834520759] http://ghc.ru
1b646674d [2632:834520909] http://rst.void.ru
Now my understanding of the output is [PID:Address Space]. The
particular PID in this instance refers to:
0x89c82020 WINWORD.EXE 2632 2284 11 943 2011-10-11 15:07:13
So how do I go deeper in to looking at why winword.exe may be making
http requests? And what does the first value (ex 1b64666b7) refer to?
Is that the virtual address in the memory dump file or something
else?
If there's any additional docs online I could look at to explain this
further that would be helpful as well.
Thanks ahead of time,
Tom
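An added example, not part of the thread and not the Volatility strings plugin itself, of what that plugin's output means. The first column is the offset column produced by the strings utility, i.e. a byte offset into the memory image file (a physical address); the plugin's job is to find every process whose page tables map the physical page containing that offset and print [pid:virtual address] for each one. The block below performs the same reverse mapping over a constructed page table. The two lines from the post are reproduced by assuming that PID 2632 maps physical page 0x1b6466000 at virtual page 0x31bdc000, and that a second process (PID 1504) maps the same frame; both mappings and the extra strings lines are assumptions for the demonstration, not data from the image.

```python
"""Reverse-map `strings -t x` offsets to [pid:vaddr], as the strings plugin does.

Added example, not the Volatility strings plugin.  The low 12 bits of an
address survive a 4 KiB page translation unchanged, so a physical offset
is resolved by looking up its page frame in an inverted page table and
re-attaching the in-page offset to each virtual page that maps it.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

PAGE_MASK = 0xFFF   # 4 KiB pages

# Constructed per-process mapping: (pid, virtual page) -> physical page.
# In Volatility this comes from walking each process's page tables.
PAGE_TABLES: Dict[Tuple[int, int], int] = {
    (2632, 0x31bdc000): 0x1b6466000,   # WINWORD.EXE, consistent with the post's two lines
    (1504, 0x7c90d000): 0x1b6466000,   # a second process sharing the same frame (assumed)
    (2632, 0x00400000): 0x0a2f1000,
}

# Constructed `strings -t x` output: hex file offset, then the string.
STRINGS_OUT = """
1b64666b7 http://ghc.ru
1b646674d http://rst.void.ru
a2f1080 This program cannot be run in DOS mode
deadbeef0 orphan string in a page no process maps
"""


def invert(page_tables: Dict[Tuple[int, int], int]) -> Dict[int, List[Tuple[int, int]]]:
    """Physical page -> list of (pid, virtual page) that map it."""
    rev: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for (pid, vpage), ppage in page_tables.items():
        rev[ppage].append((pid, vpage))
    return rev


def resolve(phys: int, rev: Dict[int, List[Tuple[int, int]]]) -> List[Tuple[int, int]]:
    """All (pid, vaddr) pairs at which physical offset `phys` is visible."""
    ppage, off = phys & ~PAGE_MASK, phys & PAGE_MASK
    return [(pid, vpage | off) for pid, vpage in rev.get(ppage, [])]


def translate(strings_output: str, page_tables: Dict[Tuple[int, int], int]) -> List[str]:
    """Produce lines in the plugin's `offset [pid:vaddr] string` shape."""
    rev = invert(page_tables)
    lines = []
    for line in strings_output.strip().splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+(.*)$", line)
        if not m:
            continue
        phys = int(m.group(1), 16)
        owners = resolve(phys, rev)
        tag = " ".join(f"[{pid}:{va}]" for pid, va in owners) or "[unmapped]"
        lines.append(f"{m.group(1)} {tag} {m.group(2)}")
    return lines


if __name__ == "__main__":
    for out in translate(STRINGS_OUT, PAGE_TABLES):
        print(out)
```

Two practical consequences follow from the mapping: a page shared by several processes (a DLL's pages, for instance) yields one [pid:vaddr] tag per process for the same string, and the offset column is only meaningful if strings was run with the same radix the plugin expects (-t x for hex, -t d for decimal). Once a string resolves to a pid:vaddr, that virtual address is what you look up in the process's VADs and DLL list to see whether it sits in a mapped module or in anonymous memory.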
It seems that Volatility uses an I/O packet size that's too large for my
system.
Thanks to Freddie Witherden for supporting me.
Using a small dumping application (see below) provided by Freddie I was
able to dump those 2 GiB of RAM successfully.
So I transferred this thread to vol-dev.
CU
Michael
While analyzing a memory snapshot, I saw some objects of the type
LIST_ENTRY_PTR and some of the type LIST_ENTRY. From the addresses of those
objects, it looked as if the LIST_ENTRY_PTRs were the corresponding list heads
and the LIST_ENTRYs were simply the nodes in the list.
Is this correct?
--
Eknath Venkataramani
So, an ldconfig later it looks more comfortable but still it does not work:
# python vol.py -l Firewire://forensic1394/0 pslist
Volatile Systems Volatility Framework 2.1_alpha
IOError(u'forensic1394_read_device_v: Bad I/O request size',)
IOError(u'forensic1394_read_device_v: Bad I/O request size',)
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: Location is not of file scheme
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: Location is not of file scheme
EWFAddressSpace: Location is not of file scheme
WindowsCrashDumpSpace32: Location is not of file scheme
JKIA32PagedMemory - EXCEPTION: Failed to read from firewire device
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae - EXCEPTION: Failed to read from firewire device
IA32PagedMemory: Module disabled
FirewireAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
Seems the python bindings were missing in the first approach. What could cause the FW read error?
Regards
Michael
--