- Vol-users - volatilityfoundation.org

by malware monna

Hi All, I'm new to volatility and i was reading one of the article on the internet and found the below output, so i was curious to know what does below ouput mean?, can anybody please help me understand the malfind pluging and the below ouput, any info would be useful. --------------------------------------------------------------------------------------------------------------------------------------- VMwareTray.exe 432 0x00e30000 0xe30fff00 VadS 0 PAGE_EXECUTE_R EADWRITE Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp 0x00e30000 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9 .5.......{...... 0x00e30010 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff O..{..U.....>v.. 0x00e30020 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53 U....v9v..U....S 0x00e30030 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b :v..U.....>v..U. 0x00e30040 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76 ....9v..U...O~<v 0x00e30050 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9 ..U....2:v..U... 0x00e30060 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76 }a9vj,h...w...9v 0x00e30070 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9 ..U......p..U... Disassembly: 00e30000: b835000000 MOV EAX, 0x35 00e30005: e9cdd7ad7b JMP 0x7c90d7d7 00e3000a: b891000000 MOV EAX, 0x91 00e3000f: e94fdfad7b JMP 0x7c90df63 00e30014: 8bff MOV EDI, EDI 00e30016: 55 PUSH EBP 00e30017: 8bec MOV EBP, ESP 00e30019: e9ef173e76 JMP 0x7721180d 00e3001e: 8bff MOV EDI, EDI 00e30020: 55 PUSH EBP --------------------------------------------------------------------------------------------------------------------------------------------- Thanks

14 years, 8 months

2
1
0 0

Trouble with forensic1394 III

by Michael Felber

It seems that Volatility uses a I/O packet size that's to large for my system. Thanks to Freddie Witherden for supporting me. Using a small dumping application (see below) provided by Freddie I was successfully able to dump that 2GiB of RAM. So I transferred this thread to vol-dev. CU Michael

14 years, 10 months

2
1
0 0

Difference between LIST_ENTRY_PTR and LIST_ENTRY

by Eknath Venkataramani

While analyzing a memory snapshot, I saw some objects of the type LIST_ENTRY_PTR and some of the type LIST_ENTRY. From the addresses of those objects, it looked as if LIST_ENTRY_PTRs where the corresponding list heads and the LIST_ENTRY's were simply the nodes in the list. Is this correct? -- Eknath Venkataramani

14 years, 10 months

1
0
0 0

Trouble with forensic1394 II

by Michael Felber

So, a ldconfig later it looks more comfortable but still it does not work: # python vol.py -l Firewire://forensic1394/0 pslist Volatile Systems Volatility Framework 2.1_alpha IOError(u'forensic1394_read_device_v: Bad I/O request size',) IOError(u'forensic1394_read_device_v: Bad I/O request size',) No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space EWFAddressSpace: Location is not of file scheme WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae: No base Address Space IA32PagedMemory: Module disabled WindowsHiberFileSpace32: Location is not of file scheme EWFAddressSpace: Location is not of file scheme WindowsCrashDumpSpace32: Location is not of file scheme JKIA32PagedMemory - EXCEPTION: Failed to read from firewire device IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae - EXCEPTION: Failed to read from firewire device IA32PagedMemory: Module disabled FirewireAddressSpace: Must be first Address Space FileAddressSpace: Must be first Address Space Seems the python bindings were missed in the first approach. What could cause the FW-read-error? Regards Michael -- Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de

14 years, 10 months

2
2
0 0

Trouble with forensic1394

by Michael Felber

Hello all, I have tried the libforensic1394 package from https://freddie.witherden.org/tools/libforensic1394/ with Volatility. That's the result: # python vol.py -l Firewire://forensic1394/0 pslist Volatile Systems Volatility Framework 2.1_alpha No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space EWFAddressSpace: Location is not of file scheme WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae: No base Address Space IA32PagedMemory: Module disabled FileAddressSpace: Location is not of file scheme What could I have missed? I had expected to to read something about the firewire address space but neither Firewire:... nor firewire:... did work. Regards Michael -- NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie! Jetzt informieren: http://www.gmx.net/de/go/freephone

14 years, 10 months

1
0
0 0

Finding API-Hooks

by Michael Felber

Hey Michael, trying to list the hooked API-calls in the zeus.vmem-image according page 666 of your "Cookbook" with Volatility 2.0 and maware.py r97 I get the following result only: C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\zeus.vmem" Volatile Systems Volatility Framework 2.0 Name Type Target Value wuauclt.exe[468](a)wuaueng.dll iat sfc.dll!*invalid* 0x0 0x76c69828 (sfc_os.dll) Finished after 383.752000093 seconds Did I miss something or should I use an older version of Volatility and the malware-Plugin? Kindest regards Michael

14 years, 10 months

2
4
0 0

unable to extract process 1336 from prolaco-image

by Michael Felber

Hi, I have tried to extract the process 1336 (1_doc_RCData_61) from the prolaco-Image provided at http://malwarecookbook.googlecode.com/svn-history/r26/trunk/15/6/prolaco.vme m.zip Neither procexedump nor procmemdump did work for this process but for any other. What went wrong? Regards Michael

14 years, 10 months

2
2
0 0

Versions 1.3, 1.4 and 2.0

by macubergeek

I'm new to volatility and recently completed a SANS course which taught v. 1.3. I'm trying to straighten out in my head the different sets of plugins that come with each version. It looks like v. 2.0 absorbed some older third party plugins but didn't absorb others like malfind.py and the other malware related third party plugins. Am I right here? It appears one has to have all three versions available for different feature sets? Is this correct? Jim ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ %49%66%20%79%6F%75%20%63%61%6E%20%72%65%61%64%20%74%68%69%73%20%79%6F%75%20%6E%65%65%64%20%74%6F%20%67%65%74%20%61%20%67%69%72%6C%66%72%69%65%6E%64%2E

14 years, 10 months

5
5
0 0

feature request: Output in Dot-Format for psscan

by Michael Felber

Hello, in 1.4rc1 there was a nice feature to visualize the output of psscan in the GraphViz-dot-format with -output=dot. I have used it frequently to explain memory structures to non IT-Experts or for training purposes. Is it possible to add this feature to Version 2.0 again, please? Cu Michael

14 years, 10 months

1
0
0 0

files-command missed

by Michael Felber

Hi all, In v2.0 I miss the files-command. As a workaround I use C:\Python27\Scripts>python vol.py handles -p 816 -f . | grep -i "File" "files" was easier to use. Why it has gone? Cu Michael

14 years, 10 months

2
2
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users