On Mon, May 11, 2009 at 9:32 PM, Brendan Dolan-Gavitt <bdolangavitt(a)wesleyan.edu> wrote:
I am also a little concerned about what appears to me to be a drop in
development activity around Volatility. Is Mandiant Memoryze going to take
over the top slot? Right now, I see Mandiant Memoryze as third best behind
HBGary and Volatility, but Volatility can't stand still.
I don't think there's been a drop in development activity. It's been a
while since our last release, but a lot of activity has been taking place in
the world of Volatility plugins. Andreas Schuster has recently released
several new plugins that can find some less well-known artifacts of malware,
and Jesse Kornblum has released a Volatility plugin to search memory for
TrueCrypt passphrases.
I've also released a set of plugins for examining registry data, and shown
how to integrate with other popular tools like RegRipper. I'm also working
on some plugins that let you look at the state of on-screen graphical
elements like windows, buttons, etc.
Andreas' plug-ins are great and I can't wait to check out your new ones,
Brendan. I'll be releasing 4-5 new plug-ins for detecting rootkit behavior
over the next few weeks. If anyone has suggestions for useful plug-ins,
send them my way or announce them here so we can get it going.
For example, does anyone know if there are any plans to provide functionality
similar to HBGary's new Digital DNA in Volatility?
I don't have any plans to do it myself, but Volatility would provide an
excellent platform to anyone who wanted to build it :)
An easy way to implement something similar is by using a combination of
pyssdeep (fuzzy hashing of memory segments in Python -
http://code.google.com/p/pyssdeep/) and YARA (malware classification in
Python - http://code.google.com/p/yara-project/). I'm sure the guys at
HBGary have some more advanced things going on with their product, but with
a bit of dedicated work in creating YARA rules and assigning appropriate
weights (for example, use of "WriteProcessMemory" is 5 points, use of
"StartServiceA" is 3 points, etc.), you could generate a very useful
alternative.
MHL
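The weighted-rule scoring MHL sketches above, as an added example that is not code from the thread or from the Volatility project. It assumes a plain byte-pattern matcher standing in for YARA (a real build would let yara-python do the matching and carry each rule's weight in its meta section), skips the pyssdeep fuzzy-hash part, and uses constructed sample segments plus an assumed threshold of 8 points.

```python
"""Score memory segments by summing the weights of the rules that hit them."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    pattern: bytes   # stand-in for a YARA string; a real rule would live in a .yar file

# Weights follow the thread's example (WriteProcessMemory 5, StartServiceA 3);
# the other two rules and their weights are assumptions for illustration.
RULES: List[Rule] = [
    Rule("imports_WriteProcessMemory", 5, b"WriteProcessMemory"),
    Rule("imports_StartServiceA", 3, b"StartServiceA"),
    Rule("imports_CreateRemoteThread", 5, b"CreateRemoteThread"),
    Rule("imports_SetWindowsHookExA", 2, b"SetWindowsHookExA"),
]

def match_rules(segment: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Names of rules whose pattern occurs anywhere in the segment."""
    return [r.name for r in rules if r.pattern in segment]

def score_segment(segment: bytes, rules: List[Rule] = RULES) -> int:
    """Sum matching weights; a rule contributes at most once per segment,
    so repeated occurrences of the same API name do not inflate the score."""
    weights = {r.name: r.weight for r in rules}
    return sum(weights[name] for name in match_rules(segment, rules))

def classify(score: int, suspicious_at: int = 8) -> str:
    """Threshold is an assumption: 8 points flags a segment for analyst review."""
    return "suspicious" if score >= suspicious_at else "benign"

def score_segments(segments: Dict[str, bytes], rules: List[Rule] = RULES) -> Dict[str, dict]:
    """Per-segment report: score, verdict and the rule names that fired."""
    report = {}
    for name, data in segments.items():
        score = score_segment(data, rules)
        report[name] = {"score": score, "verdict": classify(score),
                        "matches": match_rules(data, rules)}
    return report

# Constructed sample "segments": import-table strings padded with filler bytes.
SAMPLE_SEGMENTS = {
    "pid1234_seg0": b"\x00" * 16 + b"kernel32.dll\x00WriteProcessMemory\x00CreateRemoteThread\x00",
    "pid1234_seg1": b"advapi32.dll\x00StartServiceA\x00" + b"\xcc" * 16,
    "pid5678_seg0": b"user32.dll\x00MessageBoxA\x00" + b"\x00" * 32,
}

if __name__ == "__main__":
    for seg, result in score_segments(SAMPLE_SEGMENTS).items():
        print(seg, result)
```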