RE: [Vol-users] IAT hook question

First email was bounced by gmail. I've added a pw to the zip. PW is Rocra Let me know when you have the .exe ok. Thanks Date: Thu, 17 Jan 2013 14:48:06 -0500 Subject: Re: [Vol-users] IAT hook question From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com CC: vol-users(a)volatilityfoundation.org Hmm sorry, I must be reading the GMER log incorrectly: dragonforen(a)hotmail.com> wrote: MHL, Thank you very much. Attached is a ZIP. (Rocra is the short name) I used Volatility 2.1 C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump > E:\Tests\130115b\Vol\dlldump.txt Volatile Systems Volatility Framework 2.1 C:\Python27\volatility-2.1> Have a good day, Mike Date: Thu, 17 Jan 2013 12:47:54 -0500 Subject: Re: [Vol-users] IAT hook question From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com CC: vol-users(a)volatilityfoundation.org Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me, I'll take a look. The necessary pages of the PE file may just not be memory resident. MHL On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: I am looking at a Red October infection. The malware is svchost PID 464, C:\Program Files\Windows NT\svchost.exe GMER tells me that the IAT is hooked. See attached. I wanted to see this with Volatility per the apihooks documentation here http://code.google.com/p/volatility/wiki/CommandReferenceMal22 "As of Volatility 2.1, apihooks also detects hooked winsock procedure tables, includes an easier to read output format, supports multiple hop disassembly, and can optionally scan quicker through memory by ignoring non-critical processes and DLLs. Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is unknown because there is no module (DLL) associated with the memory in which the rootkit code exists. If you want to extract the code containing the hooks, you have a few options: " I tried apihooks in Volatility 2.1 and 2.2, below is the result C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 apihooks Volatile Systems Volatility Framework 2.1 C:\Python27\volatility-2.1> ------------------------- C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 Volatile Systems Volatility Framework 2.2 C:\Python27\volatility-2.2> ========================= My question is, "what am I doing wrong?" It is probably something simple. Thanks for the help, Mike _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users