Hi Curt/Michael,

           Thanks for the response. I need a little bit of help, as I'm new to memory forensics... I need your help in understanding how to interpret the results.... Any material or additional information on this topic will be helpful.

Thanks,
Monnappa

On Tue, Oct 25, 2011 at 9:55 AM, Curt Wilson <research@perpetualhorizon.org> wrote:
Michael Ligh responded, but it's possible that you might need more explanation. While I'm not an expert, I'm getting better and would be glad to try to help you understand the assembly if necessary. Let me know and I'll see if I can help, if you don't already have it down.
On 10/22/2011 3:17 PM, malware monna wrote:
Hi All,

        I'm new to Volatility and I was reading one of the articles on the internet and found the below output, so I was curious to know what the below output means. Can anybody please help me understand the malfind plugin and the below output? Any info would be useful.

---------------------------------------------------------------------------------------------------------------------------------------

VMwareTray.exe       432    0x00e30000 0xe30fff00 VadS     0      PAGE_EXECUTE_READWRITE
Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp
0x00e30000   b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9    .5.......{......
0x00e30010   4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff    O..{..U.....>v..
0x00e30020   55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53    U....v9v..U....S
0x00e30030   3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b    :v..U.....>v..U.
0x00e30040   ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76    ....9v..U...O~<v
0x00e30050   8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9    ..U....2:v..U...
0x00e30060   7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76    }a9vj,h...w...9v
0x00e30070   8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9    ..U......p..U...

Disassembly:
00e30000: b835000000                       MOV EAX, 0x35
00e30005: e9cdd7ad7b                       JMP 0x7c90d7d7
00e3000a: b891000000                       MOV EAX, 0x91
00e3000f: e94fdfad7b                       JMP 0x7c90df63
00e30014: 8bff                             MOV EDI, EDI
00e30016: 55                               PUSH EBP
00e30017: 8bec                             MOV EBP, ESP
00e30019: e9ef173e76                       JMP 0x7721180d
00e3001e: 8bff                             MOV EDI, EDI
00e30020: 55                               PUSH EBP

---------------------------------------------------------------------------------------------------------------------------------------------

Thanks


_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users


-- 
Curt Wilson
Research Analyst, Arbor Networks ASERT cwilson@arbor.net
Personal Security Research: research@perpetualhorizon.org