Hi Rob,
Thanks for the suggestion. As I recall that would fit the profile when combined with
another tool. And I think it will run in a VM.
In the past a friend of mine used Hacker Defender and Optiplex as an example in a
presentation. I'd like to pick something else if possible (would rather not duplicate
and look lame).
What would be really cool is something current that runs in a VM and is a good pslist
crossview demo. If I can't find something current, I'll fall back to HD. Good
thought!
Thanks much for the suggestion. If you have any other thoughts I appreciate them.
Mike
Date: Thu, 3 May 2012 09:57:16 -0500
Subject: Re: [Vol-users] Need to pick a malware for a demo
From: robdewhirst(a)gmail.com
To: vol-users(a)volatilityfoundation.org
Check out the Hacker Defender rootkit. I am pretty sure I demoed
exactly what you are wanting to do (including using Volatility to
reveal the rootkit) about a year ago and this malware was a good
example and easy to use. I don't know for sure that it hides from
PsList but it hides from the built-in Windows tools.
Email me if you can't find a copy.
On Wed, May 2, 2012 at 11:32 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I've got a memory forensics presentation coming up next week and I'd like to
use a sample that will illustrate a crossview example.
Specifically, I'd like to use an example that hides from pslist on the
running system (don't want a DKOM example) but we can find it using
Volatility.
I'd like it to be something running and not a process injection sample.
Does someone have a suggestion which one may provide a good illustration?
Thanks,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
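The pslist-versus-psscan cross view the thread is asking for, written out as an added example (not code from the list or from Volatility itself). The two process tables are constructed, in a simplified Volatility-2-style layout, and the hidden process name is made up:

```python
"""Cross-view process detection: compare a list-walk view (pslist) with a
carving view (psscan). Added example; the tables below are constructed."""
import re

# Constructed 'pslist'-style output: walks the kernel's active-process list,
# so a process a rootkit has unlinked from that list does not appear here.
PSLIST_OUT = """\
Offset(V)  Name          PID  PPID
0x81a2b000 System          4     0
0x81c3f020 smss.exe      368     4
0x81d10560 explorer.exe 1204  1180
"""

# Constructed 'psscan'-style output: carves process objects from physical
# memory, so it still sees unlinked (hidden) and recently exited processes.
PSSCAN_OUT = """\
Offset(P)  Name            PID  PPID  Time exited
0x01a2b000 System            4     0
0x01c3f020 smss.exe        368     4
0x01d10560 explorer.exe   1204  1180
0x02f4e7a0 hidden_svc.exe 1452  1204
0x0311c020 notepad.exe    1700  1204  2012-05-02 23:40:11
"""

ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)(?:\s+(\S.*))?$")

def parse_ps(text):
    """Return {pid: (name, ppid, exit_time_or_None)} from a table like above."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match the row pattern
            _off, name, pid, ppid, extra = m.groups()
            procs[int(pid)] = (name, int(ppid), extra.strip() if extra else None)
    return procs

def cross_view(pslist_text, psscan_text):
    """Processes psscan carved but pslist never listed. A carved entry with
    an exit time is most likely just terminated; one with no exit time is a
    live process hidden from the list walk and deserves a closer look."""
    listed, scanned = parse_ps(pslist_text), parse_ps(psscan_text)
    hidden, exited = [], []
    for pid, (name, _ppid, exit_time) in scanned.items():
        if pid not in listed:
            (exited if exit_time else hidden).append((pid, name))
    return sorted(hidden), sorted(exited)

if __name__ == "__main__":
    print(cross_view(PSLIST_OUT, PSSCAN_OUT))
```

On a real image the same comparison is run over the two plugins' actual output; the terminated bucket filters out the ordinary noise of processes that exited shortly before the capture.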