Re: [Vol-users] Output of strings not found in memdump output

23 Mar 2015


      Hi Michael,
*sigh* When will I learn to check the origin of my samples?!
The guy who provided me with the sample tells me that he took a snapshot of
a VMWare machine and then used vss2core to convert it. I BELIEVE that makes
it into a Windows Memory Core Dump..?
I got hold of the original vmem and vmsn files. Trying to use imagecopy on
the vmsn just replicated the input file.
I think the header is not what Volatility would expect:
$ xxd Windows\ XP\ Pro\ SP2\ \(32-bit\)-Snapshot49.vmsn |head
0000000: d2be d2be 0800 0000 6300 0000 4368 6563  ........c...Chec
0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000  kpoint..........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 fc1e 0000  ................
0000050: 0000 0000 ab03 0000 0000 0000 4775 6573  ............Gues
0000060: 7456 6172 7300 0000 0000 0000 0000 0000  tVars...........
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 a722 0000  ............."..
Does that mean I can't use this with Volatility?
Thank you,
Adam
On 23 March 2015 at 14:57, Michael Ligh &lt;michael.ligh(a)mnin.org&gt; wrote:
...
  -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 Hey Adam,
 We forgot to ask if the sample was a raw memory dump. For example:
 $ xxd ~/Desktop/memory.dmp | less
 0000000: 5041 4745 4455 4d50 0f00 0000 280a 0000  PAGEDUMP....(...
 0000010: 8001 6c07 00c0 e680 a031 5580 5892 5580  ..l......1U.X.U.
 0000020: 4c01 0000 0100 0000 8000 0000 5444 4f00  L...........TDO.
 0000030: 0000 0000 0000 0000 0000 0000 5041 4745  ............PAGE
 0000040: 5041 4745 5041 4745 5041 4745 5041 4745  PAGEPAGEPAGEPAGE
 If its something like a crash dump, hibernation, etc then the file
 format headers throw off the offsets. You can convert those special
 file types into a raw memory dump with the imagecopy plugin and then
 your strings translations should be accurate.
 Cheers!
 MHL
 On 3/23/15 8:54 AM, Bridgey theGeek wrote:
  Hi Andrew,
 I was certain I was running the latest version, but just to be sure
 I grabbed the latest version. Same result, same offsets.
 I can make the sample available, but more than happy to do
 whatever debugging needs doing (if I can!)
 Adam
 On 23 March 2015 at 13:03, Andrew Case &lt;atcuno(a)gmail.com
 <mailto:atcuno@gmail.com>> wrote:
 Are you using the latest git checkout of Volatility or the 2.4
 release? Can you try the latest checkout and re-run Volatility
 strings (you can run it on just the offsets from PID 123 to make it
 faster).
 If you are already on the latest checkout then we will need to
 debug further.
 Thanks, Andrew (@attrc)
 On 03/23/2015 04:38 AM, Bridgey theGeek wrote:
  Thanks Andrew:
 python vol.py --profile=WinXPSP2x86 -f memory.dmp volshell -p
 123 Volatility Foundation Volatility Framework 2.4 Current
 context: myapp.exe @ 0x822042f8, pid=123, ppid=392  DTB=0x76c0040
  Welcome to volshell! Current memory image is:
 file:///home/memory.dmp To get help, type 'hh()'
 >> db(0x75b6b4d8)  0x75b6b4d8  c3 7c
15 c7 85 00 ff ff ff 01 00 00 00 75 09 8d
 .|...........u.. 0x75b6b4e8  85 0c ff ff ff 50 ff 17 39 9d 00 ff
 ff ff 89 85 .....P..9....... 0x75b6b4f8  30 ff ff ff 74 12 6a 0c
 8d 85 c4 fe ff ff 50 6a 0...t.j.......Pj 0x75b6b508  07 6a fe e8
 ea 92 ff ff 83 bd 28 ff ff ff 0c 0f .j........(..... 0x75b6b518
 84 8c 59 00 00 e9 18 ff ff ff 90 90 47 00 6c 00 ..Y.........G.l.
 0x75b6b528  6f 00 62 00 61 00 6c 00 5c 00 54 00 65 00 72 00
 o.b.a.l.\.T.e.r. 0x75b6b538  6d 00 53 00 72 00 76 00 52 00 65 00
 61 00 64 00 m.S.r.v.R.e.a.d. 0x75b6b548  79 00 45 00 76 00 65 00
 6e 00 74 00 00 00 90 90 y.E.v.e.n.t.....
 Nope, still no banner. But it is identical to what I find at  0x1a34d8 in
  123.dmp. (As you'd expect.) Double-checked
that I was searching
 Unicode and ASCII - still no luck.
 Hmmm.
 Adam
 On 23 March 2015 at 04:02, Andrew Case &lt;atcuno(a)gmail.com 
<mailto:atcuno@gmail.com>
  <mailto:atcuno@gmail.com
<mailto:atcuno@gmail.com>>> wrote:
 Can do you:
 vol.py ... volshell -p 123
 Then in volshell do:
 db(0x75b6b4d8)
 And see if you get the banner printed at the beginning?
 Also, how are you searching 123.dmp? Did you search ascii &  unicode
  (most common error)
 Thanks, Andrew (@attrc)
 On 03/20/2015 03:59 PM, Bridgey theGeek wrote:
  Hi all,
 I can't quite see what's wrong with my logic here, but I must
 be  missing
> something. Hoping someone can help me out.
>
> I'm looking for a private key in a memory sample
> (WinXPSP2x86). Specifically, to find out which process/es
> is/are accessing it.
>
> I can find the key by searching the raw memory dump  (memory.dmp).
 > As you might expect it's between:
-----BEGIN RSA PRIVATE
> KEY----- -----END RSA PRIVATE KEY-----
>
> I generated an offset:string file by using strings. Then, using
> the strings plugin I get this output: $ python vol.py -f
> memory.dmp --profile=WinXPSP2x86 strings  -s pk.txt
 > Volatility Foundation Volatility Framework
2.4 188435934 [FREE
> MEMORY:-1] -----BEGIN RSA PRIVATE KEY----- 188435968 [FREE
> MEMORY:-1] -----END RSA PRIVATE KEY----- 317375704
> [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY----- 317376575
> [kernel:d2ab283f] -----END RSA PRIVATE KEY----- 417203416
> [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY----- 417204287
> [123:75b6b83f] -----END RSA PRIVATE KEY----- 419888606 [FREE
> MEMORY:-1] -----BEGIN RSA PRIVATE KEY----- 419888640 [FREE
> MEMORY:-1] -----END RSA PRIVATE KEY-----
>
> Lovely. So I now do a memdump of process 123: $ python vol.py
> -f memory.dmp --profile=WinXPSP2x86 memdump  --pid=123
 
--dump-dir=123 Volatility Foundation Volatility Framework 2.4
 
  ************************************************************************
  Writing myapp.exe [   123] to 123.dmp
>
> However, if I search 123.dmp neither the BEGIN or END  strings are
  present.

 So I thought I'd try and find it via the virtual address give,  0x75b6b4d8:
> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memmap  --pid=123
 > Virtual    Physical         Size
DumpFileOffset ----------
> ---------- ---------- -------------- --SNIP-- 0x75b6b000
> 0x18de0000     0x1000       0x1a3000 --SNIP--
>
> The text is indeed at 0x18de04d8 in memory.dmp, but not at  0x1a34d8 in
 > 123.dmp. Again, it's no where to be found
in 123.dmp.
>
> Any suggestions..??
>
> Many thanks, Adam
>
>
> _______________________________________________ Vol-users
> mailing list Vol-users(a)volatilityfoundation.org 
<mailto:Vol-users@volatilityfoundation.org>
 <mailto:Vol-users@volatilityfoundation.org
 <mailto:Vol-users@volatilityfoundation.org>>
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
 
 
 _______________________________________________ Vol-users mailing
 list Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
...PGP SIGNATURE...
  -----BEGIN PGP SIGNATURE-----
 Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
 Comment: GPGTools - https://gpgtools.org
 iF4EAREKAAYFAlUQKcQACgkQXnt9v1O0LIuwSwEAhKUK1clPJ5l8ujiKwRHfOO3M
 Hzw2CpeyvY7XCCoHViAA/1D+gc/0ZWL5TNSQEi5FkwKq4TIlfEaWk0nrH0/loplk
 =cA1W
 -----END PGP SIGNATURE-----

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: [Vol-users] Output of strings not found in memdump output