Hi folks,

 

Testing impscan with zeus.vmem I have a little question about the capabilities of impscan:

 

Malfind finds 2 regions with injected code as seen many times:

 

C:\Micha\Forensics\Volatility-2.1a>python vol.py malfind -f D:\X-Ways-Images\zeus.vmem -p 1724

Volatile Systems Volatility Framework 2.1_rc1

Process: explorer.exe Pid: 1724 Address: 0x1600000

Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

 

0x01600000  b8 35 00 00 00 e9 cd d7 30 7b b8 91 00 00 00 e9   .5......0{......

 

Process: explorer.exe Pid: 1724 Address: 0x15d0000

Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

 

0x015d0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

 

Base 0x015d0000 is a “real” exe-module and impscan can detect the hooked calls very well:

 

C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x015d0000

Volatile Systems Volatility Framework 2.1_rc1

IAT        Call       Module               Function

---------- ---------- -------------------- --------

0x015d1000 0x77dea43c ADVAPI32.dll         CryptGetHashParam

0x015d1004 0x77dd7535 ADVAPI32.dll         RegCreateKeyExW

0x015d1008 0x77de8546 ADVAPI32.dll         CryptReleaseContext

0x015d100c 0x77dd6fc8 ADVAPI32.dll         RegQueryValueExW

0x015d1010 0x77dd778e ADVAPI32.dll         InitializeSecurityDescriptor

0x015d1014 0x77df986b ADVAPI32.dll         GetSidSubAuthorityCount

0x015d1018 0x77dd77b3 ADVAPI32.dll         SetSecurityDescriptorDacl

0x015d101c 0x77df1285 ADVAPI32.dll         SetNamedSecurityInfoW

0x015d1020 0x77dfcaf6 ADVAPI32.dll         LookupPrivilegeValueW

0x015d1024 0x77dea2f9 ADVAPI32.dll         CryptCreateHash

0x015d1028 0x77de2cde ADVAPI32.dll         ConvertStringSecurityDescriptorToSecurityDescriptorW

0x015d102c 0x77dd6a78 ADVAPI32.dll         RegOpenKeyExW

 

Base 0x01600000 contains jump instructions to other addresses:

 

0x1600000 b835000000       MOV EAX, 0x35

0x1600005 e9cdd7307b       JMP 0x7c90d7d7

0x160000a b891000000       MOV EAX, 0x91

0x160000f e94fdf307b       JMP 0x7c90df63

0x1600014 8bff             MOV EDI, EDI

0x1600016 55               PUSH EBP

0x1600017 8bec             MOV EBP, ESP

0x1600019 e9ef17c175       JMP 0x7721180d

 

So it seems to be consistent that impscan is unable to find hooked calls there:

 

C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x01600000

Volatile Systems Volatility Framework 2.1_rc1

IAT        Call       Module               Function

---------- ---------- -------------------- --------

Traceback (most recent call last):

  File "vol.py", line 185, in <module>

    main()

  File "vol.py", line 176, in main

    command.execute()

  File "C:\Micha\Forensics\Volatility-2.1a\volatility\commands.py", line 111, in execute

    func(outfd, data)

  File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 358, in render_text

    for iat, call, mod, func in data:

  File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 338, in calculate

    forward = True)

  File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 130, in _vicinity_scan

    start_addr = sortedlist[0]

IndexError: list index out of range

 

Or does the error message mean something other? Looked at the first jump target there is the “detoured” call as expected:

 

C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90d7d7

Volatile Systems Volatility Framework 2.1_rc1

IAT        Call       Module               Function

---------- ---------- -------------------- --------

0x7c97d280 0x7c832b5c kernel32.dll         BaseQueryModuleData

 

So impscan is not able to directly handle such trampoline calls, is it?

 

Following the trace of the jump targets there are two imports of BaseQueryModuleData:

 

C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90df63

Volatile Systems Volatility Framework 2.1_rc1

IAT        Call       Module               Function

---------- ---------- -------------------- --------

0x7c97d280 0x7c832b5c kernel32.dll         BaseQueryModuleData

 

Also the next jump targets import the same api calls:

 

C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7721180d

Volatile Systems Volatility Framework 2.1_rc1

IAT        Call       Module               Function

---------- ---------- -------------------- --------

0x77261000 0x77dd761b ADVAPI32.dll         RegOpenKeyExA

0x77261004 0x77dfd4c9 ADVAPI32.dll         GetUserNameA

0x77261034 0x77dfc41b ADVAPI32.dll         RegOpenKeyA

C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x771c76bd

Volatile Systems Volatility Framework 2.1_rc1

IAT        Call       Module               Function

---------- ---------- -------------------- --------

0x77261000 0x77dd761b ADVAPI32.dll         RegOpenKeyExA

0x77261004 0x77dfd4c9 ADVAPI32.dll         GetUserNameA

0x77261034 0x77dfc41b ADVAPI32.dll         RegOpenKeyA

 

I have no clue why theses api-call are hooked twice. Does anybody have an idea?

 

Regards

 

Michael