11:41 a.m.
On Wed, Jul 11, 2012 at 10:14 AM, Michael Felber <MichaelFelber(a)gmx.net>wrote:
Hi folks,****
** **
Testing impscan with zeus.vmem I have a little question about the
capabilities of impscan:****
** **
Malfind finds 2 regions with injected code as seen many times:****
** **
C:\Micha\Forensics\Volatility-2.1a>python vol.py malfind -f
D:\X-Ways-Images\zeus.vmem -p 1724****
Volatile Systems Volatility Framework 2.1_rc1****
Process: explorer.exe Pid: 1724 Address: 0x1600000****
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE****
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6****
** **
0x01600000 b8 35 00 00 00 e9 cd d7 30 7b b8 91 00 00 00 e9
.5......0{......****
…****
** **
Process: explorer.exe Pid: 1724 Address: 0x15d0000****
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE****
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6****
** **
0x015d0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ
..............****
…****
** **
Base 0x015d0000 is a “real” exe-module and impscan can detect the hooked
calls very well:****
** **
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f
D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x015d0000****
Volatile Systems Volatility Framework 2.1_rc1****
IAT Call Module Function****
---------- ---------- -------------------- --------****
0x015d1000 0x77dea43c ADVAPI32.dll CryptGetHashParam****
0x015d1004 0x77dd7535 ADVAPI32.dll RegCreateKeyExW****
0x015d1008 0x77de8546 ADVAPI32.dll CryptReleaseContext****
0x015d100c 0x77dd6fc8 ADVAPI32.dll RegQueryValueExW****
0x015d1010 0x77dd778e ADVAPI32.dll InitializeSecurityDescriptor***
*
0x015d1014 0x77df986b ADVAPI32.dll GetSidSubAuthorityCount****
0x015d1018 0x77dd77b3 ADVAPI32.dll SetSecurityDescriptorDacl****
0x015d101c 0x77df1285 ADVAPI32.dll SetNamedSecurityInfoW****
0x015d1020 0x77dfcaf6 ADVAPI32.dll LookupPrivilegeValueW****
0x015d1024 0x77dea2f9 ADVAPI32.dll CryptCreateHash****
0x015d1028 0x77de2cde ADVAPI32.dll
ConvertStringSecurityDescriptorToSecurityDescriptorW****
0x015d102c 0x77dd6a78 ADVAPI32.dll RegOpenKeyExW****
…****
** **
Base 0x01600000 contains jump instructions to other addresses:****
** **
0x1600000 b835000000 MOV EAX, 0x35****
0x1600005 e9cdd7307b JMP 0x7c90d7d7****
0x160000a b891000000 MOV EAX, 0x91****
0x160000f e94fdf307b JMP 0x7c90df63****
0x1600014 8bff MOV EDI, EDI****
0x1600016 55 PUSH EBP****
0x1600017 8bec MOV EBP, ESP****
0x1600019 e9ef17c175 JMP 0x7721180d****
** **
So it seems to be consistent that impscan is unable to find hooked calls
there:
True, as seen with vadinfo, the region at 0x01600000 ends at 0x01600fff
(only 1 page):
VAD node @ 0xff38cad0 Start 0x01600000 End 0x01600fff Tag VadS
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
If you were to disassemble all code in that region, you would not see any
calls to imported functions:
>> cc(pid = 1724)
Current context: process
explorer.exe, pid=1724, ppid=1708 DTB=0x6cc0280
>> dis(0x01600000, length = 0x1000)
0x1600000 b835000000 MOV EAX, 0x35
0x1600005 e9cdd7307b JMP 0x7c90d7d7
0x160000a b891000000 MOV EAX, 0x91
0x160000f e94fdf307b JMP 0x7c90df63
0x1600014 8bff MOV EDI, EDI
0x1600016 55 PUSH EBP
0x1600017 8bec MOV EBP, ESP
......
0x16000ce 8bff MOV EDI, EDI
0x16000d0 55 PUSH EBP
0x16000d1 8bec MOV EBP, ESP
0x16000d3 e975f64e76 JMP 0x77aef74d
0x16000d8 0000 ADD [EAX], AL
0x16000da 0000 ADD [EAX], AL
0x16000dc 0000 ADD [EAX], AL
0x16000de 0000 ADD [EAX], AL
C:\Micha\Forensics\Volatility-2.1a>python vol.py
impscan -f
D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x01600000****
Volatile Systems Volatility Framework 2.1_rc1****
IAT Call Module Function****
---------- ---------- -------------------- --------****
Traceback (most recent call last):****
File "vol.py", line 185, in <module>****
main()****
File "vol.py", line 176, in main****
command.execute()****
File "C:\Micha\Forensics\Volatility-2.1a\volatility\commands.py", line
111, in execute****
func(outfd, data)****
File
"C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py",
line 358, in render_text****
for iat, call, mod, func in data:****
File
"C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py",
line 338, in calculate****
forward = True)****
File
"C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py",
line 130, in _vicinity_scan****
start_addr = sortedlist[0]****
IndexError: list index out of range****
** **
Or does the error message mean something other?
It just means there are no calls to imported functions in the scanned
memory region. However, I need to fix the IndexError. If there are no calls
found, the output table should just be empty, not a backtrace.
Looked at the first jump target there is the
“detoured” call as expected:*
***
** **
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f
D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90d7d7****
Volatile Systems Volatility Framework 2.1_rc1****
IAT Call Module Function****
---------- ---------- -------------------- --------****
0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData****
** **
So impscan is not able to directly handle such trampoline calls, is it?
No, impscan just scans the memory region you specify with --base. It
doesn't follow jumps and calls (i.e. its not an emulator).
Following the trace of the jump targets there are two
imports of
BaseQueryModuleData:****
** **
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f
D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90df63****
Volatile Systems Volatility Framework 2.1_rc1****
IAT Call Module Function****
---------- ---------- -------------------- --------****
0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData****
** **
Also the next jump targets import the same api calls:****
** **
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f
D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7721180d****
Volatile Systems Volatility Framework 2.1_rc1****
IAT Call Module Function****
---------- ---------- -------------------- --------****
0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA****
0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA****
0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA****
…****
C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f
D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x771c76bd****
Volatile Systems Volatility Framework 2.1_rc1****
IAT Call Module Function****
---------- ---------- -------------------- --------****
0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA****
0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA****
0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA****
…****
** **
I have no clue why theses api-call are hooked twice. Does anybody have an
idea?
0x7721180d and 0x771c76bd are within the same VAD region, so the calls
aren't being hooked twice, you're just scanning the same region twice. They
are both inside 0x771b0000-0x77255fff which is where wininet.dll is loaded.
So you are seeing the functions imported by wininet.dll.
VAD node @ 0xff221a68 Start 0x771b0000 End 0x77255fff Tag Vad
Flags: CommitCharge: 15, ImageMap: 1, Protection: 7
Protection: PAGE_EXECUTE_WRITECOPY
ControlArea @80f04f30 Segment e16c9008
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 78
NumberOfMappedViews: 21 NumberOfUserReferences: 22
WaitingForDeletion Event: 00000000
Control Flags: Accessed: 1, File: 1, HadUserReference: 1, Image: 1
FileObject @ff3b9130, Name: \WINDOWS\system32\wininet.dll
First prototype PTE: e16c9048 Last contiguous PTE: fffffffc
Flags2: Inherit: 1
MHL
Regards****
** **
Michael****
** **
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users