Re: [Vol-users] Attributing a string to a program
17 Sep
2012
17 Sep
'12
12:21 p.m.
Another few suggestions:
* If you're using Yara with Malfind, you're probably using an old version
of Volatility. Since 2.1, Malfind no longer has anything to do with Yara -
there's a separate YaraScan plugin that you should use instead [1]
* When you use YaraScan, make sure to try scanning in both usermode
(process memory) and kernel mode (there are different switches, see the [1]
reference)
* When you create the Yara rules, make sure you indicate "wide" if the
string is unicode
MHL
[1] http://code.google.com/p/volatility/wiki/CommandReference22#yarascan
On Mon, Sep 17, 2012 at 11:36 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Have you tried the strings plugin?
http://code.google.com/p/volatility/wiki/CommandReference22#strings
On Mon, Sep 17, 2012 at 8:37 AM, David Bramer <david.bramer(a)gmail.com>
wrote:
Hi,
Have a memory dump which I have obtained via DumpIt, I'm then pretty
happy and can use Volatility to find out some of the answers to my
questions. However when I have run Strings on the memory dump I find a
string of great interest. I would like to figure out a means by which
I could find out what created this string.
So far I've created a basic Yara rule and used malfind to no avail. Is
there anything else I could try?
Cheers
David
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Attachments:
- attachment.html (text/html — 2.9 KB)