Can you do:
vol.py ... volshell -p 123
Then in volshell do:
db(0x75b6b4d8)
And see if you get the banner printed at the beginning?
Also, how are you searching 123.dmp? Did you search ascii & unicode
(most common error)
Thanks,
Andrew (@attrc)
On 03/20/2015 03:59 PM, Bridgey theGeek wrote:
> Hi all,
>
> I can't quite see what's wrong with my logic here, but I must be missing
> something.
> Hoping someone can help me out.
>
> I'm looking for a private key in a memory sample (WinXPSP2x86).
> Specifically, to find out which process/es is/are accessing it.
>
> I can find the key by searching the raw memory dump (memory.dmp).
> As you might expect it's between:
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
>
> I generated an offset:string file by using strings.
> Then, using the strings plugin I get this output:
> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 strings -s pk.txt
> Volatility Foundation Volatility Framework 2.4
> 188435934 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
> 188435968 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
> 317375704 [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY-----
> 317376575 [kernel:d2ab283f] -----END RSA PRIVATE KEY-----
> 417203416 [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY-----
> 417204287 [123:75b6b83f] -----END RSA PRIVATE KEY-----
> 419888606 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
> 419888640 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
>
> Lovely. So I now do a memdump of process 123:
> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memdump --pid=123
> --dump-dir=123
> Volatility Foundation Volatility Framework 2.4
> ************************************************************************
> Writing myapp.exe [ 123] to 123.dmp
>
> However, if I search 123.dmp neither the BEGIN nor the END string is present.
>
> So I thought I'd try and find it via the virtual address given, 0x75b6b4d8:
> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memmap --pid=123
> Virtual Physical Size DumpFileOffset
> ---------- ---------- ---------- --------------
> --SNIP--
> 0x75b6b000 0x18de0000 0x1000 0x1a3000
> --SNIP--
>
> The text is indeed at 0x18de04d8 in memory.dmp, but not at 0x1a34d8 in
> 123.dmp.
> Again, it's nowhere to be found in 123.dmp.
>
> Any suggestions?
>
> Many thanks,
> Adam
>
>
> Vol-users mailing list
> Vol-users@volatilesystems.com
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
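The two checks the thread turns on, as an added example that is not part of either message and not Volatility code: translating a process virtual address through the `memmap` table into a physical offset in memory.dmp and a file offset in the memdump output (the arithmetic Adam did by hand), and searching a dump for a marker in both ASCII and UTF-16LE, the encoding mismatch Andrew names as the most common reason a string appears to be missing from a memdump file. The memmap row and the addresses are the ones quoted above; the byte buffer and its contents are constructed here for illustration.

```python
"""Offset translation and ASCII/UTF-16LE marker search for a memory dump.

Added example, not from the mailing-list thread or from Volatility itself.
Assumes the four-column `memmap` layout shown in the thread
(Virtual Physical Size DumpFileOffset) and a 32-bit address space.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class MapEntry(NamedTuple):
    virtual: int
    physical: int
    size: int
    dump_offset: int


# One table row of `vol.py memmap` output: four hex columns.
MEMMAP_LINE = re.compile(
    r"^\s*0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s*$", re.I
)


def parse_memmap(text: str) -> List[MapEntry]:
    """Parse the table rows of memmap output; header, separator and SNIP lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MEMMAP_LINE.match(line)
        if m:
            entries.append(MapEntry(*(int(g, 16) for g in m.groups())))
    return entries


def translate(entries: List[MapEntry], vaddr: int) -> Optional[Tuple[int, int]]:
    """Return (physical_offset, dump_file_offset) for a virtual address.

    None means the page is not in the table: it was not resident when the
    sample was taken, so it cannot be in the memdump output either.
    """
    for e in entries:
        if e.virtual <= vaddr < e.virtual + e.size:
            delta = vaddr - e.virtual
            return e.physical + delta, e.dump_offset + delta
    return None


def find_marker(buf: bytes, marker: str) -> List[Tuple[int, str]]:
    """Find every occurrence of marker encoded as ASCII and as UTF-16LE.

    Windows user-mode code frequently keeps strings as UTF-16LE ("unicode"),
    so an ASCII-only search misses them; both encodings are tried here.
    """
    hits = []
    for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf16le")):
        needle = marker.encode(enc)
        start = 0
        while (i := buf.find(needle, start)) != -1:
            hits.append((i, label))
            start = i + 1
    return sorted(hits)


# The memmap row quoted in the thread, plus the header lines memmap prints.
SAMPLE_MEMMAP = """Virtual    Physical   Size       DumpFileOffset
---------- ---------- ---------- --------------
0x75b6b000 0x18de0000 0x1000     0x1a3000
"""

BEGIN = "-----BEGIN RSA PRIVATE KEY-----"

# Constructed 512-byte buffer: one ASCII copy of the marker at 0x20 and one
# UTF-16LE copy at 0x100. An ASCII-only search reports just the first.
_buf = bytearray(0x200)
_buf[0x20:0x20 + len(BEGIN)] = BEGIN.encode("ascii")
_u16 = BEGIN.encode("utf-16-le")
_buf[0x100:0x100 + len(_u16)] = _u16
SAMPLE_DUMP = bytes(_buf)


if __name__ == "__main__":
    table = parse_memmap(SAMPLE_MEMMAP)
    phys, dump_off = translate(table, 0x75b6b4d8)
    print(f"0x75b6b4d8 -> memory.dmp offset {phys:#x}, 123.dmp offset {dump_off:#x}")
    for off, enc in find_marker(SAMPLE_DUMP, BEGIN):
        print(f"marker at {off:#x} ({enc})")
```

Run it against a real memdump file by replacing `SAMPLE_DUMP` with the file's bytes; if only `ascii` hits appear for a string you know is in the process, the `utf16le` pass is the one that usually explains the discrepancy.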