Hi all,
still playing with fire (or a single “Flame” ;-)) I have tried to dump the possibly infected services.exe from a decompressed hiberfil.sys but ran into an error message:
C:\Micha\Forensics\Volatility-2.1a>python vol.py pslist -f D:\X-Ways-Images\flame.mem | egrep -i "(PID|services)"
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0x84cae5a8 services.exe 912 868 37 966 0 0 2012-06-03 07:47:48
C:\Micha\Forensics\Volatility-2.1a>python vol.py procexedump -p 868 -f D:\X-Ways-Images\flame.mem -D C:\temp\VolDumpFlame
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
Dumping winlogon.exe, pid: 868 output: executable.868.exe
C:\Micha\Forensics\Volatility-2.1a>python vol.py procexedump -p 912 -f D:\X-Ways-Images\flame.mem -D C:\temp\VolDumpFlame
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
Error: ImageBaseAddress not memory resident for process [912]
C:\Micha\Forensics\Volatility-2.1a>python vol.py procexedump -o 0x84cae5a8 -f D:\X-Ways-Images\flame.mem -D C:\temp\VolDumpFlame
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
Error: PEB not memory resident for process [-]
Why does the PEB header seem to be paged out? Isn’t that strange behavior for such an important process as services.exe?
There is really no header:
C:\Micha\Forensics\Volatility-2.1a>python vol.py volshell -f D:\X-Ways-Images\flame.mem
Volatile Systems Volatility Framework 2.1_alpha
Current context: process System, pid=4, ppid=0 DTB=0x39000
Welcome to volshell! Current memory image is:
file:///D:/X-Ways-Images/flame.mem
>>> cc (offset=0x84cae5a8)
Current context: process services.exe, pid=912, ppid=868 DTB=0x13edc000
>>> db(0x84cae5a8)
0x84cae5a8 03 00 1b 00 00 00 00 00 b0 7c b6 84 b0 7c b6 84 .........|...|..
0x84cae5b8 b8 e5 ca 84 b8 e5 ca 84 00 c0 ed 13 00 50 ee 13 .............P..
0x84cae5c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x84cae5d8 ac 20 00 00 00 00 00 00 39 0a 00 00 4f 0c 00 00 ........9...O...
0x84cae5e8 e8 e5 ca 84 e8 e5 ca 84 00 00 00 00 00 00 00 00 ................
0x84cae5f8 58 9f b8 84 d0 51 60 84 00 00 00 00 01 00 00 00 X....Q`.........
0x84cae608 14 00 09 06 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x84cae618 00 f3 e8 2b 5d 41 cd 01 00 00 00 00 00 00 00 00 ...+]A..........
>>> dis(0x84cae5a8)
0x84cae5a8 0300 ADD EAX, [EAX]
0x84cae5aa 1b00 SBB EAX, [EAX]
0x84cae5ac 0000 ADD [EAX], AL
0x84cae5ae 0000 ADD [EAX], AL
0x84cae5b0 b07c MOV AL, 0x7c
0x84cae5b2 b684 MOV DH, 0x84
0x84cae5b4 b07c MOV AL, 0x7c
0x84cae5b6 b684 MOV DH, 0x84
0x84cae5b8 b8e5ca84b8 MOV EAX, 0xb884cae5
0x84cae5bd e5ca IN EAX, 0xca
0x84cae5bf 8400 TEST [EAX], AL
0x84cae5c1 c0ed13 SHR CH, 0x13
…
The goal was to find hooks within the code, but it seems to be a challenge to find the complete process itself…
What could I do?
Regards
Mic
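A note on what the volshell output above actually shows, with an added example that is not part of the original post. The offset 0x84cae5a8 is the kernel-mode address of the _EPROCESS object for services.exe, so db()/dis() at that address print the object itself (the _KPROCESS header), not the PE header of the executable. The PE header lives in the process's user-space at _EPROCESS.Peb -> ImageBaseAddress, and the two Volatility errors say that those user-space pages are simply not present in the image (a hibernation file only contains what was written out on suspend). The script below decodes the first bytes of the posted dump under the assumption that the profile is Windows XP x86 (the System DTB of 0x39000 and the 0x6c-byte _KPROCESS are consistent with that); the field offsets, the function names and the constructed minimal PE header are my own, not from the post or from Volatility.

```python
import struct

# Bytes copied from the db(0x84cae5a8) output in the post (128 bytes).
EPROCESS_VA = 0x84CAE5A8
EPROCESS_BYTES = bytes.fromhex(
    "03 00 1b 00 00 00 00 00 b0 7c b6 84 b0 7c b6 84"
    "b8 e5 ca 84 b8 e5 ca 84 00 c0 ed 13 00 50 ee 13"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "ac 20 00 00 00 00 00 00 39 0a 00 00 4f 0c 00 00"
    "e8 e5 ca 84 e8 e5 ca 84 00 00 00 00 00 00 00 00"
    "58 9f b8 84 d0 51 60 84 00 00 00 00 01 00 00 00"
    "14 00 09 06 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 f3 e8 2b 5d 41 cd 01 00 00 00 00 00 00 00 00"
)

# Assumed Windows XP x86 _KPROCESS layout (first 0x20 bytes):
#   0x00 _DISPATCHER_HEADER { Type (1), Absolute (1), Size (1, in DWORDs), ... }
#   0x10 ProfileListHead   _LIST_ENTRY (Flink, Blink)
#   0x18 DirectoryTableBase[2] (page directory, hyperspace)
DISPATCHER_TYPE_PROCESS = 3


def decode_kprocess_head(data: bytes, base_va: int) -> dict:
    """Decode the leading _KPROCESS fields of an _EPROCESS dump (XP x86 layout assumed)."""
    obj_type = data[0]
    size_dwords = data[2]
    flink, blink = struct.unpack_from("<II", data, 0x10)
    dtb, hyperspace = struct.unpack_from("<II", data, 0x18)
    list_head_va = base_va + 0x10
    return {
        "type": obj_type,
        "is_process_object": obj_type == DISPATCHER_TYPE_PROCESS,
        "size_bytes": size_dwords * 4,
        # An empty LIST_ENTRY points at itself; here both links equal base+0x10.
        "profile_list_empty": flink == list_head_va and blink == list_head_va,
        "dtb": dtb,
        "hyperspace_dtb": hyperspace,
    }


def looks_like_pe(data: bytes) -> bool:
    """Sanity check before disassembling: does this buffer start with a PE image header?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed minimal PE header (not from the post) to show the positive case.
SAMPLE_PE_HEADER = (
    b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
)


if __name__ == "__main__":
    info = decode_kprocess_head(EPROCESS_BYTES, EPROCESS_VA)
    print("DISPATCHER_HEADER.Type = %d (process object: %s)"
          % (info["type"], info["is_process_object"]))
    print("_KPROCESS size         = 0x%x bytes" % info["size_bytes"])
    print("ProfileListHead empty  = %s" % info["profile_list_empty"])
    print("DirectoryTableBase     = 0x%08x (volshell reported DTB=0x13edc000)"
          % info["dtb"])
    print("PE header at 0x%08x?   %s" % (EPROCESS_VA, looks_like_pe(EPROCESS_BYTES)))
    print("PE header in sample?   %s" % looks_like_pe(SAMPLE_PE_HEADER))
```

The decoded DirectoryTableBase (0x13edc000) is exactly the DTB volshell printed after cc(), which confirms that the dumped bytes are the kernel process object and not the executable, and the missing MZ signature shows why dis() on that address produces nonsense. To get at the code instead, the process's VADs (the vadinfo/vaddump plugins, or proc().VadRoot in volshell) and the pages that are still resident in the image are the places to look; whatever is paged out is not in the hibernation file at all.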