Can you do:
vol.py ... volshell -p 123
Then in volshell do:
db(0x75b6b4d8)
And see if you get the banner printed at the beginning?
Also, how are you searching 123.dmp? Did you search ascii & unicode
(most common error)
Thanks,
Andrew (@attrc)
On 03/20/2015 03:59 PM, Bridgey theGeek wrote:
  Hi all,
 I can't quite see what's wrong with my logic here, but I must be missing
 something.
 Hoping someone can help me out.
 I'm looking for a private key in a memory sample (WinXPSP2x86).
 Specifically, to find out which process/es is/are accessing it.
 I can find the key by searching the raw memory dump (memory.dmp).
 As you might expect it's between:
 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----
 I generated an offset:string file by using strings.
 Then, using the strings plugin I get this output:
 $ python vol.py -f memory.dmp --profile=WinXPSP2x86 strings -s pk.txt
 Volatility Foundation Volatility Framework 2.4
 188435934 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
 188435968 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
 317375704 [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY-----
 317376575 [kernel:d2ab283f] -----END RSA PRIVATE KEY-----
 417203416 [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY-----
 417204287 [123:75b6b83f] -----END RSA PRIVATE KEY-----
 419888606 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
 419888640 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
 Lovely. So I now do a memdump of process 123:
 $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memdump --pid=123
 --dump-dir=123
 Volatility Foundation Volatility Framework 2.4
 ************************************************************************
 Writing myapp.exe [   123] to 123.dmp
 However, if I search 123.dmp neither the BEGIN or END strings are present.
 So I thought I'd try and find it via the virtual address given, 0x75b6b4d8:
 $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memmap --pid=123
 Virtual    Physical         Size DumpFileOffset
 ---------- ---------- ---------- --------------
 --SNIP--
 0x75b6b000 0x18de0000     0x1000       0x1a3000
 --SNIP--
 The text is indeed at 0x18de04d8 in memory.dmp, but not at 0x1a34d8 in 123.dmp.
 Again, it's nowhere to be found in 123.dmp.
 Any suggestions..??
 Many thanks,
 Adam
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
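An added example, not code from the thread or from Volatility itself, that performs the two checks discussed above: it parses the memmap row quoted in the mail to translate 0x75b6b4d8 into its memory.dmp and 123.dmp offsets, and it searches a dump buffer for the PEM marker in both ASCII and UTF-16LE, which is the encoding mismatch Andrew points to. The memmap row is the one from the mail; the byte buffer SAMPLE_DUMP is constructed for the demonstration.

```python
import re

# memmap output as printed in the mail (header lines plus the one row shown).
MEMMAP_SAMPLE = """\
Virtual    Physical         Size DumpFileOffset
---------- ---------- ---------- --------------
0x75b6b000 0x18de0000     0x1000       0x1a3000
"""

# A memmap data row: four hex columns (virtual, physical, size, dump file offset).
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)$", re.I)

MARKER = "-----BEGIN RSA PRIVATE KEY-----"

# Constructed buffer standing in for 123.dmp: the marker once as ASCII (offset 16)
# and once as UTF-16LE (offset 55), with zero padding between.
SAMPLE_DUMP = (b"\x00" * 16 + MARKER.encode("ascii")
               + b"\x00" * 8 + MARKER.encode("utf-16-le") + b"\x00" * 8)


def parse_memmap(text):
    """Return [(virtual, physical, size, dump_offset), ...] from memmap plugin output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(tuple(int(x, 16) for x in m.groups()))
    return rows


def translate(rows, va):
    """Map a virtual address to (offset in memory.dmp, offset in the memdump file),
    or None when no mapped page covers it."""
    for virt, phys, size, dump_off in rows:
        if virt <= va < virt + size:
            delta = va - virt  # offset inside the 4 KiB page
            return phys + delta, dump_off + delta
    return None


def find_marker(buf, marker=MARKER):
    """Search a dump buffer for the marker as ASCII and as UTF-16LE.
    Returns {encoding: [offsets]}; a hit only under utf-16-le explains an
    ASCII-only grep coming back empty."""
    hits = {}
    for enc in ("ascii", "utf-16-le"):
        needle = marker.encode(enc)
        offs, pos = [], buf.find(needle)
        while pos != -1:
            offs.append(pos)
            pos = buf.find(needle, pos + 1)
        hits[enc] = offs
    return hits


if __name__ == "__main__":
    rows = parse_memmap(MEMMAP_SAMPLE)
    print("0x75b6b4d8 ->", [hex(x) for x in translate(rows, 0x75b6b4d8)])
    print(find_marker(SAMPLE_DUMP))
```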