Are you asking about the `strings` plugin itself? It really doesn't
matter what the "string" is next to the offset, it should just work as
long as there is an offset and some kind of string next to it. For
example, I took a regular strings output and modified one of the
strings with your hex string:
225297940:Info
225297948:Info_Cert0
225297960:Software\Microsoft\WM Rights Manager\License Server
225298012:Microsoft Corporation
225298040:F_-
225298058:@Bt
225298113:0]G
225298125:VeD
225298173:YoL
225298209:\x55\x5e\xe2\xfd\x83\xc4 <- modified here
Running Volatility with the `strings` plugin yields:
0d6dc614 [1004:1527629332 3812:353515028] Info
0d6dc61c [1004:1527629340 3812:353515036] Info_Cert0
0d6dc628 [1004:1527629352 3812:353515048] Software\Microsoft\WM Rights
Manager\License Server
0d6dc65c [1004:1527629404 3812:353515100] Microsoft Corporation
0d6dc678 [1004:1527629432 3812:353515128] F_-
0d6dc68a [1004:1527629450 3812:353515146] @Bt
0d6dc6c1 [1004:1527629505 3812:353515201] 0]G
0d6dc6cd [1004:1527629517 3812:353515213] VeD
0d6dc6fd [1004:1527629565 3812:353515261] YoL
0d6dc721 [1004:1527629601 3812:353515297] \x55\x5e\xe2\xfd\x83\xc4
<- see the string doesn't really matter...
Now I've modified the same file with a hex editor to ensure that I
have some binary stuff as the string itself:
225297940:Info
225297948:Info_Cert0
225297960:Software\Microsoft\WM Rights Manager\License Server
225298012:Microsoft Corporation
225298040:F_-
225298058:@Bt
225298113:0]G
225298125:VeD
225298173:YoL
225298209:^[ ^A^E<9a>^Hh <- my funky string as seen in vim (editor)
.... and now my output as seen from vim:
0d6dc614 [1004:1527629332 3812:353515028] Info
0d6dc61c [1004:1527629340 3812:353515036] Info_Cert0
0d6dc628 [1004:1527629352 3812:353515048] Software\Microsoft\WM Rights
Manager\License Server
0d6dc65c [1004:1527629404 3812:353515100] Microsoft Corporation
0d6dc678 [1004:1527629432 3812:353515128] F_-
0d6dc68a [1004:1527629450 3812:353515146] @Bt
0d6dc6c1 [1004:1527629505 3812:353515201] 0]G
0d6dc6cd [1004:1527629517 3812:353515213] VeD
0d6dc6fd [1004:1527629565 3812:353515261] YoL
0d6dc721 [1004:1527629601 3812:353515297] ^[ ^A^E<9a>^Hh <- again
the string doesn't matter...
And actually I see that we don't even have to have a string next to
the offset, so the string really doesn't matter (the string was erased
from the input file and we can see that the output file is ok):
0d6dc614 [1004:1527629332 3812:353515028] Info
0d6dc61c [1004:1527629340 3812:353515036] Info_Cert0
0d6dc628 [1004:1527629352 3812:353515048] Software\Microsoft\WM Rights
Manager\License Server
0d6dc65c [1004:1527629404 3812:353515100] Microsoft Corporation
0d6dc678 [1004:1527629432 3812:353515128] <-
string was erased from input file
0d6dc68a [1004:1527629450 3812:353515146] @Bt
0d6dc6c1 [1004:1527629505 3812:353515201] 0]G
0d6dc6cd [1004:1527629517 3812:353515213] VeD
0d6dc6fd [1004:1527629565 3812:353515261] YoL
0d6dc721 [1004:1527629601 3812:353515297] ^[ ^A^E<9a>^Hh
So there you have it. Experiment on your own as well.
-gleeda
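One way to produce that `offset:string` input file for hex byte patterns, as an added example that is not part of this thread or of Volatility itself (the sample image, the pattern labels and the function names are constructed for illustration):

```python
"""Build a Volatility `strings` plugin input file from raw byte patterns.

Added example, not part of the thread: as gleeda's runs show, the plugin only
needs `offset:string` lines with a decimal physical offset, so hex patterns can
be located in the dump ourselves and emitted in exactly that shape.
"""
import re

# Constructed stand-in for a memory image; a real run would read the dump file.
SAMPLE_IMAGE = (
    b"\x00" * 16 + b"Info\x00" + b"\x00" * 11
    + b"\x55\x5e\xe2\xfd\x83\xc4"                  # the pattern from the thread
    + b"\x00" * 10 + b"\x55\x5e\xe2\xfd\x83\xc4" + b"\x00" * 5
)

def parse_hex_pattern(text: str) -> bytes:
    """Accept '\\x55\\x5e...', '55 5e ...' or '0x55,0x5e' and return raw bytes."""
    cleaned = re.sub(r"\\x|0x|[\s,]", "", text)
    if not cleaned:
        raise ValueError(f"no hex bytes in pattern: {text!r}")
    return bytes.fromhex(cleaned)        # raises ValueError on odd/invalid hex

def find_pattern_offsets(image: bytes, pattern: bytes) -> list:
    """Return every physical offset where `pattern` occurs (overlaps included)."""
    offsets = []
    pos = image.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(pattern, pos + 1)
    return offsets

def build_strings_input(image: bytes, patterns: dict) -> list:
    """Return sorted `offset:label` lines, one per hit, for the strings plugin."""
    # `patterns` maps a label (echoed back by the plugin, never interpreted)
    # to a hex pattern string in any of the accepted spellings.
    lines = []
    for label, text in patterns.items():
        for off in find_pattern_offsets(image, parse_hex_pattern(text)):
            lines.append(f"{off}:{label}")
    return sorted(lines, key=lambda line: int(line.split(":", 1)[0]))

if __name__ == "__main__":
    # Hypothetical labels; write the printed lines to a file and hand that
    # file to the strings plugin as its strings input.
    hits = build_strings_input(SAMPLE_IMAGE, {"hexpat": r"\x55\x5e\xe2\xfd\x83\xc4",
                                              "Info": "49 6e 66 6f"})
    print("\n".join(hits))
```

Because the plugin echoes the label untouched, a readable tag such as a rule name is a better choice than the raw bytes when the output is later matched against PIDs in a spreadsheet.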
On Sun, Apr 15, 2012 at 2:11 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
Hi David,
In this case I'd say "no". I have the strings and their addresses I've
found
in memory. I'm looking for the PIDs that have the string in it. The strings
output is exactly what I want and I can use it to do mass lookups. strings
is quite nice for this job!
I'll look more into yara rules. I need something that can be easy to use for
many strings.
I am currently using encase and excel to export and format my memory hits.
It only takes a few minutes to make the strings input file. This fits the
bill for what I am using exactly if it is ascii, but not so well for binary.
I'll look closer at yara rules for this.
Thanks and have a great weekend,
Mike
________________________________
CC: vol-users(a)volatilityfoundation.org
From: phatbuckett(a)gmail.com
Subject: Re: [Vol-users] using hex values with strings command
Date: Sat, 14 Apr 2012 23:35:44 -0700
To: dragonforen(a)hotmail.com
Hi Mike,
Does malfind plugin + yara rule(s) work for your use case?
DS
On Apr 14, 2012, at 9:12 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I have read the command reference for the strings plugin and do not see an
option to specify the string to look for in anything other than ascii.
Could strings be expanded to include hex values, perhaps in the form of
\x55\x5e\xe2\xfd\x83\xc4 or something like that?
Thanks,
Mike Lambert
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92