There are various ways of injecting code without using a DLL. To quote the CommandReference (http://code.google.com/p/volatility/wiki/CommandReference#apihooks):
"Here is an example of detecting IAT hooks installed by Coreflood. The far right field contains UNKNOWN because there is no module associated with the memory in which the rootkit code exists."
You can dump the code block using vaddump, then look for the file named according to the 0xba range.
MHL
On Thu, Dec 8, 2011 at 1:25 PM, malware monna <malware.monna(a)gmail.com> wrote:
Hi All,
I'm new to Volatility. I was trying to analyze a SpyEye sample, and while running apihooks I got the output below. It looks like there is an inline API hook, and I see a jump into this 0xba..... location. I would like to know the DLL that is associated with a JMP; in this case it shows UNKNOWN. How can I determine the DLL, and how can I dump the DLL from memory? Any information would be helpful. Sorry if this is a stupid question.
VMwareUser.exe[636] inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
VMwareUser.exe[636] inline wininet.dll!InternetReadFileExA[0x78082ae2] 0x78082ae2 JMP 0xbaf1526 (UNKNOWN)
VMwareUser.exe[636] inline wininet.dll!InternetWriteFile[0x78073645] 0x78073645 JMP 0xbaf2d4b (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!ZwVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
VMwareUser.exe[636] inline crypt32.dll!PFXImportCertStore[0x77aeff8f] 0x77aeff8f JMP 0xbae0b02 (UNKNOWN)
VMwareUser.exe[636] inline user32.dll!TranslateMessage[0x7e418bf6] 0x7e418bf6 JMP 0xbadc47f (UNKNOWN)
VMwareUser.exe[636] inline advapi32.dll!CryptEncrypt[0x77dee340] 0x77dee340 JMP 0xbaeda23 (UNKNOWN)
VMwareUser.exe[636] inline ws2_32.dll!send[0x71ab4c27] 0x71ab4c27 JMP 0xbaee35d (UNKNOWN)
ctfmon.exe[768] inline ntdll.dll!NtClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
ctfmon.exe[768] inline ntdll.dll!ZwClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
Thanks
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
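The triage step MHL describes (take the UNKNOWN JMP targets from apihooks, find the address range they fall in, then pick the matching vaddump file) is easy to do by hand for a few hooks but tedious for a listing like the one above, where the same targets recur across processes. The script below is an added example written for this thread; it is not Volatility code and not from either poster. It parses apihooks records in the one-line shape quoted above (the sample lines are constructed from that listing), groups unresolved targets per process, flags targets shared by several processes, and matches targets against vaddump output file names. The vaddump file-name pattern it expects, `<process>.<offset>.<start>-<end>.dmp`, and the sample file names are assumptions; adjust VADDUMP_RE to whatever your Volatility version actually emits.

```python
"""Triage helper for Volatility apihooks output (added example, not Volatility code).

Collects JMP targets that apihooks could not attribute to a module ("UNKNOWN"),
summarises them per process, and matches them against vaddump file names so the
analyst knows which dump file holds the code the hook jumps into.
"""
import re
from collections import defaultdict

# One apihooks record per line, as the mail client would show it unwrapped.
HOOK_RE = re.compile(
    r"^(?P<proc>\S+)\[(?P<pid>\d+)\]\s+(?P<kind>\S+)\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+?)\[0x[0-9a-fA-F]+\]\s+"
    r"(?P<hooked>0x[0-9a-fA-F]+)\s+JMP\s+(?P<target>0x[0-9a-fA-F]+)\s+"
    r"\((?P<owner>[^)]*)\)\s*$"
)

# Constructed sample input, taken from the records quoted in the thread.
SAMPLE_APIHOOKS = """\
VMwareUser.exe[636] inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
VMwareUser.exe[636] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636] inline ws2_32.dll!send[0x71ab4c27] 0x71ab4c27 JMP 0xbaee35d (UNKNOWN)
ctfmon.exe[768] inline ntdll.dll!NtClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
wmiprvse.exe[1876] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
"""

# ASSUMED vaddump naming: <process>.<offset>.<start>-<end>.dmp (check your version).
VADDUMP_RE = re.compile(r"\.(?P<start>0x[0-9a-fA-F]+)-(?P<end>0x[0-9a-fA-F]+)\.dmp$")


def parse_apihooks(text):
    """Return one dict per line that matches HOOK_RE; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["target"] = int(d["target"], 16)
            hooks.append(d)
    return hooks


def unknown_ranges(hooks):
    """Per (process, pid): (lowest target, highest target, hook count) over the
    hooks whose destination has no owning module. The low/high pair is the
    address range to look for among the vaddump files."""
    lo, hi, n = {}, {}, defaultdict(int)
    for h in hooks:
        if h["owner"] != "UNKNOWN":
            continue
        key = (h["proc"], h["pid"])
        lo[key] = min(lo.get(key, h["target"]), h["target"])
        hi[key] = max(hi.get(key, h["target"]), h["target"])
        n[key] += 1
    return {k: (lo[k], hi[k], n[k]) for k in lo}


def shared_targets(hooks):
    """Targets seen in more than one process. The same destination address in
    several processes means the same injected code is mapped at the same base
    in each of them, so one dumped region usually explains all of them."""
    seen = defaultdict(set)
    for h in hooks:
        seen[h["target"]].add((h["proc"], h["pid"]))
    return {t: sorted(p) for t, p in seen.items() if len(p) > 1}


def locate_in_vaddump(hooks, filenames):
    """Map (process, pid, target) of each UNKNOWN hook to the vaddump file whose
    process prefix and address range contain the target, or None if no file does."""
    ranges = []
    for name in filenames:
        m = VADDUMP_RE.search(name)
        if m:
            ranges.append((int(m.group("start"), 16), int(m.group("end"), 16), name))
    result = {}
    for h in hooks:
        if h["owner"] != "UNKNOWN":
            continue
        result[(h["proc"], h["pid"], h["target"])] = next(
            (name for s, e, name in ranges
             if name.startswith(h["proc"] + ".") and s <= h["target"] <= e),
            None,
        )
    return result


if __name__ == "__main__":
    hooks = parse_apihooks(SAMPLE_APIHOOKS)
    for key, (lo, hi, n) in unknown_ranges(hooks).items():
        print("%s[%d]: %d unresolved hooks, targets 0x%x-0x%x" % (key[0], key[1], n, lo, hi))
    for target, procs in shared_targets(hooks).items():
        print("0x%x is hooked from %s" % (target, procs))
    # Constructed vaddump file names in the assumed naming scheme.
    dumps = ["VMwareUser.exe.2245b30.0x0ba00000-0x0bafffff.dmp",
             "ctfmon.exe.2246a80.0x00a00000-0x00a0ffff.dmp"]
    for key, name in locate_in_vaddump(hooks, dumps).items():
        print("%s[%d] target 0x%x -> %s" % (key[0], key[1], key[2], name))
```

Feed it the full apihooks listing (`python triage.py < apihooks.txt` after swapping SAMPLE_APIHOOKS for `sys.stdin.read()`) together with a directory listing of the vaddump output, and the unresolved targets collapse to one or two address ranges per process, which is the "0xba range" MHL refers to. A target that no vaddump file covers is itself worth noting: either the naming assumption is wrong for your version, or the region was not dumped.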