Re: [Vol-users] Output of strings not found in memdump output

Hi Michael, *sigh* When will I learn to check the origin of my samples?! The guy who provided me with the sample tells me that he took a snapshot of a VMWare machine and then used vss2core to convert it. I BELIEVE that makes it into a Windows Memory Core Dump..? I got hold of the original vmem and vmsn files. Trying to use imagecopy on the vmsn just replicated the input file. I think the header is not what Volatility would expect: $ xxd Windows\ XP\ Pro\ SP2\ \(32-bit\)-Snapshot49.vmsn |head 0000000: d2be d2be 0800 0000 6300 0000 4368 6563 ........c...Chec 0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000 kpoint.......... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000040: 0000 0000 0000 0000 0000 0000 fc1e 0000 ................ 0000050: 0000 0000 ab03 0000 0000 0000 4775 6573 ............Gues 0000060: 7456 6172 7300 0000 0000 0000 0000 0000 tVars........... 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000090: 0000 0000 0000 0000 0000 0000 a722 0000 .............".. Does that mean I can't use this with Volatility? Thank you, Adam On 23 March 2015 at 14:57, Michael Ligh &lt;michael.ligh(a)mnin.org <mailto:michael.ligh@mnin.org>> wrote: Hey Adam, We forgot to ask if the sample was a raw memory dump. For example: $ xxd ~/Desktop/memory.dmp | less 0000000: 5041 4745 4455 4d50 0f00 0000 280a 0000 PAGEDUMP....(... 0000010: 8001 6c07 00c0 e680 a031 5580 5892 5580 ..l......1U.X.U. 0000020: 4c01 0000 0100 0000 8000 0000 5444 4f00 L...........TDO. 0000030: 0000 0000 0000 0000 0000 0000 5041 4745 ............PAGE 0000040: 5041 4745 5041 4745 5041 4745 5041 4745 PAGEPAGEPAGEPAGE If its something like a crash dump, hibernation, etc then the file format headers throw off the offsets. You can convert those special file types into a raw memory dump with the imagecopy plugin and then your strings translations should be accurate. Cheers! MHL On 3/23/15 8:54 AM, Bridgey theGeek wrote: > On 03/23/2015 04:38 AM, Bridgey theGeek wrote: >> Thanks Andrew: >> >> python vol.py --profile=WinXPSP2x86 -f memory.dmp volshell -p >> 123 Volatility Foundation Volatility Framework 2.4 Current >> context: myapp.exe @ 0x822042f8, pid=123, ppid=392 > DTB=0x76c0040 >> Welcome to volshell! Current memory image is: >> file:///home/memory.dmp To get help, type 'hh()' >>>>> db(0x75b6b4d8) >> 0x75b6b4d8 c3 7c 15 c7 85 00 ff ff ff 01 00 00 00 75 09 8d >> .|...........u.. 0x75b6b4e8 85 0c ff ff ff 50 ff 17 39 9d 00 >> ff ff ff 89 85 .....P..9....... 0x75b6b4f8 30 ff ff ff 74 12 >> 6a 0c 8d 85 c4 fe ff ff 50 6a 0...t.j.......Pj 0x75b6b508 07 >> 6a fe e8 ea 92 ff ff 83 bd 28 ff ff ff 0c 0f .j........(..... >> 0x75b6b518 84 8c 59 00 00 e9 18 ff ff ff 90 90 47 00 6c 00 >> ..Y.........G.l. 0x75b6b528 6f 00 62 00 61 00 6c 00 5c 00 54 >> 00 65 00 72 00 o.b.a.l.\.T.e.r. 0x75b6b538 6d 00 53 00 72 00 >> 76 00 52 00 65 00 61 00 64 00 m.S.r.v.R.e.a.d. 0x75b6b548 79 >> 00 45 00 76 00 65 00 6e 00 74 00 00 00 90 90 y.E.v.e.n.t..... >> >> Nope, still no banner. But it is identical to what I find at > 0x1a34d8 in >> 123.dmp. (As you'd expect.) Double-checked that I was >> searching Unicode and ASCII - still no luck. >> >> Hmmm. >> >>> >> On 23 March 2015 at 04:02, Andrew Case &lt;atcuno(a)gmail.com <mailto:atcuno@gmail.com> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>>> wrote: >> >> Can do you: >> >> vol.py ... volshell -p 123 >> >> Then in volshell do: >> >> db(0x75b6b4d8) >> >> And see if you get the banner printed at the beginning? >> >> Also, how are you searching 123.dmp? Did you search ascii & > unicode >> (most common error) >> >>> >> On 03/20/2015 03:59 PM, Bridgey theGeek wrote: >>> Hi all, >>> >>> I can't quite see what's wrong with my logic here, but I >>> must be >> missing >>> something. Hoping someone can help me out. >>> >>> I'm looking for a private key in a memory sample >>> (WinXPSP2x86). Specifically, to find out which process/es >>> is/are accessing it. >>> >>> I can find the key by searching the raw memory dump > (memory.dmp). >>> As you might expect it's between: -----BEGIN RSA PRIVATE >>> KEY----- -----END RSA PRIVATE KEY----- >>> >>> I generated an offset:string file by using strings. Then, >>> using the strings plugin I get this output: $ python vol.py >>> -f memory.dmp --profile=WinXPSP2x86 strings > -s pk.txt >>> Volatility Foundation Volatility Framework 2.4 188435934 >>> [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY----- 188435968 >>> [FREE MEMORY:-1] -----END RSA PRIVATE KEY----- 317375704 >>> [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY----- 317376575 >>> [kernel:d2ab283f] -----END RSA PRIVATE KEY----- 417203416 >>> [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY----- 417204287 >>> [123:75b6b83f] -----END RSA PRIVATE KEY----- 419888606 [FREE >>> MEMORY:-1] -----BEGIN RSA PRIVATE KEY----- 419888640 [FREE >>> MEMORY:-1] -----END RSA PRIVATE KEY----- >>> >>> Lovely. So I now do a memdump of process 123: $ python >>> vol.py -f memory.dmp --profile=WinXPSP2x86 memdump > --pid=123 >>> --dump-dir=123 Volatility Foundation Volatility Framework >>> 2.4 >>> >> ************************************************************************ <mailto:Vol-users@volatilityfoundation.org> <mailto:Vol-users@volatilityfoundation.org>> <mailto:Vol-users@volatilityfoundation.org> > <mailto:Vol-users@volatilityfoundation.org>>> >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>> >> >> -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iF4EAREKAAYFAlUQa/wACgkQXnt9v1O0LIvSUwD/dQmzW2p9WhsGyMFRBy2/Q/P3 AnZWxDcdCieeVz64W2EBAJ5D6CrInY/7c/yUliTNB9MrHw7RkGzWOX8GtI54UPvw =WW/7 -----END PGP SIGNATURE-----