Hi Kathy, 

One quick thing about impscan is the --base option should be passed the base address of the memory range to scan. Neither the ?10 address or nor the ?12 address is truly a "base" address, so that's why it fails on those. The bases according to your output are 0x1f00000 (which you did and got 3 results: HeapFree, GetProcessHeap, and HeapAlloc) and 0x01f50000. Thus try using impscan --base=0x01f50000 if you haven't already. The fact that the MZ header at 0x01f50012 isn't at the base of the memory region (0x01f50000) is quite suspect. If loaded through a normal API function like CreateProcess, LoadLibrary, etc then the MZ will always be at the base. You can also use vaddump --base=0x01f50000 to dump out the memory segment, then use a hex editor to remove the first 0x12 bytes, and load the resulting file into something like LordPE, CFF Explorer, PE explorer, etc to see what you can gather about its imports. Those are just a few things to get you started. 

MHL


On Fri, Jan 17, 2014 at 11:54 AM, Kathy Simmons <kathys82911@gmail.com> wrote:
I have a memory dump of a Windows XP box with a piece of malware running in it. In the course of running malfind on the image, there are eight responses, two of which are below (A and B).

After the malfind command, I run the impscan command to look at the imports:
           python vol.py impscan -p 820 -b 0x1f00000
           python vol.py impscan -p 820 -b 0x01f50010

The response to the first impscan command is what I expected (see C below).  The response to the second impscan command (see D below) is not what I expected at all - no imports?

I also ran impscan on the address 0x01f50012 based on the results from the malfind command (see D below) as I figured that I wanted to dump the dll starting on the beginning of the MZ header. But neither address produced any imports - I'm not sure where to go from here.


I'm very new at this; any help would be greatly appreciated.  My end goal is to take this piece of malware, which looks to have injected several dll's into a process, dump out each dll, then  have them reverse engineered.

Thanks-



A.
Process: xxxxxx.exe Pid: 820 Address: 0x1f00000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, PrivateMemory: 1, Protection: 6

0x01f00000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01f00010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x01f00020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01f00030  00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00   ................

0x1f00000 4d               DEC EBP
0x1f00001 5a               POP EDX
0x1f00002 90               NOP
0x1f00003 0003             ADD [EBX], AL
0x1f00005 0000             ADD [EAX], AL

0x1f00007 000400           ADD [EAX+EAX], AL
0x1f0000a 0000             ADD [EAX], AL
0x1f0000c ff               DB 0xff
0x1f0000d ff00             INC DWORD [EAX]
0x1f0000f 00b800000000     ADD [EAX+0x0], BH
0x1f00015 0000             ADD [EAX], AL
0x1f00017 004000           ADD [EAX+0x0], AL
0x1f0001a 0000             ADD [EAX], AL
0x1f0001c 0000             ADD [EAX], AL
0x1f0001e 0000             ADD [EAX], AL
0x1f00020 0000             ADD [EAX], AL
0x1f00022 0000             ADD [EAX], AL
0x1f00024 0000             ADD [EAX], AL
0x1f00026 0000             ADD [EAX], AL
0x1f00028 0000             ADD [EAX], AL
0x1f0002a 0000             ADD [EAX], AL
0x1f0002c 0000             ADD [EAX], AL
0x1f0002e 0000             ADD [EAX], AL
0x1f00030 0000             ADD [EAX], AL
0x1f00032 0000             ADD [EAX], AL
0x1f00034 0000             ADD [EAX], AL
0x1f00036 0000             ADD [EAX], AL
0x1f00038 0000             ADD [EAX], AL
0x1f0003a 0000             ADD [EAX], AL
0x1f0003c c8000000         ENTER 0x0, 0x0


B.
Process: XXXXXX.exe Pid: 820 Address: 0x1f50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 59, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01f50000  4c 1b cd 25 00 00 09 e8 16 4f 9e 7e cd 25 00 00   L..%.....O.~.%..
0x01f50010  00 00 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff   ..MZ............
0x01f50020  00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00   ..........@.....
0x01f50030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x1f50000 4c               DEC ESP
0x1f50001 1bcd             SBB ECX, EBP
0x1f50003 25000009e8       AND EAX, 0xe8090000
0x1f50008 16               PUSH SS
0x1f50009 4f               DEC EDI
0x1f5000a 9e               SAHF
0x1f5000b 7ecd             JLE 0x1f4ffda
0x1f5000d 2500000000       AND EAX, 0x0
0x1f50012 4d               DEC EBP
0x1f50013 5a               POP EDX
0x1f50014 90               NOP
0x1f50015 0003             ADD [EBX], AL
0x1f50017 0000             ADD [EAX], AL
0x1f50019 000400           ADD [EAX+EAX], AL
0x1f5001c 0000             ADD [EAX], AL
0x1f5001e ff               DB 0xff
0x1f5001f ff00             INC DWORD [EAX]
0x1f50021 00b800000000     ADD [EAX+0x0], BH
0x1f50027 0000             ADD [EAX], AL
0x1f50029 004000           ADD [EAX+0x0], AL
0x1f5002c 0000             ADD [EAX], AL
.................
................

C.
python vol.py impscan -p 9820 -b 0x01f00000
Volatility Foundation Volatility Framework 2.3.1
IAT                Call               Module               Function
------------------ ------------------ -------------------- --------
0x0000000001f07d10 0x0000000076cf2c70 kernel32.dll         HeapFree
0x0000000001f07d18 0x0000000076cf2d60 kernel32.dll         GetProcessHeap
0x0000000001f07d20 0x0000000076e41b70 kernel32.dll         HeapAlloc


D.
python vol.py impscan -p 820 -b 0x01f50010
Volatility Foundation Volatility Framework 2.3.1
IAT                Call               Module               Function
------------------ ------------------ -------------------- --------

E.
python vol.py impscan -p 820 -b 0x01f50012
Volatility Foundation Volatility Framework 2.3.1
IAT                Call               Module               Function
------------------ ------------------ -------------------- --------


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users