10:21 a.m.
Hi guys,
Currently I've got a sample of an infected win7 machine with enough
memory (8gb) which is not being used by anything except for 'the
malware' (no running office etc) so quite a lot of stuff should not
have been swapped out of memory yet.
Strangely, I can't dump the process:
; vol.py -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
--dump-dir results/4932.bin
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
Okay so it might be not in memory anymore... fine. So let's scan for
network activity using connscan.
This does not yield any results either.... just like svcscan.
Also the image is very very slow... on a regular machine (core i5 2400,
20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
Also malfind mentions :
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
Psxview says al processes are like this:
0x000000021a841060 <PROCESSNAME> 6640 False True False
False False
Isn't that just weird? (yes it's because psscan is the only module being
able to retrieve data from memory... but isn't that strange)
This makes me presume my memory images are broken. My collaegue
probably (!) used winpmem -f for doing this. What's the best way to
create a memory image on a windows7 x64 box without having admin? (these
boxes are remotely managed and it takes a looooot of time to make sure
an admin will do something).
Or is this just perfectly normal behaviour and is win7x64 just being
badly supported by volatility? (I know the networkbased plugins don't
work but that's okay... it's being mentioned in the docs)
Furthermore: during our recent volatility training (in amsterdam), we
used a plugin for getting data from internet explorer history. I had a
look online and didn't find it, is it non-public?
Cheers,
Boudewijn Ector
11:30 a.m.
Nice to hear from someone from our class =)
A few things about your post...
8GB on x64 is where several acquisition tools seem to break, so it is
may be that and your output seems to indicate so.
Also, you are using Volatility 2.2 which is quite old at this point. I
would recommend using the latest through SVN. Not only is there many
bugfixes, but also new plugins, such as iehistory that will help you
recover the IE data you want and is the one we used in class.
Also, we have full support for networking information on Windows 7
x64, you just have to use the netscan plugin and not the others
(sockets, sockscan, etc.).
Do you have any other acquisition tools you can use or are your
machines virtualized?
On Wed, Oct 23, 2013 at 9:21 AM, Boudewijn Ector
<boudewijn(a)boudewijnector.nl> wrote:
Hi guys,
Currently I've got a sample of an infected win7 machine with enough
memory (8gb) which is not being used by anything except for 'the
malware' (no running office etc) so quite a lot of stuff should not
have been swapped out of memory yet.
Strangely, I can't dump the process:
; vol.py -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
--dump-dir results/4932.bin
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
Okay so it might be not in memory anymore... fine. So let's scan for
network activity using connscan.
This does not yield any results either.... just like svcscan.
Also the image is very very slow... on a regular machine (core i5 2400,
20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
Also malfind mentions :
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
Psxview says al processes are like this:
0x000000021a841060 <PROCESSNAME> 6640 False True False
False False
Isn't that just weird? (yes it's because psscan is the only module being
able to retrieve data from memory... but isn't that strange)
This makes me presume my memory images are broken. My collaegue
probably (!) used winpmem -f for doing this. What's the best way to
create a memory image on a windows7 x64 box without having admin? (these
boxes are remotely managed and it takes a looooot of time to make sure
an admin will do something).
Or is this just perfectly normal behaviour and is win7x64 just being
badly supported by volatility? (I know the networkbased plugins don't
work but that's okay... it's being mentioned in the docs)
Furthermore: during our recent volatility training (in amsterdam), we
used a plugin for getting data from internet explorer history. I had a
look online and didn't find it, is it non-public?
Cheers,
Boudewijn Ector
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:37 a.m.
Boudewijn,
I agree, it looks like your memory dump is corrupted. To answer your
question about internet explorer history, that is the iehistory plugin [1]
[2], which is provided with volatility 2.3.
[1].
http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehi…
[2].
https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…
Michael
On Wed, Oct 23, 2013 at 11:30 AM, Andrew Case <atcuno(a)gmail.com> wrote:
Nice to hear from someone from our class =)
A few things about your post...
8GB on x64 is where several acquisition tools seem to break, so it is
may be that and your output seems to indicate so.
Also, you are using Volatility 2.2 which is quite old at this point. I
would recommend using the latest through SVN. Not only is there many
bugfixes, but also new plugins, such as iehistory that will help you
recover the IE data you want and is the one we used in class.
Also, we have full support for networking information on Windows 7
x64, you just have to use the netscan plugin and not the others
(sockets, sockscan, etc.).
Do you have any other acquisition tools you can use or are your
machines virtualized?
On Wed, Oct 23, 2013 at 9:21 AM, Boudewijn Ector
<boudewijn(a)boudewijnector.nl> wrote:
Hi guys,
Currently I've got a sample of an infected win7 machine with enough
memory (8gb) which is not being used by anything except for 'the
malware' (no running office etc) so quite a lot of stuff should not
have been swapped out of memory yet.
Strangely, I can't dump the process:
; vol.py -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
--dump-dir results/4932.bin
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
Okay so it might be not in memory anymore... fine. So let's scan for
network activity using connscan.
This does not yield any results either.... just like svcscan.
Also the image is very very slow... on a regular machine (core i5 2400,
20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
Also malfind mentions :
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
Psxview says al processes are like this:
0x000000021a841060 <PROCESSNAME> 6640 False True False
False False
Isn't that just weird? (yes it's because psscan is the only module being
able to retrieve data from memory... but isn't that strange)
This makes me presume my memory images are broken. My collaegue
probably (!) used winpmem -f for doing this. What's the best way to
create a memory image on a windows7 x64 box without having admin? (these
boxes are remotely managed and it takes a looooot of time to make sure
an admin will do something).
Or is this just perfectly normal behaviour and is win7x64 just being
badly supported by volatility? (I know the networkbased plugins don't
work but that's okay... it's being mentioned in the docs)
Furthermore: during our recent volatility training (in amsterdam), we
used a plugin for getting data from internet explorer history. I had a
look online and didn't find it, is it non-public?
Cheers,
Boudewijn Ector
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:37 a.m.
You must have admin in order to acquire memory... How did you manage
to get a sample without having admin? If you have a virtualized
environment then you can acquire the memory from outside the machine
without having admin privileges on the acquired machine, however
(vmsn/vmss on esx for example).
On Wed, Oct 23, 2013 at 11:30 AM, Andrew Case <atcuno(a)gmail.com> wrote:
Nice to hear from someone from our class =)
A few things about your post...
8GB on x64 is where several acquisition tools seem to break, so it is
may be that and your output seems to indicate so.
Also, you are using Volatility 2.2 which is quite old at this point. I
would recommend using the latest through SVN. Not only is there many
bugfixes, but also new plugins, such as iehistory that will help you
recover the IE data you want and is the one we used in class.
Also, we have full support for networking information on Windows 7
x64, you just have to use the netscan plugin and not the others
(sockets, sockscan, etc.).
Do you have any other acquisition tools you can use or are your
machines virtualized?
On Wed, Oct 23, 2013 at 9:21 AM, Boudewijn Ector
<boudewijn(a)boudewijnector.nl> wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Hi guys,
Currently I've got a sample of an infected win7 machine with enough
memory (8gb) which is not being used by anything except for 'the
malware' (no running office etc) so quite a lot of stuff should not
have been swapped out of memory yet.
Strangely, I can't dump the process:
; vol.py -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
--dump-dir results/4932.bin
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
Okay so it might be not in memory anymore... fine. So let's scan for
network activity using connscan.
This does not yield any results either.... just like svcscan.
Also the image is very very slow... on a regular machine (core i5 2400,
20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
Also malfind mentions :
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x05140000, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
WARNING : volatility.obj : NoneObject as string: Invalid Address
0x21A4C320A, instantiating _MMADDRESS_NODE
Psxview says al processes are like this:
0x000000021a841060 <PROCESSNAME> 6640 False True False
False False
Isn't that just weird? (yes it's because psscan is the only module being
able to retrieve data from memory... but isn't that strange)
This makes me presume my memory images are broken. My collaegue
probably (!) used winpmem -f for doing this. What's the best way to
create a memory image on a windows7 x64 box without having admin? (these
boxes are remotely managed and it takes a looooot of time to make sure
an admin will do something).
Or is this just perfectly normal behaviour and is win7x64 just being
badly supported by volatility? (I know the networkbased plugins don't
work but that's okay... it's being mentioned in the docs)
Furthermore: during our recent volatility training (in amsterdam), we
used a plugin for getting data from internet explorer history. I had a
look online and didn't find it, is it non-public?
Cheers,
Boudewijn Ector
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4040
days inactive
4040
days old
vol-users@lists.volatilityfoundation.org
3 comments
4 participants
participants (4)
-
Andrew Case -
Boudewijn Ector -
Jamie Levy -
Michael Hale Ligh