Hi Andrew
Thanks for the response and great explanation. If possible, can you advise
when you have released the plugin, either on or off list, as it sounds
good.
Thanks again
Ben
On Wed, Jul 31, 2013 at 5:42 PM, Andrew White <awhite.au(a)gmail.com> wrote:
Hi Ben,
Process Explorer only verifies the signature of the image on disk, not in
memory. As these signatures are not generated on a per-page basis, it is
not possible to use them to verify code in memory.
I plan on releasing a prototype plugin that validates in-memory code on
Windows next week, alongside my presentation at DFRWS. This is not achieved
using the existing digital signatures, however, but with hashes built from
Windows executables.
I hope this answers your question.
Regards,
Andrew White
On Tue, Jul 30, 2013 at 12:46 PM, sockify <sockify(a)gmail.com> wrote:
I meant Process Explorer and the "verified signer" feature.
On Tue, Jul 30, 2013 at 8:43 PM, sockify <sockify(a)gmail.com> wrote:
Hi All
Apologies if this has been addressed already, but I can't find it in the
archives. Is Volatility able to verify image signatures similar to how
Process Monitor can? I suspect the answer is no, as it's not a live system and
may not be running under Windows. None of the plugins seem to be able to do
this from what I can see; I just want to check I'm not missing something.
Cheers
Ben
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
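An added example, not part of the thread and not Andrew's plugin or any Volatility code, illustrating the distinction in Andrew's reply: a digital signature covers one hash of the whole file, so it is all-or-nothing and useless once a page is missing or relocated, whereas hashes built per page from the on-disk executable can be checked against whichever pages are actually resident in a memory image and can point at the page an inline hook landed in. The code assumes a 4 KiB page size, builds a constructed stand-in for a .text section instead of parsing a real Windows binary, and ignores relocations and import resolution, which a real checker would have to normalize before comparing (relocated pointers legitimately differ from the bytes on disk).

```python
import hashlib

PAGE_SIZE = 4096  # assumption: the small page size on x86/x64 Windows


def file_hash(data: bytes) -> str:
    """Whole-image hash: the granularity a file signature covers.
    Any single changed byte, or any page that is not resident in the
    memory image, makes this comparison impossible or meaningless."""
    return hashlib.sha256(data).hexdigest()


def page_hashes(code: bytes, page_size: int = PAGE_SIZE) -> list:
    """Hash every page of a code section independently, the way a
    whitelist built from the on-disk executable would be constructed."""
    return [hashlib.sha256(code[off:off + page_size]).hexdigest()
            for off in range(0, len(code), page_size)]


def verify_pages(reference: list, memory: bytes, resident: set,
                 page_size: int = PAGE_SIZE) -> dict:
    """Compare each resident page of the in-memory section with the
    per-page reference hashes.

    reference -- output of page_hashes() over the on-disk section
    memory    -- the same section as recovered from the memory image
    resident  -- indices of pages that were present in the dump; paged-out
                 pages cannot be checked, so they are reported, not failed
    """
    result = {"ok": [], "modified": [], "unavailable": []}
    for idx, expected in enumerate(reference):
        if idx not in resident:
            result["unavailable"].append(idx)
            continue
        page = memory[idx * page_size:(idx + 1) * page_size]
        if hashlib.sha256(page).hexdigest() == expected:
            result["ok"].append(idx)
        else:
            result["modified"].append(idx)
    return result


def synthetic_section(n_pages: int, seed: bytes = b"example") -> bytes:
    """Constructed stand-in for a .text section: deterministic
    pseudo-random bytes, not a real Windows binary."""
    out = bytearray()
    block = seed
    while len(out) < n_pages * PAGE_SIZE:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n_pages * PAGE_SIZE])


def inline_hook(code: bytes, offset: int, target: int) -> bytes:
    """Overwrite five bytes at a section-relative offset with a relative
    JMP (E9 rel32), the shape of a typical inline hook."""
    rel = (target - (offset + 5)) & 0xFFFFFFFF
    patched = bytearray(code)
    patched[offset:offset + 5] = b"\xe9" + rel.to_bytes(4, "little")
    return bytes(patched)


def demo() -> dict:
    """Build the reference from the 'on-disk' copy, then check a memory
    copy where page 2 carries a hook and page 1 was paged out."""
    on_disk = synthetic_section(4)
    reference = page_hashes(on_disk)
    in_memory = inline_hook(on_disk, 2 * PAGE_SIZE + 0x10, 3 * PAGE_SIZE)
    resident = {0, 2, 3}
    return verify_pages(reference, in_memory, resident)


if __name__ == "__main__":
    print(demo())
```

The whole-file hash of the hooked copy differs from the on-disk one but says nothing about where the change is, and it could not be computed at all with page 1 absent; the per-page check still verifies pages 0 and 3, flags page 2, and reports page 1 as unverifiable rather than silently passing or failing it.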