unixfreaxjp

#Malware memory Analysis w/ Volatility (#Tips)

Apr 23rd, 2012
root@remnux:~/unixfreaxjp# uname -a; date
Linux remnux 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
Mon Apr 23 09:24:54 EDT 2012

# This is my private note for testing Remnux 3.0's Volatility.
# Feel free to take a look for your reference too; hope it will
# be helpful. - unixfreaxjp -

/* The session below took the memory snapshot of the RAT box
 * with win32dd */
=============================================================
C:\>win32dd /f ./test.dmp
=============================================================
win32dd - 1.3.1.20100417 - (Community Edition)
Kernel land physical memory acquisition
Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>

Name Value
---- -----
File type: Raw memory dump file
Acquisition method: PFN Mapping
Content: Memory manager physical memory block

Destination path: ./test.dmp

O.S. Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)
Computer name: UNIXFREAXJP-RAT

Physical memory in use: 58%
Physical memory size: 776624 Kb ( 758 Mb)
Physical memory available: 323368 Kb ( 315 Mb)

Paging file size: 1758228 Kb ( 1717 Mb)
Paging file available: 1357412 Kb ( 1325 Mb)

Virtual memory size: 2097024 Kb ( 2047 Mb)
Virtual memory available: 2082668 Kb ( 2033 Mb)

Extented memory available: 0 Kb ( 0 Mb)

Physical page size: 4096 bytes
Minimum physical address: 0x0000000000002000
Maximum physical address: 0x000000002F6DF000

Address space size: 795738112 bytes ( 777088 Kb)

--> Are you sure you want to continue? [y/n] y

Acquisition started at: [23/4/2012 (DD/MM/YYYY) 11:13:7 (UTC)]

Processing....Done.

Acquisition finished at: [2012-04-23 (YYYY-MM-DD) 11:14:15 (UTC)]
Time elapsed: 1:08 minutes:seconds (68 secs)

Created file size: 795738112 bytes ( 758 Mb)

NtStatus (troubleshooting): 0x00000000
Total of written pages: 194173
Total of inacessible pages: 0
Total of accessible pages: 194173

Physical memory in use: 58%
Physical memory size: 776624 Kb ( 758 Mb)
Physical memory available: 319472 Kb ( 311 Mb)

Paging file size: 1758228 Kb ( 1717 Mb)
Paging file available: 1353564 Kb ( 1321 Mb)

Virtual memory size: 2097024 Kb ( 2047 Mb)
Virtual memory available: 2082668 Kb ( 2033 Mb)

Extented memory available: 0 Kb ( 0 Mb)

Physical page size: 4096 bytes
Minimum physical address: 0x0000000000002000
Maximum physical address: 0x000000002F6DF000

Address space size: 795738112 bytes ( 777088 Kb)



/* Volatility */


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp imageinfo
=============================================================
Determining profile based on KDBG search...

Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/media/linux/home/unixfreaxjp/test.dmp)
PAE type : No PAE
DTB : 0x39000
KDBG : 0x805407e0L
KPCR : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-04-23 11:13:07
Image local date and time : 2012-04-23 11:13:07
Number of Processors : 1
Image Type : Service Pack 1
root@remnux:~/unixfreaxjp#


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pslist -P
=============================================================
Offset(P) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x037c87c8 System 4 0 56 295 1970-01-01 00:00:00
0x035d2998 smss.exe 640 4 3 21 2012-04-23 07:07:52
0x035efda8 csrss.exe 696 640 13 497 2012-04-23 07:07:57
0x035ccda8 winlogon.exe 720 640 19 516 2012-04-23 07:08:00
0x030bada8 services.exe 764 720 16 298 2012-04-23 07:08:05
0x030f3ba0 lsass.exe 776 720 19 325 2012-04-23 07:08:05
0x030a8998 ibmpmsvc.exe 920 764 4 36 2012-04-23 07:08:09
0x03096998 svchost.exe 1000 764 11 237 2012-04-23 07:08:26
0x03046380 svchost.exe 1036 764 86 1351 2012-04-23 07:08:27
0x0303cda8 ACS.EXE 1164 764 15 188 2012-04-23 07:08:27
0x03025380 svchost.exe 1296 764 8 86 2012-04-23 07:08:33
0x03021bb0 svchost.exe 1352 764 19 156 2012-04-23 07:08:35
0x032e1da8 spoolsv.exe 1728 764 16 196 2012-04-23 07:08:39
0x032dcba0 rrpcsb.exe 1844 764 4 103 2012-04-23 07:08:40
0x03267da8 python.exe 148 1844 0 ------ 2012-04-23 07:08:43
0x0326cda8 conime.exe 212 148 1 34 2012-04-23 07:08:44
0x032c7958 PGPserv.exe 292 764 6 111 2012-04-23 07:08:46
0x032629e8 QCONSVC.EXE 416 764 3 55 2012-04-23 07:08:48
0x032c2da8 svchost.exe 472 764 5 108 2012-04-23 07:08:48
0x0325d958 wdfmgr.exe 492 764 4 58 2012-04-23 07:08:48
0x02e7b348 python.exe 1096 1844 0 ------ 2012-04-23 07:08:51
0x0304f020 CAPRPCSK.EXE 1608 1728 1 15 2012-04-23 07:10:40
0x032ae9c0 CAPPSWK.EXE 1624 1728 0 ------ 2012-04-23 07:10:40
0x03747668 CAPPSWK.EXE 1896 1624 3 83 2012-04-23 07:10:42
0x02e79b30 rbmonitor.exe 1936 1036 7 195 2012-04-23 07:19:57
0x03118020 explorer.exe 1464 1156 13 783 2012-04-23 07:19:58
0x02e829b8 tp4serv.exe 1584 1464 3 41 2012-04-23 07:20:09
0x03074020 igfxtray.exe 1620 1464 1 68 2012-04-23 07:20:09
0x03247470 hkcmd.exe 312 1464 2 76 2012-04-23 07:20:10
0x03053020 TpShocks.exe 1056 1464 2 36 2012-04-23 07:20:11
0x036e0da8 TPHKMGR.exe 608 1464 5 120 2012-04-23 07:20:12
0x02e449a0 rundll32.exe 1292 1464 2 35 2012-04-23 07:20:12
0x03261020 TPONSCR.exe 1104 608 1 28 2012-04-23 07:20:14
0x0301d818 TpScrex.exe 1184 608 1 28 2012-04-23 07:20:14
0x02e71570 ibmprc.exe 1144 1464 2 27 2012-04-23 07:20:14
0x036d0598 rundll32.exe 1188 1464 1 45 2012-04-23 07:20:14
0x036d4020 ctfmon.exe 2020 1464 1 56 2012-04-23 07:20:18
0x02e379b8 WDSM.exe 180 1464 1 103 2012-04-23 07:20:19
0x03211818 Maruo.exe 2252 1464 1 28 2012-04-23 07:20:33
0x032dbc58 Maruo.exe 2348 2252 1 31 2012-04-23 07:20:38
0x031d15a0 firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
0x031ec020 putty.exe 2356 1464 5 87 2012-04-23 11:02:04
0x02c54020 Maruo.exe 2360 1464 1 74 2012-04-23 11:05:23
0x031c49c8 cmd.exe 3408 1464 1 20 2012-04-23 11:07:23
0x02c74020 win32dd.exe 3372 3408 1 23 2012-04-23 11:12:54

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pstree
=============================================================
Name Pid PPid Thds Hnds Time
0x83BC87C8:System 4 0 56 295 1970-01-01 00:00:00
. 0x839D2998:smss.exe 640 4 3 21 2012-04-23 07:07:52
.. 0x839EFDA8:csrss.exe 696 640 13 497 2012-04-23 07:07:57
.. 0x839CCDA8:winlogon.exe 720 640 19 516 2012-04-23 07:08:00
... 0x834F3BA0:lsass.exe 776 720 19 325 2012-04-23 07:08:05
... 0x834BADA8:services.exe 764 720 16 298 2012-04-23 07:08:05
.... 0x8343CDA8:ACS.EXE 1164 764 15 188 2012-04-23 07:08:27
.... 0x83425380:svchost.exe 1296 764 8 86 2012-04-23 07:08:33
.... 0x834A8998:ibmpmsvc.exe 920 764 4 36 2012-04-23 07:08:09
.... 0x836629E8:QCONSVC.EXE 416 764 3 55 2012-04-23 07:08:48
.... 0x836C7958:PGPserv.exe 292 764 6 111 2012-04-23 07:08:46
.... 0x836DCBA0:rrpcsb.exe 1844 764 4 103 2012-04-23 07:08:40
..... 0x83667DA8:python.exe 148 1844 0 ------ 2012-04-23 07:08:43
...... 0x8366CDA8:conime.exe 212 148 1 34 2012-04-23 07:08:44
..... 0x8327B348:python.exe 1096 1844 0 ------ 2012-04-23 07:08:51
.... 0x836E1DA8:spoolsv.exe 1728 764 16 196 2012-04-23 07:08:39
..... 0x836AE9C0:CAPPSWK.EXE 1624 1728 0 ------ 2012-04-23 07:10:40
...... 0x83B47668:CAPPSWK.EXE 1896 1624 3 83 2012-04-23 07:10:42
..... 0x8344F020:CAPRPCSK.EXE 1608 1728 1 15 2012-04-23 07:10:40
.... 0x83421BB0:svchost.exe 1352 764 19 156 2012-04-23 07:08:35
.... 0x83446380:svchost.exe 1036 764 86 1351 2012-04-23 07:08:27
..... 0x83279B30:rbmonitor.exe 1936 1036 7 195 2012-04-23 07:19:57
.... 0x836C2DA8:svchost.exe 472 764 5 108 2012-04-23 07:08:48
.... 0x83496998:svchost.exe 1000 764 11 237 2012-04-23 07:08:26
.... 0x8365D958:wdfmgr.exe 492 764 4 58 2012-04-23 07:08:48
0x83518020:explorer.exe 1464 1156 13 783 2012-04-23 07:19:58
. 0x832449A0:rundll32.exe 1292 1464 2 35 2012-04-23 07:20:12
. 0x83647470:hkcmd.exe 312 1464 2 76 2012-04-23 07:20:10
. 0x832829B8:tp4serv.exe 1584 1464 3 41 2012-04-23 07:20:09
. 0x832379B8:WDSM.exe 180 1464 1 103 2012-04-23 07:20:19
. 0x835D15A0:firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
. 0x83453020:TpShocks.exe 1056 1464 2 36 2012-04-23 07:20:11
. 0x83611818:Maruo.exe 2252 1464 1 28 2012-04-23 07:20:33
.. 0x836DBC58:Maruo.exe 2348 2252 1 31 2012-04-23 07:20:38
. 0x83AD0598:rundll32.exe 1188 1464 1 45 2012-04-23 07:20:14
. 0x83054020:Maruo.exe 2360 1464 1 74 2012-04-23 11:05:23
. 0x83AE0DA8:TPHKMGR.exe 608 1464 5 120 2012-04-23 07:20:12
.. 0x83661020:TPONSCR.exe 1104 608 1 28 2012-04-23 07:20:14
.. 0x8341D818:TpScrex.exe 1184 608 1 28 2012-04-23 07:20:14
. 0x83AD4020:ctfmon.exe 2020 1464 1 56 2012-04-23 07:20:18
. 0x835C49C8:cmd.exe 3408 1464 1 20 2012-04-23 11:07:23
.. 0x83074020:win32dd.exe 3372 3408 1 23 2012-04-23 11:12:54
. 0x835EC020:putty.exe 2356 1464 5 87 2012-04-23 11:02:04
. 0x83271570:ibmprc.exe 1144 1464 2 27 2012-04-23 07:20:14
. 0x83474020:igfxtray.exe 1620 1464 1 68 2012-04-23 07:20:09


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 dlllist
=============================================================
:
:
cmd.exe pid: 3408
Command line : "C:\WINDOWS\system32\cmd.exe"
Service Pack 1

Base Size Path
0x4ad00000 0x076000 C:\WINDOWS\system32\cmd.exe
0x77f50000 0x0a7000 C:\WINDOWS\System32\ntdll.dll
0x77e20000 0x124000 C:\WINDOWS\system32\kernel32.dll
0x77bc0000 0x053000 C:\WINDOWS\system32\msvcrt.dll
0x77cf0000 0x08c000 C:\WINDOWS\system32\USER32.dll
0x7f000000 0x042000 C:\WINDOWS\system32\GDI32.dll
0x77d80000 0x09b000 C:\WINDOWS\system32\ADVAPI32.dll
0x78000000 0x087000 C:\WINDOWS\system32\RPCRT4.dll
0x762e0000 0x01c000 C:\WINDOWS\System32\IMM32.DLL
0x60740000 0x008000 C:\WINDOWS\system32\LPK.DLL
0x72ef0000 0x05a000 C:\WINDOWS\system32\USP10.dll
0x10000000 0x00d000 C:\WINDOWS\system32\OCMAPIHK.DLL
0x75e90000 0x01e000 C:\WINDOWS\system32\Apphelp.dll
************************************************************************
win32dd.exe pid: 3372
Command line : win32dd /f ./test.dmp
Service Pack 1

Base Size Path
0x00400000 0x01a000 C:\transit\@@DEV\@@@ANALYST\moonsols\win32dd.exe
0x77f50000 0x0a7000 C:\WINDOWS\System32\ntdll.dll
0x77e20000 0x124000 C:\WINDOWS\system32\kernel32.dll
0x77cf0000 0x08c000 C:\WINDOWS\system32\USER32.dll
0x7f000000 0x042000 C:\WINDOWS\system32\GDI32.dll
0x77d80000 0x09b000 C:\WINDOWS\system32\ADVAPI32.dll
0x78000000 0x087000 C:\WINDOWS\system32\RPCRT4.dll
0x719e0000 0x014000 C:\WINDOWS\System32\WS2_32.dll
0x77bc0000 0x053000 C:\WINDOWS\system32\msvcrt.dll
0x719d0000 0x008000 C:\WINDOWS\System32\WS2HELP.dll
0x74a10000 0x007000 C:\WINDOWS\System32\POWRPROF.dll
0x762e0000 0x01c000 C:\WINDOWS\System32\IMM32.DLL
0x60740000 0x008000 C:\WINDOWS\System32\LPK.DLL
0x72ef0000 0x05a000 C:\WINDOWS\System32\USP10.dll
0x10000000 0x00d000 C:\WINDOWS\System32\OCMAPIHK.DLL


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connections -P
=============================================================
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
root@remnux:~/unixfreaxjp#

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockets -P
=============================================================
Offset(P) PID Port Proto Address Create Time
---------- ------ ------ ------------------- -------------- --------------------------


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockscan
=============================================================
Offset PID Port Proto Address Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0x0b3b7be4 945014 17774 25185 - 116.105.111.110 -


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connscan
=============================================================
Offset Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x02c36008 192.168.7.2:1473 173.194.38.106:80 3916
0x02c582a8 192.168.7.2:1234 173.194.38.97:80 45219846
0x02e1fae0 192.168.7.2:1268 173.194.38.102:443 3916
0x02e22aa0 192.168.7.2:1126 199.59.148.87:443 3916
0x02e3c9d0 192.168.7.2:1201 173.236.192.217:80 3916
0x02e53838 192.168.7.2:1408 192.168.7.1:22 2356
0x02efc008 192.168.7.2:1186 74.125.235.133:443 3916
0x02f71008 192.168.7.2:1471 207.171.189.80:80 3916
0x02f9d008 192.168.7.2:1460 199.59.150.41:443 3916
0x02fc0008 192.168.7.2:1470 207.171.189.80:80 3916
0x0301f1c8 192.168.7.2:1480 199.59.150.9:443 3916
0x030e1e08 127.0.0.1:1085 127.0.0.1:1087 3916
0x0316ee60 192.168.7.2:1457 74.125.235.145:443 3916
0x03175ac0 192.168.7.2:1477 199.59.150.41:443 3916
0x031dd958 0.0.0.0:55919 0.0.0.0:21157 34056384
0x032781c8 192.168.7.2:1454 173.194.38.118:443 3916
0x0328fc20 192.168.7.2:1479 173.194.38.118:443 3916
0x032a3bf0 127.0.0.1:1087 127.0.0.1:1085 3916


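The connscan and sockscan rows above with PIDs like 45219846, 34056384 and 945014, a "protocol" of 25185 and no create time are what pool-scanning false positives look like: the scanner matched bytes that were never a live _TCPT_OBJECT or _ADDRESS_OBJECT (the 116.105.111.110 "address" even spells out the ASCII text "tion"). The rows that carry a real PID (3916 firefox.exe, 2356 putty.exe to the SSH box) are the ones worth reading. The script below is an added example, not part of this note or of Volatility: it embeds an excerpt of the pslist rows and the scan rows copied from the output above, cross-checks each hit against the pslist PID set, and sanity-checks the fields. The 65535 PID ceiling and the protocol set are triage heuristics chosen here, not Windows limits.

```python
import re

# Excerpt of the pslist -P rows above (the PIDs the scanners referenced plus a few more).
PSLIST_EXCERPT = """\
0x037c87c8 System 4 0 56 295 1970-01-01 00:00:00
0x035d2998 smss.exe 640 4 3 21 2012-04-23 07:07:52
0x03118020 explorer.exe 1464 1156 13 783 2012-04-23 07:19:58
0x031d15a0 firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
0x031ec020 putty.exe 2356 1464 5 87 2012-04-23 11:02:04
0x02c74020 win32dd.exe 3372 3408 1 23 2012-04-23 11:12:54
"""
# Rows copied from the connscan and sockscan output above.
CONNSCAN = """\
0x02c36008 192.168.7.2:1473 173.194.38.106:80 3916
0x02c582a8 192.168.7.2:1234 173.194.38.97:80 45219846
0x02e53838 192.168.7.2:1408 192.168.7.1:22 2356
0x031dd958 0.0.0.0:55919 0.0.0.0:21157 34056384
0x030e1e08 127.0.0.1:1085 127.0.0.1:1087 3916
"""
SOCKSCAN = "0x0b3b7be4 945014 17774 25185 - 116.105.111.110 -\n"

PSLIST_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s")
CONN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$")
# sockscan columns: offset, pid, port, proto number, proto name, address, create time
SOCK_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

MAX_PID = 65535         # triage threshold chosen for this example, not a Windows limit
KNOWN_PROTOS = {1, 6, 17}  # ICMP, TCP, UDP: the values a real XP socket object carries


def parse_pslist(text):
    """Map PID -> process name from pslist rows."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line.strip())
        if m:
            procs[int(m.group(3))] = m.group(2)
    return procs


def ascii_octets(addr):
    """Return the dotted quad as text if every octet is a printable ASCII byte, else None.
    An 'address' that spells a word usually means the scanner hit string data."""
    try:
        octets = [int(x) for x in addr.split(".")]
    except ValueError:
        return None
    if len(octets) == 4 and all(0x20 <= o < 0x7F for o in octets):
        return "".join(chr(o) for o in octets)
    return None


def pid_reasons(pid, procs):
    if pid > MAX_PID:
        return ["pid %d implausibly large" % pid]
    if pid not in procs:
        return ["pid %d not in pslist (exited process or false positive)" % pid]
    return []


def triage_connscan(text, procs):
    """Annotate each connscan row with its owner (if any) and the reasons it looks bogus."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        offset, laddr, lport, raddr, rport, pid = m.groups()
        pid = int(pid)
        reasons = pid_reasons(pid, procs)
        if int(lport) > 65535 or int(rport) > 65535:
            reasons.append("port out of range")
        rows.append({"offset": offset, "pid": pid, "owner": procs.get(pid),
                     "remote": "%s:%s" % (raddr, rport), "reasons": reasons})
    return rows


def triage_sockscan(text, procs):
    """Same idea for sockscan rows, plus protocol, create-time and ASCII-address checks."""
    rows = []
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m:
            continue
        offset, pid, port, proto, _name, addr, ctime = m.groups()
        pid, port, proto = int(pid), int(port), int(proto)
        reasons = pid_reasons(pid, procs)
        if proto not in KNOWN_PROTOS:
            reasons.append("protocol %d is not a socket protocol" % proto)
        if port > 65535:
            reasons.append("port out of range")
        word = ascii_octets(addr)
        if word:
            reasons.append("address octets decode to ASCII %r" % word)
        if ctime.strip() in ("", "-"):
            reasons.append("no create time")
        rows.append({"offset": offset, "pid": pid, "owner": procs.get(pid), "reasons": reasons})
    return rows


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_EXCERPT)
    for row in triage_connscan(CONNSCAN, procs) + triage_sockscan(SOCKSCAN, procs):
        print(row["offset"], row["pid"], row["owner"], "; ".join(row["reasons"]) or "ok")
```

A hit whose PID is simply missing from pslist can still be genuine (a _TCPT_OBJECT left over from a process that has since exited), so the script records the reason instead of dropping the row; what it actually rules out here are rows whose PID, protocol or address bytes could never belong to a live object.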
=============================================================
root@remnux:~/unixfreaxjp# mkdir dumpdir
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 procmemdump -p3916 -D./dumpdir
=============================================================
************************************************************************
Dumping firefox.exe, pid: 3916 output: executable.3916.exe

=============================================================
root@remnux:~/unixfreaxjp# file ./dumpdir/executable.3916.exe
=============================================================
./dumpdir/executable.3916.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memdump -p1296 -D ./dumpdir
=============================================================
************************************************************************
Writing svchost.exe [ 1296] to 1296.dmp

=============================================================
root@remnux:~/unixfreaxjp# strings -a ./dumpdir/1296.dmp
=============================================================
u.;5|
SVWUj
]_^[
t.;t$$t(
VWumh
wLVWP
FVWS
:
:

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memmap
=============================================================
0x0080281000 0x0000281000 0x000000001000
0x0080282000 0x0000282000 0x000000001000
0x0080283000 0x0000283000 0x000000001000
0x0080284000 0x0000284000 0x000000001000
0x0080285000 0x0000285000 0x000000001000
:
:

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 volshell
=============================================================
Current context: process System, pid=4, ppid=0 DTB=0x39000
Welcome to volshell! Current memory image is:
file:///media/linux/home/unixfreaxjp/test.dmp
To get help, type 'hh()'
>>>
>>> hh()
ps() : Print a process listing.
cc(offset=None, pid=None, name=None) : Change current shell context.
dd(address, length=128, space=None) : Print dwords at address.
db(address, length=128, width=16, space=None) : Print bytes as canonical hexdump.
hh(cmd=None) : Get help on a command.
dt(objct, address=None) : Describe an object or show type info.
list_entry(head, objname, offset=-1, fieldname=None, forward=True) : Traverse a _LIST_ENTRY.
dis(address, length=128, space=None) : Disassemble code at a given address.

For help on a specific command, type 'hh(<command>)'



=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 malfind -D ./dumpdir/
=============================================================
Name Pid Start End Tag Hits Protect

firefox.exe 3916 0x02040000 0x2040fff0 VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: ./dumpdir/firefox.exe.31d15a0.02040000-02040fff.dmp
0x02040000 1b 6f f5 77 68 58 02 00 00 e9 12 6f f1 75 00 00 .o.whX.....o.u..
0x02040010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Disassembly:
02040000: 1b6ff5 SBB EBP, [EDI-0xb]
02040003: 7768 JA 0x204006d
02040005: 58 POP EAX
02040006: 0200 ADD AL, [EAX]
02040008: 00e9 ADD CL, CH
0204000a: 126ff1 ADC CH, [EDI-0xf]
0204000d: 7500 JNZ 0x204000f
0204000f: 0000 ADD [EAX], AL
02040011: 0000 ADD [EAX], AL
02040013: 0000 ADD [EAX], AL

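malfind flagged a private PAGE_EXECUTE_READWRITE VadS region in firefox.exe whose first bytes are neither an MZ header nor readable code when disassembled linearly from 0x02040000. Before trusting that disassembly, a cheap check is to pull the raw bytes back out of the hexdump and look for absolute pointers and rel32 jumps that land inside known module ranges. The script below is an added example, not part of this note or of Volatility: it parses the hexdump lines above, reuses the ntdll/kernel32/USER32 base and size values from the cmd.exe dlllist output (assumption: on this XP box those system DLLs are mapped at the same base in firefox.exe, which the page does not show), and reports where the E9 byte at 0x02040009 would jump if read as jmp rel32.

```python
import struct

# The first two hexdump lines of the malfind region above (the remaining lines are all zero).
MALFIND_HEXDUMP = """\
0x02040000 1b 6f f5 77 68 58 02 00 00 e9 12 6f f1 75 00 00 .o.whX.....o.u..
0x02040010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
"""

# (name, base, size) from the cmd.exe dlllist output above. Assumption: the same bases
# apply inside firefox.exe, which is normal for XP system DLLs but not shown on the page.
MODULES = [
    ("ntdll.dll", 0x77F50000, 0x0A7000),
    ("kernel32.dll", 0x77E20000, 0x124000),
    ("USER32.dll", 0x77CF0000, 0x08C000),
]


def parse_hexdump(text):
    """Rebuild the raw bytes of a Volatility hexdump; returns (start_address, bytes).
    Each row is '<addr> <16 hex bytes> <ascii column>', so the ascii column is ignored."""
    start, data = None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 17 or not tokens[0].startswith("0x"):
            continue
        if start is None:
            start = int(tokens[0], 16)
        data += bytes(int(t, 16) for t in tokens[1:17])
    return start, bytes(data)


def module_for(addr):
    """Name of the module whose range contains addr, or None."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return name
    return None


def find_rel32_jumps(start, data):
    """Treat every 0xE9 byte as 'jmp rel32' and report the target and the module it lands in.
    A plain byte scan, so unrelated E9 bytes show up too; the module column is the filter."""
    hits = []
    for i in range(len(data) - 4):
        if data[i] != 0xE9:
            continue
        rel = struct.unpack_from("<i", data, i + 1)[0]           # signed displacement
        target = (start + i + 5 + rel) & 0xFFFFFFFF              # relative to next instruction
        hits.append({"insn": start + i, "target": target, "module": module_for(target)})
    return hits


def find_module_pointers(data):
    """Aligned dwords that point into a known module (saved addresses are stored this way)."""
    ptrs = []
    for off in range(0, len(data) - 3, 4):
        value = struct.unpack_from("<I", data, off)[0]
        mod = module_for(value)
        if mod:
            ptrs.append((off, value, mod))
    return ptrs


def triage(text):
    start, data = parse_hexdump(text)
    return {
        "start": start,
        "pe": data[:2] == b"MZ",                 # injected executables usually begin with MZ
        "jumps": find_rel32_jumps(start, data),
        "pointers": find_module_pointers(data),
    }


if __name__ == "__main__":
    r = triage(MALFIND_HEXDUMP)
    print("PE header:", r["pe"])
    for j in r["jumps"]:
        print("jmp at 0x%08x -> 0x%08x (%s)" % (j["insn"], j["target"], j["module"]))
    for off, value, mod in r["pointers"]:
        print("pointer at +0x%x -> 0x%08x (%s)" % (off, value, mod))
```

Under the stated assumption the jump at 0x02040009 resolves to 0x77F56F20 inside ntdll, and the dword at offset 0 (0x77F56F1B) points into ntdll as well; read from offset 4 the bytes are push 0x258 followed by that jmp. A saved ntdll address next to a copied prologue and a jump back into ntdll is the layout of an inline-hook trampoline rather than a dropped executable, which is why the linear disassembly from 0x02040000 reads as junk. Confirm in volshell with cc(pid=3916) and dis(0x02040004), and compare the bytes at the jump target with the start of the hooked ntdll export.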
=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivescan
=============================================================
Offset (hex)
63426568 0x03c7d008
63458144 0x03c84b60
71756640 0x0446eb60
100591960 0x05fee958
115226456 0x06de3758
115443544 0x06e18758
117456904 0x07004008
200962056 0x0bfa7008
205273952 0x0c3c3b60
212844552 0x0cafc008
219321368 0x0d129418
380906336 0x16b42b60
381963104 0x16c44b60

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivelist
=============================================================
Virtual Physical Name
0xe16d6b60 0x16b42b60 \Device\HarddiskVolume1\Documents and Settings\kaspersky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe16deb60 0x16c44b60 \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT
0xe1377418 0x0d129418 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe12d3b60 0x0c3c3b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe11c4008 0x0bfa7008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1318008 0x0cafc008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1a43758 0x06e18758 \Device\HarddiskVolume1\WINDOWS\system32\config\SOFTWARE
0xe1a3a758 0x06de3758 \Device\HarddiskVolume1\WINDOWS\system32\config\DEFAULT
0xe1a41008 0x07004008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1987958 0x05fee958 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe181cb60 0x0446eb60 [no name]
0xe1036b60 0x03c84b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SYSTEM
0xe102e008 0x03c7d008 [no name]
0x8066ab1c 0x0066ab1c [no name]

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 printkey
=============================================================

Values:
----------------------------
Registry: [no name]
Key name: REGISTRY (S)
Last updated: 2012-04-23 07:07:40

Subkeys:
(S) MACHINE
(S) USER

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: S-1-5-19_Classes (S)
Last updated: 2003-02-27 12:01:19

Subkeys:
(S) Network
(S) Software

Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
Key name: SECURITY (S)
Last updated: 2012-04-23 07:07:57

Subkeys:
(S) Cache
(S) Policy
(S) RXACT
(V) SAM

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT
Key name: $$$PROTO.HIV (S)
Last updated: 2012-04-23 07:21:34

Subkeys:
(S) AppEvents
(S) Applications
(S) Console
(S) Control Panel
(S) DefaultScope
(S) Environment
(S) EUDC
(S) Identities
(S) Keyboard Layout
(S) Network
(S) NodeEventQuery
(S) pmtest
(S) Printers
(S) RemoteAccess
(S) Software
(S) UNICODE Program Groups
(S) Windows 3.1 Migration Status
(V) SessionInformation
(V) Volatile Environment

=====================
PLUGIN LISTS
=====================

apihooks [MALWARE] Find API hooks
bioskbd Reads the keyboard buffer from Real Mode memory
callbacks [MALWARE] Print system-wide notification routines
connections Print list of open connections [Windows XP Only]
connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
crashinfo Dump crash-dump information
datetime A simple example plugin that gets the date/time information from a Windows image
devicetree [MALWARE] Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp [MALWARE] Driver IRP hook detection
driverscan Scan for driver objects _DRIVER_OBJECT
evtlogs Extract Windows Event Logs (XP/2K3 only)
filescan Scan Physical memory for _FILE_OBJECT pool allocations
gdt [MALWARE] Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Scan Physical memory for _CMHIVE objects (registry hives)
idt [MALWARE] Display Interrupt Descriptor Table
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan [MALWARE] Scan a module for imports (API calls)
inspectcache Inspect the contents of a cache
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules [MALWARE] Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
malfind [MALWARE] Find hidden and injected code
memdump Dump the addressable memory for a process
memmap Print the memory map
moddump Dump a kernel driver to an executable file sample
modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules Print list of loaded modules
mutantscan Scan for mutant objects _KMUTANT
netscan Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher Patches memory based on page scans
printkey Print a registry key, and its subkeys and values
procexedump Dump a process to an executable file sample
procmemdump Dump a process to an executable memory sample
psdispscan Scan Physical memory for _EPROCESS objects based on their Dispatch Headers
pslist print all running processes by following the EPROCESS lists
psscan Scan Physical memory for _EPROCESS pool allocations
pstree Print process list as a tree
psxview [MALWARE] Find hidden processes with various process listings
registryapi A wrapper several highly used Registry functions and w/a Timeline component
sockets Print list of open sockets
sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt Display SSDT entries
ssdt_ex [MALWARE] SSDT Hook Explorer for IDA Pro (and SSDT by thread)
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan [MALWARE] Scan for Windows services
testsuite Run unit test suit using the Cache
------
ZeroDay Japan http://0day.jp
OPERATION CLEANUP JAPAN | #OCJP
Analyst: Hendunixfreaxjp ADRIAN アドリアン・ヘンドリック
Malware Researcher VT/ twitter/google: @unixfreaxjp
sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com