Posts

Showing posts from July, 2015

Malware Analysis Using Volatility - Part 4

THE MALICIOUS INTELLIGENCE FROM BEHIND THE INSTRUCTION CODES AND THE ARTIFACTS IN MEMORY

Classical Windows attack vectors:
➡ Exploiting registry keys: hijacking the system's autorun properties so the code runs even without the user clicking on "autostart".
➡ Exploiting DLL injection
➡ Exploiting services
➡ Exploiting .exe (lsass.exe, explorer.exe)
➡ Exploiting atom tables
➡ Creating names using ASLR

Windows Graphical User Interface:
➡ Windows controls memory usage and access to shared resources between processes and threads through a kernel mechanism; this approach is called a synchronization object (a mutex appears in kernel memory as a mutant object).
➡ When a new process is created (with its threads and handles), ownership of a mutant object is negotiated to give access to avail...

Malware Analysis Using Volatility - Part 3

NEFARIOUS ACTIONS UNDER THE WINDOWS ARCHITECTURE

Dlllist plugin
Since malware can unlink, rename, or substitute the libraries of a system (Windows, for example), we are interested in investigating a malware infection at the library (DLL) level. The first task is the analysis of suspicious DLLs, because malware often does not run as its own process but as a DLL loaded into a legitimate one. We can use the command
vol.exe dlllist --profile=WinXPSP3x86 -f stuxnet.vmem

Dlllist plugin -p flag
The output lists the DLLs loaded by every process on the machine. Since that is a lot of output to read, our task is to investigate a specific process. We will use this command:
vol.exe dlllist --profile=WinXPSP3x86 -p 1928 -f stuxnet.vmem
And we can see the output for this specific process only. We can obtain the same output by addressing the process by the physical offset of its EPROCESS structure instead of its PID:
vol.exe dlllist --profile=WinXPSP3x86 --offset=0x01e47c00 -f stuxnet.vmem

Malfind plugin
Another Volatility plugin that we can use when we are searching for the MZ signature of an injected executable is malfind. If you want ...
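The two checks the Part 3 summary describes, triaging a process's dlllist output for libraries loaded from untrusted paths and recognising the MZ/PE header that malfind hits are inspected for, as an added example that is not code from the original post or from Volatility. The dlllist text, the process name and pid, the offsets and the suspicious path are all constructed to resemble Volatility 2 output; the trusted-directory list is an assumption you would tune for the image under analysis.

```python
"""Triage helpers for Volatility 2 `dlllist` output and `malfind` hits.

Added example, not from the original post. Everything below operates on
text and bytes, so it runs without Volatility or a memory image.
"""
import re
import struct

# CONSTRUCTED sample resembling `vol.py --profile=WinXPSP3x86 -f <image> dlllist -p <pid>`.
# Process name, pid, base addresses and the last (suspicious) path are made up.
SAMPLE_DLLLIST = """\
Volatility Foundation Volatility Framework 2.6
************************************************************************
lsass.exe pid:   1928
Command line : C:\\WINDOWS\\system32\\lsass.exe
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\\WINDOWS\\system32\\lsass.exe
0x7c900000    0xb2000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000    0xf6000     0xffff C:\\WINDOWS\\system32\\kernel32.dll
0x00870000    0x18000        0x1 C:\\WINDOWS\\Temp\\payload.dll
"""

# One module row: three hex columns followed by the path.
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")

# ASSUMPTION: directories a legitimate XP process is expected to load from.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
)


def parse_dlllist(text):
    """Parse dlllist text into dicts with base, size, loadcount and path."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({
                "base": int(m.group(1), 16),
                "size": int(m.group(2), 16),
                "loadcount": int(m.group(3), 16),
                "path": m.group(4),
            })
    return rows


def flag_untrusted(rows, trusted=TRUSTED_DIRS):
    """Return modules whose path is outside the trusted directories."""
    return [r for r in rows if not r["path"].lower().startswith(trusted)]


def looks_like_pe(buf):
    """True when buf starts with an MZ header whose e_lfanew points at 'PE\\0\\0'.

    This is the check done by hand on a malfind hexdump: an injected DLL or
    EXE starts with MZ, while injected shellcode usually does not.
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 4 > len(buf):
        return False
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_min_pe_header():
    """CONSTRUCTED: 0x40-byte DOS header with e_lfanew = 0x40, then the PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0"
    return bytes(hdr)


PE_SAMPLE = build_min_pe_header()
# CONSTRUCTED: function-prologue bytes padded with NOPs, i.e. no MZ header.
NOT_PE_SAMPLE = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 58


if __name__ == "__main__":
    for mod in flag_untrusted(parse_dlllist(SAMPLE_DLLLIST)):
        print("untrusted module at 0x%08x: %s" % (mod["base"], mod["path"]))
    print("PE_SAMPLE is PE:", looks_like_pe(PE_SAMPLE))
    print("NOT_PE_SAMPLE is PE:", looks_like_pe(NOT_PE_SAMPLE))
```

A module that fails the path check is a lead, not a verdict: dump it with dlldump and examine it. The converse also holds for malfind: a hit without an MZ header is not cleared, since injected shellcode or a DLL whose header was wiped after loading will fail `looks_like_pe` and still be malicious.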