
Malware Analysis Using Volatility - Part 3

NEFARIOUS ACTIONS UNDER THE WINDOWS ARCHITECTURE

Dlllist plugin

Considering that malware can unlink, rename, or substitute libraries of a system (Windows, for example), we are interested in investigating a malware infection in the libraries (DLLs). The initial task is the analysis of suspicious DLLs, because malware can be hidden inside a process. We can use the command

vol.exe dlllist --profile=WinXPSP3x86 -f stuxnet.vmem

Dlllist plugin -p flag

The output shows us all DLLs loaded by every process on the machine. Since that is a lot to read through, our task is to investigate a specific process. We will use this command:

vol.exe dlllist --profile=WinXPSP3x86 -p 1928 -f stuxnet.vmem

And we can see the output for this specific process. We can obtain the same output by addressing the process by its physical offset instead of its PID:

vol.exe dlllist --profile=WinXPSP3x86 --offset=0x01e47c00 -f stuxnet.vmem
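As an added example (not part of the original post), a small Python parser for the dlllist output that flags modules loaded from outside the usual Windows system directories. The sample output below is constructed, not taken from the Stuxnet image, and the trusted-directory list is an assumption you should adapt to the system being examined.

```python
import re

# Constructed sample of Volatility 2 "dlllist -p <pid>" output (not real Stuxnet
# data); the last module is a made-up DLL loaded from a user-writable directory.
SAMPLE_DLLLIST = """\
************************************************************************
lsass.exe pid:   1928
Command line : "C:\\WINDOWS\\system32\\lsass.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\\WINDOWS\\system32\\lsass.exe
0x7c900000    0xb2000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000    0xf6000     0xffff C:\\WINDOWS\\system32\\kernel32.dll
0x10000000    0x12000        0x1 C:\\WINDOWS\\Temp\\helper.dll
"""

# Directories a Windows XP process is normally expected to load code from
# (assumed list, lower-cased for comparison).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "\\systemroot\\system32\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
)

# One module line: base, size, load count, then the path (which may contain spaces).
MODULE_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$", re.IGNORECASE
)


def parse_dlllist(text):
    """Return a list of (base, size, loadcount, path) tuples from dlllist output."""
    modules = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            base, size, count, path = m.groups()
            modules.append((int(base, 16), int(size, 16), int(count, 16), path))
    return modules


def suspicious_modules(modules):
    """Return the paths loaded from outside TRUSTED_PREFIXES. This is a triage
    heuristic: such a module deserves a closer look, it is not proof of infection."""
    return [path for _b, _s, _c, path in modules
            if not path.lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for path in suspicious_modules(parse_dlllist(SAMPLE_DLLLIST)):
        print("review:", path)
```

In practice you would pipe the real plugin output into `parse_dlllist` instead of the constructed sample.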

Malfind plugin

Another Volatility plugin that we can use when we are searching for an MZ signature (a PE image hidden in process memory) is malfind. If you want to analyze each process, type this command:

vol.exe malfind --profile=WinXPSP3x86 -f stuxnet.vmem | more

Or, since we suspect a particular process, we can use this plugin with the -p flag:

vol.exe malfind --profile=WinXPSP3x86 -p 1928 -f stuxnet.vmem

Handles plugin

To see the mutant/mutex (mutual exclusion) objects of a process, on which a thread waits until the object is signaled, we use the handles plugin with the -t Mutant filter. According to Microsoft: “to prevent two threads from writing to shared memory at the same time, each thread waits for ownership of a mutex object before executing the code that accesses the memory. After writing to the shared memory, the thread releases the mutex object.”

vol.exe handles --profile=WinXPSP3x86 -t Mutant -p 1928 -s -f stuxnet.vmem

Vaddump plugin (be careful!)

To obtain the VAD segments of a process we use the vaddump plugin (please take care).

vol.exe vaddump --profile=WinXPSP3x86 -p 868 -D vad -f stuxnet.vmem

In this example, “vad” is my output directory.

Vadtree plugin

We can also extract the VAD tree as a graph (Graphviz dot output):

vol.exe vadtree --profile=WinXPSP3x86 --output=dot --output-file=grapha.dot -p 868 -f stuxnet.vmem

In the next slide, we see the vadtree of process 868 of the Stuxnet malware.

Vaddump (recommend: use Linux!)

In Kali Linux, vaddump can be used like this (if you set up the environment variables VOLATILITY_PROFILE and VOLATILITY_LOCATION, the profile and image file do not have to be repeated on every command):

volatility vaddump -p 1928 -D

Procdump plugin (be careful!)

    ➡ Working in Linux!

    ➡ First you should create a folder that will receive the extracted .exe files. In my example, I use my folder “forensics” to receive these files.

    ➡ In Kali Linux, the command is:

volatility procdump -p 680,868,1928 -D forensics
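As an added example (not part of the original post), a Python triage script for the folder that vaddump or procdump writes to: it checks whether each dumped file carries a valid MZ header and a PE signature at e_lfanew, and computes its SHA-256 for later lookup. The sample folder it builds is constructed stand-in data, not real Stuxnet dumps, and the file names are assumed.

```python
import hashlib
import os
import struct
import tempfile


def inspect_dump(path):
    """Classify one dumped file: 'pe' if it has an MZ header and a PE signature at
    e_lfanew, 'mz-only' if only the DOS header is intact, otherwise 'not-pe'.
    Returns (label, sha256 hex digest)."""
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe", digest
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "pe", digest
    return "mz-only", digest            # truncated or partially overwritten image


def triage_directory(folder):
    """Walk a dump folder and return {filename: (label, sha256)} for every file."""
    report = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if os.path.isfile(full):
            report[name] = inspect_dump(full)
    return report


def build_sample_folder():
    """Constructed stand-in for a procdump output folder (assumed file names, not
    real Stuxnet data): one minimal PE image, one MZ stub without a PE signature,
    and one non-executable file."""
    folder = tempfile.mkdtemp(prefix="forensics_")
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x80)           # e_lfanew -> 0x80
    pe += b"\x00" * (0x80 - len(pe)) + b"PE\x00\x00" + b"\x00" * 20
    samples = {
        "executable.1928.exe": bytes(pe),
        "executable.868.exe": b"MZ" + b"\x90" * 0x3E,   # header but no PE signature
        "readme.txt": b"not an executable",
    }
    for name, blob in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(blob)
    return folder


if __name__ == "__main__":
    for name, (label, digest) in triage_directory(build_sample_folder()).items():
        print(f"{label:8} {digest[:16]}... {name}")
```

Point `triage_directory` at the real “forensics” folder to get the same report for the files procdump extracted.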

Volatility Commands Cheat Sheet

