Is there a list of plugins on a per-profile basis?
E.g. connections, sockscan, sockets don't work for Windows 7 dumps. I
did not know this and was wondering what would've gone wrong.
I've got a suspect process running on a system.
0x0703fcb8 8880792.tmp 5940 1504 0x0b353000 2011-05-27 07:00:12
It's 64K on disk and looks like it's packed with Armadillo:
File Name: 8880792.tmp
File Size: 65536
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 Hash: fec737234a47ae90ee79af44d3081a4d
SHA1 Hash: 4fb9abf6aba05ec1232b98ab39073c7635f7b9aa
Cymru MHR: Not listed
=> Armadillo v1.71
Number of sections: 3
('.text\x00\x00\x00', '0x1000', '0xb446', 49152)
('.rdata\x00\x00', '0xd000', '0x15d2', 8192)
('.data\x00\x00\x00', '0xf000', '0x20c0', 4096)
I dump process memory (procmemdump) and end up with strings not much
different than what I get for the file on disk. The procmemdump output
is about 10K larger.
The memdump output is 245M and going through the addressable memory
contents I get loads of suspicious data that looks like it's related
to malware. Samples:
WEBCAM Ekran.png Ekran.bmp
Welcom to BackDor serv by emPyte
Splinter ddos v1.0
GONNA BE AN IRCF
I suppose though that this is data from the HIPS application that has
been injected into this executable's process space. The same strings
are present in the memory space of all processes. I want to confirm
this by finding an indicator in the process memory that attributes
this data to the HIPS application. What is the best way to do this?
My initial suspicion is that the VAD table could show me that. Is this
right? How could this analysis proceed in Volatility? The 'modules'
plugin shows me a couple of entries that I suspect relate to it.
0x00f70a9000 0x052000 mfehidk.sys
0x00f7697000 0x00e000 mfetdik.sys
0x00b7f38000 0x053000 mfehidk01.sys
MHL has been helpful in the past, but I thought I would throw this one out
to a wider audience.
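One way to do the attribution asked about above, as an added worked example that is neither the poster's code nor part of Volatility: instead of running `strings` over the flat memdump output (which loses the virtual addresses), dump each VAD region with `vaddump -p 5940 -D out/`, run `strings -t x` over the region files, and turn every hit's file offset back into a virtual address using the range that Volatility 2.x encodes in the vaddump file name (`<proc>.<eprocess offset>.<start>-<end>.dmp`). The address is then looked up in the process's `dlllist` output to name the module whose image range contains it. The region file name, dlllist rows, string hits, the `ExampleHIPS\hooklib.dll` path and the placeholder path for the suspect file are all constructed sample data, so the attribution they produce is an illustration of the method, not a finding about the poster's system.

```python
"""Attribute string hits in a dumped process region to the VAD range and the
loaded module that owns it, by post-processing text output from Volatility
2.x (vaddump, dlllist) and GNU `strings -t x`. Nothing here calls the
Volatility API, so it runs offline on the constructed samples below."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# vaddump names each region file <proc>.<task offset>.<start>-<end>.dmp
VADDUMP_RE = re.compile(
    r"^(?P<proc>.+)\.(?P<off>[0-9a-f]+)\."
    r"(?P<start>[0-9a-f]{8,16})-(?P<end>[0-9a-f]{8,16})\.dmp$"
)
# dlllist rows: Base  Size  LoadCount  Path (the header line does not match)
DLL_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+)$")
# `strings -t x` rows: hex file offset, whitespace, the string itself
STRINGS_RE = re.compile(r"^\s*([0-9a-f]+)\s+(.*)$")


@dataclass
class Module:
    base: int
    size: int
    path: str

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + self.size


def parse_vaddump_name(name: str) -> Tuple[int, int]:
    """Return the (start, end) virtual addresses encoded in a vaddump file name."""
    m = VADDUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a vaddump file name: {name}")
    return int(m["start"], 16), int(m["end"], 16)


def parse_dlllist(text: str) -> List[Module]:
    """Parse dlllist rows into Module records; header and blank lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = DLL_RE.match(line.strip())
        if m:
            mods.append(Module(int(m[1], 16), int(m[2], 16), m[4].strip()))
    return mods


def attribute(vaddump_name: str, strings_text: str,
              modules: List[Module]) -> List[Tuple[int, str, Optional[str]]]:
    """For each string hit, compute its virtual address (region start + file
    offset) and name the module whose image range contains it. The owner is
    None when no module in dlllist claims the address, i.e. the string sits in
    private or injected memory rather than in a mapped image."""
    start, end = parse_vaddump_name(vaddump_name)
    hits = []
    for line in strings_text.splitlines():
        m = STRINGS_RE.match(line)
        if not m:
            continue
        va = start + int(m[1], 16)
        if va > end:  # offset beyond the region: truncated or mismatched input
            continue
        owner = next((mod.path for mod in modules if mod.contains(va)), None)
        hits.append((va, m[2], owner))
    return hits


def strings_common_to_all(per_process: Dict[str, Set[str]]) -> Set[str]:
    """Strings present in every process's dump. A string seen everywhere is
    more likely to come from a DLL mapped system-wide than from one binary."""
    return set.intersection(*per_process.values()) if per_process else set()


# --- constructed sample data (not taken from the poster's system) -----------
# The process name and EPROCESS offset are from the post; the VAD range, the
# HIPS DLL and the path of the suspect file are hypothetical placeholders.
SAMPLE_VADDUMP = "8880792.tmp.703fcb8.10000000-1004ffff.dmp"
SAMPLE_DLLLIST = """\
Base             Size  LoadCount Path
0x00400000    0x10000     0xffff C:\\placeholder\\8880792.tmp
0x10000000    0x40000     0xffff C:\\Program Files\\ExampleHIPS\\hooklib.dll
0x7c900000    0xb2000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
"""
SAMPLE_STRINGS = """\
   1a40 Splinter ddos v1.0
   1a60 GONNA BE AN IRCF
  4ffe0 Welcom to BackDor serv by emPyte
"""

if __name__ == "__main__":
    for va, s, owner in attribute(SAMPLE_VADDUMP, SAMPLE_STRINGS,
                                  parse_dlllist(SAMPLE_DLLLIST)):
        print(f"{va:#010x}  {owner or '<no module>':45}  {s}")
```

With the constructed data, the first two hits resolve to the hypothetical `hooklib.dll` image range and the third falls outside every dlllist entry, which is the distinction that matters here: a string inside a mapped HIPS DLL is explained by the product, a string in unowned memory is not. Running the same comparison for several processes and keeping only the strings that `strings_common_to_all` returns isolates the set that a system-wide hook DLL would plausibly contribute. If the flat memdump file has to be used instead, the `memmap` plugin's DumpFileOffset column supplies the file-offset-to-virtual-address mapping that the vaddump file name provides here.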
Simply put, I asked my sysadmin, who has helped me set up my VMware
environment, to set up an XP SP3 VM and load stuxnet.vmem as the suspended
memory image. VMware crapped out with "A fault has occurred causing the
virtual CPU to enter the shutdown state. ..." Does anyone have any insight
here? Is stuxnet.vmem the suspended memory image of a Stuxnet-infected XP
If it had worked, I wanted to get sysinternals running on the VM, so that I
would have sysinternals and Volatility insight into Stuxnet -- although not
approaching what Mark Russinovich was able to show with booting up the
machine and infecting it from the start. For educational purposes, for the
class I am teaching.
Thanks for any guidance, VMware or stuxnet. bfn
Professor G. Scott Graham
administratively: Dean's Designate for Academic Offences
academically: Associate Professor, Computer Science and Forensic Science
University of Toronto Mississauga