[Vol-users] how does malfind plugin work

Michael Hale Ligh michael.hale at gmail.com
Mon Oct 24 22:01:35 CDT 2011


You've found an API hook trampoline allocated by Zeus. Please see the
description of malfind on the CommandReference:

http://code.google.com/p/volatility/wiki/CommandReference#malfind

MHL

On Sat, Oct 22, 2011 at 4:17 PM, malware monna <malware.monna at gmail.com> wrote:

> Hi All,
>
>         I'm new to volatility and I was reading one of the articles on the
> internet and found the output below, so I was curious to know what the
> output below means. Can anybody please help me understand the malfind plugin
> and the output below? Any info would be useful.
>
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> VMwareTray.exe       432    0x00e30000 0xe30fff00 VadS     0 PAGE_EXECUTE_READWRITE
> Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp
> 0x00e30000   b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9   .5.......{......
> 0x00e30010   4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff   O..{..U.....>v..
> 0x00e30020   55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53   U....v9v..U....S
> 0x00e30030   3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b   :v..U.....>v..U.
> 0x00e30040   ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76   ....9v..U...O~<v
> 0x00e30050   8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9   ..U....2:v..U...
> 0x00e30060   7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76   }a9vj,h...w...9v
> 0x00e30070   8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9   ..U......p..U...
>
> Disassembly:
> 00e30000: b835000000                       MOV EAX, 0x35
> 00e30005: e9cdd7ad7b                       JMP 0x7c90d7d7
> 00e3000a: b891000000                       MOV EAX, 0x91
> 00e3000f: e94fdfad7b                       JMP 0x7c90df63
> 00e30014: 8bff                             MOV EDI, EDI
> 00e30016: 55                               PUSH EBP
> 00e30017: 8bec                             MOV EBP, ESP
> 00e30019: e9ef173e76                       JMP 0x7721180d
> 00e3001e: 8bff                             MOV EDI, EDI
> 00e30020: 55                               PUSH EBP
>
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Thanks
>
>
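As an added illustration of what those stubs are (example code written for this page, not Volatility's own malfind code): the bytes malfind printed above are a run of short trampolines, each consisting of the first instruction(s) displaced from a hooked API followed by a JMP rel32 back into the original function past the hook. The script below re-assembles the 128-byte dump from the post, decodes every stub, resolves the JMP targets the same way the disassembly lines do (target = address after the JMP + rel32), and flags the final stub, which the dump cuts off.

```python
"""Decode the API hook trampolines in a region dumped by malfind (added example)."""
import struct

# The 128 bytes malfind printed for VMwareTray.exe at 0x00e30000 in the post.
BASE = 0x00E30000
DUMP = bytes.fromhex(
    "b835000000e9cdd7ad7bb891000000e9" "4fdfad7b8bff558bece9ef173e768bff"
    "558bece9957639768bff558bece9be53" "3a768bff558bece9d6183e768bff558b"
    "ece9149539768bff558bece94f7e3c76" "8bff558bece90a323a768bff558bece9"
    "7d6139766a2c68b88d1c77e9018c3976" "8bff558bece9c495c8708bff558bece9"
)

# Stub shapes seen in the dump: the displaced first instruction(s) of the hooked
# API as (opcode bytes, immediate length), each followed by JMP rel32 back.
STUB_SHAPES = {
    "MOV EAX, imm32 (ntdll syscall stub)": [(b"\xb8", 4)],
    "MOV EDI,EDI; PUSH EBP; MOV EBP,ESP (hot-patch prologue)": [(b"\x8b\xff\x55\x8b\xec", 0)],
    "PUSH imm8; PUSH imm32": [(b"\x6a", 1), (b"\x68", 4)],
}

def match_shape(buf, pos, shape):
    """Return the offset just past the displaced bytes if shape matches at pos."""
    for opcode, imm_len in shape:
        if buf[pos:pos + len(opcode)] != opcode:
            return None
        pos += len(opcode) + imm_len
    return pos

def decode_trampolines(buf, base):
    """Return (address, shape, displaced bytes hex, JMP target); target is None if truncated."""
    found, pos = [], 0
    while pos < len(buf):
        for name, shape in STUB_SHAPES.items():
            end = match_shape(buf, pos, shape)
            if end is not None and end < len(buf) and buf[end] == 0xE9:
                break
        else:  # not a shape we know: stop and let the analyst look by hand
            raise ValueError(f"unrecognised bytes at {base + pos:#010x}")
        if end + 5 > len(buf):  # the JMP rel32 runs past the dumped bytes
            found.append((base + pos, name, buf[pos:end].hex(), None))
            break
        rel = struct.unpack_from("<i", buf, end + 1)[0]
        target = (base + end + 5 + rel) & 0xFFFFFFFF  # rel32 is relative to next instruction
        found.append((base + pos, name, buf[pos:end].hex(), target))
        pos = end + 5
    return found

if __name__ == "__main__":
    for addr, name, displaced, target in decode_trampolines(DUMP, BASE):
        dest = f"JMP {target:#010x}" if target is not None else "JMP (cut off by dump end)"
        print(f"{addr:#010x}  {displaced:<14} {dest}  ; {name}")
```

The first three targets (0x7c90d7d7, 0x7c90df63, 0x7721180d) match the JMP operands in the post's disassembly; the remaining stubs follow the same hot-patch-prologue pattern back into system DLLs.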