[Vol-users] using hex values with strings command

Mike Lambert dragonforen at hotmail.com
Sun Apr 15 13:11:18 CDT 2012


Hi David,
 
In this case I'd say "no". I have the strings and their addresses I've found in memory. I'm looking for the PIDs that have the string in it. The strings output is exactly what I want and I can use it to do mass lookups. strings is quite nice for this job!
 
I'll look more into YARA rules. I need something that can be easy to use for many strings.
I am currently using EnCase and Excel to export and format my memory hits. It only takes a few minutes to make the strings input file. This fits the bill for what I am using exactly if it is ASCII, but not so well for binary.
 
I'll look closer at YARA rules for this.
 
Thanks and have a great weekend,
Mike
 



CC: vol-users at volatilityfoundation.org
From: phatbuckett at gmail.com
Subject: Re: [Vol-users] using hex values with strings command
Date: Sat, 14 Apr 2012 23:35:44 -0700
To: dragonforen at hotmail.com



Hi Mike,


Does the malfind plugin + YARA rule(s) work for your use case?


DS

On Apr 14, 2012, at 9:12 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
I have read the command reference for the strings plugin and do not see an option to specify the string to look for in anything other than ASCII.

Could strings be expanded to include hex values, perhaps in the form of \x55\x5e\xe2\xfd\x83\xc4 or something like that?
 
Thanks,
Mike Lambert
 



_______________________________________________
Vol-users mailing list
Vol-users at volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
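Mike's question (a strings plugin that takes hex values such as \x55\x5e\xe2\xfd\x83\xc4) and DS's suggestion (malfind plus a YARA rule) point at the same workaround: the strings plugin does not care how an offset was found, only that it is handed a list of physical offsets. The Python below is an added example, not code from the thread or from the Volatility project. It scans a raw image for byte patterns and emits lines in the shape the Volatility 2 strings plugin consumes, `<decimal physical offset>:<string>`, the same shape `strings -td` output is reduced to; that input format is an assumption here and should be checked against the installed plugin's line parser. The equivalent YARA hex rule is included as text for use with yarascan/malfind. The sample image and the pattern labels are constructed for the example.

```python
"""Turn hex-pattern hits in a raw memory image into a Volatility 2 strings
plugin input file, so binary sequences can be mapped to PIDs the same way
ASCII strings are.  Added example; not part of the thread or of Volatility.
Assumption: the strings plugin reads lines of '<decimal offset>:<string>'."""
import re
from typing import Dict, List, Tuple

# The sequence from the thread, as real bytes rather than '\x55\x5e...' text.
PATTERNS: Dict[str, bytes] = {
    "hexseq1": bytes.fromhex("555ee2fd83c4"),
}

# Equivalent rule for `vol.py yarascan -y rule.yar` or `malfind -y rule.yar`
# (constructed for this example).  YARA hex strings take bare hex bytes and
# also allow '??' wildcards and '[n-m]' jumps, which a plain byte search cannot.
YARA_RULE = r'''
rule hexseq1_from_thread
{
    strings:
        $seq = { 55 5E E2 FD 83 C4 }
    condition:
        $seq
}
'''


def find_pattern_offsets(image: bytes, pattern: bytes) -> List[int]:
    """Return every physical offset at which pattern occurs in image.

    re.escape stops bytes such as 0x5e ('^') from being read as regex syntax;
    the zero-width lookahead makes overlapping occurrences count as well.
    """
    probe = re.compile(b"(?=" + re.escape(pattern) + b")")
    return [m.start() for m in probe.finditer(image)]


def to_strings_input(image: bytes, patterns: Dict[str, bytes]) -> List[str]:
    """Emit '<decimal offset>:<label> <hex>' lines, sorted by offset.

    The label and hex travel in the string field so the plugin's output
    ('<physical> [<pid>:<virtual>] <string>') still shows what matched.
    """
    hits: List[Tuple[int, str]] = []
    for label, pat in patterns.items():
        for off in find_pattern_offsets(image, pat):
            hits.append((off, f"{label} {pat.hex()}"))
    hits.sort()
    return [f"{off}:{text}" for off, text in hits]


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'memory image': zero filler with the pattern planted
    at 0x120 and 0xA00, plus an ASCII decoy spelling the escapes literally."""
    pat = PATTERNS["hexseq1"]
    img = bytearray(0x1000)
    img[0x120:0x120 + len(pat)] = pat
    img[0xA00:0xA00 + len(pat)] = pat
    decoy = b"\\x55\\x5e\\xe2"          # text, not bytes: must not match
    img[0x600:0x600 + len(decoy)] = decoy
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for line in to_strings_input(sample, PATTERNS):
        print(line)
    # Write the lines to hexhits.txt, then feed them to the plugin:
    #   vol.py -f image.raw --profile=<Profile> strings -s hexhits.txt
```

The decoy line is the point Mike raised: the escaped text `\x55\x5e\xe2` is what `strings` would find and what the plugin's ASCII input can express, but it is not the six bytes in memory; only a byte-level search (or the YARA hex string) finds the real sequence. Run the script against a real image by replacing `build_sample_image()` with `open(path, "rb").read()` (or an mmap for large captures) and redirect stdout to the `-s` file.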