[Vol-users] using hex values with strings command

Michael Hale Ligh michael.hale at gmail.com
Wed Apr 18 08:29:44 CDT 2012


Hi Mike,

A little late, but hopefully you got your answer already. So we
probably won't be expanding the strings command to use hex values,
because by definition a string is only ascii/printable characters. But
as Darren said you can use yara rules. If you're using a recent 2.1
alpha branch, the yarascan command is your best bet, and it's included
in the 2.1 package already.

$ python vol.py yarascan -h
Volatile Systems Volatility Framework 2.1_alpha
Usage: Volatility - A memory forensics analysis platform.
....
  -p PID, --pid=PID     Operate on these Process IDs (comma-separated)
  -K, --kernel          Scan kernel modules
  -W, --wide            Match wide (unicode) strings
  -Y YARA_RULES, --yara-rules=YARA_RULES
                        Yara rules (as a string)
  -y YARA_FILE, --yara-file=YARA_FILE
                        Yara rules (rules file)
  -D DUMP_DIR, --dump-dir=DUMP_DIR
                        Directory in which to dump the file

Just a few examples:

1. Search for an ascii string in all processes

$ python vol.py yarascan -Y "test"

2. Search for a unicode string in a specific process

$ python vol.py yarascan -Y "test" --wide -p 428

3. Search for a hex string in kernel memory

$ python vol.py yarascan -Y "{90 EB 77}" --kernel

4. Search for a regex in all processes

$ python vol.py yarascan -Y "/t[ea]s{1,2}t/"

5. Read all rules from a yara file and scan for them all

$ python vol.py yarascan -y yara.rules

MHL

On Sun, Apr 15, 2012 at 2:11 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> Hi David,
>
> In this case I'd say "no". I have the strings and their addresses I've found
> in memory. I'm looking for the PIDs that have the string in it. The strings
> output is exactly what I want and I can use it to do mass lookups. strings
> is quite nice for this job!
>
> I'll look more into yara rules. I need something that can be easy to use for
> many strings.
> I am currently using encase and excel to export and format my memory hits.
> It only takes a few minutes to make the strings input file. This fits the
> bill for what I am using exactly if it is ascii, but not so well for binary.
>
> I'll look closer at yara rules for this.
>
> Thanks and have a great weekend,
> Mike
>
> ________________________________
> CC: vol-users at volatilityfoundation.org
> From: phatbuckett at gmail.com
> Subject: Re: [Vol-users] using hex values with strings command
> Date: Sat, 14 Apr 2012 23:35:44 -0700
> To: dragonforen at hotmail.com
>
>
> Hi Mike,
>
> Does malfind plugin + yara rule(s) work for your use case?
>
> DS
>
> On Apr 14, 2012, at 9:12 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
>
> I have read the command reference for the strings plugin and do not see an
> option to specify the string to look for in anything other than ascii.
>
> Could strings be expanded to include hex values, perhaps in the form of
> \x55\x5e\xe2\xfd\x83\xc4 or something like that?
>
> Thanks,
> Mike Lambert
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
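Mike's remaining need, an input file with many terms (some of them raw bytes such as \x55\x5e\xe2\xfd\x83\xc4) that he can run in one pass, maps directly onto the last of MHL's examples: put every term into a rules file and pass it with `yarascan -y`. The script below is an added example for this thread, not code from the thread, from Volatility, or from any of the posters. It converts a plain text list of terms into a YARA rules file, one rule per term, so that the rule name printed by yarascan can be mapped back to the term that hit. The input format (one term per line; C-style escaped bytes, a ready-made YARA hex string in braces, or plain ASCII), the rule names `term_NNN`, the string identifier `$s`, the `wide` option and the embedded sample term list are all this example's own assumptions.

```python
import re
import sys

# Constructed sample input list, not taken from the thread: one search term per
# line. A term is either C-style escaped bytes (\x55\x5e...), an already-formed
# YARA hex string ({ 90 EB 77 }), or plain ASCII text. Lines starting with '#'
# and blank lines are ignored.
SAMPLE_TERMS = """\
\\x55\\x5e\\xe2\\xfd\\x83\\xc4
{ 90 EB 77 }
test
# comment lines and blank lines are skipped

Set-Cookie
"""

_ESCAPED_BYTES = re.compile(r'^(?:\\x[0-9A-Fa-f]{2})+$')
_YARA_HEX = re.compile(r'^\{\s*(?:[0-9A-Fa-f]{2}\s*)+\}$')


def escaped_to_hex_string(term):
    """'\\x55\\x5e\\xe2' -> '{ 55 5E E2 }' (YARA hex string syntax)."""
    octets = re.findall(r'\\x([0-9A-Fa-f]{2})', term)
    return '{ ' + ' '.join(o.upper() for o in octets) + ' }'


def to_yara_string(term, wide=False):
    """Right-hand side of a 'strings:' entry for one search term.

    Hex terms are matched byte-for-byte. Text terms get YARA's 'ascii wide'
    modifiers when wide=True, so UTF-16LE copies of the string also hit.
    """
    term = term.strip()
    if _ESCAPED_BYTES.match(term):
        return escaped_to_hex_string(term)
    if _YARA_HEX.match(term):
        return term.upper()
    # Text string: escape backslash and double quote so the rule still parses.
    escaped = term.replace('\\', '\\\\').replace('"', '\\"')
    quoted = '"%s"' % escaped
    return quoted + ' ascii wide' if wide else quoted


def build_rules(text, wide=False):
    """Build the body of a YARA rules file, one rule per term.

    Returns (rules_text, index); index maps each rule name (term_001, ...)
    back to the original term, so a 'Rule: term_003' line in yarascan output
    can be resolved to the term that matched.
    """
    rules = []
    index = {}
    count = 0
    for line in text.splitlines():
        term = line.strip()
        if not term or term.startswith('#'):
            continue
        count += 1
        name = 'term_%03d' % count
        index[name] = term
        # The original term is kept in a '//' comment, which YARA allows.
        rules.append(
            'rule %s\n{\n    // original term: %s\n    strings:\n'
            '        $s = %s\n    condition:\n        $s\n}\n'
            % (name, term, to_yara_string(term, wide))
        )
    return '\n'.join(rules), index


if __name__ == '__main__':
    # Usage (hypothetical file names):
    #   python make_rules.py terms.txt > yara.rules
    #   python vol.py yarascan -y yara.rules             (all processes)
    #   python vol.py yarascan -y yara.rules --kernel    (kernel memory)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            source = handle.read()
    else:
        source = SAMPLE_TERMS
    body, _ = build_rules(source)
    sys.stdout.write(body)
```

One rule per term (rather than one rule with `any of them`) is deliberate: yarascan reports the name of the rule that fired, so with `term_NNN` names the hit list can be joined back to the original spreadsheet of terms without parsing the matched bytes. Terms that arrive as escaped bytes become YARA hex strings, which is the same form MHL uses in example 3, so binary and ASCII terms go through the same file.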
