[Vol-users] using hex values with strings command - only the address matters

Mike Lambert dragonforen at hotmail.com
Thu Apr 19 17:28:50 CDT 2012


Hi Jamie,
 
Yes, I'm talking about the strings plugin.
 
You are absolutely right! The string after the ":" is just for us humans; the plugin does not use it to "double check" (that was what I thought it would do).  Go girl!
 
Here is what Volatility 2.0 strings returned (note my label backs what you say)
stringtest.txt has this in it   71801060:IP-83.133.126.87
 
C:\Python27\volatility-2.0>python vol.py strings -f e:\tests\120414b\120414b.mem  --profile=WinXPSP3x86 -s stringtest.txt
Volatile Systems Volatility Framework 2.0
044798e4 [kernel:2223479012] IP-83.133.126.87

 
========================
 
Here is a question for MHL. Can you give me the offsets into this structure in memory referenced at 71801048 above? (I plucked 16 bytes; I don't know its length.)
 
Scan 1 for connection objects (connscan):

Offset      Local Address      Remote Address      Pid
----------  -----------------  ------------------  ----
0x044798d8  192.168.1.44:1052  83.133.126.87:443   4012
 
Here is some info from memory and the connection in question. Vol 2.0 connscan found it (Vol 1.3 did not)
 
The following is from memory starting at 0x44798e8  (proportional spacing may mess this up)
 
Start address 71801048
C0 2C 9E 84 00 00 00 00 00 00 00 00 53 85 7E 57 C0 A8 01 2C 01 BB 04 1C AC 0F 00 00 00 00 01 00 B4 05 B4 05 F8 0D F0 CA 45 FD
                                    |           |           |     |     |
                                    |           |           |     |     AC 0F = 4012
                                    |           |           |     04 1C = 1052
                                    |           |           01 BB = 443
                                    |           C0 A8 01 2C = 192.168.1.44
                                    53 85 7E 57 = 83.133.126.87
  
Info from PortRecorder showing the log entry for this comm

Date       Time      Proto  SrcPort  Source IP     RemPort  Remote IP      PID
12/4/2014  15:37:22  TCP    1052     192.168.1.44  443      83.133.126.87  4012

 
Thanks to all! I love strings!!
 
Mike
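The question above asks for the field offsets of the connection object whose bytes are posted. As an added example, not code from this thread or from Volatility itself, here is a Python decoder for those bytes. The field layout is an assumption on my part: it is the tcpip!_TCPT_OBJECT layout that Volatility's 32-bit Windows XP profile uses for connscan as I recall it (remote IP at 0xc, local IP at 0x10, remote and local ports at 0x14 and 0x16 in network byte order, PID at 0x18), and the check that it fits these bytes is that it reproduces the connscan row shown above. Confirm it against the vtypes of the profile you actually use before relying on it; the function names and the plausibility filter are my own.

```python
import ipaddress
import struct

# Constructed input: the bytes posted in the thread for the object that
# connscan reported at 0x044798d8 (decimal 71801048).
POSTED_BYTES = bytes.fromhex(
    "C0 2C 9E 84 00 00 00 00 00 00 00 00 53 85 7E 57 C0 A8 01 2C 01 BB 04 1C"
    " AC 0F 00 00 00 00 01 00 B4 05 B4 05 F8 0D F0 CA 45 FD"
)
OBJECT_PHYS = 0x044798D8

# Assumed layout (not taken from the thread): tcpip!_TCPT_OBJECT as Volatility's
# 32-bit Windows XP profile defines it for connscan. Offsets are relative to the
# object start; ports are stored in network byte order, the pointer and the PID
# in the machine's little-endian order. Check against the profile's vtypes.
TCPT_OBJECT = {
    "Next":            (0x00, "<I"),   # pointer to the next object in the list
    "RemoteIpAddress": (0x0C, "4s"),
    "LocalIpAddress":  (0x10, "4s"),
    "RemotePort":      (0x14, ">H"),
    "LocalPort":       (0x16, ">H"),
    "Pid":             (0x18, "<I"),
}
TCPT_OBJECT_SIZE = 0x1C   # extent of the fields decoded above, not the full object


def field_offsets(base):
    """Physical offset of each decoded field for an object located at `base`."""
    return {name: base + off for name, (off, _fmt) in TCPT_OBJECT.items()}


def decode_tcpt_object(buf, start=0):
    """Decode the object at buf[start:]; IP addresses come back as dotted strings."""
    if len(buf) - start < TCPT_OBJECT_SIZE:
        raise ValueError("need %d bytes from offset %d, have %d"
                         % (TCPT_OBJECT_SIZE, start, len(buf) - start))
    obj = {}
    for name, (off, fmt) in TCPT_OBJECT.items():
        value, = struct.unpack_from(fmt, buf, start + off)
        if fmt == "4s":
            value = str(ipaddress.IPv4Address(value))
        obj[name] = value
    return obj


def looks_plausible(obj):
    """Cheap filter in the spirit of what a carver applies before reporting a
    hit: non-zero ports and local address, a PID that is a non-zero multiple of
    4 as Windows hands them out, and a Next pointer that is NULL or above the
    2 GB user/kernel split of a default 32-bit XP."""
    return (obj["LocalPort"] != 0 and obj["RemotePort"] != 0
            and obj["LocalIpAddress"] != "0.0.0.0"
            and obj["Pid"] != 0 and obj["Pid"] % 4 == 0
            and (obj["Next"] == 0 or obj["Next"] >= 0x80000000))


def connscan_row(obj, base):
    """Render the object the way Volatility 2.0's connscan table prints it."""
    return "0x%08x %s:%d %s:%d %d" % (
        base, obj["LocalIpAddress"], obj["LocalPort"],
        obj["RemoteIpAddress"], obj["RemotePort"], obj["Pid"])


if __name__ == "__main__":
    obj = decode_tcpt_object(POSTED_BYTES)
    print(connscan_row(obj, OBJECT_PHYS),
          "plausible" if looks_plausible(obj) else "suspect")
    for name, phys in field_offsets(OBJECT_PHYS).items():
        print("  %-16s at 0x%08x (decimal %d)" % (name, phys, phys))
```

Run stand-alone it prints the reconstructed connscan row and the physical offset of every decoded field. One thing worth noticing: under this layout the RemoteIpAddress field of an object at 0x044798d8 sits at 0x044798e4, decimal 71801060, which is exactly the offset in stringtest.txt and the address the strings plugin reported above, so the strings hit is the remote-IP field of the carved connection object.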


> Date: Wed, 18 Apr 2012 12:25:40 -0400
> Subject: Re: [Vol-users] using hex values with strings command
> From: jamie.levy at gmail.com
> To: dragonforen at hotmail.com
> CC: vol-users at volatilityfoundation.org
> 
> Are you asking about the `strings` plugin itself? It really doesn't
> matter what the "string" is next to the offset, it should just work as
> long as there is an offset and some kind of string next to it. For
> example, I took a regular strings output and modified one of the
> strings with your hex string:
> 
> 
> 225297940:Info
> 225297948:Info_Cert0
> 225297960:Software\Microsoft\WM Rights Manager\License Server
> 225298012:Microsoft Corporation
> 225298040:F_-
> 225298058:@Bt
> 225298113:0]G
> 225298125:VeD
> 225298173:YoL
> 225298209:\x55\x5e\xe2\xfd\x83\xc4 <- modified here
> 
> 
> Running Volatility with the `strings` plugin yields:
> 
> 0d6dc614 [1004:1527629332 3812:353515028] Info
> 0d6dc61c [1004:1527629340 3812:353515036] Info_Cert0
> 0d6dc628 [1004:1527629352 3812:353515048] Software\Microsoft\WM Rights
> Manager\License Server
> 0d6dc65c [1004:1527629404 3812:353515100] Microsoft Corporation
> 0d6dc678 [1004:1527629432 3812:353515128] F_-
> 0d6dc68a [1004:1527629450 3812:353515146] @Bt
> 0d6dc6c1 [1004:1527629505 3812:353515201] 0]G
> 0d6dc6cd [1004:1527629517 3812:353515213] VeD
> 0d6dc6fd [1004:1527629565 3812:353515261] YoL
> 0d6dc721 [1004:1527629601 3812:353515297] \x55\x5e\xe2\xfd\x83\xc4
> <- see the string doesn't really matter...
> 
> 
> Now I've modified the same file with a hex editor to ensure that I
> have some binary stuff as the string itself:
> 
> 225297940:Info
> 225297948:Info_Cert0
> 225297960:Software\Microsoft\WM Rights Manager\License Server
> 225298012:Microsoft Corporation
> 225298040:F_-
> 225298058:@Bt
> 225298113:0]G
> 225298125:VeD
> 225298173:YoL
> 225298209:^[ ^A^E<9a>^Hh <- my funky string as seen in vim (editor)
> 
> .... and now my output as seen from vim:
> 
> 0d6dc614 [1004:1527629332 3812:353515028] Info
> 0d6dc61c [1004:1527629340 3812:353515036] Info_Cert0
> 0d6dc628 [1004:1527629352 3812:353515048] Software\Microsoft\WM Rights
> Manager\License Server
> 0d6dc65c [1004:1527629404 3812:353515100] Microsoft Corporation
> 0d6dc678 [1004:1527629432 3812:353515128] F_-
> 0d6dc68a [1004:1527629450 3812:353515146] @Bt
> 0d6dc6c1 [1004:1527629505 3812:353515201] 0]G
> 0d6dc6cd [1004:1527629517 3812:353515213] VeD
> 0d6dc6fd [1004:1527629565 3812:353515261] YoL
> 0d6dc721 [1004:1527629601 3812:353515297] ^[ ^A^E<9a>^Hh <- again
> the string doesn't matter...
> 
> 
> And actually I see that we don't even have to have a string next to
> the offset, so the string really doesn't matter (the string was erased
> from the input file and we can see that the output file is ok):
> 
> 0d6dc614 [1004:1527629332 3812:353515028] Info
> 0d6dc61c [1004:1527629340 3812:353515036] Info_Cert0
> 0d6dc628 [1004:1527629352 3812:353515048] Software\Microsoft\WM Rights
> Manager\License Server
> 0d6dc65c [1004:1527629404 3812:353515100] Microsoft Corporation
> 0d6dc678 [1004:1527629432 3812:353515128] <-
> string was erased from input file
> 0d6dc68a [1004:1527629450 3812:353515146] @Bt
> 0d6dc6c1 [1004:1527629505 3812:353515201] 0]G
> 0d6dc6cd [1004:1527629517 3812:353515213] VeD
> 0d6dc6fd [1004:1527629565 3812:353515261] YoL
> 0d6dc721 [1004:1527629601 3812:353515297] ^[ ^A^E<9a>^Hh
> 
> 
> So there you have it. Experiment on your own as well.
> 
> -gleeda
> 
> 
> On Sun, Apr 15, 2012 at 2:11 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> > Hi David,
> >
> > In this case I'd say "no". I have the strings and their addresses I've found
> > in memory. I'm looking for the PIDs that have the string in it. The strings
> > output is exactly what I want and I can use it to do mass lookups. strings
> > is quite nice for this job!
> >
> > I'll look more into yara rules. I need something that can be easy to use for
> > many strings.
> > I am currently using encase and excel to export and format my memory hits.
> > It only takes a few minutes to make the strings input file. This fits the
> > bill for what I am using exactly if it is ascii, but not so well for binary.
> >
> > I'll look closer at yara rules for this.
> >
> > Thanks and have a great weekend,
> > Mike
> >
> > ________________________________
> > CC: vol-users at volatilityfoundation.org
> > From: phatbuckett at gmail.com
> > Subject: Re: [Vol-users] using hex values with strings command
> > Date: Sat, 14 Apr 2012 23:35:44 -0700
> > To: dragonforen at hotmail.com
> >
> >
> > Hi Mike,
> >
> > Does malfind plugin + yara rule(s) work for your use case?
> >
> > DS
> >
> > On Apr 14, 2012, at 9:12 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> >
> > I have read the command reference for the strings plugin and do not see an
> > option to specify the string to look for in anything other than ascii.
> >
> > Could strings be expanded to include hex values, perhaps in the form of
> > \x55\x5e\xe2\xfd\x83\xc4 or something like that?
> >
> > Thanks,
> > Mike Lambert
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
> >
> 
> 
> 
> -- 
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
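The demonstration quoted above, together with the confirmation at the top of this message, pins down the two formats worth encoding: the file passed with -s carries a decimal physical offset before the first colon and an optional label after it that the plugin only copies through, and each output line carries a hex physical address, then [owner:vaddr ...] with owner either a PID or kernel and vaddr in decimal, then the label. As an added example, not code from this thread or from Volatility, here is a Python helper that writes such input lines from hex or decimal addresses (so hex hits exported from another tool can be fed in directly), parses the output back into records, checks that each record's physical and virtual addresses agree in their page-offset bits, and lists the PIDs that map a given label, which is the lookup Mike described wanting. The sample output lines are constructed from lines quoted in the thread; the function names are my own.

```python
import re

# Constructed sample of `strings` plugin output, taken from lines quoted in the
# thread; the third line is the one whose label was erased from the input file.
SAMPLE_OUTPUT = "\n".join([
    "Volatile Systems Volatility Framework 2.0",
    "044798e4 [kernel:2223479012] IP-83.133.126.87",
    "0d6dc614 [1004:1527629332 3812:353515028] Info",
    "0d6dc678 [1004:1527629432 3812:353515128]",
    "0d6dc721 [1004:1527629601 3812:353515297] \\x55\\x5e\\xe2\\xfd\\x83\\xc4",
])

OUTPUT_LINE = re.compile(
    r"^(?P<phys>[0-9a-fA-F]+) \[(?P<owners>[^\]]*)\] ?(?P<label>.*)$")


def strings_input_line(offset, label=""):
    """One line for the file given to `vol.py strings -s`: decimal physical
    offset, colon, label. Only the offset is consulted by the plugin; the label
    is copied to the output. `offset` may be an int or a hex string such as
    '0x044798e4' or '044798e4'."""
    if isinstance(offset, str):
        offset = int(offset, 16)
    if offset < 0:
        raise ValueError("physical offset must be non-negative")
    if "\n" in label:
        raise ValueError("label must be a single line")
    return "%d:%s" % (offset, label)


def strings_input_file(hits):
    """Join (offset, label) pairs into the file contents, one hit per line."""
    return "".join(strings_input_line(off, lab) + "\n" for off, lab in hits)


def parse_strings_output(text):
    """Turn plugin output into records: phys (int), owners as a list of
    (owner, vaddr) with owner an int PID or the string 'kernel', and label.
    Lines that do not fit the format (such as the banner) are skipped."""
    records = []
    for line in text.splitlines():
        m = OUTPUT_LINE.match(line)
        if not m:
            continue
        owners = []
        for token in m.group("owners").split():
            owner, vaddr = token.split(":", 1)
            owners.append(("kernel" if owner == "kernel" else int(owner), int(vaddr)))
        records.append({"phys": int(m.group("phys"), 16),
                        "owners": owners,
                        "label": m.group("label")})
    return records


def page_offset_consistent(record, page_bits=12):
    """A physical address and every virtual address that maps to it share the
    low page-offset bits (12 for 4 KiB pages); a mismatch flags a mangled or
    misattributed line before it goes into a spreadsheet."""
    mask = (1 << page_bits) - 1
    return all((vaddr & mask) == (record["phys"] & mask)
               for _owner, vaddr in record["owners"])


def pids_for_label(records, label):
    """Which processes have the hit carrying `label` mapped (kernel excluded)."""
    return sorted({owner for r in records if r["label"] == label
                   for owner, _vaddr in r["owners"] if owner != "kernel"})


if __name__ == "__main__":
    print(strings_input_file([("0x044798e4", "IP-83.133.126.87"),
                              ("0d6dc614", "Info")]), end="")
    recs = parse_strings_output(SAMPLE_OUTPUT)
    for rec in recs:
        print(rec, "ok" if page_offset_consistent(rec) else "MISMATCH")
    print("PIDs with 'Info':", pids_for_label(recs, "Info"))
```

The page-offset check is the one safeguard worth keeping when these files are produced and consumed by spreadsheet round-trips: a line whose physical and virtual addresses disagree in their low 12 bits cannot be a real mapping, so it is either mangled or attributed to the wrong offset.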
 		 	   		  

