[Vol-users] using hex values with strings command

Michael Cohen scudette at gmail.com
Thu Apr 19 19:16:57 CDT 2012


Mike,
   This sounds like you have the 64 bit python installed but the yara
module is only 32 bit. The modules and the python interpreter have to
match :-). Either build a 64 bit version of the yara module or
install the 32 bit python interpreter.

Michael.

On 20 April 2012 00:37, Mike Lambert <dragonforen at hotmail.com> wrote:
> MHL,
> Thanks for the yara help, I will use it.
>
> A quick question for installing yara on Win 7 home.
>
> I have python 2.7 installed and use it to run Vol2.0 and Vol1.3. When I try
> to install yara, it says that python 2.7 is not installed (yara installer
> can't find the reg key).
> Do you know the reg key yara is looking for? I'll be happy to make one for
> yara.
>
> I do not have the same problem on my XP Professional system. Yara installs
> fine and I can use it.
> I just can't install it on the Windoze 7 brick-box.   (I've moved my
> production work to XP from Win 7, XP works....)
>
> Mike
>
>> Date: Wed, 18 Apr 2012 09:29:44 -0400
>
>> Subject: Re: [Vol-users] using hex values with strings command
>> From: michael.hale at gmail.com
>> To: dragonforen at hotmail.com
>> CC: phatbuckett at gmail.com; vol-users at volatilityfoundation.org
>
>>
>> Hi Mike,
>>
>> A little late, but hopefully you got your answer already. So we
>> probably won't be expanding the strings command to use hex values,
>> because by definition a string is only ascii/printable characters. But
>> as Darren said you can use yara rules. If you're using a recent 2.1
>> alpha branch, the yarascan command is your best bet and its included
>> in the 2.1 package already.
>>
>> $ python vol.py yarascan -h
>> Volatile Systems Volatility Framework 2.1_alpha
>> Usage: Volatility - A memory forensics analysis platform.
>> ....
>> -p PID, --pid=PID Operate on these Process IDs (comma-separated)
>> -K, --kernel Scan kernel modules
>> -W, --wide Match wide (unicode) strings
>> -Y YARA_RULES, --yara-rules=YARA_RULES
>> Yara rules (as a string)
>> -y YARA_FILE, --yara-file=YARA_FILE
>> Yara rules (rules file)
>> -D DUMP_DIR, --dump-dir=DUMP_DIR
>> Directory in which to dump the file
>>
>> Just a few examples:
>>
>> 1. Search for an ascii string in all processes
>>
>> $ python vol.py yarascan -Y "test"
>>
>> 2. Search for a unicode string in a specific process
>>
>> $ python vol.py yarascan -Y "test" --wide -p 428
>>
>> 3. Search for a hex string in kernel memory
>>
>> $ python vol.py yarascan -Y "{90 EB 77}" --kernel
>>
>> 4. Search for a regex in all processes
>>
>> $ python vol.py yarascan -Y "/t[e|a]s{1,2}t/"
>>
>> 5. Read all rules from a yara file and scan for them all
>>
>> $ python vol.py yarascan -y yara.rules
>>
>> MHL
>>
>> On Sun, Apr 15, 2012 at 2:11 PM, Mike Lambert <dragonforen at hotmail.com>
>> wrote:
>> > Hi David,
>> >
>> > In this case I'd say "no". I have the strings and their addresses I've
>> > found in memory. I'm looking for the PIDs that have the string in it. The
>> > strings output is exactly what I want and I can use it to do mass lookups.
>> > strings is quite nice for this job!
>> >
>> > I'll look more into yara rules. I need something that can be easy to use
>> > for many strings.
>> > I am currently using encase and excel to export and format my memory
>> > hits. It only takes a few minutes to make the strings input file. This fits
>> > the bill for what I am using exactly if it is ascii, but not so well for
>> > binary.
>> >
>> > I'll look closer at yara rules for this.
>> >
>> > Thanks and have a great weekend,
>> > Mike
>> >
>> > ________________________________
>> > CC: vol-users at volatilityfoundation.org
>> > From: phatbuckett at gmail.com
>> > Subject: Re: [Vol-users] using hex values with strings command
>> > Date: Sat, 14 Apr 2012 23:35:44 -0700
>> > To: dragonforen at hotmail.com
>> >
>> >
>> > Hi Mike,
>> >
>> > Does malfind plugin + yara rule(s) work for your use case?
>> >
>> > DS
>> >
>> > On Apr 14, 2012, at 9:12 PM, Mike Lambert <dragonforen at hotmail.com>
>> > wrote:
>> >
>> > I have read the command reference for the strings plugin and do not see
>> > an option to specify the string to look for in anything other than ascii.
>> >
>> > Could strings be expanded to include hex values, perhaps in the form of
>> > \x55\x5e\xe2\xfd\x83\xc4 or something like that?
>> >
>> > Thanks,
>> > Mike Lambert
>> >
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users at volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>> >
>
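As an added example (not code from this thread or from Volatility itself): a small Python script that does offline what MHL's yarascan examples do for the three pattern kinds the thread discusses (ascii, --wide unicode, and hex byte sequences such as {90 EB 77} or 55 5E E2 FD 83 C4), and that emits a single yara rules file from a list of many patterns, which is the "easy to use for many strings" workflow Mike asked about. The memory buffer, pattern list and identifiers are constructed for the demo, and the hex-string parser is an assumed subset of yara syntax (fixed bytes plus the ?? wildcard, no jumps or alternation).

```python
import re

# Constructed sample "memory" buffer standing in for a process image: an ASCII
# "test", a stub starting 90 EB, a UTF-16LE "test", then 55 5E E2 FD 83 C4.
SAMPLE_MEMORY = (b"\x00" * 16 + b"test" + b"\x00" * 8 + b"\x90\xeb\x77\x41"
                 + "test".encode("utf-16-le") + b"\x55\x5e\xe2\xfd\x83\xc4")

# (identifier, kind, value) triples; kind is 'ascii', 'wide' or 'hex'.
PATTERNS = [
    ("ascii_test", "ascii", "test"),
    ("wide_test", "wide", "test"),
    ("hex_stub", "hex", "{90 EB ?? 41}"),
    ("hex_seq", "hex", "{55 5E E2 FD 83 C4}"),
]

def hex_to_regex(hex_string):
    """Yara hex string such as '{90 EB ?? 41}' -> bytes regex (subset: bytes and '??')."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_string.strip().strip("{}").split()]
    return re.compile(b"".join(parts), re.DOTALL)

def pattern_to_regex(kind, value):
    """ascii -> raw bytes, wide -> UTF-16LE bytes (yarascan --wide), hex -> see above."""
    if kind == "hex":
        return hex_to_regex(value)
    data = value.encode("utf-16-le" if kind == "wide" else "ascii")
    return re.compile(re.escape(data), re.DOTALL)

def scan(buf, patterns):
    """Return (identifier, offset, matched bytes) for every hit, ordered by offset."""
    hits = [(ident, m.start(), m.group(0)) for ident, kind, value in patterns
            for m in pattern_to_regex(kind, value).finditer(buf)]
    return sorted(hits, key=lambda h: h[1])

def to_yara_rule(rule_name, patterns):
    """One rule covering every pattern, usable with 'yarascan -y <file>'.
    Assumes text values contain no double quotes or backslashes."""
    lines = ["rule %s {" % rule_name, "    strings:"]
    for ident, kind, value in patterns:
        if kind == "hex":
            lines.append("        $%s = %s" % (ident, value))
        else:
            lines.append('        $%s = "%s"%s' % (ident, value, " wide" if kind == "wide" else ""))
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for ident, off, data in scan(SAMPLE_MEMORY, PATTERNS):
        print("%-10s 0x%04x %s" % (ident, off, data.hex()))
    print(to_yara_rule("memory_hits", PATTERNS))
```

Writing the output of to_yara_rule to a file and passing it with -y gives yarascan the same pattern set, with per-process PIDs and offsets in its output.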