[Vol-users] using hex values with strings command

Mike Lambert dragonforen at hotmail.com
Fri Apr 20 08:31:34 CDT 2012


Hi Michael!
 
That sounds like the problem. Thank you very much for solving the mystery. I will have to keep 32 and 64 bit in mind when running into these sorts of problems.
 
Have a good day!
Mike
 

> From: scudette at gmail.com
> Date: Fri, 20 Apr 2012 02:16:57 +0200
> Subject: Re: [Vol-users] using hex values with strings command
> To: dragonforen at hotmail.com
> CC: vol-users at volatilityfoundation.org
> 
> Mike,
> This sounds like you have the 64 bit python installed but the yara
> module is only 32 bit. The modules and the python interpreter have to
> match :-). Either build a 64 bit version of the yara module or
> install the 32 bit python interpreter.
> 
> Michael.
> 
> On 20 April 2012 00:37, Mike Lambert <dragonforen at hotmail.com> wrote:
> > MHL, thanks for the yara help, I will use it.
> >
> > A quick question for installing yara on Win 7 home.
> >
> > I have python 2.7 installed and use it to run Vol2.0 and Vol1.3. When I try
> > to install yara, it says that python 2.7 is not installed (yara installer
> > can't find the reg key).
> > Do you know the reg key yara is looking for? I'll be happy to make one for
> > yara.
> >
> > I do not have the same problem on my XP Professional system. Yara installs
> > fine and I can use it.
> > I just can't install it on the Windoze 7 brick-box. (I've moved my
> > production work to XP from Win 7, XP works....)
> >
> > Mike
> >
> >> Date: Wed, 18 Apr 2012 09:29:44 -0400
> >> Subject: Re: [Vol-users] using hex values with strings command
> >> From: michael.hale at gmail.com
> >> To: dragonforen at hotmail.com
> >> CC: phatbuckett at gmail.com; vol-users at volatilityfoundation.org
> >>
> >> Hi Mike,
> >>
> >> A little late, but hopefully you got your answer already. So we
> >> probably won't be expanding the strings command to use hex values,
> >> because by definition a string is only ascii/printable characters. But
> >> as Darren said you can use yara rules. If you're using a recent 2.1
> >> alpha branch, the yarascan command is your best bet and it's included
> >> in the 2.1 package already.
> >>
> >> $ python vol.py yarascan -h
> >> Volatile Systems Volatility Framework 2.1_alpha
> >> Usage: Volatility - A memory forensics analysis platform.
> >> ....
> >> -p PID, --pid=PID Operate on these Process IDs (comma-separated)
> >> -K, --kernel Scan kernel modules
> >> -W, --wide Match wide (unicode) strings
> >> -Y YARA_RULES, --yara-rules=YARA_RULES
> >> Yara rules (as a string)
> >> -y YARA_FILE, --yara-file=YARA_FILE
> >> Yara rules (rules file)
> >> -D DUMP_DIR, --dump-dir=DUMP_DIR
> >> Directory in which to dump the file
> >>
> >> Just a few examples:
> >>
> >> 1. Search for an ascii string in all processes
> >>
> >> $ python vol.py yarascan -Y "test"
> >>
> >> 2. Search for a unicode string in a specific process
> >>
> >> $ python vol.py yarascan -Y "test" --wide -p 428
> >>
> >> 3. Search for a hex string in kernel memory
> >>
> >> $ python vol.py yarascan -Y "{90 EB 77}" --kernel
> >>
> >> 4. Search for a regex in all processes
> >>
> >> $ python vol.py yarascan -Y "/t[e|a]s{1,2}t/"
> >>
> >> 5. Read all rules from a yara file and scan for them all
> >>
> >> $ python vol.py yarascan -y yara.rules
> >>
> >> MHL
> >>
> >> On Sun, Apr 15, 2012 at 2:11 PM, Mike Lambert <dragonforen at hotmail.com>
> >> wrote:
> >> > Hi David,
> >> >
> >> > In this case I'd say "no". I have the strings and their addresses I've
> >> > found in memory. I'm looking for the PIDs that have the string in it. The
> >> > strings output is exactly what I want and I can use it to do mass lookups.
> >> > strings is quite nice for this job!
> >> >
> >> > I'll look more into yara rules. I need something that can be easy to use
> >> > for many strings.
> >> > I am currently using encase and excel to export and format my memory
> >> > hits. It only takes a few minutes to make the strings input file. This fits
> >> > the bill for what I am using exactly if it is ascii, but not so well for
> >> > binary.
> >> >
> >> > I'll look closer at yara rules for this.
> >> >
> >> > Thanks and have a great weekend,
> >> > Mike
> >> >
> >> > ________________________________
> >> > CC: vol-users at volatilityfoundation.org
> >> > From: phatbuckett at gmail.com
> >> > Subject: Re: [Vol-users] using hex values with strings command
> >> > Date: Sat, 14 Apr 2012 23:35:44 -0700
> >> > To: dragonforen at hotmail.com
> >> >
> >> >
> >> > Hi Mike,
> >> >
> >> > Does malfind plugin + yara rule(s) work for your use case?
> >> >
> >> > DS
> >> >
> >> > On Apr 14, 2012, at 9:12 PM, Mike Lambert <dragonforen at hotmail.com>
> >> > wrote:
> >> >
> >> > I have read the command reference for the strings plugin and do not see
> >> > an option to specify the string to look for in anything other than ascii.
> >> >
> >> > Could strings be expanded to include hex values, perhaps in the form of
> >> > \x55\x5e\xe2\xfd\x83\xc4 or something like that?
> >> >
> >> > Thanks,
> >> > Mike Lambert
> >> >
> >> >
> >> > _______________________________________________
> >> > Vol-users mailing list
> >> > Vol-users at volatilityfoundation.org
> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >> >
> >> >
> >
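As an added illustration of the yarascan usage MHL describes above (this is not code from the thread or from Volatility): a small stdlib Python helper that turns a list of search terms, ascii ones as they would come from a strings file plus binary ones in the \x55\x5e... form Mike asked about, into a yara rules file suitable for yarascan -y, and a plain byte search over a constructed buffer showing what the ascii, wide and hex string forms actually match. The rule name, the term list and the sample buffer are made up for the example.

```python
import re

# Constructed sample input (not from the thread): ascii terms as they would come
# from a strings file, plus one binary sequence in the \xNN form Mike asked about.
SEARCH_TERMS = ["test", r"\x55\x5e\xe2\xfd\x83\xc4"]
HEX_ESCAPE = re.compile(r"^(\\x[0-9a-fA-F]{2})+$")

def hex_pairs(term):
    """The two-digit hex values in a run of \\xNN escapes, e.g. ['55', '5e', ...]."""
    return re.findall(r"\\x([0-9a-fA-F]{2})", term)

def to_yara_string(name, term, wide=False):
    """One yara string definition for term. A run of \\xNN escapes becomes a hex
    string ({ 55 5E ... }, the form yarascan -Y "{90 EB 77}" uses); anything else
    becomes a quoted text string with backslashes and quotes escaped. wide adds the
    modifier that also matches UTF-16LE, which is what yarascan --wide does."""
    if HEX_ESCAPE.match(term):
        return f"${name} = {{ {' '.join(p.upper() for p in hex_pairs(term))} }}"
    escaped = term.replace("\\", "\\\\").replace('"', '\\"')
    return f'${name} = "{escaped}"' + (" ascii wide" if wide else "")

def build_rules(terms, rule_name="strings_from_encase", wide=False):
    """Emit one rule, one $sN per term, condition 'any of them' (for yarascan -y)."""
    body = "\n".join("        " + to_yara_string(f"s{i}", t, wide)
                     for i, t in enumerate(terms))
    return (f"rule {rule_name}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        any of them\n}}\n")

def pattern_bytes(term, wide=False):
    """The raw byte sequences such a yara string would match."""
    if HEX_ESCAPE.match(term):
        return [bytes.fromhex("".join(hex_pairs(term)))]
    return [term.encode("ascii")] + ([term.encode("utf-16-le")] if wide else [])

def find_offsets(buf, term, wide=False):
    """Offsets in buf where any encoding of term occurs: a stdlib stand-in for
    the scan yarascan runs over process or kernel memory."""
    hits = []
    for pat in pattern_bytes(term, wide):
        start = 0
        while (i := buf.find(pat, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)

# Constructed 20-byte "memory" sample: ascii "test" at 1, UTF-16LE "test" at 6,
# the binary sequence at 14.
SAMPLE_MEMORY = b"\x00test\x00" + "test".encode("utf-16-le") + b"\x55\x5e\xe2\xfd\x83\xc4"
```

Writing build_rules(SEARCH_TERMS, wide=True) to a file gives something to pass to yarascan -y; find_offsets(SAMPLE_MEMORY, "test") finds only the ascii copy, while wide=True also reports the UTF-16LE one.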