[Vol-users] Need to pick a malware for a demo

Mike Lambert dragonforen at hotmail.com
Thu May 3 17:09:36 CDT 2012


Hi Rob,
 
Thanks for the suggestion. As I recall that would fit the profile when combined with another tool. And I think it will run in a VM. 
 
In the past a friend of mine used Hacker Defender and Optiplex as an example in a presentation.  I'd like to pick something else if possible (would rather not duplicate and look lame). 
 
What would be really cool is something current that runs in a VM and is a good pslist crossview demo.  If I can't find something current, I'll fall back to HD. Good thought!
 
Thanks much for the suggestion.  If you have any other thoughts I appreciate them.
 
Mike
 

> Date: Thu, 3 May 2012 09:57:16 -0500
> Subject: Re: [Vol-users] Need to pick a malware for a demo
> From: robdewhirst at gmail.com
> To: vol-users at volatilityfoundation.org
> 
> Check out the Hacker Defender rootkit. I am pretty sure I demoed
> exactly what you are wanting to do (including using Volatility to
> reveal the rootkit) about a year ago and this malware was a good
> example and easy to use. I don't know for sure that it hides from
> PsList but it hides from the built-in windows tools.
> 
> Email me if you can't find a copy.
> 
> On Wed, May 2, 2012 at 11:32 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> > I've got a memory forensics presentation coming up next week and I'd like to
> > use a sample that will illustrate a crossview example.
> >
> > Specifically, I'd like to use an example that hides from pslist on the
> > running system (don't want a DKOM example) but we can find it using
> > Volatility.
> > I'd like it to be something running and not a process injection sample.
> >
> > Does someone have a suggestion which one may provide a good illustration?
> >
> > Thanks,
> > Mike
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
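The cross-view comparison this thread is after (a process missing from the EPROCESS list walk but still found by pool scanning), as an added example that is not code from the list or from Volatility: it diffs Volatility 2 style pslist and psscan text and separates hidden candidates from processes that merely exited. The column layouts are approximated and every row is constructed; pslist and psscan report different offsets (virtual vs physical), so entries are matched on PID and name.

```python
import re
from typing import Dict, List, Tuple

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

# Constructed sample output shaped like Volatility 2 pslist/psscan text (not a real capture).
PSLIST_OUTPUT = """\
Offset(V)  Name          PID  PPID Thds Hnds Sess Wow64 Start                        Exit
0x823c89c8 System          4     0   55  250 ----     0
0x822f1020 smss.exe      368     4    3   19 ----     0 2012-05-03 14:00:10 UTC+0000
0x81e9a2a0 explorer.exe 1480  1440   15  400    0     0 2012-05-03 14:01:02 UTC+0000
"""
PSSCAN_OUTPUT = """\
Offset(P)  Name          PID  PPID PDB        Time created                 Time exited
0x01a3c9c8 System          4     0 0x00319000
0x01b1f020 smss.exe      368     4 0x0a1c0020 2012-05-03 14:00:10 UTC+0000
0x01c9a2a0 explorer.exe 1480  1440 0x0b2d0040 2012-05-03 14:01:02 UTC+0000
0x01d4e6a0 hidden.exe   1932  1480 0x0c3e0060 2012-05-03 14:05:40 UTC+0000
0x01e5f7b0 notepad.exe  2044  1480 0x0d4f0080 2012-05-03 14:02:11 UTC+0000 2012-05-03 14:03:00 UTC+0000
"""

Key = Tuple[int, str]  # (pid, name); offsets differ between the two plugins, so key on these

def parse_processes(output: str) -> Dict[Key, bool]:
    """Map (pid, name) -> exited? for every row that starts with a hex offset."""
    procs: Dict[Key, bool] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].startswith("0x"):
            continue  # skip header and separator rows
        name, pid = fields[1], int(fields[2])
        exited = len(DATE_RE.findall(line)) >= 2  # both a start and an exit timestamp
        procs[(pid, name)] = exited
    return procs

def cross_view(pslist_out: str, psscan_out: str) -> Dict[str, List[Key]]:
    """Diff the EPROCESS list walk (pslist) against pool-tag scanning (psscan).
    A scan-only entry is a hidden candidate unless it carries an exit time, in which
    case it is most likely a terminated process whose _EPROCESS is still in memory."""
    listed = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    hidden = sorted(k for k, exited in scanned.items() if k not in listed and not exited)
    terminated = sorted(k for k, exited in scanned.items() if k not in listed and exited)
    missed = sorted(k for k in listed if k not in scanned)  # list-only: damaged pool headers
    return {"hidden": hidden, "terminated": terminated, "missed_by_scan": missed}

if __name__ == "__main__":
    for label, entries in cross_view(PSLIST_OUTPUT, PSSCAN_OUTPUT).items():
        print(label, entries)
```

On the constructed rows the hidden candidate is hidden.exe (PID 1932), while notepad.exe is reported as terminated rather than hidden.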