[Vol-users] Attributing a string to a program

Michael Hale Ligh michael.hale at gmail.com
Mon Sep 17 11:21:05 CDT 2012


Another few suggestions:

* If you're using Yara with Malfind, you're probably using an old version
of Volatility. Since 2.1, Malfind no longer has anything to do with Yara -
there's a separate YaraScan plugin that you should use instead [1]

* When you use YaraScan, make sure to try scanning in both usermode
(process memory) and kernel mode (there are different switches, see the [1]
reference)

* When you create the Yara rules, make sure you indicate "wide" if the
string is unicode

MHL


[1] http://code.google.com/p/volatility/wiki/CommandReference22#yarascan
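To make the "wide" point concrete, here is a small added example (written for this page, not code from the thread or from Volatility). It builds a constructed memory buffer that holds the same string once as ASCII and once as UTF-16LE (what Yara calls "wide"), shows that a rule with the default ASCII modifier only finds the first copy, and emits a rule that carries both modifiers. The string, rule name and buffer layout are all assumptions; the offsets reported mimic what yarascan hits would look like, not the plugin's real output.

```python
"""Why a Yara rule needs "wide" to catch UTF-16LE strings in memory.

Added example for this page, not part of the mailing-list thread or Volatility.
"""
import re


def encodings_of(s: str) -> dict:
    """Byte patterns Yara searches for under each string modifier.

    "ascii" is the default; "wide" is UTF-16LE without a BOM, which is how
    Windows keeps most in-memory strings (one NUL after each ASCII char).
    """
    return {
        "ascii": s.encode("ascii"),
        "wide": s.encode("utf-16-le"),
    }


def find_all(buf: bytes, needle: bytes) -> list:
    """Start offsets of every occurrence of needle in buf."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def scan(buf: bytes, s: str) -> dict:
    """Return {modifier: [offsets]} for every encoding of s found in buf."""
    return {name: find_all(buf, pat) for name, pat in encodings_of(s).items()}


def rule_hits(buf: bytes, s: str, modifiers=("ascii",)) -> list:
    """Offsets a rule with the given modifiers would report (default: ascii only)."""
    enc = encodings_of(s)
    return sorted(off for m in modifiers for off in find_all(buf, enc[m]))


def yara_rule(name: str, s: str) -> str:
    """Rule text matching both encodings, following the 'wide' advice above."""
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f'        $s = "{s}" ascii wide\n'
        "    condition:\n"
        "        $s\n"
        "}\n"
    )


# Constructed sample "memory": padding, a fake MZ header, an ASCII copy of the
# string, more padding, then a UTF-16LE copy. Assumed values, not real data.
SAMPLE_STRING = "evil.example.invalid"
CONSTRUCTED_MEMORY = (
    b"\x00" * 16 + b"MZ" + b"\x00" * 14          # ASCII copy lands at offset 32
    + SAMPLE_STRING.encode("ascii")
    + b"\x00" * 32                               # UTF-16LE copy lands at offset 84
    + SAMPLE_STRING.encode("utf-16-le")
    + b"\x00" * 16
)


if __name__ == "__main__":
    print("hits per encoding:", scan(CONSTRUCTED_MEMORY, SAMPLE_STRING))
    print("default rule (ascii only):", rule_hits(CONSTRUCTED_MEMORY, SAMPLE_STRING))
    print("rule with ascii wide:", rule_hits(CONSTRUCTED_MEMORY, SAMPLE_STRING, ("ascii", "wide")))
    print(yara_rule("suspicious_string", SAMPLE_STRING))
```

The emitted rule is what you would hand to the YaraScan plugin from reference [1]; run it against both process memory and kernel memory using the switches documented there, since a string that shows up in a raw `strings` run can live in either.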

On Mon, Sep 17, 2012 at 11:36 AM, Jamie Levy <jamie.levy at gmail.com> wrote:

> Have you tried the strings plugin?
>
> http://code.google.com/p/volatility/wiki/CommandReference22#strings
>
>
> On Mon, Sep 17, 2012 at 8:37 AM, David Bramer <david.bramer at gmail.com>
> wrote:
> > Hi,
> >
> > I have a memory dump which I obtained via DumpIt; I'm then pretty
> > happy and can use Volatility to find out some of the answers to my
> > questions. However, when I have run Strings on the memory dump I find a
> > string of great interest. I would like to figure out a means by which
> > I could find out what created this string.
> >
> > So far I've created a basic Yara rule and used malfind to no avail. Is
> > there anything else I could try?
> >
> > Cheers
> >
> > David
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
> --
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
>

