[Vol-users] IAT hook question

Mike Lambert dragonforen at hotmail.com
Thu Jan 17 14:49:12 CST 2013

I've tried sending twice, 2nd time passworded. Rejected both times. I've not seen anything on the Vol-list either. May be a size problem. 
Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
Received-From-MTA: dns;SNT118-W46
Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
Final-Recipient: rfc822;michael.hale at gmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on your message. Please
552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to
552 5.7.0 review our attachment guidelines. m1si2744262obl.114

I have put it here. PW is Rocra   http://michael-lambert.us/Rocra_svchost-exe_464_exe-dump.zip 
Let me know when you receive the .exe successfully.

From: postmaster at mail.hotmail.com
To: dragonforen at hotmail.com
Date: Thu, 17 Jan 2013 12:26:58 -0800
Subject: Delivery Status Notification (Failure)

This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
       michael.hale at gmail.com

--Forwarded Message Attachment--
From: dragonforen at hotmail.com
To: michael.hale at gmail.com
CC: vol-users at volatilityfoundation.org
Subject: RE: [Vol-users] IAT hook question
Date: Thu, 17 Jan 2013 14:26:31 -0600

First email was bounced by gmail.  I've added a pw to the zip. PW is Rocra
Let me know when you have the .exe ok.

Date: Thu, 17 Jan 2013 14:48:06 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale at gmail.com
To: dragonforen at hotmail.com
CC: vol-users at volatilityfoundation.org

Hmm sorry, I must be reading the GMER log incorrectly: 

dragonforen at hotmail.com> wrote:

Thank you very much. Attached is a ZIP. (Rocra is the short name)  I used Volatility 2.1
C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump > E:\Tests\130115b\Vol\dlldump.txt 

Volatile Systems Volatility Framework 2.1
Have a good day,


Date: Thu, 17 Jan 2013 12:47:54 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale at gmail.com
To: dragonforen at hotmail.com
CC: vol-users at volatilityfoundation.org

Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me, I'll take a look. The necessary pages of the PE file may just not be memory resident.  


On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen at hotmail.com> wrote:

I am looking at a Red October infection. The malware is svchost PID 464, C:\Program Files\Windows NT\svchost.exe 
GMER tells me that the IAT is hooked. See attached.
I wanted to see this with Volatility per the apihooks documentation here
"As of Volatility 2.1, apihooks also detects hooked winsock procedure tables, includes an easier to read output format, supports multiple hop disassembly, and can optionally scan quicker through memory by ignoring non-critical processes and DLLs.
Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is unknown because there is no module (DLL) associated with the memory in which the rootkit code exists. If you want to extract the code containing the hooks, you have a few options: "
I tried apihooks in Volatility 2.1 and 2.2, below is the result
C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 apihooks
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464
Volatile Systems Volatility Framework 2.2
My question is, "what am I doing wrong?" It is probably something simple.
Thanks for the help,

Vol-users mailing list
Vol-users at volatilityfoundation.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130117/71db216a/attachment.html

More information about the Vol-users mailing list