[Vol-users] (win7x64) : creating images for volatility

Jamie Levy jamie.levy at gmail.com
Wed Oct 23 10:37:51 CDT 2013


You must have admin in order to acquire memory... How did you manage
to get a sample without having admin?  If you have a virtualized
environment then you can acquire the memory from outside the machine
without having admin privileges on the acquired machine, however
(vmsn/vmss on esx for example).

On Wed, Oct 23, 2013 at 11:30 AM, Andrew Case <atcuno at gmail.com> wrote:
> Nice to hear from someone from our class =)
>
> A few things about your post...
>
> 8GB on x64 is where several acquisition tools seem to break, so it
> may be that, and your output seems to indicate so.
>
> Also, you are using Volatility 2.2 which is quite old at this point. I
> would recommend using the latest through SVN. Not only are there many
> bugfixes, but also new plugins, such as iehistory that will help you
> recover the IE data you want and is the one we used in class.
>
> Also, we have full support for networking information on Windows 7
> x64, you just have to use the netscan plugin and not the others
> (sockets, sockscan, etc.).
>
> Do you have any other acquisition tools you can use or are your
> machines virtualized?
>
> On Wed, Oct 23, 2013 at 9:21 AM, Boudewijn Ector
> <boudewijn at boudewijnector.nl> wrote:
>> Hi guys,
>>
>>
>> Currently I've got a sample of an infected win7 machine with enough
>> memory (8gb) which is not being used by anything except for 'the
>> malware'  (no running office etc) so quite a lot of stuff should not
>> have been swapped out of memory yet.
>>
>>
>> Strangely, I can't dump the process:
>>
>> ; vol.py  -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
>> --dump-dir results/4932.bin
>> Volatile Systems Volatility Framework 2.2
>> Process(V)         ImageBase          Name                 Result
>> ------------------ ------------------ -------------------- ------
>>
>>
>> Okay so it might not be in memory anymore... fine. So let's scan for
>> network activity using connscan.
>> This does not yield any results either.... just like svcscan.
>>
>> Also the image is very very slow... on a regular machine (core i5 2400,
>> 20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
>>
>> Also malfind mentions :
>>
>> WARNING : volatility.obj      : NoneObject as string: Invalid Address
>> 0x05140000, instantiating _MMADDRESS_NODE
>> WARNING : volatility.obj      : NoneObject as string: Invalid Address
>> 0x05140000, instantiating _MMADDRESS_NODE
>> WARNING : volatility.obj      : NoneObject as string: Invalid Address
>> 0x21A4C320A, instantiating _MMADDRESS_NODE
>> WARNING : volatility.obj      : NoneObject as string: Invalid Address
>> 0x21A4C320A, instantiating _MMADDRESS_NODE
>>
>>
>> Psxview says all processes are like this:
>>
>> 0x000000021a841060 <PROCESSNAME>            6640 False  True   False
>> False   False
>>
>> Isn't that just weird? (yes it's because psscan is the only module being
>> able to retrieve data from memory... but isn't that strange)
>>
>>
>> This makes me presume my memory images are broken.  My colleague
>> probably (!) used winpmem -f for doing this. What's the best way to
>> create a memory image on a Windows 7 x64 box without having admin? (these
>> boxes are remotely managed and it takes a looooot of time to make sure
>> an admin will do something).
>> Or is this just perfectly normal behaviour and is win7x64 just being
>> badly supported by volatility? (I know the networkbased plugins don't
>> work but that's okay... it's being mentioned in the docs)
>>
>>
>> Furthermore: during our recent volatility training (in Amsterdam), we
>> used a plugin for getting data from internet explorer history. I had a
>> look online and didn't find it, is it non-public?
>>
>> Cheers,
>>
>> Boudewijn Ector
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
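Boudewijn's suspicion above that the image itself is broken (psscan is the only plugin returning anything, and 8 GB x64 dumps are where some acquisition tools fail) can be checked cheaply before another ten-minute imageinfo run. The script below is an added example, not code from the thread or from Volatility: per 1 GiB of a raw dump it reports the fraction of all-zero pages and how many 16-byte-aligned pool headers carry the process/file/thread tags; the tag byte patterns are the Vista/Win7 protected-pool forms that Volatility's psscan/filescan/thrdscan look for, and the sample image is constructed inline.

```python
import mmap
import sys
from collections import Counter

PAGE = 4096
TAG_OFFSET = 4  # PoolTag sits at offset 4 of the 16-byte x64 _POOL_HEADER
# Protected-pool tags as stored on Vista/Win7 (fourth byte has the high bit
# set); these are the byte patterns Volatility's psscan/filescan/thrdscan use.
POOL_TAGS = {b"Pro\xe3": "process", b"Fil\xe5": "file", b"Thr\xe5": "thread"}


def region_stats(image, region_size=1 << 30):
    """Per-region figures for a raw image (bytes-like or mmap): fraction of
    all-zero pages and count of 16-byte-aligned pool headers per tag.
    A region that is all zero pages with no tags (e.g. everything above
    4 GB of an 8 GB dump) points to a truncated acquisition."""
    zero_page = bytes(PAGE)
    stats = []
    for start in range(0, len(image), region_size):
        end = min(start + region_size, len(image))
        pages = range(start, end, PAGE)
        zeros = sum(1 for p in pages if image[p:p + PAGE] == zero_page)
        tags = Counter()
        for tag, name in POOL_TAGS.items():
            pos = image.find(tag, start, end)
            while pos != -1:
                if (pos - TAG_OFFSET) % 16 == 0:  # only header-aligned hits
                    tags[name] += 1
                pos = image.find(tag, pos + 1, end)
        stats.append({"start": start, "end": end,
                      "zero_page_ratio": zeros / max(1, len(pages)),
                      "tags": dict(tags)})
    return stats


def constructed_sample():
    """Constructed 16 KiB image: page 0 holds two aligned tags and one
    unaligned decoy, pages 1-3 are zero (a miniature 'empty top half')."""
    img = bytearray(4 * PAGE)
    img[52:56] = b"Pro\xe3"    # 52 - 4 = 48, a 16-byte boundary: counted
    img[101:105] = b"Pro\xe3"  # not header-aligned: ignored
    img[164:168] = b"Fil\xe5"  # 160 is a 16-byte boundary: counted
    return img


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0,
                                                  access=mmap.ACCESS_READ) as img:
        for r in region_stats(img):
            print(f"{r['start'] >> 20:6d}-{r['end'] >> 20:6d} MiB: "
                  f"{r['zero_page_ratio']:.1%} zero pages, {r['tags']}")
```

Run it as `python3 regioncheck.py dump.raw`; a dump whose upper regions show 100% zero pages and no tags is not a Volatility problem but an acquisition problem.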