[Vol-users] Malfind and impscan questions

Kathy Simmons kathys82911 at gmail.com
Fri Jan 17 11:54:18 CST 2014


I have a memory dump of a Windows XP box with a piece of malware running in
it. In the course of running malfind on the image, there are eight
responses, two of which are below (A and B).

After the malfind command, I run the impscan command to look at the imports:
           python vol.py impscan -p 820 -b 0x1f00000
           python vol.py impscan -p 820 -b 0x01f50010

The response to the first impscan command is what I expected (see C
below).  The response to the second impscan command (see D below) is not
what I expected at all - no imports?

I also ran impscan on the address 0x01f50012 based on the results from the
malfind command (see D below) as I figured that I wanted to dump the dll
starting on the beginning of the MZ header. But neither address produced
any imports - I'm not sure where to go from here.


I'm very new at this; any help would be greatly appreciated.  My end goal
is to take this piece of malware, which looks to have injected several
dll's into a process, dump out each dll, then  have them reverse engineered.

Thanks-



A.
Process: xxxxxx.exe Pid: 820 Address: 0x1f00000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, PrivateMemory: 1, Protection: 6

0x01f00000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
MZ..............
0x01f00010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
........ at .......
0x01f00020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
0x01f00030  00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00
................

0x1f00000 4d               DEC EBP
0x1f00001 5a               POP EDX
0x1f00002 90               NOP
0x1f00003 0003             ADD [EBX], AL
0x1f00005 0000             ADD [EAX], AL

0x1f00007 000400           ADD [EAX+EAX], AL
0x1f0000a 0000             ADD [EAX], AL
0x1f0000c ff               DB 0xff
0x1f0000d ff00             INC DWORD [EAX]
0x1f0000f 00b800000000     ADD [EAX+0x0], BH
0x1f00015 0000             ADD [EAX], AL
0x1f00017 004000           ADD [EAX+0x0], AL
0x1f0001a 0000             ADD [EAX], AL
0x1f0001c 0000             ADD [EAX], AL
0x1f0001e 0000             ADD [EAX], AL
0x1f00020 0000             ADD [EAX], AL
0x1f00022 0000             ADD [EAX], AL
0x1f00024 0000             ADD [EAX], AL
0x1f00026 0000             ADD [EAX], AL
0x1f00028 0000             ADD [EAX], AL
0x1f0002a 0000             ADD [EAX], AL
0x1f0002c 0000             ADD [EAX], AL
0x1f0002e 0000             ADD [EAX], AL
0x1f00030 0000             ADD [EAX], AL
0x1f00032 0000             ADD [EAX], AL
0x1f00034 0000             ADD [EAX], AL
0x1f00036 0000             ADD [EAX], AL
0x1f00038 0000             ADD [EAX], AL
0x1f0003a 0000             ADD [EAX], AL
0x1f0003c c8000000         ENTER 0x0, 0x0


B.
Process: XXXXXX.exe Pid: 820 Address: 0x1f50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 59, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01f50000  4c 1b cd 25 00 00 09 e8 16 4f 9e 7e cd 25 00 00
L..%.....O.~.%..
0x01f50010  00 00 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff
..MZ............
0x01f50020  00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00
.......... at .....
0x01f50030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................

0x1f50000 4c               DEC ESP
0x1f50001 1bcd             SBB ECX, EBP
0x1f50003 25000009e8       AND EAX, 0xe8090000
0x1f50008 16               PUSH SS
0x1f50009 4f               DEC EDI
0x1f5000a 9e               SAHF
0x1f5000b 7ecd             JLE 0x1f4ffda
0x1f5000d 2500000000       AND EAX, 0x0

*0x1f50012 4d               DEC EBP0x1f50013 5a               POP EDX*
0x1f50014 90               NOP
0x1f50015 0003             ADD [EBX], AL
0x1f50017 0000             ADD [EAX], AL
0x1f50019 000400           ADD [EAX+EAX], AL
0x1f5001c 0000             ADD [EAX], AL
0x1f5001e ff               DB 0xff
0x1f5001f ff00             INC DWORD [EAX]
0x1f50021 00b800000000     ADD [EAX+0x0], BH
0x1f50027 0000             ADD [EAX], AL
0x1f50029 004000           ADD [EAX+0x0], AL
0x1f5002c 0000             ADD [EAX], AL
.................
................

C.
python vol.py impscan -p 9820 -b 0x01f00000
Volatility Foundation Volatility Framework 2.3.1
IAT                Call               Module               Function
------------------ ------------------ -------------------- --------
0x0000000001f07d10 0x0000000076cf2c70 kernel32.dll         HeapFree
0x0000000001f07d18 0x0000000076cf2d60 kernel32.dll         GetProcessHeap
0x0000000001f07d20 0x0000000076e41b70 kernel32.dll         HeapAlloc


D.
python vol.py impscan -p 820 -b 0x01f50010
Volatility Foundation Volatility Framework 2.3.1
IAT                Call               Module               Function
------------------ ------------------ -------------------- --------

E.
python vol.py impscan -p 820 -b 0x01f50012
Volatility Foundation Volatility Framework 2.3.1
IAT                Call               Module               Function
------------------ ------------------ -------------------- --------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20140117/84975abf/attachment.html


More information about the Vol-users mailing list