[Vol-users] Malfind and impscan questions

Michael Hale Ligh michael.hale at gmail.com
Sun Jan 19 17:11:03 CST 2014


Hi Kathy,

One quick thing about impscan is the --base option should be passed the
base address of the memory range to scan. Neither the ...10 address nor
the ...12 address is truly a "base" address, so that's why it fails on those.
The bases according to your output are 0x1f00000 (which you did and got 3
results: HeapFree, GetProcessHeap, and HeapAlloc) and 0x01f50000. Thus try
using impscan --base=0x01f50000 if you haven't already. The fact that the
MZ header at 0x01f50012 isn't at the base of the memory region (0x01f50000)
is quite suspect. If loaded through a normal API function like
CreateProcess, LoadLibrary, etc then the MZ will always be at the base. You
can also use vaddump --base=0x01f50000 to dump out the memory segment, then
use a hex editor to remove the first 0x12 bytes, and load the resulting
file into something like LordPE, CFF Explorer, PE explorer, etc to see what
you can gather about its imports. Those are just a few things to get you
started.

MHL
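A scripted version of the carving step described above (dump the region with vaddump, then drop the bytes that precede the MZ header), added here as an example; it is not part of the original thread or of Volatility. Rather than trusting a bare "MZ" match, it checks that e_lfanew points at a "PE\0\0" signature, and the sample buffer is constructed from the bytes shown in section B of the quoted post.

```python
import struct
import sys


def pe_header_offsets(segment: bytes) -> list[int]:
    """Return each offset in `segment` where a plausible PE image starts.

    A candidate must begin with the 'MZ' DOS magic and its e_lfanew field
    (DWORD at +0x3c) must point inside the buffer at a 'PE\\0\\0' signature.
    This rejects stray 'MZ' byte pairs that a plain string search reports.
    """
    hits = []
    pos = segment.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(segment):
            e_lfanew = struct.unpack_from("<I", segment, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and segment[nt:nt + 4] == b"PE\0\0":
                hits.append(pos)
        pos = segment.find(b"MZ", pos + 1)
    return hits


def carve_pe(segment: bytes, offset: int) -> bytes:
    """Strip everything before the MZ header, like the manual hex-editor step."""
    return segment[offset:]


def build_sample_segment() -> bytes:
    """Constructed sample: the 0x12 bytes seen at 0x01f50000 in the post,
    followed by a minimal DOS header whose e_lfanew points at 'PE\\0\\0'."""
    prefix = bytes.fromhex("4c1bcd25000009e8164f9e7ecd250000" "0000")
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> NT headers at +0x80
    # 'PE\0\0' + Machine (IMAGE_FILE_MACHINE_I386), rest of the header zeroed
    nt_headers = b"PE\0\0" + struct.pack("<H", 0x014C) + bytes(0x20)
    return prefix + bytes(dos) + nt_headers


if __name__ == "__main__":
    # Usage: carve.py <vaddump output file> <carved output file>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_segment()
    for off in pe_header_offsets(data):
        print(f"PE header at offset 0x{off:x}")
    if len(sys.argv) > 2 and pe_header_offsets(data):
        open(sys.argv[2], "wb").write(carve_pe(data, pe_header_offsets(data)[0]))
```
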


On Fri, Jan 17, 2014 at 11:54 AM, Kathy Simmons <kathys82911 at gmail.com> wrote:

> I have a memory dump of a Windows XP box with a piece of malware running
> in it. In the course of running malfind on the image, there are eight
> responses, two of which are below (A and B).
>
> After the malfind command, I run the impscan command to look at the
> imports:
>            python vol.py impscan -p 820 -b 0x1f00000
>            python vol.py impscan -p 820 -b 0x01f50010
>
> The response to the first impscan command is what I expected (see C
> below).  The response to the second impscan command (see D below) is not
> what I expected at all - no imports?
>
> I also ran impscan on the address 0x01f50012 based on the results from the
> malfind command (see D below) as I figured that I wanted to dump the dll
> starting on the beginning of the MZ header. But neither address produced
> any imports - I'm not sure where to go from here.
>
>
> I'm very new at this; any help would be greatly appreciated.  My end goal
> is to take this piece of malware, which looks to have injected several
> dll's into a process, dump out each dll, then  have them reverse engineered.
>
> Thanks-
>
>
>
> A.
> Process: xxxxxx.exe Pid: 820 Address: 0x1f00000
> Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
> Flags: CommitCharge: 9, PrivateMemory: 1, Protection: 6
>
> 0x01f00000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
> 0x01f00010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
> 0x01f00020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 0x01f00030  00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00   ................
>
> 0x1f00000 4d               DEC EBP
> 0x1f00001 5a               POP EDX
> 0x1f00002 90               NOP
> 0x1f00003 0003             ADD [EBX], AL
> 0x1f00005 0000             ADD [EAX], AL
>
> 0x1f00007 000400           ADD [EAX+EAX], AL
> 0x1f0000a 0000             ADD [EAX], AL
> 0x1f0000c ff               DB 0xff
> 0x1f0000d ff00             INC DWORD [EAX]
> 0x1f0000f 00b800000000     ADD [EAX+0x0], BH
> 0x1f00015 0000             ADD [EAX], AL
> 0x1f00017 004000           ADD [EAX+0x0], AL
> 0x1f0001a 0000             ADD [EAX], AL
> 0x1f0001c 0000             ADD [EAX], AL
> 0x1f0001e 0000             ADD [EAX], AL
> 0x1f00020 0000             ADD [EAX], AL
> 0x1f00022 0000             ADD [EAX], AL
> 0x1f00024 0000             ADD [EAX], AL
> 0x1f00026 0000             ADD [EAX], AL
> 0x1f00028 0000             ADD [EAX], AL
> 0x1f0002a 0000             ADD [EAX], AL
> 0x1f0002c 0000             ADD [EAX], AL
> 0x1f0002e 0000             ADD [EAX], AL
> 0x1f00030 0000             ADD [EAX], AL
> 0x1f00032 0000             ADD [EAX], AL
> 0x1f00034 0000             ADD [EAX], AL
> 0x1f00036 0000             ADD [EAX], AL
> 0x1f00038 0000             ADD [EAX], AL
> 0x1f0003a 0000             ADD [EAX], AL
> 0x1f0003c c8000000         ENTER 0x0, 0x0
>
>
> B.
> Process: XXXXXX.exe Pid: 820 Address: 0x1f50000
> Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
> Flags: CommitCharge: 59, MemCommit: 1, PrivateMemory: 1, Protection: 6
>
> 0x01f50000  4c 1b cd 25 00 00 09 e8 16 4f 9e 7e cd 25 00 00   L..%.....O.~.%..
> 0x01f50010  00 00 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff   ..MZ............
> 0x01f50020  00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00   ..........@.....
> 0x01f50030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
>
> 0x1f50000 4c               DEC ESP
> 0x1f50001 1bcd             SBB ECX, EBP
> 0x1f50003 25000009e8       AND EAX, 0xe8090000
> 0x1f50008 16               PUSH SS
> 0x1f50009 4f               DEC EDI
> 0x1f5000a 9e               SAHF
> 0x1f5000b 7ecd             JLE 0x1f4ffda
> 0x1f5000d 2500000000       AND EAX, 0x0
>
> 0x1f50012 4d               DEC EBP
> 0x1f50013 5a               POP EDX
> 0x1f50014 90               NOP
> 0x1f50015 0003             ADD [EBX], AL
> 0x1f50017 0000             ADD [EAX], AL
> 0x1f50019 000400           ADD [EAX+EAX], AL
> 0x1f5001c 0000             ADD [EAX], AL
> 0x1f5001e ff               DB 0xff
> 0x1f5001f ff00             INC DWORD [EAX]
> 0x1f50021 00b800000000     ADD [EAX+0x0], BH
> 0x1f50027 0000             ADD [EAX], AL
> 0x1f50029 004000           ADD [EAX+0x0], AL
> 0x1f5002c 0000             ADD [EAX], AL
> .................
> ................
>
> C.
> python vol.py impscan -p 9820 -b 0x01f00000
> Volatility Foundation Volatility Framework 2.3.1
> IAT                Call               Module               Function
> ------------------ ------------------ -------------------- --------
> 0x0000000001f07d10 0x0000000076cf2c70 kernel32.dll         HeapFree
> 0x0000000001f07d18 0x0000000076cf2d60 kernel32.dll         GetProcessHeap
> 0x0000000001f07d20 0x0000000076e41b70 kernel32.dll         HeapAlloc
>
>
> D.
> python vol.py impscan -p 820 -b 0x01f50010
> Volatility Foundation Volatility Framework 2.3.1
> IAT                Call               Module               Function
> ------------------ ------------------ -------------------- --------
>
> E.
> python vol.py impscan -p 820 -b 0x01f50012
> Volatility Foundation Volatility Framework 2.3.1
> IAT                Call               Module               Function
> ------------------ ------------------ -------------------- --------
>
>