[Vol-users] zeusscan2

Michael Hale Ligh michael.hale at gmail.com
Tue Jan 28 09:12:51 CST 2014

Hi Steve,

The plugin may have encountered a bad size field, causing it to read too
much data into memory at once. Can you do the following for me, please:

* Run zeusscan2 -p PID where PID is the process id for explorer.exe (we
know Zeus injects explorer, so this will let us focus on just one process

* If you get the same memory-consumption behavior, run vadinfo -p PID and
send me the output (offlist is fine)

* If you don't see the same behavior on explorer.exe, please run vadinfo
across all processes (just vol.py vadinfo > results.txt) and send me that


On Tue, Jan 28, 2014 at 8:06 AM, <shorejsi2 at mmm.com> wrote:

> Michael;
>  Thanks for putting me straight on that one. Seems I had read somewhere
> (the Internet? Can't be; everything written there is true...) that
> zeusscan/zeusscan2 couldn't run in Volatility versions  beyond 2.0.
> Obviously not true.  As it happens, I already have 2.3.1 installed and
> typically use it first.
>  Running under 2.3.1 gave a different result, but not necessarily a
> 'better' different result:
> $ python vol.py --plugins=contrib/plugins/malware  zeusscan2 -f
> ~/Images/CA005040-HP8460/CA005040-HP8460-RAM.dd4.001 --profile=Win7SP1x86
> Volatility Foundation Volatility Framework 2.3.1
> Killed
>  Seems it used up all 20GB of installed ram, then consumed the 10GB of
> available swap space before it bailed.
>  I'll have my hands on a drive image in a day or so (it's an off-site
> machine) and then if anyone's interested in looking at the malware itself
> I'll certainly provide copies.
>                         -=[ Steve ]=-
> >> I would recommend grabbing a 2.3.1 install, the 2.0 version is more
> than 3 years old now.
> >> $ svn checkout *http://volatility.googlecode.com/svn/trunk/*<http://volatility.googlecode.com/svn/trunk/>volatility-read-only
> >> $ cd volatility-read-only
> >> $ python vol.py --plugins=contrib/plugins/malware -f mem.dmp zeusscan2
> >> Give that a shot...
> >> MHL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20140128/98449533/attachment-0001.html

More information about the Vol-users mailing list