Volatility callbacks

Memory Analysis using Volatility - callbacks

Volatility is a tool used for extracting digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that extract these artifacts quickly and efficiently.

callbacks is a Volatility plugin that prints system-wide notification routines.

Windows Callback – the Windows operating system allows a driver to register a callback routine that is invoked when a particular event occurs. The same mechanism gives a rootkit driver the ability to monitor system activity and take action depending on that activity.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions and registry hives that can be a valuable source of evidence and is typically not stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

Using the Volatility callbacks plugin, we can see the following information:

      • Type – the type of event the module monitors.
      • Callback – the address of the callback function.
      • Module – the module responsible for the callback routine.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> callbacks

#note: When hunting for a suspicious driver/module with callbacks, look for entries with an unknown module name or unknown details.

Volatility printkey

Memory Analysis using Volatility - printkey


printkey is a Volatility plugin that prints a registry key together with its subkeys and values. The plugin searches all hives and prints the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key is printed for each hive that contains it.


In this sample, we use the Volatility printkey plugin to print a specific registry location from our captured memory dump. In our case, we list the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” registry key.

This plugin helps the analyst enumerate a registry key and inspect its subkeys and values without extracting the registry hives.

Looking at the sample below, we can see the values and subkeys inside this registry key.

If the information of interest is found, we can then dump the registry hives for further analysis.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> printkey -K <registry_key>

In this sample, we will use the printkey plugin to investigate the registry hive of our system infected with Zeus Banking malware.

In the image below, we list the registry key “Software\Microsoft\Windows\CurrentVersion\Run” to see its values and subkeys. This registry key is commonly used by malware to persist on the system and survive a reboot.

Listing the Run key with the plugin reveals a value named GoogleUpdate.exe whose executable resides inside AppData\Local, which is not the normal location for Google Update.
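The Run-key check described above, automated as an added example (not code from the page or from Volatility): the script parses printkey output in Volatility 2's value-line layout and flags entries whose executable sits outside the usual install directories or inside a user-writable one. The sample output is constructed; the trusted and user-writable directory lists are the assumptions the heuristic rests on.

```python
import re

# Constructed printkey output in Volatility 2's layout for the Run key (not the page's
# real Zeus listing); the GoogleUpdate.exe entry mirrors the finding described above.
SAMPLE_PRINTKEY = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2013-04-01 10:15:00 UTC+0000

Subkeys:

Values:
REG_SZ        VMware Tools    : (S) "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
REG_SZ        GoogleUpdate.exe : (S) C:\Users\admin\AppData\Local\GoogleUpdate.exe /silent
"""

VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\([SV]\)\s+(.*)$")
# Directories a regular installer writes to (assumed allow-list).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows", r"%programfiles%", r"%systemroot%")
# User-writable locations where malware commonly drops itself (AppData\Local in the Zeus sample).
USER_WRITABLE = ("appdata", "application data", "local settings", "\\temp\\", "\\users\\")

def parse_run_values(text):
    """Return (type, name, data) for each value line of printkey output."""
    return [m.groups() for m in map(VALUE_RE.match, text.splitlines()) if m]

def executable_path(data):
    """Pull the program path out of a Run value: the quoted path, or the first token ending in .exe."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data

def triage_run_key(text):
    """Flag Run entries whose program sits outside trusted install dirs or inside user-writable ones."""
    findings = []
    for _, name, data in parse_run_values(text):
        path = executable_path(data).lower()
        if not path.startswith(TRUSTED_PREFIXES) or any(tag in path for tag in USER_WRITABLE):
            findings.append((name.strip(), path))
    return findings

if __name__ == "__main__":
    for name, path in triage_run_key(SAMPLE_PRINTKEY):
        print(f"suspicious Run value {name!r} -> {path}")
```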

Volatility connections

Memory Analysis using Volatility - connections


connections is a Volatility plugin that scans for connections; it supports Windows XP and Windows 2003 images only.

Connection states:

      • CLOSE_WAIT
      • CLOSED
      • ESTABLISHED
      • FIN_WAIT_1
      • FIN_WAIT_2
      • LAST_ACK
      • LISTEN
      • SYN_RECEIVED
      • SYN_SENT
      • TIME_WAIT


On a memory dump captured from Windows XP, the netscan plugin cannot be used. Instead, we use the Volatility connections plugin to extract network-related data from volatile memory.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> connections

Volatility netscan

Memory Analysis using Volatility - netscan


netscan is a Volatility plugin that scans Vista, 7, 8, 10 and later images for connections and sockets.

Connection states:

      • CLOSE_WAIT
      • CLOSED
      • ESTABLISHED
      • FIN_WAIT_1
      • FIN_WAIT_2
      • LAST_ACK
      • LISTEN
      • SYN_RECEIVED
      • SYN_SENT
      • TIME_WAIT


We can use the Volatility netscan plugin to enumerate network communication to and from our system, the process responsible for each connection, and the status of that connection.

Here we can see the following details:

(1) Foreign Address – the remote IP address and port our local system is connected to.

(2) PID – the process ID of the process responsible for the connection.

(3) Owner – the name of the process responsible for the connection.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> netscan

In this sample, we extract network information from the memory dump of a system infected with the Sinowal malware.

Using the Volatility netscan plugin, we can see the local (source) and remote (destination) IP addresses of the connection:

192.168.30.144:52467 > 108.59.6.39:80

#note: Check the system for unknown IP addresses, both inbound and outbound. Also check whether a connection uses a non-standard port.
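The two checks in the note (unknown remote address, non-standard port), applied to netscan output as an added example that is not part of the page or of Volatility: the parser follows Volatility 2's netscan column order, the rows are constructed apart from the 108.59.6.39:80 connection shown above, and the internal address ranges and expected-port set are assumptions to tune per environment.

```python
import re
import ipaddress

# Constructed netscan-style rows (Volatility 2 column order); 108.59.6.39:80 echoes the
# Sinowal sample above, every other address, PID and process name is invented.
SAMPLE_NETSCAN = """\
Offset(P)  Proto  Local Address         Foreign Address     State        Pid   Owner
0x7e2b3f10 TCPv4  192.168.30.144:52467  108.59.6.39:80      ESTABLISHED  1464  iexplore.exe
0x7e3a6c00 TCPv4  0.0.0.0:135           0.0.0.0:0           LISTENING    740   svchost.exe
0x7e26b008 UDPv4  0.0.0.0:5355          *:*                              1020  svchost.exe
0x7e1c4d30 TCPv4  192.168.30.144:49211  192.168.30.1:445    ESTABLISHED  4     System
0x7e0f9a20 TCPv4  192.168.30.144:49350  203.0.113.25:4444   ESTABLISHED  1796  explorer.exe
"""

ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(TCPv[46]|UDPv[46])\s+(\S+)\s+(\S+)\s+(\S*)\s+(\d+)\s+(\S+)")
# Address space we treat as our own network (assumed); anything else is an external peer.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Remote ports a workstation is expected to talk to (assumed); anything else is "non-standard".
EXPECTED_PORTS = {21, 22, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389}

def parse_netscan(text):
    """Yield one dict per netscan row; the header and unparseable lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _, proto, local, foreign, state, pid, owner = m.groups()
            yield {"proto": proto, "local": local, "foreign": foreign,
                   "state": state, "pid": int(pid), "owner": owner}

def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True   # "*" or an unparsed placeholder is not a remote peer
    return any(addr in net for net in INTERNAL)

def triage_connections(text):
    """Return (foreign, pid, owner, reasons) for ESTABLISHED TCP sessions worth a closer look."""
    findings = []
    for c in parse_netscan(text):
        if not c["proto"].startswith("TCP") or c["state"] != "ESTABLISHED":
            continue
        host, _, port = c["foreign"].rpartition(":")
        reasons = []
        if not is_internal(host):
            reasons.append("external address")
        if int(port) not in EXPECTED_PORTS:
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append((c["foreign"], c["pid"], c["owner"], reasons))
    return findings
```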

Volatility moddump

Memory Analysis using Volatility - moddump


moddump is a Volatility plugin that dumps a kernel driver from memory to an executable file on disk.


After listing all loaded modules with the modules plugin, we can use the Volatility moddump plugin to dump a chosen driver to disk for further analysis. We pass the -b option the base address of the kernel driver of choice.

In the sample below, we will dump srv.sys to disk.

First, run the modules plugin and copy the base address.

Next, use the syntax below.

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> moddump -b <base_address> -D <dest>

Then, a kernel driver will be dumped to the specified location.

#note: These steps help when the system is infected with low-level malware, especially rootkits, which operate below the level of ordinary applications. Most rootkits install a service that loads the malware as a kernel driver, which gives it full access to the system. Dumping the malicious driver lets the analyst analyze it and create IOCs.

Volatility modules

Memory Analysis using Volatility - modules


modules is a Volatility plugin that prints the list of loaded modules/drivers.


Using the Volatility modules plugin, we can extract all loaded modules/drivers from volatile memory.

Here are the details you will see:

      • Name – the name of the loaded module/driver.
      • Base Address – where the loaded module is located in memory.
      • File – where the module’s file is located on disk.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> modules

#note: In digital forensics, a loaded module can be a persistence technique that lets malware operate at a low level and take over the whole system. Being able to parse these artifacts during an investigation is a great help when investigating a possible rootkit.
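The modules-then-moddump procedure from the previous section and the rootkit note above, as one added example that is not the page's or Volatility's own code: the script parses a `modules` listing in Volatility 2's column order, reports drivers whose backing file lies outside the Windows system directories (an assumed allow-list), and builds the moddump command line from the chosen driver's base address. The listing is constructed, including the invented unknown.sys row.

```python
import re

# Constructed `modules` listing in Volatility 2's column order (not the page's own output);
# the last row is an invented driver loaded from a user-writable directory.
SAMPLE_MODULES = r"""Offset(V)  Name          Base                 Size     File
---------- ------------- -------------------- -------- ----
0x823fc3a0 ntoskrnl.exe  0x00000000804d7000   0x1f8580 \WINDOWS\system32\ntoskrnl.exe
0x823fc2b0 hal.dll       0x00000000806d0000    0x20300 \WINDOWS\system32\hal.dll
0x8231c738 srv.sys       0x00000000f9a54000    0x4e000 \SystemRoot\system32\DRIVERS\srv.sys
0x821a0b90 unknown.sys   0x00000000f8c11000     0x9000 \??\C:\Documents and Settings\admin\Local Settings\Temp\unknown.sys
"""

ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.*)$")
# Where Windows keeps its own kernel modules (assumed); a driver backed by a file elsewhere deserves a dump.
SYSTEM_DIRS = (r"\windows\system32", r"\systemroot\system32", r"\winnt\system32")

def parse_modules(text):
    """Return {name: (base, size, file)} for every row of `modules` output."""
    mods = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _, name, base, size, path = m.groups()
            mods[name.lower()] = (int(base, 16), int(size, 16), path.strip())
    return mods

def suspicious_modules(mods):
    """Names of loaded drivers whose backing file lies outside the system directories."""
    out = []
    for name, (_, _, path) in mods.items():
        p = re.sub(r"^\\\?\?\\[a-z]:", "", path.lower())   # drop the \??\C: NT path prefix
        if not p.startswith(SYSTEM_DIRS):
            out.append(name)
    return out

def moddump_command(mods, name, mem_dump, profile, dest):
    """Build the moddump line for one driver, as the manual procedure above does by hand."""
    base = mods[name.lower()][0]
    return f"vol.exe -f {mem_dump} --profile={profile} moddump -b {base:#x} -D {dest}"

if __name__ == "__main__":
    mods = parse_modules(SAMPLE_MODULES)
    for name in suspicious_modules(mods):
        print(moddump_command(mods, name, "<mem_dump>", "<OS_version>", "<dest>"))
```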

Volatility malfind

Memory Analysis using Volatility - malfind


malfind is a Volatility plugin that finds hidden and injected code. It looks for suspicious VAD memory regions in a process that have PAGE_EXECUTE_READWRITE memory protection.


We can use the Volatility malfind plugin to find suspicious memory regions that have PAGE_EXECUTE_READWRITE protection.

In this sample, we can see that in process ID 1796 an MZ header (bytes 4d 5a) resides at the start of the memory region at 0x6550000.

This leads to the conclusion that this memory region was injected with a malicious executable: it has PAGE_EXECUTE_READWRITE protection and begins with an executable header.

Now you can dump this memory region using vaddump for quick further analysis.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> malfind -p <PID> -D <dest>

#note: An executable found inside a memory region with 0x40 (PAGE_EXECUTE_READWRITE) protection was injected, not loaded normally.

In this sample, we also use malfind to detect possible code injection inside process memory.

As we can see, it detects (1) the PAGE_EXECUTE_READWRITE permission together with (2) the assembly representation of the region’s first bytes.

At (3) we dump the result from malfind to disk for further analysis.

At (4) we use a strings extraction tool to see which strings the region contains. This shows that the memory region contains API function names and other interesting strings.

At (5) we submit the dumped memory region to VirusTotal for a quick scan, and the result shows that this memory region is injected with malware identified as the XtremeRAT backdoor.
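The malfind triage described above, as an added example that is not code from the page or from Volatility: it parses malfind's text output (assumed layout: a header paragraph, a hexdump paragraph and a disassembly paragraph per region, separated by blank lines) and applies the rule that an RWX region counts as injected only when it starts with an MZ header or with a JMP/CALL/RET. The sample output is constructed; only the pid 1796 / 0x6550000 MZ region echoes the page.

```python
import re

# Constructed malfind output in Volatility 2's layout (Flags lines omitted for brevity); only the
# pid 1796 / 0x6550000 MZ region echoes the page, the other two regions are invented.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1796 Address: 0x6550000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x06550000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

0x06550000 4d               DEC EBP

Process: svchost.exe Pid: 880 Address: 0x1a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x001a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x001a0000 0000             ADD [EAX], AL

Process: explorer.exe Pid: 1796 Address: 0x2c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x002c0000  e9 1b 03 00 00 90 90 90 90 90 90 90 90 90 90 90   ................

0x002c0000 e91b030000       JMP 0x2c0320
"""

HEADER_RE = re.compile(r"Process: (\S+) Pid: (\d+) Address: (0x[0-9a-f]+)")
PROT_RE = re.compile(r"Protection: (PAGE_\w+)")
HEX_RE = re.compile(r"^0x[0-9a-f]+\s+((?:[0-9a-f]{2}\s)+)")      # first hexdump line
DISASM_RE = re.compile(r"^0x[0-9a-f]+\s+[0-9a-f]+\s+([A-Z]+)")    # first disassembly line

def parse_malfind(text):
    """One dict per region: pid, address, protection, first hexdump bytes, first mnemonic."""
    regions = []
    for chunk in re.split(r"\n(?=Process: )", text.strip()):
        paras = re.split(r"\n\s*\n", chunk)
        head, prot = HEADER_RE.search(paras[0]), PROT_RE.search(paras[0])
        hexm = HEX_RE.match(paras[1]) if len(paras) > 1 else None
        dism = DISASM_RE.match(paras[2]) if len(paras) > 2 else None
        regions.append({"pid": int(head.group(2)), "address": int(head.group(3), 16),
                        "protection": prot.group(1) if prot else None,
                        "first_bytes": bytes.fromhex(hexm.group(1)) if hexm else b"",
                        "mnemonic": dism.group(1) if dism else None})
    return regions

def classify(region):
    """The text's rule: RWX alone is not proof; an MZ header or a JMP/CALL/RET entry point is."""
    if region["protection"] != "PAGE_EXECUTE_READWRITE":
        return "not RWX"
    if region["first_bytes"].startswith(b"MZ"):
        return "injected PE"
    if region["mnemonic"] in {"JMP", "CALL", "RET"}:
        return "injected code"
    return "RWX but no executable signature"
```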

Volatility procdump

Memory Analysis using Volatility - procdump


procdump is a Volatility plugin that dumps a specific process’s executable to disk.


In this sample, we use the Volatility procdump plugin to dump a process that we found suspicious.

This is good for quick analysis, such as sending the executable or its hash to an online AV/YARA scanner like VirusTotal, Hybrid Analysis or Any.run.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> procdump -p <PID> -D <Dest>

Volatility vaddump

Memory Analysis using Volatility - vaddump


vaddump is a Volatility plugin that dumps Virtual Address Descriptor sections to files.

Virtual Address Descriptor – used by the Windows memory manager to describe the memory ranges a process uses, as they are allocated. When a process allocates memory with VirtualAlloc, the memory manager creates an entry in the VAD tree.

Memory permission to look for in a memory region:

PAGE_EXECUTE_READWRITE (0x40) – enables execute, read-only, or read/write access to the committed region of pages. Malware can inject its malicious code into the memory of a process by changing the memory permission to PAGE_EXECUTE_READWRITE. This lets the malware use a legitimate process to execute its malicious intent while remaining stealthy and bypassing detection.

note: Not every region with this memory permission is malicious. We only consider the region malicious if it contains an MZ/PE header or if its first instruction is a JMP, RET or CALL.


Using the Volatility vaddump plugin, we can extract all memory regions of the process specified with the -p parameter.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vaddump -p <PID> -D <destination>

To dump a specific memory region, we use the -b option and pass the start address of the selected memory region.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vaddump -p <PID> -b <addr> -D <destination>

Volatility vadinfo

Memory Analysis using Volatility - vadinfo


vadinfo is a Volatility plugin that dumps Virtual Address Descriptor information.


In this sample, we extract the VAD information, i.e. the memory regions, of the process notepad.exe (1).

At (2) is the start address of the memory region inside the process memory.

At (3) is the protection, or permission, this region has.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vadinfo -p <PID>

#note: This plugin displays every memory region it finds, so running it directly in the command prompt produces a lot of output. The best approach is to redirect the output to a .txt file.

In this sample, we extract the VAD information into a text file and use a text editor to filter it.

We can see that there are regions with PAGE_EXECUTE_READWRITE permission.
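The text-editor filtering step above, scripted as an added example (not the page's or Volatility's code): it parses a saved vadinfo text file in Volatility 2's layout (assumed: a Pid line, then one blank-line-separated block per VAD node), keeps the PAGE_EXECUTE_READWRITE nodes, and emits the vaddump -b command for each so the regions can be dumped as the vaddump section describes. The vadinfo text is constructed, with the 0x06550000 node echoing the malfind sample on this page.

```python
import re
# Constructed vadinfo output in Volatility 2's layout (invented node offsets for a notepad.exe-
# style process); the 0x06550000 RWX node echoes the malfind sample above.
SAMPLE_VADINFO = r"""Pid:   1796
VAD node @ 0x82235a60 Start 0x00010000 End 0x00010fff Tag VadS
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone

VAD node @ 0x8223b2c8 Start 0x06550000 End 0x0656cfff Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone

VAD node @ 0x821f1d40 Start 0x7c800000 End 0x7c8f5fff Tag Vad
Flags: CommitCharge: 6, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
FileObject @8222e5e0, Name: \WINDOWS\system32\kernel32.dll

VAD node @ 0x82201e88 Start 0x00b00000 End 0x00b0ffff Tag VadS
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

PID_RE = re.compile(r"^Pid:\s+(\d+)", re.M)
NODE_RE = re.compile(r"VAD node @ 0x[0-9a-f]+ Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\w+)")
PROT_RE = re.compile(r"^Protection: (PAGE_\w+)", re.M)   # the named protection, not the Flags number
FILE_RE = re.compile(r"Name: (\S+)")

def parse_vadinfo(text):
    """Return (pid, regions); each region has start, end, tag, protection, private and file."""
    pid = int(PID_RE.search(text).group(1))
    regions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        node = NODE_RE.search(block)
        if not node:
            continue
        prot, fobj = PROT_RE.search(block), FILE_RE.search(block)
        regions.append({"start": int(node.group(1), 16), "end": int(node.group(2), 16),
                        "tag": node.group(3), "protection": prot.group(1) if prot else None,
                        "private": "PrivateMemory: 1" in block,
                        "file": fobj.group(1) if fobj else None})
    return pid, regions

def rwx_regions(regions):
    """The filter the text applies by hand in a text editor: PAGE_EXECUTE_READWRITE nodes only."""
    return [r for r in regions if r["protection"] == "PAGE_EXECUTE_READWRITE"]

def vaddump_commands(pid, regions, mem_dump, profile, dest):
    """One ready-to-run `vaddump -b` line per RWX region, in the order vadinfo listed them."""
    return [f"vol.exe -f {mem_dump} --profile={profile} vaddump -p {pid} -b {r['start']:#x} -D {dest}"
            for r in rwx_regions(regions)]
```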