Volatility vaddump

Memory Analysis using Volatility - vaddump

Volatility is a tool used for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that extract these artifacts in a quick, time-efficient manner.

vaddump is a Volatility plugin that dumps the memory ranges described by Virtual Address Descriptor (VAD) nodes out to files.

Virtual Address Descriptor (VAD): used by the Windows memory manager to describe the memory ranges used by a process as they are allocated. When a process allocates memory with VirtualAlloc, the memory manager creates an entry in the VAD tree.

Memory permission to look for when reviewing memory regions:

PAGE_EXECUTE_READWRITE (0x40): this permission enables execute, read-only, or read/write access to the committed region of pages. Malware can inject its code into the memory of a process by changing the region's permission to PAGE_EXECUTE_READWRITE. This lets the malware use a legitimate process to carry out its malicious intent while staying stealthy and bypassing detection.

Note: not every region with this permission is malicious. We only treat a region as malicious if it contains an MZ header or a PE file, or if the first instruction at its start is a JMP, RET or CALL.

From an incident response perspective, the volatile data residing in the system's memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator's favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

Using the Volatility vaddump plugin, we can extract all the memory regions of the process whose PID is specified after the -p parameter.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vaddump -p <PID> -D <destination>

To dump a specific memory region, we use the -b option and feed it the start address of the selected memory region.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vaddump -p <PID> -b <addr> -D <destination>

Volatility vadinfo

Memory Analysis using Volatility - vadinfo


vadinfo is a Volatility plugin that prints Virtual Address Descriptor (VAD) information for a process.


In this sample we extract the VAD information, i.e. the memory regions, of the process notepad.exe (1).

(2) is the start address of the memory region inside the process memory.

(3) is the protection, or permission, this region has.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vadinfo -p <PID>

Note: this Volatility plugin displays every memory region it detects, so running it on its own in the command prompt produces a lot of output. The best approach is to redirect the output to a .txt file.

In this sample, we extract vad information into a text file and use a text editor for filtering.

We can see that there are regions that have the PAGE_EXECUTE_READWRITE permission.
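As an added example (not code from the page or from the Volatility project), the script below applies the rule of thumb stated in the vaddump and vadinfo notes: it parses saved vadinfo output, keeps the PAGE_EXECUTE_READWRITE regions, and then checks the bytes vaddump would have written for each of them for an MZ header, a PE signature, or a leading JMP/RET/CALL. The vadinfo text layout, the sample regions and the dumped bytes are constructed here and are assumptions about Volatility 2's output, not taken from the page's screenshots.

```python
import re

# Constructed vadinfo-style output in the Volatility 2 text layout (an
# assumption about the format; this is not the page's own screenshot).
# Region 1 is a normal image mapping; region 2 is a private RWX region of
# the kind the notes say to inspect.
SAMPLE_VADINFO = """\
VAD node @ 0x86f6e1d0 Start 0x00400000 End 0x0042ffff Tag Vad
Flags: CommitCharge: 6, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @86f75a28 Segment e1a5a8b8

VAD node @ 0x86e2a9f8 Start 0x00150000 End 0x00150fff Tag VadS
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

# Constructed bytes standing in for the file vaddump writes for region 2:
# the region begins with a JMP rel32 followed by NOP padding.
SAMPLE_DUMPS = {0x00150000: b"\xe9\x10\x00\x00\x00" + b"\x90" * 11}

VAD_RE = re.compile(r"VAD node @ 0x[0-9a-f]+ Start (0x[0-9a-f]+) End (0x[0-9a-f]+)", re.I)
PROT_RE = re.compile(r"^Protection:\s+(PAGE_\w+)")

# x86 single-byte opcodes for the instructions the notes call out:
# E8 = CALL rel32, E9 = JMP rel32, EB = JMP rel8, C3 = RET, C2 = RET imm16.
FIRST_OPCODES = {0xE8: "CALL", 0xE9: "JMP", 0xEB: "JMP", 0xC3: "RET", 0xC2: "RET"}


def parse_vadinfo(text):
    """Return one dict per VAD node: start, end and the named protection."""
    regions, current = [], None
    for line in text.splitlines():
        m = VAD_RE.search(line)
        if m:
            current = {"start": int(m.group(1), 16), "end": int(m.group(2), 16), "protection": None}
            regions.append(current)
            continue
        m = PROT_RE.match(line)  # anchored, so "Flags: ... Protection: 7" is ignored
        if m and current is not None:
            current["protection"] = m.group(1)
    return regions


def rwx_regions(regions):
    """Only regions whose protection is PAGE_EXECUTE_READWRITE (0x40)."""
    return [r for r in regions if r["protection"] == "PAGE_EXECUTE_READWRITE"]


def triage_region(data):
    """Apply the notes' rule of thumb to dumped bytes; return a reason or None."""
    if data[:2] == b"MZ":
        return "MZ header at region start"
    if b"PE\x00\x00" in data:
        return "PE signature inside region"
    if data and data[0] in FIRST_OPCODES:
        return "region starts with %s instruction" % FIRST_OPCODES[data[0]]
    return None


def triage_process(vadinfo_text, dumps):
    """Both steps together: RWX regions from vadinfo, heuristic over the vaddump bytes."""
    findings = []
    for region in rwx_regions(parse_vadinfo(vadinfo_text)):
        reason = triage_region(dumps.get(region["start"], b""))
        if reason:
            findings.append((region["start"], region["end"], reason))
    return findings


if __name__ == "__main__":
    for start, end, reason in triage_process(SAMPLE_VADINFO, SAMPLE_DUMPS):
        print("0x%08x-0x%08x: %s" % (start, end, reason))
```

To use it on a real case, save the vadinfo output for one PID, run vaddump on the same PID, and build the dictionary from the dump files (their names carry the region's start and end address) in place of SAMPLE_DUMPS. The heuristic is deliberately the one the notes give; a region that passes it still needs a human look, since legitimate JIT compilers also allocate RWX memory.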

Volatility apihooks

Memory Analysis using Volatility - apihooks


apihooks is a Volatility plugin that detects API hooks in process and kernel memory.


We use the Volatility apihooks plugin to detect API hooking. Running this plugin directly in the command prompt displays a lot of information. To make it convenient, we can redirect the result to a .txt file and view it later with other tools such as Notepad or Notepad++.

The image below shows a sample in which apihooks detects regsvr32.exe hooking DeleteFileW, and we see information such as:

      • Hook mode: Usermode
      • Hook type: IAT
      • Process responsible for the hooking (it is not normal for an .exe to hook a function)
      • Hooked function

Malware hooking this function prevents the user from deleting the sample from disk, since DeleteFileW is hooked.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> apihooks -p <PID> > <destination>
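As an added example (not code from the page or from the Volatility project), the script below reads apihooks output that was redirected to a text file, splits it into records, and flags the hooks a responder would look at first: those whose hook code is not backed by any loaded module, and those on APIs such as DeleteFileW whose hooking interferes with removing or finding the sample. The record layout, the sample records and the watchlist are constructed here and are assumptions about Volatility 2's output, not taken from the page's screenshot.

```python
import re

# Constructed apihooks-style records in the Volatility 2 record layout
# (an assumption about the format, not the page's own screenshot).
# Record 1 mirrors the page's case: an IAT hook of DeleteFileW inside
# regsvr32.exe whose hook code is not backed by any loaded module.
# Record 2 resolves to a named module and is left alone here.
SAMPLE_APIHOOKS = """\
************************************************************************
Hook mode: Usermode
Hook type: Import Address Table (IAT)
Process: 1992 (regsvr32.exe)
Victim module: regsvr32.exe (0x00400000 - 0x0040b000)
Function: kernel32.dll!DeleteFileW
Hook address: 0x00170a20
Hooking module: <unknown>

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1096 (explorer.exe)
Victim module: user32.dll (0x7e410000 - 0x7e4a1000)
Function: user32.dll!SetWindowsHookExW at 0x7e4389a0
Hook address: 0x10001230
Hooking module: hookhelper.dll

Disassembly(0):
0x7e4389a0 e98b88bc91       JMP 0x10001230
"""

# APIs whose hooking interferes with removal or discovery of a sample
# (the page's example is DeleteFileW). Constructed watchlist; extend as needed.
WATCHED_APIS = {"DeleteFileW", "DeleteFileA", "NtQueryDirectoryFile",
                "ZwQueryDirectoryFile", "NtEnumerateKey"}


def parse_apihooks(text):
    """Split the output on its separator lines and read each record's 'Key: value' fields."""
    records = []
    for chunk in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            if line.startswith("0x"):
                continue  # disassembly line, not a field
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Function" in fields:
            records.append(fields)
    return records


def hooked_api(record):
    """'kernel32.dll!DeleteFileW at 0x...' -> 'DeleteFileW'."""
    return record.get("Function", "").split(" at ")[0].split("!")[-1]


def suspicious_hooks(records):
    """Flag hooks with no backing module, or on a watched API, with the reasons."""
    findings = []
    for rec in records:
        api = hooked_api(rec)
        reasons = []
        if rec.get("Hooking module") == "<unknown>":
            reasons.append("hook code is not backed by a loaded module")
        if api in WATCHED_APIS:
            reasons.append("%s is on the anti-forensics watchlist" % api)
        if reasons:
            findings.append({"process": rec.get("Process"), "type": rec.get("Hook type"),
                             "api": api, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_hooks(parse_apihooks(SAMPLE_APIHOOKS)):
        print(f["process"], f["type"], f["api"], "; ".join(f["reasons"]))
```

Hooks attributed to a named module are not automatically clean (security products and shims hook legitimately, and so can malware that loads as a DLL), so the output is a prioritised list rather than a verdict; the "Hooking module: <unknown>" case is the one that most often points at injected code.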

Volatility handles

Memory Analysis using Volatility - handles


handles is a Volatility plugin that prints the list of open handles for each process.



The Volatility handles plugin displays open handles. This applies to files, registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of securable executive objects.

To use this plugin on one process, we use the -p option and supply the target process ID.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<OS_version> handles -p <PID>

When using the Volatility handles plugin, you will be presented with a lot of data, so it is important to filter the results down to what we need.

Process handles can give us important data such as:

      • Files that relate to the process.
      • Processes that the process has attached itself to.
      • Mutex names, which make good host-based indicators of compromise.
      • Registry keys that are used by the process itself.

To filter this data we use the -t option and supply it with the handle type we want to see.

To see this in action, our syntax will be like:

vol.exe -f <memory_dump> --profile=<OS_VERSION> handles -p <PID> -t <handles_data>

In our case, at (1) we use File to see the files, at (2) we use Mutant to see the mutex names, at (3) Key for the registry keys found inside the process, and at (4) Process to see whether the process attached itself to another process.

In this sample, by filtering the handles we are able to carve out important information that lies beneath the volatile memory.

Sample 1: NjRAT is a well-known backdoor/rootkit malware that injects itself into other processes; using the Process filter we are able to detect the processes it spawns and injects into.

Sample 2: NjRAT uses the following mutex name to persist inside the system and make sure that only one instance is running on it. Using the Mutant handle filter we are able to extract this data.
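As an added example (not code from the page or from the Volatility project), the script below does on saved handles output what the -p and -t options do at the command line, and then goes one step further than the notes: it collects the mutex names, target processes, files and registry keys for a PID as host-based indicators, and flags Process handles whose access mask carries the rights needed to write into and start a thread in another process, which is the handle pattern behind the injection described for NjRAT. The column layout and every row are constructed here and are assumptions about Volatility 2's output, not the page's screenshots.

```python
# Constructed handles-style output in the Volatility 2 column layout
# (an assumption about the format, not the page's own screenshot). The
# PID 1992 rows model a backdoor that holds a named mutex, a full-access
# handle to another process, a file under ProgramData and a Run key.
SAMPLE_HANDLES = r"""
Offset(V)  Pid  Handle  Access   Type    Details
---------- ---- ------- -------- ------- -------
0x8a3c4a38 1992     0x4 0x1f0001 Mutant  Constructed_Mutex_Name
0x8a3c4b70 1992     0x8 0x1f0fff Process explorer.exe(1096)
0x8a3c4c08 1992     0xc 0x100020 File    \Device\HarddiskVolume1\ProgramData\Sample Dir\svchost.exe
0x8a3c4d40 1992    0x10  0x20019 Key     MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
0x8a3c4e78 1096    0x14 0x1f0001 Mutant  ShellMutex
0x8a3c4fb0 1096    0x18    0x400 Process notepad.exe(2076)
"""

# Process access rights (Windows SDK values) that together allow writing
# code into another process and starting it there.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def parse_handles(text):
    """One dict per handle row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # Details may contain spaces, so split at most 5 times
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue
        offset, pid, handle, access, htype = parts[:5]
        rows.append({"pid": int(pid), "handle": int(handle, 16), "access": int(access, 16),
                     "type": htype, "details": parts[5] if len(parts) > 5 else ""})
    return rows


def filter_handles(rows, pid=None, htype=None):
    """The same selection -p and -t perform, applied to saved output."""
    return [r for r in rows
            if (pid is None or r["pid"] == pid) and (htype is None or r["type"] == htype)]


def host_indicators(rows, pid):
    """Mutex names, target processes, files and keys for one PID, grouped for IoC use."""
    out = {"mutants": [], "processes": [], "files": [], "keys": []}
    bucket = {"Mutant": "mutants", "Process": "processes", "File": "files", "Key": "keys"}
    for r in filter_handles(rows, pid=pid):
        if r["type"] in bucket and r["details"]:
            out[bucket[r["type"]]].append(r["details"])
    return out


def injection_capable_handles(rows):
    """Process handles whose access mask includes all of INJECTION_RIGHTS."""
    return [r for r in rows
            if r["type"] == "Process" and r["access"] & INJECTION_RIGHTS == INJECTION_RIGHTS]


if __name__ == "__main__":
    rows = parse_handles(SAMPLE_HANDLES)
    print(host_indicators(rows, 1992))
    for r in injection_capable_handles(rows):
        print("PID %d holds 0x%x on %s" % (r["pid"], r["access"], r["details"]))
```

A Process handle with these rights is not proof of injection on its own (debuggers and some management agents hold them too), but combined with a Mutant name and a Run key from the same PID it gives a compact set of indicators to pivot on across other hosts.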

Volatility dumpregistry

Memory Analysis using Volatility - dumpregistry


dumpregistry is a Volatility plugin that dumps registry files out to disk.


To dump all registry hives, we use the Volatility dumpregistry plugin.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<OS_version> dumpregistry -D <directory>

Volatility hivelist

Memory Analysis using Volatility - hivelist


hivelist is a Volatility plugin that prints the list of registry hives.


Using the Volatility hivelist plugin we are able to list all the registry hives available in our memory dump.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<OS_version> hivelist

Volatility ldrmodules

Memory Analysis using Volatility - ldrmodules


ldrmodules is a Volatility plugin that detects unlinked DLLs.


When analyzing a malware sample, some samples have the ability to unlink themselves from the process's loaded-module lists. If the sample has this capability, that module won't appear in the result when you run the dlllist plugin.

That is why, during an investigation, it is good practice to compare the dlllist and ldrmodules results to see whether any of the process's loaded modules have been unlinked.

When a module is found in a given table, its entry shows the boolean value True; if not, False.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<OS_version> ldrmodules -p <PID>
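As an added example (not code from the page or from the Volatility project), the script below automates the comparison the notes recommend: it parses saved ldrmodules output and reports every module whose True/False pattern across the three tables is not the normal one. In Volatility 2 the process's own executable is never in the InInit list, so True/False/True is its expected pattern, while every DLL should be True in all three; anything else means the module is missing from a list (unlinked) or has no backing file name. The column layout and the rows, including the unlinked DLL and the pathless mapping, are constructed here and are assumptions about Volatility 2's output, not the page's screenshots.

```python
# Constructed ldrmodules-style output in the Volatility 2 column layout
# (an assumption about the format, not the page's own screenshot). Rows:
# the process's own exe (normal pattern), a normal DLL, a DLL missing from
# the InLoad and InInit lists, and an image mapping with no file name that
# is in none of the lists.
SAMPLE_LDRMODULES = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
    2076 notepad.exe          0x00300000 True   False  True  \Windows\System32\notepad.exe
    2076 notepad.exe          0x77dc0000 True   True   True  \Windows\System32\ntdll.dll
    2076 notepad.exe          0x10000000 False  False  True  \ProgramData\update\inject.dll
    2076 notepad.exe          0x00150000 False  False  False
"""

TABLES = ("InLoad", "InInit", "InMem")


def parse_ldrmodules(text):
    """One dict per module row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # MappedPath is optional and may contain spaces
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        pid, process, base, inload, ininit, inmem = parts[:6]
        rows.append({"pid": int(pid), "process": process, "base": int(base, 16),
                     "inload": inload == "True", "ininit": ininit == "True",
                     "inmem": inmem == "True",
                     "path": parts[6].strip() if len(parts) > 6 else ""})
    return rows


def find_unlinked(rows):
    """Modules whose table membership differs from the normal pattern, with the tables that differ."""
    findings = []
    for r in rows:
        file_name = r["path"].rsplit("\\", 1)[-1].lower()
        is_main_exe = file_name == r["process"].lower()
        expected = (True, False, True) if is_main_exe else (True, True, True)
        actual = (r["inload"], r["ininit"], r["inmem"])
        if actual != expected:
            mismatched = [t for t, a, e in zip(TABLES, actual, expected) if a != e]
            findings.append({"pid": r["pid"], "base": r["base"],
                             "path": r["path"] or "<no mapped path>",
                             "mismatched": mismatched})
    return findings


if __name__ == "__main__":
    for f in find_unlinked(parse_ldrmodules(SAMPLE_LDRMODULES)):
        print("PID %d base 0x%08x %s: differs in %s" % (f["pid"], f["base"], f["path"], ", ".join(f["mismatched"])))
```

Because InLoad is the list dlllist walks, a row with InLoad False and InMem True is exactly the "present in ldrmodules, absent from dlllist" case the notes describe; once found, the base address is what the dlldump -b option needs to extract the module for hashing.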

Volatility dlldump

Memory Analysis using Volatility - dlldump


dlldump is a Volatility plugin that dumps a module from a process using the process's address space.


In this sample, we dump a loaded module from process ID 2076 (notepad.exe) using the Volatility dlldump plugin.

First, list the loaded modules of the process using the dlllist plugin.

Next, get the base address of the module.

Then, supply the base address to the -b option.

Finally, supply the -D option with the directory path where you want the module dumped.

Our syntax will be like: 

vol.exe -f <memory_dump> --profile=<OS_version> dlldump -p <PID> -b <base_addr> -D <directory>

Volatility dlllist

Memory Analysis using Volatility - dlllist


dlllist is a Volatility plugin that displays all the loaded modules of a process.


We can extract a process's loaded modules using the Volatility dlllist plugin.

We use the -p parameter and supply the ID of the process we are investigating.

In our sample, we supply process ID 2076 (Notepad.exe) to list its loaded modules.

This plugin can be used to detect suspicious modules loaded into a process, especially when a module resides in a non-legitimate directory path.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<OS_version> dlllist -p <PID>

In this sample, we use the Volatility dlllist plugin to list all loaded modules from a suspected process.

We dumped the module, hashed it, and submitted the sample to VirusTotal[.]com, which flagged it as Sinowal malware.

Note: we see that this module is not at its proper directory path, which is SYSTEM32.

Volatility cmdline

Memory Analysis using Volatility - cmdline


cmdline is a Volatility plugin that displays each process's command-line arguments. It can be used to determine whether a process was launched with a malicious command.


We can determine how an executable was launched using the Volatility cmdline plugin. We can also see the path where the executable is located, which lets the analyst determine whether it sits in a legitimate or a suspicious directory.

In our sample, we can see that the process notepad.exe is legitimate because its path is the legitimate one, under System32.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<OS_version> cmdline

In this sample, we can see that a suspicious DLL is launched as a service using regsvr32.exe.

Furthermore, we can see that the suspicious DLL is located in the C:\ProgramData directory, which is not a typical location for a legitimate DLL.

We attempt to upload this sample DLL to VirusTotal.
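As an added example (not code from the page or from the Volatility project), the script below turns the path check used in both the dlllist and the cmdline notes into a repeatable triage over saved output: it flags modules in dlllist rows that live outside the expected system and program directories, and it flags processes whose image, or whose DLL/EXE arguments, sit in a user-writable location such as C:\ProgramData, which covers the regsvr32.exe case above. The per-process header that cmdline and dlllist share, the two sample processes and the directory lists are constructed here and are assumptions, not taken from the page's screenshots.

```python
import re

# Constructed output in the Volatility 2 layout that the cmdline and dlllist
# plugins share for their per-process header (an assumption about the format,
# not the page's own screenshots). Process 1992 models the page's case: a DLL
# under C:\ProgramData loaded through regsvr32.exe.
SAMPLE_DLLLIST = r"""
************************************************************************
notepad.exe pid:   2076
Command line : "C:\Windows\system32\notepad.exe"

Base             Size  LoadCount LoadTime                       Path
---------- ---------- ---------- ------------------------------ ----
0x00300000    0x10000     0xffff 2023-01-01 00:00:00 UTC+0000   C:\Windows\system32\notepad.exe
0x77dc0000   0x13c000     0xffff 2023-01-01 00:00:00 UTC+0000   C:\Windows\system32\ntdll.dll
************************************************************************
regsvr32.exe pid:   1992
Command line : C:\Windows\system32\regsvr32.exe /s C:\ProgramData\update\payload.dll

Base             Size  LoadCount LoadTime                       Path
---------- ---------- ---------- ------------------------------ ----
0x00400000     0xb000     0xffff 2023-01-01 00:00:00 UTC+0000   C:\Windows\system32\regsvr32.exe
0x10000000    0x2d000        0x1 2023-01-01 00:00:00 UTC+0000   C:\ProgramData\update\payload.dll
"""

# Directories where system binaries and their DLLs normally live, and
# user-writable roots where a DLL or service binary is a red flag.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

PID_RE = re.compile(r"^(\S+) pid:\s+(\d+)")
CMD_RE = re.compile(r"^Command line : (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")


def path_is_expected(path):
    """True when the path is under an expected root and not under a user-writable one."""
    p = path.strip('"').lower()
    if p.startswith(USER_WRITABLE):  # checked first: Windows\Temp sits under Windows
        return False
    return p.startswith(EXPECTED_ROOTS)


def image_from_cmdline(cmd):
    """First token of a Windows command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def triage_cmdline(text):
    """Flag processes whose image, or whose DLL/EXE arguments, sit outside expected paths."""
    findings, proc = [], None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            proc = (m.group(1), int(m.group(2)))
            continue
        m = CMD_RE.match(line)
        if not (m and proc):
            continue
        cmd = m.group(1)
        reasons = []
        image = image_from_cmdline(cmd)
        if "\\" in image and not path_is_expected(image):
            reasons.append("image %s is outside the expected directories" % image)
        for tok in cmd.split():
            t = tok.strip('"')
            if t.lower().endswith((".dll", ".exe")) and t.lower().startswith(USER_WRITABLE):
                reasons.append("argument %s lives in a user-writable directory" % t)
        if reasons:
            findings.append({"process": proc[0], "pid": proc[1], "reasons": reasons})
    return findings


def triage_dlllist(text):
    """Module paths from dlllist rows that are not under an expected directory."""
    flagged = []
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if line.startswith("0x") and m and not path_is_expected(m.group(1).strip()):
            flagged.append(m.group(1).strip())
    return flagged


if __name__ == "__main__":
    for f in triage_cmdline(SAMPLE_DLLLIST):
        print(f["process"], f["pid"], "; ".join(f["reasons"]))
    for path in triage_dlllist(SAMPLE_DLLLIST):
        print("module outside expected directories:", path)
```

The flagged paths are the ones to carry into dlldump (by base address) and hashing, as the notes do; the directory lists are a starting point and should be extended with the software the environment legitimately installs outside Program Files, otherwise the output fills with false positives.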