Malware Threat Hunting With Volatility

With the continuous growth in malware attacks, memory forensics has become crucial: a memory image holds many forensic artifacts that investigators cannot recover through traditional disk forensics. Analysing a memory dump of the victim's machine gives a detailed picture of the malware and of the traces it created while running. Moreover, recent malware uses stealthy techniques that go undetected by typical disk forensics: it executes exclusively from memory or hides inside a legitimate process to evade signature-based antivirus detection. Many recent studies show that the share of such attacks has increased drastically, and the trend is expected to continue, making advanced threats like fileless malware a major concern for organisations and security researchers alike. This post looks at memory forensics in the context of designing a forensic approach that helps detect such advanced threats. It analyses a sample memory image infected by malware and lays out a generalised, step-by-step framework for examining a memory image for fileless malware.

 

The Volatility Framework

The Volatility Framework is an open-source, cross-platform incident response framework that ships with many plugins, each of which gives the investigator a wealth of information from a snapshot of memory, also known as a memory dump. Besides analysing running and hidden processes, it is a very popular choice for malware analysis. Running the standalone version is recommended, since it is fully self-contained and you do not have to gather and configure plugin scripts.


After detecting the right Windows version and its KPCR, Volatility scans for dozens of other structures inside the dump file. Additional plugins like malfind hunt for malicious activity using strong heuristics or by comparing results obtained from different structures. Typical structures that are parsed include:

  • _EPROCESS and _KPROCESS
  • _KTIMER
  • _ETHREAD and _KTHREAD
  • _CMHIVE
  • _LDR_DATA_TABLE_ENTRY
  • _KMUTANT

 

Volatility Plugins

Volatility uses a variety of tools, called plugins, to automate memory dump processing. To view the plugins available in Volatility, use the -h option as shown below:


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -h
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (semi-colon separated)
  --info                Print information about all registered objects
  --cache-directory=C:\Users\JOSEPH/.cache\volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit Windows 8
                        and above this is the address of KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

        Supported Plugin Commands:

                amcache                 Print AmCache information
                apihooks                Detect API hooks in process and kernel memory
                atoms                   Print session and window station atom tables
                atomscan                Pool scanner for atom tables
                auditpol                Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
                bigpools                Dump the big page pools using BigPagePoolScanner
                bioskbd                 Reads the keyboard buffer from Real Mode memory
                cachedump               Dumps cached domain hashes from memory
                callbacks               Print system-wide notification routines
                clipboard               Extract the contents of the windows clipboard
                cmdline                 Display process command-line arguments
                cmdscan                 Extract command history by scanning for _COMMAND_HISTORY
                connections             Print list of open connections [Windows XP and 2003 Only]
                connscan                Pool scanner for tcp connections
                consoles                Extract command history by scanning for _CONSOLE_INFORMATION
                crashinfo               Dump crash-dump information
                deskscan                Poolscaner for tagDESKTOP (desktops)
                devicetree              Show device tree
                dlldump                 Dump DLLs from a process address space
                dlllist                 Print list of loaded dlls for each process
                driverirp               Driver IRP hook detection
                drivermodule            Associate driver objects to kernel modules
                driverscan              Pool scanner for driver objects
                dumpcerts               Dump RSA private and public SSL keys
                dumpfiles               Extract memory mapped and cached files
                dumpregistry            Dumps registry files out to disk
                editbox                 Displays information about Edit controls. (Listbox experimental.)
                envars                  Display process environment variables
                eventhooks              Print details on windows event hooks
                evtlogs                 Extract Windows Event Logs (XP/2003 only)
                filescan                Pool scanner for file objects
                gahti                   Dump the USER handle type information
                gditimers               Print installed GDI timers and callbacks
                gdt                     Display Global Descriptor Table
                getservicesids          Get the names of services in the Registry and return Calculated SID
                getsids                 Print the SIDs owning each process
                handles                 Print list of open handles for each process
                hashdump                Dumps passwords hashes (LM/NTLM) from memory
                hibinfo                 Dump hibernation file information
                hivedump                Prints out a hive
                hivelist                Print list of registry hives.
                hivescan                Pool scanner for registry hives
                hpakextract             Extract physical memory from an HPAK file
                hpakinfo                Info on an HPAK file
                idt                     Display Interrupt Descriptor Table
                iehistory               Reconstruct Internet Explorer cache / history
                imagecopy               Copies a physical address space out as a raw DD image
                imageinfo               Identify information for the image
                impscan                 Scan for calls to imported functions
                joblinks                Print process job link information
                kdbgscan                Search for and dump potential KDBG values
                kpcrscan                Search for and dump potential KPCR values
                ldrmodules              Detect unlinked DLLs
                lsadump                 Dump (decrypted) LSA secrets from the registry
                machoinfo               Dump Mach-O file format information
                malfind                 Find hidden and injected code
                mbrparser               Scans for and parses potential Master Boot Records (MBRs)
                memdump                 Dump the addressable memory for a process
                memmap                  Print the memory map
                messagehooks            List desktop and thread window message hooks
                mftparser               Scans for and parses potential MFT entries
                moddump                 Dump a kernel driver to an executable file sample
                modscan                 Pool scanner for kernel modules
                modules                 Print list of loaded modules
                multiscan               Scan for various objects at once
                mutantscan              Pool scanner for mutex objects
                notepad                 List currently displayed notepad text
                objtypescan             Scan for Windows object type objects
                patcher                 Patches memory based on page scans
                poolpeek                Configurable pool scanner plugin
                printkey                Print a registry key, and its subkeys and values
                privs                   Display process privileges
                procdump                Dump a process to an executable file sample
                pslist                  Print all running processes by following the EPROCESS lists
                psscan                  Pool scanner for process objects
                pstree                  Print process list as a tree
                psxview                 Find hidden processes with various process listings
                qemuinfo                Dump Qemu information
                raw2dmp                 Converts a physical memory sample to a windbg crash dump
                screenshot              Save a pseudo-screenshot based on GDI windows
                servicediff             List Windows services (ala Plugx)
                sessions                List details on _MM_SESSION_SPACE (user logon sessions)
                shellbags               Prints ShellBags info
                shimcache               Parses the Application Compatibility Shim Cache registry key
                shutdowntime            Print ShutdownTime of machine from registry
                sockets                 Print list of open sockets
                sockscan                Pool scanner for tcp socket objects
                ssdt                    Display SSDT entries
                strings                 Match physical offsets to virtual addresses (may take a while, VERY verbose)
                svcscan                 Scan for Windows services
                symlinkscan             Pool scanner for symlink objects
                thrdscan                Pool scanner for thread objects
                threads                 Investigate _ETHREAD and _KTHREADs
                timeliner               Creates a timeline from various artifacts in memory
                timers                  Print kernel timers and associated module DPCs
                truecryptmaster         Recover TrueCrypt 7.1a Master Keys
                truecryptpassphrase     TrueCrypt Cached Passphrase Finder
                truecryptsummary        TrueCrypt Summary
                unloadedmodules         Print list of unloaded modules
                userassist              Print userassist registry keys and information
                userhandles             Dump the USER handle tables
                vaddump                 Dumps out the vad sections to a file
                vadinfo                 Dump the VAD info
                vadtree                 Walk the VAD tree and display in tree format
                vadwalk                 Walk the VAD tree
                vboxinfo                Dump virtualbox information
                verinfo                 Prints out the version information from PE images
                vmwareinfo              Dump VMware VMSS/VMSN information
                volshell                Shell in the memory image
                windows                 Print Desktop Windows (verbose details)
                wintree                 Print Z-Order Desktop Windows Tree
                wndscan                 Pool scanner for window stations
                yarascan                Scan process or kernel memory with Yara signatures

Methodology For Threat Hunting Using Volatility

Having introduced Volatility plugins, I will now outline the methodology for hunting malware with Volatility and the plugins of relevance in each step.


Identify Rogue Processes

  • pslist
  • psscan
  • pstree
  • psxview


Analyze Process DLLs and Handles

  • dlllist
  • cmdline
  • getsids
  • handles
  • filescan
  • mutantscan
  • svcscan
  • cmdscan
  • consoles


Review Network Artifacts

  • connections
  • connscan
  • sockets
  • sockscan
  • netscan


Look For Evidence of Code Injection

  • malfind
  • ldrmodules


Check For Signs of A Rootkit

  • ssdt
  • psxview
  • modscan
  • apihooks
  • driverirp
  • idt


Dump Suspicious Process and Drivers

  • dlldump
  • moddump
  • procdump
  • memdump
  • malfind


Selecting A Profile

All operating systems store information in RAM, but where a given artifact sits in memory depends on the operating system. In Volatility we must therefore choose the profile that best matches the operating system version and service pack; the profile tells Volatility where the artifacts and other useful information are located. The imageinfo plugin helps with this choice.


The imageinfo plugin identifies the Windows version, the service pack and the system architecture by locating the KDBG (Kernel Debugger Data Block) within the memory image.

 

text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f D:\Memdump\0zapftis.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\Memdump\0zapftis.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-10-10 17:06:54 UTC+0000
     Image local date and time : 2011-10-10 13:06:54 -0400


The imageinfo output suggests the profiles WinXPSP2x86 and WinXPSP3x86, whose names decompose as:

  • WinXP - Windows XP
  • SP2/SP3 - Service Pack 2/Service Pack 3
  • x86 - 32-bit architecture

 

The image type, or service pack, is displayed as 2, indicating a Windows XP Service Pack 2 32-bit (x86) system. WinXPSP2x86 will therefore be used as the profile for this case with all subsequent plugins:


text
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-10-10 17:06:54 UTC+0000
     Image local date and time : 2011-10-10 13:06:54 -0400

 

To further narrow down the most likely profile, the kdbgscan plugin scans for the kernel debugger data block and makes a profile suggestion based on the KDBG header. Since the profile tells Volatility the format and type of memory objects that should be present in the RAM dump, getting the profile right is an important first step for any further analysis.

 

text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f D:\Memdump\0zapftis.vmem kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80544ce0
Offset (P)                    : 0x544ce0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x80544cb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 2600.xpsp_sp2_rtm.040803-2158
PsActiveProcessHead           : 0x80559258 (22 processes)
PsLoadedModuleList            : 0x805531a0 (120 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80544ce0
Offset (P)                    : 0x544ce0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64                     : 0x80544cb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 2600.xpsp_sp2_rtm.040803-2158
PsActiveProcessHead           : 0x80559258 (22 processes)
PsLoadedModuleList            : 0x805531a0 (120 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)


Once the profile has been chosen, we can proceed with using Volatility plugins for the analysis of the memory image.


Analysis of Running Processes

In Windows, processes are represented by an executive object in the kernel of the operating system called an _EPROCESS.  Volatility uses a variety of methods to find and examine these objects.


On Windows systems, the kernel tracks the currently active processes using a doubly linked list.  Each running process is found in this list, and therefore most standard Windows calls to list processes accomplish this by walking this list and printing each process found in it.  Some malware will attempt to hide by delinking its process from this list, causing most tools on a live system to fail to detect the unlinked malware process.  When working with a memory dump, different approaches can be taken to locate processes.  For example, each process has a fixed format header that contains a key or tag of “Proc” on Windows systems.  By searching through the memory in a RAM dump looking for the known structure of a process object’s tag and other attributes, Volatility can detect processes that are not linked in the standard doubly linked process list.  By using and comparing different methods of identifying processes, an examiner can identify processes that were attempting to hide their presence. 


One of the easiest ways to get a list of processes that were running at the time a RAM dump was made is to use the pslist plugin.


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x819cc830 System                    4      0     55      162 ------      0
0x81945020 smss.exe                536      4      3       21 ------      0 2011-10-10 17:03:56 UTC+0000
0x816c6020 csrss.exe               608    536     11      355      0      0 2011-10-10 17:03:58 UTC+0000
0x813a9020 winlogon.exe            632    536     24      533      0      0 2011-10-10 17:03:58 UTC+0000
0x816da020 services.exe            676    632     16      261      0      0 2011-10-10 17:03:58 UTC+0000
0x813c4020 lsass.exe               688    632     23      336      0      0 2011-10-10 17:03:58 UTC+0000
0x81772ca8 vmacthlp.exe            832    676      1       24      0      0 2011-10-10 17:03:59 UTC+0000
0x8167e9d0 svchost.exe             848    676     20      194      0      0 2011-10-10 17:03:59 UTC+0000
0x817757f0 svchost.exe             916    676      9      217      0      0 2011-10-10 17:03:59 UTC+0000
0x816c6da0 svchost.exe             964    676     63     1058      0      0 2011-10-10 17:03:59 UTC+0000
0x815daca8 svchost.exe            1020    676      5       58      0      0 2011-10-10 17:03:59 UTC+0000
0x813aeda0 svchost.exe            1148    676     12      187      0      0 2011-10-10 17:04:00 UTC+0000
0x817937e0 spoolsv.exe            1260    676     13      140      0      0 2011-10-10 17:04:00 UTC+0000
0x81754990 VMwareService.e        1444    676      3      145      0      0 2011-10-10 17:04:00 UTC+0000
0x8136c5a0 alg.exe                1616    676      7       99      0      0 2011-10-10 17:04:01 UTC+0000
0x815c4da0 wscntfy.exe            1920    964      1       27      0      0 2011-10-10 17:04:39 UTC+0000
0x813bcda0 explorer.exe           1956   1884     18      322      0      0 2011-10-10 17:04:39 UTC+0000
0x816d63d0 VMwareTray.exe          184   1956      1       28      0      0 2011-10-10 17:04:41 UTC+0000
0x8180b478 VMwareUser.exe          192   1956      6       83      0      0 2011-10-10 17:04:41 UTC+0000
0x818233c8 reader_sl.exe           228   1956      2       26      0      0 2011-10-10 17:04:41 UTC+0000
0x815e7be0 wuauclt.exe             400    964      8      173      0      0 2011-10-10 17:04:46 UTC+0000
0x817a34b0 cmd.exe                 544   1956      1       30      0      0 2011-10-10 17:06:42 UTC+0000

The pslist plugin walks the doubly linked list of processes in the same way as most commands that run on a live system. It therefore provides a useful baseline of what commands like tasklist would have shown while the system was running, but it gives no information about processes that hid themselves by unlinking from the process list, or that had already terminated before the dump was captured. It works with virtual memory addresses and offsets and follows the _EPROCESS list. This should always be the first process-listing plugin run in Volatility.

 

The important parameters to look for are the process ID, the parent process ID and the timestamp information. For those new to PIDs and processes, a quick Google search can assist with identification and description information. It is also useful to become familiar with many of the start-up processes in order to readily point out processes that may be unusual or suspect. I would like to refer the reader to a popular SANS poster that treats this subject extensively. Richard Davis of 13Cubed made the SANS poster easier to comprehend with his own version, which can be downloaded here. These two are my reference materials when analyzing Windows process relationships.

 

Looking at the result above, nothing appears out of the ordinary. Although the process alg.exe is present and can sometimes be used to indicate the presence of malware, as a lone indicator it is not sufficient to warrant further investigation at this point, since it is typically considered a legitimate Windows XP process.

 

To see the processes in parent-child format, let's now arrange them in a more structured way using the pstree plugin.


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x819cc830:System                                      4      0     55    162 1970-01-01 00:00:00 UTC+0000
. 0x81945020:smss.exe                                 536      4      3     21 2011-10-10 17:03:56 UTC+0000
.. 0x816c6020:csrss.exe                               608    536     11    355 2011-10-10 17:03:58 UTC+0000
.. 0x813a9020:winlogon.exe                            632    536     24    533 2011-10-10 17:03:58 UTC+0000
... 0x816da020:services.exe                           676    632     16    261 2011-10-10 17:03:58 UTC+0000
.... 0x817757f0:svchost.exe                           916    676      9    217 2011-10-10 17:03:59 UTC+0000
.... 0x81772ca8:vmacthlp.exe                          832    676      1     24 2011-10-10 17:03:59 UTC+0000
.... 0x816c6da0:svchost.exe                           964    676     63   1058 2011-10-10 17:03:59 UTC+0000
..... 0x815c4da0:wscntfy.exe                         1920    964      1     27 2011-10-10 17:04:39 UTC+0000
..... 0x815e7be0:wuauclt.exe                          400    964      8    173 2011-10-10 17:04:46 UTC+0000
.... 0x8167e9d0:svchost.exe                           848    676     20    194 2011-10-10 17:03:59 UTC+0000
.... 0x81754990:VMwareService.e                      1444    676      3    145 2011-10-10 17:04:00 UTC+0000
.... 0x8136c5a0:alg.exe                              1616    676      7     99 2011-10-10 17:04:01 UTC+0000
.... 0x813aeda0:svchost.exe                          1148    676     12    187 2011-10-10 17:04:00 UTC+0000
.... 0x817937e0:spoolsv.exe                          1260    676     13    140 2011-10-10 17:04:00 UTC+0000
.... 0x815daca8:svchost.exe                          1020    676      5     58 2011-10-10 17:03:59 UTC+0000
... 0x813c4020:lsass.exe                              688    632     23    336 2011-10-10 17:03:58 UTC+0000
 0x813bcda0:explorer.exe                             1956   1884     18    322 2011-10-10 17:04:39 UTC+0000
. 0x8180b478:VMwareUser.exe                           192   1956      6     83 2011-10-10 17:04:41 UTC+0000
. 0x817a34b0:cmd.exe                                  544   1956      1     30 2011-10-10 17:06:42 UTC+0000
. 0x816d63d0:VMwareTray.exe                           184   1956      1     28 2011-10-10 17:04:41 UTC+0000
. 0x818233c8:reader_sl.exe                            228   1956      2     26 2011-10-10 17:04:41 UTC+0000

The pstree plugin will display a list of processes in a tree format to show which process spawned other processes and make their parent/child relationship clearer.  

 

The parent process is at the top of the list and its child processes are indented below it. This command shows the same list of processes as the pslist plugin, but the indentation also identifies the parent/child relationships. The System process is the parent of all processes and always has a PID of 4. To get a pictorial view of the parent-child relationships, execute the following:


text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem pstree --output=dot --output-file=tree.dot

 

This command writes the process list in dot format. To convert that to a format such as JPEG, the dot command can be used as follows:


text
dot -Tjpg tree.dot > tree.jpg




However, the pstree plugin relies on walking the doubly linked process list, and therefore suffers from the same limitations as the pslist plugin.  It can, however, be a useful command to run. 


As mentioned earlier, Volatility is not constrained to only using the doubly linked process list to identify allocated processes.  The memory dump can be scanned for known signatures of process objects, and anything that matches that pattern can be displayed.  This is an extremely helpful method to find processes that have been delinked from the process list to avoid detection.  Since it does not rely on the doubly linked process list, it can also uncover information about processes that were running previously but terminated before the dump was captured.  A process scan can be run with the following command:


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000156c5a0 alg.exe            1616    676 0x05e001e0 2011-10-10 17:04:01 UTC+0000
0x00000000015a9020 winlogon.exe        632    536 0x05e00060 2011-10-10 17:03:58 UTC+0000
0x00000000015aeda0 svchost.exe        1148    676 0x05e00180 2011-10-10 17:04:00 UTC+0000
0x00000000015bcda0 explorer.exe       1956   1884 0x05e00220 2011-10-10 17:04:39 UTC+0000
0x00000000015c4020 lsass.exe           688    632 0x05e000a0 2011-10-10 17:03:58 UTC+0000
0x00000000017c4da0 wscntfy.exe        1920    964 0x05e00240 2011-10-10 17:04:39 UTC+0000
0x00000000017daca8 svchost.exe        1020    676 0x05e00140 2011-10-10 17:03:59 UTC+0000
0x00000000017e7be0 wuauclt.exe         400    964 0x05e002c0 2011-10-10 17:04:46 UTC+0000
0x000000000187e9d0 svchost.exe         848    676 0x05e000e0 2011-10-10 17:03:59 UTC+0000
0x00000000018c6020 csrss.exe           608    536 0x05e00040 2011-10-10 17:03:58 UTC+0000
0x00000000018c6da0 svchost.exe         964    676 0x05e00120 2011-10-10 17:03:59 UTC+0000
0x00000000018d63d0 VMwareTray.exe      184   1956 0x05e00160 2011-10-10 17:04:41 UTC+0000
0x00000000018da020 services.exe        676    632 0x05e00080 2011-10-10 17:03:58 UTC+0000
0x0000000001954990 VMwareService.e    1444    676 0x05e001c0 2011-10-10 17:04:00 UTC+0000
0x0000000001972ca8 vmacthlp.exe        832    676 0x05e000c0 2011-10-10 17:03:59 UTC+0000
0x00000000019757f0 svchost.exe         916    676 0x05e00100 2011-10-10 17:03:59 UTC+0000
0x00000000019937e0 spoolsv.exe        1260    676 0x05e001a0 2011-10-10 17:04:00 UTC+0000
0x00000000019a34b0 cmd.exe             544   1956 0x05e00200 2011-10-10 17:06:42 UTC+0000
0x0000000001a0b478 VMwareUser.exe      192   1956 0x05e00260 2011-10-10 17:04:41 UTC+0000
0x0000000001a233c8 reader_sl.exe       228   1956 0x05e00280 2011-10-10 17:04:41 UTC+0000
0x0000000001b45020 smss.exe            536      4 0x05e00020 2011-10-10 17:03:56 UTC+0000
0x0000000001bcc830 System                4      0 0x00319000

 

Again, nothing appears particularly conspicuous. Moreover, this output looks very similar to the output of the pslist plugin.


The psscan plugin uses physical memory addressing and scans the memory image for _EPROCESS pool allocations, in contrast to the pslist plugin, which uses virtual memory addressing and walks the linked list. The output from the psscan plugin does not provide the hierarchical parent/child view that the pstree plugin does. To get a similar effect, you can output the results of psscan to a dot file and use a program like Graphviz to display it graphically. This is both a useful investigative approach and a source of useful graphs for report purposes. To accomplish this, a command like the following can be used:

 

text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem psscan --output=dot --output-file=processes.dot

 

This command writes the process list in dot format. To convert that to a format such as JPEG, the dot command can be used as follows:


text
dot -Tjpg processes.dot > processes.jpg

 

It is usually recommended in the forensic community to compare the results of the psscan and pslist plugins. For this task, shell-based text processing is of significant use. With the following command, assuming each plugin's output has been saved to a text file, it is readily possible to spot the differences between the outputs of the two plugins:


bash
cat pslist.txt psscan.txt | awk '{print $2"\t"$3}' | sort | uniq -c | grep -v " 2"

 

There are many structures within a Windows system that need to track running processes.  While the doubly linked process list is the most commonly used method for enumerating running processes, it is also the most likely to be targeted by processes that are attempting to evade detection.  As a result, comparing the results of the doubly linked list to other structures within the operating system and other methods of detecting processes can help detect processes that are maliciously hiding their presence.  For such cross-comparative analysis, use the psxview plugin.


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem psxview
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x015a9020 winlogon.exe            632 True   True   True     True   True  True    True
0x018da020 services.exe            676 True   True   True     True   True  True    True
0x0156c5a0 alg.exe                1616 True   True   True     True   True  True    True
0x018d63d0 VMwareTray.exe          184 True   True   True     True   True  True    True
0x019757f0 svchost.exe             916 True   True   True     True   True  True    True
0x015c4020 lsass.exe               688 True   True   True     True   True  True    True
0x01972ca8 vmacthlp.exe            832 True   True   True     True   True  True    True
0x019a34b0 cmd.exe                 544 True   True   True     True   True  True    True
0x0187e9d0 svchost.exe             848 True   True   True     True   True  True    True
0x017daca8 svchost.exe            1020 True   True   True     True   True  True    True
0x01954990 VMwareService.e        1444 True   True   True     True   True  True    True
0x018c6da0 svchost.exe             964 True   True   True     True   True  True    True
0x01a233c8 reader_sl.exe           228 True   True   True     True   True  True    True
0x017e7be0 wuauclt.exe             400 True   True   True     True   True  True    True
0x019937e0 spoolsv.exe            1260 True   True   True     True   True  True    True
0x015bcda0 explorer.exe           1956 True   True   True     True   True  True    True
0x017c4da0 wscntfy.exe            1920 True   True   True     True   True  True    True
0x01a0b478 VMwareUser.exe          192 True   True   True     True   True  True    True
0x015aeda0 svchost.exe            1148 True   True   True     True   True  True    True
0x01bcc830 System                    4 True   True   True     True   False False   False
0x01b45020 smss.exe                536 True   True   True     True   False False   False
0x018c6020 csrss.exe               608 True   True   True     True   False True    True


For a process to be considered hidden, it should be invisible to at least one detection method other than csrss, and it may also go undetected by the subsequent process detection methods. If a process is not seen by the pslist plugin, the process is without a doubt hidden.


Although some processes may be marked as hidden by the csrss method, they generally are not hidden. Therefore any process marked as hidden (False) by this method requires that another method (pslist, psscan, thrdproc or pspcid) confirm the suspicion. For Windows 7 and Vista systems, the list of internal processes is not available, and in some cases where required Windows XP memory pages have been swapped out, the csrss result may be affected.


The psxview plugin uses multiple methods for detecting processes and displays which processes are and are not detected with each method.  This comparison can help detect processes that are maliciously trying to avoid detection.  Some methods will not detect certain processes, such as those that were started before the object upon which the detection method relies, or processes that have terminated not being detected by methods that only track running processes.  To help account for these expected variations, the command


text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem psxview --apply-rules


will show True when a method detects the process, False when the method does not detect the process, and Okay when the process is expectedly absent due to a known limitation of the method being used.  Keep in mind that only the psscan method will detect terminated processes.
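Since both the awk pipeline above and psxview are, at bottom, set comparisons over process listings, here is that comparison in Python as an added example (not from the post or from the Volatility project). It parses the pslist and psscan text formats shown on this page; the sample rows are constructed from the post's own listing plus two invented processes, hidden.exe (PID 1337) and notepad.exe (PID 2222), to show how a live unlinked process differs from one that merely exited before the dump:

```python
"""Cross-view process comparison on Volatility 2 text output (added example).

Does in Python what the post's awk/sort/uniq pipeline does: key every row of
pslist and psscan on (name, PID) and report rows that do not appear in both.
It adds the distinction psxview draws: a process that psscan sees but pslist
does not is only a hiding candidate when it has no exit time, since pslist
cannot see exited processes at all.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ProcKey = Tuple[str, int]  # (name, pid): the two columns the awk pipeline prints
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+\d{4}")

# Constructed sample: four pslist rows copied from this post's listing.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x819cc830 System                    4      0     55      162 ------      0
0x81945020 smss.exe                536      4      3       21 ------      0 2011-10-10 17:03:56 UTC+0000
0x813bcda0 explorer.exe           1956   1884     18      322      0      0 2011-10-10 17:04:39 UTC+0000
0x817a34b0 cmd.exe                 544   1956      1       30      0      0 2011-10-10 17:06:42 UTC+0000
"""

# Constructed sample: the same processes as psscan sees them, plus two invented
# rows that are NOT in the post's image: an unlinked live process (PID 1337)
# and a process that exited before the dump was taken (PID 2222).
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001bcc830 System                4      0 0x00319000
0x0000000001b45020 smss.exe            536      4 0x05e00020 2011-10-10 17:03:56 UTC+0000
0x00000000015bcda0 explorer.exe       1956   1884 0x05e00220 2011-10-10 17:04:39 UTC+0000
0x00000000019a34b0 cmd.exe             544   1956 0x05e00200 2011-10-10 17:06:42 UTC+0000
0x0000000001a11000 hidden.exe         1337   1956 0x05e002a0 2011-10-10 17:05:10 UTC+0000
0x0000000001a22000 notepad.exe        2222   1956 0x05e002e0 2011-10-10 17:05:30 UTC+0000   2011-10-10 17:06:00 UTC+0000
"""


def parse_listing(text: str) -> Dict[ProcKey, Optional[str]]:
    """Map (name, pid) -> exit time (None while running) for each data row.

    Works for pslist and psscan alike: data rows start with an offset, the name
    is column 2 and the PID column 3, and a second timestamp is the exit time.
    """
    procs: Dict[ProcKey, Optional[str]] = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # banner, header and separator rows
        cols = line.split()
        stamps = TIMESTAMP.findall(line)
        procs[(cols[1], int(cols[2]))] = stamps[1] if len(stamps) == 2 else None
    return procs


@dataclass(frozen=True)
class CrossView:
    name: str
    pid: int
    in_pslist: bool
    in_psscan: bool
    exit_time: Optional[str]

    @property
    def verdict(self) -> str:
        if self.in_pslist and self.in_psscan:
            return "ok"
        if self.in_psscan and self.exit_time:
            return "terminated"  # expected: only the pool scan still sees exited objects
        if self.in_psscan:
            return "HIDDEN"      # live object that is not on the EPROCESS linked list
        return "pslist-only"     # linked but no pool hit: check for an overwritten pool tag


def cross_view(pslist_text: str, psscan_text: str) -> List[CrossView]:
    """One row per (name, pid) seen by either plugin, ordered by PID."""
    linked, scanned = parse_listing(pslist_text), parse_listing(psscan_text)
    rows = []
    for key in sorted(set(linked) | set(scanned), key=lambda k: k[1]):
        rows.append(CrossView(key[0], key[1], key in linked, key in scanned,
                              scanned.get(key) or linked.get(key)))
    return rows


def verdicts(pslist_text: str, psscan_text: str) -> Dict[ProcKey, str]:
    return {(r.name, r.pid): r.verdict for r in cross_view(pslist_text, psscan_text)}


if __name__ == "__main__":
    for r in cross_view(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"{r.pid:>6} {r.name:<14} pslist={str(r.in_pslist):<5} psscan={str(r.in_psscan):<5} {r.verdict}")
```

On real dumps feed the saved pslist.txt and psscan.txt contents to cross_view; only the HIDDEN verdicts need follow-up with psxview and malfind, while terminated rows are the expected psscan-only residue.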

 

The next step after studying the running processes is to find network services and connections that may also have been established at that time.


Summary of Process Analysis

The Volatility plugins used so far in the analysis of this particular memory image have not turned up any indicators of compromise, so the subsequent plugins will have to reveal the evidence of infection.


Analyzing Network Connections

The first network-based Volatility plugin that should be used is connscan. It verifies the existence of ongoing network connections by scanning the memory image for current or recently terminated connections. The plugin uses physical memory addressing and parses the _TCPT_OBJECT data structure to identify remote connections.


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a25a50 0.0.0.0:1026              172.16.98.1:6666          1956

From the output above, PID 1956 (explorer.exe) has established a connection to the remote system 172.16.98.1 on port 6666, a port well known for its use by malware. We can then investigate the remote IP address using the OSINT techniques described here.


Another plugin for determining network connections on Windows systems is netscan. It carves through the memory dump looking for artifacts of network activity, which means it may find sessions that were either active or inactive at the time of the RAM dump.


text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem netscan

 

I am unable to show the output for this command, as the plugin does not support the Windows XP operating system, which is the operating system of my memory dump.

 

Sometimes this plugin is unable to find all the information necessary to reconstruct every active session, because the data was paged out at the time of the dump. Additionally, it may recover partially deleted data about old connections and/or generate false positives. It is therefore a good idea to run commands like netstat -anob at the time of volatile data collection, to have a point of comparison. Keep in mind that tools like netstat may be fooled by malware running on the live system, so the netscan plugin may detect hidden network activity that netstat misses. Comparing the results of both is therefore a best practice when possible.

 

You can also find evidence of both recently terminated and ongoing communications using the connections plugin. This plugin supports both physical and virtual memory addresses.

 

```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem connections
```

 

Volatility offers two additional network-based plugins, sockets and sockscan. The sockets plugin lists open sockets and may provide additional information about covert network channels, while the sockscan plugin scans a suspect memory image for all TCP sockets. Generally, the output is the same for both plugins with the exception of the memory addresses: the sockets plugin uses virtual memory addressing, while the sockscan plugin uses physical memory addressing.


sockets output

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)  PID      Port   Proto  Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x8177e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x81596a78      688    500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x8166a008      964   1029     17 UDP             127.0.0.1       2011-10-10 17:04:42 UTC+0000
0x818ddc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
0x818328d8      916    135      6 TCP             0.0.0.0         2011-10-10 17:03:59 UTC+0000
0x81687e98     1616   1025      6 TCP             127.0.0.1       2011-10-10 17:04:01 UTC+0000
0x817517e8      964    123     17 UDP             127.0.0.1       2011-10-10 17:04:00 UTC+0000
0x81753b20      688      0    255 Reserved        0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x8174fe98     1148   1900     17 UDP             127.0.0.1       2011-10-10 17:04:41 UTC+0000
0x81753008      688   4500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x816118d8        4    445     17 UDP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
```

 

sockscan output

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  PID      Port   Proto  Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01796a78      688    500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x018118d8        4    445     17 UDP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
0x0186a008      964   1029     17 UDP             127.0.0.1       2011-10-10 17:04:42 UTC+0000
0x01887e98     1616   1025      6 TCP             127.0.0.1       2011-10-10 17:04:01 UTC+0000
0x0194fe98     1148   1900     17 UDP             127.0.0.1       2011-10-10 17:04:41 UTC+0000
0x019517e8      964    123     17 UDP             127.0.0.1       2011-10-10 17:04:00 UTC+0000
0x01953008      688   4500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x01953b20      688      0    255 Reserved        0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x0197e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x01a328d8      916    135      6 TCP             0.0.0.0         2011-10-10 17:03:59 UTC+0000
0x01addc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
```

You may wish to combine the outputs of both commands by following the commands below.


```bash
# Save both listings, then drop the offset column (it differs between the
# virtual and physical scans) so identical sockets collapse under sort | uniq.
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockets > sockets.txt
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockscan > sockscan.txt
cat sockets.txt sockscan.txt | awk '{$1="";print}' | sort -n | uniq > sockets_sockscan.txt
```

 

Examining these data, the covert communication found emanating from explorer.exe is not in the output. Thus, somewhere behind explorer.exe, there is clearly a hidden communication channel in use.
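The awk pipeline above throws away the column structure; as an added example (not code from the original post), the following Python keys each socket by pid/port/protocol/address, reports entries that only the carver (sockscan) found, and joins connscan onto the result so that the remote end of the explorer.exe socket is visible next to it. The sample rows are copied from the sockets, sockscan and connscan outputs above.

```python
"""Cross-check Volatility sockets / sockscan output and join connscan onto it (added example)."""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "pid port proto address")
Conn = namedtuple("Conn", "pid local remote")

# Sample rows copied from the sockets, sockscan and connscan outputs above (a subset of each).
SOCKETS_OUT = """\
0x8177e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x81596a78      688    500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x818ddc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
0x81687e98     1616   1025      6 TCP             127.0.0.1       2011-10-10 17:04:01 UTC+0000
"""
SOCKSCAN_OUT = """\
0x01796a78      688    500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x01887e98     1616   1025      6 TCP             127.0.0.1       2011-10-10 17:04:01 UTC+0000
0x0197e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x01addc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
"""
CONNSCAN_OUT = """\
0x01a25a50 0.0.0.0:1026              172.16.98.1:6666          1956
"""

# sockets/sockscan row: offset pid port proto protocol address create-time
# (the offset is skipped: it is virtual in one listing and physical in the other)
SOCKET_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+\d+\s+(\S+)\s+(\S+)")
# connscan row: offset local remote pid
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_sockets(text):
    """Key each socket by pid/port/protocol/address so list-walk and carve results are comparable."""
    found = set()
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            pid, port, proto, addr = m.groups()
            found.add(Socket(int(pid), int(port), proto, addr))
    return found


def parse_connscan(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            local, remote, pid = m.groups()
            conns.append(Conn(int(pid), local, remote))
    return conns


def compare_scans(sockets_text, sockscan_text):
    """Return (in_both, list_only, carve_only).  A socket only the carver finds was either closed
    shortly before the dump (carving recovers stale objects) or unlinked from the kernel's list,
    which is one way malware hides its network activity; either way it deserves a closer look."""
    listed = parse_sockets(sockets_text)
    carved = parse_sockets(sockscan_text)
    return listed & carved, listed - carved, carved - listed


def correlate(sockets, conns):
    """Join connscan rows onto sockets by (pid, local port); the socket listings alone never show the remote end."""
    by_key = {(s.pid, s.port): s for s in sockets}
    hits = []
    for c in conns:
        lport = int(c.local.rsplit(":", 1)[1])
        hits.append((c, by_key.get((c.pid, lport))))
    return hits


if __name__ == "__main__":
    both, list_only, carve_only = compare_scans(SOCKETS_OUT, SOCKSCAN_OUT)
    print(f"{len(both)} sockets agree, {len(list_only)} list-only, {len(carve_only)} carve-only")
    for s in carve_only:
        print("  carve-only socket (closed or hidden):", s)
    for conn, sock in correlate(both | list_only | carve_only, parse_connscan(CONNSCAN_OUT)):
        detail = f"({sock.proto} socket bound to {sock.address})" if sock else "(no matching socket)"
        print(f"pid {conn.pid}: {conn.local} -> {conn.remote} {detail}")
```

For this image the two listings agree, so the interesting result is the join: the explorer.exe socket on port 1026 is the local end of the 172.16.98.1:6666 connection.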


DLL Analysis

When analyzing a process, it is important to know which DLLs (dynamic-link libraries) are imported into the process itself. A DLL contains executable code that can provide a process with specific functionality, so understanding which DLLs a process incorporates may give insight into its capabilities. In addition, malicious software may inject rogue DLLs into otherwise benign processes to introduce malicious activity without starting a new process on the system, so examining processes for the presence of malicious DLLs or other code injection is an important analysis step. Volatility supports this type of analysis with a few different plugins.

 

Inside the _EPROCESS structure is the Process Environment Block (_PEB). The _PEB contains several items of interest, including but not limited to:

  • The path to the process’ executable on disk.
  • The command line used to invoke the process.
  • Three different lists of DLLs associated with the process:
    • one that lists the order in which each DLL was loaded into the process;
    • one that lists the DLLs based on their order in process memory;
    • one that lists the order in which they are executed by the program code.
  • The standard input, output, and error for the process.
  • The process’ working directory.

 

Most tools that run on a live system determine the DLLs used by a process by consulting the first of the three DLL lists stored in the PEB, the one that tracks the order in which each DLL was loaded. As a result, malware will sometimes modify that list to hide the presence of a DLL. Volatility's dlllist plugin parses this same list and can be run with the following command:


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem dlllist
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
Unable to read PEB for task.
************************************************************************
smss.exe pid:    536
Command line : \SystemRoot\System32\smss.exe

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x48580000 0xf000     0xffff     \SystemRoot\System32\smss.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
************************************************************************
csrss.exe pid:    608
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
Service Pack 2

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x4a680000 0x5000     0xffff     \??\C:\WINDOWS\system32\csrss.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
0x75b40000 0xb000     0xffff     C:\WINDOWS\system32\CSRSRV.dll
0x75b50000 0x10000    0x3        C:\WINDOWS\system32\basesrv.dll
0x75b60000 0x4a000    0x2        C:\WINDOWS\system32\winsrv.dll
0x77d40000 0x90000    0x6        C:\WINDOWS\system32\USER32.dll
0x7c800000 0xf4000    0xe        C:\WINDOWS\system32\KERNEL32.dll
0x77f10000 0x46000    0x5        C:\WINDOWS\system32\GDI32.dll
0x75e90000 0xb0000    0x1        C:\WINDOWS\system32\sxs.dll
0x77dd0000 0x9b000    0x3        C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000    0x3        C:\WINDOWS\system32\RPCRT4.dll
************************************************************************
winlogon.exe pid:    632
Command line : winlogon.exe
Service Pack 2

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x80000    0xffff     \??\C:\WINDOWS\system32\winlogon.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000    0xffff     C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000    0xffff     C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000    0xffff     C:\WINDOWS\system32\RPCRT4.dll
0x776c0000 0x11000    0xffff     C:\WINDOWS\system32\AUTHZ.dll
0x77c10000 0x58000    0xffff     C:\WINDOWS\system32\msvcrt.dll
0x77a80000 0x94000    0xffff     C:\WINDOWS\system32\CRYPT32.dll
0x77d40000 0x90000    0xffff     C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000    0xffff     C:\WINDOWS\system32\GDI32.dll
0x77b20000 0x12000    0xffff     C:\WINDOWS\system32\MSASN1.dll
0x75940000 0x8000     0xffff     C:\WINDOWS\system32\NDdeApi.dll
0x75930000 0xa000     0xffff     C:\WINDOWS\system32\PROFMAP.dll
0x5b860000 0x54000    0xffff     C:\WINDOWS\system32\NETAPI32.dll
0x769c0000 0xb3000    0xffff     C:\WINDOWS\system32\USERENV.dll
0x76bf0000 0xb000     0xffff     C:\WINDOWS\system32\PSAPI.DLL
0x76bc0000 0xf000     0xffff     C:\WINDOWS\system32\REGAPI.dll
0x77fe0000 0x11000    0xffff     C:\WINDOWS\system32\Secur32.dll
0x77920000 0xf3000    0xffff     C:\WINDOWS\system32\SETUPAPI.dll
0x77c00000 0x8000     0xffff     C:\WINDOWS\system32\VERSION.dll
0x76360000 0x10000    0xffff     C:\WINDOWS\system32\WINSTA.dll
0x76c30000 0x2e000    0xffff     C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 0x28000    0xffff     C:\WINDOWS\system32\IMAGEHLP.dll
0x71ab0000 0x17000    0xffff     C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000     0xffff     C:\WINDOWS\system32\WS2HELP.dll
0x10000000 0x59000    0x1        C:\WINDOWS\system32\mfc42ul.dll
0x71f60000 0x8000     0x1        C:\WINDOWS\system32\snmpapi.dll
0x75970000 0xf7000    0x2        C:\WINDOWS\system32\MSGINA.dll
0x7c9c0000 0x814000   0x10       C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000    0x1b       C:\WINDOWS\system32\SHLWAPI.dll
0x5d090000 0x97000    0x7        C:\WINDOWS\system32\COMCTL32.dll
0x74320000 0x3d000    0x2        C:\WINDOWS\system32\ODBC32.dll
0x763b0000 0x49000    0x2        C:\WINDOWS\system32\comdlg32.dll
0x773d0000 0x102000   0x3        C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x20000000 0x17000    0x1        C:\WINDOWS\system32\odbcint.dll
0x776e0000 0x23000    0x1        C:\WINDOWS\system32\SHSVCS.dll
0x76bb0000 0x5000     0x2        C:\WINDOWS\system32\sfc.dll
0x76c60000 0x2a000    0x5        C:\WINDOWS\system32\sfc_os.dll
0x774e0000 0x13c000   0x19       C:\WINDOWS\system32\ole32.dll
0x77b40000 0x22000    0x1        C:\WINDOWS\system32\Apphelp.dll
0x723d0000 0x1c000    0x7        C:\WINDOWS\system32\WINSCARD.DLL
0x76f50000 0x8000     0x7        C:\WINDOWS\system32\WTSAPI32.dll
0x75e90000 0xb0000    0x1        C:\WINDOWS\system32\sxs.dll
0x5ad70000 0x38000    0x5        C:\WINDOWS\system32\uxtheme.dll
0x76b40000 0x2d000    0x12       C:\WINDOWS\system32\WINMM.dll
0x76600000 0x1d000    0x2        C:\WINDOWS\system32\cscdll.dll
0x75950000 0x1a000    0x6        C:\WINDOWS\system32\WlNotify.dll
0x73000000 0x26000    0x6        C:\WINDOWS\system32\WINSPOOL.DRV
0x71b20000 0x12000    0x7        C:\WINDOWS\system32\MPR.dll
0x0ffd0000 0x28000    0x1        C:\WINDOWS\system32\rsaenh.dll
0x71bf0000 0x13000    0x4        C:\WINDOWS\system32\SAMLIB.dll
0x77c70000 0x23000    0x1        C:\WINDOWS\system32\msv1_0.dll
0x76d60000 0x19000    0x1        C:\WINDOWS\system32\iphlpapi.dll
0x76f60000 0x2c000    0x3        C:\WINDOWS\system32\wldap32.dll
0x77a20000 0x54000    0x1        C:\WINDOWS\system32\cscui.dll
0x76d40000 0x18000    0x1        C:\WINDOWS\system32\MPRAPI.dll
0x77cc0000 0x32000    0x1        C:\WINDOWS\system32\ACTIVEDS.dll
0x76e10000 0x25000    0x1        C:\WINDOWS\system32\adsldpc.dll
0x76b20000 0x11000    0x1        C:\WINDOWS\system32\ATL.DLL
0x77120000 0x8c000    0x4        C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000 0xe000     0x1        C:\WINDOWS\system32\rtutils.dll
0x014a0000 0x2c5000   0x2        C:\WINDOWS\system32\xpsp2res.dll
0x77050000 0xc5000    0x2        C:\WINDOWS\system32\COMRes.dll
0x76fd0000 0x7f000    0x2        C:\WINDOWS\system32\CLBCATQ.DLL
0x77690000 0x21000    0x1        C:\WINDOWS\system32\NTMARTA.DLL
0x72d20000 0x9000     0x6        C:\WINDOWS\system32\wdmaud.drv
0x72d10000 0x8000     0x2        C:\WINDOWS\system32\msacm32.drv
0x77be0000 0x15000    0x2        C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 0x7000     0x1        C:\WINDOWS\system32\midimap.dll
************************************************************************
services.exe pid:    676
Command line : C:\WINDOWS\system32\services.exe
Service Pack 2

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x1c000    0xffff     C:\WINDOWS\system32\services.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000    0xffff     C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x58000    0xffff     C:\WINDOWS\system32\msvcrt.dll
0x77dd0000 0x9b000    0xffff     C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000    0xffff     C:\WINDOWS\system32\RPCRT4.dll
0x77d40000 0x90000    0xffff     C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000    0xffff     C:\WINDOWS\system32\GDI32.dll
0x769c0000 0xb3000    0xffff     C:\WINDOWS\system32\USERENV.dll
0x758e0000 0x50000    0xffff     C:\WINDOWS\system32\SCESRV.dll
0x776c0000 0x11000    0xffff     C:\WINDOWS\system32\AUTHZ.dll
0x758c0000 0x1f000    0xffff     C:\WINDOWS\system32\umpnpmgr.dll
0x76360000 0x10000    0xffff     C:\WINDOWS\system32\WINSTA.dll
0x5b860000 0x54000    0xffff     C:\WINDOWS\system32\NETAPI32.dll
0x5f770000 0xc000     0xffff     C:\WINDOWS\system32\NCObjAPI.DLL
0x76080000 0x65000    0xffff     C:\WINDOWS\system32\MSVCP60.dll
0x5cb70000 0x26000    0x1        C:\WINDOWS\system32\ShimEng.dll
0x6f880000 0x1ca000   0x1        C:\WINDOWS\AppPatch\AcGenral.DLL
0x76b40000 0x2d000    0x2        C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13c000   0x2        C:\WINDOWS\system32\ole32.dll
0x77120000 0x8c000    0x1        C:\WINDOWS\system32\OLEAUT32.dll
0x77be0000 0x15000    0x1        C:\WINDOWS\system32\MSACM32.dll
0x77c00000 0x8000     0x3        C:\WINDOWS\system32\VERSION.dll
0x7c9c0000 0x814000   0x1        C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000    0x3        C:\WINDOWS\system32\SHLWAPI.dll
0x5ad70000 0x38000    0x1        C:\WINDOWS\system32\UxTheme.dll
0x10000000 0x59000    0x1        C:\WINDOWS\system32\mfc42ul.dll
0x71ab0000 0x17000    0x3        C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000     0x2        C:\WINDOWS\system32\WS2HELP.dll
0x71f60000 0x8000     0x1        C:\WINDOWS\system32\snmpapi.dll
0x773d0000 0x102000   0x1        C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x5d090000 0x97000    0x1        C:\WINDOWS\system32\comctl32.dll
0x77fe0000 0x11000    0x3        C:\WINDOWS\system32\secur32.dll
0x77b40000 0x22000    0x1        C:\WINDOWS\system32\Apphelp.dll
0x77b70000 0x11000    0x1        C:\WINDOWS\system32\eventlog.dll
0x76bf0000 0xb000     0x1        C:\WINDOWS\system32\PSAPI.DLL
0x76f50000 0x8000     0x1        C:\WINDOWS\system32\wtsapi32.dll
************************************************************************
```

Unfortunately, examining the output generated from this plugin can in some cases (such as this) be both time-consuming and painstaking.


The preferred method for detecting indicators of compromise is two-fold. First, using keywords (such as 0zapftis, infection, rootkit, worm, etc.) it may be possible to find the infection, as malware programmers do not often use innocuous filenames. Of course, this is at best a hit-and-miss approach. Second, an investigator may attempt to detect suspicious files based on their names and locations. However, this requires that the investigator have a very good working knowledge of the underlying operating system: looking blindly at filenames and locations will not produce meaningful results unless something really sticks out.

 

Recall that a reliable source of filenames is the NIST NSRL hash-set. It can be broken down manually using command-line text processing tools by software product and operating system.


For this specific investigation, since the emphasis is on finding indicators of compromise without the use of external documentation, the investigator must studiously examine the plugin's output. In the output shown above, the suspicious DLL is mfc42ul.dll. This file does not belong in the Windows System32 directory. While it looks valid, because many MFC-based files can be found in a valid Windows installation, this file does not match any entry in the known list of files (the NSRL hash set). However, mfc42u.dll is a very close match to this suspicious filename and is a known Windows file. The suspicious DLL was found at base offset 0x10000000 and may have been used to carry out DLL injection. Upon closer inspection of the lengthy output generated by this plugin, 15 instances of this DLL were found in the memory address spaces of other processes.
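As an added example (not code from the original post), the following Python parses dlllist output and applies three of the checks described above: a module name missing from a known-name list (KNOWN_NAMES is a constructed stand-in for an NSRL lookup), a name one edit away from a known name (mfc42ul.dll against mfc42u.dll), and a module mapped at 0x10000000, the MSVC linker's default DLL image base, which Windows' own system DLLs are not linked at. The dlllist excerpt is a constructed subset of the output above.

```python
"""Triage Volatility dlllist output: who loads what, and which names look off (added example)."""
import re
from collections import defaultdict

# Constructed excerpt of the dlllist output shown above (two processes, a few modules each).
DLLLIST_OUT = r"""
************************************************************************
winlogon.exe pid:    632
Command line : winlogon.exe
Service Pack 2

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x80000    0xffff     \??\C:\WINDOWS\system32\winlogon.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
0x71ab0000 0x17000    0xffff     C:\WINDOWS\system32\WS2_32.dll
0x10000000 0x59000    0x1        C:\WINDOWS\system32\mfc42ul.dll
0x75970000 0xf7000    0x2        C:\WINDOWS\system32\MSGINA.dll
************************************************************************
services.exe pid:    676
Command line : C:\WINDOWS\system32\services.exe
Service Pack 2

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x1c000    0xffff     C:\WINDOWS\system32\services.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
0x10000000 0x59000    0x1        C:\WINDOWS\system32\mfc42ul.dll
0x71ab0000 0x17000    0x3        C:\WINDOWS\system32\WS2_32.dll
************************************************************************
"""

# Constructed stand-in for a known-good name list (in practice derived from the NSRL hash set).
KNOWN_NAMES = {"ntdll.dll", "ws2_32.dll", "msgina.dll", "mfc42.dll", "mfc42u.dll",
               "winlogon.exe", "services.exe"}

# MSVC's default DLL image base; Microsoft's own system DLLs are linked at unique bases.
DEFAULT_DLL_BASE = 0x10000000

HEADER_RE = re.compile(r"^(\S+) pid:\s+(\d+)\s*$")
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")


def parse_dlllist(text):
    """Return {(process, pid): [(base, size, loadcount, path), ...]}."""
    procs, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = (h.group(1), int(h.group(2)))
            procs[current] = []
            continue
        r = ROW_RE.match(line)
        if r and current is not None:
            base, size, count, path = r.groups()
            procs[current].append((int(base, 16), int(size, 16), int(count, 16), path))
    return procs


def loaders_by_module(procs):
    """Map lower-cased module path -> set of PIDs that have it mapped (the '15 instances' count)."""
    loaders = defaultdict(set)
    for (_, pid), mods in procs.items():
        for _, _, _, path in mods:
            loaders[path.lower()].add(pid)
    return loaders


def levenshtein(a, b):
    """Edit distance; used to catch look-alike names such as mfc42ul.dll vs mfc42u.dll."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs, known=KNOWN_NAMES):
    """Flag modules not in the known list, one edit away from a known name, or at the default DLL base."""
    findings = {}
    for (_, pid), mods in procs.items():
        for base, _, _, path in mods:
            fname = path.rsplit("\\", 1)[-1].lower()
            reasons = []
            if fname not in known:
                reasons.append("not in known-name list")
                near = sorted(k for k in known if levenshtein(fname, k) == 1)
                if near:
                    reasons.append("one edit away from " + ", ".join(near))
            if base == DEFAULT_DLL_BASE and fname.endswith(".dll"):
                reasons.append("mapped at default DLL base 0x10000000")
            if reasons:
                entry = findings.setdefault(fname, {"pids": set(), "reasons": set()})
                entry["pids"].add(pid)
                entry["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for fname, info in triage(parse_dlllist(DLLLIST_OUT)).items():
        print(f"{fname}: pids={sorted(info['pids'])}; " + "; ".join(sorted(info["reasons"])))
```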


To list version information about Portable Executable (PE) files, use the verinfo plugin command. A truncated output is shown below:


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem verinfo
Volatility Foundation Volatility Framework 2.6
\SystemRoot\System32\smss.exe
C:\WINDOWS\system32\ntdll.dll
\??\C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\CSRSRV.dll
C:\WINDOWS\system32\basesrv.dll
C:\WINDOWS\system32\winsrv.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Windows Server DLL
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : winsrv
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : winsrv.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\USER32.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Windows XP USER API Client DLL
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : user32
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : user32
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\KERNEL32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\sxs.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Fusion 2.5
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : SXS.DLL
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : SXS.DLL
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\ADVAPI32.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Advanced Windows 32 Base API
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : advapi32.dll
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : advapi32.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\RPCRT4.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Remote Procedure Call Runtime
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : rpcrt4.dll
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : rpcrt4.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
\??\C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\odbcint.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\wdmaud.drv
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Driver
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : WDM Audio driver mapper
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : WDMAUD.DRV
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : WDMAUD.DRV
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\msacm32.drv
  File version    : 5.1.2600.0
  Product version : 5.1.2600.0
  Flags           :
  OS              : Windows NT
  File Type       : Driver
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Microsoft Sound Mapper
  FileVersion : 5.1.2600.0 (xpclient.010817-1148)
  InternalName : Microsoft Sound Mapper
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : msacm32.acm
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.0
```


If an infection is active but does not reveal itself via the network, the filescan plugin may be of assistance, as it may be able to find open file handles in memory. Unfortunately, no direct link to these files is possible, as the physical disk image is not available for analysis. This plugin uses physical address offsets.

 

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem filescan
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000000156bcb0      2      1 ------ \Device\Afd\Endpoint
0x000000000156f100      1      1 ------ \Device\NamedPipe\W32TIME
0x00000000015a9a70      1      0 ------ \Device\KSENUM#00000002\{9B365890-165F-11D0-A195-0020AFD156E4}
0x00000000015ac5c8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015ac6b0      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\Media\Windows XP Startup.wav
0x00000000015ac8f0      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
0x00000000015ad318      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\webcheck.dll
0x00000000015ad740      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\themeui.dll
0x00000000015ad858      1      1 ------ \Device\Afd\Endpoint
0x00000000015adb98      1      1 R--r-- \Device\HarddiskVolume1\WINDOWS\system32\ega.cpi
0x00000000015ae208      2      1 R--rw- \Device\HarddiskVolume1\Program Files\Windows NT\Accessories
0x00000000015ae3d0      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\moricons.dll
0x00000000015afbf0      1      0 R--r-- \Device\HarddiskVolume1\WINDOWS\Fonts\framdit.ttf
0x00000000015afe08      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32
0x00000000015b0128      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32
0x00000000015b01d8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015b0af0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015b0c10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015b1028      1      0 ------ \Device\KSENUM#00000002\{9B365890-165F-11D0-A195-0020AFD156E4}
0x00000000015b2380      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\dllcache
0x00000000015b2a38      1      1 RW-r-- \Device\HarddiskVolume1\WINDOWS\SoftwareDistribution\ReportingEvents.log
0x00000000015b2ad0      2      1 ------ \Device\Afd\Endpoint
0x00000000015b30b8      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Music\Desktop.ini
0x00000000015b40b8      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\explorer.exe
0x00000000015b41f0      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0426
0x00000000015b4318      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0425
0x00000000015b4f18      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
0x00000000015b5028      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0410
0x00000000015b5118      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0411
0x00000000015b6318      2      1 R--rw- \Device\HarddiskVolume1\Program Files\xerox\nwwia
0x00000000015b7028      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\wscntfy.exe
0x00000000015b8128      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\mfc42ul.dll
0x00000000015b9138      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0414
0x00000000015b9320      1      1 ------ \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4}
0x00000000015b95b8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015ba128      2      1 ------ \Device\NamedPipe\TerminalServer\AutoReconnect
0x00000000015ba418      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\inf
0x00000000015ba4b0      2      1 R--rw- \Device\HarddiskVolume1\Program Files\Common Files\System\Ole DB
```

Once again the suspicious DLL was found at the physical memory address 0x00000000015b8128.

 

For a process to access other elements of the system, it must first acquire a handle to the objects that it wants to manipulate. Whether reading a file, writing to a registry key, or opening a connection to a remote share, the process must have permission to access the object and secure a handle to that object. Permissions are determined based on the user account that is attempting to perform an action and the permissions that have been assigned to that user and/or the groups of which it is a member. A process is assigned a security token based on the user context in which it was run. This token lists the user and/or groups on whose behalf the process is working, which in turn determines which files it may access and other security permissions. The operating system uniquely refers to each user or group with a numeric Security Identifier (SID). To determine the SIDs that are associated with a process’ token, use the following command:

 

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem getsids
Volatility Foundation Volatility Framework 2.6
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
System (4): S-1-1-0 (Everyone)
System (4): S-1-5-11 (Authenticated Users)
smss.exe (536): S-1-5-18 (Local System)
smss.exe (536): S-1-5-32-544 (Administrators)
smss.exe (536): S-1-1-0 (Everyone)
smss.exe (536): S-1-5-11 (Authenticated Users)
csrss.exe (608): S-1-5-18 (Local System)
csrss.exe (608): S-1-5-32-544 (Administrators)
csrss.exe (608): S-1-1-0 (Everyone)
csrss.exe (608): S-1-5-11 (Authenticated Users)
winlogon.exe (632): S-1-5-18 (Local System)
winlogon.exe (632): S-1-5-32-544 (Administrators)
winlogon.exe (632): S-1-1-0 (Everyone)
winlogon.exe (632): S-1-5-11 (Authenticated Users)
services.exe (676): S-1-5-18 (Local System)
services.exe (676): S-1-5-32-544 (Administrators)
services.exe (676): S-1-1-0 (Everyone)
services.exe (676): S-1-5-11 (Authenticated Users)
lsass.exe (688): S-1-5-18 (Local System)
lsass.exe (688): S-1-5-32-544 (Administrators)
lsass.exe (688): S-1-1-0 (Everyone)
lsass.exe (688): S-1-5-11 (Authenticated Users)
vmacthlp.exe (832): S-1-5-18 (Local System)
vmacthlp.exe (832): S-1-5-32-544 (Administrators)
vmacthlp.exe (832): S-1-1-0 (Everyone)
vmacthlp.exe (832): S-1-5-11 (Authenticated Users)
svchost.exe (848): S-1-5-18 (Local System)
svchost.exe (848): S-1-5-32-544 (Administrators)
svchost.exe (848): S-1-1-0 (Everyone)
svchost.exe (848): S-1-5-11 (Authenticated Users)
svchost.exe (916): S-1-5-20 (NT Authority)
svchost.exe (916): S-1-5-20 (NT Authority)
svchost.exe (916): S-1-1-0 (Everyone)
svchost.exe (916): S-1-5-32-545 (Users)
svchost.exe (916): S-1-5-6 (Service)
svchost.exe (916): S-1-5-11 (Authenticated Users)
svchost.exe (916): S-1-5-5-0-54905 (Logon Session)
svchost.exe (916): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (916): S-1-1-0 (Everyone)
svchost.exe (916): S-1-5-11 (Authenticated Users)
svchost.exe (916): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (916): S-1-5-32-545 (Users)
svchost.exe (964): S-1-5-18 (Local System)
svchost.exe (964): S-1-5-32-544 (Administrators)
svchost.exe (964): S-1-1-0 (Everyone)
svchost.exe (964): S-1-5-11 (Authenticated Users)
svchost.exe (1020): S-1-5-20 (NT Authority)
svchost.exe (1020): S-1-5-20 (NT Authority)
svchost.exe (1020): S-1-1-0 (Everyone)
svchost.exe (1020): S-1-5-32-545 (Users)
svchost.exe (1020): S-1-5-6 (Service)
svchost.exe (1020): S-1-5-11 (Authenticated Users)
svchost.exe (1020): S-1-5-5-0-57076 (Logon Session)
svchost.exe (1020): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1020): S-1-1-0 (Everyone)
svchost.exe (1020): S-1-5-11 (Authenticated Users)
svchost.exe (1020): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1020): S-1-5-32-545 (Users)
svchost.exe (1148): S-1-5-19 (NT Authority)
svchost.exe (1148): S-1-5-19 (NT Authority)
svchost.exe (1148): S-1-1-0 (Everyone)
svchost.exe (1148): S-1-5-32-545 (Users)
svchost.exe (1148): S-1-5-6 (Service)
svchost.exe (1148): S-1-5-11 (Authenticated Users)
svchost.exe (1148): S-1-5-5-0-57864 (Logon Session)
svchost.exe (1148): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1148): S-1-1-0 (Everyone)
svchost.exe (1148): S-1-5-11 (Authenticated Users)
svchost.exe (1148): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1148): S-1-5-32-545 (Users)
spoolsv.exe (1260): S-1-5-18 (Local System)
spoolsv.exe (1260): S-1-5-32-544 (Administrators)
spoolsv.exe (1260): S-1-1-0 (Everyone)
spoolsv.exe (1260): S-1-5-11 (Authenticated Users)
VMwareService.e (1444): S-1-5-18 (Local System)
VMwareService.e (1444): S-1-5-32-544 (Administrators)
VMwareService.e (1444): S-1-1-0 (Everyone)
VMwareService.e (1444): S-1-5-11 (Authenticated Users)
alg.exe (1616): S-1-5-19 (NT Authority)
alg.exe (1616): S-1-5-19 (NT Authority)
alg.exe (1616): S-1-1-0 (Everyone)
alg.exe (1616): S-1-5-32-545 (Users)
alg.exe (1616): S-1-5-6 (Service)
alg.exe (1616): S-1-5-11 (Authenticated Users)
alg.exe (1616): S-1-5-5-0-73075 (Logon Session)
alg.exe (1616): S-1-2-0 (Local (Users with the ability to log in locally))
alg.exe (1616): S-1-1-0 (Everyone)
alg.exe (1616): S-1-5-11 (Authenticated Users)
alg.exe (1616): S-1-2-0 (Local (Users with the ability to log in locally))
alg.exe (1616): S-1-5-32-545 (Users)
wscntfy.exe (1920): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
wscntfy.exe (1920): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
wscntfy.exe (1920): S-1-1-0 (Everyone)
wscntfy.exe (1920): S-1-5-32-544 (Administrators)
wscntfy.exe (1920): S-1-5-32-545 (Users)
wscntfy.exe (1920): S-1-5-4 (Interactive)
wscntfy.exe (1920): S-1-5-11 (Authenticated Users)
wscntfy.exe (1920): S-1-5-5-0-59067 (Logon Session)
wscntfy.exe (1920): S-1-2-0 (Local (Users with the ability to log in locally))
explorer.exe (1956): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
explorer.exe (1956): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
explorer.exe (1956): S-1-1-0 (Everyone)
explorer.exe (1956): S-1-5-32-544 (Administrators)
explorer.exe (1956): S-1-5-32-545 (Users)
explorer.exe (1956): S-1-5-4 (Interactive)
explorer.exe (1956): S-1-5-11 (Authenticated Users)
explorer.exe (1956): S-1-5-5-0-59067 (Logon Session)
explorer.exe (1956): S-1-2-0 (Local (Users with the ability to log in locally))
VMwareTray.exe (184): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
VMwareTray.exe (184): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
VMwareTray.exe (184): S-1-1-0 (Everyone)
VMwareTray.exe (184): S-1-5-32-544 (Administrators)
VMwareTray.exe (184): S-1-5-32-545 (Users)
VMwareTray.exe (184): S-1-5-4 (Interactive)
VMwareTray.exe (184): S-1-5-11 (Authenticated Users)
VMwareTray.exe (184): S-1-5-5-0-59067 (Logon Session)
VMwareTray.exe (184): S-1-2-0 (Local (Users with the ability to log in locally))
VMwareUser.exe (192): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
VMwareUser.exe (192): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
VMwareUser.exe (192): S-1-1-0 (Everyone)
VMwareUser.exe (192): S-1-5-32-544 (Administrators)
VMwareUser.exe (192): S-1-5-32-545 (Users)
VMwareUser.exe (192): S-1-5-4 (Interactive)
VMwareUser.exe (192): S-1-5-11 (Authenticated Users)
VMwareUser.exe (192): S-1-5-5-0-59067 (Logon Session)
VMwareUser.exe (192): S-1-2-0 (Local (Users with the ability to log in locally))
reader_sl.exe (228): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
reader_sl.exe (228): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
reader_sl.exe (228): S-1-1-0 (Everyone)
reader_sl.exe (228): S-1-5-32-544 (Administrators)
reader_sl.exe (228): S-1-5-32-545 (Users)
reader_sl.exe (228): S-1-5-4 (Interactive)
reader_sl.exe (228): S-1-5-11 (Authenticated Users)
reader_sl.exe (228): S-1-5-5-0-59067 (Logon Session)
reader_sl.exe (228): S-1-2-0 (Local (Users with the ability to log in locally))
wuauclt.exe (400): S-1-5-18 (Local System)
wuauclt.exe (400): S-1-5-32-544 (Administrators)
wuauclt.exe (400): S-1-1-0 (Everyone)
wuauclt.exe (400): S-1-5-11 (Authenticated Users)
cmd.exe (544): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
cmd.exe (544): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
cmd.exe (544): S-1-1-0 (Everyone)
cmd.exe (544): S-1-5-32-544 (Administrators)
cmd.exe (544): S-1-5-32-545 (Users)
cmd.exe (544): S-1-5-4 (Interactive)
cmd.exe (544): S-1-5-11 (Authenticated Users)
cmd.exe (544): S-1-5-5-0-59067 (Logon Session)
cmd.exe (544): S-1-2-0 (Local (Users with the ability to log in locally))
```

 

In addition to permissions, a process may also be assigned privileges by the operating system to perform certain tasks. Privileges include things like the ability to bypass file permissions in order to read files to make backup copies, the ability to access the memory of any process to perform debugging operations, the ability to shut down or restart the system, or the ability to load kernel drivers. These privileges are determined in accordance with local computer policies set by the system administrator. Malware will frequently attempt to enable additional privileges to allow a malicious process to perform additional tasks. To list the privileges assigned or enabled for a process, use the following command:

 

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem privs -p 1956
Volatility Foundation Volatility Framework 2.6
Pid      Process          Value  Privilege                            Attributes               Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
    1956 explorer.exe         23 SeChangeNotifyPrivilege              Present,Enabled,Default  Receive notifications of changes to files or directories
    1956 explorer.exe          8 SeSecurityPrivilege                  Present                  Manage auditing and security log
    1956 explorer.exe         17 SeBackupPrivilege                    Present                  Backup files and directories
    1956 explorer.exe         18 SeRestorePrivilege                   Present                  Restore files and directories
    1956 explorer.exe         12 SeSystemtimePrivilege                Present                  Change the system time
    1956 explorer.exe         19 SeShutdownPrivilege                  Present                  Shut down the system
    1956 explorer.exe         24 SeRemoteShutdownPrivilege            Present                  Force shutdown from a remote system
    1956 explorer.exe          9 SeTakeOwnershipPrivilege             Present                  Take ownership of files/objects
    1956 explorer.exe         20 SeDebugPrivilege                     Present                  Debug programs
    1956 explorer.exe         22 SeSystemEnvironmentPrivilege         Present                  Edit firmware environment values
    1956 explorer.exe         11 SeSystemProfilePrivilege             Present                  Profile system performance
    1956 explorer.exe         13 SeProfileSingleProcessPrivilege      Present                  Profile a single process
    1956 explorer.exe         14 SeIncreaseBasePriorityPrivilege      Present                  Increase scheduling priority
    1956 explorer.exe         10 SeLoadDriverPrivilege                Present,Enabled          Load and unload device drivers
    1956 explorer.exe         15 SeCreatePagefilePrivilege            Present                  Create a pagefile
    1956 explorer.exe          5 SeIncreaseQuotaPrivilege             Present                  Increase quotas
    1956 explorer.exe         25 SeUndockPrivilege                    Present,Enabled          Remove computer from docking station
    1956 explorer.exe         28 SeManageVolumePrivilege              Present                  Manage the files on a volume
    1956 explorer.exe         29 SeImpersonatePrivilege               Present,Enabled,Default  Impersonate a client after authentication
    1956 explorer.exe         30 SeCreateGlobalPrivilege              Present,Enabled,Default  Create global objects
```

 

The output of this command will list the various privileges that are present for that process, an indicator of whether each privilege is enabled, a note as to whether the system enabled the privilege by default or whether it was explicitly enabled, and a description of what the privilege allows the process to do. Before a privilege may be used, it must first be enabled. Therefore, your analysis should pay attention to enabled privileges, particularly those that were not enabled by default, as they indicate a privilege that the malware bothered to specifically enable and has likely used or intended to use. The --silent option can be added to show only those privileges that were explicitly enabled.
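As an added example (not code from the original post or from the Volatility project), the script below parses privs output that has been copied from the console and applies the heuristic just described: per process, it reports the privileges that are Enabled but not Default, which is the same set --silent shows. The explorer.exe rows are taken from the output above; the cmd.exe row with an empty Attributes column is constructed to show that case.

```python
"""Filter Volatility 2 privs output for explicitly enabled privileges.

Added example, not code from the original post or the Volatility project.
It parses rows copied from the privs plugin and reports, per process, the
privileges that are Enabled but not Default: the ones the process (or the
malware running inside it) had to turn on itself.
"""
from typing import Dict, List

# Constructed sample: explorer.exe rows are taken from the post's output;
# the cmd.exe row with an empty Attributes column is made up for this example.
PRIVS = """\
Pid      Process          Value  Privilege                 Attributes               Description
-------- ---------------- ------ ------------------------- ------------------------ -----------
    1956 explorer.exe         23 SeChangeNotifyPrivilege   Present,Enabled,Default  Receive notifications of changes to files or directories
    1956 explorer.exe         20 SeDebugPrivilege          Present                  Debug programs
    1956 explorer.exe         10 SeLoadDriverPrivilege     Present,Enabled          Load and unload device drivers
    1956 explorer.exe         25 SeUndockPrivilege         Present,Enabled          Remove computer from docking station
    1956 explorer.exe         29 SeImpersonatePrivilege    Present,Enabled,Default  Impersonate a client after authentication
     544 cmd.exe               2 SeCreateTokenPrivilege                             Create a token object
"""

ATTR_WORDS = {"Present", "Enabled", "Default"}


def parse_privs(text: str) -> List[dict]:
    """Parse privs rows (Pid Process Value Privilege Attributes Description).

    Attributes is a comma-separated subset of ATTR_WORDS and may be empty,
    in which case the description follows the privilege name directly."""
    rows = []
    for p in (ln.split(None, 4) for ln in text.splitlines()):
        if len(p) < 5 or not p[0].isdigit():
            continue  # header, separator or blank line
        first, _, tail = p[4].partition(" ")
        flags = set(first.split(","))
        if flags <= ATTR_WORDS:
            attrs, desc = flags, tail.strip()
        else:                           # no attributes on this row
            attrs, desc = set(), p[4].strip()
        rows.append({"pid": int(p[0]), "process": p[1], "privilege": p[3],
                     "attrs": attrs, "description": desc})
    return rows


def explicitly_enabled(rows: List[dict]) -> Dict[int, List[str]]:
    """Per PID, privileges that are Enabled but were not enabled by Default.

    This mirrors what the plugin's --silent option shows and is the set the
    post says to pay attention to."""
    out: Dict[int, List[str]] = {}
    for r in rows:
        if "Enabled" in r["attrs"] and "Default" not in r["attrs"]:
            out.setdefault(r["pid"], []).append(r["privilege"])
    return out


if __name__ == "__main__":
    for pid, privs in explicitly_enabled(parse_privs(PRIVS)).items():
        print(pid, "explicitly enabled:", ", ".join(privs))
```

For the sample above the only hits are explorer.exe's SeLoadDriverPrivilege and SeUndockPrivilege, which is worth noting given that a kernel driver turns up later in this investigation.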

 

You can also view information about Windows thread-based mutexes in memory to identify typical malware patterns. This can be done using the mutantscan plugin. This plugin makes use of physical offset addressing.


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem mutantscan
Volatility Foundation Volatility Framework 2.6
Offset(P)              #Ptr     #Hnd Signal Thread     CID       Name
------------------ -------- -------- ------ ---------- --------- ----
0x000000000156b260        1        1      1 0x00000000
0x000000000156e708        1        1      1 0x00000000
0x00000000015a9550        1        1      1 0x00000000
0x00000000015a9c08        1        1      1 0x00000000
0x00000000015a9ee8        1        1      1 0x00000000
0x00000000015aad68        1        1      1 0x00000000
0x00000000015ad538        2        1      1 0x00000000           WininetStartupMutex
0x00000000015ad5d0        1        1      1 0x00000000
0x00000000015ae2c0        1        1      1 0x00000000
0x00000000015af6e8        1        1      1 0x00000000
0x00000000015b0990        1        1      1 0x00000000
0x00000000015b2250        1        1      1 0x00000000
0x00000000015b2c20        2        1      1 0x00000000           msgina: InteractiveLogonRequestMutex
0x00000000015b2c70        2        1      1 0x00000000           msgina: InteractiveLogonMutex
0x00000000015b3ec8        1        1      1 0x00000000
0x00000000015b4fe0        2        1      1 0x00000000           ExplorerIsShellMutex
0x00000000015b70f0        2        1      0 0x815cb988 1920:1928 wscntfy_mtx
0x00000000015b9978        1        1      1 0x00000000
0x00000000015b9b80        1        1      1 0x00000000
0x00000000015c1dc0        2        1      1 0x00000000           PSched_Perf_Library_Lock_PID_5a4
0x00000000016824f8        1        1      1 0x00000000
0x0000000001683470        1        1      1 0x00000000
0x00000000016834e0        1        1      1 0x00000000
0x0000000001686020        1        1      1 0x00000000
0x0000000001688630        2        1      1 0x00000000           _SHuassist.mtx
0x00000000016888c0        2        1      0 0x81484788 400:420   Instance0: ESENT Performance Data Schema Version 40
0x00000000016cdfb8        2        1      1 0x00000000           c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
0x000000000178e020        1        1      1 0x00000000
0x00000000017912f8        1        1      1 0x00000000
0x0000000001794368        4        3      1 0x00000000           WindowsUpdateTracingMutex
0x00000000017960a8        1        1      1 0x00000000
0x00000000017b3648        1        1      1 0x00000000
0x00000000017b3a70        1        1      1 0x00000000
0x00000000017b3e98        1        1      1 0x00000000
0x00000000017b4488        2        1      1 0x00000000           ISAPISearch_Perf_Library_Lock_PID_5a4
0x00000000017b53b8        1        1      1 0x00000000
0x00000000017b5e98        1        1      1 0x00000000
0x00000000017b7138        1        1      1 0x00000000
0x00000000017b7810        7        6      1 0x00000000           SHIMLIB_LOG_MUTEX
0x00000000017ba390        3        2      1 0x00000000           _!MSFTHISTORY!_
0x00000000017be2f0        2        1      1 0x00000000           MSDTC_Perf_Library_Lock_PID_5a4
0x00000000017c2180        1        1      1 0x00000000
0x00000000017c3120        1        1      1 0x00000000
0x00000000017d1f90        2        1      1 0x00000000           TermService_Perf_Library_Lock_PID_5a4
0x00000000017d1fe0        2        1      1 0x00000000           Tcpip_Perf_Library_Lock_PID_5a4
0x00000000017d51d8        1        1      1 0x00000000
0x00000000017d6f60        2        1      0 0x813b7230 1956:2000 SYS!ICP!94062
0x00000000017d6fa0        1        1      1 0x00000000
0x00000000017d72a0        1        1      1 0x00000000
0x00000000017db8f8        2        1      1 0x00000000           WPA_LICSTORE_MUTEX
0x00000000017db948        2        1      1 0x00000000           WPA_HWID_MUTEX
0x00000000017db998        2        1      1 0x00000000           WPA_LT_MUTEX
0x00000000017db9e8        2        1      1 0x00000000           WPA_RT_MUTEX
0x00000000017dba38        2        1      1 0x00000000           WPA_PR_MUTEX
0x00000000017f88e0        2        1      1 0x00000000           746bbf3569adEncrypt
0x00000000018071f8        1        1      1 0x00000000
0x0000000001807268        1        1      1 0x00000000
0x000000000180b148        1        1      1 0x00000000
0x000000000180b640        2        1      1 0x00000000           PerfDisk_Perf_Library_Lock_PID_5a4
0x000000000181a168        2        1      1 0x00000000           winlogon: Logon UserProfileMapping Mutex
0x0000000001845eb8        1        1      1 0x00000000
0x0000000001845ef8        1        1      1 0x00000000
0x000000000184b3a8        1        1      1 0x00000000
0x000000000188c230        1        1      1 0x00000000
0x00000000018c23b8        1        1      1 0x00000000
0x00000000018c27e0        1        1      1 0x00000000
0x00000000018c2c08        1        1      1 0x00000000
0x00000000018c3580        1        1      1 0x00000000
0x00000000018c5740        1        1      1 0x00000000
0x00000000018c5e50        1        1      1 0x00000000
0x00000000018c7a70        1        1      1 0x00000000
0x00000000018c7e98        1        1      1 0x00000000
0x00000000018c7f20        1        1      1 0x00000000
0x00000000018c99a0        3        2      1 0x00000000           RasPbFile
0x00000000018c99e0        1        1      1 0x00000000
0x00000000018c9b70        1        1      1 0x00000000
0x00000000018c9be0        1        1      1 0x00000000
0x00000000018cd220        1        1      1 0x00000000
0x00000000018d01d8        2        1      1 0x00000000           ContentFilter_Perf_Library_Lock_PID_5a4
0x00000000018d2648        1        1      1 0x00000000
0x00000000018d51c0        1        1      1 0x00000000
0x00000000018d8180        2        1      1 0x00000000           SYS!IPC!79025
0x00000000018d8278        2        1      1 0x00000000           ThinPrint-L
0x00000000018e1a28        2        1      1 0x00000000           PerfNet_Perf_Library_Lock_PID_5a4
0x00000000018e6350        1        1      1 0x00000000
0x00000000019095f0        1        1      1 0x00000000
0x00000000019519d0        1        1      1 0x00000000
0x0000000001955548        3        2      1 0x00000000           SRDataStore
0x0000000001971220        1        1      1 0x00000000
0x00000000019743b8        1        1      1 0x00000000
0x00000000019747e0        1        1      1 0x00000000
0x0000000001975a70        1        1      1 0x00000000
0x0000000001975f40        2        1      1 0x00000000           ZonesLockedCacheCounterMutex
0x0000000001975f90        2        1      1 0x00000000           ZonesCacheCounterMutex
0x0000000001975fe0        2        1      1 0x00000000           ZonesCounterMutex
0x00000000019768d8        1        1      1 0x00000000
0x0000000001976d00        1        1      1 0x00000000
0x0000000001977a70        1        1      1 0x00000000
0x0000000001978c28        1        1      1 0x00000000
0x000000000197b220        1        1      1 0x00000000
0x000000000197b648        1        1      1 0x00000000
0x000000000197ba70        1        1      1 0x00000000
0x000000000197e1c0        1        1      1 0x00000000
0x000000000197ef38        3        2      1 0x00000000           SYS!ICP!393-1M
0x000000000197efe0        2        1     -1 0x813bea80 1956:1980 SYS!IPC!79027
0x000000000197f990        1        1      1 0x00000000
0x0000000001980d00        1        1      1 0x00000000
0x00000000019813e8        2        1      1 0x00000000           c:!documents and settings!administrator!local settings!history!history.ie5!
0x0000000001982120        1        1      1 0x00000000
0x00000000019831c0        1        1      1 0x00000000
0x000000000198fc88        1        1      1 0x00000000
0x0000000001992960        1        1      1 0x00000000
0x0000000001992a80        1        1      1 0x00000000
0x00000000019960b8        2        1      1 0x00000000           4FCC0DEFE22C4f138FB9D5AF25FD9398
0x0000000001996108        2        1      1 0x00000000           0CADFD67AF62496dB34264F000F5624A
0x0000000001996628        1        1      1 0x00000000
0x00000000019966f8        2        1      1 0x00000000           238FAD3109D3473aB4764B20B3731840
0x00000000019a5658        1        1      1 0x00000000
0x00000000019a56c8        1        1      1 0x00000000
0x00000000019a5de8        1        1      1 0x00000000
0x00000000019a84d0        1        1      1 0x00000000
0x00000000019db620        2        1      1 0x00000000           PerfOS_Perf_Library_Lock_PID_5a4
0x00000000019eb3d0        1        1      1 0x00000000
0x00000000019eced8        1        1      1 0x00000000
0x0000000001a0b2d0        1        1      1 0x00000000
0x0000000001a0c448        1        1      1 0x00000000
0x0000000001a0c6e8        1        1      1 0x00000000
0x0000000001a1aa70        1        1      1 0x00000000
0x0000000001a1ae98        1        1      1 0x00000000
0x0000000001a1ba80        2        1      1 0x00000000           PnP_Init_Mutex
0x0000000001a1bc08        2        1      1 0x00000000           c:!documents and settings!administrator!cookies!
0x0000000001a1c730        2        1      1 0x00000000           WininetProxyRegistryMutex
0x0000000001a1c770        1        1      1 0x00000000
0x0000000001a1fc90        2        1      1 0x00000000           VMwareGuestDnDDataMutex
0x0000000001a223b8        1        1      1 0x00000000
0x0000000001a240e0        2        1      1 0x00000000           ContentIndex_Perf_Library_Lock_PID_5a4
0x0000000001a281d0        2        1      1 0x00000000           RSVP_Perf_Library_Lock_PID_5a4
0x0000000001a28220        1        1      1 0x00000000
0x0000000001a29790        2        1      1 0x00000000           PerfProc_Perf_Library_Lock_PID_5a4
0x0000000001a2b180        1        1      1 0x00000000
0x0000000001a2c180        3        2      1 0x00000000           MidiMapper_modLongMessage_RefCnt
0x0000000001a2eac0        3        2      1 0x00000000           SYS!ICP!393-1MR
0x0000000001a30290        3        2      1 0x00000000           MidiMapper_Configure
0x0000000001a31020        1        1      1 0x00000000
0x0000000001a391e8        1        1      1 0x00000000
0x0000000001a39728        2        1      1 0x00000000           c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
0x0000000001a39838        2        1      1 0x00000000           c:!documents and settings!localservice!cookies!
0x0000000001a3ba50        2        1      1 0x00000000           TapiSrv_Perf_Library_Lock_PID_5a4
0x0000000001a3baa0        2        1      1 0x00000000           Spooler_Perf_Library_Lock_PID_5a4
0x0000000001a400c8        1        1      1 0x00000000
0x0000000001a40118        2        1      1 0x00000000           RemoteAccess_Perf_Library_Lock_PID_5a4
0x0000000001a9b528        1        1      1 0x00000000
0x0000000001a9b7f0        2        1      1 0x00000000           c:!documents and settings!localservice!local settings!history!history.ie5!
0x0000000001a9e0f0        2        1      1 0x00000000           userenv: Machine Registry policy mutex
0x0000000001a9e4e8        2        1      1 0x00000000           userenv: machine policy mutex
0x0000000001a9ec00        1        1      1 0x00000000
0x0000000001adf3a0        1        1      1 0x00000000
0x0000000001ae24b0        2        1      1 0x00000000           SingleSesMutex
0x0000000001ae2710        2        1      1 0x00000000           VMwareGuestCopyPasteMutex
0x0000000001ae9718        2        1      1 0x00000000           TpVcW32ListMutex
0x0000000001b09350        2        1      1 0x00000000           userenv: User Registry policy mutex
0x0000000001b2ad58        6        5      1 0x00000000           ShimCacheMutex
0x0000000001b2e200        2        1      1 0x00000000           userenv: user policy mutex
0x0000000001b401b0        2        1      1 0x00000000           WmiApRpl_Perf_Library_Lock_PID_5a4
```

The output shows that at least two threads of PID 1956 (explorer.exe), with CIDs 1956:2000 and 1956:1980, own suspicious-looking mutexes named SYS!ICP!94062 and SYS!IPC!79027. Several other mutexes that are not tied to PID 1956 (SYS!IPC!79025, SYS!ICP!393-1M and SYS!ICP!393-1MR) follow the same naming pattern and so appear to come from the same source, namely some suspicious process or thread related to PID 1956. The names suggest that these mutexes are used for IPC-based synchronisation and communication. Thus, it can be inferred that they are being used together by some process or thread related to PID 1956 to carry out covert communication.

In addition to understanding the permission and privilege context of a process, it is important to understand which handles it has opened to other system resources. A handle is a mechanism used by the operating system to allow access from one resource to another, and to ensure that different resources are not attempting to make conflicting changes at the same time. Specifically, a handle controls access to kernel objects that represent other resources on the system, such as files, registry keys and processes. To list the handles opened by a process, use the handles plugin. This plugin makes use of virtual memory addressing.

 

```text
0x81489a40   1956        0xa8   0x1f0003 Event            DUMMY!DUMMY
0x81489a40   1956        0xbc   0x1f0003 Event            DUMMY!DUMMY
0x8177efe0   1956        0xa0   0x1f0001 Mutant           SYS!IPC!79027
0xe1a84680   1956        0xa4    0xf0007 Section          SYS!ICP!3949-1
0x8177ef38   1956        0xac   0x1f0001 Mutant           SYS!ICP!393-1M
0x8182eac0   1956        0xb0   0x1f0001 Mutant           SYS!ICP!393-1MR
0xe1cc0e78   1956        0xb4    0xf0007 Section          SYS!ICP!393-1
0x815d6f60   1956        0xc0   0x1f0001 Mutant           SYS!ICP!94062
0x8182eac0   1956       0x114   0x1f0001 Mutant           SYS!ICP!393-1MR
0x8177ef38   1956       0x124   0x1f0001 Mutant           SYS!ICP!393-1M
0xe1cc0e78   1956       0x13c    0xf0007 Section          SYS!ICP!393-1
0x816d8180   1956       0x164   0x1f0001 Mutant           SYS!IPC!79025
```

 

Going through the hundreds of entries generated by the handles plugin was a time-consuming process. The specific handles listed above were flagged because they do not appear to be legitimate for explorer.exe. While many processes and threads communicate with other processes and threads, explorer.exe is not a program that typically does so in this fashion. Moreover, events such as DUMMY!DUMMY are highly suspicious, as is the number of mutexes in use by explorer.exe. Furthermore, it was suspicious that, out of all the processes on the system, only explorer.exe was found using IPC thread-based communications. Finally, the mutant names in this output (SYS!IPC!79027, SYS!ICP!393-1M, SYS!ICP!393-1MR, SYS!ICP!94062 and SYS!IPC!79025) match entries in the output of the mutantscan plugin.


A process may have many handles open, so the -t option can be used to restrict the output to a specified type of handle. Examples include key, file and thread. To list only the handles to registry keys, use the command:


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem handles -p 1956 -t key
Volatility Foundation Volatility Framework 2.6
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0xe17f0718   1956       0x1c  0x20f003f Key              MACHINE
0xe1ccbbc0   1956       0x64  0x20f003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500
0xe1c82e20   1956       0x6c    0x2001f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
0xe1ca3a10   1956       0x7c  0x20f003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1cd1ad0   1956       0x8c    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0xe1ccbb58   1956       0x98    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
0xe1d188e8   1956      0x148    0xf003f Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
0xe1d18950   1956      0x150    0xf003f Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5
0xe1d18a70   1956      0x170    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
0xe1d19710   1956      0x178    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
0xe1d47280   1956      0x180    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
0xe1d195a0   1956      0x184    0xf003f Key              MACHINE\SOFTWARE\CLASSES
0xe1d19050   1956      0x190    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d19538   1956      0x198    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d47848   1956      0x1a0       0x10 Key              USER
0xe1d2c7b8   1956      0x1a8    0xf003f Key              MACHINE\SOFTWARE\CLASSES
0xe1d477e0   1956      0x1b0       0x10 Key              USER
0xe1d2c718   1956      0x1b8    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d47740   1956      0x1c0    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d476a8   1956      0x1c8    0xf003f Key              MACHINE\SOFTWARE\CLASSES\CLSID
0xe1d47610   1956      0x1d0    0xf003f Key              MACHINE\SOFTWARE\CLASSES
0xe1d47578   1956      0x1d8    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d474e0   1956      0x1e0       0x10 Key              USER
0xe1d47448   1956      0x1e8    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d473b0   1956      0x1f0    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d47318   1956      0x1f8    0xf003f Key              MACHINE\SOFTWARE\CLASSES\CLSID
0xe1d36828   1956      0x208    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d367c0   1956      0x218    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d47100   1956      0x224    0x2001f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\PLUS!\THEMES\APPLY
0xe1d4bfb8   1956      0x230    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d4a970   1956      0x23c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d61968   1956      0x25c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d52d58   1956      0x278       0x1b Key              MACHINE\SOFTWARE\CLASSES\HTTP\SHELL
0xe1d52cf0   1956      0x290    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1af9de0   1956      0x294    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d60c50   1956      0x29c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d61df8   1956      0x2bc    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b62b58   1956      0x2c4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d60d68   1956      0x2e4  0x20f003f Key              USER
0xe1c85718   1956      0x2ec    0x2001b Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3GLOBAL
0xe1d61900   1956      0x2f0    0x2001d Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3SITES
0xe1d68938   1956      0x2f4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d688d0   1956      0x310    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS
0xe1d70c58   1956      0x318    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELL
0xe1d70d08   1956      0x320    0xf003f Key              MACHINE\SOFTWARE\CLASSES\CLSID
0xe1d718e0   1956      0x324    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
0xe1d70518   1956      0x328    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d704b0   1956      0x32c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b442e8   1956      0x330    0xf003f Key              MACHINE\SOFTWARE\CLASSES\APPLICATIONS\ACRORD32.EXE
0xe1d72f20   1956      0x334    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM
0xe1d72e28   1956      0x338    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
0xe1d73590   1956      0x344    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d73528   1956      0x34c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1af9fb8   1956      0x374    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1a664e0   1956      0x378    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1a73428   1956      0x37c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe18b0fb8   1956      0x390    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe18b9790   1956      0x3a4    0x10003 Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{75048700-EF1F-11D0-9888-006097DEACF9}\COUNT
0xe1a5f3f8   1956      0x3a8    0x10003 Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{5E6AB780-7743-11CF-A12B-00AA004AE837}\COUNT
0xe1ad5918   1956      0x3b0    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\TRACING\NETSHELL
0xe1a47da0   1956      0x3c4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe189d788   1956      0x3e8    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE
0xe1b441b0   1956      0x3ec    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
0xe1d68218   1956      0x3f0    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES
0xe1d7d558   1956      0x3f4    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
0xe1ac2a98   1956      0x410    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f1508   1956      0x418    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17a65c8   1956      0x448    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1619308   1956      0x44c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1815520   1956      0x450    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f6ab0   1956      0x464    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c83908   1956      0x478    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f6b18   1956      0x488    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c77238   1956      0x4a4    0x2001f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RUNMRU
0xe1c474d0   1956      0x4ac    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d8fcc8   1956      0x4c0    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f8c78   1956      0x4c4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17a7300   1956      0x4e0       0x11 Key              MACHINE\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO\VOLUMECONTROL
0xe1c47400   1956      0x4e4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c82f88   1956      0x4ec    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1ce3350   1956      0x4f4    0x20019 Key              MACHINE\SYSTEM\SETUP
0xe1ce32b8   1956      0x4f8    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d94020   1956      0x504    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b6a690   1956      0x510    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c47468   1956      0x514    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c9a370   1956      0x518    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b00020   1956      0x51c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1cb19e8   1956      0x520    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c9beb0   1956      0x548    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
```

File objects can obviously represent files stored on disk, but they can also be used to represent network connections. The type of device involved should be apparent when looking at the path to the object. Some items that may be less obvious include:

  • \Device\Ip, \Device\Tcp and \Device\Afd\Endpoint -> all refer to handles for network connections.
  • \Device\LanmanRedirector and \Device\Mup -> both refer to handles to SMB network shares.

Therefore, searching for these device handles may help you locate indications of network activity by the process being examined. Alternatively, the following command can be used to identify drive letter assignments, such as the C: or D: drives, assigned to hard drives or even mapped network drives, along with the time when the mapping was created:

 

```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem symlinkscan
```


If you know that an adversary is storing data in a certain file, you can search through all the process file handles to determine which process was using that file. For example, if the file name was hiddenfile.txt, you can use the following command to identify processes that may be using that file:

```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem handles -t file | grep hiddenfile.txt
```


In addition to handles, it may be of use to examine the environment variables set by a process.  The command is given below:

 

```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem envars
```

 

This will list all environment variables for all processes that were running at the time of the dump. The plugin can be restricted to a single process with the -p [PID] switch, as seen previously with handles and other plugins. Finally, the --silent option can be employed to have Volatility compare the results of the envars plugin to a list of known, normal values, and only display items that do not match the known values programmed into the module. In the run below, --silent produces no rows for PID 1956, so the full listing for the process follows it.

 

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem -p 1956 envars --silent
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem -p 1956 envars
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
    1956 explorer.exe         0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
    1956 explorer.exe         0x00010000 APPDATA                        C:\Documents and Settings\Administrator\Application Data
    1956 explorer.exe         0x00010000 CLIENTNAME                     Console
    1956 explorer.exe         0x00010000 CommonProgramFiles             C:\Program Files\Common Files
    1956 explorer.exe         0x00010000 COMPUTERNAME                   GENERALLEE
    1956 explorer.exe         0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
    1956 explorer.exe         0x00010000 FP_NO_HOST_CHECK               NO
    1956 explorer.exe         0x00010000 HOMEDRIVE                      C:
    1956 explorer.exe         0x00010000 HOMEPATH                       \Documents and Settings\Administrator
    1956 explorer.exe         0x00010000 J2D_D3D                        false
    1956 explorer.exe         0x00010000 LOGONSERVER                    \\GENERALLEE
    1956 explorer.exe         0x00010000 NUMBER_OF_PROCESSORS           1
    1956 explorer.exe         0x00010000 OS                             Windows_NT
    1956 explorer.exe         0x00010000 Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    1956 explorer.exe         0x00010000 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    1956 explorer.exe         0x00010000 PROCESSOR_ARCHITECTURE         x86
    1956 explorer.exe         0x00010000 PROCESSOR_IDENTIFIER           x86 Family 6 Model 42 Stepping 7, GenuineIntel
    1956 explorer.exe         0x00010000 PROCESSOR_LEVEL                6
    1956 explorer.exe         0x00010000 PROCESSOR_REVISION             2a07
    1956 explorer.exe         0x00010000 ProgramFiles                   C:\Program Files
    1956 explorer.exe         0x00010000 SESSIONNAME                    Console
    1956 explorer.exe         0x00010000 SystemDrive                    C:
    1956 explorer.exe         0x00010000 SystemRoot                     C:\WINDOWS
    1956 explorer.exe         0x00010000 TEMP                           C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    1956 explorer.exe         0x00010000 TMP                            C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    1956 explorer.exe         0x00010000 USERDOMAIN                     GENERALLEE
    1956 explorer.exe         0x00010000 USERNAME                       Administrator
    1956 explorer.exe         0x00010000 USERPROFILE                    C:\Documents and Settings\Administrator
    1956 explorer.exe         0x00010000 windir                         C:\WINDOWS
```

Armed with the information provided by the handles plugin, it is worthwhile investigating what additional information could be revealed using Volatility's thread-based plugins.

 

The threads plugin parses the _ETHREAD and _KTHREAD data structures. It uses virtual memory addressing.


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem threads | grep 1956
Volatility Foundation Volatility Framework 2.6
ETHREAD: 0x815cbda8 Pid: 1956 Tid: 1960
ETHREAD: 0x8178b658 Pid: 1956 Tid: 2032
ETHREAD: 0x815cdda8 Pid: 1956 Tid: 2012
ETHREAD: 0x01a2f8e8 Pid: 1956 Tid: 124
ETHREAD: 0x816dda80 Pid: 1956 Tid: 2016
ETHREAD: 0x813bea80 Pid: 1956 Tid: 1980
ETHREAD: 0x816cf658 Pid: 1956 Tid: 2008
ETHREAD: 0x81883da8 Pid: 1956 Tid: 320
ETHREAD: 0x813b7230 Pid: 1956 Tid: 2000
ETHREAD: 0x01984238 Pid: 1956 Tid: 132
ETHREAD: 0x818e72a0 Pid: 1956 Tid: 292
ETHREAD: 0x815c24c0 Pid: 1956 Tid: 1992
ETHREAD: 0x813bc560 Pid: 1956 Tid: 396
ETHREAD: 0x8148cc28 Pid: 1956 Tid: 164
ETHREAD: 0x816cf230 Pid: 1956 Tid: 2004
ETHREAD: 0x813c4da8 Pid: 1956 Tid: 2020
ETHREAD: 0x816dd230 Pid: 1956 Tid: 2028
ETHREAD: 0x816d1a80 Pid: 1956 Tid: 1996
ETHREAD: 0x816d43d0 Pid: 1956 Tid: 160
ETHREAD: 0x813c4988 Pid: 1956 Tid: 2024
ETHREAD: 0x81906368 Pid: 1956 Tid: 2040
```

The thrdscan plugin parses the _ETHREAD data structure. Its output differs from that of the threads plugin because it uses physical memory addressing. Rows with a second timestamp are threads that have already exited.


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem thrdscan | grep 1956
Volatility Foundation Volatility Framework 2.6
0x00000000015b7230   1956   2000 0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000015bc560   1956    396 0x7c810856 2011-10-10 17:04:46 UTC+0000
0x00000000015bea80   1956   1980 0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000015c4988   1956   2024 0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000015c4da8   1956   2020 0x7c810856 2011-10-10 17:04:40 UTC+0000
0x000000000168cc28   1956    164 0x7c810856 2011-10-10 17:04:41 UTC+0000
0x00000000017c24c0   1956   1992 0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000017cbda8   1956   1960 0x7c810867 2011-10-10 17:04:39 UTC+0000
0x00000000017cdda8   1956   2012 0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000018cf230   1956   2004 0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000018cf658   1956   2008 0x7c810856 2011-10-10 17:04:39 UTC+0000 2011-10-10 17:04:39 UTC+0000
0x00000000018d1a80   1956   1996 0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000018d43d0   1956    160 0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000018dd230   1956   2028 0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000018dda80   1956   2016 0x7c810856 2011-10-10 17:04:40 UTC+0000
0x0000000001984238   1956    132 0x7c810856 2011-10-10 17:04:40 UTC+0000 2011-10-10 17:06:48 UTC+0000
0x000000000198b658   1956   2032 0x7c810856 2011-10-10 17:04:40 UTC+0000
0x0000000001a2f8e8   1956    124 0x7c810856 2011-10-10 17:04:40 UTC+0000 2011-10-10 17:06:47 UTC+0000
0x0000000001a83da8   1956    320 0x7c810856 2011-10-10 17:04:45 UTC+0000
0x0000000001ae72a0   1956    292 0x7c810856 2011-10-10 17:04:44 UTC+0000
0x0000000001b06368   1956   2040 0x7c810856 2011-10-10 17:04:40 UTC+0000
```


From the output of the threads and thrdscan plugins, TIDs 1980 and 2000 can be correlated with the output of the mutantscan plugin (CIDs 1956:1980 and 1956:2000). Whether the remaining threads have contributed to the infection is not currently known, but there is reason to suspect that some of the additional threads that have not exited may have contributed to the infection.
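The correlation carried out by hand above (mutantscan CIDs against thrdscan threads, and handle names against mutant names) can be scripted. The block below is an added example, not code from the original post or from the Volatility project; it parses rows copied from the three plugins and ties them together for one PID. The sample rows are constructed from a subset of this post's output for explorer.exe.

```python
"""Cross-correlate Volatility 2 mutantscan, handles and thrdscan output.

Added example, not code from the original post or the Volatility project.
It automates what the post does by eye for explorer.exe (PID 1956): which
mutexes are owned by the process's threads, whether each owning thread is
present in thrdscan and still running, and which of the process's handles
name objects that mutantscan also found.
"""
from typing import Dict, List

# Constructed sample: a subset of the post's mutantscan rows. The CID
# column (pid:tid) is present only when the Thread column is non-zero.
MUTANTSCAN = """\
0x00000000015b70f0 2 1 0 0x815cb988 1920:1928 wscntfy_mtx
0x00000000017d6f60 2 1 0 0x813b7230 1956:2000 SYS!ICP!94062
0x00000000018d8180 2 1 1 0x00000000 SYS!IPC!79025
0x000000000197ef38 3 2 1 0x00000000 SYS!ICP!393-1M
0x000000000197efe0 2 1 -1 0x813bea80 1956:1980 SYS!IPC!79027
0x0000000001975a70 1 1 1 0x00000000
0x0000000001b2ad58 6 5 1 0x00000000 ShimCacheMutex
"""
# Constructed sample: a subset of the post's `handles -p 1956` rows.
HANDLES = """\
0x81489a40 1956 0xa8 0x1f0003 Event DUMMY!DUMMY
0x8177efe0 1956 0xa0 0x1f0001 Mutant SYS!IPC!79027
0xe1a84680 1956 0xa4 0xf0007 Section SYS!ICP!3949-1
0x8177ef38 1956 0xac 0x1f0001 Mutant SYS!ICP!393-1M
0x815d6f60 1956 0xc0 0x1f0001 Mutant SYS!ICP!94062
0x816d8180 1956 0x164 0x1f0001 Mutant SYS!IPC!79025
"""
# Constructed sample: a subset of the post's thrdscan rows. A second
# timestamp is present only when the thread has exited.
THRDSCAN = """\
0x00000000015b7230 1956 2000 0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000015bea80 1956 1980 0x7c810856 2011-10-10 17:04:39 UTC+0000
0x0000000001984238 1956 132 0x7c810856 2011-10-10 17:04:40 UTC+0000 2011-10-10 17:06:48 UTC+0000
"""


def parse_mutantscan(text: str) -> List[dict]:
    """Offset(P) #Ptr #Hnd Signal Thread [CID] Name -> dicts."""
    out = []
    for p in (ln.split(None, 5) for ln in text.splitlines()):
        if len(p) < 5 or not p[0].startswith("0x"):
            continue                      # header, separator or blank line
        rest = p[5] if len(p) > 5 else ""
        pid = tid = None
        if int(p[4], 16) != 0:            # owned: next token is pid:tid
            cid, _, rest = rest.partition(" ")
            pid, tid = (int(x) for x in cid.split(":"))
        out.append({"offset": p[0], "signal": int(p[3]),
                    "pid": pid, "tid": tid, "name": rest.strip()})
    return out

def parse_handles(text: str) -> List[dict]:
    """Offset(V) Pid Handle Access Type Details -> dicts."""
    out = []
    for p in (ln.split(None, 5) for ln in text.splitlines()):
        if len(p) < 5 or not p[0].startswith("0x"):
            continue
        out.append({"pid": int(p[1]), "type": p[4],
                    "name": p[5].strip() if len(p) > 5 else ""})
    return out

def parse_thrdscan(text: str) -> List[dict]:
    """Offset(P) PID TID StartAddr CreateTime [ExitTime] -> dicts."""
    out = []
    for p in (ln.split() for ln in text.splitlines()):
        if len(p) < 7 or not p[0].startswith("0x"):
            continue
        out.append({"pid": int(p[1]), "tid": int(p[2]),
                    "created": " ".join(p[4:7]),
                    "exited": " ".join(p[7:10]) if len(p) >= 10 else None})
    return out

def correlate(pid: int, mutants: List[dict], handles: List[dict],
              threads: List[dict]) -> Dict[str, list]:
    """Tie the three views of one process together."""
    by_tid = {t["tid"]: t for t in threads if t["pid"] == pid}
    owned = []
    for m in mutants:
        if m["pid"] != pid:
            continue
        t = by_tid.get(m["tid"])      # None if thrdscan never saw the thread
        owned.append({"name": m["name"], "tid": m["tid"],
                      "thread_found": t is not None,
                      "exited": t["exited"] if t else None})
    names = {m["name"] for m in mutants if m["name"]}
    shared = sorted({h["name"] for h in handles
                     if h["pid"] == pid and h["name"] in names})
    return {"owned_mutexes": owned, "handles_also_in_mutantscan": shared}

if __name__ == "__main__":
    rep = correlate(1956, parse_mutantscan(MUTANTSCAN),
                    parse_handles(HANDLES), parse_thrdscan(THRDSCAN))
    for e in rep["owned_mutexes"]:
        print("owned mutex:", e)
    print("handles also seen by mutantscan:", rep["handles_also_in_mutantscan"])
```

On the sample rows the two owned mutexes resolve to TIDs 2000 and 1980, both still running in thrdscan, and four of the process's handle names also appear in mutantscan, which is the link drawn in the text above.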

 

The investigator may want to find additional information about commands entered into a command shell. Two plugins can be useful for this.

 

The cmdscan plugin is used to query the process memory of csrss.exe or conhost.exe for possible commands that may have been entered into the system shell (cmd.exe, i.e. PID 544) or through a backdoor or RDP session by an attacker. Specifically, it looks for COMMAND_HISTORY structures left behind in memory. Scanning csrss.exe applies to Windows XP, 2003, Vista and Server 2008, while conhost.exe applies to later versions.

 

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 608
CommandHistory: 0x11132d8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x4c4
Cmd #0 @ 0x4e1eb8: sc query malwar
Cmd #1 @ 0x11135e8: sc query malware
```

The consoles plugin is similar to cmdscan, but it searches for CONSOLE_INFORMATION structures instead. Because that structure holds the console's screen buffer as well as its command histories, the plugin recovers not only the commands fed to the shell (cmd.exe, PID 544) or to a backdoor, but also the output that was displayed in response, which is what makes it so valuable here.

 

text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e2370 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\WINDOWS\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 544 Handle: 0x4c4
----
CommandHistory: 0x1113498 Application: sc.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x11132d8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x4c4
Cmd #0 at 0x4e1eb8: sc query malwar
Cmd #1 at 0x11135e8: sc query malware
----
Screen 0x4e2a70 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>sc query malwar
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Documents and Settings\Administrator>sc query malware

SERVICE_NAME: malware
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Documents and Settings\Administrator>

 

Based on the output of the cmdscan and consoles plugins, someone, either locally or remotely, queried the system for a service named malware. The service was running, and it was a kernel driver (TYPE : 1 KERNEL_DRIVER). This is an important indicator of compromise for several reasons. First, there appears to be a malicious driver on the system, currently active, providing some as yet unknown functionality. Second, a kernel driver does not run as a process, so none of Volatility's process-listing plugins (pslist, psscan, psxview) will surface it; it has to be hunted with the driver and kernel-module plugins instead. Third, the service is registered under the name malware, which gives a string to pivot on. Taken together, these clues let the investigator track the driver down.


It is also helpful to scan the memory dump for driver objects. The driverscan plugin pool-scans the dump for _DRIVER_OBJECT structures and reports each one by its physical offset (Offset(P)), together with the driver's start address, size, service key and driver name.


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem driverscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          #Ptr #Hnd Start      Size       Service Key          Name         Driver Name
------------------ ---- ---- ---------- ---------- -------------------- ------------ -----------
0x00000000015a9880    3    0 0xf0ad6000 0xed80     sysaudio             sysaudio     \Driver\sysaudio
0x00000000015ad3b8    3    0 0xf9ec6000 0x1a80     ParVdm               ParVdm       \Driver\ParVdm
0x00000000015aff38    3    0 0xf9ec8000 0x1e00     VMMEMCTL             VMMEMCTL     \Driver\VMMEMCTL
0x000000000167f978    7    0 0xf11c0000 0x57a80    Tcpip                Tcpip        \Driver\Tcpip
0x000000000168da70    3    0 0xf9afc000 0x8900     Gpc                  Gpc          \Driver\Gpc
0x00000000016bf450   17    0 0xf96e5000 0x2ca80    NDIS                 NDIS         \Driver\NDIS
0x00000000016bf548    4    0 0xf9712000 0x8c480    Ntfs                 Ntfs         \FileSystem\Ntfs
0x00000000016bf758    3    0 0xf979f000 0x16780    KSecDD               KSecDD       \Driver\KSecDD
0x00000000016bf968    6    0 0xf97b6000 0x11f00    sr                   sr           \FileSystem\sr
0x00000000016c0d20    6    0 0xf9817000 0x25700    dmio                 dmio         \Driver\dmio
0x00000000016c0f38    3    0 0xf9ea2000 0x1700     dmload               dmload       \Driver\dmload
0x00000000016c8030    6    0 0xf9c94000 0x4580     Ptilink              Ptilink      \Driver\Ptilink
0x00000000016c8148    5    0 0xf9b0c000 0x9f00     TermDD               TermDD       \Driver\TermDD
0x00000000016ca648    5    0 0xf94a7000 0x30100    rdpdr                rdpdr        \Driver\rdpdr
0x00000000016d4388   81    0 0xf985c000 0x10a80    PCI                  PCI          \Driver\PCI
0x00000000017b2240    3    0 0xf9b7c000 0x8700     Wanarp               Wanarp       \Driver\Wanarp
0x00000000017b2450    3    0 0xf1076000 0x20f00    IpNat                IpNat        \Driver\IpNat
0x00000000017b3550    3    0 0xf09cc000 0x29f00    kmixer               kmixer       \Driver\kmixer
0x00000000017daf38    6    0 0xf959d000 0x2580     hidusb               hidusb       \Driver\hidusb
0x00000000017e48b8    4    0 0xf1097000 0x6e380    MRxSmb               MRxSmb       \FileSystem\MRxSmb
0x00000000017f5590    4    0 0xf9646000 0x13900    Parport              Parport      \Driver\Parport
0x00000000017f5e40    6    0 0xf9c64000 0x5a00     Mouclass             Mouclass     \Driver\Mouclass
0x00000000017fa850    3    0 0xf9b1c000 0x9480     NDProxy              NDProxy      \Driver\NDProxy
0x00000000017fcb30    9    0 0xf97ff000 0x17480    atapi                atapi        \Driver\atapi
0x00000000017fce40    5    0 0xf99bc000 0xcc80     VolSnap              VolSnap      \Driver\VolSnap
0x00000000017fcf38    4    0 0xf9c24000 0x4900     PartMgr              PartMgr      \Driver\PartMgr
0x0000000001807bf8    3    0 0xf9ca4000 0x5000     Flpydisk             Flpydisk     \Driver\Flpydisk
0x0000000001811da0    3    0 0xf1218000 0x12400    IPSec                IPSec        \Driver\IPSec
0x0000000001816978    3    0 0xf114e000 0x21d00    AFD                  AFD          \Driver\AFD
0x000000000183d030    3    0 0xf9a7c000 0xbc80     vmci                 vmci         \Driver\vmci
0x000000000183d5d0    3    0 0xf9c7c000 0x7400     vmxnet               vmxnet       \Driver\vmxnet
0x000000000183d6c8    4    0 0xf9c74000 0x5000     usbuhci              usbuhci      \Driver\usbuhci
0x000000000183dd70    4    0 0xf9a8c000 0xdf80     vmx_svga             vmx_svga     \Driver\vmx_svga
0x000000000183fa48    4    0 0xf9a6c000 0xe080     redbook              redbook      \Driver\redbook
0x000000000183fc38    3    0 0xf9a5c000 0xc180     Cdrom                Cdrom        \Driver\Cdrom
0x000000000183fe50    3    0 0xf9a4c000 0xa380     Imapi                Imapi        \Driver\Imapi
0x0000000001840be8    4    0 0xf9c6c000 0x6b00     Fdc                  Fdc          \Driver\Fdc
0x000000000184b278    3    0 0xf9cc4000 0x7880     Npfs                 Npfs         \FileSystem\Npfs
0x000000000184b620    3    0 0xf9eae000 0x1080     mnmdd                mnmdd        \Driver\mnmdd
0x000000000184c388    3    0 0xf9cb4000 0x5200     VgaSave              VgaSave      \Driver\VgaSave
0x000000000184d750    3    0 0xf9eac000 0x1080     Beep                 Beep         \Driver\Beep
0x000000000184eca0    3    0 0xf9c9c000 0x4080     Raspti               Raspti       \Driver\Raspti
0x000000000186d888    4    0 0xf97c8000 0x1e780    FltMgr               FltMgr       \FileSystem\FltMgr
0x0000000001878878    7    0 0xf9eaa000 0x1f00     Fs_Rec               Fs_Rec       \FileSystem\Fs_Rec
0x00000000018c2f38    5    0 0xf0a41000 0x14400    wdmaud               wdmaud       \Driver\wdmaud
0x00000000018c6b10    3    0 0xf0cd9000 0x2c400    MRxDAV               MRxDAV       \FileSystem\MRxDAV
0x00000000018c8030    3    0 0xf0eb2000 0x3280     Ndisuio              Ndisuio      \Driver\Ndisuio
0x00000000018c8c88    3    0 0xf9b6c000 0x8880     Fips                 Fips         \Driver\Fips
0x00000000018e90d8    3    0 0xf9b9c000 0xf900     Cdfs                 Cdfs         \FileSystem\Cdfs
0x000000000191c2b8    5    0 0xf9db8000 0x2b00     vmscsi               vmscsi       \Driver\vmscsi
0x0000000001972f38    4    0 0xf9599000 0x2f80     mouhid               mouhid       \Driver\mouhid
0x0000000001974b10    3    0 0xf0c5e000 0x52180    Srv                  Srv          \FileSystem\Srv
0x00000000019a8030    3    0 0xf9cbc000 0x4a80     Msfs                 Msfs         \FileSystem\Msfs
0x00000000019aaca0    9    0 0xf9ea6000 0x1100     swenum               swenum       \Driver\swenum
0x00000000019ae8d0    5    0 0xf07f3000 0x40380    HTTP                 HTTP         \Driver\HTTP
0x00000000019db708    6    0 0xf9e4c000 0x2580     NdisTapi             NdisTapi     \Driver\NdisTapi
0x00000000019db9e8    3    0 0xf9acc000 0xc880     Rasl2tp              Rasl2tp      \Driver\Rasl2tp
0x00000000019e62c0    3    0 0xf9ea4000 0x1280     vmmouse              vmmouse      \Driver\vmmouse
0x00000000019e6b40    4    0 0xf9c5c000 0x6000     Kbdclass             Kbdclass     \Driver\Kbdclass
0x00000000019f5e18    4    0 0xf99cc000 0x8e00     Disk                 Disk         \Driver\Disk
0x0000000001a071e0    5    0 0xf9a2c000 0xce00     i8042prt             i8042prt     \Driver\i8042prt
0x0000000001a0f8b8    4    0 0xf9db0000 0x2480     Compbatt             Compbatt     \Driver\Compbatt
0x0000000001a19f38    5    0 0xf9cd4000 0x7b80     usbccgp              usbccgp      \Driver\usbccgp
0x0000000001a1b788   13    0 0x00000000 0x0        \Driver\Win32k       Win32k       \Driver\Win32k
0x0000000001a498b8    3    0 0xf9eb4000 0x1500     malware              malware      \Driver\malware
0x0000000001a7e2c0    3    0 0xf1106000 0x2b180    Rdbss                Rdbss        \FileSystem\Rdbss
0x0000000001a7eda0    3    0 0xf9685000 0x2f00     WS2IFSL              WS2IFSL      \Driver\WS2IFSL
0x0000000001a86030    4    0 0xf95b1000 0x16680    NdisWan              NdisWan      \Driver\NdisWan
0x0000000001a86910    5    0 0xf94d8000 0x10e00    PSched               PSched       \Driver\PSched
0x0000000001a8c638    5    0 0xf96ca000 0x1a580    Mup                  Mup          \FileSystem\Mup
0x0000000001a946f0    3    0 0xf9e48000 0x3700     CmBatt               CmBatt       \Driver\CmBatt
0x0000000001a94e60    4    0 0xf9c84000 0x6800     usbehci              usbehci      \Driver\usbehci
0x0000000001a9dda0    3    0 0xf9e94000 0x2980     gameenum             gameenum     \Driver\gameenum
0x0000000001aa4718    4    0 0xf9a9c000 0x9f00     es1371               es1371       \Driver\es1371
0x0000000001ae3a30    4    0 0xf9e40000 0x3c80     serenum              serenum      \Driver\serenum
0x0000000001ae3c08    4    0 0xf9a3c000 0xfd80     Serial               Serial       \Driver\Serial
0x0000000001ae54d8    3    0 0xf9e6c000 0x3c80     mssmbios             mssmbios     \Driver\mssmbios
0x0000000001b06268    3    0 0xf9689000 0x2280     RasAcd               RasAcd       \Driver\RasAcd
0x0000000001b06f38    3    0 0xf9473000 0x33200    Update               Update       \Driver\Update
0x0000000001b07c40    3    0 0xf9fcf000 0xb80      Null                 Null         \Driver\Null
0x0000000001b0d5f0    3    0 0xf99ec000 0xa580     agp440               agp440       \Driver\agp440
0x0000000001b21978    3    0 0xf9b4c000 0x8700     NetBIOS              NetBIOS      \FileSystem\NetBIOS
0x0000000001b21da0    4    0 0xf1132000 0x1ba00    vmhgfs               vmhgfs       \FileSystem\vmhgfs
0x0000000001b29988    3    0 0xf9aec000 0xbd00     PptpMiniport         PptpMiniport \Driver\PptpMiniport
0x0000000001b2a100    3    0 0xf9adc000 0xa200     RasPppoe             RasPppoe     \Driver\RasPppoe
0x0000000001b2a348    7    0 0xfa0ee000 0xc00      audstub              audstub      \Driver\audstub
0x0000000001b2a4b0    3    0 0xf9abc000 0x8d00     intelppm             intelppm     \Driver\intelppm
0x0000000001b2b7e0    7    0 0xf9b3c000 0xe100     usbhub               usbhub       \Driver\usbhub
0x0000000001b41638    3    0 0xf9eb0000 0x1080     RDPCDD               RDPCDD       \Driver\RDPCDD
0x0000000001b46a28    5    0 0xf1198000 0x27c00    NetBT                NetBT        \Driver\NetBT
0x0000000001bb43f8    4    0 0x00000000 0x0        \Driver\ACPI_HAL     ACPI_HAL     \Driver\ACPI_HAL
0x0000000001bb85e0   58    0 0x00000000 0x0        \Driver\PnpManager   PnpManager   \Driver\PnpManager
0x0000000001be71c0    4    0 0xf999c000 0x8c00     isapnp               isapnp       \Driver\isapnp
0x0000000001be87d8    6    0 0xf983d000 0x1e880    Ftdisk               Ftdisk       \Driver\Ftdisk
0x0000000001be8a78    7    0 0xf99ac000 0xa500     MountMgr             MountMgr     \Driver\MountMgr
0x0000000001be9290    5    0 0xf9ea0000 0x1580     IntelIde             IntelIde     \Driver\IntelIde
0x0000000001bea9c8   63    0 0xf986d000 0x2dd80    ACPI                 ACPI         \Driver\ACPI
0x0000000001beaef8    5    0 0x00000000 0x0                             RAW          \FileSystem\RAW
0x0000000001beb030    4    0 0x00000000 0x0        \Driver\WMIxWDM      WMIxWDM      \Driver\WMIxWDM

The malicious driver object, \Driver\malware, is at physical offset 0x0000000001a498b8, registered under the service key malware (the name seen in the sc query output). Its start address is 0xf9eb4000 and its size is 0x1500; the start address is the value to carry forward when correlating this object with the kernel module lists and the IRP table.

 

The driverirp plugin builds on driverscan: for every driver object it finds, it prints the 28-entry IRP major function table (the dispatch routines the driver registered for IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_DEVICE_CONTROL and so on), resolving each handler address to the kernel module that contains it. Handlers that resolve to a module other than the driver's own image, or to no known module at all, are the signature of IRP hooking. A truncated output showing the area of interest is given below.


text
DriverName: malware
DriverStart: 0xf9eb4000
DriverSize: 0x1500
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                       0xf9eb4d76 winsys32.sys
   1 IRP_MJ_CREATE_NAMED_PIPE            0xf9eb4d76 winsys32.sys
   2 IRP_MJ_CLOSE                        0xf9eb4d76 winsys32.sys
   3 IRP_MJ_READ                         0xf9eb4e00 winsys32.sys
   4 IRP_MJ_WRITE                        0xf9eb4d76 winsys32.sys
   5 IRP_MJ_QUERY_INFORMATION            0xf9eb4d76 winsys32.sys
   6 IRP_MJ_SET_INFORMATION              0xf9eb4d76 winsys32.sys
   7 IRP_MJ_QUERY_EA                     0xf9eb4d76 winsys32.sys
   8 IRP_MJ_SET_EA                       0xf9eb4d76 winsys32.sys
   9 IRP_MJ_FLUSH_BUFFERS                0xf9eb4d76 winsys32.sys
  10 IRP_MJ_QUERY_VOLUME_INFORMATION     0xf9eb4d76 winsys32.sys
  11 IRP_MJ_SET_VOLUME_INFORMATION       0xf9eb4d76 winsys32.sys
  12 IRP_MJ_DIRECTORY_CONTROL            0xf9eb4d76 winsys32.sys
  13 IRP_MJ_FILE_SYSTEM_CONTROL          0xf9eb4d76 winsys32.sys
  14 IRP_MJ_DEVICE_CONTROL               0xf9eb4e46 winsys32.sys
  15 IRP_MJ_INTERNAL_DEVICE_CONTROL      0xf9eb4d76 winsys32.sys
  16 IRP_MJ_SHUTDOWN                     0xf9eb4d76 winsys32.sys
  17 IRP_MJ_LOCK_CONTROL                 0xf9eb4d76 winsys32.sys
  18 IRP_MJ_CLEANUP                      0xf9eb4d76 winsys32.sys
  19 IRP_MJ_CREATE_MAILSLOT              0xf9eb4d76 winsys32.sys
  20 IRP_MJ_QUERY_SECURITY               0xf9eb4d76 winsys32.sys
  21 IRP_MJ_SET_SECURITY                 0xf9eb4d76 winsys32.sys
  22 IRP_MJ_POWER                        0xf9eb4e66 winsys32.sys
  23 IRP_MJ_SYSTEM_CONTROL               0xf9eb4d76 winsys32.sys
  24 IRP_MJ_DEVICE_CHANGE                0xf9eb4d76 winsys32.sys
  25 IRP_MJ_QUERY_QUOTA                  0xf9eb4d76 winsys32.sys
  26 IRP_MJ_SET_QUOTA                    0xf9eb4d76 winsys32.sys
  27 IRP_MJ_PNP                          0x804f320e ntoskrnl.exe
--------------------------------------------------


Reading a driverirp table without reverse-engineering the driver will not tell you which IRP functions a legitimate driver of this kind would implement, and there is no ready-made whitelist or blacklist of "normal" dispatch tables. What the table does show without any disassembly is this: every handler except IRP_MJ_PNP lies inside winsys32.sys, and winsys32.sys is loaded at 0xf9eb4000, which is exactly the DriverStart of \Driver\malware, so the service named malware is backed by the file winsys32.sys. Twenty-four of the 28 major functions share a single routine at 0xf9eb4d76 (an "unsupported request" stub), only IRP_MJ_READ (0xf9eb4e00), IRP_MJ_DEVICE_CONTROL (0xf9eb4e46) and IRP_MJ_POWER (0xf9eb4e66) have dedicated code, and IRP_MJ_PNP was left at the kernel's default handler in ntoskrnl.exe. None of the handlers points outside the driver's own image, so this is the driver's own dispatch table rather than a hook planted in another driver. The three dedicated handlers are where to start once the image is extracted with moddump and disassembled.
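The two checks just described (does a handler fall inside the driver's own [DriverStart, DriverStart + DriverSize) range, and which IRPs have a handler of their own) are mechanical, so here is a small Python script that applies them to driverirp text. This is an added example, not code from the original post or from the Volatility project. The "malware" block in the sample is taken from the driverirp output on this page, trimmed to a few of its 28 entries; the "Disk" block is constructed purely to show what a hooked table looks like (its IRP_MJ_READ has been pointed into winsys32.sys) and is not from the 0zapftis image. The function and variable names are the example's own.

```python
"""Sanity-check a Volatility 2 driverirp dump: for each driver object, flag
IRP_MJ_* handlers that resolve outside the driver's own image (classic IRP
hooking) and list the IRPs the driver implemented with dedicated code.
Added example; not part of the original page or of Volatility."""
import re
from collections import Counter

# Sample input. The "malware" block is copied from this page's driverirp
# output (trimmed; the omitted entries all share the 0xf9eb4d76 stub).
# The "Disk" block is CONSTRUCTED: DriverStart/DriverSize are the values
# driverscan printed for \Driver\Disk on this page, but the IRP_MJ_READ
# handler has been pointed at winsys32.sys to simulate a hook.
SAMPLE = """\
DriverName: malware
DriverStart: 0xf9eb4000
DriverSize: 0x1500
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                       0xf9eb4d76 winsys32.sys
   2 IRP_MJ_CLOSE                        0xf9eb4d76 winsys32.sys
   3 IRP_MJ_READ                         0xf9eb4e00 winsys32.sys
   4 IRP_MJ_WRITE                        0xf9eb4d76 winsys32.sys
  14 IRP_MJ_DEVICE_CONTROL               0xf9eb4e46 winsys32.sys
  22 IRP_MJ_POWER                        0xf9eb4e66 winsys32.sys
  27 IRP_MJ_PNP                          0x804f320e ntoskrnl.exe
--------------------------------------------------
DriverName: Disk
DriverStart: 0xf99cc000
DriverSize: 0x8e00
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                       0xf99cd0a0 disk.sys
   3 IRP_MJ_READ                         0xf9eb4e00 winsys32.sys
  14 IRP_MJ_DEVICE_CONTROL               0xf99cd5c0 disk.sys
--------------------------------------------------
"""

FIELD_RE = re.compile(r"^(DriverName|DriverStart|DriverSize):\s*(\S+)\s*$")
IRP_RE = re.compile(r"^\s*\d+\s+(IRP_MJ_\w+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")


def parse_driverirp(text):
    """Return a list of {name, start, size, irps: [(irp, addr, module)]}."""
    drivers, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "DriverName":
                cur = {"name": val, "start": 0, "size": 0, "irps": []}
                drivers.append(cur)
            elif cur is not None:
                cur["start" if key == "DriverStart" else "size"] = int(val, 16)
            continue
        m = IRP_RE.match(line)
        if m and cur is not None:
            irp, addr, module = m.groups()
            cur["irps"].append((irp, int(addr, 16), module))
    return drivers


def analyze(text):
    """Map driver name -> {'outside_image': [...], 'dedicated': [...]}.

    outside_image: handlers that live neither inside the driver's own image
    nor in the kernel's default handler (ntoskrnl.exe). Anything here is a
    hook candidate.
    dedicated: IRPs whose handler address is used by no other IRP, i.e. the
    functions the author actually implemented rather than routing to a
    shared "unsupported" stub.
    """
    report = {}
    for drv in parse_driverirp(text):
        lo, hi = drv["start"], drv["start"] + drv["size"]
        uses = Counter(addr for _, addr, _ in drv["irps"])
        outside = []
        for irp, addr, module in drv["irps"]:
            in_image = lo <= addr < hi
            if module == "ntoskrnl.exe" and not in_image:
                continue  # kernel default: the driver simply does not handle it
            if not in_image:
                outside.append((irp, addr, module))
        dedicated = sorted(
            irp for irp, addr, module in drv["irps"]
            if uses[addr] == 1 and module != "ntoskrnl.exe"
        )
        report[drv["name"]] = {"outside_image": outside, "dedicated": dedicated}
    return report


if __name__ == "__main__":
    for name, r in analyze(SAMPLE).items():
        print(name, "dedicated handlers:", ", ".join(r["dedicated"]))
        for irp, addr, module in r["outside_image"]:
            print(f"  HOOK? {irp} -> {addr:#x} in {module}")
```

Run it on the full output of `driverirp` (pipe the plugin's stdout into a file and pass the file's contents to `analyze`) and review every driver that ends up with a non-empty `outside_image` list; on the page's data only the constructed Disk entry does.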

 

It can be helpful to determine the relationship between drivers and the Windows device objects they own. In doing so, it may be possible to determine what kind of device, and hence what purpose, a malicious driver serves. The devicetree plugin shows this hierarchy (DRV for driver objects, DEV for the devices they created, ATT for devices attached on top of another device). A pruned output showing the item of interest is shown below.

 

text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem devicetree
Volatility Foundation Volatility Framework 2.6
DRV 0x01a498b8 \Driver\malware
---| DEV 0x816c8d80 KeyboardClassC FILE_DEVICE_KEYBOARD

 

Based on the output above, the malicious driver owns a device object of type FILE_DEVICE_KEYBOARD named KeyboardClassC, a name that resembles the KeyboardClass0, KeyboardClass1, ... devices the legitimate kbdclass.sys creates. The most plausible purpose for a driver that presents itself as a keyboard device, and that implements its own IRP_MJ_READ handler, is keystroke logging. Confirming this means extracting the driver image (moddump with the base address 0xf9eb4000) and examining it, but at this point the working hypothesis is a kernel-mode keylogger.

 

To help detect DLLs that have been unlinked from the load-order list in the PEB, Volatility also has the ldrmodules plugin. It works the way psxview does for processes: it enumerates the DLLs recorded in all three PEB lists (InLoadOrderModuleList, InInitializationOrderModuleList and InMemoryOrderModuleList) and presents the results side by side, so a module that has been removed from one list but not the others stands out. In addition, ldrmodules walks the process's VAD tree in kernel memory and lists every file-backed mapping it finds there, whether or not the PEB knows about it, so even if the PEB itself has been tampered with, the kernel's own view of what is mapped can expose a hidden module. Two things to keep in mind when reading the output: the process's own executable appears in only two of the three lists (it is never in the initialization-order list, because it is not a separately loaded DLL), and mapped files that are not modules at all (fonts, type libraries) show False in all three columns. The plugin can be run as follows:


text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem ldrmodules | grep False
Volatility Foundation Volatility Framework 2.6
4 System 0x7c900000 False False False \WINDOWS\system32\ntdll.dll
536 smss.exe 0x48580000 True False True \WINDOWS\system32\smss.exe
608 csrss.exe 0x00450000 False False False \WINDOWS\Fonts\vgasys.fon
608 csrss.exe 0x4a680000 True False True \WINDOWS\system32\csrss.exe
608 csrss.exe 0x01230000 False False False \WINDOWS\Fonts\dosapp.fon
608 csrss.exe 0x01250000 False False False \WINDOWS\Fonts\cga80woa.fon
608 csrss.exe 0x01260000 False False False \WINDOWS\Fonts\cga40woa.fon
608 csrss.exe 0x010a0000 False False False \WINDOWS\Fonts\vgaoem.fon
608 csrss.exe 0x01240000 False False False \WINDOWS\Fonts\ega40woa.fon
632 winlogon.exe 0x01000000 True False True \WINDOWS\system32\winlogon.exe
676 services.exe 0x01000000 True False True \WINDOWS\system32\services.exe
688 lsass.exe 0x01000000 True False True \WINDOWS\system32\lsass.exe
832 vmacthlp.exe 0x00400000 True False True \Program Files\VMware\VMware Tools\vmacthlp.exe
848 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
916 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
964 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
964 svchost.exe 0x02030000 False False False \WINDOWS\system32\stdole2.tlb
1020 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
1148 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
1260 spoolsv.exe 0x01000000 True False True \WINDOWS\system32\spoolsv.exe
1444 VMwareService.e 0x00400000 True False True \Program Files\VMware\VMware Tools\VMwareService.exe
1616 alg.exe 0x01000000 True False True \WINDOWS\system32\alg.exe
1920 wscntfy.exe 0x01000000 True False True \WINDOWS\system32\wscntfy.exe
1956 explorer.exe 0x01000000 True False True \WINDOWS\explorer.exe
184 VMwareTray.exe 0x00400000 True False True \Program Files\VMware\VMware Tools\VMwareTray.exe
192 VMwareUser.exe 0x00400000 True False True \Program Files\VMware\VMware Tools\VMwareUser.exe
228 reader_sl.exe 0x00400000 True False True \Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
400 wuauclt.exe 0x00400000 True False True \WINDOWS\system32\wuauclt.exe
544 cmd.exe 0x4ad00000 True False True \WINDOWS\system32\cmd.exe

Going through this output, nothing is out of the ordinary. The rows with False in every column are either mapped data files (the .fon fonts, stdole2.tlb) or ntdll.dll in the System process, which has no PEB to list it in, and the rows with InInit False are the processes' own executables, which are never in that list. Listing all modules for PID 1956 (explorer.exe), however, turns up a DLL that does not belong: mfc42ul.dll, loaded from \WINDOWS\system32 at base 0x10000000. It is present in all three PEB lists, so it was not hidden by unlinking; what gives it away is its name, one character off from the legitimate Microsoft library mfc42u.dll, and its load address, which is the compiler's default ImageBase rather than the unique preferred base that Windows system DLLs are built with.

 

text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem ldrmodules -p 1956
Volatility Foundation Volatility Framework 2.6
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1956     explorer.exe         0x5ad70000 True   True   True  \WINDOWS\system32\uxtheme.dll
1956     explorer.exe         0x01000000 True   False  True  \WINDOWS\explorer.exe
1956     explorer.exe         0x76b40000 True   True   True  \WINDOWS\system32\winmm.dll
1956     explorer.exe         0x5ba60000 True   True   True  \WINDOWS\system32\themeui.dll
1956     explorer.exe         0x76360000 True   True   True  \WINDOWS\system32\winsta.dll
1956     explorer.exe         0x77c00000 True   True   True  \WINDOWS\system32\version.dll
1956     explorer.exe         0x7d1e0000 True   True   True  \WINDOWS\system32\msi.dll
1956     explorer.exe         0x76e80000 True   True   True  \WINDOWS\system32\rtutils.dll
1956     explorer.exe         0x75f80000 True   True   True  \WINDOWS\system32\browseui.dll
1956     explorer.exe         0x10000000 True   True   True  \WINDOWS\system32\mfc42ul.dll
1956     explorer.exe         0x77120000 True   True   True  \WINDOWS\system32\oleaut32.dll
1956     explorer.exe         0x771b0000 True   True   True  \WINDOWS\system32\wininet.dll
1956     explorer.exe         0x76c90000 True   True   True  \WINDOWS\system32\imagehlp.dll
1956     explorer.exe         0x76fc0000 True   True   True  \WINDOWS\system32\rasadhlp.dll
1956     explorer.exe         0x71ab0000 True   True   True  \WINDOWS\system32\ws2_32.dll
1956     explorer.exe         0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
1956     explorer.exe         0x77a80000 True   True   True  \WINDOWS\system32\crypt32.dll
1956     explorer.exe         0x76f60000 True   True   True  \WINDOWS\system32\wldap32.dll
1956     explorer.exe         0x20000000 True   True   True  \WINDOWS\system32\xpsp2res.dll
1956     explorer.exe         0x71f60000 True   True   True  \WINDOWS\system32\snmpapi.dll
1956     explorer.exe         0x76380000 True   True   True  \WINDOWS\system32\msimg32.dll
1956     explorer.exe         0x773d0000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
2.drv
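The rules used above to read ldrmodules output (main executable never in InInit, System has no PEB, non-module mappings are False everywhere, and only a real image missing from a list is worth escalating) can be encoded so that a full-system run is triaged automatically. The following Python is an added example, not code from the original post or from the Volatility project. Its sample rows are copied from the ldrmodules output on this page, except for the last one, unlinked.dll, which is constructed to show what a genuinely unlinked DLL looks like and is not in the 0zapftis image. Treating a DLL at base 0x10000000 as a weak signal is a heuristic assumption of the example (it is the compiler default, which OS DLLs avoid), not something the page states; the function names are the example's own.

```python
"""Triage Volatility 2 ldrmodules output: separate the expected PEB-list
gaps (main executable, PID 4, mapped data files) from DLLs that really are
missing from one or more of the three PEB lists, and note weak signals.
Added example; not part of the original page or of Volatility."""
import re

# Rows copied from this page's ldrmodules output, plus one CONSTRUCTED row
# (unlinked.dll in PID 1956) that is not from the image and only exists to
# show a genuinely unlinked module.
SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
4        System               0x7c900000 False  False  False \WINDOWS\system32\ntdll.dll
536      smss.exe             0x48580000 True   False  True  \WINDOWS\system32\smss.exe
608      csrss.exe            0x00450000 False  False  False \WINDOWS\Fonts\vgasys.fon
964      svchost.exe          0x02030000 False  False  False \WINDOWS\system32\stdole2.tlb
1956     explorer.exe         0x01000000 True   False  True  \WINDOWS\explorer.exe
1956     explorer.exe         0x5ad70000 True   True   True  \WINDOWS\system32\uxtheme.dll
1956     explorer.exe         0x10000000 True   True   True  \WINDOWS\system32\mfc42ul.dll
1956     explorer.exe         0x00cd0000 False  False  True  \WINDOWS\system32\unlinked.dll
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(True|False)\s+(True|False)\s+(True|False)\s+(.*?)\s*$"
)
IMAGE_EXTS = (".dll", ".exe", ".sys", ".drv", ".ocx", ".cpl")
DEFAULT_DLL_BASE = 0x10000000  # heuristic: MSVC default ImageBase, OS DLLs are not built here
LIST_NAMES = ("InLoad", "InInit", "InMem")


def parse_ldrmodules(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, proc, base, inload, ininit, inmem, path = m.groups()
        rows.append({"pid": int(pid), "process": proc, "base": int(base, 16),
                     "flags": (inload == "True", ininit == "True", inmem == "True"),
                     "path": path})
    return rows


def triage(rows):
    """Return (severity, row, reason) for every row that needs a comment.

    'high' = an image file missing from at least one PEB list (unlinking),
    'low'  = fully linked but tripping a weak heuristic,
    'info' = an expected gap that needs no follow-up.
    """
    findings = []
    for r in rows:
        flags, path = r["flags"], r["path"].lower()
        if all(flags):
            if path.endswith(".dll") and r["base"] == DEFAULT_DLL_BASE:
                findings.append(("low", r, "DLL at the compiler default ImageBase 0x10000000"))
            continue
        if r["pid"] == 4:
            findings.append(("info", r, "System has no PEB, so nothing is listed there"))
        elif path.endswith(".exe") and flags == (True, False, True):
            findings.append(("info", r, "main executable is never in InInit"))
        elif not any(flags) and not path.endswith(IMAGE_EXTS):
            findings.append(("info", r, "mapped data file, not a loaded module"))
        else:
            missing = ", ".join(n for n, f in zip(LIST_NAMES, flags) if not f)
            findings.append(("high", r, "image missing from " + missing))
    return findings


if __name__ == "__main__":
    for severity, row, reason in triage(parse_ldrmodules(SAMPLE)):
        print(f"{severity:4} pid={row['pid']:<5} {row['base']:#010x} {row['path']}  ({reason})")
```

On the page's real output this yields only "info" rows plus the single "low" hit on mfc42ul.dll, which matches the manual reading above: the malicious DLL was not hidden by unlinking, so a tool that only looks for missing list entries would have missed it.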

 

If you want to know which modules the kernel has loaded, the modules and modscan plugins are the tools. modules walks PsLoadedModuleList, the doubly linked list of _LDR_DATA_TABLE_ENTRY structures for kernel modules, and prints each module's name, base address, size and image path. In this dump it shows winsys32.sys at 0xf9eb4000, the start address of \Driver\malware, loaded from \??\C:\WINDOWS\system32\drivers\winsys32.sys. The \??\ prefix means the driver's service ImagePath held an explicit DOS path rather than the \SystemRoot\system32\DRIVERS\ form used by the drivers that ship with Windows; on its own that is only a weak signal (vmmemctl.sys from VMware Tools is loaded the same way), but it is a useful filter when the list is long.

 

text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem modules
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                 Base       Size       File
---------- -------------------- ---------- ---------- ----
0x819fc3a0 ntoskrnl.exe         0x804d7000 0x1f6280   \WINDOWS\system32\ntkrnlpa.exe
0x819fc338 hal.dll              0x806ce000 0x20380    \WINDOWS\system32\hal.dll
0x819fc2d0 kdcom.dll            0xf9e9c000 0x2000     \WINDOWS\system32\KDCOM.DLL
0x819fc260 BOOTVID.dll          0xf9dac000 0x3000     \WINDOWS\system32\BOOTVID.dll
0x819fc1f8 ACPI.sys             0xf986d000 0x2e000    ACPI.sys
0x819fc188 WMILIB.SYS           0xf9e9e000 0x2000     \WINDOWS\system32\DRIVERS\WMILIB.SYS
0x819fc120 pci.sys              0xf985c000 0x11000    pci.sys
0x819fc0b0 isapnp.sys           0xf999c000 0x9000     isapnp.sys
0x819fc040 compbatt.sys         0xf9db0000 0x3000     compbatt.sys
0x819f1008 BATTC.SYS            0xf9db4000 0x4000     \WINDOWS\system32\DRIVERS\BATTC.SYS
0x819f1f98 intelide.sys         0xf9ea0000 0x2000     intelide.sys
0x819f1f28 PCIIDEX.SYS          0xf9c1c000 0x7000     \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0x819f1eb8 MountMgr.sys         0xf99ac000 0xb000     MountMgr.sys
0x819f1e48 ftdisk.sys           0xf983d000 0x1f000    ftdisk.sys
0x819f1dd8 dmload.sys           0xf9ea2000 0x2000     dmload.sys
0x819f1d70 dmio.sys             0xf9817000 0x26000    dmio.sys
0x819f1d00 PartMgr.sys          0xf9c24000 0x5000     PartMgr.sys
0x819f1c90 VolSnap.sys          0xf99bc000 0xd000     VolSnap.sys
0x819f1c28 atapi.sys            0xf97ff000 0x18000    atapi.sys
0x819f1bb8 vmscsi.sys           0xf9db8000 0x3000     vmscsi.sys
0x819f1b48 SCSIPORT.SYS         0xf97e7000 0x18000    \WINDOWS\system32\drivers\SCSIPORT.SYS
0x819f1ae0 disk.sys             0xf99cc000 0x9000     disk.sys
0x819f1a70 CLASSPNP.SYS         0xf99dc000 0xd000     \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0x819f1a00 fltMgr.sys           0xf97c8000 0x1f000    fltMgr.sys
0x819f1998 sr.sys               0xf97b6000 0x12000    sr.sys
0x819f1928 KSecDD.sys           0xf979f000 0x17000    KSecDD.sys
0x819f18c0 Ntfs.sys             0xf9712000 0x8d000    Ntfs.sys
0x819f1858 NDIS.sys             0xf96e5000 0x2d000    NDIS.sys
0x819f17f0 Mup.sys              0xf96ca000 0x1b000    Mup.sys
0x819f1780 agp440.sys           0xf99ec000 0xb000     agp440.sys
0x817af440 i8042prt.sys         0xf9a2c000 0xd000     \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8166b688 kbdclass.sys         0xf9c5c000 0x6000     \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8166b398 vmmouse.sys          0xf9ea4000 0x2000     \SystemRoot\system32\DRIVERS\vmmouse.sys
0x81725c68 mouclass.sys         0xf9c64000 0x6000     \SystemRoot\system32\DRIVERS\mouclass.sys
0x815f5f10 parport.sys          0xf9646000 0x14000    \SystemRoot\system32\DRIVERS\parport.sys
0x815f5660 serial.sys           0xf9a3c000 0x10000    \SystemRoot\system32\DRIVERS\serial.sys
0x818e3b70 serenum.sys          0xf9e40000 0x4000     \SystemRoot\system32\DRIVERS\serenum.sys
0x81646f10 fdc.sys              0xf9c6c000 0x7000     \SystemRoot\system32\DRIVERS\fdc.sys
0x81646cc8 imapi.sys            0xf9a4c000 0xb000     \SystemRoot\system32\DRIVERS\imapi.sys
0x81646a70 cdrom.sys            0xf9a5c000 0xd000     \SystemRoot\system32\DRIVERS\cdrom.sys
0x818e3b00 redbook.sys          0xf9a6c000 0xf000     \SystemRoot\system32\DRIVERS\redbook.sys
0x81646500 ks.sys               0xf9623000 0x23000    \SystemRoot\system32\DRIVERS\ks.sys
0x81646808 vmci.sys             0xf9a7c000 0xc000     \SystemRoot\system32\DRIVERS\vmci.sys
0x81646a00 vmx_svga.sys         0xf9a8c000 0xe000     \SystemRoot\system32\DRIVERS\vmx_svga.sys
0x8163dbd8 VIDEOPRT.SYS         0xf960f000 0x14000    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0x8163dcd8 usbuhci.sys          0xf9c74000 0x5000     \SystemRoot\system32\DRIVERS\usbuhci.sys
0x814d0de0 USBPORT.SYS          0xf95ec000 0x23000    \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x81725df8 vmxnet.sys           0xf9c7c000 0x8000     \SystemRoot\system32\DRIVERS\vmxnet.sys
0x814cf138 es1371mp.sys         0xf9a9c000 0xa000     \SystemRoot\system32\drivers\es1371mp.sys
0x8163d128 portcls.sys          0xf95c8000 0x24000    \SystemRoot\system32\drivers\portcls.sys
0x8160bfa0 drmk.sys             0xf9aac000 0xf000     \SystemRoot\system32\drivers\drmk.sys
0x814d0bc8 usbehci.sys          0xf9c84000 0x7000     \SystemRoot\system32\DRIVERS\usbehci.sys
0x8160bf30 CmBatt.sys           0xf9e48000 0x4000     \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8160bda0 intelppm.sys         0xf9abc000 0x9000     \SystemRoot\system32\DRIVERS\intelppm.sys
0x8160bb90 audstub.sys          0xfa0ee000 0x1000     \SystemRoot\system32\DRIVERS\audstub.sys
0x8192a418 rasl2tp.sys          0xf9acc000 0xd000     \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8192a2b0 ndistapi.sys         0xf9e4c000 0x3000     \SystemRoot\system32\DRIVERS\ndistapi.sys
0x814d08c0 ndiswan.sys          0xf95b1000 0x17000    \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8192a240 raspppoe.sys         0xf9adc000 0xb000     \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8192a1d0 raspptp.sys          0xf9aec000 0xc000     \SystemRoot\system32\DRIVERS\raspptp.sys
0x8160b1a0 TDI.SYS              0xf9c8c000 0x5000     \SystemRoot\system32\DRIVERS\TDI.SYS
0x81929a58 psched.sys           0xf94d8000 0x11000    \SystemRoot\system32\DRIVERS\psched.sys
0x8148d908 msgpc.sys            0xf9afc000 0x9000     \SystemRoot\system32\DRIVERS\msgpc.sys
0x81652398 ptilink.sys          0xf9c94000 0x5000     \SystemRoot\system32\DRIVERS\ptilink.sys
0x816736c0 raspti.sys           0xf9c9c000 0x5000     \SystemRoot\system32\DRIVERS\raspti.sys
0x8148d0d0 rdpdr.sys            0xf94a7000 0x31000    \SystemRoot\system32\DRIVERS\rdpdr.sys
0x8164d138 termdd.sys           0xf9b0c000 0xa000     \SystemRoot\system32\DRIVERS\termdd.sys
0x81941e78 swenum.sys           0xf9ea6000 0x2000     \SystemRoot\system32\DRIVERS\swenum.sys
0x81708d20 update.sys           0xf9473000 0x34000    \SystemRoot\system32\DRIVERS\update.sys
0x8148d230 mssmbios.sys         0xf9e6c000 0x4000     \SystemRoot\system32\DRIVERS\mssmbios.sys
0x81708150 NDProxy.SYS          0xf9b1c000 0xa000     \SystemRoot\System32\Drivers\NDProxy.SYS
0x81708dc0 flpydisk.sys         0xf9ca4000 0x5000     \SystemRoot\system32\DRIVERS\flpydisk.sys
0x818e5f70 usbhub.sys           0xf9b3c000 0xf000     \SystemRoot\system32\DRIVERS\usbhub.sys
0x8189ec78 USBD.SYS             0xf9ea8000 0x2000     \SystemRoot\system32\DRIVERS\USBD.SYS
0x818e5958 gameenum.sys         0xf9e94000 0x3000     \SystemRoot\system32\DRIVERS\gameenum.sys
0x817a8668 Fs_Rec.SYS           0xf9eaa000 0x2000     \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8189e258 Null.SYS             0xf9fcf000 0x1000     \SystemRoot\System32\Drivers\Null.SYS
0x8189e058 Beep.SYS             0xf9eac000 0x2000     \SystemRoot\System32\Drivers\Beep.SYS
0x8190be80 vga.sys              0xf9cb4000 0x6000     \SystemRoot\System32\drivers\vga.sys
0x8190bc80 mnmdd.SYS            0xf9eae000 0x2000     \SystemRoot\System32\Drivers\mnmdd.SYS
0x8161a090 RDPCDD.sys           0xf9eb0000 0x2000     \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8190b868 Msfs.SYS             0xf9cbc000 0x5000     \SystemRoot\System32\Drivers\Msfs.SYS
0x8190b638 Npfs.SYS             0xf9cc4000 0x8000     \SystemRoot\System32\Drivers\Npfs.SYS
0x817a5ba8 rasacd.sys           0xf9689000 0x3000     \SystemRoot\system32\DRIVERS\rasacd.sys
0x8190b260 ipsec.sys            0xf1218000 0x13000    \SystemRoot\system32\DRIVERS\ipsec.sys
0x8180cfa0 tcpip.sys            0xf11c0000 0x58000    \SystemRoot\system32\DRIVERS\tcpip.sys
0x8180ccb0 netbt.sys            0xf1198000 0x28000    \SystemRoot\system32\DRIVERS\netbt.sys
0x816143a0 ws2ifsl.sys          0xf9685000 0x3000     \SystemRoot\System32\drivers\ws2ifsl.sys
0x8180c7a8 afd.sys              0xf114e000 0x22000    \SystemRoot\System32\drivers\afd.sys
0x81480630 netbios.sys          0xf9b4c000 0x9000     \SystemRoot\system32\DRIVERS\netbios.sys
0x816ff3a0 vmhgfs.sys           0xf1132000 0x1c000    \SystemRoot\System32\DRIVERS\vmhgfs.sys
0x817eba60 rdbss.sys            0xf1106000 0x2c000    \SystemRoot\system32\DRIVERS\rdbss.sys
0x81921300 mrxsmb.sys           0xf1097000 0x6f000    \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8177f228 winsys32.sys         0xf9eb4000 0x2000     \??\C:\WINDOWS\system32\drivers\winsys32.sys
0x817eb2c0 Fips.SYS             0xf9b6c000 0x9000     \SystemRoot\System32\Drivers\Fips.SYS
0x817eb0f0 ipnat.sys            0xf1076000 0x21000    \SystemRoot\system32\DRIVERS\ipnat.sys
0x815bb120 wanarp.sys           0xf9b7c000 0x9000     \SystemRoot\system32\DRIVERS\wanarp.sys
0x817ae590 Cdfs.SYS             0xf9b9c000 0x10000    \SystemRoot\System32\Drivers\Cdfs.SYS
0x817980d8 usbccgp.sys          0xf9cd4000 0x8000     \SystemRoot\system32\DRIVERS\usbccgp.sys
0x818a21c8 hidusb.sys           0xf959d000 0x3000     \SystemRoot\system32\DRIVERS\hidusb.sys
0x819264c8 HIDCLASS.SYS         0xf9bac000 0x9000     \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x81925280 HIDPARSE.SYS         0xf9cdc000 0x7000     \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8180a0e8 mouhid.sys           0xf9599000 0x3000     \SystemRoot\system32\DRIVERS\mouhid.sys
0x817220e0 dump_scsiport.sys    0xf9595000 0x4000     \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8171fa20 dump_vmscsi.sys      0xf9591000 0x3000     \SystemRoot\System32\Drivers\dump_vmscsi.sys
0x813d0918 win32k.sys           0xbf800000 0x1c1000   \SystemRoot\System32\win32k.sys
0x81642890 watchdog.sys         0xf9ce4000 0x5000     \SystemRoot\System32\watchdog.sys
0x818a3f60 Dxapi.sys            0xf946f000 0x3000     \SystemRoot\System32\drivers\Dxapi.sys
0x8189b008 dxg.sys              0xbf9c1000 0x12000    \SystemRoot\System32\drivers\dxg.sys
0x819474e8 dxgthk.sys           0xfa00f000 0x1000     \SystemRoot\System32\drivers\dxgthk.sys
0x815b6310 vmx_fb.dll           0xbf9d3000 0x29000    \SystemRoot\System32\vmx_fb.dll
0x8183c260 ndisuio.sys          0xf0eb2000 0x4000     \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8181b898 mrxdav.sys           0xf0cd9000 0x2d000    \SystemRoot\system32\DRIVERS\mrxdav.sys
0x815ba4e8 ParVdm.SYS           0xf9ec6000 0x2000     \SystemRoot\System32\Drivers\ParVdm.SYS
0x81796b38 vmmemctl.sys         0xf9ec8000 0x2000     \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x81720b58 srv.sys              0xf0c5e000 0x53000    \SystemRoot\system32\DRIVERS\srv.sys
0x8187ea58 wdmaud.sys           0xf0a41000 0x15000    \SystemRoot\system32\drivers\wdmaud.sys
0x816cb5b8 sysaudio.sys         0xf0ad6000 0xf000     \SystemRoot\system32\drivers\sysaudio.sys
0x8181af08 kmixer.sys           0xf09cc000 0x2a000    \SystemRoot\system32\drivers\kmixer.sys
0x81783008 HTTP.sys             0xf07f3000 0x41000    \SystemRoot\System32\Drivers\HTTP.sys

 

If a driver has unlinked its entry from that list, the modules plugin will not find it. The modscan plugin instead scans physical memory for the pool tag of kernel module entries (MmLd) and reports every _LDR_DATA_TABLE_ENTRY it can carve, linked or not. Because it relies on carving, it also turns up stale entries for drivers that have since unloaded, whose pool memory may already be partly reused: in the output below splitter.sys, DMusic.sys and drmkaud.sys appear with garbage or partly overwritten file paths, which is what such leftovers look like, not a sign of hiding. The useful test is therefore the set difference: entries that modscan finds, that modules does not list, and that still carry a plausible image path.
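That set difference, plus the two correlations used earlier in this analysis (which module file sits at a driver object's start address, and which modules were loaded from a \??\ DOS path), are easy to script once the three plugin outputs are saved to text. The Python below is an added example, not code from the original post or from the Volatility project. Its sample rows are a subset copied from the modules, modscan and driverscan output on this page, with the unprintable characters in the two stale modscan entries dropped; the function names and the "looks stale" heuristic (a carved entry whose File field is not a \-rooted path ending in a module extension) are the example's own.

```python
"""Cross-check Volatility 2 kernel-module views: modscan (pool scan) against
modules (PsLoadedModuleList walk) to separate unlinked from stale entries,
driverscan against the module list to name the file behind each driver
object, and a filter for drivers loaded from an explicit DOS path.
Added example; not part of the original page or of Volatility."""
import re

# Subsets of this page's output for the 0zapftis image. Offsets, bases,
# sizes and paths are as printed there.
MODULES = r"""
0x819f18c0 Ntfs.sys             0xf9712000 0x8d000    Ntfs.sys
0x8166b688 kbdclass.sys         0xf9c5c000 0x6000     \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8177f228 winsys32.sys         0xf9eb4000 0x2000     \??\C:\WINDOWS\system32\drivers\winsys32.sys
0x81796b38 vmmemctl.sys         0xf9ec8000 0x2000     \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x8187ea58 wdmaud.sys           0xf0a41000 0x15000    \SystemRoot\system32\drivers\wdmaud.sys
"""
MODSCAN = r"""
0x000000000186b688 kbdclass.sys         0xf9c5c000 0x6000     \SystemRoot\system32\DRIVERS\kbdclass.sys
0x00000000018d90a8 splitter.sys         0xf9f14000 0x2000     \REGISTRY\MACHINE\SYSTEM\ControlSet00
0x000000000197f228 winsys32.sys         0xf9eb4000 0x2000     \??\C:\WINDOWS\system32\drivers\winsys32.sys
0x0000000001996b38 vmmemctl.sys         0xf9ec8000 0x2000     \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x00000000019eca78 DMusic.sys           0xf0aa6000 0xd000     fbb6e3f-ccfe-4d84-90d9-421418b03a8e}
0x0000000001a7ea58 wdmaud.sys           0xf0a41000 0x15000    \SystemRoot\system32\drivers\wdmaud.sys
"""
DRIVERSCAN = r"""
0x00000000016bf548 4 0 0xf9712000 0x8c480 Ntfs Ntfs \FileSystem\Ntfs
0x00000000019e6b40 4 0 0xf9c5c000 0x6000 Kbdclass Kbdclass \Driver\Kbdclass
0x0000000001a498b8 3 0 0xf9eb4000 0x1500 malware malware \Driver\malware
0x0000000001beaef8 5 0 0x00000000 0x0 RAW \FileSystem\RAW
"""

# modules and modscan share a layout: offset, name, base, size, file path.
MOD_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*(.*?)\s*$")
# driverscan: offset, #Ptr, #Hnd, start, size, then service key / name / driver name.
DRV_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s*$")
IMAGE_EXTS = (".sys", ".dll", ".exe")


def parse_modules(text):
    out = []
    for line in text.splitlines():
        m = MOD_RE.match(line)
        if m:
            off, name, base, size, path = m.groups()
            out.append({"offset": int(off, 16), "name": name, "base": int(base, 16),
                        "size": int(size, 16), "file": path})
    return out


def parse_driverscan(text):
    out = []
    for line in text.splitlines():
        m = DRV_RE.match(line)
        if m:
            off, start, size, rest = m.groups()
            tokens = rest.split()  # the driver name is always the last token
            out.append({"offset": int(off, 16), "start": int(start, 16), "size": int(size, 16),
                        "driver": tokens[-1], "service": tokens[0] if len(tokens) > 1 else ""})
    return out


def looks_stale(entry):
    """A live _LDR_DATA_TABLE_ENTRY names an image file; reused pool usually does not."""
    f = entry["file"]
    return not f.startswith("\\") or not f.lower().endswith(IMAGE_EXTS)


def compare_module_views(modules_text, modscan_text):
    """Split modscan-only entries into 'hidden' (plausible path, worth a look)
    and 'stale' (garbage path, almost certainly an unloaded driver)."""
    linked = {m["base"] for m in parse_modules(modules_text)}
    hidden, stale = [], []
    for m in parse_modules(modscan_text):
        if m["base"] in linked:
            continue
        (stale if looks_stale(m) else hidden).append(m["name"])
    return {"hidden": hidden, "stale": stale}


def backing_modules(driverscan_text, modules_text):
    """Driver object name -> file of the module loaded at its start address, or None."""
    by_base = {m["base"]: m for m in parse_modules(modules_text)}
    return {d["driver"]: (by_base[d["start"]]["file"] if d["start"] in by_base else None)
            for d in parse_driverscan(driverscan_text)}


def absolute_path_loads(modules_text):
    """Modules whose image path is a \\??\\ DOS path instead of \\SystemRoot\\...,
    i.e. the service's ImagePath named an explicit location. Weak signal only."""
    return [m["name"] for m in parse_modules(modules_text) if m["file"].startswith("\\??\\")]


if __name__ == "__main__":
    print(compare_module_views(MODULES, MODSCAN))
    for drv, f in backing_modules(DRIVERSCAN, MODULES).items():
        print(f"{drv:<22} -> {f}")
    print("loaded from DOS path:", absolute_path_loads(MODULES))
```

With the page's full output the "hidden" list is empty, the "stale" list holds the three audio drivers, and \Driver\malware resolves to \??\C:\WINDOWS\system32\drivers\winsys32.sys, which is the on-disk artifact to collect next.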

 

text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem modscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                 Base       Size       File
------------------ -------------------- ---------- ---------- ----
0x00000000015d0918 win32k.sys           0xbf800000 0x1c1000   \SystemRoot\System32\win32k.sys
0x0000000001680630 netbios.sys          0xf9b4c000 0x9000     \SystemRoot\system32\DRIVERS\netbios.sys
0x000000000168d0d0 rdpdr.sys            0xf94a7000 0x31000    \SystemRoot\system32\DRIVERS\rdpdr.sys
0x000000000168d230 mssmbios.sys         0xf9e6c000 0x4000     \SystemRoot\system32\DRIVERS\mssmbios.sys
0x000000000168d908 msgpc.sys            0xf9afc000 0x9000     \SystemRoot\system32\DRIVERS\msgpc.sys
0x00000000016cf138 es1371mp.sys         0xf9a9c000 0xa000     \SystemRoot\system32\drivers\es1371mp.sys
0x00000000016d08c0 ndiswan.sys          0xf95b1000 0x17000    \SystemRoot\system32\DRIVERS\ndiswan.sys
0x00000000016d0bc8 usbehci.sys          0xf9c84000 0x7000     \SystemRoot\system32\DRIVERS\usbehci.sys
0x00000000016d0de0 USBPORT.SYS          0xf95ec000 0x23000    \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x00000000017b6310 vmx_fb.dll           0xbf9d3000 0x29000    \SystemRoot\System32\vmx_fb.dll
0x00000000017ba4e8 ParVdm.SYS           0xf9ec6000 0x2000     \SystemRoot\System32\Drivers\ParVdm.SYS
0x00000000017bb120 wanarp.sys           0xf9b7c000 0x9000     \SystemRoot\system32\DRIVERS\wanarp.sys
0x00000000017f5660 serial.sys           0xf9a3c000 0x10000    \SystemRoot\system32\DRIVERS\serial.sys
0x00000000017f5f10 parport.sys          0xf9646000 0x14000    \SystemRoot\system32\DRIVERS\parport.sys
0x000000000180b1a0 TDI.SYS              0xf9c8c000 0x5000     \SystemRoot\system32\DRIVERS\TDI.SYS
0x000000000180bb90 audstub.sys          0xfa0ee000 0x1000     \SystemRoot\system32\DRIVERS\audstub.sys
0x000000000180bda0 intelppm.sys         0xf9abc000 0x9000     \SystemRoot\system32\DRIVERS\intelppm.sys
0x000000000180bf30 CmBatt.sys           0xf9e48000 0x4000     \SystemRoot\system32\DRIVERS\CmBatt.sys
0x000000000180bfa0 drmk.sys             0xf9aac000 0xf000     \SystemRoot\system32\drivers\drmk.sys
0x00000000018143a0 ws2ifsl.sys          0xf9685000 0x3000     \SystemRoot\System32\drivers\ws2ifsl.sys
0x000000000181a090 RDPCDD.sys           0xf9eb0000 0x2000     \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x000000000183d128 portcls.sys          0xf95c8000 0x24000    \SystemRoot\system32\drivers\portcls.sys
0x000000000183dbd8 VIDEOPRT.SYS         0xf960f000 0x14000    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0x000000000183dcd8 usbuhci.sys          0xf9c74000 0x5000     \SystemRoot\system32\DRIVERS\usbuhci.sys
0x0000000001842890 watchdog.sys         0xf9ce4000 0x5000     \SystemRoot\System32\watchdog.sys
0x0000000001846500 ks.sys               0xf9623000 0x23000    \SystemRoot\system32\DRIVERS\ks.sys
0x0000000001846808 vmci.sys             0xf9a7c000 0xc000     \SystemRoot\system32\DRIVERS\vmci.sys
0x0000000001846a00 vmx_svga.sys         0xf9a8c000 0xe000     \SystemRoot\system32\DRIVERS\vmx_svga.sys
0x0000000001846a70 cdrom.sys            0xf9a5c000 0xd000     \SystemRoot\system32\DRIVERS\cdrom.sys
0x0000000001846cc8 imapi.sys            0xf9a4c000 0xb000     \SystemRoot\system32\DRIVERS\imapi.sys
0x0000000001846f10 fdc.sys              0xf9c6c000 0x7000     \SystemRoot\system32\DRIVERS\fdc.sys
0x000000000184d138 termdd.sys           0xf9b0c000 0xa000     \SystemRoot\system32\DRIVERS\termdd.sys
0x0000000001852398 ptilink.sys          0xf9c94000 0x5000     \SystemRoot\system32\DRIVERS\ptilink.sys
0x000000000186b398 vmmouse.sys          0xf9ea4000 0x2000     \SystemRoot\system32\DRIVERS\vmmouse.sys
0x000000000186b688 kbdclass.sys         0xf9c5c000 0x6000     \SystemRoot\system32\DRIVERS\kbdclass.sys
0x00000000018736c0 raspti.sys           0xf9c9c000 0x5000     \SystemRoot\system32\DRIVERS\raspti.sys
0x00000000018cb5b8 sysaudio.sys         0xf0ad6000 0xf000     \SystemRoot\system32\drivers\sysaudio.sys
0x00000000018d90a8 splitter.sys         0xf9f14000 0x2000     ⏨ረ\REGISTRY\MACHINE\SYSTEM\ControlSet00
0x00000000018ff3a0 vmhgfs.sys           0xf1132000 0x1c000    \SystemRoot\System32\DRIVERS\vmhgfs.sys
0x0000000001908150 NDProxy.SYS          0xf9b1c000 0xa000     \SystemRoot\System32\Drivers\NDProxy.SYS
0x0000000001908d20 update.sys           0xf9473000 0x34000    \SystemRoot\system32\DRIVERS\update.sys
0x0000000001908dc0 flpydisk.sys         0xf9ca4000 0x5000     \SystemRoot\system32\DRIVERS\flpydisk.sys
0x000000000191fa20 dump_vmscsi.sys      0xf9591000 0x3000     \SystemRoot\System32\Drivers\dump_vmscsi.sys
0x0000000001920b58 srv.sys              0xf0c5e000 0x53000    \SystemRoot\system32\DRIVERS\srv.sys
0x00000000019220e0 dump_scsiport.sys    0xf9595000 0x4000     \SystemRoot\System32\Drivers\dump_diskdump.sys
0x0000000001925c68 mouclass.sys         0xf9c64000 0x6000     \SystemRoot\system32\DRIVERS\mouclass.sys
0x0000000001925df8 vmxnet.sys           0xf9c7c000 0x8000     \SystemRoot\system32\DRIVERS\vmxnet.sys
0x000000000197f228 winsys32.sys         0xf9eb4000 0x2000     \??\C:\WINDOWS\system32\drivers\winsys32.sys
0x0000000001983008 HTTP.sys             0xf07f3000 0x41000    \SystemRoot\System32\Drivers\HTTP.sys
0x0000000001996b38 vmmemctl.sys         0xf9ec8000 0x2000     \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x00000000019980d8 usbccgp.sys          0xf9cd4000 0x8000     \SystemRoot\system32\DRIVERS\usbccgp.sys
0x00000000019a5ba8 rasacd.sys           0xf9689000 0x3000     \SystemRoot\system32\DRIVERS\rasacd.sys
0x00000000019a8668 Fs_Rec.SYS           0xf9eaa000 0x2000     \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x00000000019ae590 Cdfs.SYS             0xf9b9c000 0x10000    \SystemRoot\System32\Drivers\Cdfs.SYS
0x00000000019af440 i8042prt.sys         0xf9a2c000 0xd000     \SystemRoot\system32\DRIVERS\i8042prt.sys
0x00000000019eb0f0 ipnat.sys            0xf1076000 0x21000    \SystemRoot\system32\DRIVERS\ipnat.sys
0x00000000019eb2c0 Fips.SYS             0xf9b6c000 0x9000     \SystemRoot\System32\Drivers\Fips.SYS
0x00000000019eba60 rdbss.sys            0xf1106000 0x2c000    \SystemRoot\system32\DRIVERS\rdbss.sys
0x00000000019eca78 DMusic.sys           0xf0aa6000 0xd000     fbb6e3f-ccfe-4d84-90d9-421418b03a8e}
0x0000000001a0a0e8 mouhid.sys           0xf9599000 0x3000     \SystemRoot\system32\DRIVERS\mouhid.sys
0x0000000001a0c7a8 afd.sys              0xf114e000 0x22000    \SystemRoot\System32\drivers\afd.sys
0x0000000001a0ccb0 netbt.sys            0xf1198000 0x28000    \SystemRoot\system32\DRIVERS\netbt.sys
0x0000000001a0cfa0 tcpip.sys            0xf11c0000 0x58000    \SystemRoot\system32\DRIVERS\tcpip.sys
0x0000000001a1af08 kmixer.sys           0xf09cc000 0x2a000    \SystemRoot\system32\drivers\kmixer.sys
0x0000000001a1b898 mrxdav.sys           0xf0cd9000 0x2d000    \SystemRoot\system32\DRIVERS\mrxdav.sys
0x0000000001a3c260 ndisuio.sys          0xf0eb2000 0x4000     \SystemRoot\system32\DRIVERS\ndisuio.sys
0x0000000001a7ea58 wdmaud.sys           0xf0a41000 0x15000    \SystemRoot\system32\drivers\wdmaud.sys
0x0000000001a8b498 drmkaud.sys          0xf9f9c000 0x1000     衘ystemRoot\system32\drivers\drmkaud.sys
0x0000000001a9b008 dxg.sys              0xbf9c1000 0x12000    \SystemRoot\System32\drivers\dxg.sys
0x0000000001a9e058 Beep.SYS             0xf9eac000 0x2000     \SystemRoot\System32\Drivers\Beep.SYS
0x0000000001a9e258 Null.SYS             0xf9fcf000 0x1000     \SystemRoot\System32\Drivers\Null.SYS
0x0000000001a9ec78 USBD.SYS             0xf9ea8000 0x2000     \SystemRoot\system32\DRIVERS\USBD.SYS
0x0000000001aa21c8 hidusb.sys           0xf959d000 0x3000     \SystemRoot\system32\DRIVERS\hidusb.sys
0x0000000001aa3f60 Dxapi.sys            0xf946f000 0x3000     \SystemRoot\System32\drivers\Dxapi.sys
0x0000000001ae3b00 redbook.sys          0xf9a6c000 0xf000     \SystemRoot\system32\DRIVERS\redbook.sys
0x0000000001ae3b70 serenum.sys          0xf9e40000 0x4000     \SystemRoot\system32\DRIVERS\serenum.sys
0x0000000001ae5958 gameenum.sys         0xf9e94000 0x3000     \SystemRoot\system32\DRIVERS\gameenum.sys
0x0000000001ae5f70 usbhub.sys           0xf9b3c000 0xf000     \SystemRoot\system32\DRIVERS\usbhub.sys
0x0000000001b0b260 ipsec.sys            0xf1218000 0x13000    \SystemRoot\system32\DRIVERS\ipsec.sys
0x0000000001b0b638 Npfs.SYS             0xf9cc4000 0x8000     \SystemRoot\System32\Drivers\Npfs.SYS
0x0000000001b0b868 Msfs.SYS             0xf9cbc000 0x5000     \SystemRoot\System32\Drivers\Msfs.SYS
0x0000000001b0bc80 mnmdd.SYS            0xf9eae000 0x2000     \SystemRoot\System32\Drivers\mnmdd.SYS
0x0000000001b0be80 vga.sys              0xf9cb4000 0x6000     \SystemRoot\System32\drivers\vga.sys
0x0000000001b21300 mrxsmb.sys           0xf1097000 0x6f000    \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0000000001b25280 HIDPARSE.SYS         0xf9cdc000 0x7000     \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x0000000001b264c8 HIDCLASS.SYS         0xf9bac000 0x9000     \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x0000000001b29a58 psched.sys           0xf94d8000 0x11000
\SystemRoot\system32\DRIVERS\psched.sys 0x0000000001b2a1d0 raspptp.sys 0xf9aec000 0xc000 \SystemRoot\system32\DRIVERS\raspptp.sys 0x0000000001b2a240 raspppoe.sys 0xf9adc000 0xb000 \SystemRoot\system32\DRIVERS\raspppoe.sys 0x0000000001b2a2b0 ndistapi.sys 0xf9e4c000 0x3000 \SystemRoot\system32\DRIVERS\ndistapi.sys 0x0000000001b2a418 rasl2tp.sys 0xf9acc000 0xd000 \SystemRoot\system32\DRIVERS\rasl2tp.sys 0x0000000001b402d0 swmidi.sys 0xf0ab6000 0xe000 耈fbb6e3f-ccfe-4d84-90d9-421418b03a8e} 0x0000000001b41e78 swenum.sys 0xf9ea6000 0x2000 \SystemRoot\system32\DRIVERS\swenum.sys 0x0000000001b474e8 dxgthk.sys 0xfa00f000 0x1000 \SystemRoot\System32\drivers\dxgthk.sys 0x0000000001bf1008 BATTC.SYS 0xf9db4000 0x4000 \WINDOWS\system32\DRIVERS\BATTC.SYS 0x0000000001bf1780 agp440.sys 0xf99ec000 0xb000 agp440.sys 0x0000000001bf17f0 Mup.sys 0xf96ca000 0x1b000 Mup.sys 0x0000000001bf1858 NDIS.sys 0xf96e5000 0x2d000 NDIS.sys 0x0000000001bf18c0 Ntfs.sys 0xf9712000 0x8d000 Ntfs.sys 0x0000000001bf1928 KSecDD.sys 0xf979f000 0x17000 KSecDD.sys 0x0000000001bf1998 sr.sys 0xf97b6000 0x12000 sr.sys 0x0000000001bf1a00 fltMgr.sys 0xf97c8000 0x1f000 fltMgr.sys 0x0000000001bf1a70 CLASSPNP.SYS 0xf99dc000 0xd000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS 0x0000000001bf1ae0 disk.sys 0xf99cc000 0x9000 disk.sys 0x0000000001bf1b48 SCSIPORT.SYS 0xf97e7000 0x18000 \WINDOWS\system32\drivers\SCSIPORT.SYS 0x0000000001bf1bb8 vmscsi.sys 0xf9db8000 0x3000 vmscsi.sys 0x0000000001bf1c28 atapi.sys 0xf97ff000 0x18000 atapi.sys 0x0000000001bf1c90 VolSnap.sys 0xf99bc000 0xd000 VolSnap.sys 0x0000000001bf1d00 PartMgr.sys 0xf9c24000 0x5000 PartMgr.sys 0x0000000001bf1d70 dmio.sys 0xf9817000 0x26000 dmio.sys 0x0000000001bf1dd8 dmload.sys 0xf9ea2000 0x2000 dmload.sys 0x0000000001bf1e48 ftdisk.sys 0xf983d000 0x1f000 ftdisk.sys 0x0000000001bf1eb8 MountMgr.sys 0xf99ac000 0xb000 MountMgr.sys 0x0000000001bf1f28 PCIIDEX.SYS 0xf9c1c000 0x7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS 0x0000000001bf1f98 intelide.sys 0xf9ea0000 0x2000 
intelide.sys 0x0000000001bfc040 compbatt.sys 0xf9db0000 0x3000 compbatt.sys 0x0000000001bfc0b0 isapnp.sys 0xf999c000 0x9000 isapnp.sys 0x0000000001bfc120 pci.sys 0xf985c000 0x11000 pci.sys 0x0000000001bfc188 WMILIB.SYS 0xf9e9e000 0x2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS 0x0000000001bfc1f8 ACPI.sys 0xf986d000 0x2e000 ACPI.sys 0x0000000001bfc260 BOOTVID.dll 0xf9dac000 0x3000 \WINDOWS\system32\BOOTVID.dll 0x0000000001bfc2d0 kdcom.dll 0xf9e9c000 0x2000 \WINDOWS\system32\KDCOM.DLL 0x0000000001bfc338 hal.dll 0x806ce000 0x20380 \WINDOWS\system32\hal.dll 0x0000000001bfc3a0 ntoskrnl.exe 0x804d7000 0x1f6280 \WINDOWS\system32\ntkrnlpa.exe

Summary of Analysis

The Volatility plugins used in this step revealed important clues about the infection. It is now known that a covert communication channel was in use by a process or thread hidden in, or injected into, PID 1956 (explorer.exe). It was also discovered that a malicious driver had been loaded from the Windows System32 directory.
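As an added triage example (not code from the original post or from Volatility), the following Python parses rows in the modscan layout shown above and flags modules whose File column is not a \SystemRoot or \WINDOWS path. The rows embedded below are copied from the output above; the expected-path prefixes and the reason strings are assumptions a defender would tune for their own build.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Module(NamedTuple):
    offset: int   # Offset(P): physical offset of the pool entry
    name: str
    base: int     # load address: the value moddump takes with -b
    size: int
    path: str     # File column: a bare name, a full path, or stale/garbled pool data


# One modscan row: Offset(P)  Name  Base  Size  File (File may contain spaces or be empty).
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*(.*)$", re.I)


def parse_modscan(text: str) -> List[Module]:
    """Turn modscan's text table into records; header and separator lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mods.append(Module(int(m[1], 16), m[2], int(m[3], 16), int(m[4], 16), m[5].strip()))
    return mods


# Where drivers loaded through the normal boot/service path are expected to live (assumption).
EXPECTED_PREFIXES = ("\\systemroot\\", "\\windows\\")


def unusual_path_reason(path: str) -> Optional[str]:
    """Why a File column deserves attention, or None when it looks routine."""
    if "\\" not in path:
        # Boot-start drivers carry only a bare file name (e.g. Ntfs.sys); anything else
        # without a path is stale or overwritten pool data rather than a module path.
        if path.lower().endswith((".sys", ".dll", ".exe")):
            return None
        return "no usable path (stale or garbled pool entry)"
    p = path.lower()
    if p.startswith("\\??\\"):
        # An absolute NT path is typical of a service ImagePath, which is how winsys32.sys
        # was registered; legitimate third-party drivers (vmmemctl.sys) look the same, so triage.
        return "absolute \\??\\ path rather than \\SystemRoot"
    if not p.startswith(EXPECTED_PREFIXES):
        return "path outside the system directory, or a stale/garbled pool entry"
    return None


def flag_unusual(mods: List[Module]) -> List[Tuple[Module, str]]:
    """Return (module, reason) for every module whose path is worth a closer look."""
    hits = []
    for m in mods:
        reason = unusual_path_reason(m.path)
        if reason:
            hits.append((m, reason))
    return hits


# Sample rows copied from the modscan output above.
SAMPLE = r"""
Offset(P)          Name                 Base       Size       File
------------------ -------------------- ---------- ---------- ----
0x0000000001680630 netbios.sys          0xf9b4c000 0x9000     \SystemRoot\system32\DRIVERS\netbios.sys
0x000000000197f228 winsys32.sys         0xf9eb4000 0x2000     \??\C:\WINDOWS\system32\drivers\winsys32.sys
0x0000000001996b38 vmmemctl.sys         0xf9ec8000 0x2000     \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x0000000001bf1008 BATTC.SYS            0xf9db4000 0x4000     \WINDOWS\system32\DRIVERS\BATTC.SYS
0x0000000001bf18c0 Ntfs.sys             0xf9712000 0x8d000    Ntfs.sys
0x0000000001bfc3a0 ntoskrnl.exe         0x804d7000 0x1f6280   \WINDOWS\system32\ntkrnlpa.exe
"""

if __name__ == "__main__":
    for mod, reason in flag_unusual(parse_modscan(SAMPLE)):
        print(f"{mod.name:<14} base=0x{mod.base:08x} size=0x{mod.size:x}  {reason}")
```

The base address printed for a hit is what the moddump command later in the post takes with -b.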


Looking For Evidence of Code Injection

A plugin that may come in handy in detecting malicious code that has been injected into a process is malfind. As attackers seek to evade endpoint protection systems, they will often inject malicious code directly into the process space of an otherwise benign process. This keeps their malicious code from being written to disk, where it is more likely to be scanned by antivirus or other endpoint defenses. The malfind plugin is designed to help you detect such injected code. If memory address offsets are specified, they must be physical memory addresses.


The following command was used to attempt to find and dump injected code associated with PID 1956 (explorer.exe).


```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem malfind -p 1956 -o 0x15bcda0 --dump-dir=malfind
```


The command found no indication of injected code: it produced no output and no dumped file. The following command was then run at large against the entire memory image to detect whether other processes had been hijacked via code injection.

 

```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem malfind --dump-dir=malfind
```


This command succeeded in dumping 10 .dmp files from memory. However, looking only at the textual output generated by the malfind plugin, no indication of maliciously injected code was found. The ten files were afterwards scanned using prominent anti-virus scanners, and no indication of infection was found.


Memory is allocated in units known as pages. Although pages may vary in size from system to system, 4,096 bytes is a common value. The concept of a page is like a cluster on disk, in that a page is the smallest unit that can be allocated in memory and a cluster is typically the smallest unit on disk that can be allocated by the operating system. Each page must be provided with permissions indicating whether the data contained within it can be read, executed, or written. DLLs are typically loaded with permissions indicating that they can be read, but if they are written to, a new copy must be made and the changes made only on that copy (copy on write). This allows multiple processes to share a single instance of a DLL in memory, but if one of the processes attempts to make a change to that DLL it must copy its own instance of the DLL into its process memory space before it is allowed to make changes. This avoids one process modifying code that may be in use by other processes in the case of a shared DLL. 


For malicious code to be injected into the memory space of a running process, the page holding that memory must allow new code to be written to it. For the code to then be of any use to the attacker, it must be readable and executable as well. Normally, if a page of memory contains executable code, that code will have been loaded into memory from disk, so the code in the page is backed by a file on disk, and the location from which it was loaded is recorded in RAM. When a page is marked with read, write, and execute permissions, but there is no associated file on disk to explain where that code came from, that is indicative of code having been injected into the process maliciously. The malfind plugin automates the detection of pages that are marked with read, write, and execute permissions and are not backed by a file on disk.


Although the plugin helps identify potentially suspicious pages within a process's memory, it is up to you to complete the analysis and confirm that the pages discovered contain executable code. One of the easiest ways to identify executable code is by the presence of the MZ header at the beginning of the page. This header is used by Windows systems to identify executable files. Even if the MZ header is not present, the page may still contain executable code, so the malfind plugin displays the hexadecimal and ASCII representations of the data as well as the assembly language instructions that data would represent if it were intended as executable code. It is up to the human analyst to decide whether the data contained in the page is executable code or simply other types of data that would not be harmful to the system. Note that the malfind plugin only displays the first 64 bytes of each memory address it identifies. Malware authors may avoid putting an MZ header or obvious code at the beginning of the memory segment to avoid detection, so it may be necessary to dump the memory for further examination. This can be done by adding the --dump-dir=[directory] option to the malfind command to dump each memory segment that it finds out to disk for further analysis.
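As an added illustration, not Volatility's own code, here is the heuristic described above in Python: walk a process's memory regions, keep those that are writable and executable but have no backing file, and report whether the first bytes carry an MZ header or need manual review of the 64-byte hexdump that malfind prints. The Region fields and the sample regions are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Region:
    """One memory region (VAD) reduced to the fields the heuristic needs; constructed layout."""
    start: int
    end: int
    protection: str              # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]   # backing file on disk, None for private (anonymous) memory
    data: bytes = b""            # first bytes of the region as read from the dump


def is_write_exec(protection: str) -> bool:
    # Injected code must be writable (to place it) and executable (to run it).
    return "EXECUTE" in protection and "WRITE" in protection


def is_suspicious(region: Region) -> bool:
    """Writable+executable and not backed by a file on disk: the combination the text describes.
    A DLL mapped copy-on-write (PAGE_EXECUTE_WRITECOPY) has a backing file, so it is not flagged."""
    return is_write_exec(region.protection) and region.mapped_file is None


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Hex + ASCII view of at most the first 64 bytes, as malfind prints for each hit."""
    lines = []
    for off in range(0, min(len(data), 64), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:08x}  {hexpart:<{width * 3}} {asc}")
    return lines


def classify(region: Region) -> str:
    """How strong the hit is; a region without MZ still needs the analyst's review."""
    if not is_suspicious(region):
        return "not flagged"
    if region.data[:2] == b"MZ":
        return "MZ header: likely injected PE image"
    return "RWX private memory without MZ: review hexdump/disassembly"


def triage(regions: List[Region]) -> Dict[int, str]:
    """Map start address -> verdict for every region the heuristic flags."""
    return {r.start: classify(r) for r in regions if is_suspicious(r)}


# Constructed sample: a normally loaded DLL (file-backed, copy-on-write), a plain heap,
# an RWX private region starting with a PE header, and one holding code bytes with no header.
SAMPLE = [
    Region(0x7C900000, 0x7C9AF000, "PAGE_EXECUTE_WRITECOPY", "\\WINDOWS\\system32\\ntdll.dll"),
    Region(0x00150000, 0x0015F000, "PAGE_READWRITE", None, b"\x00" * 64),
    Region(0x01CB0000, 0x01CBF000, "PAGE_EXECUTE_READWRITE", None,
           b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48),
    Region(0x02A00000, 0x02A01000, "PAGE_EXECUTE_READWRITE", None, b"\x90" * 8 + b"\x00" * 56),
]

if __name__ == "__main__":
    for region in SAMPLE:
        verdict = classify(region)
        if verdict != "not flagged":
            print(f"0x{region.start:08x}-0x{region.end:08x} {region.protection}: {verdict}")
            for line in hexdump(region.data):
                print("   ", line)
```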


Registry Artifacts In Memory

Since many elements of the Windows registry are updated or frequently read by the operating system, it is common to capture registry key data in a RAM dump. The registry is commonly used by malware to configure system settings so that the infection persists. However, the difficulty in working with the registry lies in knowing where to look for evidence. The registry is spread across many data files (commonly known as registry hives) in various locations, and each serves a specific purpose with respect to system, application, and user configurations.

 

Volatility has a hivelist plugin to list registry hives, including their path on disk. There may also be a hive listed by Volatility as “[no name]”; it represents pointers to other hives and is normal.

 

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1bf6b60 0x0af3cb60 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1bb2b60 0x0accab60 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
0xe1a4db60 0x08b7cb60 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1991b60 0x07d9ab60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1844458 0x07741458 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe183e008 0x076b8008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1544b60 0x05c63b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe154db60 0x05c6fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe154d008 0x05c6f008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1544008 0x05c63008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13b5a40 0x02463a40 [no name]
0xe1018388 0x020bf388 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008b60 0x020c3b60 [no name]
```

The hivescan plugin displays the physical locations of available registry hives.

 

```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem hivescan
Volatility Foundation Volatility Framework 2.6
Offset(P)
----------
0x020bf388
0x020c3b60
0x02463a40
0x05c63008
0x05c63b60
0x05c6f008
0x05c6fb60
0x076b8008
0x07741458
0x07d9ab60
0x08b7cb60
0x0accab60
0x0af3cb60
```

Malware will often use autostart extensibility points (ASEPs): places in the registry or elsewhere that cause executable code to be launched automatically when a system starts, a user logs in, or another defined event occurs. Since many of these locations are in the registry, it may benefit your analysis to look at specific keys for evidence of malware. The printkey plugin provides the ability to view the subkeys, value names, and data stored within a registry key. The syntax for this plugin is:

 

```text
volatility_2.6_win64_standalone -f [dump_file] --profile=[profile] printkey -K "Path\To\Key"
```

 

where "Path\To\Key" represents the name (and optionally portions of the path) of the specific key that you want to examine. If the key name specified exists in multiple places, each instance will be printed.


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem printkey -K controlset001\services\malware
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: malware (S)
Last updated: 2011-10-10 17:03:55 UTC+0000

Subkeys:
  (S) Security
  (V) Enum

Values:
REG_DWORD     Type            : (S) 1
REG_EXPAND_SZ ImagePath       : (S) \??\C:\WINDOWS\system32\drivers\winsys32.sys
REG_SZ        DisplayName     : (S) malware2

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem printkey -K controlset001\Enum\Root\LEGACY_malware\0000
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: 0000 (S)
Last updated: 2011-10-10 17:03:55 UTC+0000

Subkeys:
  (V) Control

Values:
REG_SZ        Service         : (S) malware
REG_SZ        ClassGUID       : (S) {8ECC055D-047F-11D1-A537-0000F8753ED1}
REG_SZ        DeviceDesc      : (S) malware2
```

Information about executables that were previously present on the system can be gleaned from the shimcache and shellbags keys of the registry. The shimcache and shellbags plugins, respectively, parse and present this information.


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem shimcache
Volatility Foundation Volatility Framework 2.6
WARNING : volatility.debug    : No ShimCache data found

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem shellbags
ItemPos1024x768(1) mfc42ul.dll 2011-10-07 04:36:50 UTC+0000 2011-10-07 04:36:50 UTC+0000 2011-10-10 17:02:50 UTC+0000 ARC
000 2011-10-07 04:36:50 UTC+0000 2011-10-10 17:02:50 UTC+0000 ARC mfc42ul.dll
```

If needed, password hashes from the SAM hive can be dumped from memory for external password cracking. Volatility can obtain the system key from the SYSTEM hive and use it to extract the hashes from the SAM hive.


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem hashdump
```


Additional user password data may be recoverable from the LSA Secrets stored in the registry. Again, Volatility automates that extraction with the lsadump plugin, with the following syntax:


```text
D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem lsadump
```


Dumping Suspicious Processes, DLLs, and Drivers

Once sufficient evidence has been established indicating that suspicious or possibly malicious processes, DLLs, or drivers may be hiding in memory, they can be dumped for further analysis. Plugins of importance in this step include:

  • dlldump
  • moddump
  • procdump
  • memdump
  • malfind

 

The evidence thus far indicates that one malicious driver has been loaded and that a highly suspicious DLL has been found associated with PID 1956 (explorer.exe). PID 1956 was also found in the midst of a covert communication with an unknown remote system.


Based on the information gleaned from the dlllist plugin, there are fifteen instances of the suspicious DLL mfc42ul.dll. To dump all detected instances of the suspicious DLL, the dlldump plugin is run once per instance, supplying each PID and base address, as shown below:

```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem dlldump -p 184 -b 0x00390000 --dump-dir=dlldump
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem dlldump -p 192 -b 0x10000000 --dump-dir=dlldump
.....
```

Volatility's moddump plugin was designed to dump drivers from memory to disk. The start address of the suspicious driver, obtained from the drivers plugin, must be supplied as an argument. To dump the driver malware/winsys32.sys from the memory dump, the following command is used:


```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem moddump -b 0xf9eb4000 --dump-dir=moddump
```


The malfind plugin was designed to search for malware hidden through code injection. The physical memory address offset of the suspicious process must be supplied as an argument. To find and dump injected code associated with PID 1956 (explorer.exe), the following command is used:


```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem malfind -p 184 -o 0x015bcda0 --dump-dir=malfind
```


Finally, Volatility can produce a list of timestamped events, which is essential to any investigation. To produce this list, we use the timeliner plugin. The timeliner plugin helps investigators by providing a timeline of the events recorded in memory up to the point the image was acquired. It groups details by time and includes the process, PID, process offset, DLLs used, registry details, and other useful information.


```text
volatility_2.6_win64_standalone --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem timeliner
```


The output of the timeliner plugin can be very lengthy, but if we take the time to sift through it we can find useful timeline information relating to processes, users, programs, and other artifacts.

