Malware Threat Hunting With Volatility

 

With malware attacks growing continuously, memory forensics has become crucial: a memory image holds many forensic artifacts that traditional disk forensics cannot recover. Analyzing a memory dump from a victim's machine lets the investigator study the malware in detail and find the traces it left while running. Recent malware also uses stealthy techniques designed to go unnoticed by disk forensics: it executes exclusively from memory, or hides inside a legitimate process, to evade signature-based antivirus detection. Several recent studies report that the share of such attacks has grown sharply, and the trend is expected to continue, with advanced threats such as fileless malware becoming a major concern for organizations and security researchers alike. This post looks at memory forensics from the angle of designing an analysis approach that detects such advanced threats. It walks through a sample memory image infected by malware and lays out a generalized, step-by-step framework for analyzing a memory image for fileless malware attacks.

 

The Volatility Framework

The Volatility Framework is an open-source, cross-platform memory forensics and incident response framework. It ships with many plugins that extract a wealth of information from a snapshot of physical memory, also known as a memory dump. Beyond listing running and hidden processes, it is a very popular choice for malware analysis. The standalone build is recommended because it is fully self-contained: the Python runtime and the plugins are bundled, so there is nothing to gather or configure.


After identifying the Windows version (from the KDBG) and the KPCR, Volatility locates and parses dozens of other kernel structures inside the dump file. Plugins such as malfind then hunt for malicious activity using strong heuristics, or by comparing the results obtained from different structures. Typical structures parsed include:

  • _EPROCESS and _KPROCESS
  • _KTIMER
  • _ETHREAD and _KTHREAD
  • _CMHIVE
  • _LDR_DATA_TABLE_ENTRY
  • _KMUTANT

 

Volatility Plugins

Volatility automates memory dump processing through a set of tools called plugins. Running the executable with the -h option prints the global options and the list of registered plugins (--info additionally lists the supported profiles), as shown below:



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -h
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                        separated)
  --info                Print information about all registered objects
  --cache-directory=C:\Users\JOSEPH/.cache\volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

        Supported Plugin Commands:

                amcache         Print AmCache information
                apihooks        Detect API hooks in process and kernel memory
                atoms           Print session and window station atom tables
                atomscan        Pool scanner for atom tables
                auditpol        Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
                bigpools        Dump the big page pools using BigPagePoolScanner
                bioskbd         Reads the keyboard buffer from Real Mode memory
                cachedump       Dumps cached domain hashes from memory
                callbacks       Print system-wide notification routines
                clipboard       Extract the contents of the windows clipboard
                cmdline         Display process command-line arguments
                cmdscan         Extract command history by scanning for _COMMAND_HISTORY
                connections     Print list of open connections [Windows XP and 2003 Only]
                connscan        Pool scanner for tcp connections
                consoles        Extract command history by scanning for _CONSOLE_INFORMATION
                crashinfo       Dump crash-dump information
                deskscan        Poolscaner for tagDESKTOP (desktops)
                devicetree      Show device tree
                dlldump         Dump DLLs from a process address space
                dlllist         Print list of loaded dlls for each process
                driverirp       Driver IRP hook detection
                drivermodule    Associate driver objects to kernel modules
                driverscan      Pool scanner for driver objects
                dumpcerts       Dump RSA private and public SSL keys
                dumpfiles       Extract memory mapped and cached files
                dumpregistry    Dumps registry files out to disk
                editbox         Displays information about Edit controls. (Listbox experimental.)
                envars          Display process environment variables
                eventhooks      Print details on windows event hooks
                evtlogs         Extract Windows Event Logs (XP/2003 only)
                filescan        Pool scanner for file objects
                gahti           Dump the USER handle type information
                gditimers       Print installed GDI timers and callbacks
                gdt             Display Global Descriptor Table
                getservicesids  Get the names of services in the Registry and return Calculated SID
                getsids         Print the SIDs owning each process
                handles         Print list of open handles for each process
                hashdump        Dumps passwords hashes (LM/NTLM) from memory
                hibinfo         Dump hibernation file information
                hivedump        Prints out a hive
                hivelist        Print list of registry hives.
                hivescan        Pool scanner for registry hives
                hpakextract     Extract physical memory from an HPAK file
                hpakinfo        Info on an HPAK file
                idt             Display Interrupt Descriptor Table
                iehistory       Reconstruct Internet Explorer cache / history
                imagecopy       Copies a physical address space out as a raw DD image
                imageinfo       Identify information for the image
                impscan         Scan for calls to imported functions
                joblinks        Print process job link information
                kdbgscan        Search for and dump potential KDBG values
                kpcrscan        Search for and dump potential KPCR values
                ldrmodules      Detect unlinked DLLs
                lsadump         Dump (decrypted) LSA secrets from the registry
                machoinfo       Dump Mach-O file format information
                malfind         Find hidden and injected code
                mbrparser       Scans for and parses potential Master Boot Records (MBRs)
                memdump         Dump the addressable memory for a process
                memmap          Print the memory map
                messagehooks    List desktop and thread window message hooks
                mftparser       Scans for and parses potential MFT entries
                moddump         Dump a kernel driver to an executable file sample
                modscan         Pool scanner for kernel modules
                modules         Print list of loaded modules
                multiscan       Scan for various objects at once
                mutantscan      Pool scanner for mutex objects
                notepad         List currently displayed notepad text
                objtypescan     Scan for Windows object type objects
                patcher         Patches memory based on page scans
                poolpeek        Configurable pool scanner plugin
                printkey        Print a registry key, and its subkeys and values
                privs           Display process privileges
                procdump        Dump a process to an executable file sample
                pslist          Print all running processes by following the EPROCESS lists
                psscan          Pool scanner for process objects
                pstree          Print process list as a tree
                psxview         Find hidden processes with various process listings
                qemuinfo        Dump Qemu information
                raw2dmp         Converts a physical memory sample to a windbg crash dump
                screenshot      Save a pseudo-screenshot based on GDI windows
                servicediff     List Windows services (ala Plugx)
                sessions        List details on _MM_SESSION_SPACE (user logon sessions)
                shellbags       Prints ShellBags info
                shimcache       Parses the Application Compatibility Shim Cache registry key
                shutdowntime    Print ShutdownTime of machine from registry
                sockets         Print list of open sockets
                sockscan        Pool scanner for tcp socket objects
                ssdt            Display SSDT entries
                strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
                svcscan         Scan for Windows services
                symlinkscan     Pool scanner for symlink objects
                thrdscan        Pool scanner for thread objects
                threads         Investigate _ETHREAD and _KTHREADs
                timeliner       Creates a timeline from various artifacts in memory
                timers          Print kernel timers and associated module DPCs
                truecryptmaster Recover TrueCrypt 7.1a Master Keys
                truecryptpassphrase     TrueCrypt Cached Passphrase Finder
                truecryptsummary        TrueCrypt Summary
                unloadedmodules Print list of unloaded modules
                userassist      Print userassist registry keys and information
                userhandles     Dump the USER handle tables
                vaddump         Dumps out the vad sections to a file
                vadinfo         Dump the VAD info
                vadtree         Walk the VAD tree and display in tree format
                vadwalk         Walk the VAD tree
                vboxinfo        Dump virtualbox information
                verinfo         Prints out the version information from PE images
                vmwareinfo      Dump VMware VMSS/VMSN information
                volshell        Shell in the memory image
                windows         Print Desktop Windows (verbose details)
                wintree         Print Z-Order Desktop Windows Tree
                wndscan         Pool scanner for window stations
                yarascan        Scan process or kernel memory with Yara signatures

Methodology For Threat Hunting Using Volatility

Having introduced volatility plugins, I will now outline the methodology for hunting malware with volatility and the plugins of relevance in each step.


Identify Rogue Processes

  • pslist
  • psscan
  • pstree
  • psxview


Analyze Process DLLs and Handles

  • dlllist
  • cmdline
  • getsids
  • handles
  • filescan
  • mutantscan
  • svcscan
  • cmdscan
  • consoles


Review Network Artifacts

  • connections
  • connscan
  • sockets
  • sockscan
  • netscan


Look For Evidence of Code Injection

  • malfind
  • ldrmodules


Check For Signs of A Rootkit

  • ssdt
  • psxview
  • modscan
  • apihooks
  • driverirp
  • idt


Dump Suspicious Process and Drivers

  • dlldump
  • moddump
  • procdump
  • memdump
  • malfind


Selecting A Profile

Every operating system keeps its internal structures in RAM, but where those structures live and how they are laid out depends on the operating system version. In Volatility 2.x we must therefore choose a profile that identifies the operating system, service pack and architecture; the profile tells Volatility where to find the structures that hold the artifacts and information we are after. The imageinfo plugin suggests a profile.


The imageinfo plugin identifies the Windows version, the service pack and the system architecture by locating the KDBG (Kernel Debugger Data Block) within the memory image.

 


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f D:\Memdump\0zapftis.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\Memdump\0zapftis.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-10-10 17:06:54 UTC+0000
     Image local date and time : 2011-10-10 13:06:54 -0400


The imageinfo output suggests two profiles, WinXPSP2x86 and WinXPSP3x86, and instantiates the first. The profile name breaks down as:

  • WinXP - Windows XP
  • SP2/SP3: Service Pack 2/Service Pack 3
  • x86 - 32-bit Architecture

 

The image type (service pack) is reported as 2, indicating a 32-bit (x86) Windows XP Service Pack 2 system, so WinXPSP2x86 is the profile we will pass to every plugin for this case:


Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-10-10 17:06:54 UTC+0000
     Image local date and time : 2011-10-10 13:06:54 -0400

 

To confirm the choice, the kdbgscan plugin scans for every KDBG structure in the image and, for each hit, makes a profile suggestion based on the KDBG header. It also reports the service pack stored by the kernel in CmNtCSDVersion and the kernel's build string, which settle the SP2-versus-SP3 question. Because the profile tells Volatility the layout of the kernel objects it expects to find in the dump, getting it right is an essential first step for all further analysis.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f D:\Memdump\0zapftis.vmem kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80544ce0
Offset (P)                    : 0x544ce0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x80544cb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 2600.xpsp_sp2_rtm.040803-2158
PsActiveProcessHead           : 0x80559258 (22 processes)
PsLoadedModuleList            : 0x805531a0 (120 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80544ce0
Offset (P)                    : 0x544ce0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64                     : 0x80544cb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 2600.xpsp_sp2_rtm.040803-2158
PsActiveProcessHead           : 0x80559258 (22 processes)
PsLoadedModuleList            : 0x805531a0 (120 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)      


Both hits describe the same KDBG (virtual offset 0x80544ce0, 22 processes, 120 modules); the header-based suggestions differ (WinXPSP3x86 and WinXPSP2x86), but CmNtCSDVersion reports service pack 2 and the build string is 2600.xpsp_sp2_rtm, so WinXPSP2x86 is the correct profile. With the profile settled, we can proceed with the Volatility plugins for the analysis of the memory image.
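As an added example (not part of the original post or of Volatility), the following Python script applies the reasoning above to kdbgscan output automatically: it rejects a candidate whose owner-tag or MZ check failed, or whose profile name disagrees with the service pack the kernel itself stores in CmNtCSDVersion, and confirms that all hits describe the same KDBG. The embedded input is a constructed, abridged copy of the kdbgscan output above; to use it on your own case, read the saved kdbgscan output into choose_profile().

```python
"""Sanity-check kdbgscan output before committing to a --profile.
Added example for this post; not part of Volatility."""
import re
from typing import Dict, List, Optional

# Constructed sample input: abridged copy of the kdbgscan output shown above.
KDBGSCAN_OUTPUT = """\
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80544ce0
Offset (P)                    : 0x544ce0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 2600.xpsp_sp2_rtm.040803-2158
PsActiveProcessHead           : 0x80559258 (22 processes)
PsLoadedModuleList            : 0x805531a0 (120 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)

**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80544ce0
Offset (P)                    : 0x544ce0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 2600.xpsp_sp2_rtm.040803-2158
PsActiveProcessHead           : 0x80559258 (22 processes)
PsLoadedModuleList            : 0x805531a0 (120 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
"""


def parse_kdbgscan(text: str) -> List[Dict[str, str]]:
    """One dict of 'field: value' pairs per KDBG candidate block."""
    candidates = []
    for chunk in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = re.match(r"^(.*?)\s*:\s*(.*?)\s*$", line)
            if m and m.group(1):
                fields[m.group(1)] = m.group(2)
        if "Profile suggestion (KDBGHeader)" in fields:
            candidates.append(fields)
    return candidates


def service_pack_in_name(profile: str) -> Optional[int]:
    """SP number encoded in a profile name (WinXPSP3x86 -> 3); None when the
    name carries no SP (newer profiles such as Win10x64_17134 use a build)."""
    m = re.search(r"SP(\d+)", profile)
    return int(m.group(1)) if m else None


def evaluate(fields: Dict[str, str]) -> List[str]:
    """Reasons to reject this candidate; an empty list means it is consistent."""
    reasons = []
    if fields.get("KDBG owner tag check") != "True":
        reasons.append("KDBG owner tag check failed")
    if "Matches MZ: True" not in fields.get("KernelBase", ""):
        reasons.append("KernelBase does not point at a PE (MZ) header")
    # The header-based suggestion can be off by a service pack; the value the
    # kernel itself stores in CmNtCSDVersion is authoritative for the SP.
    csd = fields.get("Service Pack (CmNtCSDVersion)", "")
    sp = service_pack_in_name(fields["Profile suggestion (KDBGHeader)"])
    if csd.isdigit() and sp is not None and int(csd) != sp:
        reasons.append("profile name says SP%d but CmNtCSDVersion says SP%s" % (sp, csd))
    return reasons


def choose_profile(text: str) -> Dict[str, object]:
    candidates = parse_kdbgscan(text)
    accepted: List[str] = []
    rejected: Dict[str, List[str]] = {}
    for fields in candidates:
        name = fields["Profile suggestion (KDBGHeader)"]
        reasons = evaluate(fields)
        if reasons:
            rejected[name] = reasons
        else:
            accepted.append(name)
    # Hits that agree on offset and on the process/module counts are one KDBG
    # interpreted with different profiles; disagreement means the scan found
    # more than one block and the image deserves a closer look.
    same_kdbg = len({(f.get("Offset (V)"), f.get("PsActiveProcessHead"),
                      f.get("PsLoadedModuleList")) for f in candidates}) == 1
    return {"profile": accepted[0] if len(set(accepted)) == 1 else None,
            "accepted": accepted, "rejected": rejected, "same_kdbg": same_kdbg}


if __name__ == "__main__":
    result = choose_profile(KDBGSCAN_OUTPUT)
    print("use --profile=%s" % result["profile"])
    for name, why in result["rejected"].items():
        print("rejected %s: %s" % (name, "; ".join(why)))
```

If choose_profile() returns None for "profile", either every candidate was rejected or two different profiles survived; in both cases fall back to trying the plugins with each surviving profile and forcing one with --kdbg and --profile rather than trusting the first suggestion.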


Analysis of Running Processes

In Windows, processes are represented by an executive object in the kernel of the operating system called an _EPROCESS.  Volatility uses a variety of methods to find and examine these objects.


On Windows systems, the kernel tracks the currently active processes using a doubly linked list.  Each running process is found in this list, and therefore most standard Windows calls to list processes accomplish this by walking this list and printing each process found in it.  Some malware will attempt to hide by delinking its process from this list, causing most tools on a live system to fail to detect the unlinked malware process.  When working with a memory dump, different approaches can be taken to locate processes.  For example, each process has a fixed format header that contains a key or tag of “Proc” on Windows systems.  By searching through the memory in a RAM dump looking for the known structure of a process object’s tag and other attributes, Volatility can detect processes that are not linked in the standard doubly linked process list.  By using and comparing different methods of identifying processes, an examiner can identify processes that were attempting to hide their presence. 


One of the easiest ways to get a list of processes that were running at the time a RAM dump was made is to use the pslist plugin.



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit         
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x819cc830 System                    4      0     55      162 ------      0                                             
0x81945020 smss.exe                536      4      3       21 ------      0 2011-10-10 17:03:56 UTC+0000                
0x816c6020 csrss.exe               608    536     11      355      0      0 2011-10-10 17:03:58 UTC+0000                
0x813a9020 winlogon.exe            632    536     24      533      0      0 2011-10-10 17:03:58 UTC+0000                
0x816da020 services.exe            676    632     16      261      0      0 2011-10-10 17:03:58 UTC+0000                
0x813c4020 lsass.exe               688    632     23      336      0      0 2011-10-10 17:03:58 UTC+0000                
0x81772ca8 vmacthlp.exe            832    676      1       24      0      0 2011-10-10 17:03:59 UTC+0000                
0x8167e9d0 svchost.exe             848    676     20      194      0      0 2011-10-10 17:03:59 UTC+0000                
0x817757f0 svchost.exe             916    676      9      217      0      0 2011-10-10 17:03:59 UTC+0000                
0x816c6da0 svchost.exe             964    676     63     1058      0      0 2011-10-10 17:03:59 UTC+0000                
0x815daca8 svchost.exe            1020    676      5       58      0      0 2011-10-10 17:03:59 UTC+0000                
0x813aeda0 svchost.exe            1148    676     12      187      0      0 2011-10-10 17:04:00 UTC+0000                
0x817937e0 spoolsv.exe            1260    676     13      140      0      0 2011-10-10 17:04:00 UTC+0000                
0x81754990 VMwareService.e        1444    676      3      145      0      0 2011-10-10 17:04:00 UTC+0000                
0x8136c5a0 alg.exe                1616    676      7       99      0      0 2011-10-10 17:04:01 UTC+0000                
0x815c4da0 wscntfy.exe            1920    964      1       27      0      0 2011-10-10 17:04:39 UTC+0000                
0x813bcda0 explorer.exe           1956   1884     18      322      0      0 2011-10-10 17:04:39 UTC+0000                
0x816d63d0 VMwareTray.exe          184   1956      1       28      0      0 2011-10-10 17:04:41 UTC+0000                
0x8180b478 VMwareUser.exe          192   1956      6       83      0      0 2011-10-10 17:04:41 UTC+0000                
0x818233c8 reader_sl.exe           228   1956      2       26      0      0 2011-10-10 17:04:41 UTC+0000                
0x815e7be0 wuauclt.exe             400    964      8      173      0      0 2011-10-10 17:04:46 UTC+0000                
0x817a34b0 cmd.exe                 544   1956      1       30      0      0 2011-10-10 17:06:42 UTC+0000 

The pslist plugin walks the doubly linked list of _EPROCESS structures (anchored at PsActiveProcessHead), just as most process-listing commands on the live system do. It therefore provides a useful baseline of what a command like tasklist would have shown while the system was running, but it cannot reveal processes that hid by unlinking themselves from the list, nor processes that had already terminated and been removed from it before the dump was captured. It reports virtual addresses (Offset(V)). This should always be the first process-listing plugin you run in Volatility.

 

The important columns are the process ID, the parent process ID and the timestamps. If a process name is unfamiliar, a quick web search usually identifies it. It also pays to know the normal Windows start-up processes, their expected parents and their expected counts, so that unusual or suspect processes stand out. I would refer the reader to a popular SANS poster that treats this subject extensively. Richard Davis of 13Cubed made the SANS poster easier to comprehend with his own version, which can be downloaded here. These two are my reference materials when analyzing Windows process relationships.

 

Looking at the result above, nothing appears out of the ordinary. alg.exe (the Application Layer Gateway service) is present; malware sometimes adopts this name, but as a lone indicator it is not sufficient to warrant further investigation at this point, because alg.exe is a legitimate Windows XP process normally started by services.exe, which is exactly what we see here (PID 1616, PPID 676).

 

To see the processes in parent-child form, let's arrange them in a more structured way using the pstree plugin.



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x819cc830:System                                      4      0     55    162 1970-01-01 00:00:00 UTC+0000
. 0x81945020:smss.exe                                 536      4      3     21 2011-10-10 17:03:56 UTC+0000
.. 0x816c6020:csrss.exe                               608    536     11    355 2011-10-10 17:03:58 UTC+0000
.. 0x813a9020:winlogon.exe                            632    536     24    533 2011-10-10 17:03:58 UTC+0000
... 0x816da020:services.exe                           676    632     16    261 2011-10-10 17:03:58 UTC+0000
.... 0x817757f0:svchost.exe                           916    676      9    217 2011-10-10 17:03:59 UTC+0000
.... 0x81772ca8:vmacthlp.exe                          832    676      1     24 2011-10-10 17:03:59 UTC+0000
.... 0x816c6da0:svchost.exe                           964    676     63   1058 2011-10-10 17:03:59 UTC+0000
..... 0x815c4da0:wscntfy.exe                         1920    964      1     27 2011-10-10 17:04:39 UTC+0000
..... 0x815e7be0:wuauclt.exe                          400    964      8    173 2011-10-10 17:04:46 UTC+0000
.... 0x8167e9d0:svchost.exe                           848    676     20    194 2011-10-10 17:03:59 UTC+0000
.... 0x81754990:VMwareService.e                      1444    676      3    145 2011-10-10 17:04:00 UTC+0000
.... 0x8136c5a0:alg.exe                              1616    676      7     99 2011-10-10 17:04:01 UTC+0000
.... 0x813aeda0:svchost.exe                          1148    676     12    187 2011-10-10 17:04:00 UTC+0000
.... 0x817937e0:spoolsv.exe                          1260    676     13    140 2011-10-10 17:04:00 UTC+0000
.... 0x815daca8:svchost.exe                          1020    676      5     58 2011-10-10 17:03:59 UTC+0000
... 0x813c4020:lsass.exe                              688    632     23    336 2011-10-10 17:03:58 UTC+0000
 0x813bcda0:explorer.exe                             1956   1884     18    322 2011-10-10 17:04:39 UTC+0000
. 0x8180b478:VMwareUser.exe                           192   1956      6     83 2011-10-10 17:04:41 UTC+0000
. 0x817a34b0:cmd.exe                                  544   1956      1     30 2011-10-10 17:06:42 UTC+0000
. 0x816d63d0:VMwareTray.exe                           184   1956      1     28 2011-10-10 17:04:41 UTC+0000
. 0x818233c8:reader_sl.exe                            228   1956      2     26 2011-10-10 17:04:41 UTC+0000

The pstree plugin will display a list of processes in a tree format to show which process spawned other processes and make their parent/child relationship clearer.  

 

Parent processes appear at the top of each branch and their children are indented below them, each dot marking one level of depth. The output contains the same processes as pslist, but the indentation makes the parent/child relationships visible. System, which has PID 4 on Windows XP and later, is the root of the kernel-side tree. explorer.exe appears as a separate root because its parent (PID 1884) is no longer in the list: on XP the shell is normally launched by userinit.exe, which exits afterwards, so an orphaned explorer.exe is expected and not a finding.


However, pstree is built by walking the same doubly linked list, and therefore suffers from the same limitations as pslist. It is still a useful command to run, because an unexpected parent-child pair (for example an svchost.exe not spawned by services.exe, or a second lsass.exe) is one of the quickest indicators of a rogue process.
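The relationships the tree lets you eyeball can also be checked mechanically. The Python below is an added example (not from the original post or from Volatility): it parses pslist output and compares each core Windows XP process against its expected parent and expected instance count, treating a parent that has already exited as a finding only for processes that should never be orphaned. The embedded sample is a copy of the pslist output above; the extra lsass.exe row is constructed to show what a hit looks like, and the parent table encodes the XP boot chain described above rather than anything read from the image.

```python
"""Check pslist output against the normal Windows XP parent/child relationships.
Added example for this post; not part of Volatility."""
from collections import defaultdict
from typing import List, NamedTuple


class Proc(NamedTuple):
    offset: str
    name: str
    pid: int
    ppid: int


# Constructed sample input: copy of the pslist output shown above.
SAMPLE_PSLIST = """\
0x819cc830 System                    4      0     55      162 ------      0
0x81945020 smss.exe                536      4      3       21 ------      0 2011-10-10 17:03:56 UTC+0000
0x816c6020 csrss.exe               608    536     11      355      0      0 2011-10-10 17:03:58 UTC+0000
0x813a9020 winlogon.exe            632    536     24      533      0      0 2011-10-10 17:03:58 UTC+0000
0x816da020 services.exe            676    632     16      261      0      0 2011-10-10 17:03:58 UTC+0000
0x813c4020 lsass.exe               688    632     23      336      0      0 2011-10-10 17:03:58 UTC+0000
0x81772ca8 vmacthlp.exe            832    676      1       24      0      0 2011-10-10 17:03:59 UTC+0000
0x8167e9d0 svchost.exe             848    676     20      194      0      0 2011-10-10 17:03:59 UTC+0000
0x817757f0 svchost.exe             916    676      9      217      0      0 2011-10-10 17:03:59 UTC+0000
0x816c6da0 svchost.exe             964    676     63     1058      0      0 2011-10-10 17:03:59 UTC+0000
0x815daca8 svchost.exe            1020    676      5       58      0      0 2011-10-10 17:03:59 UTC+0000
0x813aeda0 svchost.exe            1148    676     12      187      0      0 2011-10-10 17:04:00 UTC+0000
0x817937e0 spoolsv.exe            1260    676     13      140      0      0 2011-10-10 17:04:00 UTC+0000
0x81754990 VMwareService.e        1444    676      3      145      0      0 2011-10-10 17:04:00 UTC+0000
0x8136c5a0 alg.exe                1616    676      7       99      0      0 2011-10-10 17:04:01 UTC+0000
0x815c4da0 wscntfy.exe            1920    964      1       27      0      0 2011-10-10 17:04:39 UTC+0000
0x813bcda0 explorer.exe           1956   1884     18      322      0      0 2011-10-10 17:04:39 UTC+0000
0x816d63d0 VMwareTray.exe          184   1956      1       28      0      0 2011-10-10 17:04:41 UTC+0000
0x8180b478 VMwareUser.exe          192   1956      6       83      0      0 2011-10-10 17:04:41 UTC+0000
0x818233c8 reader_sl.exe           228   1956      2       26      0      0 2011-10-10 17:04:41 UTC+0000
0x815e7be0 wuauclt.exe             400    964      8      173      0      0 2011-10-10 17:04:46 UTC+0000
0x817a34b0 cmd.exe                 544   1956      1       30      0      0 2011-10-10 17:06:42 UTC+0000
"""

# Constructed rogue row: a second lsass.exe started by explorer.exe.
ROGUE_ROW = "0x81700000 lsass.exe              1337   1956      2       40      0      0 2011-10-10 17:06:50 UTC+0000"

# Normal parents on Windows XP (System -> smss -> csrss/winlogon ->
# services/lsass -> svchost/spoolsv/alg). Names are compared lower-case.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
    "spoolsv.exe": "services.exe",
    "alg.exe": "services.exe",
}
# Exactly one instance of each is expected on a single-session XP machine.
SINGLETONS = {"system", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_pslist(text: str) -> List[Proc]:
    """Data rows start with a hex offset; header and separator lines do not."""
    procs = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0].startswith("0x") and t[2].isdigit() and t[3].isdigit():
            procs.append(Proc(t[0], t[1].lower(), int(t[2]), int(t[3])))
    return procs


def check_process_tree(text: str) -> List[str]:
    """Findings prefixed SUSPICIOUS (needs a look) or info (explained by normal behaviour)."""
    procs = parse_pslist(text)
    by_pid = {p.pid: p for p in procs}
    count = defaultdict(int)
    findings = []
    for p in procs:
        count[p.name] += 1
        if p.ppid == 0:
            continue  # System is the root of the tree and has no parent
        expected = EXPECTED_PARENT.get(p.name)
        parent = by_pid.get(p.ppid)
        if parent is None:
            # A missing parent is normal for explorer.exe (userinit.exe exits
            # after starting the shell) but not for a core system process.
            level = "SUSPICIOUS" if expected else "info"
            findings.append("%s: %s (PID %d) has no live parent (PPID %d)" % (level, p.name, p.pid, p.ppid))
        elif expected and parent.name != expected:
            findings.append("SUSPICIOUS: %s (PID %d) spawned by %s (PID %d), expected %s"
                            % (p.name, p.pid, parent.name, parent.pid, expected))
    for name in sorted(SINGLETONS):
        if count[name] > 1:
            findings.append("SUSPICIOUS: %d instances of %s, expected one" % (count[name], name))
    return findings


if __name__ == "__main__":
    for finding in check_process_tree(SAMPLE_PSLIST + "\n" + ROGUE_ROW):
        print(finding)
```

On the clean pslist output the only finding is the informational one about explorer.exe; adding the constructed lsass.exe row produces two SUSPICIOUS findings (wrong parent and a duplicate singleton). Names are compared as printed by pslist, so a lookalike such as "lsas.exe" or "svch0st.exe" will not match a rule; treat any core-process name that is absent from the table as its own finding.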


As mentioned earlier, Volatility is not constrained to only using the doubly linked process list to identify allocated processes.  The memory dump can be scanned for known signatures of process objects, and anything that matches that pattern can be displayed.  This is an extremely helpful method to find processes that have been delinked from the process list to avoid detection.  Since it does not rely on the doubly linked process list, it can also uncover information about processes that were running previously but terminated before the dump was captured.  A process scan can be run with the following command:



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                 
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000156c5a0 alg.exe            1616    676 0x05e001e0 2011-10-10 17:04:01 UTC+0000                               
0x00000000015a9020 winlogon.exe        632    536 0x05e00060 2011-10-10 17:03:58 UTC+0000                               
0x00000000015aeda0 svchost.exe        1148    676 0x05e00180 2011-10-10 17:04:00 UTC+0000                               
0x00000000015bcda0 explorer.exe       1956   1884 0x05e00220 2011-10-10 17:04:39 UTC+0000                               
0x00000000015c4020 lsass.exe           688    632 0x05e000a0 2011-10-10 17:03:58 UTC+0000                               
0x00000000017c4da0 wscntfy.exe        1920    964 0x05e00240 2011-10-10 17:04:39 UTC+0000                               
0x00000000017daca8 svchost.exe        1020    676 0x05e00140 2011-10-10 17:03:59 UTC+0000                               
0x00000000017e7be0 wuauclt.exe         400    964 0x05e002c0 2011-10-10 17:04:46 UTC+0000                               
0x000000000187e9d0 svchost.exe         848    676 0x05e000e0 2011-10-10 17:03:59 UTC+0000                               
0x00000000018c6020 csrss.exe           608    536 0x05e00040 2011-10-10 17:03:58 UTC+0000                               
0x00000000018c6da0 svchost.exe         964    676 0x05e00120 2011-10-10 17:03:59 UTC+0000                               
0x00000000018d63d0 VMwareTray.exe      184   1956 0x05e00160 2011-10-10 17:04:41 UTC+0000                               
0x00000000018da020 services.exe        676    632 0x05e00080 2011-10-10 17:03:58 UTC+0000                               
0x0000000001954990 VMwareService.e    1444    676 0x05e001c0 2011-10-10 17:04:00 UTC+0000                               
0x0000000001972ca8 vmacthlp.exe        832    676 0x05e000c0 2011-10-10 17:03:59 UTC+0000                               
0x00000000019757f0 svchost.exe         916    676 0x05e00100 2011-10-10 17:03:59 UTC+0000                               
0x00000000019937e0 spoolsv.exe        1260    676 0x05e001a0 2011-10-10 17:04:00 UTC+0000                               
0x00000000019a34b0 cmd.exe             544   1956 0x05e00200 2011-10-10 17:06:42 UTC+0000                               
0x0000000001a0b478 VMwareUser.exe      192   1956 0x05e00260 2011-10-10 17:04:41 UTC+0000                               
0x0000000001a233c8 reader_sl.exe       228   1956 0x05e00280 2011-10-10 17:04:41 UTC+0000                               
0x0000000001b45020 smss.exe            536      4 0x05e00020 2011-10-10 17:03:56 UTC+0000                               
0x0000000001bcc830 System                4      0 0x00319000                                                            

 

Again, nothing appears particularly conspicuous: psscan returns the same 22 processes as pslist (matching the 22 reported by kdbgscan), and no entry carries a Time exited value, so there are no terminated or unlinked processes to chase.


The psscan plugin works on physical addresses (Offset(P)) and scans the image for _EPROCESS pool allocations, whereas pslist works on virtual addresses and follows the list pointers. The output of psscan does not provide the hierarchical parent/child view that pstree does. To get a similar effect, you can write the psscan results as a Graphviz dot file and render it; this is both a useful investigative approach and a source of graphs for the report. The following command does that:

 

volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem psscan --output=dot --output-file=processes.dot

 

This command writes the process list in dot format. To convert it to an image format such as JPEG, use the Graphviz dot command:


dot -Tjpg processes.dot > processes.jpg

 

It is usually recommended in the forensic community to compare the results of the psscan and pslist plugins. For this task, shell-based text processing is very useful. With the output of each plugin saved to a text file, the following command prints the name/PID pairs that appear in only one of the two outputs (pairs present in both are counted twice and filtered out):


cat pslist.txt psscan.txt | awk '{print $2"\t"$3}' | sort | uniq -c | grep -v "  2"

 

There are many structures within a Windows system that need to track running processes.  While the doubly linked process list is the most commonly used method for enumerating running processes, it is also the most likely to be targeted by processes that are attempting to evade detection.  As a result, comparing the results of the doubly linked list to other structures within the operating system and other methods of detecting processes can help detect processes that are maliciously hiding their presence.  For such cross-comparative analysis, use the psxview plugin.



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem psxview
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x015a9020 winlogon.exe            632 True   True   True     True   True  True    True
0x018da020 services.exe            676 True   True   True     True   True  True    True
0x0156c5a0 alg.exe                1616 True   True   True     True   True  True    True
0x018d63d0 VMwareTray.exe          184 True   True   True     True   True  True    True
0x019757f0 svchost.exe             916 True   True   True     True   True  True    True
0x015c4020 lsass.exe               688 True   True   True     True   True  True    True
0x01972ca8 vmacthlp.exe            832 True   True   True     True   True  True    True
0x019a34b0 cmd.exe                 544 True   True   True     True   True  True    True
0x0187e9d0 svchost.exe             848 True   True   True     True   True  True    True
0x017daca8 svchost.exe            1020 True   True   True     True   True  True    True
0x01954990 VMwareService.e        1444 True   True   True     True   True  True    True
0x018c6da0 svchost.exe             964 True   True   True     True   True  True    True
0x01a233c8 reader_sl.exe           228 True   True   True     True   True  True    True
0x017e7be0 wuauclt.exe             400 True   True   True     True   True  True    True
0x019937e0 spoolsv.exe            1260 True   True   True     True   True  True    True
0x015bcda0 explorer.exe           1956 True   True   True     True   True  True    True
0x017c4da0 wscntfy.exe            1920 True   True   True     True   True  True    True
0x01a0b478 VMwareUser.exe          192 True   True   True     True   True  True    True
0x015aeda0 svchost.exe            1148 True   True   True     True   True  True    True
0x01bcc830 System                    4 True   True   True     True   False False   False
0x01b45020 smss.exe                536 True   True   True     True   False False   False
0x018c6020 csrss.exe               608 True   True   True     True   False True    True


For a process to be considered hidden, it should, at a minimum, be invisible to one of the non-csrss detection methods; it may also be undetectable by the other detection methods. However, if a process is not seen by the pslist plugin, then the process is without a doubt hidden.


Although some processes may be listed as hidden by the csrss method, they generally are not hidden. Therefore any process marked as hidden (False) by this method requires that another method (pslist, psscan, thrdproc or pspcid) confirm the suspicion. On Windows 7 and Vista systems the list of internal processes is not available, and in some cases on Windows XP the required memory pages might have been swapped out, so the outcome of the csrss method may be affected.


The psxview plugin uses multiple methods for detecting processes and displays which processes are and are not detected with each method.  This comparison can help detect processes that are maliciously trying to avoid detection.  Some methods will not detect certain processes, such as those that were started before the object upon which the detection method relies, or processes that have terminated not being detected by methods that only track running processes.  To help account for these expected variations, the command


volatility_2.6_win64_standalone -f D:\Memdump\0zapftis.vmem --profile=WinXPSP2x86 --apply-rules psxview


will show True when a method detects the process, False when the method does not detect the process, and Okay when the process is expectedly absent due to a known limitation of the method being used.  Keep in mind that only the psscan method will detect terminated processes.
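The pslist/psscan comparison and the psxview rules described above can be automated over the plugins' text output. The following script is an added example, not code from the original post or from Volatility; it parses constructed excerpts of pslist, psscan and psxview output (rows copied from this page plus two constructed rows, sample.exe and svc.exe, that exercise the verdicts) and applies the rules stated in the text: absent from pslist means hidden, a miss in the csrss/session/deskthrd views is expected for System, smss.exe and csrss.exe, and a csrss-only miss elsewhere needs corroboration.

```python
"""Cross-view process detection over Volatility 2 text output (added example)."""
import re

PSXVIEW_METHODS = ["pslist", "psscan", "thrdproc", "pspcid",
                   "csrss", "session", "deskthrd"]
# Processes that start before csrss.exe (and csrss itself) are legitimately
# missing from the csrss, session and deskthrd views, as the post's output shows.
PRE_CSRSS = {"System", "smss.exe", "csrss.exe"}
LATE_METHODS = {"csrss", "session", "deskthrd"}

# Constructed sample: header and three rows from the post's psxview output,
# followed by two constructed rows (sample.exe, svc.exe) for the other verdicts.
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x015a9020 winlogon.exe            632 True   True   True     True   True  True    True
0x01bcc830 System                    4 True   True   True     True   False False   False
0x018c6020 csrss.exe               608 True   True   True     True   False True    True
0x01aaaaaa sample.exe             1337 False  True   True     True   False False   False
0x01bbbbbb svc.exe                2222 True   True   True     True   False True    True
"""

# Constructed pslist/psscan excerpts; psscan carries one pair that pslist lacks.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x81bcc830 System                    4      0       55      244 ------      0
0x819a34b0 cmd.exe                 544   1956        1       32      0      0 2011-10-10 17:06:42 UTC+0000
"""
SAMPLE_PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created
0x0000000001bcc830 System                4      0 0x00319000
0x00000000019a34b0 cmd.exe             544   1956 0x05e00200 2011-10-10 17:06:42 UTC+0000
0x0000000001aaaaaa sample.exe         1337   1956 0x05e00300 2011-10-10 17:07:00 UTC+0000
"""


def parse_process_rows(text):
    """Return {(name, pid)} from pslist or psscan rows (offset, name, pid, ppid ...)."""
    rows = set()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+\d+", line, re.I)
        if m:
            rows.add((m.group(1), int(m.group(2))))
    return rows


def diff_process_lists(pslist_text, psscan_text):
    """Same result as the awk/sort/uniq pipeline: pairs seen by only one plugin."""
    a, b = parse_process_rows(pslist_text), parse_process_rows(psscan_text)
    return {"only_pslist": a - b, "only_psscan": b - a}


def parse_psxview(text):
    """Yield (name, pid, {method: bool}) for every psxview data row."""
    row = re.compile(r"\s*0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+((?:\b(?:True|False)\b\s*){7})", re.I)
    for line in text.splitlines():
        m = row.match(line)
        if not m:
            continue
        flags = dict(zip(PSXVIEW_METHODS, (f == "True" for f in m.group(3).split())))
        yield m.group(1), int(m.group(2)), flags


def classify_psxview(text):
    """Apply the post's rules; returns {(name, pid): (verdict, missing_methods)}."""
    verdicts = {}
    for name, pid, flags in parse_psxview(text):
        missing = [m for m in PSXVIEW_METHODS if not flags[m]]
        if not missing:
            continue                                # seen by every method
        if not flags["pslist"]:
            verdict = "hidden"                      # unlinked from the process list
        elif name in PRE_CSRSS and set(missing) <= LATE_METHODS:
            verdict = "expected"                    # known limitation of those views
        elif set(missing) <= LATE_METHODS:
            verdict = "needs corroboration"         # csrss-family miss alone is no proof
        else:
            verdict = "suspicious"                  # a structural method missed it too
        verdicts[(name, pid)] = (verdict, missing)
    return verdicts


if __name__ == "__main__":
    print(diff_process_lists(SAMPLE_PSLIST, SAMPLE_PSSCAN))
    for key, value in classify_psxview(SAMPLE_PSXVIEW).items():
        print(key, value)
```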

 

The next step after studying the running processes is to find network services and connections that may also have been established at that time.


Summary of Process Analysis

The Volatility plugins used so far in the analysis of this particular memory image have not succeeded in finding any indicators of compromise. Subsequent plugins may therefore reveal evidence of infection.


Analyzing Network Connections

The first network-based Volatility plugin that should be used is connscan. It is used to verify the existence of ongoing network connections and scans a memory image for current or recently terminated connections. This plugin makes use of physical memory addressing and parses the _TCPT_OBJECT data structure to identify remote connections.



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a25a50 0.0.0.0:1026              172.16.98.1:6666          1956

From the output above, PID 1956 (explorer.exe) has established a connection with the remote system 172.16.98.1 on port 6666. This port is well known for its use by malware. The remote IP address can then be investigated using the OSINT techniques described here.


Another plugin for determining network connections on Windows systems is netscan. It carves through the memory dump looking for artifacts of network activity, which means it may find sessions that were either active or inactive at the time of the RAM dump.


volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem netscan

 

I am unable to show the output for this command as the plugin does not support the Windows XP operating system, which is the operating system of my memory dump.

 

Sometimes this plugin is unable to find all the information necessary to reconstruct every active session, because data was paged out at the time of the dump. Additionally, it may recover partially deleted data about old connections and/or generate false positives. As a result, it is a good idea to run commands like netstat -anob at the time of volatile data collection, to have a point of comparison. Keep in mind that tools like netstat may be fooled by malware running on the live system, so the netscan plugin may detect hidden network activity that netstat misses. Comparing the results of both commands is therefore a best practice when possible.

 

You can also find evidence of both recently terminated and ongoing communications using the connections plugin. This plugin supports both physical and virtual memory addresses.

 

volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem connections

 

Volatility offers two additional network-based plugins, sockets and sockscan. The sockets plugin lists open sockets and may provide additional information about covert network channels, while the sockscan plugin scans a suspect memory image for all TCP sockets. Generally the output is the same for both plugins with the exception of the memory addresses: the sockets plugin uses virtual memory addressing while the sockscan plugin uses physical memory addressing.


sockets output

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x8177e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x81596a78      688    500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x8166a008      964   1029     17 UDP             127.0.0.1       2011-10-10 17:04:42 UTC+0000
0x818ddc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
0x818328d8      916    135      6 TCP             0.0.0.0         2011-10-10 17:03:59 UTC+0000
0x81687e98     1616   1025      6 TCP             127.0.0.1       2011-10-10 17:04:01 UTC+0000
0x817517e8      964    123     17 UDP             127.0.0.1       2011-10-10 17:04:00 UTC+0000
0x81753b20      688      0    255 Reserved        0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x8174fe98     1148   1900     17 UDP             127.0.0.1       2011-10-10 17:04:41 UTC+0000
0x81753008      688   4500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x816118d8        4    445     17 UDP             0.0.0.0         2011-10-10 17:03:55 UTC+0000

 

sockscan output


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockscan
Volatility Foundation Volatility Framework 2.6
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01796a78      688    500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x018118d8        4    445     17 UDP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
0x0186a008      964   1029     17 UDP             127.0.0.1       2011-10-10 17:04:42 UTC+0000
0x01887e98     1616   1025      6 TCP             127.0.0.1       2011-10-10 17:04:01 UTC+0000
0x0194fe98     1148   1900     17 UDP             127.0.0.1       2011-10-10 17:04:41 UTC+0000
0x019517e8      964    123     17 UDP             127.0.0.1       2011-10-10 17:04:00 UTC+0000
0x01953008      688   4500     17 UDP             0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x01953b20      688      0    255 Reserved        0.0.0.0         2011-10-10 17:04:00 UTC+0000
0x0197e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x01a328d8      916    135      6 TCP             0.0.0.0         2011-10-10 17:03:59 UTC+0000
0x01addc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000

You can combine the outputs of both plugins with the commands below; the awk step drops the offset column so that rows seen by both plugins collapse to one line.


volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockets > sockets.txt
volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem sockscan > sockscan.txt
cat sockets.txt sockscan.txt | awk '{$1="";print}' | sort -n | uniq > sockets_sockscan.txt

 

Examining these data, the covert communication found emanating from explorer.exe does not appear in this output. Thus, somewhere behind explorer.exe, a hidden communication channel is clearly in use.
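The connscan finding above and the sockets/sockscan merge can be turned into a repeatable triage step. The script below is an added example, not code from the original post or from Volatility: it merges the two socket views exactly as the awk one-liner does (offset dropped, rows de-duplicated), reports rows that only one view saw, and attaches the owning process name to each connscan entry together with the reasons a reviewer would want it explained. The sample rows are copied from this page's output, except one constructed sockscan-only row (port 4444) and the constructed pslist excerpt; the remote-port and process watchlists are assumptions of this example.

```python
"""Triage of connscan output against the process list and socket views (added example)."""
import re

# Assumption: remote ports worth a second look; 6666 is the port in the post's
# connscan row and a conventional IRC port.
WATCH_REMOTE_PORTS = {6666, 6667}
# Assumption: workstation processes that rarely originate outbound connections.
WATCH_PROCESSES = {"explorer.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}

# Constructed excerpts; the first three sockscan rows mirror the sockets rows
# and the port 4444 row is constructed to show a sockscan-only entry.
SAMPLE_CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a25a50 0.0.0.0:1026              172.16.98.1:6666          1956
"""
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x815bcda0 explorer.exe           1956   1920       12      400      0      0 2011-10-10 17:04:39 UTC+0000
0x819757f0 svchost.exe             916    676       10      200      0      0 2011-10-10 17:03:59 UTC+0000
"""
SAMPLE_SOCKETS = """\
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x8177e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x818ddc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
0x818328d8      916    135      6 TCP             0.0.0.0         2011-10-10 17:03:59 UTC+0000
"""
SAMPLE_SOCKSCAN = """\
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x0197e3c0     1956   1026      6 TCP             0.0.0.0         2011-10-10 17:04:39 UTC+0000
0x01addc08        4    445      6 TCP             0.0.0.0         2011-10-10 17:03:55 UTC+0000
0x01a328d8      916    135      6 TCP             0.0.0.0         2011-10-10 17:03:59 UTC+0000
0x01c00000     1956   4444      6 TCP             0.0.0.0         2011-10-10 17:05:00 UTC+0000
"""


def parse_pid_names(pslist_text):
    """{pid: name} from pslist or psscan rows (offset, name, pid, ppid ...)."""
    names = {}
    for line in pslist_text.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+\d+", line, re.I)
        if m:
            names[int(m.group(2))] = m.group(1)
    return names


def parse_sockets(text):
    """sockets and sockscan rows as (pid, port, protocol, address); offset dropped."""
    rows = set()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+\s+(\d+)\s+(\d+)\s+\d+\s+(\S+)\s+(\S+)", line, re.I)
        if m:
            pid, port, proto, addr = m.groups()
            rows.add((int(pid), int(port), proto, addr))
    return rows


def merge_socket_views(sockets_text, sockscan_text):
    """Union of both views plus what only one of them saw (a hidden-socket hint)."""
    a, b = parse_sockets(sockets_text), parse_sockets(sockscan_text)
    return {"all": a | b, "only_sockets": a - b, "only_sockscan": b - a}


def parse_connscan(text):
    """connscan rows as dicts with pid, (local ip, port) and (remote ip, port)."""
    conns = []
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)", line, re.I)
        if m:
            lip, lport, rip, rport, pid = m.groups()
            conns.append({"pid": int(pid), "local": (lip, int(lport)),
                          "remote": (rip, int(rport))})
    return conns


def triage_connections(connscan_text, pslist_text, sockets):
    """Attach the owning process to each connection and list why it deserves review."""
    names = parse_pid_names(pslist_text)
    local_endpoints = {(pid, port) for pid, port, _, _ in sockets}
    findings = []
    for c in parse_connscan(connscan_text):
        reasons = []
        name = names.get(c["pid"])
        if name is None:
            reasons.append("owning PID absent from the process list")
        elif name in WATCH_PROCESSES:
            reasons.append(f"{name} rarely originates outbound connections")
        if c["remote"][1] in WATCH_REMOTE_PORTS:
            reasons.append(f"remote port {c['remote'][1]} is on the watchlist")
        if (c["pid"], c["local"][1]) not in local_endpoints:
            reasons.append("no socket object found for the local port")
        findings.append({**c, "process": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    views = merge_socket_views(SAMPLE_SOCKETS, SAMPLE_SOCKSCAN)
    print("only in sockscan:", views["only_sockscan"])
    for f in triage_connections(SAMPLE_CONNSCAN, SAMPLE_PSLIST, views["all"]):
        print(f["process"], f["local"], "->", f["remote"], f["reasons"])
```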


DLL Analysis

When analyzing a process, it is important to know which DLLs (dynamic-link libraries) are loaded into the process itself. A DLL contains executable code that can provide a process with specific functionality, so understanding which DLLs a process incorporates may give insight into its capabilities. In addition, malicious software may inject rogue DLLs into otherwise benign processes to introduce malicious activity without starting a new process on the system, so examining processes for the presence of malicious DLLs or other code injection is an important analysis step. Volatility supports this type of analysis with a few different plugins.

 

Inside the _EPROCESS structure is the Process Environment Block (_PEB). The _PEB contains several items of interest, including but not limited to:

  • The path to the process’ executable on disk.
  • The command line used to invoke the process.
  • Three different lists of DLLs associated with the process.
    • One that lists the order in which each DLL was loaded into the process.
    • One that lists the DLLs based on their order in process memory.
    • One that lists the order in which they are executed by the program code.
  • The standard input, output, and error for the process.
  • The process’ working directory.

 

Most tools that run on a live system determine the DLLs used by a process by consulting the first of the three DLL lists stored in the PEB, which tracks the order in which each DLL was loaded. As a result, malware will sometimes modify that list to hide the presence of a DLL. Volatility has a plugin that parses this same list, which can be run with the following command.


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem dlllist
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
Unable to read PEB for task.
************************************************************************
smss.exe pid:    536
Command line : \SystemRoot\System32\smss.exe


Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x48580000     0xf000     0xffff \SystemRoot\System32\smss.exe
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
************************************************************************
csrss.exe pid:    608
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
Service Pack 2

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x4a680000     0x5000     0xffff \??\C:\WINDOWS\system32\csrss.exe
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
0x75b40000     0xb000     0xffff C:\WINDOWS\system32\CSRSRV.dll
0x75b50000    0x10000        0x3 C:\WINDOWS\system32\basesrv.dll
0x75b60000    0x4a000        0x2 C:\WINDOWS\system32\winsrv.dll
0x77d40000    0x90000        0x6 C:\WINDOWS\system32\USER32.dll
0x7c800000    0xf4000        0xe C:\WINDOWS\system32\KERNEL32.dll
0x77f10000    0x46000        0x5 C:\WINDOWS\system32\GDI32.dll
0x75e90000    0xb0000        0x1 C:\WINDOWS\system32\sxs.dll
0x77dd0000    0x9b000        0x3 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x91000        0x3 C:\WINDOWS\system32\RPCRT4.dll
************************************************************************
winlogon.exe pid:    632
Command line : winlogon.exe
Service Pack 2

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0x80000     0xffff \??\C:\WINDOWS\system32\winlogon.exe
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf4000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x91000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x776c0000    0x11000     0xffff C:\WINDOWS\system32\AUTHZ.dll
0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll
0x77a80000    0x94000     0xffff C:\WINDOWS\system32\CRYPT32.dll
0x77d40000    0x90000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x46000     0xffff C:\WINDOWS\system32\GDI32.dll
0x77b20000    0x12000     0xffff C:\WINDOWS\system32\MSASN1.dll
0x75940000     0x8000     0xffff C:\WINDOWS\system32\NDdeApi.dll
0x75930000     0xa000     0xffff C:\WINDOWS\system32\PROFMAP.dll
0x5b860000    0x54000     0xffff C:\WINDOWS\system32\NETAPI32.dll
0x769c0000    0xb3000     0xffff C:\WINDOWS\system32\USERENV.dll
0x76bf0000     0xb000     0xffff C:\WINDOWS\system32\PSAPI.DLL
0x76bc0000     0xf000     0xffff C:\WINDOWS\system32\REGAPI.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x77920000    0xf3000     0xffff C:\WINDOWS\system32\SETUPAPI.dll
0x77c00000     0x8000     0xffff C:\WINDOWS\system32\VERSION.dll
0x76360000    0x10000     0xffff C:\WINDOWS\system32\WINSTA.dll
0x76c30000    0x2e000     0xffff C:\WINDOWS\system32\WINTRUST.dll
0x76c90000    0x28000     0xffff C:\WINDOWS\system32\IMAGEHLP.dll
0x71ab0000    0x17000     0xffff C:\WINDOWS\system32\WS2_32.dll
0x71aa0000     0x8000     0xffff C:\WINDOWS\system32\WS2HELP.dll
0x10000000    0x59000        0x1 C:\WINDOWS\system32\mfc42ul.dll
0x71f60000     0x8000        0x1 C:\WINDOWS\system32\snmpapi.dll
0x75970000    0xf7000        0x2 C:\WINDOWS\system32\MSGINA.dll
0x7c9c0000   0x814000       0x10 C:\WINDOWS\system32\SHELL32.dll
0x77f60000    0x76000       0x1b C:\WINDOWS\system32\SHLWAPI.dll
0x5d090000    0x97000        0x7 C:\WINDOWS\system32\COMCTL32.dll
0x74320000    0x3d000        0x2 C:\WINDOWS\system32\ODBC32.dll
0x763b0000    0x49000        0x2 C:\WINDOWS\system32\comdlg32.dll
0x773d0000   0x102000        0x3 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x20000000    0x17000        0x1 C:\WINDOWS\system32\odbcint.dll
0x776e0000    0x23000        0x1 C:\WINDOWS\system32\SHSVCS.dll
0x76bb0000     0x5000        0x2 C:\WINDOWS\system32\sfc.dll
0x76c60000    0x2a000        0x5 C:\WINDOWS\system32\sfc_os.dll
0x774e0000   0x13c000       0x19 C:\WINDOWS\system32\ole32.dll
0x77b40000    0x22000        0x1 C:\WINDOWS\system32\Apphelp.dll
0x723d0000    0x1c000        0x7 C:\WINDOWS\system32\WINSCARD.DLL
0x76f50000     0x8000        0x7 C:\WINDOWS\system32\WTSAPI32.dll
0x75e90000    0xb0000        0x1 C:\WINDOWS\system32\sxs.dll
0x5ad70000    0x38000        0x5 C:\WINDOWS\system32\uxtheme.dll
0x76b40000    0x2d000       0x12 C:\WINDOWS\system32\WINMM.dll
0x76600000    0x1d000        0x2 C:\WINDOWS\system32\cscdll.dll
0x75950000    0x1a000        0x6 C:\WINDOWS\system32\WlNotify.dll
0x73000000    0x26000        0x6 C:\WINDOWS\system32\WINSPOOL.DRV
0x71b20000    0x12000        0x7 C:\WINDOWS\system32\MPR.dll
0x0ffd0000    0x28000        0x1 C:\WINDOWS\system32\rsaenh.dll
0x71bf0000    0x13000        0x4 C:\WINDOWS\system32\SAMLIB.dll
0x77c70000    0x23000        0x1 C:\WINDOWS\system32\msv1_0.dll
0x76d60000    0x19000        0x1 C:\WINDOWS\system32\iphlpapi.dll
0x76f60000    0x2c000        0x3 C:\WINDOWS\system32\wldap32.dll
0x77a20000    0x54000        0x1 C:\WINDOWS\system32\cscui.dll
0x76d40000    0x18000        0x1 C:\WINDOWS\system32\MPRAPI.dll
0x77cc0000    0x32000        0x1 C:\WINDOWS\system32\ACTIVEDS.dll
0x76e10000    0x25000        0x1 C:\WINDOWS\system32\adsldpc.dll
0x76b20000    0x11000        0x1 C:\WINDOWS\system32\ATL.DLL
0x77120000    0x8c000        0x4 C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000     0xe000        0x1 C:\WINDOWS\system32\rtutils.dll
0x014a0000   0x2c5000        0x2 C:\WINDOWS\system32\xpsp2res.dll
0x77050000    0xc5000        0x2 C:\WINDOWS\system32\COMRes.dll
0x76fd0000    0x7f000        0x2 C:\WINDOWS\system32\CLBCATQ.DLL
0x77690000    0x21000        0x1 C:\WINDOWS\system32\NTMARTA.DLL
0x72d20000     0x9000        0x6 C:\WINDOWS\system32\wdmaud.drv
0x72d10000     0x8000        0x2 C:\WINDOWS\system32\msacm32.drv
0x77be0000    0x15000        0x2 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000     0x7000        0x1 C:\WINDOWS\system32\midimap.dll
************************************************************************
services.exe pid:    676
Command line : C:\WINDOWS\system32\services.exe
Service Pack 2

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0x1c000     0xffff C:\WINDOWS\system32\services.exe
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf4000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x91000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77d40000    0x90000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x46000     0xffff C:\WINDOWS\system32\GDI32.dll
0x769c0000    0xb3000     0xffff C:\WINDOWS\system32\USERENV.dll
0x758e0000    0x50000     0xffff C:\WINDOWS\system32\SCESRV.dll
0x776c0000    0x11000     0xffff C:\WINDOWS\system32\AUTHZ.dll
0x758c0000    0x1f000     0xffff C:\WINDOWS\system32\umpnpmgr.dll
0x76360000    0x10000     0xffff C:\WINDOWS\system32\WINSTA.dll
0x5b860000    0x54000     0xffff C:\WINDOWS\system32\NETAPI32.dll
0x5f770000     0xc000     0xffff C:\WINDOWS\system32\NCObjAPI.DLL
0x76080000    0x65000     0xffff C:\WINDOWS\system32\MSVCP60.dll
0x5cb70000    0x26000        0x1 C:\WINDOWS\system32\ShimEng.dll
0x6f880000   0x1ca000        0x1 C:\WINDOWS\AppPatch\AcGenral.DLL
0x76b40000    0x2d000        0x2 C:\WINDOWS\system32\WINMM.dll
0x774e0000   0x13c000        0x2 C:\WINDOWS\system32\ole32.dll
0x77120000    0x8c000        0x1 C:\WINDOWS\system32\OLEAUT32.dll
0x77be0000    0x15000        0x1 C:\WINDOWS\system32\MSACM32.dll
0x77c00000     0x8000        0x3 C:\WINDOWS\system32\VERSION.dll
0x7c9c0000   0x814000        0x1 C:\WINDOWS\system32\SHELL32.dll
0x77f60000    0x76000        0x3 C:\WINDOWS\system32\SHLWAPI.dll
0x5ad70000    0x38000        0x1 C:\WINDOWS\system32\UxTheme.dll
0x10000000    0x59000        0x1 C:\WINDOWS\system32\mfc42ul.dll
0x71ab0000    0x17000        0x3 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000     0x8000        0x2 C:\WINDOWS\system32\WS2HELP.dll
0x71f60000     0x8000        0x1 C:\WINDOWS\system32\snmpapi.dll
0x773d0000   0x102000        0x1 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x5d090000    0x97000        0x1 C:\WINDOWS\system32\comctl32.dll
0x77fe0000    0x11000        0x3 C:\WINDOWS\system32\secur32.dll
0x77b40000    0x22000        0x1 C:\WINDOWS\system32\Apphelp.dll
0x77b70000    0x11000        0x1 C:\WINDOWS\system32\eventlog.dll
0x76bf0000     0xb000        0x1 C:\WINDOWS\system32\PSAPI.DLL
0x76f50000     0x8000        0x1 C:\WINDOWS\system32\wtsapi32.dll
************************************************************************

Unfortunately, examining the output generated from this plugin can in some cases (such as this) be both time-consuming and painstaking.


The preferred method for detecting indicators of compromise is two-fold. First, using keywords (such as 0zapftis, infection, rootkit, worm, etc.) it may be possible to find the infection, as malware programmers do not always use innocuous filenames. Of course, this is at best a hit-and-miss approach. Secondly, an investigator may attempt to detect suspicious files based on their names and locations. However, this requires that the investigator has a very good working knowledge of the underlying operating system. Looking blindly at filenames and locations will not produce meaningful results unless something really sticks out.

 

Recall that a reliable source of filenames is the NIST NSRL hash-set. It can be broken down manually using command-line text processing tools by software product and operating system.


For this specific investigation, since emphasis is placed on indicators of compromise without the use of external documentation, the investigator must studiously examine the plugin's output. From the output shown above, the suspicious DLL is mfc42ul.dll. This file does not belong in the Windows System32 directory. While it looks valid because many MFC-based files can be found in a valid Windows installation, this file does not match any entry in the known list of files (the NSRL hash-set). However, mfc42u.dll is a very close match to this suspicious filename and is a known Windows file. The suspicious DLL was found at base offset 0x10000000 and may have been used to carry out DLL injection. Upon closer inspection of the lengthy output generated by this plugin, 15 instances of this DLL were found in the memory address spaces of other processes.
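The two checks just described, an unknown filename in System32 and a near-miss of a known filename, can be run mechanically over dlllist output. The script below is an added example, not code from the original post or from Volatility: it parses the per-process sections that dlllist prints, counts how many processes map each module, and flags System32 DLLs that are absent from a known-good list or differ from a known name by a single character. The known-good set is a short constructed stand-in for an NSRL-derived list, and the dlllist sample is an abridged, constructed excerpt built from rows on this page.

```python
"""Hunting for out-of-place DLLs in Volatility dlllist output (added example)."""
import re
from collections import defaultdict

# Constructed stand-in for a known-good System32 list (NSRL would be the real source).
KNOWN_SYSTEM32 = {"ntdll.dll", "kernel32.dll", "advapi32.dll", "rpcrt4.dll", "user32.dll",
                  "gdi32.dll", "msvcrt.dll", "mfc42.dll", "mfc42u.dll", "ws2_32.dll",
                  "ws2help.dll", "snmpapi.dll", "shell32.dll", "secur32.dll"}

# Constructed, abridged dlllist excerpt (rows taken from the post's output).
SAMPLE_DLLLIST = r"""
************************************************************************
winlogon.exe pid:    632
Command line : winlogon.exe
Service Pack 2

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0x80000     0xffff \??\C:\WINDOWS\system32\winlogon.exe
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
0x71ab0000    0x17000     0xffff C:\WINDOWS\system32\WS2_32.dll
0x10000000    0x59000        0x1 C:\WINDOWS\system32\mfc42ul.dll
0x71f60000     0x8000        0x1 C:\WINDOWS\system32\snmpapi.dll
************************************************************************
services.exe pid:    676
Command line : C:\WINDOWS\system32\services.exe
Service Pack 2

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0x1c000     0xffff C:\WINDOWS\system32\services.exe
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
0x10000000    0x59000        0x1 C:\WINDOWS\system32\mfc42ul.dll
************************************************************************
"""


def parse_dlllist(text):
    """Return {(process, pid): [(base, size, loadcount, path), ...]} per section."""
    procs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S+) pid:\s+(\d+)", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            procs[current] = []
            continue
        m = re.match(r"\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S.*)$", line, re.I)
        if m and current is not None:
            base, size, count, path = m.groups()
            procs[current].append((int(base, 16), int(size, 16), int(count, 16), path.strip()))
    return procs


def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted, deleted or replaced character."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1            # extra character in a
        elif len(a) < len(b):
            j += 1            # extra character in b
        else:
            i, j = i + 1, j + 1   # substitution
    edits += (len(a) - i) + (len(b) - j)
    return edits == 1


def hunt_dlls(text, known=KNOWN_SYSTEM32):
    """Flag System32 DLLs not on the known list, with near-misses and a process count."""
    procs = parse_dlllist(text)
    seen_in, findings = defaultdict(set), {}
    for proc, modules in procs.items():
        for base, _size, _count, path in modules:
            m = re.search(r"\\system32\\([^\\]+\.dll)$", path, re.I)
            if not m:
                continue
            name = m.group(1).lower()
            seen_in[name].add(proc)
            if name in known or name in findings:
                continue
            near = sorted(k for k in known if one_edit_apart(name, k))
            findings[name] = {"base": base, "near_miss_of": near}
    for name, info in findings.items():
        info["process_count"] = len(seen_in[name])
    return findings


if __name__ == "__main__":
    for name, info in hunt_dlls(SAMPLE_DLLLIST).items():
        print(name, hex(info["base"]), info["near_miss_of"], info["process_count"])
```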


To list version information about Portable Executable (PE) files, use the verinfo plugin command. A truncated output is shown below:


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem verinfo
Volatility Foundation Volatility Framework 2.6
\SystemRoot\System32\smss.exe
C:\WINDOWS\system32\ntdll.dll
\??\C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\CSRSRV.dll
C:\WINDOWS\system32\basesrv.dll
C:\WINDOWS\system32\winsrv.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Windows Server DLL
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : winsrv
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : winsrv.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\USER32.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Windows XP USER API Client DLL
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : user32
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : user32
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\KERNEL32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\sxs.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Fusion 2.5
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : SXS.DLL
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : SXS.DLL
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\ADVAPI32.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Advanced Windows 32 Base API
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : advapi32.dll
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : advapi32.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\RPCRT4.dll
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Remote Procedure Call Runtime
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : rpcrt4.dll
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : rpcrt4.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
\??\C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\odbcint.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\wdmaud.drv
  File version    : 5.1.2600.2180
  Product version : 5.1.2600.2180
  Flags           :
  OS              : Windows NT
  File Type       : Driver
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : WDM Audio driver mapper
  FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
  InternalName : WDMAUD.DRV
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : WDMAUD.DRV
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.2180
C:\WINDOWS\system32\msacm32.drv
  File version    : 5.1.2600.0
  Product version : 5.1.2600.0
  Flags           :
  OS              : Windows NT
  File Type       : Driver
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Microsoft Sound Mapper
  FileVersion : 5.1.2600.0 (xpclient.010817-1148)
  InternalName : Microsoft Sound Mapper
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : msacm32.acm
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.0


If an infection is active and does not show itself via the network, then the filescan plugin may be of assistance as it may be able to find open handles in memory. Unfortunately, no direct link to these files is possible as the physical disk image is not available for analysis. This plugin makes use of physical address offsets.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem filescan
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000000156bcb0      2      1 ------ \Device\Afd\Endpoint
0x000000000156f100      1      1 ------ \Device\NamedPipe\W32TIME
0x00000000015a9a70      1      0 ------ \Device\KSENUM#00000002\{9B365890-165F-11D0-A195-0020AFD156E4}
0x00000000015ac5c8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015ac6b0      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\Media\Windows XP Startup.wav
0x00000000015ac8f0      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
0x00000000015ad318      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\webcheck.dll
0x00000000015ad740      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\themeui.dll
0x00000000015ad858      1      1 ------ \Device\Afd\Endpoint
0x00000000015adb98      1      1 R--r-- \Device\HarddiskVolume1\WINDOWS\system32\ega.cpi
0x00000000015ae208      2      1 R--rw- \Device\HarddiskVolume1\Program Files\Windows NT\Accessories
0x00000000015ae3d0      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\moricons.dll
0x00000000015afbf0      1      0 R--r-- \Device\HarddiskVolume1\WINDOWS\Fonts\framdit.ttf
0x00000000015afe08      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32
0x00000000015b0128      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32
0x00000000015b01d8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015b0af0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015b0c10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015b1028      1      0 ------ \Device\KSENUM#00000002\{9B365890-165F-11D0-A195-0020AFD156E4}
0x00000000015b2380      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\dllcache
0x00000000015b2a38      1      1 RW-r-- \Device\HarddiskVolume1\WINDOWS\SoftwareDistribution\ReportingEvents.log
0x00000000015b2ad0      2      1 ------ \Device\Afd\Endpoint
0x00000000015b30b8      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Music\Desktop.ini
0x00000000015b40b8      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\explorer.exe
0x00000000015b41f0      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0426
0x00000000015b4318      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0425
0x00000000015b4f18      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
0x00000000015b5028      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0410
0x00000000015b5118      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0411
0x00000000015b6318      2      1 R--rw- \Device\HarddiskVolume1\Program Files\xerox\nwwia
0x00000000015b7028      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\wscntfy.exe
0x00000000015b8128      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\mfc42ul.dll
0x00000000015b9138      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0414
0x00000000015b9320      1      1 ------ \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4}
0x00000000015b95b8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x00000000015ba128      2      1 ------ \Device\NamedPipe\TerminalServer\AutoReconnect
0x00000000015ba418      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\inf
0x00000000015ba4b0      2      1 R--rw- \Device\HarddiskVolume1\Program Files\Common Files\System\Ole DB

Once again the suspicious DLL, mfc42ul.dll, turns up in the filescan output, this time at physical offset 0x00000000015b8128.


For a process to access other elements of the system, it must first acquire a handle to the objects that it wants to manipulate. Whether reading a file, writing to a registry key, or opening a connection to a remote share, the process must have permission to access the object and obtain a handle to it. Permissions are determined by the user account that is attempting the action and by the permissions assigned to that user and/or the groups of which it is a member. A process is assigned a security token based on the user context in which it was run. This token lists the user and/or groups on whose behalf the process is working, which in turn determines which files it may access and what other security permissions it holds. The operating system refers to each user or group by a unique numeric Security Identifier (SID). To list the SIDs associated with each process's token, use the following command:


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem getsids
Volatility Foundation Volatility Framework 2.6
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
System (4): S-1-1-0 (Everyone)
System (4): S-1-5-11 (Authenticated Users)
smss.exe (536): S-1-5-18 (Local System)
smss.exe (536): S-1-5-32-544 (Administrators)
smss.exe (536): S-1-1-0 (Everyone)
smss.exe (536): S-1-5-11 (Authenticated Users)
csrss.exe (608): S-1-5-18 (Local System)
csrss.exe (608): S-1-5-32-544 (Administrators)
csrss.exe (608): S-1-1-0 (Everyone)
csrss.exe (608): S-1-5-11 (Authenticated Users)
winlogon.exe (632): S-1-5-18 (Local System)
winlogon.exe (632): S-1-5-32-544 (Administrators)
winlogon.exe (632): S-1-1-0 (Everyone)
winlogon.exe (632): S-1-5-11 (Authenticated Users)
services.exe (676): S-1-5-18 (Local System)
services.exe (676): S-1-5-32-544 (Administrators)
services.exe (676): S-1-1-0 (Everyone)
services.exe (676): S-1-5-11 (Authenticated Users)
lsass.exe (688): S-1-5-18 (Local System)
lsass.exe (688): S-1-5-32-544 (Administrators)
lsass.exe (688): S-1-1-0 (Everyone)
lsass.exe (688): S-1-5-11 (Authenticated Users)
vmacthlp.exe (832): S-1-5-18 (Local System)
vmacthlp.exe (832): S-1-5-32-544 (Administrators)
vmacthlp.exe (832): S-1-1-0 (Everyone)
vmacthlp.exe (832): S-1-5-11 (Authenticated Users)
svchost.exe (848): S-1-5-18 (Local System)
svchost.exe (848): S-1-5-32-544 (Administrators)
svchost.exe (848): S-1-1-0 (Everyone)
svchost.exe (848): S-1-5-11 (Authenticated Users)
svchost.exe (916): S-1-5-20 (NT Authority)
svchost.exe (916): S-1-5-20 (NT Authority)
svchost.exe (916): S-1-1-0 (Everyone)
svchost.exe (916): S-1-5-32-545 (Users)
svchost.exe (916): S-1-5-6 (Service)
svchost.exe (916): S-1-5-11 (Authenticated Users)
svchost.exe (916): S-1-5-5-0-54905 (Logon Session)
svchost.exe (916): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (916): S-1-1-0 (Everyone)
svchost.exe (916): S-1-5-11 (Authenticated Users)
svchost.exe (916): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (916): S-1-5-32-545 (Users)
svchost.exe (964): S-1-5-18 (Local System)
svchost.exe (964): S-1-5-32-544 (Administrators)
svchost.exe (964): S-1-1-0 (Everyone)
svchost.exe (964): S-1-5-11 (Authenticated Users)
svchost.exe (1020): S-1-5-20 (NT Authority)
svchost.exe (1020): S-1-5-20 (NT Authority)
svchost.exe (1020): S-1-1-0 (Everyone)
svchost.exe (1020): S-1-5-32-545 (Users)
svchost.exe (1020): S-1-5-6 (Service)
svchost.exe (1020): S-1-5-11 (Authenticated Users)
svchost.exe (1020): S-1-5-5-0-57076 (Logon Session)
svchost.exe (1020): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1020): S-1-1-0 (Everyone)
svchost.exe (1020): S-1-5-11 (Authenticated Users)
svchost.exe (1020): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1020): S-1-5-32-545 (Users)
svchost.exe (1148): S-1-5-19 (NT Authority)
svchost.exe (1148): S-1-5-19 (NT Authority)
svchost.exe (1148): S-1-1-0 (Everyone)
svchost.exe (1148): S-1-5-32-545 (Users)
svchost.exe (1148): S-1-5-6 (Service)
svchost.exe (1148): S-1-5-11 (Authenticated Users)
svchost.exe (1148): S-1-5-5-0-57864 (Logon Session)
svchost.exe (1148): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1148): S-1-1-0 (Everyone)
svchost.exe (1148): S-1-5-11 (Authenticated Users)
svchost.exe (1148): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1148): S-1-5-32-545 (Users)
spoolsv.exe (1260): S-1-5-18 (Local System)
spoolsv.exe (1260): S-1-5-32-544 (Administrators)
spoolsv.exe (1260): S-1-1-0 (Everyone)
spoolsv.exe (1260): S-1-5-11 (Authenticated Users)
VMwareService.e (1444): S-1-5-18 (Local System)
VMwareService.e (1444): S-1-5-32-544 (Administrators)
VMwareService.e (1444): S-1-1-0 (Everyone)
VMwareService.e (1444): S-1-5-11 (Authenticated Users)
alg.exe (1616): S-1-5-19 (NT Authority)
alg.exe (1616): S-1-5-19 (NT Authority)
alg.exe (1616): S-1-1-0 (Everyone)
alg.exe (1616): S-1-5-32-545 (Users)
alg.exe (1616): S-1-5-6 (Service)
alg.exe (1616): S-1-5-11 (Authenticated Users)
alg.exe (1616): S-1-5-5-0-73075 (Logon Session)
alg.exe (1616): S-1-2-0 (Local (Users with the ability to log in locally))
alg.exe (1616): S-1-1-0 (Everyone)
alg.exe (1616): S-1-5-11 (Authenticated Users)
alg.exe (1616): S-1-2-0 (Local (Users with the ability to log in locally))
alg.exe (1616): S-1-5-32-545 (Users)
wscntfy.exe (1920): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
wscntfy.exe (1920): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
wscntfy.exe (1920): S-1-1-0 (Everyone)
wscntfy.exe (1920): S-1-5-32-544 (Administrators)
wscntfy.exe (1920): S-1-5-32-545 (Users)
wscntfy.exe (1920): S-1-5-4 (Interactive)
wscntfy.exe (1920): S-1-5-11 (Authenticated Users)
wscntfy.exe (1920): S-1-5-5-0-59067 (Logon Session)
wscntfy.exe (1920): S-1-2-0 (Local (Users with the ability to log in locally))
explorer.exe (1956): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
explorer.exe (1956): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
explorer.exe (1956): S-1-1-0 (Everyone)
explorer.exe (1956): S-1-5-32-544 (Administrators)
explorer.exe (1956): S-1-5-32-545 (Users)
explorer.exe (1956): S-1-5-4 (Interactive)
explorer.exe (1956): S-1-5-11 (Authenticated Users)
explorer.exe (1956): S-1-5-5-0-59067 (Logon Session)
explorer.exe (1956): S-1-2-0 (Local (Users with the ability to log in locally))
VMwareTray.exe (184): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
VMwareTray.exe (184): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
VMwareTray.exe (184): S-1-1-0 (Everyone)
VMwareTray.exe (184): S-1-5-32-544 (Administrators)
VMwareTray.exe (184): S-1-5-32-545 (Users)
VMwareTray.exe (184): S-1-5-4 (Interactive)
VMwareTray.exe (184): S-1-5-11 (Authenticated Users)
VMwareTray.exe (184): S-1-5-5-0-59067 (Logon Session)
VMwareTray.exe (184): S-1-2-0 (Local (Users with the ability to log in locally))
VMwareUser.exe (192): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
VMwareUser.exe (192): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
VMwareUser.exe (192): S-1-1-0 (Everyone)
VMwareUser.exe (192): S-1-5-32-544 (Administrators)
VMwareUser.exe (192): S-1-5-32-545 (Users)
VMwareUser.exe (192): S-1-5-4 (Interactive)
VMwareUser.exe (192): S-1-5-11 (Authenticated Users)
VMwareUser.exe (192): S-1-5-5-0-59067 (Logon Session)
VMwareUser.exe (192): S-1-2-0 (Local (Users with the ability to log in locally))
reader_sl.exe (228): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
reader_sl.exe (228): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
reader_sl.exe (228): S-1-1-0 (Everyone)
reader_sl.exe (228): S-1-5-32-544 (Administrators)
reader_sl.exe (228): S-1-5-32-545 (Users)
reader_sl.exe (228): S-1-5-4 (Interactive)
reader_sl.exe (228): S-1-5-11 (Authenticated Users)
reader_sl.exe (228): S-1-5-5-0-59067 (Logon Session)
reader_sl.exe (228): S-1-2-0 (Local (Users with the ability to log in locally))
wuauclt.exe (400): S-1-5-18 (Local System)
wuauclt.exe (400): S-1-5-32-544 (Administrators)
wuauclt.exe (400): S-1-1-0 (Everyone)
wuauclt.exe (400): S-1-5-11 (Authenticated Users)
cmd.exe (544): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
cmd.exe (544): S-1-5-21-839522115-73586283-2147125571-513 (Domain Users)
cmd.exe (544): S-1-1-0 (Everyone)
cmd.exe (544): S-1-5-32-544 (Administrators)
cmd.exe (544): S-1-5-32-545 (Users)
cmd.exe (544): S-1-5-4 (Interactive)
cmd.exe (544): S-1-5-11 (Authenticated Users)
cmd.exe (544): S-1-5-5-0-59067 (Logon Session)
cmd.exe (544): S-1-2-0 (Local (Users with the ability to log in locally))
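As an added example (not part of the original post and not Volatility's own code), the following Python parses getsids output in the format shown above, collapses the duplicated group lines that the plugin prints, and applies two defender checks: which PIDs carry the Interactive SID, and whether any core system image is running under a user account's token rather than a service account. The sample rows are copied from the listing above except the two rows for PID 2222, which are constructed to show what a hit looks like; the set of core image names is an assumption for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of Volatility 2.6 "getsids" output. The rows for
# PIDs 4, 688, 916, 1956 and 544 are copied from the listing above; the two rows for
# PID 2222 are made up for this example to show what an anomaly looks like.
SAMPLE_GETSIDS = """\
Volatility Foundation Volatility Framework 2.6
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
lsass.exe (688): S-1-5-18 (Local System)
lsass.exe (688): S-1-5-32-544 (Administrators)
svchost.exe (916): S-1-5-20 (NT Authority)
svchost.exe (916): S-1-5-20 (NT Authority)
svchost.exe (916): S-1-5-32-545 (Users)
svchost.exe (916): S-1-2-0 (Local (Users with the ability to log in locally))
explorer.exe (1956): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
explorer.exe (1956): S-1-5-32-544 (Administrators)
explorer.exe (1956): S-1-5-4 (Interactive)
cmd.exe (544): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
cmd.exe (544): S-1-5-4 (Interactive)
lsass.exe (2222): S-1-5-21-839522115-73586283-2147125571-500 (Administrator)
lsass.exe (2222): S-1-5-4 (Interactive)
"""

# One getsids line: "<image> (<pid>): <sid> (<label>)"
ROW = re.compile(r"^(?P<proc>.+?) \((?P<pid>\d+)\): (?P<sid>S-[\d-]+) \((?P<label>.*)\)$")

# Well-known service account SIDs: Local System, Local Service, Network Service.
SERVICE_ACCOUNT_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
INTERACTIVE_SID = "S-1-5-4"
# Core Windows images that should not carry a logged-on user's token (assumed list).
CORE_SYSTEM_IMAGES = {"system", "smss.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe"}


def parse_getsids(text: str) -> Dict[int, dict]:
    """Group getsids rows by PID; duplicate SID lines (as in the svchost output) are collapsed."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner or any other non-row line
        pid = int(m["pid"])
        entry = procs.setdefault(pid, {"process": m["proc"], "sids": [], "labels": {}})
        if m["sid"] not in entry["sids"]:
            entry["sids"].append(m["sid"])
            entry["labels"][m["sid"]] = m["label"]
    return procs


def owner_sid(entry: dict) -> str:
    """getsids prints the token's user SID first, followed by the group SIDs."""
    return entry["sids"][0]


def is_user_account(sid: str) -> bool:
    """Domain and local account SIDs take the form S-1-5-21-<domain>-<rid>."""
    return sid.startswith("S-1-5-21-")


def unexpected_user_context(procs: Dict[int, dict]) -> List[Tuple[int, str, str]]:
    """Core system images whose token belongs to something other than a service account."""
    hits = []
    for pid, entry in sorted(procs.items()):
        sid = owner_sid(entry)
        if entry["process"].lower() in CORE_SYSTEM_IMAGES and sid not in SERVICE_ACCOUNT_SIDS:
            hits.append((pid, entry["process"], sid))
    return hits


def interactive_pids(procs: Dict[int, dict]) -> List[int]:
    """PIDs whose token carries the Interactive group, i.e. processes tied to a console logon."""
    return [pid for pid, entry in procs.items() if INTERACTIVE_SID in entry["sids"]]


if __name__ == "__main__":
    procs = parse_getsids(SAMPLE_GETSIDS)
    for pid, entry in procs.items():
        print(pid, entry["process"], owner_sid(entry), entry["labels"][owner_sid(entry)])
    print("interactive:", interactive_pids(procs))
    print("unexpected context:", unexpected_user_context(procs))
```

The owner check is deliberately narrow: a process named like a core system binary but carrying a user's S-1-5-21 SID is worth a closer look, while a genuine user process such as explorer.exe or cmd.exe with that same SID is expected.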

 

In addition to permissions, a process may also be assigned privileges by the operating system to perform certain tasks. Privileges include the ability to bypass file permissions in order to read files for backup copies, the ability to access the memory of any process for debugging, the ability to shut down or restart the system, and the ability to load kernel drivers. These privileges are determined by local computer policies set by the system administrator. Malware will frequently attempt to enable additional privileges so that a malicious process can perform additional tasks. To list the privileges assigned to or enabled for a process, use the following command:



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem privs -p 1956
Volatility Foundation Volatility Framework 2.6
Pid      Process          Value  Privilege                            Attributes               Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
    1956 explorer.exe         23 SeChangeNotifyPrivilege              Present,Enabled,Default  Receive notifications of changes to files or directories
    1956 explorer.exe          8 SeSecurityPrivilege                  Present                  Manage auditing and security log
    1956 explorer.exe         17 SeBackupPrivilege                    Present                  Backup files and directories
    1956 explorer.exe         18 SeRestorePrivilege                   Present                  Restore files and directories
    1956 explorer.exe         12 SeSystemtimePrivilege                Present                  Change the system time
    1956 explorer.exe         19 SeShutdownPrivilege                  Present                  Shut down the system
    1956 explorer.exe         24 SeRemoteShutdownPrivilege            Present                  Force shutdown from a remote system
    1956 explorer.exe          9 SeTakeOwnershipPrivilege             Present                  Take ownership of files/objects
    1956 explorer.exe         20 SeDebugPrivilege                     Present                  Debug programs
    1956 explorer.exe         22 SeSystemEnvironmentPrivilege         Present                  Edit firmware environment values
    1956 explorer.exe         11 SeSystemProfilePrivilege             Present                  Profile system performance
    1956 explorer.exe         13 SeProfileSingleProcessPrivilege      Present                  Profile a single process
    1956 explorer.exe         14 SeIncreaseBasePriorityPrivilege      Present                  Increase scheduling priority
    1956 explorer.exe         10 SeLoadDriverPrivilege                Present,Enabled          Load and unload device drivers
    1956 explorer.exe         15 SeCreatePagefilePrivilege            Present                  Create a pagefile
    1956 explorer.exe          5 SeIncreaseQuotaPrivilege             Present                  Increase quotas
    1956 explorer.exe         25 SeUndockPrivilege                    Present,Enabled          Remove computer from docking station
    1956 explorer.exe         28 SeManageVolumePrivilege              Present                  Manage the files on a volume
    1956 explorer.exe         29 SeImpersonatePrivilege               Present,Enabled,Default  Impersonate a client after authentication
    1956 explorer.exe         30 SeCreateGlobalPrivilege              Present,Enabled,Default  Create global objects

 

The output of this command lists the privileges present for that process, an indicator of whether each privilege is enabled, a note on whether the system enabled the privilege by default or it was explicitly enabled, and a description of what the privilege allows the process to do. Before a privilege can be used, it must first be enabled. Your analysis should therefore pay attention to enabled privileges, particularly those that were not enabled by default, as they indicate a privilege that the malware bothered to enable specifically and has likely used or intends to use. In the explorer.exe listing above, SeLoadDriverPrivilege and SeUndockPrivilege are the only privileges marked Present,Enabled without Default. The --silent option can be added to show only those privileges that were explicitly enabled.

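As an added example (not part of the original post and not Volatility's own code), the following Python parses privs output in the table layout shown above and reproduces the filter that the --silent option applies: privileges that are Enabled but not Default. It also checks the process against a small watchlist of privileges a defender would want to know about; the watchlist is an assumption for this example, and the sample rows are a subset copied from the explorer.exe listing above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of Volatility 2.6 "privs" output: a subset of the
# explorer.exe (PID 1956) rows shown above, not the complete listing.
SAMPLE_PRIVS = """\
Pid      Process          Value  Privilege                            Attributes               Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
    1956 explorer.exe         23 SeChangeNotifyPrivilege              Present,Enabled,Default  Receive notifications of changes to files or directories
    1956 explorer.exe          8 SeSecurityPrivilege                  Present                  Manage auditing and security log
    1956 explorer.exe         20 SeDebugPrivilege                     Present                  Debug programs
    1956 explorer.exe         10 SeLoadDriverPrivilege                Present,Enabled          Load and unload device drivers
    1956 explorer.exe         25 SeUndockPrivilege                    Present,Enabled          Remove computer from docking station
    1956 explorer.exe         29 SeImpersonatePrivilege               Present,Enabled,Default  Impersonate a client after authentication
"""

# One data row: pid, image name, LUID value, privilege name, optional attribute list, description.
# The attribute column is optional so rows with no attributes still parse.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<value>\d+)\s+(?P<priv>Se\w+)"
    r"(?:\s+(?P<attrs>(?:Present|Enabled|Default)(?:,(?:Present|Enabled|Default))*))?"
    r"\s+(?P<desc>.*)$"
)

# Privileges that deserve a second look when a user-land process holds them
# (assumed watchlist for this example; tune it to your own environment).
WATCHLIST = {
    "SeDebugPrivilege",          # read/write the memory of other processes
    "SeLoadDriverPrivilege",     # load kernel drivers
    "SeBackupPrivilege",         # read any file regardless of its ACL
    "SeRestorePrivilege",        # write any file regardless of its ACL
    "SeTakeOwnershipPrivilege",  # take ownership of objects
    "SeTcbPrivilege",            # act as part of the operating system
}


def parse_privs(text: str) -> List[dict]:
    """Parse privs output into one dict per row; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        attrs = set(m["attrs"].split(",")) if m["attrs"] else set()
        rows.append({
            "pid": int(m["pid"]),
            "process": m["proc"],
            "privilege": m["priv"],
            "attrs": attrs,
            "description": m["desc"].strip(),
        })
    return rows


def explicitly_enabled(rows: List[dict], pid: Optional[int] = None) -> List[str]:
    """Privileges that are Enabled but not Default: the same set the --silent option prints."""
    return [
        r["privilege"] for r in rows
        if (pid is None or r["pid"] == pid)
        and "Enabled" in r["attrs"] and "Default" not in r["attrs"]
    ]


def watchlist_hits(rows: List[dict], pid: int) -> Dict[str, str]:
    """Watchlisted privileges held by `pid`, mapped to 'enabled' or 'present' (not yet enabled)."""
    hits = {}
    for r in rows:
        if r["pid"] == pid and r["privilege"] in WATCHLIST:
            hits[r["privilege"]] = "enabled" if "Enabled" in r["attrs"] else "present"
    return hits


if __name__ == "__main__":
    rows = parse_privs(SAMPLE_PRIVS)
    print("explicitly enabled:", explicitly_enabled(rows, 1956))
    print("watchlist:", watchlist_hits(rows, 1956))
```

Reporting "present" as well as "enabled" matters for the reason the paragraph gives: a privilege that is merely present has not been used yet, but a process can enable it at any time, so a present SeDebugPrivilege next to an enabled SeLoadDriverPrivilege is still part of the picture.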

You can also view information about the Windows mutexes (mutant objects) held by threads in memory to identify typical malware patterns. This is done with the mutantscan plugin, which reports physical offsets.


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem mutantscan
Volatility Foundation Volatility Framework 2.6
Offset(P)              #Ptr     #Hnd Signal Thread           CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x000000000156b260        1        1      1 0x00000000
0x000000000156e708        1        1      1 0x00000000
0x00000000015a9550        1        1      1 0x00000000
0x00000000015a9c08        1        1      1 0x00000000
0x00000000015a9ee8        1        1      1 0x00000000
0x00000000015aad68        1        1      1 0x00000000
0x00000000015ad538        2        1      1 0x00000000           WininetStartupMutex
0x00000000015ad5d0        1        1      1 0x00000000
0x00000000015ae2c0        1        1      1 0x00000000
0x00000000015af6e8        1        1      1 0x00000000
0x00000000015b0990        1        1      1 0x00000000
0x00000000015b2250        1        1      1 0x00000000
0x00000000015b2c20        2        1      1 0x00000000           msgina: InteractiveLogonRequestMutex
0x00000000015b2c70        2        1      1 0x00000000           msgina: InteractiveLogonMutex
0x00000000015b3ec8        1        1      1 0x00000000
0x00000000015b4fe0        2        1      1 0x00000000           ExplorerIsShellMutex
0x00000000015b70f0        2        1      0 0x815cb988 1920:1928 wscntfy_mtx
0x00000000015b9978        1        1      1 0x00000000
0x00000000015b9b80        1        1      1 0x00000000
0x00000000015c1dc0        2        1      1 0x00000000           PSched_Perf_Library_Lock_PID_5a4
0x00000000016824f8        1        1      1 0x00000000
0x0000000001683470        1        1      1 0x00000000
0x00000000016834e0        1        1      1 0x00000000
0x0000000001686020        1        1      1 0x00000000
0x0000000001688630        2        1      1 0x00000000           _SHuassist.mtx
0x00000000016888c0        2        1      0 0x81484788   400:420 Instance0:  ESENT Performance Data Schema Version 40
0x00000000016cdfb8        2        1      1 0x00000000           c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
0x000000000178e020        1        1      1 0x00000000
0x00000000017912f8        1        1      1 0x00000000
0x0000000001794368        4        3      1 0x00000000           WindowsUpdateTracingMutex
0x00000000017960a8        1        1      1 0x00000000
0x00000000017b3648        1        1      1 0x00000000
0x00000000017b3a70        1        1      1 0x00000000
0x00000000017b3e98        1        1      1 0x00000000
0x00000000017b4488        2        1      1 0x00000000           ISAPISearch_Perf_Library_Lock_PID_5a4
0x00000000017b53b8        1        1      1 0x00000000
0x00000000017b5e98        1        1      1 0x00000000
0x00000000017b7138        1        1      1 0x00000000
0x00000000017b7810        7        6      1 0x00000000           SHIMLIB_LOG_MUTEX
0x00000000017ba390        3        2      1 0x00000000           _!MSFTHISTORY!_
0x00000000017be2f0        2        1      1 0x00000000           MSDTC_Perf_Library_Lock_PID_5a4
0x00000000017c2180        1        1      1 0x00000000
0x00000000017c3120        1        1      1 0x00000000
0x00000000017d1f90        2        1      1 0x00000000           TermService_Perf_Library_Lock_PID_5a4
0x00000000017d1fe0        2        1      1 0x00000000           Tcpip_Perf_Library_Lock_PID_5a4
0x00000000017d51d8        1        1      1 0x00000000
0x00000000017d6f60        2        1      0 0x813b7230 1956:2000 SYS!ICP!94062
0x00000000017d6fa0        1        1      1 0x00000000
0x00000000017d72a0        1        1      1 0x00000000
0x00000000017db8f8        2        1      1 0x00000000           WPA_LICSTORE_MUTEX
0x00000000017db948        2        1      1 0x00000000           WPA_HWID_MUTEX
0x00000000017db998        2        1      1 0x00000000           WPA_LT_MUTEX
0x00000000017db9e8        2        1      1 0x00000000           WPA_RT_MUTEX
0x00000000017dba38        2        1      1 0x00000000           WPA_PR_MUTEX
0x00000000017f88e0        2        1      1 0x00000000           746bbf3569adEncrypt
0x00000000018071f8        1        1      1 0x00000000
0x0000000001807268        1        1      1 0x00000000
0x000000000180b148        1        1      1 0x00000000
0x000000000180b640        2        1      1 0x00000000           PerfDisk_Perf_Library_Lock_PID_5a4
0x000000000181a168        2        1      1 0x00000000           winlogon: Logon UserProfileMapping Mutex
0x0000000001845eb8        1        1      1 0x00000000
0x0000000001845ef8        1        1      1 0x00000000
0x000000000184b3a8        1        1      1 0x00000000
0x000000000188c230        1        1      1 0x00000000
0x00000000018c23b8        1        1      1 0x00000000
0x00000000018c27e0        1        1      1 0x00000000
0x00000000018c2c08        1        1      1 0x00000000
0x00000000018c3580        1        1      1 0x00000000
0x00000000018c5740        1        1      1 0x00000000
0x00000000018c5e50        1        1      1 0x00000000
0x00000000018c7a70        1        1      1 0x00000000
0x00000000018c7e98        1        1      1 0x00000000
0x00000000018c7f20        1        1      1 0x00000000
0x00000000018c99a0        3        2      1 0x00000000           RasPbFile
0x00000000018c99e0        1        1      1 0x00000000
0x00000000018c9b70        1        1      1 0x00000000
0x00000000018c9be0        1        1      1 0x00000000
0x00000000018cd220        1        1      1 0x00000000
0x00000000018d01d8        2        1      1 0x00000000           ContentFilter_Perf_Library_Lock_PID_5a4
0x00000000018d2648        1        1      1 0x00000000
0x00000000018d51c0        1        1      1 0x00000000
0x00000000018d8180        2        1      1 0x00000000           SYS!IPC!79025
0x00000000018d8278        2        1      1 0x00000000           ThinPrint-L
0x00000000018e1a28        2        1      1 0x00000000           PerfNet_Perf_Library_Lock_PID_5a4
0x00000000018e6350        1        1      1 0x00000000
0x00000000019095f0        1        1      1 0x00000000
0x00000000019519d0        1        1      1 0x00000000
0x0000000001955548        3        2      1 0x00000000           SRDataStore
0x0000000001971220        1        1      1 0x00000000
0x00000000019743b8        1        1      1 0x00000000
0x00000000019747e0        1        1      1 0x00000000
0x0000000001975a70        1        1      1 0x00000000
0x0000000001975f40        2        1      1 0x00000000           ZonesLockedCacheCounterMutex
0x0000000001975f90        2        1      1 0x00000000           ZonesCacheCounterMutex
0x0000000001975fe0        2        1      1 0x00000000           ZonesCounterMutex
0x00000000019768d8        1        1      1 0x00000000
0x0000000001976d00        1        1      1 0x00000000
0x0000000001977a70        1        1      1 0x00000000
0x0000000001978c28        1        1      1 0x00000000
0x000000000197b220        1        1      1 0x00000000
0x000000000197b648        1        1      1 0x00000000
0x000000000197ba70        1        1      1 0x00000000
0x000000000197e1c0        1        1      1 0x00000000
0x000000000197ef38        3        2      1 0x00000000           SYS!ICP!393-1M
0x000000000197efe0        2        1     -1 0x813bea80 1956:1980 SYS!IPC!79027
0x000000000197f990        1        1      1 0x00000000
0x0000000001980d00        1        1      1 0x00000000
0x00000000019813e8        2        1      1 0x00000000           c:!documents and settings!administrator!local settings!history!history.ie5!
0x0000000001982120        1        1      1 0x00000000
0x00000000019831c0        1        1      1 0x00000000
0x000000000198fc88        1        1      1 0x00000000
0x0000000001992960        1        1      1 0x00000000
0x0000000001992a80        1        1      1 0x00000000
0x00000000019960b8        2        1      1 0x00000000           4FCC0DEFE22C4f138FB9D5AF25FD9398
0x0000000001996108        2        1      1 0x00000000           0CADFD67AF62496dB34264F000F5624A
0x0000000001996628        1        1      1 0x00000000
0x00000000019966f8        2        1      1 0x00000000           238FAD3109D3473aB4764B20B3731840
0x00000000019a5658        1        1      1 0x00000000
0x00000000019a56c8        1        1      1 0x00000000
0x00000000019a5de8        1        1      1 0x00000000
0x00000000019a84d0        1        1      1 0x00000000
0x00000000019db620        2        1      1 0x00000000           PerfOS_Perf_Library_Lock_PID_5a4
0x00000000019eb3d0        1        1      1 0x00000000
0x00000000019eced8        1        1      1 0x00000000
0x0000000001a0b2d0        1        1      1 0x00000000
0x0000000001a0c448        1        1      1 0x00000000
0x0000000001a0c6e8        1        1      1 0x00000000
0x0000000001a1aa70        1        1      1 0x00000000
0x0000000001a1ae98        1        1      1 0x00000000
0x0000000001a1ba80        2        1      1 0x00000000           PnP_Init_Mutex
0x0000000001a1bc08        2        1      1 0x00000000           c:!documents and settings!administrator!cookies!
0x0000000001a1c730        2        1      1 0x00000000           WininetProxyRegistryMutex
0x0000000001a1c770        1        1      1 0x00000000
0x0000000001a1fc90        2        1      1 0x00000000           VMwareGuestDnDDataMutex
0x0000000001a223b8        1        1      1 0x00000000
0x0000000001a240e0        2        1      1 0x00000000           ContentIndex_Perf_Library_Lock_PID_5a4
0x0000000001a281d0        2        1      1 0x00000000           RSVP_Perf_Library_Lock_PID_5a4
0x0000000001a28220        1        1      1 0x00000000
0x0000000001a29790        2        1      1 0x00000000           PerfProc_Perf_Library_Lock_PID_5a4
0x0000000001a2b180        1        1      1 0x00000000
0x0000000001a2c180        3        2      1 0x00000000           MidiMapper_modLongMessage_RefCnt
0x0000000001a2eac0        3        2      1 0x00000000           SYS!ICP!393-1MR
0x0000000001a30290        3        2      1 0x00000000           MidiMapper_Configure
0x0000000001a31020        1        1      1 0x00000000
0x0000000001a391e8        1        1      1 0x00000000
0x0000000001a39728        2        1      1 0x00000000           c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
0x0000000001a39838        2        1      1 0x00000000           c:!documents and settings!localservice!cookies!
0x0000000001a3ba50        2        1      1 0x00000000           TapiSrv_Perf_Library_Lock_PID_5a4
0x0000000001a3baa0        2        1      1 0x00000000           Spooler_Perf_Library_Lock_PID_5a4
0x0000000001a400c8        1        1      1 0x00000000
0x0000000001a40118        2        1      1 0x00000000           RemoteAccess_Perf_Library_Lock_PID_5a4
0x0000000001a9b528        1        1      1 0x00000000
0x0000000001a9b7f0        2        1      1 0x00000000           c:!documents and settings!localservice!local settings!history!history.ie5!
0x0000000001a9e0f0        2        1      1 0x00000000           userenv: Machine Registry policy mutex
0x0000000001a9e4e8        2        1      1 0x00000000           userenv: machine policy mutex
0x0000000001a9ec00        1        1      1 0x00000000
0x0000000001adf3a0        1        1      1 0x00000000
0x0000000001ae24b0        2        1      1 0x00000000           SingleSesMutex
0x0000000001ae2710        2        1      1 0x00000000           VMwareGuestCopyPasteMutex
0x0000000001ae9718        2        1      1 0x00000000           TpVcW32ListMutex
0x0000000001b09350        2        1      1 0x00000000           userenv: User Registry policy mutex
0x0000000001b2ad58        6        5      1 0x00000000           ShimCacheMutex
0x0000000001b2e200        2        1      1 0x00000000           userenv: user policy mutex
0x0000000001b401b0        2        1      1 0x00000000           WmiApRpl_Perf_Library_Lock_PID_5a4   

The output shows that at least two threads of PID 1956 (explorer.exe) hold suspicious-looking SYS!ICP!/SYS!IPC! mutexes: CID 1956:2000 holds SYS!ICP!94062 and CID 1956:1980 holds SYS!IPC!79027 (the rows with a non-zero Thread value and a CID of 1956). Other mutexes not tied to PID 1956 (SYS!IPC!79025, SYS!ICP!393-1M and SYS!ICP!393-1MR) stand out as well, because they appear to come from the same source, namely some suspicious process or thread related to PID 1956. The names suggest that these mutexes are used for IPC-based synchronization and communication. It can therefore be inferred that they are being used together by some process or thread related to PID 1956 to carry out covert communication.

In addition to understanding the permission and privilege context of a process, it is important to understand which handles it has opened to other system resources. A handle is the mechanism the operating system uses to allow one resource to access another and to ensure that different resources do not make conflicting changes at the same time. Specifically, a handle controls access to the kernel objects that represent other resources on the system, such as files, registry keys and processes. To list the handles opened by a process, use the handles plugin. Unlike mutantscan, this plugin reports virtual addresses.


Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x81489a40   1956       0xa8   0x1f0003 Event            DUMMY!DUMMY
0x81489a40   1956       0xbc   0x1f0003 Event            DUMMY!DUMMY
0x8177efe0   1956       0xa0   0x1f0001 Mutant           SYS!IPC!79027
0xe1a84680   1956       0xa4    0xf0007 Section          SYS!ICP!3949-1
0x8177ef38   1956       0xac   0x1f0001 Mutant           SYS!ICP!393-1M
0x8182eac0   1956       0xb0   0x1f0001 Mutant           SYS!ICP!393-1MR
0xe1cc0e78   1956       0xb4    0xf0007 Section          SYS!ICP!393-1
0x815d6f60   1956       0xc0   0x1f0001 Mutant           SYS!ICP!94062
0x8182eac0   1956      0x114   0x1f0001 Mutant           SYS!ICP!393-1MR
0x8177ef38   1956      0x124   0x1f0001 Mutant           SYS!ICP!393-1M
0xe1cc0e78   1956      0x13c    0xf0007 Section          SYS!ICP!393-1
0x816d8180   1956      0x164   0x1f0001 Mutant           SYS!IPC!79025

 

Going through the hundreds of entries generated by the handles plugin was a time-consuming process. The handles listed above were flagged because they do not appear to be legitimate for explorer.exe. While many processes and threads communicate with other processes and threads, explorer.exe is not a program that typically does so in this fashion. Moreover, events such as DUMMY!DUMMY are highly suspicious, as is the number of mutexes in use by explorer.exe. Furthermore, it was suspicious that, out of all the processes on the system, only explorer.exe was found using IPC thread-based communications. Finally, the Mutant entries in this output (SYS!IPC!79027, SYS!ICP!393-1M, SYS!ICP!393-1MR, SYS!ICP!94062 and SYS!IPC!79025) match names in the mutantscan output above.
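The cross-check described in the mutantscan discussion and again here, where mutex names from the handles listing were matched against the mutantscan listing, can be automated. As an added example (not part of the original post and not Volatility's own code), the following Python parses both outputs in the layouts shown above and joins them on the mutant name, since mutantscan reports physical offsets and handles reports virtual ones and the two cannot be compared directly. The sample rows are copied from the two listings above, trimmed to a few lines; the helper names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of "mutantscan" output (physical offsets), reduced to a
# few rows copied from the listing above.
SAMPLE_MUTANTSCAN = r"""
Offset(P)              #Ptr     #Hnd Signal Thread           CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x000000000156b260        1        1      1 0x00000000
0x00000000015ad538        2        1      1 0x00000000           WininetStartupMutex
0x00000000015b70f0        2        1      0 0x815cb988 1920:1928 wscntfy_mtx
0x00000000017d6f60        2        1      0 0x813b7230 1956:2000 SYS!ICP!94062
0x00000000017f88e0        2        1      1 0x00000000           746bbf3569adEncrypt
0x00000000018d8180        2        1      1 0x00000000           SYS!IPC!79025
0x000000000197ef38        3        2      1 0x00000000           SYS!ICP!393-1M
0x000000000197efe0        2        1     -1 0x813bea80 1956:1980 SYS!IPC!79027
0x0000000001a2eac0        3        2      1 0x00000000           SYS!ICP!393-1MR
0x0000000001b2ad58        6        5      1 0x00000000           ShimCacheMutex
"""

# Constructed sample in the layout of "handles" output (virtual offsets), from the
# explorer.exe rows shown above.
SAMPLE_HANDLES = r"""
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x81489a40   1956       0xa8   0x1f0003 Event            DUMMY!DUMMY
0x8177efe0   1956       0xa0   0x1f0001 Mutant           SYS!IPC!79027
0xe1a84680   1956       0xa4    0xf0007 Section          SYS!ICP!3949-1
0x8177ef38   1956       0xac   0x1f0001 Mutant           SYS!ICP!393-1M
0x8182eac0   1956       0xb0   0x1f0001 Mutant           SYS!ICP!393-1MR
0x815d6f60   1956       0xc0   0x1f0001 Mutant           SYS!ICP!94062
0x8182eac0   1956      0x114   0x1f0001 Mutant           SYS!ICP!393-1MR
0x816d8180   1956      0x164   0x1f0001 Mutant           SYS!IPC!79025
0xe1d195a0   1956      0x184    0xf003f Key              MACHINE\SOFTWARE\CLASSES
"""

# mutantscan row: offset, #Ptr, #Hnd, Signal, Thread, optional CID (pid:tid), optional Name.
MUTANT_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+(?P<signal>-?\d+)\s+"
    r"(?P<thread>0x[0-9a-f]+)\s*(?P<cid>\d+:\d+)?\s*(?P<name>.*)$"
)
# handles row: offset, Pid, Handle, Access, Type, Details.
HANDLE_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-f]+)\s+"
    r"(?P<access>0x[0-9a-f]+)\s+(?P<type>\S+)\s*(?P<details>.*)$"
)


def parse_mutantscan(text: str) -> List[dict]:
    """One dict per mutant. Unnamed mutants get name=None; cid is the 'pid:tid' of the
    owning thread when the Thread/CID columns are populated, otherwise None."""
    rows = []
    for line in text.splitlines():
        m = MUTANT_ROW.match(line.rstrip())
        if m:
            rows.append({"offset": m["offset"], "signal": int(m["signal"]),
                         "cid": m["cid"], "name": m["name"].strip() or None})
    return rows


def parse_handles(text: str) -> List[dict]:
    """One dict per handle row; header, rule and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HANDLE_ROW.match(line.rstrip())
        if m:
            rows.append({"pid": int(m["pid"]), "handle": m["handle"],
                         "type": m["type"], "details": m["details"].strip()})
    return rows


def correlate_mutants(mutants: List[dict], handles: List[dict], pid: int) -> Dict[str, dict]:
    """For every Mutant handle held by `pid`, look the name up in the mutantscan view and
    record the owning CID and signal state. The join key is the name, not the offset."""
    by_name = {r["name"]: r for r in mutants if r["name"]}
    out: Dict[str, dict] = {}
    for h in handles:
        if h["pid"] != pid or h["type"] != "Mutant":
            continue
        entry = out.setdefault(h["details"], {"handles": [], "in_mutantscan": False,
                                              "owner_cid": None, "signal": None})
        entry["handles"].append(h["handle"])
        scan = by_name.get(h["details"])
        if scan:
            entry.update(in_mutantscan=True, owner_cid=scan["cid"], signal=scan["signal"])
    return out


def mutants_held_by_pid(mutants: List[dict], pid: int) -> List[str]:
    """Named mutants currently held by a thread of `pid` (from the CID column)."""
    return [r["name"] for r in mutants
            if r["name"] and r["cid"] and r["cid"].split(":")[0] == str(pid)]


def mutants_with_prefix(mutants: List[dict], prefix: str) -> List[str]:
    """Named mutants sharing one naming scheme, e.g. the SYS! family seen above."""
    return sorted(r["name"] for r in mutants if r["name"] and r["name"].startswith(prefix))


if __name__ == "__main__":
    scan, hnd = parse_mutantscan(SAMPLE_MUTANTSCAN), parse_handles(SAMPLE_HANDLES)
    for name, info in correlate_mutants(scan, hnd, 1956).items():
        print(name, info)
    print("held by 1956:", mutants_held_by_pid(scan, 1956))
    print("SYS! family:", mutants_with_prefix(scan, "SYS!"))
```

Two of the five SYS! mutants show an owning CID in PID 1956, while the other three are signalled and unowned at the time of the capture, which is the observation the mutantscan discussion above draws; the prefix helper makes that family visible even where no CID is recorded.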


A process may have many handles opened, so the -t option can be used to restrict the output to a specified type of handle.  Examples include key, file and thread.  To list only the handles to registry keys, use the command: 


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem handles -p 1956 -t key
Volatility Foundation Volatility Framework 2.6
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0xe17f0718   1956       0x1c  0x20f003f Key              MACHINE
0xe1ccbbc0   1956       0x64  0x20f003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500
0xe1c82e20   1956       0x6c    0x2001f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
0xe1ca3a10   1956       0x7c  0x20f003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1cd1ad0   1956       0x8c    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0xe1ccbb58   1956       0x98    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
0xe1d188e8   1956      0x148    0xf003f Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
0xe1d18950   1956      0x150    0xf003f Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5
0xe1d18a70   1956      0x170    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
0xe1d19710   1956      0x178    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
0xe1d47280   1956      0x180    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
0xe1d195a0   1956      0x184    0xf003f Key              MACHINE\SOFTWARE\CLASSES
0xe1d19050   1956      0x190    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d19538   1956      0x198    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d47848   1956      0x1a0       0x10 Key              USER
0xe1d2c7b8   1956      0x1a8    0xf003f Key              MACHINE\SOFTWARE\CLASSES
0xe1d477e0   1956      0x1b0       0x10 Key              USER
0xe1d2c718   1956      0x1b8    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d47740   1956      0x1c0    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d476a8   1956      0x1c8    0xf003f Key              MACHINE\SOFTWARE\CLASSES\CLSID
0xe1d47610   1956      0x1d0    0xf003f Key              MACHINE\SOFTWARE\CLASSES
0xe1d47578   1956      0x1d8    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d474e0   1956      0x1e0       0x10 Key              USER
0xe1d47448   1956      0x1e8    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d473b0   1956      0x1f0    0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\COM3
0xe1d47318   1956      0x1f8    0xf003f Key              MACHINE\SOFTWARE\CLASSES\CLSID
0xe1d36828   1956      0x208    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d367c0   1956      0x218    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d47100   1956      0x224    0x2001f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\PLUS!\THEMES\APPLY
0xe1d4bfb8   1956      0x230    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d4a970   1956      0x23c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d61968   1956      0x25c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d52d58   1956      0x278       0x1b Key              MACHINE\SOFTWARE\CLASSES\HTTP\SHELL
0xe1d52cf0   1956      0x290    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1af9de0   1956      0x294    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d60c50   1956      0x29c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d61df8   1956      0x2bc    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b62b58   1956      0x2c4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d60d68   1956      0x2e4  0x20f003f Key              USER
0xe1c85718   1956      0x2ec    0x2001b Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3GLOBAL
0xe1d61900   1956      0x2f0    0x2001d Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3SITES
0xe1d68938   1956      0x2f4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d688d0   1956      0x310    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS
0xe1d70c58   1956      0x318    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELL
0xe1d70d08   1956      0x320    0xf003f Key              MACHINE\SOFTWARE\CLASSES\CLSID
0xe1d718e0   1956      0x324    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
0xe1d70518   1956      0x328    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d704b0   1956      0x32c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b442e8   1956      0x330    0xf003f Key              MACHINE\SOFTWARE\CLASSES\APPLICATIONS\ACRORD32.EXE
0xe1d72f20   1956      0x334    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM
0xe1d72e28   1956      0x338    0xf003f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
0xe1d73590   1956      0x344    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d73528   1956      0x34c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1af9fb8   1956      0x374    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1a664e0   1956      0x378    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1a73428   1956      0x37c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe18b0fb8   1956      0x390    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe18b9790   1956      0x3a4    0x10003 Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{75048700-EF1F-11D0-9888-006097DEACF9}\COUNT
0xe1a5f3f8   1956      0x3a8    0x10003 Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{5E6AB780-7743-11CF-A12B-00AA004AE837}\COUNT
0xe1ad5918   1956      0x3b0    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\TRACING\NETSHELL
0xe1a47da0   1956      0x3c4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe189d788   1956      0x3e8    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE
0xe1b441b0   1956      0x3ec    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
0xe1d68218   1956      0x3f0    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES
0xe1d7d558   1956      0x3f4    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
0xe1ac2a98   1956      0x410    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f1508   1956      0x418    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17a65c8   1956      0x448    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1619308   1956      0x44c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1815520   1956      0x450    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f6ab0   1956      0x464    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c83908   1956      0x478    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f6b18   1956      0x488    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c77238   1956      0x4a4    0x2001f Key              USER\S-1-5-21-839522115-73586283-2147125571-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RUNMRU
0xe1c474d0   1956      0x4ac    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d8fcc8   1956      0x4c0    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17f8c78   1956      0x4c4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe17a7300   1956      0x4e0       0x11 Key              MACHINE\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO\VOLUMECONTROL
0xe1c47400   1956      0x4e4    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c82f88   1956      0x4ec    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1ce3350   1956      0x4f4    0x20019 Key              MACHINE\SYSTEM\SETUP
0xe1ce32b8   1956      0x4f8    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1d94020   1956      0x504    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b6a690   1956      0x510    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c47468   1956      0x514    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c9a370   1956      0x518    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1b00020   1956      0x51c    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1cb19e8   1956      0x520    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES
0xe1c9beb0   1956      0x548    0x20019 Key              USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES

File objects can obviously represent files stored on disk, but they can also represent network connections. The type of device involved should be apparent from the path of the object. Some items that may be less obvious include:

  • \Device\Ip, \Device\Tcp and \Device\Afd\Endpoint -> all refer to handles for network connections.
  • \Device\LanmanRedirector and \Device\Mup -> both refer to handles to SMB network shares.

Therefore, searching for these device handles may help you locate indications of network activity by the process being examined. Alternatively, the following command can be used to identify drive letter assignments, such as C: or D:, assigned to hard drives or mapped network drives, along with the time when the mapping was created:

volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem symlinkscan


If you know that an adversary is storing data in a certain file, you can search through all the process file handles to determine which process was using that file. For example, if the file name was hiddenfile.txt, you can use the following command to identify processes that may be using that file:

volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem handles -t file | grep hiddenfile.txt
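The two checks just described (spotting network-related device handles and finding which process holds a given file open) can be scripted over the text output of the handles plugin. The following is an added example, not code from the original post or from Volatility; the SAMPLE rows are constructed in the plugin's layout and are not taken from the dump.

```python
"""Classify Volatility 2 'handles -t file' output by device path.

Added example, not code from the original post. It parses the text layout
of the handles plugin (Offset(V), Pid, Handle, Access, Type, Details), tags
each file object as a network socket, an SMB share or an ordinary file, and
answers the two questions raised above: which processes show network
activity, and which process holds a given file open.
"""
import re
from collections import defaultdict

# One data row of the handles plugin; Details may be empty or contain spaces.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-fA-F]+)\s+"
    r"(?P<access>0x[0-9a-fA-F]+)\s+(?P<type>\S+)\s*(?P<details>.*)$"
)

# Device prefixes named in the post. A prefix only matches as a whole path
# component, so \Device\Ip does not swallow e.g. \Device\IPSEC.
NETWORK_DEVICES = (r"\Device\Ip", r"\Device\Tcp", r"\Device\Afd\Endpoint")
SMB_DEVICES = (r"\Device\LanmanRedirector", r"\Device\Mup")


def _under(path, prefix):
    """True if path equals prefix or lies below it (case-insensitive)."""
    p, q = path.lower(), prefix.lower()
    return p == q or p.startswith(q + "\\")


def classify(details):
    """Return 'network', 'smb' or 'other' for one file-object path."""
    if any(_under(details, d) for d in NETWORK_DEVICES):
        return "network"
    if any(_under(details, d) for d in SMB_DEVICES):
        return "smb"
    return "other"


def parse_file_handles(text):
    """Parse handles output, keeping only rows whose Type column is File."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("type") != "File":
            continue  # banner, header, separator, or a non-file handle
        details = m.group("details").strip()
        rows.append({
            "pid": int(m.group("pid")),
            "handle": int(m.group("handle"), 16),
            "path": details,
            "kind": classify(details),
        })
    return rows


def summarize(rows):
    """Per-PID counts of network, smb and other file handles."""
    counts = defaultdict(lambda: {"network": 0, "smb": 0, "other": 0})
    for r in rows:
        counts[r["pid"]][r["kind"]] += 1
    return dict(counts)


def processes_using(rows, filename):
    """PIDs holding a handle whose path ends with filename (the grep from the post)."""
    suffix = "\\" + filename.lower()
    return {r["pid"] for r in rows if r["path"].lower().endswith(suffix)}


# Constructed sample in the plugin's layout (not taken from the dump). The Key
# row shows that non-file handles are skipped; \Device\IPSEC shows the prefix
# rule does not misfile it as an IP socket.
SAMPLE = r"""Volatility Foundation Volatility Framework 2.6
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x81a0c0f0   1956       0x40   0x100020 File             \Device\HarddiskVolume1\WINDOWS\system32
0x81a0d028   1956      0x2d0   0x12019f File             \Device\Afd\Endpoint
0x81a0e1a8   1956      0x2d4   0x12019f File             \Device\Tcp
0x819f2d70   1956      0x3c8   0x100001 File             \Device\HarddiskVolume1\Documents and Settings\Administrator\hiddenfile.txt
0x81a0f648    608      0x1a0   0x12019f File             \Device\Mup\fileserver\share\tools
0x81a10a20    608      0x1a4   0x12019f File             \Device\IPSEC
0xe17f0718   1956       0x1c  0x20f003f Key              MACHINE
"""

if __name__ == "__main__":
    rows = parse_file_handles(SAMPLE)
    for pid, c in sorted(summarize(rows).items()):
        print(pid, c)
    print("hiddenfile.txt held by:", sorted(processes_using(rows, "hiddenfile.txt")))
```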


In addition to handles, it may be useful to examine the environment variables set by a process. The command is given below:

volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem envars

This will list all environment variables for all processes that were running at the time of the dump. The plugin can be restricted to a single process with the -p [PID] switch, as seen previously with handles and other plugins. Finally, the --silent option can be employed to have Volatility compare the results of the envars plugin against a list of known, normal values and display only the items that do not match the values programmed into the module.

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem -p 1956 envars --silent
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem -p 1956 envars
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
    1956 explorer.exe         0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
    1956 explorer.exe         0x00010000 APPDATA                        C:\Documents and Settings\Administrator\Application Data
    1956 explorer.exe         0x00010000 CLIENTNAME                     Console
    1956 explorer.exe         0x00010000 CommonProgramFiles             C:\Program Files\Common Files
    1956 explorer.exe         0x00010000 COMPUTERNAME                   GENERALLEE
    1956 explorer.exe         0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
    1956 explorer.exe         0x00010000 FP_NO_HOST_CHECK               NO
    1956 explorer.exe         0x00010000 HOMEDRIVE                      C:
    1956 explorer.exe         0x00010000 HOMEPATH                       \Documents and Settings\Administrator
    1956 explorer.exe         0x00010000 J2D_D3D                        false
    1956 explorer.exe         0x00010000 LOGONSERVER                    \\GENERALLEE
    1956 explorer.exe         0x00010000 NUMBER_OF_PROCESSORS           1
    1956 explorer.exe         0x00010000 OS                             Windows_NT
    1956 explorer.exe         0x00010000 Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    1956 explorer.exe         0x00010000 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    1956 explorer.exe         0x00010000 PROCESSOR_ARCHITECTURE         x86
    1956 explorer.exe         0x00010000 PROCESSOR_IDENTIFIER           x86 Family 6 Model 42 Stepping 7, GenuineIntel
    1956 explorer.exe         0x00010000 PROCESSOR_LEVEL                6
    1956 explorer.exe         0x00010000 PROCESSOR_REVISION             2a07
    1956 explorer.exe         0x00010000 ProgramFiles                   C:\Program Files
    1956 explorer.exe         0x00010000 SESSIONNAME                    Console
    1956 explorer.exe         0x00010000 SystemDrive                    C:
    1956 explorer.exe         0x00010000 SystemRoot                     C:\WINDOWS
    1956 explorer.exe         0x00010000 TEMP                           C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    1956 explorer.exe         0x00010000 TMP                            C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    1956 explorer.exe         0x00010000 USERDOMAIN                     GENERALLEE
    1956 explorer.exe         0x00010000 USERNAME                       Administrator
    1956 explorer.exe         0x00010000 USERPROFILE                    C:\Documents and Settings\Administrator
    1956 explorer.exe         0x00010000 windir                         C:\WINDOWS

Armed with the information provided by the handles plugin, it is worthwhile investigating what Volatility's thread-based plugins can reveal.

The threads plugin parses the _ETHREAD and _KTHREAD data structures. It uses virtual memory addressing.



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem threads | grep 1956
Volatility Foundation Volatility Framework 2.6
ETHREAD: 0x815cbda8 Pid: 1956 Tid: 1960
ETHREAD: 0x8178b658 Pid: 1956 Tid: 2032
ETHREAD: 0x815cdda8 Pid: 1956 Tid: 2012
ETHREAD: 0x01a2f8e8 Pid: 1956 Tid: 124
ETHREAD: 0x816dda80 Pid: 1956 Tid: 2016
ETHREAD: 0x813bea80 Pid: 1956 Tid: 1980
ETHREAD: 0x816cf658 Pid: 1956 Tid: 2008
ETHREAD: 0x81883da8 Pid: 1956 Tid: 320
ETHREAD: 0x813b7230 Pid: 1956 Tid: 2000
ETHREAD: 0x01984238 Pid: 1956 Tid: 132
ETHREAD: 0x818e72a0 Pid: 1956 Tid: 292
ETHREAD: 0x815c24c0 Pid: 1956 Tid: 1992
ETHREAD: 0x813bc560 Pid: 1956 Tid: 396
ETHREAD: 0x8148cc28 Pid: 1956 Tid: 164
ETHREAD: 0x816cf230 Pid: 1956 Tid: 2004
ETHREAD: 0x813c4da8 Pid: 1956 Tid: 2020
ETHREAD: 0x816dd230 Pid: 1956 Tid: 2028
ETHREAD: 0x816d1a80 Pid: 1956 Tid: 1996
ETHREAD: 0x816d43d0 Pid: 1956 Tid: 160
ETHREAD: 0x813c4988 Pid: 1956 Tid: 2024
ETHREAD: 0x81906368 Pid: 1956 Tid: 2040   

The thrdscan plugin parses the _ETHREAD data structure. It differs in output from the threads plugin as it uses physical memory addressing.


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem thrdscan | grep 1956
Volatility Foundation Volatility Framework 2.6
0x00000000015b7230   1956   2000    0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000015bc560   1956    396    0x7c810856 2011-10-10 17:04:46 UTC+0000
0x00000000015bea80   1956   1980    0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000015c4988   1956   2024    0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000015c4da8   1956   2020    0x7c810856 2011-10-10 17:04:40 UTC+0000
0x000000000168cc28   1956    164    0x7c810856 2011-10-10 17:04:41 UTC+0000
0x00000000017c24c0   1956   1992    0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000017cbda8   1956   1960    0x7c810867 2011-10-10 17:04:39 UTC+0000
0x00000000017cdda8   1956   2012    0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000018cf230   1956   2004    0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000018cf658   1956   2008    0x7c810856 2011-10-10 17:04:39 UTC+0000   2011-10-10 17:04:39 UTC+0000
0x00000000018d1a80   1956   1996    0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000018d43d0   1956    160    0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000018dd230   1956   2028    0x7c810856 2011-10-10 17:04:40 UTC+0000
0x00000000018dda80   1956   2016    0x7c810856 2011-10-10 17:04:40 UTC+0000
0x0000000001984238   1956    132    0x7c810856 2011-10-10 17:04:40 UTC+0000   2011-10-10 17:06:48 UTC+0000
0x000000000198b658   1956   2032    0x7c810856 2011-10-10 17:04:40 UTC+0000
0x0000000001a2f8e8   1956    124    0x7c810856 2011-10-10 17:04:40 UTC+0000   2011-10-10 17:06:47 UTC+0000
0x0000000001a83da8   1956    320    0x7c810856 2011-10-10 17:04:45 UTC+0000
0x0000000001ae72a0   1956    292    0x7c810856 2011-10-10 17:04:44 UTC+0000
0x0000000001b06368   1956   2040    0x7c810856 2011-10-10 17:04:40 UTC+0000   


From the output of the threads and thrdscan plugins, TIDs 1980 and 2000, highlighted in red, can be correlated with the output of the mutantscan plugin (1956:1980 and 1956:2000). Whether the remaining threads have contributed to the infection is not currently known, but there is reason to suspect that some of the additional non-exited threads may have contributed to the infection.
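The correlation described above can be automated over the plugin output: parse the threads (virtual) and thrdscan (physical) listings, separate live from exited threads using the thrdscan exit-time column, and cross-reference the PID:TID mutex names seen with mutantscan. This is an added example, not code from the original post or from Volatility; the sample rows are a subset of the output shown above, plus one constructed thrdscan-only row (TID 2044) and one constructed PID 608 thread, to show how an unlinked thread and a foreign PID are handled.

```python
"""Correlate Volatility 2 threads, thrdscan and mutantscan output for one PID.

Added example, not code from the original post. Both thread plugins are
parsed as they appear after '| grep <pid>': threads prints
'ETHREAD: <vaddr> Pid: <pid> Tid: <tid>' and thrdscan prints
'<paddr> <pid> <tid> <start address> <create time> [<exit time>]'.
"""
import re

THREADS_RE = re.compile(r"^ETHREAD:\s+(0x[0-9a-fA-F]+)\s+Pid:\s+(\d+)\s+Tid:\s+(\d+)")
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
THRDSCAN_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(" + TS + r")"
    r"(?:\s+(" + TS + r"))?\s*$"
)


def parse_threads(text, pid):
    """tid -> virtual _ETHREAD address for the threads linked to one process."""
    out = {}
    for line in text.splitlines():
        m = THREADS_RE.match(line.strip())
        if m and int(m.group(2)) == pid:
            out[int(m.group(3))] = int(m.group(1), 16)
    return out


def parse_thrdscan(text, pid):
    """tid -> record with physical offset, start address, create and exit time."""
    out = {}
    for line in text.splitlines():
        m = THRDSCAN_RE.match(line.strip())
        if m and int(m.group(2)) == pid:
            out[int(m.group(3))] = {
                "paddr": int(m.group(1), 16),
                "start": int(m.group(4), 16),
                "created": m.group(5),
                "exited": m.group(6),  # None while the thread is still alive
            }
    return out


def mutex_tids(mutex_names, pid):
    """TIDs referenced by mutex names of the form '<pid>:<tid>'."""
    tids = set()
    for name in mutex_names:
        m = re.fullmatch(r"(\d+):(\d+)", name.strip())
        if m and int(m.group(1)) == pid:
            tids.add(int(m.group(2)))
    return tids


def correlate(threads_text, thrdscan_text, mutex_names, pid):
    """Cross-check the linked-list, pool-scan and mutex views of one process's threads."""
    linked = parse_threads(threads_text, pid)
    scanned = parse_thrdscan(thrdscan_text, pid)
    live = {t for t, r in scanned.items() if r["exited"] is None}
    exited = set(scanned) - live
    by_mutex = mutex_tids(mutex_names, pid)
    return {
        "live": live,
        "exited": exited,
        # found by the physical scan but not in the linked list: worth a closer look
        "scan_only": set(scanned) - set(linked),
        "threads_only": set(linked) - set(scanned),
        "mutex_live": by_mutex & live,
        "mutex_exited": by_mutex & exited,
        "mutex_unknown": by_mutex - set(scanned),
    }


# Subset of the threads output shown above for PID 1956; the PID 608 row is
# constructed to show that other processes are filtered out.
THREADS_OUT = """ETHREAD: 0x815cbda8 Pid: 1956 Tid: 1960
ETHREAD: 0x01a2f8e8 Pid: 1956 Tid: 124
ETHREAD: 0x813bea80 Pid: 1956 Tid: 1980
ETHREAD: 0x813b7230 Pid: 1956 Tid: 2000
ETHREAD: 0x01984238 Pid: 1956 Tid: 132
ETHREAD: 0x813bc560 Pid: 1956 Tid: 396
ETHREAD: 0x81ffffff Pid: 608 Tid: 700
"""
# Same TIDs from the thrdscan output above, plus one constructed row (TID 2044)
# that is absent from the threads output.
THRDSCAN_OUT = """0x00000000015b7230   1956   2000    0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000015bc560   1956    396    0x7c810856 2011-10-10 17:04:46 UTC+0000
0x00000000015bea80   1956   1980    0x7c810856 2011-10-10 17:04:39 UTC+0000
0x00000000017cbda8   1956   1960    0x7c810867 2011-10-10 17:04:39 UTC+0000
0x0000000001984238   1956    132    0x7c810856 2011-10-10 17:04:40 UTC+0000   2011-10-10 17:06:48 UTC+0000
0x0000000001a2f8e8   1956    124    0x7c810856 2011-10-10 17:04:40 UTC+0000   2011-10-10 17:06:47 UTC+0000
0x0000000001b99999   1956   2044    0x7c810856 2011-10-10 17:05:00 UTC+0000
"""
# The PID:TID mutex names the post matched with mutantscan, plus one ordinary name.
MUTEXES = ["1956:1980", "1956:2000", "ShimCacheMutex"]

if __name__ == "__main__":
    for key, tids in correlate(THREADS_OUT, THRDSCAN_OUT, MUTEXES, 1956).items():
        print(f"{key:14s} {sorted(tids)}")
```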

 

The investigator may want to find additional information about commands entered into a command shell. Two plugins can be useful for this.

The cmdscan plugin is used to query the process memory of csrss.exe or conhost.exe for possible commands that may have been entered into the system shell (cmd.exe, i.e. PID 544) or through a backdoor or RDP session by an attacker. Specifically, it looks for COMMAND_HISTORY structures left behind in memory. Scanning csrss.exe applies to Windows XP, 2003, Vista and Server 2008, while conhost.exe is used on later versions.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 608
CommandHistory: 0x11132d8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x4c4
Cmd #0 @ 0x4e1eb8: sc query malwar
Cmd #1 @ 0x11135e8: sc query malware   

The consoles plugin is similar to the cmdscan plugin, except that it searches for CONSOLE_INFORMATION structures instead. More specifically, it provides the history of commands fed to the system shell (cmd.exe, i.e. PID 544) or through a backdoor, and because this structure keeps both the input and the output buffers, the plugin also recovers the screen output of the commands it finds.

 


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e2370 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\WINDOWS\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 544 Handle: 0x4c4
----
CommandHistory: 0x1113498 Application: sc.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x11132d8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x4c4
Cmd #0 at 0x4e1eb8: sc query malwar
Cmd #1 at 0x11135e8: sc query malware
----
Screen 0x4e2a70 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>sc query malwar
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Administrator>sc query malware

SERVICE_NAME: malware
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Documents and Settings\Administrator>   

 

Based on the output of the cmdscan and consoles plugins, some individual, either locally or remotely, queried the system for a service named malware. This service was found to be running and to be a kernel driver. This information is a very important indicator of compromise, as it provides several clues. The first is that there appears to be a malicious driver on the system providing some unknown service, which is currently active. Moreover, any process initiated by this driver is not visible to Volatility's process list plugins (i.e. pslist, psscan, psxview). Thirdly, this service is known as malware. Taken together, these clues will help the investigator track down the malware.
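The consoles output above can be turned into structured records so that each command the intruder typed is paired with the screen output it produced, which is what allows the "sc query malware" result to be read off automatically. This is an added example, not code from the original post or from Volatility; CONSOLES_OUT is an abridged copy of the consoles output shown above.

```python
"""Turn Volatility 2 consoles output into per-command records.

Added example, not code from the original post. It collects each
CommandHistory's 'Cmd #N at <addr>: <command>' entries and splits the
screen Dump into (command, output) pairs by locating the shell prompts.
A single console block is assumed; a '****' separator ends the dump.
"""
import re

CMD_RE = re.compile(r"^Cmd #(\d+) (?:at|@) (0x[0-9a-fA-F]+): (.*)$")
HIST_RE = re.compile(r"^CommandHistory: (0x[0-9a-fA-F]+) Application: (\S+)")
ATTACH_RE = re.compile(r"^AttachedProcess: (\S+) Pid: (\d+) Handle: (0x[0-9a-fA-F]+)")
PROMPT_RE = re.compile(r"^([A-Za-z]:\\[^>]*)>(.*)$")  # C:\...\Administrator>sc query malware


def parse_consoles(text):
    """Return the command histories, the attached process and the raw screen lines."""
    histories, attached, screen = [], None, []
    current, in_dump = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if in_dump:
            if line.startswith("*****"):
                in_dump = False  # next console block (none in the sample)
            else:
                screen.append(line)
            continue
        if line == "Dump:":
            in_dump = True
            continue
        m = HIST_RE.match(line)
        if m:
            current = {"addr": int(m.group(1), 16), "app": m.group(2), "commands": []}
            histories.append(current)
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            current["commands"].append((int(m.group(1)), m.group(3).strip()))
            continue
        m = ATTACH_RE.match(line)
        if m:
            attached = {"process": m.group(1), "pid": int(m.group(2)),
                        "handle": int(m.group(3), 16)}
    return {"histories": histories, "attached": attached, "screen": screen}


def screen_records(screen_lines):
    """Split the screen buffer into (command, output) pairs at each prompt line."""
    records, cmd, out = [], None, []
    for line in screen_lines:
        m = PROMPT_RE.match(line)
        if m:
            if cmd is not None:
                records.append((cmd, "\n".join(out).strip()))
            cmd, out = m.group(2).strip(), []
        elif cmd is not None:  # banner lines before the first prompt are skipped
            out.append(line)
    if cmd is not None:
        records.append((cmd, "\n".join(out).strip()))
    return [r for r in records if r[0]]  # drop the idle prompt at the end


# Abridged from the consoles output shown above for 0zapftis.vmem.
CONSOLES_OUT = r"""ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e2370 CommandHistorySize: 50
Title: C:\WINDOWS\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 544 Handle: 0x4c4
----
CommandHistory: 0x1113498 Application: sc.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
----
CommandHistory: 0x11132d8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
Cmd #0 at 0x4e1eb8: sc query malwar
Cmd #1 at 0x11135e8: sc query malware
----
Screen 0x4e2a70 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>sc query malwar
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Documents and Settings\Administrator>sc query malware

SERVICE_NAME: malware
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)

C:\Documents and Settings\Administrator>
"""

if __name__ == "__main__":
    parsed = parse_consoles(CONSOLES_OUT)
    for cmd, out in screen_records(parsed["screen"]):
        print("CMD:", cmd)
        print(out, "\n")
```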


It is also helpful to scan for drivers in the memory dump for analysis. The driverscan plugin scans the memory dump for driver objects and uses physical memory addressing.


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem driverscan
Volatility Foundation Volatility Framework 2.6
Offset(P)              #Ptr     #Hnd Start            Size Service Key          Name         Driver Name
------------------ -------- -------- ---------- ---------- -------------------- ------------ -----------
0x00000000015a9880        3        0 0xf0ad6000     0xed80 sysaudio             sysaudio     \Driver\sysaudio
0x00000000015ad3b8        3        0 0xf9ec6000     0x1a80 ParVdm               ParVdm       \Driver\ParVdm
0x00000000015aff38        3        0 0xf9ec8000     0x1e00 VMMEMCTL             VMMEMCTL     \Driver\VMMEMCTL
0x000000000167f978        7        0 0xf11c0000    0x57a80 Tcpip                Tcpip        \Driver\Tcpip
0x000000000168da70        3        0 0xf9afc000     0x8900 Gpc                  Gpc          \Driver\Gpc
0x00000000016bf450       17        0 0xf96e5000    0x2ca80 NDIS                 NDIS         \Driver\NDIS
0x00000000016bf548        4        0 0xf9712000    0x8c480 Ntfs                 Ntfs         \FileSystem\Ntfs
0x00000000016bf758        3        0 0xf979f000    0x16780 KSecDD               KSecDD       \Driver\KSecDD
0x00000000016bf968        6        0 0xf97b6000    0x11f00 sr                   sr           \FileSystem\sr
0x00000000016c0d20        6        0 0xf9817000    0x25700 dmio                 dmio         \Driver\dmio
0x00000000016c0f38        3        0 0xf9ea2000     0x1700 dmload               dmload       \Driver\dmload
0x00000000016c8030        6        0 0xf9c94000     0x4580 Ptilink              Ptilink      \Driver\Ptilink
0x00000000016c8148        5        0 0xf9b0c000     0x9f00 TermDD               TermDD       \Driver\TermDD
0x00000000016ca648        5        0 0xf94a7000    0x30100 rdpdr                rdpdr        \Driver\rdpdr
0x00000000016d4388       81        0 0xf985c000    0x10a80 PCI                  PCI          \Driver\PCI
0x00000000017b2240        3        0 0xf9b7c000     0x8700 Wanarp               Wanarp       \Driver\Wanarp
0x00000000017b2450        3        0 0xf1076000    0x20f00 IpNat                IpNat        \Driver\IpNat
0x00000000017b3550        3        0 0xf09cc000    0x29f00 kmixer               kmixer       \Driver\kmixer
0x00000000017daf38        6        0 0xf959d000     0x2580 hidusb               hidusb       \Driver\hidusb
0x00000000017e48b8        4        0 0xf1097000    0x6e380 MRxSmb               MRxSmb       \FileSystem\MRxSmb
0x00000000017f5590        4        0 0xf9646000    0x13900 Parport              Parport      \Driver\Parport
0x00000000017f5e40        6        0 0xf9c64000     0x5a00 Mouclass             Mouclass     \Driver\Mouclass
0x00000000017fa850        3        0 0xf9b1c000     0x9480 NDProxy              NDProxy      \Driver\NDProxy
0x00000000017fcb30        9        0 0xf97ff000    0x17480 atapi                atapi        \Driver\atapi
0x00000000017fce40        5        0 0xf99bc000     0xcc80 VolSnap              VolSnap      \Driver\VolSnap
0x00000000017fcf38        4        0 0xf9c24000     0x4900 PartMgr              PartMgr      \Driver\PartMgr
0x0000000001807bf8        3        0 0xf9ca4000     0x5000 Flpydisk             Flpydisk     \Driver\Flpydisk
0x0000000001811da0        3        0 0xf1218000    0x12400 IPSec                IPSec        \Driver\IPSec
0x0000000001816978        3        0 0xf114e000    0x21d00 AFD                  AFD          \Driver\AFD
0x000000000183d030        3        0 0xf9a7c000     0xbc80 vmci                 vmci         \Driver\vmci
0x000000000183d5d0        3        0 0xf9c7c000     0x7400 vmxnet               vmxnet       \Driver\vmxnet
0x000000000183d6c8        4        0 0xf9c74000     0x5000 usbuhci              usbuhci      \Driver\usbuhci
0x000000000183dd70        4        0 0xf9a8c000     0xdf80 vmx_svga             vmx_svga     \Driver\vmx_svga
0x000000000183fa48        4        0 0xf9a6c000     0xe080 redbook              redbook      \Driver\redbook
0x000000000183fc38        3        0 0xf9a5c000     0xc180 Cdrom                Cdrom        \Driver\Cdrom
0x000000000183fe50        3        0 0xf9a4c000     0xa380 Imapi                Imapi        \Driver\Imapi
0x0000000001840be8        4        0 0xf9c6c000     0x6b00 Fdc                  Fdc          \Driver\Fdc
0x000000000184b278        3        0 0xf9cc4000     0x7880 Npfs                 Npfs         \FileSystem\Npfs
0x000000000184b620        3        0 0xf9eae000     0x1080 mnmdd                mnmdd        \Driver\mnmdd
0x000000000184c388        3        0 0xf9cb4000     0x5200 VgaSave              VgaSave      \Driver\VgaSave
0x000000000184d750        3        0 0xf9eac000     0x1080 Beep                 Beep         \Driver\Beep
0x000000000184eca0        3        0 0xf9c9c000     0x4080 Raspti               Raspti       \Driver\Raspti
0x000000000186d888        4        0 0xf97c8000    0x1e780 FltMgr               FltMgr       \FileSystem\FltMgr
0x0000000001878878        7        0 0xf9eaa000     0x1f00 Fs_Rec               Fs_Rec       \FileSystem\Fs_Rec
0x00000000018c2f38        5        0 0xf0a41000    0x14400 wdmaud               wdmaud       \Driver\wdmaud
0x00000000018c6b10        3        0 0xf0cd9000    0x2c400 MRxDAV               MRxDAV       \FileSystem\MRxDAV
0x00000000018c8030        3        0 0xf0eb2000     0x3280 Ndisuio              Ndisuio      \Driver\Ndisuio
0x00000000018c8c88        3        0 0xf9b6c000     0x8880 Fips                 Fips         \Driver\Fips
0x00000000018e90d8        3        0 0xf9b9c000     0xf900 Cdfs                 Cdfs         \FileSystem\Cdfs
0x000000000191c2b8        5        0 0xf9db8000     0x2b00 vmscsi               vmscsi       \Driver\vmscsi
0x0000000001972f38        4        0 0xf9599000     0x2f80 mouhid               mouhid       \Driver\mouhid
0x0000000001974b10        3        0 0xf0c5e000    0x52180 Srv                  Srv          \FileSystem\Srv
0x00000000019a8030        3        0 0xf9cbc000     0x4a80 Msfs                 Msfs         \FileSystem\Msfs
0x00000000019aaca0        9        0 0xf9ea6000     0x1100 swenum               swenum       \Driver\swenum
0x00000000019ae8d0        5        0 0xf07f3000    0x40380 HTTP                 HTTP         \Driver\HTTP
0x00000000019db708        6        0 0xf9e4c000     0x2580 NdisTapi             NdisTapi     \Driver\NdisTapi
0x00000000019db9e8        3        0 0xf9acc000     0xc880 Rasl2tp              Rasl2tp      \Driver\Rasl2tp
0x00000000019e62c0        3        0 0xf9ea4000     0x1280 vmmouse              vmmouse      \Driver\vmmouse
0x00000000019e6b40        4        0 0xf9c5c000     0x6000 Kbdclass             Kbdclass     \Driver\Kbdclass
0x00000000019f5e18        4        0 0xf99cc000     0x8e00 Disk                 Disk         \Driver\Disk
0x0000000001a071e0        5        0 0xf9a2c000     0xce00 i8042prt             i8042prt     \Driver\i8042prt
0x0000000001a0f8b8        4        0 0xf9db0000     0x2480 Compbatt             Compbatt     \Driver\Compbatt
0x0000000001a19f38        5        0 0xf9cd4000     0x7b80 usbccgp              usbccgp      \Driver\usbccgp
0x0000000001a1b788       13        0 0x00000000        0x0 \Driver\Win32k       Win32k       \Driver\Win32k
0x0000000001a498b8        3        0 0xf9eb4000     0x1500 malware              malware      \Driver\malware
0x0000000001a7e2c0        3        0 0xf1106000    0x2b180 Rdbss                Rdbss        \FileSystem\Rdbss
0x0000000001a7eda0        3        0 0xf9685000     0x2f00 WS2IFSL              WS2IFSL      \Driver\WS2IFSL
0x0000000001a86030        4        0 0xf95b1000    0x16680 NdisWan              NdisWan      \Driver\NdisWan
0x0000000001a86910        5        0 0xf94d8000    0x10e00 PSched               PSched       \Driver\PSched
0x0000000001a8c638        5        0 0xf96ca000    0x1a580 Mup                  Mup          \FileSystem\Mup
0x0000000001a946f0        3        0 0xf9e48000     0x3700 CmBatt               CmBatt       \Driver\CmBatt
0x0000000001a94e60        4        0 0xf9c84000     0x6800 usbehci              usbehci      \Driver\usbehci
0x0000000001a9dda0        3        0 0xf9e94000     0x2980 gameenum             gameenum     \Driver\gameenum
0x0000000001aa4718        4        0 0xf9a9c000     0x9f00 es1371               es1371       \Driver\es1371
0x0000000001ae3a30        4        0 0xf9e40000     0x3c80 serenum              serenum      \Driver\serenum
0x0000000001ae3c08        4        0 0xf9a3c000     0xfd80 Serial               Serial       \Driver\Serial
0x0000000001ae54d8        3        0 0xf9e6c000     0x3c80 mssmbios             mssmbios     \Driver\mssmbios
0x0000000001b06268        3        0 0xf9689000     0x2280 RasAcd               RasAcd       \Driver\RasAcd
0x0000000001b06f38        3        0 0xf9473000    0x33200 Update               Update       \Driver\Update
0x0000000001b07c40        3        0 0xf9fcf000      0xb80 Null                 Null         \Driver\Null
0x0000000001b0d5f0        3        0 0xf99ec000     0xa580 agp440               agp440       \Driver\agp440
0x0000000001b21978        3        0 0xf9b4c000     0x8700 NetBIOS              NetBIOS      \FileSystem\NetBIOS
0x0000000001b21da0        4        0 0xf1132000    0x1ba00 vmhgfs               vmhgfs       \FileSystem\vmhgfs
0x0000000001b29988        3        0 0xf9aec000     0xbd00 PptpMiniport         PptpMiniport \Driver\PptpMiniport
0x0000000001b2a100        3        0 0xf9adc000     0xa200 RasPppoe             RasPppoe     \Driver\RasPppoe
0x0000000001b2a348        7        0 0xfa0ee000      0xc00 audstub              audstub      \Driver\audstub
0x0000000001b2a4b0        3        0 0xf9abc000     0x8d00 intelppm             intelppm     \Driver\intelppm
0x0000000001b2b7e0        7        0 0xf9b3c000     0xe100 usbhub               usbhub       \Driver\usbhub
0x0000000001b41638        3        0 0xf9eb0000     0x1080 RDPCDD               RDPCDD       \Driver\RDPCDD
0x0000000001b46a28        5        0 0xf1198000    0x27c00 NetBT                NetBT        \Driver\NetBT
0x0000000001bb43f8        4        0 0x00000000        0x0 \Driver\ACPI_HAL     ACPI_HAL     \Driver\ACPI_HAL
0x0000000001bb85e0       58        0 0x00000000        0x0 \Driver\PnpManager   PnpManager   \Driver\PnpManager
0x0000000001be71c0        4        0 0xf999c000     0x8c00 isapnp               isapnp       \Driver\isapnp
0x0000000001be87d8        6        0 0xf983d000    0x1e880 Ftdisk               Ftdisk       \Driver\Ftdisk
0x0000000001be8a78        7        0 0xf99ac000     0xa500 MountMgr             MountMgr     \Driver\MountMgr
0x0000000001be9290        5        0 0xf9ea0000     0x1580 IntelIde             IntelIde     \Driver\IntelIde
0x0000000001bea9c8       63        0 0xf986d000    0x2dd80 ACPI                 ACPI         \Driver\ACPI
0x0000000001beaef8        5        0 0x00000000        0x0                      RAW          \FileSystem\RAW
0x0000000001beb030        4        0 0x00000000        0x0 \Driver\WMIxWDM      WMIxWDM      \Driver\WMIxWDM

The malicious driver is \Driver\malware, the entry at physical offset 0x0000000001a498b8 (it appears earlier in the list; the red highlighting of the original does not survive here). Its Start address, 0xf9eb4000, is the same base that the modules output further down reports for winsys32.sys, which is how the driver object is tied to the file on disk.

 

The driverirp plugin prints the IRP major-function dispatch table of every driver object. It builds on driverscan, so it pool-scans physical memory for DRIVER_OBJECT structures and sees drivers even if they have been unlinked from the loaded-module list. For each of the 28 IRP_MJ_* entries it prints the handler address and the module that owns that address; -r/--regex restricts it to a driver name and --verbose disassembles each handler. A truncated output showing the area of interest is given below.


DriverName: malware
DriverStart: 0xf9eb4000
DriverSize: 0x1500
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                        0xf9eb4d76 winsys32.sys
   1 IRP_MJ_CREATE_NAMED_PIPE             0xf9eb4d76 winsys32.sys
   2 IRP_MJ_CLOSE                         0xf9eb4d76 winsys32.sys
   3 IRP_MJ_READ                          0xf9eb4e00 winsys32.sys
   4 IRP_MJ_WRITE                         0xf9eb4d76 winsys32.sys
   5 IRP_MJ_QUERY_INFORMATION             0xf9eb4d76 winsys32.sys
   6 IRP_MJ_SET_INFORMATION               0xf9eb4d76 winsys32.sys
   7 IRP_MJ_QUERY_EA                      0xf9eb4d76 winsys32.sys
   8 IRP_MJ_SET_EA                        0xf9eb4d76 winsys32.sys
   9 IRP_MJ_FLUSH_BUFFERS                 0xf9eb4d76 winsys32.sys
  10 IRP_MJ_QUERY_VOLUME_INFORMATION      0xf9eb4d76 winsys32.sys
  11 IRP_MJ_SET_VOLUME_INFORMATION        0xf9eb4d76 winsys32.sys
  12 IRP_MJ_DIRECTORY_CONTROL             0xf9eb4d76 winsys32.sys
  13 IRP_MJ_FILE_SYSTEM_CONTROL           0xf9eb4d76 winsys32.sys
  14 IRP_MJ_DEVICE_CONTROL                0xf9eb4e46 winsys32.sys
  15 IRP_MJ_INTERNAL_DEVICE_CONTROL       0xf9eb4d76 winsys32.sys
  16 IRP_MJ_SHUTDOWN                      0xf9eb4d76 winsys32.sys
  17 IRP_MJ_LOCK_CONTROL                  0xf9eb4d76 winsys32.sys
  18 IRP_MJ_CLEANUP                       0xf9eb4d76 winsys32.sys
  19 IRP_MJ_CREATE_MAILSLOT               0xf9eb4d76 winsys32.sys
  20 IRP_MJ_QUERY_SECURITY                0xf9eb4d76 winsys32.sys
  21 IRP_MJ_SET_SECURITY                  0xf9eb4d76 winsys32.sys
  22 IRP_MJ_POWER                         0xf9eb4e66 winsys32.sys
  23 IRP_MJ_SYSTEM_CONTROL                0xf9eb4d76 winsys32.sys
  24 IRP_MJ_DEVICE_CHANGE                 0xf9eb4d76 winsys32.sys
  25 IRP_MJ_QUERY_QUOTA                   0xf9eb4d76 winsys32.sys
  26 IRP_MJ_SET_QUOTA                     0xf9eb4d76 winsys32.sys
  27 IRP_MJ_PNP                           0x804f320e ntoskrnl.exe
--------------------------------------------------   


The dispatch table on its own does not tell you whether a driver is malicious: a legitimate driver also points most entries at its own routines, and there is no whitelist or blacklist of IRP handler layouts that would let a non-reverse-engineer sort good from bad. The check that does scale is where each handler points. Every entry here lies inside the driver's own image (DriverStart 0xf9eb4000, DriverSize 0x1500, owning module winsys32.sys) except IRP_MJ_PNP, which still points into ntoskrnl.exe, i.e. the kernel's default handler for an entry the driver never set. So the table is not hooked; the driver itself is the object of interest, and the four routines it implements separately (0xf9eb4d76, shared by IRP_MJ_CREATE and most other entries, plus IRP_MJ_READ at 0xf9eb4e00, IRP_MJ_DEVICE_CONTROL at 0xf9eb4e46 and IRP_MJ_POWER at 0xf9eb4e66) are the places to disassemble. A handler pointing into a module other than the driver that owns the object, or into a region with no module at all, would be the signature of IRP hooking.
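The "where does each handler point" check, as an added example that is not part of the original post or of Volatility. It parses the plugin's text output (the \Driver\malware record above is embedded as sample input) and classifies every entry as the driver's own code, the kernel default, or a foreign module. The second record, "hooked_demo", is a constructed driver whose IRP_MJ_READ entry points into winsys32.sys, to show what a hooked table looks like.

```python
"""Classify IRP dispatch handlers from Volatility 2 'driverirp' output.

Added example, not from the original post or the Volatility project.
For every handler it decides:
  own_image      - inside [DriverStart, DriverStart + DriverSize)
  kernel_default - owned by ntoskrnl.exe, an entry the driver left at the
                   kernel's default handler
  foreign_module - anywhere else: the classic shape of an IRP hook
The first record is the page's driverirp output for \\Driver\\malware;
"hooked_demo" is a constructed record that shows a hooked entry.
"""
import re

DRIVERIRP_SAMPLE = r"""
DriverName: malware
DriverStart: 0xf9eb4000
DriverSize: 0x1500
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                        0xf9eb4d76 winsys32.sys
   3 IRP_MJ_READ                          0xf9eb4e00 winsys32.sys
  14 IRP_MJ_DEVICE_CONTROL                0xf9eb4e46 winsys32.sys
  22 IRP_MJ_POWER                         0xf9eb4e66 winsys32.sys
  27 IRP_MJ_PNP                           0x804f320e ntoskrnl.exe
--------------------------------------------------
DriverName: hooked_demo
DriverStart: 0xf9a00000
DriverSize: 0x4000
DriverStartIo: 0x0
   3 IRP_MJ_READ                          0xf9eb4e00 winsys32.sys
  14 IRP_MJ_DEVICE_CONTROL                0xf9a01234 hooked_demo.sys
--------------------------------------------------
"""

_HANDLER_RE = re.compile(
    r"^\s*(\d+)\s+(IRP_MJ_\w+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")
_FIELD_RE = re.compile(
    r"^(DriverName|DriverStart|DriverSize|DriverStartIo):\s*(\S+)")


def parse_driverirp(text):
    """Turn driverirp text into a list of driver records with their handlers."""
    records, current = [], None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "DriverName":
                current = {"name": value, "handlers": []}
                records.append(current)
            elif key == "DriverStart":
                current["start"] = int(value, 16)
            elif key == "DriverSize":
                current["size"] = int(value, 16)
            continue
        m = _HANDLER_RE.match(line)
        if m and current is not None:
            idx, irp, addr, module = m.groups()
            current["handlers"].append({"index": int(idx), "irp": irp,
                                        "addr": int(addr, 16), "module": module})
    return records


def classify_handler(record, handler):
    """Own code, kernel default, or code living in some other module?"""
    start, size = record["start"], record["size"]
    if start <= handler["addr"] < start + size:
        return "own_image"
    if handler["module"].lower() == "ntoskrnl.exe":
        return "kernel_default"
    return "foreign_module"


def classify_driverirp(text):
    records = parse_driverirp(text)
    for rec in records:
        for h in rec["handlers"]:
            h["verdict"] = classify_handler(rec, h)
        # Distinct routines the driver really implements: a driver that points
        # 24 entries at one stub and 4 at real code tells you which 4 to read.
        rec["distinct_own_handlers"] = sorted(
            {h["addr"] for h in rec["handlers"] if h["verdict"] == "own_image"})
    return records


def suspicious_hooks(records):
    """Entries whose handler lives outside both the driver and the kernel."""
    return [(r["name"], h["irp"], h["addr"], h["module"])
            for r in records for h in r["handlers"]
            if h["verdict"] == "foreign_module"]


if __name__ == "__main__":
    recs = classify_driverirp(DRIVERIRP_SAMPLE)
    for rec in recs:
        print("%s: %d routine(s) implemented in the driver itself"
              % (rec["name"], len(rec["distinct_own_handlers"])))
        for h in rec["handlers"]:
            print("  %-32s 0x%08x %-16s %s"
                  % (h["irp"], h["addr"], h["module"], h["verdict"]))
    print("possible hooks:", suspicious_hooks(recs))
```

Run it against the full driverirp output of a dump (not just one driver) and the foreign_module list is the short list of dispatch entries worth disassembling; the own_image handler addresses are what you feed to the disassembler after a moddump of the driver.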

 

It also helps to see which device objects a driver has created and where they sit in the device stack, because that often reveals what a malicious driver is for. The devicetree plugin lists every driver object (DRV), the device objects it owns (DEV, with their FILE_DEVICE_* type) and any devices attached on top of them (ATT). A pruned output showing the item of interest is shown below.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem devicetree
Volatility Foundation Volatility Framework 2.6
DRV 0x01a498b8 \Driver\malware
---| DEV 0x816c8d80 KeyboardClassC FILE_DEVICE_KEYBOARD

 

The malicious driver has created a device object named KeyboardClassC of type FILE_DEVICE_KEYBOARD. Both choices mimic the legitimate keyboard class driver kbdclass.sys, which names its devices KeyboardClass0, KeyboardClass1 and so on, so the driver is placing itself in the keyboard stack, and the IRP_MJ_READ handler it implements is the request type through which keystrokes travel. The most plausible purpose is keystroke logging. Confirm it rather than assume it: dump the driver with moddump -b 0xf9eb4000 -D <outdir> and look at the IRP_MJ_READ handler and the strings it references.

 

A DLL can hide from tools that trust the process's own bookkeeping by unlinking itself from the three module lists in the PEB (InLoadOrderModuleList, InInitializationOrderModuleList and InMemoryOrderModuleList). Volatility's ldrmodules plugin cross-checks those lists the way psxview cross-checks process lists: it walks the process's VAD tree in kernel memory, which user-mode code cannot edit, collects every file-backed mapping, and reports for each whether it appears in the load, init and memory lists. A module the VAD tree knows about but no PEB list does is a candidate for injection or unlinking. Two things are normal and should not be read as anomalies: the main executable appears in only two of the three lists, because it is never placed on the initialization-order list, and the System process (PID 4) has no PEB at all, so everything mapped into it reports False three times. The plugin can be run as follows (grep is not a native Windows tool; findstr False does the same job):


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem ldrmodules | grep False
Volatility Foundation Volatility Framework 2.6
4 System 0x7c900000 False False False \WINDOWS\system32\ntdll.dll
536 smss.exe 0x48580000 True False True \WINDOWS\system32\smss.exe
608 csrss.exe 0x00450000 False False False \WINDOWS\Fonts\vgasys.fon
608 csrss.exe 0x4a680000 True False True \WINDOWS\system32\csrss.exe
608 csrss.exe 0x01230000 False False False \WINDOWS\Fonts\dosapp.fon
608 csrss.exe 0x01250000 False False False \WINDOWS\Fonts\cga80woa.fon
608 csrss.exe 0x01260000 False False False \WINDOWS\Fonts\cga40woa.fon
608 csrss.exe 0x010a0000 False False False \WINDOWS\Fonts\vgaoem.fon
608 csrss.exe 0x01240000 False False False \WINDOWS\Fonts\ega40woa.fon
632 winlogon.exe 0x01000000 True False True \WINDOWS\system32\winlogon.exe
676 services.exe 0x01000000 True False True \WINDOWS\system32\services.exe
688 lsass.exe 0x01000000 True False True \WINDOWS\system32\lsass.exe
832 vmacthlp.exe 0x00400000 True False True \Program Files\VMware\VMware Tools\vmacthlp.exe
848 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
916 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
964 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
964 svchost.exe 0x02030000 False False False \WINDOWS\system32\stdole2.tlb
1020 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
1148 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
1260 spoolsv.exe 0x01000000 True False True \WINDOWS\system32\spoolsv.exe
1444 VMwareService.e 0x00400000 True False True \Program Files\VMware\VMware Tools\VMwareService.exe
1616 alg.exe 0x01000000 True False True \WINDOWS\system32\alg.exe
1920 wscntfy.exe 0x01000000 True False True \WINDOWS\system32\wscntfy.exe
1956 explorer.exe 0x01000000 True False True \WINDOWS\explorer.exe
184 VMwareTray.exe 0x00400000 True False True \Program Files\VMware\VMware Tools\VMwareTray.exe
192 VMwareUser.exe 0x00400000 True False True \Program Files\VMware\VMware Tools\VMwareUser.exe
228 reader_sl.exe 0x00400000 True False True \Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
400 wuauclt.exe 0x00400000 True False True \WINDOWS\system32\wuauclt.exe
544 cmd.exe 0x4ad00000 True False True \WINDOWS\system32\cmd.exe

Nothing in this filtered output is out of the ordinary: the False/False/False rows are fonts and a type library, data files that are mapped without going through the loader; ntdll.dll in System reflects the missing PEB; and the True/False/True rows are the main executables. Restricting the plugin to PID 1956 (explorer.exe) brings up the module of interest. The red highlighting of the original does not survive here, so it is pointed out after the listing.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem ldrmodules -p 1956
Volatility Foundation Volatility Framework 2.6
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
    1956 explorer.exe         0x5ad70000 True   True   True  \WINDOWS\system32\uxtheme.dll
    1956 explorer.exe         0x01000000 True   False  True  \WINDOWS\explorer.exe
    1956 explorer.exe         0x76b40000 True   True   True  \WINDOWS\system32\winmm.dll
    1956 explorer.exe         0x5ba60000 True   True   True  \WINDOWS\system32\themeui.dll
    1956 explorer.exe         0x76360000 True   True   True  \WINDOWS\system32\winsta.dll
    1956 explorer.exe         0x77c00000 True   True   True  \WINDOWS\system32\version.dll
    1956 explorer.exe         0x7d1e0000 True   True   True  \WINDOWS\system32\msi.dll
    1956 explorer.exe         0x76e80000 True   True   True  \WINDOWS\system32\rtutils.dll
    1956 explorer.exe         0x75f80000 True   True   True  \WINDOWS\system32\browseui.dll
    1956 explorer.exe         0x10000000 True   True   True  \WINDOWS\system32\mfc42ul.dll
    1956 explorer.exe         0x77120000 True   True   True  \WINDOWS\system32\oleaut32.dll
    1956 explorer.exe         0x771b0000 True   True   True  \WINDOWS\system32\wininet.dll
    1956 explorer.exe         0x76c90000 True   True   True  \WINDOWS\system32\imagehlp.dll
    1956 explorer.exe         0x76fc0000 True   True   True  \WINDOWS\system32\rasadhlp.dll
    1956 explorer.exe         0x71ab0000 True   True   True  \WINDOWS\system32\ws2_32.dll
    1956 explorer.exe         0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
    1956 explorer.exe         0x77a80000 True   True   True  \WINDOWS\system32\crypt32.dll
    1956 explorer.exe         0x76f60000 True   True   True  \WINDOWS\system32\wldap32.dll
    1956 explorer.exe         0x20000000 True   True   True  \WINDOWS\system32\xpsp2res.dll
    1956 explorer.exe         0x71f60000 True   True   True  \WINDOWS\system32\snmpapi.dll
    1956 explorer.exe         0x76380000 True   True   True  \WINDOWS\system32\msimg32.dll
    1956 explorer.exe         0x773d0000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
(remaining output truncated)

The entry that stands out is \WINDOWS\system32\mfc42ul.dll at base 0x10000000. It is present in all three PEB lists, so the list comparison alone would not have flagged it; what gives it away is context. The name resembles the legitimate mfc42u.dll but is not a Windows system DLL, and 0x10000000 is the default image base of a DLL built without rebasing, which makes a third-party module stand out among Microsoft DLLs loaded at their usual high addresses. The module can be extracted for static analysis with dlldump -p 1956 -b 0x10000000 -D <outdir>.
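The reading rules for ldrmodules output, as an added example that is not part of the original post or of Volatility. It parses the plugin's rows and applies the same triage an analyst does by hand: skip the PEB-less System process, non-PE data files and the main executable's True/False/True pattern, flag any image missing from every PEB list or unlinked from some of them, and flag images at 0x10000000, the default base of a non-rebased DLL. The rows come from the page's two listings; the evil_demo.dll row is constructed to show what an unlinked module looks like.

```python
"""Triage Volatility 2 'ldrmodules' output.

Added example, not from the original post or the Volatility project.
Sample rows are taken from the page's output; the last row (evil_demo.dll)
is constructed to show an image the VAD tree knows about but no PEB list does.
"""
import re

LDRMODULES_SAMPLE = r"""
4 System 0x7c900000 False False False \WINDOWS\system32\ntdll.dll
608 csrss.exe 0x00450000 False False False \WINDOWS\Fonts\vgasys.fon
608 csrss.exe 0x4a680000 True False True \WINDOWS\system32\csrss.exe
964 svchost.exe 0x02030000 False False False \WINDOWS\system32\stdole2.tlb
    1956 explorer.exe         0x01000000 True   False  True  \WINDOWS\explorer.exe
    1956 explorer.exe         0x10000000 True   True   True  \WINDOWS\system32\mfc42ul.dll
    1956 explorer.exe         0x77120000 True   True   True  \WINDOWS\system32\oleaut32.dll
    1956 explorer.exe         0x00a90000 False  False  False \WINDOWS\system32\evil_demo.dll
"""

_ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(True|False)\s+(True|False)\s+"
    r"(True|False)\s+(\S.*?)\s*$")

# Extensions the image loader registers in the PEB lists. Other mapped files
# (fonts, .tlb, .nls ...) are mapped by hand and report False three times.
PE_EXTENSIONS = (".dll", ".exe", ".drv", ".ocx", ".cpl", ".ax", ".sys")
DEFAULT_DLL_BASE = 0x10000000   # linker default for a DLL that was never rebased


def parse_ldrmodules(text):
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        pid, proc, base, inload, ininit, inmem, path = m.groups()
        rows.append({"pid": int(pid), "process": proc, "base": int(base, 16),
                     "inload": inload == "True", "ininit": ininit == "True",
                     "inmem": inmem == "True", "path": path})
    return rows


def triage_ldrmodules(text):
    """Return (pid, process, base, path, reason) tuples worth a second look."""
    findings = []
    for r in parse_ldrmodules(text):
        flags = (r["inload"], r["ininit"], r["inmem"])
        lower = r["path"].lower()
        is_pe = lower.endswith(PE_EXTENSIONS)
        if r["pid"] == 4 or r["process"] == "System":
            continue                  # System has no PEB: all-False is normal
        if not is_pe and flags == (False, False, False):
            continue                  # data file mapped without the loader
        if lower.endswith(".exe") and flags == (True, False, True):
            continue                  # main image is never on the init list
        if flags == (False, False, False):
            reason = "mapped image missing from every PEB list (injected/unlinked?)"
        elif not all(flags):
            reason = "unlinked from at least one PEB list"
        elif r["base"] == DEFAULT_DLL_BASE:
            reason = "non-rebased image at 0x10000000 (third-party build?)"
        else:
            continue
        findings.append((r["pid"], r["process"], r["base"], r["path"], reason))
    return findings


if __name__ == "__main__":
    for f in triage_ldrmodules(LDRMODULES_SAMPLE):
        print("%5d %-14s 0x%08x %-40s %s" % f)
```

The 0x10000000 rule is deliberately weak: plenty of legitimate third-party DLLs load there too, so it is a prompt to look at the name and path, not a verdict. The all-False rule is the strong one; on a real dump, feed it the unfiltered ldrmodules output so that the True/False/True executables are still available for the skip logic.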

 

If you need to know which modules the kernel has loaded, use the modules and modscan plugins. The following command walks the kernel's doubly linked list of LDR_DATA_TABLE_ENTRY structures (PsLoadedModuleList) and prints the name, base, size and path of every driver the kernel currently lists as loaded.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem modules
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                 Base             Size File
---------- -------------------- ---------- ---------- ----
0x819fc3a0 ntoskrnl.exe         0x804d7000   0x1f6280 \WINDOWS\system32\ntkrnlpa.exe
0x819fc338 hal.dll              0x806ce000    0x20380 \WINDOWS\system32\hal.dll
0x819fc2d0 kdcom.dll            0xf9e9c000     0x2000 \WINDOWS\system32\KDCOM.DLL
0x819fc260 BOOTVID.dll          0xf9dac000     0x3000 \WINDOWS\system32\BOOTVID.dll
0x819fc1f8 ACPI.sys             0xf986d000    0x2e000 ACPI.sys
0x819fc188 WMILIB.SYS           0xf9e9e000     0x2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0x819fc120 pci.sys              0xf985c000    0x11000 pci.sys
0x819fc0b0 isapnp.sys           0xf999c000     0x9000 isapnp.sys
0x819fc040 compbatt.sys         0xf9db0000     0x3000 compbatt.sys
0x819f1008 BATTC.SYS            0xf9db4000     0x4000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0x819f1f98 intelide.sys         0xf9ea0000     0x2000 intelide.sys
0x819f1f28 PCIIDEX.SYS          0xf9c1c000     0x7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0x819f1eb8 MountMgr.sys         0xf99ac000     0xb000 MountMgr.sys
0x819f1e48 ftdisk.sys           0xf983d000    0x1f000 ftdisk.sys
0x819f1dd8 dmload.sys           0xf9ea2000     0x2000 dmload.sys
0x819f1d70 dmio.sys             0xf9817000    0x26000 dmio.sys
0x819f1d00 PartMgr.sys          0xf9c24000     0x5000 PartMgr.sys
0x819f1c90 VolSnap.sys          0xf99bc000     0xd000 VolSnap.sys
0x819f1c28 atapi.sys            0xf97ff000    0x18000 atapi.sys
0x819f1bb8 vmscsi.sys           0xf9db8000     0x3000 vmscsi.sys
0x819f1b48 SCSIPORT.SYS         0xf97e7000    0x18000 \WINDOWS\system32\drivers\SCSIPORT.SYS
0x819f1ae0 disk.sys             0xf99cc000     0x9000 disk.sys
0x819f1a70 CLASSPNP.SYS         0xf99dc000     0xd000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0x819f1a00 fltMgr.sys           0xf97c8000    0x1f000 fltMgr.sys
0x819f1998 sr.sys               0xf97b6000    0x12000 sr.sys
0x819f1928 KSecDD.sys           0xf979f000    0x17000 KSecDD.sys
0x819f18c0 Ntfs.sys             0xf9712000    0x8d000 Ntfs.sys
0x819f1858 NDIS.sys             0xf96e5000    0x2d000 NDIS.sys
0x819f17f0 Mup.sys              0xf96ca000    0x1b000 Mup.sys
0x819f1780 agp440.sys           0xf99ec000     0xb000 agp440.sys
0x817af440 i8042prt.sys         0xf9a2c000     0xd000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8166b688 kbdclass.sys         0xf9c5c000     0x6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8166b398 vmmouse.sys          0xf9ea4000     0x2000 \SystemRoot\system32\DRIVERS\vmmouse.sys
0x81725c68 mouclass.sys         0xf9c64000     0x6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x815f5f10 parport.sys          0xf9646000    0x14000 \SystemRoot\system32\DRIVERS\parport.sys
0x815f5660 serial.sys           0xf9a3c000    0x10000 \SystemRoot\system32\DRIVERS\serial.sys
0x818e3b70 serenum.sys          0xf9e40000     0x4000 \SystemRoot\system32\DRIVERS\serenum.sys
0x81646f10 fdc.sys              0xf9c6c000     0x7000 \SystemRoot\system32\DRIVERS\fdc.sys
0x81646cc8 imapi.sys            0xf9a4c000     0xb000 \SystemRoot\system32\DRIVERS\imapi.sys
0x81646a70 cdrom.sys            0xf9a5c000     0xd000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x818e3b00 redbook.sys          0xf9a6c000     0xf000 \SystemRoot\system32\DRIVERS\redbook.sys
0x81646500 ks.sys               0xf9623000    0x23000 \SystemRoot\system32\DRIVERS\ks.sys
0x81646808 vmci.sys             0xf9a7c000     0xc000 \SystemRoot\system32\DRIVERS\vmci.sys
0x81646a00 vmx_svga.sys         0xf9a8c000     0xe000 \SystemRoot\system32\DRIVERS\vmx_svga.sys
0x8163dbd8 VIDEOPRT.SYS         0xf960f000    0x14000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0x8163dcd8 usbuhci.sys          0xf9c74000     0x5000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x814d0de0 USBPORT.SYS          0xf95ec000    0x23000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x81725df8 vmxnet.sys           0xf9c7c000     0x8000 \SystemRoot\system32\DRIVERS\vmxnet.sys
0x814cf138 es1371mp.sys         0xf9a9c000     0xa000 \SystemRoot\system32\drivers\es1371mp.sys
0x8163d128 portcls.sys          0xf95c8000    0x24000 \SystemRoot\system32\drivers\portcls.sys
0x8160bfa0 drmk.sys             0xf9aac000     0xf000 \SystemRoot\system32\drivers\drmk.sys
0x814d0bc8 usbehci.sys          0xf9c84000     0x7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8160bf30 CmBatt.sys           0xf9e48000     0x4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8160bda0 intelppm.sys         0xf9abc000     0x9000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8160bb90 audstub.sys          0xfa0ee000     0x1000 \SystemRoot\system32\DRIVERS\audstub.sys
0x8192a418 rasl2tp.sys          0xf9acc000     0xd000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8192a2b0 ndistapi.sys         0xf9e4c000     0x3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x814d08c0 ndiswan.sys          0xf95b1000    0x17000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8192a240 raspppoe.sys         0xf9adc000     0xb000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8192a1d0 raspptp.sys          0xf9aec000     0xc000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8160b1a0 TDI.SYS              0xf9c8c000     0x5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x81929a58 psched.sys           0xf94d8000    0x11000 \SystemRoot\system32\DRIVERS\psched.sys
0x8148d908 msgpc.sys            0xf9afc000     0x9000 \SystemRoot\system32\DRIVERS\msgpc.sys
0x81652398 ptilink.sys          0xf9c94000     0x5000 \SystemRoot\system32\DRIVERS\ptilink.sys
0x816736c0 raspti.sys           0xf9c9c000     0x5000 \SystemRoot\system32\DRIVERS\raspti.sys
0x8148d0d0 rdpdr.sys            0xf94a7000    0x31000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0x8164d138 termdd.sys           0xf9b0c000     0xa000 \SystemRoot\system32\DRIVERS\termdd.sys
0x81941e78 swenum.sys           0xf9ea6000     0x2000 \SystemRoot\system32\DRIVERS\swenum.sys
0x81708d20 update.sys           0xf9473000    0x34000 \SystemRoot\system32\DRIVERS\update.sys
0x8148d230 mssmbios.sys         0xf9e6c000     0x4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x81708150 NDProxy.SYS          0xf9b1c000     0xa000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x81708dc0 flpydisk.sys         0xf9ca4000     0x5000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0x818e5f70 usbhub.sys           0xf9b3c000     0xf000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8189ec78 USBD.SYS             0xf9ea8000     0x2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x818e5958 gameenum.sys         0xf9e94000     0x3000 \SystemRoot\system32\DRIVERS\gameenum.sys
0x817a8668 Fs_Rec.SYS           0xf9eaa000     0x2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8189e258 Null.SYS             0xf9fcf000     0x1000 \SystemRoot\System32\Drivers\Null.SYS
0x8189e058 Beep.SYS             0xf9eac000     0x2000 \SystemRoot\System32\Drivers\Beep.SYS
0x8190be80 vga.sys              0xf9cb4000     0x6000 \SystemRoot\System32\drivers\vga.sys
0x8190bc80 mnmdd.SYS            0xf9eae000     0x2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0x8161a090 RDPCDD.sys           0xf9eb0000     0x2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8190b868 Msfs.SYS             0xf9cbc000     0x5000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8190b638 Npfs.SYS             0xf9cc4000     0x8000 \SystemRoot\System32\Drivers\Npfs.SYS
0x817a5ba8 rasacd.sys           0xf9689000     0x3000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x8190b260 ipsec.sys            0xf1218000    0x13000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x8180cfa0 tcpip.sys            0xf11c0000    0x58000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x8180ccb0 netbt.sys            0xf1198000    0x28000 \SystemRoot\system32\DRIVERS\netbt.sys
0x816143a0 ws2ifsl.sys          0xf9685000     0x3000 \SystemRoot\System32\drivers\ws2ifsl.sys
0x8180c7a8 afd.sys              0xf114e000    0x22000 \SystemRoot\System32\drivers\afd.sys
0x81480630 netbios.sys          0xf9b4c000     0x9000 \SystemRoot\system32\DRIVERS\netbios.sys
0x816ff3a0 vmhgfs.sys           0xf1132000    0x1c000 \SystemRoot\System32\DRIVERS\vmhgfs.sys
0x817eba60 rdbss.sys            0xf1106000    0x2c000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x81921300 mrxsmb.sys           0xf1097000    0x6f000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8177f228 winsys32.sys         0xf9eb4000     0x2000 \??\C:\WINDOWS\system32\drivers\winsys32.sys
0x817eb2c0 Fips.SYS             0xf9b6c000     0x9000 \SystemRoot\System32\Drivers\Fips.SYS
0x817eb0f0 ipnat.sys            0xf1076000    0x21000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x815bb120 wanarp.sys           0xf9b7c000     0x9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x817ae590 Cdfs.SYS             0xf9b9c000    0x10000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x817980d8 usbccgp.sys          0xf9cd4000     0x8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x818a21c8 hidusb.sys           0xf959d000     0x3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x819264c8 HIDCLASS.SYS         0xf9bac000     0x9000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x81925280 HIDPARSE.SYS         0xf9cdc000     0x7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8180a0e8 mouhid.sys           0xf9599000     0x3000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x817220e0 dump_scsiport.sys    0xf9595000     0x4000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8171fa20 dump_vmscsi.sys      0xf9591000     0x3000 \SystemRoot\System32\Drivers\dump_vmscsi.sys
0x813d0918 win32k.sys           0xbf800000   0x1c1000 \SystemRoot\System32\win32k.sys
0x81642890 watchdog.sys         0xf9ce4000     0x5000 \SystemRoot\System32\watchdog.sys
0x818a3f60 Dxapi.sys            0xf946f000     0x3000 \SystemRoot\System32\drivers\Dxapi.sys
0x8189b008 dxg.sys              0xbf9c1000    0x12000 \SystemRoot\System32\drivers\dxg.sys
0x819474e8 dxgthk.sys           0xfa00f000     0x1000 \SystemRoot\System32\drivers\dxgthk.sys
0x815b6310 vmx_fb.dll           0xbf9d3000    0x29000 \SystemRoot\System32\vmx_fb.dll
0x8183c260 ndisuio.sys          0xf0eb2000     0x4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8181b898 mrxdav.sys           0xf0cd9000    0x2d000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x815ba4e8 ParVdm.SYS           0xf9ec6000     0x2000 \SystemRoot\System32\Drivers\ParVdm.SYS
0x81796b38 vmmemctl.sys         0xf9ec8000     0x2000 \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x81720b58 srv.sys              0xf0c5e000    0x53000 \SystemRoot\system32\DRIVERS\srv.sys
0x8187ea58 wdmaud.sys           0xf0a41000    0x15000 \SystemRoot\system32\drivers\wdmaud.sys
0x816cb5b8 sysaudio.sys         0xf0ad6000     0xf000 \SystemRoot\system32\drivers\sysaudio.sys
0x8181af08 kmixer.sys           0xf09cc000    0x2a000 \SystemRoot\system32\drivers\kmixer.sys
0x81783008 HTTP.sys             0xf07f3000    0x41000 \SystemRoot\System32\Drivers\HTTP.sys

 

The malicious driver has not unlinked itself from this list: winsys32.sys appears with base 0xf9eb4000, the DriverStart that driverirp reported, and a size of only 0x2000. Its File column is also worth a look: \??\C:\WINDOWS\system32\drivers\winsys32.sys is an absolute drive-letter path, which is typically what ends up in a service's ImagePath when a driver is installed by a program rather than by Windows setup, whereas the boot and system drivers above it are listed as \SystemRoot\.... That is a hint, not proof; vmmemctl.sys from VMware Tools is loaded the same way. A driver that has been removed from the list will not be seen by modules at all. The modscan plugin instead scans physical memory for the pool tag and layout of loaded-module entries, so it also finds unlinked ones, but because it scans rather than walks it also returns entries for drivers that have since been unloaded, whose freed structures have not yet been fully overwritten, and the occasional false positive.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem modscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                 Base             Size File
------------------ -------------------- ---------- ---------- ----
0x00000000015d0918 win32k.sys           0xbf800000   0x1c1000 \SystemRoot\System32\win32k.sys
0x0000000001680630 netbios.sys          0xf9b4c000     0x9000 \SystemRoot\system32\DRIVERS\netbios.sys
0x000000000168d0d0 rdpdr.sys            0xf94a7000    0x31000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0x000000000168d230 mssmbios.sys         0xf9e6c000     0x4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x000000000168d908 msgpc.sys            0xf9afc000     0x9000 \SystemRoot\system32\DRIVERS\msgpc.sys
0x00000000016cf138 es1371mp.sys         0xf9a9c000     0xa000 \SystemRoot\system32\drivers\es1371mp.sys
0x00000000016d08c0 ndiswan.sys          0xf95b1000    0x17000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x00000000016d0bc8 usbehci.sys          0xf9c84000     0x7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x00000000016d0de0 USBPORT.SYS          0xf95ec000    0x23000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x00000000017b6310 vmx_fb.dll           0xbf9d3000    0x29000 \SystemRoot\System32\vmx_fb.dll
0x00000000017ba4e8 ParVdm.SYS           0xf9ec6000     0x2000 \SystemRoot\System32\Drivers\ParVdm.SYS
0x00000000017bb120 wanarp.sys           0xf9b7c000     0x9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x00000000017f5660 serial.sys           0xf9a3c000    0x10000 \SystemRoot\system32\DRIVERS\serial.sys
0x00000000017f5f10 parport.sys          0xf9646000    0x14000 \SystemRoot\system32\DRIVERS\parport.sys
0x000000000180b1a0 TDI.SYS              0xf9c8c000     0x5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x000000000180bb90 audstub.sys          0xfa0ee000     0x1000 \SystemRoot\system32\DRIVERS\audstub.sys
0x000000000180bda0 intelppm.sys         0xf9abc000     0x9000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x000000000180bf30 CmBatt.sys           0xf9e48000     0x4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x000000000180bfa0 drmk.sys             0xf9aac000     0xf000 \SystemRoot\system32\drivers\drmk.sys
0x00000000018143a0 ws2ifsl.sys          0xf9685000     0x3000 \SystemRoot\System32\drivers\ws2ifsl.sys
0x000000000181a090 RDPCDD.sys           0xf9eb0000     0x2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x000000000183d128 portcls.sys          0xf95c8000    0x24000 \SystemRoot\system32\drivers\portcls.sys
0x000000000183dbd8 VIDEOPRT.SYS         0xf960f000    0x14000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0x000000000183dcd8 usbuhci.sys          0xf9c74000     0x5000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x0000000001842890 watchdog.sys         0xf9ce4000     0x5000 \SystemRoot\System32\watchdog.sys
0x0000000001846500 ks.sys               0xf9623000    0x23000 \SystemRoot\system32\DRIVERS\ks.sys
0x0000000001846808 vmci.sys             0xf9a7c000     0xc000 \SystemRoot\system32\DRIVERS\vmci.sys
0x0000000001846a00 vmx_svga.sys         0xf9a8c000     0xe000 \SystemRoot\system32\DRIVERS\vmx_svga.sys
0x0000000001846a70 cdrom.sys            0xf9a5c000     0xd000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x0000000001846cc8 imapi.sys            0xf9a4c000     0xb000 \SystemRoot\system32\DRIVERS\imapi.sys
0x0000000001846f10 fdc.sys              0xf9c6c000     0x7000 \SystemRoot\system32\DRIVERS\fdc.sys
0x000000000184d138 termdd.sys           0xf9b0c000     0xa000 \SystemRoot\system32\DRIVERS\termdd.sys
0x0000000001852398 ptilink.sys          0xf9c94000     0x5000 \SystemRoot\system32\DRIVERS\ptilink.sys
0x000000000186b398 vmmouse.sys          0xf9ea4000     0x2000 \SystemRoot\system32\DRIVERS\vmmouse.sys
0x000000000186b688 kbdclass.sys         0xf9c5c000     0x6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x00000000018736c0 raspti.sys           0xf9c9c000     0x5000 \SystemRoot\system32\DRIVERS\raspti.sys
0x00000000018cb5b8 sysaudio.sys         0xf0ad6000     0xf000 \SystemRoot\system32\drivers\sysaudio.sys
0x00000000018d90a8 splitter.sys         0xf9f14000     0x2000 ⏨ረ\REGISTRY\MACHINE\SYSTEM\ControlSet00
0x00000000018ff3a0 vmhgfs.sys           0xf1132000    0x1c000 \SystemRoot\System32\DRIVERS\vmhgfs.sys
0x0000000001908150 NDProxy.SYS          0xf9b1c000     0xa000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x0000000001908d20 update.sys           0xf9473000    0x34000 \SystemRoot\system32\DRIVERS\update.sys
0x0000000001908dc0 flpydisk.sys         0xf9ca4000     0x5000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0x000000000191fa20 dump_vmscsi.sys      0xf9591000     0x3000 \SystemRoot\System32\Drivers\dump_vmscsi.sys
0x0000000001920b58 srv.sys              0xf0c5e000    0x53000 \SystemRoot\system32\DRIVERS\srv.sys
0x00000000019220e0 dump_scsiport.sys    0xf9595000     0x4000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x0000000001925c68 mouclass.sys         0xf9c64000     0x6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x0000000001925df8 vmxnet.sys           0xf9c7c000     0x8000 \SystemRoot\system32\DRIVERS\vmxnet.sys
0x000000000197f228 winsys32.sys         0xf9eb4000     0x2000 \??\C:\WINDOWS\system32\drivers\winsys32.sys
0x0000000001983008 HTTP.sys             0xf07f3000    0x41000 \SystemRoot\System32\Drivers\HTTP.sys
0x0000000001996b38 vmmemctl.sys         0xf9ec8000     0x2000 \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x00000000019980d8 usbccgp.sys          0xf9cd4000     0x8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x00000000019a5ba8 rasacd.sys           0xf9689000     0x3000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x00000000019a8668 Fs_Rec.SYS           0xf9eaa000     0x2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x00000000019ae590 Cdfs.SYS             0xf9b9c000    0x10000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x00000000019af440 i8042prt.sys         0xf9a2c000     0xd000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x00000000019eb0f0 ipnat.sys            0xf1076000    0x21000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x00000000019eb2c0 Fips.SYS             0xf9b6c000     0x9000 \SystemRoot\System32\Drivers\Fips.SYS
0x00000000019eba60 rdbss.sys            0xf1106000    0x2c000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x00000000019eca78 DMusic.sys           0xf0aa6000     0xd000 fbb6e3f-ccfe-4d84-90d9-421418b03a8e}
0x0000000001a0a0e8 mouhid.sys           0xf9599000     0x3000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x0000000001a0c7a8 afd.sys              0xf114e000    0x22000 \SystemRoot\System32\drivers\afd.sys
0x0000000001a0ccb0 netbt.sys            0xf1198000    0x28000 \SystemRoot\system32\DRIVERS\netbt.sys
0x0000000001a0cfa0 tcpip.sys            0xf11c0000    0x58000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x0000000001a1af08 kmixer.sys           0xf09cc000    0x2a000 \SystemRoot\system32\drivers\kmixer.sys
0x0000000001a1b898 mrxdav.sys           0xf0cd9000    0x2d000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x0000000001a3c260 ndisuio.sys          0xf0eb2000     0x4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x0000000001a7ea58 wdmaud.sys           0xf0a41000    0x15000 \SystemRoot\system32\drivers\wdmaud.sys
0x0000000001a8b498 drmkaud.sys          0xf9f9c000     0x1000 ΦíÿεçêystemRoot\system32\drivers\drmkaud.sys
0x0000000001a9b008 dxg.sys              0xbf9c1000    0x12000 \SystemRoot\System32\drivers\dxg.sys
0x0000000001a9e058 Beep.SYS             0xf9eac000     0x2000 \SystemRoot\System32\Drivers\Beep.SYS
0x0000000001a9e258 Null.SYS             0xf9fcf000     0x1000 \SystemRoot\System32\Drivers\Null.SYS
0x0000000001a9ec78 USBD.SYS             0xf9ea8000     0x2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x0000000001aa21c8 hidusb.sys           0xf959d000     0x3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x0000000001aa3f60 Dxapi.sys            0xf946f000     0x3000 \SystemRoot\System32\drivers\Dxapi.sys
0x0000000001ae3b00 redbook.sys          0xf9a6c000     0xf000 \SystemRoot\system32\DRIVERS\redbook.sys
0x0000000001ae3b70 serenum.sys          0xf9e40000     0x4000 \SystemRoot\system32\DRIVERS\serenum.sys
0x0000000001ae5958 gameenum.sys         0xf9e94000     0x3000 \SystemRoot\system32\DRIVERS\gameenum.sys
0x0000000001ae5f70 usbhub.sys           0xf9b3c000     0xf000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0000000001b0b260 ipsec.sys            0xf1218000    0x13000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x0000000001b0b638 Npfs.SYS             0xf9cc4000     0x8000 \SystemRoot\System32\Drivers\Npfs.SYS
0x0000000001b0b868 Msfs.SYS             0xf9cbc000     0x5000 \SystemRoot\System32\Drivers\Msfs.SYS
0x0000000001b0bc80 mnmdd.SYS            0xf9eae000     0x2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0x0000000001b0be80 vga.sys              0xf9cb4000     0x6000 \SystemRoot\System32\drivers\vga.sys
0x0000000001b21300 mrxsmb.sys           0xf1097000    0x6f000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0000000001b25280 HIDPARSE.SYS         0xf9cdc000     0x7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x0000000001b264c8 HIDCLASS.SYS         0xf9bac000     0x9000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x0000000001b29a58 psched.sys           0xf94d8000    0x11000 \SystemRoot\system32\DRIVERS\psched.sys
0x0000000001b2a1d0 raspptp.sys          0xf9aec000     0xc000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0000000001b2a240 raspppoe.sys         0xf9adc000     0xb000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0000000001b2a2b0 ndistapi.sys         0xf9e4c000     0x3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x0000000001b2a418 rasl2tp.sys          0xf9acc000     0xd000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x0000000001b402d0 swmidi.sys           0xf0ab6000     0xe000 ΦÇêεçïfbb6e3f-ccfe-4d84-90d9-421418b03a8e}
0x0000000001b41e78 swenum.sys           0xf9ea6000     0x2000 \SystemRoot\system32\DRIVERS\swenum.sys
0x0000000001b474e8 dxgthk.sys           0xfa00f000     0x1000 \SystemRoot\System32\drivers\dxgthk.sys
0x0000000001bf1008 BATTC.SYS            0xf9db4000     0x4000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0x0000000001bf1780 agp440.sys           0xf99ec000     0xb000 agp440.sys
0x0000000001bf17f0 Mup.sys              0xf96ca000    0x1b000 Mup.sys
0x0000000001bf1858 NDIS.sys             0xf96e5000    0x2d000 NDIS.sys
0x0000000001bf18c0 Ntfs.sys             0xf9712000    0x8d000 Ntfs.sys
0x0000000001bf1928 KSecDD.sys           0xf979f000    0x17000 KSecDD.sys
0x0000000001bf1998 sr.sys               0xf97b6000    0x12000 sr.sys
0x0000000001bf1a00 fltMgr.sys           0xf97c8000    0x1f000 fltMgr.sys
0x0000000001bf1a70 CLASSPNP.SYS         0xf99dc000     0xd000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0x0000000001bf1ae0 disk.sys             0xf99cc000     0x9000 disk.sys
0x0000000001bf1b48 SCSIPORT.SYS         0xf97e7000    0x18000 \WINDOWS\system32\drivers\SCSIPORT.SYS
0x0000000001bf1bb8 vmscsi.sys           0xf9db8000     0x3000 vmscsi.sys
0x0000000001bf1c28 atapi.sys            0xf97ff000    0x18000 atapi.sys
0x0000000001bf1c90 VolSnap.sys          0xf99bc000     0xd000 VolSnap.sys
0x0000000001bf1d00 PartMgr.sys          0xf9c24000     0x5000 PartMgr.sys
0x0000000001bf1d70 dmio.sys             0xf9817000    0x26000 dmio.sys
0x0000000001bf1dd8 dmload.sys           0xf9ea2000     0x2000 dmload.sys
0x0000000001bf1e48 ftdisk.sys           0xf983d000    0x1f000 ftdisk.sys
0x0000000001bf1eb8 MountMgr.sys         0xf99ac000     0xb000 MountMgr.sys
0x0000000001bf1f28 PCIIDEX.SYS          0xf9c1c000     0x7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0x0000000001bf1f98 intelide.sys         0xf9ea0000     0x2000 intelide.sys
0x0000000001bfc040 compbatt.sys         0xf9db0000     0x3000 compbatt.sys
0x0000000001bfc0b0 isapnp.sys           0xf999c000     0x9000 isapnp.sys
0x0000000001bfc120 pci.sys              0xf985c000    0x11000 pci.sys
0x0000000001bfc188 WMILIB.SYS           0xf9e9e000     0x2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0x0000000001bfc1f8 ACPI.sys             0xf986d000    0x2e000 ACPI.sys
0x0000000001bfc260 BOOTVID.dll          0xf9dac000     0x3000 \WINDOWS\system32\BOOTVID.dll
0x0000000001bfc2d0 kdcom.dll            0xf9e9c000     0x2000 \WINDOWS\system32\KDCOM.DLL
0x0000000001bfc338 hal.dll              0x806ce000    0x20380 \WINDOWS\system32\hal.dll
0x0000000001bfc3a0 ntoskrnl.exe         0x804d7000   0x1f6280 \WINDOWS\system32\ntkrnlpa.exe

Summary of Analysis

The Volatility plugins used in this step revealed important clues about the infection. It is now known that a covert communication channel was in use by a process or thread hidden under, or injected into, PID 1956 (explorer.exe). It was also discovered that a malicious driver had been loaded, and that its file resides in the Windows System32 directory.


Looking For Evidence of Code Injection

A plugin that may come in handy in detecting malicious code that has been injected into a process is malfind.  As attackers seek to evade endpoint protection systems, they will often inject malicious code directly into the process space of an otherwise benign process. This allows them to keep their malicious code from being written to disk where it is more likely to be scanned by antivirus or other endpoint defenses. The malfind plug-in is designed to help you detect such injected code. If memory address offsets are specified, then they must be physical memory addresses.


The following command was used in an attempt to find and dump injected code associated with PID 1956 (explorer.exe).


volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem malfind -p 1956 -o 0x15bcda0 --dump-dir=malfind


The command found no indication of injected code: it produced no output and dumped no file. The following command was then run at large against the entire memory image to determine whether other processes had been hijacked via code injection.

 

volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem malfind --dump-dir=malfind


This command succeeded in dumping 10 dmp files from memory. However, looking only at the textual output generated by the malfind plugin, no indication of maliciously injected code was found. The ten files were afterwards scanned using prominent anti-virus scanners. No indication of infection was found.


Memory is allocated in units known as pages. Although pages may vary in size from system to system, 4,096 bytes is a common value. The concept of a page is like a cluster on disk, in that a page is the smallest unit that can be allocated in memory and a cluster is typically the smallest unit on disk that can be allocated by the operating system. Each page must be provided with permissions indicating whether the data contained within it can be read, executed, or written. DLLs are typically loaded with permissions indicating that they can be read, but if they are written to, a new copy must be made and the changes made only on that copy (copy on write). This allows multiple processes to share a single instance of a DLL in memory, but if one of the processes attempts to make a change to that DLL it must copy its own instance of the DLL into its process memory space before it is allowed to make changes. This avoids one process modifying code that may be in use by other processes in the case of a shared DLL. 


For malicious code to be injected into the memory space of a running process, the page holding that memory must allow new code to be written to it. For the code to then be of any use to the attacker, it must be readable and executable as well. Normally, if a page of memory contains executable code, that code will have been loaded into memory from disk, so the code in the page is backed by a file on disk, and the location from which it was loaded is recorded in RAM. When a page is marked with read, write, and execute permissions, but there is no associated file on disk to explain where that code came from, that is indicative of code having been injected into the process maliciously. The malfind plug-in automates the detection of pages that are marked with read, write, and execute permissions and are also not backed by a file on disk.


Although the plug-in helps identify potentially suspicious pages within a process's memory, it is up to you to complete the analysis and confirm that the pages discovered contain executable code. One of the easiest ways to identify executable code is by the presence of the MZ header at the beginning of the page. This header is used by Windows systems to identify executable files. Even if the MZ header is not present, the page may still contain executable code, so the malfind plug-in displays the hexadecimal and ASCII representations of the data as well as the assembly language instructions that data would represent if it were intended as executable code. It is up to the human analyst to decide whether the data contained in the page is executable code or simply other data that would not be harmful to the system. Note that the malfind plugin only displays the first 64 bytes of each memory region it identifies. Malware authors may avoid putting an MZ header or obvious code at the beginning of the memory segment to avoid detection, so it may be necessary to dump the memory for further examination. This can be done by adding the --dump-dir=[directory] option to the malfind command to dump each memory segment it finds out to disk for further analysis.
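The heuristic described above, reduced to code as an added example (this is not Volatility's own implementation): a region is reported when it is PAGE_EXECUTE_READWRITE and not backed by a mapped file, an MZ header is the quick confirmation, and the first 64 bytes are shown for the analyst's judgement. The Region class, triage function and sample regions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical, simplified view of a VAD entry as malfind inspects it.
@dataclass
class Region:
    pid: int
    start: int                  # virtual start address of the region
    protection: str             # protection constant as malfind prints it
    mapped_file: Optional[str]  # None means private (not file-backed) memory
    data: bytes                 # leading bytes of the region

def is_suspicious(region: Region) -> bool:
    """malfind's rule: RWX protection AND no backing file on disk."""
    return region.protection == "PAGE_EXECUTE_READWRITE" and region.mapped_file is None

def has_mz_header(data: bytes) -> bool:
    """Quickest confirmation that a flagged region holds a PE image."""
    return data[:2] == b"MZ"

def hexdump64(data: bytes) -> str:
    """Hex + ASCII view of the first 64 bytes, the same slice malfind shows."""
    chunk = data[:64]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{hexpart}  {asciipart}"

def triage(regions: List[Region]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, start, verdict, first-64-bytes) for each reportable region."""
    findings = []
    for r in regions:
        if not is_suspicious(r):
            continue  # file-backed or not RWX: malfind does not report it
        verdict = "pe_header" if has_mz_header(r.data) else "review_manually"
        findings.append((r.pid, hex(r.start), verdict, hexdump64(r.data)))
    return findings

# Constructed sample regions for an explorer.exe-like process (PID 1956).
SAMPLE = [
    # Legitimately loaded DLL: execute/write-copy and backed by a file.
    Region(1956, 0x10000000, "PAGE_EXECUTE_WRITECOPY", "mfc42ul.dll", b"MZ\x90\x00"),
    # Private RWX region starting with a DOS header: a mapped-in PE image.
    Region(1956, 0x00B20000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03\x00"),
    # Private RWX region without MZ: needs the analyst's eyes on the bytes.
    Region(1956, 0x00A20000, "PAGE_EXECUTE_READWRITE", None, b"\x55\x8b\xec\x83\xec\x10"),
    # Ordinary heap page: writable but not executable, never reported.
    Region(1956, 0x00150000, "PAGE_READWRITE", None, b"\x00" * 16),
]

if __name__ == "__main__":
    for pid, start, verdict, first_bytes in triage(SAMPLE):
        print(pid, start, verdict, first_bytes)
```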


Registry Artifacts In Memory

Since many elements of the Windows registry are updated or frequently read by the operating system, it is common to capture registry key data in a RAM dump. The registry is commonly used by malware to configure system settings for a persistent infection. However, the difficulty in working with the registry lies in knowing where to look for evidence. The registry is spread across many data files (commonly known as registry hives) in various locations, and each serves a specific purpose with respect to system, application, and user configurations.

 

Volatility has a hivelist plugin to list registry hives, including their path on disk.  There may also be a hive listed by Volatility as “[no name]” that represents pointers to other hives, and is normal.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1bf6b60 0x0af3cb60 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1bb2b60 0x0accab60 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
0xe1a4db60 0x08b7cb60 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1991b60 0x07d9ab60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1844458 0x07741458 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe183e008 0x076b8008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1544b60 0x05c63b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe154db60 0x05c6fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe154d008 0x05c6f008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1544008 0x05c63008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13b5a40 0x02463a40 [no name]
0xe1018388 0x020bf388 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008b60 0x020c3b60 [no name]

The hivescan plugin displays the physical locations of available registry hives.

 

D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem hivescan
Volatility Foundation Volatility Framework 2.6
Offset(P)
----------
0x020bf388
0x020c3b60
0x02463a40
0x05c63008
0x05c63b60
0x05c6f008
0x05c6fb60
0x076b8008
0x07741458
0x07d9ab60
0x08b7cb60
0x0accab60
0x0af3cb60  

Malware will often use autostart extensibility points (ASEPs): places in the registry or elsewhere that cause executable code to be launched automatically when the system starts, a user logs in, or some other defined event occurs. Since many of these locations are in the registry, it may benefit your analysis to look at specific keys for evidence of malware. The printkey plugin provides the ability to view the subkeys, value names and data stored within a registry key. The syntax for this plugin is:

 

volatility_2.6_win64_standalone -f [dump_file] --profile=[profile] printkey -K "Path\To\Key" 

 

where "Path\To\Key" is the name (and optionally part of the path) of the specific key you want to examine. If the specified key name exists in multiple places, each instance will be printed.



D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem printkey -K controlset001\services\malware
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: malware (S)
Last updated: 2011-10-10 17:03:55 UTC+0000

Subkeys:
  (S) Security
  (V) Enum

Values:
REG_DWORD     Type            : (S) 1
REG_EXPAND_SZ ImagePath       : (S) \??\C:\WINDOWS\system32\drivers\winsys32.sys
REG_SZ        DisplayName     : (S) malware2 


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem printkey -K controlset001\Enum\Root\LEGACY_malware\0000
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: 0000 (S)
Last updated: 2011-10-10 17:03:55 UTC+0000

Subkeys:
  (V) Control

Values:
REG_SZ        Service         : (S) malware
REG_SZ        ClassGUID       : (S) {8ECC055D-047F-11D1-A537-0000F8753ED1}
REG_SZ        DeviceDesc      : (S) malware2
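As an added example (not part of the original post or of Volatility), the following parser reads printkey output in the format shown above for a services key and extracts what an analyst pivots on next: the service type, the driver's on-disk path with the NT "\??\" prefix stripped, and the module name to look for in the modules listing. The sample text is constructed from the output above; parse_printkey and describe_service are hypothetical helpers.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the printkey output format shown on this page.
SAMPLE_PRINTKEY = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: malware (S)
Last updated: 2011-10-10 17:03:55 UTC+0000

Subkeys:
  (S) Security
  (V) Enum

Values:
REG_DWORD     Type            : (S) 1
REG_EXPAND_SZ ImagePath       : (S) \??\C:\WINDOWS\system32\drivers\winsys32.sys
REG_SZ        DisplayName     : (S) malware2
"""

# Service "Type" values used by the Windows Service Control Manager.
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver",
                 0x10: "own process", 0x20: "shared process"}

VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s+:\s+\([SV]\)\s*(.*)$")

def parse_printkey(text: str) -> Tuple[Optional[str], Dict[str, Tuple[str, str]]]:
    """Return (key name, {value name: (registry type, data)}) from printkey text."""
    key, values = None, {}
    for line in text.splitlines():
        if line.startswith("Key name:"):
            key = line.split(":", 1)[1].strip().rsplit(" (", 1)[0]
            continue
        m = VALUE_RE.match(line)
        if m:
            reg_type, name, data = m.groups()
            values[name] = (reg_type, data.strip())
    return key, values

def describe_service(values: Dict[str, Tuple[str, str]]) -> Dict[str, object]:
    """Turn a services\\<name> key's values into the facts worth pivoting on."""
    kind = int(values["Type"][1], 0)
    image = values.get("ImagePath", ("", ""))[1]
    if image.startswith("\\??\\"):  # NT object-manager prefix, not part of the path
        image = image[4:]
    return {"service_type": SERVICE_TYPES.get(kind, f"unknown (0x{kind:x})"),
            "image_path": image,
            "module_name": image.rsplit("\\", 1)[-1],  # name to match against modules
            "is_driver": kind in (0x1, 0x2)}

if __name__ == "__main__":
    name, vals = parse_printkey(SAMPLE_PRINTKEY)
    print(name, describe_service(vals))
```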

Information about executables that were previously present on the system can be gleaned from the shimcache and shellbags keys of the registry. The shimcache and shellbags plugins, respectively, parse and present this information.


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem shimcache
Volatility Foundation Volatility Framework 2.6
WARNING : volatility.debug    : No ShimCache data found 


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem shellbags
ItemPos1024x768(1)        mfc42ul.dll    2011-10-07 04:36:50 UTC+0000   2011-10-07 04:36:50 UTC+0000   2011-10-10 17:02:50 UTC+0000   ARC
000   2011-10-07 04:36:50 UTC+0000   2011-10-10 17:02:50 UTC+0000   ARC                       mfc42ul.dll

If needed, password hashes from the SAM hive can be dumped from memory for external password cracking. Volatility can obtain the system key from the SYSTEM hive and use it to extract the hashes from the SAM hive.


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem hashdump


Additional user password data may be recoverable from the LSA secrets stored in the registry. Again, Volatility automates that extraction with the lsadump plugin, with the following syntax:


D:\hsoftware\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem lsadump


Dumping Suspicious Processes, DLLs, and Drivers

Once sufficient evidence has been established indicating that suspicious or possibly malicious processes, DLLs, or drivers may be hiding in memory, they can be dumped for further analysis. Plugins of importance in this step include:

  • dlldump
  • moddump
  • procdump
  • memdump
  • malfind

 

The evidence thus far indicates that one malicious driver has been loaded and that a highly suspicious DLL has been found associated with PID 1956 (explorer.exe). PID 1956 was also found in the midst of a covert communication with some unknown remote system.


Based on the information gleaned from the dlllist plugin, there are fifteen instances of the suspicious DLL mfc42ul.dll. To dump every detected instance of the suspicious DLL, the dlldump plugin is run once per instance, supplying each PID and memory address offset as shown below:


volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem dlldump -p 184 -b 0x00390000 --dump-dir=dlldump
volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem dlldump -p 192 -b 0x10000000 --dump-dir=dlldump
.....

Volatility's moddump plugin dumps drivers from memory to disk. The start address of the suspicious driver, obtained from the drivers plugin, must be supplied as an argument. To dump the driver malware/winsys32.sys from the memory dump, the following command is used:


volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem moddump -b 0xf9eb4000 --dump-dir=moddump


The malfind plugin searches for malware hidden through code injection. The physical memory address offset of the suspicious process must be supplied as an argument. To find and dump injected code associated with PID 1956 (explorer.exe), the following command is used:


volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem malfind -p 1956 -o 0x015bcda0 --dump-dir=malfind


Finally, Volatility can produce a list of timestamped events, which is essential to any investigation. To produce this list we use the timeliner plugin, which gives investigators a timeline of the events that had taken place up to the point the image was acquired. The timeliner plugin orders details by time and includes the process name, PID, process offset, DLLs used, registry details, and other useful information.


volatility_2.6_win64_standalone  --profile=WinXPSP2x86 -f D:\Memdump\0zapftis.vmem timeliner


The output of the timeliner plugin can be very lengthy, but useful timeline information relating to processes, users, programs, and other artifacts can be found if we take the time to sift through it.

