Malware Analysis Using Volatility — Part 3
NEFARIOUS ACTIONS UNDER THE WINDOWS ARCHITECTURE
Considering that a malware can unlink, change the name, or substitute libraries of a system (Windows, for example), we are interested in investigating a malware infection in the libraries (dll). The initial task is the analysis of suspicious dlls because malware can be a hidden process. We can use the command
vol.exe dlllist — profile=WinXPSP3x86 -f stuxnet.vmem
Dlllist plugin -p flag
The output shows us all dlls loaded by the process in the machine. Since this is difficult,
our task is to investigate a specific process. We will use this command:
vol.exe dlllist — profile=WinXPSP3x86 -p 1928 -f stuxnet.vmem
And we can see the output for this specific process. We can obtain the same output using the command
vol.exe dlllist — profile=WinXPSP3x86 — offset=0x01e47c00 -f stuxnet.vmem
Another Volatility plugin that we can use when we are searching for MZ signature is malfind. If you want to analyze each process, type this command:
vol.exe malfind — profile=WinXPSP3x86 -f stuxnet.vmem | more
Or, since we suspect a particular process, we can use this plugin with -p flag.
vol.exe malfind — profile=WinXPSP3x86 -p 1928 -f stuxnet.vmem
To see an object that is not signaled by a thread, we use the handles plugin that gives us the mutant/mutex (or mutual exclusion) object of a process. According to Microsoft: “to prevent two threads from writing to shared memory at the same time, each thread waits for ownership of a mutex object before executing the code that accesses the memory. After writing to the shared memory, the thread releases the mutex object.”
vol.exe handles — profile=WinXPSP3x86 -t Mutant -p 1928 -s -f stuxnet.vmem
Vaddump plugin (be careful!)
To obtain VAD segments of process we use vaddump plugin (please take care).
vol.exe vaddump — profile=WinXPSP3x86 -p 868 -D vad -f stuxnet.vmem
In this example
“vad” is my directory
We can also extract in a graphic output:
vol.exe vadtree — profile=WinXPSP3x86 — output=dot — output-file=grapha.dot -p 868 -f
In the next slide, we see vadtree process 868 stuxnet malware.
Vaddump (recommend: use Linux!)
In Kali Linux, vaddump can be used (if you set up an environment variable):
volatility vaddump -p 1928 -D
Procdump plugin (be careful!)
➡ working in Linux!
➡ First you should create a folder (that will receive the extract .exe files. In my example, use my folder “forensics” to download these files).
➡ In Kali Linux, the command is:
volatility procdump -p 680,868,1928 -D forensics
Volatility Commands CheaSheet
Originally published at https://learncybersec.blogspot.com.