Last changed: 08.09.2020
Memory Forensics
The open source tool volatility can be used to analyze memory dumps.
volatility2/vol.py --info
volatility2/vol.py <PLUGIN> -h
Even though volatility 3.0 is currently in development and is still missing some functionality, it can be quite useful, especially for newer versions of Windows.
volatility3/vol.py --help
volatility3/vol.py <PLUGIN> --help
Acquisition
winpmem
You can download winpmem and run it on the target machine to create a memory image.
winpmem.exe --format raw --volume_format raw -o memory.raw
dump memory from virtualbox
vboxmanage debugvm 'VM Name' dumpvmcore --filename memory.elf
volatility2/vol.py -f memory.elf imageinfo
volatility2/vol.py -f memory.elf vboxinfo
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 imagecopy -O memory.raw
dump memory from vmware
You can either create a snapshot of the virtual machine and copy the .vmem and the .vmsn files, or suspend the virtual machine and copy the .vmem and the .vmss file. If both files are in the same folder you can open the .vmem file with volatility.
volatility2/vol.py -f memory.vmem imageinfo
volatility2/vol.py -f memory.vmem vmwareinfo
volatility2/vol.py -f memory.vmem --profile=Win10x64_18362 imagecopy -O memory.raw
If you only have the .vmem file you can try to convert it manually by padding in the gap the hypervisor leaves out of the file; the following dd commands insert a 1 GB zero-filled gap after the first 3 GB.
dd if=memory.vmem of=memory.padded_raw bs=1G count=3 oflag=append conv=notrunc
dd if=/dev/zero of=memory.padded_raw bs=1G count=1 oflag=append conv=notrunc
dd if=memory.vmem of=memory.padded_raw bs=1G skip=3 oflag=append conv=notrunc
Yara scan
volatility3/vol.py -f memory.elf windows.vadyarascan --yara-file my_rules.yara
Process analysis
search processes in memory
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 pslist
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 psscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 cmdline
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 dlllist
extract binary
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . procdump
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . procdump -m
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . memdump
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . vaddump
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -b <BASE> dlldump -D .
extract driver module
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 modules
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 unloadedmodules
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -b <BASE> -D . moddump
get binary filesize
readpe -S evil.exe | grep Pointer -B 1
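As an added example (not part of the original page), the same check done programmatically: the largest PointerToRawData + SizeOfRawData in the section table is the size the binary should have on disk, so a dumped file can be trimmed to it. The PE bytes are constructed inline for the example; the trailing 0xCC bytes stand in for padding a memory dump may carry.

```python
import struct

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not a real binary): DOS header, PE
    signature, COFF header, dummy PE32+ optional header, two sections."""
    opt_hdr_size = 0xF0
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymtab, NumSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_hdr_size, 0x22)
    opt = b"\x0b\x02" + b"\x00" * (opt_hdr_size - 2)      # magic PE32+ then zeros

    def sec(name, vsize, vaddr, rawsize, rawptr):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, 16 remaining bytes left zero
        return struct.pack("<8sIIII", name, vsize, vaddr, rawsize, rawptr) + b"\x00" * 16

    secs = sec(b".text", 0x1000, 0x1000, 0x400, 0x400) + sec(b".data", 0x800, 0x2000, 0x200, 0x800)
    image = (dos + b"PE\x00\x00" + coff + opt + secs).ljust(0xA00, b"\x00")
    return image + b"\xCC" * 0x600            # padding the dump might contain

def pe_file_size(data: bytes) -> int:
    """On-disk size implied by the section table: max(PointerToRawData + SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:                          # skip sections with no raw data (.bss)
            end = max(end, raw_ptr + raw_size)
    return end

def trim_dump(data: bytes) -> bytes:
    """Cut a dumped binary down to the size its own headers describe."""
    return data[:pe_file_size(data)]

if __name__ == "__main__":
    sample = build_sample_pe()
    print(hex(len(sample)), "->", hex(pe_file_size(sample)))
```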
services
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 svcscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -K "ControlSet001\services\<EVIL_SERVICE>" printkey
find malware activity
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 netscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 ndispktscan -p out.pcap
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 malfind
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 malfind -p <PID> -D .
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 getsids -p <PID>
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 apihooks
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 ldrmodules -p <PID>
User behavior
logon sessions
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 sessions
environment variables
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 envars -p <PID>
console history
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 consoles
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 cmdscan
file system information
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 mftparser
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 filescan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 dumpfiles -Q <PHYSICAL_OFFSET> -D . -n
registry keys
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 hivelist
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -o <VIRTUAL_OFFSET> hivedump > SOFTWARE.dmp
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -K "Microsoft\Windows\CurrentVersion\Run" printkey
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -K "Software\Microsoft\Windows\CurrentVersion\Run" printkey
Volatility3 can dump recursively.
volatility3/vol.py -f memory.elf windows.registry.hivelist
volatility3/vol.py -f memory.elf windows.registry.printkey --offset <VIRTUAL_OFFSET> --key ControlSet001\\Services\\<EvilService> --recurse
data carving
The strings tool offers a parameter to print the file offsets of its findings, which volatility can then map back to the owning process.
strings -td memory.elf | grep NEEDLE > string_offsets
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 strings -s string_offsets
bulk_extractor carves files for known patterns and generates a report which can be opened in BEViewer.
bulk_extractor memory.image -o dump_directory
BEViewer
Other carving tools to mention are photorec and foremost.
Some plugins of volatility also do carving for known kernel objects.
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 psscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 netscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 filescan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 hivescan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 mutantscan -s
dump cleartext credentials from crashdump
A memory image can be converted to a crashdump with volatility.
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 raw2dmp -O memory.dmp
This crashdump can be opened in windbg. To dump cleartext credentials the mimikatz dll has to be loaded.
.load /path/to/mimilib.dll
!process 0 0 lsass.exe
.process /r /p <ADDRESS>
!mimikatz
analysing kernel objects in volshell
_KDDEBUGGER_DATA64
The Kernel Debugging Data Block (KDBG) virtual address can be found with volatility's imageinfo or kdbgscan plugins.
dt('_KDDEBUGGER_DATA64', <VIRTUAL ADDRESS>)
Interesting content:
- PsLoadedModuleList (_LIST_ENTRY) -> (_LDR_DATA_TABLE_ENTRY).InLoadOrderLinks
- PsActiveProcessHead (_LIST_ENTRY) -> (_EPROCESS).ActiveProcessLinks
- MmPfnDatabase
Volatility plugins:
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 pslist
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 modules
_EPROCESS
dt('_LIST_ENTRY', <PsActiveProcessHead>)
dt('_EPROCESS', <Flink>-0x188)
ps()
Interesting content:
- UniqueProcessId
- Peb (_PEB)
- ImageFileName
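As an added example (not from the original page), the list walk behind dt('_LIST_ENTRY', PsActiveProcessHead) and dt('_EPROCESS', Flink-0x188) reproduced on a constructed memory buffer: each Flink points at the ActiveProcessLinks field, so the owning _EPROCESS starts 0x188 bytes earlier. The layout is constructed (only the 0x188 link offset comes from the page), and the third process is unlinked from the list to show why pslist misses what psscan still carves out of memory.

```python
import struct

LINK_OFF = 0x188    # ActiveProcessLinks offset inside _EPROCESS (value from the page)
PID_OFF = 0x000     # constructed layout: UniqueProcessId at the start of the block
NAME_OFF = 0x010    # constructed layout: 16-byte ImageFileName
HEAD = 0x1000       # constructed virtual address of PsActiveProcessHead

def build_sample_memory() -> bytearray:
    """Constructed fake memory: list head plus three _EPROCESS blocks.
    Process 3 is not linked into the list (the DKOM hiding technique)."""
    procs = {1: (0x2000, b"System"), 2: (0x2200, b"lsass.exe"), 3: (0x2400, b"evil.exe")}
    mem = bytearray(0x3000)
    links = [HEAD] + [procs[p][0] + LINK_OFF for p in (1, 2)]
    for i, link in enumerate(links):               # circular doubly linked list
        flink = links[(i + 1) % len(links)]
        blink = links[(i - 1) % len(links)]
        struct.pack_into("<QQ", mem, link, flink, blink)
    for pid, (base, name) in procs.items():
        struct.pack_into("<Q", mem, base + PID_OFF, pid)
        mem[base + NAME_OFF:base + NAME_OFF + len(name)] = name
    hidden = procs[3][0] + LINK_OFF                # unlinked entry points at itself
    struct.pack_into("<QQ", mem, hidden, hidden, hidden)
    return mem

def walk_active_process_list(mem: bytearray, head: int = HEAD) -> list:
    """Follow Flink from the list head and apply CONTAINING_RECORD (Flink - 0x188)
    to reach each _EPROCESS; returns [(pid, name), ...] in list order."""
    result, seen = [], set()
    flink = struct.unpack_from("<Q", mem, head)[0]
    while flink != head and flink not in seen:     # guard against corrupted loops
        seen.add(flink)
        eproc = flink - LINK_OFF
        pid = struct.unpack_from("<Q", mem, eproc + PID_OFF)[0]
        raw = mem[eproc + NAME_OFF:eproc + NAME_OFF + 16]
        result.append((pid, raw.split(b"\x00", 1)[0].decode()))
        flink = struct.unpack_from("<Q", mem, flink)[0]
    return result

if __name__ == "__main__":
    for pid, name in walk_active_process_list(build_sample_memory()):
        print(pid, name)        # evil.exe (pid 3) never shows up here
```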
_PEB
To resolve virtual addresses in user space you need to change the context to the owning process first.
sc()
cc(pid=<PID>)
dt('_PEB', <VIRTUAL ADDRESS>)
Interesting content:
- BeingDebugged
- Ldr (_PEB_LDR_DATA)
- ProcessParameters (_RTL_USER_PROCESS_PARAMETERS)
- NtGlobalFlag
- OSMajorVersion
- OSMinorVersion
- OSBuildNumber
- SessionId
Volatility plugins:
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 sessions
_PEB_LDR_DATA
Interesting content:
- InLoadOrderModuleList (_LIST_ENTRY) -> (_LDR_DATA_TABLE_ENTRY).InLoadOrderLinks
Volatility plugins:
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> dlllist
_RTL_USER_PROCESS_PARAMETERS
Interesting content:
- DllPath
- CommandLine
- Environment
- EnvironmentSize
The content of the environment variables can be displayed with the Environment address and EnvironmentSize from the structure above:
db(<ENV_ADDRESS>, <ENV_SIZE>)
Volatility plugins:
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> cmdline
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> envars