2. Why Memory Analysis of Malware?
- Injected code or files that exist only in memory.
- The hooks (API, inline, kernel) the malware installs.
- The unpacked file, already decrypted/decompressed in memory.
- Access to kernel memory (drivers and kernel objects).
- Memory and registry forensics (the hives are cached in memory).
3. Volatility
• Memory forensics on Windows, Linux, Mac and Android.
• Plugins and documentation are easily available.
• Works on a variety of memory image file formats (raw dumps, crash dumps, hibernation files, VMware .vmem, etc.).
• Works only on RAM content, not on hard disk content.
http://code.google.com/p/volatility/wiki/VolatilityIntroduction
4. Memory Imaging for Analysis
• Crash dumps.
• LiveKd dumps.
• Virtual machine imaging (suspend or snapshot the guest).
• Raw dumps (e.g. DumpIt).
and many more techniques:
http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
5. VMware image
• The *.vmem file is nothing but the RAM image of the current VMware guest state; Volatility reads it directly as a raw image.
• Suspend the guest OS first (or take a snapshot) so that the file is complete and consistent.
• Then select the most recently updated *.vmem file for Volatility analysis.
6. Use 'DumpIt' for Memory Dump
• Run "DumpIt.exe" as administrator; it asks for confirmation and then dumps physical memory.
• Make sure you have enough free disk space for the dump (at least the size of physical RAM).
• It writes the dump into the folder it is run from, with the extension .raw.
7. Some Situations when Volatility is useful
• Ransomware screen lock (Winlock): the desktop is locked, but the suspended VM's memory can still be analysed.
• After infection we are not able to run any reversing tool on the infected machine.
• A kernel driver is encrypted or packed and we need the unpacked copy that is loaded in memory.
• Strong anti-debugging and protections are applied to packed files and we need the unpacked file, so we dump it from memory instead.
9. Some more commands
• "driverscan" scans memory for driver objects, so it can also find drivers that are unlinked/hidden from the loaded-module list (and some unloaded ones).
• "apihooks" displays all hooks found in memory (it takes time).
• Every Volatility 2.x command needs the right --profile for the image; run "imageinfo" (or "kdbgscan") first to find it.
• To run a command only for one process use "-p <PID>", e.g.
• volatility.exe -f "memory.raw" --profile=<profile> dlllist -p 1220
  displays the DLLs loaded in PID 1220. ("modules" lists kernel modules and ignores -p; use "dlllist" for a process.)
• http://code.google.com/p/volatility/wiki/CommandReference21
10. Commands..
• "malfind"
• volatility.exe -f "malware.vmem" malfind
• Finds injected code and DLLs: private, executable memory regions that are not backed by a file. Check whether the dumped bytes start with "MZ" (a whole PE injected) and use "-D <dir>" to write the suspicious regions to disk.
• http://code.google.com/p/volatility/wiki/CommandReferenceMal23#malfind
• "apihooks"
• volatility.exe -f "malware.vmem" apihooks
• http://code.google.com/p/volatility/wiki/CommandReferenceMal23#apihooks
• Both commands take time, so redirect their output to a text file (e.g. "... malfind > malfind.txt") and work from that.
11. Command..
• "procmemdump"
  volatility.exe -f "malware.vmem" procmemdump -D dump_folder/ -p 1624
  dumps the executable of PID 1624 to "dump_folder" as it sits in memory (slack space included; "procexedump" rebuilds it from the PE section headers instead).
  http://code.google.com/p/volatility/wiki/CommandReference23#procmemdump
• "connections"
  volatility.exe -f "ransomware.vmem" connections
  Similarly we can use "sockets" and other network-related commands. Note that "connections" and "sockets" only work on Windows XP/2003 images; for Vista and later use "netscan".
• http://code.google.com/p/volatility/wiki/CommandReference23#connections
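Added example for the malfind and connections slides above (not code from the slides or from the Volatility project): once both outputs have been redirected to text files as suggested, a short script can join them so that injected regions and the network activity of the same PID show up together. The sample output embedded below is constructed to match the Volatility 2.x text format; the process names, PIDs, addresses and IPs are invented, and the "injected-pe" / "zero-page" labels are a heuristic of this example, not a Volatility feature.

```python
"""Join Volatility 2 'malfind' and 'connections' text output per PID.

Assumed workflow (commands are not run here):
  volatility.exe -f malware.vmem --profile=<profile> malfind > malfind.txt
  volatility.exe -f malware.vmem --profile=<profile> connections > connections.txt
"""
import re

# Constructed sample output in the Volatility 2.x text format (all values invented).
MALFIND_OUTPUT = """\
Process: explorer.exe Pid: 1624 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001f0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x001f0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: svchost.exe Pid: 1220 Address: 0x9a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x009a0000  b8 40 00 00 00 8b 45 08 ff e0 00 00 00 00 00 00   .@....E.........

Process: lsass.exe Pid: 688 Address: 0x70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00070000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

CONNECTIONS_OUTPUT = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e4a5a8 192.168.56.101:1044       203.0.113.10:80           1624
0x81f0c2d0 192.168.56.101:1050       198.51.100.7:443          1624
0x81e6b008 192.168.56.101:1053       203.0.113.44:8080         1220
"""

_HDR = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
_PROT = re.compile(r"^Vad Tag:.*Protection:\s+(PAGE_\w+)")
_HEX = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s){1,16})")
_CONN = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_malfind(text):
    """One dict per malfind hit; 'head' holds the first hexdump row as bytes."""
    hits, cur = [], None
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": "?", "head": b""}
            hits.append(cur)
            continue
        if cur is None:
            continue
        m = _PROT.match(line)
        if m:
            cur["protection"] = m.group(1)
            continue
        m = _HEX.match(line)
        if m and not cur["head"]:          # keep only the first row of the dump
            cur["head"] = bytes.fromhex(m.group(1).replace(" ", ""))
    return hits


def classify(hit):
    """Heuristic label (an assumption of this example, not a Volatility feature)."""
    head = hit["head"]
    if head.startswith(b"MZ"):
        return "injected-pe"               # a whole PE image was written into the region
    if any(head):
        return "code-or-shellcode"         # non-zero bytes, no PE header: inspect manually
    return "zero-page"                     # committed but never written: usual false positive


def parse_connections(text):
    """Map PID -> list of remote endpoints from the 'connections' table."""
    by_pid = {}
    for line in text.splitlines():
        m = _CONN.match(line)
        if m:
            by_pid.setdefault(int(m.group(3)), []).append(m.group(2))
    return by_pid


def triage(malfind_text, connections_text):
    """Attach each injected region's PID connections; most suspicious rows first."""
    conns = parse_connections(connections_text)
    rows = [dict(hit, label=classify(hit), remote=conns.get(hit["pid"], []))
            for hit in parse_malfind(malfind_text)]
    rows.sort(key=lambda r: (r["label"] != "injected-pe", not r["remote"], r["pid"]))
    return rows


if __name__ == "__main__":
    for r in triage(MALFIND_OUTPUT, CONNECTIONS_OUTPUT):
        print(f"{r['process']:<14}{r['pid']:>6}  {r['address']:#010x}  "
              f"{r['protection']:<24}{r['label']:<18}{', '.join(r['remote']) or '-'}")
```

With real files, read malfind.txt and connections.txt into the two strings instead of the embedded samples. The zero-page label matters in practice: malfind reports every private executable region, and regions that were committed but never written are the most common false positive, so sorting them last keeps the analyst on the PE injections that also talk to the network.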
13. Commands..
• "printkey"
• volatility.exe -f "ransomware.vmem" printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
  displays the Winlogon key contents (check the Shell and Userinit values, which screen lockers often hijack). Similarly we can check the Run key for autostart objects:
  volatility.exe -f "ransomware.vmem" printkey -K "Microsoft\Windows\CurrentVersion\Run"
  printkey prints the key from every hive in which it exists (SOFTWARE and each user's NTUSER.DAT), so one command covers both HKLM and HKCU.
http://code.google.com/p/volatility/wiki/CommandReference23#printkey
14. Ransomware
• Volatility is useful in Winlock situations (suspend the infected VMware guest and analyse its .vmem):
- Running processes (pstree)
- Network connections (connections, sockets)
- Injected code (malfind)
- Registry changes (printkey)
- Dump the executable (procmemdump)
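Added example for the printkey step of the Winlock checklist above (not code from the slides or from the Volatility project): a parser for printkey's text output that flags a replaced Winlogon Shell, a non-default Userinit, and every Run entry, marking entries that start from a user-writable path. The embedded printkey output is constructed to match the Volatility 2.x format; the hive paths, value names and data are invented, and the "user-writable path" rule is a heuristic of this example.

```python
r"""Check Winlogon and Run keys from Volatility 2 'printkey' text output.

Assumed workflow (commands are not run here):
  volatility.exe -f ransomware.vmem --profile=<profile> printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon" > keys.txt
  volatility.exe -f ransomware.vmem --profile=<profile> printkey -K "Microsoft\Windows\CurrentVersion\Run" >> keys.txt
"""
import re

# Constructed sample in the Volatility 2.x printkey format (hives, paths and values invented).
PRINTKEY_OUTPUT = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2013-03-02 10:11:12 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        Shell           : (S) Explorer.exe, C:\Documents and Settings\user\winlock.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,
REG_DWORD     AutoRestartShell : (S) 1
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2013-02-20 08:00:00 UTC+0000

Subkeys:

Values:
REG_SZ        VMware Tools    : (S) "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key name: Run (S)
Last updated: 2013-03-02 10:11:12 UTC+0000

Subkeys:

Values:
REG_SZ        Update          : (S) "C:\Documents and Settings\user\winlock.exe" -s
"""

_REGISTRY = re.compile(r"^Registry:\s+(.+?)\s*$")
_KEYNAME = re.compile(r"^Key name:\s+(\S+)")
_VALUE = re.compile(r"^(REG_\w+)\s+(\S.*?)\s+:\s+\([SV]\)\s*(.*?)\s*$")
# Default Userinit on XP/Vista/7: <drive>:\windows\system32\userinit.exe with a trailing comma.
USERINIT_OK = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$", re.I)
# Heuristic (this example's assumption): autostarts from these locations deserve a closer look.
USER_WRITABLE = re.compile(r"\\(documents and settings|users|temp|appdata|programdata)\\", re.I)


def parse_printkey(text):
    """One dict per printed key: hive path, key name and its values (name -> data)."""
    keys, cur, in_values = [], None, False
    for line in text.splitlines():
        m = _REGISTRY.match(line)
        if m:
            cur = {"hive": m.group(1), "key": None, "values": {}}
            keys.append(cur)
            in_values = False
            continue
        if cur is None:
            continue
        m = _KEYNAME.match(line)
        if m:
            cur["key"] = m.group(1)
        elif line.startswith("Values:"):
            in_values = True
        elif in_values:
            m = _VALUE.match(line)
            if m:
                cur["values"][m.group(2)] = m.group(3)
    return keys


def check_persistence(keys):
    """Return (hive, value path, data, reason) tuples for every entry worth a look."""
    findings = []
    for k in keys:
        hive = k["hive"].rsplit("\\", 1)[-1]        # "software" or "NTUSER.DAT"
        name = (k["key"] or "").lower()
        vals = k["values"]
        if name == "winlogon":
            shell = vals.get("Shell")
            if shell is not None and shell.lower() != "explorer.exe":
                findings.append((hive, "Winlogon\\Shell", shell, "Shell is not the default Explorer.exe"))
            userinit = vals.get("Userinit")
            if userinit is not None and not USERINIT_OK.match(userinit):
                findings.append((hive, "Winlogon\\Userinit", userinit, "Userinit is not the default userinit.exe"))
        elif name in ("run", "runonce"):
            for vname, data in vals.items():
                reason = ("autostart from a user-writable path" if USER_WRITABLE.search(data)
                          else "autostart entry (review)")
                findings.append((hive, f"{k['key']}\\{vname}", data, reason))
    return findings


if __name__ == "__main__":
    for hive, path, data, reason in check_persistence(parse_printkey(PRINTKEY_OUTPUT)):
        print(f"[{hive}] {path} = {data}\n    -> {reason}")
```

The Shell check catches the usual Winlock trick of appending the locker to "Explorer.exe," so the desktop still starts but the lock screen comes up with it; because printkey emits the key from every hive, the same parser sees the HKLM and HKCU Run entries in one pass.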
15. Necurs
• Here I explain only how to dump the Necurs kernel driver. This driver causes a BSOD in VMware once it is loaded in memory, so we need to suspend the VM after the login screen and before the BSOD.
• Use "devicetree" and check the unknown entries in the report.
• Search for "NtSecureSys", the Necurs device name.
• Dump all drivers with "moddump -D <dir>", or dump one specific driver by its base address with "moddump -D <dir> -b <base address>".
• Use "driverirp -r ddc9572038295e1f" to list the IRP handlers of the Necurs driver (ddc9572038295e1f is the driver name seen in this sample; -r takes a regex).
16. Conclusion
• Open-source framework with a Python, plugin-based architecture.
• We can write plugins that are more useful against specific malware.
• The analyst should have Windows internals knowledge to use Volatility effectively.
• http://code.google.com/p/volatility/