SlideShare una empresa de Scribd logo

Malware analysis using volatility

Descargar como PPTX, PDF
Yashashree Gund
Yashashree Gund
Tecnología
1 de 17
Malware Analysis Using Volatility Yashashree Shivaji Gund
Why Memory Analysis of Malware? - Injected code or file. - Different Hooks. - Unpacked file. - Kernel memory Accessibility. - Memory/registry forensics.
Volatility • Memory forensic on Windows, Linux, Mac and Android. • Easily available plugin and documentation. • We can use on variety of file formats (memory image). • Works on Only RAM content. No Hard disk content. http://code.google.com/p/volatility/wiki/VolatilityIntroduction
Memory Imaging for Analysis • Crash Dumps. • Livekd Dumps. • Virtual Machine Imaging. • Raw Dumps. and many more techniques http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
VMware image • *.vmem its nothing but RAM image of current VMware state. • Just select last updated *.vmem file for volatility analysis. • We need to suspend VMware OS.
Use ‘DumpIT’ for Memory Dump • “DumpIT.exe” just run file it will ask for dumping memory. • Just make sure you have enough space for dumping memory. • It will dump in root folder with extension .raw.
Some Situations when Volatility is useful • Ransom ware screen lock . • After Infection we are not able to run any reversing tool. • Kernel driver is encrypted or packed and we need to unpack. • Strong anti debugging and protections applied for packed files and we need unpacked file.
Volatility syntax • volatility.exe [plugin] -f [image] --profile=[profile] Default profile of WinXPSP2x86 is set internally. • Volatility.exe pslist –f “malware.raw” • Volatility.exe pstree –f “malware.raw” • Volatility.exe connections –f “malware.raw” • Volatility.exe malfind –f “malware.vmem” • http://code.google.com/p/volatility/
Some more commands • “driverscan” will display all loaded drivers. • “apihooks” will display all hooks in memory.(It takes time) • If want to use some command only for one process we can use • “-p 1624” (1624 is PID) • e.g volatility.exe –f “memory.raw” –p 1220 modules It Will display loaded modules of PID 1220 • http://code.google.com/p/volatility/wiki/CommandReference21
Commands.. • “malfind” • Volatility.exe –f “malware.vmem” malfind • It can find injected code and dll. • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#malfind • ‘apihooks’ • Volatility.exe –f “malware.vmem” apihooks • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#apihooks • Both this commands will take time, I will suggest to redirect the output of these commands to text file.
Command.. • ‘procmemdump’ “Volatility.exe –f “malware.vmem” procmemdump –d dump_folder/ p 1624” To dump executable of PID 1624 to path “dump_folder” http://code.google.com/p/volatility/wiki/CommandReference23#procmemdu mp • ‘connections’ “volatility.exe –f “ransomware.vmem” connections” Similarly we can use sockets and some other commands related network. • http://code.google.com/p/volatility/wiki/CommandReference23#co nnections
Commands.. • ‘devicetree’ Volatility –f “necurs.vmem” devicetree (for rootkit analysis) • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#devicetree • ‘moddump’ Volatility –f “necurs.vmem” moddump –D dump_folder/ Will dump all kernel drivers http://code.google.com/p/volatility/wiki/CommandReference23#m oddump
Commands.. • ‘printkey’ • “volatility.exe –f “ransomware.vmem” printkey -K "Microsoftwindows NTCurrentVersionWinlogon“ It will display winlogon key contents similarly we can check run key to auto start objects. http://code.google.com/p/volatility/wiki/CommandReference23#pr intkey
Ransom ware • Volatility is useful in Winlock situations(VMware). - Process running.(pstree) - connections.(connections,sockets) - injection.(malfind) - Registry changes.(printkey) - Dump the Executable.(procmemdump)
Necurs • I am explaining here only how to dump necurs kernel driver. This driver will cause BSOD in Vmware once its loaded in memory so we need to suspend VMware after login screen before bsod. • “NtSecureSys” • • • • Use “devicetree” Check unknown entries in report Search “NtSecureSys” necurs device name. Dump all drivers using “moddump or We can dump one specific driver using base address. • Use of “driverirp” –r ddc9572038295e1f.
Conclusion • Open source framework , Python language plugin based architecture. • We can write plugin which are more useful with malwares. • Analyst should have Windows internals knowledge to use Volatility effectively. • http://code.google.com/p/volatility/
Thanks

Recomendados

CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
Anshul Tayal
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Jared Greenhill
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 

Recomendados

CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
Anshul Tayal
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Jared Greenhill
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
iOS Forensics
iOS Forensics iOS Forensics
iOS Forensics
Tjylen Veselyj
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
Riyaz Walikar
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Olga Kochetova
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
Frank Boldewin
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
Brent Muir
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
NTFS vs FAT
NTFS vs FATNTFS vs FAT
NTFS vs FAT
Tanveer Ahmed
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
Himanshu0734
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
ParminderKaurBScHons
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
Michael Boelen
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
Taha İslam YILMAZ
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
Andrew Case
 
A SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVINGA SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVING
IJCSES Journal
 

Más contenido relacionado

La actualidad más candente

Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Olga Kochetova
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 

La actualidad más candente (20)

iOS Forensics
iOS Forensics iOS Forensics
iOS Forensics
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
NTFS vs FAT
NTFS vs FATNTFS vs FAT
NTFS vs FAT
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 

Destacado

A SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVINGA SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVING
IJCSES Journal
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
Abdulrahman Bassam
 
Semantics aware malware detection ppt
Semantics aware malware detection pptSemantics aware malware detection ppt
Semantics aware malware detection ppt
Manish Yadav
 
Weka presentation
Weka presentationWeka presentation
Weka presentation
Saeed Iqbal
 

Destacado (12)

Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
A SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVINGA SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVING
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
 
Digital forensic | DIGITAL FORENSIC
Digital forensic | DIGITAL FORENSICDigital forensic | DIGITAL FORENSIC
Digital forensic | DIGITAL FORENSIC
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysis
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Semantics aware malware detection ppt
Semantics aware malware detection pptSemantics aware malware detection ppt
Semantics aware malware detection ppt
 
Weka presentation
Weka presentationWeka presentation
Weka presentation
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 

Similar a Malware analysis using volatility

Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
briancrawford30935
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
Bo-Yi Wu
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
Nephi Johnson
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDays Riga
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
Salesforce Engineering
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 

Similar a Malware analysis using volatility (20)

Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
The Modern Developer Toolbox
The Modern Developer ToolboxThe Modern Developer Toolbox
The Modern Developer Toolbox
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-way
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQDocker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
 
Android build on windows
Android build on windowsAndroid build on windows
Android build on windows
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with Podman
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
 
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Debugging webOS applications
Debugging webOS applicationsDebugging webOS applications
Debugging webOS applications
 
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony AppsSymfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Operating Docker
Operating DockerOperating Docker
Operating Docker
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Malware analysis using volatility

  • 2. Why Memory Analysis of Malware? - Injected code or file. - Different Hooks. - Unpacked file. - Kernel memory Accessibility. - Memory/registry forensics.
  • 3. Volatility • Memory forensic on Windows, Linux, Mac and Android. • Easily available plugin and documentation. • We can use on variety of file formats (memory image). • Works on Only RAM content. No Hard disk content. http://code.google.com/p/volatility/wiki/VolatilityIntroduction
  • 4. Memory Imaging for Analysis • Crash Dumps. • Livekd Dumps. • Virtual Machine Imaging. • Raw Dumps. and many more techniques http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
  • 5. VMware image • *.vmem its nothing but RAM image of current VMware state. • Just select last updated *.vmem file for volatility analysis. • We need to suspend VMware OS.
  • 6. Use ‘DumpIT’ for Memory Dump • “DumpIT.exe” just run file it will ask for dumping memory. • Just make sure you have enough space for dumping memory. • It will dump in root folder with extension .raw.
  • 7. Some Situations when Volatility is useful • Ransom ware screen lock . • After Infection we are not able to run any reversing tool. • Kernel driver is encrypted or packed and we need to unpack. • Strong anti debugging and protections applied for packed files and we need unpacked file.
  • 8. Volatility syntax • volatility.exe [plugin] -f [image] --profile=[profile] Default profile of WinXPSP2x86 is set internally. • Volatility.exe pslist –f “malware.raw” • Volatility.exe pstree –f “malware.raw” • Volatility.exe connections –f “malware.raw” • Volatility.exe malfind –f “malware.vmem” • http://code.google.com/p/volatility/
  • 9. Some more commands • “driverscan” will display all loaded drivers. • “apihooks” will display all hooks in memory.(It takes time) • If want to use some command only for one process we can use • “-p 1624” (1624 is PID) • e.g volatility.exe –f “memory.raw” –p 1220 modules It Will display loaded modules of PID 1220 • http://code.google.com/p/volatility/wiki/CommandReference21
  • 10. Commands.. • “malfind” • Volatility.exe –f “malware.vmem” malfind • It can find injected code and dll. • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#malfind • ‘apihooks’ • Volatility.exe –f “malware.vmem” apihooks • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#apihooks • Both this commands will take time, I will suggest to redirect the output of these commands to text file.
  • 11. Command.. • ‘procmemdump’ “Volatility.exe –f “malware.vmem” procmemdump –d dump_folder/ p 1624” To dump executable of PID 1624 to path “dump_folder” http://code.google.com/p/volatility/wiki/CommandReference23#procmemdu mp • ‘connections’ “volatility.exe –f “ransomware.vmem” connections” Similarly we can use sockets and some other commands related network. • http://code.google.com/p/volatility/wiki/CommandReference23#co nnections
  • 12. Commands.. • ‘devicetree’ Volatility –f “necurs.vmem” devicetree (for rootkit analysis) • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#devicetree • ‘moddump’ Volatility –f “necurs.vmem” moddump –D dump_folder/ Will dump all kernel drivers http://code.google.com/p/volatility/wiki/CommandReference23#m oddump
  • 13. Commands.. • ‘printkey’ • “volatility.exe –f “ransomware.vmem” printkey -K "Microsoftwindows NTCurrentVersionWinlogon“ It will display winlogon key contents similarly we can check run key to auto start objects. http://code.google.com/p/volatility/wiki/CommandReference23#pr intkey
  • 14. Ransom ware • Volatility is useful in Winlock situations(VMware). - Process running.(pstree) - connections.(connections,sockets) - injection.(malfind) - Registry changes.(printkey) - Dump the Executable.(procmemdump)
  • 15. Necurs • I am explaining here only how to dump necurs kernel driver. This driver will cause BSOD in Vmware once its loaded in memory so we need to suspend VMware after login screen before bsod. • “NtSecureSys” • • • • Use “devicetree” Check unknown entries in report Search “NtSecureSys” necurs device name. Dump all drivers using “moddump or We can dump one specific driver using base address. • Use of “driverirp” –r ddc9572038295e1f.
  • 16. Conclusion • Open source framework , Python language plugin based architecture. • We can write plugin which are more useful with malwares. • Analyst should have Windows internals knowledge to use Volatility effectively. • http://code.google.com/p/volatility/