0xMohammed

Volatility - plugins

• Process Listing

  • pslist - walks the doubly-linked list pointed to by PsActiveProcessHead
  • pstree - print process tress
  • psscan - enumerate processes using pool tag scanning
  • psdispscan - enumerates processes by scanning for DISPATCHER_HEADER
  • psxview - Detect hidden processes
• handles - display open handles in a process

  • Important Parameters
    • -p: pids, comma separated)
    • -P: use physical offsets)
    • -t: types, comma separated)
    • -s: suppress results that are "less meaningful"
  • Investigative Notes
    • May help discover unknown relationships between processes via common use of identical handles
    • For most investigations, -s should be used as a default
• enumfunc - enumerates imported and exported functions

  • Important Parameters
    • -s Scan for objects
    • -P Show only process imports/exports
    • -K Show only kernel imports/exports
    • -I Show only imports
    • -E Show only exports
  • Investigative Notes
    • Primarily useful for malware analysts
    • Can be used for preliminary capability analysis
• dlllist - display a process's loaded DLLs

  • Important Parameters
    • -p pids, comma separated>
  • Investigative Notes
    • The DLLs loaded into a process can be used to infer functionality
    • Networking DLLs in processes that don't normally use networking may indicate code injection
• VADs Exploration

  • vadwalk - Display all VADs in list form
  • vadtree - Display all VADs in tree form
  • vadlist - List short details for each VAD
  • vadinfo - Display detailed VAD information
  • vaddump - Copy frames from VADs to the disk
• procdump - dump process executable
• impfuzzy - comparing the impfuzzy and imphash

Volatility - volshell

• Explore Processes

  • ps() -> List processes
  • cc(pid=4) -> Change to another process
• EPROCESS structure analysis

  • dt(proc()) -> list current process EPROCESS structure
  • dt("_EPROCESS", virtualadderss, space=addrspace) -> Expand the EPROCEES structure using virtual address
  • dt("_EPROCESS", physicaladderss, space=addrspace) -> Expand the EPROCEES structure using physical address
• PEB structure analysis

  • dt(proc().Peb) -> list current process PEB structure
  • dt("_PEB", virtualadderss, space=addrspace) -> Expand the PEB structure using virtual address
  • dt("_PEB", physicaladderss, space=addrspace) -> Expand the PEB structure using physical address
  • Important info in PEB structure

    • BeingDebugged -> some malicious programs set up a process and then connect a "debugger" to it
    • OSMajorVersion & OSMinorVersion -> correspond to the host operating system
    • OSBuildNumber
    • OSCSDVersion -> the service pack number multiplied by 0x100
    • ProcessParameters -> The pointer is to the process parameters.
    • Ldr -> Contains information about the loaded modules for the process.

Rekall - plugins

• Process Listing

  • pslist - list processes using all methods by default.
  • pstree - walk the task_struct.children and task_struct.sibling members to print process tress.
  • psscan - Scan Physical memory for \_EPROCESS pool allocations.
  • psxview - Find hidden processes with various process listings
• handles - print list of open handles to each process
• dlllist - display a process's loaded DLLs
• procdump - dump process executables
• vad - dump of the VAD.

Notes

• Providing KDBG virtual offsets to volatility with '-g' will speed up the process.
• Use redline to get a quick insight on the memory dump
• Suspicious Processes Indicators

  • Check parent/child relationships Processes run by users -> Have Explorer as an ancestor & Processes run by SYSTEM -> Have system as an ancestor
  • Look for irrelvant imports network apis used by notepad process
  • Valid Program Names: Programmers choose human readable names. Lookout for random series of characters.
  • Ending in .exe: Legitimate programs have a valid extension. Malware often leaves a blank extension.
  • More than one or two characters in the filename: Legitimate programs have a name, not just an ID number.
  • Spelling mistakes: Malware authors may not be native English speakers.
  • Correct file locations: Finding an executable starting from any uncommon directory is a sign of trouble.
  • Valid command line arguments: Processes are often launched with specific parameters.
  • Check Process Singletons: Some processes should never have more than one copy in process list
  • Use impfuzzy to compare Import Table hash with known variants
• Dealing with suspicious processes

  • Dump process executables
  • Use strings to look for Indicators of Packing and Persistence
  • Submit executables to online services as VirusTotal
  • Check opened handles for this process

This site is open source. Improve this page.