MEMORY ANALYSIS TOOLS


I have been teaching myself how to analyze memory dumps from various window machines.  Memory analysis has come a long way in a very short period of time and there are tools out there that do a very good job of parsing through these memory dumps.  So I thought I would provide a little information to the community on what tools are out there and some basic uses of these tools. 

 

Acquistion of Memory

 

win32dd-This is the easiest of the command line tools and probably one of the most used “open source” tools out there.  The basic syntax is as follows:

 

win32dd (output file)

 

That’s it, all you need to do is provide the name of the output file and where you want it saved.

 

There are also some “commercial” products out there like (Encase and FTK) but I will only be discussing “open source” tools in this blog.

 

Analysis of Memory

The following tools are the ones that I have used in the past and I realize there are probably more out there.

 

Memparser-This is a python script and can be found in the SANS Sift Workstation and is only used against Windows 2000 machines.

Memoryze-This tool was created by Kevin Mandia’s company “Mandiant” and is a free dowload.  This tool will only work on Windows XP SP2 and SP3, Windows Vista and Windows 2003 SP2.  There is a very good paper out there on how to use this tool at http://www.issa.org/Library/Journals/2009/February/McRee-toolsmith.pdf.

Volatility 1.3-This is a command line tool and is open source and contains “plugins” written by the community to parse through Windows XP SP2 and SP3 memory dump only.  This tool can be downloaded using SVN and the url is http://volatiltiy.googlecode.com.

Volatility 1.4_RC1-This is the latest version of volatility and has not been officially released yet but it can still be downloaded and used against Window 7 memory dumps only.  There is no documentation as of yet but should be available this summer.

 

Basic Use of Volatility

 

Once you have it downloaded the tool you will need to also download all the 3rd party plugins.  A bash script is available that will download all the plugins and place them in the appropriate folder.  It will also download the most current released version of volatility and install all perl modules needed to ensure the tool works properly.  This script can be dowloaded HERE.  Once all that is done then you can execute the following syntax to get a listing of available plugins:

 

python volatility –help

 

Plugin Description Primary Maintainer Core Vote
apihooks Find API hooks MHL .
bioskbd Reads the keyboard buffer from Real Mode memory MA Yes
connections Print list of open connections . Yes
connscan2 Scan Physical memory for TCPT_OBJECT objects (tcp connections) . Yes
crashdump Dumps the crashdump file to a raw file . Yes
crashinfo Dump crash-dump information . Yes
csrpslist Find hidden processes with csrss handles and CsrRootProcess MHL .
datetime Get date/time information for image MA Yes
dlllist Print list of loaded dlls for each process . Yes
dlldump Dump a DLL from a process address space MHL Yes (in contrib folder)
driverirp Driver IRP hook detection MHL .
driverscan Scan for driver objects DRIVER_OBJECT . .
files Print list of open files for each process . Yes
filescan Scan Physical memory for FILE_OBJECT pool allocations . .
getsids Print the SIDs owning each process moyix Yes
hashdump Dumps passwords hashes (LM/NTLM) from memory moyix Yes
hibdump Dumps the hibernation file to a raw file . Yes
hibinfo Dump hibernation file information . Yes
hivedump Prints out a hive moyix Yes
hivelist Print list of registry hives. moyix Yes
hivescan Scan Physical memory for CMHIVE objects (registry hives) moyix Yes
idt Display Interrupt Descriptor Table MHL .
imageinfo Identify information for the image MA Yes
impscan Scan a module for imports (API calls) MHL .
ldrmodules Detect unlinked DLLs MHL .
kpcrscan Search for and dump potential KPCR values scudette Yes
lsadump Dump (decrypted) LSA secrets from the registry moyix Yes
malfind Find hidden and injected code MHL .
memdump Dump the addressable memory for a process . Yes
memmap Print the memory map . Yes
moddump Dump out a kernel module (aka driver) . Yes (in contrib folder)
modscan2 Scan Physical memory for LDR_DATA_TABLE_ENTRY objects . Yes
modules Print list of loaded modules MA .
mutantscan Scan for mutant objects KMUTANT . .
mutantscandb mutantscan extension for highlighting suspicious mutexes MHL .
notifyroutines Print system-wide notification routines MHL .
orphanthread Locate hidden threads MHL .
patcher Patches memory based on page scans MA Yes
printkey Print a registry key, and its subkeys and values moyix Yes
procexedump Dump a process to an executable file sample . Yes
procmemdump Dump a process to an executable memory sample . Yes
pslist print all running processes by following the EPROCESS lists . Yes
psscan Scan Physical memory for EPROCESS objects . Yes
pstree Print process list as a tree scudette Yes
regobjkeys Print list of open regkeys for each process MA .
sockets Print list of open sockets . Yes
sockscan Scan Physical memory for ADDRESS_OBJECT objects (tcp sockets) . Yes
ssdt Display SSDT entries moyix Yes
ssdt_by_threads SSDT hooks by thread MHL .
ssdt_ex SSDT Hook Explorer for IDA Pro (and SSDT by thread) MHL .
strings Match physical offsets to virtual addresses (may take a while, VERY verbose) . .
svcscan Scan for Windows services MHL .
thrdscan Scan Physical memory for ETHREAD objects . Yes
thrdscan2 Scan physical memory for ETHREAD objects . Yes
vaddump Dumps out the vad sections to a file . .
vadinfo Dump the VAD info . .
vadtree Walk the VAD tree and display in tree format . .
vadwalk Walk the VAD tree . .

 

The above table shows all the current plugins for Volatility 1.4.

 


Plugin Author URL Description Status Supported OSes Core Vote
bioskbd AB & MA url Reads the keyboard buffer from Real Mode memory . . Yes
cryptoscan JesseK url Finds Truecrypt passphrases . . No
DriverIRP MHL url Prints driver IRP function addresses . . Yes
driverscan Andreas Schuster url Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . Yes
dmp2raw . . Convert a crash dump to a raw dump . . .
fileobjscan AKA filescan (1.4 branch) Andreas Schuster url File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . Yes
getsids Moyix url Get information about what user (SID) started a process. . . Yes
IDT MHL url Prints the Interrupt Descriptor Table (IDT) addresses for one processor . . Yes
kernel_hooks MHL url Detects IAT, EAT, and in-line hooks in kernel drivers instead of usermode modules . . Yes
keyboardbuffer Andreas Schuster url Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords. . . (Above)
kpcrscan Bradley Schatz url Finds potential KPCR addresses . . .
malfind2 MHL url Automates the process of finding and extracting (usually malicious) code injected into another process . . Yes
moddump Moyix url Dump out a kernel module (aka driver) . . Yes
mutantscan Andreas Schuster url Extracts mutexes from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . No
objtypescan Andreas Schuster url Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive) . . Yes
orphan_threads MHL url Detects hidden system/kernel threads . . No
patcher MA url Patches memory based on page scans . . Yes
psscan3 Moyix url Scans the physical address space looking for memory resident data structures associated with processes. . . Yes
pstree Scudette url Produces a tree-style listing of processes . . Yes
raw2dmp . . Convert a raw dump to a crash dump . . .
Registry Tools Moyix url A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys . . Yes
Modified Regripper & Glue Code Moyix url Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux. . . No
sqlite3 Gleeda url Allows one to place Volatility output into a SQLite3 Database . . As example
ssdt Moyix url List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table . . Yes
suspicious JesseK url Identify suspicious processes. This version counts any command line running Truecrypt or any command line that starts with a lower case drive letter as suspicious . . No
symlinkobjscan Andreas Schuster url Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . Yes
threadqueues Moyix url Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs. . . No
usermode_hooks MHL url Detect IAT/EAT/Inline rootkit hooks . . Yes
verinfo MA url Prints out the version information from PE images . . NO
Volatility Analyst Pack 0.1 MHL url A pack which contains updates to many of the listed modules . . (included above)
volshell Moyix url Creates a python shell can be used with the framework . . No

 

The above table shows all the plugins available for Volatiltiy 1.3.  There are also plenty of documentation on how to use this product, in fact, I wrote the manual on the use of this product which is located in the document library on this forum.  To view this manual click HERE.

 

One of the questions I always get from someone that is just starting out using this tool is “Which plugins do I use first and in what order.”  There is no right and wrong answer here but here is a list of some basic plugins I use just to see what is going on.

 

Date/TIme-This will give you the date and time of when the memory image was taken.

Ident-This will tell you about what operating system it came from.

Connscan-This will list the connections.

pstree and pslist-This will list all the processes in use at the time of the memory dump.  This is where you need to pay attention to the PID numbers and what service spawned what.  Once you find a suspected file or malware being spawned by for example “services.exe” then you would move on to the next plugin.

procdump-This will dump the process (exe) of the PID that you provide, so you need to make sure you give it the right PID number.

 

As with anything this tool requires the user to practice and become familiar with the plugins and what they can do.  Please take a look at some of the external links on the Training wiki to forensic challenges.

 

The last thing I want to discuss is the hiberfil.sys file.  This file will be found on a laptop computer that has gone into “hibernation mode” at some point.  The contents of the memory is dumped into the file in a compressed state.  So you need a tool to uncompress the memory so you can run these tools against it.  And it so happens that Volatility has a plugin that will do that for you.  That plugin is Hibinfo and the syntax is as follows: 

 

Python volatility hibinfo -f (path to image) -d (path and name of the output file ie memory.dd)

 

Once that is done then you can use volatility or whatever tool you like against the dump file.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s