Malware Analysis
Using Volatility
Yashashree Shivaji Gund
Why Memory Analysis of Malware?
- Injected code or files that exist only in memory.
- Hooks of different kinds (user-mode API hooks, SSDT and IRP hooks).
- Unpacked code: the malware unpacks itself in memory, so memory holds the decrypted image.
- Access to kernel memory (drivers and kernel objects).
- Memory and registry forensics (the registry hives are cached in memory).
Volatility
• Memory forensics on Windows, Linux, Mac and Android.
• Plugins and documentation are freely available.
• Accepts a variety of memory image formats (raw dumps, Windows crash dumps, hibernation files, VMware snapshots).
• Works on RAM content only; it does not read the disk, so file-system artefacts need other tools.
http://code.google.com/p/volatility/wiki/VolatilityIntroduction
Memory Imaging for Analysis
• Crash dumps.
• LiveKd dumps.
• Virtual machine imaging.
• Raw dumps.
and many more techniques:
http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
VMware image
• A *.vmem file is nothing but the RAM image of the VM's current state.
• Suspend the VM first, so the guest memory is written out consistently.
• Then select the most recently updated *.vmem file for Volatility analysis.
Use 'DumpIt' for Memory Dump
• Run DumpIt.exe; it asks for confirmation and then dumps physical memory.
• Make sure there is enough free space: the dump is as large as the machine's RAM.
• It writes the dump as a .raw file into the folder it was run from.
Some Situations when Volatility is useful
• Ransomware screen lock: the desktop is blocked, but the VM's memory can still be imaged.
• After infection we are not able to run any reversing tool on the live system.
• The kernel driver is encrypted or packed and we need the unpacked image.
• Strong anti-debugging and protections are applied to packed files and we need the unpacked code; memory holds it once the malware has run.
Volatility syntax
• volatility.exe [plugin] -f [image] --profile=[profile]
If --profile is omitted, the default WinXPSP2x86 is used; for any other OS identify the profile with imageinfo or kdbgscan and pass it explicitly, otherwise the plugins return nothing or garbage.
• volatility.exe pslist -f "malware.raw"
• volatility.exe pstree -f "malware.raw"
• volatility.exe connections -f "malware.raw" (XP/2003 images only; use netscan on Vista and later)
• volatility.exe malfind -f "malware.vmem"
• http://code.google.com/p/volatility/
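The pslist and pstree listings are only useful once you know what a normal process tree looks like. The script below is an added example, not part of the slides or of Volatility itself: it parses a constructed pslist listing (Volatility 2.x column layout is assumed) and flags processes whose parent breaks the Windows XP genealogy that goes with the default WinXPSP2x86 profile, plus names that are one or two edits away from a core system process. The allow-list of expected parents is a hypothetical baseline encoded by hand.

```python
"""Triage a Volatility 2 'pslist' listing for parent/child anomalies.

Added example, not part of the original slides. It assumes the Windows XP
process genealogy that goes with the deck's default WinXPSP2x86 profile and
the Volatility 2.x pslist column layout; the listing below is constructed.
"""
import re

# Constructed sample of `volatility.exe pslist -f malware.raw` output.
# Two anomalies are planted: PID 1844 (svchost.exe spawned by explorer.exe)
# and PID 1624 (scvhost.exe, a look-alike name).
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-05-14 09:08:53 UTC+0000
0x822a0598 csrss.exe               584    368      9      326      0      0 2012-05-14 09:08:54 UTC+0000
0x82298700 winlogon.exe            608    368     23      519      0      0 2012-05-14 09:08:54 UTC+0000
0x81e2ab28 services.exe            652    608     16      243      0      0 2012-05-14 09:08:54 UTC+0000
0x81e2a3b8 lsass.exe               664    608     21      330      0      0 2012-05-14 09:08:54 UTC+0000
0x81e0a020 svchost.exe             856    652     17      192      0      0 2012-05-14 09:08:55 UTC+0000
0x81db9250 explorer.exe           1464   1416     11      330      0      0 2012-05-14 09:09:01 UTC+0000
0x81d0f600 svchost.exe            1844   1464      4       61      0      0 2012-05-14 09:12:40 UTC+0000
0x81c8b020 scvhost.exe            1624    856      2       44      0      0 2012-05-14 09:12:41 UTC+0000
"""

# Hypothetical allow-list: which image may legitimately be the parent of each
# core Windows XP system process (names are compared lower-case).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
}
# explorer.exe is started by userinit.exe, which exits, so its PPID is
# normally absent from pslist; System has no parent at all.
EXEMPT = {"system", "explorer.exe"}

# Offset, name, PID, PPID; header and ruler lines never match.
ROW_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s", re.I)


def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs):
    """Return [(pid, name, reason)] for processes that break the genealogy."""
    findings = []
    for pid, (name, ppid) in procs.items():
        lname = name.lower()
        parent = procs.get(ppid, ("", 0))[0].lower()
        if lname in EXPECTED_PARENT:
            if not parent:
                findings.append((pid, name, f"parent PID {ppid} not in list"))
            elif parent not in EXPECTED_PARENT[lname]:
                findings.append((pid, name, f"unexpected parent {parent} ({ppid})"))
        elif lname not in EXEMPT:
            # A non-system name that almost spells a system name is suspicious.
            for sysname in EXPECTED_PARENT:
                if 0 < edit_distance(lname, sysname) <= 2:
                    findings.append((pid, name, f"lookalike of {sysname}"))
                    break
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid:>5} {name:<16} {reason}")
```

Run it against the redirected output of the real pslist command (`volatility.exe pslist -f "malware.raw" > pslist.txt`) by reading the file instead of SAMPLE_PSLIST. On Vista and later the expected parents change (wininit.exe instead of winlogon.exe for services.exe and lsass.exe), so the allow-list has to follow the profile.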
Some more commands
• "driverscan" scans physical memory for DRIVER_OBJECT allocations, so it also finds drivers whose module was unlinked from the loaded-module list; compare its output with "modules" and "modscan".
• "apihooks" displays API hooks in user and kernel memory. (It takes time.)
• To run a process-level plugin for only one process, add "-p 1624" (1624 is the PID).
• e.g. volatility.exe -f "memory.raw" -p 1220 dlllist
It will display the DLLs loaded in PID 1220. ("modules" lists kernel drivers and takes no -p option.)
http://code.google.com/p/volatility/wiki/CommandReference21
Commands..
• "malfind"
• volatility.exe -f "malware.vmem" malfind
• It finds injected code and DLLs: private (VadS) memory regions with execute permission that are not backed by a file on disk, printed with a hexdump and disassembly of their first bytes.
• http://code.google.com/p/volatility/wiki/CommandReferenceMal23#malfind
• 'apihooks'
• volatility.exe -f "malware.vmem" apihooks
• http://code.google.com/p/volatility/wiki/CommandReferenceMal23#apihooks
• Both commands take time, so redirect their output to a text file (e.g. "> malfind.txt") and work from that.
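Once malfind output is in a text file, most of the work is sorting real injections from noise. The script below is an added example, not from the slides or from Volatility: it parses a constructed malfind report (the Volatility 2.x layout of a `Process:` header, a `Vad Tag:` line and four 16-byte hexdump rows is assumed) and gives each region a coarse verdict from its first 64 bytes. The three verdict classes and the rule for each are my own heuristics, not malfind's.

```python
"""Triage redirected Volatility 2 'malfind' output.

Added example, not part of the original slides. It assumes the Volatility
2.x malfind text layout (a 'Process:' header, a 'Vad Tag:' line, then four
16-byte hexdump rows followed by a disassembly); the output below is
constructed, not taken from a real image.
"""
import re

# Constructed sample of `volatility.exe -f malware.vmem malfind > malfind.txt`:
# an injected PE in explorer.exe, an untouched RWX page in svchost.exe, and
# headerless code bytes in winlogon.exe.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1464 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01460010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x01460020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01460030  00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00   ................

0x1460000 4d               DEC EBP
0x1460001 5a               POP EDX
0x1460002 90               NOP

Process: svchost.exe Pid: 856 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00980000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00980010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00980020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00980030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x980000 0000             ADD [EAX], AL
0x980002 0000             ADD [EAX], AL

Process: winlogon.exe Pid: 608 Address: 0x8f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x008f0000  fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30 8b   ......`..1.d.P0.
0x008f0010  52 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff ac 3c   R..R..r(..J&1..<
0x008f0020  61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f2 52 57 8b 52   a|., ........RW.R
0x008f0030  10 8b 4a 3c 8b 4c 11 78 e3 48 01 d1 51 8b 59 20   ..J<.L.x.H..Q.Y 
"""

HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag:\s+(\S+)\s+Protection:\s+(\S+)")
# Exactly 16 space-separated byte pairs; the disassembly lines print their
# opcode bytes without spaces, so they never match this pattern.
HEXROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){15}[0-9a-fA-F]{2})\s{2,}")


def parse_malfind(text):
    """Return one dict per reported region, with the 64 dumped bytes."""
    hits, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "vad_tag": None,
                   "protection": None, "data": b""}
            hits.append(cur)
            continue
        if cur is None:
            continue
        m = VAD_RE.match(line)
        if m:
            cur["vad_tag"], cur["protection"] = m.group(1), m.group(2)
            continue
        m = HEXROW_RE.match(line)
        if m:
            cur["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return hits


def classify(hit):
    """Coarse verdict from the first 64 bytes of the private executable region."""
    data = hit["data"]
    if data[:2] == b"MZ":
        return "pe_image"        # a whole PE in private RWX memory: DLL/EXE injection
    if not data.strip(b"\x00"):
        return "zero_page"       # committed but never written; usually benign
    return "code_candidate"      # headerless non-zero bytes: possible shellcode


def triage(text):
    """Group hits by verdict as 'process:pid@address' strings."""
    report = {"pe_image": [], "code_candidate": [], "zero_page": []}
    for hit in parse_malfind(text):
        report[classify(hit)].append(f"{hit['process']}:{hit['pid']}@0x{hit['address']:x}")
    return report


if __name__ == "__main__":
    for verdict, regions in triage(SAMPLE_MALFIND).items():
        print(f"{verdict:<15}", ", ".join(regions) or "-")
```

"pe_image" hits are the ones to extract first (malfind's own -D option writes each region to disk); "code_candidate" regions need the disassembly read by hand, and "zero_page" regions can usually wait.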
Command..
• 'procmemdump'
"volatility.exe -f "malware.vmem" procmemdump -D dump_folder/ -p 1624"
Dumps the executable of PID 1624 to "dump_folder" (as executable.1624.exe). If it fails because the PE header in memory is damaged, add -u/--unsafe to bypass the sanity checks.
http://code.google.com/p/volatility/wiki/CommandReference23#procmemdump
• 'connections'
"volatility.exe -f "ransomware.vmem" connections"
Works on XP/2003 images only. Similarly we can use sockets, connscan and sockscan; on Vista and later use netscan.
• http://code.google.com/p/volatility/wiki/CommandReference23#connections
Commands..
• 'devicetree'
volatility.exe -f "necurs.vmem" devicetree
(for rootkit analysis: it prints every driver object with its devices and any devices attached on top of them, so filter devices inserted by a rootkit stand out)
• http://code.google.com/p/volatility/wiki/CommandReferenceMal23#devicetree
• 'moddump'
volatility.exe -f "necurs.vmem" moddump -D dump_folder/
Dumps all kernel drivers to dump_folder; add -b <base address> or -r <name regex> to dump only one.
http://code.google.com/p/volatility/wiki/CommandReference23#moddump
Commands..
• 'printkey'
• volatility.exe -f "ransomware.vmem" printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
It displays the Winlogon key contents (check the Shell and Userinit values, which screen lockers replace or extend); similarly we can check the Run key, -K "Microsoft\Windows\CurrentVersion\Run", for autostart entries. The key path is relative to the hive root, and printkey prints the key from every hive that contains it.
http://code.google.com/p/volatility/wiki/CommandReference23#printkey
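Checking the Winlogon and Run keys by eye works for one image; the script below is an added example, not from the slides or from Volatility, that does it from redirected printkey output. It parses a constructed report for the two keys (Volatility 2.x printkey layout is assumed) and flags a Shell value that is anything other than Explorer.exe, a Userinit value that is not the system userinit.exe, and Run entries that launch from user-writable locations. The XP default values and the list of user-writable path markers are hypothetical baselines encoded by hand.

```python
"""Check Winlogon and Run key values from redirected Volatility 2 'printkey' output.

Added example, not part of the original slides. It assumes the Volatility
2.x printkey text layout and Windows XP default values for the Winlogon
Shell and Userinit entries; the report below is constructed.
"""
import re

# Constructed output of two printkey runs redirected into one file:
#   printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
#   printkey -K "Microsoft\Windows\CurrentVersion\Run"
# The Shell value and the 'winupdt' Run entry are the planted persistence.
SAMPLE_PRINTKEY = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2012-05-14 09:12:44 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        Shell           : (S) Explorer.exe, C:\Documents and Settings\user\Local Settings\Temp\lock.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,
REG_DWORD     AutoRestartShell : (S) 1
REG_SZ        DefaultUserName : (S) user
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2012-05-14 09:12:45 UTC+0000

Subkeys:

Values:
REG_SZ        VMware Tools    : (S) "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
REG_SZ        winupdt         : (S) C:\Documents and Settings\user\Application Data\winupdt.exe
"""

KEY_RE = re.compile(r"^Key name:\s+(.+?)\s+\((S|V)\)")
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\((S|V)\)\s?(.*)$")
# Assumed XP default: %SystemRoot%\system32\userinit.exe with optional trailing comma.
USERINIT_RE = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$", re.I)
# Hypothetical markers for locations a non-admin user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\",
                 "\\users\\", "%temp%", "%appdata%")


def parse_printkey(text):
    """Return {key_name: {value_name: (reg_type, data)}} for every key block."""
    keys, cur = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cur = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and cur is not None:
            cur[m.group(2)] = (m.group(1), m.group(4))
    return keys


def check_winlogon(values):
    """Shell must be exactly Explorer.exe; Userinit must be the system binary."""
    findings = []
    shell = values.get("Shell", ("", ""))[1].strip()
    if shell.lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell modified: {shell}")
    userinit = values.get("Userinit", ("", ""))[1].strip()
    if not USERINIT_RE.match(userinit):
        findings.append(f"Winlogon\\Userinit modified: {userinit}")
    return findings


def check_run(values):
    """Flag autostart entries that run from user-writable paths."""
    findings = []
    for name, (_, data) in values.items():
        if any(marker in data.lower() for marker in USER_WRITABLE):
            findings.append(f"Run\\{name} launches from user-writable path: {data}")
    return findings


def triage(text):
    """Run both checks over a printkey report; returns a list of finding strings."""
    keys = parse_printkey(text)
    findings = []
    if "Winlogon" in keys:
        findings += check_winlogon(keys["Winlogon"])
    if "Run" in keys:
        findings += check_run(keys["Run"])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PRINTKEY):
        print(finding)
```

The Shell finding is the classic Winlock pattern: the locker appends itself to Explorer.exe so it starts with every logon. On Vista and later the same check applies, but the Run key should also be read from each user's NTUSER.DAT hive, which printkey prints when the key exists there.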
Ransomware
• Volatility is useful in Winlock (screen-locker) situations in VMware:
- Running processes (pstree)
- Network connections (connections, sockets)
- Code injection (malfind)
- Registry changes (printkey)
- Dump the executable (procmemdump)
Necurs
• Here I explain only how to dump the Necurs kernel driver. This driver causes a BSOD in VMware once it is loaded in memory, so we need to suspend the VM after the login screen and before the BSOD.
• The device name to look for is "NtSecureSys".
• Use "devicetree".
• Check unknown entries in the report.
• Search for "NtSecureSys", the Necurs device name.
• Dump all drivers using "moddump", or dump one specific driver using its base address (-b).
• Use "driverirp" -r ddc9572038295e1f to list the driver's IRP major-function handlers; entries that point outside the driver's own image indicate hooking.
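A rootkit driver that unlinks itself from the loaded-module list still leaves its pool allocation behind, which is why "modules" and "modscan" are worth comparing before dumping. The script below is an added example, not from the slides or from Volatility: it parses constructed listings from both plugins (Volatility 2.x column layout is assumed), reports the modules that only the pool scan sees, and builds the moddump command that extracts each one by base address, as the slide's "dump one specific driver using base address" step describes. The unlinked driver's file name reuses the deck's driverirp regex as a .sys name; that name and both listings are constructed.

```python
"""Cross-view check: kernel modules seen by 'modscan' but not by 'modules'.

Added example, not part of the original slides. 'modules' walks the kernel's
linked list of loaded modules; 'modscan' scans physical memory for module
pool allocations, so a driver that unlinked itself shows up only in the
second. Column layout follows Volatility 2.x; both listings are constructed,
and the unlinked driver's name reuses the deck's Necurs driverirp regex.
"""
import re

# Constructed `volatility.exe -f necurs.vmem modules` output (linked list).
SAMPLE_MODULES = r"""
Offset(V)  Name                 Base                             Size File
---------- -------------------- ------------------ ------------------ ----
0x823fc3a0 ntoskrnl.exe         0x00000000804d7000           0x214580 \WINDOWS\system32\ntoskrnl.exe
0x823fc438 hal.dll              0x00000000806ec000            0x20300 \WINDOWS\system32\hal.dll
0x823fc4d0 KDCOM.DLL            0x00000000f8b9a000             0x2000 \WINDOWS\system32\KDCOM.DLL
0x8219e2a8 tcpip.sys            0x00000000f8486000            0x58000 \SystemRoot\system32\DRIVERS\tcpip.sys
"""

# Constructed `volatility.exe -f necurs.vmem modscan` output (pool scan);
# the last entry is the driver missing from the linked list.
SAMPLE_MODSCAN = r"""
Offset(P)  Name                 Base                             Size File
---------- -------------------- ------------------ ------------------ ----
0x01b2e3a0 ntoskrnl.exe         0x00000000804d7000           0x214580 \WINDOWS\system32\ntoskrnl.exe
0x01b2e438 hal.dll              0x00000000806ec000            0x20300 \WINDOWS\system32\hal.dll
0x01b2e4d0 KDCOM.DLL            0x00000000f8b9a000             0x2000 \WINDOWS\system32\KDCOM.DLL
0x0239e2a8 tcpip.sys            0x00000000f8486000            0x58000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x0251c9f8 ddc9572038295e1f.sys 0x00000000f8a7c000            0x1a000 \??\C:\WINDOWS\system32\drivers\ddc9572038295e1f.sys
"""

# Offset, name, base, size, optional file path; header and ruler never match.
MOD_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*(\S*)", re.I)


def parse_modules(text):
    """Return {base_address: {'name', 'size', 'file'}} from modules/modscan output."""
    mods = {}
    for line in text.splitlines():
        m = MOD_RE.match(line)
        if m:
            mods[int(m.group(2), 16)] = {"name": m.group(1),
                                         "size": int(m.group(3), 16),
                                         "file": m.group(4)}
    return mods


def hidden_modules(linked, scanned):
    """Modules present in the pool scan but missing from the linked-list walk.

    Caveat: modscan also resurrects freed entries of drivers that unloaded
    normally, so confirm with 'unloadedmodules' before calling it a rootkit.
    """
    return {base: info for base, info in scanned.items() if base not in linked}


def moddump_commands(image, profile, hidden, dump_dir="dump_folder"):
    """Build one moddump invocation per hidden driver, selected by base address."""
    return [f'volatility.exe -f "{image}" --profile={profile} moddump -D {dump_dir}/ -b 0x{base:x}'
            for base in sorted(hidden)]


if __name__ == "__main__":
    linked = parse_modules(SAMPLE_MODULES)
    scanned = parse_modules(SAMPLE_MODSCAN)
    hidden = hidden_modules(linked, scanned)
    for base, info in hidden.items():
        print(f"hidden: {info['name']} base=0x{base:x} size=0x{info['size']:x} {info['file']}")
    for cmd in moddump_commands("necurs.vmem", "WinXPSP2x86", hidden):
        print(cmd)
```

The same base address also feeds "driverirp": once the driver is dumped, compare the IRP handler addresses it reports against the hidden module's base and size to see which dispatch entries point into it and which point elsewhere.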
Conclusion
• Open-source framework with a Python, plugin-based architecture.
• We can write our own plugins targeted at specific malware families.
• The analyst should have Windows internals knowledge to use Volatility effectively.
• http://code.google.com/p/volatility/
Thanks