SlideShare uma empresa Scribd logo

Malware analysis using volatility

Transferir como PPTX, PDF
Yashashree Gund
Yashashree Gund
Tecnologia
1 de 17
Malware Analysis Using Volatility Yashashree Shivaji Gund
Why Memory Analysis of Malware? - Injected code or file. - Different Hooks. - Unpacked file. - Kernel memory Accessibility. - Memory/registry forensics.
Volatility • Memory forensic on Windows, Linux, Mac and Android. • Easily available plugin and documentation. • We can use on variety of file formats (memory image). • Works on Only RAM content. No Hard disk content. http://code.google.com/p/volatility/wiki/VolatilityIntroduction
Memory Imaging for Analysis • Crash Dumps. • Livekd Dumps. • Virtual Machine Imaging. • Raw Dumps. and many more techniques http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
VMware image • *.vmem its nothing but RAM image of current VMware state. • Just select last updated *.vmem file for volatility analysis. • We need to suspend VMware OS.
Use ‘DumpIT’ for Memory Dump • “DumpIT.exe” just run file it will ask for dumping memory. • Just make sure you have enough space for dumping memory. • It will dump in root folder with extension .raw.
Some Situations when Volatility is useful • Ransom ware screen lock . • After Infection we are not able to run any reversing tool. • Kernel driver is encrypted or packed and we need to unpack. • Strong anti debugging and protections applied for packed files and we need unpacked file.
Volatility syntax • volatility.exe [plugin] -f [image] --profile=[profile] Default profile of WinXPSP2x86 is set internally. • Volatility.exe pslist –f “malware.raw” • Volatility.exe pstree –f “malware.raw” • Volatility.exe connections –f “malware.raw” • Volatility.exe malfind –f “malware.vmem” • http://code.google.com/p/volatility/
Some more commands • “driverscan” will display all loaded drivers. • “apihooks” will display all hooks in memory.(It takes time) • If want to use some command only for one process we can use • “-p 1624” (1624 is PID) • e.g volatility.exe –f “memory.raw” –p 1220 modules It Will display loaded modules of PID 1220 • http://code.google.com/p/volatility/wiki/CommandReference21
Commands.. • “malfind” • Volatility.exe –f “malware.vmem” malfind • It can find injected code and dll. • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#malfind • ‘apihooks’ • Volatility.exe –f “malware.vmem” apihooks • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#apihooks • Both this commands will take time, I will suggest to redirect the output of these commands to text file.
Command.. • ‘procmemdump’ “Volatility.exe –f “malware.vmem” procmemdump –d dump_folder/ p 1624” To dump executable of PID 1624 to path “dump_folder” http://code.google.com/p/volatility/wiki/CommandReference23#procmemdu mp • ‘connections’ “volatility.exe –f “ransomware.vmem” connections” Similarly we can use sockets and some other commands related network. • http://code.google.com/p/volatility/wiki/CommandReference23#co nnections
Commands.. • ‘devicetree’ Volatility –f “necurs.vmem” devicetree (for rootkit analysis) • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#devicetree • ‘moddump’ Volatility –f “necurs.vmem” moddump –D dump_folder/ Will dump all kernel drivers http://code.google.com/p/volatility/wiki/CommandReference23#m oddump
Commands.. • ‘printkey’ • “volatility.exe –f “ransomware.vmem” printkey -K "Microsoftwindows NTCurrentVersionWinlogon“ It will display winlogon key contents similarly we can check run key to auto start objects. http://code.google.com/p/volatility/wiki/CommandReference23#pr intkey
Ransom ware • Volatility is useful in Winlock situations(VMware). - Process running.(pstree) - connections.(connections,sockets) - injection.(malfind) - Registry changes.(printkey) - Dump the Executable.(procmemdump)
Necurs • I am explaining here only how to dump necurs kernel driver. This driver will cause BSOD in Vmware once its loaded in memory so we need to suspend VMware after login screen before bsod. • “NtSecureSys” • • • • Use “devicetree” Check unknown entries in report Search “NtSecureSys” necurs device name. Dump all drivers using “moddump or We can dump one specific driver using base address. • Use of “driverirp” –r ddc9572038295e1f.
Conclusion • Open source framework , Python language plugin based architecture. • We can write plugin which are more useful with malwares. • Analyst should have Windows internals knowledge to use Volatility effectively. • http://code.google.com/p/volatility/
Thanks

Recomendados

Memory forensics
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
InfoSec Addicts
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
Jerod Brennen
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
bartblaze
 

Recomendados

Memory forensics
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
InfoSec Addicts
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
Jerod Brennen
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
bartblaze
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
9905234521
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
Hossein Yavari
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
Chaitanya Dhareshwar
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
Mohammed Adam
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
Sameera Amjad
 
Malware Analysis Tips and Tricks.pdf
Malware Analysis Tips and Tricks.pdfMalware Analysis Tips and Tricks.pdf
Malware Analysis Tips and Tricks.pdf
Yushimon
 
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Splunk
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
Albert Hui
 
Web Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and TrendsWeb Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and Trends
Krassen Deltchev
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
Natraj G
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
Brent Muir
 
Malware forensic
Malware forensicMalware forensic
Malware forensic
SumeraHangi
 
NMAP
NMAPNMAP
NMAP
Club Scientifique de l'ESI - CSE
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
Prince Boonlia
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Oldsun
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
Andrew Case
 
A SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVINGA SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVING
IJCSES Journal
 

Mais conteúdo relacionado

Mais procurados

Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Web Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and TrendsWeb Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and Trends
Krassen Deltchev
 

Mais procurados (20)

Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Malware Analysis Tips and Tricks.pdf
Malware Analysis Tips and Tricks.pdfMalware Analysis Tips and Tricks.pdf
Malware Analysis Tips and Tricks.pdf
 
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Web Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and TrendsWeb Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and Trends
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
Malware forensic
Malware forensicMalware forensic
Malware forensic
 
NMAP
NMAPNMAP
NMAP
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 

Destaque

A SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVINGA SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVING
IJCSES Journal
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
Abdulrahman Bassam
 
Semantics aware malware detection ppt
Semantics aware malware detection pptSemantics aware malware detection ppt
Semantics aware malware detection ppt
Manish Yadav
 
Weka presentation
Weka presentationWeka presentation
Weka presentation
Saeed Iqbal
 

Destaque (11)

Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
A SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVINGA SURVEY ON MULTIMEDIA FILE CARVING
A SURVEY ON MULTIMEDIA FILE CARVING
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
 
Digital forensic | DIGITAL FORENSIC
Digital forensic | DIGITAL FORENSICDigital forensic | DIGITAL FORENSIC
Digital forensic | DIGITAL FORENSIC
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysis
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Semantics aware malware detection ppt
Semantics aware malware detection pptSemantics aware malware detection ppt
Semantics aware malware detection ppt
 
Weka presentation
Weka presentationWeka presentation
Weka presentation
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 

Semelhante a Malware analysis using volatility

Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
briancrawford30935
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
Bo-Yi Wu
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
Nephi Johnson
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDays Riga
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
Salesforce Engineering
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 

Semelhante a Malware analysis using volatility (20)

Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
The Modern Developer Toolbox
The Modern Developer ToolboxThe Modern Developer Toolbox
The Modern Developer Toolbox
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-way
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQDocker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
 
Android build on windows
Android build on windowsAndroid build on windows
Android build on windows
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with Podman
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
 
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Debugging webOS applications
Debugging webOS applicationsDebugging webOS applications
Debugging webOS applications
 
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony AppsSymfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Operating Docker
Operating DockerOperating Docker
Operating Docker
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 

Último (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Malware analysis using volatility

  • 2. Why Memory Analysis of Malware? - Injected code or file. - Different Hooks. - Unpacked file. - Kernel memory Accessibility. - Memory/registry forensics.
  • 3. Volatility • Memory forensic on Windows, Linux, Mac and Android. • Easily available plugin and documentation. • We can use on variety of file formats (memory image). • Works on Only RAM content. No Hard disk content. http://code.google.com/p/volatility/wiki/VolatilityIntroduction
  • 4. Memory Imaging for Analysis • Crash Dumps. • Livekd Dumps. • Virtual Machine Imaging. • Raw Dumps. and many more techniques http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
  • 5. VMware image • *.vmem its nothing but RAM image of current VMware state. • Just select last updated *.vmem file for volatility analysis. • We need to suspend VMware OS.
  • 6. Use ‘DumpIT’ for Memory Dump • “DumpIT.exe” just run file it will ask for dumping memory. • Just make sure you have enough space for dumping memory. • It will dump in root folder with extension .raw.
  • 7. Some Situations when Volatility is useful • Ransom ware screen lock . • After Infection we are not able to run any reversing tool. • Kernel driver is encrypted or packed and we need to unpack. • Strong anti debugging and protections applied for packed files and we need unpacked file.
  • 8. Volatility syntax • volatility.exe [plugin] -f [image] --profile=[profile] Default profile of WinXPSP2x86 is set internally. • Volatility.exe pslist –f “malware.raw” • Volatility.exe pstree –f “malware.raw” • Volatility.exe connections –f “malware.raw” • Volatility.exe malfind –f “malware.vmem” • http://code.google.com/p/volatility/
  • 9. Some more commands • “driverscan” will display all loaded drivers. • “apihooks” will display all hooks in memory.(It takes time) • If want to use some command only for one process we can use • “-p 1624” (1624 is PID) • e.g volatility.exe –f “memory.raw” –p 1220 modules It Will display loaded modules of PID 1220 • http://code.google.com/p/volatility/wiki/CommandReference21
  • 10. Commands.. • “malfind” • Volatility.exe –f “malware.vmem” malfind • It can find injected code and dll. • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#malfind • ‘apihooks’ • Volatility.exe –f “malware.vmem” apihooks • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#apihooks • Both this commands will take time, I will suggest to redirect the output of these commands to text file.
  • 11. Command.. • ‘procmemdump’ “Volatility.exe –f “malware.vmem” procmemdump –d dump_folder/ p 1624” To dump executable of PID 1624 to path “dump_folder” http://code.google.com/p/volatility/wiki/CommandReference23#procmemdu mp • ‘connections’ “volatility.exe –f “ransomware.vmem” connections” Similarly we can use sockets and some other commands related network. • http://code.google.com/p/volatility/wiki/CommandReference23#co nnections
  • 12. Commands.. • ‘devicetree’ Volatility –f “necurs.vmem” devicetree (for rootkit analysis) • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#devicetree • ‘moddump’ Volatility –f “necurs.vmem” moddump –D dump_folder/ Will dump all kernel drivers http://code.google.com/p/volatility/wiki/CommandReference23#m oddump
  • 13. Commands.. • ‘printkey’ • “volatility.exe –f “ransomware.vmem” printkey -K "Microsoftwindows NTCurrentVersionWinlogon“ It will display winlogon key contents similarly we can check run key to auto start objects. http://code.google.com/p/volatility/wiki/CommandReference23#pr intkey
  • 14. Ransom ware • Volatility is useful in Winlock situations(VMware). - Process running.(pstree) - connections.(connections,sockets) - injection.(malfind) - Registry changes.(printkey) - Dump the Executable.(procmemdump)
  • 15. Necurs • I am explaining here only how to dump necurs kernel driver. This driver will cause BSOD in Vmware once its loaded in memory so we need to suspend VMware after login screen before bsod. • “NtSecureSys” • • • • Use “devicetree” Check unknown entries in report Search “NtSecureSys” necurs device name. Dump all drivers using “moddump or We can dump one specific driver using base address. • Use of “driverirp” –r ddc9572038295e1f.
  • 16. Conclusion • Open source framework , Python language plugin based architecture. • We can write plugin which are more useful with malwares. • Analyst should have Windows internals knowledge to use Volatility effectively. • http://code.google.com/p/volatility/