Friday, October 16, 2009

Volatility Batch File Maker



The Tool: VolatilityBatch File Maker Download

I wanted to take the text output of the various tools (Ptfinder, PtFinderFE and Volatility >PsScan2) which identifies all the offsets for (running) processes and input that offset data into several Volatility tools (ProcDump, MemDmp and VadDump). This program creates three batch files. After running the batch files I can quickly leverage additional investigation techniques at the output.

1.Run Ptfinder, PtFinderFE or Volatility >PsScan2 to create a text file that contains process offsets.
2.Run Volatility Batch File Maker.
-a.Select you memory image with “Browse for Memory Capture”.
-b.Select the Offset Text File for your memory image with “Browse for Offset Text File”.
-c.Create Batch (Which is hidden until the previous fields are populated)

Three Batch files are created,upon execution of the “Create Batch”, in the root folder where the memory capture resides. The three batch programs created are procdump.bat, memdmp.bat and vaddump.bat. When you run the batch files each one will create a folder in the residing directory and populate that directory with the selected Volatility Output. Each batch file also creates an additional text output showing any errors(procdumpinfo.txt, memdmpinfor.txt and vaddmpinfo.txt).

The following is an example of the procdump batch file with the following two inputs:
Location of Volatility = "C:\volatility"
Location of Memory Dump ="E:\exemplar\6\exemplar6.vmem"


mkdir procdump
cd procdump
python "c:\volatility\volatility" procdump -f "E:\exemplar\6\exemplar6.vmem" -u -o 0x00551b80>>procdumpinfo.txt
python "c:\volatility\volatility" procdump -f "E:\exemplar\6\exemplar6.vmem" -u -o 0x0166f7b0>>procdumpinfo.txt
python "c:\volatility\volatility" procdump -f "E:\exemplar\6\exemplar6.vmem" -u -o 0x01690920>>procdumpinfo.txt
python "c:\volatility\volatility" procdump -f "E:\exemplar\6\exemplar6.vmem" -u -o 0x016aa3c0>>procdumpinfo.txt
python "c:\volatility\volatili*****Truncated - You get the idea********************

Uses for the Ouput of the Batch Files:
After re-creating all the “executables” from the running processes you can run a virus scanner at the procdump folder. This can be another tool in the arsenal of defeating the Trojan Horse Defense.

Or how about one for the incident response guys... You could run this protocol at a full memory.dmp or on a converted hiberfil.sys (Converted with Suiche's Hibershell) created on a machine prior to your actual response and collection. How many times has someone “helped” you out by deleting the malware from the target machine just before you walked into the door. If the memory.dmp or hiberfil.sys is recent you might be able to “recreate” the malware executable. You could also show a machine has been compromised (or not) when the memory.dmp or hiberfil.sys was captured

The Vaddump folder now contains the output which can easily be used in a program like Encase to give you context to you memory image.

Some walk-through examples to be posted soon. Also I am in the process of updating PtFinderFE!!!

3 comments:

jepara minimalis said...

Thank you for presenting a wide variety of information that is very interesting to see in this artikle


http://www.tourkarimunjawaisland.com/
and http://jualfurniturejepara.com/
or http://www.mebeljeparafurniture.com/
and http://www.tokokaintenunjepara.com/

Syaiful wisata said...

greath post, Thank you for presenting a wide variety of information that is very interesting to see in this artikle
wisata karimunjawa

tour karimunjawa

paket wisata karimunjawa

tour karimunjawa

wisata karimunjawa

paket karimunjawa

wisata karimunjawa

liburan karimunjawa

paket karimunjawa murah

paket wisata karimunjawa

paket karimunjawa murah

paket wisata karimunjawa

tour karimunjawa

tour karimunjawa murah

backpacker karimunjawa

liburan karimunjawa murah

jual pantai karimunjawa

jual pulau karimunjawa


Link Anyar
toko mebel ukir

jual kursi jati

furniture anak murah

tempat tidur

sofa ruang tamu murah

toko mebel jepara

meja makan murah

kursi ruang tamu

toko mebel jepara

toko furniture jepara

toko tenun jepara

kain tenun jepara

toko sangkar burung

toko tenun troso

DumpsPass4sure said...

It is difficult to imagine attempting IT exam without consulting a suitable source of learning. I knew this fact and downloaded Pass4sure VMware dumps on the suggestion of my friend. I quickly got it from Dumpspass4sure and started my preparation. I got passing guarantee with VMware pdf dumps but now, after my experience, I can give guarantee to anyone for distinctive grades.