Friday, October 16, 2009

Walk-Through: Volatility Batch File Maker and Volatility's ProcDump

1. Download the following files from Hogfly's website:
exemplar6.tar.gz.001
exemplar6.tar.gz.002
exemplar6.tar.gz.003

In my example I placed the files in the e:\exemlar6\ directory.

2. Join the downloaded parts back into a single archive with the following command at the cmd prompt (the /b switch makes copy treat the parts as binary data):

copy /b "exemplar6.tar.gz.001"+"exemplar6.tar.gz.002"+"exemplar6.tar.gz.003" exemplar6.tar.gz

3. Extract using WinRAR (exemplar6.tar.gz to exemplar6.vmem).

4. Run PtfinderFE against the extracted file (exemplar6.vmem), which creates exemplar6.txt.


5. Run Volatility Batch File Maker.
-a. Select e:\exemlar6\exemplar6.vmem with "Browse for Memory Capture".
-b. Select e:\exemlar6\exemplar6.txt (created by PtfinderFE) for your memory image with "Browse for Offset Text File".
-c. Click "Create Batch" (the button is hidden until the previously listed fields are populated).

6. Go to the directory containing exemplar6.vmem (e:\exemlar6\) and run the e:\exemlar6\procdump.bat file.

7. Browse the e:\exemlar6\procdump folder.



8. Use an anti-virus tool against the reconstructed executable files in the e:\exemlar6\procdump directory.
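Steps 5 and 6 above are what Volatility Batch File Maker automates: pull the PIDs out of the PtfinderFE listing and emit one procdump line per PID. The following Python is an added example, not the author's tool; it assumes a tab-separated, header-led PtfinderFE text layout (the sample is constructed) and the Volatility 1.x syntax "volatility procdump -f IMAGE -p PID" with dumps written to the current directory.

```python
import re

# Constructed sample of a tab-separated PTFinder-style listing. The real
# PtfinderFE output may differ, so parse_pids locates the PID column by its
# header name rather than by a fixed position. Note the duplicate PID 464.
SAMPLE_PTFINDER_TXT = """\
No.\tType\tPID\tPPID\tOffset\tName
1\tProc\t4\t0\t0x00b8b020\tSystem
2\tProc\t464\t376\t0x01f2a5c8\tdw8.exe
3\tProc\t648\t464\t0x0203d1a0\ttdctxte.exe
4\tProc\t464\t376\t0x01f2a5c8\tdw8.exe
"""


def parse_pids(text):
    """Return the sorted, de-duplicated PIDs from a header-led listing."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip().upper() for h in lines[0].split("\t")]
    if "PID" not in header:
        raise ValueError("no PID column found in header line")
    col = header.index("PID")
    pids = set()
    for line in lines[1:]:
        fields = line.split("\t")
        # Skip malformed rows instead of aborting the whole batch.
        if len(fields) > col and re.fullmatch(r"\d+", fields[col].strip()):
            pids.add(int(fields[col]))
    return sorted(pids)


def make_batch(image, pids, out_dir="procdump", vol_cmd="volatility"):
    """Build the text of procdump.bat: one procdump run per PID.

    Assumed (not from the page) Volatility 1.x invocation:
    'volatility procdump -f IMAGE -p PID', writing its output into the
    current directory, hence the cd into OUT_DIR and the ..\\ image path.
    """
    lines = ["@echo off",
             "if not exist %s mkdir %s" % (out_dir, out_dir),
             "cd %s" % out_dir]
    for pid in pids:
        lines.append("%s procdump -f ..\\%s -p %d" % (vol_cmd, image, pid))
    lines.append("cd ..")
    return "\r\n".join(lines) + "\r\n"   # CRLF line endings for cmd.exe


if __name__ == "__main__":
    with open("procdump.bat", "w", newline="") as fh:
        fh.write(make_batch("exemplar6.vmem", parse_pids(SAMPLE_PTFINDER_TXT)))
```

Run it in the directory holding the .vmem and the PtfinderFE text file, then execute the generated procdump.bat as in step 6.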

I decided to send the files to VirusTotal for testing, using their "Send to" function.

PID 464 - "dw8.exe" (Virus Total Results: 13 of 40 Hits)
PID 648 - "tdctxte.exe" (Virus Total Results: 116 of 41 Hits)
PID 872 - "atsxyzd.sys" (Virus Total Results: 117 of 41 Hits)
PID 1056 - "dxonool32.sys" (Virus Total Results: 119 of 40 Hits)
PID 1876 - "sopidkc.exe" (Virus Total Results: 14 of 41 Hits)
PID 1932 - "afisicx.exe" (Virus Total Results: 119 of 40 Hits)


Some Additional Notes and Some Background:
I'm not sure why, but it seems the executables that have unique icons instead of the generic executable icon have a high percentage of being malicious.

Until I created Volatility Batch File Maker I was using a batch file, and changing the input via a spreadsheet and some "find and replace" functions. One of the batch files I created attempted to use ProcDump on all the PIDs (-p option) from 0 to 6000. Reconstructed executables were only made for PIDs that were listed as running by PtFinder. I also tried using ProcDump's offset (-o option) function with the same results (and a LOT more time!).

I was analyzing a "real world" machine which was running over 90 processes. I placed the executables created by ProcDump into zip files, in groups of 10. I then sent them up to VirusTotal for scanning. Unfortunately, when I found a hit there was no way to determine which file out of the group of ten was the suspected malware file.

I would like to start an ssdeep database of common executables created by Procdump.
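The two problems described above (a hit on a zip of ten with no way to tell which file triggered it, and no baseline of known-good dumps) both come down to recording each reconstructed executable individually before submitting it. The following Python is an added example, not part of the post; the file names and contents are constructed stand-ins for a procdump folder, and it uses exact SHA-256 matches as a stand-in for the ssdeep database the author proposes.

```python
import hashlib

# Constructed stand-ins for two files in the procdump folder: a minimal
# PE-shaped blob (e_lfanew at 0x3C pointing to "PE\0\0" at 0x80) and a
# blob of zeros standing in for a failed reconstruction.
SAMPLE_DUMPS = {
    "executable.464.exe": (b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")
                           + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x90" * 32),
    "executable.648.exe": b"\x00" * 256,
}


def looks_like_pe(data):
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(dumps, known_good):
    """One manifest row per dumped file, so a scanner hit maps to one PID.

    dumps: {file name: file bytes}. known_good: set of SHA-256 hex digests
    of dumps already cleared (exact-match analogue of an ssdeep database).
    """
    rows = []
    for name, data in sorted(dumps.items()):
        digest = hashlib.sha256(data).hexdigest()
        rows.append({"file": name, "sha256": digest,
                     "valid_pe": looks_like_pe(data),
                     "known_good": digest in known_good})
    return rows


def to_submit(rows):
    """Files worth scanning: well-formed PE images not already cleared."""
    return [r["file"] for r in rows if r["valid_pe"] and not r["known_good"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_DUMPS, set()):
        print("%-20s pe=%-5s known=%-5s %s" % (row["file"], row["valid_pe"],
                                               row["known_good"], row["sha256"]))
```

Submit the files listed by to_submit one at a time (or keep the manifest beside each zip), and add the digests of dumps that come back clean to the known-good set so they are skipped on the next image.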

5 comments:

toko furniture jepara said...

Thank you for presenting a wide variety of information that is very interesting to see in this article.


tenun ikat said...

Article from a very amazing, good job. Thank you for presenting a wide variety of information that is very interesting to see in this article.


Adeline Niesha said...

I was about to say something on this topic. But now I can see that everything on this topic is very amazing and mind blowing, so I have nothing to say here. I am just going through all the topics and being appreciated. Thanks for sharing. @ FreeSoft

Syaiful wisata said...

Amazing post. Thank you for presenting a wide variety of information that is very interesting to see in this article.

Han Choe said...

I really liked this part of the article, with a nice and interesting topics have helped a lot of people who do not challenge things people should know... you need more publicize this so many people who know about it are rare for people to know this, Success for you.