Day 24 - Volatility

Writer: Ville Kalliokoski

For the last entry in our advent calendar we have the powerhouse of static memory analysis - Volatility.

Would you like to see, what was going on inside a computer at some point in history? Memory dumps to the rescue! Memory dumps are, as the name suggests, everything from the volatile memory of a computer dumped in a file. This is a powerful tool for incident response and malware analysis alike, since you can go through everything from open processes to active and terminated connections and TCP/UDP sockets. Volatility is a collection of tools built to assist in researching these. Here we go over the basics of analyzing the processes found in the memory dump.

Getting started with Volatility - analyzing processes

Volatility supports memory dumps for most operating systems, from Windows XP to OSX Sierra. Here we'll be using a dump from Windows 7 SP1. First thing we need is the correct memory profile for Volatility, so it knows what we are dealing with. Volatility offers couple of plugins for finding this information: imageinfo, which provides profile suggestions, and kdbgscan, which is designed to positively identify the correct profile (Note that the output of the commands below has been truncated). $ cincan run cincan/volatility kdbgscan -f _samples/memory/Win7SP1x86_2400.raw * -f: input path of the memory dump for volatility

volatility: <= _samples/memory/Win7SP1x86_24000.raw
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: /home/appuser/_samples/memory/Win7SP1x86_24000.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2754b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x86_23418
Version64                     : 0x2754b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x82769d70
PsLoadedModuleList            : 0x82771730
KernelBase                    : 0x8261c000

**************************************************
Instantiating KDBG using: /home/appuser/_samples/memory/Win7SP1x86_24000.raw WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2754b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x86_2400
Version64                     : 0x2754b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x82769d70
PsLoadedModuleList            : 0x82771730
KernelBase                    : 0x8261c000
[snip]

From here we see that the first suggestion is Win7SP1x86_23418. In this case we know that this is not the correct one (see filename), and you can try this yourself with psscan and pslist in the next step: pslist works fine with the wrong profile, but psscan will not find any processes.

From here we get to the fun part: diving in to the memory. One of the first steps you might try is look through the running processes in the system. Volatility offers multiple plugins for this as well: pslist shows the same listing you'd get from the Windows Task Manager, while psscan can also find hidden processes. pstree uses the same enumeration for processes as pslist, but shows the processes in tree form.

$ cincan run cincan/volatility psscan --profile Win7SP1x86_24000 -f _samples/memory/Win7SP1x86_24000.raw * --profile: memory profile

volatility: <= _samples/memory/Win7SP1x86_24000.raw
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001b22d20 sshd.exe           2036   1928 0x0f6e68c0 2019-11-21 09:37:06 UTC+0000                                 
0x0000000001ed53d0 SearchProtocol     2608   2532 0x0f6e6500 2019-11-21 09:37:12 UTC+0000                                 
0x00000000095b5d20 cygrunsrv.exe      1772    460 0x0f6e6740 2019-11-21 09:37:05 UTC+0000                                 
0x000000000ab73480 svchost.exe        2172    460 0x0f6e6900 2019-11-21 09:37:08 UTC+0000                                 
0x000000000b20dc40 dllhost.exe        2352    588 0x0f6e6940 2019-11-21 09:37:08 UTC+0000   2019-11-21 09:37:16 UTC+0000  
0x000000000b2a6888 cygrunsrv.exe      1928   1772 0x0f6e6800 2019-11-21 09:37:06 UTC+0000   2019-11-21 09:37:07 UTC+0000  
0x000000000b348d20 conhost.exe        1980    328 0x0f6e6840 2019-11-21 09:37:06 UTC+0000                                 
0x000000000b54d030 sppsvc.exe         2072    460 0x0f6e6300 2019-11-21 09:37:07 UTC+0000                                 
0x000000000ee13030 csrss.exe           364    356 0x0f6e6140 2019-11-21 18:36:56 UTC+0000                                 
0x000000000ee1d030 wininit.exe         372    320 0x0f6e6180 2019-11-21 18:36:56 UTC+0000                                 
[snip]                        
0x000000000f1ff088 csrss.exe           328    320 0x0f6e60c0 2019-11-21 18:36:55 UTC+0000                                 
0x000000000f6e5d20 smss.exe            252      4 0x0f6e6040 2019-11-21 18:36:51 UTC+0000                                 
0x000000000fc920f8 SearchIndexer.     2532    460 0x0f6e6780 2019-11-21 09:37:11 UTC+0000                                 
0x000000000fc94b98 VBoxTray.exe       1880   1508 0x0f6e67c0 2019-11-21 09:37:06 UTC+0000                                 
0x000000000fc98d20 SearchFilterHo     2644   2532 0x0f6e6980 2019-11-21 09:37:12 UTC+0000                                 
0x000000000fcb6688 services.exe        460    372 0x0f6e6100 2019-11-21 18:36:56 UTC+0000                                 
0x000000000ffed668 System                4      0 0x00185000 2019-11-21 18:36:51 UTC+0000

If you want to find out more about how the processes have been hidden, you can use psxview. It compares different sources of process listings and shows which source finds the processes.

$ cincan run cincan/volatility psxview --profile Win7SP1x86_24000 -f _samples/memory/Win7SP1x86_24000.raw

volatility: <= _samples/memory/Win7SP1x86_24000.raw
Volatility Foundation Volatility Framework 2.6.1
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0ab73480 svchost.exe            2172 True   True   True     True   True  True    True     
0x0ef97440 svchost.exe            1396 True   True   True     True   True  True    True     
0x0b54d030 sppsvc.exe             2072 True   True   True     True   True  True    True     
0x0eebe188 svchost.exe             808 True   True   True     True   True  True    True     
0x0eeed310 audiodg.exe             988 True   True   True     True   True  True    True     
0x0fc94b98 VBoxTray.exe           1880 True   True   True     True   True  True    True     
0x0ef82918 spoolsv.exe            1348 True   True   True     True   True  True    True     
0x0eed6030 svchost.exe             904 True   True   True     True   True  True    True     
0x0eec99a0 svchost.exe             848 True   True   True     True   True  True    True     
[snip] 
0x0f6e5d20 smss.exe                252 True   True   True     True   False False   False    
0x0ee13030 csrss.exe               364 True   True   True     True   False True    True     
0x0b2a6888 cygrunsrv.exe          1928 True   True   False    True   False True    False    2019-11-21 09:37:07 UTC+0000
0x0ffed668 System                    4 True   True   True     True   False False   False    
0x0f1ff088 csrss.exe               328 True   True   True     True   False True    True     
0x0ef99740 userinit.exe           1404 False  True   False    False  False False   False    2019-11-21 09:37:32 UTC+0000
0x0b20dc40 dllhost.exe            2352 False  True   False    False  False False   False    2019-11-21 09:37:16 UTC+0000

If you want to look closer to any of the executables in processes, you can use procdump to dump the process executable to your disk: $ cincan run -d dump volatility procdump --profile=Win7SP1x86_24000 -D dump/ -p 2036 -f _samples/memory/Win7SP1x86_24000.raw -D: path where the executable will be saved -p: process ID of the executable to be dumped

volatility: <= _samples/memory/Win7SP1x86_24000.raw
volatility: <= dump
volatility: => dump/executable.2036.exe
Volatility Foundation Volatility Framework 2.6.1
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x84904d20 0x00400000 sshd.exe             OK: executable.2036.exe

(Note the -d dump flag for cincan command, see Limitations for input/output in the cincan command documentation.)

From here you can start analyzing the executable or dive even deeper in to the memory dump.

Other resources

Volatility Foundation

The CLI tool cincan used here is available from PyPI, install it with pip install cincan-command. Installation of this tool is enough to get started -- the containers are downloaded automatically from either your local repository or DockerHub.

For more tools and sources take a look at CinCan’s Gitlab repository and Dockerhub!