Tools 101: Volatility Usage

Below is a quick guide for dumping and analyzing Windows and Linux memory. If you wish to utilize the Volatility framework it can be found at volatilityfoundation.org. This guide will help you with some of the challenges available on CyDefe Labs. Check those out at Labs.CyDefe.com

Check back frequently for more guides, tips, and tricks with DFIR, pentesting, reverse engineering and much much more. Many of the guides and tips we will be posting will help you in real world environments and with our platform. Happy hacking everyone.

MEMORY ACQUISITION

WINPMEM/LINPMEM

1.  Windows

  a.       C:\> winpmem_<version>.exe -o F:\mem.aff4

  b.       C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw

2.  Linux

  a.       sudo ./linpmem_<version>.post4 -o <usb mount point>/mem.aff4

  b.       ./linpmem_<version>.post4 F:\mem.aff4 -e PhysicalMemory -o mem.raw

3. Linux Alt

  a. sudo dd if=/dev/fmem of=/tmp/memory.raw bs=1MB

VOLATILITY USAGE

      Example usage: ./volatility_<version>_lin64_standalone --profile=<profile name> <command> -f <memory file name>

LISTING AVAILABLE PROFILES

1.  info - Displays a list of profiles

  a.  ./volatility_<version>_lin64_standalone --info

ROGUE PROCESS IDENTIFICATION

1.  pslist - High level view of running processes

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> pslist -f <memory file name>

2.  psscan - Scan memory for EPROCESS blocks

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> psscan -f <memory file name>

3.  pstree - Display parent-process relationships

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> pstree -f <memory file name>

ROOTKIT IDENTIFICATION

1.  psxview - Find hidden processes using cross-view

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> psxview -f <memory file name>
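The pslist/psscan comparison from the previous section, and the cross-view that psxview automates, as a worked example in Python. This is added here and is not code from the original guide or from the Volatility project. It reads the saved text output of the two plugins (the commands above, redirected to files) and reports processes that psscan carved out of physical memory but the linked-list walk done by pslist never reached. The embedded sample output is constructed: process names, PIDs, offsets and timestamps are made up.

```python
"""Cross-view check on Volatility 2 process listings: `pslist` walks the kernel's
ActiveProcessLinks list, `psscan` carves _EPROCESS structures out of physical memory,
so anything psscan finds that pslist does not is either terminated (exit time set)
or unlinked from the list (what `psxview` reports as hidden).
Added example, not part of the original guide; both samples are constructed output."""
import re
from dataclasses import dataclass

PSLIST_SAMPLE = """Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84ad4020 System                    4      0     87      488 ------      0 2020-01-15 09:00:01 UTC+0000
0x85e1d9a8 smss.exe                272      4      2       29 ------      0 2020-01-15 09:00:01 UTC+0000
0x86a09d40 csrss.exe               356    348      9      421      0      0 2020-01-15 09:00:04 UTC+0000
0x86a2e030 winlogon.exe            440    348      3      112      1      0 2020-01-15 09:00:05 UTC+0000
0x87047b10 svchost.exe             892    500     18      520      0      0 2020-01-15 09:00:09 UTC+0000
0x86b9c520 explorer.exe           1400   1360     33      910      1      0 2020-01-15 09:00:40 UTC+0000
"""

PSSCAN_SAMPLE = """Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000004ad4020 System                4      0 0x00185000 2020-01-15 09:00:01 UTC+0000
0x0000000005e1d9a8 smss.exe            272      4 0x1e74c020 2020-01-15 09:00:01 UTC+0000
0x0000000006a09d40 csrss.exe           356    348 0x1e74c040 2020-01-15 09:00:04 UTC+0000
0x0000000006a2e030 winlogon.exe        440    348 0x1e74c060 2020-01-15 09:00:05 UTC+0000
0x0000000007047b10 svchost.exe         892    500 0x1e74c080 2020-01-15 09:00:09 UTC+0000
0x0000000006b9c520 explorer.exe       1400   1360 0x1e74c0a0 2020-01-15 09:00:40 UTC+0000
0x0000000007c12d40 cmd.exe            2188   1400 0x1e74c120 2020-01-15 10:12:33 UTC+0000 2020-01-15 10:15:02 UTC+0000
0x0000000007d8e3a0 svchost.exe        3392    892 0x1e74c140 2020-01-15 10:20:17 UTC+0000
"""

# One process row in either table: offset, name, PID, PPID, then the remaining columns.
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S.*?)\s+(\d+)\s+(\d+)\s")
_TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool  # True when the row carries a second (exit) timestamp


def parse_table(text):
    """Parse pslist/psscan text into {(pid, lowercased name): Proc}.
    Keying on PID alone would merge a terminated process with a live one that reused its PID."""
    procs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, header and separator lines
        _offset, name, pid, ppid = m.groups()
        exited = len(_TIMESTAMP.findall(line)) >= 2
        proc = Proc(name, int(pid), int(ppid), exited)
        procs[(proc.pid, name.lower())] = proc
    return procs


def cross_view(pslist_text, psscan_text):
    """Return (hidden, terminated, list_only) lists of Proc."""
    listed = parse_table(pslist_text)
    scanned = parse_table(psscan_text)
    hidden, terminated = [], []
    for key, proc in scanned.items():
        if key in listed:
            continue
        (terminated if proc.exited else hidden).append(proc)
    # In the linked list but not found by carving: uncommon and worth a second look
    # (the pool tag may have been overwritten, or the page was not in the capture).
    list_only = [p for k, p in listed.items() if k not in scanned]
    return hidden, terminated, list_only


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 crossview.py pslist.txt psscan.txt
        pslist_text, psscan_text = [open(p, errors="replace").read() for p in sys.argv[1:3]]
    else:
        pslist_text, psscan_text = PSLIST_SAMPLE, PSSCAN_SAMPLE
    hidden, terminated, list_only = cross_view(pslist_text, psscan_text)
    for label, procs in (("HIDDEN (psscan only, no exit time)", hidden),
                         ("TERMINATED (psscan only, exit time set)", terminated),
                         ("PSLIST ONLY", list_only)):
        print(label)
        for p in procs:
            print(f"  {p.name:<20} pid={p.pid:<6} ppid={p.ppid}")
```

A psscan-only entry with an exit time is just a terminated process whose _EPROCESS has not been reused yet, so it is reported separately; a psscan-only entry with no exit time is what psxview marks as missing from pslist and is the one to follow up with pstree (the hidden svchost.exe in the sample claims PID 892, another svchost.exe, as its parent).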

2.  modscan - Scan memory for loaded, unloaded, and unlinked drivers

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> modscan -f <memory file name>

3.  apihooks - Find API/DLL function hooks

  a.  -p Operate only on specific PIDs

  b.  -Q Only scan critical processes and DLLs

     i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> apihooks -f <memory file name>

4.  ssdt - Hooks in System Service Descriptor Table

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> ssdt -f <memory file name> | egrep -v '(ntoskrnl|win32k)'

5.  driverirp - Identify I/O Request Packet (IRP) hooks

  a.  -r Analyze drivers matching REGEX name pattern

     i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> driverirp -r tcpip -f <memory file name>

6.  idt - Display Interrupt Descriptor Table

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> idt -f <memory file name>

NETWORK ARTIFACTS

1.  connections - List of open TCP connections

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> connections -f <memory file name>

2.  connscan - ID TCP connections, including closed

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> connscan -f <memory file name>

3.  sockets - Print listening sockets (any protocol)

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> sockets -f <memory file name>

4.  sockscan - ID sockets, including closed/unlinked

  a.  # ./volatility_<version>_lin64_standalone  --profile=<profile name> sockscan -f <memory file name>

5.  netscan - Scan for connections and sockets

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> netscan -f <memory file name>
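Of the five plugins above, connections, connscan, sockets and sockscan work on Windows XP and 2003 images; netscan is the one for Vista and later. Once netscan output is saved to a file, the next question is usually "which process owns which socket, and who is this host talking to". The Python below is an added example (not code from the original guide or from the Volatility project) that parses netscan's text output, lists listening ports per owning process and flags established connections whose remote end lies outside the address ranges you consider internal. The embedded sample rows are constructed; the "external" peers use documentation address ranges, and the internal-range list is an assumption you should tune to the environment.

```python
"""Triage Volatility 2 `netscan` output: group listeners per owning process and flag
established connections to addresses outside the organisation's own ranges.
Added example, not part of the original guide; the sample rows are constructed."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

NETSCAN_SAMPLE = """Volatility Foundation Volatility Framework 2.6
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7dc5c508 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        700      svchost.exe
0x7dd1a008 TCPv4    192.168.1.10:139               0.0.0.0:0            LISTENING        4        System
0x7e0e7e48 TCPv4    192.168.1.10:49165             203.0.113.5:443      ESTABLISHED      1400     explorer.exe
0x7e1b3c10 TCPv4    192.168.1.10:49172             192.168.1.20:445     ESTABLISHED      4        System
0x7e2c4d20 TCPv4    192.168.1.10:49180             198.51.100.23:8443   ESTABLISHED      3392     svchost.exe
0x7e1a2bf8 UDPv4    0.0.0.0:5355                   *:*                                   700      svchost.exe    2020-01-15 09:00:12 UTC+0000
0x7e3f1a00 TCPv6    :::135                         :::0                 LISTENING        700      svchost.exe
"""

# Ranges treated as "inside" (assumption: RFC 1918, loopback, link-local and the IPv6
# equivalents). Anything not in this list is reported as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]

# offset, proto, local, foreign, optional state (blank for UDP), pid, owner
_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(TCPv4|TCPv6|UDPv4|UDPv6)\s+(\S+)\s+(\S+)\s+"
    r"(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)")


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str
    pid: int
    owner: str


def _split_endpoint(endpoint):
    # "192.168.1.10:443" -> ("192.168.1.10", "443"); ":::135" -> ("::", "135"); "*:*" -> ("*", "*")
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netscan(text):
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner/header, or a row with no owner recorded
        _offset, proto, local, remote, state, pid, owner = m.groups()
        lh, lp = _split_endpoint(local)
        rh, rp = _split_endpoint(remote)
        rows.append(Conn(proto, lh, lp, rh, rp, state or "", int(pid), owner))
    return rows


def is_internal(host):
    if host in ("*", ""):
        return True  # wildcard, not a peer
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in INTERNAL_NETS)


def external_connections(rows):
    return [c for c in rows if c.state == "ESTABLISHED" and not is_internal(c.remote_host)]


def listeners_by_owner(rows):
    """{(pid, owner): ["TCPv4 0.0.0.0:135", ...]} for TCP listeners and bound UDP sockets."""
    out = defaultdict(list)
    for c in rows:
        if c.state == "LISTENING" or (c.proto.startswith("UDP") and c.remote_host == "*"):
            out[(c.pid, c.owner)].append(f"{c.proto} {c.local_host}:{c.local_port}")
    return dict(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else NETSCAN_SAMPLE
    rows = parse_netscan(text)
    print("Listeners per process:")
    for (pid, owner), ports in sorted(listeners_by_owner(rows).items()):
        print(f"  {owner} (pid {pid}): {', '.join(ports)}")
    print("Established connections to external addresses:")
    for c in external_connections(rows):
        print(f"  {c.owner} (pid {c.pid}) {c.local_host}:{c.local_port} -> {c.remote_host}:{c.remote_port}")
```

Cross-check the PIDs it prints against pslist/pstree: an established outbound connection owned by a PID that the process listing cannot account for, or by a name that has no business talking outward, is the lead to chase with the process-dumping commands further down.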

CODE INJECTION IDENTIFICATION

1.  malfind - Find injected code and dump sections

  a.  -p Show information only for specific PIDs

  b.  -o Provide physical offset of single process to scan

  c.  --dump-dir Directory to save memory sections

      i.      # ./volatility_<version>_lin64_standalone --profile=<profile name> malfind -f <memory file name> --dump-dir ./output_dir
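malfind reports every private memory region that is both writable and executable, and in a typical image most of those hits are harmless (JIT heaps, packed applications, committed pages nothing was ever written to). The Python below is an added example, not code from the original guide or from the Volatility project: it splits malfind's text output into one record per region and ranks the regions by what their first bytes look like. A region beginning with an MZ header is a complete image mapped into private memory and goes to the top; a region that starts with zeroes is usually an empty page and goes to the bottom. The sample output is constructed (process names, PIDs, addresses and bytes are made up; the third region's bytes are an ordinary function prologue, included only to exercise the "inspect" path).

```python
"""Triage Volatility 2 `malfind` output: parse it into regions and rank them by the
first bytes of each region. Added example, not part of the original guide; the sample
output below is constructed."""
import re
from dataclasses import dataclass

MALFIND_SAMPLE = """Volatility Foundation Volatility Framework 2.6
Process: explorer.exe Pid: 1400 Address: 0x3e00000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03e00000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x03e00010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x03e00000 4d               DEC EBP
0x03e00001 5a               POP EDX

Process: svchost.exe Pid: 892 Address: 0x1c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001c0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x001c0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x001c0000 0000             ADD [EAX], AL

Process: svchost.exe Pid: 3392 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002a0000  55 8b ec 83 ec 10 53 56 57 8b 7d 08 33 db 8b f3   U.....SVW.}.3...
0x002a0010  85 ff 74 1a 8b 47 04 3b c3 74 13 50 e8 00 00 00   ..t..G.;.t.P....

0x002a0000 55               PUSH EBP
"""

_HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
_VAD = re.compile(r"^Vad Tag: (\S+)\s+Protection: (\S+)")
# Hex dump rows have two spaces after the address; disassembly rows have one, so they are skipped.
_HEXDUMP = re.compile(r"^0x[0-9a-fA-F]+  ((?:[0-9a-f]{2} ?){1,16})")


@dataclass
class Region:
    process: str
    pid: int
    address: int
    vad_tag: str = ""
    protection: str = ""
    data: bytes = b""  # the bytes shown in the hex dump (malfind prints the first 64)


def parse_malfind(text):
    regions = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            regions.append(Region(m.group(1), int(m.group(2)), int(m.group(3), 16)))
            continue
        if not regions:
            continue  # banner before the first region
        m = _VAD.match(line)
        if m:
            regions[-1].vad_tag, regions[-1].protection = m.groups()
            continue
        m = _HEXDUMP.match(line)
        if m:
            regions[-1].data += bytes.fromhex(m.group(1).replace(" ", ""))
    return regions


def triage(region):
    """Return (priority, reason) from the first bytes of the region."""
    head = region.data[:32]
    if head[:2] == b"MZ":
        return "high", "PE header at the start of private executable memory"
    if not head:
        return "unknown", "no hex dump captured for this region"
    if not any(head):
        return "low", "region starts with zeroes (committed but unused page, common false positive)"
    return "medium", "code-like bytes in private executable memory; inspect the dumped section"


def ranked(regions):
    order = {"high": 0, "medium": 1, "unknown": 2, "low": 3}
    return sorted(((triage(r)[0], r) for r in regions), key=lambda t: order[t[0]])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else MALFIND_SAMPLE
    for priority, r in ranked(parse_malfind(text)):
        print(f"{priority:<7} {r.process:<16} pid={r.pid:<6} {r.address:#010x} {r.protection}  {triage(r)[1]}")
```

The ranking only orders the work; the "medium" and "high" regions are the ones to pull out of the --dump-dir output and look at, and a zero-filled region can still matter if the same process shows up elsewhere (psxview, netscan).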

2.  ldrmodules - Detect unlinked DLLs

  a.  -p Show information only for specific PIDs

  b.  -v Verbose: show full paths from the three PEB DLL lists

     i.      # ./volatility_<version>_lin64_standalone --profile=<profile name> ldrmodules -p 4 -v -f <memory file name>

REGISTRY KEY ANALYSIS

1.  printkey - Output a registry key, subkeys, and values

  a.  -K "Registry key path"

     i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" -f <memory file name>

HASH DUMP

1.  hivelist - Find and list available registry hives

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> hivelist -f <memory file name>

2.  hashdump - Dump user NTLM and Lanman hashes

  a.  -y Virtual offset of SYSTEM registry hive (from hivelist)

  b.  -s Virtual offset of SAM registry hive (from hivelist) 

    i.      # ./volatility_<version>_lin64_standalone --profile=<profile name> hashdump -f <memory file name> -y 0x8781c008 -s 0x87f6b9c8
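The two steps above (hivelist, then hashdump with the SYSTEM and SAM virtual offsets) are usually done by reading the offsets off the screen and retyping them. The Python below is an added example, not code from the original guide or from the Volatility project, that parses saved hivelist output, picks out exactly one SYSTEM and one SAM hive by the tail of the hive path (so both the Win7-style \REGISTRY\MACHINE\SYSTEM and the XP-style ...\config\system spellings work) and prints the hashdump command line. The embedded hivelist sample is constructed; the only values taken from the guide are the two offsets used in its hashdump line, and the Volatility binary name defaults to the guide's placeholder.

```python
"""Build the `hashdump` command from `hivelist` output instead of copying the two
offsets by hand. Added example, not part of the original guide; the hivelist sample
is constructed (hive names and offsets are made up apart from the two taken from the
guide's hashdump line)."""
import re

HIVELIST_SAMPLE = r"""Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8781c008 0x0281c008 \REGISTRY\MACHINE\SYSTEM
0x879d5470 0x029d5470 \Device\HarddiskVolume1\Boot\BCD
0x87e3a008 0x02e3a008 \SystemRoot\System32\Config\SOFTWARE
0x87f6b9c8 0x02f6b9c8 \SystemRoot\System32\Config\SAM
0x87fa6008 0x02fa6008 \SystemRoot\System32\Config\SECURITY
0x8a1d2008 0x051d2008 \??\C:\Users\analyst\ntuser.dat
"""

# virtual offset, physical offset, hive path (may contain spaces, trailing blanks dropped)
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def parse_hivelist(text):
    """Return [(virtual_offset, physical_offset, name), ...] as strings."""
    return [m.groups() for m in (_ROW.match(line) for line in text.splitlines()) if m]


def find_hive(hives, suffix):
    """Virtual offset of the single hive whose path ends in '\\<suffix>' (case-insensitive).
    Raises LookupError when the hive is missing or ambiguous, rather than guessing."""
    wanted = "\\" + suffix.lower()
    matches = [virt for virt, _phys, name in hives if name.lower().endswith(wanted)]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {suffix.upper()} hive, found {len(matches)}")
    return matches[0]


def hive_offsets(hivelist_text):
    """(SYSTEM virtual offset, SAM virtual offset) as hex strings."""
    hives = parse_hivelist(hivelist_text)
    return find_hive(hives, "system"), find_hive(hives, "sam")


def hashdump_command(hivelist_text, profile, image,
                     volatility="./volatility_<version>_lin64_standalone"):
    """argv list for the hashdump step, in the same order as the guide's example."""
    system, sam = hive_offsets(hivelist_text)
    return [volatility, f"--profile={profile}", "hashdump", "-f", image, "-y", system, "-s", sam]


if __name__ == "__main__":
    import shlex
    import sys
    # python3 hashdump_cmd.py hivelist.txt <profile name> <memory file name>
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else HIVELIST_SAMPLE
    profile = sys.argv[2] if len(sys.argv) > 2 else "<profile name>"
    image = sys.argv[3] if len(sys.argv) > 3 else "<memory file name>"
    print(shlex.join(hashdump_command(text, profile, image)))
```

The strict "exactly one hive" check is deliberate: if hivelist shows two SAM hives, or none, hashdump will either fail or read the wrong hive, and it is better to stop and look at the hivelist output than to pass a guessed offset.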

PROCESSES

1.  procdump - Dump process to executable sample

  a.  -p Dump only specific PIDs

  b.  -o Specify process by physical memory offset

  c.  --dump-dir Directory to save extracted files

     i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> procdump -p 4 -f <memory file name> --dump-dir ./output

2.  memdump - Dump every memory section into a file

  a.  -p Dump memory sections from these PIDs

  b.  --dump-dir Directory to save extracted files

    i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> memdump -p 4 --dump-dir ./output -f <memory file name>

FILES

1.  filescan - Scan memory for FILE_OBJECT handles

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> filescan -f <memory file name>

2.  dumpfiles - Extract FILE_OBJECTs from memory

  a.  -Q Dump using physical offset of FILE_OBJECT

  b.  -r Extract using a REGEX (add -i for case insensitive)

  c.  -n Add original file name to output name

  d.  --dump-dir Directory to save extracted files

     i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> dumpfiles -n -i -r \\.exe -f <memory file name> --dump-dir=./