JPCERTCC / MalConfScan

Volatility plugin for extracting configuration data of known malware

malconfscan blocked during scan #5

Closed Batman781 closed 5 years ago

Batman781 commented 5 years ago

Hi,

I'm trying to analyze a memory dump from a VMware Windows 10 paused machine infected with some malware. Currently I've got a vmem file and a vmsn file. The vmem file is large, 4GB. Running the following command, the debug messages stop and there is no progress after 2 hours: python vol.py -f Win10Untrusted-Snapshot5.vmem --profile=Win10x64 malconfscan -d -v

The last debug messages are the following:

DEBUG   : volatility.debug    : Applying modification from ShellBagsTypesWin7
DEBUG   : volatility.debug    : Applying modification from UserAssistWin7VTypes
DEBUG   : volatility.debug    : Applying modification from VistaObjectClasses
DEBUG   : volatility.debug    : Applying modification from Win32KCoreClasses
DEBUG   : volatility.debug    : Applying modification from Win7ObjectClasses
DEBUG   : volatility.debug    : Applying modification from Win8x64VolatilityKDBG
DEBUG   : volatility.debug    : Applying modification from WinPEx64VTypes
DEBUG   : volatility.debug    : Applying modification from Windows64Overlay
DEBUG   : volatility.debug    : Applying modification from ServiceBasex64
DEBUG   : volatility.debug    : Applying modification from ServiceVista
DEBUG   : volatility.debug    : Applying modification from Win8ObjectClasses
DEBUG   : volatility.debug    : Applying modification from Win8x64DTB
DEBUG   : volatility.debug    : Applying modification from Win8x64Gui
DEBUG   : volatility.debug    : Applying modification from Win8x64MaxCommit
DEBUG   : volatility.debug    : Applying modification from Service8x64

Even attaching to a single PID, I got the same behaviour.

Batman781 commented 5 years ago

Changing the profile, it does not block anymore.
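The thread resolves by switching the Volatility profile, which suggests the Win10x64 profile did not match the dumped kernel and the plugin stalled walking bad structures. The script below is an added example, not MalConfScan's own code or anything posted in this issue: it selects a profile from `kdbgscan` output (choosing the KDBG candidate that actually resolves processes) and then runs malconfscan under a time limit so a mismatch fails loudly instead of hanging. The sample `kdbgscan` output is constructed, and the line format it parses (`Profile suggestion (KDBGHeader):` and `PsActiveProcessHead ... (N processes)`) plus the use of coreutils `timeout` are assumptions.

```shell
#!/bin/sh
# Added example (not from MalConfScan or this issue): choose a Volatility 2
# profile from kdbgscan output before running malconfscan, and bound the run.
# Assumed kdbgscan format: per-candidate blocks containing the lines
#   "Profile suggestion (KDBGHeader): <profile>"
#   "PsActiveProcessHead ... (<N> processes)"

# Constructed sample: the first candidate matches the base Win10x64 profile but
# resolves no processes (a mismatch); the second resolves the process list.
SAMPLE_KDBGSCAN='**************************************************
Instantiating KDBG using: Kernel AS Win10x64 (6.3.9600 64bit)
Profile suggestion (KDBGHeader): Win10x64
PsActiveProcessHead           : 0xfffff80012345678 (0 processes)
PsLoadedModuleList            : 0xfffff80012345690 (0 modules)
**************************************************
Instantiating KDBG using: Kernel AS Win10x64_17134 (6.3.9600 64bit)
Profile suggestion (KDBGHeader): Win10x64_17134
PsActiveProcessHead           : 0xfffff80012345678 (57 processes)
PsLoadedModuleList            : 0xfffff80012345690 (161 modules)'

# pick_profile: read kdbgscan output on stdin and print the suggested profile
# of the candidate that resolved the most processes. A candidate with
# 0 processes is the classic sign of a wrong profile; if none resolves any
# process the function returns non-zero so the caller does not run blind.
pick_profile() {
    awk '
        BEGIN { best = 0; best_prof = "" }
        /^Profile suggestion \(KDBGHeader\)/ { prof = $NF }
        /^PsActiveProcessHead/ {
            n = $0; sub(/.*\(/, "", n); sub(/ processes\)/, "", n)
            if (n + 0 > best) { best = n + 0; best_prof = prof }
        }
        END { if (best_prof != "") print best_prof; else exit 1 }
    '
}

# run_malconfscan IMAGE SECONDS: pick the profile from a real kdbgscan run,
# then run malconfscan with the same flags as in the issue under `timeout`.
# Exit status 124 means the scan hung, the symptom reported above.
run_malconfscan() {
    image=$1; limit=$2
    profile=$(python vol.py -f "$image" kdbgscan | pick_profile) || {
        echo "no KDBG candidate resolved any processes; check --info profiles" >&2
        return 2
    }
    echo "using profile $profile" >&2
    timeout "$limit" python vol.py -f "$image" --profile="$profile" malconfscan -d -v
}
```

Run it as `run_malconfscan Win10Untrusted-Snapshot5.vmem 3600`; a candidate list where every block shows `(0 processes)` means the image needs a profile not in the current Volatility build rather than a longer wait.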