Joostvtz / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Output of "self.parse_string(ldr_entry.FullDllName)" in modscan.py #158

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Using modscan on XP (SP2/3) memory dumps. (prolaco.vmem is available under 
FAQ section here)

What is the expected output? What do you see instead?
This is with regards to the "File" column, LDR_MODULE.FullDllName field.
Expected output:
'\\SystemRoot\\system32\\drivers\\kmixer.sys'

What I see:
'\xc3\x90\x00\xc3\x90\x00\x00\x00\x00\x00\x00\x00\x00\x00\xeb\x82\xb0
\xeb\xab\x90\x00\xe8\x80\x90\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\xe3\x80\x88\xee\x87\xb2\xe5\x80\x80\x01\x00\x00\xe0\xa2\xa0\xe0\xa4\x81\x10
'

What version of the product are you using? On what operating system?
Volatility 2.0.
Host OS used: Windows 7 Professional SP1. 
Memory dumps: Windows XP SP2 (prolaco.vmem), Windows XP SP3 (my own, dumped 
using different tools like win32dd, FDPro)

Original issue reported on code.google.com by fenn...@gmail.com on 25 Oct 2011 at 10:02


GoogleCodeExporter commented 8 years ago
Are you able to upload the memory dump somewhere for troubleshooting?

Original comment by Bret...@gmail.com on 25 Oct 2011 at 6:45

GoogleCodeExporter commented 8 years ago
You've just witnessed the power of memory forensics! 

Note with the "modules" plugin which walks the linked list of *active and 
loaded* modules, there is no kmixer. This indicates one of two things:

1) kmixer is no longer loaded
2) kmixer has been unlinked by a rootkit, but remains loaded

Since kmixer is a legit component of Windows, there would be no reason for a 
rootkit to hide it. Plus, it's involved in sound, which people enable and 
disable all the time, causing kmixer to load/unload frequently. 

So what you've found with modscan (which is the entire purpose of modscan) is 
an artifact of the once loaded kmixer.sys. The FullDllName field has been 
partially overwritten, since the memory for the LDR_MODULE was released back to 
the OS when the driver unloaded. Although FullDllName is destroyed, the 
BaseDllName, Base, and Size fields are untouched, allowing you to still 
identify the driver and where it used to be loaded. 

So no problems here, in fact it's a great example of why we use memory forensics 
over live system tools. 

Original comment by michael.hale@gmail.com on 25 Oct 2011 at 7:10
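The triage logic described in the comment above, as an added example that is not code from the Volatility project or from this thread: given the raw bytes a pool scan hands back for a LDR_MODULE entry, decide whether FullDllName is still a trustworthy path or has been overwritten after the driver unloaded, while keeping the BaseDllName, Base and Size fields that survive. The sample records, the field names and the path regex are assumptions constructed for this example.

```python
import re

# Constructed sample records standing in for what a pool scan hands back.
# Assumption: the scanner already resolved each UNICODE_STRING.Buffer pointer
# to its raw bytes; "base" and "size" are the DllBase / SizeOfImage fields.
SAMPLE_MODULES = [
    {   # live entry: both strings intact
        "full_raw": "\\SystemRoot\\system32\\drivers\\tcpip.sys".encode("utf-16-le"),
        "base_raw": "tcpip.sys".encode("utf-16-le"),
        "base": 0xF7A5C000, "size": 0x5A000,
    },
    {   # freed entry: FullDllName buffer reused after the driver unloaded
        "full_raw": b"\xd0\x00\xd0\x00\x00\x00\x00\x00\x00\x00\xeb\x82\xb0\xeb\xab\x90",
        "base_raw": "kmixer.sys".encode("utf-16-le"),
        "base": 0xF6A40000, "size": 0x2B000,
    },
]

# What a module path stored in LDR_MODULE looks like: a \SystemRoot, \??\X: or
# X: prefix, printable ASCII, and a driver/DLL/EXE file name at the end.
PATH_RE = re.compile(
    r"^(\\SystemRoot|\\\?\?\\[A-Za-z]:|[A-Za-z]:)\\[\x20-\x7e]+\.(sys|dll|exe)$", re.I)


def decode_unicode_string(raw: bytes):
    """Decode a UTF-16LE buffer up to its first NUL; None when it is not text."""
    if len(raw) % 2:
        raw = raw[:-1]
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    text = text.split("\x00", 1)[0]
    return text if text.isprintable() else None


def classify_scanned_module(entry):
    """Report which fields of a pool-scanned LDR_MODULE record are still usable."""
    full = decode_unicode_string(entry["full_raw"])
    base = decode_unicode_string(entry["base_raw"])
    full_ok = full is not None and PATH_RE.match(full) is not None
    return {
        "file": full if full_ok else None,      # only trust a path that parses as one
        "name": base,                            # BaseDllName survives the free
        "base": entry["base"], "size": entry["size"],
        "status": "intact" if full_ok else "FullDllName overwritten (unloaded/freed entry)",
    }
```

For the freed record the decoded FullDllName is a couple of printable characters followed by NULs, so the path check fails and only the name, base and size are reported, matching what the thread observes for kmixer.sys.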