Attached is a plugin to detect Stuxnet and other malware samples that use the
window messaging subsystem to detect USB insertions.
Example:
$ python vol.py -f stuxnet.vmem usbwindows
Volatile Systems Volatility Framework 2.3_alpha
Context                        Process              Window               Procedure
------------------------------ -------------------- -------------------- ----------
0\Service-0x0-3e7$\Default     services.exe         AFX64c313            0x013fe695
0\Service-0x0-3e5$\Default     services.exe         AFX64c313            0x013fe695
0\SAWinSta\SADesktop           services.exe         AFX64c313            0x013fe695
0\Service-0x0-3e4$\Default     services.exe         AFX64c313            0x013fe695
Original issue reported on code.google.com by michael.hale@gmail.com on 5 Sep 2013 at 11:45