gitpythonkaka / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook

Bug in impscan when processing spyeye memory image #2

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Reported by Frank B. 

This is what I currently get when I try to use impscan on an injected file
called:

winlogon.exe.22e4da0.0ea00000-0ea3bfff.dmp

C:\forensics\Volatility-1.4_rc1>python volatility.py impscan -f 
..\malware-images\SpyEye.vmem -D dump -a 0x0ea00000 -s 0x3bfff -p 624

ea17000 ADVAPI32.dll AllocateAndInitializeSid 77da7a91
ea17200 WS2_32.dll ntohs 71a12b66
ea17004 ADVAPI32.dll FreeSid 77da7a80
ea17008 ADVAPI32.dll GetUserNameA 77dcd4c9
ea1700c ADVAPI32.dll RegQueryValueExA 77da7883
ea17010 ADVAPI32.dll RegOpenKeyExA 77da761b
ea17258 ntdll.dll wcscat 7c92a359
ea17014 ADVAPI32.dll CheckTokenMembership 77da815e
ea17218 WS2_32.dll closesocket 71a19639
ea17204 WS2_32.dll inet_addr 71a12bf4
ea1701c GDI32.dll CreateCompatibleDC 77ef5e10
ea17020 GDI32.dll SelectObject 77ef59a0
ea17024 GDI32.dll BitBlt 77ef6dc0
ea17028 GDI32.dll DeleteObject 77ef6a3b
ea1705c kernel32.dll DeleteFileA 7c81e85c
ea1702c GDI32.dll DeleteDC 77ef6ca6
ea17030 GDI32.dll CreateCompatibleBitmap 77ef6e51
ea17208 WS2_32.dll inet_ntoa 71a13f41
ea17234 ntdll.dll memcmp 7c91214f
ea17238 ntdll.dll RtlInitUnicodeString 7c9112d6
ea1723c ntdll.dll ZwCreateMutant 7c91d700
ea17040 kernel32.dll Sleep 7c802442
ea17260 ntdll.dll ZwDuplicateObject 7c91d90d
ea17044 kernel32.dll CreateThread 7c81082f
ea17248 ntdll.dll atoi 7c934c29
ea1720c WS2_32.dll WSAGetLastError 71a194dc
ea1704c kernel32.dll GetCurrentProcessId 7c80994e
ea17250 ntdll.dll _itoa 7c93f23a
ea17054 kernel32.dll LoadLibraryA 7c801d77
ea17058 kernel32.dll HeapCreate 7c812929
ea17264 ntdll.dll ZwQueryObject 7c91e0d8
ea1725c ntdll.dll strstr 7c91ec6f
ea17060 kernel32.dll GetLastError 7c920331
ea17210 WS2_32.dll ntohs 71a12b66
ea17064 kernel32.dll WaitForSingleObject 7c802530
ea17068 kernel32.dll CreateMutexA 7c80eb3f
ea1706c kernel32.dll GetCurrentThread 7c809919
ea17070 kernel32.dll ExitProcess 7c81caa2
ea17268 ntdll.dll strtoul 7c980815
ea17274 ntdll.dll _stricmp 7c923374
ea17278 ntdll.dll sprintf 7c93912e
ea17214 WS2_32.dll getpeername 71a20b50
ea1727c ntdll.dll strcat 7c9128ec
ea17280 ntdll.dll strcpy 7c9128d7
ea17284 kernel32.dll HeapAlloc 7c9205d4
ea17088 kernel32.dll GetTickCount 7c8092ac
ea1726c ntdll.dll vsprintf 7c980848
ea1728c ntdll.dll strlen 7c912a9d
ea17290 ntdll.dll isalnum 7c97fc5c
ea17294 ntdll.dll RtlRandom 7c974eda
ea17298 kernel32.dll HeapFree 7c92043d
ea1709c kernel32.dll GetThreadSelectorEntry 7c859fd0
ea170a0 kernel32.dll GetThreadContext 7c838eeb
ea17270 ntdll.dll ZwQueryInformationThread 7c91e030
ea170a4 kernel32.dll lstrcmpiA 7c80b929
ea170a8 kernel32.dll WideCharToMultiByte 7c80a0c7
ea170ac kernel32.dll IsBadReadPtr 7c809eb3
ea170b0 kernel32.dll IsBadWritePtr 7c809f29
ea170b4 kernel32.dll MultiByteToWideChar 7c809cad
ea170b8 kernel32.dll lstrcpyA 7c80c729
ea17074 kernel32.dll CloseHandle 7c809b77
ea170bc kernel32.dll GetVolumeInformationA 7c827052
ea170c0 kernel32.dll GetSystemWindowsDirectoryA 7c8228c9
ea17220 ntdll.dll ZwQuerySystemInformation 7c91e1aa
ea170c4 kernel32.dll SizeofResource 7c80baf1
ea170c8 kernel32.dll TerminateThread 7c81cacb
ea170cc kernel32.dll GetWindowsDirectoryA 7c82293b
ea170d0 kernel32.dll GetSystemDirectoryA 7c814c63
ea17078 kernel32.dll SetLastError 7c920340
ea170d4 kernel32.dll OpenMutexA 7c80ec1b
ea170d8 kernel32.dll ExitThread 7c80cca9
ea17224 ntdll.dll strncmp 7c912c43
ea170dc kernel32.dll WriteFile 7c810f9f
ea170e0 kernel32.dll CreateFileA 7c801a24
ea170e4 kernel32.dll lstrlenA 7c80c6e0
ea170e8 kernel32.dll lstrcpynA 7c810311
ea1707c kernel32.dll GetVersionExA 7c812851
ea170ec kernel32.dll lstrlenW 7c809a39
ea170f0 kernel32.dll ReadFile 7c80180e
ea17228 ntdll.dll _strlwr 7c9802bc
ea170f4 kernel32.dll SetNamedPipeHandleState 7c81f654
ea170f8 kernel32.dll SetHandleCount 7c80c6cf
ea170fc kernel32.dll CreateFileW 7c810976
ea17100 kernel32.dll lstrcatW 7c81114a
ea17080 kernel32.dll GetTimeZoneInformation 7c8394ae
ea17104 kernel32.dll lstrcpyW 7c80b8ec
ea17108 kernel32.dll OpenProcess 7c81e079
ea1722c ntdll.dll RtlAdjustPrivilege 7c939e8c
ea1710c kernel32.dll SetFileAttributesA 7c81fb44
ea17114 kernel32.dll VirtualProtect 7c801ad0
ea17118 kernel32.dll HeapFree 7c92043d
ea17084 kernel32.dll GetUserDefaultLangID 7c81e685
ea1711c kernel32.dll GetProcessHeap 7c80aa49
ea17120 kernel32.dll VirtualFree 7c809b14
ea17230 ntdll.dll ZwQueryInformationProcess 7c91e01b
ea17124 kernel32.dll HeapAlloc 7c9205d4
ea17128 kernel32.dll LoadResource 7c80a065
ea1712c kernel32.dll TerminateProcess 7c801e16
ea17130 kernel32.dll GetCurrentProcess 7c80e00d
ea17134 kernel32.dll UnhandledExceptionFilter 7c862b8a
ea17138 kernel32.dll SetUnhandledExceptionFilter 7c810386
ea1713c kernel32.dll SystemTimeToFileTime 7c810d34
ea17140 kernel32.dll SetFilePointer 7c810da6
ea17144 kernel32.dll GlobalAlloc 7c80ff2d
ea17148 kernel32.dll GlobalFree 7c80fe2f
ea1708c kernel32.dll GetLocalTime 7c80c9c1
ea1714c kernel32.dll DuplicateHandle 7c80e016
ea17150 kernel32.dll lstrcmpA 7c81ee79
ea17038 kernel32.dll GetCurrentDirectoryA 7c8397a1
ea17154 kernel32.dll LocalFileTimeToFileTime 7c8395ea
ea17158 kernel32.dll CreateDirectoryA 7c826219
ea1715c kernel32.dll GetExitCodeThread 7c8229a2
ea17160 kernel32.dll CreateDirectoryW 7c81e968
ea17090 kernel32.dll GetModuleFileNameA 7c80b357
ea17164 kernel32.dll FindResourceA 7c80c7b1
ea17168 kernel32.dll SetFileTime 7c81f955
ea1703c kernel32.dll lstrcatA 7c838fb9
ea1716c kernel32.dll GetComputerNameA 7c8260a9
ea17170 kernel32.dll WaitNamedPipeW 7c8343d8
ea17178 SHELL32.dll SHFileOperationA 7ca7d4a1
ea17094 kernel32.dll FreeLibrary 7c80aa66
ea1717c SHELL32.dll SHGetFolderPathA 7ca483b0
ea17180 SHELL32.dll StrStrIA 7cba93c0
ea17240 ntdll.dll ZwClose 7c91d586
ea17184 SHELL32.dll StrCmpNIA 7cba9352
ea17188 SHELL32.dll StrStrW 7cba93cb
ea17244 ntdll.dll wcslen 7c92035a
ea171a0 USER32.dll CharLowerA 77d3eed5
ea171a4 USER32.dll SetWindowLongA 77d1ded3
ea171a8 USER32.dll GetWindowLongA 77d1947c
ea1729c ntdll.dll strcmp 7c9129d1
ea171ac USER32.dll CallWindowProcA 77d1e34b
ea171b0 USER32.dll EnumWindows 77d1d935
ea17048 kernel32.dll GetProcAddress 7c80ac28
ea171b4 USER32.dll GetWindowDC 77d18ff9
ea171b8 USER32.dll GetWindowRect 77d1b57c
ea171bc USER32.dll GetCursorPos 77d1c566
ea171c0 USER32.dll ReleaseDC 77d1866d
ea172a0 ntdll.dll _allmul 7c9119d0
ea171c4 USER32.dll LoadCursorA 77d1e8fa
ea171c8 USER32.dll GetIconInfo 77d1e9a1
ea1724c ntdll.dll _chkstk 7c911a09
ea171cc USER32.dll DrawIcon 77d301ef
ea171d0 USER32.dll GetKeyboardState 77d1ef35
ea171d4 USER32.dll ToUnicode 77d6628a
ea171d8 USER32.dll wsprintfA 77d1a2de
ea17050 kernel32.dll GetModuleHandleA 7c80b529
ea172a8 ole32.dll CreateStreamOnHGlobal 774c974a
ea17254 ntdll.dll wcscpy 7c923473
ea171fc WS2_32.dll connect 71a1406a
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
 File "volatility.py", line 126, in <module>
   main()
 File "volatility.py", line 117, in main
   command.execute()
 File "C:\forensics\Volatility-1.4_rc1\volatility\commands.py", line 77, in execute
   data = self.calculate()
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 1508, in calculate
   data = self.rebuild(addr_space, base)
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 597, in rebuild
   for offset, code in self.get_image(sys.stdout, addr_space, start):
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 167, in get_image
   for sect in self.get_sections(addr_space, nt_header):
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 100, in get_sections
   self.sanity_check_section(sect, nt_header.OptionalHeader.SizeOfImage)
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 109, in sanity_check_section
   raise ValueError('VirtualSize {0:08x} is larger than image size.'.format(sect.Misc.VirtualSize))
ValueError: VirtualSize 00361000 is larger than image size. 

Original issue reported on code.google.com by michael.hale@gmail.com on 6 Jan 2011 at 2:32
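The traceback shows where the dump fails: `sanity_check_section` in procdump raises `ValueError` as soon as one section's `VirtualSize` exceeds `OptionalHeader.SizeOfImage`, and impscan abandons the whole rebuild. Injected and packed images carry inconsistent section headers often enough that a dumper usually wants to repair the header and keep going rather than abort. The following is an added illustration, not Volatility's code and not the actual r27 fix: `strict=True` reproduces the 1.4_rc1 fail-fast behaviour from the traceback, `strict=False` clamps an overrunning section to the image and drops a section that starts beyond it. The `Section` and `CheckResult` classes, the helper names and the sample section table are all constructed for the example (the 0x3c000 image size is inferred from the `-s 0x3bfff` argument above, and the 0x361000 `VirtualSize` is reused from the error message).

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Section:
    """A PE section header reduced to the fields the check needs (constructed type)."""
    name: str
    virtual_address: int   # RVA of the section
    virtual_size: int      # Misc.VirtualSize
    raw_size: int          # SizeOfRawData


@dataclass
class CheckResult:
    ok: bool                 # True when no header needed repair
    sections: List[Section]  # sections after clamping/dropping
    warnings: List[str]


def sanity_check_sections(sections: List[Section], size_of_image: int,
                          strict: bool = False) -> CheckResult:
    """Validate section headers against OptionalHeader.SizeOfImage.

    strict=True mirrors the 1.4_rc1 behaviour in the traceback: the first
    inconsistent section raises ValueError and the dump is abandoned.
    strict=False is the tolerant policy assumed here (not the project's
    r27 fix): a section starting beyond SizeOfImage is dropped, and a
    section running past SizeOfImage has its VirtualSize clamped, so the
    rest of the image can still be written out and scanned for imports.
    """
    repaired: List[Section] = []
    warnings: List[str] = []
    for sect in sections:
        va, vs = sect.virtual_address, sect.virtual_size
        if va >= size_of_image:
            msg = 'Section {0} at RVA {1:08x} lies outside image size {2:08x}; dropped'.format(
                sect.name, va, size_of_image)
            if strict:
                raise ValueError(msg)
            warnings.append(msg)
            continue
        if va + vs > size_of_image:
            msg = 'VirtualSize {0:08x} of {1} is larger than image size {2:08x}; clamped'.format(
                vs, sect.name, size_of_image)
            if strict:
                raise ValueError(msg)
            warnings.append(msg)
            vs = size_of_image - va
        repaired.append(Section(sect.name, va, vs, sect.raw_size))
    return CheckResult(ok=not warnings, sections=repaired, warnings=warnings)


def dump_extent(sections: List[Section]) -> int:
    """Bytes a memory-layout dump of these sections spans; bounded by the clamp."""
    return max((s.virtual_address + s.virtual_size for s in sections), default=0)


def strict_mode_rejects(sections: List[Section], size_of_image: int) -> bool:
    """True if the original fail-fast behaviour would abort on these headers."""
    try:
        sanity_check_sections(sections, size_of_image, strict=True)
    except ValueError:
        return True
    return False


# Constructed sample section table (not read from the SpyEye image).
SAMPLE_SIZE_OF_IMAGE = 0x3c000
SAMPLE_SECTIONS = [
    Section('.text', 0x1000, 0x10000, 0x10000),
    Section('.data', 0x11000, 0x361000, 0x2000),   # VirtualSize overruns the image
    Section('.rsrc', 0x40000, 0x1000, 0x1000),     # starts past SizeOfImage
]

if __name__ == '__main__':
    result = sanity_check_sections(SAMPLE_SECTIONS, SAMPLE_SIZE_OF_IMAGE)
    for warning in result.warnings:
        print('warning:', warning)
    print('dump extent: {0:08x}'.format(dump_extent(result.sections)))
```

Run against the sample table, the tolerant mode keeps `.text`, clamps `.data` to 0x2b000 bytes and drops `.rsrc`, so the dump extent stays at the 0x3c000-byte image size; strict mode raises on `.data` exactly as the traceback does. Surfacing the repairs as warnings rather than silently accepting them keeps the analyst aware that the dumped PE's headers were altered.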

GoogleCodeExporter commented 9 years ago
Fixed in r27

Original comment by michael.hale@gmail.com on 7 Jan 2011 at 10:29