ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

dlllist patch to show x86 Dlls on a x64 system #251

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I know that this has been mentioned elsewhere, but I decided to submit a patch 
for listing Dlls for x86 processes on a x64 system.  The issue is that these 
are currently not shown except when looking at the vad, which may be confusing 
to most users.  So before the patch you only see the x64 helper dlls, for 
example:

f.exe pid:   5368
Command line : f.exe

Base         Size         Path
0x00400000   0x049000     C:\Windows\system32\f.exe
0x772b0000   0x1ab000     C:\Windows\SYSTEM32\ntdll.dll
0x744a0000   0x03f000     C:\Windows\SYSTEM32\wow64.dll
0x74430000   0x05c000     C:\Windows\SYSTEM32\wow64win.dll
0x74420000   0x008000     C:\Windows\SYSTEM32\wow64cpu.dll

Afterward you see:

f.exe pid:   5368
Command line : f.exe

Base         Size         Path
0x00400000   0x049000     C:\Windows\system32\f.exe
0x772b0000   0x1ab000     C:\Windows\SYSTEM32\ntdll.dll
0x744a0000   0x03f000     C:\Windows\SYSTEM32\wow64.dll
0x74430000   0x05c000     C:\Windows\SYSTEM32\wow64win.dll
0x74420000   0x008000     C:\Windows\SYSTEM32\wow64cpu.dll
0x00040000   0x001000     \Windows\System32\apisetschema.dll
0x75e70000   0x100000     \Windows\SysWOW64\kernel32.dll
0x75600000   0x046000     \Windows\SysWOW64\KernelBase.dll
0x75260000   0x0f0000     \Windows\SysWOW64\rpcrt4.dll
0x74d80000   0x007000     \Windows\SysWOW64\wsock32.dll
0x74d40000   0x03c000     \Windows\SysWOW64\mswsock.dll
0x74ff0000   0x00c000     \Windows\SysWOW64\cryptbase.dll
0x74d90000   0x005000     \Windows\SysWOW64\WSHTCPIP.DLL
0x75000000   0x060000     \Windows\SysWOW64\sspicli.dll
0x753f0000   0x00a000     \Windows\SysWOW64\lpk.dll
0x75350000   0x0a0000     \Windows\SysWOW64\advapi32.dll
0x75410000   0x035000     \Windows\SysWOW64\ws2_32.dll
0x75790000   0x15c000     \Windows\SysWOW64\ole32.dll
0x75660000   0x0ac000     \Windows\SysWOW64\msvcrt.dll
0x75dd0000   0x09d000     \Windows\SysWOW64\usp10.dll
0x75b10000   0x060000     \Windows\SysWOW64\imm32.dll
0x76e30000   0x0cc000     \Windows\SysWOW64\msctf.dll
0x75f90000   0x090000     \Windows\SysWOW64\gdi32.dll
0x75f70000   0x019000     \Windows\SysWOW64\sechost.dll
0x76d50000   0x083000     \Windows\SysWOW64\clbcatq.dll
0x76f00000   0x08f000     \Windows\SysWOW64\oleaut32.dll
0x76f90000   0x100000     \Windows\SysWOW64\user32.dll
0x77490000   0x180000     \Windows\SysWOW64\ntdll.dll
0x77460000   0x006000     \Windows\SysWOW64\nsi.dll

You might want to make some changes, but here's the patch (attached).

Original issue reported on code.google.com by jamie.l...@gmail.com on 6 May 2012 at 8:47


GoogleCodeExporter commented 9 years ago
Hmmm, so then the question becomes, why aren't we just doing the vad check and 
only returning those files?

It sounds like there's a technique for finding native loaded modules, and 
another technique for listing all file loaded in vads, and I'm just concerned 
that we're mixing the two techniques without giving the user much indication 
that we've done that.  Could the newer output be retrieved from any other 
existing plugin?  If so, I'd sooner we detect if it's a SysWow64 process and 
add a line saying "you might want to try this plugin with this filter to see 
additional loaded modules".

What do people think?

Original comment by mike.auty@gmail.com on 6 May 2012 at 11:33

GoogleCodeExporter commented 9 years ago
Hrmmm, good point.  We could have it as a separate plugin, or maybe we could add 
a flag option?

Hopefully more people will speak up with a preference :-)

Original comment by jamie.l...@gmail.com on 7 May 2012 at 12:30

GoogleCodeExporter commented 9 years ago
There hasn't been a great deal of chatter here.  Which option would you prefer 
Jamie?

Original comment by mike.auty@gmail.com on 21 May 2012 at 11:28

GoogleCodeExporter commented 9 years ago
Hmmm, the dlllist plugin doesn't show all DLLs loaded in wow64 processes, but 
it does in fact do what it's supposed to do, and that is enumerate DLLs from the 
PEB. I'd try not to combine the techniques and err on the side of making a 
separate plugin, but then I remembered, ldrmodules should be able to do exactly 
this.

How about a simple notice in dlllist output for wow64 processes (see attached 
patch, wording can be revised) that redirects users to the ldrmodules plugin? 

Here's an example:

$ python vol.py -f ~/Desktop/win7x64cmd.dd --profile=Win7SP0x64 dlllist -p 2284
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
f-response-ent pid:   2284
Command line : C:\F-Response\f-response-ent.exe
Note: use ldrmodules for listing DLLs in Wow64 processes

Base         Size         Path
0x00400000   0x171000     C:\F-Response\f-response-ent.exe
0x77520000   0x1ab000     C:\Windows\SYSTEM32\ntdll.dll
0x73b80000   0x03f000     C:\Windows\SYSTEM32\wow64.dll
0x73b20000   0x05c000     C:\Windows\SYSTEM32\wow64win.dll
0x74e10000   0x008000     C:\Windows\SYSTEM32\wow64cpu.dll

And here's the ldrmodules list:

$ python vol.py -f ~/Desktop/win7x64cmd.dd --profile=Win7SP0x64 ldrmodules -p 2284
Volatile Systems Volatility Framework 2.1_alpha
Pid      Process              Base         InLoad   InInit   InMem    MappedPath
2284     f-response-ent       0x74e10000   1        1        1        \Windows\System32\wow64cpu.dll
2284     f-response-ent       0x400000     1        0        1        \F-Response\f-response-ent.exe
2284     f-response-ent       0x76170000   0        0        0        \Windows\SysWOW64\nsi.dll
2284     f-response-ent       0x77170000   0        0        0        \Windows\SysWOW64\KernelBase.dll
2284     f-response-ent       0x73b80000   1        1        1        \Windows\System32\wow64.dll
2284     f-response-ent       0x75590000   0        0        0        \Windows\SysWOW64\rpcrt4.dll
2284     f-response-ent       0x73810000   0        0        0        \Windows\SysWOW64\mswsock.dll
2284     f-response-ent       0x71240000   0        0        0        \Windows\SysWOW64\WSHTCPIP.DLL
2284     f-response-ent       0x75ec0000   0        0        0        \Windows\SysWOW64\msvcrt.dll
2284     f-response-ent       0x74e50000   0        0        0        \Windows\SysWOW64\wsock32.dll
2284     f-response-ent       0x77270000   0        0        0        \Windows\SysWOW64\oleaut32.dll
2284     f-response-ent       0x760a0000   0        0        0        \Windows\SysWOW64\imm32.dll
2284     f-response-ent       0x77250000   0        0        0        \Windows\SysWOW64\sechost.dll
2284     f-response-ent       0x752d0000   0        0        0        \Windows\SysWOW64\ole32.dll
2284     f-response-ent       0x73b20000   1        1        1        \Windows\System32\wow64win.dll
2284     f-response-ent       0x77520000   1        1        1        \Windows\System32\ntdll.dll
2284     f-response-ent       0x75f70000   0        0        0        \Windows\SysWOW64\advapi32.dll
2284     f-response-ent       0x76010000   0        0        0        \Windows\SysWOW64\clbcatq.dll
2284     f-response-ent       0x75270000   0        0        0        \Windows\SysWOW64\sspicli.dll
2284     f-response-ent       0x75a40000   0        0        0        \Windows\SysWOW64\usp10.dll
2284     f-response-ent       0x77240000   0        0        0        \Windows\SysWOW64\lpk.dll
2284     f-response-ent       0x75260000   0        0        0        \Windows\SysWOW64\cryptbase.dll
2284     f-response-ent       0x75680000   0        0        0        \Windows\SysWOW64\user32.dll
2284     f-response-ent       0x75490000   0        0        0        \Windows\SysWOW64\kernel32.dll
2284     f-response-ent       0x762c0000   0        0        0        \Windows\SysWOW64\ws2_32.dll
2284     f-response-ent       0x770d0000   0        0        0        \Windows\SysWOW64\gdi32.dll
2284     f-response-ent       0x75ae0000   0        0        0        \Windows\SysWOW64\msctf.dll
2284     f-response-ent       0x77700000   0        0        0        \Windows\SysWOW64\ntdll.dll

Original comment by michael.hale@gmail.com on 22 May 2012 at 2:38

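An added illustration (not code from this thread or from Volatility itself) of why the 0/0/0 rows in the ldrmodules output above are expected for a Wow64 process: the SysWOW64 DLLs live in the process's 32-bit PEB, which the 64-bit PEB walk done by dlllist never sees, so a triage pass over ldrmodules output should separate them from modules that are genuinely missing from every list. The sample rows are constructed, and the function names are mine.

```python
import re

# Constructed sample in the Volatility 2.x ldrmodules column layout (not a real capture).
# Rows marked 0/0/0 are mapped in the VAD but absent from all three 64-bit PEB lists.
SAMPLE_LDRMODULES = r"""
Pid      Process              Base         InLoad   InInit   InMem    MappedPath
2284     f-response-ent       0x74e10000   1        1        1        \Windows\System32\wow64cpu.dll
2284     f-response-ent       0x400000     1        0        1        \F-Response\f-response-ent.exe
2284     f-response-ent       0x77170000   0        0        0        \Windows\SysWOW64\KernelBase.dll
2284     f-response-ent       0x73b80000   1        1        1        \Windows\System32\wow64.dll
2284     f-response-ent       0x77700000   0        0        0        \Windows\SysWOW64\ntdll.dll
2284     f-response-ent       0x10000000   0        0        0        \Temp\unknown.dll
"""

ROW_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+([01])\s+([01])\s+([01])\s*(.*?)\s*$")

def parse_ldrmodules(text):
    """Parse ldrmodules rows into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, proc, base, inload, ininit, inmem, path = m.groups()
        rows.append({"pid": int(pid), "process": proc, "base": int(base, 16),
                     "inload": inload == "1", "ininit": ininit == "1",
                     "inmem": inmem == "1", "path": path})
    return rows

def is_wow64_process(rows):
    """A Wow64 process carries the 64-bit wow64.dll helper in its 64-bit PEB load list."""
    return any(r["inload"] and r["path"].lower().endswith(r"\wow64.dll") for r in rows)

def triage_unlisted(rows):
    """Split modules absent from all three PEB lists into 'expected' (SysWOW64 DLLs of a
    Wow64 process, which sit in the 32-bit PEB that dlllist does not walk) and 'review'."""
    wow64 = is_wow64_process(rows)
    expected, review = [], []
    for r in rows:
        if r["inload"] or r["ininit"] or r["inmem"]:
            continue  # present in at least one PEB list (the main exe normally has InInit=0)
        if wow64 and "\\syswow64\\" in r["path"].lower():
            expected.append(r["path"])
        else:
            review.append(r["path"])
    return expected, review
```

Running `triage_unlisted(parse_ldrmodules(SAMPLE_LDRMODULES))` on the constructed sample returns the two SysWOW64 DLLs as expected and leaves only the unknown path for review.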

GoogleCodeExporter commented 9 years ago
MHL's solution is good.  My main concern was that some users would miss 
something because they wouldn't realize how x86 dlls were loaded and so it 
would be good to either print those out automatically, have a flag option or an 
alert.  The alert is probably the best option.

Original comment by jamie.l...@gmail.com on 22 May 2012 at 12:11

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1788.

Original comment by michael.hale@gmail.com on 22 May 2012 at 1:38