radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Analyzing mapped PE files in a process memory image #8563

Open superponible opened 7 years ago

superponible commented 7 years ago

I'm working on a plugin for volatility that presents the memory image it opens as a FUSE volume where each directory is a view of a different process. What I'm trying to do is then open one of these virtual memory file representations and be able to analyze PE files mapped at various locations in memory with r2. Essentially, I'd like the same analysis performed on the file at a given memory location as if I had just loaded the PE file itself in r2. I'm not sure if this is currently possible. Some more details are below. I will attach the zipped "memory" file referenced below or post it somewhere and link to it if it's too big.

Here is the memory sample:

$ ls -lh ~/mem_samples/cridex.vmem
-rw-------@ 1 user  staff   512M Aug  1  2012 /Users/user/mem_samples/cridex.vmem

And here is a volatility list of a process and its loaded DLLs:

$ vol.py --plugins=. -f ~/mem_samples/cridex.vmem dlllist -p 1640
Volatility Foundation Volatility Framework 2.6
************************************************************************
reader_sl.exe pid:   1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Service Pack 3

Base             Size  LoadCount LoadTime                       Path
---------- ---------- ---------- ------------------------------ ----
0x00400000     0xa000     0xffff                                C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
0x7c900000    0xaf000     0xffff                                C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff                                C:\WINDOWS\system32\kernel32.dll
0x7e410000    0x91000     0xffff                                C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff                                C:\WINDOWS\system32\GDI32.dll
...snip...

Run the plugin to create a FUSE volume from the memory image:

$ vol.py --plugins=. -f ~/mem_samples/cridex.vmem volfuse -m mount
Volatility Foundation Volatility Framework 2.6
Current context: System @ 0x823c89c8, pid=4, ppid=0 DTB=0x2fe000
FUSE Volume is ready

Mount directory now contains a subdir for each process:

$ ls -l mount
total 0
...snip...
drwxr-xr-x  2 root  wheel  0 Jul 21  2012 1220_svchost.exe
drwxr-xr-x  2 root  wheel  0 Jul 21  2012 1484_explorer.exe
drwxr-xr-x  2 root  wheel  0 Jul 21  2012 1512_spoolsv.exe
drwxr-xr-x  2 root  wheel  0 Jul 21  2012 1588_wuauclt.exe
drwxr-xr-x  2 root  wheel  0 Jul 21  2012 1640_reader_sl.exe
drwxr-xr-x  2 root  wheel  0 Jul 21  2012 368_smss.exe
drwxr-xr-x  2 root  wheel  0 Dec 31  1969 4_System
...snip...

Change into the process shown above and show the dlls and vads directories and the "memory" file, which is the full 4GB virtual memory address space for this process.

$ cd mount/1640_reader_sl.exe/
$ ls -l
total 8388608
drwxr-xr-x  2 root  wheel     0B Dec 31  1969 dlls
-r--r--r--  0 root  wheel   4.0G Dec 31  1969 memory
drwxr-xr-x  2 root  wheel     0B Dec 31  1969 vads

Open the memory file with r2:

$ r2 -n memory
 -- Use hasher to calculate hashes of portion blocks of a file
[0x00000000]> oba 0x400000
[0x00000000]> ie
[Entrypoints]

0 entrypoints

Tried doing this to load the PE file at 0x400000, but it doesn't seem to be working. The file is there, however, along with other DLLs shown in the volatility pslist output at the top:

[0x00000000]> px @ 0x400000
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x00400000  4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
0x00400010  b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
0x00400020  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00400030  0000 0000 0000 0000 0000 0000 f000 0000  ................
0x00400040  0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
0x00400050  6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
0x00400060  7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS
...snip...
[0x00000000]> px @0x7c900000
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x7c900000  4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
0x7c900010  b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
0x7c900020  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x7c900030  0000 0000 0000 0000 0000 0000 e000 0000  ................
0x7c900040  0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
0x7c900050  6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
0x7c900060  7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS
...snip...
[0x00000000]> px @0x7c800000
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x7c800000  4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
0x7c800010  b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
0x7c800020  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x7c800030  0000 0000 0000 0000 0000 0000 f000 0000  ................
0x7c800040  0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
0x7c800050  6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
0x7c800060  7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS
...snip...
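As an added example (not code from this issue or from radare2), here is a small Python parser that reads a PE the way it sits in such a `memory` file: headers at the mapped base, each section at base + VirtualAddress rather than at PointerToRawData. That layout difference is one thing worth checking when a loader that assumes on-disk file offsets reports 0 entrypoints. The memory buffer is constructed inline with a minimal PE32 at 0x400000 (e_lfanew 0xf0, as in the dump above), so it runs without the real dump.

```python
import struct

def parse_mapped_pe(mem, base):
    """Parse the PE mapped at mem[base:] the way the Windows loader laid it out:
    headers at base, each section at base + VirtualAddress, not PointerToRawData."""
    if mem[base:base + 2] != b"MZ":
        raise ValueError("no MZ header at 0x%x" % base)
    pe = base + struct.unpack_from("<I", mem, base + 0x3C)[0]     # e_lfanew
    if mem[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at 0x%x" % pe)
    nsec = struct.unpack_from("<H", mem, pe + 6)[0]               # NumberOfSections
    opt = pe + 24                                                 # optional header
    opt_size = struct.unpack_from("<H", mem, pe + 20)[0]          # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", mem, opt)[0]
    entry_rva = struct.unpack_from("<I", mem, opt + 16)[0]        # AddressOfEntryPoint
    if magic == 0x20B:                                            # PE32+: 64-bit ImageBase
        image_base = struct.unpack_from("<Q", mem, opt + 24)[0]
    else:                                                         # PE32
        image_base = struct.unpack_from("<I", mem, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", mem, opt + 56)[0]
    sections = []
    for i in range(nsec):                                         # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", mem, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": base + va,
                         "vsize": vsize, "raw_ptr": rawptr})
    return {"image_base": image_base, "relocated": image_base != base,
            "entry_va": base + entry_rva, "size_of_image": size_of_image,
            "sections": sections}

def build_sample_memory(base=0x400000):
    """Constructed memory file: zeros up to `base`, then a minimal PE32 mapped there."""
    img = bytearray(0x3000)                                       # SizeOfImage
    img[0:2], img[0xF0:0xF4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0xF0)                       # e_lfanew = 0xf0
    struct.pack_into("<HHIIIHH", img, 0xF4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, 2 sections
    opt = 0x108
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    for off, val in ((16, 0x1000), (28, base), (32, 0x1000), (36, 0x200), (56, 0x3000)):
        struct.pack_into("<I", img, opt + off, val)               # EntryPoint, ImageBase, aligns, SizeOfImage
    for i, s in enumerate(((b".text", 0x200, 0x1000, 0x200, 0x400),   # name, vsize, va, rawsize, rawptr
                           (b".data", 0x100, 0x2000, 0x200, 0x600))):
        struct.pack_into("<8sIIII", img, opt + 0xE0 + 40 * i, *s)
    img[0x1000:0x1003] = b"\x55\x8b\xec"                          # push ebp; mov ebp,esp at the entry RVA
    return bytes(base) + bytes(img)

if __name__ == "__main__":
    mem = build_sample_memory()
    info = parse_mapped_pe(mem, 0x400000)
    print("entry at 0x%x, sections %s" % (info["entry_va"], [s["name"] for s in info["sections"]]))
```

Running the same parser at each base from the dlllist output (0x400000, 0x7c900000, ...) gives the entry point and section map for every module; the `relocated` flag tells you whether the module was loaded away from its preferred ImageBase.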
superponible commented 7 years ago

reader_sl_mem.zip

Attached zip file is ~20M but will unzip to 4G. It is the 1640_reader_sl.exe/memory file from the description above.

radare commented 6 years ago

cc @skuater

Maijin commented 6 years ago

Check https://github.com/countercept/radare2-scripts

ret2libc commented 4 years ago

@GustavoLCR I see this is assigned to you. Do you think you'll be able to complete this for next release? I'm asking not to put pressure, just to try cleaning up a bit the issues that are assigned for the next milestone.