sayfudin13 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Error exporting process from memory dump #491

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I got a memory dump of the system infected with FAVEAVLOCK infection. On 
investigating, I came to conclusion that SVCHOST.EXE was used to call C&C 
servers but this SVCHOST.EXE was been called by 56[1].mp3. So tried to export 
this file and a memory dump of this mp3 file. It gave me below mentioned error. 
Please explain me what does it means and is there any way to extract this 
sample?

PS D:\Setups\Forensics\Memory Analysis\TestBed> .\volatility.exe 
--profile=Win7SP1x86 -f .\LT0006567-20140328-131741.raw procexedump -p 8688 -D 
.\Files

Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x859fb4b0 ---------- 56[1].mp3            Error: PEB at 0x7ffdb000 is paged

PS D:\Setups\Forensics\Memory Analysis\TestBed> .\volatility.exe 
--profile=Win7SP1x86 -f .\LT0006567-20140328-131741.raw procmemdump -p 8688 -D 
.\Files

Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x859fb4b0 ---------- 56[1].mp3            Error: PEB at 0x7ffdb000 is paged

Find the attached file containing output of pstree plugin which shows that 
SVCHOST.EXE is called by 56[1].mp3

What version of the product are you using? On what operating system?

Please provide any additional information below.

Original issue reported on code.google.com by mr.darsh...@gmail.com on 29 Mar 2014 at 1:56

Attachments:

GoogleCodeExporter commented 9 years ago
Hello,

Processes with 0 threads (0 in the Thds column) and invalid handle table (---- 
in the Hnds column) have terminated and their address space is destroyed. Thus 
you won't be able to dump the exe using procmemdump or procexedump. 

You can try to see if the kernel has a cached copy of the 56[1].mp3 file from 
disk. To do this, either supply the name as a regex to dumpfiles or find the 
offset of the file object. For example:

1) dumpfiles --regex="mp3" --dump-dir=OUTPUT 

or 

2a) filescan | grep mp3 
2b) dumpfiles -Q OFFSET_FROM_FILESCAN --dump-dir=OUTPUT

If there's no cached copy of the disk and the process is no longer running, I'm 
afraid you won't be able to get it from the memory dump. 

Original comment by michael.hale@gmail.com on 30 Mar 2014 at 8:21

GoogleCodeExporter commented 9 years ago
Dumpfiles and filescan are I guess plugins for volatility.. am I correct?

Original comment by mr.darsh...@gmail.com on 30 Mar 2014 at 10:04

GoogleCodeExporter commented 9 years ago
Yes. They are: 

http://code.google.com/p/volatility/wiki/CommandReference23#filescan

http://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles

Original comment by jamie.l...@gmail.com on 31 Mar 2014 at 1:50

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Sorry, sent prematurely.

Actually in this case, the regex option may not work (though you can try).  The 
reason why it might not work is because the process is no longer running (so it 
can't get it from the process' own VAD).  If it is accessed by another process 
(like as a handle opened another process), then you might get lucky and get it 
from that process' VAD, but it then again you might not.  Try the filescan 
option first since it seems more likely to obtain the exe that way.

Original comment by jamie.l...@gmail.com on 31 Mar 2014 at 1:58

GoogleCodeExporter commented 9 years ago
I suspect if it will work, as that mp3 file itself is getting executed.

Original comment by mr.darsh...@gmail.com on 1 Apr 2014 at 10:27

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 25 May 2014 at 5:36