Original comment by jamie.l...@gmail.com
on 10 Dec 2012 at 2:13
Hi Sebastien,
Regarding the first problem "Volatility only scans VAD from the processes he
can see in the EPROCESS list" - that's actually OK. It's the same default
behavior as dlllist, handles, getsids, malfind, and various other plugins. With
no parameters, they work on all processes in the active list. If you want to
only analyze one or more processes in the active list, you can use -p/--pid.
More importantly for your situation is they all also accept the -o/--offset
parameter:
$ python vol.py yarascan -h
-o OFFSET, --offset=OFFSET
EPROCESS offset (in hex) in the physical address space
-p PID, --pid=PID Operate on these Process IDs (comma-separated)
-K, --kernel Scan kernel modules
.......
So if you wanted to scan a hidden process, and you've identified it with
psscan, just pass the physical offset using that parameter above and yarascan
will work with it.
Regarding the userspace vs kernel scan, I see what you mean, though I'm not
100% convinced it's a required change at this time. It would be a very minor
change to enable scanning both spaces at the same time though. In fact, here's
a patch which I think would achieve your goal. Let me know if it's what you're
thinking?
Original comment by michael.hale@gmail.com
on 3 Jan 2013 at 10:35
Hey Sebastien, I'm going to mark this as wont-fix for now, unless a majority of
users want the change. You have the patch now and can enable it for your own
usage if desired. Hope that is ok?
Original comment by michael.hale@gmail.com
on 11 Jan 2013 at 3:21
Hi Michael,
Sorry I didn't reply earlier, I just came back from holidays and was on
training all week.
> Regarding the userspace vs kernel scan, I see what you mean, though I'm not
> 100% convinced it's a required change at this time. It would
> be a very minor change to enable scanning both spaces at the same time though.
> In fact, here's a patch which I think would achieve your
> goal. Let me know if it's what you're thinking?
Thanks for the patch! Yes that's what I was looking for. I agree that it's an
enhancement to speed up analysis and not an issue per se. I was just too lazy to
run Volatility twice instead of once ;-)
> More importantly for your situation is they all also accept the -o/--offset
> parameter
Hadn't thought of the --offset option, thanks for leading me to that solution
:-)
However, I wasn't able to test it because yarascan doesn't seem to work with
the --offset parameter. Am I missing something? Sorry I had a long week! The
-p/--pid parameter works as expected.
> Regarding the first problem "Volatility only scans VAD from the processes he
> can see in the EPROCESS list"
> - that's actually OK. It's the same default behavior as dlllist, handles,
> getsids, malfind, and various
> other plugins.
I understand that it is the default behavior but I don't think it should be for
yarascan.
When yara is used as a triage tool against a memory dump, analysts (or
automated sandboxes) need to perform more steps to identify/classify the memory
dump:
1) Run yarascan against a set of rules, no need to run this step twice with
your patch ;-)
2) Run psxview to identify possible rootkit processes
3) Run psscan to find if processes found in step 2) are terminated (if analysts
only want active rootkit)
4) Run yarascan against processes found in step 2 and/or 3 (sometimes can be
useful to run yara on terminated processes to detect lateral movement)
Regards,
Sebastien
Original comment by sebastie...@gmail.com
on 11 Jan 2013 at 4:28
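Michael's -o/--offset suggestion and Sebastien's four steps, as an added example that is not part of the issue or of Volatility's own code: it parses constructed psscan and pslist output in the Volatility 2.x column layout, keeps the processes psscan carves that the active EPROCESS list does not show (optionally dropping terminated ones), and builds the yarascan command line for each using the physical offset. The --profile, -f and --yara-file options are Volatility 2.x options assumed here, and the profile, image and rules file names are placeholders.

```python
import shlex
# Constructed sample output in the layout of Volatility 2.x psscan and pslist
# (not taken from the issue); process names, PIDs and offsets are invented.
PSSCAN_OUTPUT = """\
Offset(P)          Name             PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029ab8 explorer.exe     1724   1708 0x0a340320 2010-10-29 17:08:53 UTC+0000
0x0000000002151020 hidden.exe       1916   1724 0x0a340420 2010-10-29 17:09:05 UTC+0000
0x0000000002251020 gone.exe         2040   1724 0x0a340520 2010-10-29 17:09:10 UTC+0000   2010-10-29 17:12:00 UTC+0000
"""
PSLIST_OUTPUT = """\
Offset(V)  Name                 PID   PPID   Thds   Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ ------ ------ ------ ------------------------------ ------------------------------
0x81e7bda0 explorer.exe         1724   1708     16    450      0      0 2010-10-29 17:08:53 UTC+0000
"""

def parse_psscan(text):
    """Map PID -> (physical EPROCESS offset, name, exited?) from psscan output."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].startswith("0x"):
            continue  # header and separator rows
        # 8 fields = created only; an exit timestamp adds date, time and tz (11 fields)
        procs[int(f[2])] = (f[0], f[1], len(f) >= 11)
    return procs

def pslist_pids(text):
    """PIDs present in the linked EPROCESS list (what yarascan walks by default)."""
    return {int(line.split()[2]) for line in text.splitlines() if line.startswith("0x")}

def hidden_processes(psscan_text, pslist_text, include_exited=False):
    """Steps 2 and 3: processes psscan carved that pslist cannot see; exited ones dropped unless asked for."""
    active = pslist_pids(pslist_text)
    return [(pid, off, name, exited)
            for pid, (off, name, exited) in sorted(parse_psscan(psscan_text).items())
            if pid not in active and (include_exited or not exited)]

def yarascan_commands(psscan_text, pslist_text, profile, image, rules, include_exited=False):
    """Step 4: one yarascan run per hidden process, addressed by -o/--offset (hex, physical)."""
    return [
        f"python vol.py --profile={profile} -f {shlex.quote(image)} yarascan "
        f"--yara-file={shlex.quote(rules)} -o {off}"
        for _pid, off, _name, _exited in hidden_processes(psscan_text, pslist_text, include_exited)
    ]

if __name__ == "__main__":
    for cmd in yarascan_commands(PSSCAN_OUTPUT, PSLIST_OUTPUT, "WinXPSP2x86", "mem.raw", "rules.yar"):
        print(cmd)
```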
Original issue reported on code.google.com by sebastie...@gmail.com
on 6 Dec 2012 at 2:41