Closed seifreed closed 8 years ago
I fixed dict_for_key. Can you try now and let me know if it works?
Marc Rivero López | @seifreed | www.ecrime.info http://www.ecrime.info/
New error!
```
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 5, in
```
Now? :)
Hi!
No errors!
But I don't get results.
It's strange, right?
I'm running autoruns on Windows Server 2012.
Well the errors came from the fact that the registry keys couldn't be read. So no display is consistent with that.
What happens when you run this command?
```
printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
```
Hmm.
It's strange... look:
```
printkey -K Microsoft\Windows NT\CurrentVersion\Winlogon
Volatility Foundation Volatility Framework 2.5
Legend: (S) = Stable   (V) = Volatile

The requested key could not be found in the hive(s) searched
```
:-\
Maybe I'm using the wrong KDB? :S
I've run into this issue before. First of all, is there any way you can confirm that the key is properly set on the live system?
If the key is present and yet you cannot read it from memory, it might be a problem with the memory capture itself. What tool did you use to capture the memory? I know that DumpIt fails when confronted with modern OS (2012 server / Windows 8) and 64-bit systems or very large memory samples (~8Gb), and this typically ends up with the registry not being readable even by "native" volatility plugins.
Can you give me a little more details on your setup?
Hi Thomas,
As I know, the dump was captured using FTK.
Do you know any method to verify other stuff with the memory dump?
I tried to run volatility with malfind and Yara, and I'm not getting good results :-(
Hi Thomas,
I tried autoruns with another dump and it ran successfully:
```
seifreed@linux-analyzer:~/$ vol.py --profile=Win7SP1x64 -f memory.dmp autoruns
Volatility Foundation Volatility Framework 2.5

Autoruns
=========================================

Hive: \SystemRoot\System32\Config\SOFTWARE
    Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2015-10-26 12:38:43 UTC+0000)
        Adobe Reader Speed Launcher : "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (PIDs: -)
        GrooveMonitor : "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" (PIDs: -)

Hive: \??\C:\Users\Sarah Connor\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2016-01-26 00:08:55 UTC+0000)
        soiq : "C:\Users\Sarah Connor\AppData\Roaming\Microsoft\Aubleu\auble.exe" (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2015-10-26 21:06:34 UTC+0000)
        mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2015-10-26 21:06:34 UTC+0000)
        mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Services
=========================================

Service: clr_optimization_v4.0.30319_32 (Microsoft .NET Framework NGEN v4.0.30319_X86) - Own_Process, Auto Start
    Image path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Last modified: 2016-01-19 20:09:23 UTC+0000)
    PIDs: 2228

Service: clr_optimization_v4.0.30319_64 (Microsoft .NET Framework NGEN v4.0.30319_X64) - Own_Process, Auto Start
    Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Last modified: 2016-01-19 20:09:24 UTC+0000)
    PIDs: 2644

Service: kuzlejf (Remote Procedure Call (RPC) Service) - Own_Process, Auto Start
    Image path: C:\Users\Sarah Connor\AppData\Roaming\Microsoft\Aubleu\auble.exe /D (Last modified: 2016-01-26 00:08:46 UTC+0000)
    PIDs: -

Service: WMPNetworkSvc (@%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101) - Own_Process, Auto Start
    Image path: "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" (Last modified: 2015-10-26 12:26:39 UTC+0000)
    PIDs: -

Winlogon
=========================================

Shell: explorer.exe (default: Explorer.exe)
    PIDs: 1992, 2820
    Last write time: 2016-01-19 19:41:29 UTC+0000

Userinit: C:\Windows\system32\userinit.exe, (default: userinit.exe)
    PIDs: -
    Last write time: 2016-01-19 19:41:29 UTC+0000

Active Setup
=====================================

Command line: %SystemRoot%\system32\unregmp2.exe /ShowWMP
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: C:\Windows\System32\ie4uinit.exe -UserIconConfig
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)

Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)

Command line: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    Last-written: 2009-07-14 04:49:00 UTC+0000 (PIDs: -)

Command line: "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: regsvr32.exe /s /n /i:U shell32.dll
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: C:\Windows\System32\ie4uinit.exe -BaseSettings
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)

Command line: C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)
```
Regards,
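An added example, not code from this issue or from the volatility-autoruns project: a small Python parser for the plugin's text report (Autoruns and Services sections, in the layout of the successful run above) that flags persistence entries whose executable sits under a user-writable directory, the pattern the Run key and the "RPC" service pointing at an AppData path show in that report. The sample report lines and the path markers are constructed for the example.

```python
import re

# Constructed sample in the layout of the volatility-autoruns text report
# (illustrative names and paths, not copied from the poster's dump).
SAMPLE_OUTPUT = r"""Autoruns
=========================================
Hive: \SystemRoot\System32\Config\SOFTWARE
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2015-10-26 12:38:43 UTC+0000)
        Updater : "C:\Program Files (x86)\Vendor\updater.exe" (PIDs: -)
Hive: \??\C:\Users\alice\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2016-01-26 00:08:55 UTC+0000)
        svc : "C:\Users\alice\AppData\Roaming\Microsoft\Tmp\svc.exe" (PIDs: 1234)
Services
=========================================
Service: rpcsvx (Remote Procedure Call (RPC) Service) - Own_Process, Auto Start
    Image path: C:\Users\alice\AppData\Roaming\Microsoft\Tmp\svc.exe /D (Last modified: 2016-01-26 00:08:46 UTC+0000)
    PIDs: -
Service: WMPNetworkSvc (Windows Media Player Network Sharing) - Own_Process, Auto Start
    Image path: "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" (Last modified: 2015-10-26 12:26:39 UTC+0000)
    PIDs: -
"""

# Path fragments (assumed markers) that a service or Run entry rarely needs legitimately.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
RUN_ENTRY = re.compile(r"^\s+(?P<name>.+?) : (?P<cmd>.+?) \(PIDs: [^)]*\)\s*$")
SERVICE = re.compile(r"^Service: (?P<name>\S+) \(.*\) - ")
IMAGE = re.compile(r"^\s+Image path: (?P<cmd>.+?) \(Last modified:")

def parse_autoruns(text):
    """Turn the report into {kind, name, cmd} records for Run keys and services."""
    records, section, service = [], None, None
    for line in text.splitlines():
        if line in ("Autoruns", "Services"):   # section headers, underline ignored
            section = line
        elif section == "Autoruns":             # hive/key lines do not match RUN_ENTRY
            m = RUN_ENTRY.match(line)
            if m:
                records.append({"kind": "run", "name": m["name"], "cmd": m["cmd"]})
        elif section == "Services":
            m = SERVICE.match(line)
            if m:
                service = m["name"]
            m = IMAGE.match(line)
            if m and service:
                records.append({"kind": "service", "name": service, "cmd": m["cmd"]})
    return records

def flag_user_writable(records):
    """Keep entries whose executable lives under a user-writable directory."""
    return [r for r in records
            if any(p in r["cmd"].strip('"').lower() for p in USER_WRITABLE)]
```

Running `flag_user_writable(parse_autoruns(SAMPLE_OUTPUT))` isolates the two entries that point into a user profile, which is where a reviewer would start when reading a report like the one above.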
Thanks for the update. I guess we can mark this as resolved then?
Mmm