tomchop / volatility-autoruns

Autoruns plugin for the Volatility framework
GNU General Public License v2.0

Autoruns is not working #12

Closed seifreed closed 8 years ago

seifreed commented 8 years ago
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.5', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 120, in execute
    data = self.calculate()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 525, in calculate
    self.winlogon = self.get_winlogon()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 236, in get_winlogon
    valdict = self.dict_for_key(winlogon_key)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 191, in dict_for_key
    for v in rawreg.values(key):
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/win32/rawreg.py", line 128, in values
    return [ v for v in key.ValueList.List.dereference()
AttributeError: 'NoneType' object has no attribute 'ValueList'
tomchop commented 8 years ago

I fixed dict_for_key. Can you try now and let me know if it works?

seifreed commented 8 years ago

Of course, man! I'll go and try it now!

Marc Rivero López | @seifreed | www.ecrime.info http://www.ecrime.info/


seifreed commented 8 years ago

New error!

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.5', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 120, in execute
    data = self.calculate()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 527, in calculate
    self.winlogon = self.get_winlogon()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 239, in get_winlogon
    timestamp = winlogon_key.LastWriteTime
AttributeError: 'NoneType' object has no attribute 'LastWriteTime'

Best regards


tomchop commented 8 years ago

Now? :)

seifreed commented 8 years ago

Hi!

No errors!

But I don't get any results.

It's strange, right?

I'm running autoruns on a Windows Server 2012.

Regards


tomchop commented 8 years ago

Well the errors came from the fact that the registry keys couldn't be read. So no display is consistent with that. What happens when you run this command? printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
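Both tracebacks in this thread come from the Winlogon key lookup returning None when the key is absent from the hives in the capture. The pattern below is an added illustration, not the plugin's own code: it reads such keys null-safely and annotates Shell/Userinit with their defaults the way the plugin's Winlogon section does. Volatility's rawreg objects are replaced by a hypothetical in-memory stand-in (FakeKey, open_key) so it runs offline.

```python
class FakeKey:
    """Hypothetical stand-in for a Volatility registry key object (added
    here so the example runs without Volatility's rawreg module)."""
    def __init__(self, last_write, values):
        self.LastWriteTime = last_write
        self.values = values              # list of (name, data) tuples

def open_key(hive, path):
    """Stand-in for rawreg.open_key(): returns None when the path is absent,
    which is exactly what produced the 'NoneType' tracebacks above."""
    return hive.get(path)

def dict_for_key(hive, path):
    """{value_name: data} for a key, or {} when the key cannot be found."""
    key = open_key(hive, path)
    if key is None:
        return {}
    return dict(key.values)

WINLOGON = r"Microsoft\Windows NT\CurrentVersion\Winlogon"
# Defaults the plugin prints next to each value ("Shell: x (default: y)")
WINLOGON_DEFAULTS = {"Shell": "Explorer.exe", "Userinit": "userinit.exe"}

def get_winlogon(hive):
    """Return (last_write_time, [(name, value, default), ...]), or (None, [])
    when the key is missing, so callers print nothing instead of crashing."""
    key = open_key(hive, WINLOGON)
    if key is None:
        return None, []
    vals = dict_for_key(hive, WINLOGON)
    found = [(n, vals[n], d) for n, d in WINLOGON_DEFAULTS.items() if n in vals]
    return key.LastWriteTime, found

def winlogon_lines(hive):
    """Render entries the way the autoruns Winlogon section does."""
    ts, entries = get_winlogon(hive)
    return ["%s: %s (default: %s) Last write time: %s" % (n, v, d, ts)
            for n, v, d in entries]

# Constructed sample hives: one with a Winlogon key, one from a capture in
# which the key is not found (the Windows Server 2012 case in this thread).
GOOD_HIVE = {WINLOGON: FakeKey("2016-01-19 19:41:29 UTC+0000",
                               [("Shell", "explorer.exe"),
                                ("Userinit", r"C:\Windows\system32\userinit.exe,"),
                                ("AutoRestartShell", 1)])}
BAD_HIVE = {}
```

An empty result for BAD_HIVE is the "no errors, but no output" behaviour described in the thread; a Shell or Userinit value that differs from its default is what a reviewer of the real output should look at first.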

seifreed commented 8 years ago

mmm

It's strange... look:

printkey -K Microsoft\Windows NT\CurrentVersion\Winlogon
Volatility Foundation Volatility Framework 2.5
Legend: (S) = Stable   (V) = Volatile

The requested key could not be found in the hive(s) searched

:-\

Maybe I’m using a wrong KDB? :S

Regards


tomchop commented 8 years ago

I've run into this issue before. First of all, is there any way you can confirm that the key is properly set on the live system?

If the key is present and yet you cannot read it from memory, it might be a problem with the memory capture itself. What tool did you use to capture the memory? I know that DumpIt fails when confronted with modern OSes (2012 server / Windows 8) and 64-bit systems, or very large memory samples (~8Gb), and this typically ends up with the registry not being readable even by "native" volatility plugins.

Can you give me a few more details on your setup?

seifreed commented 8 years ago

Hi Thomas,

As I know, the dump was captured using FTK.

Do you know any method to verify other stuff with the memory dump?

I tried to run volatility with malfind and Yara, and I’m not getting good results :-(

Regards


seifreed commented 8 years ago

Hi Thomas,

I tried autoruns with another dump and ran it successfully:

seifreed@linux-analyzer:~/$ vol.py --profile=Win7SP1x64 -f memory.dmp autoruns
Volatility Foundation Volatility Framework 2.5

Autoruns
=========================================

Hive: \SystemRoot\System32\Config\SOFTWARE
    Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2015-10-26 12:38:43 UTC+0000)
        Adobe Reader Speed Launcher : "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (PIDs: -)
        GrooveMonitor : "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" (PIDs: -)

Hive: \??\C:\Users\Sarah Connor\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2016-01-26 00:08:55 UTC+0000)
        soiq : "C:\Users\Sarah Connor\AppData\Roaming\Microsoft\Aubleu\auble.exe" (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2015-10-26 21:06:34 UTC+0000)
        mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2015-10-26 21:06:34 UTC+0000)
        mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Services
=========================================

Service: clr_optimization_v4.0.30319_32 (Microsoft .NET Framework NGEN v4.0.30319_X86) - Own_Process, Auto Start
    Image path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Last modified: 2016-01-19 20:09:23 UTC+0000)
    PIDs: 2228

Service: clr_optimization_v4.0.30319_64 (Microsoft .NET Framework NGEN v4.0.30319_X64) - Own_Process, Auto Start
    Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Last modified: 2016-01-19 20:09:24 UTC+0000)
    PIDs: 2644

Service: kuzlejf (Remote Procedure Call (RPC) Service) - Own_Process, Auto Start
    Image path: C:\Users\Sarah Connor\AppData\Roaming\Microsoft\Aubleu\auble.exe /D (Last modified: 2016-01-26 00:08:46 UTC+0000)
    PIDs: -

Service: WMPNetworkSvc (@%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101) - Own_Process, Auto Start
    Image path: "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" (Last modified: 2015-10-26 12:26:39 UTC+0000)
    PIDs: -

Winlogon
=========================================

Shell: explorer.exe (default: Explorer.exe)
    PIDs: 1992, 2820
    Last write time: 2016-01-19 19:41:29 UTC+0000

Userinit: C:\Windows\system32\userinit.exe, (default: userinit.exe)
    PIDs: -
    Last write time: 2016-01-19 19:41:29 UTC+0000

Active Setup
=====================================

Command line: %SystemRoot%\system32\unregmp2.exe /ShowWMP
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: C:\Windows\System32\ie4uinit.exe -UserIconConfig
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)

Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)

Command line: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    Last-written: 2009-07-14 04:49:00 UTC+0000 (PIDs: -)

Command line: "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: regsvr32.exe /s /n /i:U shell32.dll
    Last-written: 2010-11-21 03:33:56 UTC+0000 (PIDs: -)

Command line: C:\Windows\System32\ie4uinit.exe -BaseSettings
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)

Command line: C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
    Last-written: 2015-10-26 21:06:33 UTC+0000 (PIDs: -)

Regards,


tomchop commented 8 years ago

Thanks for the update. I guess we can mark this as resolved then?

seifreed commented 8 years ago

Mmm

Yep!
