volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Not able to see executable code after `procdump` #668

Closed nikhilh-20 closed 5 years ago

nikhilh-20 commented 5 years ago

I have a malware sample on VMware Workstation 15 and I dumped its RAM using FTK Imager. I know for a fact that a process, RegAsm.exe is launched by the malware which has vbc.exe as children (exited though). I'm using these various tools (FTK, Volatility) for learning purposes.

When I tried to dump RegAsm.exe, it doesn't seem to dump the executable instructions and the dumped executable doesn't execute. I don't know if this is expected. If expected, how is procdump beneficial?

pslist output:

nikhilh@siftworkstation -> ~ 
$ volatility -f win7_x64.mem --profile=Win7SP0x64 pslist
Volatility Foundation Volatility Framework 2.5
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
..........
..........
0xfffffa80094cd060 RegAsm.exe              300   2952     12      231      1      1 2019-11-20 04:27:27 UTC+0000                                 
..........
..........
0xfffffa8008733b30 chrome.exe             2868   3044      0 --------      1      0 2019-11-20 04:27:43 UTC+0000   2019-11-20 04:28:52 UTC+0000  
0xfffffa800873d970 vbc.exe                 572    300      0 --------      1      0 2019-11-20 04:27:53 UTC+0000   2019-11-20 04:28:02 UTC+0000  
0xfffffa8006ea97d0 vbc.exe                3508    300      0 --------      1      0 2019-11-20 04:28:55 UTC+0000   2019-11-20 04:28:55 UTC+0000  
0xfffffa800924e880 FTK Imager.exe         1760   3044      8      391      1      0 2019-11-20 04:29:43 UTC+0000                                 
0xfffffa800a660b30 vbc.exe                3868    300      0 -------- ------      0 2019-11-20 04:39:58 UTC+0000   2019-11-20 04:39:58 UTC+0000  

pstree output:

nikhilh@siftworkstation -> ~ 
$ volatility -f win7_x64.mem --profile=Win7SP0x64 pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa8008f02b30:wininit.exe                       408    332      3     78 2019-07-18 18:08:39 UTC+0000
. 0xfffffa8009133b30:services.exe                     516    408     13    208 2019-07-18 18:08:40 UTC+0000
..........
..........
0xfffffa80094cd060:RegAsm.exe                        300   2952     12    231 2019-11-20 04:27:27 UTC+0000
. 0xfffffa800a660b30:vbc.exe                         3868    300      0 ------ 2019-11-20 04:39:58 UTC+0000
. 0xfffffa8006ea97d0:vbc.exe                         3508    300      0 ------ 2019-11-20 04:28:55 UTC+0000
. 0xfffffa800873d970:vbc.exe                          572    300      0 ------ 2019-11-20 04:27:53 UTC+0000
..........
..........
. 0xfffffa8008db2060:explorer.exe                    3044    484     24    911 2019-07-18 18:09:29 UTC+0000
.. 0xfffffa8008733b30:chrome.exe                     2868   3044      0 ------ 2019-11-20 04:27:43 UTC+0000
.. 0xfffffa800924e880:FTK Imager.exe                 1760   3044      8    391 2019-11-20 04:29:43 UTC+0000
..........

procdump output:

nikhilh@siftworkstation -> ~ 
$ volatility -f win7_x64.mem --profile=Win7SP0x64 -p 300 procdump --dump-dir=./ --unsafe
Volatility Foundation Volatility Framework 2.5
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa80094cd060 0x0000000001330000 RegAsm.exe           OK: executable.300.exe

I tried running the dumped process executable in Win 7 x64 (the VM from which I dumped the memory) and got a runtime error: [image]

Code in dnSpyx86: [image]

atcuno commented 5 years ago

Hello,

A few things:

1) FTK is not a stable memory acquisition tool. Since you are using VMware you can just suspend the VM and then point Volatility to the resulting .vmem file in the guest's VM folder. If you copy the .vmem file somewhere else before pointing Volatility to it then be sure to copy any .vmss and .vmsn files as well, as documented here: https://github.com/volatilityfoundation/volatility/wiki/VMware-Snapshot-File

2) You will never be able to run an executable extracted from process memory (with procdump or dlldump) as significant changes occur when an exe is loaded into memory.

3) If the extracted file is empty / all nulls then it means the page(s) corresponding to that executable were not present in memory. This is something that can happen with any acquisition method, but using an unstable acquisition tool definitely increases the chance of it.
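One way to check a procdump output against the third point above, as an added example (not Volatility's code or anything from the thread): walk the dumped PE's section table and count pages that are entirely null, which is what a page that was not resident at acquisition time looks like in the dump. The fixture PE is constructed inline and is not a real sample; to check a real dump, pass the file's bytes to null_page_report.

```python
import struct

PAGE = 0x1000  # x64 Windows page size; a page absent from the dump reads back as nulls


def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) from the section table of a PE file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsec):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)
        yield name, raw_off, raw_size


def null_page_report(data: bytes) -> dict:
    """Map each section name to (null_pages, total_pages) in its raw data."""
    report = {}
    for name, off, size in pe_sections(data):
        body = data[off:off + size]
        nulls = sum(1 for p in range(0, len(body), PAGE) if not any(body[p:p + PAGE]))
        report[name] = (nulls, -(-len(body) // PAGE))
    return report


def all_null_sections(data: bytes) -> list:
    """Sections with no resident page at all: their code cannot be in the dump."""
    return [n for n, (nulls, total) in null_page_report(data).items()
            if total and nulls == total]


def build_sample_pe(sections):
    """Constructed fixture (not a real binary): minimal PE with only a section table."""
    e_lfanew, opt_size = 0x40, 0
    raw_off = -(-(e_lfanew + 24 + 40 * len(sections)) // PAGE) * PAGE
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0)
    body = bytearray()
    for name, content in sections:
        off = raw_off + len(body)
        hdr += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), off, len(content), off, 0, 0, 0, 0, 0x60000020)
        body += content
    return bytes(hdr.ljust(raw_off, b"\0") + body)


# Constructed sample: .text has one resident page and one paged-out page, .rdata none.
SAMPLE = build_sample_pe([(".text", bytes(range(256)) * 16 + b"\0" * PAGE),
                          (".rdata", b"\0" * PAGE)])
```

A section reported as all null (here .rdata) means the acquisition never captured it, so re-acquiring with the suspend method is the fix, not re-running procdump.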

nikhilh-20 commented 5 years ago

Thanks for that information!

  1. I'll try with VMware's suspend method and see how different things are compared to FTK's image.

  2. That makes sense. An exe needs to be linked and loaded into memory, so I guess the dumped executable (using procdump) doesn't have all that information to provide to Windows.

  3. I understand analyzing page files is very different from analyzing memory images. Is there any Volatility plugin that I can use to analyze page files in the context of the said executable?

atcuno commented 5 years ago

Please re-open the ticket if you have any more issues. Thanks.