Malware and Networking
Windows API
Microsoft's TCP/IP
Sockets
Clients contain client sockets
Servers contain server sockets
Ws2_32.dll
Wininet.dll
Winsock2
Kernel
Windows Sockets API
Passess
After a socket is created it must be bound to a port and listened.
Clients call connect.
Windows uses Berkeley compatible sockets in the Winsock Libraries
| Function | Description |
|----------|--------------------------------------------------------|
| Socket | Create a socket |
| bind | Attach to a socket on a port |
| listen | Listen for incoming connections |
| accept | Open and accept a connection |
| connect | Open a connection to a remote socket that is listening |
| recv | Recieve data from the remote socket |
| send | Send data to remote socket |
Rouge listeners
Suspicious connections
Promiscuous network cards
Hidden ports
Browser History
>>> dt("_ADDRESS_OBJECT")
'_ADDRESS_OBJECT' (104 bytes)
0x0 : Next ['pointer', ['_ADDRESS_OBJECT']]
0x2c : LocalIpAddress ['IpAddress']
0x30 : LocalPort ['unsigned be short']
0x32 : Protocol ['unsigned short']
0x148 : Pid ['unsigned long']
0x158 : CreateTime ['WinTimeStamp', {'is_utc': True}]
>>>
>>> dt("_TCPT_OBJECT")
'_TCPT_OBJECT' (32 bytes)
0x0 : Next ['pointer', ['_TCPT_OBJECT']]
0xc : RemoteIpAddress ['IpAddress']
0x10 : LocalIpAddress ['IpAddress']
0x14 : RemotePort ['unsigned be short']
0x16 : LocalPort ['unsigned be short']
0x18 : Pid ['unsigned long']
Both are Undocumented
Connections are stored in a hash table using Separate Chaining
0 -> 1023 = Well-known / system ports
1024 -> 49151 = ephermeral client or server ports and are registered ports by IANA.
49152 -> 65535 = unregistered ports
Print list of open sockets
Only works on XP and 2003 Server Images
vol.py sockets -f zeus.bin --profile=WinXPSP3x86
Volatility Foundation Volatility Framework 2.4
PID Port Proto Protocol Address Create Time
-------- ------ ------ --------------- --------------- -----------
892 19705 6 TCP 0.0.0.0 2009-02-12 03:38:14
PID Port Proto Protocol Address Create Time
-------- ------ ------ --------------- --------------- -----------
1064 1276 17 UDP 127.0.0.1 2009-02-12 03:38:12
1064 1275 17 UDP 192.168.128.128 2009-02-12 03:38:12
892 19705 6 TCP 0.0.0.0 2009-02-12 03:38:14
892 35335 6 TCP 0.0.0.0 2009-02-12 03:38:14
892 1277 6 TCP 0.0.0.0 2009-02-12 03:38:15
python vol.py -f zeus.vmem --profile=WinXPSP3x86 pslist | grep 892
Volatility Foundation Volatility Framework 2.4
Name PID PPID Thds Hnds Sess Start
----------------- ------ ------ ------ -------- ------ ------------------
svchost.exe 892 728 26 294 0 2008-09-18 05:32:58
$ python vol.py -f zeus.vmem --profile=WinXPSP3x86 pslist | grep 1064
Volatility Foundation Volatility Framework 2.4
Name PID PPID Thds Hnds Sess Start
----------------- ------ ------ ------ -------- ------ ------------------
svchost.exe 1064 728 62 1235 0 2008-09-18 05:32:59
View TCP connections active at time of acquisition.
Only works on XP and 2003 Server Images
python vol.py -f Win2003SP2x64.vmem --profile=Win2003SP2x64 connections
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Local Address Remote Address Pid
------------------ ------------------------- ------------------------- ------
0xfffffadfe6f2e2f0 172.16.237.150:1408 72.246.25.25:80 2136
0xfffffadfe72e8080 172.16.237.150:1369 64.4.11.30:80 2136
0xfffffadfe622d010 172.16.237.150:1403 74.125.229.188:80 2136
0xfffffadfe62e09e0 172.16.237.150:1352 64.4.11.20:80 2136
0xfffffadfe6f2e630 172.16.237.150:1389 209.191.122.70:80 2136
0xfffffadfe5e7a610 172.16.237.150:1419 74.125.229.187:80 2136
0xfffffadfe7321bc0 172.16.237.150:1418 74.125.229.188:80 2136
0xfffffadfe5ea3c90 172.16.237.150:1393 216.115.98.241:80 2136
0xfffffadfe72a3a80 172.16.237.150:1391 209.191.122.70:80 2136
0xfffffadfe5ed8560 172.16.237.150:1402 74.125.229.188:80 2136
Only works on XP and 2003 Server Images
Pool tag scan for _TCPT_OBJECT
python vol.py -f Win2K3SP0x64.vmem --profile=Win2003SP2x64 connscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x0ea7a610 172.16.237.150:1419 74.125.229.187:80 2136
0x0eaa3c90 172.16.237.150:1393 216.115.98.241:80 2136
0x0eaa4480 172.16.237.150:1398 216.115.98.241:80 2136
0x0ead8560 172.16.237.150:1402 74.125.229.188:80 2136
0x0ee2d010 172.16.237.150:1403 74.125.229.188:80 2136
0x0eee09e0 172.16.237.150:1352 64.4.11.20:80 2136
0x0f9f83c0 172.16.237.150:1425 98.139.240.23:80 2136
0x0f9fe010 172.16.237.150:1394 216.115.98.241:80 2136
Pool tag scan for _ADDRESS_OBJECT
XP and 2003 Server Only
[root&windows]#volatility -f Lab2.vmem --profile=WinXPSP2x86 sockscan
Volatility Foundation Volatility Framework 2.4
Offset(P) PID Port Proto Protocol Address Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x014273f8 1392 1900 17 UDP 192.168.145.135 2015-04-02 19:47:09 UTC+0000
0x01455978 1056 123 17 UDP 127.0.0.1 2015-04-02 18:37:38 UTC+0000
0x0145b478 1056 123 17 UDP 192.168.145.135 2015-04-02 18:37:38 UTC+0000
0x0145e4c8 1392 1900 17 UDP 127.0.0.1 2015-04-02 19:47:09 UTC+0000
0x01481938 828 3389 6 TCP 0.0.0.0 2015-04-02 19:38:07 UTC+0000
0x01f16008 4 137 17 UDP 192.168.145.135 2015-04-07 03:05:41 UTC+0000
0x01f181d8 1052 1355 17 UDP 127.0.0.1 2015-04-06 19:04:12 UTC+0000
0x01f218b8 1076 123 17 UDP 192.168.145.135 2015-04-07 03:05:41 UTC+0000
0x01f33680 1076 123 17 UDP 127.0.0.1 2015-04-07 03:05:41 UTC+0000
0x01f5b6e8 876 3389 6 TCP 0.0.0.0 2015-04-04 00:09:19 UTC+0000
0x01f684f8 1752 1028 6 TCP 127.0.0.1 2015-04-04 00:09:11 UTC+0000
0x01f87bb0 696 0 255 Reserved 0.0.0.0 2015-04-04 00:09:00 UTC+0000
0x01f9b5c0 1332 1309 17 UDP 127.0.0.1 2015-04-06 19:03:47 UTC+0000
0x01fabc18 4 1143 6 TCP 0.0.0.0 2015-04-05 03:05:04 UTC+0000
0x020db008 1372 1900 17 UDP 127.0.0.1 2015-04-07 03:05:41 UTC+0000
0x0214c5f0 696 4500 17 UDP 0.0.0.0 2015-04-04 00:09:00 UTC+0000
0x0214cd80 696 500 17 UDP 0.0.0.0 2015-04-04 00:09:00 UTC+0000
0x021b17b8 4 139 6 TCP 192.168.145.135 2015-04-07 03:05:41 UTC+0000
Dump executable to disk, restore imports and analyze!
Yara scan in memory to match malware signatures
If DLL Dlldump it!
Injected shellcode? Dump ir ot Disassemble it in VolShell!
| WinSock | WinINet | COM |
|----------------- |------------------- |------------------- |
| WSAStartup | InternetOpen | URLDownloadToFile |
| getaddrinfo | InternetConnect | CoInitialize |
| socket | InternetOpenURL | CoCreateInstance |
| connect | InternetReadFile | Navigate |
| send | InternetWriteFile | |
| recv | HttpOpenRequest | |
| WSAGetLastError | HTTPQueryInfo | |
| | | |
Windows Vista + network artifacts using pool-scanning
Scans
Distinguishes between IPv4 and IPv6
prints
>>> dt("_TCP_ENDPOINT")
'_TCP_ENDPOINT' (None bytes)
0x0 : CreateTime ['WinTimeStamp', {'is_utc': True, 'value': 0}]
0xc : InetAF ['pointer', ['_INETAF']]
0x10 : AddrInfo ['pointer', ['_ADDRINFO']]
0x14 : ListEntry ['_LIST_ENTRY']
0x34 : State ['Enumeration', {'target': 'long', 'choices': {0: 'CLOSED', 1: 'LISTENING', 2: 'SYN_SENT', 3: 'SYN_RCVD', 4: 'ESTABLISHED', 5: 'FIN_WAIT1', 6: 'FIN_WAIT2', 7: 'CLOSE_WAIT', 8: 'CLOSING', 9: 'LAST_ACK', 12: 'TIME_WAIT', 13: 'DELETE_TCB'}}]
0x38 : LocalPort ['unsigned be short']
0x3a : RemotePort ['unsigned be short']
0x174 : Owner ['pointer', ['_EPROCESS']]
>>> dt("_TCP_LISTENER")
'_TCP_LISTENER' (None bytes)
0x18 : Owner ['pointer', ['_EPROCESS']]
0x20 : CreateTime ['WinTimeStamp', {'is_utc': True}]
0x34 : LocalAddr ['pointer', ['_LOCAL_ADDRESS']]
0x38 : InetAF ['pointer', ['_INETAF']]
0x3e : Port ['unsigned be short']
>>> dt("_UDP_ENDPOINT")
'_UDP_ENDPOINT' (None bytes)
0x14 : InetAF ['pointer', ['_INETAF']]
0x18 : Owner ['pointer', ['_EPROCESS']]
0x30 : CreateTime ['WinTimeStamp', {'is_utc': True}]
0x38 : LocalAddr ['pointer', ['_LOCAL_ADDRESS']]
0x48 : Port ['unsigned be short']
(-) means results could not be found in memory dump.
Information in structures are pointers to pointers and are not always there if pages are swapped.
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 netscan
Volatility Foundation Volatility Framework 2.4
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x3da07008 UDPv4 0.0.0.0:0 *:* 2876 devenv.exe 2013-10-15 18:46:18 UTC+0000
0x3da07008 UDPv6 :::0 *:* 2876 devenv.exe 2013-10-15 18:46:18 UTC+0000
0x3da076c0 UDPv4 0.0.0.0:0 *:* 2876 devenv.exe 2013-10-15 18:46:18 UTC+0000
0x3dad5a18 UDPv4 0.0.0.0:0 *:* 2876 devenv.exe 2013-10-15 18:46:18 UTC+0000
0x3dad5a18 UDPv6 :::0 *:*
0x3ddca628 TCPv4 0.0.0.0:49178 0.0.0.0:0 LISTENING 520 lsass.exe
0x3ddca628 TCPv6 :::49178 :::0 LISTENING 520 lsass.exe
0x3ddcdf60 TCPv4 0.0.0.0:49178 0.0.0.0:0 LISTENING 520 lsass.exe
0x3da2db78 TCPv4 192.168.228.159:49210 63.241.108.124:80 CLOSED -------- --------------
0x3dab8570 TCPv4 192.168.228.159:49203 70.37.57.244:80 CLOSED -------- --------------
0x3dad6008 TCPv4 192.168.228.159:49202 64.4.11.25:80 CLOSED -------- --------------
0x3ef65af8 UDPv4 192.168.228.159:138 *:* 4 System 2013-10-15 18:48:52 UTC+0000
0x3f309200 TCPv4 192.168.228.159:49204 65.55.57.27:80 CLOSED -------- --------------
[root&windows]#whois 64.4.11.25
NetRange: 64.4.0.0 - 64.4.63.255
CIDR: 64.4.0.0/18
NetName: MICROSOFT
[root&windows]#whois 70.37.57.244
NetRange: 70.37.0.0 - 70.37.191.255
CIDR: 70.37.128.0/18, 70.37.0.0/17
NetName: MICROSOFT
Use yara to discover web related activity in memory
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 yarascan --wide -Y "http"
Rule: r1
Owner: Process taskhost.exe Pid 320
0x772c5eb0 68 00 74 00 74 00 70 00 00 00 00 00 66 00 74 00 h.t.t.p.....f.t.
0x772c5ec0 70 00 00 00 67 00 6f 00 70 00 68 00 65 00 72 00 p...g.o.p.h.e.r.
0x772c5ed0 00 00 00 00 6d 00 61 00 69 00 6c 00 74 00 6f 00 ....m.a.i.l.t.o.
0x772c5ee0 00 00 00 00 6e 00 65 00 77 00 73 00 00 00 00 00 ....n.e.w.s.....
0x772c5ef0 6e 00 6e 00 74 00 70 00 00 00 00 00 74 00 65 00 n.n.t.p.....t.e.
0x772c5f00 6c 00 6e 00 65 00 74 00 00 00 00 00 77 00 61 00 l.n.e.t.....w.a.
0x772c5f10 69 00 73 00 00 00 00 00 6d 00 6b 00 00 00 00 00 i.s.....m.k.....
Find a firewall log for an IP address?
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 yarascan --wide -Y "192.168"
Owner: Process VSSVC.exe Pid 580
0x002d84b8 31 00 39 00 32 00 2e 00 31 00 36 00 38 00 2e 00 1.9.2...1.6.8...
0x002d84c8 32 00 32 00 38 00 2e 00 31 00 35 00 39 00 00 00 2.2.8...1.5.9...
Owner: Process VSSVC.exe Pid 580
0x0029f620 31 00 39 00 32 00 2e 00 31 00 36 00 38 00 2e 00 1.9.2...1.6.8...
0x0029f630 32 00 32 00 38 00 2e 00 31 00 35 00 39 00 00 00 2.2.8...1.5.9...
From knowing what processes had network connections, use -p to find only connections that appeared malicious
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 yarascan --wide -Y "http" -p 520
Volatility Foundation Volatility Framework 2.4
Rule: r1
Owner: Process lsass.exe Pid 520
0x752bd3a4 68 00 74 00 74 00 70 00 00 00 90 90 6e 00 63 00 h.t.t.p.....n.c.
0x752bd3b4 61 00 6c 00 72 00 70 00 63 00 00 00 6e 00 63 00 a.l.r.p.c...n.c.
0x752bd3c4 61 00 63 00 6e 00 5f 00 6e 00 70 00 00 00 90 90 a.c.n._.n.p.....
0x752bd3d4 6e 00 63 00 61 00 63 00 6e 00 5f 00 69 00 70 00 n.c.a.c.n._.i.p.
0x752bd3e4 5f 00 74 00 63 00 70 00 00 00 90 90 90 90 90 8b _.t.c.p.........
0x752bd3f4 ff 55 8b ec 83 ec 0c 8b 45 08 c1 e0 02 8b 88 74 .U......E......t
0x752bd404 ad 32 75 33 d2 c7 45 f4 0c 00 00 00 c7 45 f8 04 .2u3..E......E..
0x752bd414 00 00 00 89 55 fc 3b ca 0f 84 9d 02 00 00 56 8d ....U.;.......V.
0x752bd424 75 f4 56 52 51 6a 0a ff b0 60 ad 32 75 ff 15 d8 u.VRQj...`.2u...
0x752bd434 90 32 75 5e c9 c2 04 00 90 90 90 90 90 ff 25 e4 .2u^..........%.
0x752bd444 13 2b 75 90 90 90 90 90 6a 64 68 80 d5 2b 75 e8 .+u.....jdh..+u.
0x752bd454 9c 41 ff ff 33 f6 89 75 e0 c6 45 e7 00 c6 45 e6 .A..3..u..E...E.
0x752bd464 00 32 db 89 75 d0 89 75 dc 33 d2 42 89 55 d4 89 .2..u..u.3.B.U..
0x752bd474 75 cc 6a 07 59 33 c0 8d 7d b0 f3 ab 6a 09 59 8d u.j.Y3..}...j.Y.
0x752bd484 7d 8c f3 ab 89 75 fc 52 56 56 ff 15 8c 92 32 75 }....u.RVV....2u
0x752bd494 89 45 d0 3b c6 0f 84 bc 16 00 00 68 85 00 00 00 .E.;.......h....
Hook user mode APIs
Install Kernel Drive to hook tcpip.sys driver
Create a driver, NDIS, to operate lower than Winsock2 and bypass socket and connection object creation
Pooltag scanning eliminates these. Also finding IP packets or eth frames in memory dump.
*Note: DKOM does not work on TCP/IP structures, but you can overwrite pool tags. *
Admin processes can enable raw sockets through Winsock2.
Enable programs to access transport layer data and forge/spoof packets.
Can use raw sockets in promiscuous mode and capture information going over wire.
Two types:
SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
Live: Promiscdetect
Volatility: Sockets or Handles
Look for oddly named protocols
$ python vol.py sockets -f ursniff.vmem --profile=WinXPSP3x86
Volatility Foundation Volatility Framework 2.4
PID Port Proto Protocol Address Create Time
-------- ------ ------ --------------- --------------- -----------
1052 123 17 UDP 172.16.99.130 2009-11-18 01:23:24
716 500 17 UDP 0.0.0.0 2009-11-18 01:23:20
1824 0 0 HOPOPT 172.16.99.130 2010-01-07 20:29:10
[...]
$ python vol.py files -p 1824 -f ursniff.vmem --profile=WinXPSP3x86
Volatility Foundation Volatility Framework 2.4
Offset(V) Pid Handle Access Type Details
---------- ------ ---------- ---------- ---------------- -------
0x818f9f90 1824 0xa0 0x1f01ff File \Device\Afd\Endpoint
0x814d4b70 1824 0xa8 0x1f01ff File \Device\RawIp\0
0x8145bf90 1824 0xd0 0x1f01ff File \Device\Afd\Endpoint
0x8155cf90 1824 0xd4 0x1f01ff File \Device\Tcp
[...]
Chrome and Firefox use a SQLite database.
Internet Explorer
[root&windows]#volatility -f Lab2.vmem --profile=WinXPSP2x86 pslist | grep iexplore
Volatility Foundation Volatility Framework 2.4
0x81d79da0 iexplore.exe 1052 1756 12 484 0 0 2015-04-06 19:03:42 UTC+0000
0x81fa8ad0 iexplore.exe 1332 1052 20 797 0 0 2015-04-06 19:03:46 UTC+0000
[root&windows]#volatility -f Lab2.vmem --profile=WinXPSP2x86 yarascan -p 1052,1332 -Y "/(URL |REDR|LEAK)/"
Owner: Process iexplore.exe Pid 1332
0x01115600 55 52 4c 20 02 00 00 00 f0 9a ab 8d 76 70 d0 01 URL.........vp..
0x01115610 f0 a2 81 76 a0 70 d0 01 a2 46 18 9c 00 00 00 00 ...v.p...F......
0x01115620 00 00 00 00 00 00 00 00 00 00 00 00 80 51 01 00 .............Q..
0x01115630 60 00 00 00 68 00 00 00 fe 00 10 10 00 00 00 00 `...h...........
0x01115640 04 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01115650 86 46 18 9c 01 00 00 00 00 00 00 00 00 00 00 00 .F..............
0x01115660 00 00 00 00 ef be ad de 3a 32 30 31 35 30 34 30 ........:2015040
0x01115670 36 32 30 31 35 30 34 30 37 3a 20 41 64 6d 69 6e 620150407:.Admin
0x01115680 40 68 74 74 70 3a 2f 2f 77 77 77 2e 68 61 6e 64 @http://www.hand
0x01115690 67 72 65 70 2e 73 65 2f 72 65 70 6f 73 69 74 6f grep.se/reposito
0x011156a0 72 79 2f 73 6f 75 72 63 65 73 2f 52 6f 6f 74 6b ry/sources/Rootk
0x011156b0 69 74 73 2f 64 72 69 76 65 72 5f 6c 6f 61 64 65 its/driver_loade
0x011156c0 72 2e 63 00 ef be ad de ef be ad de ef be ad de r.c.............
Rule: r1
Owner: Process iexplore.exe Pid 1052
0x00b08b80 55 52 4c 20 02 00 00 00 30 39 6d cd a0 70 d0 01 URL.....09m..p..
0x00b08b90 30 39 6d cd a0 70 d0 01 a2 46 83 9b 00 00 00 00 09m..p...F......
0x00b08ba0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00b08bb0 60 00 00 00 68 00 00 00 fe 00 10 10 00 00 00 00 `...h...........
0x00b08bc0 01 00 20 00 9c 00 00 00 14 00 00 00 00 00 00 00 ................
0x00b08bd0 86 46 67 9c 01 00 00 00 00 00 00 00 00 00 00 00 .Fg.............
0x00b08be0 00 00 00 00 ef be ad de 56 69 73 69 74 65 64 3a ........Visited:
0x00b08bf0 20 41 64 6d 69 6e 40 68 74 74 70 3a 2f 2f 77 77 .Admin@http://ww
0x00b08c00 77 2e 6f 73 72 6f 6e 6c 69 6e 65 2e 63 6f 6d 2f w.osronline.com/
0x00b08c10 6c 6f 67 69 6e 2e 63 66 6d 00 ad de 10 00 02 00 login.cfm.......
Rule: r1
Owner: Process iexplore.exe Pid 1052
0x00b06700 55 52 4c 20 02 00 00 00 e0 2a 22 d1 a0 70 d0 01 URL......*"..p..
0x00b06710 e0 2a 22 d1 a0 70 d0 01 a2 46 86 9b 00 00 00 00 .*"..p...F......
0x00b06720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00b06730 60 00 00 00 68 00 00 00 fe 00 10 10 00 00 00 00 `...h...........
0x00b06740 01 00 20 00 98 00 00 00 14 00 00 00 00 00 00 00 ................
0x00b06750 86 46 6a 9c 01 00 00 00 00 00 00 00 00 00 00 00 .Fj.............
0x00b06760 00 00 00 00 ef be ad de 56 69 73 69 74 65 64 3a ........Visited:
0x00b06770 20 41 64 6d 69 6e 40 66 69 6c 65 3a 2f 2f 2f 43 .Admin@file:///C
0x00b06780 3a 2f 62 69 6e 2f 6f 73 72 6c 6f 61 64 65 72 76 :/bin/osrloaderv
0x00b06790 33 30 2e 7a 69 70 00 de 10 00 02 00 00 00 00 10 30.zip..........
Rule: r1
Owner: Process iexplore.exe Pid 1052
0x00b01c80 55 52 4c 20 02 00 00 00 b0 57 91 27 8c 6d d0 01 URL......W.'.m..
0x00b01c90 b0 57 91 27 8c 6d d0 01 9c 46 bb ab 00 00 00 00 .W.'.m...F......
0x00b01ca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00b01cb0 60 00 00 00 68 00 00 00 fe 00 10 10 00 00 00 00 `...h...........
0x00b01cc0 01 00 20 00 90 00 00 00 14 00 00 00 00 00 00 00 ................
0x00b01cd0 82 46 bb ab 01 00 00 00 00 00 00 00 00 00 00 00 .F..............
0x00b01ce0 00 00 00 00 ef be ad de 56 69 73 69 74 65 64 3a ........Visited:
0x00b01cf0 20 41 64 6d 69 6e 40 66 69 6c 65 3a 2f 2f 2f 43 .Admin@file:///C
0x00b01d00 3a 2f 62 69 6e 2f 67 65 74 70 69 70 2e 70 79 00 :/bin/getpip.py.
Owner: Process iexplore.exe Pid 1052
0x00b00d00 55 52 4c 20 04 00 00 00 10 18 6c 73 8b 6d d0 01 URL.......ls.m..
0x00b00d10 00 62 6e 73 8b 6d d0 01 9c 46 19 ab 00 00 00 00 .bns.m...F......
0x00b00d20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00b00d30 60 00 00 00 68 00 00 00 fe 00 10 10 00 00 00 00 `...h...........
0x00b00d40 01 00 20 00 cc 00 00 00 bc 00 00 00 00 00 00 00 ................
0x00b00d50 82 46 19 ab 1b 00 00 00 00 00 00 00 00 00 00 00 .F..............
0x00b00d60 00 00 00 00 ef be ad de 56 69 73 69 74 65 64 3a ........Visited:
0x00b00d70 20 41 64 6d 69 6e 40 68 74 74 70 73 3a 2f 2f 69 .Admin@https://i
0x00b00d80 73 63 2e 73 61 6e 73 2e 65 64 75 2f 2f 64 69 61 sc.sans.edu//dia
0x00b00d90 72 79 2f 57 69 6e 70 6d 65 6d 2b 2d 2b 4d 69 6c ry/Winpmem+-+Mil
0x00b00da0 64 2b 6d 61 6e 6e 65 72 65 64 2b 6d 65 6d 6f 72 d+mannered+memor
0x00b00db0 79 2b 61 71 75 69 73 69 74 69 6f 6e 2b 74 6f 6f y+aquisition+too
0x00b00dc0 6c 3f 25 33 66 2f 31 37 30 35 34 00 10 00 02 00 l?%3f/17054.....
0x00b00dd0 00 00 00 00 00 00 00 00 00 00 00 00 a8 00 10 1f ................
0x00b00de0 49 00 6e 00 66 00 6f 00 53 00 65 00 63 00 20 00 I.n.f.o.S.e.c...
0x00b00df0 48 00 61 00 6e 00 64 00 6c 00 65 00 72 00 73 00 H.a.n.d.l.e.r.s.
We know pip was at least downloaded
We know OSRLOADER was downloaded
We know winpmem was accessed from the web
Reconstruct Internet Explorer cache / history
Output IE history in csv or text
-o OFFSET, --offset=OFFSET
EPROCESS offset (in hex) in the physical address space
-p PID, --pid=PID Operate on these Process IDs (comma-separated)
-n NAME, --name=NAME Operate on these process names (regex)
-L, --leak Find LEAK records (deleted)
-R, --redr Find REDR records (redirected)
[root&windows]#volatility -f Lab2.vmem --profile=WinXPSP2x86 iehistory -p 1052,1332
Volatility Foundation Volatility Framework 2.4
**************************************************
Process: 1052 iexplore.exe
Cache type "URL " at 0xae5000
Record length: 0x100
Location: Cookie:[email protected]/
Last modified: 2015-04-02 19:50:50 UTC+0000
Last accessed: 2015-04-06 19:34:03 UTC+0000
File Offset: 0x100, Data Offset: 0x84, Data Length: 0x0
File: UAPOKXN1.txt
**************************************************
Process: 1332 iexplore.exe
Cache type "URL " at 0x1075400
Record length: 0x100
Location: DOMStore:http://pip.pypa.io/
Last modified: 1970-01-01 00:00:00 UTC+0000
Last accessed: 2015-04-02 21:28:24 UTC+0000
File Offset: 0x100, Data Offset: 0x88, Data Length: 0x0
File: pip.pypa[1].xml
**************************************************
Brute force!
Use regex and yara!
Websites: "/[a-zA-Z0-9-.]+.(com|org|net|mil|edu|biz|name|info)/"
Mail: ((mailto\:|(news|(ht|f)tp(s?))\://){1}\S+)
Http: ^http\://[a-zA-Z0-9-.]+.[a-zA-Z]{2,3}(/\S*)?$
Svchost.exe runs DNS resolver
system32\drivers\etc\hosts
[root&windows]#volatility -f Lab2.vmem --profile=WinXPSP2x86 filescan | grep hosts
Volatility Foundation Volatility Framework 2.4
0x0000000002089028 1 0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
[root&windows]#mkdir hosts
/bin/mkdir: created directory `hosts'
[root&windows]#volatility -f Lab2.vmem --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002089028 -D hosts/ --name
Volatility Foundation Volatility Framework 2.4
DataSectionObject 0x02089028 None \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
[root&windows]#cat hosts/file.None.0x8221fb30.hosts.dat
127.0.0.1 localhost
Table of Contents | t |
---|---|
Exposé | ESC |
Full screen slides | e |
Presenter View | p |
Source Files | s |
Slide Numbers | n |
Toggle screen blanking | b |
Show/hide slide context | c |
Notes | 2 |
Help | h |