malwarecookbook's Issues

pescanner.py crashed when analyzing 30K samples

What steps will reproduce the problem?
1. Analyze 30,000 something PE malware


What is the expected output? What do you see instead?

najmi@vostro:~/malware-csm$ ./pescanner.py . > report.txt
Traceback (most recent call last):
  File "./pescanner.py", line 391, in <module>
    pescan.collect()
  File "./pescanner.py", line 323, in collect
    callbacks = self.check_tls(pe)
  File "./pescanner.py", line 161, in check_tls
    func = pe.get_dword_from_data(pe.get_data(callback_array_rva + 4 * idx, 4), 0)
  File "/usr/local/lib/python2.7/dist-packages/pefile-1.2.10_107-py2.7.egg/pefile.py", line 3779, in get_data
    raise PEFormatError, 'data at RVA can\'t be fetched. Corrupt header?'
pefile.PEFormatError: "data at RVA can't be fetched. Corrupt header?"
najmi@vostro:~/malware-csm$


What version of the product are you using? On what operating system?

Version: From malwarecookbook SVN
OS: On Ubuntu 11.04 Natty


Please provide any additional information below.
I have to segregate the PE samples into 100-200 files.. which is tedious since 
there are 30,000 samples.

Badly need your help :)

Original issue reported on code.google.com by najmi.zabidi on 18 Jun 2011 at 4:00

malware plugins not installed with 2.1 alpha

What steps will reproduce the problem?
1. Checkout volatility-read-only
2. sudo python setup.py install
3. vol.py -h

What is the expected output? What do you see instead?
Expect to see malware plugins, such as 'malfind'
Do not see these plugins

What version of the product are you using? On what operating system?
2.1 alpha on Ubuntu 10.04LTS

Please provide any additional information below.
I copied the malware directory from the source to 
/usr/local/lib/python2.6/dist-packages/volatility/plugins and the malware 
plugins I've tried so far seem to work. grep'd the source directory for 
'malware' and noticed in vol.py it seems to state malware plugins aren't 
installed if yara isn't found. There doesn't seem to be a clear warning about 
that in the output of setup.py.

Original issue reported on code.google.com by [email protected] on 23 Jun 2012 at 4:19

avsubmit.py & VT API 2.0

VirusTotal has recently released VT API v2.0, moving v1.0 to deprecated 
status. avsubmit.py with API v1.0 still currently works, however access to v1.0 
may be removed at some point in the future.

API v2.0 uses new HTTP POST URLs for sending files and requesting reports. The 
new send file URL is "https://www.virustotal.com/vtapi/v2/file/scan" and the 
request report URL is "https://www.virustotal.com/vtapi/v2/file/report".

From reviewing the sample code on VT's website and avsubmit.py, converting the 
Virustotal.upload_file def to v2 should only require changing the HTTP POST URL.

Receiving the report and adding it to the database will require more changes 
than just updating the POST URL. Version 2 of the API now returns much more 
data and in a different format than v1. Version 2 uses a dictionary for each AV 
vendor with additional data included in the key:value pairs.

VirusTotal API v2.0 documentation and sample code available here: 
https://www.virustotal.com/documentation/public-api/

Original issue reported on code.google.com by [email protected] on 7 Feb 2012 at 11:19
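
The report handling described in this issue, as an added example (not code from avsubmit.py or from VirusTotal's sample code): it flattens the per-vendor dictionaries of a v2 report into one row per engine for a database insert. The sample reports are constructed, the field names follow the v2 public API report format, and the `detects` table layout is an assumption.

```python
import json
import sqlite3

# Constructed sample in the shape of a v2 file/report response. Vendor names,
# versions and detection names are made up; the resource is a placeholder.
SAMPLE_REPORT = json.dumps({
    "response_code": 1,
    "resource": "0" * 32,
    "scan_date": "2012-02-07 11:19:00",
    "positives": 2,
    "total": 3,
    "scans": {
        "VendorA": {"detected": True, "version": "1.0",
                    "result": "Trojan.Generic", "update": "20120207"},
        "VendorB": {"detected": False, "version": "7.2",
                    "result": None, "update": "20120206"},
        "VendorC": {"detected": True, "version": "3.1",
                    "result": "W32/Agent", "update": "20120207"},
    },
})

# Constructed answer for a file the service has never seen: no "scans" key.
SAMPLE_UNKNOWN = json.dumps({"response_code": 0, "resource": "0" * 32})


def flatten_report(raw_json):
    """Turn a v2 report into (resource, vendor, version, update, detected, result) rows."""
    report = json.loads(raw_json)
    # response_code 1 means a finished report is present; anything else
    # (unknown file, still queued) has no per-vendor data to store.
    if report.get("response_code") != 1:
        return []
    rows = []
    for vendor, info in sorted(report.get("scans", {}).items()):
        if not isinstance(info, dict):
            continue  # tolerate a malformed vendor entry instead of crashing
        rows.append((
            report.get("resource"),
            vendor,
            info.get("version"),
            info.get("update"),
            1 if info.get("detected") else 0,
            info.get("result") or "",  # clean engines report null
        ))
    return rows


def store_rows(conn, rows):
    """Insert the rows into a hypothetical 'detects' table; return the detection count."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS detects ("
        "resource TEXT, vendor TEXT, version TEXT, sig_update TEXT, "
        "detected INTEGER, result TEXT)"
    )
    # Parameterised insert: detection names come from a remote service and
    # must never be concatenated into the SQL text.
    conn.executemany("INSERT INTO detects VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    cur = conn.execute("SELECT COUNT(*) FROM detects WHERE detected = 1")
    return cur.fetchone()[0]


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    sample_rows = flatten_report(SAMPLE_REPORT)
    print(store_rows(db, sample_rows), "of", len(sample_rows), "engines flagged the sample")
```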

Bug in impscan when processing spyeye memory image

Reported by Frank B. 

This is what I currently get when I try to use impscan from an injected file 
called:

winlogon.exe.22e4da0.0ea00000-0ea3bfff.dmp

C:\forensics\Volatility-1.4_rc1>python volatility.py impscan -f 
..\malware-images\SpyEye.vmem -D dump -a 0x0ea00000 -s 0x3bfff -p 624

ea17000 ADVAPI32.dll AllocateAndInitializeSid 77da7a91
ea17200 WS2_32.dll ntohs 71a12b66
ea17004 ADVAPI32.dll FreeSid 77da7a80
ea17008 ADVAPI32.dll GetUserNameA 77dcd4c9
ea1700c ADVAPI32.dll RegQueryValueExA 77da7883
ea17010 ADVAPI32.dll RegOpenKeyExA 77da761b
ea17258 ntdll.dll wcscat 7c92a359
ea17014 ADVAPI32.dll CheckTokenMembership 77da815e
ea17218 WS2_32.dll closesocket 71a19639
ea17204 WS2_32.dll inet_addr 71a12bf4
ea1701c GDI32.dll CreateCompatibleDC 77ef5e10
ea17020 GDI32.dll SelectObject 77ef59a0
ea17024 GDI32.dll BitBlt 77ef6dc0
ea17028 GDI32.dll DeleteObject 77ef6a3b
ea1705c kernel32.dll DeleteFileA 7c81e85c
ea1702c GDI32.dll DeleteDC 77ef6ca6
ea17030 GDI32.dll CreateCompatibleBitmap 77ef6e51
ea17208 WS2_32.dll inet_ntoa 71a13f41
ea17234 ntdll.dll memcmp 7c91214f
ea17238 ntdll.dll RtlInitUnicodeString 7c9112d6
ea1723c ntdll.dll ZwCreateMutant 7c91d700
ea17040 kernel32.dll Sleep 7c802442
ea17260 ntdll.dll ZwDuplicateObject 7c91d90d
ea17044 kernel32.dll CreateThread 7c81082f
ea17248 ntdll.dll atoi 7c934c29
ea1720c WS2_32.dll WSAGetLastError 71a194dc
ea1704c kernel32.dll GetCurrentProcessId 7c80994e
ea17250 ntdll.dll _itoa 7c93f23a
ea17054 kernel32.dll LoadLibraryA 7c801d77
ea17058 kernel32.dll HeapCreate 7c812929
ea17264 ntdll.dll ZwQueryObject 7c91e0d8
ea1725c ntdll.dll strstr 7c91ec6f
ea17060 kernel32.dll GetLastError 7c920331
ea17210 WS2_32.dll ntohs 71a12b66
ea17064 kernel32.dll WaitForSingleObject 7c802530
ea17068 kernel32.dll CreateMutexA 7c80eb3f
ea1706c kernel32.dll GetCurrentThread 7c809919
ea17070 kernel32.dll ExitProcess 7c81caa2
ea17268 ntdll.dll strtoul 7c980815
ea17274 ntdll.dll _stricmp 7c923374
ea17278 ntdll.dll sprintf 7c93912e
ea17214 WS2_32.dll getpeername 71a20b50
ea1727c ntdll.dll strcat 7c9128ec
ea17280 ntdll.dll strcpy 7c9128d7
ea17284 kernel32.dll HeapAlloc 7c9205d4
ea17088 kernel32.dll GetTickCount 7c8092ac
ea1726c ntdll.dll vsprintf 7c980848
ea1728c ntdll.dll strlen 7c912a9d
ea17290 ntdll.dll isalnum 7c97fc5c
ea17294 ntdll.dll RtlRandom 7c974eda
ea17298 kernel32.dll HeapFree 7c92043d
ea1709c kernel32.dll GetThreadSelectorEntry 7c859fd0
ea170a0 kernel32.dll GetThreadContext 7c838eeb
ea17270 ntdll.dll ZwQueryInformationThread 7c91e030
ea170a4 kernel32.dll lstrcmpiA 7c80b929
ea170a8 kernel32.dll WideCharToMultiByte 7c80a0c7
ea170ac kernel32.dll IsBadReadPtr 7c809eb3
ea170b0 kernel32.dll IsBadWritePtr 7c809f29
ea170b4 kernel32.dll MultiByteToWideChar 7c809cad
ea170b8 kernel32.dll lstrcpyA 7c80c729
ea17074 kernel32.dll CloseHandle 7c809b77
ea170bc kernel32.dll GetVolumeInformationA 7c827052
ea170c0 kernel32.dll GetSystemWindowsDirectoryA 7c8228c9
ea17220 ntdll.dll ZwQuerySystemInformation 7c91e1aa
ea170c4 kernel32.dll SizeofResource 7c80baf1
ea170c8 kernel32.dll TerminateThread 7c81cacb
ea170cc kernel32.dll GetWindowsDirectoryA 7c82293b
ea170d0 kernel32.dll GetSystemDirectoryA 7c814c63
ea17078 kernel32.dll SetLastError 7c920340
ea170d4 kernel32.dll OpenMutexA 7c80ec1b
ea170d8 kernel32.dll ExitThread 7c80cca9
ea17224 ntdll.dll strncmp 7c912c43
ea170dc kernel32.dll WriteFile 7c810f9f
ea170e0 kernel32.dll CreateFileA 7c801a24
ea170e4 kernel32.dll lstrlenA 7c80c6e0
ea170e8 kernel32.dll lstrcpynA 7c810311
ea1707c kernel32.dll GetVersionExA 7c812851
ea170ec kernel32.dll lstrlenW 7c809a39
ea170f0 kernel32.dll ReadFile 7c80180e
ea17228 ntdll.dll _strlwr 7c9802bc
ea170f4 kernel32.dll SetNamedPipeHandleState 7c81f654
ea170f8 kernel32.dll SetHandleCount 7c80c6cf
ea170fc kernel32.dll CreateFileW 7c810976
ea17100 kernel32.dll lstrcatW 7c81114a
ea17080 kernel32.dll GetTimeZoneInformation 7c8394ae
ea17104 kernel32.dll lstrcpyW 7c80b8ec
ea17108 kernel32.dll OpenProcess 7c81e079
ea1722c ntdll.dll RtlAdjustPrivilege 7c939e8c
ea1710c kernel32.dll SetFileAttributesA 7c81fb44
ea17114 kernel32.dll VirtualProtect 7c801ad0
ea17118 kernel32.dll HeapFree 7c92043d
ea17084 kernel32.dll GetUserDefaultLangID 7c81e685
ea1711c kernel32.dll GetProcessHeap 7c80aa49
ea17120 kernel32.dll VirtualFree 7c809b14
ea17230 ntdll.dll ZwQueryInformationProcess 7c91e01b
ea17124 kernel32.dll HeapAlloc 7c9205d4
ea17128 kernel32.dll LoadResource 7c80a065
ea1712c kernel32.dll TerminateProcess 7c801e16
ea17130 kernel32.dll GetCurrentProcess 7c80e00d
ea17134 kernel32.dll UnhandledExceptionFilter 7c862b8a
ea17138 kernel32.dll SetUnhandledExceptionFilter 7c810386
ea1713c kernel32.dll SystemTimeToFileTime 7c810d34
ea17140 kernel32.dll SetFilePointer 7c810da6
ea17144 kernel32.dll GlobalAlloc 7c80ff2d
ea17148 kernel32.dll GlobalFree 7c80fe2f
ea1708c kernel32.dll GetLocalTime 7c80c9c1
ea1714c kernel32.dll DuplicateHandle 7c80e016
ea17150 kernel32.dll lstrcmpA 7c81ee79
ea17038 kernel32.dll GetCurrentDirectoryA 7c8397a1
ea17154 kernel32.dll LocalFileTimeToFileTime 7c8395ea
ea17158 kernel32.dll CreateDirectoryA 7c826219
ea1715c kernel32.dll GetExitCodeThread 7c8229a2
ea17160 kernel32.dll CreateDirectoryW 7c81e968
ea17090 kernel32.dll GetModuleFileNameA 7c80b357
ea17164 kernel32.dll FindResourceA 7c80c7b1
ea17168 kernel32.dll SetFileTime 7c81f955
ea1703c kernel32.dll lstrcatA 7c838fb9
ea1716c kernel32.dll GetComputerNameA 7c8260a9
ea17170 kernel32.dll WaitNamedPipeW 7c8343d8
ea17178 SHELL32.dll SHFileOperationA 7ca7d4a1
ea17094 kernel32.dll FreeLibrary 7c80aa66
ea1717c SHELL32.dll SHGetFolderPathA 7ca483b0
ea17180 SHELL32.dll StrStrIA 7cba93c0
ea17240 ntdll.dll ZwClose 7c91d586
ea17184 SHELL32.dll StrCmpNIA 7cba9352
ea17188 SHELL32.dll StrStrW 7cba93cb
ea17244 ntdll.dll wcslen 7c92035a
ea171a0 USER32.dll CharLowerA 77d3eed5
ea171a4 USER32.dll SetWindowLongA 77d1ded3
ea171a8 USER32.dll GetWindowLongA 77d1947c
ea1729c ntdll.dll strcmp 7c9129d1
ea171ac USER32.dll CallWindowProcA 77d1e34b
ea171b0 USER32.dll EnumWindows 77d1d935
ea17048 kernel32.dll GetProcAddress 7c80ac28
ea171b4 USER32.dll GetWindowDC 77d18ff9
ea171b8 USER32.dll GetWindowRect 77d1b57c
ea171bc USER32.dll GetCursorPos 77d1c566
ea171c0 USER32.dll ReleaseDC 77d1866d
ea172a0 ntdll.dll _allmul 7c9119d0
ea171c4 USER32.dll LoadCursorA 77d1e8fa
ea171c8 USER32.dll GetIconInfo 77d1e9a1
ea1724c ntdll.dll _chkstk 7c911a09
ea171cc USER32.dll DrawIcon 77d301ef
ea171d0 USER32.dll GetKeyboardState 77d1ef35
ea171d4 USER32.dll ToUnicode 77d6628a
ea171d8 USER32.dll wsprintfA 77d1a2de
ea17050 kernel32.dll GetModuleHandleA 7c80b529
ea172a8 ole32.dll CreateStreamOnHGlobal 774c974a
ea17254 ntdll.dll wcscpy 7c923473
ea171fc WS2_32.dll connect 71a1406a
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
 File "volatility.py", line 126, in <module>
   main()
 File "volatility.py", line 117, in main
   command.execute()
 File "C:\forensics\Volatility-1.4_rc1\volatility\commands.py", line 77, in execute
   data = self.calculate()
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 1508, in calculate
   data = self.rebuild(addr_space, base)
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 597, in rebuild
   for offset, code in self.get_image(sys.stdout, addr_space, start):
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 167, in get_image
   for sect in self.get_sections(addr_space, nt_header):
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 100, in get_sections
   self.sanity_check_section(sect, nt_header.OptionalHeader.SizeOfImage)
 File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 109, in sanity_check_section
   raise ValueError('VirtualSize {0:08x} is larger than image size.'.format(sect.Misc.VirtualSize))
ValueError: VirtualSize 00361000 is larger than image size. 

Original issue reported on code.google.com by [email protected] on 6 Jan 2011 at 2:32

list tasks prob with malware.py r94


>What steps will reproduce the problem?
vol.py --profile=WinXPSP3x86 -f d:\memimg\temp.vmem apihooks

>Output below:

Could not list tasks, please verify the --profile option and whether this image 
is valid
What version of the product are you using? On what operating system?


This command works fine with malware.py r93.

Original issue reported on code.google.com by [email protected] on 26 Jul 2011 at 10:25

malware2.1_alpha.py Error

XP SP2 32bit.
Volatility SVN revision: 1247

C:\volatility>python --version
Python 2.7.1

C:\volatility>python vol.py malfind -f XP.vmem --dump-dir c:\tmp\
Volatile Systems Volatility Framework 2.1_alpha
Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "C:\volatility\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\volatility\volatility\plugins\malware.py", line 1440, in render_text
    for proc, vad, content in data:
  File "C:\volatility\volatility\plugins\malware.py", line 1435, in calculate
    for vad, data in proc.find_injections():
  File "C:\volatility\volatility\plugins\malware.py", line 681, in find_injections
    for vad in self.VadRoot.traverse():
  File "C:\volatility\volatility\obj.py", line 335, in __getattr__
    return getattr(proxied, attr)
AttributeError: 'long' object has no attribute 'traverse'

Original issue reported on code.google.com by [email protected] on 17 Jan 2012 at 11:06

list of apihooks possibly incomplete

What steps will reproduce the problem?
1.C:\Python27\Scripts>python vol.py apihooks -f 
"D:\X-Ways-Images\Malware\silentbanker.vmem"

2. A testsuite run outputs the following
C:\Python27\Scripts>python vol.py testsuite -f 
"D:\X-Ways-Images\Malware\silentbanker.vme
Volatile Systems Volatility Framework 2.0
Executing dlldump
Executing vadtree
Error running userassist - option -o/--hive-offset: conflicting option 
string(s): -o
Executing procmemdump
Executing procexedump
Error running lsadump - option -s/--sec-offset: conflicting option string(s): -s
Executing moddump
Executing handles
Error running handles - maximum recursion depth exceeded while calling a Python 
object
Executing dlllist
Executing psxview
Error running psxview - maximum recursion depth exceeded while calling a Python 
object
Executing vadinfo
Executing memmap
Executing memdump
Error running svcscan - option -y/--yara-rules-only: conflicting option 
string(s): -y
Error running malfind - option -K/--kernel: conflicting option string(s): -K
Error running hashdump - option -s/--sam-offset: conflicting option string(s): 
-s
Error running imagecopy - option -b/--blocksize: conflicting option string(s): 
-b
Executing vadwalk
Error running threads - option -s/--size: conflicting option string(s): -s
Executing vaddump
Error running ssdt_ex - no such option '--yara-rules-only'
Error running impscan - option -y/--yara-rules-only: conflicting option 
string(s): -y
Error running callbacks - no such option '--kernel'
Executing getsids
Error running idt - option -K/--kernel: conflicting option string(s): -K
Executing ldrmodules
Executing pslist
Executing apihooks
Finished after 113.459000111 seconds
Error running apihooks - local variable 'flat_x' referenced before assignment
Executing driverirp
Error running driverirp - maximum recursion depth exceeded while calling a 
Python object
Error running strings - option -s/--string-file: conflicting option string(s): 
-s

What is the expected output? What do you see instead?

Volatile Systems Volatility Framework 2.0
Name                             Type     Target                                
   Value
Finished after 115.231999874 seconds
What version of the product are you using? On what operating system?
Volatility 2.0 and Malware.py R97



Original issue reported on code.google.com by [email protected] on 15 Aug 2011 at 12:05

peid_to_yara.py

Hi,

There seems to be a change in the peid resources.
The only available userdb.txt is found here: 
http://research.pandasecurity.com/blogs/images/userdb.txt

Extract from the file shows:
;  Made with Add Signature v2.00 by BoB / BobSoft ..
;  3520 Signatures in list ..

[Native UD Packer 1.1 (Modded Poison Ivy Shellcode) -> okkixot]
signature = 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 
FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81 
C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 $
ep_only = true

[Obsidium v1.3.0.0 -> Obsidium Software (h)]
signature = EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C 
EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 
05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 $
ep_only = true

Running the script with verbose output results in:

./peid_to_yara.py -f userdb.txt -o peid.yara -v
Found 0 signatures in PEiD input file
Wrote 0 rules to peid.yara

I have not worked through the python script yet but I would expect the syntax 
changed somewhere.

Although the yara wiki contains some peid examples they seem to fall short of 
the 3000+ listed in the userdb.txt


Original issue reported on code.google.com by [email protected] on 22 Jan 2013 at 11:16
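
A tolerant PEiD-to-YARA conversion for the file format quoted in this issue, as an added example (not the code of peid_to_yara.py, and not a diagnosis of why that script found 0 signatures). It accepts `signature` values wrapped over several lines and drops tokens that are not hex bytes or wildcards, such as the trailing `$` in the excerpt. The first sample entry is copied from the issue, the second is constructed, and the `PEiD_` rule-name prefix and the use of `pe.entry_point` for `ep_only` are choices made here.

```python
import re

# First entry: copied from the excerpt in the issue, wrapped as shown there.
# Second entry: constructed, to exercise wildcards and ep_only = false.
SAMPLE_USERDB = """\
;  Made with Add Signature v2.00 by BoB / BobSoft ..
;  3520 Signatures in list ..

[Native UD Packer 1.1 (Modded Poison Ivy Shellcode) -> okkixot]
signature = 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00
FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81
C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 $
ep_only = true

[Example Packer 0.1]
signature = 60 E8 ?? ?? 00 00 5D
ep_only = false
"""

SECTION = re.compile(r'^\[(.+)\]\s*$')
KEYVAL = re.compile(r'^(\w+)\s*=\s*(.*)$')
BYTE = re.compile(r'^[0-9A-Fa-f?]{2}$')  # hex byte, ?? or a nibble wildcard


def parse_userdb(text):
    """Return a list of dicts, one per [name] block, joining wrapped values."""
    entries, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = SECTION.match(line)
        if m:
            current = {'name': m.group(1)}
            entries.append(current)
            last_key = None
            continue
        if current is None:
            continue  # data before the first [name] header
        m = KEYVAL.match(line)
        if m:
            last_key = m.group(1).lower()
            current[last_key] = m.group(2).strip()
        elif last_key:
            # No "key =" prefix: treat as continuation of the previous value.
            current[last_key] += ' ' + line
    return entries


def clean_signature(value):
    """Split a signature into (kept byte tokens, dropped tokens)."""
    kept, dropped = [], []
    for tok in value.split():
        (kept if BYTE.match(tok) else dropped).append(tok.upper())
    return kept, dropped


def rule_name(name, seen):
    """Build a unique YARA identifier from a free-form PEiD name."""
    ident = 'PEiD_' + (re.sub(r'\W+', '_', name, flags=re.ASCII).strip('_') or 'sig')
    ident = ident[:120]  # YARA identifiers are limited to 128 characters
    count = seen.get(ident, 0)
    seen[ident] = count + 1
    return ident if count == 0 else '%s_%d' % (ident, count)


def to_yara(entries):
    """Return (rule text, warnings). Entries without usable bytes are skipped."""
    seen, rules, warnings = {}, [], []
    for entry in entries:
        kept, dropped = clean_signature(entry.get('signature', ''))
        if dropped:
            warnings.append('%s: dropped %s' % (entry['name'], ' '.join(dropped)))
        if not kept or all(tok == '??' for tok in kept):
            warnings.append('%s: no usable bytes, skipped' % entry['name'])
            continue
        desc = entry['name'].replace('\\', '\\\\').replace('"', '\\"')
        ep_only = entry.get('ep_only', '').lower() == 'true'
        cond = '$a at pe.entry_point' if ep_only else '$a'
        rules.append(
            'rule %s\n{\n    meta:\n        description = "%s"\n'
            '    strings:\n        $a = { %s }\n'
            '    condition:\n        %s\n}'
            % (rule_name(entry['name'], seen), desc, ' '.join(kept), cond)
        )
    return 'import "pe"\n\n' + '\n\n'.join(rules) + '\n', warnings


if __name__ == '__main__':
    text, notes = to_yara(parse_userdb(SAMPLE_USERDB))
    print(text)
    print('\n'.join(notes))
```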


orphanthreads crashes when System process can't be found

Volatile Systems Volatility Framework 1.4_rc1
PID    TID    Create Time               Exit Time                 Offset     
StartAddress
------ ------ ------------------------- ------------------------- ---------- 
------------
Traceback (most recent call last):
  File "vol.py", line 130, in <module>
    main()
  File "vol.py", line 121, in main
    command.execute()
  File "C:\Volatility-1.4_rc1\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 2339, in render_text
    for ethread in data:
  File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 2327, in calculate
    pid = [p.UniqueProcessId for p in tasks.pslist(addr_space) if str(p.ImageFileName) == "System"][0]


Original issue reported on code.google.com by [email protected] on 28 Mar 2011 at 3:32

IOError: [Errno 22] Invalid argument when running malfind.py

What steps will reproduce the problem?
1.vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f 
memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
2.
3.

What is the expected output? What do you see instead?
I get at least partial output, in that some sections are dumped, but this 
particular image generates the below error.

What version of the product are you using? On what operating system?
# uname -a
Linux aardvark 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:52:38 UTC 2011 
x86_64 GNU/Linux

malware.py was installed on Nov. 18th...

Image was taken with Helix 2009 R3 live CD

Please provide any additional information below.

# vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f 
memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 135, in <module>
    main()
  File "/usr/local/bin/vol.py", line 126, in main
    command.execute()
  File "/usr/local/lib/python2.6/dist-packages/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 1042, in render_text
    for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
  File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 992, in calculate
    for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
  File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 909, in get_vads
    ps_ad = proc.get_process_address_space()
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 197, in get_process_address_space
    process_as = self.obj_vm.__class__(self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 89, in __init__
    self.as_assert(getattr(volmag, checkname).v(), "Failed valid Address Space check")
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 801, in v
    return self.get_best_suggestion()
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 827, in get_best_suggestion
    for val in self.get_suggestions():
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 819, in get_suggestions
    for x in self.generate_suggestions():
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 505, in generate_suggestions
    if (self.obj_vm.vtop(0xffdf0000)) == (self.obj_vm.vtop(0x7ffe0000)):
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 447, in vtop
    pte = self.get_pte(vaddr, pde)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 414, in get_pte
    return self._read_long_long_phys(pte_addr)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 459, in _read_long_long_phys
    string = self.base.read(addr, 8)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/standard.py", line 97, in read
    self.fhandle.seek(addr)
IOError: [Errno 22] Invalid argument

Original issue reported on code.google.com by [email protected] on 16 Dec 2011 at 7:47

dbmgr.py has a grammatical error which halts processing

What steps will reproduce the problem?
1. line #52 needs to be changed from 'file.append(line)' to 'files.append(line)'

Simple little change - without it, an AttributeError is thrown as it's trying 
to parse its contents into the DB and will result in the program exiting:

" AttributeError: type object 'file' has no attribute 'append' "


Original issue reported on code.google.com by [email protected] on 26 Sep 2012 at 5:02

pymon error

What steps will reproduce the problem?
1. running pymon normally
2.
3.

What is the expected output? What do you see instead?
it crashes and does not create a report

What version of the product are you using? On what operating system?
latest version from svn... XP SP3, Python25

Please provide any additional information below.
error message attached

Original issue reported on code.google.com by [email protected] on 17 Jun 2011 at 3:50


volatility 2.1 alpha && malware2.1_alpha.py trunk psxview command bug

What steps will reproduce the problem?
C:\Users\dmk\volatility>vol.py -f ..\win7sp1x64.dmp --profile=Win7SP1x64 psxview
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load 
failed: %1 is not a valid Win32 application.)
Offset       Name                 Pid      pslist     psscan     thrdproc   
pspcid     csr_hnds   csr_list
Traceback (most recent call last):
  File "C:\Users\dmk\volatility\vol.py", line 135, in <module>
    main()
  File "C:\Users\dmk\volatility\vol.py", line 126, in main
    command.execute()
  File "C:\Users\dmk\volatility\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3057, in render_text
    for pid, eproc, ps_sources in data:
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3029, in calculate
    pspcid      = self.check_pspcid(addr_space),
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3003, in check_pspcid
    for h in PspCidTable.handles():
  File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 432, in handles
    for h in self._make_handle_array(offset, table_levels):
  File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 382, in _make_handle_array
    for h in self._make_handle_array(entry, level - 1, depth):
  File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 400, in _make_handle_array
    item = self.get_item(entry, handle_value)
TypeError: get_item() takes exactly 2 arguments (3 given)

What version of the product are you using? On what operating system?
Volatility svn trunk version (latest). 

malware2.1_alpha.py

Please provide any additional information below.

In volatility I changed plugins\overlays\windows\windows.py line 400 to
item = entry.Object.dereference_as("_OBJECT_HEADER", parent = entry, 
handle_value = handle_value)
from
item = self.get_item(entry, handle_value)

This looks like it solves the above issue, but I have a new one:
C:\Users\dmk\volatility>vol.py -f ..\win7sp1x64.dmp --profile=Win7SP1x64 psxview
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load 
failed: %1 is not a valid Win32 application.)
Offset       Name                 Pid      pslist     psscan     thrdproc   
pspcid     csr_hnds   csr_list
Traceback (most recent call last):
  File "C:\Users\dmk\volatility\vol.py", line 135, in <module>
    main()
  File "C:\Users\dmk\volatility\vol.py", line 126, in main
    command.execute()
  File "C:\Users\dmk\volatility\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3057, in render_text
    for pid, eproc, ps_sources in data:
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3029, in calculate
    pspcid      = self.check_pspcid(addr_space),
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3004, in check_pspcid
    if self.is_process_object(h, addr_space):
AttributeError: 'PsXview' object has no attribute 'is_process_object'



Original issue reported on code.google.com by [email protected] on 12 Feb 2012 at 12:53

malfind option error

What steps will reproduce the problem?
1.installed latest volatility
2.typed 'vol.py malfind -f coreflood.vmem -dump-dir=outdir 
--yara-rules=./aa.yara'
3.then i got 'vol.py: error: no such option: --dump-dir'

I saw the 'Malware Analyst's Cookbook', and I followed Recipe 16-6.
I wonder how I can fix it.

What version of the product are you using? On what operating system?
latest volatility 2.1_alpha, win7 32bit



Original issue reported on code.google.com by [email protected] on 18 Apr 2012 at 3:26

vmauto.py incompatible with virtualbox 4.x

...
> [INFO]  Using MAL1 (uuid: 959271cf-28fd-4ad1-8f34-d696e5a8ffec)
> [INFO]  Session state: Locked
> [INFO]  Machine state: Running
> 'unicode' object has no attribute 'lockMachine'
> ...
>
> This happens at:
>
> vm.stop() in myvbox.py
>
> and this basically boils down to failing at this spot:
>
>     def opensession(self):
>
>         *session = self.ctx['global'].openMachineSession(self.mach.id)*
>
>         mach = session.machine
>
>         return (session, mach)

Original issue reported on code.google.com by [email protected] on 22 Jun 2011 at 2:17

problem with pendingdelete.pl

What steps will reproduce the problem?

1. "perl rip.pl -r SYSTEM -p pendingdelete"

*****

What is the expected output? What do you see instead?

expected output as described in malware cookbook

received the following error:
-----------------------
Launching pendingdelete v.20100809
PendingFileRenameOperations
ControlSet001\Control\Session Manager
LastWrite Time Mon Jul 12 13:16:21 2010 (UTC)

Error in plugins/pendingdelete.pl: Can't call method "get_data" on an undefined 
value at plugins/pendingdelete.pl line 38.
-----------------------

*****

What version of the product are you using? On what operating system?

using current version, on Ubuntu 10.04.  Error replicates both from Linux CLI 
and wine cmd CLI using "perl rip.pl" and "rip.exe"

*****

Please provide any additional information below.

Disclaimer: I am not a Perl coder, but can usually figure out how to make it 
work.  I have performed a line by line comparison between the file I have (from 
the book DVD) and the one in this repository.  They are the same.  This leads 
me to believe the problem may be a missing Perl module or a configuration 
problem on my end, but all the other RegRipper plugins and Perl scripts from 
recipe 10-8 are working as expected.  Looking at the code from the 
Parse::Win32Registry module in CPAN, I can't see why pendingdelete is not 
working and the others are.  Any help would be appreciated!  GREAT JOB on the 
book, BTW.  MUCH needed resource!

Original issue reported on code.google.com by [email protected] on 9 Jan 2011 at 4:51

av_multiscan indent error

What steps will reproduce the problem?
1. Run av_multiscan.py

What version of the product are you using? On what operating system?
python 2.7+ and av_multiscan.py r73

Please provide any additional information below.
Looks like the change in r73 (the comments added) messed up the indent level 
for fpscan.  Simple fix but halts the program nevertheless.

$ python av_multiscan.py
  File "av_multiscan.py", line 101
    if os.path.isfile(path_to_fpscan):
    ^
IndentationError: unexpected indent

Original issue reported on code.google.com by [email protected] on 5 Dec 2012 at 2:44

MutantScanDB can't match mutants because of apostrophe in mutant name

Since mutants are returned with apostrophes in their name, suspicious mutants 
are never highlighted because they are not matched.  If you change the code 
like so:

            if mutants.has_key(ObjectNameString.replace("'", "")):
                css = 'suspicious'
                samples = '<br>'.join(mutants[ObjectNameString.replace("'", "")])
            else:
                css = samples = ''


You will get highlighted suspicious mutants.  

Original issue reported on code.google.com by [email protected] on 20 Mar 2011 at 3:34

Combine OrphanThreads and SSDT_By_Threads plugins

Combine the two plugins to create a single plugin that marks suspicious threads 
based on:

1) orphaned threads per the usual 
2) threads with hooked ssdts per the usual
3) threads in idle process with tid != 0 
4) anything else?

Original issue reported on code.google.com by [email protected] on 3 Apr 2011 at 5:52

ApiHooks plugin takes too long time to scan (I think)

>What steps will reproduce the problem?
vol.py -f d:\memimg\temp.vmem apihooks


>What is the expected output? What do you see instead?

Expected output is the same but in shorter time.

Volatile Systems Volatility Framework 1.4_rc1
Name                             Type     Target                                
   Value
lsass.exe[664]                   inline   
pstorsvc.dll!PSTOREServiceMain[0x743a1459L] 0x743a1459 CALL [0x743a1010] =>> 
0x77df3e57 (ADVAPI32.dll)
svchost.exe[1032]                inline   
cryptsvc.dll!CryptServiceMain[0x76ce1579L] 0x76ce1579 CALL [0x76ce10a0] =>> 
0x77df3e57 (ADVAPI32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      winmm.dll!*invalid*                   
   0x0 0x7752bb33 (ole32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      gdi32.dll!*invalid*                   
   0x0 0x77df1576 (advapi32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      advapi32.dll!*invalid*                
   0x0 0x77f1a8cb (GDI32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      user32.dll!*invalid*                  
   0x0 0x77dd79db (advapi32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      user32.dll!*invalid*                  
   0x0 0x77dd7328 (advapi32.dll)

Finished after 558.667999983 seconds


>What version of the product are you using? On what operating system?

Latest volatility + malware.py (r93). Operating system is Windows 7 64-bit.

If it should take this long, this issue can be removed.

Original issue reported on code.google.com by [email protected] on 26 Jul 2011 at 10:14

Bug in apihooks when processing rustock.b image

C:\forensics\Volatility-1.4_rc1>python volatility.py apihooks -f 
..\malware-images\rustock.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name                             Type     Function 
Value
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 117, in main
    command.execute()
  File "C:\forensics\Volatility-1.4_rc1\volatility\commands.py", line 101, 
in execute
    func(outfd, data)
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1939, in render_text
    for (proc, type, current_mod, mod, func, src, dst, hooker, instruction) 
in data:
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1899, in calculate
    for val in self.get_all_hooks(p, ps_ad, procs, mods, mod_addrs):
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1854, in get_all_hooks
    for val in self.get_hooks(proc, space, mods, mod_addrs, mod, name):
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1699, in get_hooks
    for exp in mod.exports():
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
528, in exports
    for exp in exp_dir.get_exports():
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
418, in get_exports
    func_rva = address_of_functions[ordinal]
  File "C:\forensics\Volatility-1.4_rc1\volatility\obj.py", line 655, in 
__getitem__
    pos * self.current.size()
TypeError: unsupported operand type(s) for *: 'NoneObject' and 'int'


Original issue reported on code.google.com by [email protected] on 6 Jan 2011 at 2:31

F-prot scanning for av_multiscan.py

What steps will reproduce the problem?
1. Use av_multiscan.py from Chapter 3

What is the expected output? What do you see instead?
It does not append the result from Linux F-Prot

What version of the product are you using? On what operating system?
Version: 6.3.3.5015 
OS: Ubuntu 11.04


najmi@vostro:~/malware$ fpscan --version
F-PROT Antivirus version 6.3.3.5015 (built: 2009-12-23T13-43-55)


FRISK Software International (C) Copyright 1989-2009
Engine version:   4.5.1.85
Arguments:        --version
Virus signatures: 201106191228b0d2a90521b6711b1b1f6782a3bd350e
                  (/home/najmi/f-prot/antivir.def)

Please provide any additional information below.
Line 102:

Original;
  #result = output.split('\n')[8].split('\t')[0]

Correct;
result = output.split('\n')[10].split('\t')[0]


Otherwise the result won't be appended on the display.



Original issue reported on code.google.com by najmi.zabidi on 19 Jun 2011 at 4:47

Problems with avsubmit.py

What steps will reproduce the problem?

In the avsubmit.py script there are two issues I see

1) Under the novirusthanks class under "def upload_file" it should say:

conn = httplib.HTTPConnection('vscan.novirusthanks.org')

2) Submissions to Threatexpert fail

What is the expected output? What do you see instead?

$ python avsubmit.py -e -f setup.exe
Using ThreatExpert...
Checking ThreatExpert for file with MD5L 04b...
Analysis does not yet exist!
Nothing to add, submission failed.

This format works for all the other sites...

What version of the product are you using? On what operating system?

Ubuntu 10.04.1 Desktop

Please provide any additional information below.

I'm not much of a coder yet, but I'm learning, thanks for the great material! :D

Original issue reported on code.google.com by [email protected] on 28 Jan 2011 at 8:45

psxview references modscan2.PSScan2

What steps will reproduce the problem?
1. install volatility from the 1.4 rc1 branch
2. run volatility with 'psxview' option
3. error

update malware.py to reference filescan.PSScan2 rather than modscan2.PSScan2

2844c2844
<         return dict((p.UniqueProcessId.v(), p) for p in 
modscan2.PSScan2(self._config).calculate() if p.ExitTime == 0)

---
>         return dict((p.UniqueProcessId.v(), p) for p in 
filescan.PSScan2(self._config).calculate() if p.ExitTime == 0)
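
Review bot: the replacement line calls filescan.PSScan2, but the hunk does not show malware.py importing filescan. If that module is not already imported at the top of the file, psxview will fail with a NameError instead of the current error, so the import line should be part of the patch. The reference is also still tied to one module name; a guarded lookup that tries filescan and falls back to modscan2 would keep the plugin working on trees where PSScan2 has not moved.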

Original issue reported on code.google.com by [email protected] on 28 Apr 2011 at 4:45

clamav_to_yara.py creates lots of invalid jumps e.g. [4-4]

I've tried converting ClamAV signature files to YARA but the converted YARA 
file contains lots of invalid jumps like [4-4]. I've tried this on Windows 7 SP1 
x64 and Ubuntu 11.10 x64. The Python version is 2.7. YARA versions tried: 1.5 and 
1.6. 


Original issue reported on code.google.com by [email protected] on 17 Nov 2011 at 8:41

some kernel exceptions detected as apihooks

$ python vol.py -f ../VMwareShared/memory/rustock.vmem apihooks -K
Volatile Systems Volatility Framework 1.4_rc1
Name                             Type     Target                                
   Value
-                                inlinek  ntoskrnl.exe!ExRaiseAccessViolation   
   0x8060ab58 PUSH 0xc0000005; RET (UNKNOWN)
-                                inlinek  ntoskrnl.exe!IofCallDriver            
   0x804ee130 JMP [0x8054c280] =>> 0xb17a189d ('\\Driver\\pe386')
-                                inlinek  ntoskrnl.exe!_purecall                
   0x80534d1e PUSH 0xc0000002; RET (UNKNOWN)

Original issue reported on code.google.com by [email protected] on 1 Jun 2011 at 3:39

ssdeep_proc.py not showing the results on Windows 7 x64 machine

What steps will reproduce the problem?
1. run ssdeep_procs.py on x64 bit Windows 7 machine with 64 bit python and 
pywin32

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
Windows 7 x64 SP1
Python 3.2 - pywin32-216 
Python 3.2.2 64 bit

Please provide any additional information below.

At first this seems to be because of the incompatible size of MODULEENTRY32: szModule and 
szExePath should be c_wchar arrays but they are of type c_char.

But that will not fix this.

Original issue reported on code.google.com by [email protected] on 22 Mar 2012 at 6:35

Detect DriverStartIO hooks

Reported by Frank B. 

kd> !drvobj \driver\atapi 2
Driver object (8216c878) is for:
\Driver\atapi
DriverEntry:   f84e75f7    
DriverStartIo: 81ca5292    
DriverUnload:  f84e3204    
AddDevice:     f84e1300    

Dispatch routines:
[00] IRP_MJ_CREATE                      f84dc572    +0xf84dc572
[01] IRP_MJ_CREATE_NAMED_PIPE           804f320e    nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       f84dc572    +0xf84dc572
[03] IRP_MJ_READ                        804f320e    nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       804f320e    nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           804f320e    nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             804f320e    nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    804f320e    nt!IopInvalidDeviceRequest
[08] IRP_......
see DriverStartIo
kd> u 81ca5292
81ca5292 55              push    ebp
81ca5293 8bec            mov     ebp,esp
81ca5295 8b4508          mov     eax,dword ptr [ebp+8]
81ca5298 83ec0c          sub     esp,0Ch
81ca529b 3b0504b5ca81    cmp     eax,dword ptr ds:[81CAB504h]
81ca52a1 a180b5ca81      mov     eax,dword ptr ds:[81CAB580h]
81ca52a6 7503            jne     81ca52ab
81ca52a8 894508          mov     dword ptr [ebp+8],eax
kd> !address 81ca5292
 80fed000 - 01213000                           
         Usage       KernelSpaceUsageNonPagedPool

Original issue reported on code.google.com by [email protected] on 7 Jan 2011 at 6:52

more than 2 SSDT tables cause ssdt_by_threads to fail

from the plain ssdt command:

...
Entry 0x11f6: 0xf0fd05a6 (NtUserSendInput) owned by vsdatant.sys
... no more hooks ...
Entry 0x1299: 0xbf954c65 (NtGdiUMPDEngFreeUserMem) owned by win32k.sys
Entry 0x129a: 0xbf817637 (NtGdiDrawStream) owned by win32k.sys
SSDT[2] at e2187818 with 5 entries
  Entry 0x2000: 0xefead620 (Unknown) owned by UNKNOWN
  Entry 0x2001: 0xefead65e (Unknown) owned by UNKNOWN
...

From ssdt_by_thread

  Entry 0x11db: 0xf0fd007a (NtUserPostMessage) owned by vsdatant.sys
  Entry 0x11dc: 0xf0fd01b2 (NtUserPostThreadMessage) owned by vsdatant.sys
  Entry 0x11dd: 0xf0f27480 (NtUserPrintWindow) owned by RapportPG.sys
  Entry 0x11e3: 0xf0f21f56 (NtUserQueryWindow) owned by RapportPG.sys
  Entry 0x11eb: 0xf0fcdb4c (NtUserRegisterRawInputDevices) owned by vsdatant.sys
  Entry 0x11f6: 0xf0fd05a6 (NtUserSendInput) owned by vsdatant.sys
Traceback (most recent call last):
  File "vol.py", line 130, in <module>
    main()
  File "vol.py", line 121, in main
    command.execute()
  File "C:\Volatility-1.4_rc1\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 3154, in render_text
    for (pid, tid, name, tbl, hooked) in data:
  File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 3142, in calculate
    if mod_name not in self.executive_modules[idx]:
IndexError: list index out of range


Original issue reported on code.google.com by [email protected] on 28 Mar 2011 at 1:00

New callback detections

* KiNmiCallbackListHead 
(http://www.moonsols.com/2011/02/17/global-windows-callbacks-and-windbg/)
* IoRegisterPlugPlayNotification 
(http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4)

Original issue reported on code.google.com by [email protected] on 2 Mar 2011 at 1:40

malfind's addr_space.vtop fails when used with -S (scan)

Traceback (most recent call last):
  File "vol.py", line 130, in <module>
    main()
  File "vol.py", line 121, in main
    command.execute()
  File "/TESTING/Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/TESTING/Volatility-1.4_rc1/volatility/plugins/malware.py", line 900, in render_text
    for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
  File "/TESTING/Volatility-1.4_rc1/volatility/plugins/malware.py", line 769, in calculate
    offset = addr_space.vtop(proc.obj_offset)
  File "/TESTING/Volatility-1.4_rc1/volatility/plugins/addrspaces/intel.py", line 433, in vtop
    pdpte = self.get_pdpte(vaddr)
  File "/TESTING/Volatility-1.4_rc1/volatility/plugins/addrspaces/intel.py", line 376, in get_pdpte
    return self.pdpte_cache[self.pdpte_index(vaddr)]
TypeError: tuple indices must be integers, not NoneObject


Original issue reported on code.google.com by [email protected] on 15 Jun 2011 at 4:45

issue with impscan

I have a problem with impscan: whenever I try to use it with an injected file, it 
shows this output (I have tried -s and it does not work either) 


C:\Volatility 2.0>python vol.py --profile=WinXPSP2x86 -f "Windows XP 
Professional-Snapshot11.vmem" -p 2344 impscan -a 0x6fff0
000 -D test
Volatile Systems Volatility Framework 2.1_alpha
Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "C:\Volatility 2.0\volatility\commands.py", line 77, in execute
    data = self.calculate()
  File "C:\Volatility 2.0\volatility\plugins\malware.py", line 1516, in calculate
    mods = list(self.list_modules(p))
AttributeError: 'ImpScan' object has no attribute 'list_modules'

Please guys, any help would be appreciated

thanks  

Original issue reported on code.google.com by [email protected] on 30 Oct 2011 at 2:26

typo in pescanner.py wrt clamscan status code

As I was testing pescanner.py, I came across a potential typo. The problem
I ran into was that the tool would not show me the output of clamscan when
I scanned known malicious files. I traced the issue to this code fragment:

    def check_clam(self, file):
        if os.path.isfile(clamscan_path):
            status, output = commands.getstatusoutput("%s %s" % (clamscan_path, file))
            if status == 0:
                return "Clamav: %s" % output.split("\n")[0]
        return ''

I think the status check should say "!=" instead of "==". Clamscan (at
least on Ubuntu) returns zero if the file is clean; it returns a non-zero
value (256 in my testing) if the file is malicious.


Original issue reported on code.google.com by [email protected] on 5 Dec 2011 at 3:06
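
An added example, not part of the original report or of pescanner.py, showing how the status from the report above can be handled: it decodes the wait status (256) into clamscan's exit code and treats the three documented codes separately, so that a scanner error is not read as a clean file. The function names and the sample output line are assumptions made for illustration, and the code is written for Python 3 rather than the Python 2 `commands` module used in the report.

```python
import shutil
import subprocess

# clamscan exit codes (man page): 0 = no virus, 1 = virus found, 2 = error
CLEAN, INFECTED = 0, 1

# Constructed sample output, not taken from the report
SAMPLE_HIT = "/samples/a.exe: Eicar-Test-Signature FOUND\n"


def exit_code_from_wait_status(wait_status):
    """commands.getstatusoutput() (Python 2) returned a wait()-style status,
    so exit code 1 appears as 256 (1 << 8), the value seen in the report."""
    return (wait_status >> 8) & 0xFF


def parse_clamscan(exit_code, output):
    """'Clamav: ...' for a detection, '' for a clean file; raise on scanner
    errors so that a failed scan is never reported as a clean file."""
    if exit_code == CLEAN:
        return ""
    if exit_code == INFECTED:
        for line in output.splitlines():
            if line.rstrip().endswith(" FOUND"):
                return "Clamav: %s" % line.strip()
        return "Clamav: detection reported, no FOUND line in output"
    raise RuntimeError("clamscan error (exit code %d)" % exit_code)


def check_clam(path, clamscan_path="clamscan"):
    """Hypothetical replacement for the method quoted above (Python 3)."""
    exe = shutil.which(clamscan_path)
    if exe is None:
        return ""
    # Argument list, no shell: sample file names cannot inject commands
    proc = subprocess.run([exe, "--no-summary", path],
                          capture_output=True, text=True)
    return parse_clamscan(proc.returncode, proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(parse_clamscan(exit_code_from_wait_status(256), SAMPLE_HIT))
```

Passing the file name as a list element rather than formatting it into a shell string matters when scanning untrusted samples, whose names may contain shell metacharacters.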
