📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. About processes in Windows
  • 3. Volatility Pslist Plugin
  • 3.1 Extracting the executable
  • 3.2 Volatility Pstree plugin
  • 3.3 Volatility PsScan plugin
  • 4. Virtual address descriptors
  • 4.1 Extract data with vadplugin
  • 4.2 The VADYaraScan Plugin

Was this helpful?

  1. Forensic Exercises
  2. Memory Forensics

Volatility3 Exercise 1

PreviousVolatility2 Exercise 1NextVolatility3 Exercise 2

Last updated 2 years ago

Was this helpful?

1. Introduction

When analyzing a memory image, it is nearly always important to understand what processes were running on the machine and what those processes were doing.

This module introduces the basics of analyzing processes in the memory of Windows operating systems. The focus of this module is on using to list running processes and to examine the memory accessible by those processes.

2. About processes in Windows

The Windows operating system is written in C and therefore C structures are used internally in Windows to represent information.

The most important structure to be aware of regarding processes is the EPROCESS structure (the E stands for executive). This structure is defined in the Windows kernel and it is the base for all processes. It contains many attributes related to a given process and points to other structures that contain further information

Parsing the EPROCESS structures is one of the main ways that Volatility extracts information about processes from Windows memory images.

Here is a list of examples of what kind of information you can reach through the EPROCESS structure:

  • When was the process started

  • When did the process exit (or if it is still running)

  • The ID of the process

  • The filename of the executable of the process

  • DLLs loaded by the process Working directory of the process

  • Command line arguments

  • Information about the memory allocated by a process

3. Volatility Pslist Plugin

The very first step in trying to understand the nature and activities of different processes in the machine is to obtain a list of processes present in the memory image. There are a couple of plugins in Volatility that help with this task. Open up a terminal window and prepare to explore these plugins in the following steps.

There is a Windows 10 memory image file named win.raw in the /root/ directory and Volatility has been installed in the /root/volatility3 directory. Try running the windows.pslist.PsList plugin with the win.raw image.

python3 volatility3/vol.py -f win.raw windows.pslist.PsList

At the bottom I can see a mimikatz process

3.1 Extracting the executable

I use the folllowing command to extract the mimikatz process

python3 volatility3/vol.py -f win.raw windows.pslist.PsList --dump --pid 3604

3.2 Volatility Pstree plugin

The windows.pstree.PsTree plugin helps visualize child-parent relationships between processes. This is useful if you are trying to figure out how a certain process got created.

The output of this plugin contains the same information that is present in the output of the PsList plugin. In addition to that, the relationships between processes are visualized using * symbols

Here we can see that mimikatz.exe is a child process of powershell.exe

3.3 Volatility PsScan plugin

The windows.psscan.PsScan plugin does not go through the linked list. Instead, it scans the memory image directly for EPROCESS structures. This approach will find any processes that have been unlinked from the list but still reside in memory.

Some malware might also attempt to unlink themselves from the list in order to try and hide their presence in the system. Searching for tricky malware is an entire topic on its own. However, just keep in mind that automatic tools can be misled and that they might also fail if the memory image is somehow corrupted or simply missing information. Things may not always work as expected and it is therefore important to have some understanding of what is happening under the hood to be better prepared to deal with any issues.

python3 volatility3/vol.py -f /root/prolaco.vmem windows.psscan.PsScan

Note some processes like 1_doc_RCData_61 are not listed wit the pslist command.

4. Virtual address descriptors

The Virtual Address Descriptor (VAD) is a data structure used in Windows. It describes memory ranges allocated by a process. The VAD stores information such as the range of the reserved addresses and protections applied for that range (e.g., if the memory range is read-only or read-write and so on).

The VAD tree of a process can be found by inspecting the EPROCESS structure mentioned earlier. Specifically, the EPROCESS structure contains a field named VadRoot that points to the root of the VAD tree.

Examining the VADs of a process is a convenient way to look at its memory. In the next steps you will experiment with the VadInfo and VadYaraScan plugins that parse the data in the VAD tree.

Let's check the VAD tree for mimikatz.exe

4.1 Extract data with vadplugin

Similar to the PsList plugin, you can use the --dump flag to extract the contents of VAD regions with the VadInfo plugin. By also specifying an address with the --address option, you can dump the region described by a single VAD node.

python3 volatility3/vol.py -f win.raw windows.vadinfo.VadInfo --pid 3604 --dump --address 0x240000 

4.2 The VADYaraScan Plugin

The final plugin you are going to experiment with is the VadYaraScan plugin. This plugin allows you to directly scan VAD regions with YARA rules without having to first dump the memory.

You can specify a PID with the --pid flag if you would like to scan the memory of a specific process. The plugin accepts YARA rules in various formats.

Mimikatz yara rule:

rule mimikatz
{
        meta:
                description             = "mimikatz"
                author                  = "Benjamin DELPY (gentilkiwi)"
                tool_author             = "Benjamin DELPY (gentilkiwi)"

        strings:
                $exe_x86_1              = { 89 71 04 89 [0-3] 30 8d 04 bd }
                $exe_x86_2              = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }

                $exe_x64_1              = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
                $exe_x64_2              = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

                $dll_1                  = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
                $dll_2                  = { c7 0? 10 02 00 00 ?? 89 4? }

                $sys_x86                = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
                $sys_x64                = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

        condition:
                (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}

Volatility command:

python3 volatility3/vol.py -f win.raw windows.vadyarascan.VadYaraScan --pid 3604 --yara-file mimikatz.yara

As you can see we've got three matches!

Volatility 3