# Volatility3 Exercise 1
### 1. Introduction
> When analyzing a memory image, it is nearly always important to understand what processes were running on the machine and what those processes were doing.
>
> This module introduces the basics of analyzing processes in the memory of Windows operating systems. The focus of this module is on using [Volatility 3](https://github.com/volatilityfoundation/volatility3) to list running processes and to examine the memory accessible by those processes.
### 2. About processes in Windows
The Windows operating system is written in C and therefore C structures are used internally in Windows to represent information.
The most important structure to be aware of regarding processes is the **EPROCESS** **structure** (**the E stands for executive**). This structure is defined in the Windows kernel and it is the base for all processes. It contains many attributes related to a given process and points to other structures that contain further information
Parsing the **EPROCESS structures** is one of the main ways that Volatility extracts information about processes from Windows memory images.
Here is a list of examples of what kind of information you can reach through the **EPROCESS structure**:
* When was the process started
* When did the process exit (or if it is still running)
* The ID of the process
* The filename of the executable of the process
* DLLs loaded by the process Working directory of the process
* Command line arguments
* Information about the memory allocated by a process
### 3. Volatility Pslist Plugin
The very first step in trying to understand the nature and activities of different processes in the machine is to obtain a list of processes present in the memory image. There are a couple of plugins in Volatility that help with this task. Open up a terminal window and prepare to explore these plugins in the following steps.
There is a Windows 10 memory image file named **win.raw** in the **/root/** directory and Volatility has been installed in the `/root/volatility3` directory. Try running the windows.pslist.PsList plugin with the win.raw image.
```
python3 volatility3/vol.py -f win.raw windows.pslist.PsList
```
At the bottom I can see a mimikatz process
### 3.1 Extracting the executable
I use the folllowing command to extract the mimikatz process
```
python3 volatility3/vol.py -f win.raw windows.pslist.PsList --dump --pid 3604
```
### 3.2 Volatility Pstree plugin
The `windows.pstree.PsTree` plugin helps visualize child-parent relationships between processes. This is useful if you are trying to figure out how a certain process got created.
The output of this plugin contains the same information that is present in the output of the PsList plugin. In addition to that, the relationships between processes are visualized using `*` symbols
Here we can see that **mimikatz.exe** is a child process of **powershell.exe**
### 3.3 Volatility PsScan plugin
The `windows.psscan.PsScan` plugin does not go through the linked list. Instead, it scans the memory image directly for EPROCESS structures. This approach will find any processes that have been unlinked from the list but still reside in memory.
Some malware might also attempt to unlink themselves from the list in order to try and hide their presence in the system. Searching for tricky malware is an entire topic on its own. However, just keep in mind that automatic tools can be misled and that they might also fail if the memory image is somehow corrupted or simply missing information. Things may not always work as expected and it is therefore important to have some understanding of what is happening under the hood to be better prepared to deal with any issues.
```
python3 volatility3/vol.py -f /root/prolaco.vmem windows.psscan.PsScan
```
Note some processes like `1_doc_RCData_61` are not listed wit the **pslist** command.
### 4. Virtual address descriptors
The **Virtual Address Descriptor (VAD)** is a data structure used in Windows. It describes memory ranges allocated by a process. The VAD stores information such as the range of the reserved addresses and protections applied for that range (e.g., if the memory range is read-only or read-write and so on).
The **VAD tree** of a process can be found by inspecting the **EPROCESS structure** mentioned earlier. Specifically, the EPROCESS structure contains a field named VadRoot that points to the root of the VAD tree.
Examining the VADs of a process is a convenient way to look at its memory. In the next steps you will experiment with the VadInfo and VadYaraScan plugins that parse the data in the VAD tree.
Let's check the VAD tree for mimikatz.exe
### 4.1 Extract data with vadplugin
Similar to the PsList plugin, you can use the --dump flag to extract the contents of VAD regions with the VadInfo plugin. By also specifying an address with the --address option, you can dump the region described by a single VAD node.
```
python3 volatility3/vol.py -f win.raw windows.vadinfo.VadInfo --pid 3604 --dump --address 0x240000
```
### 4.2 The VADYaraScan Plugin
The final plugin you are going to experiment with is the VadYaraScan plugin. This plugin allows you to directly scan VAD regions with YARA rules without having to first dump the memory.
You can specify a PID with the --pid flag if you would like to scan the memory of a specific process. The plugin accepts YARA rules in various formats.
Mimikatz yara rule:
```
rule mimikatz
{
meta:
description = "mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Benjamin DELPY (gentilkiwi)"
strings:
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
$exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
$exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
$exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
$dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
$dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
condition:
(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}
```
Volatility command:
```
python3 volatility3/vol.py -f win.raw windows.vadyarascan.VadYaraScan --pid 3604 --yara-file mimikatz.yara
```
As you can see we've got three matches!
