Volatility3 Exercise 1
Last updated
Was this helpful?
Last updated
Was this helpful?
When analyzing a memory image, it is nearly always important to understand what processes were running on the machine and what those processes were doing.
This module introduces the basics of analyzing processes in the memory of Windows operating systems. The focus of this module is on using to list running processes and to examine the memory accessible by those processes.
The Windows operating system is written in C and therefore C structures are used internally in Windows to represent information.
The most important structure to be aware of regarding processes is the EPROCESS structure (the E stands for executive). This structure is defined in the Windows kernel and it is the base for all processes. It contains many attributes related to a given process and points to other structures that contain further information
Parsing the EPROCESS structures is one of the main ways that Volatility extracts information about processes from Windows memory images.
Here is a list of examples of what kind of information you can reach through the EPROCESS structure:
When was the process started
When did the process exit (or if it is still running)
The ID of the process
The filename of the executable of the process
DLLs loaded by the process Working directory of the process
Command line arguments
Information about the memory allocated by a process
The very first step in trying to understand the nature and activities of different processes in the machine is to obtain a list of processes present in the memory image. There are a couple of plugins in Volatility that help with this task. Open up a terminal window and prepare to explore these plugins in the following steps.
There is a Windows 10 memory image file named win.raw in the /root/ directory and Volatility has been installed in the /root/volatility3 directory. Try running the windows.pslist.PsList plugin with the win.raw image.
At the bottom I can see a mimikatz process
I use the folllowing command to extract the mimikatz process
The windows.pstree.PsTree plugin helps visualize child-parent relationships between processes. This is useful if you are trying to figure out how a certain process got created.
The output of this plugin contains the same information that is present in the output of the PsList plugin. In addition to that, the relationships between processes are visualized using * symbols
Here we can see that mimikatz.exe is a child process of powershell.exe
The windows.psscan.PsScan plugin does not go through the linked list. Instead, it scans the memory image directly for EPROCESS structures. This approach will find any processes that have been unlinked from the list but still reside in memory.
Some malware might also attempt to unlink themselves from the list in order to try and hide their presence in the system. Searching for tricky malware is an entire topic on its own. However, just keep in mind that automatic tools can be misled and that they might also fail if the memory image is somehow corrupted or simply missing information. Things may not always work as expected and it is therefore important to have some understanding of what is happening under the hood to be better prepared to deal with any issues.
Note some processes like 1_doc_RCData_61 are not listed wit the pslist command.
The Virtual Address Descriptor (VAD) is a data structure used in Windows. It describes memory ranges allocated by a process. The VAD stores information such as the range of the reserved addresses and protections applied for that range (e.g., if the memory range is read-only or read-write and so on).
The VAD tree of a process can be found by inspecting the EPROCESS structure mentioned earlier. Specifically, the EPROCESS structure contains a field named VadRoot that points to the root of the VAD tree.
Examining the VADs of a process is a convenient way to look at its memory. In the next steps you will experiment with the VadInfo and VadYaraScan plugins that parse the data in the VAD tree.
Let's check the VAD tree for mimikatz.exe
Similar to the PsList plugin, you can use the --dump flag to extract the contents of VAD regions with the VadInfo plugin. By also specifying an address with the --address option, you can dump the region described by a single VAD node.
The final plugin you are going to experiment with is the VadYaraScan plugin. This plugin allows you to directly scan VAD regions with YARA rules without having to first dump the memory.
You can specify a PID with the --pid flag if you would like to scan the memory of a specific process. The plugin accepts YARA rules in various formats.
Mimikatz yara rule:
Volatility command:
As you can see we've got three matches!
