Volatility3 Exercise 1

1. Introduction

When analyzing a memory image, it is nearly always important to understand what processes were running on the machine and what those processes were doing.

This module introduces the basics of analyzing processes in the memory of Windows operating systems. The focus of this module is on using Volatility 3 to list running processes and to examine the memory accessible by those processes.

2. About processes in Windows

The Windows operating system is written in C and therefore C structures are used internally in Windows to represent information.

The most important structure to be aware of regarding processes is the EPROCESS structure (the E stands for executive). This structure is defined in the Windows kernel and it is the base for all processes. It contains many attributes related to a given process and points to other structures that contain further information

Parsing the EPROCESS structures is one of the main ways that Volatility extracts information about processes from Windows memory images.

Here is a list of examples of what kind of information you can reach through the EPROCESS structure:

• When was the process started

• When did the process exit (or if it is still running)

• The ID of the process

• The filename of the executable of the process

• DLLs loaded by the process Working directory of the process

• Command line arguments

• Information about the memory allocated by a process

3. Volatility Pslist Plugin

The very first step in trying to understand the nature and activities of different processes in the machine is to obtain a list of processes present in the memory image. There are a couple of plugins in Volatility that help with this task. Open up a terminal window and prepare to explore these plugins in the following steps.

There is a Windows 10 memory image file named win.raw in the /root/ directory and Volatility has been installed in the /root/volatility3 directory. Try running the windows.pslist.PsList plugin with the win.raw image.

python3 volatility3/vol.py -f win.raw windows.pslist.PsList

At the bottom I can see a mimikatz process

3.1 Extracting the executable

I use the folllowing command to extract the mimikatz process

python3 volatility3/vol.py -f win.raw windows.pslist.PsList --dump --pid 3604

3.2 Volatility Pstree plugin

The windows.pstree.PsTree plugin helps visualize child-parent relationships between processes. This is useful if you are trying to figure out how a certain process got created.

The output of this plugin contains the same information that is present in the output of the PsList plugin. In addition to that, the relationships between processes are visualized using * symbols

Here we can see that mimikatz.exe is a child process of powershell.exe

3.3 Volatility PsScan plugin

The windows.psscan.PsScan plugin does not go through the linked list. Instead, it scans the memory image directly for EPROCESS structures. This approach will find any processes that have been unlinked from the list but still reside in memory.

Some malware might also attempt to unlink themselves from the list in order to try and hide their presence in the system. Searching for tricky malware is an entire topic on its own. However, just keep in mind that automatic tools can be misled and that they might also fail if the memory image is somehow corrupted or simply missing information. Things may not always work as expected and it is therefore important to have some understanding of what is happening under the hood to be better prepared to deal with any issues.

python3 volatility3/vol.py -f /root/prolaco.vmem windows.psscan.PsScan

Note some processes like 1_doc_RCData_61 are not listed wit the pslist command.

4. Virtual address descriptors

The Virtual Address Descriptor (VAD) is a data structure used in Windows. It describes memory ranges allocated by a process. The VAD stores information such as the range of the reserved addresses and protections applied for that range (e.g., if the memory range is read-only or read-write and so on).

The VAD tree of a process can be found by inspecting the EPROCESS structure mentioned earlier. Specifically, the EPROCESS structure contains a field named VadRoot that points to the root of the VAD tree.

Examining the VADs of a process is a convenient way to look at its memory. In the next steps you will experiment with the VadInfo and VadYaraScan plugins that parse the data in the VAD tree.

Let's check the VAD tree for mimikatz.exe

4.1 Extract data with vadplugin

Similar to the PsList plugin, you can use the --dump flag to extract the contents of VAD regions with the VadInfo plugin. By also specifying an address with the --address option, you can dump the region described by a single VAD node.

python3 volatility3/vol.py -f win.raw windows.vadinfo.VadInfo --pid 3604 --dump --address 0x240000 

4.2 The VADYaraScan Plugin

The final plugin you are going to experiment with is the VadYaraScan plugin. This plugin allows you to directly scan VAD regions with YARA rules without having to first dump the memory.

You can specify a PID with the --pid flag if you would like to scan the memory of a specific process. The plugin accepts YARA rules in various formats.

Mimikatz yara rule:

rule mimikatz
{
        meta:
                description             = "mimikatz"
                author                  = "Benjamin DELPY (gentilkiwi)"
                tool_author             = "Benjamin DELPY (gentilkiwi)"

        strings:
                $exe_x86_1              = { 89 71 04 89 [0-3] 30 8d 04 bd }
                $exe_x86_2              = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }

                $exe_x64_1              = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
                $exe_x64_2              = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

                $dll_1                  = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
                $dll_2                  = { c7 0? 10 02 00 00 ?? 89 4? }

                $sys_x86                = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
                $sys_x64                = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

        condition:
                (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}

Volatility command:

python3 volatility3/vol.py -f win.raw windows.vadyarascan.VadYaraScan --pid 3604 --yara-file mimikatz.yara

As you can see we've got three matches!