Study a live Windows memory dump - Volatility
This section explains the main commands in Volatility to analyze a Windows memory dump.
Windows Environment
- See environment variables like the number of CPUs installed, the hardware architecture, the process’s current directory, temporary directory, session name, computer name, user name… :
$ volatility -f mem.dmp --profile=Win7SP0x64 envars
Volatility Foundation Volatility Framework 2.4
Pid Process Block Variable Value
-------- -------------------- ------------------ ------------------------------ -----
296 csrss.exe 0x00000000003d1320 ComSpec C:\Windows\system32\cmd.exe
296 csrss.exe 0x00000000003d1320 FP_NO_HOST_CHECK NO
296 csrss.exe 0x00000000003d1320 NUMBER_OF_PROCESSORS 1
296 csrss.exe 0x00000000003d1320 OS Windows_NT
296 csrss.exe 0x00000000003d1320 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
296 csrss.exe 0x00000000003d1320 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
296 csrss.exe 0x00000000003d1320 PROCESSOR_ARCHITECTURE AMD64
296 csrss.exe 0x00000000003d1320 PROCESSOR_IDENTIFIER Intel64 Family 6 Model 2 Stepping 3, GenuineIntel
296 csrss.exe 0x00000000003d1320 PROCESSOR_LEVEL 6
296 csrss.exe 0x00000000003d1320 PROCESSOR_REVISION 0203
296 csrss.exe 0x00000000003d1320 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
296 csrss.exe 0x00000000003d1320 SystemDrive C:
296 csrss.exe 0x00000000003d1320 SystemRoot C:\Windows
296 csrss.exe 0x00000000003d1320 TEMP C:\Windows\TEMP
296 csrss.exe 0x00000000003d1320 TMP C:\Windows\TEMP
296 csrss.exe 0x00000000003d1320 USERNAME SYSTEM
296 csrss.exe 0x00000000003d1320 windir C:\Windows
- Get domain credentials :
$ volatility -f mem.dmp --profile=Win7SP1x86 hashdump > password.txt
$ cat password.txt
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Then, with crackstation, or John with a good dictionary, you can recover passwords.
Windows Processes
- See the tree of processes :
$ volatility -f mem.dmp --profile=Win7SP0x64 pstree
Volatility Foundation Volatility Framework 2.4
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
0xfffffa80004b09e0:System 4 0 78 489 2012-02-22 19:58:20
. 0xfffffa8000ce97f0:smss.exe 208 4 2 29 2012-02-22 19:58:20
0xfffffa8000c006c0:csrss.exe 296 288 9 385 2012-02-22 19:58:24
0xfffffa8000c92300:wininit.exe 332 288 3 74 2012-02-22 19:58:30
. 0xfffffa8000c5eb30:services.exe 428 332 6 193 2012-02-22 19:58:32
.. 0xfffffa8000aa0b30:SearchIndexer. 1800 428 12 757 2012-02-22 20:02:26
.. 0xfffffa80007d09e0:svchost.exe 916 428 19 443 2012-02-22 19:58:43
.. 0xfffffa8000a4f630:svchost.exe 1432 428 12 350 2012-02-22 20:04:14
.. 0xfffffa800094d960:wlms.exe 1264 428 4 43 2012-02-22 20:02:11
.. 0xfffffa8001325950:sppsvc.exe 816 428 5 154 2012-02-22 19:58:41
.. 0xfffffa8000e86690:spoolsv.exe 1076 428 12 271 2012-02-22 20:02:10
.. 0xfffffa8001296b30:svchost.exe 568 428 10 352 2012-02-22 19:58:34
... 0xfffffa8000a03b30:rundll32.exe 2016 568 3 67 2012-02-22 20:03:16
...
With this command, you can see suspicious processes. For example, when you replace l with I (lass.exe by Iass.exe), or when you find a suspicious cmd.exe, son of basic process (like iexplore.exe).
- See the absolute path of the executable and his associate DLLs :
$ volatility -f mem.dmp --profile=Win7SP0x64 dlllist -p 1892
Volatility Foundation Volatility Framework 2.4
************************************************************************
iexplore.exe pid: 1892
Command line : "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes
Base Size LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000080000 0xa6000 0xffff C:\Program Files (x86)\Internet Explorer\iexplore.exe
0x0000000076d40000 0x1ab000 0xffff C:\Windows\SYSTEM32\ntdll.dll
0x00000000748d0000 0x3f000 0x3 C:\Windows\SYSTEM32\wow64.dll
0x0000000074870000 0x5c000 0x1 C:\Windows\SYSTEM32\wow64win.dll
0x0000000074940000 0x8000 0x1 C:\Windows\SYSTEM32\wow64cpu.dll
You can delete the option -p/--pid
to discover all executables and their DLLs
With this command, you can see suspicious processes. For example, if you find an executable found out of C:\Program Files (x86)\
, or DLL out of C:\Windows\SYSTEM32\
- Print current commands :
$ volatility -f mem.dmp --profile Win7SP1x86 cmdline
AvastUI.exe pid: 2720
Command line : "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
************************************************************************
StikyNot.exe pid: 2744
Command line : "C:\Windows\System32\StikyNot.exe"
************************************************************************
iexplore.exe pid: 2772
Command line : "C:\Users\John Doe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\iexplore.exe"
************************************************************************
SearchIndexer. pid: 2900
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
wmpnetwk.exe pid: 3176
Command line : "C:\Program Files\Windows Media Player\wmpnetwk.exe"
************************************************************************
- Print registry values :
$ volatility -f mem.dmp --profile Win7SP1x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
----------------------------
Registry: \??\C:\Users\John Doe\ntuser.dat
Key name: Run (S)
Last updated: 2013-01-12 14:13:19
Subkeys:
Values:
REG_SZ RESTART_STICKY_NOTES : (S) C:\Windows\System32\Malware.exe
REG_SZ IEPreload : (S) "C:\Users\John Doe\AppData\Roaming\malware.exe
- Dump a process’s executable :
$ volatility -f mem.dmp --profile=Win7SP0x64 procdump -D dmp/ -p 296
Volatility Foundation Volatility Framework 2.4
************************************************************************
Dumping csrss.exe, pid: 296 output: executable.296.exe
$ file dmp/executable.296.exe
dump/executable.296.exe: PE32+ executable for MS Windows (native) Mono/.Net assembly
- Extract all memory resident pages in a process into an individual file :
$ volatility -f mem.dmp --profile=Win7SP0x64 memdump -p 4 -D dmp/
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing System [ 4] to 4.dmp
$ ls -alh dmp/4.dmp
-rw-r--r-- 1 Michael staff 111M Jun 24 15:47 dump/4.dmp
Windows files
- List cached files :
$ volatility -f mem.dmp --profile=Win7SP0x64 filescan
Volatility Foundation Volatility Framework 2.4
Offset(P) #Ptr #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000000126f3a0 14 0 R--r-d \Windows\System32\mswsock.dll
0x000000000126fdc0 11 0 R--r-d \Windows\System32\ssdpsrv.dll
0x000000000468f7e0 6 0 R--r-d \Windows\System32\cryptsp.dll
0x000000000468fdc0 16 0 R--r-d \Windows\System32\Apphlpdm.dll
0x00000000048223a0 1 1 ------ \Endpoint
0x0000000004822a30 16 0 R--r-d \Windows\System32\kerberos.dll
0x0000000004906070 13 0 R--r-d \Windows\System32\wbem\repdrvfs.dll
0x0000000004906580 9 0 R--r-d \Windows\SysWOW64\netprofm.dll
0x0000000004906bf0 9 0 R--r-d \Windows\System32\wbem\wmiutils.dll
0x00000000049ce8e0 2 1 R--rwd \$Extend\$ObjId
0x00000000049cedd0 1 1 R--r-d \Windows\System32\en-US\vsstrace.dll.mui
0x0000000004a71070 17 1 R--r-d \Windows\System32\en-US\pnidui.dll.mui
0x0000000004a71440 11 0 R--r-d \Windows\System32\nci.dll
0x0000000004a719c0 1 1 ------ \srvsvc
- extract mapped memory and cached files of a process :
$ volatility -f mem.dmp --profile=Win7SP0x86 dumpfiles -n -p 3224 -D dmp/
- extract all cached files (very expensive) :
$ volatility -f mem.dmp --profile=Win7SP0x86 dumpfiles -D dmp/
- extract a file at a specific offset (unsafe mode), using the file name (
-n
) and summarizing informations in a specific text file (summary.txt
) :
$ volatility -f mem.dmp --profile=Win7SP0x86 dumpfiles -Q 0x00000000007f3270 -D dmp/ -u -n -S summary.txt
- extract files with a specific substring in the name :
$ volatility -f mem.dmp --profile=Win7SP0x86 dumpfiles -D output/ -r ABCDE -i -S summary.txt
Windows networking
- View active TCP connections :
$ volatility -f mem.dmp --profile=Win2003SP2x64 connections
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Local Address Remote Address Pid
------------------ ------------------------- ------------------------- ------
0xfffffadfe6f2e2f0 172.16.237.150:1408 72.246.25.25:80 2136
0xfffffadfe72e8080 172.16.237.150:1369 64.4.11.30:80 2136
0xfffffadfe622d010 172.16.237.150:1403 74.125.229.188:80 2136
0xfffffadfe62e09e0 172.16.237.150:1352 64.4.11.20:80 2136
0xfffffadfe6f2e630 172.16.237.150:1389 209.191.122.70:80 2136
0xfffffadfe5e7a610 172.16.237.150:1419 74.125.229.187:80 2136
0xfffffadfe7321bc0 172.16.237.150:1418 74.125.229.188:80 2136
0xfffffadfe5ea3c90 172.16.237.150:1393 216.115.98.241:80 2136
0xfffffadfe72a3a80 172.16.237.150:1391 209.191.122.70:80 2136
0xfffffadfe5ed8560 172.16.237.150:1402 74.125.229.188:80 2136
This command works for x86 and x64 Windows XP and Windows 2003 Server only.
- Detect listening sockets for any protocol (TCP, UDP, RAW, etc) :
$ volatility -f mem.dmp --profile=Win2003SP2x64 sockets
Volatility Foundation Volatility Framework 2.4
Offset(V) PID Port Proto Protocol Address Create Time
------------------ ------ ------ ------ --------------- --------------- -----------
0xfffffadfe71bbda0 432 1025 6 TCP 0.0.0.0 2012-01-23 18:20:01
0xfffffadfe7350490 776 1028 17 UDP 0.0.0.0 2012-01-23 18:21:44
0xfffffadfe6281120 804 123 17 UDP 127.0.0.1 2012-06-25 12:40:55
0xfffffadfe7549010 432 500 17 UDP 0.0.0.0 2012-01-23 18:20:09
0xfffffadfe5ee8400 4 0 47 GRE 0.0.0.0 2012-02-24 18:09:07
0xfffffadfe606dc90 4 445 6 TCP 0.0.0.0 2012-01-23 18:19:38
0xfffffadfe6eef770 4 445 17 UDP 0.0.0.0 2012-01-23 18:19:38
0xfffffadfe7055210 2136 1321 17 UDP 127.0.0.1 2012-05-09 02:09:59
0xfffffadfe750c010 4 139 6 TCP 172.16.237.150 2012-06-25 12:40:55
0xfffffadfe745f610 4 138 17 UDP 172.16.237.150 2012-06-25 12:40:55
0xfffffadfe6096560 4 137 17 UDP 172.16.237.150 2012-06-25 12:40:55
0xfffffadfe7236da0 720 135 6 TCP 0.0.0.0 2012-01-23 18:19:51
0xfffffadfe755c5b0 2136 1419 6 TCP 0.0.0.0 2012-06-25 12:42:37
0xfffffadfe6f36510 2136 1418 6 TCP 0.0.0.0 2012-06-25 12:42:37
This command works for x86 and x64 Windows XP and Windows 2003 Server only.
- Scan for network artifacts in 32 and 64-bit Windows Vista, Windows 2008 Server and Windows 7 memory dumps. This finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners :
$ volatility -f mem.dmp --profile=Win7SP0x64 netscan
Volatility Foundation Volatility Framework 2.4
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0xf882a30 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 628 svchost.exe
0xfc13770 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 916 svchost.exe
0xfdda1e0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 916 svchost.exe
0xfdda1e0 TCPv6 :::49154 :::0 LISTENING 916 svchost.exe
0x1121b7b0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 628 svchost.exe
0x1121b7b0 TCPv6 :::135 :::0 LISTENING 628 svchost.exe
0x11431360 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 332 wininit.exe
0x11431360 TCPv6 :::49152 :::0 LISTENING 332 wininit.exe
[snip]
0x17de8980 TCPv6 :::49153 :::0 LISTENING 444 lsass.exe
0x17f35240 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 880 svchost.exe
0x17f362b0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 880 svchost.exe
0x17f362b0 TCPv6 :::49155 :::0 LISTENING 880 svchost.exe
0xfd96570 TCPv4 -:0 232.9.125.0:0 CLOSED 1 ?C?
0x17236010 TCPv4 -:49227 184.26.31.55:80 CLOSED 2820 iexplore.exe
0x1725d010 TCPv4 -:49359 93.184.220.20:80 CLOSED 2820 iexplore.exe
0x17270530 TCPv4 10.0.2.15:49363 173.194.35.38:80 ESTABLISHED 2820 iexplore.exe
0x17285010 TCPv4 -:49341 82.165.218.111:80 CLOSED 2820 iexplore.exe
0x17288a90 TCPv4 10.0.2.15:49254 74.125.31.157:80 CLOSE_WAIT 2820 iexplore.exe
0x1728f6b0 TCPv4 10.0.2.15:49171 204.245.34.130:80 ESTABLISHED 2820 iexplore.exe
0x17291ba0 TCPv4 10.0.2.15:49347 173.194.35.36:80 CLOSE_WAIT 2820 iexplore.exe
[snip]
0x17854010 TCPv4 -:49168 157.55.15.32:80 CLOSED 2820 iexplore.exe
0x178a2a20 TCPv4 -:0 88.183.123.0:0 CLOSED 504 svchost.exe
0x178f5b00 TCPv4 10.0.2.15:49362 173.194.35.38:80 CLOSE_WAIT 2820 iexplore.exe
0x17922910 TCPv4 -:49262 184.26.31.55:80 CLOSED 2820 iexplore.exe
0x17a9d860 TCPv4 10.0.2.15:49221 204.245.34.130:80 ESTABLISHED 2820 iexplore.exe
0x17ac84d0 TCPv4 10.0.2.15:49241 74.125.31.157:80 CLOSE_WAIT 2820 iexplore.exe
0x17b9acf0 TCPv4 10.0.2.15:49319 74.125.127.148:80 CLOSE_WAIT 2820 iexplore.exe
0x10f38d70 UDPv4 10.0.2.15:1900 *:* 1736 svchost.exe 2012-02-22 20:04:12
0x173b3dc0 UDPv4 0.0.0.0:59362 *:* 1736 svchost.exe 2012-02-22 20:02:27
0x173b3dc0 UDPv6 :::59362 *:* 1736 svchost.exe 2012-02-22 20:02:27
0x173b4cf0 UDPv4 0.0.0.0:3702 *:* 1736 svchost.exe 2012-02-22 20:02:27
0x173b4cf0 UDPv6 :::3702 *:*
For more information, check this link