Below is a quick guide for dumping and analyzing Windows and Linux memory. If you wish to use the Volatility framework, it can be found at volatilityfoundation.org. This guide will help you with some of the challenges available on CyDefe Labs. Check those out at Labs.CyDefe.com
Check back frequently for more guides, tips, and tricks on DFIR, pentesting, reverse engineering and much more. Many of the guides and tips we post will help you in real-world environments and on our platform. Happy hacking everyone.
MEMORY ACQUISITION
WINPMEM/LINPMEM
1. Windows (run from an elevated prompt; F:\ is external evidence media, not the system disk)
a. Acquire to an AFF4 container: C:\> winpmem_<version>.exe -o F:\mem.aff4
b. Export the raw physical memory stream for Volatility: C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o F:\mem.raw
2. Linux (root required; write to an external evidence mount, not the local disk)
a. sudo ./linpmem_<version> -o <evidence mount>/mem.aff4
b. sudo ./linpmem_<version> <evidence mount>/mem.aff4 -e PhysicalMemory -o <evidence mount>/mem.raw
3. Linux Alt (fmem kernel module; /dev/fmem only exists after the module, built for the running kernel, has been loaded)
a. sudo dd if=/dev/fmem of=<evidence mount>/memory.raw bs=1MB count=<physical RAM in MB, from MemTotal in /proc/meminfo>
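The acquisition steps above end with a raw image and nothing tying it to the moment it was taken. The script below is an added example, not part of the original guide: it wraps the Linux linpmem steps (same flags as above) so each image is hashed as soon as it is written and can be re-verified before it goes into Volatility. The evidence mount point EVIDENCE_DIR is an assumption; the test data used to exercise the hash and verify functions is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: wrap the Linux acquisition
# step so the image is hashed as soon as it is written, and the hash can be
# re-checked before analysis. The linpmem flags are the ones from the guide;
# EVIDENCE_DIR (an external evidence mount) is an assumption.

EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/evidence}"   # assumed mount point, override via env

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Append "<sha256> <bytes> <utc time> <path>" to the manifest; print the hash.
write_manifest() {
  img="$1"; manifest="$2"
  h=$(sha256_of "$img")
  size=$(wc -c < "$img" | tr -d ' ')
  printf '%s %s %s %s\n' "$h" "$size" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$img" >> "$manifest"
  printf '%s\n' "$h"
}

# Re-hash a file and compare with its most recent manifest entry.
# Returns 0 on match, 1 on mismatch or missing entry.
verify_manifest() {
  img="$1"; manifest="$2"
  expected=$(awk -v f="$img" '$4 == f {print $1}' "$manifest" | tail -n 1)
  actual=$(sha256_of "$img")
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "OK        $img"
    return 0
  fi
  echo "MISMATCH  $img (expected ${expected:-<none>}, got $actual)"
  return 1
}

# Acquire with linpmem (root required), export the raw stream for Volatility,
# and record both files. $1 = path to the linpmem binary.
acquire_linux() {
  pmem="$1"
  aff4="$EVIDENCE_DIR/mem.aff4"
  raw="$EVIDENCE_DIR/mem.raw"
  sudo "$pmem" -o "$aff4"
  sudo "$pmem" "$aff4" -e PhysicalMemory -o "$raw"
  write_manifest "$aff4" "$EVIDENCE_DIR/manifest.txt"
  write_manifest "$raw"  "$EVIDENCE_DIR/manifest.txt"
}

# Usage: sh acquire.sh acquire /path/to/linpmem
#        sh acquire.sh verify  /mnt/evidence/mem.raw
case "${1:-}" in
  acquire) acquire_linux "$2" ;;
  verify)  verify_manifest "$2" "$EVIDENCE_DIR/manifest.txt" ;;
esac
```

Run `verify` on the analysis box before the first Volatility command, and again on any copy you hand to someone else; a mismatch means the image was altered or truncated in transit and the findings cannot be tied back to the host.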
VOLATILITY USAGE
Example usage (Volatility 2 syntax; <profile name> must match the OS and build of the image): ./volatility_<version>_lin64_standalone --profile=<profile name> <command> -f <memory file name>
LISTING AVAILABLE PROFILES
1. info - Displays a list of profiles (and plugins)
a. ./volatility_<version>_lin64_standalone --info
2. imageinfo - Suggests a profile for an image whose OS build is unknown
a. ./volatility_<version>_lin64_standalone imageinfo -f <memory file name>
ROGUE PROCESS IDENTIFICATION
1. pslist - High level view of running processes
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pslist -f <memory file name>
2. psscan - Scan memory for EPROCESS blocks
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psscan -f <memory file name>
3. pstree - Display parent-process relationships
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pstree -f <memory file name>
ROOTKIT IDENTIFICATION
1. psxview - Find hidden processes using cross-view
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psxview -f <memory file name>
2. modscan - Scan memory for loaded, unloaded, and unlinked drivers
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> modscan -f <memory file name>
3. apihooks - Find API/DLL function hooks
a. -p Operate only on specific PIDs
b. -Q Only scan critical processes and DLLS
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> apihooks -f <memory file name>
4. ssdt - Hooks in System Service Descriptor Table
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> ssdt -f <memory file name> | egrep -v '(ntoskrnl|win32k)'
b. The egrep drops entries owned by ntoskrnl.exe and win32k.sys; anything left points into another module and is what to examine
5. driverirp - Identify I/O Request Packet (IRP) hooks
a. -r Analyze drivers matching REGEX name pattern
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> driverirp -r tcpip -f <memory file name>
6. idt - Display Interrupt Descriptor Table
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> idt -f <memory file name>
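The rogue-process commands (pslist, psscan, pstree) and psxview above rest on one idea: pslist walks the kernel's linked process list, psscan carves EPROCESS blocks out of memory, and a process the scanner finds but the list does not is either unlinked (hidden) or already exited. The script below is an added example, not part of the original guide, that does that comparison by hand with the guide's own commands. The Volatility binary name in VOL is an assumption, and the pslist/psscan output it is tested against is constructed to match the Volatility 2 column layout.

```shell
#!/bin/sh
# Added example, not part of the original guide: the "cross-view" idea behind
# psxview, done by hand with the guide's pslist and psscan commands. A PID
# present in psscan but absent from pslist is a candidate hidden process (or
# one that has exited; confirm with psxview's other sources and pstree).
# Sample Volatility 2 output is constructed here so the comparison runs
# offline; VOL is an assumed binary name.
export LC_ALL=C   # byte-order sort, which is what comm requires

VOL="${VOL:-./volatility_2.6_lin64_standalone}"   # assumed binary name

# PIDs (3rd column) from pslist/psscan output, sorted and de-duplicated.
# Header, separator and banner lines have a non-numeric 3rd field and drop out.
pids_from() {
  awk 'NF >= 4 && $3 ~ /^[0-9]+$/ {print $3}' "$1" | sort -u
}

# Print "<pid> <name>" for every PID that psscan found but pslist did not.
hidden_pids() {
  list="$1"; scan="$2"
  a=$(mktemp); b=$(mktemp)
  pids_from "$list" > "$a"
  pids_from "$scan" > "$b"
  comm -13 "$a" "$b" | while read -r pid; do
    name=$(awk -v p="$pid" '$3 == p {print $2; exit}' "$scan")
    printf '%s %s\n' "$pid" "$name"
  done
  rm -f "$a" "$b"
}

# Run both plugins against a real image and compare them.
triage_image() {
  img="$1"; profile="$2"
  "$VOL" --profile="$profile" -f "$img" pslist > pslist.txt
  "$VOL" --profile="$profile" -f "$img" psscan > psscan.txt
  hidden_pids pslist.txt psscan.txt
}

# Constructed sample output (column layout of Volatility 2.6) for offline use:
# svchost.exe PID 880 is only visible to the scanner.
write_samples() {
  cat > "$1/pslist.sample" <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ----
0x823c89c8 System                    4      0     58      379 ------      0
0x8220e020 smss.exe                544      4      3       21 ------      0 2023-01-01 10:00:00 UTC+0000
0x821f1020 csrss.exe               608    544     12      411      0      0 2023-01-01 10:00:02 UTC+0000
0x8204d7a0 explorer.exe           1624   1588     17      438      0      0 2023-01-01 10:01:00 UTC+0000
EOF
  cat > "$1/psscan.sample" <<'EOF'
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------
0x023c89c8 System                4      0 0x00319000
0x0220e020 smss.exe            544      4 0x0a6a4000 2023-01-01 10:00:00 UTC+0000
0x021f1020 csrss.exe           608    544 0x0a8c9000 2023-01-01 10:00:02 UTC+0000
0x0204d7a0 explorer.exe       1624   1588 0x0b1e3000 2023-01-01 10:01:00 UTC+0000
0x01f3b020 svchost.exe         880    608 0x0c2f1000 2023-01-01 10:05:00 UTC+0000
EOF
}

# Usage: sh crossview.sh <image> <profile>   (real image)
#        sh crossview.sh --demo              (constructed samples)
case "${1:-}" in
  --demo) d=$(mktemp -d); write_samples "$d"; hidden_pids "$d/pslist.sample" "$d/psscan.sample"; rm -rf "$d" ;;
  "") ;;
  *) triage_image "$1" "$2" ;;
esac
```

A PID reported here is a lead, not a verdict: a process that exited shortly before acquisition shows up the same way, so check its Time exited column in psscan and its parent in pstree before calling it hidden.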
NETWORK ARTIFACTS
1. connections - List of open TCP connections (connections, connscan, sockets and sockscan are for XP/2003 images; use netscan on Vista and later)
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connections -f <memory file name>
2. connscan - ID TCP connections, including closed
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connscan -f <memory file name>
3. sockets - Print listening sockets (any protocol)
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockets -f <memory file name>
4. sockscan - ID sockets, including closed/unlinked
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockscan -f <memory file name>
5. netscan - Scan for connections and sockets (Vista and later)
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> netscan -f <memory file name>
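netscan output is one row per TCP or UDP endpoint, and UDP rows have no State column, so the Pid and Owner fields sit one position further left than on TCP rows; that shift is the main trap when scripting over the plugin. The script below is an added example, not part of the original guide, that parses netscan output into the two views usually wanted first: established TCP connections to peers outside the local ranges, and everything owned by one PID. The sample rows are constructed to match the netscan column layout; the RFC 1918/loopback definition of "external" is an assumption to adjust for your environment.

```shell
#!/bin/sh
# Added example, not part of the original guide: parse netscan output (Vista
# and later) for the connections worth looking at first. UDP rows have no
# State column, so their fields shift left by one. The sample rows below are
# constructed; the private-range filter is an assumption.

# awk function: is a dotted-quad IPv4 address private or loopback?
# (10/8, 172.16/12, 192.168/16, 127/8)
AWK_PRIVATE='
function private(ip,  o) {
  split(ip, o, ".")
  if (o[1] == 10 || o[1] == 127) return 1
  if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
  if (o[1] == 192 && o[2] == 168) return 1
  return 0
}'

# ESTABLISHED TCPv4 connections to non-private peers: "<pid> <owner> <foreign>"
external_established() {
  awk "$AWK_PRIVATE"'
  $2 == "TCPv4" && $5 == "ESTABLISHED" {
    split($4, fa, ":")
    if (!private(fa[1])) print $6, $7, $4
  }' "$1"
}

# Every endpoint owned by one PID, normalising the TCP/UDP column shift:
# "<proto> <local> <foreign> <state> <owner>"
by_pid() {
  awk -v p="$2" '
  $2 ~ /^TCP/ { pid = $6; owner = $7; state = $5 }
  $2 ~ /^UDP/ { pid = $5; owner = $6; state = "-" }   # no State column on UDP rows
  ($2 ~ /^(TCP|UDP)/) && pid == p { print $2, $3, $4, state, owner }
  ' "$1"
}

# Constructed rows in the column layout of Volatility 2 netscan.
write_sample() {
  cat > "$1" <<'EOF'
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1b0a30 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        712      svchost.exe
0x3e2f0008 TCPv4    192.168.1.10:49200             203.0.113.5:443      ESTABLISHED      2460     chrome.exe     2023-01-01 10:02:11 UTC+0000
0x3e2f1a40 TCPv4    192.168.1.10:49211             192.168.1.20:445     ESTABLISHED      4        System         2023-01-01 10:02:30 UTC+0000
0x3e30b2c8 TCPv4    192.168.1.10:49300             198.51.100.7:8080    ESTABLISHED      1624     explorer.exe   2023-01-01 10:03:05 UTC+0000
0x3e3a1d20 UDPv4    0.0.0.0:5355                   *:*                                   1020     svchost.exe    2023-01-01 10:00:40 UTC+0000
EOF
}

# Usage: sh netscan-triage.sh <netscan output file>        (external established)
#        sh netscan-triage.sh <netscan output file> <pid>  (one process)
case $# in
  1) external_established "$1" ;;
  2) by_pid "$1" "$2" ;;
esac
```

Feed it the saved output of the netscan command above; the PIDs it prints are the ones to cross-check against pslist/psscan, since an established connection owned by a PID that is missing from pslist is a stronger lead than either artifact on its own.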