Let’s go down a bit more deeply in the system, and let’s go to find kernel modules into the memory dump. modules To view the list of kernel drivers loaded on the system, use the modules command. This walks the doubly-linked list of LDR_DATA_TABLE_ENTRY structures pointed to by PsLoadedModuleList. Similar to the pslist command, this relies on […]
Let’s try to analyze the memory in more detail… If we try to analyze the memory more thoroughly, without focusing only on the processes, we can find other interesting information. memmap The memmap command shows you exactly which pages are memory resident, given a specific process DTB (or kernel DTB if you use this plugin on […]
Once identified the correct profile, we can start to analyze the processes in the memory and, when the dump come from a windows system, the loaded DLLs. pslist To list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActiveProcessHead and shows the offset, process name, process ID, the parent process […]
In order to start a memory analysis with Volatility, the identification of the type of memory image is a mandatory step. Here some usefull commands. imageinfo For a high level summary of the memory sample you’re analyzing, use the imageinfo command. Most often this command is used to identify the operating system, service pack, and […]
Cutting out the manual tasks in the first steps of memory analysis When you study new malware or wish to analyse suspicious executables you need to to extract the binary file and all the different injections and strings decrypted during the malware’s execution.