The post provides a detailed walkthrough of using Volatility, a forensic analysis tool, to investigate a memory dump and identify malicious processes. This video also provides the walkthrough of TryHackMe Volatility room.

OSCP Study Notes

Computer Forensics Study Notes

Overview

  • Objective: Analyze a memory dump using Volatility to identify malicious processes.
  • Scenario: A memory dump (vmem file) is provided from a virtual machine, and the task is to locate and investigate potential malware.

Key Steps

1. Identifying the Operating System Profile

Command:

volatility -f <memory_dump>.vmem imageinfo
    • Output suggests possible OS profiles, such as WinXP SP2 x86 or WinXP SP3 x86.
  • Choose the correct profile for further analysis.

2. Listing Running Processes

  • Command:
volatility -f <memory_dump>.vmem --profile=<OS_profile> pslist
    • Displays processes running at the time of the memory capture.
    • Look for anomalies like:
      • Unfamiliar processes.
      • Suspiciously named executables.
    • Example Suspicious Processes:
      • smss.exe (could be legitimate but often targeted by process injection).
      • csrss.exe.

3. Detecting Hidden Processes

  • Use psxview to find discrepancies between process lists.
  • Command:
volatility -f <memory_dump>.vmem --profile=<OS_profile> psxview
    • Flags processes that are hidden or tampered with.
    • Look for processes with False in certain columns (e.g., PsActiveProcessHead, CSRSS).

4. Analyzing Process Modules

  • Command:
volatility -f <memory_dump>.vmem --profile=<OS_profile> ldrmodules
    • Identifies injected DLLs or tampered processes.
    • Focus on processes with False in the Load, Init, or Mem columns.

5. Dumping Suspicious Processes

  • Command:
volatility -f <memory_dump>.vmem --profile=<OS_profile> procdump -p <pid> -D <output_dir>
    • Dumps the process executable for offline analysis.

6. Analyzing Dumped Files

  • Upload dumped files to online malware analysis tools like:
    • VirusTotal.
    • Hybrid Analysis.
  • Example:
    • A dumped process flagged as malicious by multiple antivirus engines.

7. Investigating API Hooks

  • Check for unexpected or unknown API hooks, often a sign of process injection.
  • Command:
volatility -f <memory_dump>.vmem --profile=<OS_profile> apihooks
    • Look for hooks marked as Unknown.

Findings and Highlights

  1. Identified Malicious Processes:
    • csrss.exe and smss.exe were flagged due to discrepancies in psxview and ldrmodules.
    • Dumped executables confirmed malware after online analysis.
  2. Behavior of Malicious Processes:
    • Evidence of code injection and hooking was found, pointing to advanced techniques used by the attacker.

Recommendations for Further Analysis

  1. Offline Tools:
    • Reverse engineer dumped executables using tools like IDA Pro or Ghidra.
  2. Correlate Findings:
    • Cross-check process activity with network logs or other forensic artifacts.
  3. Report Findings:
    • Document malicious behaviors and provide remediation steps.

Let me know if you need further details or additional help with memory forensics!

TryHackMe Volatility | Room Answers

What memory format is the most common?

.raw

The Window’s system we’re looking to perform memory forensics on was turned off by mistake. What file contains a compressed memory image?

hiberfil.sys

How about if we wanted to perform memory forensics on a VMware-based virtual machine?

.vmem

First, let’s figure out what profile we need to use. Profiles determine how Volatility treats our memory image since every version of Windows is a little bit different. Let’s see our options now with the command volatility -f MEMORY_FILE.raw imageinfo

No answer needed

Running the imageinfo command in Volatility will provide us with a number of profiles we can test with, however, only one will be correct. We can test these profiles using the pslist command, validating our profile selection by the sheer number of returned results. Do this now with the command volatility -f MEMORY_FILE.raw --profile=PROFILE pslist. What profile is correct for this memory image?

WinXPSP2x86

Take a look through the processes within our image. What is the process ID for the smss.exe process? If results are scrolling off-screen, try piping your output into less

368

In addition to viewing active processes, we can also view active network connections at the time of image creation! Let’s do this now with the command volatility -f MEMORY_FILE.raw --profile=PROFILE netscan. Unfortunately, something not great is going to happen here due to the sheer age of the target operating system as the command netscan doesn’t support it.

No answer needed

It’s fairly common for malware to attempt to hide itself and the process associated with it. That being said, we can view intentionally hidden processes via the command psxview. What process has only one ‘False’ listed?

csrss.exe

In addition to viewing hidden processes via psxview, we can also check this with a greater focus via the command ‘ldrmodules’. Three columns will appear here in the middle, InLoad, InInit, InMem. If any of these are false, that module has likely been injected which is a really bad thing. On a normal system the grep statement above should return no output. Which process has all three columns listed as ‘False’ (other than System)?

csrss.exe

Processes aren’t the only area we’re concerned with when we’re examining a machine. Using the ‘apihooks’ command we can view unexpected patches in the standard system DLLs. If we see an instance where Hooking module: that’s really bad. This command will take a while to run, however, it will show you all of the extraneous code introduced by the malware.

No answer needed

Injected code can be a huge issue and is highly indicative of very very bad things. We can check for this with the command malfind. Using the full command volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D <Destination Directory> we can not only find this code, but also dump it to our specified directory. Let’s do this now! We’ll use this dump later for more analysis. How many files does this generate?

12

Last but certainly not least we can view all of the DLLs loaded into memory. DLLs are shared system libraries utilized in system processes. These are commonly subjected to hijacking and other side-loading attacks, making them a key target for forensics. Let’s list all of the DLLs in memory now with the command dlllist

No answer needed

Now that we’ve seen all of the DLLs running in memory, let’s go a step further and pull them out! Do this now with the command volatility -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D <Destination Directory> where the PID is the process ID of the infected process we identified earlier (questions five and six). How many DLLs does this end up pulling?

12
What malware has our sample been infected with? You can find this in the results of VirusTotal and Hybrid Anaylsis.

Cridex

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles