Learning Volatility: TryHackMe

Siddhesh Parab
6 min read, Jun 13, 2022

For the longest time, I have wanted to explore the field of forensics, and there is no better way to get started in a particular infosec field than learning it through TryHackMe. So here I am today with another walkthrough of a TryHackMe room called “Volatility”. TryHackMe has been kind enough to keep this room free, which means non-subscribers can also join it.

[Task1]: Installing

This task covers installing the Volatility tool itself. However, I couldn't install Volatility using the command mentioned in the room, so I went for the manual approach.

I will be using Volatility 2 (as recommended by others) for this room, which is written in Python 2. I spent over an hour trying to install Volatility on my Kali Linux machine without success, so I went with the standalone executable instead. You can download the executable from the official site.

wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip

After downloading the archive, let's extract it, copy the binary into a directory on our PATH and make it executable, so that we can run it from anywhere.

unzip volatility_2.6_lin64_standalone.zip
sudo cp volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone /usr/local/bin/volatility
sudo chmod +xr /usr/local/bin/volatility

[Task2]: Obtaining memory samples

(#1) What memory format is the most common?

As mentioned in the description given, .raw is the most commonly used memory format.

(#2) What file contains a compressed memory image?

The hiberfil.sys file contains the compressed memory image from the previous boot. Windows uses it to speed up the boot process.

(#3) How about if we wanted to perform memory forensics on a VMware-based virtual machine?

The .vmem file is the memory image that belongs to VMware-based virtual machines.

[Task3]: Examining Our Patient

(#1) Viewing profiles

Volatility treats memory dumps from different Windows versions differently, so it needs a profile that matches the dump. During a forensic investigation it is difficult to guess the exact operating system version, service pack, build number, etc. To overcome this, Volatility scans the dump for the kernel debugger data block (the KDBG, also available directly through the kdbgscan plugin) and predicts the operating system version from it. To view the possible profiles for our memory dump, we use the following command:

volatility -f cridex.vmem imageinfo

(#2) Guessing the profile

Out of the 2 profiles that the KDBG scan suggested, we now need to check which one belongs to our dump using trial and error.

Now let's check whether we get the expected output using one of the 2 profiles available to us.

volatility -f cridex.vmem --profile=WinXPSP2x86 pslist

(#3) Finding PIDs using the “pslist” plugin

With the profile confirmed, the pslist plugin walks the active process list and prints each process with its name, PID, parent PID, thread and handle counts and start time. The PIDs the room asks for are read straight from this output.

volatility -f cridex.vmem --profile=WinXPSP2x86 pslist

(#4) Viewing active network connections

Volatility contains a plugin called netscan which allows us to view active network connections. But this plugin doesn't support old systems, and our memory dump is from an operating system version that netscan doesn't support. Hence, we get an error when running it. (For XP and 2003 images, the older connections, connscan, sockets and sockscan plugins fill this role.)

(#5) Viewing hidden processes

Malware usually tends to run stealthily, so it tries to hide itself and the processes associated with it. With the help of the psxview plugin we can view these hidden processes. It compares the process list from PsActiveProcessHead (pslist) with other process-finding techniques such as EPROCESS pool scanning (psscan), ETHREAD scanning, the PspCid table, the csrss.exe handle table, sessions and desktop threads. A process that shows “False” in only one of these columns while the other techniques still find it was most likely unlinked deliberately, and the analyst should treat that process as suspicious.

volatility -f cridex.vmem --profile=WinXPSP2x86 psxview

(#6) Viewing hidden DLLs

One of the ways of hiding a DLL is to unlink it from the PEB linked lists. However, when this is done, information remains in the VAD (Virtual Address Descriptor) which can identify the base address of the DLL and its full path on disk. The ldrmodules plugin outputs three columns, InLoad, InInit and InMem, for each module. If any of these is False, that module has likely been injected or unlinked, which is a really bad thing.

volatility -f cridex.vmem --profile=WinXPSP2x86 ldrmodules

But the above command gives us an extensive list of DLLs, and we are only interested in the ones that have “False” in any of the columns. So, we make use of the command-line utility grep to keep only the lines we are interested in.

volatility -f cridex.vmem --profile=WinXPSP2x86 ldrmodules | grep "False"
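The psxview and ldrmodules checks above, as an added example rather than code from the room or the Volatility project: a small Python 3 script that parses the plain-text tables those plugins print and flags only the rows that matter, skipping the two usual false positives (exited processes in psxview, and a process's own .exe showing InInit False in ldrmodules). The sample tables are constructed, not taken from the cridex image, and the script assumes process names contain no spaces.

```python
# Added example (not from the room or the Volatility project): post-process the
# text tables printed by Volatility 2's psxview and ldrmodules plugins. Assumes
# process names have no spaces; only the last column may (or may be empty).
def parse_table(text):
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    cols = lines[0].split()                       # header row gives the keys
    rows = []
    for line in lines[2:]:                        # skip header and '----' rule
        parts = line.split(None, len(cols) - 1)   # last column keeps its spaces
        rows.append(dict(zip(cols, parts + [""] * (len(cols) - len(parts)))))
    return rows

PSX_CHECKS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

def hidden_processes(psxview_text):
    """Live processes missing from at least one listing: [(name, pid, [cols])].
    Exited ones are False nearly everywhere, so rows with an ExitTime are skipped."""
    found = []
    for r in parse_table(psxview_text):
        missing = [c for c in PSX_CHECKS if r[c] == "False"]
        if missing and not r["ExitTime"]:
            found.append((r["Name"], int(r["PID"]), missing))
    return found

def suspicious_modules(ldrmodules_text):
    """Modules unlinked from a PEB list or with no file on disk. A process's own
    .exe is never on the InInit list, so InInit=False alone is ignored for it."""
    found = []
    for r in parse_table(ldrmodules_text):
        path = r["MappedPath"]
        reasons = [c for c in ("InLoad", "InMem") if r[c] == "False"]
        if r["InInit"] == "False" and not path.lower().endswith(".exe"):
            reasons.append("InInit")
        if not path:                              # no backing file on disk
            reasons.append("NoMappedPath")
        if reasons:
            found.append((r["Process"], int(r["Pid"]), r["Base"], reasons))
    return found

# Constructed sample output (not taken from the cridex image).
PSXVIEW = """Offset(P)  Name        PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- ----------- --- ------ ------ -------- ------ ----- ------- -------- --------
0x02445ec8 hidden.exe  777 False  True   True     True   True  True    True
0x024f0020 notepad.exe 888 False  True   False    False  False False   False    2022-06-13 10:00:00
"""
LDRMODULES = r"""Pid Process    Base       InLoad InInit InMem MappedPath
--- ---------- ---------- ------ ------ ----- ----------
777 hidden.exe 0x00400000 True   False  True  \WINDOWS\system32\hidden.exe
777 hidden.exe 0x01a00000 False  False  True
"""
```

To use it on a real dump, save the plugin output to a file (for example `volatility -f cridex.vmem --profile=WinXPSP2x86 psxview > psxview.txt`) and pass its contents to the functions. On a real XP image, System, smss.exe and csrss.exe normally show False under the csrss and session columns, so expect those three in the psxview results and judge them separately.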

(#7) Viewing unexpected API hooks

Malware can hook API calls made by the target process and reroute them to control execution. Detecting such hooks is possible with the help of the apihooks plugin.

volatility -f cridex.vmem --profile=WinXPSP2x86 apihooks

(#8) Dumping malicious code

With the help of the malfind plugin we can find injected or malicious code and dump it to a directory (here /tmp/test) so that we can conduct manual analysis on it afterwards.

volatility -f cridex.vmem --profile=WinXPSP2x86 malfind -D /tmp/test

(#9) Viewing all DLLs loaded into memory

The dlllist plugin lists all the DLLs loaded by each process in memory.

volatility -f cridex.vmem --profile=WinXPSP2x86 dlllist

[Task4]: Post Actions

(#1) Uploading the memory dumps to VirusTotal

VirusTotal is one of the most well-known online tools for detecting malware based on signatures and hashes. VirusTotal maintains a huge database of malicious file hashes, so whenever we upload a file to VirusTotal, it checks whether there is a matching hash in its database. Each hash also has information associated with it which helps a person decide whether the file is safe to use or not.

Now that we have extracted the suspicious DLLs, we can upload them to VirusTotal and check whether they are actually malicious.

Out of the 12 uploaded DLLs, one was flagged as infected with the Cridex malware.

That's it guys!! With this, we complete the room. Although it didn't cover memory forensics techniques in detail, it gave us a high-level overview of how memory forensics is carried out using Volatility.

There is still very much to explore in Volatility's capabilities. We can wait for TryHackMe to release another in-depth room on Volatility 😂 or learn it ourselves from other sources.
