Plugin Post: Moddump

By now, you all probably know that you can dump running programs from memory using the procdump module in Volatility. But not all malware runs as a user-mode process. What about malicious kernel modules?


As it turns out, dumping these is also quite straightforward, and it's easy to write a plugin to do it. In fact, it's downright trivial -- kernel modules are just PE files mapped into kernel memory (in exactly the same way as normal programs are PE files mapped into user memory). So to dump a particular kernel module, we can use Volatility's built-in PE dumper (the source is in forensics/win32/executable.py, and point it at the memory address of a kernel module.


Naturally, I've made a plugin that implements this: grab moddump.py and put it in your memory_plugins directory, and you'll be good to go. Here's what it looks like in action:

$ python volatility moddump --help
Usage: moddump [options] (see --help)

Options:
  -h, --help            show this help message and exit
  -f FILENAME, --file=FILENAME
                        (required) XP SP2 Image file
  -b BASE, --base=BASE  (optional, otherwise best guess is made)
                        Physical offset (in hex) of directory
                        table base
  -t TYPE, --type=TYPE  (optional, default="auto") Identify the
                        image type (pae, nopae, auto)
  -m MODE, --mode=MODE  strategy to use when saving executable.
                        Use "disk" to save using disk-based section
                        sizes, "mem" for memory-based sections.
                        (default: "mem")
  -u, --unsafe          do not perform sanity checks on sections
                        when dumping
  -o OFFSET, --offset=OFFSET
                        dump module whose base address is OFFSET (hex)
  -p REGEX, --pattern=REGEX
                        dump modules matching REGEX
  -i, --ignore-case     ignore case in pattern match


The "mode" and "unsafe" options do the same thing as in the procdump module. The other options are new though, so I'll go through them briefly here.


The -p option allows you to give a regular expression to specify which modules to dump. The -i option allows you to make this match case insensitive. If you don't give any way of specifying a module, it will simply dump all modules in the kernel's loaded module list.


Of course, if a driver is being stealthy, it could unlink itself from the kernel's list of loaded modules (just as processes can be hidden by removing from the systemwide process list). Often, these hidden drivers can be found by scanning memory for the data structure that represents a kernel module; Volatility's modscan and modscan2 are good for this. Once you've found the hidden module, you can pass its base address to moddump using the -o option.


Regardless of how you choose the modules to dump, they will be saved in a file called driver.BASE_ADDRESS.sys, where BASE_ADDRESS is the module's address im memory.


Anyway, I hope you'll get some good use out of this. It's also possible to create a similar plugin that dumps DLLs loaded in a process, but I haven't gotten around to writing it yet, so if anyone's looking to get their feet wet with writing plugins for Volatility it could be a fun first project.


Cheers and Happy New Year until next time!

Comments

Jamie Levy said…
Cool! Keep up the good work! and Happy New Year :-)
January 6, 2009 at 9:23 AM
echo6 said…
Nice Moyix, please find more time do the dll plugin ;-)
January 6, 2009 at 2:27 PM
H. Carvey said…
Brendan,

Very nice! Always something good coming from your corner of the blogosphere.

What would it take to push the current Volatility capability beyond XP, to 2003 and Vista? I'd like to do what I can to help with that, even if it means learning Python (I really like what JL did w/ vol2html.pl and have some ideas for expanding that...)

Keep up the good work!
January 7, 2009 at 8:30 AM
John Musbach said…
Hi, this looks like a very useful module...however with the latest version of volatility all I'm able to get is 0 byte files from this plugin. I'm using the command "python vol.py --profile -f moddump -D -o -u".

Where am I going wrong?
May 13, 2012 at 2:59 PM
John Musbach said…
Sorry, for some reason part of my post got stripped...

For the "-f" parameter I use the image file name.

For "--profile" parameter I use the volatility profile name.

for "-D" I pass the destination directory.

For "-o" I pass the memory offset.

If you any ideas where I'm going wrong I'm all ears. Thanks!
May 13, 2012 at 3:01 PM
John Musbach said…
My issue was resolved in volatility bug report 254 (http://code.google.com/p/volatility/issues/detail?id=254). Basically despite this blog post saying "-o" expects the offset being passed to it, you need to pass the value from the "modules" volatility command's base column to "-o" for moddump to work with a specific module.
May 13, 2012 at 4:41 PM
Post a Comment

Popular posts from this blog

Someone’s Been Messing With My Subnormals!

Image
TL;DR: After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results. Once Upon a Time in My Terminal Recently, whenever I tried to import certain Python packages (notably, some models from Huggingface Transformers), I would see this weird and unsightly warning: Python 3.8.10 (default, Jun 22 2022, 20:18:18)   Type 'copyright', 'credits' or 'license' for more information IPython 8.4.0 -- An enhanced Interactive Python. Type '?' for help. In [ 1 ]: from transformers import CodeGenForCausalLM /home/moyix/.virtualenvs/sfcodegen/lib/python3.8/site-packages/numpy/core/getlimits.py:498: UserWarning: The value of the smallest subnormal for <class 'numpy.
Read more

Decrypting LSA Secrets

The LSA secrets store is a protected storage area used the the Local Security Authority (LSA) system in Windows to keep important pieces of information safe from prying eyes. As with Syskey, however, we will see that these secrets are only obfuscated, and once the mechanism is known, we can extract them from the registry with ease. Even without knowing the obfuscation algorithm, however, it is possible to read the values of this data using the LsarQuerySecret function exported by lsasrv.dll, but only if one has the LocalSystem privilege (for example, if the process is running under the SYSTEM account). What kind of data is stored in these secrets? Here are a few that I've come across: $MACHINE.ACC : has to do with domain authentication, see KB175468 DefaultPassword : password used to logon to Windows if auto-logon is enabled NL$KM : secret key used to encrypt cached domain passwords L$RTMTIMEBOMB_[...] : FILETIME giving the date when an unactivated copy of Windows w
Read more

SysKey and the SAM

The Security Accounts Manager The Security Accounts Manager , or SAM, has been used by Windows since the days of NT to store information on local user accounts (or, in the case of a domain controller, the accounts for all users on the domain). It takes the form of a registry hive, and is stored in %WINDIR%\system32\config . Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. The LanMan hash has many flaws: It is not salted, and is thus vulnerable to precomputed dictionary attacks such as rainbow tables . The hash is split into two 7-byte pieces, which allows attacks to be performed against each piece at the same time. This also means that if the password is shorter than 7 characters, the last half of the hash will be a constant value. The password is converted to uppercase before hashing, which reduces the keyspace. The LM hash is computed by padding or truncating the password to 14 characters, splitting it into two halves, and then usin
Read more