Volatility Help - pagefile & hiberfil
Hi all. I've been poking around trying to analyze a pagefile and hiberfil I recovered, but for the life of me, I can't get volatility to play nice with me.
So for starters, I've confirmed via the registry that the processor is AMD64 architecture and that it's Windows 10 19041.1.vbrelease.191206-1406. I've tried using volatility to convert to a raw image (vol -f file.sys imagecopy -O target.raw) and no matter what profile I apply - which, ostensibly should be Win10x6419041 - no plugins will take against it. Not in Volatility 2.6, 3.1, or 3.2. In the latter two, imagecopy is not an available plugin.
I am not sure what I am doing wrong, if I am missing plugins, or what have you, but I would appreciate any guidance. I would buy Arsenal Recon's tools, but that isn't currently an option.
KillithidMindslayer
Volatility won't help you out with your pagefile. You're better off trying bulk extractor, Yara, or even strings.
Bad_Grammer_Girl
@malwr
Reddit
r/computerforensics on Reddit: Volatility Help - pagefile & hiberfil
Posted by u/KillithidMindslayer - 5 votes and 3 comments
CVE-2022-34502
Radare2 v5.7.0 was discovered to contain a heap buffer overflow via the function consume_encoded_name_new at format/wasm/wasm.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted binary file.
@cveNotify
GitHub
heap-buffer-overflow in WASM name handling after 5.7.0 release · Issue #20336 · radareorg/radare2
Environment Mon Jun 20 03:01:00 PM CST 2022 radare2 5.7.0 28296 @ linux-x86-64 git.5.7.0 commit: 09569c1d5c324df7f23bdc9ad864ac1c25925745 build: 2022-06-20__11:48:07 Linux x86_64 Description After ...
IDA Pro 8.0 released!
- Golang 1.18
- iOS 16 dyld shared cache support
- ARC decompiler
- Better firmware analysis
- FLAIR pattern generator (makepat)
https://hex-rays.com/products/ida/news/8_0/
@cveNotify
Hex-Rays
IDA 8.0 | Hex-Rays Docs
How does AV know when a process is malicious if it doesnt have a known hash?
Diesl
All AVs have a database of known malicious code and extensions. If the hash is unrecognized it may get quarantined.
latnGemin616
@malwr
Culbert Report
How AV Hooks NTDLL
How Does AV Know? Have you ever wondered how AV knows that the application you're trying to run is malicious when it doesn't have a known signature? NTDLL is the answer.
Image displays its own MD5 hash
ASIC_SP
Absolute noob question incoming... What are some practical uses for this?
WhatArghThose
There's a mathematical function (maybe in parametric form) whose graph is the "picture of the algebraic equation" of the function itself. I can't find it right now. [not exactly correct, see below]
EDIT:
Tupper's self-referential formula:
https://en.wikipedia.org/wiki/Tupper%27s_self-referential_formula
Acrobatic-Cause-4925
See also: This PDF is an NES ROM that prints its own MD5 hash!
cbarrick
@malwr
Downrange: A Survey of China's Cyber Ranges - Center for Security and Emerging Technology
digicat
@malwr
Center for Security and Emerging Technology
Downrange: A Survey of China's Cyber Ranges | Center for Security and Emerging Technology
China is rapidly building cyber ranges that allow cybersecurity teams to test new tools, practice attack and defense, and evaluate the cybersecurity of a particular product or service. The presence of these facilities suggests a concerted effort on the part…
git-vuln-finder v1.3 released - a Python tool to find potential software vulnerabilities from git commit messages. The output format is JSON with the associated commit which could contain a fix regarding a software vulnerability.
digicat
@malwr
GitHub
Release git-vuln-finder v1.3 released - bug fixes release · cve-search/git-vuln-finder
git-vuln-finder v1.3 released - bug fixes released.
git-vuln-finder is a python tool to find potential software vulnerabilities from git commit messages. The output format is a JSON with the associ...
Cronos: PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners - leveraging waitable timers to RC4 encrypt the current process and change the permissions from RW to RX
digicat
@malwr
GitHub
GitHub - Idov31/Cronos: PoC for a sleep obfuscation technique leveraging waitable timers to evade memory scanners.
PoC for a sleep obfuscation technique leveraging waitable timers to evade memory scanners. - Idov31/Cronos
List of Free Cybersecurity Services and Tools curated by CISA
https://www.cisa.gov/free-cybersecurity-services-and-tools
apes_2gether_strong
@malwr
Cybersecurity and Infrastructure Security Agency CISA
No-Cost Cybersecurity Services & Tools | CISA
BumbleBee: Round Two - In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector to deploy Cobalt Strike and Meterpreter.
digicat
@malwr
The DFIR Report
BumbleBee: Round Two
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. …
Exploit for Arbitrary File Move vulnerability in ZoneAlarm AV [PDF+EXPLOIT](https://github.com/Wh04m1001/ZoneAlarmEoP)
soupcreamychicken
@malwr
GitHub
GitHub - Wh04m1001/ZoneAlarmEoP: Exploit for Arbitrary File Move vulnerability in ZoneAlarm AV
Exploit for Arbitrary File Move vulnerability in ZoneAlarm AV - GitHub - Wh04m1001/ZoneAlarmEoP: Exploit for Arbitrary File Move vulnerability in ZoneAlarm AV