Hi all,
it's been almost a year since I last wrote here on my blog, but university is like a job and, as with all jobs, there isn't enough time left over for hobbies. But as always I found a bit of time to write a useful/useless post :P.
This time I would like to illustrate how to configure the
Volatility framework on Windows.
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples. The
extraction techniques are performed completely independent of the system
being investigated but offer unprecedented visibility into the runtime
state of the system. The framework is intended to introduce people to
the techniques and complexities associated with extracting digital
artifacts from volatile memory samples and provide a platform for
further work into this exciting area of research.
Setting up Volatility under Linux is painless; under Windows it is a little more tedious.
That is why I decided to write a post about it.
Below is the list of everything we need:
- Python 2.7, the interpreter Volatility runs on;
- Volatility Framework (no link because we'll fetch it from SVN later);
- Visual C++ Express, to compile the distorm3 library;
- TortoiseSVN (or a similar client), to check out the latest Volatility and distorm3 source code from SVN;
- YARA, a tool aimed at helping malware researchers identify and classify malware samples, here to satisfy Volatility plugin dependencies;
- PyCrypto, the Python cryptography package, also to satisfy plugin dependencies;
- distorm3, a powerful disassembler library, also a plugin dependency (no link because we'll use SVN later);
- DumpIt, to acquire the memory dump.
OK, now that we have all the ingredients, let's cook a Volatility cake. ;)
1. First of all, download the Python installer (ver. 2.7) and install it. Don't change the default install path, which must be C:\Python27. Add 'C:\Python27' to the Path environment variable so python.exe can be called from anywhere:
2. Then download and install TortoiseSVN.
- Create a directory under C:\ named 'Volatility';
- Right-click in C:\ and choose SVN Checkout. See the figure below to set up your own.
- Click OK and the download starts. When it has finished, click the OK button and you will see all the files in the C:\Volatility directory, like this:
3. Now download yara-python-1.6.win32-py2.7.exe and install it. This setup satisfies
the dependencies of several plugins, such as the yarascan command:
If the installation is OK, in Python type
import yara. If no error occurs, everything is fine.
4. As with YARA, download pycrypto-2.3.win32-py2.7.zip, unzip it and install it. This setup satisfies further
plugin dependencies:
If the installation is OK, in Python type import Crypto. If no error occurs, everything is fine; otherwise Google is your friend. ;)
5. Now download Visual C++ Express, because we will compile the distorm3 library.
- When the Visual C++ Express installation finishes, go to C:\;
- Create a directory in it named 'distorm3';
- Right-click and choose the SVN Checkout option;
- See the picture below to configure your own:
- Click OK and the download starts. When the download finishes you will see all the distorm files in the distorm3 folder, as in the following screenshot:
- At this point we must set two environment variables, otherwise the distorm build will fail (see also the picture below). Python 2.7's distutils was built with Visual Studio 2008 and looks for the compiler through VS90COMNTOOLS; pointing that variable at the Visual Studio 2010 tools folder makes it use the Visual C++ 2010 Express compiler instead:
 * Name: VS90COMNTOOLS  Value: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\
 * Name: VS100COMNTOOLS  Value: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\
- Open a new command prompt (an already open one will not see the new variables) and run: cd C:\distorm3, python setup.py --verbose build, python setup.py install. These three commands build and install the distorm3 library.
- Now, if all went OK, there is a distorm3 folder in C:\Python27\Lib\site-packages as the result of the build & install commands:
If the installation is OK, in Python type
import distorm3. If no error occurs, everything is fine; otherwise check this
link. ;)
OK, the installation phase is finished. Now let's launch the Volatility framework.
Open a command prompt, cd to C:\Volatility, then run
python vol.py -h. You will see something similar to the screenshot below:
No errors are shown, so everything is OK.
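Steps 3, 4 and 5 each end with the same manual test (open Python, type import X, look for an error). The script below is an added example, written by me for this post and not part of the original post or of the Volatility project, that runs those three checks in one go, confirms the interpreter really is 2.7, and inspects the two VS*COMNTOOLS variables from step 5 (it only checks that they are set and name a Common7\Tools folder, which is the shape distutils expects; it does not look at the disk). The yara -> yarascan mapping comes from the post; the Crypto and distorm3 plugin mappings are my own recollection of Volatility 2.x and are marked as such in the code. Save it anywhere and run it with python check_vol_deps.py from the same command prompt you use for vol.py.

```python
# Added example (not from the original post or the Volatility project): a
# sanity check for the Windows Volatility setup described in steps 1-5.
# Written so it runs unchanged on Python 2.7 (the interpreter the post
# installs) and on Python 3.
import importlib
import os
import sys

# Module -> Volatility 2.x plugins that need it.  yara/yarascan is stated in
# the post; the other two pairs are my recollection of the 2.x plugin imports.
REQUIRED_MODULES = {
    "yara": "yarascan",
    "Crypto": "hashdump, lsadump",
    "distorm3": "apihooks, volshell dis",
}

# Python 2.7's distutils (msvc9compiler) locates the compiler via VS90COMNTOOLS
# and expects a Common7\Tools directory; the post points both variables at the
# Visual Studio 10.0 tools folder so that Visual C++ 2010 Express is used.
VS_VARIABLES = ("VS90COMNTOOLS", "VS100COMNTOOLS")


def check_python_version(version_info=None):
    """Return (ok, 'major.minor'); the binary installers above are py2.7 builds."""
    vi = sys.version_info if version_info is None else version_info
    return (vi[0], vi[1]) == (2, 7), "%d.%d" % (vi[0], vi[1])


def check_module(name):
    """Try to import `name`.  Returns (ok, detail) where detail is the module
    version, its file, or the ImportError message on failure."""
    try:
        mod = importlib.import_module(name)
    except ImportError as exc:
        return False, str(exc)
    detail = getattr(mod, "__version__", None) or getattr(mod, "__file__", "built-in")
    return True, str(detail)


def check_vs_tools(env=None):
    """Check each VS*COMNTOOLS variable is set and ends in Common7\\Tools.
    `env` defaults to os.environ; a dict can be passed for testing."""
    env = os.environ if env is None else env
    results = {}
    for var in VS_VARIABLES:
        value = env.get(var, "")
        if not value:
            results[var] = (False, "not set")
            continue
        normalized = value.rstrip("\\/").replace("/", "\\").lower()
        if normalized.endswith("\\common7\\tools"):
            results[var] = (True, value)
        else:
            results[var] = (False, "should point at ...\\Common7\\Tools, got: " + value)
    return results


def run_checks(env=None):
    """Collect every check into one dict: check name -> (ok, detail)."""
    report = {"python": check_python_version()}
    report.update(check_vs_tools(env))
    for name, plugins in REQUIRED_MODULES.items():
        ok, detail = check_module(name)
        report[name] = (ok, detail if ok else detail + " (needed by: %s)" % plugins)
    return report


def main():
    """Print one line per check; exit status 1 if anything failed."""
    report = run_checks()
    for name in sorted(report):
        ok, detail = report[name]
        print("%-14s %s  %s" % (name, "OK  " if ok else "FAIL", detail))
    return 0 if all(ok for ok, _ in report.values()) else 1


if __name__ == "__main__":
    sys.exit(main())
```

A FAIL on distorm3 together with OK on the other two usually means the build in step 5 did not land in C:\Python27\Lib\site-packages, which is the first place to look.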
N.B.: The only problem I encountered is with the apihooks command. Shortly I'll try to post this problem to the Volatility community to see what's wrong in my configuration steps. Obviously, if I resolve the problem I'll post about the solution (if there is one). =)
So, the Volatility framework is configured; it only remains to test it.
At the top of the post I also listed the DumpIt tool, which lets us dump memory (RAM). When you are analysing a piece of malware you can run it (in a safe environment, of course) and then launch DumpIt to obtain a full memory dump, which also contains the malware that ran before the dump and its artifacts. At this point
Volatility comes into play and helps us carve out all the digital artifacts and useful information.
To see Volatility in action I recommend Evilcry's tutorials:
- Shylock via volatility
- Carberp Reverse Engineering
and also
Frank Boldewin's paper.
By the way, a simple Google search is always a good move.
I hope this post is helpful to the reader.
OK, that's all for today, see you in the next post. =)