By ro0ted | May 21, 2015 - 17:10 | Posted in /b/ | 5 Comments
#ro0ted #OpNewblood What the blackhats dont want u to know: Meet the Auto Cousin of Volatility Framework

The problem isn't really Volatility itself; it's how lazy a person can be. You don't strictly need to install Volatility in a virtual machine (it is highly recommended), but if you still don't care, use Volix. It is an automated front end for the Volatility Framework that can own memory dumps to an extreme level.  – https://twitter.com/ro0ted/


So download the standalone .exe of Volatility here:
https://code.google.com/p/volatility/downloads/list

[screenshot]

Now download Volix:
http://www.it-forensik.fh-aachen.de/projekte/volix/13
[screenshot]

When you first install Volix 2 this window will appear:
[screenshot]

Click the Volatility Paths tab and enter the path to the Volatility standalone .exe you downloaded:
[screenshot]
Click Miscellaneous, select a place for logs:
[screenshot]
Download John the Ripper:
http://www.openwall.com/john/
Click John and point to john.exe:
[screenshot]

Click Case>New:
[screenshot]

This window will pop up. Enter the path to the image file you want to inspect; in this case I made a memory dump on this machine:

[screenshot]

Click okay and this menu will appear:

[screenshot]

There's a ton of information you can extract with this program in conjunction with the Volatility Framework.
[screenshot]

If you think your PC is infected, make a memory dump by following this tutorial:
https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-infected-machine-create-a-memory-dump/
How long it takes depends on how large your machine's memory dump is. In forensics you want it to take as long as needed; after all, computer forensics is the science of analyzing data.

I decided to use a Dark Comet memory sample.
This is to show that even if you don't want to set up a VM or don't know any Volatility commands, you can still have fun in Windows.

Image Info of Subject DCM.raw:

[screenshot]

Connscan of Subject DCM.raw:
[screenshot]
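To show what an analyst actually does with the Image Info and Connscan output that Volix collects for a case, here is an added Python example (not code from the original post, and not part of Volix or Volatility): it pulls the suggested profiles out of imageinfo text and flags connscan rows whose remote address lies outside the ranges the analyst has declared internal for the case. Both sample outputs are constructed to follow the layout of Volatility 2's imageinfo and connscan plugins; every offset, address and PID, and the INTERNAL_NETS list, are assumptions made up for the example.

```python
"""Triage helpers for Volatility 2 text output (imageinfo and connscan).

Added example: not code from the original post, Volix or Volatility.
The sample outputs are constructed to follow the layout of Volatility 2's
imageinfo and connscan plugins; every offset, address and PID is made up.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `volatility.exe -f DCM.raw imageinfo` (layout only).
IMAGEINFO_SAMPLE = """\
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\\cases\\DCM.raw)
                           DTB : 0x319000L
           Image date and time : 2015-05-20 21:03:12 UTC+0000
"""

# Constructed sample of `volatility.exe -f DCM.raw --profile=WinXPSP2x86 connscan`.
CONNSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.4
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087b40 192.168.56.101:1036       192.168.56.1:445          4
0x020a1c08 192.168.56.101:1040       203.0.113.25:1604         1748
0x020b3e60 127.0.0.1:1025            127.0.0.1:1026            1120
0x020c4a20 192.168.56.101:1041       198.51.100.7:80           1748
"""

# Ranges the analyst treats as "inside" for this case (an assumption for the example).
# An explicit list is used instead of ipaddress's is_private, because Python also
# classifies the documentation ranges (e.g. 203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def suggested_profiles(imageinfo_text):
    """Return the profile names imageinfo suggests, in the order printed."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    if not m:
        return []
    names = re.sub(r"\(.*?\)", "", m.group(1))  # drop "(Instantiated with ...)"
    return [p.strip() for p in names.split(",") if p.strip()]


@dataclass(frozen=True)
class Connection:
    offset: int
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    pid: int


# One connscan data row: physical offset, local ip:port, remote ip:port, pid.
CONN_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$", re.MULTILINE)


def parse_connscan(text):
    """Parse connscan output into Connection records, skipping banner and header lines."""
    return [Connection(int(m.group(1), 16), m.group(2), int(m.group(3)),
                       m.group(4), int(m.group(5)), int(m.group(6)))
            for m in CONN_ROW.finditer(text)]


def is_internal(ip_text):
    """True when the address falls inside one of the case's declared internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def external_connections(conns):
    """Connections whose remote side is outside INTERNAL_NETS: the C2 candidates."""
    return [c for c in conns if not is_internal(c.remote_ip)]


def pids_talking_externally(conns):
    """Sorted PIDs worth a closer look (pslist, dlllist, malfind) because they talk outside."""
    return sorted({c.pid for c in external_connections(conns)})


if __name__ == "__main__":
    print("suggested profiles:", suggested_profiles(IMAGEINFO_SAMPLE))
    conns = parse_connscan(CONNSCAN_SAMPLE)
    for c in external_connections(conns):
        print(f"pid {c.pid}: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
    print("pids to inspect next:", pids_talking_externally(conns))
```

The first profile imageinfo suggests is the one to hand to the other plugins; the PIDs that come back from the connscan pass are the processes to pull up in pslist, dlllist and malfind next, which is exactly the pivot Volix lets you make from its menu without typing the commands. Replace INTERNAL_NETS with the ranges of the network the dump actually came from before trusting the "external" classification.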

Let's say you don't know which operating system this malware was meant to execute on. Well, Volatility runs with several profiles for Windows, Linux, and Mac.
When you are at this menu after you load your memory sample, click this:
[screenshot]

It will take you here:
[screenshot]

Linux Module:
[screenshot]

Mac OS X Module:
[screenshot]
[screenshot]

You really just have to play around with it yourself.
I am usually against automatic tools, but I am more against malware.
With this you can reverse the intruder to the fullest extent.
Thanks for reading and supporting.
ro0ted

If you liked this tutorial,
check out my last tutorial on the VM setup for using Volatility on the Linux distro REMnux; watch how I owned the infamous ZeuS bot and extracted it from an infected process here:
https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-analyzing-the-zeus-bot-part-2/

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

 Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5

Finding Nag Screens & Removing them

REMnux: Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux: Volatility Framework ~ Memory Forensics

Volatility Analyzing the ZeuS Bot Part 2

Infected Machine? Create a memory dump

What the gov doesn’t want you to know: All your pastebin data is being LOGGED

Connect to IRC more securely with SSL, add a fingerprint to your nick

Meet Volatility Frameworks automatic cousin: Volix
