Dailydave mailing list archives
Week 1 of the Month of Volatility Plugins is now posted
From: Andrew Case <atcuno () gmail com>
Date: Fri, 14 Sep 2012 11:07:36 -0500
Hello All,

I was writing to announce that week 1 of the month of Volatility plugins is finished, and we now have five in-depth blog posts covering Windows and Linux internals and rootkit detection.

Post 1: Logon Sessions, Processes, and Images

This Windows focused post covers linking processes to their logon session, detecting hidden processes using session structures, and determining the loaded drivers mapped into each session.

http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html

Post 2: Window Stations and Clipboard Malware

This Windows focused post covers enumerating and analyzing window stations and clipboard monitoring malware.

http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html

Post 3: Desktops, Heaps, and Ransomware

This Windows focused post covers finding rogue desktops used to hide applications and created by ransomware, linking threads to desktops, analyzing the desktop heap for memory corruptions, and profiling heap allocations to locate USER objects.

http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html

Post 4: Average Coder Rootkit, Bash History, and Elevated Processes

This Linux focused post covers analyzing the Average Coder rootkit, recovering .bash_history from memory, even when faced with anti-forensics, and finding elevated processes.

http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html

Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs

This Linux focused post covers analyzing the KBeast rootkit, finding modules unlinked from the module list, and the forensic value of sysfs.

http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html

If you have any questions or comments on the posts, either leave a comment on the respective post or be brave and reply to the list ;)

We will continue our daily blog posts, Monday through Friday, for the next three weeks, so check back often if you have enjoyed these.

Thanks,
Andrew

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
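The idea behind "finding modules unlinked from the module list" (Post 5) and "detecting hidden processes" (Post 1) is cross-view comparison: walk the kernel's linked list the way the OS does, then compare it against a scan that finds every structure of that type regardless of whether it is still linked. The following is an added illustration in plain Python, not code from the Volatility project or from the MoVP posts; it simulates a tiny memory image with constructed module records (addresses, names and a hypothetical "hidden_mod" entry are all made up) rather than parsing a real image, so that the list-walk versus scan logic and the back-pointer consistency check can be read on their own.

```python
"""Cross-view detection of unlinked kernel modules (added example, constructed data).

Not Volatility code. A real tool reads the module list from a memory image and
scans for module structures by signature; here both "views" are built from a
small in-memory dictionary so the detection logic runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ModuleRecord:
    """Minimal stand-in for a kernel module structure (constructed)."""
    addr: int
    name: str
    next_addr: Optional[int] = None
    prev_addr: Optional[int] = None


def build_image() -> Tuple[Dict[int, ModuleRecord], int]:
    """Return (memory, head_addr) for a constructed image with one hidden module.

    Original circular chain: a -> b -> c -> d -> a.  We then simulate list_del(b):
    a.next skips to c and c.prev points back to a, while b keeps its stale
    pointers and stays in memory.  That is the residue a list walk misses.
    """
    a = ModuleRecord(0x1000, "ext4")
    b = ModuleRecord(0x2000, "hidden_mod")   # hypothetical name, not a real rootkit
    c = ModuleRecord(0x3000, "nf_conntrack")
    d = ModuleRecord(0x4000, "e1000")
    a.next_addr, a.prev_addr = c.addr, d.addr   # b has been unlinked
    b.next_addr, b.prev_addr = c.addr, a.addr   # stale pointers into the list
    c.next_addr, c.prev_addr = d.addr, a.addr
    d.next_addr, d.prev_addr = a.addr, c.addr
    memory = {m.addr: m for m in (a, b, c, d)}
    return memory, a.addr


def walk_module_list(memory: Dict[int, ModuleRecord], head_addr: int,
                     max_steps: int = 4096) -> List[str]:
    """The kernel's view: follow next pointers until the list wraps or breaks.

    Guards against cycles that never return to head and against dangling
    pointers, both of which a tampered list can exhibit.
    """
    seen: Set[int] = set()
    names: List[str] = []
    addr: Optional[int] = head_addr
    while addr is not None and addr not in seen and len(seen) < max_steps:
        rec = memory.get(addr)
        if rec is None:
            break  # pointer leads outside known memory; stop rather than crash
        seen.add(addr)
        names.append(rec.name)
        addr = rec.next_addr
    return names


def scan_modules(memory: Dict[int, ModuleRecord]) -> List[str]:
    """The scanner's view: every module record present, linked or not."""
    return sorted(rec.name for rec in memory.values())


def find_unlinked_modules(memory: Dict[int, ModuleRecord], head_addr: int) -> List[str]:
    """Cross-view: names the scan finds that the list walk does not."""
    linked = set(walk_module_list(memory, head_addr))
    return [name for name in scan_modules(memory) if name not in linked]


def inconsistent_links(memory: Dict[int, ModuleRecord]) -> List[str]:
    """Second indicator: records whose neighbours no longer point back at them."""
    bad: List[str] = []
    for rec in memory.values():
        nxt = memory.get(rec.next_addr) if rec.next_addr is not None else None
        prv = memory.get(rec.prev_addr) if rec.prev_addr is not None else None
        if (nxt is None or prv is None
                or nxt.prev_addr != rec.addr or prv.next_addr != rec.addr):
            bad.append(rec.name)
    return sorted(bad)


if __name__ == "__main__":
    mem, head = build_image()
    print("list walk :", walk_module_list(mem, head))
    print("scan      :", scan_modules(mem))
    print("unlinked  :", find_unlinked_modules(mem, head))
    print("bad links :", inconsistent_links(mem))
```

The two checks are complementary: the cross-view difference catches a module that was removed from the list but still resides in memory, and the back-pointer check flags the same record from its own stale pointers even without a full scan.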