What can you do with disassembly in Volatility?

@audio (Estimable Member, joined 19 years ago, 149 posts), topic starter:

I'm analyzing some malware in Volatility and malfind came up with a lot of what appears to be false positives and I'm assuming random disassembly.

However, I recognize a function prologue in some of the output and I went into volshell to disassemble more. Now here's the question… What the heck can you do with this? There are no symbols, no way to view what's in the registers, and when I try to disassemble the few CALL instructions I can with the limited information I have, I get no output.

Here is what I'm trying to work with.

>>> dis(0x07bc0000, 512)
0x7bc0000 55 PUSH EBP
0x7bc0001 8bec MOV EBP, ESP
0x7bc0003 83c4ec ADD ESP, -0x14
0x7bc0006 56 PUSH ESI
0x7bc0007 57 PUSH EDI
0x7bc0008 8b4508 MOV EAX, [EBP+0x8]
0x7bc000b 8bf0 MOV ESI, EAX
0x7bc000d 8d7dec LEA EDI, [EBP-0x14]
0x7bc0010 a5 MOVSD
0x7bc0011 a5 MOVSD
0x7bc0012 a5 MOVSD
0x7bc0013 a5 MOVSD
0x7bc0014 a5 MOVSD
0x7bc0015 ff75f8 PUSH DWORD [EBP-0x8]
0x7bc0018 ff55f4 CALL DWORD [EBP-0xc]
0x7bc001b ff75fc PUSH DWORD [EBP-0x4]
0x7bc001e 50 PUSH EAX
0x7bc001f ff55f0 CALL DWORD [EBP-0x10]
0x7bc0022 50 PUSH EAX
0x7bc0023 ff55ec CALL DWORD [EBP-0x14]
0x7bc0026 5f POP EDI
0x7bc0027 5e POP ESI
0x7bc0028 8be5 MOV ESP, EBP
0x7bc002a 5d POP EBP
0x7bc002b c20400 RET 0x4
0x7bc002e 8bc0 MOV EAX, EAX
0x7bc0030 53 PUSH EBX
0x7bc0031 56 PUSH ESI
0x7bc0032 57 PUSH EDI
0x7bc0033 55 PUSH EBP
0x7bc0034 83c4e8 ADD ESP, -0x18
0x7bc0037 8be9 MOV EBP, ECX
0x7bc0039 8bfa MOV EDI, EDX
0x7bc003b 8bd8 MOV EBX, EAX
0x7bc003d 33f6 XOR ESI, ESI
0x7bc003f 6800334000 PUSH DWORD 0x403300
0x7bc0044 6814334000 PUSH DWORD 0x403314
0x7bc0049 e85efaffff CALL 0x7bbfaac
0x7bc004e 50 PUSH EAX
0x7bc004f e860faffff CALL 0x7bbfab4
0x7bc0054 8944240c MOV [ESP+0xc], EAX
0x7bc0058 6820334000 PUSH DWORD 0x403320
0x7bc005d 6814334000 PUSH DWORD 0x403314
0x7bc0062 e845faffff CALL 0x7bbfaac
0x7bc0067 50 PUSH EAX
0x7bc0068 e847faffff CALL 0x7bbfab4
0x7bc006d 89442408 MOV [ESP+0x8], EAX
0x7bc0071 6830334000 PUSH DWORD 0x403330
0x7bc0076 6814334000 PUSH DWORD 0x403314
0x7bc007b e82cfaffff CALL 0x7bbfaac
0x7bc0080 50 PUSH EAX
0x7bc0081 e82efaffff CALL 0x7bbfab4
0x7bc0086 89442404 MOV [ESP+0x4], EAX
0x7bc008a 8bd5 MOV EDX, EBP
0x7bc008c 8bc3 MOV EAX, EBX
0x7bc008e 0000 ADD [EAX], AL
0x7bc0090 0000 ADD [EAX], AL
0x7bc0092 0000 ADD [EAX], AL
0x7bc0094 0000 ADD [EAX], AL
0x7bc0096 0000 ADD [EAX], AL
0x7bc0098 0000 ADD [EAX], AL
0x7bc009a 0000 ADD [EAX], AL
0x7bc009c 0000 ADD [EAX], AL
0x7bc009e 0000 ADD [EAX], AL
0x7bc00a0 0000 ADD [EAX], AL
0x7bc00a2 0000 ADD [EAX], AL
0x7bc00a4 0000 ADD [EAX], AL
0x7bc00a6 0000 ADD [EAX], AL
0x7bc00a8 0000 ADD [EAX], AL
0x7bc00aa 0000 ADD [EAX], AL
0x7bc00ac 0000 ADD [EAX], AL
0x7bc00ae 0000 ADD [EAX], AL
0x7bc00b0 0000 ADD [EAX], AL
0x7bc00b2 0000 ADD [EAX], AL
0x7bc00b4 0000 ADD [EAX], AL
0x7bc00b6 0000 ADD [EAX], AL
0x7bc00b8 0000 ADD [EAX], AL
0x7bc00ba 0000 ADD [EAX], AL
0x7bc00bc 0000 ADD [EAX], AL
0x7bc00be 0000 ADD [EAX], AL
0x7bc00c0 0000 ADD [EAX], AL
0x7bc00c2 0000 ADD [EAX], AL
0x7bc00c4 0000 ADD [EAX], AL
0x7bc00c6 0000 ADD [EAX], AL
>>> dis(0x7bbfaac)
>>> db(0x7bbfaac)
Memory unreadable at 07bbfaac


   
Quote
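As an added example (not from the original post and not part of Volatility itself), a small Python triage script for a listing like the one above: it parses the volshell dis() text, collects direct CALL targets and absolute immediates, flags any target that lies outside the dumped region (which is why dis(0x7bbfaac) printed nothing and db reported the memory unreadable), and treats the run of 00 00 bytes as padding rather than as ADD instructions. The region bounds (0x07bc0000, 512 bytes) and the listing excerpt are taken from the post; the full listing can be pasted in unchanged.

```python
import re

# Constructed excerpt of the volshell dis() output quoted in the post above.
LISTING = """\
0x7bc0015 ff75f8 PUSH DWORD [EBP-0x8]
0x7bc0018 ff55f4 CALL DWORD [EBP-0xc]
0x7bc001f ff55f0 CALL DWORD [EBP-0x10]
0x7bc0023 ff55ec CALL DWORD [EBP-0x14]
0x7bc003f 6800334000 PUSH DWORD 0x403300
0x7bc0044 6814334000 PUSH DWORD 0x403314
0x7bc0049 e85efaffff CALL 0x7bbfaac
0x7bc004f e860faffff CALL 0x7bbfab4
0x7bc008c 8bc3 MOV EAX, EBX
0x7bc008e 0000 ADD [EAX], AL
0x7bc0090 0000 ADD [EAX], AL
"""

LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+([0-9a-f]+)\s+(.+?)\s*$")

def parse_listing(text):
    """Turn dis() text into (address, hex bytes, assembly) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return rows

def triage(text, region_start, region_len):
    """Collect call targets and absolute references; flag those outside the dump."""
    region_end = region_start + region_len
    out = {"direct_calls": [], "unreadable_calls": [], "indirect_calls": [],
           "absolute_refs": [], "code_end": None}
    for addr, raw, asm in parse_listing(text):
        m = re.match(r"CALL (0x[0-9a-f]+)$", asm)
        if m:
            target = int(m.group(1), 16)
            out["direct_calls"].append(target)
            if not region_start <= target < region_end:
                out["unreadable_calls"].append(target)  # e.g. 0x7bbfaac above
        elif asm.startswith("CALL DWORD ["):
            # Calls through stack locals: pointers the caller copied in via MOVSD
            out["indirect_calls"].append(asm[len("CALL DWORD "):])
        m = re.match(r"PUSH DWORD (0x[0-9a-f]+)$", asm)
        if m:
            # Absolute addresses (0x4033xx here) that do not lie in the dumped region
            out["absolute_refs"].append(int(m.group(1), 16))
        if raw == "0000" and out["code_end"] is None:
            # 00 00 decodes as ADD [EAX], AL; a run of it is padding, not code
            out["code_end"] = addr
    return out
```

The 0x0040xxxx references sit in the default image base range of a 32-bit executable, and the direct calls land just below the region's start, so the next step in volshell is to check what the process's VAD list says is mapped at those addresses before reading anything into the bytes themselves.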
@rossetoecioccolato (Eminent Member, joined 18 years ago, 34 posts):

Why don't you try asking this question over on the vol-users mailing list, as this is where Volatility is supported: http://lists.volatilesystems.com/mailman/listinfo/vol-users


   
ReplyQuote
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

Why don't you try asking this question over on the vol-users mailing list, as this is where Volatility is supported: http://lists.volatilesystems.com/mailman/listinfo/vol-users

Good idea, thanks…


   
ReplyQuote
Share: