Thursday, February 20, 2014

Finding malicious DLLs with Volatility

Colin and I were working on an memory image the other day and needed to find DLLs loaded by svchost.exe. We turned to everyone's default memory analysis tool Volatility. Volatility doesn't really give you a good option to search for loaded dlls by process name. You can specify a pid to do this, but when you have many processes that have the same name (ie svchost.exe) you can end up with a nasty command like this to do the trick.

This really wasn't working for us so we took a look at Volatility's source code and made some small adjustments.  We modified the module that ultimately affects the dlllist module. Normally if you select dlllist plugin with the -h option it gives you various options you can use such as an offset or a pid as seen below:

With our modified you have a new option for adding a process by name or a list of processes by name as seen below:

Now we can simply give it the svchost.exe process by name and get a list of loaded DLL's by processes running by that name. If you have a non-standard svchost.exe process running then this will pick it up as well, but that situation might also help identify a compromise :)

So executing volatility with the following command -f 7re-912d4ad7.vmem --profile Win7SP1x64 dlllist -n svchost.exe now gives an output of:

I am sure there are better ways at getting the same information, but this worked rather well for us and we thought we would share. You can get the module at our github repository.

To install it just replace the from your $VOLATILITYHOME/volatility/plugins directory with our

We have tested it on volatility 2.2, 2.3, 2.3.1 on XP and Windows 7 with no problems.