5.1 Listing Kernel Modules Using driverscan

Another method for listing kernel modules is to use the driverscan plugin, as shown in the following output. The driverscan plugin gets kernel module information from a structure named DRIVER_OBJECT; specifically, it uses pool tag scanning to find driver objects in the physical address space. The first column, Offset(P), specifies the physical address at which the DRIVER_OBJECT structure was found; the second column, Start, contains the base address of the module; and the Driver Name column displays the name of the driver. For example, the driver name \Driver\Beep corresponds to Beep.sys, and the last entry shows the malicious driver, \Driver\2683608180e436a1, associated with the Necurs rootkit. The driverscan plugin is another way of listing kernel modules and can be useful when a rootkit hides itself from the modules and modscan plugins:

$ python vol.py -f necurs.vmem --profile=Win7SP1x86 driverscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Start      Size    Service Key      Name         Driver Name
------------------ ---------- ------- ---------------- ------------ -----------
0x00000000108b9030 0x88148000 0x8000  RDPENCDD         RDPENCDD     \Driver\RDPENCDD
0x00000000108b9478 0x97023000 0xb7000 DXGKrnl          DXGKrnl      \Driver\DXGKrnl
0x00000000108b9870 0x88150000 0x8000  RDPREFMP         RDPREFMP     \Driver\RDPREFMP
0x0000000010b3b1d0 0x96ef6000 0x41000 rdbss            rdbss        \FileSystem\rdbss
0x0000000011781188 0x88171000 0x17000 tdx              tdx          \Driver\tdx
0x0000000011ff6a00 0x881ed000 0xd000  kbdclass         kbdclass     \Driver\kbdclass
0x0000000011ff6ba0 0x880f2000 0x7000  Beep             Beep         \Driver\Beep
[REMOVED]
0x000000001e155668 0x851ab000 0xd000  2683608180e436a1 26836...36a1 \Driver\2683608180e436a1

To list the kernel modules with the kernel debugger (WinDbg), use the lm k command, as follows. For verbose output, use the lm kv command:

kd> lm k
start end module name
80bb4000 80bbc000 kdcom (deferred)
82a03000 82a3a000 hal (deferred)
82a3a000 82e56000 nt (pdb symbols)
8b200000 8b20e000 WDFLDR (deferred)
8b20e000 8b22a800 vmhgfs (deferred)
8b22b000 8b2b0000 mcupdate_GenuineIntel (deferred)
8b2b0000 8b2c1000 PSHED (deferred)
8b2c1000 8b2c9000 BOOTVID (deferred)
8b2c9000 8b30b000 CLFS (deferred)
[REMOVED]

After you identify the malicious kernel module, you can dump it from memory to disk using the moddump plugin. To do so, you need to pass the base address of the module, which you can get from the modules, modscan, or driverscan plugins. In the following example, the malicious driver of the Necurs rootkit is dumped to disk using its base address:

$ python vol.py -f necurs.vmem --profile=Win7SP1x86 moddump -b 0x851ab000 -D dump/
Volatility Foundation Volatility Framework 2.6
Module Base Module Name Result
----------- -------------- ------
0x0851ab000 UNKNOWN OK: driver.851ab000.sys
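As an added example (not code from the book or from the Volatility project), the following Python script automates the cross-check described in this section: it parses a modules/modscan-style listing and a driverscan-style listing, reports every driver object whose Start address matches no listed module base, and builds the moddump command for each hit. The two listings are constructed samples trimmed to a few entries (they reuse the Necurs base address 0x851ab000 shown above); the column layout assumed is the Volatility 2.6 layout shown in this section, and the image and profile names are the ones used in the examples above.

```python
import re

# Constructed sample of `modules` output (columns: Offset(V), Name, Base,
# Size, File). The Necurs driver is deliberately absent, as it would be
# when a rootkit has unlinked itself from the loaded-module list.
MODULES_OUTPUT = """\
Offset(V)  Name         Base       Size     File
---------- ------------ ---------- -------- ----
0x84f08a18 ntoskrnl.exe 0x82a3a000 0x41c000 \\SystemRoot\\system32\\ntoskrnl.exe
0x84f08b38 Beep.SYS     0x880f2000 0x7000   \\SystemRoot\\System32\\Drivers\\Beep.SYS
0x84f08c58 kbdclass.sys 0x881ed000 0xd000   \\SystemRoot\\system32\\DRIVERS\\kbdclass.sys
"""

# Constructed sample of `driverscan` output (columns: Offset(P), Start, Size,
# Service Key, Name, Driver Name); pool tag scanning still finds the
# DRIVER_OBJECT of the unlinked driver.
DRIVERSCAN_OUTPUT = """\
Offset(P)          Start      Size    Service Key      Name         Driver Name
------------------ ---------- ------- ---------------- ------------ -----------
0x0000000011ff6a00 0x881ed000 0xd000  kbdclass         kbdclass     \\Driver\\kbdclass
0x0000000011ff6ba0 0x880f2000 0x7000  Beep             Beep         \\Driver\\Beep
0x000000001e155668 0x851ab000 0xd000  2683608180e436a1 26836...36a1 \\Driver\\2683608180e436a1
"""

HEX = re.compile(r"^0x[0-9a-fA-F]+$")


def _data_rows(text):
    """Yield whitespace-split rows, skipping the header, the dash rule and
    anything that does not start with a hex offset."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and HEX.match(fields[0]):
            yield fields


def parse_modules(text):
    """Map module base address -> module name from modules/modscan output."""
    return {int(f[2], 16): f[1] for f in _data_rows(text)}


def parse_driverscan(text):
    """Map driver Start address -> (driver name, size) from driverscan output.
    The Driver Name is the last column, so multi-word service keys are safe."""
    return {int(f[1], 16): (f[-1], int(f[2], 16)) for f in _data_rows(text)}


def find_unlisted_drivers(modules_text, driverscan_text):
    """Driver objects whose Start address is not the base of any listed
    module. These are the candidates a rootkit hid from modules/modscan."""
    listed = parse_modules(modules_text)
    drivers = parse_driverscan(driverscan_text)
    return {base: info for base, info in drivers.items() if base not in listed}


def moddump_command(image, profile, base, outdir="dump/"):
    """Build the moddump invocation for one base address (string only; this
    script does not execute Volatility)."""
    return (f"python vol.py -f {image} --profile={profile} "
            f"moddump -b {base:#x} -D {outdir}")


if __name__ == "__main__":
    hidden = find_unlisted_drivers(MODULES_OUTPUT, DRIVERSCAN_OUTPUT)
    for base, (name, size) in sorted(hidden.items()):
        print(f"unlisted driver {name} at {base:#x} (size {size:#x})")
        print("  " + moddump_command("necurs.vmem", "Win7SP1x86", base))
```

A driver object found only by driverscan is a lead, not a verdict: pool tag scanning also recovers DRIVER_OBJECT structures of drivers that were legitimately unloaded but whose pool memory has not yet been reused, so confirm the hit (for example with the Start address in the other listings, or by dumping and inspecting the module) before treating it as a rootkit.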