Memory Analysis using Volatility - dlllist
Volatility is a framework for extracting digital artifacts from volatile memory (RAM) samples. It is organized as a set of plugins, each of which pulls one class of artifact out of a memory image quickly and without manual carving.
dlllist is the Volatility plugin that lists the modules (the executable and its DLLs) loaded into a process, as recorded in the process's PEB loader lists, with each module's base address, size, load count and image path.
From an incident response perspective, the volatile data in system memory holds rich information such as passwords and other credentials, network connections, injected or running malware, and registry hives that is often never written to the local hard disk. This makes memory one of an investigator's favorite evidence sources, and knowing the right tool to acquire and analyze a memory dump is a must.
We can list a process's loaded modules with the Volatility dlllist plugin.
The -p parameter takes the Process ID of the process under investigation; without it, dlllist prints the modules of every process in the image.
In our sample, we supply process ID 2076 (Notepad.exe) to list its loaded modules.
This plugin is useful for spotting suspicious modules loaded into a process, especially when a module resides in a directory other than where a DLL of that name legitimately lives (for example a user-writable or temporary directory instead of C:\Windows\System32). Note that dlllist walks the PEB's loader lists, so a DLL that malware has unlinked from those lists will not appear; the ldrmodules plugin cross-checks the three PEB lists against the VAD tree and helps catch that case.
Our syntax (Volatility 2) is: vol.exe -f <memory_dump> --profile=<OS_version> dlllist -p <PID>
The equivalent in Volatility 3, which needs no profile, is: vol.py -f <memory_dump> windows.dlllist --pid <PID>
In this sample, we use the Volatility dlllist plugin to list all modules loaded into the suspected process.
We then dumped the suspicious module to disk (Volatility 2's dlldump plugin extracts a module from memory by PID and base address), hashed it, and looked the hash up on VirusTotal[.]com, which flagged the sample as Sinowal malware. Because the dumped image comes from memory rather than from the original file on disk, its hash may not match the on-disk sample; when VirusTotal has no record of the hash, the dumped file itself can be submitted for scanning.
#note: The clue that singled out this module was its path: it was not loaded from its expected directory, C:\Windows\System32, but from elsewhere on the system.
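To make the triage step reproducible, here is an added example (my own code, not part of the original post or of Volatility) that parses Volatility 2 dlllist output, flags any module whose image path is outside the standard Windows and Program Files directories, and hashes a dumped module so the digest can be looked up on VirusTotal. The dlllist text embedded below is a constructed approximation of the plugin's output for a hypothetical PID 2076; the module under C:\Users\Public\Downloads is invented to give the check something to flag, and the trusted-directory list is an assumption you should adjust to the image being examined.

```python
"""Triage helper for Volatility 2 'dlllist' output (added example, not from the page).

Flags modules loaded from outside a list of trusted directories and hashes a
dumped module so the digest can be searched on VirusTotal.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed sample of 'vol.py -f <dump> --profile=<profile> dlllist -p 2076' output.
# The update.dll entry is invented; the other paths are typical of notepad.exe.
SAMPLE_DLLLIST = r"""
************************************************************************
notepad.exe pid:   2076
Command line : "C:\Windows\system32\notepad.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------ ------------------ ------------------ ------------------------------ ----
0x00000000ff9c0000            0x36000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\Windows\system32\notepad.exe
0x0000000077a00000           0x1a9000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\Windows\SYSTEM32\ntdll.dll
0x0000000077880000           0x11f000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\Windows\system32\kernel32.dll
0x000007fefd160000            0x91000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\Program Files\Common Files\example\helper.dll
0x0000000010000000            0x25000                0x1 2021-03-04 10:12:45 UTC+0000   C:\Users\Public\Downloads\update.dll
"""

# One module row: base, size, load count, an optional LoadTime column
# (absent on XP profiles), then the image path, which may contain spaces.
MODULE_RE = re.compile(
    r"^(?P<base>0x[0-9a-f]+)\s+(?P<size>0x[0-9a-f]+)\s+(?P<count>0x[0-9a-f]+)\s+"
    r"(?:(?P<loadtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s+)?"
    r"(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)

# Assumed trusted locations; extend for the environment under investigation.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


def parse_dlllist(text):
    """Return one dict per module row; banner, header and separator lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            modules.append({
                "base": int(m["base"], 16),
                "size": int(m["size"], 16),
                "load_count": int(m["count"], 16),
                "load_time": m["loadtime"],
                "path": m["path"],
            })
    return modules


def _under(path, directory):
    """True if path equals directory or lies below it (case-insensitive Windows semantics)."""
    p = PureWindowsPath(path.lower())
    d = PureWindowsPath(directory.lower())
    return p == d or d in p.parents


def suspicious_modules(modules, trusted_dirs=TRUSTED_DIRS):
    """Modules whose image path is outside every trusted directory.

    This is the path-based heuristic from the post: a DLL that should live in
    System32 but is loaded from a user-writable directory stands out. Benign
    software installed outside Program Files will also be listed and needs review.
    """
    return [m for m in modules if not any(_under(m["path"], d) for d in trusted_dirs)]


def hash_module(data):
    """MD5/SHA-1/SHA-256 of a dumped module's bytes (as written by dlldump)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def virustotal_url(sha256):
    """VirusTotal file report URL for a SHA-256; the lookup itself is done in a browser."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


if __name__ == "__main__":
    mods = parse_dlllist(SAMPLE_DLLLIST)
    print(f"{len(mods)} modules parsed")
    for mod in suspicious_modules(mods):
        print(f"SUSPICIOUS base=0x{mod['base']:x} loads={mod['load_count']} {mod['path']}")
    # Stand-in bytes for a dumped module; replace with Path(dumped_file).read_bytes().
    digest = hash_module(b"MZ")
    print(digest["sha256"], virustotal_url(digest["sha256"]))
```

Run it against real output by piping the dlllist text into parse_dlllist; a load count of 1 together with a non-standard path, as in the constructed update.dll row, is the pattern worth dumping and hashing first.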