Memory Analysis using Volatility - vaddump
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
vaddump – a volatility plugin that is used to dump out Virtual Address Descriptor sections to a file.
Virtual Address Descriptor – is used by the Windows memory manager to describe memory ranges used by a process as they are allocated. When a process allocates memory with VirtualAlloc, the memory manager creates an entry in the VAD tree.
Memory permission to look for in memory regions:
PAGE_EXECUTE_READWRITE 0x40 – This protection enables execute, read-only, or read/write access to the committed region of pages. Malware can inject its malicious code into the memory of a process by changing the memory permission to PAGE_EXECUTE_READWRITE. This allows the malware to use a legitimate process to execute its malicious intent, remain stealthy, and bypass detection.
note: Not every region that has this memory permission is malicious. We only identify a region as malicious if it contains an MZ or PE file, or if the first instruction at the start of the region is a JMP, RET, or CALL.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
Using the Volatility vaddump plugin, we can extract all the memory regions of the process whose PID is specified after the -p parameter.
Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vaddump -p <PID> -D <destination>
To dump a specific memory region we will use the -b option and then feed it with the address of our selected memory region.
Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vaddump -p <PID> -b <addr> -D <destination>
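The following Python script is an added example, not part of the original article and not Volatility's own code. It covers both the vaddump procedure above (building the command lines for a full-process dump and a single-region dump with -b) and the triage rule from the note on PAGE_EXECUTE_READWRITE regions: a dumped region is flagged only if it carries an MZ/PE header or its first instruction is a JMP, RET or CALL. The assumed output file naming (`<process>.<offset>.<start>-<end>.dmp`) matches Volatility 2's vaddump; the region contents below are constructed in-line so the script runs offline, and `load_dump_dir` is provided for real vaddump output.

```python
import re
import struct
from pathlib import Path

# Constructed sample regions standing in for vaddump *.dmp files (not real dumps).
SAMPLE_REGIONS = {
    # Minimal DOS/PE header: "MZ", padding, e_lfanew at 0x3C pointing to "PE\0\0".
    "svchost.exe.1a2b3c40.00400000-00410fff.dmp":
        b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16,
    # Region whose first instruction is a relative CALL (opcode E8 rel32).
    "svchost.exe.1a2b3c40.00900000-00900fff.dmp":
        b"\xe8\x00\x00\x00\x00" + b"\x90" * 11,
    # Plain heap-like data: no PE header, no branch opcode at the start.
    "svchost.exe.1a2b3c40.00a00000-00a00fff.dmp":
        b"heap data with no PE header" + b"\x00" * 5,
}

# One-byte x86 opcodes for the branch instructions named in the article's note.
BRANCH_OPCODES = {0xE8: "call", 0xE9: "jmp", 0xEB: "jmp", 0xC3: "ret", 0xC2: "ret"}

# Assumed vaddump file name convention: <process>.<offset>.<start>-<end>.dmp
DUMP_NAME_RE = re.compile(r"\.([0-9a-fA-F]{8,16})-([0-9a-fA-F]{8,16})\.dmp$")


def parse_region_range(filename: str):
    """Return (start, end) addresses encoded in a vaddump file name, or None."""
    m = DUMP_NAME_RE.search(filename)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def looks_like_pe(data: bytes) -> bool:
    """True if the region starts with a DOS header whose e_lfanew reaches a
    'PE\\0\\0' signature, or (loose fallback) a PE signature appears anywhere."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return True
    return b"PE\x00\x00" in data


def first_instruction(data: bytes):
    """Classify the first instruction as 'jmp', 'call' or 'ret' when it is one of
    the common encodings; FF /2 and FF /4 (indirect call/jmp) need the ModRM byte."""
    if not data:
        return None
    op = data[0]
    if op in BRANCH_OPCODES:
        return BRANCH_OPCODES[op]
    if op == 0xFF and len(data) > 1:
        reg = (data[1] >> 3) & 7
        if reg == 2:
            return "call"
        if reg == 4:
            return "jmp"
    return None


def triage_region(data: bytes):
    """Apply the article's rule: flag a region only for an embedded PE or a
    leading JMP/RET/CALL. Returns the list of reasons (empty means not flagged)."""
    reasons = []
    if looks_like_pe(data):
        reasons.append("MZ/PE header")
    insn = first_instruction(data)
    if insn:
        reasons.append(f"starts with {insn}")
    return reasons


def triage_dumps(regions: dict):
    """Map each flagged dump file name to its reasons and parsed address range."""
    return {
        name: {"range": parse_region_range(name), "reasons": triage_region(data)}
        for name, data in regions.items()
        if triage_region(data)
    }


def load_dump_dir(directory: str) -> dict:
    """Read real vaddump output (*.dmp files) into the same name -> bytes mapping."""
    return {p.name: p.read_bytes() for p in Path(directory).glob("*.dmp")}


def build_vaddump_cmd(mem_dump, profile, pid, dest, base=None):
    """Build the vol.exe argv for a whole-process dump, or one region when base is set."""
    cmd = ["vol.exe", "-f", mem_dump, f"--profile={profile}", "vaddump", "-p", str(pid)]
    if base is not None:
        cmd += ["-b", hex(base)]
    return cmd + ["-D", dest]


if __name__ == "__main__":
    print(" ".join(build_vaddump_cmd("memory.raw", "Win7SP1x64", 1234, "out", base=0x400000)))
    for name, hit in triage_dumps(SAMPLE_REGIONS).items():
        print(name, hit)
```

Run vaddump first, then point `load_dump_dir` at its -D directory and pass the result to `triage_dumps`; the hits are the regions worth opening in a disassembler, while everything else with PAGE_EXECUTE_READWRITE is left unflagged, exactly as the note above prescribes.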