Memory Analysis using Volatility - vadinfo
Volatility is a tool used to extract digital artifacts from volatile memory (RAM) samples. It is built around a set of plugins, each of which pulls out one class of artifact, so an analyst can get to the relevant evidence quickly.
vadinfo – a Volatility plugin that dumps the Virtual Address Descriptor (VAD) information of a process.
Virtual Address Descriptor – a structure the Windows memory manager uses to describe the ranges of virtual memory a process has reserved or committed. When a process allocates memory (for example with VirtualAlloc), the memory manager creates a node in the process's VAD tree that records the range, its protection, and whether it is private memory or a mapped file or image. vadinfo walks that tree and prints one record per node.
Memory permission to look for when reviewing the regions:
PAGE_EXECUTE_READWRITE (0x40) – the region is executable, readable and writable at the same time. Malware that injects code into another process typically allocates a region with this permission (or re-protects an existing one) so it can write its payload and then execute it from there. Running inside a legitimate process lets the malware stay stealthy and bypass detection that only looks at executables on disk.
Note: not every region with this permission is malicious; JIT compilers and some packers legitimately use read/write/execute memory. We only treat such a region as suspicious when it contains an MZ/PE header (a whole executable or DLL mapped in by hand) or when the bytes at the start of the region disassemble to code, for example a JMP, CALL or RET instruction. Private memory (Tag VadS, not backed by a file) with these properties is the strongest signal.
From an incident response perspective, the volatile data residing in the system's memory contains rich information such as passwords and credentials, network connections, injected malware, registry hives and more. Much of it is never written to the local hard disk, which makes it a valuable source of evidence and one of the investigator's favourite data sources for digital forensics; knowing the right tool to acquire and analyse memory is a must.
In this sample we extract the VAD information, that is the memory regions, of the process notepad.exe (1).
(2) is the start address of the memory region inside the process's address space.
(3) is the protection (permission) that the region has.
Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> vadinfo -p <PID>
Note: this plugin prints every VAD it finds for the process, so running it directly in the command prompt floods the screen with output. The better approach is to redirect the output to a .txt file and work on that.
In this sample we redirect the VAD information to a text file and use a text editor to search and filter it.
We can see that there are several regions that have PAGE_EXECUTE_READWRITE permission.
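The two manual steps above, filtering the vadinfo text for PAGE_EXECUTE_READWRITE regions and then applying the MZ / JMP / CALL / RET triage rule from the note earlier on the page, can be scripted. The following is an added example and is not code from the original post or from the Volatility project. The vadinfo text is a constructed sample that mimics the plugin's record layout (three VADs, one of them RWX), the region bytes are a constructed shellcode-style prologue standing in for what a region dump would contain, and the function names are this example's own.

```python
"""
Triage helper for Volatility 2 vadinfo output (added example, not from the
original post or Volatility).  Parses the text vadinfo prints, keeps the
PAGE_EXECUTE_READWRITE regions, and classifies the first bytes of a region.
SAMPLE_VADINFO and the region bytes in main are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the vadinfo record layout.  "Protection: 6"
# in the Flags line is the memory manager's protection index; the decoded
# name follows on the next line.
SAMPLE_VADINFO = """\
VAD node @ 0xfffffa8001c9e1c0 Start 0x0000000000010000 End 0x000000000001ffff Tag VadS
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
VAD node @ 0xfffffa8002189a70 Start 0x0000000077270000 End 0x0000000077418fff Tag Vad
Flags: CommitCharge: 7, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8001b2f1d0 Segment fffff8a000f3e000
FileObject @fffffa8001ec9d80, Name: \\Windows\\System32\\ntdll.dll
VAD node @ 0xfffffa8001d7f010 Start 0x0000000000f60000 End 0x0000000000f6ffff Tag VadS
Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

NODE_RE = re.compile(r"VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) "
                     r"End (0x[0-9a-fA-F]+) Tag (\w+)")
PROT_RE = re.compile(r"Protection: (PAGE_\w+)")
TYPE_RE = re.compile(r"Vad Type: (\w+)")
FILE_RE = re.compile(r"FileObject @\w+, Name: (.+)$")


@dataclass
class VadRegion:
    start: int
    end: int
    tag: str
    protection: str = ""
    vad_type: str = ""
    filename: Optional[str] = None   # only set for file-backed mappings

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_vadinfo(text: str) -> List[VadRegion]:
    """Split vadinfo output into one VadRegion per 'VAD node @' record."""
    regions: List[VadRegion] = []
    current: Optional[VadRegion] = None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = VadRegion(int(m.group(2), 16), int(m.group(3), 16), m.group(4))
            regions.append(current)
            continue
        if current is None:
            continue
        # re.match anchors at column 0, so "Flags: ..., Protection: 6" is skipped
        # and only the decoded "Protection: PAGE_..." line is taken.
        m = PROT_RE.match(line)
        if m:
            current.protection = m.group(1)
        m = TYPE_RE.match(line)
        if m:
            current.vad_type = m.group(1)
        m = FILE_RE.match(line)
        if m:
            current.filename = m.group(1).strip()
    return regions


def filter_rwx(regions: List[VadRegion]) -> List[VadRegion]:
    """The post's filter: regions whose protection is PAGE_EXECUTE_READWRITE."""
    return [r for r in regions if r.protection == "PAGE_EXECUTE_READWRITE"]


def triage_bytes(data: bytes) -> str:
    """Classify the first bytes of a dumped region: 'pe_header' for an MZ
    header, 'jmp' / 'call' / 'ret' when the first x86 instruction is one of
    those (E9/EB, E8, C3/C2, plus FF /4 indirect jmp and FF /2 indirect
    call), otherwise 'none'."""
    if data[:2] == b"MZ":
        return "pe_header"
    if not data:
        return "none"
    op = data[0]
    if op in (0xE9, 0xEB):
        return "jmp"
    if op == 0xE8:
        return "call"
    if op in (0xC3, 0xC2):
        return "ret"
    if op == 0xFF and len(data) > 1:
        reg = (data[1] >> 3) & 7      # ModRM.reg selects the FF-group opcode
        if reg == 4:
            return "jmp"
        if reg == 2:
            return "call"
    return "none"


def is_suspicious(region: VadRegion, first_bytes: bytes) -> bool:
    """The post's rule: an RWX region whose start holds a PE header or code."""
    return region.protection == "PAGE_EXECUTE_READWRITE" and triage_bytes(first_bytes) != "none"


if __name__ == "__main__":
    # Constructed region contents: "call $+5 ; pop ebp ; sub ebp,5", a classic
    # position-independent shellcode prologue, in place of a real region dump.
    dumped = {0xF60000: b"\xe8\x00\x00\x00\x00\x5d\x83\xed\x05"}
    for r in filter_rwx(parse_vadinfo(SAMPLE_VADINFO)):
        verdict = triage_bytes(dumped.get(r.start, b""))
        print(f"{r.start:#018x}-{r.end:#018x} {r.tag:5} {r.protection} "
              f"size={r.size:#x} start={verdict} suspicious={is_suspicious(r, dumped.get(r.start, b''))}")
```

In practice you would feed the redirected vadinfo .txt to parse_vadinfo and the first bytes of each region dumped with vaddump to triage_bytes. The byte check deliberately mirrors only the heuristic the page describes; a real triage would also weigh whether the region is private (VadS) or file-backed, since a PAGE_EXECUTE_WRITECOPY image mapping such as ntdll.dll is expected and not interesting on its own.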