We would like to proudly present to you the newest Hakin9 workshop issue. In this eBook you will find materials presented in the course “Malware Analysis with Volatility”. Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Another major goal of the project was to encourage the collaboration, innovation, and accessibility to knowledge that had been common within the offensive software communities.
Note: Some of the materials, like videos and exercises, are not presented in this issue. If you would like to gain access to all the materials, you have to buy the course.
To make this issue more interesting we decided to add some extra materials. Finding Advanced Malware Using Volatility by Monnappa KA, that will help you understand how this tool works. In this case scenario you will learn how to detect advanced malware and understand memory forensics. Next two articles were written by Dr. Paulo Henrique Pereira (who is also an instructor of Malware Analysis with Volatility and Live Analysis with Rekall). His first article is about Redline - a tool can collect and analyze data with some scripts. If you want to learn more about that, don’t forget to read Practical Live Analysis and Auditing Using Redline IOC Models.
Using n1n3 to simulate an evasive “fileless” malware is a second article written by not only Dr. Pereira, but also by Thiago Geronimo Ferreira, Rubens Louro Vieira, and Renato Basante Borbolla. This article is part of research called Forensics Malware with the use of reverse engineering and is still in progress at the University Nove de Julho (Uninove, Brazil).
The main aim of this eBook is to present our reading materials from our online courses to a wider range of readers. We hope we can meet your expectations. We would also want to thank you for all your support. We appreciate it alot. If you like this publication you can share it and tell your friends about it! Every comment means alot to us. Special thanks to the Proofreader who helped with this issue.
Enjoy your reading,
This eBook contains text materials from the course and extra materials
Module 1: Introduction to Volatility
- Presentation of Volatility environment for forensic purposes
- Presentation of module functions in Volatility
Module 2: The architecture of the GUI Windows system from the forensics point of view
- Memory Forensics plugins for forensics analysis of the GUI Windows.
Module 3: Nefarious actions under the Windows architecture
- Using Volatility plugins to understand malicious activity.
Module 4: The malicious intelligence from behind the instruction codes and the artifacts in memory
- The exploitation of system resources to obtain privileges and analyzing algorithm for data capture
- Research Callbacks
- Analysis system subclasses
- Looking for code injection in DLLs
- Enumerating object types
Finding Advanced Malware Using Volatility
by Monnappa Ka
Practical Live Analysis and Auditing Using Redline IOC Models
Paulo Henrique Pereira, PHD.
Using n1n3 to simulate an evasive “fileless” malware
By Paulo Henrique Pereira, Thiago Geronimo Ferreira, Rubens Louro Vieira, Renato Basante Borbolla
This course covers malware analysis using the Volatility framework addressing the Windows system. The main focus of the course is to present a set of Volatility plugins that allow you to perform malware forensic analysis. The course covers an introduction to Volatility and guides you through the creation of a laboratory before going into practical tasks, which can then be performed both in the Linux and the Windows environments.