In addition to processes and threads, it is important to examine the drivers loaded on a Windows system. The following output of the modules option in Volatility shows the “msdirectx.dll” component of the FUTo rootkit (listed as msdirectx.sys below). If there is a chance that a module is hidden or has been unloaded, the modscan option of Volatility may be more effective.
E:\Volatility>E:\Python25\python volatility modules -f FUTo-memory-20070909.dd
<cut for brevity>
\??\C:\WINDOWS\system32\win32k.sys 0x00bf800000 0x1b8000 win32k.sys
\??\C:\WINDOWS\system32\watchdog.sys 0x00f0baa000 0x004000 watchdog.sys
\SystemRoot\System32\drivers\dxg.sys 0x00bff80000 0x011000 dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys 0x00f9c4e000 0x001000 dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll 0x00bf9b8000 0x015000 ialmdnt5.dll
\SystemRoot\System32\ialmdev5.DLL 0x00bf9cd000 0x017000 ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL 0x00bf9e4000 0x04b000 ialmdd5.DLL
\SystemRoot\System32\drivers\afd.sys 0x00f07a3000 0x020000 afd.sys
\SystemRoot\System32\DRIVERS\irda.sys 0x00f9768000 0x00e000 irda.sys
\SystemRoot\System32\DRIVERS\ndisuio.sys 0x00f081b000 0x003000 ndisuio.sys
\SystemRoot\System32\DRIVERS\mrxdav.sys 0x00f0570000 0x02b000 mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS 0x00f9a30000 0x002000 ParVdm.SYS
\SystemRoot\System32\DRIVERS\srv.sys 0x00f0407000 0x051000 srv.sys
\SystemRoot\system32\drivers\sysaudio.sys 0x00f05db000 0x00f000 sysaudio.sys
\SystemRoot\system32\drivers\wdmaud.sys 0x00f02c0000 0x014000 wdmaud.sys
\??\C:\I386\SYSTEM32\msdirectx.sys 0x00efee0000 0x010000 msdirectx.sys
\SystemRoot\system32\drivers\kmixer.sys 0x00efe81000 0x027000 kmixer.sys
\SystemRoot\System32\ATMFD.DLL 0x00bffa0000 0x043000 ATMFD.DLL
\SystemRoot\System32\DRIVERS\ohci1394.sys 0x00effd0000 0x00e000 ohci1394.sys
\SystemRoot\System32\DRIVERS\1394BUS.SYS 0x00f05bb000 0x00d000 1394BUS.SYS
\SystemRoot\System32\DRIVERS\nic1394.sys 0x00f0050000 0x00e000 nic1394.sys
\SystemRoot\System32\DRIVERS\arp1394.sys 0x00eff10000 0x00e000 arp1394.sys
\SystemRoot\System32\DRIVERS\sbp2port.sys 0x00eff40000 0x00a000 sbp2port.sys
\SystemRoot\System32\Drivers\Fastfat.SYS 0x00efe1f000 0x024000 Fastfat.SYS
Like listdlls on a running system, mentioned in Chapter 1, Volatility can be used to list the dynamic link libraries (DLLs) loaded by each process. In the FUTo scenario, listing DLLs reveals that a component of KeyLogger named “kls.dll” (shown below) is loaded into two running processes: “explorer.exe” and “helix.exe.” The fact that KeyLogger was loaded into “helix.exe” demonstrates the potential for malware to undermine incident response tools.
The command volatility dlllist -f FUTo-memory-20070909.dd lists all of the DLLs each running process is using. A portion of the output from this command is shown below for “explorer.exe,” which has the keylogger loaded into the process. Although this feature does not currently work on hidden processes, in Volatility version 1.3 all of the process-related commands can take the process object specified as a physical offset.
explorer.exe pid: 412
Command line : C:\WINDOWS\Explorer.EXE
Base Size Path
0x1000000 0xf7000 C:\WINDOWS\Explorer.EXE
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
<cut for brevity>
0x10000000 0x14000 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll
0x73dd0000 0xf2000 C:\WINDOWS\System32\MFC42.DLL
0x76400000 0x1fb000 C:\WINDOWS\System32\msi.dll
0xd20000 0xe000 C:\Program Files\KeyLogger\kls.dll
0x74b80000 0x82000 C:\WINDOWS\System32\printui.dll
0x73000000 0x23000 C:\WINDOWS\System32\WINSPOOL.DRV
0x74ae0000 0x7000 C:\WINDOWS\System32\CFGMGR32.dll
0x71b20000 0x11000 C:\WINDOWS\system32\MPR.dll
0x75f60000 0x6000 C:\WINDOWS\System32\drprov.dll
0x71c10000 0xd000 C:\WINDOWS\System32\ntlanman.dll
0x75970000 0xf1000 C:\WINDOWS\System32\MSGINA.dll
0x1f7b0000 0x31000 C:\WINDOWS\System32\ODBC32.dll
0x763b0000 0x45000 C:\WINDOWS\system32\comdlg32.dll
0x1f850000 0x16000 C:\WINDOWS\System32\odbcint.dll
0x1af0000 0x36000 C:\WINDOWS\System32\igfxpph.dll
0x1b30000 0x1d000 C:\WINDOWS\System32\hccutils.DLL
0x72410000 0x19000 C:\WINDOWS\System32\mydocs.dll
************************************************************************
helix.exe pid: 1204
Command line : D:\helix.exe
Base Size Path
0x400000 0x29d000 D:\helix.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x76b40000 0x2c000 C:\WINDOWS\System32\WINMM.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
<cut for brevity>
0x71c80000 0x6000 C:\WINDOWS\System32\NETRAP.dll
0x75f70000 0x9000 C:\WINDOWS\System32\davclnt.dll
0x75970000 0xf1000 C:\WINDOWS\System32\MSGINA.dll
0x1f7b0000 0x31000 C:\WINDOWS\System32\ODBC32.dll
0x1f850000 0x16000 C:\WINDOWS\System32\odbcint.dll
0x23e0000 0xe000 C:\Program Files\KeyLogger\kls.dll
In other cases, it is necessary to understand the function of a particular library to determine whether its presence is normal. For example, knowing that “wsock32” provides network connectivity (Winsock) functions should raise a red flag when it is loaded by a program that does not require network access.
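The two checks described above (a DLL loaded from an unexpected location, such as kls.dll under C:\Program Files\KeyLogger, and a network library such as wsock32 in a process that should not need it) can be applied mechanically to dlllist output. The following parser and triage routine is an added example, not code from the book or from Volatility; it runs over a constructed, abridged sample in the dlllist layout shown above, the notepad.exe process and its wsock32.dll entry are hypothetical, and the "expected directory" and "processes that need the network" lists are assumptions for this XP-era image.

```python
import re

# Constructed, abridged sample in the layout of Volatility 1.3 "dlllist" output; the
# notepad.exe process is hypothetical, added to exercise the network-library check.
SAMPLE_DLLLIST = r"""explorer.exe pid: 412
Command line : C:\WINDOWS\Explorer.EXE
Base Size Path
0x1000000 0xf7000 C:\WINDOWS\Explorer.EXE
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0xd20000 0xe000 C:\Program Files\KeyLogger\kls.dll
************************************************************************
helix.exe pid: 1204
0x400000 0x29d000 D:\helix.exe
0x23e0000 0xe000 C:\Program Files\KeyLogger\kls.dll
************************************************************************
notepad.exe pid: 1588
0x1000000 0x14000 C:\WINDOWS\system32\notepad.exe
0x71ad0000 0x8000 C:\WINDOWS\System32\wsock32.dll
"""
PROC_RE = re.compile(r"^(\S+) pid:\s*(\d+)$")
MOD_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+)$")

def parse_dlllist(text):
    """Map (process name, pid) -> list of (base, size, path) from dlllist-style text."""
    procs, current = {}, None
    for line in text.splitlines():
        proc, mod = PROC_RE.match(line.strip()), MOD_RE.match(line.strip())
        if proc:
            current = (proc.group(1), int(proc.group(2)))
            procs[current] = []
        elif mod and current is not None:
            procs[current].append((int(mod.group(1), 16), int(mod.group(2), 16), mod.group(3)))
    return procs

# Assumptions: OS modules live under C:\WINDOWS; only listed processes should load Winsock.
EXPECTED_DIRS = ("c:\\windows\\",)
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll"}

def flag_modules(procs, needs_network=("explorer.exe", "helix.exe")):
    """Return (process, pid, path, reason) tuples for modules worth a closer look."""
    findings = []
    for (name, pid), mods in procs.items():
        for _, _, path in mods:
            fname = path.lower().rsplit("\\", 1)[-1]
            if fname == name.lower():
                continue  # the process's own image may legitimately live anywhere
            if not path.lower().startswith(EXPECTED_DIRS):
                findings.append((name, pid, path, "loaded from outside the Windows directory"))
            if fname in NETWORK_DLLS and name.lower() not in needs_network:
                findings.append((name, pid, path, "network DLL in a process that should not need the network"))
    return findings
```

On the sample, flag_modules reports kls.dll in both explorer.exe and helix.exe, and wsock32.dll in the hypothetical notepad.exe, while D:\helix.exe is left alone because it is the process's own image.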