So I do not know if you guys read my blog posting which talked about memory analysis. One of the things I mentioned was looking for DLLs Meterpreter uses in processes where they normally should not be. That was based on a post originating from Command Line Kung Fu (we're not worthy! we're not worthy!). So I had to do some Meterpreter stuff for work and decided I would do a blog posting about the forensics of it. One of the things I did was a memory dump, and I ran the dlllist module over it. I started using Mandiant's Highlighter (a pretty awesome tool, wish I had started using it sooner) and started to get a bit lazy. I thought.... wouldn't it be awesome if there was a script which would list all processes and then flag the ones that had loaded either rsaenh.dll or iphlpapi.dll....
So as I am not feeling too well and am sitting here watching my hockey team even though I am +5 hours from the east coast, I decided why not write a script to do just that. It's not hard!

So here you have my Meterpreter Finder Script!

It's pretty easy to navigate. If you are running it from Windows, make sure you have ActiveState Perl installed. It asks for your input file (your dlllist output from Volatility) as well as where you want to direct the output to.
[Screenshot: Entering Your Input/Output]
It should not take too long, and you should then be presented with the following screen. It reminds you which processes use the two DLLs regularly (legitimate usage, too).
[Screenshot: Script Done!]
So the output file is not pretty by any means, but it gets the jo(r)b done.
[Screenshot: Snippet of Output File]
So I know there are many ways to do this: YARA would probably work, another Meterpreter-hunting script, a bit more fiddling with Highlighter... so just consider this (yet another) possibility to quickly see which processes have these two DLLs loaded. Keep in mind that it is a heuristic, not a signature: rsaenh.dll and iphlpapi.dll are legitimate Windows libraries that plenty of processes load, so a hit is a lead, not a verdict. Also note what dlllist can and cannot see: it walks the loader lists in the PEB, so Meterpreter's own reflectively injected DLL does not show up there, but the system DLLs it pulls in through LoadLibrary do, which is exactly what this check keys on. If you see the DLLs being used by a process other than the normal ones listed and you are unsure whether it normally uses them, run the program on a known clean system, do a memory dump, then run the Volatility dlllist module and check the process yourself.
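As an added example (not the author's Perl script, which is not reproduced on this page), here is the same idea in Python: it parses Volatility 2 dlllist text output, reports every process that has rsaenh.dll or iphlpapi.dll loaded, and flags the ones that fall outside a baseline of processes expected to load them. The baseline set and the embedded dlllist sample are constructed for illustration and are assumptions, not data from the post; build the real baseline from a dlllist run against a known-clean image of the same Windows build, as recommended above.

```python
import re
from collections import OrderedDict

# The two DLLs the post singles out as Meterpreter's usual imports.
SUSPECT_DLLS = ("rsaenh.dll", "iphlpapi.dll")

# ASSUMPTION: illustrative baseline of process names that routinely load these
# DLLs on a stock Windows install. The post's own list is not reproduced here;
# build yours from a dlllist run against a known-clean image of the same build.
BASELINE = {
    "rsaenh.dll": {"lsass.exe", "svchost.exe", "explorer.exe", "winlogon.exe"},
    "iphlpapi.dll": {"svchost.exe", "explorer.exe", "spoolsv.exe"},
}

# "svchost.exe pid:   1036" headers and "0x... 0x... 0x... <path>" module rows
PROC_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
MOD_RE = re.compile(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(\S.*?)\s*$")


def parse_dlllist(text):
    """Parse Volatility 2 dlllist output into {pid: (process name, [module paths])}.
    A process whose PEB could not be read simply ends up with an empty module list."""
    procs = OrderedDict()
    current = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), [])
            continue
        m = MOD_RE.match(line)
        if m and current is not None:
            procs[current][1].append(m.group(1))
    return procs


def find_suspect_loads(procs, baseline=BASELINE):
    """Return (pid, name, dll, in_baseline) for each suspect DLL a process has loaded.
    Matching is on the basename, case-insensitively, because dlllist prints full paths."""
    hits = []
    for pid, (name, mods) in procs.items():
        basenames = {m.replace("/", "\\").rsplit("\\", 1)[-1].lower() for m in mods}
        for dll in SUSPECT_DLLS:
            if dll in basenames:
                hits.append((pid, name, dll, name.lower() in baseline.get(dll, set())))
    return hits


def flag_outliers(hits):
    """Keep only the hits from processes not in the baseline for that DLL."""
    return [h for h in hits if not h[3]]


# Constructed sample in the Volatility 2 dlllist layout (not a real capture).
SAMPLE_DLLLIST = r"""Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
Unable to read PEB for task, skipping
************************************************************************
svchost.exe pid:   1036
Command line : C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Pack 3

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x00006000 0xffff     C:\WINDOWS\system32\svchost.exe
0x7c900000 0x000b2000 0xffff     C:\WINDOWS\system32\ntdll.dll
0x0ffd0000 0x00028000 0x0001     C:\WINDOWS\system32\rsaenh.dll
0x76d60000 0x00019000 0x0002     C:\WINDOWS\system32\iphlpapi.dll
************************************************************************
explorer.exe pid:   1484
Command line : C:\WINDOWS\Explorer.EXE
Service Pack 3

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x000ff000 0xffff     C:\WINDOWS\Explorer.EXE
0x7c900000 0x000b2000 0xffff     C:\WINDOWS\system32\ntdll.dll
0x0ffd0000 0x00028000 0x0001     C:\WINDOWS\system32\rsaenh.dll
************************************************************************
notepad.exe pid:   2200
Command line : "C:\WINDOWS\system32\notepad.exe"
Service Pack 3

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x00014000 0xffff     C:\WINDOWS\system32\notepad.exe
0x7c900000 0x000b2000 0xffff     C:\WINDOWS\system32\ntdll.dll
0x71ab0000 0x00017000 0x0001     C:\WINDOWS\system32\ws2_32.dll
0x0ffd0000 0x00028000 0x0001     C:\WINDOWS\system32\rsaenh.dll
0x76d60000 0x00019000 0x0001     C:\WINDOWS\system32\iphlpapi.dll
"""

if __name__ == "__main__":
    hits = find_suspect_loads(parse_dlllist(SAMPLE_DLLLIST))
    for pid, name, dll, known in hits:
        print("%-6d %-14s %-13s %s" % (pid, name, dll, "baseline" if known else "CHECK ME"))
```

Running it against the sample lists svchost.exe and explorer.exe as baseline loads and marks notepad.exe, which has no business loading ws2_32.dll, rsaenh.dll and iphlpapi.dll, as the one to go look at. To run it on real output, replace SAMPLE_DLLLIST with the contents of your dlllist file.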
2 comments:
So I know the script leaves a lot to be desired... it was something quick I wrote up last night. I will probably fix it up (along with my other script that people made suggestions on).
Try something like this http://pastebin.com/5TQXhBcc