Saturday, August 4, 2012

Configure Volatility framework on Windows OS

Hi all,
it's past almost a year since I last wrote here in my blog, but the University is like a job and as well as all jobs, there isn't enough time to devote for hobbies. But as always I found a bit time to write some usefull/unuseful post :P.

This time I would like illustrate how to configure Volatility framework  on Windows OS.

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Volatility under Linux OS has no problem to setup instead on Windows OS it is a little bit boring.
For this that I decided to post about volatility.

Below a list of all occurrences:

  • Python 2.7, the volatility core;
  • Volatility Framework ( no link because we'll use SVN later );
  • Visual C++ Express , to compile distorm3 library;
  • TortoiseSVN ( or other tools like this ), to download from SVN the last volatility and distorm3 source code;
  • YARA ,  a tool aimed at helping malware researchers to identify and classify malware samples, to resolve volatility plugin dependencies;
  • PyCrypto , Python cryptography package, also to resolve volatility plugin dependencies;
  • Distorm3, a Powerful Disassembler Library, also this to resolve volatility plugin dependencies ( no link because we'll use SVN later );
  • DumpIt, to memory dump.
Ok, now that we have all the ingredients let's go to cook a volatility cake. ;)

1. First of all download Python installer ( ver. 2.7 ) and install it. Don't change default install dir path, this must be C:\Python27. In the Path Environment Variable add ' C:\Python27 ' to call python.exe anywhere:



2. Then download and install TortoiseSVN.



- Create a directory under C:\ named 'Volatility';
- Mouse right-click in C:\ and click on SVN checkout. See figure below to set your own.
- Click ok and download starts. When it finished, click OK button and you can see in C:\Volatility directory all files like this:



3.  Now download yara-python-1.6.win32-py2.7.exe and install it. This setup solves dependencies for more plugin like yarascan command:


If installation is OK, in Python write import yara.  If no error occurred it's all OK.

4. Like YARA, download pycrypto-2.3.win32-py2.7.zip, unzip and install it. This setup also solves other dependencies:


If installation is OK, in Python write import Crypto.  If no error occurred it's all OK otherwise Google is your friend. ;)

5. Now download Visual C++ Express because we will compile distorm3 library. 
- When Visual C++ Express installation finishes let's go to C:\;
- Create in it a directory named 'distorm3';
- Mouse right-click and click on SVN checkout option;
- See below picture to configure your own:


- Click ok and download stars. When download finishes you can see all distorm files in distorm3 folder like follow screenshot:

- A this point we must set 2 Environment Variables otherwise we will have trouble building distorm library ( see also picture below ):

* Name: VS90COMNTOOLS         Value: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\


* Name: VS100COMNTOOLS         Value: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\


 - Open a command prompt: cd C:\distorm3python setup.py --verbose buildpython setup.py install. These 3 commands build distorm3 library.


- Now if all OK, in C:\Python27\Lib\site-packages we have a distorm3 folder as result of the build&install commands:




If installation is OK, in Python write import distorm3.  If no error occurred it's all OK otherwise check this link. ;)


OK, we finished installation phase. Now we try to launch volatility framework.

Open command prompt and go to C:\Volatility with cd then python vol.py -h. We will see similar to screenshot below:


No errors are prompted so it's all OK.

N.B. : The only problem that I encountered is with apihooks command. Shortly I'll try to post this problem at volatility community to see what's wrong in my configuration steps. Obviously if I'll resolve the problem I'll post about solution ( if there is one ). =)

So, volatility framework is configured now remains only to test it.

At top of the post I listed also DumpIt tool. This tool allows us to dump memory ( RAM ). Infact when you are analysing a malware you can run it ( in a safe environment of course ) and launch DumpIt to obtain a full memory dump which also includes malware run before and its informations. So a this point comes into play Volatility which helps us to carved out all digital artifacts and usefull information.



To see Volatility in action I recommend Evilcry's tutorial:

- Shylock via volatility
- Carberp Reverse Engineering

But also Frank Boldewin's paper

By the way a simple google search it is always a best action.

I hope this post is helpful to the reader.

Ok, for today is all, see you in the next post. =)

4 comments:

  1. Just FYI there's a standalone windows executable for volatility (http://volatility.googlecode.com/files/volatility-2.1.standalone.exe) with all the dependency libraries packed inside so you don't need to install anything if you don't want to.

    ReplyDelete
  2. By the way I added your article to the community documentation wiki: http://code.google.com/p/volatility/wiki/VolatilityDocumentationProject. Nice job!

    ReplyDelete
  3. Hi Michael, tnx for the feedback. Btw I know volatility standalone version ( in fact I'm using everyday this version =) ) but I wanted post this guideline just to configure volatility from zero and respective dependencies possibly with as few problems as possible like in Unix OS. In short, a sort of personal challenge.

    ReplyDelete