Friday, October 12, 2012

Week 4 of the Month of Volatility Plugins posted!

I was writing to announce the last week of the month of Volatility plugins is finished, and we now have five more in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted on the Volatility Labs blog.

Post 1: Detecting Malware with GDI Timers and Callbacks

This posts covers analyzing malware samples that use timer callbacks to schedule actions.

Post 2: Taking Screenshots from Memory Dumps

This posts covers the data structures and algorithms required to recreate the state of the screen (a screenshot) at the time of the memory capture.

Post 3: Recovering Master Boot Records (MBRs) from Memory

This post covers recovering the MBR from memory and detecting bootkits.

Post 4: Cache Rules Everything Around Me(mory)

This post covers a new plugin that can recover in-tact files from the Windows Cache Manager.

Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit

This post covers analyzing the Phalax2 rootkit with Volatility and other reversing tools.

This concludes the month of Volatlity, but do not fret, we have already posted a number of other non-MOVP posts and more are coming ;)