We are excited to announce the results of the 1st Annual Volatility Plugin Contest. We were pleasantly surprised with 8 submissions to the contest. Each submission provides an exciting new capability to the memory analysis community or demonstrates the power of Volatility to solve a variety of real world problems. The submissions included everything from new plugins to new address spaces and operating system plugins to application plugins. We also had submissions for Linux, Windows, and OS X. It's great to see so many people giving back to the memory analysis community and taking this opportunity to do pioneering research in such an exciting field.

 

Given the number of deserving submissions we received, the judging took a little longer than we originally anticipated. We wanted to make sure that we were able to thoroughly test and verify each submission. We would like to thank all the participants for their submissions. A number of these submissions will be highlighted in upcoming blog posts and at OMFW 2013!

 

The winners of the 1st Annual Volatility Framework Plugin Contest are:

 

1. Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.

2. Cem Gurkok with OS X rootkit detection and Window's security auditing plugins.

3. Jeff Bryner with the Facebook and Twitter artifact extraction.

4. Carl Pulley with a plugin to find the nearest function/method within a symbol table & Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins [Note: Carl and Edwin tied for 4th place, this is not a joint submission]

5. Jamaal Speights with extracting networking packets from memory samples.

 

Honorable Mention: Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format

 

Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.

 

This submission enables memory forensics of guest operating systems in virtualization environments using Intel VT-x technology. This includes the ability to locate memory resident hypervisors and nested virtualization. It's current implementation enables virtual machine instrospection of 32-bit Windows guests. It was tested with KVM, Xen, VMware Workstation, VirtualBox and HyperDbg.

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/MarianoGraziano_Actaeon.zip

 

Related Links:

http://www.s3.eurecom.fr/tools/actaeon/

https://github.com/eurecom-s3/actaeon

http://www.s3.eurecom.fr/docs/raid13_graziano.pdf

 

Author's Twitter: @emd3l

 

 

Cem Gurkok with the Window's security permission plugin

 

This plugin displays the security permission information for files, processes, services, tokens, threads, devices, and registry keys. The information includes DACLs, SACLs (Discretionary/System access control lists), object integrity level, and object ownership. Security permission information is obtained from the object’s security descriptor. This plugin can help administrators proactively assess the security of their systems and can also help determine possible "holes" that led to successful privilege escalation attacks. This plugin dumps verbose information that you can categorize and filter for your needs, and it also supports all major 32-bit and 64-bit Windows operating systems.

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/CemGurkok_WindowsSecurity.zip

 

Author's Twitter: @CGurkok

 

 

Cem Gurkok with the OS X rootkit detection plugins

 

This submission provides detection capabilities for a number of rootkit hooking techniques within 64 bit OS X:

 

• Direct syscall table modification

• Syscall function inlining (ie DTrace hooks)

• Patching the syscall handler (ie, shadow sycall table)

• Hooked functions in kernel/kext symbol tables

• Modified IDT descriptors

• Modified IDT handlers

 

There is published research and example rootkits that are leveraging the exact hooking techniques detected by this plugin, and the addition of the plugin into the core framework will greatly enhance Volatility's Mac rootkit detection capabilities.

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/CemGurkok_OSXDetect.zip

 

Related Links:

http://siliconblade.blogspot.com/2013/07/idt-hooks-and-detecting-them-in-osx.html

http://siliconblade.blogspot.com/2013/07/back-to-defense-finding-hooks-in-os-x.html

http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html

http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html

 

Author's Twitter: @CGurkok

 

 

Jeff Bryner with the Facebook and Twitter artifact extraction

 

This submission provides plugins for carving Twitter and Facebook artifacts from a process' address space. This is accomplished by scanning the address space for the json/html structures that are used by the social media applications. Examples of information extracted include: Twitter direct messages, identifying user information, Facebook direct messages, etc.

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip

 

Related Links:

https://github.com/jeffbryner/volatilityPlugins

http://www.youtube.com/watch?v=K_gBpdK936o

 

Author's Twitter: @0x7eff

 

 

Carl Pulley with a plugin to find the nearest function/method within a symbol table.

 

This submission demonstrates the usefulness of being able to dynamically extract Window's symbol information. It includes a plugin that will automatically extract symbol information from PDB files associated with memory resident modules. The submission also includes a "profile modification" that creates a new member of the _EPROCESS object, which facilitates "nearest symbol" lookups of addresses. This can be very useful when investigating unknown pointers or the control flow history of a corrupted execution stack.

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/CarlPulley_Symbols.zip

 

Related Links:

https://github.com/carlpulley/volatility/blob/master/symbols.py

https://code.google.com/p/pdbparse/issues/detail?id=13

 

Author's Github: https://github.com/carlpulley

 

 

Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins

 

This submission provides plugins for extracting information from x86_64 Linux memory samples. They provide extensive insight into the state of the system at the time of the memory samples. Examples of the extracted information include:

 

• Detailed process information

• Networking data structures

• Detailed analysis and annotation of the execution stacks

• System call context

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/EdwinSmulders_Symbols.zip

 

Related Links:

https://github.com/Dutchy-/volatility-plugins

 

Author's Twitter: @0x445554434859

 

 

Jamaal Speights with a plugin that extracts networking packets from memory samples.

 

The ethscan plugin provides the ability to recover Ethernet frames from memory samples. It provides extraction support for both IPV4 and IPV6. It also provides the option to extract the frame data to either binary files or to a pcap file. It should work against any binary file (not just memory dumps).

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/JamaalSpeights_Network.zip

 

Related Links:

https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/ethscan.py

 

Author's Twitter: @jamaalspeights

 

Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format

 

Description: This submission includes a plugin that converts a VMware suspended state file (.vmss) into a format supported by Illumos debugging tools (mdb, adb, etc.). It was tested on an OpenIndiana VM, which it converted successfully and whose files worked well when anaylzed with mdb. This plugin was created to solve a real world system administration challenge of collecting a crash dump from a system that was hanging during the boot process. It demonstrates the power of memory analysis beyond just forensics and security.

 

Download Link: http://downloads.volatilityfoundation.org/contest/2013/JeremyJones_Illumos.zip