Results from the (5th Annual) 2017 Volatility Plugin Contest are in!

Published November 21, 2017

Michael Hale Ligh

Congratulations to all the participants! This year’s contest resulted in a ton of new and exciting functionality available to law enforcement agents, DF/IR practitioners, malware analysts, and researchers around the globe, which can immediately be transitioned into their workflows. That’s the whole spirit of open source memory forensics with Volatility, and we’re once again very proud to sponsor a contest with such impressive results.

After over 10 years of development with the Volatility Framework and 4 years of previous plugin contests, you might think that there’s nothing left to do, but the community continuously proves otherwise. This year, in particular, we were super impressed not only with the creativity and quality of the submissions, but the fact that several works were influenced by or in support of submissions from previous contests.

Everyone is a winner in this contest. Although a few developers will walk away with prizes, they all solved a problem that they (and inevitably others) faced, gained experience writing Python plugins, and learned some intricacies of memory analysis internals. The capability to program around technical issues and design/implement solutions is a gift. You can applaud by following the authors on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or
contributing patches.

Here is a break down of the placements and prizes

1st place and $1500 USD cash or a Free Seat at Malware and Memory Forensics Training by the Volatility Project goes to:

Xabier Ugarte-Pedrero from Cisco Talos for PyREBox

2nd place and $500 USD cash goes to:

KSL Group (Kyle Ness, Shachaf Atun, and Liam Stein) for Threadmap

3rd place and $250 USD cash goes to:

Peter Kálnai and Michel Poslušný from ESET for Browserhooks

4th place and Volatility Swag goes to:

(tie) Michael Brown for SQLite Artifacts and Adam Bridge for Linux (X) Windows

5th place and Volatility Swag goes to:

Frank Block for Linux Glibc Heap Analysis

Here is a detailed summary of the submissions. If you have feedback for the authors, we’re sure they’d love to hear your thoughts.

1st: Xabier Ugarte-Pedrero (Cisco Talos): PyREBox

PyREBox provides an extensible reverse engineering sandbox that combines debugging capabilities with introspection. The analyst can interact with the whole system emulator, QEMU, guest either manually, using IPython, or by creating Python scripts. Unlike previous reverse engineering platforms, PyREBox, is explicitly designed for modern threat analysts and the tasks they commonly perform. PyREBox also leverages Volatility to help bridge the semantic gap challenges typically associated with virtual machine introspection.

https://www.talosintelligence.com/pyrebox
http://blog.talosintelligence.com/2017/07/pyrebox.html
https://github.com/Cisco-Talos/pyrebox
https://pyrebox.readthedocs.io/en/latest/

2nd: Liam, Shachaf and Kyle (KSL Group): Threadmap

The KSL Group (Kyle Ness, Shachaf Atun, Liam Stein) submitted the threadmap plugin, which is the result of their extensive research comparing and contrasting weaknesses in existing tools for identifying code injection based on process hollowing. The authors found an obvious gap between the prevalence of attacks in the wild that leverage process hollowing and the strength of tools that can perform detection reliably. Based on the documentation provided alongside the Volatility plugin, the authors not only analyzed existing malware samples (i.e. a reactive approach) but also developed their own variations of process hollowing that are likely to be seen in the near future – and included coverage for those types of attacks as well.

https://github.com/kslgroup/threadmap

3rd: Peter Kalnai and Michal Poslusny (ESET): Browserhooks

Something magical happens when reverse engineers write Volatility plugins. Peter and Michal from ESET have been tracking banking trojans and MITB malware for a while now, documenting the methods that malicious authors take to subvert victim systems – in particular, how they find and hook the SSL VMT (virtual method table) even in browsers such as Chromium-based browsers that static link with the SSL libraries, change regularly, and don’t export the table locations. Studying the pros/cons of attacker methodologies, learning from them in order to create a more robust detection platform, and immediately transitioning that knowledge into a capability analysts can use (via Volatility) requires a unique skill set. In addition to exploring these previously undetected API hooks, the authors also extended Volatility’s apihooks plugin to work on WOW64 processes (32-bit processes on a 64-bit architecture) and integrated their work into VolUtility – a submission to last year’s plugin contest.

https://github.com/eset/volatility-browserhooks
https://www.virusbulletin.com/conference/vb2017/abstracts/browser-attack-points-still-abused-banking-trojans
https://www.virusbulletin.com/uploads/pdf/conference_slides/2017/Kalnai-VB2017-browser-attack-points-trojans.pdf

4th (tie): Michael Brown: SQLite Artifacts

Michael Brown wrote a seriously cool set of Volatility plugins to interrogate SQL artifacts in RAM. Influenced by Dave Lassalle’s previous work for the 2014 Volatility Plugin Contest, Michael wrote a more generalized version of the SQL tools that can search for any table schema. In his own words, “You can enter your own schema, but Sqlitefind can also automatically find table definitions in the sqlite_master table, so the user doesn’t need to know the schema beforehand! You can even discover tables that you didn’t know were in memory.” Given the number of applications that rely on sqlite3 under the hood, this opens doors to an unexplored world of application artifacts.https://github.com/mbrown1413/SqliteFind

4th (tie): Adam Bridge: Linux (X) Windows & Atoms

Adam’s contribution to this year’s contest is the first of its kind – a set of plugins to analyze forensic artifacts of the X Window System environment on Linux. The data structures recovered by the plugins are tied to the X server itself, thus they work independently of the Linux distribution or window manager. Captured information includes details about each window, such as X and Y co-ordinates, width and height dimensions, parent window objects, window IDs, color schemes, and atom associations. Natively, the plugins can be used to determine titles of browser windows (URLs visited), titles of LibreOffice applications (opened documents), and in the future – potentially even a screen shots plugin for Linux!

https://twitter.com/bridgeythegeek
https://github.com/bridgeythegeek

5th: Frank Block: Linux Glibc Heap Analysis

Frank’s submission to this year’s contest introduces a library to parse the user mode heap of a process using Glibc (currently supports x86/x64 and Glibc versions 2.20 – 2.25), an API for developers to create their own plugins, and two example plugins that demonstrate the forensic value – command shell history (zsh) and password management (keepassx). We are super impressed with the level of effort Frank put into this suite of tools. Not only did he implement a model of multiple Glibc versions, but he documented the library’s internals, produced a 60+ page academic technical report and published a condensed 10-page DFRWS paper.

https://authors.elsevier.com/sd/article/S1742287617301895 (DFRWS Paper)
https://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/8340
https://insinuator.net/author/fblock/

The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!

Mark McKinnon: Volatility Autopsy Modules

Mark’s work on integrating Volatility output into the Autopsy GUI will undoubtedly make life easier for many investigators. Whether they’re not familiar with using command line tools, they’re uncomfortable in a Linux environment, or if they just want to save time and visualize memory artifacts across various different cases in the same interface, this is a huge advantage for Autopsy users. The module includes a generic interface that allows running any Volatility plugin that supports SQLite rendering. It also contains more specialized modules that take the output of Volatility’s dumpfiles (extract files from RAM) and imagecopy (convert hiber/crash to raw) plugins and make their results available in Autopsy as well, creating a near full circle of analysis between disk and memory, all captured in the same GUI.

https://twitter.com/markmckinnon
https://github.com/markmckinnon
https://www.linkedin.com/in/mark-mckinnon-9b08715
https://medium.com/@markmckinnon_80619
https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility
https://medium.com/@markmckinnon_80619/volatility-autopsy-plugin-module-8beecea6396

Javier Vicente Vallejo: Symbolizemod

As a malware analyst, Javier starts most of his work with Windbg or Volatility and then pivots to IDA Pro to gain a detailed understanding of the malicious code. In this line of work, having access to symbols for the malware being disassembled or debugged is practically a requirement if you want to be efficient. The symbolizemod plugin lets you extract variables and symbols from a particular memory region and exports them as a DBG file, which is a common format understood by IDA Pro and Windbg. The end goal is similar to Volatility’s existing impscan plugin, except impscan only exports in text and IDC formats. In fact, symbolizemod also includes a command line switch to leverage impscan’s engine for enumerating symbols. By default, however, symbolizemod uses its own engine (called “raw mode”) which in some cases can produce different results.

( X blogger.com/goog_2111376355)
https://vallejo.cc/
https://github.com/vallejocc
https://twitter.com/vallejocc

Alessandro De Vito: Chrome Ragamuffin

Chrome Ragamuffin is part of a larger research project started by Alessandro over a year ago. Although the research is ongoing, Alessandro’s Volatility plugin is already full of features and it’s one of the most compelling examples of recovering application level artifacts that we’ve seen. Overcoming challenges such as incognito mode and the fact that Chrome updates automatically nearly every time you launch it, Alessandro managed to dissect critical in-memory data structures related to the browser’s DOM and the user’s navigation. Alessandro has presented his work at OSDFC and Bsides Zurich, showing how to analyze memory to detect CSRF, clickjacking, phishing, and malicious redirects.

https://twitter.com/_cube0x8

https://github.com/cube0x8/chrome_ragamuffin

( X bsideszh.ch//srv/htdocs/wp-content/uploads/2017/10/BSides-Zurich-How_I_Met_Your_Browser.pdf)

https://bsideszh.ch//srv/htdocs/wp-content/uploads/2017/10/BSides-Zurich-How_I_Met_Your_Browser.pdf
http://www.osdfcon.org/presentations/2017/Alessandro_DeVito-How-I-Met-Your-Browser.pdf

Here are a few additional resources regarding previous contests and community-driven plugins:

Volatility Foundation Contest Home Page: https://volatilityfoundation.org/contest
Volatility 2016 Plugin Contest Results: https://volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: https://volatilityfoundation.org/2015Volatility 2014 Plugin Contest Results: https://volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: https://volatilityfoundation.org/2013-c19yz
Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community

Return to Blog