2013 Volatility Plugin Contest

The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!

  • 1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 1500 USD cash

  • 2nd place wins 500 USD cash

  • 3rd place wins 250 USD cash

  • 4th and 5th place win Volatility swag (T-shirts, stickers, etc.)

Everyone but the Volatility core developers can participate.

Results

We are excited to announce the results of the 1st Annual Volatility Plugin Contest. We were pleasantly surprised with 8 submissions to the contest. Each submission provides an exciting new capability to the memory analysis community or demonstrates the power of Volatility to solve a variety of real-world problems. The submissions ranged from new plugins and new address spaces to operating system plugins and application plugins, and covered Linux, Windows, and OS X. It's great to see so many people giving back to the memory analysis community and taking this opportunity to do pioneering research in such an exciting field.

Given the number of deserving submissions we received, the judging took a little longer than we originally anticipated. We wanted to make sure that we were able to thoroughly test and verify each submission. We would like to thank all the participants for their submissions. A number of these submissions will be highlighted in upcoming blog posts and at OMFW 2013!

The winners of the 1st Annual Volatility Framework Plugin Contest are:

  1. Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.

  2. Cem Gurkok with OS X rootkit detection and Windows security auditing plugins.

  3. Jeff Bryner with the Facebook and Twitter artifact extraction.

  4. Carl Pulley with a plugin to find the nearest function/method within a symbol table & Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins [Note: Carl and Edwin tied for 4th place, this is not a joint submission]

  5. Jamaal Speights with extracting networking packets from memory samples.

Honorable Mention: Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format

Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.

This submission enables memory forensics of guest operating systems in virtualization environments that use Intel VT-x technology. This includes the ability to locate memory-resident hypervisors and to handle nested virtualization. Its current implementation enables virtual machine introspection of 32-bit Windows guests. It was tested with KVM, Xen, VMware Workstation, VirtualBox and HyperDbg.

Download Link: http://downloads.volatilityfoundation.org/contest/2013/MarianoGraziano_Actaeon.zip

Related Links:

http://www.s3.eurecom.fr/tools/actaeon/

https://github.com/eurecom-s3/actaeon

http://www.s3.eurecom.fr/docs/raid13_graziano.pdf

Author's Twitter: @emd3l

Cem Gurkok with the Windows security permission plugin

This plugin displays the security permission information for files, processes, services, tokens, threads, devices, and registry keys. The information includes DACLs, SACLs (Discretionary/System access control lists), object integrity level, and object ownership. Security permission information is obtained from the object’s security descriptor. This plugin can help administrators proactively assess the security of their systems and can also help determine possible "holes" that led to successful privilege escalation attacks. This plugin dumps verbose information that you can categorize and filter for your needs, and it also supports all major 32-bit and 64-bit Windows operating systems.
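
As an added illustration of what a plugin like this has to decode (this is not the plugin's own code), the following Python parses a self-relative security descriptor as it is laid out in memory: the owner and group SIDs, the DACL and SACL with their ACEs, and the integrity level carried in the SACL's mandatory label ACE. The sample descriptor is constructed inline rather than taken from a memory image.

```python
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010
ACCESS_ALLOWED_ACE_TYPE, SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x00, 0x11

def parse_sid(buf, off):
    # SID: Revision, SubAuthorityCount, 6-byte big-endian IdentifierAuthority, LE 32-bit sub-authorities
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_acl(buf, off):
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2; each ACE: AceType, AceFlags, AceSize, Mask, SID
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append({"type": ace_type, "flags": flags, "mask": mask, "sid": parse_sid(buf, pos + 8)})
        pos += ace_size  # AceSize lets us step over ACE kinds whose body we do not decode
    return aces

def parse_security_descriptor(buf):
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, then offsets of Owner, Group, Sacl, Dacl
    _rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sacl = parse_acl(buf, o_sacl) if control & SE_SACL_PRESENT and o_sacl else None
    labels = [a for a in (sacl or []) if a["type"] == SYSTEM_MANDATORY_LABEL_ACE_TYPE]
    return {
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "dacl": parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None,
        "sacl": sacl,
        # the integrity level is the RID of the S-1-16-<level> SID in the SACL's mandatory label ACE
        "integrity_level": int(labels[0]["sid"].rsplit("-", 1)[1]) if labels else None,
    }

# Constructed sample descriptor (not captured from a real system): SYSTEM owner, medium integrity,
# DACL granting SYSTEM full control (0x1F01FF) and Everyone generic read (0x120089).
def _sid(authority, *subs):
    return struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def _ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid
def _acl(*aces):
    return struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
OWNER = _sid(5, 18)  # S-1-5-18
SACL = _acl(_ace(SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0x1, _sid(16, 8192)))  # mask 0x1 = NO_WRITE_UP
DACL = _acl(_ace(ACCESS_ALLOWED_ACE_TYPE, 0x1F01FF, OWNER), _ace(ACCESS_ALLOWED_ACE_TYPE, 0x120089, _sid(1, 0)))
HDR = 20  # fixed header size; owner and group offsets both point at the same SID here
SAMPLE_SD = (struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SACL_PRESENT, HDR, HDR,
                         HDR + len(OWNER), HDR + len(OWNER) + len(SACL)) + OWNER + SACL + DACL)
```

Feeding the same parser the descriptor bytes read out of an object's security descriptor pointer is what turns a raw memory image into the DACL/SACL/integrity listing the plugin reports.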

Download Link: http://downloads.volatilityfoundation.org/contest/2013/CemGurkok_WindowsSecurity.zip

Author's Twitter: @CGurkok

Cem Gurkok with the OS X rootkit detection plugins

This submission provides detection capabilities for a number of rootkit hooking techniques within 64-bit OS X:

  • Direct syscall table modification

  • Syscall function inlining (i.e., DTrace hooks)

  • Patching the syscall handler (i.e., a shadow syscall table)

  • Hooked functions in kernel/kext symbol tables

  • Modified IDT descriptors

  • Modified IDT handlers

There are published research and example rootkits that leverage exactly the hooking techniques this plugin detects, and adding the plugin to the core framework will greatly enhance Volatility's Mac rootkit detection capabilities.

Download Link: http://downloads.volatilityfoundation.org/contest/2013/CemGurkok_OSXDetect.zip

Related Links:

http://siliconblade.blogspot.com/2013/07/idt-hooks-and-detecting-them-in-osx.html

http://siliconblade.blogspot.com/2013/07/back-to-defense-finding-hooks-in-os-x.html

http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html

http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html

Author's Twitter: @CGurkok

Jeff Bryner with the Facebook and Twitter artifact extraction

This submission provides plugins for carving Twitter and Facebook artifacts from a process's address space. This is accomplished by scanning the address space for the JSON/HTML structures used by the social media applications. Examples of extracted information include Twitter direct messages, identifying user information, and Facebook direct messages.

Download Link: http://downloads.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip

Related Links:

https://github.com/jeffbryner/volatilityPlugins

http://www.youtube.com/watch?v=K_gBpdK936o

Author's Twitter: @0x7eff

Carl Pulley with a plugin to find the nearest function/method within a symbol table.

This submission demonstrates the usefulness of being able to dynamically extract Windows symbol information. It includes a plugin that automatically extracts symbol information from the PDB files associated with memory-resident modules. The submission also includes a "profile modification" that adds a new member to the _EPROCESS object, which facilitates "nearest symbol" lookups of addresses. This can be very useful when investigating unknown pointers or the control flow history of a corrupted execution stack.

Download Link: http://downloads.volatilityfoundation.org/contest/2013/CarlPulley_Symbols.zip

Related Links:

https://github.com/carlpulley/volatility/blob/master/symbols.py

https://code.google.com/p/pdbparse/issues/detail?id=13

Author's Github: https://github.com/carlpulley

Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins

This submission provides plugins for extracting information from x86_64 Linux memory samples. They provide extensive insight into the state of the system at the time the memory sample was taken. Examples of the extracted information include:

  • Detailed process information

  • Networking data structures

  • Detailed analysis and annotation of the execution stacks

  • System call context

Download Link: http://downloads.volatilityfoundation.org/contest/2013/EdwinSmulders_Symbols.zip

Related Links:

https://github.com/Dutchy-/volatility-plugins

Author's Twitter: @0x445554434859

Jamaal Speights with a plugin that extracts networking packets from memory samples.

The ethscan plugin provides the ability to recover Ethernet frames from memory samples. It provides extraction support for both IPv4 and IPv6. It also provides the option to extract the frame data to either binary files or to a pcap file. It should work against any binary file (not just memory dumps).
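
As an added example of the carving approach (this is not the ethscan plugin's own code), the following Python scans an arbitrary byte buffer for Ethernet frames carrying IPv4 or IPv6, accepting a candidate only when the IP header passes version, length and (for IPv4) header checksum checks, and returns each carved frame as a byte string. The sample blob is constructed inline, with junk bytes around one frame of each kind.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD

def ipv4_checksum(header):
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))  # one's-complement word sum
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF  # a header carrying a valid checksum yields 0

def frame_length_at(buf, off):
    """Frame length if a plausible Ethernet/IPv4 or Ethernet/IPv6 frame starts at off, else 0."""
    ip = off + 14
    if ip + 20 > len(buf):
        return 0
    ethertype = struct.unpack_from("!H", buf, off + 12)[0]
    if ethertype == ETHERTYPE_IPV4:
        ihl, total = (buf[ip] & 0x0F) * 4, struct.unpack_from("!H", buf, ip + 2)[0]
        if buf[ip] >> 4 != 4 or ihl < 20 or total < ihl or ip + total > len(buf):
            return 0
        return 14 + total if ipv4_checksum(buf[ip:ip + ihl]) == 0 else 0  # header must verify
    if ethertype == ETHERTYPE_IPV6 and ip + 40 <= len(buf) and buf[ip] >> 4 == 6:
        payload_len = struct.unpack_from("!H", buf, ip + 4)[0]
        return 14 + 40 + payload_len if ip + 40 + payload_len <= len(buf) else 0
    return 0

def carve_frames(buf):
    """Linear scan: accept a frame wherever the sanity checks pass, then skip past it."""
    frames, off = [], 0
    while off + 14 < len(buf):
        n = frame_length_at(buf, off)
        if n:
            frames.append(bytes(buf[off:off + n]))
        off += n or 1
    return frames

# Constructed sample "memory" blob (not a real capture): junk around one IPv4 and one IPv6 frame.
MACS = bytes.fromhex("001122334455") * 2
def _ipv4_frame(payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in the checksum field
    return MACS + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload
def _ipv6_frame(payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 17, 64,
                      b"\xfe\x80" + bytes(14), b"\xfe\x80" + bytes(13) + b"\x01")
    return MACS + struct.pack("!H", ETHERTYPE_IPV6) + hdr + payload
SAMPLE_BLOB = b"\xaa" * 7 + _ipv4_frame(b"hello") + bytes(9) + _ipv6_frame(b"world!") + b"\xff" * 5
```

The header checks are what keep a scan over gigabytes of memory from accepting every random byte pair that happens to match an EtherType; a frame whose IPv4 header checksum does not verify is skipped.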

Download Link: http://downloads.volatilityfoundation.org/contest/2013/JamaalSpeights_Network.zip

Related Links:

https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/ethscan.py

Author's Twitter: @jamaalspeights

Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format

This submission includes a plugin that converts a VMware suspended state file (.vmss) into a format supported by Illumos debugging tools (mdb, adb, etc.). It was tested on an OpenIndiana VM, which it converted successfully and whose files worked well when analyzed with mdb. This plugin was created to solve a real-world system administration challenge: collecting a crash dump from a system that was hanging during the boot process. It demonstrates the power of memory analysis beyond just forensics and security.

Download Link: http://downloads.volatilityfoundation.org/contest/2013/JeremyJones_Illumos.zip

Acknowledgements

A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest.

Rules of Engagement

  1. The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.

  2. The submitted extensions should work with the Volatility 2.2 (or greater) release and should have been implemented after the initial contest announcement (1/14/2013).

  3. The top 5 winners of the contest will get the prizes mentioned above.

  4. Volatility core developers are not eligible.

  5. Submissions should be sent to volcon2013@memoryanalysis.net. The submission should include the source code, a short description of how the extension is used, and a signed "Individual Contributor License Agreement".

  6. By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.

  7. All submissions should be received no later than August 1, 2013. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.

  8. The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.

  9. In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.

  10. Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.

  11. Upon approval from the winners, their names/aliases will be listed on the "Volatility Hall of Fame" web page for the world to admire.

  12. Selected contestants may also be asked to present their work at the 2013 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.

© 2020 The Volatility Foundation