LDR modules

A common practice among malware authors is to hide the malware's activity, and one technique is to hide the DLL files associated with the malicious code. This can be accomplished by unlinking the suspect DLL's entry from the module lists kept in the Process Environment Block (PEB): PEB->Ldr maintains three doubly linked lists (InLoadOrderModuleList, InMemoryOrderModuleList, and InInitializationOrderModuleList), and a module removed from all three no longer appears to tools that enumerate modules by walking the PEB. While this provides some surface-level concealment, trace evidence of the DLL's existence remains in the kernel's Virtual Address Descriptor (VAD) tree, which tracks every memory region mapped into the process; for an image-backed region it records the DLL's base address and the full path of the file it was mapped from. The ldrmodules plugin walks, for each process, the VAD tree and the three PEB lists, and reports for every mapped image whether its base address is present in each list (the InLoad, InInit, and InMem columns) together with the mapped path. A DLL that is present in the VAD but shows False in all three columns is a strong indicator of unlinking. Note that the process's own executable is legitimately absent from InInitializationOrderModuleList, so a lone False in the InInit column for the .exe is normal and not evidence of tampering. The following command runs ldrmodules against the image file:

forensics@ubuntu:~/Documents$ volatility -f stuxnet.vmem --profile=WinXPSP2x86 ...
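To make the cross-reference concrete, here is the logic ldrmodules performs, reimplemented over constructed data. This is an added example, not Volatility's own code and not output from the command above: the three PEB lists and the image-backed VAD nodes are modelled as plain Python objects, and the process name, PID, base addresses and paths (including the unlinked hidden.dll) are made up for the example.

```python
"""Reimplementation of the ldrmodules cross-reference over constructed data.

Added example, not Volatility's own code. It models the three PEB->Ldr module
lists and a process's image-backed VAD nodes, then emits the same
InLoad/InInit/InMem/MappedPath table the plugin prints.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LdrEntry:
    """An _LDR_DATA_TABLE_ENTRY as it appears in one of the PEB->Ldr lists."""
    base: int          # DllBase
    full_name: str     # FullDllName recorded by the loader


@dataclass(frozen=True)
class VadFile:
    """A VAD node backed by a file object (an image section)."""
    start: int         # region start; for an image mapping this is the load base
    path: str          # FileObject.FileName, i.e. the full path on disk


@dataclass
class Process:
    pid: int
    name: str
    in_load: list      # PEB->Ldr->InLoadOrderModuleList
    in_init: list      # PEB->Ldr->InInitializationOrderModuleList
    in_mem: list       # PEB->Ldr->InMemoryOrderModuleList
    vads: list         # image-backed nodes from the kernel-side VAD tree


def ldrmodules(proc):
    """Return one row per image-backed VAD, with membership flags for the
    three PEB lists. As in the plugin, the match is by base address, not by
    name, so editing the name in a PEB entry does not hide the module."""
    load = {e.base for e in proc.in_load}
    init = {e.base for e in proc.in_init}
    mem = {e.base for e in proc.in_mem}
    rows = []
    for vad in sorted(proc.vads, key=lambda v: v.start):
        rows.append({
            "pid": proc.pid,
            "process": proc.name,
            "base": vad.start,
            "in_load": vad.start in load,
            "in_init": vad.start in init,
            "in_mem": vad.start in mem,
            "mapped_path": vad.path,
        })
    return rows


def unlinked_modules(rows):
    """Images the kernel tracks in the VAD but that appear in none of the PEB
    lists. All three flags must be False: the process's own executable is
    never placed on InInitializationOrderModuleList, so a lone InInit=False
    is normal and must not be treated as evidence of unlinking."""
    return [r for r in rows
            if not (r["in_load"] or r["in_init"] or r["in_mem"])]


def format_table(rows):
    """Render rows in the column layout the plugin prints."""
    lines = [f"{'Pid':>5} {'Process':<14} {'Base':<10} {'InLoad':<6} "
             f"{'InInit':<6} {'InMem':<6} MappedPath"]
    for r in rows:
        lines.append(f"{r['pid']:>5} {r['process']:<14} {r['base']:#010x} "
                     f"{str(r['in_load']):<6} {str(r['in_init']):<6} "
                     f"{str(r['in_mem']):<6} {r['mapped_path']}")
    return "\n".join(lines)


# Constructed sample: a process whose PEB lists have been edited to drop one
# DLL. Name, PID, addresses and paths are made up for this example.
_EXE = LdrEntry(0x01000000, r"C:\WINDOWS\explorer.exe")
_NTDLL = LdrEntry(0x7C900000, r"C:\WINDOWS\system32\ntdll.dll")
_K32 = LdrEntry(0x7C800000, r"C:\WINDOWS\system32\kernel32.dll")
SAMPLE = Process(
    pid=1234, name="explorer.exe",
    in_load=[_EXE, _NTDLL, _K32],
    in_init=[_NTDLL, _K32],            # the .exe is legitimately absent here
    in_mem=[_EXE, _NTDLL, _K32],
    vads=[
        VadFile(0x01000000, r"C:\WINDOWS\explorer.exe"),
        VadFile(0x7C900000, r"C:\WINDOWS\system32\ntdll.dll"),
        VadFile(0x7C800000, r"C:\WINDOWS\system32\kernel32.dll"),
        VadFile(0x10000000, r"C:\WINDOWS\Temp\hidden.dll"),  # unlinked from all three
    ],
)

if __name__ == "__main__":
    rows = ldrmodules(SAMPLE)
    print(format_table(rows))
    for r in unlinked_modules(rows):
        print(f"unlinked module: {r['mapped_path']} at {r['base']:#x}")
```

Run stand-alone it prints the four-row table and then flags only hidden.dll; explorer.exe shows InInit=False but is not flagged, which is the distinction an analyst has to make when reading real ldrmodules output.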
