Skip to content

Volatility plugin to search for all Autostart Extensibility Points (AESPs)

License

Notifications You must be signed in to change notification settings

reverseame/winesap

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Winesap - Volatility Plugin

Winesap for Volatility 2.6 aims to search for all Autostart Extensibility Points (AESPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation.

Specifically, it tries to search AESPs according to this taxonomy:

Taxonomy of Windows ASEPs

NOTE: you can read more about this taxonomy in this paper.

License: AGPL v3

Usage

---------------------------------
Module Winesap
---------------------------------

Search for all Autostart Extensibility Points (AESPs)

    Options:
        --match: only shows suspicious entries

You need to provide this project path as first parameter to Volatility:

$ python vol.py --plugins /path/to/winesap --profile WinProfile -f /path/to/memory.dump winesap --match
Volatility Foundation Volatility Framework 2.6

------------------------------
WARNING: Suspicious path file, Suspicious shell execution
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
RunMyApp: REG_SZ: rundll32.exe shell32.dll,ShellExec_RunDLL C:\Users\User\AppData\Roaming\Btyzjscppg\cmd.exe
------------------------------
WARNING: Suspicious path file, Suspicious shell execution
HKLM\System\ControlSet001\services\Wevbqmpyfl
ImagePath: REG_EXPAND_SZ: rundll32.exe shell32.dll,ShellExec_RunDLL C:\Users\User\AppData\Roaming\Pojgcucima\cmd.exe
------------------------------
WARNING: Suspicious path file
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
Debugger: REG_SZ: C:\Users\User\AppData\Roaming\Aorafljuaz\cmd.exe
------------------------------

License

Licensed under the GNU AGPLv3 license.