Tuesday, June 3, 2014

Memory Forensics Part 2

During my memory forensic tasking I ran into a very useful Python module called Frida. Frida allows a user to manipulate memory in real time. It provides the same type of ability and functionality as Volatility plus more, but in a Python module. Frida has a lot of really cool features, like allowing the injection of custom JavaScript into a process to provide debugging. I plan to play with the JavaScript injection and post about that process at a later date. Below is a script I wrote just to learn how to use some of the basics. I am aware the script itself is rather useless, but it shows how to use Frida to interact with processes and use some of the basic functions.

#! /usr/bin/env python
# Python 2 script: it relies on raw_input() and on the 2014-era frida-python
# Session API (enumerate_modules, enumerate_ranges and read_bytes on the session).
from __future__ import print_function
import sys
import argparse
import binascii
import frida


def parseOptions():
    parser = argparse.ArgumentParser(
        description="Provides an interactive prompt to use basic Frida functions on a running process")
    parser.add_argument(dest="pid", action="store", type=int,
                        help="Process ID of the process to attach to", metavar="PID")
    return parser.parse_args()


if __name__ == '__main__':

    # parse options
    options = parseOptions()

    try:
        p = frida.attach(options.pid)
        print("Attached to process.")
    except Exception as err:
        # frida raises its own exception types (SystemError in some versions),
        # so catch broadly rather than a single class
        print("Could not attach to process: {}".format(err))
        sys.exit(-1)

    done = False  # named 'done' rather than 'exit' so the builtin is not shadowed

    while not done:
        print("-------------------")
        print("Available Commands:")
        print("-------------------")
        print(" listModules")
        print(" enumRanges")
        print(" readBytes")
        print(" exit")

        inputString = raw_input("--> ").strip()

        if inputString == "listModules":
            try:
                print([x.name for x in p.enumerate_modules()])
            except Exception as err:
                print("Could not enumerate modules: {}".format(err))

        elif inputString == "enumRanges":
            perms = raw_input("Please enter the protection mask to search for (ie. rwx,rw-,r--,r-x,etc): ")
            try:
                print(p.enumerate_ranges(perms))
            except Exception as err:
                print("Could not enumerate ranges: {}".format(err))

        elif inputString == "readBytes":
            try:
                add = int(raw_input("Please enter address (e.g. 0xfffffff): "), 16)
                # raw_input(), not input(): in Python 2 input() eval()s whatever is typed
                num = int(raw_input("Please enter number of bytes to read: "))
                outFormat = raw_input("Please enter format to display memory (ascii or hex): ").strip().lower()
                data = p.read_bytes(add, num)
                if outFormat == "hex":
                    print(binascii.hexlify(data))
                elif outFormat == "ascii":
                    # show non-printable bytes as '.' instead of failing on them
                    print("".join(c if 32 <= ord(c) < 127 else "." for c in data))
                else:
                    print("Unknown format: {}".format(outFormat))
            except Exception as err:
                print("Could not read bytes: {}".format(err))

        elif inputString == "exit":
            done = True
        else:
            print("Bad input. Try again")

    print("Detaching from process")
    p.detach()
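A more forensics-flavoured use of the same Frida primitives (enumerate the modules and the memory ranges, then look at what comes back), as an added example that is not from the original post: it flags executable ranges that are also writable, or that fall outside every loaded module, which is the classic indicator of injected code that tools like Volatility look for. It assumes a modern frida-python with create_script() and the JavaScript Process.enumerateModules()/Process.enumerateRanges() API; the sample module and range lists are constructed.

```python
# Added example, not from the original post: flag ranges memory forensics
# treats as suspicious (writable+executable, or executable but outside every
# loaded module). suspicious_ranges() is pure Python; collect_from_process()
# assumes a modern frida-python (create_script + JS Process API) and a live process.
import threading

def parse_addr(value):
    """Frida serialises addresses as hex strings ("0x7f..."); accept ints too."""
    return value if isinstance(value, int) else int(value, 16)

def suspicious_ranges(ranges, modules):
    """Return (base, size, protection, reason) for rwx or module-less executable ranges."""
    mods = [(parse_addr(m["base"]), parse_addr(m["base"]) + m["size"]) for m in modules]
    hits = []
    for r in ranges:
        prot = r["protection"]
        if "x" not in prot:
            continue  # only executable memory is interesting here
        base = parse_addr(r["base"])
        backed = any(lo <= base < hi for lo, hi in mods)
        if "w" in prot:
            hits.append((base, r["size"], prot, "rwx"))
        elif not backed:
            hits.append((base, r["size"], prot, "unbacked"))
    return hits

def collect_from_process(pid, timeout=5.0):
    """Attach with Frida and pull modules plus executable ranges via injected JS."""
    import frida  # imported here so the analysis above runs without frida installed
    js = "send({modules: Process.enumerateModules(), ranges: Process.enumerateRanges('--x')});"
    result, got = {}, threading.Event()
    def on_message(msg, data):
        if msg.get("type") == "send":
            result.update(msg["payload"])
            got.set()
    session = frida.attach(pid)
    script = session.create_script(js)
    script.on("message", on_message)
    script.load()
    got.wait(timeout)
    session.detach()
    return result.get("ranges", []), result.get("modules", [])

# constructed sample data in the shape the JS Module/Range objects serialise to
SAMPLE_MODULES = [{"name": "a.exe", "base": "0x400000", "size": 0x10000},
                  {"name": "kernel32.dll", "base": "0x77000000", "size": 0x100000}]
SAMPLE_RANGES = [{"base": "0x401000", "size": 0x1000, "protection": "r-x"},
                 {"base": "0x77001000", "size": 0x2000, "protection": "r-x"},
                 {"base": "0x1f0000", "size": 0x1000, "protection": "rwx"},
                 {"base": "0x2a0000", "size": 0x3000, "protection": "r-x"}]
```

Against the constructed sample, only the rwx range at 0x1f0000 and the module-less r-x range at 0x2a0000 are reported; for a live process, pass the two lists returned by collect_from_process(pid) to suspicious_ranges().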


Another tool I ran into is called Memoryze by Mandiant. I was able to pull a memory image from a Windows machine while it was running. I then fed this memory image into Volatility for analysis. It is very easy to use and I thought it deserved a shout out.
