Modex is a Volatility 3 plugin to extract a module as complete as possible from a Windows 10 memory dump. To do that, the plugin collects all the pages of a particular module that are mapped in each process and then performs a mixture to obtain a single file which contains as many pages as possible.
In order to run the plugin, Python 3 (version 3.9 or greater) and Volatility 3 have to be installed on the machine where Modex is going to be used. Also, the following Python packages have to be installed: py-tlsh, tabulate. Additionally, the Modex plugin depends on the SimplePteEnumerator plugin (file named simple_pteenum.py that can be found here). The SimplePteEnumerator plugin allows Modex to know which pages are mapped in a given range inside the private address space of a process, and to differentiate between private and shared pages.
After installing Volatility 3, the modex.py file in this repository and all the Python files present in here must be placed in the volatility3/framework/plugins/windows directory, which is inside the cloned Volatility 3 repository.
To use the Modex plugin, you must provide the module that you want to extract. Below is the command to extract the kernel32.dll module as complete as possible from a given memory dump:
python3 vol.py -f MemoryDumpFile windows.modex --module kernel32.dll
After running a command like the one above, Modex will generate a directory containing the following files:
- .dmp file: The module after performing the mixture.
- .json file: The metadata about the extracted module.
- .txt file: A log file with information about the Modex execution.
Sometimes, Modex finds anomalies. For us, an anomaly happens when various shared pages with the same offset have different contents. In such cases, we detect the anomaly and report it. If you want to dump the pages that contain the anomalies, you can supply the --dump-anomalies option. For more information, you can run the following command: python3 vol.py windows.modex -h.
Note: Right now, in the tests we have performed, Modex finishes with an ImportError (ImportError: sys.meta_path is None, Python is likely shutting down), however, this error does not have an effect on the results. We are working to solve this issue, but it is irrelevant to the final Modex output.
You can also check if the output generated by Modex is valid. For that, run the tests.py program as follows:
python3 tests.py modex_output
For more information about the tests.py program, use the command python3 tests.py -h.
In addition to the Modex plugin, this repository also contains the InterModex tool (inter_modex.py). InterModex uses the Modex plugin to extract the same module from different memory dumps which were taken from the same Windows 10 machine (before turning it off) and performs a mixture of all of them.
InterModex is a Python 3 command line tool that depends on the Modex plugin, as a result, the Modex plugin needs to be installed to make use of InterModex. Additionally, Volatility 3 has to be installed as a Python package, which is not necessary for Modex, but it is for InterModex. The installation as a Python package must be done after copying the necessary files (mentioned in the Installation section of Modex) inside the volatility3/framework/plugins/windows directory. If it was done before, just run the following commands from the cloned Volatility 3 repository to make Volatility 3 aware of the new plugins:
python3 setup.py build
python3 setup.py install
InterModex offers the option to perform a derelocation process on the final module. For this optional derelocation process, InterModex depends on SUM (Similarity Unrelocated Module), so SUM has to be installed on the system where InterModex will be used. All the information to install SUM is in its repository. One aspect to take into account is that SUM a Python 2 tool that is designed to work on Linux systems, as a result, we recommend to use InterModex on Linux systems if you want to perform a derelocation process on the extracted module.
Here is how to use the InterModex tool:
usage: inter_modex.py [-h] [-a] [-d MEMORY_DUMPS_DIRECTORY] [--detect] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [-m MODULE] [-o MODEX_OUTPUTS_DIRECTORY] [-p] [-r]
[-s SUM_PATH] [-t VOLATILITY_PATH] [-v]
Extracts a module as complete as possible from multiple memory dumps
optional arguments:
-h, --help show this help message and exit
-a, --dump-anomalies When there are different shared pages at the same offset, dump those pages
-d MEMORY_DUMPS_DIRECTORY, --memory-dumps-directory MEMORY_DUMPS_DIRECTORY
directory where the memory dumps are (the Modex plugin will be called)
--detect detect the presence of the DLL hijacking technique
-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
logging level
-m MODULE, --module MODULE
name of the module to extract
-o MODEX_OUTPUTS_DIRECTORY, --modex-outputs-directory MODEX_OUTPUTS_DIRECTORY
directory where the Modex outputs are (the Modex plugin will not be called)
-p, --perform-derelocation
perform a derelocation process after extracting the module
-r, --remove-modex-outputs
remove the outputs generated by the Modex plugin (only if the Modex plugin is called)
-s SUM_PATH, --sum-path SUM_PATH
path where the sum.py file is
-t VOLATILITY_PATH, --volatility-path VOLATILITY_PATH
path where the vol.py file is
-v, --version show the program version and exit
As a concrete example, in order to extract the kernel32.dll module as complete as possible taking into account data from different memory dumps which are all inside the same directory, you can run the following command:
python3 inter_modex.py --memory-dumps-directory MemoryDumpsDirectory --volatility-path VolatilityPath --module kernel32.dll
Additionally, for InterModex to work, the python3 command has to be a valid command in the command line (and also the python2 command if you want to derelocate the extracted module with SUM). Finally, the outputs produced by the InterModex tool are very similar to the ones generated by Modex, and the tests.py file can also be used to check if an InterModex output is correct.
In addition to extracting a module as complete as possible, Modex and InterModex can also be used to detect the DLL hijacking technique. For that, the --detect option must be supplied. When this option is provided, the output is a directory that contains a JSON file and a text file. The JSON file contains information about the detection, and the text file is a log file with details about the execution.
Licensed under the GNU GPLv3 license.