SANS Sift Workstation

Download: login/pass: sansforensics/forensics


VMWare crap

Reinstalling VMware Tools to enable folder sharing was brutal.
Copy linux.iso from the VMware installation directory to a location where it can be mounted as a CD-ROM image from VMware.
Then copy the contents of the VMware Tools folder to /tmp:

tar xvzf VMwareTools-10.3.23-16594550.tar.gz 
cd vmware-tools-distrib/
sudo vmhgfs-fuse .host:/Share /mnt/windows_mount -o allow_other -o uid=1000

Share is the name of my shared folder

Yara rules

The YARA rules can be cloned from git:

sudo su
cd /opt
mkdir yara
cd yara
git clone
chown -Rh sansforensics /opt/yara

Fix volatility-yara

  • edit /usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/
185     def __init__(self, config, *args, **kwargs):
186         taskmods.DllList.__init__(self, config, *args, **kwargs)
187         config.add_option("ALL", short_option = 'A', default = False, action = 'store_true',
188                         help = 'Scan both process and kernel memory')
189         config.add_option("CASE", short_option = 'c', default = False, action = 'store_true',
190                         help = 'Make the search case insensitive')
191         config.add_option("KERNEL", short_option = 'K', default = False, action = 'store_true',
192                         help = 'Scan kernel modules')
193         config.add_option("WIDE", short_option = 'W', default = False, action = 'store_true',
194                         help = 'Match wide (unicode) strings')
195         config.add_option('YARA-RULES', short_option = 'U', default = None,
196                         help = 'Yara rules (as a string)')

On line 189 change short_option = 'C' to 'c', and on line 195 change short_option = 'Y' to 'U' (the listing above already shows the edited values).

If you don't, yarascan fails with an option conflict as soon as the plugin is loaded:

$ -f black_energy.vmem --profile=WinXPSP2x86 yarascan -h
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "/usr/local/bin/", line 192, in <module>
  File "/usr/local/bin/", line 174, in main
    command = cmds[module](config)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/", line 190, in __init__
    help = 'Make the search case insensitive')        
  File "/usr/local/lib/python2.7/dist-packages/volatility/", line 363, in add_option
    self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
  File "/usr/lib/python2.7/", line 1021, in add_option
  File "/usr/lib/python2.7/", line 996, in _check_conflict
optparse.OptionConflictError: option -C/--case: conflicting option string(s): -C
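An added example (not from this page or from the Volatility project) that reproduces the optparse clash behind the traceback and applies the two short-option changes to the plugin source. The SAMPLE lines are constructed to mirror lines 189 and 195 as shipped; since the page does not name the plugin file, patch_file takes its full path as an argument.

```python
import optparse
import re
import shutil
import sys

# Constructed sample mirroring lines 189 and 195 of the plugin as shipped.
SAMPLE = (
    "        config.add_option(\"CASE\", short_option = 'C', default = False, action = 'store_true',\n"
    "        config.add_option('YARA-RULES', short_option = 'Y', default = None,\n"
)
# Plugin option name -> (short flag to replace, replacement), as in the notes above.
FIXES = {"CASE": ("C", "c"), "YARA-RULES": ("Y", "U")}

def short_option_clashes(already_registered, proposed):
    """True if registering -<proposed> on a parser that already owns -<already_registered>
    raises OptionConflictError. optparse compares option strings exactly, so a
    different letter (or a different case of the same letter) avoids the clash."""
    parser = optparse.OptionParser(add_help_option=False)
    parser.add_option("-" + already_registered, "--existing", action="store_true")
    try:
        parser.add_option("-" + proposed, "--new", action="store_true")
    except optparse.OptionConflictError:
        return True
    return False

def patch_short_options(source):
    """Rewrite short_option letters only on the add_option lines named in FIXES.
    Returns (patched_source, replacements); a second run changes nothing."""
    count = 0
    for name, (old, new) in FIXES.items():
        pattern = re.compile(
            r"(add_option\(\s*[\"']%s[\"']\s*,\s*short_option\s*=\s*[\"'])%s([\"'])"
            % (re.escape(name), old))
        source, n = pattern.subn(r"\g<1>%s\2" % new, source)
        count += n
    return source, count

def patch_file(path):
    """Back up the plugin to <path>.orig, then write the patched source in place."""
    with open(path) as fh:
        original = fh.read()
    patched, count = patch_short_options(original)
    if count:
        shutil.copyfile(path, path + ".orig")
        with open(path, "w") as fh:
            fh.write(patched)
    return count

if __name__ == "__main__":
    print("replacements:", patch_file(sys.argv[1]) if len(sys.argv) > 1 else patch_short_options(SAMPLE)[1])
```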

yara rules fix

Some of the malware rules are broken; comment out the offending include:

  • /opt/yara/rules/malware_index.yar line 104
//include "./malware/MALW_AZORULT.yar"
os/kali/sansdift.txt · Last modified: 2021/12/29 21:03 by warnaud