9. Inspecting Registry
From a forensics perspective, the registry can provide valuable information about the context of the malware. While discussing the persistence methods in Chapter 7, Malware Functionalities and Persistence, you saw how malicious programs add entries in the registry to survive the reboot. In addition to persistence, the malware uses the registry to store configuration data, encryption keys, and so on. To print the registry key, subkeys, and its values, you can use the printkey
plugin by providing the desired registry key path using the -K
(--key
) argument. In the following example of a memory image infected with Xtreme Rat, it adds the malicious executable C:\Windows\InstallDir\system.exe
in the Run registry key. As a result, the malicious executable will be executed every time the system starts:
$ python vol.py -f xrat.vmem --profile=Win7SP1x86 printkey -K "Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) ...