As part of the 2014 Volatility Plugin Contest, I created a plugin called idxparser, based on Brian Baskin's Java IDX Parser script. A sample IDX file is available at sample.idx and a sample memory image is available at voltest.zip. The plugin can be found in my volatility-plugins repo on GitHub.
I typically see a lot of drive-by Java exploits and can usually trace where the malicious JAR file came from through a Java .idx file that was left behind. Often these files are small enough to be MFT-resident. Since this plugin works on a physical address space, you can pass an IDX file itself, an extracted MFT file, or a full memory dump to Volatility and have it extract any IDX files it finds. It is a useful plugin for quickly finding IDX files in a memory image of a system that may have been compromised by a Java exploit.
Section 4 of the IDX file contains blocks identified by different opcodes. Brian Baskin's original code stops after printing 5 unknown opcodes. This plugin prints all the data in section 4 by default; the -U (for UNKNOWN) option restores the original behaviour and limits the plugin to printing only 5.
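To show what the plugin is doing when it walks a physical address space, here is an added example (my code, not the post's plugin and not Brian Baskin's script) that carves Java IDX records out of an arbitrary byte buffer such as a raw file, an extracted $MFT, or a memory image, and decodes the two sections the output above relies on most: section 1 (content length, last-modified time, section lengths) and section 2 (URL, IP and HTTP headers). The version-605 field offsets, the header signature regex, and the section-2 layout (URL, IP, a header count, then name/value pairs, all written as Java writeUTF strings) are my assumptions drawn from how Baskin's parser reads the format; check them against a real .idx before relying on them. The embedded "image" is constructed test data that reuses the URL and IP from the game-JAR output shown later on this page.

```python
import re
import struct
import time

# Layout assumptions (mine, not from the post): Java cache index version 605, as read by
# Brian Baskin's parser. Section 1 is a fixed 128-byte header; section 2 follows it.
SEC1_LEN = 128
# Section 1 starts: busy(1) incomplete(1) version(int32 BE); 602..605 = 0x025a..0x025d.
IDX_MAGIC = re.compile(rb"[\x00\x01][\x00\x01]\x00\x00\x02[\x5a-\x5d]")


def fmt_time(epoch):
    """Same date style the plugin prints, e.g. 'Fri, 10 Oct 2008 20:25:10 GMT'."""
    return time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime(epoch))


def read_utf(buf, off):
    """One Java DataOutputStream.writeUTF string: uint16 BE length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    start = off + 2
    return buf[start:start + n].decode("utf-8", "replace"), start + n


def parse_section1(buf, base):
    """Metadata header. Only the v605 offsets are handled (assumed layout, see above)."""
    if base + SEC1_LEN > len(buf):
        return None
    version = struct.unpack_from(">i", buf, base + 2)[0]
    if version != 605:
        return {"version": version}  # 602-604 lay the fields out differently; skipped here
    content_len = struct.unpack_from(">i", buf, base + 9)[0]
    last_mod_ms = struct.unpack_from(">q", buf, base + 13)[0]   # Java millisecond epoch
    sec2, sec3, sec4 = struct.unpack_from(">iii", buf, base + 38)
    return {"version": version, "content_length": content_len,
            "last_modified": last_mod_ms // 1000,
            "sec2_len": sec2, "sec3_len": sec3, "sec4_len": sec4}


def parse_section2(buf, base, sec2_len):
    """Download history: URL, IP, then a count and (name, value) header pairs."""
    end = base + sec2_len
    url, off = read_utf(buf, base)
    ip, off = read_utf(buf, off)
    (count,) = struct.unpack_from(">i", buf, off)
    off += 4
    headers = []
    for _ in range(count):
        if off >= end:
            break  # truncated or lying length field: keep what parsed so far
        name, off = read_utf(buf, off)
        value, off = read_utf(buf, off)
        headers.append((name, value))
    return {"url": url, "ip": ip, "headers": headers}


def carve_idx(buf):
    """Scan a raw buffer for IDX headers, the way the plugin scans the physical address
    space, and return every record whose sections 1 and 2 parse cleanly."""
    records = []
    for m in IDX_MAGIC.finditer(buf):
        base = m.start()
        try:
            s1 = parse_section1(buf, base)
            if not s1 or s1["version"] != 605 or not 0 < s1["sec2_len"] <= 65536:
                continue
            s2 = parse_section2(buf, base + SEC1_LEN, s1["sec2_len"])
        except (struct.error, IndexError):
            continue  # signature hit on unrelated bytes
        if not s2["url"].lower().startswith("http"):
            continue  # plausible header but no URL where one belongs: false positive
        records.append({"offset": base, "section1": s1, "section2": s2})
    return records


def build_sample_idx(url, ip, headers, content_len, last_modified_epoch):
    """Constructed test data: a v605 section 1 plus section 2, with empty sections 3 and 4."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    sec2 = utf(url) + utf(ip) + struct.pack(">i", len(headers))
    for name, value in headers:
        sec2 += utf(name) + utf(value)
    sec1 = bytearray(SEC1_LEN)
    struct.pack_into(">i", sec1, 2, 605)
    struct.pack_into(">i", sec1, 9, content_len)
    struct.pack_into(">q", sec1, 13, last_modified_epoch * 1000)
    struct.pack_into(">iii", sec1, 38, len(sec2), 0, 0)
    return bytes(sec1) + sec2


# Constructed "image": two IDX records surrounded by unrelated bytes.
SAMPLE_IMAGE = (
    b"\xff" * 64
    + build_sample_idx("http://javagameplay.com/offroadrally/inthejar.jar", "209.188.88.156",
                       [("<null>", "HTTP/1.1 200 OK"), ("content-length", "61699"),
                        ("content-type", "text/plain")], 61699, 1223670310)
    + b"\x00" * 40 + b"MFTRECORD"
    + build_sample_idx("http://javagameplay.com/offroadrally/res.jar", "209.188.88.156",
                       [("<null>", "HTTP/1.1 200 OK"), ("content-length", "158471")],
                       158471, 1223670323)
    + b"\x00" * 16
)

if __name__ == "__main__":
    for rec in carve_idx(SAMPLE_IMAGE):
        s1, s2 = rec["section1"], rec["section2"]
        print("[*] IDX header at offset 0x%x" % rec["offset"])
        print("Content length: %d" % s1["content_length"])
        print("Last modified date: %s (epoch: %d)" % (fmt_time(s1["last_modified"]), s1["last_modified"]))
        print("URL: %s\nIP: %s" % (s2["url"], s2["ip"]))
        for name, value in s2["headers"]:
            print("%s: %s" % (name, value))
```

Running the module prints both carved records in the plugin's style. The signature regex only anchors on the six leading bytes of section 1, so on a real image it will fire on unrelated data too; the version check, the bounded section-2 length and the URL sanity check are what keep the false positives out of the result list.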
Below are samples of running it against an IDX file from a malicious JAR and a memory dump containing some IDX files associated with a Java game.
IDX File
$ vol.py --plugins=../plugins/ -f sample.idx idxparser
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------
[*] Section 1 (Metadata) found:
Content length: 7162
Last modified date: Thu, 26 Jul 2001 05:00:00 GMT (epoch: 996123600)
Section 2 length: 365
Section 3 length: 167
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://83d2c156f3.gshjsawsf.su:82/forum/dare.php?hsh=6&key=b34a24eac5c7b57265d5b3d3f0abd2ab
IP: 50.7.219.70
<null>: HTTP/1.1 200 OK
content-length: 7162
last-modified: Mon, 26 Jul 2001 05:00:00 GMT
content-type: application/x-java-archive
date: Sun, 13 Jan 2013 16:22:01 GMT
server: nginx/1.0.15
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.3
X-COMMENT: Main-Class will be added automatically by build
Class-Path:
Created-By: 1.7.0_07-b11 (Oracle Corporation)

[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:
Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0
Hex: 300d0a
--------------------------------------------------------------------------------
Memory Dump
$ vol.py --plugins=../plugins/ -f voltest.dmp idxparser
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------
[*] Section 1 (Metadata) found:
Content length: 61699
Last modified date: Fri, 10 Oct 2008 20:25:10 GMT (epoch: 1223670310)
Section 2 length: 438
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/inthejar.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 61699
last-modified: Fri, 10 Oct 2008 20:25:10 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:56 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:

[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:
Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0
Hex: 300d0a
--------------------------------------------------------------------------------
[*] Section 1 (Metadata) found:
Content length: 158471
Last modified date: Fri, 10 Oct 2008 20:25:23 GMT (epoch: 1223670323)
Section 2 length: 434
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/res.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 158471
last-modified: Fri, 10 Oct 2008 20:25:23 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:57 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:

[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:
Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0
Hex: 300d0a
--------------------------------------------------------------------------------
[*] Section 1 (Metadata) found:
Content length: 139622
Last modified date: Fri, 10 Oct 2008 20:25:16 GMT (epoch: 1223670316)
Section 2 length: 435
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/jpct.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 139622
last-modified: Fri, 10 Oct 2008 20:25:16 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:56 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:

[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:
Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0
Hex: 300d0a
--------------------------------------------------------------------------------