As part of the 2014 Volatility Plugin Contest, I created a plugin called idxparser, based on Brian Baskin’s Java IDX Parser script. A sample IDX file is available at sample.idx and a sample memory image is available at voltest.zip. The plugin can be found on my volatility-plugins repo on GitHub.

I typically see a lot of drive-by Java exploits and can usually trace where the malicious JAR file came from through a Java .idx file that was left behind. Often, these files are small enough that they are MFT-resident. Since this plugin works on a physical address space, you can pass an IDX file itself, an extracted MFT file, or a full memory dump to Volatility and have it extract any IDX files it finds. It’s a useful plugin for quickly finding any IDX files in a memory image of a system that may have been compromised by a Java exploit.

Section 4 of the IDX file is made up of sub-blocks identified by different opcodes. Brian Baskin’s original code limits the number of unknown opcodes printed to 5 before exiting. This plugin prints all the data in section 4 by default; the -U (for UNKNOWN) option limits the plugin to printing only 5, as the original script does.
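To show the kind of work the plugin does on a raw address space, here is an added example (my own illustration, not the plugin's code) that carves candidate IDX section 1 headers out of an arbitrary byte blob and derives the section 2/3/4 offsets the later sections are parsed from. The section 1 field layout, the 128-byte start of section 2, the carving signature and the sanity bound on section lengths are all assumptions made for this example; the sample blob is constructed to mirror the sample.idx values from this post.

```python
import re
import struct
from datetime import datetime, timezone

# Assumed section-1 layout (big-endian) as read by Baskin-style IDX parsers:
# busy(1) incomplete(1) version(4) shortcut(1) content_len(4) last_modified_ms(8)
# expiration_ms(8) validation_ms(8) known_signed(1) sec2_len(4) sec3_len(4) sec4_len(4)
SEC1_FMT = ">BBiBiqqqBiii"
SEC2_OFFSET = 128  # assumption: section 1 is padded to 128 bytes, section 2 follows
# Carving signature: two flag bytes (0 or 1) then a cache version of 602..606
IDX_SIG = re.compile(rb"[\x00\x01]{2}\x00\x00\x02[\x5a-\x5e]")
MAX_SECTION = 1 << 20  # constructed sanity bound that rejects random matches


def parse_section1(blob, base=0):
    """Decode section 1 at blob[base:] into a dict with derived section offsets."""
    (_busy, _incomplete, version, _shortcut, content_len, last_mod_ms, _exp_ms,
     _val_ms, _signed, s2, s3, s4) = struct.unpack_from(SEC1_FMT, blob, base)
    epoch = last_mod_ms // 1000  # Java stores milliseconds; the plugin prints seconds
    try:
        stamp = datetime.fromtimestamp(epoch, timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    except (OverflowError, OSError, ValueError):
        stamp = "<invalid>"  # garbage carved from a dump will not always convert
    return {"version": version, "content_length": content_len,
            "last_modified_epoch": epoch, "last_modified": stamp,
            "sec2_len": s2, "sec3_len": s3, "sec4_len": s4,
            "sec2_off": base + SEC2_OFFSET,
            "sec3_off": base + SEC2_OFFSET + s2,
            "sec4_off": base + SEC2_OFFSET + s2 + s3}


def carve_idx(blob):
    """Return a section-1 record for every plausible IDX header found in a raw blob."""
    hits = []
    for m in IDX_SIG.finditer(blob):
        if len(blob) - m.start() < struct.calcsize(SEC1_FMT):
            continue
        rec = parse_section1(blob, m.start())
        lens = (rec["sec2_len"], rec["sec3_len"], rec["sec4_len"])
        if rec["sec2_len"] > 0 and all(0 <= n < MAX_SECTION for n in lens):
            hits.append(rec)
    return hits


def build_sample_dump():
    """Constructed blob: junk, a 128-byte section 1 mirroring the sample.idx values
    from this post, then more junk standing in for the rest of a memory image."""
    hdr = struct.pack(SEC1_FMT, 0, 0, 605, 0, 7162, 996123600 * 1000, 0, 0, 0, 365, 167, 15)
    return b"\xff" * 40 + hdr.ljust(SEC2_OFFSET, b"\x00") + b"\x41" * 600
```

Running carve_idx(build_sample_dump()) yields one record whose content length, epoch and section lengths match the sample.idx output below; on a real dump the sanity bound is what keeps stray byte patterns from being reported as cache entries.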

Below are samples of running it against an IDX file from a malicious JAR and a memory dump containing some IDX files associated with a Java game.

IDX File

$ vol.py --plugins=../plugins/ -f sample.idx idxparser
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 7162
Last modified date: Thu, 26 Jul 2001 05:00:00 GMT (epoch: 996123600)
Section 2 length: 365
Section 3 length: 167
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://83d2c156f3.gshjsawsf.su:82/forum/dare.php?hsh=6&key=b34a24eac5c7b57265d5b3d3f0abd2ab
IP: 50.7.219.70
<null>: HTTP/1.1 200 OK
content-length: 7162
last-modified: Mon, 26 Jul 2001 05:00:00 GMT
content-type: application/x-java-archive
date: Sun, 13 Jan 2013 16:22:01 GMT
server: nginx/1.0.15
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.3
X-COMMENT: Main-Class will be added automatically by build
Class-Path:
Created-By: 1.7.0_07-b11 (Oracle Corporation)

[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data: Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0 Hex: 300d0a
--------------------------------------------------------------------------------

Memory Dump

$ vol.py --plugins=../plugins/ -f voltest.dmp idxparser
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 61699
Last modified date: Fri, 10 Oct 2008 20:25:10 GMT (epoch: 1223670310)
Section 2 length: 438
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/inthejar.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 61699
last-modified: Fri, 10 Oct 2008 20:25:10 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:56 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:


[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:       	Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0         	Hex: 300d0a
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 158471
Last modified date: Fri, 10 Oct 2008 20:25:23 GMT (epoch: 1223670323)
Section 2 length: 434
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/res.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 158471
last-modified: Fri, 10 Oct 2008 20:25:23 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:57 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:


[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:       	Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0         	Hex: 300d0a
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 139622
Last modified date: Fri, 10 Oct 2008 20:25:16 GMT (epoch: 1223670316)
Section 2 length: 435
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/jpct.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 139622
last-modified: Fri, 10 Oct 2008 20:25:16 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:56 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:


[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:       	Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0         	Hex: 300d0a
--------------------------------------------------------------------------------