honeybeest / malwarecookbook
Automatically exported from code.google.com/p/malwarecookbook
it would be nice to let someone scan for yara sigs only. currently when you
scan for yara sigs, you also see the executable/VadS memory segments.
Original issue reported on code.google.com by [email protected]
on 17 Jun 2011 at 4:14
What steps will reproduce the problem?
1. run ssdeep_procs.py on x64 bit Windows 7 machine with 64 bit python and pywin32
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
Windows 7 x64 SP1
Python 3.2 - pywin32-216
Python 3.2.2 64 bit
Please provide any additional information below.
At first this seems to be because of the incompatible size of MODULEENTRY32: szModule and
szExePath should be c_wchar arrays but they are of type c_char.
But that will not fix this.
Original issue reported on code.google.com by [email protected]
on 22 Mar 2012 at 6:35
$ python vol.py -f ../VMwareShared/memory/rustock.vmem apihooks -K
Volatile Systems Volatility Framework 1.4_rc1
Name Type Target Value
- inlinek ntoskrnl.exe!ExRaiseAccessViolation 0x8060ab58 PUSH 0xc0000005; RET (UNKNOWN)
- inlinek ntoskrnl.exe!IofCallDriver 0x804ee130 JMP [0x8054c280] =>> 0xb17a189d ('\\Driver\\pe386')
- inlinek ntoskrnl.exe!_purecall 0x80534d1e PUSH 0xc0000002; RET (UNKNOWN)
Original issue reported on code.google.com by [email protected]
on 1 Jun 2011 at 3:39
What steps will reproduce the problem?
1. Analyze 30,000 something PE malware
What is the expected output? What do you see instead?
najmi@vostro:~/malware-csm$ ./pescanner.py . > report.txt
Traceback (most recent call last):
File "./pescanner.py", line 391, in <module>
pescan.collect()
File "./pescanner.py", line 323, in collect
callbacks = self.check_tls(pe)
File "./pescanner.py", line 161, in check_tls
func = pe.get_dword_from_data(pe.get_data(callback_array_rva + 4 * idx, 4), 0)
File "/usr/local/lib/python2.7/dist-packages/pefile-1.2.10_107-py2.7.egg/pefile.py", line 3779, in get_data
raise PEFormatError, 'data at RVA can\'t be fetched. Corrupt header?'
pefile.PEFormatError: "data at RVA can't be fetched. Corrupt header?"
najmi@vostro:~/malware-csm$
What version of the product are you using? On what operating system?
Version: From malwarecookbook SVN
OS: On Ubuntu 11.04 Natty
Please provide any additional information below.
I have to segregate the PE samples into 100-200 files.. which is tedious since
there are 30,000 samples.
Badly need your help :)
Original issue reported on code.google.com by najmi.zabidi
on 18 Jun 2011 at 4:00
nt!CmpCallBackVector pre-Vista
nt!CallbackListHead post-Vista
and nt!CmpCallBackCount
Thanks Frank Boldewin for the suggestion and info.
Original issue reported on code.google.com by [email protected]
on 10 Jan 2011 at 6:30
Reported by Frank B.
kd> !drvobj \driver\atapi 2
Driver object (8216c878) is for:
\Driver\atapi
DriverEntry: f84e75f7
DriverStartIo: 81ca5292
DriverUnload: f84e3204
AddDevice: f84e1300
Dispatch routines:
[00] IRP_MJ_CREATE f84dc572 +0xf84dc572
[01] IRP_MJ_CREATE_NAMED_PIPE 804f320e nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE f84dc572 +0xf84dc572
[03] IRP_MJ_READ 804f320e nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE 804f320e nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION 804f320e nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION 804f320e nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA 804f320e nt!IopInvalidDeviceRequest
[08] IRP_......
see DriverStartIo
kd> u 81ca5292
81ca5292 55 push ebp
81ca5293 8bec mov ebp,esp
81ca5295 8b4508 mov eax,dword ptr [ebp+8]
81ca5298 83ec0c sub esp,0Ch
81ca529b 3b0504b5ca81 cmp eax,dword ptr ds:[81CAB504h]
81ca52a1 a180b5ca81 mov eax,dword ptr ds:[81CAB580h]
81ca52a6 7503 jne 81ca52ab
81ca52a8 894508 mov dword ptr [ebp+8],eax
kd> !address 81ca5292
80fed000 - 01213000
Usage KernelSpaceUsageNonPagedPool
Original issue reported on code.google.com by [email protected]
on 7 Jan 2011 at 6:52
What steps will reproduce the problem?
1. Checkout volatility-read-only
2. sudo python setup.py install
3. vol.py -h
What is the expected output? What do you see instead?
Expect to see malware plugins, such as 'malfind'
Do not see these plugins
What version of the product are you using? On what operating system?
2.1 alpha on Ubuntu 10.04LTS
Please provide any additional information below.
I copied the malware directory from the source to
/usr/local/lib/python2.6/dist-packages/volatility/plugins and the malware
plugins I've tried so far seem to work. grep'd the source directory for
'malware' and noticed in vol.py it seems to state malware plugins aren't
installed if yara isn't found. There doesn't seem to be a clear warning about
that in the output of setup.py.
Original issue reported on code.google.com by [email protected]
on 23 Jun 2012 at 4:19
As the summary states, after using the clamav_to_yara.py script to convert
uncompressed ClamAV signature file to Yara signature, I'm seeing a lot of those
[invalid skip in string "$a1"]. Is this a bug?
Original issue reported on code.google.com by [email protected]
on 11 Feb 2014 at 2:09
VirusTotal has recently released VT API v2.0, moving v1.0 to deprecated
status. avsubmit.py with API v1.0 still currently works, however access to v1.0
may be removed at some point in the future.
API v2.0 uses new HTTP POST URLs for sending files and requesting reports. The
new send file URL is "https://www.virustotal.com/vtapi/v2/file/scan" and the
request report URL is "https://www.virustotal.com/vtapi/v2/file/report".
From reviewing the sample code on VT's website and avsubmit.py, converting the
Virustotal.upload_file def to v2 should only require changing the HTTP POST URL.
Receiving the report and adding it to the database will require more changes
than just updating the POST URL. Version 2 of the API now returns much more
data and in a different format than v1. Version 2 uses a dictionary for each AV
vendor with additional data included in the key:value pairs.
VirusTotal API v2.0 documentation and sample code available here:
https://www.virustotal.com/documentation/public-api/
Original issue reported on code.google.com by [email protected]
on 7 Feb 2012 at 11:19
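As an added example (not avsubmit.py's own code), the function below flattens a v2-style report, which nests a dictionary per AV vendor, into the plain vendor/result rows a v1 consumer stored, and refuses to flatten a report that is not ready yet. The sample response is constructed; its field names (response_code, positives, total, scans with detected/result/version/update per vendor) follow the public v2 file/report format, and the hash is a placeholder.

```python
import json

# Constructed sample of a VT API v2 file/report response; not real scan data.
SAMPLE_V2_REPORT = json.dumps({
    "response_code": 1,
    "resource": "0" * 32,  # placeholder MD5, not a real sample
    "scan_date": "2012-02-07 11:19:00",
    "positives": 2,
    "total": 3,
    "scans": {
        "VendorA": {"detected": True, "version": "1.0",
                    "result": "Trojan.Generic", "update": "20120207"},
        "VendorB": {"detected": False, "version": "2.3",
                    "result": None, "update": "20120206"},
        "VendorC": {"detected": True, "version": "5.1",
                    "result": "Win32.Agent", "update": "20120207"},
    },
})


class ReportNotReady(Exception):
    """Raised when v2 reports the resource as unknown (0) or still queued (-2)."""


def parse_v2_report(raw):
    """Return (positives, total, rows), where rows is a sorted list of
    (vendor, result) tuples in the flat v1-like shape; engines that did not
    detect anything get an empty result string."""
    report = json.loads(raw)
    code = report.get("response_code")
    if code != 1:
        # 0 = never seen, -2 = queued: nothing to store yet, retry later.
        raise ReportNotReady("response_code %r: report not available" % code)

    scans = report.get("scans", {})
    rows = []
    for vendor in sorted(scans):
        entry = scans[vendor]
        # v2 nests metadata per vendor; v1 only carried the result string.
        result = entry.get("result") if entry.get("detected") else None
        rows.append((vendor, result or ""))

    # Cross-check the header count against the per-vendor flags so a
    # truncated or merged response is noticed instead of stored silently.
    detected = sum(1 for entry in scans.values() if entry.get("detected"))
    if detected != report.get("positives"):
        raise ValueError("positives header %r does not match %d detections"
                         % (report.get("positives"), detected))
    return report["positives"], report["total"], rows


if __name__ == "__main__":
    positives, total, rows = parse_v2_report(SAMPLE_V2_REPORT)
    print("%d/%d engines flagged the file" % (positives, total))
    for vendor, result in rows:
        print("%-10s %s" % (vendor, result or "-"))
```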
Traceback (most recent call last):
File "vol.py", line 130, in <module>
main()
File "vol.py", line 121, in main
command.execute()
File "/TESTING/Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
func(outfd, data)
File "/TESTING/Volatility-1.4_rc1/volatility/plugins/malware.py", line 900, in render_text
for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
File "/TESTING/Volatility-1.4_rc1/volatility/plugins/malware.py", line 769, in calculate
offset = addr_space.vtop(proc.obj_offset)
File "/TESTING/Volatility-1.4_rc1/volatility/plugins/addrspaces/intel.py", line 433, in vtop
pdpte = self.get_pdpte(vaddr)
File "/TESTING/Volatility-1.4_rc1/volatility/plugins/addrspaces/intel.py", line 376, in get_pdpte
return self.pdpte_cache[self.pdpte_index(vaddr)]
TypeError: tuple indices must be integers, not NoneObject
Original issue reported on code.google.com by [email protected]
on 15 Jun 2011 at 4:45
What steps will reproduce the problem?
1. install volatility from the 1.4 rc1 branch
2. run volatility with 'psxview' option
3. error
update malware.py to reference filescan.PSScan2 rather than modscan2.PSScan2
2844c2844
< return dict((p.UniqueProcessId.v(), p) for p in
modscan2.PSScan2(self._config).calculate() if p.ExitTime == 0)
---
> return dict((p.UniqueProcessId.v(), p) for p in
filescan.PSScan2(self._config).calculate() if p.ExitTime == 0)
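Review bot: the hunk swaps the call site from modscan2.PSScan2 to filescan.PSScan2 but shows no matching import change; if malware.py only imports modscan2, the new reference fails with a NameError when psxview runs. Make sure the filescan module is imported alongside (or instead of) modscan2, and drop the modscan2 import if nothing else in the file still uses it.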
Original issue reported on code.google.com by [email protected]
on 28 Apr 2011 at 4:45
Thanks to Xeno for noticing.
Original issue reported on code.google.com by [email protected]
on 2 Apr 2011 at 11:23
As reported by Lenny
Original issue reported on code.google.com by [email protected]
on 7 Dec 2011 at 2:45
use tasks.Peb.ImageBase to match the module's base address with
Original issue reported on code.google.com by [email protected]
on 4 Apr 2011 at 10:09
ie remove all these:
pspace = utils.load_as(self._config, astype = 'physical')
Original issue reported on code.google.com by [email protected]
on 28 Jun 2011 at 3:12
What steps will reproduce the problem?
1. vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
2.
3.
What is the expected output? What do you see instead?
I get at least partial output, in that some sections are dumped, but this
particular image generates the below error.
What version of the product are you using? On what operating system?
# uname -a
Linux aardvark 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:52:38 UTC 2011
x86_64 GNU/Linux
malware.py was installed on Nov. 18th...
Image was taken with Helix 2009 R3 live CD
Please provide any additional information below.
# vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 135, in <module>
main()
File "/usr/local/bin/vol.py", line 126, in main
command.execute()
File "/usr/local/lib/python2.6/dist-packages/volatility/commands.py", line 101, in execute
func(outfd, data)
File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 1042, in render_text
for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 992, in calculate
for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 909, in get_vads
ps_ad = proc.get_process_address_space()
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 197, in get_process_address_space
process_as = self.obj_vm.__class__(self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 89, in __init__
self.as_assert(getattr(volmag, checkname).v(), "Failed valid Address Space check")
File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 801, in v
return self.get_best_suggestion()
File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 827, in get_best_suggestion
for val in self.get_suggestions():
File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 819, in get_suggestions
for x in self.generate_suggestions():
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 505, in generate_suggestions
if (self.obj_vm.vtop(0xffdf0000)) == (self.obj_vm.vtop(0x7ffe0000)):
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 447, in vtop
pte = self.get_pte(vaddr, pde)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 414, in get_pte
return self._read_long_long_phys(pte_addr)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 459, in _read_long_long_phys
string = self.base.read(addr, 8)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/standard.py", line 97, in read
self.fhandle.seek(addr)
IOError: [Errno 22] Invalid argument
Original issue reported on code.google.com by [email protected]
on 16 Dec 2011 at 7:47
What steps will reproduce the problem?
In the avsubmit.py script there are two issues I see
1) Under the novirusthanks class under "def upload_file" it should say:
conn = httplib.HTTPConnection('vscan.novirusthanks.org')
2) Submissions to Threatexpert fail
What is the expected output? What do you see instead?
$ python avsubmit.py -e -f setup.exe
Using ThreatExpert...
Checking ThreatExpert for file with MD5L 04b...
Analysis does not yet exist!
Nothing to add, submission failed.
This format works for all the other sites...
What version of the product are you using? On what operating system?
Ubuntu 10.04.1 Desktop
Please provide any additional information below.
I'm not much of a coder yet, but I'm learning, thanks for the great material! :D
Original issue reported on code.google.com by [email protected]
on 28 Jan 2011 at 8:45
so other plugins can reference malware.idt_info
Original issue reported on code.google.com by [email protected]
on 28 Jun 2011 at 3:13
from the plain ssdt command:
...
Entry 0x11f6: 0xf0fd05a6 (NtUserSendInput) owned by vsdatant.sys
... no more hooks ...
Entry 0x1299: 0xbf954c65 (NtGdiUMPDEngFreeUserMem) owned by win32k.sys
Entry 0x129a: 0xbf817637 (NtGdiDrawStream) owned by win32k.sys
SSDT[2] at e2187818 with 5 entries
Entry 0x2000: 0xefead620 (Unknown) owned by UNKNOWN
Entry 0x2001: 0xefead65e (Unknown) owned by UNKNOWN
...
From ssdt_by_thread
Entry 0x11db: 0xf0fd007a (NtUserPostMessage) owned by vsdatant.sys
Entry 0x11dc: 0xf0fd01b2 (NtUserPostThreadMessage) owned by vsdatant.sys
Entry 0x11dd: 0xf0f27480 (NtUserPrintWindow) owned by RapportPG.sys
Entry 0x11e3: 0xf0f21f56 (NtUserQueryWindow) owned by RapportPG.sys
Entry 0x11eb: 0xf0fcdb4c (NtUserRegisterRawInputDevices) owned by vsdatant.sys
Entry 0x11f6: 0xf0fd05a6 (NtUserSendInput) owned by vsdatant.sys
Traceback (most recent call last):
File "vol.py", line 130, in <module>
main()
File "vol.py", line 121, in main
command.execute()
File "C:\Volatility-1.4_rc1\volatility\commands.py", line 101, in execute
func(outfd, data)
File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 3154, in render_text
for (pid, tid, name, tbl, hooked) in data:
File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 3142, in calculate
if mod_name not in self.executive_modules[idx]:
IndexError: list index out of range
Original issue reported on code.google.com by [email protected]
on 28 Mar 2011 at 1:00
What steps will reproduce the problem?
1. "perl rip.pl -r SYSTEM -p pendingdelete"
*****
What is the expected output? What do you see instead?
expected output as described in malware cookbook
received the following error:
-----------------------
Launching pendingdelete v.20100809
PendingFileRenameOperations
ControlSet001\Control\Session Manager
LastWrite Time Mon Jul 12 13:16:21 2010 (UTC)
Error in plugins/pendingdelete.pl: Can't call method "get_data" on an undefined
value at plugins/pendingdelete.pl line 38.
-----------------------
*****
What version of the product are you using? On what operating system?
using current version, on Ubuntu 10.04. Error replicates both from Linux CLI
and wine cmd CLI using "perl rip.pl" and "rip.exe"
*****
Please provide any additional information below.
Disclaimer: I am not a Perl coder, but can usually figure out how to make it
work. I have performed a line by line comparison between the file I have (from
the book DVD) and the one in this repository. They are the same. This leads
me to believe the problem may be a missing Perl module or a configuration
problem on my end, but all the other RegRipper plugins and Perl scripts from
recipe 10-8 are working as expected. Looking at the code from the
Parse::Win32Registry module in CPAN, I can't see why pendingdelete is not
working and the others are. Any help would be appreciated! GREAT JOB on the
book, BTW. MUCH needed resource!
Original issue reported on code.google.com by [email protected]
on 9 Jan 2011 at 4:51
I have a problem with impscan whenever I try to use it with an injected file; it
shows this output (I have tried -s and it does not work either):
C:\Volatility 2.0>python vol.py --profile=WinXPSP2x86 -f "Windows XP Professional-Snapshot11.vmem" -p 2344 impscan -a 0x6fff0000 -D test
Volatile Systems Volatility Framework 2.1_alpha
Traceback (most recent call last):
File "vol.py", line 135, in <module>
main()
File "vol.py", line 126, in main
command.execute()
File "C:\Volatility 2.0\volatility\commands.py", line 77, in execute
data = self.calculate()
File "C:\Volatility 2.0\volatility\plugins\malware.py", line 1516, in calculate
mods = list(self.list_modules(p))
AttributeError: 'ImpScan' object has no attribute 'list_modules'
Please guys, any help would be appreciated
thanks
Original issue reported on code.google.com by [email protected]
on 30 Oct 2011 at 2:26
* KiNmiCallbackListHead
(http://www.moonsols.com/2011/02/17/global-windows-callbacks-and-windbg/)
* IoRegisterPlugPlayNotification
(http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4)
Original issue reported on code.google.com by [email protected]
on 2 Mar 2011 at 1:40
Since mutants are returned with apostrophes in their name, suspicious mutants
are never highlighted because they are not matched. If you change the code
like so:
if mutants.has_key(ObjectNameString.replace("'", "")):
    css = 'suspicious'
    samples = '<br>'.join(mutants[ObjectNameString.replace("'", "")])
else:
    css = samples = ''
You will get highlighted suspicious mutants.
Original issue reported on code.google.com by [email protected]
on 20 Mar 2011 at 3:34
What steps will reproduce the problem?
C:\Users\dmk\volatility>vol.py -f ..\win7sp1x64.dmp --profile=Win7SP1x64 psxview
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load failed: %1 is not a valid Win32 application.)
Offset Name Pid pslist psscan thrdproc pspcid csr_hnds csr_list
Traceback (most recent call last):
File "C:\Users\dmk\volatility\vol.py", line 135, in <module>
main()
File "C:\Users\dmk\volatility\vol.py", line 126, in main
command.execute()
File "C:\Users\dmk\volatility\volatility\commands.py", line 101, in execute
func(outfd, data)
File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3057, in render_text
for pid, eproc, ps_sources in data:
File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3029, in calculate
pspcid = self.check_pspcid(addr_space),
File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3003, in check_pspcid
for h in PspCidTable.handles():
File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 432, in handles
for h in self._make_handle_array(offset, table_levels):
File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 382, in _make_handle_array
for h in self._make_handle_array(entry, level - 1, depth):
File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 400, in _make_handle_array
item = self.get_item(entry, handle_value)
TypeError: get_item() takes exactly 2 arguments (3 given)
What version of the product are you using? On what operating system?
Volatility svn trunk version (latest).
malware2.1_alpha.py
Please provide any additional information below.
In volatility I changed plugins\overlays\windows\windows.py line 400 to
item = entry.Object.dereference_as("_OBJECT_HEADER", parent = entry, handle_value = handle_value)
from
item = self.get_item(entry, handle_value)
This seems to solve the above issue, but I have a new one:
C:\Users\dmk\volatility>vol.py -f ..\win7sp1x64.dmp --profile=Win7SP1x64 psxview
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load failed: %1 is not a valid Win32 application.)
Offset Name Pid pslist psscan thrdproc pspcid csr_hnds csr_list
Traceback (most recent call last):
File "C:\Users\dmk\volatility\vol.py", line 135, in <module>
main()
File "C:\Users\dmk\volatility\vol.py", line 126, in main
command.execute()
File "C:\Users\dmk\volatility\volatility\commands.py", line 101, in execute
func(outfd, data)
File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3057, in render_text
for pid, eproc, ps_sources in data:
File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3029, in calculate
pspcid = self.check_pspcid(addr_space),
File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3004, in check_pspcid
if self.is_process_object(h, addr_space):
AttributeError: 'PsXview' object has no attribute 'is_process_object'
Original issue reported on code.google.com by [email protected]
on 12 Feb 2012 at 12:53
...
> [INFO] Using MAL1 (uuid: 959271cf-28fd-4ad1-8f34-d696e5a8ffec)
> [INFO] Session state: Locked
> [INFO] Machine state: Running
> 'unicode' object has no attribute 'lockMachine'
> ...
>
> This happens at:
>
> vm.stop() in myvbox.py
>
> and this basically boils down to failing at this spot:
>
> def opensession(self):
>
> *session = self.ctx['global'].openMachineSession(self.mach.id)*
>
> mach = session.machine
>
> return (session, mach)
Original issue reported on code.google.com by [email protected]
on 22 Jun 2011 at 2:17
XP SP2 32bit.
Volatility SVN revision: 1247
C:\volatility>python --version
Python 2.7.1
C:\volatility>python vol.py malfind -f XP.vmem --dump-dir c:\tmp\
Volatile Systems Volatility Framework 2.1_alpha
Traceback (most recent call last):
File "vol.py", line 135, in <module>
main()
File "vol.py", line 126, in main
command.execute()
File "C:\volatility\volatility\commands.py", line 101, in execute
func(outfd, data)
File "C:\volatility\volatility\plugins\malware.py", line 1440, in render_text
for proc, vad, content in data:
File "C:\volatility\volatility\plugins\malware.py", line 1435, in calculate
for vad, data in proc.find_injections():
File "C:\volatility\volatility\plugins\malware.py", line 681, in find_injections
for vad in self.VadRoot.traverse():
File "C:\volatility\volatility\obj.py", line 335, in __getattr__
return getattr(proxied, attr)
AttributeError: 'long' object has no attribute 'traverse'
Original issue reported on code.google.com by [email protected]
on 17 Jan 2012 at 11:06
Combine the two plugins to create a single plugin that marks suspicious threads
based on:
1) orphaned threads per the usual
2) threads with hooked ssdts per the usual
3) threads in idle process with tid != 0
4) anything else?
Original issue reported on code.google.com by [email protected]
on 3 Apr 2011 at 5:52
>What steps will reproduce the problem?
vol.py --profile=WinXPSP3x86 -f d:\memimg\temp.vmem apihooks
>Output below:
Could not list tasks, please verify the --profile option and whether this image
is valid
What version of the product are you using? On what operating system?
This command works fine with malware.py r93.
Original issue reported on code.google.com by [email protected]
on 26 Jul 2011 at 10:25
a
Original issue reported on code.google.com by [email protected]
on 30 Jan 2014 at 7:39
Volatile Systems Volatility Framework 1.4_rc1
PID TID Create Time Exit Time Offset StartAddress
------ ------ ------------------------- ------------------------- ---------- ------------
Traceback (most recent call last):
File "vol.py", line 130, in <module>
main()
File "vol.py", line 121, in main
command.execute()
File "C:\Volatility-1.4_rc1\volatility\commands.py", line 101, in execute
func(outfd, data)
File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 2339, in render_text
for ethread in data:
File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 2327, in calculate
pid = [p.UniqueProcessId for p in tasks.pslist(addr_space) if str(p.ImageFileName) == "System"][0]
Original issue reported on code.google.com by [email protected]
on 28 Mar 2011 at 3:32
Requested by Frank:
further it would be nice if the driverirp feature also prints a disassembly
for DriverStartIo when using -v
Original issue reported on code.google.com by [email protected]
on 5 Feb 2011 at 2:25
Reported by Frank B.
this is what i currently get when i try to use impscan from a injected file
called:
winlogon.exe.22e4da0.0ea00000-0ea3bfff.dmp
C:\forensics\Volatility-1.4_rc1>python volatility.py impscan -f ..\malware-images\SpyEye.vmem -D dump -a 0x0ea00000 -s 0x3bfff -p 624
ea17000 ADVAPI32.dll AllocateAndInitializeSid 77da7a91
ea17200 WS2_32.dll ntohs 71a12b66
ea17004 ADVAPI32.dll FreeSid 77da7a80
ea17008 ADVAPI32.dll GetUserNameA 77dcd4c9
ea1700c ADVAPI32.dll RegQueryValueExA 77da7883
ea17010 ADVAPI32.dll RegOpenKeyExA 77da761b
ea17258 ntdll.dll wcscat 7c92a359
ea17014 ADVAPI32.dll CheckTokenMembership 77da815e
ea17218 WS2_32.dll closesocket 71a19639
ea17204 WS2_32.dll inet_addr 71a12bf4
ea1701c GDI32.dll CreateCompatibleDC 77ef5e10
ea17020 GDI32.dll SelectObject 77ef59a0
ea17024 GDI32.dll BitBlt 77ef6dc0
ea17028 GDI32.dll DeleteObject 77ef6a3b
ea1705c kernel32.dll DeleteFileA 7c81e85c
ea1702c GDI32.dll DeleteDC 77ef6ca6
ea17030 GDI32.dll CreateCompatibleBitmap 77ef6e51
ea17208 WS2_32.dll inet_ntoa 71a13f41
ea17234 ntdll.dll memcmp 7c91214f
ea17238 ntdll.dll RtlInitUnicodeString 7c9112d6
ea1723c ntdll.dll ZwCreateMutant 7c91d700
ea17040 kernel32.dll Sleep 7c802442
ea17260 ntdll.dll ZwDuplicateObject 7c91d90d
ea17044 kernel32.dll CreateThread 7c81082f
ea17248 ntdll.dll atoi 7c934c29
ea1720c WS2_32.dll WSAGetLastError 71a194dc
ea1704c kernel32.dll GetCurrentProcessId 7c80994e
ea17250 ntdll.dll _itoa 7c93f23a
ea17054 kernel32.dll LoadLibraryA 7c801d77
ea17058 kernel32.dll HeapCreate 7c812929
ea17264 ntdll.dll ZwQueryObject 7c91e0d8
ea1725c ntdll.dll strstr 7c91ec6f
ea17060 kernel32.dll GetLastError 7c920331
ea17210 WS2_32.dll ntohs 71a12b66
ea17064 kernel32.dll WaitForSingleObject 7c802530
ea17068 kernel32.dll CreateMutexA 7c80eb3f
ea1706c kernel32.dll GetCurrentThread 7c809919
ea17070 kernel32.dll ExitProcess 7c81caa2
ea17268 ntdll.dll strtoul 7c980815
ea17274 ntdll.dll _stricmp 7c923374
ea17278 ntdll.dll sprintf 7c93912e
ea17214 WS2_32.dll getpeername 71a20b50
ea1727c ntdll.dll strcat 7c9128ec
ea17280 ntdll.dll strcpy 7c9128d7
ea17284 kernel32.dll HeapAlloc 7c9205d4
ea17088 kernel32.dll GetTickCount 7c8092ac
ea1726c ntdll.dll vsprintf 7c980848
ea1728c ntdll.dll strlen 7c912a9d
ea17290 ntdll.dll isalnum 7c97fc5c
ea17294 ntdll.dll RtlRandom 7c974eda
ea17298 kernel32.dll HeapFree 7c92043d
ea1709c kernel32.dll GetThreadSelectorEntry 7c859fd0
ea170a0 kernel32.dll GetThreadContext 7c838eeb
ea17270 ntdll.dll ZwQueryInformationThread 7c91e030
ea170a4 kernel32.dll lstrcmpiA 7c80b929
ea170a8 kernel32.dll WideCharToMultiByte 7c80a0c7
ea170ac kernel32.dll IsBadReadPtr 7c809eb3
ea170b0 kernel32.dll IsBadWritePtr 7c809f29
ea170b4 kernel32.dll MultiByteToWideChar 7c809cad
ea170b8 kernel32.dll lstrcpyA 7c80c729
ea17074 kernel32.dll CloseHandle 7c809b77
ea170bc kernel32.dll GetVolumeInformationA 7c827052
ea170c0 kernel32.dll GetSystemWindowsDirectoryA 7c8228c9
ea17220 ntdll.dll ZwQuerySystemInformation 7c91e1aa
ea170c4 kernel32.dll SizeofResource 7c80baf1
ea170c8 kernel32.dll TerminateThread 7c81cacb
ea170cc kernel32.dll GetWindowsDirectoryA 7c82293b
ea170d0 kernel32.dll GetSystemDirectoryA 7c814c63
ea17078 kernel32.dll SetLastError 7c920340
ea170d4 kernel32.dll OpenMutexA 7c80ec1b
ea170d8 kernel32.dll ExitThread 7c80cca9
ea17224 ntdll.dll strncmp 7c912c43
ea170dc kernel32.dll WriteFile 7c810f9f
ea170e0 kernel32.dll CreateFileA 7c801a24
ea170e4 kernel32.dll lstrlenA 7c80c6e0
ea170e8 kernel32.dll lstrcpynA 7c810311
ea1707c kernel32.dll GetVersionExA 7c812851
ea170ec kernel32.dll lstrlenW 7c809a39
ea170f0 kernel32.dll ReadFile 7c80180e
ea17228 ntdll.dll _strlwr 7c9802bc
ea170f4 kernel32.dll SetNamedPipeHandleState 7c81f654
ea170f8 kernel32.dll SetHandleCount 7c80c6cf
ea170fc kernel32.dll CreateFileW 7c810976
ea17100 kernel32.dll lstrcatW 7c81114a
ea17080 kernel32.dll GetTimeZoneInformation 7c8394ae
ea17104 kernel32.dll lstrcpyW 7c80b8ec
ea17108 kernel32.dll OpenProcess 7c81e079
ea1722c ntdll.dll RtlAdjustPrivilege 7c939e8c
ea1710c kernel32.dll SetFileAttributesA 7c81fb44
ea17114 kernel32.dll VirtualProtect 7c801ad0
ea17118 kernel32.dll HeapFree 7c92043d
ea17084 kernel32.dll GetUserDefaultLangID 7c81e685
ea1711c kernel32.dll GetProcessHeap 7c80aa49
ea17120 kernel32.dll VirtualFree 7c809b14
ea17230 ntdll.dll ZwQueryInformationProcess 7c91e01b
ea17124 kernel32.dll HeapAlloc 7c9205d4
ea17128 kernel32.dll LoadResource 7c80a065
ea1712c kernel32.dll TerminateProcess 7c801e16
ea17130 kernel32.dll GetCurrentProcess 7c80e00d
ea17134 kernel32.dll UnhandledExceptionFilter 7c862b8a
ea17138 kernel32.dll SetUnhandledExceptionFilter 7c810386
ea1713c kernel32.dll SystemTimeToFileTime 7c810d34
ea17140 kernel32.dll SetFilePointer 7c810da6
ea17144 kernel32.dll GlobalAlloc 7c80ff2d
ea17148 kernel32.dll GlobalFree 7c80fe2f
ea1708c kernel32.dll GetLocalTime 7c80c9c1
ea1714c kernel32.dll DuplicateHandle 7c80e016
ea17150 kernel32.dll lstrcmpA 7c81ee79
ea17038 kernel32.dll GetCurrentDirectoryA 7c8397a1
ea17154 kernel32.dll LocalFileTimeToFileTime 7c8395ea
ea17158 kernel32.dll CreateDirectoryA 7c826219
ea1715c kernel32.dll GetExitCodeThread 7c8229a2
ea17160 kernel32.dll CreateDirectoryW 7c81e968
ea17090 kernel32.dll GetModuleFileNameA 7c80b357
ea17164 kernel32.dll FindResourceA 7c80c7b1
ea17168 kernel32.dll SetFileTime 7c81f955
ea1703c kernel32.dll lstrcatA 7c838fb9
ea1716c kernel32.dll GetComputerNameA 7c8260a9
ea17170 kernel32.dll WaitNamedPipeW 7c8343d8
ea17178 SHELL32.dll SHFileOperationA 7ca7d4a1
ea17094 kernel32.dll FreeLibrary 7c80aa66
ea1717c SHELL32.dll SHGetFolderPathA 7ca483b0
ea17180 SHELL32.dll StrStrIA 7cba93c0
ea17240 ntdll.dll ZwClose 7c91d586
ea17184 SHELL32.dll StrCmpNIA 7cba9352
ea17188 SHELL32.dll StrStrW 7cba93cb
ea17244 ntdll.dll wcslen 7c92035a
ea171a0 USER32.dll CharLowerA 77d3eed5
ea171a4 USER32.dll SetWindowLongA 77d1ded3
ea171a8 USER32.dll GetWindowLongA 77d1947c
ea1729c ntdll.dll strcmp 7c9129d1
ea171ac USER32.dll CallWindowProcA 77d1e34b
ea171b0 USER32.dll EnumWindows 77d1d935
ea17048 kernel32.dll GetProcAddress 7c80ac28
ea171b4 USER32.dll GetWindowDC 77d18ff9
ea171b8 USER32.dll GetWindowRect 77d1b57c
ea171bc USER32.dll GetCursorPos 77d1c566
ea171c0 USER32.dll ReleaseDC 77d1866d
ea172a0 ntdll.dll _allmul 7c9119d0
ea171c4 USER32.dll LoadCursorA 77d1e8fa
ea171c8 USER32.dll GetIconInfo 77d1e9a1
ea1724c ntdll.dll _chkstk 7c911a09
ea171cc USER32.dll DrawIcon 77d301ef
ea171d0 USER32.dll GetKeyboardState 77d1ef35
ea171d4 USER32.dll ToUnicode 77d6628a
ea171d8 USER32.dll wsprintfA 77d1a2de
ea17050 kernel32.dll GetModuleHandleA 7c80b529
ea172a8 ole32.dll CreateStreamOnHGlobal 774c974a
ea17254 ntdll.dll wcscpy 7c923473
ea171fc WS2_32.dll connect 71a1406a
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
File "volatility.py", line 126, in <module>
main()
File "volatility.py", line 117, in main
command.execute()
File "C:\forensics\Volatility-1.4_rc1\volatility\commands.py", line 77, in execute
data = self.calculate()
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 1508, in calculate
data = self.rebuild(addr_space, base)
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 597, in rebuild
for offset, code in self.get_image(sys.stdout, addr_space, start):
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 167, in get_image
for sect in self.get_sections(addr_space, nt_header):
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 100, in get_sections
self.sanity_check_section(sect, nt_header.OptionalHeader.SizeOfImage)
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\procdump.py", line 109, in sanity_check_section
raise ValueError('VirtualSize {0:08x} is larger than image size.'.format(sect.Misc.VirtualSize))
ValueError: VirtualSize 00361000 is larger than image size.
Original issue reported on code.google.com by [email protected]
on 6 Jan 2011 at 2:32
What steps will reproduce the problem?
1. C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\silentbanker.vmem"
2. A testsuite run outputs the following
C:\Python27\Scripts>python vol.py testsuite -f "D:\X-Ways-Images\Malware\silentbanker.vme
Volatile Systems Volatility Framework 2.0
Executing dlldump
Executing vadtree
Error running userassist - option -o/--hive-offset: conflicting option
string(s): -o
Executing procmemdump
Executing procexedump
Error running lsadump - option -s/--sec-offset: conflicting option string(s): -s
Executing moddump
Executing handles
Error running handles - maximum recursion depth exceeded while calling a Python
object
Executing dlllist
Executing psxview
Error running psxview - maximum recursion depth exceeded while calling a Python
object
Executing vadinfo
Executing memmap
Executing memdump
Error running svcscan - option -y/--yara-rules-only: conflicting option
string(s): -y
Error running malfind - option -K/--kernel: conflicting option string(s): -K
Error running hashdump - option -s/--sam-offset: conflicting option string(s):
-s
Error running imagecopy - option -b/--blocksize: conflicting option string(s):
-b
Executing vadwalk
Error running threads - option -s/--size: conflicting option string(s): -s
Executing vaddump
Error running ssdt_ex - no such option '--yara-rules-only'
Error running impscan - option -y/--yara-rules-only: conflicting option
string(s): -y
Error running callbacks - no such option '--kernel'
Executing getsids
Error running idt - option -K/--kernel: conflicting option string(s): -K
Executing ldrmodules
Executing pslist
Executing apihooks
Finished after 113.459000111 seconds
Error running apihooks - local variable 'flat_x' referenced before assignment
Executing driverirp
Error running driverirp - maximum recursion depth exceeded while calling a
Python object
Error running strings - option -s/--string-file: conflicting option string(s):
-s
What is the expected output? What do you see instead?
Volatile Systems Volatility Framework 2.0
Name Type Target
Value
Finished after 115.231999874 seconds
What version of the product are you using? On what operating system?
Volatility 2.0 and Malware.py R97
Original issue reported on code.google.com by [email protected]
on 15 Aug 2011 at 12:05
What steps will reproduce the problem?
1. running pymon normally
2.
3.
What is the expected output? What do you see instead?
it crashes and does not create a report
What version of the product are you using? On what operating system?
latest version from svn... XP SP3, Python25
Please provide any additional information below.
error message attached
Original issue reported on code.google.com by [email protected]
on 17 Jun 2011 at 3:50
Add MITRE's IDT hooking detection to the IDT plugin.
Original issue reported on code.google.com by [email protected]
on 28 Feb 2011 at 5:23
What steps will reproduce the problem?
1.installed latest volatility
2.typed 'vol.py malfind -f coreflood.vmem -dump-dir=outdir
--yara-rules=./aa.yara'
3.then i got 'vol.py: error: no such option: --dump-dir'
I saw the 'Malware Analyst's Cookbook' and I followed Recipe 16-6.
I wonder how I can fix it.
What version of the product are you using? On what operating system?
latest volatility 2.1_alpha, win7 32bit
Original issue reported on code.google.com by [email protected]
on 18 Apr 2012 at 3:26
"Writing MSR"
Original issue reported on code.google.com by [email protected]
on 2 May 2014 at 8:52
To detect Rustock. Thanks to Frank B. for the suggestion and methods.
Original issue reported on code.google.com by [email protected]
on 10 Jan 2011 at 5:46
see the flags
http://www.reactos.org/pipermail/ros-diffs/2010-October/038897.html
Original issue reported on code.google.com by [email protected]
on 27 Jun 2011 at 1:02
What steps will reproduce the problem?
1. Run av_multiscan.py
What version of the product are you using? On what operating system?
python 2.7+ and av_multiscan.py r73
Please provide any additional information below.
Looks like the change in r73 (the comments added) messed up the indent level
for fpscan. Simple fix, but it halts the program nevertheless.
$ python av_multiscan.py
File "av_multiscan.py", line 101
if os.path.isfile(path_to_fpscan):
^
IndentationError: unexpected indent
Original issue reported on code.google.com by [email protected]
on 5 Dec 2012 at 2:44
What steps will reproduce the problem?
1. line #52 needs to be changed from 'file.append(line)' to 'files.append(line)'
Simple little change - without it, an AttributeError is thrown as it's trying
to parse its contents into the DB, and it will result in the program exiting:
"AttributeError: type object 'file' has no attribute 'append'"
Original issue reported on code.google.com by [email protected]
on 26 Sep 2012 at 5:02
iat: shell32.dll->SHLWAPI.dll
inline: kernel32.dll->KERNELBASE.dll
Original issue reported on code.google.com by [email protected]
on 15 Jun 2011 at 3:34
so users can search unlinked processes
Original issue reported on code.google.com by [email protected]
on 6 Apr 2011 at 5:46
>What steps will reproduce the problem?
vol.py -f d:\memimg\temp.vmem apihooks
>What is the expected output? What do you see instead?
Expected output is the same but in shorter time.
Volatile Systems Volatility Framework 1.4_rc1
Name Type Target
Value
lsass.exe[664] inline
pstorsvc.dll!PSTOREServiceMain[0x743a1459L] 0x743a1459 CALL [0x743a1010] =>>
0x77df3e57 (ADVAPI32.dll)
svchost.exe[1032] inline
cryptsvc.dll!CryptServiceMain[0x76ce1579L] 0x76ce1579 CALL [0x76ce10a0] =>>
0x77df3e57 (ADVAPI32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe iat winmm.dll!*invalid*
0x0 0x7752bb33 (ole32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe iat gdi32.dll!*invalid*
0x0 0x77df1576 (advapi32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe iat advapi32.dll!*invalid*
0x0 0x77f1a8cb (GDI32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe iat user32.dll!*invalid*
0x0 0x77dd79db (advapi32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe iat user32.dll!*invalid*
0x0 0x77dd7328 (advapi32.dll)
Finished after 558.667999983 seconds
>What version of the product are you using? On what operating system?
Latest volatility + malware.py (r93). Operating system is Windows 7 64-bit.
If it should take this long, this issue can be removed.
Original issue reported on code.google.com by [email protected]
on 26 Jul 2011 at 10:14
What steps will reproduce the problem?
1. Use av_multiscan.py from Chapter 3
What is the expected output? What do you see instead?
It does not append the result from Linux F-Port
What version of the product are you using? On what operating system?
Version: 6.3.3.5015
OS: Ubuntu 11.04
najmi@vostro:~/malware$ fpscan --version
F-PROT Antivirus version 6.3.3.5015 (built: 2009-12-23T13-43-55)
FRISK Software International (C) Copyright 1989-2009
Engine version: 4.5.1.85
Arguments: --version
Virus signatures: 201106191228b0d2a90521b6711b1b1f6782a3bd350e
(/home/najmi/f-prot/antivir.def)
Please provide any additional information below.
Line 102:
Original:
#result = output.split('\n')[8].split('\t')[0]
Correct:
result = output.split('\n')[10].split('\t')[0]
Otherwise the result won't be appended on the display.
Original issue reported on code.google.com by najmi.zabidi
on 19 Jun 2011 at 4:47
Hi,
There seems to be a change in the peid resources.
The only available userdb.txt is found here:
http://research.pandasecurity.com/blogs/images/userdb.txt
Extract from the file shows:
; Made with Add Signature v2.00 by BoB / BobSoft ..
; 3520 Signatures in list ..
[Native UD Packer 1.1 (Modded Poison Ivy Shellcode) -> okkixot]
signature = 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00
FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81
C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 $
ep_only = true
[Obsidium v1.3.0.0 -> Obsidium Software (h)]
signature = EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C
EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04
05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 $
ep_only = true
Running the script with verbose output results in:
./peid_to_yara.py -f userdb.txt -o peid.yara -v
Found 0 signatures in PEiD input file
Wrote 0 rules to peid.yara
I have not worked through the python script yet but I would expect the syntax
changed somewhere.
Although the yara wiki contains some peid examples they seem to fall short of
the 3000+ listed in the userdb.txt
Original issue reported on code.google.com by [email protected]
on 22 Jan 2013 at 11:16
I've tried converting clamAV signature files to YARA but the converted yara
file contains lots of invalid jumps like [4-4]. I've tried this on Windows 7 SP1
x64 and Ubuntu 11.10 x64. The python version is 2.7. Yara versions tried: 1.5 and
1.6.
Original issue reported on code.google.com by [email protected]
on 17 Nov 2011 at 8:41
Also we should rename csrpslist to altpslist or something that doesn't focus on
csrss now that we've added other sources.
Original issue reported on code.google.com by [email protected]
on 28 Feb 2011 at 5:21
C:\forensics\Volatility-1.4_rc1>python volatility.py apihooks -f
..\malware-images\rustock.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name Type Function
Value
Traceback (most recent call last):
File "volatility.py", line 126, in <module>
main()
File "volatility.py", line 117, in main
command.execute()
File "C:\forensics\Volatility-1.4_rc1\volatility\commands.py", line 101,
in execute
func(outfd, data)
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line
1939, in render_text
for (proc, type, current_mod, mod, func, src, dst, hooker, instruction)
in data:
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line
1899, in calculate
for val in self.get_all_hooks(p, ps_ad, procs, mods, mod_addrs):
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line
1854, in get_all_hooks
for val in self.get_hooks(proc, space, mods, mod_addrs, mod, name):
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line
1699, in get_hooks
for exp in mod.exports():
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line
528, in exports
for exp in exp_dir.get_exports():
File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line
418, in get_exports
func_rva = address_of_functions[ordinal]
File "C:\forensics\Volatility-1.4_rc1\volatility\obj.py", line 655, in
__getitem__
pos * self.current.size()
TypeError: unsupported operand type(s) for *: 'NoneObject' and 'int'
Original issue reported on code.google.com by [email protected]
on 6 Jan 2011 at 2:31
As I was testing pescanner.py, I came across a potential typo. The problem
I ran into was that the tool would not show me the output of clamscan when
I scanned known malicious files. I traced the issue to this code fragment:
    def check_clam(self, file):
        # only run the scanner if the configured clamscan binary exists
        if os.path.isfile(clamscan_path):
            # getstatusoutput() returns the raw wait status, not the exit code
            status, output = commands.getstatusoutput("%s %s" % (clamscan_path, file))
            # the report is only emitted when the status is zero
            if status == 0:
                return "Clamav: %s" % output.split("\n")[0]
        return ''
I think the status check should say "!=" instead of "==". Clamscan (at
least on Ubuntu) returns zero if the file is clean; it returns a non-zero
value (256 in my testing) if the file is malicious.
Original issue reported on code.google.com by [email protected]
on 5 Dec 2011 at 3:06
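The reporter's observation fits clamscan's documented exit codes (0 no virus found, 1 virus found, 2 error), and the 256 they saw is exit code 1 as returned by `commands.getstatusoutput()`, which hands back the raw wait status (exit code shifted left by 8). The following is an added example, not pescanner.py's own code, of a `check_clam` written so that a non-zero status is the reported case and errors are distinguished from detections; it runs clamscan through `subprocess.run` with an argument list rather than a shell-formatted string, so a sample whose file name contains shell metacharacters cannot alter the command. The scanner output below is constructed for the example, and the function names are mine.

```python
import os
import subprocess
from typing import Optional, Tuple

# Exit codes from clamscan(1): 0 = no virus found, 1 = virus(es) found,
# 2 = some error(s) occurred.
CLAM_CLEAN, CLAM_INFECTED, CLAM_ERROR = 0, 1, 2

# Constructed sample of clamscan output for an infected file (with --no-summary).
SAMPLE_INFECTED_OUTPUT = "/tmp/sample.exe: Eicar-Test-Signature FOUND\n"
SAMPLE_CLEAN_OUTPUT = "/tmp/sample.exe: OK\n"


def decode_wait_status(status: int) -> int:
    """Convert a commands.getstatusoutput()-style wait status to an exit code.

    getstatusoutput() returns the raw wait status, so clamscan's exit code 1
    shows up as 256 (1 << 8), which is the value quoted in the report.
    Values below 256 are treated as an already-decoded exit code.
    """
    if status > 0xFF:
        return (status >> 8) & 0xFF
    return status


def classify_clamscan(returncode: int, output: str) -> Tuple[str, Optional[str]]:
    """Map clamscan's exit code plus stdout to (verdict, signature name)."""
    if returncode == CLAM_CLEAN:
        return "clean", None
    if returncode == CLAM_INFECTED:
        # Each detection is printed as "<path>: <signature> FOUND".
        for line in output.splitlines():
            line = line.strip()
            if line.endswith(" FOUND"):
                head = line[: -len(" FOUND")]
                return "infected", head.rpartition(": ")[2]
        return "infected", None
    return "error", None


def check_clam(path: str, clamscan_path: str = "/usr/bin/clamscan") -> str:
    """Hypothetical replacement for the fragment quoted in the issue.

    Reports a detection (non-zero exit 1) or an error (exit 2) and returns an
    empty string for a clean file, which is the opposite of the '== 0' check.
    """
    if not os.path.isfile(clamscan_path):
        return ""
    # Argument list, not a formatted shell string: the file name is passed
    # verbatim to clamscan and never interpreted by a shell.
    proc = subprocess.run(
        [clamscan_path, "--no-summary", path],
        capture_output=True, text=True, check=False,
    )
    verdict, signature = classify_clamscan(proc.returncode, proc.stdout)
    if verdict == "infected":
        return "Clamav: %s" % (signature or "detection (name not parsed)")
    if verdict == "error":
        return "Clamav: scan error (exit %d)" % proc.returncode
    return ""


if __name__ == "__main__":
    print(decode_wait_status(256))                              # 1
    print(classify_clamscan(CLAM_INFECTED, SAMPLE_INFECTED_OUTPUT))
    print(classify_clamscan(CLAM_CLEAN, SAMPLE_CLEAN_OUTPUT))
```

Keeping `classify_clamscan` separate from the process call is what makes the exit-code handling testable without a scanner installed, and treating exit 2 as its own verdict stops a missing signature database or an unreadable file from being reported as either clean or malicious.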