Volatility 3 使用入门笔记

下载恶意软件分析诀窍和工具DVD和vol3

下载地址:https://codeload.github.com/ganboing/malwarecookbook/zip/refs/heads/master

然后,下载vol3,并安装:

https://codeload.github.com/volatilityfoundation/volatility3/zip/refs/heads/stable

最初运行的时候,

python D:\Application\volatility3-stable\vol.py -f .\prolaco.vmem\prolaco.vmem windows.pstree.PsTree
Volatility 3 Framework 2.4.1
WARNING  volatility3.framework.plugins: Automagic exception occurred: ValueError: Symbol type not in symbol_table_name1 SymbolTable: _ETHREAD

Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.symbol_table_name']

其中,prolaco.vmem来自恶意软件分析诀窍dvd的vmem数据。

上面的错误表明我的系统缺少了symbols文件,于是就需要:

下载符号表

各种操作系统的符号表包可从以下网址下载:

https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip

然后解压,我将其放到D:\Application\volatility3-stable\volatility3\symbols\windows\下

再运行上述命令:

python D:\Application\volatility3-stable\vol.py -f .\prolaco.vmem\prolaco.vmem windows.pstree.PsTree
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

4       0       System  0x810b1660      56      253     N/A     False   N/A     N/A
* 544   4       smss.exe        0xff2ab020      3       21      N/A     False   2010-08-11 06:06:21.000000      N/A
** 608  544     csrss.exe       0xff1ecda0      11      349     0       False   2010-08-11 06:06:23.000000      N/A
** 632  544     winlogon.exe    0xff1ec978      19      565     0       False   2010-08-11 06:06:23.000000      N/A
*** 688 632     lsass.exe       0xff255020      19      341     0       False   2010-08-11 06:06:24.000000      N/A
*** 676 632     services.exe    0xff247020      16      269     0       False   2010-08-11 06:06:24.000000      N/A
**** 1088       676     svchost.exe     0xff22d558      4       75      0       False   2010-08-11 06:06:25.000000     N/A
**** 1028       676     svchost.exe     0x80fbf910      63      1334    0       False   2010-08-11 06:06:24.000000     N/A
***** 888       1028    wscntfy.exe     0xff364310      1       27      0       False   2010-08-11 06:06:49.000000     N/A
***** 468       1028    wuauclt.exe     0x80f94588      3       130     0       False   2010-08-11 06:09:37.000000     N/A
**** 1432       676     spoolsv.exe     0xff1d7da0      13      135     0       False   2010-08-11 06:06:26.000000     N/A
**** 1668       676     vmtoolsd.exe    0xff1b8b28      5       219     0       False   2010-08-11 06:06:35.000000     N/A
**** 1788       676     VMUpgradeHelper 0xff1fdc88      3       97      0       False   2010-08-11 06:06:38.000000     N/A
**** 936        676     svchost.exe     0xff217560      9       256     0       False   2010-08-11 06:06:24.000000     N/A
**** 844        676     vmacthlp.exe    0xff218230      1       24      0       False   2010-08-11 06:06:24.000000     N/A
**** 1968       676     TPAutoConnSvc.e 0xff143b28      5       100     0       False   2010-08-11 06:06:39.000000     N/A
***** 1084      1968    TPAutoConnect.e 0xff38b5f8      1       61      0       False   2010-08-11 06:06:52.000000     N/A
**** 856        676     svchost.exe     0x80ff88d8      16      198     0       False   2010-08-11 06:06:24.000000     N/A
**** 1148       676     svchost.exe     0xff203b80      14      207     0       False   2010-08-11 06:06:26.000000     N/A
**** 216        676     alg.exe 0xff25a7e0      6       104     0       False   2010-08-11 06:06:39.000000      N/A
1724    1708    explorer.exe    0xff3865d0      11      294     0       False   2010-08-11 06:09:29.000000      N/A
* 432   1724    VMwareTray.exe  0xff3667e8      1       49      0       False   2010-08-11 06:09:31.000000      N/A
* 452   1724    VMwareUser.exe  0xff374980      5       176     0       False   2010-08-11 06:09:32.000000      N/A
* 1136  1724    ImmunityDebugge 0xff37a4b0      2       73      0       False   2010-08-11 16:50:19.000000      N/A
PS D:\book\malwarecookbook-master\malwarecookbook-master\15\6> python D:\Application\volatility3-stable\vol.py -f .\prolaco.vmem\prolaco.vmem windows.pstree.PsTree
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

4       0       System  0x810b1660      56      253     N/A     False   N/A     N/A
* 544   4       smss.exe        0xff2ab020      3       21      N/A     False   2010-08-11 06:06:21.000000      N/A
** 608  544     csrss.exe       0xff1ecda0      11      349     0       False   2010-08-11 06:06:23.000000      N/A
** 632  544     winlogon.exe    0xff1ec978      19      565     0       False   2010-08-11 06:06:23.000000      N/A
*** 688 632     lsass.exe       0xff255020      19      341     0       False   2010-08-11 06:06:24.000000      N/A
*** 676 632     services.exe    0xff247020      16      269     0       False   2010-08-11 06:06:24.000000      N/A
**** 1088       676     svchost.exe     0xff22d558      4       75      0       False   2010-08-11 06:06:25.000000     N/A
**** 1028       676     svchost.exe     0x80fbf910      63      1334    0       False   2010-08-11 06:06:24.000000     N/A
***** 888       1028    wscntfy.exe     0xff364310      1       27      0       False   2010-08-11 06:06:49.000000     N/A
***** 468       1028    wuauclt.exe     0x80f94588      3       130     0       False   2010-08-11 06:09:37.000000     N/A
**** 1432       676     spoolsv.exe     0xff1d7da0      13      135     0       False   2010-08-11 06:06:26.000000     N/A
**** 1668       676     vmtoolsd.exe    0xff1b8b28      5       219     0       False   2010-08-11 06:06:35.000000     N/A
**** 1788       676     VMUpgradeHelper 0xff1fdc88      3       97      0       False   2010-08-11 06:06:38.000000     N/A
**** 936        676     svchost.exe     0xff217560      9       256     0       False   2010-08-11 06:06:24.000000     N/A
**** 844        676     vmacthlp.exe    0xff218230      1       24      0       False   2010-08-11 06:06:24.000000     N/A
**** 1968       676     TPAutoConnSvc.e 0xff143b28      5       100     0       False   2010-08-11 06:06:39.000000     N/A
***** 1084      1968    TPAutoConnect.e 0xff38b5f8      1       61      0       False   2010-08-11 06:06:52.000000     N/A
**** 856        676     svchost.exe     0x80ff88d8      16      198     0       False   2010-08-11 06:06:24.000000     N/A
**** 1148       676     svchost.exe     0xff203b80      14      207     0       False   2010-08-11 06:06:26.000000     N/A
**** 216        676     alg.exe 0xff25a7e0      6       104     0       False   2010-08-11 06:06:39.000000      N/A
1724    1708    explorer.exe    0xff3865d0      11      294     0       False   2010-08-11 06:09:29.000000      N/A
* 432   1724    VMwareTray.exe  0xff3667e8      1       49      0       False   2010-08-11 06:09:31.000000      N/A
* 452   1724    VMwareUser.exe  0xff374980      5       176     0       False   2010-08-11 06:09:32.000000      N/A
* 1136  1724    ImmunityDebugge 0xff37a4b0      2       73      0       False   2010-08-11 16:50:19.000000      N/A

 

此外,为了专门测试vol3的常用命令,我从:http://webdiis.unizar.es/~ricardo/sbc-2021/adicional/volcados/alina1G.elf.tar.gz 下载了一个专门测试的vmem文件(虽然叫elf实际上还是windows的vmem),并将其放在在vol3目录,方便以后随时可以用来做命令测试。

python .\vol.py -f .\alina1G.elf windows.info
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0x82805000
DTB     0x185000
Symbols file:///D:/Application/volatility3-stable/volatility3/symbols/windows/ntkrnlmp.pdb/00625D7D36754CBEBA4533BA9A0F3FE2-2.json.xz
Is64Bit False
IsPAE   False
layer_name      0 WindowsIntel
memory_layer    1 Elf64Layer
base_layer      2 FileLayer
KdDebuggerDataBlock     0x82926c28
NTBuildLab      7601.17514.x86fre.win7sp1_rtm.10
CSDVersion      1
KdVersionBlock  0x82926c00
Major/Minor     15.7601
MachineType     332
KeNumberProcessors      1
SystemTime      2019-09-21 12:07:14
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  6
NtMinorVersion  1
PE MajorOperatingSystemVersion  6
PE MinorOperatingSystemVersion  1
PE Machine      332
PE TimeDateStamp        Sat Nov 20 08:42:46 2010

 

补充:如何生成vmem文件

DumpIt【不好用,我win10下会出问题】

DumpIt是一个故障转储工具,该工具是免费的Comae Memory Toolkit的一部分(此工具的早期版本由MoonSols发行,已不再可用)。DumpIt可以获取主机物理内存的快照,并支持使用相关内存取证分析工具如Volatility FrameworkRekallRedline 等进行分析。

该工具不适用红队渗透过程,因为产生的转储文件非常巨大,该方法通常用于恶意软件分析。

DumpIt下载地址:

Windows操作系统平台下的DumpIt是一个简单易用的计算机内存镜像获取工具。通常直接将该工具存放在大容量移动硬盘或优盘中。可直接在正在运行Windows系统的平台直接运行,根据提示操作即可。

图表 6 DumpIt内存镜像获取工具

 为了测试下这个工具是否好用,我在虚拟机里开几个进程,然后使用dumpit生成了桌面上的mp文件,大小2GB,因为我的内存空间刚好就是2G!

 

然后对dmp出来的文件分析,看看进程cmd列表:

 python .\vol.py -f .\DESKTOP-JGUS422-20230502-143327.dmp windows.cmdline
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     Process Args

4       System  Required memory at 0x20 is not valid (process exited?)
88      Registry        Required memory at 0x20 is not valid (process exited?)
332     smss.exe        Required memory at 0x78 is not valid (process exited?)
448     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
524     wininit.exe     wininit.exe
532     csrss.exe       s(%d) tid(%x) %08X %ws
624     winlogon.exe    winlogon.exe
636     services.exe    C:\Windows\system32\services.exe
672     lsass.exe       C:\Windows\system32\lsass.exe
784     fontdrvhost.ex  Required memory at 0xf35ed79020 is inaccessible (swapped)
788     fontdrvhost.ex  "fontdrvhost.exe"
800     svchost.exe     C:\Windows\system32\svchost.exe -k DcomLaunch -p
900     svchost.exe     C:\Windows\system32\svchost.exe -k RPCSS -p
1000    dwm.exe "dwm.exe"
372     svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
724     svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
668     svchost.exe     C:\Windows\system32\svchost.exe -k LocalService -p
1084    svchost.exe     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
1212    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1220    svchost.exe     C:\Windows\system32\svchost.exe -k LocalService -p
1296    svchost.exe     C:\Windows\system32\svchost.exe -k netsvcs -p
1312    svchost.exe     C:\Windows\System32\svchost.exe -k NetworkService -p
1472    HipsDaemon.exe  "C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon
1720    TrustedInstall  C:\Windows\servicing\TrustedInstaller.exe
1732    MemCompression  Required memory at 0x20 is not valid (process exited?)
1840    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1888    usysdiag.exe    Required memory at 0xba2e22a020 is inaccessible (swapped)
2044    wsctrlsvc.exe   "C:\Program Files (x86)\Huorong\Sysdiag\bin\wsctrlsvc.exe" /svc_run
1068    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
2000    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1792    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
2080    svchost.exe     C:\Windows\system32\svchost.exe -k appmodel -p
2160    spoolsv.exe     C:\Windows\System32\spoolsv.exe
2212    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
2268    CompatTelRunne  C:\Windows\system32\compattelrunner.exe
2304    dasHost.exe     dashost.exe {a4107603-4ae0-4d0b-b39719fff08b7465}
2432    svchost.exe     C:\Windows\System32\svchost.exe -k utcsvc -p
2480    Sysmon64.exe    C:\Windows\Sysmon64.exe
2504    VGAuthService.  "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
2520    vm3dservice.ex  Required memory at 0x1fb80151ae8 is inaccessible (swapped)
2540    vmtoolsd.exe    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
2640    vm3dservice.ex  vm3dservice.exe -n
2768    unsecapp.exe    ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀ᬹ＀
2936    svchost.exe     C:\Windows\system32\svchost.exe -k wsappx -p
2964    dllhost.exe     C:\Windows\system32\dllhost.exe /Processid:{4350C118-8E48-4788-9048-5D3B49268A2D}
2976    WmiPrvSE.exe    C:\Windows\system32\wbem\wmiprvse.exe
2584    vm3dservice.ex  Required memory at 0x1f49c6b1ae8 is inaccessible (swapped)
2008    dllhost.exe     C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
3492    WmiPrvSE.exe    C:\Windows\system32\wbem\wmiprvse.exe
3688    msdtc.exe       C:\Windows\System32\msdtc.exe
3840    VSSVC.exe       C:\Windows\system32\vssvc.exe
4044    conhost.exe     Required memory at 0x1919ef71ae8 is inaccessible (swapped)
3916    sihost.exe      sihost.exe
3948    svchost.exe     C:\Windows\system32\svchost.exe -k UnistackSvcGroup
3636    taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1608    ctfmon.exe      "ctfmon.exe"
4112    userinit.exe    Required memory at 0x2ac8722020 is not valid (process exited?)
4132    explorer.exe    C:\Windows\Explorer.EXE
4280    ChsIME.exe      C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
4508    svchost.exe     C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
4796    ShellExperienc  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
4996    SearchUI.exe    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
4180    RuntimeBroker.  Required memory at 0xa319252020 is inaccessible (swapped)
3480    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
5152    ApplicationFra  C:\Windows\system32\ApplicationFrameHost.exe -Embedding
5176    MicrosoftEdge.  Required memory at 0x1175187020 is inaccessible (swapped)
5240    SkypeApp.exe    Required memory at 0x84502b5020 is inaccessible (swapped)
5248    SkypeBackgroun  Required memory at 0x90248d03 is inaccessible (swapped)
5280    YourPhone.exe   Required memory at 0xe37569a020 is inaccessible (swapped)
5472    WmiApSrv.exe    Required memory at 0x1fc8fec1ae8 is inaccessible (swapped)
5620    browser_broker  Required memory at 0x315fff01315f is not valid (process exited?)
5792    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
5952    RuntimeBroker.
6016    MicrosoftEdgeS  C:\Windows\system32\MicrosoftEdgeSH.exe SCODEF:5176 CREDAT:9730 APH:7800000000006 JITHOST /prefetch:2
6060    MicrosoftEdgeC  Required memory at 0xe02a58e020 is inaccessible (swapped)
2320    WindowsInterna  "C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe" -ServerName:App.AppXagta193n5rpf7mheremt3yyfa1g555vc.mca
6388    SearchIndexer.  C:\Windows\system32\SearchIndexer.exe /Embedding
6568    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
2752    dllhost.exe     Required memory at 0x90ec228020 is inaccessible (swapped)
5020    SgrmBroker.exe  Required memory at 0x9887344020 is not valid (process exited?)
6580    sppsvc.exe      Required memory at 0x35e76fe020 is not valid (process exited?)

 

 但是没有看到cacl.exe也是很诡异。难道是这个dump的文件有问题???应该是的!!!

使用vmvare自带的快照dump功能【好用,不会出问题】

继续使用vmvare原生的方法进行dump,先暂停下,然后去

 搜索下就可以找到了。

然后继续使用vol3的cmdline命令,这下终于看到calclator.exe了!

python .\vol.py -f .\564d9712-503e-94dd-3e66-ff23e58d1a0e.vmem windows.cmdline
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     Process Args

4       System  Required memory at 0x20 is inaccessible (swapped)
88      Registry        Required memory at 0x20 is not valid (process exited?)
332     smss.exe        Required memory at 0x4f82e97020 is not valid (process exited?)
448     csrss.exe       Required memory at 0x1df22602dc8 is inaccessible (swapped)
524     wininit.exe     wininit.exe
532     csrss.exe       Required memory at 0x179cf8033bc is inaccessible (swapped)
624     winlogon.exe    Required memory at 0x7d52809020 is inaccessible (swapped)
636     services.exe    C:\Windows\system32\services.exe
672     lsass.exe       C:\Windows\system32\lsass.exe
784     fontdrvhost.ex  Required memory at 0xf35ed79020 is inaccessible (swapped)
788     fontdrvhost.ex  "fontdrvhost.exe"
800     svchost.exe     C:\Windows\system32\svchost.exe -k DcomLaunch -p
900     svchost.exe     C:\Windows\system32\svchost.exe -k RPCSS -p
1000    dwm.exe "dwm.exe"
372     svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
724     svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
668     svchost.exe     C:\Windows\system32\svchost.exe -k LocalService -p
1084    svchost.exe     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
1212    svchost.exe     Process 1212: Required memory at 0x30aaaf6020 is not valid (incomplete layer memory_layer?)
1220    svchost.exe     Required memory at 0xb5fcd9a020 is inaccessible (swapped)
1296    svchost.exe     C:\Windows\system32\svchost.exe -k netsvcs -p
1312    svchost.exe     C:\Windows\System32\svchost.exe -k NetworkService -p
1472    HipsDaemon.exe  "C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon
1732    MemCompression  Required memory at 0x20 is not valid (process exited?)
1840    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1888    usysdiag.exe    Required memory at 0xba2e22a020 is inaccessible (swapped)
2044    wsctrlsvc.exe   Required memory at 0xe1e020 is inaccessible (swapped)
1068    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
2000    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1792    svchost.exe     Required memory at 0x5f5347c8 is not valid (process exited?)
2080    svchost.exe     C:\Windows\system32\svchost.exe -k appmodel -p
2160    spoolsv.exe     Required memory at 0x3f804fb04677 is not valid (process exited?)
2212    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
2304    dasHost.exe     dashost.exe {a4107603-4ae0-4d0b-b39719fff08b7465}
2432    svchost.exe     C:\Windows\System32\svchost.exe -k utcsvc -p
2480    Sysmon64.exe    C:\Windows\Sysmon64.exe
2504    VGAuthService.  Process 2504: Required memory at 0x7c946d3020 is not valid (incomplete layer memory_layer?)
2520    vm3dservice.ex  Required memory at 0x2813ec1020 is inaccessible (swapped)
2540    vmtoolsd.exe    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
2640    vm3dservice.ex  Process 2640: Required memory at 0x33c4827020 is not valid (incomplete layer memory_layer?)
2768    unsecapp.exe    C:\Windows\system32\wbem\unsecapp.exe -Embedding
2976    WmiPrvSE.exe    C:\Windows\system32\wbem\wmiprvse.exe
2584    vm3dservice.ex  Required memory at 0x473ca1f020 is inaccessible (swapped)
2008    dllhost.exe     Required memory at 0x9b99370020 is inaccessible (swapped)
3492    WmiPrvSE.exe    C:\Windows\system32\wbem\wmiprvse.exe
3688    msdtc.exe       Required memory at 0x7fa2d611ff79 is not valid (process exited?)
3916    sihost.exe      sihost.exe
3948    svchost.exe     C:\Windows\system32\svchost.exe -k UnistackSvcGroup
3636    taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1608    ctfmon.exe      "ctfmon.exe"
4112    userinit.exe    Required memory at 0x2ac8722020 is not valid (process exited?)
4132    explorer.exe    C:\Windows\Explorer.EXE
4280    ChsIME.exe      C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
4508    svchost.exe     C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
4796    ShellExperienc  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
4996    SearchUI.exe    Required memory at 0x20b45c034d8 is inaccessible (swapped)
4180    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
3480    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
5152    ApplicationFra  C:\Windows\system32\ApplicationFrameHost.exe -Embedding
5176    MicrosoftEdge.  Process 5176: Required memory at 0x1175187020 is not valid (incomplete layer memory_layer?)
5240    SkypeApp.exe    Process 5240: Required memory at 0x4502b5020 is not valid (incomplete layer memory_layer?)
5248    SkypeBackgroun  Required memory at 0x8228ff5020 is inaccessible (swapped)
5280    YourPhone.exe   Process 5280: Required memory at 0x637569a020 is not valid (incomplete layer memory_layer?)
5620    browser_broker  Required memory at 0x29d8640020 is inaccessible (swapped)
5792    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
5952    RuntimeBroker.  Required memory at 0xd3f46d7020 is inaccessible (swapped)
6016    MicrosoftEdgeS  Required memory at 0x137b0a03518 is inaccessible (swapped)
6060    MicrosoftEdgeC  Process 6060: Required memory at 0x602a58e020 is not valid (incomplete layer memory_layer?)
2320    WindowsInterna  "C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe" -ServerName:App.AppXagta193n5rpf7mheremt3yyfa1g555vc.mca
6388    SearchIndexer.  C:\Windows\system32\SearchIndexer.exe /Embedding
6568    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
6852    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
6940    smartscreen.ex  C:\Windows\System32\smartscreen.exe -Embedding
6996    SecurityHealth  Required memory at 0x7e6dc0d020 is inaccessible (swapped)
7036    SecurityHealth  C:\Windows\system32\SecurityHealthService.exe
7048    vmtoolsd.exe    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
7108    HipsTray.exe    Required memory at 0x96a020 is not valid (process exited?)
6184    OneDrive.exe    "C:\Users\bonelee\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
6896    HipsTray.exe    "C:\Program Files (x86)\Huorong\Sysdiag\\bin\HipsTray.exe"
7264    HipsTray.exe    Required memory at 0xbcf020 is not valid (process exited?)
7528    Microsoft.Shar  Required memory at 0x51b9f5020 is not valid (process exited?)
376     dllhost.exe     Required memory at 0x7279e72020 is inaccessible (swapped)
7200    iexplore.exe    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\bonelee\Desktop\normal.html
7296    iexplore.exe    Required memory at 0x2f21cc8 is inaccessible (swapped)
4808    iexplore.exe    Required memory at 0xbe1cc8 is inaccessible (swapped)
7668    WinStore.App.e  Process 7668: Required memory at 0x2bf38034b8 is not valid (incomplete layer memory_layer?)
3008    Calculator.exe  "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
2076    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
388     RuntimeBroker.  Required memory at 0xdc50f22020 is inaccessible (swapped)
6216    ChsIME.exe      Process 6216: Required memory at 0x7bbfc70020 is not valid (incomplete layer memory_layer?)
5020    SgrmBroker.exe  C:\Windows\system32\SgrmBroker.exe
6448    uhssvc.exe      Process 6448: Required memory at 0x2d911d1ae8 is not valid (incomplete layer memory_layer?)
6764    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
4480    DumpIt.exe      Required memory at 0x53d7897020 is inaccessible (swapped)
7836    Microsoft.Phot  Required memory at 0xffffffffffe8 is not valid (process exited?)
1260    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
2036    svchost.exe     C:\Windows\System32\svchost.exe -k NetworkService -p
2100    svchost.exe     C:\Windows\system32\svchost.exe -k SDRSVC
1256    svchost.exe     C:\Windows\system32\svchost.exe -k wsappx -p

 

 

 

 

其他补充:Windows操作系统平台支持内存获取的常见工具有: ==》基本上都很难下到,todo,实际客户环境里遇到的话,肯定会使用的!

  • DumpIt (早期版本名为Win32dd)
  • Belkasoft RAMCapturer
  • Magnet RAM Capture
  • WinEn
  • Winpmem
  • EnCase Imager
  • FTK Imager

 

Linux操作系统常见的内存获取工具:

  • dd (适合Linux早期版本)
  • LiME  http://code.google.com/p/lime-forensics/
  • linpmem
  • Draugr  http://code.google.com/p/draugr/
  • Volatilitux  http://code.google.com/p/volatilitux/
  • Memfetch  http://lcamtuf.coredump.cx/
  • Memdump

 

Mac OSX操作系统内存获取工具有:

  • MacMemoryReader
  • osxpmem
  • Recon for Mac OSX
  • Blackbag MacQuisition

 

我们看下vol3的最新使用方法:

python .\vol.py -h
Volatility 3 Framework 2.4.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS]
                  [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
                  [--save-config SAVE_CONFIG] [--clear-cache] [--cache-path CACHE_PATH] [--offline]
                  [--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]]
                  [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...

An open-source memory forensics framework

Plugins:
  For plugin specific options, run 'volatility <plugin> --help'

  plugin
    banners.Banners     Attempts to identify potential linux banners in an image
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs configuration in the output directory.
    frameworkinfo.FrameworkInfo
                        Plugin to list the various modular components of Volatility
    isfinfo.IsfInfo     Determines information about the currently available ISF files, or a specific one
    layerwriter.LayerWriter
                        Runs the automagics and writes out the primary layer produced by the stacker.
   linux和mac的插件。。。。
    timeliner.Timeliner
                        Runs all relevant plugins that provide time related information and orders the results by
                        time.

windows的比较多:
    windows.bigpools.BigPools
                        List big page pools.
    windows.cachedump.Cachedump
                        Dumps lsa secrets from memory
    windows.callbacks.Callbacks
                        Lists kernel callbacks and notification routines.
    windows.cmdline.CmdLine
                        Lists process command line arguments.
    windows.crashinfo.Crashinfo
    windows.devicetree.DeviceTree
                        Listing tree based on drivers and attached devices in a particular windows memory image.
    windows.dlllist.DllList
                        Lists the loaded modules in a particular windows memory image.
    windows.driverirp.DriverIrp
                        List IRPs for drivers in a particular windows memory image.
    windows.drivermodule.DriverModule
                        Determines if any loaded drivers were hidden by a rootkit
    windows.driverscan.DriverScan
                        Scans for drivers present in a particular windows memory image.
    windows.dumpfiles.DumpFiles
                        Dumps cached file contents from Windows memory samples.
    windows.envars.Envars
                        Display process environment variables
    windows.filescan.FileScan
                        Scans for file objects present in a particular windows memory image.
    windows.getservicesids.GetServiceSIDs
                        Lists process token sids.
    windows.getsids.GetSIDs
                        Print the SIDs owning each process
    windows.handles.Handles
                        Lists process open handles.
    windows.hashdump.Hashdump
                        Dumps user hashes from memory
    windows.info.Info   Show OS & kernel details of the memory sample being analyzed.
    windows.joblinks.JobLinks
                        Print process job link information
    windows.ldrmodules.LdrModules
    windows.lsadump.Lsadump
                        Dumps lsa secrets from memory
    windows.malfind.Malfind
                        Lists process memory ranges that potentially contain injected code.
    windows.mbrscan.MBRScan
                        Scans for and parses potential Master Boot Records (MBRs)
    windows.memmap.Memmap
                        Prints the memory map
    windows.mftscan.MFTScan
                        Scans for MFT FILE objects present in a particular windows memory image.
    windows.modscan.ModScan
                        Scans for modules present in a particular windows memory image.
    windows.modules.Modules
                        Lists the loaded kernel modules.
    windows.mutantscan.MutantScan
                        Scans for mutexes present in a particular windows memory image.
    windows.netscan.NetScan
                        Scans for network objects present in a particular windows memory image.
    windows.netstat.NetStat
                        Traverses network tracking structures present in a particular windows memory image.
    windows.poolscanner.PoolScanner
                        A generic pool scanner plugin.
    windows.privileges.Privs
                        Lists process token privileges
    windows.pslist.PsList
                        Lists the processes present in a particular windows memory image.
    windows.psscan.PsScan
                        Scans for processes present in a particular windows memory image.
    windows.pstree.PsTree
                        Plugin for listing processes in a tree based on their parent process ID.
    windows.registry.certificates.Certificates
                        Lists the certificates in the registry's Certificate Store.
    windows.registry.hivelist.HiveList
                        Lists the registry hives present in a particular memory image.
    windows.registry.hivescan.HiveScan
                        Scans for registry hives present in a particular windows memory image.
    windows.registry.printkey.PrintKey
                        Lists the registry keys under a hive or specific key value.
    windows.registry.userassist.UserAssist
                        Print userassist registry keys and information.
    windows.sessions.Sessions
                        lists Processes with Session information extracted from Environmental Variables
    windows.skeleton_key_check.Skeleton_Key_Check
                        Looks for signs of Skeleton Key malware
    windows.ssdt.SSDT   Lists the system call table.
    windows.statistics.Statistics
    windows.strings.Strings
                        Reads output from the strings command and indicates which process(es) each string belongs to.
    windows.svcscan.SvcScan
                        Scans for windows services.
    windows.symlinkscan.SymlinkScan
                        Scans for links present in a particular windows memory image.
    windows.vadinfo.VadInfo
                        Lists process memory ranges.
    windows.vadwalk.VadWalk
                        Walk the VAD tree.
    windows.vadyarascan.VadYaraScan
                        Scans all the Virtual Address Descriptor memory maps using yara.
    windows.verinfo.VerInfo
                        Lists version information from PE files.
    windows.virtmap.VirtMap
                        Lists virtual mapped sections.
    yarascan.YaraScan   Scans kernel memory using yara rules (string or file).

 

例如,我要看进程对应的cmdline:

python .\vol.py -f .\alina1G.elf windows.cmdline
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     Process Args

4       System  Required memory at 0x10 is not valid (process exited?)
268     smss.exe        \SystemRoot\System32\smss.exe
348     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
384     wininit.exe     wininit.exe
392     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
432     winlogon.exe    winlogon.exe
476     services.exe    C:\Windows\system32\services.exe
484     lsass.exe       C:\Windows\system32\lsass.exe
492     lsm.exe C:\Windows\system32\lsm.exe
596     svchost.exe     C:\Windows\system32\svchost.exe -k DcomLaunch
660     VBoxService.ex  system32\VBoxService.exe
712     svchost.exe     C:\Windows\system32\svchost.exe -k RPCSS
764     svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
884     svchost.exe     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
928     svchost.exe     C:\Windows\system32\svchost.exe -k netsvcs
988     audiodg.exe     C:\Windows\system32\AUDIODG.EXE 0x2b4
1096    svchost.exe     C:\Windows\system32\svchost.exe -k LocalService
1228    svchost.exe     C:\Windows\system32\svchost.exe -k NetworkService
1308    spoolsv.exe     C:\Windows\System32\spoolsv.exe
1344    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1448    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1864    taskhost.exe    "taskhost.exe"
1924    dwm.exe "C:\Windows\system32\Dwm.exe"
1940    explorer.exe    C:\Windows\Explorer.EXE
316     VBoxTray.exe    "C:\Windows\System32\VBoxTray.exe"
1876    SearchIndexer.  C:\Windows\system32\SearchIndexer.exe /Embedding
320     SearchProtocol  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1943312967-2543331679-1049226392-10021_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1943312967-2543331679-1049226392-10021 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
1128    SearchFilterHo  "C:\Windows\system32\SearchFilterHost.exe" 0 504 508 516 65536 512
1828    ALINA_CJLXYJ.e  ALINA=C:\Users\Usuario\Desktop\ALINA_mod.exe

 

接下来就是孰能生巧了!一些常用命令我摘录下:pstree看起来通过***区分层级也还不错!

python .\vol.py -f .\alina1G.elf windows.pstree
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

4       0       System  0x84233750      81      481     N/A     False   2019-09-21 12:06:32.000000      N/A
* 268   4       smss.exe        0x85095180      4       29      N/A     False   2019-09-21 12:06:32.000000      N/A
348     340     csrss.exe       0x8587b030      8       355     0       False   2019-09-21 12:06:34.000000      N/A
384     340     wininit.exe     0x85884d40      7       90      0       False   2019-09-21 12:06:34.000000      N/A
* 492   384     lsm.exe 0x858f0b48      11      155     0       False   2019-09-21 12:06:34.000000      N/A
* 476   384     services.exe    0x858e8948      18      203     0       False   2019-09-21 12:06:34.000000      N/A
** 928  476     svchost.exe     0x85a06478      42      748     0       False   2019-09-21 12:06:35.000000      N/A
** 1344 476     svchost.exe     0x85ab9360      22      313     0       False   2019-09-21 12:06:36.000000      N/A
** 712  476     svchost.exe     0x85951458      10      235     0       False   2019-09-21 12:06:35.000000      N/A
** 1096 476     svchost.exe     0x85a631a0      16      246     0       False   2019-09-21 12:06:35.000000      N/A
** 1448 476     svchost.exe     0x859b7030      13      172     0       False   2019-09-21 12:06:36.000000      N/A
** 1864 476     taskhost.exe    0x859b3858      10      173     1       False   2019-09-21 12:06:39.000000      N/A
** 1228 476     svchost.exe     0x85a7ed40      18      350     0       False   2019-09-21 12:06:35.000000      N/A
** 660  476     VBoxService.ex  0x8594a030      12      117     0       False   2019-09-21 12:06:35.000000      N/A
** 596  476     svchost.exe     0x859318d8      15      358     0       False   2019-09-21 12:06:35.000000      N/A
** 884  476     svchost.exe     0x859d4530      23      421     0       False   2019-09-21 12:06:35.000000      N/A
*** 1924        884     dwm.exe 0x85279368      5       71      1       False   2019-09-21 12:06:39.000000      N/A
** 1308 476     spoolsv.exe     0x85a96498      15      295     0       False   2019-09-21 12:06:36.000000      N/A
** 1876 476     SearchIndexer.  0x859cca68      13      613     0       False   2019-09-21 12:06:45.000000      N/A
*** 320 1876    SearchProtocol  0x842ccd40      7       256     1       False   2019-09-21 12:06:46.000000      N/A
*** 1128        1876    SearchFilterHo  0x85cefc88      5       79      0       False   2019-09-21 12:06:46.000000      N/A
** 764  476     svchost.exe     0x851a4158      20      392     0       False   2019-09-21 12:06:35.000000      N/A
*** 988 764     audiodg.exe     0x85a3a530      7       133     0       False   2019-09-21 12:06:35.000000      N/A
* 484   384     lsass.exe       0x858eea00      9       483     0       False   2019-09-21 12:06:34.000000      N/A
392     376     csrss.exe       0x842a4508      7       166     1       False   2019-09-21 12:06:34.000000      N/A
432     376     winlogon.exe    0x858d2c28      6       138     1       False   2019-09-21 12:06:34.000000      N/A
1940    1916    explorer.exe    0x84b2ed40      31      668     1       False   2019-09-21 12:06:39.000000      N/A
* 316   1940    VBoxTray.exe    0x85cc5030      11      102     1       False   2019-09-21 12:06:40.000000      N/A
1828    628     ALINA_CJLXYJ.e  0x85d01c48      2       47      1       False   2019-09-21 12:07:04.000000      N/A

 

posted @ 2023-05-02 23:00  bonelee  阅读(1466)  评论(0编辑  收藏  举报