Volatility 3 getting-started notes
Download the Malware Analyst's Cookbook DVD material and vol3
Download URL: https://codeload.github.com/ganboing/malwarecookbook/zip/refs/heads/master
Then download vol3 and install it:
https://codeload.github.com/volatilityfoundation/volatility3/zip/refs/heads/stable
When I first ran it:
python D:\Application\volatility3-stable\vol.py -f .\prolaco.vmem\prolaco.vmem windows.pstree.PsTree
Volatility 3 Framework 2.4.1
WARNING volatility3.framework.plugins: Automagic exception occurred: ValueError: Symbol type not in symbol_table_name1 SymbolTable: _ETHREAD
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsTree.kernel.symbol_table_name']
Here prolaco.vmem is the vmem data from the Malware Analyst's Cookbook DVD.
The error above shows that my system is missing the symbol files, so I needed to:
Download the symbol tables
Symbol table packs for the various operating systems can be downloaded from:
https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
Then unzip it; I put it under D:\Application\volatility3-stable\volatility3\symbols\windows\
Run the above command again:
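The check I would want after unpacking the symbol pack, as an added example (my own code, not from the original notes or from the Volatility project): index the ISF files under the symbols directory and confirm that the PDB GUID/age that windows.info prints in its Symbols row is actually present. The layout windows/<pdb name>/<GUID>-<age>.json.xz is the one windows.info reports later on this page; the helper names and the sample listing are assumptions.

```python
"""Check whether a Volatility 3 symbols directory holds the ISF file for a
given Windows kernel PDB.

Added example, not code from the original notes or from the Volatility
project. It assumes the on-disk layout that windows.info reports on this
page: <symbols_dir>/windows/<pdb name>/<GUID>-<age>.json.xz
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Leaf file name of an ISF: 32 hex digits (PDB GUID), a dash, the PDB age,
# and .json with an optional compression suffix.
ISF_NAME_RE = re.compile(
    r"^(?P<guid>[0-9A-Fa-f]{32})-(?P<age>\d+)\.json(?:\.xz|\.gz|\.bz2)?$"
)

# The "Symbols" row of windows.info is a file:// URI ending in
# .../windows/<pdb>/<GUID>-<age>.json.xz; only the last two parts matter.
SYMBOLS_URI_RE = re.compile(
    r"/(?P<pdb>[^/]+\.pdb)/(?P<guid>[0-9A-Fa-f]{32})-(?P<age>\d+)\.json"
)


def index_isf_paths(rel_paths: Iterable[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Build {pdb name (lower-case): [(GUID upper-case, age), ...]} from paths
    relative to the symbols directory. Files outside windows/ or that do not
    look like an ISF are ignored."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for rel in rel_paths:
        parts = rel.replace("\\", "/").split("/")
        if len(parts) < 3 or parts[0].lower() != "windows":
            continue
        m = ISF_NAME_RE.match(parts[-1])
        if not m:
            continue
        pdb = parts[-2].lower()
        index.setdefault(pdb, []).append((m.group("guid").upper(), int(m.group("age"))))
    return index


def parse_symbols_uri(uri: str) -> Optional[Tuple[str, str, int]]:
    """Extract (pdb, GUID, age) from the Symbols value printed by windows.info."""
    m = SYMBOLS_URI_RE.search(uri.replace("\\", "/"))
    if not m:
        return None
    return m.group("pdb").lower(), m.group("guid").upper(), int(m.group("age"))


def has_symbols(index: Dict[str, List[Tuple[str, int]]], pdb: str, guid: str, age: int) -> bool:
    """True if the ISF for this PDB GUID/age is present in the index."""
    return (guid.upper(), age) in index.get(pdb.lower(), [])


def scan_symbols_dir(symbols_dir: str) -> Dict[str, List[Tuple[str, int]]]:
    """Walk a real symbols directory and index every ISF found under windows/."""
    rels = []
    for root, _dirs, files in os.walk(symbols_dir):
        for name in files:
            rels.append(os.path.relpath(os.path.join(root, name), symbols_dir))
    return index_isf_paths(rels)


if __name__ == "__main__":
    # Constructed listing standing in for an unpacked windows.zip; the first
    # entry is the file windows.info reports for alina1G.elf on this page.
    listing = [
        r"windows\ntkrnlmp.pdb\00625D7D36754CBEBA4533BA9A0F3FE2-2.json.xz",
        r"windows\ntkrnlmp.pdb\not-an-isf.txt",
    ]
    idx = index_isf_paths(listing)
    need = parse_symbols_uri(
        "file:///D:/Application/volatility3-stable/volatility3/symbols/windows/"
        "ntkrnlmp.pdb/00625D7D36754CBEBA4533BA9A0F3FE2-2.json.xz"
    )
    print("present" if need and has_symbols(idx, *need) else "missing")
```

If windows.info runs but a plugin still complains about an unsatisfied symbol_table_name requirement, run scan_symbols_dir on the directory vol.py actually uses (or the one passed with -s) and compare against the GUID/age from the Symbols row; a wrong sub-directory or a mis-cased GUID shows up immediately.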
python D:\Application\volatility3-stable\vol.py -f .\prolaco.vmem\prolaco.vmem windows.pstree.PsTree
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0x810b1660 56 253 N/A False N/A N/A
* 544 4 smss.exe 0xff2ab020 3 21 N/A False 2010-08-11 06:06:21.000000 N/A
** 608 544 csrss.exe 0xff1ecda0 11 349 0 False 2010-08-11 06:06:23.000000 N/A
** 632 544 winlogon.exe 0xff1ec978 19 565 0 False 2010-08-11 06:06:23.000000 N/A
*** 688 632 lsass.exe 0xff255020 19 341 0 False 2010-08-11 06:06:24.000000 N/A
*** 676 632 services.exe 0xff247020 16 269 0 False 2010-08-11 06:06:24.000000 N/A
**** 1088 676 svchost.exe 0xff22d558 4 75 0 False 2010-08-11 06:06:25.000000 N/A
**** 1028 676 svchost.exe 0x80fbf910 63 1334 0 False 2010-08-11 06:06:24.000000 N/A
***** 888 1028 wscntfy.exe 0xff364310 1 27 0 False 2010-08-11 06:06:49.000000 N/A
***** 468 1028 wuauclt.exe 0x80f94588 3 130 0 False 2010-08-11 06:09:37.000000 N/A
**** 1432 676 spoolsv.exe 0xff1d7da0 13 135 0 False 2010-08-11 06:06:26.000000 N/A
**** 1668 676 vmtoolsd.exe 0xff1b8b28 5 219 0 False 2010-08-11 06:06:35.000000 N/A
**** 1788 676 VMUpgradeHelper 0xff1fdc88 3 97 0 False 2010-08-11 06:06:38.000000 N/A
**** 936 676 svchost.exe 0xff217560 9 256 0 False 2010-08-11 06:06:24.000000 N/A
**** 844 676 vmacthlp.exe 0xff218230 1 24 0 False 2010-08-11 06:06:24.000000 N/A
**** 1968 676 TPAutoConnSvc.e 0xff143b28 5 100 0 False 2010-08-11 06:06:39.000000 N/A
***** 1084 1968 TPAutoConnect.e 0xff38b5f8 1 61 0 False 2010-08-11 06:06:52.000000 N/A
**** 856 676 svchost.exe 0x80ff88d8 16 198 0 False 2010-08-11 06:06:24.000000 N/A
**** 1148 676 svchost.exe 0xff203b80 14 207 0 False 2010-08-11 06:06:26.000000 N/A
**** 216 676 alg.exe 0xff25a7e0 6 104 0 False 2010-08-11 06:06:39.000000 N/A
1724 1708 explorer.exe 0xff3865d0 11 294 0 False 2010-08-11 06:09:29.000000 N/A
* 432 1724 VMwareTray.exe 0xff3667e8 1 49 0 False 2010-08-11 06:09:31.000000 N/A
* 452 1724 VMwareUser.exe 0xff374980 5 176 0 False 2010-08-11 06:09:32.000000 N/A
* 1136 1724 ImmunityDebugge 0xff37a4b0 2 73 0 False 2010-08-11 16:50:19.000000 N/A
In addition, to test vol3's common commands specifically, I downloaded a dedicated test vmem file from http://webdiis.unizar.es/~ricardo/sbc-2021/adicional/volcados/alina1G.elf.tar.gz (although it is called elf, it is actually still a Windows vmem) and put it in the vol3 directory so that I can use it for command testing any time.
python .\vol.py -f .\alina1G.elf windows.info
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0x82805000
DTB 0x185000
Symbols file:///D:/Application/volatility3-stable/volatility3/symbols/windows/ntkrnlmp.pdb/00625D7D36754CBEBA4533BA9A0F3FE2-2.json.xz
Is64Bit False
IsPAE False
layer_name 0 WindowsIntel
memory_layer 1 Elf64Layer
base_layer 2 FileLayer
KdDebuggerDataBlock 0x82926c28
NTBuildLab 7601.17514.x86fre.win7sp1_rtm.10
CSDVersion 1
KdVersionBlock 0x82926c00
Major/Minor 15.7601
MachineType 332
KeNumberProcessors 1
SystemTime 2019-09-21 12:07:14
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 6
NtMinorVersion 1
PE MajorOperatingSystemVersion 6
PE MinorOperatingSystemVersion 1
PE Machine 332
PE TimeDateStamp Sat Nov 20 08:42:46 2010
Supplement: how to generate a vmem file
DumpIt [not great; it gave me problems under Win10]
DumpIt is a crash-dump tool that is part of the free Comae Memory Toolkit (earlier versions of this tool were released by MoonSols and are no longer available). DumpIt takes a snapshot of the host's physical memory, and the result can be analysed with the usual memory forensics tools such as the Volatility Framework, Rekall or Redline.
This tool is not suited to red-team penetration work because the dump files it produces are very large; the method is usually used for malware analysis.
DumpIt download addresses:
- https://github.com/thimbleweed/All-In-USB/tree/master/utilities/DumpIt
- https://codeload.github.com/h4sh5/DumpIt-mirror/zip/refs/heads/main (this is the one I used)
On the Windows platform DumpIt is a simple, easy-to-use tool for acquiring a computer memory image. It is usually kept on a large-capacity portable hard drive or USB stick, can be run directly on the running Windows system, and you just follow the prompts.
To test whether this tool works well, I started a few processes in a virtual machine and then used DumpIt to generate a dmp file on the desktop; it was 2GB in size, because my memory happens to be exactly 2G!
Then I analysed the dumped file and looked at the process cmdline list:
python .\vol.py -f .\DESKTOP-JGUS422-20230502-143327.dmp windows.cmdline
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process Args
4 System Required memory at 0x20 is not valid (process exited?)
88 Registry Required memory at 0x20 is not valid (process exited?)
332 smss.exe Required memory at 0x78 is not valid (process exited?)
448 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
524 wininit.exe wininit.exe
532 csrss.exe s(%d) tid(%x) %08X %ws
624 winlogon.exe winlogon.exe
636 services.exe C:\Windows\system32\services.exe
672 lsass.exe C:\Windows\system32\lsass.exe
784 fontdrvhost.ex Required memory at 0xf35ed79020 is inaccessible (swapped)
788 fontdrvhost.ex "fontdrvhost.exe"
800 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p
900 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -p
1000 dwm.exe "dwm.exe"
372 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
724 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
668 svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p
1084 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
1212 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1220 svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p
1296 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p
1312 svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
1472 HipsDaemon.exe "C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon
1720 TrustedInstall C:\Windows\servicing\TrustedInstaller.exe
1732 MemCompression Required memory at 0x20 is not valid (process exited?)
1840 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1888 usysdiag.exe Required memory at 0xba2e22a020 is inaccessible (swapped)
2044 wsctrlsvc.exe "C:\Program Files (x86)\Huorong\Sysdiag\bin\wsctrlsvc.exe" /svc_run
1068 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
2000 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1792 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
2080 svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p
2160 spoolsv.exe C:\Windows\System32\spoolsv.exe
2212 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
2268 CompatTelRunne C:\Windows\system32\compattelrunner.exe
2304 dasHost.exe dashost.exe {a4107603-4ae0-4d0b-b39719fff08b7465}
2432 svchost.exe C:\Windows\System32\svchost.exe -k utcsvc -p
2480 Sysmon64.exe C:\Windows\Sysmon64.exe
2504 VGAuthService. "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
2520 vm3dservice.ex Required memory at 0x1fb80151ae8 is inaccessible (swapped)
2540 vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
2640 vm3dservice.ex vm3dservice.exe -n
2768 unsecapp.exe ᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹᬹ
2936 svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p
2964 dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{4350C118-8E48-4788-9048-5D3B49268A2D}
2976 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
2584 vm3dservice.ex Required memory at 0x1f49c6b1ae8 is inaccessible (swapped)
2008 dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
3492 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
3688 msdtc.exe C:\Windows\System32\msdtc.exe
3840 VSSVC.exe C:\Windows\system32\vssvc.exe
4044 conhost.exe Required memory at 0x1919ef71ae8 is inaccessible (swapped)
3916 sihost.exe sihost.exe
3948 svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
3636 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1608 ctfmon.exe "ctfmon.exe"
4112 userinit.exe Required memory at 0x2ac8722020 is not valid (process exited?)
4132 explorer.exe C:\Windows\Explorer.EXE
4280 ChsIME.exe C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
4508 svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
4796 ShellExperienc "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
4996 SearchUI.exe "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
4180 RuntimeBroker. Required memory at 0xa319252020 is inaccessible (swapped)
3480 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
5152 ApplicationFra C:\Windows\system32\ApplicationFrameHost.exe -Embedding
5176 MicrosoftEdge. Required memory at 0x1175187020 is inaccessible (swapped)
5240 SkypeApp.exe Required memory at 0x84502b5020 is inaccessible (swapped)
5248 SkypeBackgroun Required memory at 0x90248d03 is inaccessible (swapped)
5280 YourPhone.exe Required memory at 0xe37569a020 is inaccessible (swapped)
5472 WmiApSrv.exe Required memory at 0x1fc8fec1ae8 is inaccessible (swapped)
5620 browser_broker Required memory at 0x315fff01315f is not valid (process exited?)
5792 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
5952 RuntimeBroker.
6016 MicrosoftEdgeS C:\Windows\system32\MicrosoftEdgeSH.exe SCODEF:5176 CREDAT:9730 APH:7800000000006 JITHOST /prefetch:2
6060 MicrosoftEdgeC Required memory at 0xe02a58e020 is inaccessible (swapped)
2320 WindowsInterna "C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe" -ServerName:App.AppXagta193n5rpf7mheremt3yyfa1g555vc.mca
6388 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
6568 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
2752 dllhost.exe Required memory at 0x90ec228020 is inaccessible (swapped)
5020 SgrmBroker.exe Required memory at 0x9887344020 is not valid (process exited?)
6580 sppsvc.exe Required memory at 0x35e76fe020 is not valid (process exited?)
But not seeing calc.exe is really odd. Is there something wrong with this dump file??? There must be!!!
Use VMware's built-in snapshot dump feature [works well, no problems]
Continuing with VMware's native way of dumping: suspend the VM first, then go and search for the file; it is easy to find.
Then I ran vol3's cmdline command again, and this time I finally saw Calculator.exe!
python .\vol.py -f .\564d9712-503e-94dd-3e66-ff23e58d1a0e.vmem windows.cmdline
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process Args
4 System Required memory at 0x20 is inaccessible (swapped)
88 Registry Required memory at 0x20 is not valid (process exited?)
332 smss.exe Required memory at 0x4f82e97020 is not valid (process exited?)
448 csrss.exe Required memory at 0x1df22602dc8 is inaccessible (swapped)
524 wininit.exe wininit.exe
532 csrss.exe Required memory at 0x179cf8033bc is inaccessible (swapped)
624 winlogon.exe Required memory at 0x7d52809020 is inaccessible (swapped)
636 services.exe C:\Windows\system32\services.exe
672 lsass.exe C:\Windows\system32\lsass.exe
784 fontdrvhost.ex Required memory at 0xf35ed79020 is inaccessible (swapped)
788 fontdrvhost.ex "fontdrvhost.exe"
800 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p
900 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -p
1000 dwm.exe "dwm.exe"
372 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
724 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
668 svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p
1084 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
1212 svchost.exe Process 1212: Required memory at 0x30aaaf6020 is not valid (incomplete layer memory_layer?)
1220 svchost.exe Required memory at 0xb5fcd9a020 is inaccessible (swapped)
1296 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p
1312 svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
1472 HipsDaemon.exe "C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon
1732 MemCompression Required memory at 0x20 is not valid (process exited?)
1840 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1888 usysdiag.exe Required memory at 0xba2e22a020 is inaccessible (swapped)
2044 wsctrlsvc.exe Required memory at 0xe1e020 is inaccessible (swapped)
1068 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
2000 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1792 svchost.exe Required memory at 0x5f5347c8 is not valid (process exited?)
2080 svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p
2160 spoolsv.exe Required memory at 0x3f804fb04677 is not valid (process exited?)
2212 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
2304 dasHost.exe dashost.exe {a4107603-4ae0-4d0b-b39719fff08b7465}
2432 svchost.exe C:\Windows\System32\svchost.exe -k utcsvc -p
2480 Sysmon64.exe C:\Windows\Sysmon64.exe
2504 VGAuthService. Process 2504: Required memory at 0x7c946d3020 is not valid (incomplete layer memory_layer?)
2520 vm3dservice.ex Required memory at 0x2813ec1020 is inaccessible (swapped)
2540 vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
2640 vm3dservice.ex Process 2640: Required memory at 0x33c4827020 is not valid (incomplete layer memory_layer?)
2768 unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
2976 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
2584 vm3dservice.ex Required memory at 0x473ca1f020 is inaccessible (swapped)
2008 dllhost.exe Required memory at 0x9b99370020 is inaccessible (swapped)
3492 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
3688 msdtc.exe Required memory at 0x7fa2d611ff79 is not valid (process exited?)
3916 sihost.exe sihost.exe
3948 svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
3636 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1608 ctfmon.exe "ctfmon.exe"
4112 userinit.exe Required memory at 0x2ac8722020 is not valid (process exited?)
4132 explorer.exe C:\Windows\Explorer.EXE
4280 ChsIME.exe C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
4508 svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
4796 ShellExperienc "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
4996 SearchUI.exe Required memory at 0x20b45c034d8 is inaccessible (swapped)
4180 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
3480 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
5152 ApplicationFra C:\Windows\system32\ApplicationFrameHost.exe -Embedding
5176 MicrosoftEdge. Process 5176: Required memory at 0x1175187020 is not valid (incomplete layer memory_layer?)
5240 SkypeApp.exe Process 5240: Required memory at 0x4502b5020 is not valid (incomplete layer memory_layer?)
5248 SkypeBackgroun Required memory at 0x8228ff5020 is inaccessible (swapped)
5280 YourPhone.exe Process 5280: Required memory at 0x637569a020 is not valid (incomplete layer memory_layer?)
5620 browser_broker Required memory at 0x29d8640020 is inaccessible (swapped)
5792 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
5952 RuntimeBroker. Required memory at 0xd3f46d7020 is inaccessible (swapped)
6016 MicrosoftEdgeS Required memory at 0x137b0a03518 is inaccessible (swapped)
6060 MicrosoftEdgeC Process 6060: Required memory at 0x602a58e020 is not valid (incomplete layer memory_layer?)
2320 WindowsInterna "C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe" -ServerName:App.AppXagta193n5rpf7mheremt3yyfa1g555vc.mca
6388 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
6568 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
6852 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
6940 smartscreen.ex C:\Windows\System32\smartscreen.exe -Embedding
6996 SecurityHealth Required memory at 0x7e6dc0d020 is inaccessible (swapped)
7036 SecurityHealth C:\Windows\system32\SecurityHealthService.exe
7048 vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
7108 HipsTray.exe Required memory at 0x96a020 is not valid (process exited?)
6184 OneDrive.exe "C:\Users\bonelee\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
6896 HipsTray.exe "C:\Program Files (x86)\Huorong\Sysdiag\\bin\HipsTray.exe"
7264 HipsTray.exe Required memory at 0xbcf020 is not valid (process exited?)
7528 Microsoft.Shar Required memory at 0x51b9f5020 is not valid (process exited?)
376 dllhost.exe Required memory at 0x7279e72020 is inaccessible (swapped)
7200 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\bonelee\Desktop\normal.html
7296 iexplore.exe Required memory at 0x2f21cc8 is inaccessible (swapped)
4808 iexplore.exe Required memory at 0xbe1cc8 is inaccessible (swapped)
7668 WinStore.App.e Process 7668: Required memory at 0x2bf38034b8 is not valid (incomplete layer memory_layer?)
3008 Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
2076 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
388 RuntimeBroker. Required memory at 0xdc50f22020 is inaccessible (swapped)
6216 ChsIME.exe Process 6216: Required memory at 0x7bbfc70020 is not valid (incomplete layer memory_layer?)
5020 SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
6448 uhssvc.exe Process 6448: Required memory at 0x2d911d1ae8 is not valid (incomplete layer memory_layer?)
6764 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
4480 DumpIt.exe Required memory at 0x53d7897020 is inaccessible (swapped)
7836 Microsoft.Phot Required memory at 0xffffffffffe8 is not valid (process exited?)
1260 RuntimeBroker. C:\Windows\System32\RuntimeBroker.exe -Embedding
2036 svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
2100 svchost.exe C:\Windows\system32\svchost.exe -k SDRSVC
1256 svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p
Other notes: common tools that support memory acquisition on the Windows platform include: ==> basically all of them are hard to download, todo; if I run into this in a real customer environment I will certainly use them!
- DumpIt (earlier versions were named Win32dd)
- Belkasoft RAMCapturer
- Magnet RAM Capture
- WinEn
- Winpmem
- EnCase Imager
- FTK Imager
Common memory acquisition tools for Linux:
- dd (suited to early Linux versions)
- LiME http://code.google.com/p/lime-forensics/
- linpmem
- Draugr http://code.google.com/p/draugr/
- Volatilitux http://code.google.com/p/volatilitux/
- Memfetch http://lcamtuf.coredump.cx/
- Memdump
Memory acquisition tools for Mac OSX:
- MacMemoryReader
- osxpmem
- Recon for Mac OSX
- Blackbag MacQuisition
Let's look at vol3's current usage:
python .\vol.py -h
Volatility 3 Framework 2.4.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS]
[-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
[--save-config SAVE_CONFIG] [--clear-cache] [--cache-path CACHE_PATH] [--offline]
[--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]]
[--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...
An open-source memory forensics framework
Plugins:
For plugin specific options, run 'volatility <plugin> --help'
plugin
banners.Banners Attempts to identify potential linux banners in an image
configwriter.ConfigWriter
Runs the automagics and both prints and outputs configuration in the output directory.
frameworkinfo.FrameworkInfo
Plugin to list the various modular components of Volatility
isfinfo.IsfInfo Determines information about the currently available ISF files, or a specific one
layerwriter.LayerWriter
Runs the automagics and writes out the primary layer produced by the stacker.
linux and mac plugins....
timeliner.Timeliner
Runs all relevant plugins that provide time related information and orders the results by
time.
windows has quite a few:
windows.bigpools.BigPools
List big page pools.
windows.cachedump.Cachedump
Dumps lsa secrets from memory
windows.callbacks.Callbacks
Lists kernel callbacks and notification routines.
windows.cmdline.CmdLine
Lists process command line arguments.
windows.crashinfo.Crashinfo
windows.devicetree.DeviceTree
Listing tree based on drivers and attached devices in a particular windows memory image.
windows.dlllist.DllList
Lists the loaded modules in a particular windows memory image.
windows.driverirp.DriverIrp
List IRPs for drivers in a particular windows memory image.
windows.drivermodule.DriverModule
Determines if any loaded drivers were hidden by a rootkit
windows.driverscan.DriverScan
Scans for drivers present in a particular windows memory image.
windows.dumpfiles.DumpFiles
Dumps cached file contents from Windows memory samples.
windows.envars.Envars
Display process environment variables
windows.filescan.FileScan
Scans for file objects present in a particular windows memory image.
windows.getservicesids.GetServiceSIDs
Lists process token sids.
windows.getsids.GetSIDs
Print the SIDs owning each process
windows.handles.Handles
Lists process open handles.
windows.hashdump.Hashdump
Dumps user hashes from memory
windows.info.Info Show OS & kernel details of the memory sample being analyzed.
windows.joblinks.JobLinks
Print process job link information
windows.ldrmodules.LdrModules
windows.lsadump.Lsadump
Dumps lsa secrets from memory
windows.malfind.Malfind
Lists process memory ranges that potentially contain injected code.
windows.mbrscan.MBRScan
Scans for and parses potential Master Boot Records (MBRs)
windows.memmap.Memmap
Prints the memory map
windows.mftscan.MFTScan
Scans for MFT FILE objects present in a particular windows memory image.
windows.modscan.ModScan
Scans for modules present in a particular windows memory image.
windows.modules.Modules
Lists the loaded kernel modules.
windows.mutantscan.MutantScan
Scans for mutexes present in a particular windows memory image.
windows.netscan.NetScan
Scans for network objects present in a particular windows memory image.
windows.netstat.NetStat
Traverses network tracking structures present in a particular windows memory image.
windows.poolscanner.PoolScanner
A generic pool scanner plugin.
windows.privileges.Privs
Lists process token privileges
windows.pslist.PsList
Lists the processes present in a particular windows memory image.
windows.psscan.PsScan
Scans for processes present in a particular windows memory image.
windows.pstree.PsTree
Plugin for listing processes in a tree based on their parent process ID.
windows.registry.certificates.Certificates
Lists the certificates in the registry's Certificate Store.
windows.registry.hivelist.HiveList
Lists the registry hives present in a particular memory image.
windows.registry.hivescan.HiveScan
Scans for registry hives present in a particular windows memory image.
windows.registry.printkey.PrintKey
Lists the registry keys under a hive or specific key value.
windows.registry.userassist.UserAssist
Print userassist registry keys and information.
windows.sessions.Sessions
lists Processes with Session information extracted from Environmental Variables
windows.skeleton_key_check.Skeleton_Key_Check
Looks for signs of Skeleton Key malware
windows.ssdt.SSDT Lists the system call table.
windows.statistics.Statistics
windows.strings.Strings
Reads output from the strings command and indicates which process(es) each string belongs to.
windows.svcscan.SvcScan
Scans for windows services.
windows.symlinkscan.SymlinkScan
Scans for links present in a particular windows memory image.
windows.vadinfo.VadInfo
Lists process memory ranges.
windows.vadwalk.VadWalk
Walk the VAD tree.
windows.vadyarascan.VadYaraScan
Scans all the Virtual Address Descriptor memory maps using yara.
windows.verinfo.VerInfo
Lists version information from PE files.
windows.virtmap.VirtMap
Lists virtual mapped sections.
yarascan.YaraScan Scans kernel memory using yara rules (string or file).
For example, to see the cmdline of each process:
python .\vol.py -f .\alina1G.elf windows.cmdline
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process Args
4 System Required memory at 0x10 is not valid (process exited?)
268 smss.exe \SystemRoot\System32\smss.exe
348 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
384 wininit.exe wininit.exe
392 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
432 winlogon.exe winlogon.exe
476 services.exe C:\Windows\system32\services.exe
484 lsass.exe C:\Windows\system32\lsass.exe
492 lsm.exe C:\Windows\system32\lsm.exe
596 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
660 VBoxService.ex system32\VBoxService.exe
712 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS
764 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
884 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
928 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
988 audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x2b4
1096 svchost.exe C:\Windows\system32\svchost.exe -k LocalService
1228 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService
1308 spoolsv.exe C:\Windows\System32\spoolsv.exe
1344 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1448 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1864 taskhost.exe "taskhost.exe"
1924 dwm.exe "C:\Windows\system32\Dwm.exe"
1940 explorer.exe C:\Windows\Explorer.EXE
316 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
1876 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
320 SearchProtocol "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1943312967-2543331679-1049226392-10021_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1943312967-2543331679-1049226392-10021 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
1128 SearchFilterHo "C:\Windows\system32\SearchFilterHost.exe" 0 504 508 516 65536 512
1828 ALINA_CJLXYJ.e ALINA=C:\Users\Usuario\Desktop\ALINA_mod.exe
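Here is an added example (my own code, not from the original notes or from the Volatility project) that parses windows.cmdline text output like the three listings on this page (the DumpIt dmp, the VMware vmem, and alina1G.elf just above) and groups the rows an analyst looks at first: processes whose Args could not be read (swapped, exited, or outside the captured layer), and processes whose printed name is not a prefix of the executable named in their own command line. That second check picks out the format-string garbage in the DumpIt dump's second csrss.exe row and the ALINA_CJLXYJ.e row above. A small lookup helper answers the earlier "is Calculator.exe in this dump at all?" question. The sample rows are copied from this page; the tab layout and the function names are assumptions.

```python
"""Triage the text output of windows.cmdline.CmdLine.

Added example, not code from the original notes or the Volatility project.
It assumes the "PID Process Args" row layout shown on this page, where Args
is either a command line or a Volatility error such as
"Required memory at 0x... is inaccessible (swapped)".
"""
import re
from typing import Dict, List, NamedTuple


class CmdRow(NamedTuple):
    pid: int
    name: str   # ImageFileName as printed (truncated by the plugin)
    args: str   # command line, error text, or "" when nothing was printed


# Errors the plugin prints instead of a command line, with or without the
# "Process N:" prefix seen in the VMware listing on this page.
UNAVAILABLE_RE = re.compile(r"^(?:Process \d+: )?Required memory at 0x[0-9a-fA-F]+ is ")

# Kernel-backed processes that never carry a user-mode command line.
NO_CMDLINE = {"system", "registry", "memcompression"}


def parse_cmdline_output(text: str) -> List[CmdRow]:
    """Keep only rows that start with a PID; skip banner, progress and header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        rows.append(CmdRow(int(parts[0]), parts[1], parts[2] if len(parts) == 3 else ""))
    return rows


def first_token(args: str) -> str:
    """The executable part of a command line, honouring a leading double quote."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end > 0 else args[1:]
    return args.split(None, 1)[0] if args else ""


def image_basename(args: str) -> str:
    """Last path component of the executable in a command line."""
    return re.split(r"[\\/]", first_token(args))[-1]


def args_unavailable(args: str) -> bool:
    """True when the plugin could not read the command line."""
    return args == "" or UNAVAILABLE_RE.match(args) is not None


def name_matches_cmdline(name: str, args: str) -> bool:
    """The (possibly truncated) process name should be a prefix of the
    executable basename in its own command line, case-insensitively."""
    return image_basename(args).lower().startswith(name.lower())


def triage(rows: List[CmdRow]) -> Dict[str, List[int]]:
    """Group PIDs worth a second look: Args unreadable, or the command line
    does not name the process's own image."""
    out: Dict[str, List[int]] = {"unavailable": [], "name_mismatch": []}
    for r in rows:
        if r.name.lower() in NO_CMDLINE:
            continue
        if args_unavailable(r.args):
            out["unavailable"].append(r.pid)
        elif not name_matches_cmdline(r.name, r.args):
            out["name_mismatch"].append(r.pid)
    return out


def find_process(rows: List[CmdRow], name_prefix: str) -> List[int]:
    """PIDs whose printed name starts with name_prefix (case-insensitive)."""
    return [r.pid for r in rows if r.name.lower().startswith(name_prefix.lower())]


# Constructed sample: a handful of rows copied from the listings on this page.
SAMPLE = """\
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished
PID	Process	Args
4	System	Required memory at 0x10 is not valid (process exited?)
268	smss.exe	\\SystemRoot\\System32\\smss.exe
532	csrss.exe	s(%d) tid(%x) %08X %ws
660	VBoxService.ex	system32\\VBoxService.exe
784	fontdrvhost.ex	Required memory at 0xf35ed79020 is inaccessible (swapped)
1212	svchost.exe	Process 1212: Required memory at 0x30aaaf6020 is not valid (incomplete layer memory_layer?)
2304	dasHost.exe	dashost.exe {a4107603-4ae0-4d0b-b39719fff08b7465}
2504	VGAuthService.	"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe"
5952	RuntimeBroker.
1828	ALINA_CJLXYJ.e	ALINA=C:\\Users\\Usuario\\Desktop\\ALINA_mod.exe
"""

if __name__ == "__main__":
    rows = parse_cmdline_output(SAMPLE)
    print(triage(rows))            # {'unavailable': [784, 1212, 5952], 'name_mismatch': [532, 1828]}
    print(find_process(rows, "alina"))   # [1828]
```

Run it against a saved listing with parse_cmdline_output(open(path).read()). The name-mismatch rule is deliberately loose (prefix match on a truncated name), so treat hits as a starting point for the handles, dlllist and malfind plugins rather than as a verdict.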
From here on it's practice makes perfect! Let me note down a few commonly used commands: pstree marks the levels with *** and that looks pretty good too!
python .\vol.py -f .\alina1G.elf windows.pstree
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0x84233750 81 481 N/A False 2019-09-21 12:06:32.000000 N/A
* 268 4 smss.exe 0x85095180 4 29 N/A False 2019-09-21 12:06:32.000000 N/A
348 340 csrss.exe 0x8587b030 8 355 0 False 2019-09-21 12:06:34.000000 N/A
384 340 wininit.exe 0x85884d40 7 90 0 False 2019-09-21 12:06:34.000000 N/A
* 492 384 lsm.exe 0x858f0b48 11 155 0 False 2019-09-21 12:06:34.000000 N/A
* 476 384 services.exe 0x858e8948 18 203 0 False 2019-09-21 12:06:34.000000 N/A
** 928 476 svchost.exe 0x85a06478 42 748 0 False 2019-09-21 12:06:35.000000 N/A
** 1344 476 svchost.exe 0x85ab9360 22 313 0 False 2019-09-21 12:06:36.000000 N/A
** 712 476 svchost.exe 0x85951458 10 235 0 False 2019-09-21 12:06:35.000000 N/A
** 1096 476 svchost.exe 0x85a631a0 16 246 0 False 2019-09-21 12:06:35.000000 N/A
** 1448 476 svchost.exe 0x859b7030 13 172 0 False 2019-09-21 12:06:36.000000 N/A
** 1864 476 taskhost.exe 0x859b3858 10 173 1 False 2019-09-21 12:06:39.000000 N/A
** 1228 476 svchost.exe 0x85a7ed40 18 350 0 False 2019-09-21 12:06:35.000000 N/A
** 660 476 VBoxService.ex 0x8594a030 12 117 0 False 2019-09-21 12:06:35.000000 N/A
** 596 476 svchost.exe 0x859318d8 15 358 0 False 2019-09-21 12:06:35.000000 N/A
** 884 476 svchost.exe 0x859d4530 23 421 0 False 2019-09-21 12:06:35.000000 N/A
*** 1924 884 dwm.exe 0x85279368 5 71 1 False 2019-09-21 12:06:39.000000 N/A
** 1308 476 spoolsv.exe 0x85a96498 15 295 0 False 2019-09-21 12:06:36.000000 N/A
** 1876 476 SearchIndexer. 0x859cca68 13 613 0 False 2019-09-21 12:06:45.000000 N/A
*** 320 1876 SearchProtocol 0x842ccd40 7 256 1 False 2019-09-21 12:06:46.000000 N/A
*** 1128 1876 SearchFilterHo 0x85cefc88 5 79 0 False 2019-09-21 12:06:46.000000 N/A
** 764 476 svchost.exe 0x851a4158 20 392 0 False 2019-09-21 12:06:35.000000 N/A
*** 988 764 audiodg.exe 0x85a3a530 7 133 0 False 2019-09-21 12:06:35.000000 N/A
* 484 384 lsass.exe 0x858eea00 9 483 0 False 2019-09-21 12:06:34.000000 N/A
392 376 csrss.exe 0x842a4508 7 166 1 False 2019-09-21 12:06:34.000000 N/A
432 376 winlogon.exe 0x858d2c28 6 138 1 False 2019-09-21 12:06:34.000000 N/A
1940 1916 explorer.exe 0x84b2ed40 31 668 1 False 2019-09-21 12:06:39.000000 N/A
* 316 1940 VBoxTray.exe 0x85cc5030 11 102 1 False 2019-09-21 12:06:40.000000 N/A
1828 628 ALINA_CJLXYJ.e 0x85d01c48 2 47 1 False 2019-09-21 12:07:04.000000 N/A
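As an added example (my own code, not from the notes or from the Volatility project), here is a parser for pstree text output like the two listings on this page (prolaco.vmem earlier and alina1G.elf here). It reads the leading * markers as depth and then flags the two things an analyst otherwise checks by eye: rows whose PPID does not appear in the listing (the parent has exited, as with explorer.exe or the ALINA_CJLXYJ.e process above), and core Windows processes whose parent is not the expected one. The expected-parent table is my assumption and accepts both layouts visible on this page, XP (lsass.exe and services.exe under winlogon.exe, as in the prolaco listing) and Vista+ (under wininit.exe, as here). The sample rows are copied from this page plus one constructed svchost.exe under explorer.exe so the parent check has something to find.

```python
"""Parse windows.pstree.PsTree text output and flag parent/child relations
that do not fit the expected Windows process tree.

Added example, not code from the original notes or the Volatility project.
It assumes the row layout shown on this page: leading '*' markers for tree
depth, then PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64
CreateTime ExitTime, where a time is "N/A" or "YYYY-MM-DD HH:MM:SS.ffffff".
"""
from typing import Dict, List, NamedTuple, Set, Tuple


class ProcRow(NamedTuple):
    depth: int
    pid: int
    ppid: int
    name: str
    offset: str
    threads: int
    handles: int
    session: str
    wow64: bool
    create_time: str
    exit_time: str


# Expected parent image names for core processes (assumption, not from the
# notes). XP puts lsass/services under winlogon, Vista+ under wininit; both
# layouts appear on this page, so both are accepted.
EXPECTED_PARENT: Dict[str, Set[str]] = {
    "smss.exe": {"system", "smss.exe"},
    "services.exe": {"wininit.exe", "winlogon.exe"},
    "lsass.exe": {"wininit.exe", "winlogon.exe"},
    "lsm.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def _take_time(tokens: List[str], i: int) -> Tuple[str, int]:
    """Return (time string, next index); a time is 'N/A' or two tokens."""
    if tokens[i] == "N/A":
        return "N/A", i + 1
    return tokens[i] + " " + tokens[i + 1], i + 2


def parse_pstree_output(text: str) -> List[ProcRow]:
    """Keep rows that start with '*'-markers and two integers; skip the rest."""
    rows = []
    for line in text.splitlines():
        s = line.strip()
        depth = len(s) - len(s.lstrip("*"))
        tokens = s.lstrip("*").split()
        if len(tokens) < 10 or not (tokens[0].isdigit() and tokens[1].isdigit()):
            continue
        create, i = _take_time(tokens, 8)
        exit_, _ = _take_time(tokens, i)
        rows.append(ProcRow(depth, int(tokens[0]), int(tokens[1]), tokens[2],
                            tokens[3], int(tokens[4]), int(tokens[5]),
                            tokens[6], tokens[7] == "True", create, exit_))
    return rows


def check_tree(rows: List[ProcRow]) -> Dict[str, List[int]]:
    """Orphans: PPID not in the listing (parent exited or not listed).
    unexpected_parent: a core process whose parent name is not in EXPECTED_PARENT."""
    by_pid = {r.pid: r for r in rows}
    findings: Dict[str, List[int]] = {"orphans": [], "unexpected_parent": []}
    for r in rows:
        if r.pid == 4 and r.ppid == 0:
            continue  # System has no parent by design
        parent = by_pid.get(r.ppid)
        if parent is None:
            findings["orphans"].append(r.pid)
            continue
        expected = EXPECTED_PARENT.get(r.name.lower())
        if expected and parent.name.lower() not in expected:
            findings["unexpected_parent"].append(r.pid)
    return findings


# Constructed sample: rows copied from the alina1G.elf listing on this page,
# plus one made-up svchost.exe (PID 2222) under explorer.exe.
SAMPLE = """\
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime
4	0	System	0x84233750	81	481	N/A	False	2019-09-21 12:06:32.000000	N/A
* 268	4	smss.exe	0x85095180	4	29	N/A	False	2019-09-21 12:06:32.000000	N/A
348	340	csrss.exe	0x8587b030	8	355	0	False	2019-09-21 12:06:34.000000	N/A
384	340	wininit.exe	0x85884d40	7	90	0	False	2019-09-21 12:06:34.000000	N/A
* 476	384	services.exe	0x858e8948	18	203	0	False	2019-09-21 12:06:34.000000	N/A
** 928	476	svchost.exe	0x85a06478	42	748	0	False	2019-09-21 12:06:35.000000	N/A
* 484	384	lsass.exe	0x858eea00	9	483	0	False	2019-09-21 12:06:34.000000	N/A
1940	1916	explorer.exe	0x84b2ed40	31	668	1	False	2019-09-21 12:06:39.000000	N/A
* 316	1940	VBoxTray.exe	0x85cc5030	11	102	1	False	2019-09-21 12:06:40.000000	N/A
* 2222	1940	svchost.exe	0x00000000	1	10	1	False	2019-09-21 12:07:10.000000	N/A
1828	628	ALINA_CJLXYJ.e	0x85d01c48	2	47	1	False	2019-09-21 12:07:04.000000	N/A
"""

if __name__ == "__main__":
    rows = parse_pstree_output(SAMPLE)
    print(check_tree(rows))   # {'orphans': [348, 384, 1940, 1828], 'unexpected_parent': [2222]}
```

Orphans are common and often benign (csrss and winlogon lose their smss parent, explorer loses userinit), so the useful signal is a process that is both orphaned and unfamiliar, such as the ALINA_CJLXYJ.e row; unexpected_parent is the stronger finding and is worth following up with psscan and cmdline on the same dump.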