Identifying process context with Volatility 3: process name spoofing, parent process spoofing, and process hollowing
Note: in my own experiments with vol3, neither pslist nor pstree shows a process's full on-disk path, but dlllist does. As follows:
PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.dlllist --pid 1136
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process Base Size Name Path LoadTime File output
1136 ImmunityDebugge 0x400000 0x1c5000 ImmunityDebugger.exe C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe N/A Disabled ==> see, there it is!
1136 ImmunityDebugge 0x7c900000 0xb0000 - - N/A Disabled
1136 ImmunityDebugge 0x7c800000 0xf4000 kernel32.dll C:\WINDOWS\system32\kernel32.dll N/A Disabled
1136 ImmunityDebugge 0x77dd0000 0x9b000 ADVAPI32.DLL C:\WINDOWS\system32\ADVAPI32.DLL N/A Disabled
1136 ImmunityDebugge 0x77e70000 0x91000 RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll N/A Disabled
1136 ImmunityDebugge 0x77c00000 0x8000 VERSION.DLL C:\WINDOWS\system32\VERSION.DLL N/A Disabled
1136 ImmunityDebugge 0x71ad0000 0x9000 WSOCK32.DLL C:\WINDOWS\system32\WSOCK32.DLL N/A Disabled
1136 ImmunityDebugge 0x71ab0000 0x17000 WS2_32.dll C:\WINDOWS\system32\WS2_32.dll N/A Disabled
1136 ImmunityDebugge 0x77c10000 0x58000 msvcrt.dll C:\WINDOWS\system32\msvcrt.dll N/A Disabled
1136 ImmunityDebugge 0x71aa0000 0x8000 WS2HELP.dll C:\WINDOWS\system32\WS2HELP.dll N/A Disabled
1136 ImmunityDebugge 0x5d090000 0x97000 COMCTL32.DLL C:\WINDOWS\system32\COMCTL32.DLL N/A Disabled
1136 ImmunityDebugge 0x77f10000 0x46000 GDI32.dll C:\WINDOWS\system32\GDI32.dll N/A Disabled
1136 ImmunityDebugge 0x77d40000 0x90000 USER32.dll C:\WINDOWS\system32\USER32.dll N/A Disabled
1136 ImmunityDebugge 0x763b0000 0x49000 COMDLG32.DLL C:\WINDOWS\system32\COMDLG32.DLL N/A Disabled
1136 ImmunityDebugge 0x77f60000 0x76000 SHLWAPI.dll C:\WINDOWS\system32\SHLWAPI.dll N/A Disabled
1136 ImmunityDebugge 0x7c9c0000 0x814000 SHELL32.dll C:\WINDOWS\system32\SHELL32.dll N/A Disabled
1136 ImmunityDebugge 0x774e0000 0x13c000 OLE32.DLL C:\WINDOWS\system32\OLE32.DLL N/A Disabled
1136 ImmunityDebugge 0x77120000 0x8c000 OLEAUT32.DLL C:\WINDOWS\system32\OLEAUT32.DLL N/A Disabled
1136 ImmunityDebugge 0x1e000000 0x206000 PYTHON25.DLL C:\WINDOWS\system32\PYTHON25.DLL N/A Disabled
1136 ImmunityDebugge 0x7c340000 0x56000 MSVCR71.dll C:\WINDOWS\system32\MSVCR71.dll N/A Disabled
1136 ImmunityDebugge 0x773d0000 0x102000 comctl32.dll C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll N/A Disabled
1136 ImmunityDebugge 0x5ad70000 0x38000 uxtheme.dll C:\WINDOWS\system32\uxtheme.dll N/A Disabled
1136 ImmunityDebugge 0x76bf0000 0xb000 PSAPI.DLL C:\WINDOWS\system32\PSAPI.DLL N/A Disabled
1136 ImmunityDebugge 0x76c90000 0x28000 IMAGEHLP.DLL C:\WINDOWS\system32\IMAGEHLP.DLL N/A Disabled
1136 ImmunityDebugge 0x59a60000 0xa1000 DBGHELP.DLL C:\WINDOWS\system32\DBGHELP.DLL N/A Disabled
1136 ImmunityDebugge 0x77b40000 0x22000 Apphelp.dll C:\WINDOWS\system32\Apphelp.dll N/A Disabled
1136 ImmunityDebugge 0x2920000 0x45000 Bookmark.dll C:\Program Files\Immunity Inc\Immunity Debugger\Bookmark.dll N/A Disabled
1136 ImmunityDebugge 0x2ad0000 0x52000 Cmdline.dll C:\Program Files\Immunity Inc\Immunity Debugger\Cmdline.dll N/A Disabled
1136 ImmunityDebugge 0x71a50000 0x3f000 mswsock.dll C:\WINDOWS\system32\mswsock.dll N/A Disabled
1136 ImmunityDebugge 0x662b0000 0x58000 hnetcfg.dll C:\WINDOWS\system32\hnetcfg.dll N/A Disabled
1136 ImmunityDebugge 0x71a90000 0x8000 wshtcpip.dll C:\WINDOWS\System32\wshtcpip.dll N/A Disabled
1136 ImmunityDebugge 0x76f20000 0x27000 DNSAPI.dll C:\WINDOWS\system32\DNSAPI.dll N/A Disabled
1136 ImmunityDebugge 0x76fb0000 0x8000 winrnr.dll C:\WINDOWS\System32\winrnr.dll N/A Disabled
1136 ImmunityDebugge 0x76f60000 0x2c000 WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll N/A Disabled
1136 ImmunityDebugge 0x76fc0000 0x6000 rasadhlp.dll C:\WINDOWS\system32\rasadhlp.dll N/A Disabled
Of course, the simplest way is cmdline:
PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.cmdline --pid 1136
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process Args
1136 ImmunityDebugge "C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Documents and Settings\Administrator\Desktop\1_doc_RCData_612.exe"
Continuing the discussion of process hollowing:
Finally, I haven't quite worked out how to identify it via SID; the corresponding vol3 command is as follows:
PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.getsids
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process SID Name
4 System S-1-5-18 Local System
4 System S-1-5-32-544 Administrators
4 System S-1-1-0 Everyone
4 System S-1-5-11 Authenticated Users
544 smss.exe S-1-5-18 Local System
544 smss.exe S-1-5-32-544 Administrators
544 smss.exe S-1-1-0 Everyone
544 smss.exe S-1-5-11 Authenticated Users
608 csrss.exe S-1-5-18 Local System
608 csrss.exe S-1-5-32-544 Administrators
608 csrss.exe S-1-1-0 Everyone
608 csrss.exe S-1-5-11 Authenticated Users
632 winlogon.exe S-1-5-18 Local System
632 winlogon.exe S-1-5-32-544 Administrators
632 winlogon.exe S-1-1-0 Everyone
632 winlogon.exe S-1-5-11 Authenticated Users
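As an added example (not code from these notes or from the Volatility project), the two consistency checks the cmdline and getsids outputs above make possible, run over constructed vol3 rows: the 15-character EPROCESS name against the image name and directory taken from the command line (name spoofing), and the SIDs held by processes whose names should only ever run as Local System. The tab-separated row layout and the table of well-known system processes are assumptions.

```python
import ntpath

# Constructed sample rows (not from the page's image) in the tab-separated layout
# of Volatility 3's default text renderer (assumed; the page's copy shows spaces).
KNOWN = {  # name -> (required image directory, must run as Local System)
    "smss.exe": ("system32", True), "csrss.exe": ("system32", True),
    "winlogon.exe": ("system32", True), "lsass.exe": ("system32", True)}
LOCAL_SYSTEM = "S-1-5-18"
CMDLINE_OUTPUT = "\n".join([
    "PID\tProcess\tArgs",
    "544\tsmss.exe\t\\SystemRoot\\System32\\smss.exe",
    '1136\tImmunityDebugge\t"C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe" "C:\\sample.exe"',
    '1900\tlsass.exe\t"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\lsass.exe"',
    '2040\tsvchost.exe\t"C:\\WINDOWS\\system32\\explorer.exe"',
])
GETSIDS_OUTPUT = "\n".join([
    "PID\tProcess\tSID\tName",
    "632\twinlogon.exe\tS-1-5-18\tLocal System",
    "632\twinlogon.exe\tS-1-5-32-544\tAdministrators",
    "1900\tlsass.exe\tS-1-5-21-1000-1000-1000-500\tAdministrator",
])

def parse_rows(output):
    """Keep data rows only (numeric PID first); drops vol3's banner/progress/header lines."""
    rows = [line.split("\t") for line in output.splitlines()]
    return [r for r in rows if len(r) >= 3 and r[0].isdigit()]

def check_process_names(cmdline_output):
    """Name spoofing: the EPROCESS name (vol3 prints at most 15 characters, hence
    'ImmunityDebugge') must match the image name, and known binaries must sit in system32."""
    findings = []
    for pid, name, args in (r[:3] for r in parse_rows(cmdline_output)):
        # first token of the command line, honouring quotes around the image path
        image = args.split('"')[1] if args.startswith('"') else args.split(" ")[0]
        if ntpath.basename(image).lower()[:15] != name.lower()[:15]:
            findings.append((int(pid), f"name {name} != image {ntpath.basename(image)}"))
        needed = KNOWN.get(name.lower(), (None, None))[0]
        if needed and needed not in ntpath.dirname(image).lower():
            findings.append((int(pid), f"{name} loaded from {ntpath.dirname(image)}"))
    return findings

def check_sids(getsids_output):
    """A process with a known SYSTEM-only name that lacks S-1-5-18 is suspicious."""
    held = {}
    for pid, name, sid, *_ in parse_rows(getsids_output):
        held.setdefault((int(pid), name.lower()), set()).add(sid)
    return [(pid, f"{name} does not hold {LOCAL_SYSTEM}")
            for (pid, name), sids in held.items()
            if KNOWN.get(name, (None, False))[1] and LOCAL_SYSTEM not in sids]
```

Because the command line lives in the PEB and is writable by the process itself, a mismatch here is a lead to confirm against dlllist and the VADs, not proof on its own.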
However, from the perspective of OS API calls, if a process is created in a suspended state, memory is written into that process, SetThreadContext is called, and the thread is then resumed (ResumeThread), that is certainly process hollowing!