使用volatility3识别进程上下文——识别进程名欺骗、父进程欺骗、进程镂空(进程掏空)
注意:我自己使用vol3实验了下,pslist和pstree都看不到进程的完整磁盘路径,但是使用dlllist可以。如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.dlllist --pid 1136Volatility 3 Framework 2.4.1Progress: 100.00 PDB scanning finishedPID Process Base Size Name Path LoadTime File output1136 ImmunityDebugge 0x400000 0x1c5000 ImmunityDebugger.exe C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe N/A Disabled ==》这不就是看到了吗!1136 ImmunityDebugge 0x7c900000 0xb0000 - - N/A Disabled1136 ImmunityDebugge 0x7c800000 0xf4000 kernel32.dll C:\WINDOWS\system32\kernel32.dll N/A Disabled1136 ImmunityDebugge 0x77dd0000 0x9b000 ADVAPI32.DLL C:\WINDOWS\system32\ADVAPI32.DLL N/A Disabled1136 ImmunityDebugge 0x77e70000 0x91000 RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll N/A Disabled1136 ImmunityDebugge 0x77c00000 0x8000 VERSION.DLL C:\WINDOWS\system32\VERSION.DLL N/A Disabled1136 ImmunityDebugge 0x71ad0000 0x9000 WSOCK32.DLL C:\WINDOWS\system32\WSOCK32.DLL N/A Disabled1136 ImmunityDebugge 0x71ab0000 0x17000 WS2_32.dll C:\WINDOWS\system32\WS2_32.dll N/A Disabled1136 ImmunityDebugge 0x77c10000 0x58000 msvcrt.dll C:\WINDOWS\system32\msvcrt.dll N/A Disabled1136 ImmunityDebugge 0x71aa0000 0x8000 WS2HELP.dll C:\WINDOWS\system32\WS2HELP.dll N/A Disabled1136 ImmunityDebugge 0x5d090000 0x97000 COMCTL32.DLL C:\WINDOWS\system32\COMCTL32.DLL N/A Disabled1136 ImmunityDebugge 0x77f10000 0x46000 GDI32.dll C:\WINDOWS\system32\GDI32.dll N/A Disabled1136 ImmunityDebugge 0x77d40000 0x90000 USER32.dll C:\WINDOWS\system32\USER32.dll N/A Disabled1136 ImmunityDebugge 0x763b0000 0x49000 COMDLG32.DLL C:\WINDOWS\system32\COMDLG32.DLL N/A Disabled1136 ImmunityDebugge 0x77f60000 0x76000 SHLWAPI.dll C:\WINDOWS\system32\SHLWAPI.dll N/A Disabled1136 ImmunityDebugge 0x7c9c0000 0x814000 SHELL32.dll C:\WINDOWS\system32\SHELL32.dll N/A Disabled1136 ImmunityDebugge 0x774e0000 0x13c000 OLE32.DLL C:\WINDOWS\system32\OLE32.DLL N/A Disabled1136 ImmunityDebugge 0x77120000 0x8c000 OLEAUT32.DLL C:\WINDOWS\system32\OLEAUT32.DLL N/A Disabled1136 ImmunityDebugge 0x1e000000 0x206000 PYTHON25.DLL C:\WINDOWS\system32\PYTHON25.DLL N/A Disabled1136 ImmunityDebugge 0x7c340000 0x56000 MSVCR71.dll C:\WINDOWS\system32\MSVCR71.dll N/A Disabled1136 ImmunityDebugge 0x773d0000 0x102000 comctl32.dll C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll N/A Disabled1136 ImmunityDebugge 0x5ad70000 0x38000 uxtheme.dll C:\WINDOWS\system32\uxtheme.dll N/A Disabled1136 ImmunityDebugge 0x76bf0000 0xb000 PSAPI.DLL C:\WINDOWS\system32\PSAPI.DLL N/A Disabled1136 ImmunityDebugge 0x76c90000 0x28000 IMAGEHLP.DLL C:\WINDOWS\system32\IMAGEHLP.DLL N/A Disabled1136 ImmunityDebugge 0x59a60000 0xa1000 DBGHELP.DLL C:\WINDOWS\system32\DBGHELP.DLL N/A Disabled1136 ImmunityDebugge 0x77b40000 0x22000 Apphelp.dll C:\WINDOWS\system32\Apphelp.dll N/A Disabled1136 ImmunityDebugge 0x2920000 0x45000 Bookmark.dll C:\Program Files\Immunity Inc\Immunity Debugger\Bookmark.dll N/A Disabled1136 ImmunityDebugge 0x2ad0000 0x52000 Cmdline.dll C:\Program Files\Immunity Inc\Immunity Debugger\Cmdline.dll N/A Disabled1136 ImmunityDebugge 0x71a50000 0x3f000 mswsock.dll C:\WINDOWS\system32\mswsock.dll N/A Disabled1136 ImmunityDebugge 0x662b0000 0x58000 hnetcfg.dll C:\WINDOWS\system32\hnetcfg.dll N/A Disabled1136 ImmunityDebugge 0x71a90000 0x8000 wshtcpip.dll C:\WINDOWS\System32\wshtcpip.dll N/A Disabled1136 ImmunityDebugge 0x76f20000 0x27000 DNSAPI.dll C:\WINDOWS\system32\DNSAPI.dll N/A Disabled1136 ImmunityDebugge 0x76fb0000 0x8000 winrnr.dll C:\WINDOWS\System32\winrnr.dll N/A Disabled1136 ImmunityDebugge 0x76f60000 0x2c000 WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll N/A Disabled1136 ImmunityDebugge 0x76fc0000 0x6000 rasadhlp.dll C:\WINDOWS\system32\rasadhlp.dll N/A Disabled |
当然,最简单的使用cmdline:
1 2 3 4 5 6 | PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.cmdline --pid 1136Volatility 3 Framework 2.4.1Progress: 100.00 PDB scanning finishedPID Process Args1136 ImmunityDebugge "C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Documents and Settings\Administrator\Desktop\1_doc_RCData_612.exe" |
继续讨论进程镂空:
最后如何通过sid识别我没有太命令,vol3里的命令示例如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.getsidsVolatility 3 Framework 2.4.1Progress: 100.00 PDB scanning finishedPID Process SID Name4 System S-1-5-18 Local System4 System S-1-5-32-544 Administrators4 System S-1-1-0 Everyone4 System S-1-5-11 Authenticated Users544 smss.exe S-1-5-18 Local System544 smss.exe S-1-5-32-544 Administrators544 smss.exe S-1-1-0 Everyone544 smss.exe S-1-5-11 Authenticated Users608 csrss.exe S-1-5-18 Local System608 csrss.exe S-1-5-32-544 Administrators608 csrss.exe S-1-1-0 Everyone608 csrss.exe S-1-5-11 Authenticated Users632 winlogon.exe S-1-5-18 Local System632 winlogon.exe S-1-5-32-544 Administrators632 winlogon.exe S-1-1-0 Everyone632 winlogon.exe S-1-5-11 Authenticated Users |
不过,从os api调用角度看,如果有创建进程然后暂停,并写入该进程,同时有setthread context,resume 线程运行,那么肯定就是进程镂空了!
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 全程不用写代码,我用AI程序员写了一个飞机大战
· MongoDB 8.0这个新功能碉堡了,比商业数据库还牛
· 记一次.NET内存居高不下排查解决与启示
· 白话解读 Dapr 1.15:你的「微服务管家」又秀新绝活了
· DeepSeek 开源周回顾「GitHub 热点速览」
2021-05-03 站点的源码 可以从菜鸟源码以及闲鱼、淘宝上去购买(小众)
2021-05-03 CMS和中间件识别指纹库——在线的有云悉,也可以自己写代码硬刚
2021-05-03 docker vulhub漏洞环境搭建和使用
2021-05-03 Apache HTTPD 多后缀解析漏洞
2021-05-03 加速国内 Github 访问,下载,的9种方案!——第一种直接替换域名的方式即可受到不错效果
2021-05-03 web中间件常见漏洞总结2020
2017-05-03 xubuntu 17.04 和 iphone 6互传文件方法——使用libimobiledevice就可以像u盘一样操作文件了