使用volatility3识别进程上下文——识别进程名欺骗、父进程欺骗、进程镂空(进程掏空)

 

注意:我自己使用vol3实验了下,pslist和pstree都看不到进程的完整磁盘路径,但是使用dlllist可以。如下:

PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.dlllist --pid 1136
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     Process Base    Size    Name    Path    LoadTime        File output

1136    ImmunityDebugge 0x400000        0x1c5000        ImmunityDebugger.exe    C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe    N/A     Disabled ==》这不就是看到了吗!
1136    ImmunityDebugge 0x7c900000      0xb0000 -       -       N/A     Disabled
1136    ImmunityDebugge 0x7c800000      0xf4000 kernel32.dll    C:\WINDOWS\system32\kernel32.dll        N/A     Disabled
1136    ImmunityDebugge 0x77dd0000      0x9b000 ADVAPI32.DLL    C:\WINDOWS\system32\ADVAPI32.DLL        N/A     Disabled
1136    ImmunityDebugge 0x77e70000      0x91000 RPCRT4.dll      C:\WINDOWS\system32\RPCRT4.dll  N/A     Disabled
1136    ImmunityDebugge 0x77c00000      0x8000  VERSION.DLL     C:\WINDOWS\system32\VERSION.DLL N/A     Disabled
1136    ImmunityDebugge 0x71ad0000      0x9000  WSOCK32.DLL     C:\WINDOWS\system32\WSOCK32.DLL N/A     Disabled
1136    ImmunityDebugge 0x71ab0000      0x17000 WS2_32.dll      C:\WINDOWS\system32\WS2_32.dll  N/A     Disabled
1136    ImmunityDebugge 0x77c10000      0x58000 msvcrt.dll      C:\WINDOWS\system32\msvcrt.dll  N/A     Disabled
1136    ImmunityDebugge 0x71aa0000      0x8000  WS2HELP.dll     C:\WINDOWS\system32\WS2HELP.dll N/A     Disabled
1136    ImmunityDebugge 0x5d090000      0x97000 COMCTL32.DLL    C:\WINDOWS\system32\COMCTL32.DLL        N/A     Disabled
1136    ImmunityDebugge 0x77f10000      0x46000 GDI32.dll       C:\WINDOWS\system32\GDI32.dll   N/A     Disabled
1136    ImmunityDebugge 0x77d40000      0x90000 USER32.dll      C:\WINDOWS\system32\USER32.dll  N/A     Disabled
1136    ImmunityDebugge 0x763b0000      0x49000 COMDLG32.DLL    C:\WINDOWS\system32\COMDLG32.DLL        N/A     Disabled
1136    ImmunityDebugge 0x77f60000      0x76000 SHLWAPI.dll     C:\WINDOWS\system32\SHLWAPI.dll N/A     Disabled
1136    ImmunityDebugge 0x7c9c0000      0x814000        SHELL32.dll     C:\WINDOWS\system32\SHELL32.dll N/A     Disabled
1136    ImmunityDebugge 0x774e0000      0x13c000        OLE32.DLL       C:\WINDOWS\system32\OLE32.DLL   N/A     Disabled
1136    ImmunityDebugge 0x77120000      0x8c000 OLEAUT32.DLL    C:\WINDOWS\system32\OLEAUT32.DLL        N/A     Disabled
1136    ImmunityDebugge 0x1e000000      0x206000        PYTHON25.DLL    C:\WINDOWS\system32\PYTHON25.DLL        N/A     Disabled
1136    ImmunityDebugge 0x7c340000      0x56000 MSVCR71.dll     C:\WINDOWS\system32\MSVCR71.dll N/A     Disabled
1136    ImmunityDebugge 0x773d0000      0x102000        comctl32.dll    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll       N/A     Disabled
1136    ImmunityDebugge 0x5ad70000      0x38000 uxtheme.dll     C:\WINDOWS\system32\uxtheme.dll N/A     Disabled
1136    ImmunityDebugge 0x76bf0000      0xb000  PSAPI.DLL       C:\WINDOWS\system32\PSAPI.DLL   N/A     Disabled
1136    ImmunityDebugge 0x76c90000      0x28000 IMAGEHLP.DLL    C:\WINDOWS\system32\IMAGEHLP.DLL        N/A     Disabled
1136    ImmunityDebugge 0x59a60000      0xa1000 DBGHELP.DLL     C:\WINDOWS\system32\DBGHELP.DLL N/A     Disabled
1136    ImmunityDebugge 0x77b40000      0x22000 Apphelp.dll     C:\WINDOWS\system32\Apphelp.dll N/A     Disabled
1136    ImmunityDebugge 0x2920000       0x45000 Bookmark.dll    C:\Program Files\Immunity Inc\Immunity Debugger\Bookmark.dll    N/A     Disabled
1136    ImmunityDebugge 0x2ad0000       0x52000 Cmdline.dll     C:\Program Files\Immunity Inc\Immunity Debugger\Cmdline.dll     N/A     Disabled
1136    ImmunityDebugge 0x71a50000      0x3f000 mswsock.dll     C:\WINDOWS\system32\mswsock.dll N/A     Disabled
1136    ImmunityDebugge 0x662b0000      0x58000 hnetcfg.dll     C:\WINDOWS\system32\hnetcfg.dll N/A     Disabled
1136    ImmunityDebugge 0x71a90000      0x8000  wshtcpip.dll    C:\WINDOWS\System32\wshtcpip.dll        N/A     Disabled
1136    ImmunityDebugge 0x76f20000      0x27000 DNSAPI.dll      C:\WINDOWS\system32\DNSAPI.dll  N/A     Disabled
1136    ImmunityDebugge 0x76fb0000      0x8000  winrnr.dll      C:\WINDOWS\System32\winrnr.dll  N/A     Disabled
1136    ImmunityDebugge 0x76f60000      0x2c000 WLDAP32.dll     C:\WINDOWS\system32\WLDAP32.dll N/A     Disabled
1136    ImmunityDebugge 0x76fc0000      0x6000  rasadhlp.dll    C:\WINDOWS\system32\rasadhlp.dll        N/A     Disabled

 

 当然,最简单的使用cmdline:

PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.cmdline --pid 1136
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     Process Args

1136    ImmunityDebugge "C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Documents and Settings\Administrator\Desktop\1_doc_RCData_612.exe"

 继续讨论进程镂空:

 最后如何通过sid识别我没有太命令,vol3里的命令示例如下:

PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\15\6\prolaco.vmem\prolaco.vmem windows.getsids
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     Process SID     Name

4       System  S-1-5-18        Local System
4       System  S-1-5-32-544    Administrators
4       System  S-1-1-0 Everyone
4       System  S-1-5-11        Authenticated Users
544     smss.exe        S-1-5-18        Local System
544     smss.exe        S-1-5-32-544    Administrators
544     smss.exe        S-1-1-0 Everyone
544     smss.exe        S-1-5-11        Authenticated Users
608     csrss.exe       S-1-5-18        Local System
608     csrss.exe       S-1-5-32-544    Administrators
608     csrss.exe       S-1-1-0 Everyone
608     csrss.exe       S-1-5-11        Authenticated Users
632     winlogon.exe    S-1-5-18        Local System
632     winlogon.exe    S-1-5-32-544    Administrators
632     winlogon.exe    S-1-1-0 Everyone
632     winlogon.exe    S-1-5-11        Authenticated Users

 不过,从os api调用角度看,如果有创建进程然后暂停,并写入该进程,同时有setthread context,resume 线程运行,那么肯定就是进程镂空了!

 

posted @ 2023-05-03 12:10  bonelee  阅读(223)  评论(0编辑  收藏  举报