Finding malware in memory with Volatility: the core of malfind is to locate suspicious executable memory regions (private, non-file-backed allocations whose protection is PAGE_EXECUTE_READWRITE) and hand you a hexdump plus a disassembly of their first bytes so you can triage them; yarascan searches process and kernel memory for signatures written as YARA rules.
For vol3 I did not find a command line that gives equivalent output (it feels like this part of vol3 is not mature enough yet), so this post uses vol2. Download: http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_win64_standalone.zip
Since it is a standalone executable, I simply added it to PATH.
OK, let me try it myself:
volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem yarascan --yara-file .\sample.yara
Volatility Foundation Volatility Framework 2.6
Rule: credentials
Owner: Process svchost.exe Pid 1028
0x76da3f67  70 41 6e 64 41 6c 6c 6f 63 61 74 65 43 61 63 68   pAndAllocateCach
0x76da3f77  65 64 45 6e 74 72 79 3a 20 72 65 74 75 72 6e 69   edEntry:.returni
0x76da3f87  6e 67 20 63 61 63 68 65 64 20 65 6e 74 72 79 20   ng.cached.entry.
0x76da3f97  66 6f 72 20 64 6f 6d 61 69 6e 20 3c 25 77 73 3e   for.domain.<%ws>
0x76da3fa7  2c 20 6e 65 74 77 6f 72 6b 20 3c 25 77 73 3e 0a   ,.network.<%ws>.
0x76da3fb7  00 25 77 73 3a 20 25 77 73 3a 20 46 6f 75 6e 64   .%ws:.%ws:.Found
0x76da3fc7  20 63 61 63 68 65 20 65 6e 74 72 79 20 30 78 25   .cache.entry.0x%
0x76da3fd7  78 2f 25 64 2f 25 78 20 48 3a 25 64 20 54 3a 25   x/%d/%x.H:%d.T:%
0x76da3fe7  64 0a 00 8b 36 e9 b0 fe ff ff 90 90 90 90 90 68   d...6..........h
0x76da3ff7  84 00 00 00 68 d8 46 da 76 e8 14 d4 ff ff a1 00   ....h.F.v.......
0x76da4007  20 db 76 89 45 e4 8b 7d 08 89 7d ac 8b 75 0c 89   ..v.E..}..}..u..
0x76da4017  75 b0 8b 45 18 89 45 98 8b 45 24 89 45 90 8b 45   u..E..E..E$.E..E
0x76da4027  28 89 45 a0 8b 4d 30 89 4d b4 8b 45 34 89 45 80   (.E..M0.M..E4.E.
0x76da4037  8b 55 38 89 55 94 c6 45 bf 00 33 db 89 5d c0 89   .U8.U..E..3..]..
0x76da4047  5d a4 89 5d 9c 89 5d fc 57 50 ff 75 2c 51 56 68   ]..]..].WP.u,QVh
0x76da4057  58 46 da 76 68 00 40 00 00 e8 9b d2 ff ff 83 c4   XF.vh.@.........
My result differs from the author's. Strange...
The YARA file:
rule credentials
{
    meta:
        description = "Malfind w/ Yara Example"
    strings:
        $a = "PaNdA" nocase
    condition:
        any of them
}
What if we search for the string with WinHex instead? As follows:
The first one is the hit that yarascan found; the others very likely are not:
So this example diverges from the book's result; very likely the zeus.vmem is not the right one.
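One thing worth reading off the output above before blaming the image: the bytes at 0x76da3f67 are "pAndAllocateCach", i.e. the rule hit the substring pAndA inside a longer identifier in a debug format string, which is exactly what a nocase string will do. The block below is an added example (mine, not code from the original post and not Volatility's own): a pure-Python imitation of yarascan that scans a constructed buffer for PaNdA with nocase, with exact case, and with nocase plus fullword semantics, and prints hits in yarascan's layout (address, 16 hex bytes, ASCII with non-printables as dots). The buffer contents, the base address 0x76DA3F00 and the PaNdA-token marker are constructed, not bytes taken from zeus.vmem.

```python
"""Added example (not from the original post, not Volatility's code): a small
imitation of yarascan's string matching and hexdump layout, used to show why
the nocase rule above fires on "pAndAllocateCachedEntry"."""
import re

# Constructed buffer (not bytes from zeus.vmem): a debug format string of the
# same shape as the one in the svchost.exe hit, some padding, and a real marker.
MEMORY = (
    b"\x00\x00LookupAndAllocateCachedEntry: returning cached entry for domain <%ws>\n\x00"
    + b"\x90" * 16
    + b"PaNdA-token-1234"
    + b"\x00" * 8
)
BASE = 0x76DA3F00  # assumed virtual address of MEMORY[0] inside the process


def find_all(buf, pattern, nocase=False, fullword=False):
    """Offsets where pattern occurs, with YARA-like nocase/fullword semantics."""
    flags = re.IGNORECASE if nocase else 0
    hits = []
    for m in re.finditer(re.escape(pattern), buf, flags):
        if fullword:
            # fullword: the match must not be glued to alphanumerics on either side
            before = buf[m.start() - 1:m.start()] if m.start() > 0 else b""
            after = buf[m.end():m.end() + 1]
            if before.isalnum() or after.isalnum():
                continue  # embedded in a longer word, like pAndA in LookupAndAllocate
        hits.append(m.start())
    return hits


def hexdump_rows(buf, offset, base=BASE, rows=4, width=16):
    """Rows in yarascan's layout: address, hex bytes, ASCII ('.' outside 0x21-0x7e)."""
    lines = []
    for r in range(rows):
        chunk = buf[offset + r * width: offset + (r + 1) * width]
        if not chunk:
            break
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        asc_part = "".join(chr(b) if 0x20 < b < 0x7F else "." for b in chunk)
        lines.append(f"0x{base + offset + r * width:08x} {hex_part:<47} {asc_part}")
    return lines


def yarascan(buf, rule, pattern, **mods):
    """One (rule, offset, rows) record per hit, like one yarascan record each."""
    return [(rule, off, hexdump_rows(buf, off)) for off in find_all(buf, pattern, **mods)]


if __name__ == "__main__":
    variants = (("nocase", {"nocase": True}),
                ("case-sensitive", {}),
                ("nocase fullword", {"nocase": True, "fullword": True}))
    for label, mods in variants:
        print(f"== rule credentials ({label}) ==")
        for rule, off, rows in yarascan(MEMORY, "credentials", b"PaNdA", **mods):
            print(f"Rule: {rule} at offset 0x{off:x}")
            print("\n".join(rows))
```

With nocase alone the scan reports two hits, the first of them the same kind of false positive as the svchost.exe record above; dropping nocase or adding fullword leaves only the real marker. That is the check to run before concluding the image is wrong: tighten the rule and rescan.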
Let's move on to another example:
Again, the core of malfind is to find suspicious executable memory regions and hand you their disassembly.
python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\16\6\coreflood.vmem\coreflood.vmem windows.malfind
or:
volatility26.exe -f D:\book\malwarecookbook-master\malwarecookbook-master\16\6\coreflood.vmem\coreflood.vmem malfind
On filtering by process: neither vol2.6 nor vol3 has dropped this option. In vol2.6 it is -p PID (long form --pid); in vol3 it is --pid PID, given after the plugin name (for example windows.malfind --pid 1884). I also checked the cheat sheet at https://blog.onfvp.com/post/volatility-cheatsheet/.
The output of the command above looks like this:
PS D:\Application\volatility3-stable> python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\16\6\coreflood.vmem\coreflood.vmem windows.malfind
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm

608 csrss.exe 0x7f6f0000 0x7f7effff Vad PAGE_EXECUTE_READWRITE 0 0 Disabled
c8 00 00 00 ff 01 00 00 ........
ff ee ff ee 08 70 00 00 .....p..
08 00 00 00 00 fe 00 00 ........
00 00 10 00 00 20 00 00 ........
00 02 00 00 00 20 00 00 ........
8d 01 00 00 ff ef fd 7f ........
03 00 08 06 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x7f6f0000: enter 0, 0
0x7f6f0004: inc dword ptr [ecx]
0x7f6f0006: add byte ptr [eax], al

632 winlogon.exe 0x2c930000 0x2c933fff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 25 00 25 00 ....%.%.
01 00 00 00 00 00 00 00 ........
0x2c930000: add byte ptr [eax], al
0x2c930002: add byte ptr [eax], al
0x2c930004: add byte ptr [eax], al
0x2c930006: add byte ptr [eax], al
0x2c930008: add byte ptr [eax], al
0x2c93000a: add byte ptr [eax], al
0x2c93000c: add byte ptr [eax], al
0x2c93000e: add byte ptr [eax], al
0x2c930010: add byte ptr [eax], al
0x2c930012: add byte ptr [eax], al
0x2c930014: add byte ptr [eax], al
0x2c930016: add byte ptr [eax], al
0x2c930018: add byte ptr [eax], al
0x2c93001a: add byte ptr [eax], al
0x2c93001c: add byte ptr [eax], al
0x2c93001e: add byte ptr [eax], al
0x2c930020: add byte ptr [eax], al
0x2c930022: add byte ptr [eax], al
0x2c930024: add byte ptr [eax], al
0x2c930026: add byte ptr [eax], al
0x2c930028: add byte ptr [eax], al
0x2c93002a: add byte ptr [eax], al
0x2c93002c: add byte ptr [eax], al
0x2c93002e: add byte ptr [eax], al
0x2c930030: add byte ptr [eax], al
0x2c930032: add byte ptr [eax], al
0x2c930034: and eax, 0x1002500
0x2c930039: add byte ptr [eax], al
0x2c93003b: add byte ptr [eax], al
0x2c93003d: add byte ptr [eax], al

632 winlogon.exe 0x37ec0000 0x37ec3fff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 2b 00 2b 00 ....+.+.
01 00 00 00 00 00 00 00 ........
0x37ec0000: add byte ptr [eax], al
0x37ec0002: add byte ptr [eax], al
0x37ec0004: add byte ptr [eax], al
0x37ec0006: add byte ptr [eax], al
0x37ec0008: add byte ptr [eax], al
0x37ec000a: add byte ptr [eax], al
0x37ec000c: add byte ptr [eax], al
0x37ec000e: add byte ptr [eax], al
0x37ec0010: add byte ptr [eax], al
0x37ec0012: add byte ptr [eax], al
0x37ec0014: add byte ptr [eax], al
0x37ec0016: add byte ptr [eax], al
0x37ec0018: add byte ptr [eax], al
0x37ec001a: add byte ptr [eax], al
0x37ec001c: add byte ptr [eax], al
0x37ec001e: add byte ptr [eax], al
0x37ec0020: add byte ptr [eax], al
0x37ec0022: add byte ptr [eax], al
0x37ec0024: add byte ptr [eax], al
0x37ec0026: add byte ptr [eax], al
0x37ec0028: add byte ptr [eax], al
0x37ec002a: add byte ptr [eax], al
0x37ec002c: add byte ptr [eax], al
0x37ec002e: add byte ptr [eax], al
0x37ec0030: add byte ptr [eax], al
0x37ec0032: add byte ptr [eax], al
0x37ec0034: sub eax, dword ptr [eax]
0x37ec0036: sub eax, dword ptr [eax]
0x37ec0038: add dword ptr [eax], eax
0x37ec003a: add byte ptr [eax], al
0x37ec003c: add byte ptr [eax], al
0x37ec003e: add byte ptr [eax], al

632 winlogon.exe 0x33470000 0x33473fff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 29 00 29 00 ....).).
01 00 00 00 00 00 00 00 ........
0x33470000: add byte ptr [eax], al
0x33470002: add byte ptr [eax], al
0x33470004: add byte ptr [eax], al
0x33470006: add byte ptr [eax], al
0x33470008: add byte ptr [eax], al
0x3347000a: add byte ptr [eax], al
0x3347000c: add byte ptr [eax], al
0x3347000e: add byte ptr [eax], al
0x33470010: add byte ptr [eax], al
0x33470012: add byte ptr [eax], al
0x33470014: add byte ptr [eax], al
0x33470016: add byte ptr [eax], al
0x33470018: add byte ptr [eax], al
0x3347001a: add byte ptr [eax], al
0x3347001c: add byte ptr [eax], al
0x3347001e: add byte ptr [eax], al
0x33470020: add byte ptr [eax], al
0x33470022: add byte ptr [eax], al
0x33470024: add byte ptr [eax], al
0x33470026: add byte ptr [eax], al
0x33470028: add byte ptr [eax], al
0x3347002a: add byte ptr [eax], al
0x3347002c: add byte ptr [eax], al
0x3347002e: add byte ptr [eax], al
0x33470030: add byte ptr [eax], al
0x33470032: add byte ptr [eax], al
0x33470034: sub dword ptr [eax], eax
0x33470036: sub dword ptr [eax], eax
0x33470038: add dword ptr [eax], eax
0x3347003a: add byte ptr [eax], al
0x3347003c: add byte ptr [eax], al
0x3347003e: add byte ptr [eax], al

632 winlogon.exe 0x71ee0000 0x71ee3fff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 29 00 29 00 ....).).
01 00 00 00 00 00 00 00 ........
0x71ee0000: add byte ptr [eax], al
0x71ee0002: add byte ptr [eax], al
0x71ee0004: add byte ptr [eax], al
0x71ee0006: add byte ptr [eax], al
0x71ee0008: add byte ptr [eax], al
0x71ee000a: add byte ptr [eax], al
0x71ee000c: add byte ptr [eax], al
0x71ee000e: add byte ptr [eax], al
0x71ee0010: add byte ptr [eax], al
0x71ee0012: add byte ptr [eax], al
0x71ee0014: add byte ptr [eax], al
0x71ee0016: add byte ptr [eax], al
0x71ee0018: add byte ptr [eax], al
0x71ee001a: add byte ptr [eax], al
0x71ee001c: add byte ptr [eax], al
0x71ee001e: add byte ptr [eax], al
0x71ee0020: add byte ptr [eax], al
0x71ee0022: add byte ptr [eax], al
0x71ee0024: add byte ptr [eax], al
0x71ee0026: add byte ptr [eax], al
0x71ee0028: add byte ptr [eax], al
0x71ee002a: add byte ptr [eax], al
0x71ee002c: add byte ptr [eax], al
0x71ee002e: add byte ptr [eax], al
0x71ee0030: add byte ptr [eax], al
0x71ee0032: add byte ptr [eax], al
0x71ee0034: sub dword ptr [eax], eax
0x71ee0036: sub dword ptr [eax], eax
0x71ee0038: add dword ptr [eax], eax
0x71ee003a: add byte ptr [eax], al
0x71ee003c: add byte ptr [eax], al
0x71ee003e: add byte ptr [eax], al

632 winlogon.exe 0x78850000 0x78853fff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 27 00 27 00 ....'.'.
01 00 00 00 00 00 00 00 ........
0x78850000: add byte ptr [eax], al
0x78850002: add byte ptr [eax], al
0x78850004: add byte ptr [eax], al
0x78850006: add byte ptr [eax], al
0x78850008: add byte ptr [eax], al
0x7885000a: add byte ptr [eax], al
0x7885000c: add byte ptr [eax], al
0x7885000e: add byte ptr [eax], al
0x78850010: add byte ptr [eax], al
0x78850012: add byte ptr [eax], al
0x78850014: add byte ptr [eax], al
0x78850016: add byte ptr [eax], al
0x78850018: add byte ptr [eax], al
0x7885001a: add byte ptr [eax], al
0x7885001c: add byte ptr [eax], al
0x7885001e: add byte ptr [eax], al
0x78850020: add byte ptr [eax], al
0x78850022: add byte ptr [eax], al
0x78850024: add byte ptr [eax], al
0x78850026: add byte ptr [eax], al
0x78850028: add byte ptr [eax], al
0x7885002a: add byte ptr [eax], al
0x7885002c: add byte ptr [eax], al
0x7885002e: add byte ptr [eax], al
0x78850030: add byte ptr [eax], al
0x78850032: add byte ptr [eax], al
0x78850034: daa
0x78850035: add byte ptr [edi], ah
0x78850037: add byte ptr [ecx], al
0x78850039: add byte ptr [eax], al
0x7885003b: add byte ptr [eax], al
0x7885003d: add byte ptr [eax], al

632 winlogon.exe 0x793e0000 0x793e3fff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 2b 00 2b 00 ....+.+.
01 00 00 00 00 00 00 00 ........
0x793e0000: add byte ptr [eax], al
0x793e0002: add byte ptr [eax], al
0x793e0004: add byte ptr [eax], al
0x793e0006: add byte ptr [eax], al
0x793e0008: add byte ptr [eax], al
0x793e000a: add byte ptr [eax], al
0x793e000c: add byte ptr [eax], al
0x793e000e: add byte ptr [eax], al
0x793e0010: add byte ptr [eax], al
0x793e0012: add byte ptr [eax], al
0x793e0014: add byte ptr [eax], al
0x793e0016: add byte ptr [eax], al
0x793e0018: add byte ptr [eax], al
0x793e001a: add byte ptr [eax], al
0x793e001c: add byte ptr [eax], al
0x793e001e: add byte ptr [eax], al
0x793e0020: add byte ptr [eax], al
0x793e0022: add byte ptr [eax], al
0x793e0024: add byte ptr [eax], al
0x793e0026: add byte ptr [eax], al
0x793e0028: add byte ptr [eax], al
0x793e002a: add byte ptr [eax], al
0x793e002c: add byte ptr [eax], al
0x793e002e: add byte ptr [eax], al
0x793e0030: add byte ptr [eax], al
0x793e0032: add byte ptr [eax], al
0x793e0034: sub eax, dword ptr [eax]
0x793e0036: sub eax, dword ptr [eax]
0x793e0038: add dword ptr [eax], eax
0x793e003a: add byte ptr [eax], al
0x793e003c: add byte ptr [eax], al
0x793e003e: add byte ptr [eax], al

1724 explorer.exe 0x1b20000 0x1b20fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 b2 01 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
10 00 b2 01 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
20 00 b2 01 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b20000: add byte ptr [eax], al
0x1b20002: add byte ptr [eax], al
0x1b20004: add byte ptr [eax], al
0x1b20006: add byte ptr [eax], al
0x1b20008: add byte ptr [eax], al
0x1b2000a: add byte ptr [eax], al
0x1b2000c: add byte ptr [eax], al
0x1b2000e: add byte ptr [eax], al
0x1b20010: add byte ptr [eax], al
0x1b20012: mov dl, 1
0x1b20014: add byte ptr [eax], al
0x1b20016: add byte ptr [eax], al
0x1b20018: add byte ptr [eax], al
0x1b2001a: add byte ptr [eax], al
0x1b2001c: add byte ptr [eax], al
0x1b2001e: add byte ptr [eax], al
0x1b20020: adc byte ptr [eax], al
0x1b20022: mov dl, 1
0x1b20024: add byte ptr [eax], al
0x1b20026: add byte ptr [eax], al
0x1b20028: add byte ptr [eax], al
0x1b2002a: add byte ptr [eax], al
0x1b2002c: add byte ptr [eax], al
0x1b2002e: add byte ptr [eax], al
0x1b20030: and byte ptr [eax], al
0x1b20032: mov dl, 1
0x1b20034: add byte ptr [eax], al
0x1b20036: add byte ptr [eax], al
0x1b20038: add byte ptr [eax], al
0x1b2003a: add byte ptr [eax], al
0x1b2003c: add byte ptr [eax], al
0x1b2003e: add byte ptr [eax], al

2044 IEXPLORE.EXE 0x7ff80000 0x7ffadfff VadS PAGE_EXECUTE_READWRITE 45 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x7ff80000: add byte ptr [eax], al
0x7ff80002: add byte ptr [eax], al
0x7ff80004: add byte ptr [eax], al
0x7ff80006: add byte ptr [eax], al
0x7ff80008: add byte ptr [eax], al
0x7ff8000a: add byte ptr [eax], al
0x7ff8000c: add byte ptr [eax], al
0x7ff8000e: add byte ptr [eax], al
0x7ff80010: add byte ptr [eax], al
0x7ff80012: add byte ptr [eax], al
0x7ff80014: add byte ptr [eax], al
0x7ff80016: add byte ptr [eax], al
0x7ff80018: add byte ptr [eax], al
0x7ff8001a: add byte ptr [eax], al
0x7ff8001c: add byte ptr [eax], al
0x7ff8001e: add byte ptr [eax], al
0x7ff80020: add byte ptr [eax], al
0x7ff80022: add byte ptr [eax], al
0x7ff80024: add byte ptr [eax], al
0x7ff80026: add byte ptr [eax], al
0x7ff80028: add byte ptr [eax], al
0x7ff8002a: add byte ptr [eax], al
0x7ff8002c: add byte ptr [eax], al
0x7ff8002e: add byte ptr [eax], al
0x7ff80030: add byte ptr [eax], al
0x7ff80032: add byte ptr [eax], al
0x7ff80034: add byte ptr [eax], al
0x7ff80036: add byte ptr [eax], al
0x7ff80038: add byte ptr [eax], al
0x7ff8003a: add byte ptr [eax], al
0x7ff8003c: add byte ptr [eax], al
0x7ff8003e: add byte ptr [eax], al
Still not the same as the author's result. Oh well!
Finally, let's try silent banker:
python .\vol.py -f D:\book\malwarecookbook-master\malwarecookbook-master\16\6\silentbanker.vmem\silentbanker.vmem windows.malfind
And now I finally see something like the silent banker injection technique mentioned in the book!
Volatility 3 Framework 2.4.1
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm

608 csrss.exe 0x7f6f0000 0x7f7effff Vad PAGE_EXECUTE_READWRITE 0 0 Disabled
c8 00 00 00 ff 01 00 00 ........
ff ee ff ee 08 70 00 00 .....p..
08 00 00 00 00 fe 00 00 ........
00 00 10 00 00 20 00 00 ........
00 02 00 00 00 20 00 00 ........
8d 01 00 00 ff ef fd 7f ........
03 00 08 06 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x7f6f0000: enter 0, 0
0x7f6f0004: inc dword ptr [ecx]
0x7f6f0006: add byte ptr [eax], al
bla bla...

1884 IEXPLORE.EXE 0x10c0000 0x10c0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
58 68 05 00 0d 01 68 00 Xh....h.
00 00 00 68 00 00 80 7c ...h...|
68 28 18 03 10 50 68 bc h(...Ph.
9f 02 10 c3 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x10c0000: pop eax
0x10c0001: push 0x10d0005
0x10c0006: push 0
0x10c000b: push 0x7c800000
0x10c0010: push 0x10031828
0x10c0015: push eax
0x10c0016: push 0x10029fbc
0x10c001b: ret
0x10c001c: add byte ptr [eax], al
0x10c001e: add byte ptr [eax], al
0x10c0020: add byte ptr [eax], al
0x10c0022: add byte ptr [eax], al
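Reading the two malfind runs side by side shows the pattern a practitioner actually triages on. Every winlogon.exe, explorer.exe and IEXPLORE.EXE region in the coreflood dump is a private RWX allocation (tag VadS) whose first 64 bytes are all zero, which is why the disassembly is nothing but "add byte ptr [eax], al": there is no code at the start of those regions, at least in the dumped window. The csrss.exe region at 0x7f6f0000 has tag Vad, CommitCharge 0 and PrivateMemory 0 and appears identically in both images, so it is not a private allocation at all and can be set aside. The IEXPLORE.EXE region at 0x10c0000 in the silentbanker dump is different: pop eax, a chain of push imm32, push eax, push 0x10029fbc, ret, i.e. a small trampoline that builds arguments on the stack and then "returns" into 0x10029fbc. That is the shape to look for. The block below is an added example (mine, not code from the original post and not Volatility's own): it parses the text format of windows.malfind as shown above, keeps the 64 dumped bytes and the disassembly per region, and classifies each region as zero-filled, a push/ret trampoline, a PE image (MZ header, which is the other classic malfind hit; that region in the sample is constructed, not from either image) or generic code-like. The sample input reuses the winlogon.exe and IEXPLORE.EXE records from the output above.

```python
"""Added example (not from the original post, not Volatility's code): a triage
pass over the text output of vol3's windows.malfind.  It parses the header
line, the 8 hexdump rows and the disassembly lines of each region, then puts
regions into buckets so zero-filled RWX allocations can be dropped and
trampolines / injected PE images surface first."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<tag>Vad\S*)\s+(?P<prot>PAGE_\S+)\s+(?P<commit>\d+)\s+(?P<private>\d+)\s+(?P<fout>\S+)"
)
HEX_ROW_RE = re.compile(r"^((?:[0-9a-fA-F]{2} ){7}[0-9a-fA-F]{2})(?:\s|$)")
DISASM_RE = re.compile(r"^0x[0-9a-fA-F]+:\s+(.+)$")

# Constructed sample: two records copied from the malfind output above plus a
# third, made-up region that starts with an MZ header (not from either image).
SAMPLE = """\
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
632 winlogon.exe 0x2c930000 0x2c933fff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x2c930000: add byte ptr [eax], al
0x2c930002: add byte ptr [eax], al
1884 IEXPLORE.EXE 0x10c0000 0x10c0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
58 68 05 00 0d 01 68 00 Xh....h.
00 00 00 68 00 00 80 7c ...h...|
68 28 18 03 10 50 68 bc h(...Ph.
9f 02 10 c3 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x10c0000: pop eax
0x10c0001: push 0x10d0005
0x10c0006: push 0
0x10c000b: push 0x7c800000
0x10c0010: push 0x10031828
0x10c0015: push eax
0x10c0016: push 0x10029fbc
0x10c001b: ret
0x10c001c: add byte ptr [eax], al
1884 IEXPLORE.EXE 0x2f00000 0x2f0ffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
0x2f00000: dec ebp
0x2f00001: pop edx
"""


@dataclass
class Region:
    pid: int
    process: str
    start: int
    end: int
    tag: str
    protection: str
    commit: int
    private: int
    data: bytes = b""
    disasm: list = field(default_factory=list)


def parse_malfind(text):
    """Turn vol3 windows.malfind text output into Region objects."""
    regions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = Region(int(m["pid"]), m["proc"], int(m["start"], 16), int(m["end"], 16),
                         m["tag"], m["prot"], int(m["commit"]), int(m["private"]))
            regions.append(cur)
            continue
        if cur is None:
            continue  # banner / column header lines before the first record
        m = HEX_ROW_RE.match(line)
        if m:
            cur.data += bytes.fromhex(m.group(1).replace(" ", ""))
            continue
        m = DISASM_RE.match(line)
        if m:
            cur.disasm.append(m.group(1).strip())
    return regions


def classify(region):
    """Bucket a region from its dumped bytes and the plugin's disassembly."""
    data = region.data
    if not data:
        return "no-data"
    if data[:2] == b"MZ":
        return "pe-image"           # an image mapped by hand, not by the loader
    if not any(data):
        return "zero-filled"        # disassembles as add byte ptr [eax], al
    pushes = sum(1 for ins in region.disasm if ins.startswith("push "))
    if pushes >= 2 and "ret" in region.disasm:
        return "push-ret-trampoline"  # push args/target ... ret == jump with arguments
    return "code-like"


PRIORITY = {"pe-image": 0, "push-ret-trampoline": 1, "code-like": 2, "no-data": 3, "zero-filled": 4}


def triage(text, hide_zero_filled=True):
    """(pid, process, start, tag, verdict) rows, most interesting first."""
    rows = []
    for r in parse_malfind(text):
        verdict = classify(r)
        if hide_zero_filled and verdict == "zero-filled":
            continue
        rows.append((r.pid, r.process, f"0x{r.start:x}", r.tag, verdict))
    rows.sort(key=lambda row: PRIORITY[row[4]])
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

The zero-filled bucket is only a first filter: malfind shows the first 64 bytes of a region, and a payload written further into an allocation (the explorer.exe region above, with its "b2 01" words at offsets 0x12, 0x22 and 0x32, is not all zero either) still deserves a dump with windows.malfind --dump or a look at the rest of the region before it is written off.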