Rebuilding PE files (and .sys kernel modules) from memory with Volatility's dump plugins: fixing the broken IAT with impscan
Alright, the book lays out the steps, so let's try them again in vol2.
List the processes:
PS D:\Application\volatility3-stable> python .\vol.py -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" windows.pslist
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID   PPID  ImageFileName    Offset(V)   Threads  Handles  SessionId  Wow64  CreateTime                  ExitTime                    File output

4     0     System           0x810b1660  57       182      N/A        False  N/A                         N/A                         Disabled
544   4     smss.exe         0xff2ab020  3        21       N/A        False  2010-08-11 06:06:21.000000  N/A                         Disabled
608   544   csrss.exe        0xff1ecda0  10       378      0          False  2010-08-11 06:06:23.000000  N/A                         Disabled
632   544   winlogon.exe     0xff1ec978  18       511      0          False  2010-08-11 06:06:23.000000  N/A                         Disabled
676   632   services.exe     0xff247020  16       269      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
688   632   lsass.exe        0xff255020  19       344      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
844   676   vmacthlp.exe     0xff218230  1        24       0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
856   676   svchost.exe      0x80ff88d8  17       199      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
936   676   svchost.exe      0xff217560  11       274      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
1028  676   svchost.exe      0x80fbf910  75       1373     0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
1088  676   svchost.exe      0xff22d558  6        86       0          False  2010-08-11 06:06:25.000000  N/A                         Disabled
1148  676   svchost.exe      0xff203b80  14       209      0          False  2010-08-11 06:06:26.000000  N/A                         Disabled
1432  676   spoolsv.exe      0xff1d7da0  12       134      0          False  2010-08-11 06:06:26.000000  N/A                         Disabled
1668  676   vmtoolsd.exe     0xff1b8b28  5        221      0          False  2010-08-11 06:06:35.000000  N/A                         Disabled
1788  676   VMUpgradeHelper  0xff1fdc88  4        100      0          False  2010-08-11 06:06:38.000000  N/A                         Disabled
1968  676   TPAutoConnSvc.e  0xff143b28  5        100      0          False  2010-08-11 06:06:39.000000  N/A                         Disabled
216   676   alg.exe          0xff25a7e0  6        105      0          False  2010-08-11 06:06:39.000000  N/A                         Disabled
888   1028  wscntfy.exe      0xff364310  1        27       0          False  2010-08-11 06:06:49.000000  N/A                         Disabled
1084  1968  TPAutoConnect.e  0xff38b5f8  1        61       0          False  2010-08-11 06:06:52.000000  N/A                         Disabled
1724  1708  explorer.exe     0xff3865d0  13       326      0          False  2010-08-11 06:09:29.000000  N/A                         Disabled
432   1724  VMwareTray.exe   0xff3667e8  1        49       0          False  2010-08-11 06:09:31.000000  N/A                         Disabled
452   1724  VMwareUser.exe   0xff374980  8        206      0          False  2010-08-11 06:09:32.000000  N/A                         Disabled
468   1028  wuauclt.exe      0x80f94588  4        135      0          False  2010-08-11 06:09:37.000000  N/A                         Disabled
1180  1060  lanmanwrk.exe    0xff3825f8  2        75       0          False  2010-08-15 19:09:12.000000  N/A                         Disabled
1340  1724  IEXPLORE.EXE     0xff38a410  12       346      0          False  2010-08-15 19:09:26.000000  N/A                         Disabled
460   1668  cmd.exe          0xff1f9b08  0        -        0          False  2010-08-15 19:11:21.000000  2010-08-15 19:11:21.000000  Disabled
We can see that PID 1180 is the malicious process we are looking for!
First, dump the PE file that corresponds to the process:
PS D:\Application\volatility3-stable\prodmp_out> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" procdump --dump-dir prodmp_out

    目录: D:\Application\volatility3-stable\prodmp_out

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2023-05-03     20:55          14336 executable.1028.exe
-a----        2023-05-03     20:55         446464 executable.1084.exe
-a----        2023-05-03     20:55          14336 executable.1088.exe
-a----        2023-05-03     20:55          29696 executable.1180.exe
-a----        2023-05-03     21:13          16384 executable.1180.exe.id0
-a----        2023-05-03     21:13              0 executable.1180.exe.id1
-a----        2023-05-03     21:13             41 executable.1180.exe.id2
-a----        2023-05-03     21:13              0 executable.1180.exe.nam
-a----        2023-05-03     21:14             82 executable.1180.exe.til
-a----        2023-05-03     20:55          93184 executable.1340.exe
-a----        2023-05-03     20:55          57856 executable.1432.exe
-a----        2023-05-03     20:55          65536 executable.1668.exe
-a----        2023-05-03     20:55        1032192 executable.1724.exe
-a----        2023-05-03     20:55         184320 executable.1788.exe
-a----        2023-05-03     20:55         135168 executable.432.exe
-a----        2023-05-03     20:55        1081344 executable.452.exe
-a----        2023-05-03     20:55         111104 executable.468.exe
-a----        2023-05-03     20:55              0 executable.608.exe
-a----        2023-05-03     20:55         502272 executable.632.exe
-a----        2023-05-03     20:55         108032 executable.676.exe
-a----        2023-05-03     20:55          13312 executable.688.exe
-a----        2023-05-03     20:55          14336 executable.936.exe
Of course vol3 works as well: python .\vol.py -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" windows.pslist --dump
And indeed, the PE file dumped for 1180 does not have a correct IAT!!! Let's take a look at it in IDA:
Sure enough, it looks like a mess! So let's scan it with impscan:
PS D:\Application\volatility3-stable> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" impscan -p 1180
Volatility Foundation Volatility Framework 2.6
IAT        Call       Module               Function
---------- ---------- -------------------- --------
0x00406000 0x77deb635 ADVAPI32.dll         ControlService
0x00406004 0x77ddede5 ADVAPI32.dll         RegDeleteValueA
0x00406008 0x77dd6bf0 ADVAPI32.dll         RegCloseKey
0x0040600c 0x77e37311 ADVAPI32.dll         DeleteService
0x00406010 0x77deada7 ADVAPI32.dll         OpenSCManagerA
0x00406014 0x77e37071 ADVAPI32.dll         CreateServiceA
0x00406018 0x77deb88c ADVAPI32.dll         OpenServiceA
0x0040601c 0x77de5e4d ADVAPI32.dll         CloseServiceHandle
0x00406020 0x77dd7883 ADVAPI32.dll         RegQueryValueExA
0x00406024 0x77dfc41b ADVAPI32.dll         RegOpenKeyA
0x0040602c 0x7c80b357 kernel32.dll         GetModuleFileNameA
0x00406030 0x7c802442 kernel32.dll         Sleep
0x00406034 0x7c81082f kernel32.dll         CreateThread
0x00406038 0x7c82293b kernel32.dll         GetWindowsDirectoryA
0x0040603c 0x7c81caa2 kernel32.dll         ExitProcess
0x00406040 0x7c8092ac kernel32.dll         GetTickCount
0x00406044 0x7c80c9c1 kernel32.dll         GetLocalTime
0x00406048 0x7c810d34 kernel32.dll         SystemTimeToFileTime
0x0040604c 0x7c80946c kernel32.dll         CreateFileMappingA
0x00406050 0x7c81ff03 kernel32.dll         FlushViewOfFile
0x00406054 0x7c801d77 kernel32.dll         LoadLibraryA
0x00406058 0x7c80994e kernel32.dll         GetCurrentProcessId
0x0040605c 0x7c910331 kernel32.dll         GetLastError
0x00406060 0x7c80c729 kernel32.dll         lstrcpyA
0x00406064 0x7c810c8f kernel32.dll         GetFileSize
0x00406068 0x7c812851 kernel32.dll         GetVersionExA
0x0040606c 0x7c80b529 kernel32.dll         GetModuleHandleA
0x00406070 0x7c80ac28 kernel32.dll         GetProcAddress
0x00406074 0x7c80c6e0 kernel32.dll         lstrlenA
0x00406078 0x7c80b9fe kernel32.dll         OpenFileMappingA
0x0040607c 0x7c80b78d kernel32.dll         MapViewOfFile
0x00406080 0x7c80b7fc kernel32.dll         UnmapViewOfFile
0x00406084 0x7c80c865 kernel32.dll         GetSystemDefaultLCID
0x00406088 0x7c80d47e kernel32.dll         GetLocaleInfoA
0x0040608c 0x7c80b929 kernel32.dll         lstrcmpiA
0x00406090 0x7c9179fd kernel32.dll         HeapReAlloc
0x00406094 0x7c9105d4 kernel32.dll         HeapAlloc
0x00406098 0x7c80aa49 kernel32.dll         GetProcessHeap
0x0040609c 0x7c91043d kernel32.dll         HeapFree
0x004060a0 0x7c809b77 kernel32.dll         CloseHandle
0x004060a4 0x7c801a24 kernel32.dll         CreateFileA
0x004060a8 0x7c810f9f kernel32.dll         WriteFile
0x004060ac 0x7c830053 kernel32.dll         CopyFileA
0x004060b0 0x7c838fb9 kernel32.dll         lstrcatA
0x004060b4 0x7c8394ae kernel32.dll         GetTimeZoneInformation
0x004060bc 0x77d4df6b USER32.dll           DefWindowProcA
0x004060c0 0x77d4e2ae USER32.dll           SendMessageA
0x004060c4 0x77d6f3c6 USER32.dll           FindWindowA
0x004060c8 0x77d4d7bb USER32.dll           GetDesktopWindow
0x004060cc 0x77d4b57c USER32.dll           GetWindowRect
0x004060d0 0x77d4bcbd USER32.dll           DispatchMessageA
0x004060d4 0x77d4a2de USER32.dll           wsprintfA
0x004060d8 0x77d52316 USER32.dll           RegisterClassA
0x004060dc 0x77d5190b USER32.dll           CreateWindowExA
0x004060e0 0x77d48bce USER32.dll           TranslateMessage
0x004060e4 0x77d6ea45 USER32.dll           GetMessageA
0x004060e8 0x77d48c06 USER32.dll           SetTimer
0x004060f0 0x771d325f WININET.dll          InternetQueryDataAvailable
0x004060f4 0x771c8c6a WININET.dll          HttpQueryInfoA
0x004060f8 0x771c76b8 WININET.dll          HttpSendRequestA
0x004060fc 0x771c4ac5 WININET.dll          HttpOpenRequestA
0x00406100 0x771c61dc WININET.dll          InternetCloseHandle
0x00406104 0x771c44db WININET.dll          InternetConnectA
0x00406108 0x771c6d2a WININET.dll          InternetOpenA
0x0040610c 0x771c8840 WININET.dll          InternetCrackUrlA
0x00408a80 0x7c80180e kernel32.dll         ReadFile
0x00408a84 0x7c81e85c kernel32.dll         DeleteFileA
0x00408a88 0x7c801a24 kernel32.dll         CreateFileA
0x00408a8c 0x7c830053 kernel32.dll         CopyFileA
0x00408a90 0x7c809b77 kernel32.dll         CloseHandle
0x00408a94 0x771c9555 WININET.dll          InternetReadFile
0x00408a98 0x7c810f9f kernel32.dll         WriteFile
0x00408a9c 0x77df3238 ADVAPI32.dll         StartServiceA
Post-process the output above with a regular-expression find and replace in Notepad++:
Find:         ^([0-9a-z]+)\s+[0-9a-z]+\s+[0-9a-z.]+\s+(\w+)$
Replace with: MakeName\(\1, "\2"\);
Once the lines have been turned into commands IDA understands, load them into IDA:
Finally the IAT is rebuilt correctly!!! GOOD!!!
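The same conversion can be scripted instead of done in an editor. The Python below is an added example, not code from the book or from this post: it parses impscan's table into IDC MakeName() calls and goes one step beyond the regex, because IDA refuses a name that is already in use, and the output above imports CreateFileA, CopyFileA, CloseHandle and WriteFile through two slots each. The sample rows are copied from the impscan output above.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the impscan output above, including a
# function (CreateFileA) that is imported through two different IAT slots.
IMPSCAN_OUTPUT = """\
IAT        Call       Module               Function
---------- ---------- -------------------- --------
0x00406000 0x77deb635 ADVAPI32.dll         ControlService
0x00406004 0x77ddede5 ADVAPI32.dll         RegDeleteValueA
0x0040602c 0x7c80b357 kernel32.dll         GetModuleFileNameA
0x004060a4 0x7c801a24 kernel32.dll         CreateFileA
0x004060f0 0x771d325f WININET.dll          InternetQueryDataAvailable
0x00408a88 0x7c801a24 kernel32.dll         CreateFileA
"""

# The same four columns the Notepad++ regex matches: IAT slot, call target, module, function.
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)\s+(\w+)\s*$", re.I)


def parse_impscan(text):
    """Return (iat_addr, call_addr, module, function) tuples; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return rows


def to_idc(rows):
    """Emit one MakeName() per IAT slot, in address order.

    IDA rejects a name that already exists in the database, so when the same
    function is reached through a second slot the repeat gets a numeric suffix;
    the real import is kept in the trailing comment so nothing is lost.
    """
    seen = Counter()
    lines = []
    for iat, call, module, func in sorted(rows):
        seen[func] += 1
        name = func if seen[func] == 1 else "%s_%d" % (func, seen[func] - 1)
        lines.append('MakeName(0x%08x, "%s");  // %s!%s @ 0x%08x' % (iat, name, module, func, call))
    return lines


if __name__ == "__main__":
    # Redirect this to a .idc file and run it from IDA's File > Script file menu.
    print("\n".join(to_idc(parse_impscan(IMPSCAN_OUTPUT))))
```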
Finally, let's talk about how to dump kernel modules.
Our goal is to dump every .sys file and hand them to an antivirus scanner.
The analysis approach is actually the same as before; only the commands differ. I'll paste the commands directly, for future reference:
PS D:\Application\volatility3-stable> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" modules
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                 Base       Size       File
---------- -------------------- ---------- ---------- ----
0x810dbe68 ntoskrnl.exe         0x804d7000 0x1f6280   \WINDOWS\system32\ntkrnlpa.exe
0x810dbe00 hal.dll              0x806ce000 0x20380    \WINDOWS\system32\hal.dll
0x810dbd98 kdcom.dll            0xfc99b000 0x2000     \WINDOWS\system32\KDCOM.DLL
0x810dbd28 BOOTVID.dll          0xfc8ab000 0x3000     \WINDOWS\system32\BOOTVID.dll
0x810dbcc0 ACPI.sys             0xfc36c000 0x2e000    ACPI.sys
0x810d6008 WMILIB.SYS           0xfc99d000 0x2000     \WINDOWS\system32\DRIVERS\WMILIB.SYS
0x810d6fa0 pci.sys              0xfc35b000 0x11000    pci.sys
0x810d6f30 isapnp.sys           0xfc49b000 0x9000     isapnp.sys
0x810d6ec0 compbatt.sys         0xfc8af000 0x3000     compbatt.sys
0x810d6e58 BATTC.SYS            0xfc8b3000 0x4000     \WINDOWS\system32\DRIVERS\BATTC.SYS
0x810d6de8 intelide.sys         0xfc99f000 0x2000     intelide.sys
0x810d6d78 PCIIDEX.SYS          0xfc71b000 0x7000     \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0x810d6d08 MountMgr.sys         0xfc4ab000 0xb000     MountMgr.sys
0x810d6c98 ftdisk.sys           0xfc33c000 0x1f000    ftdisk.sys
0x810d6c28 dmload.sys           0xfc9a1000 0x2000     dmload.sys
0x810d6bc0 dmio.sys             0xfc316000 0x26000    dmio.sys
0x810d6b50 PartMgr.sys          0xfc723000 0x5000     PartMgr.sys
0x810d6ae0 VolSnap.sys          0xfc4bb000 0xd000     VolSnap.sys
0x810d6a78 atapi.sys            0xfc2fe000 0x18000    atapi.sys
0x810d6a08 vmscsi.sys           0xfc8b7000 0x3000     vmscsi.sys
0x810d6998 SCSIPORT.SYS         0xfc2e6000 0x18000    \WINDOWS\system32\drivers\SCSIPORT.SYS
0x810d6930 disk.sys             0xfc4cb000 0x9000     disk.sys
0x810d68c0 CLASSPNP.SYS         0xfc4db000 0xd000     \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0x810d6850 fltMgr.sys           0xfc2c7000 0x1f000    fltMgr.sys
0x810d67e8 sr.sys               0xfc2b5000 0x12000    sr.sys
0x810d6778 KSecDD.sys           0xfc29e000 0x17000    KSecDD.sys
0x810d6710 Ntfs.sys             0xfc211000 0x8d000    Ntfs.sys
0x810d66a8 NDIS.sys             0xfc1e4000 0x2d000    NDIS.sys
0x810d6640 Mup.sys              0xfc1c9000 0x1b000    Mup.sys
0x810d65d0 agp440.sys           0xfc4eb000 0xb000     agp440.sys
0x80f0de60 i8042prt.sys         0xfc53b000 0xd000     \SystemRoot\system32\DRIVERS\i8042prt.sys
0x80fc0bb8 kbdclass.sys         0xfc75b000 0x6000     \SystemRoot\system32\DRIVERS\kbdclass.sys
0x80fbf378 vmmouse.sys          0xfc9a3000 0x2000     \SystemRoot\system32\DRIVERS\vmmouse.sys
0x80f66d68 mouclass.sys         0xfc763000 0x6000     \SystemRoot\system32\DRIVERS\mouclass.sys
0x81005008 parport.sys          0xfc121000 0x14000    \SystemRoot\system32\DRIVERS\parport.sys
0x80fbf008 serial.sys           0xfc54b000 0x10000    \SystemRoot\system32\DRIVERS\serial.sys
0x80ef5d80 serenum.sys          0xfc93b000 0x4000     \SystemRoot\system32\DRIVERS\serenum.sys
0x80f66430 fdc.sys              0xfc76b000 0x7000     \SystemRoot\system32\DRIVERS\fdc.sys
0x80f663c8 imapi.sys            0xfc55b000 0xb000     \SystemRoot\system32\DRIVERS\imapi.sys
0x80fa67f0 cdrom.sys            0xfc56b000 0xd000     \SystemRoot\system32\DRIVERS\cdrom.sys
0x80fa5d10 redbook.sys          0xfc57b000 0xf000     \SystemRoot\system32\DRIVERS\redbook.sys
0x80f79400 ks.sys               0xfc0fe000 0x23000    \SystemRoot\system32\DRIVERS\ks.sys
0x80fa5128 vmci.sys             0xfc58b000 0xe000     \SystemRoot\system32\DRIVERS\vmci.sys
0x80fa4870 vmx_svga.sys         0xfc773000 0x6000     \SystemRoot\system32\DRIVERS\vmx_svga.sys
0x80fa4800 VIDEOPRT.SYS         0xfc0ea000 0x14000    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0x80fa4618 usbuhci.sys          0xfc77b000 0x5000     \SystemRoot\system32\DRIVERS\usbuhci.sys
0x810041f8 USBPORT.SYS          0xfc0c7000 0x23000    \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x80fa3cb0 vmxnet.sys           0xfc783000 0x8000     \SystemRoot\system32\DRIVERS\vmxnet.sys
0x80fa3480 es1371mp.sys         0xfc59b000 0xa000     \SystemRoot\system32\drivers\es1371mp.sys
0x80fa2f98 portcls.sys          0xfc0a3000 0x24000    \SystemRoot\system32\drivers\portcls.sys
0x80fa3b58 drmk.sys             0xfc5ab000 0xf000     \SystemRoot\system32\drivers\drmk.sys
0x80f79390 usbehci.sys          0xfc78b000 0x7000     \SystemRoot\system32\DRIVERS\usbehci.sys
0x80fa2a38 CmBatt.sys           0xfc943000 0x4000     \SystemRoot\system32\DRIVERS\CmBatt.sys
0x80fa2670 intelppm.sys         0xfc5bb000 0x9000     \SystemRoot\system32\DRIVERS\intelppm.sys
0x80fa22a8 audstub.sys          0xfcbef000 0x1000     \SystemRoot\system32\DRIVERS\audstub.sys
0x80f30b18 rasl2tp.sys          0xfc5cb000 0xd000     \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xff3cbf98 ndistapi.sys         0xfc947000 0x3000     \SystemRoot\system32\DRIVERS\ndistapi.sys
0x80f30690 ndiswan.sys          0xfc08c000 0x17000    \SystemRoot\system32\DRIVERS\ndiswan.sys
0xff3c9970 raspppoe.sys         0xfc5db000 0xb000     \SystemRoot\system32\DRIVERS\raspppoe.sys
0xff3c8938 raspptp.sys          0xfc5eb000 0xc000     \SystemRoot\system32\DRIVERS\raspptp.sys
0x81027e90 TDI.SYS              0xfc793000 0x5000     \SystemRoot\system32\DRIVERS\TDI.SYS
0xff3c82a0 psched.sys           0xfc053000 0x11000    \SystemRoot\system32\DRIVERS\psched.sys
0xff3d87e0 msgpc.sys            0xfc5fb000 0x9000     \SystemRoot\system32\DRIVERS\msgpc.sys
0x80f30ec8 ptilink.sys          0xfc79b000 0x5000     \SystemRoot\system32\DRIVERS\ptilink.sys
0x80f4a638 raspti.sys           0xfc7a3000 0x5000     \SystemRoot\system32\DRIVERS\raspti.sys
0x810277d0 rdpdr.sys            0xfbf82000 0x31000    \SystemRoot\system32\DRIVERS\rdpdr.sys
0x80feec08 termdd.sys           0xfc61b000 0xa000     \SystemRoot\system32\DRIVERS\termdd.sys
0x80f4d6d8 swenum.sys           0xfc9a5000 0x2000     \SystemRoot\system32\DRIVERS\swenum.sys
0x80f4ce78 update.sys           0xfbf4e000 0x34000    \SystemRoot\system32\DRIVERS\update.sys
0x80fedbb8 mssmbios.sys         0xfc967000 0x4000     \SystemRoot\system32\DRIVERS\mssmbios.sys
0x80fcf698 NDProxy.SYS          0xfc62b000 0xa000     \SystemRoot\System32\Drivers\NDProxy.SYS
0x80fcf428 flpydisk.sys         0xfc7ab000 0x5000     \SystemRoot\system32\DRIVERS\flpydisk.sys
0x80fba140 usbhub.sys           0xfc64b000 0xf000     \SystemRoot\system32\DRIVERS\usbhub.sys
0x80ff4258 USBD.SYS             0xfc9a7000 0x2000     \SystemRoot\system32\DRIVERS\USBD.SYS
0x80ff5728 gameenum.sys         0xfc190000 0x3000     \SystemRoot\system32\DRIVERS\gameenum.sys
0xff3773b8 Fs_Rec.SYS           0xfc9af000 0x2000     \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xff3af8e0 Null.SYS             0xfcac9000 0x1000     \SystemRoot\System32\Drivers\Null.SYS
0xff363398 Beep.SYS             0xfc9b1000 0x2000     \SystemRoot\System32\Drivers\Beep.SYS
0xff367398 vga.sys              0xfc7bb000 0x6000     \SystemRoot\System32\drivers\vga.sys
0xff362a50 mnmdd.SYS            0xfc9b3000 0x2000     \SystemRoot\System32\Drivers\mnmdd.SYS
0xff366e80 RDPCDD.sys           0xfc9b5000 0x2000     \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x80f0c8c8 Msfs.SYS             0xfc7c3000 0x5000     \SystemRoot\System32\Drivers\Msfs.SYS
0xff36a628 Npfs.SYS             0xfc7cb000 0x8000     \SystemRoot\System32\Drivers\Npfs.SYS
0x80f0c050 rasacd.sys           0xfc174000 0x3000     \SystemRoot\system32\DRIVERS\rasacd.sys
0xff36ae78 ipsec.sys            0xf3c01000 0x13000    \SystemRoot\system32\DRIVERS\ipsec.sys
0xff3903a8 tcpip.sys            0xf3ba9000 0x58000    \SystemRoot\system32\DRIVERS\tcpip.sys
0x80f65a08 netbt.sys            0xf3b81000 0x28000    \SystemRoot\system32\DRIVERS\netbt.sys
0x80f65998 ws2ifsl.sys          0xfc170000 0x3000     \SystemRoot\System32\drivers\ws2ifsl.sys
0xff3c5110 afd.sys              0xf3b5f000 0x22000    \SystemRoot\System32\drivers\afd.sys
0x80f65478 netbios.sys          0xfc65b000 0x9000     \SystemRoot\system32\DRIVERS\netbios.sys
0x80febb00 vmhgfs.sys           0xf3b41000 0x1e000    \SystemRoot\System32\DRIVERS\vmhgfs.sys
0x81003580 rdbss.sys            0xf3b15000 0x2c000    \SystemRoot\system32\DRIVERS\rdbss.sys
0x81003510 mrxsmb.sys           0xf3aa6000 0x6f000    \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xff3c57e0 Fips.SYS             0xfc67b000 0x9000     \SystemRoot\System32\Drivers\Fips.SYS
0x80f78a80 ipnat.sys            0xf3a85000 0x21000    \SystemRoot\system32\DRIVERS\ipnat.sys
0x80f78760 wanarp.sys           0xfc68b000 0x9000     \SystemRoot\system32\DRIVERS\wanarp.sys
0x80fb88d8 Cdfs.SYS             0xfc6bb000 0x10000    \SystemRoot\System32\Drivers\Cdfs.SYS
0x80f724f8 usbccgp.sys          0xfc7e3000 0x8000     \SystemRoot\system32\DRIVERS\usbccgp.sys
0x80fb6c88 hidusb.sys           0xfbf42000 0x3000     \SystemRoot\system32\DRIVERS\hidusb.sys
0x80f4f0c0 HIDCLASS.SYS         0xfc6fb000 0x9000     \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x80f2c340 HIDPARSE.SYS         0xfc7eb000 0x7000     \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x80f2f008 mouhid.sys           0xfbf3e000 0x3000     \SystemRoot\system32\DRIVERS\mouhid.sys
0x80f28e28 dump_scsiport.sys    0xfbf3a000 0x4000     \SystemRoot\System32\Drivers\dump_diskdump.sys
0x80efc0c8 dump_vmscsi.sys      0xfbf36000 0x3000     \SystemRoot\System32\Drivers\dump_vmscsi.sys
0xff1ec2a0 win32k.sys           0xbf800000 0x1c1000   \SystemRoot\System32\win32k.sys
0x80f29008 watchdog.sys         0xfc7f3000 0x5000     \SystemRoot\System32\watchdog.sys
0x80fcef38 Dxapi.sys            0xfc98b000 0x3000     \SystemRoot\System32\drivers\Dxapi.sys
0xff3bb7f8 dxg.sys              0xbf9c1000 0x12000    \SystemRoot\System32\drivers\dxg.sys
0xff215108 dxgthk.sys           0xfcb25000 0x1000     \SystemRoot\System32\drivers\dxgthk.sys
0xff37c230 vmx_fb.dll           0xbf9d3000 0x34000    \SystemRoot\System32\vmx_fb.dll
0xff1fa420 ndisuio.sys          0xf386d000 0x4000     \SystemRoot\system32\DRIVERS\ndisuio.sys
0x80f04700 mrxdav.sys           0xf35d8000 0x2d000    \SystemRoot\system32\DRIVERS\mrxdav.sys
0x80f64800 ParVdm.SYS           0xfc9f5000 0x2000     \SystemRoot\System32\Drivers\ParVdm.SYS
0x80ef7d70 vmmemctl.sys         0xfc9f7000 0x2000     \??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
0x80f034a8 srv.sys              0xf355d000 0x53000    \SystemRoot\system32\DRIVERS\srv.sys
0x80f55508 HTTP.sys             0xf329c000 0x41000    \SystemRoot\System32\Drivers\HTTP.sys
0x80fb16c0 wdmaud.sys           0xf3147000 0x15000    \SystemRoot\system32\drivers\wdmaud.sys
0xff381bd8 sysaudio.sys         0xf337d000 0xf000     \SystemRoot\system32\drivers\sysaudio.sys
0xff2837e8 Fastfat.SYS          0xf2ef5000 0x23000    \SystemRoot\System32\Drivers\Fastfat.SYS
0x80fae8b0 lanmandrv.sys        0xfca29000 0x2000     \??\C:\WINDOWS\System32\lanmandrv.sys
0xff147970 kmixer.sys           0xf2ecb000 0x2a000    \SystemRoot\system32\drivers\kmixer.sys

PS D:\Application\volatility3-stable> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" moddump --dump-dir moddmp_out
Volatility Foundation Volatility Framework 2.6

PS D:\Application\volatility3-stable\moddmp_out> dir

    目录: D:\Application\volatility3-stable\moddmp_out

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2023-05-03     21:44        2056832 driver.804d7000.sys
-a----        2023-05-03     21:44         131968 driver.806ce000.sys
-a----        2023-05-03     21:44        1835904 driver.bf800000.sys
-a----        2023-05-03     21:44         211072 driver.bf9d3000.sys
-a----        2023-05-03     21:44         171776 driver.f2ecb000.sys
-a----        2023-05-03     21:44         143360 driver.f2ef5000.sys
-a----        2023-05-03     21:44          82944 driver.f3147000.sys
-a----        2023-05-03     21:44         263040 driver.f329c000.sys
-a----        2023-05-03     21:44          60800 driver.f337d000.sys
-a----        2023-05-03     21:44         336256 driver.f355d000.sys
-a----        2023-05-03     21:44         181248 driver.f35d8000.sys
...
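moddump names every file driver.<Base>.sys, so before handing the directory to a scanner it helps to map each dump back to the module name and on-disk path from the modules table. The Python below is an added example (not the post's own code): it parses the modules listing, labels each dump file, and additionally flags drivers loaded from outside \SystemRoot or \WINDOWS, which is a triage heuristic of mine rather than anything the plugins report. The sample rows are copied from the listing above; driver.deadbeef.sys is a made-up file name used to show the unmapped case.

```python
import re

# Constructed sample: a few rows copied from the `modules` listing above, plus
# file names in the form moddump writes (driver.<Base>.sys). The last dump file
# is a made-up name with no matching module, to exercise the unmapped case.
MODULES_OUTPUT = """\
Offset(V)  Name                 Base       Size       File
---------- -------------------- ---------- ---------- ----
0x810dbe68 ntoskrnl.exe         0x804d7000 0x1f6280   \\WINDOWS\\system32\\ntkrnlpa.exe
0xff1ec2a0 win32k.sys           0xbf800000 0x1c1000   \\SystemRoot\\System32\\win32k.sys
0x80ef7d70 vmmemctl.sys         0xfc9f7000 0x2000     \\??\\C:\\Program Files\\VMware\\VMware Tools\\Drivers\\memctl\\vmmemctl.sys
0x80fae8b0 lanmandrv.sys        0xfca29000 0x2000     \\??\\C:\\WINDOWS\\System32\\lanmandrv.sys
"""
DUMP_FILES = ["driver.804d7000.sys", "driver.bf800000.sys",
              "driver.fca29000.sys", "driver.deadbeef.sys"]

# Offset(V), Name, Base, Size, File; the path may contain spaces, so it takes the rest of the line.
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.*?)\s*$", re.I)
DUMP_RE = re.compile(r"^driver\.([0-9a-f]+)\.sys$", re.I)
# Where the loader normally reports OS-shipped drivers; boot drivers such as
# ACPI.sys appear with a bare file name and are treated as standard as well.
STANDARD_PREFIXES = ("\\SYSTEMROOT\\", "\\WINDOWS\\")


def parse_modules(text):
    """Map load base -> (name, size, on-disk path) from the modules table."""
    mods = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            mods[int(m.group(3), 16)] = (m.group(2), int(m.group(4), 16), m.group(5))
    return mods


def label_dumps(dump_files, mods):
    """Return (dump_file, module_name, path, note) for each moddump output file.

    note is "unmapped" when the modules table has no entry at that base, and
    "non-standard path" when the driver was loaded from outside \\SystemRoot or
    \\WINDOWS. The latter is a triage heuristic added here (it also catches
    legitimate third-party drivers such as vmmemctl.sys), not plugin output.
    """
    out = []
    for f in dump_files:
        m = DUMP_RE.match(f)
        base = int(m.group(1), 16) if m else None
        if base not in mods:
            out.append((f, None, None, "unmapped"))
            continue
        name, _size, path = mods[base]
        standard = "\\" not in path or path.upper().startswith(STANDARD_PREFIXES)
        out.append((f, name, path, "" if standard else "non-standard path"))
    return out


if __name__ == "__main__":
    for row in label_dumps(DUMP_FILES, parse_modules(MODULES_OUTPUT)):
        print("%-22s %-16s %s %s" % row)
```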
As for rebuilding the IAT with impscan, I didn't get it to work myself! I read the source code and still didn't understand it:
class ImpScan(common.AbstractWindowsCommand):
    """Scan for calls to imported functions"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # Define a new PID option instead of inheriting from
        # taskmods.DllList because this one cannot be a comma
        # separated list of PIDs.
        config.remove_option('PID')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Process ID (leave off to scan kernel memory)',
                          action = 'store', type = 'int')

        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')

        # The base address in kernel or process memory where
        # we begin scanning. This is an executable region with
        # assembly instructions like a .text or .code PE section.
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Base address in process memory if --pid ' +
                                 'is supplied, otherwise an address in kernel space',
                          action = 'store', type = 'int')

        # The size in bytes of data to scan from the base address.
        config.add_option('SIZE', short_option = 's', default = None,
                          help = 'Size of memory to scan',
                          action = 'store', type = 'int')
Because modules have no PID at all! Annoying! TODO!
PS D:\Application\volatility3-stable\moddmp_out> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" impscan -o 0xfc9a7000 -b 0x80ef7d70
Volatility Foundation Volatility Framework 2.6
IAT        Call       Module               Function
---------- ---------- -------------------- --------
ERROR   : volatility.debug    : You must supply an active PID
I had a look at the manual: https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf
Looks like a PID really does have to be specified.