使用volatility——扫描互斥体和隐藏服务,隐藏服务本质上和隐藏进程一样

隐藏服务本质上和隐藏进程没有区别!

svcscan原理:

因此,要找到隐藏的服务就需要使用svcscan,同时结合sc query看到的可见服务进行对比,以发现隐藏服务!

 

PS D:\Application\volatility3-stable\moddmp_out> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\17\6\be2.vmem\be2.vmem" svcscan >service.result.txt
Volatility Foundation Volatility Framework 2.6
PS D:\Application\volatility3-stable\moddmp_out> notepad.exe .\service.result.txt

 结果类似:

Offset: 0x6e1e90
Order: 1
Start: SERVICE_DISABLED
Process ID: -
Service Name: Abiosdsk
Display Name: Abiosdsk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x6e1f20
Order: 2
Start: SERVICE_DISABLED
Process ID: -
Service Name: abp480n5
Display Name: abp480n5
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x6e1fb0
Order: 3
Start: SERVICE_BOOT_START
Process ID: -
Service Name: ACPI
Display Name: Microsoft ACPI Driver
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \Driver\ACPI

 

最后,补充下互斥体扫描(注意仅仅是扫描,是否恶意还要进一步判断)使用:

PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem mutantscan -s
Volatility Foundation Volatility Framework 2.6
Offset(P)              #Ptr     #Hnd Signal Thread           CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x00000000000962c0        1        1      1 0x00000000
0x00000000007c0840        1        1      1 0x00000000
0x00000000009d86e0        1        1      1 0x00000000
0x00000000009d90d8        1        1      1 0x00000000
0x0000000000eda878        1        1      1 0x00000000
0x0000000000edae88        1        1      1 0x00000000
0x000000000105a278        1        1      1 0x00000000
0x000000000105a2e8        1        1      1 0x00000000
0x000000000105aa38        7        6      1 0x00000000           _!MSFTHISTORY!_
0x000000000105acf0        2        1      0 0xff3ba880   888:912 wscntfy_mtx
0x000000000105e900        1        1      1 0x00000000
0x0000000001061fe0        2        1      1 0x00000000           542B5ABE01CB391B000003A82
0x00000000010633b8        2        1      1 0x00000000           msgina: InteractiveLogonRequestMutex
0x0000000001066480        2        1      1 0x00000000           PerfOS_Perf_Library_Lock_PID_684
0x00000000010669d0        2        1      1 0x00000000           winlogon: Logon UserProfileMapping Mutex
0x0000000001066bd0        2        1      1 0x00000000           PerfProc_Perf_Library_Lock_PID_684
0x00000000010676d8        2        1      1 0x00000000           RemoteAccess_Perf_Library_Lock_PID_684
0x0000000001067d60        1        1      1 0x00000000
0x0000000001069fa8        2        1      1 0x00000000           WmiApRpl_Perf_Library_Lock_PID_684
0x000000000106fb60        3        2      1 0x00000000           WininetProxyRegistryMutex
0x0000000001070380        2        1      1 0x00000000           Spooler_Perf_Library_Lock_PID_684
0x00000000010719b0        2        1      1 0x00000000           ContentFilter_Perf_Library_Lock_PID_684
0x0000000001071e40        1        1      1 0x00000000

 

 


 

 

posted @ 2023-05-04 01:08  bonelee  阅读(94)  评论(0编辑  收藏  举报