Volatility network-related commands. Note when using them that some are rather outdated.
The Volatility 2.4 manual lists:
vol3 has only:
windows.netscan.NetScan
Scans for network objects present in a particular windows memory image.
My own experiment:
PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)   PID   Port  Proto Protocol  Address         Create Time
---------- ----- ------ ------ --------- --------------- -----------
0x80fd1008     4      0     47 GRE       0.0.0.0         2010-08-11 06:08:00 UTC+0000
0xff258008   688    500     17 UDP       0.0.0.0         2010-08-11 06:06:35 UTC+0000
0xff367008     4    445      6 TCP       0.0.0.0         2010-08-11 06:06:17 UTC+0000
0x80ffc128   936    135      6 TCP       0.0.0.0         2010-08-11 06:06:24 UTC+0000
0xff37cd28  1028   1058      6 TCP       0.0.0.0         2010-08-15 19:17:56 UTC+0000
0xff20c478   856  29220      6 TCP       0.0.0.0         2010-08-15 19:17:27 UTC+0000
0xff225b70   688      0    255 Reserved  0.0.0.0         2010-08-11 06:06:35 UTC+0000
0xff254008  1028    123     17 UDP       127.0.0.1       2010-08-15 19:17:56 UTC+0000
0x80fce930  1088   1025     17 UDP       0.0.0.0         2010-08-11 06:06:38 UTC+0000
0xff127d28   216   1026      6 TCP       127.0.0.1       2010-08-11 06:06:39 UTC+0000
0xff206a20  1148   1900     17 UDP       127.0.0.1       2010-08-15 19:17:56 UTC+0000
0xff1b8250   688   4500     17 UDP       0.0.0.0         2010-08-11 06:06:35 UTC+0000
0xff382e98     4   1033      6 TCP       0.0.0.0         2010-08-11 06:08:00 UTC+0000
0x80fbdc40     4    445     17 UDP       0.0.0.0         2010-08-11 06:06:17 UTC+0000

PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem sockscan
Volatility Foundation Volatility Framework 2.6
Offset(P)   PID   Port  Proto Protocol  Address         Create Time
---------- ----- ------ ------ --------- --------------- -----------
0x007c0a20  1148   1900     17 UDP       172.16.176.143  2010-08-15 19:15:43 UTC+0000
0x01120c40     4    445     17 UDP       0.0.0.0         2010-08-11 06:06:17 UTC+0000
0x01131930  1088   1025     17 UDP       0.0.0.0         2010-08-11 06:06:38 UTC+0000
0x01134008     4      0     47 GRE       0.0.0.0         2010-08-11 06:08:00 UTC+0000
0x011568a8     4    138     17 UDP       172.16.176.143  2010-08-15 19:15:43 UTC+0000
0x0115f128   936    135      6 TCP       0.0.0.0         2010-08-11 06:06:24 UTC+0000
0x02daad28   216   1026      6 TCP       127.0.0.1       2010-08-11 06:06:39 UTC+0000
0x04863458     4    139      6 TCP       172.16.176.143  2010-08-15 19:15:43 UTC+0000
0x04864578  1028     68     17 UDP       172.16.176.143  2010-08-15 19:17:26 UTC+0000
0x04864a08     4    137     17 UDP       172.16.176.143  2010-08-15 19:15:43 UTC+0000
0x04a4be98     4   1033      6 TCP       0.0.0.0         2010-08-11 06:08:00 UTC+0000
0x04a51d28  1028   1058      6 TCP       0.0.0.0         2010-08-15 19:17:56 UTC+0000
0x04be7008     4    445      6 TCP       0.0.0.0         2010-08-11 06:06:17 UTC+0000
0x05dee200  1028    123     17 UDP       127.0.0.1       2010-08-15 19:15:43 UTC+0000
0x05e33d68  1148   1900     17 UDP       127.0.0.1       2010-08-15 19:15:43 UTC+0000
0x05f44008   688    500     17 UDP       0.0.0.0         2010-08-11 06:06:35 UTC+0000
0x05f48008  1028    123     17 UDP       127.0.0.1       2010-08-15 19:17:56 UTC+0000
0x06236e98  1028     68     17 UDP       172.16.176.143  2010-08-15 19:17:56 UTC+0000
0x06237b70   688      0    255 Reserved  0.0.0.0         2010-08-11 06:06:35 UTC+0000
0x06450478   856  29220      6 TCP       0.0.0.0         2010-08-15 19:17:27 UTC+0000
0x06496a20  1148   1900     17 UDP       127.0.0.1       2010-08-15 19:17:56 UTC+0000
0x069d5250   688   4500     17 UDP       0.0.0.0         2010-08-11 06:06:35 UTC+0000

PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054       193.104.41.75:80          856
0x06015ab0 0.0.0.0:1056              193.104.41.75:80          856

PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem files
Volatility Foundation Volatility Framework 2.6
ERROR   : volatility.debug    : You must specify something to do (try -h)

PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem filescan
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x0000000000096ca0      1      0 R--r-d \Device\HarddiskVolume1\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
0x0000000000353ad0      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\crypt32.dll
0x0000000000353cb8      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\apphelp.dll
0x00000000003f34f8      3      0 RWD--- \Device\HarddiskVolume1\$Directory
0x00000000003f3f08      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\ipconf.tsp
0x0000000000471028      4      1 RW---- \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
0x0000000000471170      1      0 R--r-- \Device\HarddiskVolume1\WINDOWS\system32\wzcdlg.dll
0x0000000000471208      1      0 -WD--- \Device\HarddiskVolume1\System Volume Information\_restore{4DA604DF-69BB-4F4A-9B3B-BBAA44DAE949}\RP15\snapshot\ComDb.Dat
0x00000000004715c0      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\cnbjmon.dll
0x00000000004a06a0      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\urlmon.dll
0x00000000004a09c8      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\localspl.dll
0x00000000004aa4a0      3      0 RWD--- \Device\HarddiskVolume1\$Directory
0x00000000004aac10      3      1 RW-r-- \Device\HarddiskVolume1\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
0x00000000004aaef8      3      1 RW-r-- \Device\HarddiskVolume1\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
0x00000000004aaf90      3      1 RW-r-- \Device\HarddiskVolume1\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
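The sockets, sockscan and connscan runs above report bound sockets and established connections as separate tables, so tying a remote endpoint to the process that also owns a bound port has to be done by eye across several screens. The Python script below is an added example for this note (it is not part of the original post and not Volatility code): it parses a handful of rows copied from the output above into a per-PID view and marks processes whose connscan peer is a globally routable address. The regular expressions, the Socket and Connection classes and the is_global test are this example's own choices, not anything Volatility provides.

```python
"""Cross-reference Volatility 2 'sockets' and 'connscan' output by PID.

Added example for this note; it is not part of the original post and not
Volatility code. The sample rows below are constructed by copying a subset
of the zeus.vmem output shown above, so the result can be checked by eye.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the 'sockets' rows from the page.
SOCKETS_OUTPUT = """\
Offset(V)   PID   Port  Proto Protocol  Address         Create Time
---------- ----- ------ ------ --------- --------------- -----------
0x80fd1008     4      0     47 GRE       0.0.0.0         2010-08-11 06:08:00 UTC+0000
0xff20c478   856  29220      6 TCP       0.0.0.0         2010-08-15 19:17:27 UTC+0000
0xff127d28   216   1026      6 TCP       127.0.0.1       2010-08-11 06:06:39 UTC+0000
0xff254008  1028    123     17 UDP       127.0.0.1       2010-08-15 19:17:56 UTC+0000
"""

# Constructed sample: the two 'connscan' rows from the page.
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054       193.104.41.75:80          856
0x06015ab0 0.0.0.0:1056              193.104.41.75:80          856
"""

# Column layout of the two plugins: an offset followed by whitespace-separated
# fields. Header and separator lines do not match and are skipped.
SOCKET_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)$"
)
CONN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$")


@dataclass
class Socket:
    pid: int
    port: int
    proto: str      # protocol name column (TCP, UDP, GRE, Reserved)
    addr: str       # bound local address
    created: str


@dataclass
class Connection:
    pid: int
    local: str
    remote: str
    remote_port: int


def parse_sockets(text: str) -> List[Socket]:
    """Parse 'sockets'/'sockscan' rows into Socket records."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            rows.append(Socket(int(m[2]), int(m[3]), m[5], m[6], m[7]))
    return rows


def parse_connscan(text: str) -> List[Connection]:
    """Parse 'connscan' rows (local:port, remote:port, pid) into Connection records."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            rows.append(Connection(int(m[6]), f"{m[2]}:{m[3]}", m[4], int(m[5])))
    return rows


def summarize(sockets: List[Socket], conns: List[Connection]) -> Dict[int, dict]:
    """Group bound sockets and remote peers per PID and mark PIDs that talk to a
    globally routable address; that list is what gets checked against pslist."""
    report = defaultdict(lambda: {"listening": [], "remote_peers": set(), "external": False})
    for s in sockets:
        report[s.pid]["listening"].append(f"{s.proto}/{s.port}")
    for c in conns:
        entry = report[c.pid]
        entry["remote_peers"].add(f"{c.remote}:{c.remote_port}")
        if ipaddress.ip_address(c.remote).is_global:
            entry["external"] = True
    return dict(report)


def flagged_pids(sockets: List[Socket], conns: List[Connection]) -> List[int]:
    """PIDs with at least one connection to a public (globally routable) address."""
    return sorted(pid for pid, e in summarize(sockets, conns).items() if e["external"])


if __name__ == "__main__":
    socks = parse_sockets(SOCKETS_OUTPUT)
    conns = parse_connscan(CONNSCAN_OUTPUT)
    for pid, entry in sorted(summarize(socks, conns).items()):
        flag = " <-- external peer" if entry["external"] else ""
        print(f"PID {pid}: bound {entry['listening'] or '-'}, "
              f"peers {sorted(entry['remote_peers']) or '-'}{flag}")
```

On these rows PID 856 is the only process that both binds TCP/29220 and holds connections to 193.104.41.75:80, which is the kind of pairing worth confirming against pslist and the process's loaded modules. Because sockscan and connscan carve structures out of physical memory rather than walking kernel lists, they can also return entries for sockets that were already closed or owned by exited processes, so a PID they report may no longer appear in the process list at all.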