- https://www.magnetforensics.com/resources/magnet-ram-capture/
- https://github.com/Velocidex/WinPmem
内存取证的终点是strings+grep
比较全的使用手册:[[Volatility]]
如果要以进程树的形式查看进行列表,请使用pstree命令。他的原理和pslist相同,因此不会显示隐藏或未启动的进程.子进程使用缩进和.表示。
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 pstree
Volatility Foundation Volatility Framework 2.4
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
0xfffffa80004b09e0:System 4 0 78 489 2012-02-22 19:58:20
. 0xfffffa8000ce97f0:smss.exe 208 4 2 29 2012-02-22 19:58:20
0xfffffa8000c006c0:csrss.exe 296 288 9 385 2012-02-22 19:58:24
0xfffffa8000c92300:wininit.exe 332 288 3 74 2012-02-22 19:58:30
. 0xfffffa8000c5eb30:services.exe 428 332 6 193 2012-02-22 19:58:32
.. 0xfffffa8000aa0b30:SearchIndexer. 1800 428 12 757 2012-02-22 20:02:26
.. 0xfffffa80007d09e0:svchost.exe 916 428 19 443 2012-02-22 19:58:43
.. 0xfffffa8000a4f630:svchost.exe 1432 428 12 350 2012-02-22 20:04:14
.. 0xfffffa800094d960:wlms.exe 1264 428 4 43 2012-02-22 20:02:11
.. 0xfffffa8001325950:sppsvc.exe 816 428 5 154 2012-02-22 19:58:41
.. 0xfffffa8000e86690:spoolsv.exe 1076 428 12 271 2012-02-22 20:02:10
.. 0xfffffa8001296b30:svchost.exe 568 428 10 352 2012-02-22 19:58:34
... 0xfffffa8000a03b30:rundll32.exe 2016 568 3 67 2012-02-22 20:03:16
...
python2 ./volatility2/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pslist要扫描所有的进程,请使用psscan命令。他可以找到之前已经终止了的进程、已经被rootkit隐藏的进程或者取消链接的进程。缺点就是rookit依然可以使用覆盖标签池的方法来隐藏进程。
$ python vol.py --profile=Win7SP0x86 -f win7.dmp psscan
Volatility Foundation Volatility Framework 2.0
Offset Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x3e025ba8 svchost.exe 1116 508 0x3ecf1220 2010-06-16 15:25:25
0x3e04f070 svchost.exe 1152 508 0x3ecf1340 2010-06-16 15:27:40
0x3e144c08 dwm.exe 1540 832 0x3ecf12e0 2010-06-16 15:26:58
0x3e145c18 TPAutoConnSvc. 1900 508 0x3ecf1360 2010-06-16 15:25:41
0x3e3393f8 lsass.exe 516 392 0x3ecf10e0 2010-06-16 15:25:18
0x3e35b8f8 svchost.exe 628 508 0x3ecf1120 2010-06-16 15:25:19
0x3e383770 svchost.exe 832 508 0x3ecf11a0 2010-06-16 15:25:20
0x3e3949d0 svchost.exe 740 508 0x3ecf1160 2010-06-16 15:25:20
0x3e3a5100 svchost.exe 872 508 0x3ecf11c0 2010-06-16 15:25:20
0x3e3f64e8 svchost.exe 992 508 0x3ecf1200 2010-06-16 15:25:24
0x3e45a530 wininit.exe 392 316 0x3ecf10a0 2010-06-16 15:25:15
0x3e45d928 svchost.exe 1304 508 0x3ecf1260 2010-06-16 15:25:28
0x3e45f530 csrss.exe 400 384 0x3ecf1040 2010-06-16 15:25:15
0x3e4d89c8 vmtoolsd.exe 1436 508 0x3ecf1280 2010-06-16 15:25:30
0x3e4db030 spoolsv.exe 1268 508 0x3ecf1240 2010-06-16 15:25:28
0x3e50b318 services.exe 508 392 0x3ecf1080 2010-06-16 15:25:18
0x3e7f3d40 csrss.exe 352 316 0x3ecf1060 2010-06-16 15:25:12
0x3e7f5bc0 winlogon.exe 464 384 0x3ecf10c0 2010-06-16 15:25:18
0x3eac6030 SearchProtocol 2448 1168 0x3ecf15c0 2010-06-16 23:30:52 2010-06-16 23:33:14
0x3eb10030 SearchFilterHo 1812 1168 0x3ecf1480 2010-06-16 23:31:02 2010-06-16 23:33:14
[snip]
如果需要显示进程加载的dll,那么请使用dlllist命令。并且他还会告诉你这是一个静态加载还是动态加载。
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 dlllist
************************************************************************
wininit.exe pid: 332
Command line : wininit.exe
Base Size LoadCount Path
------------------ ------------------ ------------------ ----
0x00000000ff530000 0x23000 0xffff C:\Windows\system32\wininit.exe
0x0000000076d40000 0x1ab000 0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000076b20000 0x11f000 0xffff C:\Windows\system32\kernel32.dll
0x000007fefcd50000 0x6b000 0xffff C:\Windows\system32\KERNELBASE.dll
0x0000000076c40000 0xfa000 0xffff C:\Windows\system32\USER32.dll
0x000007fefd7c0000 0x67000 0xffff C:\Windows\system32\GDI32.dll
0x000007fefe190000 0xe000 0xffff C:\Windows\system32\LPK.dll
0x000007fefef80000 0xca000 0xffff C:\Windows\system32\USP10.dll
0x000007fefd860000 0x9f000 0xffff C:\Windows\system32\msvcrt.dll
[snip]
如果要显示指定进程的dll,请使用-p或者--pid过滤
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 dlllist -p 1892
Volatility Foundation Volatility Framework 2.4
************************************************************************
iexplore.exe pid: 1892
Command line : "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes
Base Size LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000080000 0xa6000 0xffff C:\Program Files (x86)\Internet Explorer\iexplore.exe
0x0000000076d40000 0x1ab000 0xffff C:\Windows\SYSTEM32\ntdll.dll
0x00000000748d0000 0x3f000 0x3 C:\Windows\SYSTEM32\wow64.dll
0x0000000074870000 0x5c000 0x1 C:\Windows\SYSTEM32\wow64win.dll
0x0000000074940000 0x8000 0x1 C:\Windows\SYSTEM32\wow64cpu.dll
从内存镜像中把dll转存出来,请使用dlldump命令。语法和上面的dlllist类似。该命令拥有如下功能:
- 转存所有进程中的所有 DLL
- 转存指定的进程的所有 DLL(使用--pid=PID)
- 从隐藏/未链接的进程中转储所有 DLL(带有--offset=OFFSET)
- 从进程内存中的任何位置转储 PE(使用--base=BASEADDR),此选项对于提取隐藏的 DLL 很有用
- 转储匹配正则表达式 ( --regex=REGEX) 的一个或多个 DLL,区分大小写或不区分大小写 ( --ignore-case)
- 要指定输出目录,请使用--dump-dir=DIR或-d DIR。
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 dlldump -D dlls/
...
Process(V) Name Module Base Module Name Result
------------------ -------------------- ------------------ -------------------- ------
0xfffffa8000ce97f0 smss.exe 0x0000000047a90000 smss.exe OK: module.208.176e97f0.47a90000.dll
0xfffffa8000ce97f0 smss.exe 0x0000000076d40000 Error: DllBase is paged
0xfffffa8000c006c0 csrss.exe 0x0000000049700000 csrss.exe OK: module.296.176006c0.49700000.dll
0xfffffa8000c006c0 csrss.exe 0x0000000076d40000 ntdll.dll Error: DllBase is paged
0xfffffa8000c006c0 csrss.exe 0x000007fefd860000 msvcrt.dll Error: DllBase is paged
0xfffffa80011c5700 lsass.exe 0x000007fefcc40000 WINSTA.dll Error: DllBase is paged
0xfffffa80011c5700 lsass.exe 0x000007fefd7c0000 GDI32.dll OK: module.444.173c5700.7fefd7c0000.dll
0xfffffa80011c5700 lsass.exe 0x000007fefc270000 DNSAPI.dll OK: module.444.173c5700.7fefc270000.dll
0xfffffa80011c5700 lsass.exe 0x000007fefc5d0000 Secur32.dll OK: module.444.173c5700.7fefc5d0000.dll
...
它适用于文件、注册表、桌面、线程和其他所有类型的安全执行对象,从2.1版本开始,还会显示每个对象的句柄值和其权限
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 handles
Volatility Foundation Volatility Framework 2.4
Offset(V) Pid Handle Access Type Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffffa80004b09e0 4 0x4 0x1fffff Process System(4)
0xfffff8a0000821a0 4 0x10 0x2001f Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\PRODUCTOPTIONS
0xfffff8a00007e040 4 0x14 0xf003f Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT\PREFETCHPARAMETERS
0xfffff8a000081fa0 4 0x18 0x2001f Key MACHINE\SYSTEM\SETUP
0xfffffa8000546990 4 0x1c 0x1f0001 ALPC Port PowerMonitorPort
0xfffffa800054d070 4 0x20 0x1f0001 ALPC Port PowerPort
0xfffff8a0000676a0 4 0x24 0x20019 Key MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MULTIFUNCTIONADAPTER
0xfffffa8000625460 4 0x28 0x1fffff Thread TID 160 PID 4
0xfffff8a00007f400 4 0x2c 0xf003f Key MACHINE\SYSTEM\CONTROLSET001
0xfffff8a00007f200 4 0x30 0xf003f Key MACHINE\SYSTEM\CONTROLSET001\ENUM
0xfffff8a000080d10 4 0x34 0xf003f Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\CLASS
0xfffff8a00007f500 4 0x38 0xf003f Key MACHINE\SYSTEM\CONTROLSET001\SERVICES
0xfffff8a0001cd990 4 0x3c 0xe Token
0xfffff8a00007bfa0 4 0x40 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\WMI\SECURITY
0xfffffa8000cd52b0 4 0x44 0x120116 File \Device\Mup
0xfffffa8000ce97f0 4 0x48 0x2a Process smss.exe(208)
0xfffffa8000df16f0 4 0x4c 0x120089 File \Device\HarddiskVolume2\Windows\System32\en-US\win32k.sys.mui
0xfffffa8000de37f0 4 0x50 0x12019f File \Device\clfsTxfLog
0xfffff8a000952fa0 4 0x54 0x2001f Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\VIDEO\{6A8FC9DC-A76B-47FC-A703-17800182E1CE}\0000\VOLATILESETTINGS
0xfffffa800078da20 4 0x58 0x12019f File \Device\Tcp
0xfffff8a002e17610 4 0x5c 0x9 Key MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xfffff8a0008f7b00 4 0x60 0x10 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\LSA
0xfffffa8000da2870 4 0x64 0x100001 File \Device\KsecDD
0xfffffa8000da3040 4 0x68 0x0 Thread TID 228 PID 4
...
要查看与进程关联的 SID(安全标识符),请使用 getsids 命令。这可以帮助你识别具有恶意升级权限的进程以及哪些进程属于特定用户。
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 getsids
Volatility Foundation Volatility Framework 2.4
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
System (4): S-1-1-0 (Everyone)
System (4): S-1-5-11 (Authenticated Users)
System (4): S-1-16-16384 (System Mandatory Level)
smss.exe (208): S-1-5-18 (Local System)
smss.exe (208): S-1-5-32-544 (Administrators)
smss.exe (208): S-1-1-0 (Everyone)
smss.exe (208): S-1-5-11 (Authenticated Users)
smss.exe (208): S-1-16-16384 (System Mandatory Level)
[snip]
与cmdscan类似,控制台插件会查找攻击者键入 cmd.exe 或通过后门执行的命令。但是,此插件不是扫描 COMMAND_HISTORY,而是扫描 CONSOLE_INFORMATION。这个插件的主要优点是它不仅打印攻击者输入的命令,而且收集整个屏幕缓冲区(输入和输出)。例如,您不仅会看到“dir”,还会看到攻击者看到的确切内容,包括“dir”命令列出的所有文件和目录。 此外,此插件还会输出以下内容:
- 原始控制台窗口标题和当前控制台窗口标题
- 附加进程的名称和 pid(遍历 LIST_ENTRY 以枚举所有进程,如果多个)
- 与执行的命令关联的任何别名。例如,攻击者可以注册一个别名,这样键入“hello”实际上会执行“cd system”
- cmd.exe控制台的屏幕坐标
$ python vol.py -f xp-laptop-2005-07-04-1430.img consoles
Volatility Foundation Volatility Framework 2.4
[csrss.exe @ 0x821c11a8 pid 456 console @ 0x4e23b0]
OriginalTitle: '%SystemRoot%\\system32\\cmd.exe'
Title: 'C:\\WINDOWS\\system32\\cmd.exe - dd if=\\\\.\\PhysicalMemory of=c:\\xp-2005-07-04-1430.img conv=noerror'
HistoryBufferCount: 2
HistoryBufferMax: 4
CommandHistorySize: 50
[history @ 0x4e4008]
CommandCount: 0
CommandCountMax: 50
Application: 'dd.exe'
[history @ 0x4e4d88]
CommandCount: 20
CommandCountMax: 50
Application: 'cmd.exe'
Cmd #0 @ 0x4e1f90: 'dd'
Cmd #1 @ 0x4e2cb8: 'cd\\'
Cmd #2 @ 0x4e2d18: 'dr'
Cmd #3 @ 0x4e2d28: 'ee:'
Cmd #4 @ 0x4e2d38: 'e;'
Cmd #5 @ 0x4e2d48: 'e:'
Cmd #6 @ 0x4e2d58: 'dr'
Cmd #7 @ 0x4e2d68: 'd;'
Cmd #8 @ 0x4e2d78: 'd:'
Cmd #9 @ 0x4e2d88: 'dr'
Cmd #10 @ 0x4e2d98: 'ls'
Cmd #11 @ 0x4e2da8: 'cd Docu'
Cmd #12 @ 0x4e2dc0: 'cd Documents and'
Cmd #13 @ 0x4e2e58: 'dr'
Cmd #14 @ 0x4e2e68: 'd:'
Cmd #15 @ 0x4e2e78: 'cd dd\\'
Cmd #16 @ 0x4e2e90: 'cd UnicodeRelease'
Cmd #17 @ 0x4e2ec0: 'dr'
Cmd #18 @ 0x4e2ed0: 'dd '
Cmd #19 @ 0x4e4100: 'dd if=\\\\.\\PhysicalMemory of=c:\\xp-2005-07-04-1430.img conv=noerror'
[screen @ 0x4e2460 X:80 Y:300]
Output: Microsoft Windows XP [Version 5.1.2600]
Output: (C) Copyright 1985-2001 Microsoft Corp.
Output:
Output: C:\Documents and Settings\Sarah>dd
Output: 'dd' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: C:\Documents and Settings\Sarah>cd\
Output:
Output: C:\>dr
Output: 'dr' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: C:\>ee:
Output: 'ee:' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: C:\>e;
Output: 'e' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: C:\>e:
Output: The system cannot find the drive specified.
Output:
Output: C:\>dr
Output: 'dr' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: C:\>d;
Output: 'd' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: C:\>d:
Output:
Output: D:\>dr
Output: 'dr' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: D:\>dr
Output: 'dr' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: D:\>ls
Output: 'ls' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: D:\>cd Docu
Output: The system cannot find the path specified.
Output:
Output: D:\>cd Documents and
Output: The system cannot find the path specified.
Output:
Output: D:\>dr
Output: 'dr' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: D:\>d:
Output:
Output: D:\>cd dd\
Output:
Output: D:\dd>
Output: D:\dd>cd UnicodeRelease
Output:
Output: D:\dd\UnicodeRelease>dr
Output: 'dr' is not recognized as an internal or external command,
Output: operable program or batch file.
Output:
Output: D:\dd\UnicodeRelease>dd
Output:
Output: 0+0 records in
Output: 0+0 records out
Output: ^C
Output: D:\dd\UnicodeRelease>dd if=\\.\PhysicalMemory of=c:\xp-2005-07-04-1430.img conv=
Output: noerror
Output: Forensic Acquisition Utilities, 1, 0, 0, 1035
Output: dd, 3, 16, 2, 1035
Output: Copyright (C) 2002-2004 George M. Garner Jr.
Output:
Output: Command Line: dd if=\\.\PhysicalMemory of=c:\xp-2005-07-04-1430.img conv=noerror
Output:
Output: Based on original version developed by Paul Rubin, David MacKenzie, and Stuart K
Output: emp
Output: Microsoft Windows: Version 5.1 (Build 2600.Professional Service Pack 2)
Output:
Output: 04/07/2005 18:30:32 (UTC)
Output: 04/07/2005 14:30:32 (local time)
Output:
Output: Current User: SPLATITUDE\Sarah
Output:
Output: Total physical memory reported: 523676 KB
Output: Copying physical memory...
Output: Physical memory in the range 0x00004000-0x00004000 could not be read.
要显示进程的环境变量,请使用 envars 插件。通常它会显示安装的 CPU 数量和硬件架构(尽管kdbgscan输出是一个更可靠的来源)、进程的当前目录、临时目录、会话名称、计算机名称、用户名和各种其他的内容。
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 envars
Volatility Foundation Volatility Framework 2.4
Pid Process Block Variable Value
-------- -------------------- ------------------ ------------------------------ -----
296 csrss.exe 0x00000000003d1320 ComSpec C:\Windows\system32\cmd.exe
296 csrss.exe 0x00000000003d1320 FP_NO_HOST_CHECK NO
296 csrss.exe 0x00000000003d1320 NUMBER_OF_PROCESSORS 1
296 csrss.exe 0x00000000003d1320 OS Windows_NT
296 csrss.exe 0x00000000003d1320 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
296 csrss.exe 0x00000000003d1320 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
296 csrss.exe 0x00000000003d1320 PROCESSOR_ARCHITECTURE AMD64
296 csrss.exe 0x00000000003d1320 PROCESSOR_IDENTIFIER Intel64 Family 6 Model 2 Stepping 3, GenuineIntel
296 csrss.exe 0x00000000003d1320 PROCESSOR_LEVEL 6
296 csrss.exe 0x00000000003d1320 PROCESSOR_REVISION 0203
296 csrss.exe 0x00000000003d1320 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
296 csrss.exe 0x00000000003d1320 SystemDrive C:
296 csrss.exe 0x00000000003d1320 SystemRoot C:\Windows
296 csrss.exe 0x00000000003d1320 TEMP C:\Windows\TEMP
296 csrss.exe 0x00000000003d1320 TMP C:\Windows\TEMP
296 csrss.exe 0x00000000003d1320 USERNAME SYSTEM
296 csrss.exe 0x00000000003d1320 windir C:\Windows
Volatility在使用模块的时候(非imageinfo这类通用型),需要指定符号表(—profile参数)才可以正常工作,拿到检材后的第一件事,便是识别出检材的类型,已经提取自何种设备,所使用的模块是imageinfo
python2 ./volatility2/vol.py -f ./OtterCTF.vmem imageinfo对于非WIndows系统的设备提取出来的内存镜像,Volatility无法正确识别出设备的内存情况,这个时候需要使用strings+grep直接对内存镜像中的数据进行筛选,通过关键字判断内存提取自何种设备
在使用设备打开文件的时候,文件数据就会被从磁盘中加载到内存中,这便在便在内存中留下了文件数据。所使用的模块是filescan
# 扫盘
python2 ./volatility2/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan
# 搜文件
python2 ./volatility2/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep Desktopfilescan所输出的数据量是十分庞大的,所以想要增加效率的话,可以使用grep+关键词来对数据进行筛选。关键词可以使用例如Desktop,桌面(中文用户的桌面路径),secret,hint,flag等等。 同时需要注意的是,使用grep对结果进行筛选的时候,关键词是有大小写敏感的
比如存在
0x000000007d660500 2 0 -W-r-- \Device\HarddiskVolume1\Users\Rick\Desktop\READ_IT.txt
使用dumpfiles导出
python2 ./volatility2/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d660500 -D ./提取出来的文件名为:file.None.<PHYSOFFSET>.dat
那么就可以浏览目标文件的数据了:
randark@randark-virtual-machine:~$ cat file.None.0xfffffa801b2def10.dat
Your files have been encrypted.
Read the Program for more information
read program for more information.
比如发现可疑进程
0xfffffa801b486b30 Rick And Morty 3820 2728 4 185 1 1 2018-08-04 19:32:55 UTC+0000那么就可以使用memdump模块将程序的可寻址的内存数据提取出来,并对数据进行分析,查看程序都加载并操作了哪些数据:
python2 ./volatility2/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 3820 -D ./输出的文件名格式为:<pid of process>.dmp
然后就可以利用strings对提取出来的数据进行分析:
randark@randark-virtual-machine:~$ strings 3820.dmp
vn*u
=Atw
Temp
Temp
Temp
Temp
Temp
X=!u
~M!u
=Atw
Wow64ApcRoutine
......
在一些情况下,我们还需要对程序本体进行逆向分析,但是memdump模块输出的数据量太大了,对于仅仅只需要提取程序本体的需求显然不符合,那么就需要用到procdump模块。如上文,还是对
0xfffffa801b486b30 Rick And Morty 3820 2728 4 185 1 1 2018-08-04 19:32:55 UTC+0000
这个进程进行操作:
python2 ./volatility2/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3820 -D ./
提取出来的文件名格式为:executable.<pid of process>.<exe/elf>
然后便可以对目标进程的程序本体进行逆向分析:
![[Pasted image 20230730234016.png]]
![[Pasted image 20230730234207.png]]
kdbgscan主要用于识别正确的porfile和正确的KDBG。该插件主要用于扫描连接到内存配置文件的KDBG Header签名,如果你已经知道了profile那么你完全可以直接使用此插件
$ python vol.py -f Win2K3SP2x64-6f1bedec.vmem --profile=Win2003SP2x64 kdbgscan
Volatility Foundation Volatility Framework 2.4
**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x64 (5.2.3791 64bit)
Offset (V) : 0xf80001172cb0
Offset (P) : 0x1172cb0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP2x64
Version64 : 0xf80001172c70 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab) : T?
PsActiveProcessHead : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList : 0xfffff80001197ac0 (0 modules)
KernelBase : 0xfffff80001000000 (Matches MZ: True)
Major (OptionalHeader) : 5
Minor (OptionalHeader) : 2
**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x64 (5.2.3791 64bit)
Offset (V) : 0xf80001175cf0
Offset (P) : 0x1175cf0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP2x64
Version64 : 0xf80001175cb0 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab) : 3790.srv03_sp2_rtm.070216-1710
PsActiveProcessHead : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList : 0xfffff8000119aae0 (116 modules)
KernelBase : 0xfffff80001000000 (Matches MZ: True)
Major (OptionalHeader) : 5
Minor (OptionalHeader) : 2
KPCR : 0xfffff80001177000 (CPU 0)使用本命令可以扫描到KPCR结构。在多核系统中,每个处理器都有自己的KPCR。因为通过这个命令,你可以看到每个处理器的详细信息。当前、空闲和下一个线程;CPU的型号,CR3等等
$ python vol.py -f dang_win7_x64.raw --profile=Win7SP1x64 kpcrscan
Volatility Foundation Volatility Framework 2.4
**************************************************
Offset (V) : 0xf800029ead00
Offset (P) : 0x29ead00
KdVersionBlock : 0x0
IDT : 0xfffff80000b95080
GDT : 0xfffff80000b95000
CurrentThread : 0xfffffa800cf694d0 TID 2148 (kd.exe:2964)
IdleThread : 0xfffff800029f8c40 TID 0 (Idle:0)
Details : CPU 0 (GenuineIntel @ 2128 MHz)
CR3/DTB : 0x1dcec000
**************************************************
Offset (V) : 0xf880009e7000
Offset (P) : 0x4d9e000
KdVersionBlock : 0x0
IDT : 0xfffff880009f2540
GDT : 0xfffff880009f24c0
CurrentThread : 0xfffffa800cf694d0 TID 2148 (kd.exe:2964)
IdleThread : 0xfffff880009f1f40 TID 0 (Idle:0)
Details : CPU 1 (GenuineIntel @ 2220 MHz)
CR3/DTB : 0x1dcec000
vol -f OtterCTF.vmem windows.info# 同样使用的是pslist模块,只不过不需要指定系统信息(符号表)
vol -f OtterCTF.vmem windows.pslistvol -f OtterCTF.vmem windows.filescanvol -f OtterCTF.vmem windows.filescan | grep READ_IT
vol -f OtterCTF.vmem windows.dumpfiles --physaddr 0x7d660500
cat file.0x7d660500.0xfa801b2def10.DataSectionObject.READ_IT.txt.dat - [[CheatSheet.html]]
- https://www.forensics-wiki.com/volatility/winvol.html#dlldump