Volatility Memory Digital Forensics Methods
Computer digital forensics is divided into memory forensics and disk forensics, and into live forensics and dead forensics. Whichever approach is used, you should disturb the crime scene as little as possible, for example by snapshotting memory with a memory-dump tool and cloning the disk with a disk-cloning tool so that the evidence can be analyzed later. This article looks at live forensics as part of memory forensics.
Tool URL: https://github.com/volatilityfoundation/volatility
Query basic image information: volatility -f winxp.raw imageinfo
lyshark@Dell:/mnt/d$ volatility -f winxp.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/mnt/d/winxp.raw)
PAE type : PAE
DTB : 0xad6000L
KDBG : 0x80546ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-03-13 02:08:21 UTC+0000
Image local date and time : 2020-03-13 10:08:21 +0800
List running processes: volatility -f winxp.raw --profile=WinXPSP3x86 pslist
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821b9830 System 4 0 56 522 ------ 0
0x8210bd38 smss.exe 488 4 3 19 ------ 0 2020-01-19 01:52:22 UTC+0000
0x8203e020 csrss.exe 600 488 11 360 0 0 2020-01-19 01:52:22 UTC+0000
0x81bf61a8 winlogon.exe 624 488 17 435 0 0 2020-01-19 01:52:23 UTC+0000
0x8207ea88 services.exe 668 624 16 260 0 0 2020-01-19 01:52:23 UTC+0000
0x81f62238 lsass.exe 680 624 20 336 0 0 2020-01-19 01:52:23 UTC+0000
0x81b34020 cmd.exe 1580 1468 1 32 0 0 2020-03-13 02:08:14 UTC+0000
0x81bf4378 calc.exe 1512 1580 1 44 0 0 2020-03-13 02:08:16 UTC+0000
0x81b50020 DumpIt.exe 1008 1468 1 25 0 0 2020-03-13 02:08:19 UTC+0000
Show the process tree of running processes: volatility -f winxp.raw --profile=WinXPSP3x86 pstree
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x821b9830:System 4 0 56 522 1970-01-01 00:00:00 UTC+0000
. 0x8210bd38:smss.exe 488 4 3 19 2020-01-19 01:52:22 UTC+0000
.. 0x8203e020:csrss.exe 600 488 11 360 2020-01-19 01:52:22 UTC+0000
.. 0x81bf61a8:winlogon.exe 624 488 17 435 2020-01-19 01:52:23 UTC+0000
... 0x8207ea88:services.exe 668 624 16 260 2020-01-19 01:52:23 UTC+0000
.... 0x81f684c0:svchost.exe 1032 668 55 1194 2020-01-19 01:52:24 UTC+0000
..... 0x81e44da0:wscntfy.exe 880 1032 1 39 2020-03-13 01:52:46 UTC+0000
.... 0x820408b8:vmtoolsd.exe 1940 668 7 271 2020-01-19 01:52:37 UTC+0000
.... 0x81f71980:spoolsv.exe 1560 668 10 118 2020-01-19 01:52:29 UTC+0000
.... 0x81f865d8:svchost.exe 1192 668 8 92 2020-03-13 01:53:09 UTC+0000
.... 0x81cc6c30:svchost.exe 1072 668 4 77 2020-01-19 01:52:24 UTC+0000
.... 0x81fcad78:vmacthlp.exe 840 668 1 25 2020-01-19 01:52:24 UTC+0000
.... 0x81cc54e0:svchost.exe 936 668 10 252 2020-01-19 01:52:24 UTC+0000
.... 0x820873c0:svchost.exe 856 668 15 190 2020-01-19 01:52:24 UTC+0000
.... 0x82102020:svchost.exe 1116 668 15 209 2020-01-19 01:52:27 UTC+0000
.... 0x8206dd80:alg.exe 1252 668 6 106 2020-03-13 01:52:45 UTC+0000
.... 0x81c03020:imapi.exe 508 668 4 114 2020-03-13 01:52:44 UTC+0000
... 0x81f62238:lsass.exe 680 624 20 336 2020-01-19 01:52:23 UTC+0000
0x82135da0:explorer.exe 1468 1436 9 389 2020-01-19 01:52:28 UTC+0000
. 0x81ff7da0:ctfmon.exe 1732 1468 1 71 2020-01-19 01:52:31 UTC+0000
. 0x81b34020:cmd.exe 1580 1468 1 32 2020-03-13 02:08:14 UTC+0000
. 0x81e37020:FTPServer.exe 324 1468 3 118 2020-03-13 01:58:37 UTC+0000
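As an added example (not part of the original post or of Volatility itself), the script below parses pstree rows into a pid-to-(name, ppid) map and checks each core Windows XP system process against the parent it should have; the lsass.exe row with PID 1900 is a constructed anomaly so the check has something to report, and explorer.exe's parent 1436 (userinit.exe, which exits normally) shows up as a benign orphan.

```python
import re

# Abbreviated from the pstree output above, plus one constructed anomaly row
# (a second "lsass.exe" started from explorer.exe). The Time column is dropped.
PSTREE_SAMPLE = """\
0x821b9830:System 4 0 56 522
. 0x8210bd38:smss.exe 488 4 3 19
.. 0x8203e020:csrss.exe 600 488 11 360
.. 0x81bf61a8:winlogon.exe 624 488 17 435
... 0x8207ea88:services.exe 668 624 16 260
.... 0x81f684c0:svchost.exe 1032 668 55 1194
... 0x81f62238:lsass.exe 680 624 20 336
0x82135da0:explorer.exe 1468 1436 9 389
. 0x81b34020:cmd.exe 1580 1468 1 32
. 0x81e37020:FTPServer.exe 324 1468 3 118
. 0x8200a000:lsass.exe 1900 1468 2 40
"""

# Parent every core Windows XP system process is expected to have. A mismatch
# (here: an lsass.exe whose parent is explorer.exe) is a classic sign of a
# process masquerading under a system binary's name.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}

# leading dots (tree depth), offset:name, pid, ppid
LINE_RE = re.compile(r"^\.*\s*0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)")

def parse_pstree(text):
    """Return {pid: (name, ppid)} from volatility pstree output."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def check_parents(procs):
    """(pid, name, actual parent name) for every process whose parent is not
    the one EXPECTED_PARENT says it should be."""
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        actual = procs.get(ppid, ("<not in list>", 0))[0]
        if actual != expected:
            findings.append((pid, name, actual))
    return findings

def orphans(procs):
    """(pid, name, ppid) for processes whose parent is no longer in the list.
    Often benign: explorer.exe is started by userinit.exe, which then exits."""
    return [(pid, name, ppid) for pid, (name, ppid) in sorted(procs.items())
            if ppid != 0 and ppid not in procs]

if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    print("parent mismatches:", check_parents(procs))
    print("orphans:", orphans(procs))
```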
Dump the memory of FTPServer.exe: volatility -f winxp.raw --profile=WinXPSP3x86 memdump -p 324 --dump-dir=/home/lyshark
lyshark@Dell:/mnt/d$ sudo volatility -f winxp.raw --profile=WinXPSP3x86 memdump -p 324 --dump-dir=/home/lyshark
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing FTPServer.exe [ 324] to 324.dmp
lyshark@Dell:~$ hexedit 324.dmp
lyshark@Dell:~$ strings 324.dmp
Retrieve command history (cmdscan recovers only the command-line history): volatility -f winxp.raw --profile=WinXPSP3x86 cmdscan
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x556bb8 Application: FTPServer.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x4a8
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x3667a30 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x314
Cmd #2 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
Cmd #3 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
Cmd #4 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
Cmd #5 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
Cmd #43 @ 0x27008f: ?
Cmd #46 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
Cmd #48 @ 0xaf0027: ?????????????????????????? ??????????@????????????????????????????????`?????????? ????????????????????? ?????????????????????
Cmd #49 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x36688f0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x44c
Cmd #0 @ 0x3668f70: calc
Retrieve established network connections: volatility -f winxp.raw --profile=WinXPSP3x86 connscan
volatility -f winxp.raw --profile=WinXPSP3x86 connscan # retrieve established network connections
volatility -f winxp.raw --profile=WinXPSP3x86 netscan # list all network connections
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x020296c0 192.168.1.8:1049 66.175.114.213:80 1992
0x024a22c0 192.168.1.8:1051 192.168.1.2:8888 324
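An added example (not from the post or from Volatility) that attributes each connscan row to a process and tags the remote end as private or public; the PID-to-name map is typed in from the pslist/pstree output above. PID 1992 is not in that list, which is the caveat worth knowing: connscan carves _TCPT_OBJECT structures from pool memory and so also returns connections whose owning process has already exited.

```python
import ipaddress
import re

# The two connscan result rows shown above (constructed sample for this example).
CONNSCAN_SAMPLE = """\
0x020296c0 192.168.1.8:1049 66.175.114.213:80 1992
0x024a22c0 192.168.1.8:1051 192.168.1.2:8888 324
"""

# PID -> process name, typed in from the pslist/pstree output above (constructed).
PSLIST = {
    4: "System", 488: "smss.exe", 600: "csrss.exe", 624: "winlogon.exe",
    668: "services.exe", 680: "lsass.exe", 1468: "explorer.exe",
    1580: "cmd.exe", 1512: "calc.exe", 1008: "DumpIt.exe", 324: "FTPServer.exe",
}

# offset, local ip:port, remote ip:port, pid
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+(\d+)\s*$")

def parse_connscan(text):
    """Return a list of {local, lport, remote, rport, pid} dicts."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"local": m.group(1), "lport": int(m.group(2)),
                          "remote": m.group(3), "rport": int(m.group(4)),
                          "pid": int(m.group(5))})
    return conns

def triage(conns, pslist):
    """Attribute each connection to a process and tag its remote end.

    connscan scans pool memory rather than walking the active connection
    list, so a PID that is absent from pslist usually means the process has
    exited since the connection was made; it still deserves a look, because
    a process hidden from the list would show up the same way.
    """
    rows = []
    for c in conns:
        rows.append({
            "pid": c["pid"],
            "process": pslist.get(c["pid"], "<not in pslist: exited or hidden>"),
            "remote": "%s:%d" % (c["remote"], c["rport"]),
            "remote_is_private": ipaddress.ip_address(c["remote"]).is_private,
        })
    return rows

if __name__ == "__main__":
    for row in triage(parse_connscan(CONNSCAN_SAMPLE), PSLIST):
        print(row)
```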
List the DLLs loaded by a process, selected by PID:
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 dlllist -p 324
Volatility Foundation Volatility Framework 2.6
************************************************************************
FTPServer.exe pid: 324
Command line : "C:\Documents and Settings\Administrator\桌面\FTPServer.exe"
Service Pack 3
Base Size LoadCount LoadTime Path
---------- ---------- ---------- ------------------------------ ----
0x00400000 0x1f000 0xffff C:\Documents and Settings\Administrator\桌面\FTPServer.exe
0x7c920000 0x93000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0x11e000 0xffff C:\WINDOWS\system32\kernel32.dll
0x62500000 0x8000 0xffff C:\Documents and Settings\Administrator\桌面\network.dll
0x77be0000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
0x71a20000 0x17000 0xffff C:\WINDOWS\system32\WS2_32.DLL
0x77da0000 0xa9000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e50000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fc0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x71a10000 0x8000 0xffff C:\WINDOWS\system32\WS2HELP.dll
0x76d70000 0x22000 0x1 C:\WINDOWS\system32\Apphelp.dll
0x77bd0000 0x8000 0x1 C:\WINDOWS\system32\VERSION.dll
0x7c340000 0x56000 0x1 C:\Documents and Settings\Administrator\桌面\msvcr71.dll
0x719c0000 0x3e000 0x2 C:\WINDOWS\system32\mswsock.dll
0x60fd0000 0x55000 0x1 C:\WINDOWS\system32\hnetcfg.dll
0x77ef0000 0x49000 0x49 C:\WINDOWS\system32\GDI32.dll
0x77d10000 0x90000 0x74 C:\WINDOWS\system32\USER32.dll
0x76300000 0x1d000 0x2 C:\WINDOWS\system32\IMM32.DLL
0x62c20000 0x9000 0x1 C:\WINDOWS\system32\LPK.DLL
0x73fa0000 0x6b000 0x1 C:\WINDOWS\system32\USP10.dll
0x71a00000 0x8000 0x1 C:\WINDOWS\System32\wshtcpip.dll
0x765e0000 0x93000 0x6 C:\WINDOWS\system32\CRYPT32.dll
0x76db0000 0x12000 0x4 C:\WINDOWS\system32\MSASN1.dll
0x76680000 0xa6000 0x2 C:\WINDOWS\system32\WININET.dll
0x770f0000 0x8b000 0xe C:\WINDOWS\system32\OLEAUT32.dll
Disassemble suspicious memory regions (malfind):
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 malfind -p 324
Volatility Foundation Volatility Framework 2.6
Process: FTPServer.exe Pid: 324 Address: 0x4c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 45, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x004c0000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 64 MZ.....[REU....d
0x004c0010 13 00 00 ff d3 81 c3 95 a8 02 00 89 3b 53 6a 04 ............;Sj.
0x004c0020 50 ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 P...............
0x004c0030 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
0x004c0000 4d DEC EBP
0x004c0001 5a POP EDX
0x004c0002 e800000000 CALL 0x4c0007
0x004c0007 5b POP EBX
0x004c0008 52 PUSH EDX
0x004c0009 45 INC EBP
0x004c000a 55 PUSH EBP
0x004c000b 89e5 MOV EBP, ESP
0x004c000d 81c364130000 ADD EBX, 0x1364
0x004c0013 ffd3 CALL EBX
0x004c0015 81c395a80200 ADD EBX, 0x2a895
0x004c001b 893b MOV [EBX], EDI
0x004c001d 53 PUSH EBX
0x004c001e 6a04 PUSH 0x4
0x004c0020 50 PUSH EAX
0x004c0021 ffd0 CALL EAX
0x004c0023 0000 ADD [EAX], AL
0x004c0025 0000 ADD [EAX], AL
0x004c0027 0000 ADD [EAX], AL
0x004c0029 0000 ADD [EAX], AL
0x004c002b 0000 ADD [EAX], AL
0x004c002d 0000 ADD [EAX], AL
0x004c002f 0000 ADD [EAX], AL
0x004c0031 0000 ADD [EAX], AL
0x004c0033 0000 ADD [EAX], AL
0x004c0035 0000 ADD [EAX], AL
0x004c0037 0000 ADD [EAX], AL
0x004c0039 0000 ADD [EAX], AL
0x004c003b 00f8 ADD AL, BH
0x004c003d 0000 ADD [EAX], AL
0x004c003f 00 DB 0x0
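An added example (not from the post or from Volatility) that turns the malfind output above into structured regions and records the observations an analyst would note: RWX protection, private memory with no file backing, an MZ signature at the region base, and the "call $+5 / pop" sequence visible in the disassembly above, which position-independent code uses to find its own address. It assumes the row formats shown above; the disassembly rows are recognised by their mnemonic column and skipped rather than parsed as bytes.

```python
import re

# Header and hexdump rows from the malfind output above, plus two of its
# disassembly rows (constructed sample; the parser must not treat the
# disassembly rows as data).
MALFIND_SAMPLE = """\
Process: FTPServer.exe Pid: 324 Address: 0x4c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 45, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x004c0000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 64 MZ.....[REU....d
0x004c0010 13 00 00 ff d3 81 c3 95 a8 02 00 89 3b 53 6a 04 ............;Sj.
0x004c0020 50 ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 P...............
0x004c0030 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
0x004c0000 4d DEC EBP
0x004c0002 e800000000 CALL 0x4c0007
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-f]+)")
PROT_RE = re.compile(r"Protection: (PAGE_\w+)")
# hexdump row: address, 1-16 byte tokens, then an ASCII column of the same width
HEX_RE = re.compile(r"^0x[0-9a-f]{8}((?:\s[0-9a-f]{2}){1,16})\s+(.+)$")

def parse_malfind(text):
    """Split malfind output into regions: process, pid, base address,
    page protection, private-memory flag and the dumped bytes."""
    regions, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": None,
                   "private": False, "data": b""}
            regions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Vad Tag"):
            p = PROT_RE.search(line)
            cur["protection"] = p.group(1) if p else None
        elif line.startswith("Flags:"):
            cur["private"] = "PrivateMemory: 1" in line
        else:
            h = HEX_RE.match(line)
            if h:
                chunk = bytes.fromhex(h.group(1).replace(" ", ""))
                if len(h.group(2)) == len(chunk):   # rejects disassembly rows
                    cur["data"] += chunk
    return regions

def assess(region):
    """Observations an analyst would record for one malfind region."""
    d, notes = region["data"], []
    if region["protection"] == "PAGE_EXECUTE_READWRITE":
        notes.append("RWX page protection")
    if region["private"]:
        notes.append("private memory, not backed by a file on disk")
    if d[:2] == b"MZ":
        notes.append("MZ signature at the region base: executable image outside the loader's module list")
    i = d.find(b"\xe8\x00\x00\x00\x00")          # CALL to the very next instruction
    if i != -1 and i + 5 < len(d) and 0x58 <= d[i + 5] <= 0x5f:   # ... followed by POP reg
        notes.append("call $+5 / pop at offset 0x%x: position-independent code finding its own address" % i)
    return notes

if __name__ == "__main__":
    for region in parse_malfind(MALFIND_SAMPLE):
        print(region["process"], region["pid"], hex(region["address"]), assess(region))
```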
List all registry hives: volatility -f winxp.raw --profile=WinXPSP3x86 hivelist
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
---------- ---------- ----
0xe17f9b60 0x0a0a2b60 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c22500 0x0b9d8500 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
0xe17fb9e8 0x0a0e49e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a26b60 0x0a260b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1a188d8 0x0a1438d8 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a0c008 0x0a0f3008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1452008 0x0803f008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1452b60 0x0803fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe144e758 0x08037758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe144f758 0x08038758 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1036b60 0x02b09b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
Dump a hive file (the SAM hive, which holds the account data): volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe144f758
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe144f758
Volatility Foundation Volatility Framework 2.6
Last Written Key
2020-03-01 04:53:50 UTC+0000 \SAM
2020-03-01 04:53:50 UTC+0000 \SAM\SAM
2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains
2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account
2020-03-01 05:59:03 UTC+0000 \SAM\SAM\Domains\Account\Aliases
2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\000003E9
2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members
2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1343024091-152049171-1801674531
2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1343024091-152049171-1801674531\000003EA
2020-03-01 05:59:03 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names
2020-03-01 05:59:03 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names\HelpServicesGroup
2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains\Account\Groups
2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Groups\00000201
2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names
2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names\None
Dump a hive file (the SOFTWARE hive, which lists the software installed on the system): volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe1452008
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe1452008
Volatility Foundation Volatility Framework 2.6
Last Written Key
2020-03-13 01:54:54 UTC+0000 \$$$PROTO.HIV
2020-03-01 05:58:23 UTC+0000 \$$$PROTO.HIV\C07ft5Y
2020-03-01 05:58:23 UTC+0000 \$$$PROTO.HIV\C07ft5Y\WinXP
2020-03-13 01:54:54 UTC+0000 \$$$PROTO.HIV\Classes
2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*
2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList
2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\Excel.exe
2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\IExplore.exe
2020-03-01 05:57:20 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\MSPaint.exe
2020-03-01 04:55:48 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\Notepad.exe
2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\Winword.exe
2020-03-01 05:57:20 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\WordPad.exe
List the account names stored in the registry (SAM): volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SAM\Domains\Account\Users\Names"
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SAM\Domains\Account\Users\Names"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
Key name: Names (S)
Last updated: 2020-03-01 05:59:18 UTC+0000
Subkeys:
(S) Administrator
(S) Guest
(S) HelpAssistant
(S) SUPPORT_388945a0
Values:
REG_NONE : (S)
Check the last logged-in user: volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2020-03-01 06:03:14 UTC+0000
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2020-03-13 01:52:45 UTC+0000
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Query program run counts (UserAssist): volatility -f winxp.raw --profile=WinXPSP3x86 userassist
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 userassist
Volatility Foundation Volatility Framework 2.6
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Last updated: 2020-03-13 01:58:36 UTC+0000
Subkeys:
Values:
REG_BINARY UEME_CTLSESSION : Raw Data:
0x00000000 d7 c6 af 0e 02 00 00 00 ........
REG_BINARY UEME_CTLCUACount:ctor :
ID: 1
Count: 2
Last updated: 1970-01-01 00:00:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
REG_BINARY UEME_UITOOLBAR :
ID: 1
Count: 1
Last updated: 2020-03-01 06:19:01 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 20 77 09 4d 91 ef d5 01 .........w.M....
REG_BINARY UEME_UITOOLBAR:0x1,120 :
ID: 1
Count: 1
Last updated: 2020-03-01 06:19:01 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 20 77 09 4d 91 ef d5 01 .........w.M....
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Last updated: 2020-03-13 02:08:19 UTC+0000
Dump the username/password hashes. This needs the virtual addresses of two hives (system and SAM, taken from hivelist) before the hashes can be dumped.
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
---------- ---------- ----
0xe17f9b60 0x0a0a2b60 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c22500 0x0b9d8500 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
0xe17fb9e8 0x0a0e49e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a26b60 0x0a260b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1a188d8 0x0a1438d8 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a0c008 0x0a0f3008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1452008 0x0803f008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1452b60 0x0803fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe144e758 0x08037758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe144f758 0x08038758 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1294b60 0x02d2ab60 [no name]
0xe1036b60 0x02b09b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02b02008 [no name]
lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hashdump -y 0xe1036b60 -s 0xe144f758
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9f17bb7d77a274f1d01bc972226c8a81:c28826f36523c96b0035431d28c1a2fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:14b41dba4b82f80b88ce2035785bc73d:::
lyshark@Dell:/mnt/d$
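An added example (not from the post or from Volatility) that reads the pwdump-format lines above and records what a triage analyst would note for each account: the RID that identifies the built-in Administrator and Guest accounts even when renamed, the LM field holding the well-known empty-LM value, and an NT hash equal to the hash of the empty string, meaning the account has no password. Both constant values already appear verbatim in the output above.

```python
# The four hashdump lines shown above (constructed sample for this example).
HASHDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9f17bb7d77a274f1d01bc972226c8a81:c28826f36523c96b0035431d28c1a2fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:14b41dba4b82f80b88ce2035785bc73d:::
"""

# Well-known constants: the LM field value used when no LM hash is stored, and
# the NT hash of the empty string. Both appear verbatim in the output above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_hashdump(text):
    """Return [{name, rid, lm, nt}] from pwdump-format lines (name:rid:lm:nt:::)."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            entries.append({"name": parts[0], "rid": int(parts[1]),
                            "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries

def audit(entries):
    """Return {account name: [observations]} for the triage report."""
    report = {}
    for e in entries:
        notes = []
        if e["rid"] == 500:
            notes.append("built-in Administrator (RID 500 identifies it even if renamed)")
        elif e["rid"] == 501:
            notes.append("built-in Guest (RID 501)")
        if e["lm"] == EMPTY_LM:
            notes.append("no LM hash stored (LM storage disabled, password over 14 chars, or blank)")
        if e["nt"] == EMPTY_NT:
            notes.append("NT hash of the empty string: the account has a blank password")
        report[e["name"]] = notes
    return report

if __name__ == "__main__":
    for name, notes in audit(parse_hashdump(HASHDUMP_SAMPLE)).items():
        print(name, notes)
```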
procdump: https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
C:\Users\LyShark\Desktop>procdump.exe -ma ollyice.exe ollyice.dmp
ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[16:03:51] Dump 1 initiated: C:\Users\LyShark\Desktop\ollyice.dmp
[16:03:52] Dump 1 writing: Estimated dump file size is 94 MB.
[16:03:52] Dump 1 complete: 94 MB written in 0.5 seconds
[16:03:52] Dump count reached.
Extract strings from the dump with Sysinternals strings: https://technet.microsoft.com/en-us/sysinternals/bb897439.aspx
C:\Users\LyShark\Desktop>strings.exe ollyice.dmp > ollyice.log
Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Summary of common volatility commands
volatility -f winxp.raw imageinfo # query basic image information
volatility -f winxp.raw --profile=WinXPSP3x86 pstree # show the process tree
volatility -f winxp.raw --profile=WinXPSP3x86 pslist # list running processes
volatility -f winxp.raw --profile=WinXPSP3x86 memdump -p 324 --dump-dir=/home/lyshark # dump the memory of PID 324
volatility -f winxp.raw --profile=WinXPSP3x86 procdump -p 324 --dump-dir=/home/lyshark # extract the executable of PID 324 as an exe
volatility -f winxp.raw --profile=WinXPSP3x86 dlldump -p 324 --dump-dir=/home/lyshark # dump all DLLs of PID 324
volatility -f winxp.raw --profile=WinXPSP3x86 getsids -p 324 # query the SIDs of the given process
volatility -f winxp.raw --profile=WinXPSP3x86 dlllist -p 324 # list the DLLs loaded by the given process
volatility -f winxp.raw --profile=WinXPSP3x86 threads -p 324 # list the active threads of the given process
volatility -f winxp.raw --profile=WinXPSP3x86 drivermodule # list the drivers loaded on the target
volatility -f winxp.raw --profile=WinXPSP3x86 malfind -p 324 -D /home/lyshark # find read/write/execute memory pages
volatility -f winxp.raw --profile=WinXPSP3x86 iehistory # retrieve IE browser history
volatility -f winxp.raw --profile=WinXPSP3x86 joblinks # retrieve scheduled jobs
volatility -f winxp.raw --profile=WinXPSP3x86 cmdscan # recovers only the command-line history
volatility -f winxp.raw --profile=WinXPSP3x86 consoles # capture commands run in consoles together with their echoed output
volatility -f winxp.raw --profile=WinXPSP3x86 cmdline # list the command lines of all running programs
volatility -f winxp.raw --profile=WinXPSP3x86 connscan # retrieve established network connections
volatility -f winxp.raw --profile=WinXPSP3x86 connections # retrieve established network connections
volatility -f winxp.raw --profile=WinXPSP3x86 netscan # list all network connections
volatility -f winxp.raw --profile=WinXPSP3x86 sockscan # scan memory for socket objects
volatility -f winxp.raw --profile=WinXPSP3x86 timeliner # build a timeline of as many artifacts on the target host as possible
volatility -f winxp.raw --profile=WinXPSP3x86 hivelist # list all registry hives
volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe144f758 # list the keys of the SAM hive
volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SAM\Domains\Account\Users\Names" # list the account names stored in the registry (SAM)
volatility -f winxp.raw --profile=WinXPSP3x86 hashdump -y <system hive address> -s <SAM hive address> # dump the account hashes of the target
volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # check the last logged-in user
volatility -f winxp.raw --profile=WinXPSP3x86 userassist # query program run counts
After dumping, the file can be analyzed further in WinDbg.