読者です 読者をやめる 読者になる 読者になる

[memory] Volatility

A)メモリのダンプ

MoonSols DumpIt
MoonSols DumpIt goes mainstream ! | MoonSols
screenshot


B)メモリの解析
Volatility-2.0
https://www.volatilesystems.com/default/volatility

Usage: Volatility - A memory forensics analysis platform.

Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
-d, --debug Debug volatility
--info Print information about all registered objects
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--cache-directory=C:\Documents and Settings\Administrator/.cache\volatility
Directory where cache files are stored
--no-cache Disable caching
--tz=TZ Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
--output=text Output in this format (format support is module
specific)
--output-file=OUTPUT_FILE
write output in this file
-v, --verbose Verbose information
-g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address
--dtb=DTB DTB Address
--cache-dtb Cache virtual to physical mappings
--use-old-as Use the legacy address spaces
-w, --write Enable write support
--profile=WinXPSP2x86
Name of the profile to load
-l LOCATION, --location=LOCATION
A URN location from which to load an address space

Supported Plugin Commands:

bioskbd Reads the keyboard buffer from Real Mode memory
connections Print list of open connections [Windows XP Only]
connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
crashinfo Dump crash-dump information
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverscan Scan for driver objects _DRIVER_OBJECT
filescan Scan Physical memory for _FILE_OBJECT pool allocations
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Scan Physical memory for _CMHIVE objects (registry hives)
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
inspectcache Inspect the contents of a cache
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
lsadump Dump (decrypted) LSA secrets from the registry
memdump Dump the addressable memory for a process
memmap Print the memory map
moddump Dump a kernel driver to an executable file sample
modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules Print list of loaded modules
mutantscan Scan for mutant objects _KMUTANT
netscan Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher Patches memory based on page scans
printkey Print a registry key, and its subkeys and values
procexedump Dump a process to an executable file sample
procmemdump Dump a process to an executable memory sample
pslist print all running processes by following the EPROCESS lists
psscan Scan Physical memory for _EPROCESS pool allocations
pstree Print process list as a tree
sockets Print list of open sockets
sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
testsuite Run unit test suit using the Cache
thrdscan Scan physical memory for _ETHREAD objects
userassist Print userassist registry keys and information
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
volshell Shell in the memory image


>volatility.exe pslist -f TEST-20120203-025123.raw --profile=WinXPSP2x86 > pslist.txt

Offset(V) Name PID PPID Thds Hnds Time

                    • -------------------- ------ ------ ------ ------ -------------------

0x82bc2830 System 4 0 69 515 1970-01-01 00:00:00
0x8255b660 smss.exe 836 4 3 19 2012-02-03 02:50:09
0x8288e020 csrss.exe 932 836 15 539 2012-02-03 02:50:10
0x82b014f0 winlogon.exe 956 836 25 478 2012-02-03 02:50:11
0x82ac35a0 services.exe 1000 956 15 260 2012-02-03 02:50:11
0x829cb3f8 lsass.exe 1012 956 27 375 2012-02-03 02:50:11
0x82a9a690 vmacthlp.exe 1172 1000 1 25 2012-02-03 02:50:11
0x826583d0 svchost.exe 1204 1000 21 206 2012-02-03 02:50:12
0x82990368 svchost.exe 1316 1000 9 248 2012-02-03 02:50:13
0x829855a8 svchost.exe 1452 1000 71 1315 2012-02-03 02:50:13
0x827f8da0 svchost.exe 1604 1000 5 59 2012-02-03 02:50:14
0x82adfda0 svchost.exe 1712 1000 13 170 2012-02-03 02:50:14
0x82704be0 spoolsv.exe 1864 1000 13 128 2012-02-03 02:50:15
0x82a903c8 svchost.exe 1972 1000 6 106 2012-02-03 02:50:23
0x82655880 avp.exe 2008 1000 96 1400 2012-02-03 02:50:23
0x8261a6a8 vmtoolsd.exe 588 1000 8 266 2012-02-03 02:50:25
0x826e9580 wuauclt.exe 1556 1452 8 136 2012-02-03 02:50:28
0x828733a8 wmiprvse.exe 2068 1204 10 234 2012-02-03 02:50:31
0x82452a90 explorer.exe 2080 1368 11 355 2012-02-03 02:50:31
0x822ce440 alg.exe 2768 1000 7 105 2012-02-03 02:50:34
0x822ce8f0 avp.exe 2912 2080 24 457 2012-02-03 02:50:35
0x8253a5d0 wscntfy.exe 2940 1452 1 31 2012-02-03 02:50:35
0x82477aa8 VMwareTray.exe 2984 2080 1 54 2012-02-03 02:50:35
0x82199308 vmtoolsd.exe 3024 2080 3 140 2012-02-03 02:50:36
0x829913b8 ctfmon.exe 3080 2080 1 71 2012-02-03 02:50:36
0x82185020 msmsgs.exe 3128 2080 5 184 2012-02-03 02:50:36
0x81eeab68 cmd.exe 3076 2080 1 35 2012-02-03 02:50:51
0x81ee6b28 conime.exe 3124 3076 1 61 2012-02-03 02:50:51
0x81edf648 DumpIt.exe 4032 3076 1 25 2012-02-03 02:51:23