keyword: forensics (memory forensics)
volatility --help
volatility --info
View basic information about the image, then determine the profile value from what is reported:
volatility -f boom-6452e9b9.vmem imageinfo
imageinfo may not identify the correct OS version (it usually lists several suggested profiles); compare the candidates against this link. If several profiles are suggested, try each one with pslist and keep the one that produces a sensible process list.
Specify the profile and run the concrete plugin. iehistory recovers Internet Explorer browsing history (index.dat fragments); pslist is the equivalent of the ps command (psscan also works: it scans pool tags, so it also finds processes that have been unlinked from the list).
volatility -f boom-6452e9b9.vmem --profile=Win7SP1x64 iehistory
Find a process and dump its executable (note that grep over the whole line also matches other names containing "notepad"; check the Name column):
root@kali:~/desktop# volatility -f mem.raw --profile=Win7SP1x86_bba98f40 pslist | grep notepad
Volatility Foundation Volatility Framework 2.5
0x8398dad8 notepad.exe            3524   1636      2       61      1      0 2019-09-16 13:53:51 UTC+0000
root@kali:~/desktop# volatility -f mem.raw --profile=Win7SP1x86_bba98f40 procdump -p 3524 -D ./
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x8398dad8 0x00be0000 notepad.exe          OK: executable.3524.exe
Find a process and dump its addressable memory (memdump writes every page mapped into the process, not just the image, so the .dmp is much larger than the procdump executable):
root@kali:~/desktop# volatility -f mem.raw --profile=Win7SP1x86_bba98f40 pslist | grep notepad
Volatility Foundation Volatility Framework 2.5
0x8398dad8 notepad.exe            3524   1636      2       61      1      0 2019-09-16 13:53:51 UTC+0000
root@kali:~/desktop# volatility -f mem.raw --profile=Win7SP1x86_bba98f40 memdump -p 3524 -D ./
Volatility Foundation Volatility Framework 2.5
************************************************************************
Writing notepad.exe [  3524] to 3524.dmp
Find a file and dump it. filescan prints the physical offset of each FILE_OBJECT; a loose grep for "key" also matches the keysvc named pipes, so pick the row by its full path. Pass the offset to dumpfiles with -Q (physical offset) and the output directory with -D:
root@kali:~/desktop# volatility -f mem.raw --profile=Win7SP1x86_bba98f40 filescan | grep key
Volatility Foundation Volatility Framework 2.5
0x000000001e10a868     11 ------ \Device\NamedPipe\keysvc
0x000000001e10a920     21 ------ \Device\NamedPipe\keysvc
0x000000001e10aa90     11 ------ \Device\NamedPipe\keysvc
0x000000001efb9370     10 R--rw- \Device\HarddiskVolume2\Users\lethal\Desktop\key
root@kali:~/desktop# volatility -f mem.raw --profile=Win7SP1x86_bba98f40 dumpfiles -Q 0x000000001efb9370 -D ./
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x1efb9370   None   \Device\HarddiskVolume2\Users\lethal\Desktop\key
The carved file is written to the dump directory as file.None.0x1efb9370.dat (add -n to include the original file name). If the FILE_OBJECT has no resident DataSectionObject or SharedCacheMap, because the pages were never cached or have been paged out, dumpfiles prints nothing for that offset and the content has to be recovered from disk instead.
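The whole chain above (imageinfo, profile selection, pslist, procdump/memdump, filescan, dumpfiles) is usually done by reading values off the screen and retyping them. The following POSIX shell script is an added example, not code from the original post or from the Volatility project: it parses Volatility 2.x output so the dump steps can be scripted, and it checks the suggested profiles instead of trusting the first one. The sample outputs embedded in it are constructed, modelled on the post's notepad.exe and \Desktop\key lines; the VOL, IMAGE, OUT and PROFILE variables and the ./out directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): glue for the Volatility 2
# workflow imageinfo -> pslist -> procdump/memdump -> filescan -> dumpfiles.
# Parsing assumes Volatility 2.x column layouts; samples below are constructed.
VOL="${VOL:-volatility}"   # path to the Volatility 2 launcher (assumption)

# Constructed imageinfo excerpt: several profiles are suggested, not one.
IMAGEINFO_SAMPLE='Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)'

# Constructed pslist excerpt: two notepad.exe instances plus a near-miss name.
PSLIST_SAMPLE='Volatility Foundation Volatility Framework 2.5
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x83f2b020 System                    4      0     86      505 ------      0 2019-09-16 13:40:02 UTC+0000
0x8398dad8 notepad.exe            3524   1636      2       61      1      0 2019-09-16 13:53:51 UTC+0000
0x84a1c3b0 notepad.exe            4100   1636      1       57      1      0 2019-09-16 13:55:10 UTC+0000
0x8471d030 mynotepad.exe          2210   1636      1       40      1      0 2019-09-16 13:56:00 UTC+0000'

# Constructed filescan excerpt: "grep key" would match all three of these.
FILESCAN_SAMPLE='Volatility Foundation Volatility Framework 2.5
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000001e10a868     11      0 ------ \Device\NamedPipe\keysvc
0x000000001efb9370     10      0 R--rw- \Device\HarddiskVolume2\Users\lethal\Desktop\key
0x000000001efc0120      8      0 R--r-- \Device\HarddiskVolume2\Users\lethal\Desktop\key.txt'

# suggested_profiles: one profile per line, in the order imageinfo ranked them.
suggested_profiles() {
    awk -F': *' '/Suggested Profile\(s\)/ { gsub(/, */, "\n", $2); print $2 }'
}

# pids_of NAME: PIDs of every process whose Name column is exactly NAME.
# Matching the column (not grep over the line) skips mynotepad.exe and
# returns every instance instead of the first one the eye lands on.
pids_of() {
    awk -v name="$1" '$1 ~ /^0x/ && $2 == name { print $3 }'
}

# file_offsets SUFFIX: physical offsets of FILE_OBJECTs whose path ends in
# SUFFIX (e.g. '\Desktop\key'), which excludes keysvc and key.txt. The path
# goes through the environment because awk -v would interpret the backslashes.
file_offsets() {
    SUFFIX="$1" awk '
        BEGIN { s = ENVIRON["SUFFIX"] }
        $1 ~ /^0x/ {
            name = substr($0, index($0, $5)); sub(/[ \t]+$/, "", name)  # Name may contain spaces
            if (length(name) >= length(s) &&
                substr(name, length(name) - length(s) + 1) == s) print $1
        }'
}

# working_profile IMAGE: first suggested profile under which pslist actually
# walks the EPROCESS list. imageinfo only guesses; this is the check.
working_profile() {
    "$VOL" -f "$1" imageinfo 2>/dev/null | suggested_profiles | while read -r p; do
        if "$VOL" -f "$1" --profile="$p" pslist 2>/dev/null | grep -q '^0x'; then
            echo "$p"; break
        fi
    done
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$IMAGEINFO_SAMPLE" | suggested_profiles
printf '%s\n' "$PSLIST_SAMPLE"    | pids_of notepad.exe          # 3524 and 4100
printf '%s\n' "$FILESCAN_SAMPLE"  | file_offsets '\Desktop\key'  # 0x000000001efb9370

# Real run: IMAGE=mem.raw sh vol-dump.sh  (profile auto-selected, dumps in ./out)
if [ -n "${IMAGE:-}" ] && command -v "$VOL" >/dev/null 2>&1; then
    OUT="${OUT:-./out}"; mkdir -p "$OUT"
    PROFILE="${PROFILE:-$(working_profile "$IMAGE")}"
    [ -n "$PROFILE" ] || { echo "no suggested profile works for $IMAGE" >&2; exit 1; }
    "$VOL" -f "$IMAGE" --profile="$PROFILE" pslist | pids_of notepad.exe | while read -r pid; do
        "$VOL" -f "$IMAGE" --profile="$PROFILE" procdump -p "$pid" -D "$OUT"
        "$VOL" -f "$IMAGE" --profile="$PROFILE" memdump  -p "$pid" -D "$OUT"
    done
    "$VOL" -f "$IMAGE" --profile="$PROFILE" filescan | file_offsets '\Desktop\key' | while read -r off; do
        "$VOL" -f "$IMAGE" --profile="$PROFILE" dumpfiles -Q "$off" -D "$OUT"
    done
    find "$OUT" -type f -exec sha256sum {} +   # record hashes of everything carved out
fi
```

Two details matter when adapting this. filescan offsets are physical, so they go to dumpfiles via -Q, never via -p; and an offset that yields no output is not an error in the script but a file whose cache pages are not resident in the image. Hashing the dump directory at the end gives you something to write into the case notes alongside the image hash.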
Some plugin commands that are useful in practice:
clipboard extract the contents of the windows clipboard
cmdline display process command-line arguments
cmdscan extract command history by scanning for _command_history
consoles extract command history by scanning for _console_information
deskscan poolscanner for tagDESKTOP (desktops)
dumpcerts dump rsa private and public ssl keys
dumpregistry dumps registry files out to disk
editbox displays information about edit controls. (listbox experimental.)
filescan pool scanner for file objects
lsadump dump (decrypted) LSA secrets from the registry # may contain plaintext credentials (e.g. auto-logon DefaultPassword, service account passwords), not the logged-in user's password as such
hashdump dumps password hashes (LM/NTLM) from memory # hashes of the local accounts in the SAM hive, not only of users currently logged in
imageinfo identify information for the image
malfind find hidden and injected code
memdump dump the addressable memory for a process
raw2dmp converts a physical memory sample to a windbg crash dump
mftparser scans for and parses potential mft entries
notepad list currently displayed notepad text
procdump dump a process to an executable file sample
pslist print all running processes by following the eprocess lists
psscan pool scanner for process objects
pstree print process list as a tree
psxview find hidden processes with various process listings
timeliner creates a timeline from various artifacts in memory
truecryptmaster recover truecrypt 7.1a master keys
truecryptpassphrase truecrypt cached passphrase finder
truecryptsummary truecrypt summary
windows print desktop windows (verbose details)
wintree print z-order desktop windows tree
2019/10/22