  • Memory forensics: volatility

    Installing volatility3 on CentOS 7
    Reference
    https://blog.csdn.net/Cony_14/article/details/109230474


    Introduction:
    After 2019, volatility was rewritten as a third version, volatility3.
    The volatility3 developer documentation:
    https://volatility3.readthedocs.io/en/latest/
    The volatility3 source code (python3):
    https://github.com/volatilityfoundation/volatility3

    Installing python3 and the modules
    yum install python3 # skip this line if python3 is already installed
    yum install python3-devel
    pip3 install pefile
    pip3 install capstone

    Download the volatility source package
    git clone https://github.com/volatilityfoundation/volatility3.git --depth 1


    Using volatility
    View help
    python3 vol.py -h

    View help for a plugin
    python3 vol.py windows.pslist -h

    Inspect the memory image file
    python3 vol.py -f /home/user/samples/1.dmp windows.info
    Output:
    [root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.info
    Volatility 3 Framework 1.0.1
    Progress: 100.00 PDB scanning finished
    Variable Value

    Kernel Base 0xf80003e4b000
    DTB 0x187000
    Symbols file:///root/download/volatility3-develop/volatility3/symbols/windows/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA-2.json.xz
    Is64Bit True
    IsPAE False
    primary 0 WindowsIntel32e
    memory_layer 1 FileLayer
    KdDebuggerDataBlock 0xf8000403c0a0
    NTBuildLab 7601.17514.amd64fre.win7sp1_rtm.
    CSDVersion 1
    KdVersionBlock 0xf8000403c068
    Major/Minor 15.7601
    MachineType 34404
    KeNumberProcessors 1
    SystemTime 2021-03-30 06:08:34
    NtSystemRoot C:\Windows
    NtProductType NtProductWinNt
    NtMajorVersion 6
    NtMinorVersion 1
    PE MajorOperatingSystemVersion 6
    PE MinorOperatingSystemVersion 1
    PE Machine 34404
    PE TimeDateStamp Sat Nov 20 09:30:02 2010


    View process information
    python3 vol.py -f /root/mem/1.raw windows.pslist
    or
    python3 vol.py -f /root/mem/1.raw windows.cmdline.CmdLine

    Output:
    [root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.pslist
    Volatility 3 Framework 1.0.1
    Progress: 100.00 PDB scanning finished
    PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

    4 0 System 0xfa80018bab30 95 755 N/A False 2020-12-03 08:16:16.000000 N/A Disabled
    2744 2804 explorer.exe 0xfa8001d6eb30 43 1509 2 False 2020-12-03 08:20:37.000000 N/A Disabled
    2692 2744 Everything.exe 0xfa8004100060 18 586 2 False 2020-12-03 08:20:37.000000 N/A Disabled
    5008 2692 SogouCloud.exe 0xfa80035bcb30 21 443 2 True 2021-01-13 02:40:05.000000 N/A Disabled
    2236 976 firefox.exe 0xfa80032b4120 0 - 2 False 2021-01-13 08:07:05.000000 2021-03-30 06:04:37.000000 Disabled
    5508 5836 httpd.exe 0xfa80032df370 3 141 2 True 2021-01-13 08:24:27.000000 N/A Disabled
    4180 5836 mysqld.exe 0xfa80036748a0 27 542 2 True 2021-01-13 08:24:27.000000 N/A Disabled
    3456 2744 notepad++.exe 0xfa800410d520 0 - 2 False 2021-01-13 08:52:47.000000 2021-01-13 08:52:48.000000 Disabled
    4968 2744 notepad++.exe 0xfa800248bb30 0 - 2 False 2021-01-13 08:54:41.000000 2021-01-13 08:54:41.000000 Disabled
    5084 2744 notepad++.exe 0xfa80044dc060 0 - 2 False 2021-01-13 08:56:03.000000 2021-01-13 08:56:03.000000 Disabled
    3808 2744 notepad++.exe 0xfa80051fb1d0 0 - 2 False 2021-01-13 09:03:21.000000 2021-01-13 09:03:21.000000 Disabled
    5548 2744 calc.exe 0xfa80024eb060 3 76 2 False 2021-03-30 06:07:51.000000 N/A Disabled
    3684 2744 mspaint.exe 0xfa800376ab30 7 121 2 False 2021-03-30 06:08:05.000000 N/A Disabled
    1788 2744 DumpIt.exe 0xfa8003174390 2 45 2 True 2021-03-30 06:08:31.000000 N/A Disabled
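
A listing this long is easier to triage with a script. The following is an added example, not part of the original post: it parses rows in the windows.pslist layout shown above and reports parent PIDs that are missing from the listing and how long each exited process ran. The function names are made up for this example, and the sample rows are a subset copied from the output above.

```python
from datetime import datetime

# Sample rows copied from the windows.pslist output above (subset).
PSLIST = """\
2744 2804 explorer.exe 0xfa8001d6eb30 43 1509 2 False 2020-12-03 08:20:37.000000 N/A Disabled
2236 976 firefox.exe 0xfa80032b4120 0 - 2 False 2021-01-13 08:07:05.000000 2021-03-30 06:04:37.000000 Disabled
5508 5836 httpd.exe 0xfa80032df370 3 141 2 True 2021-01-13 08:24:27.000000 N/A Disabled
3456 2744 notepad++.exe 0xfa800410d520 0 - 2 False 2021-01-13 08:52:47.000000 2021-01-13 08:52:48.000000 Disabled
1788 2744 DumpIt.exe 0xfa8003174390 2 45 2 True 2021-03-30 06:08:31.000000 N/A Disabled
"""
TS = "%Y-%m-%d %H:%M:%S.%f"

def take_time(tokens):
    """Consume one time column: either 'N/A' or a date token plus a time token."""
    if tokens[0] == "N/A":
        return None, tokens[1:]
    return datetime.strptime(" ".join(tokens[:2]), TS), tokens[2:]

def parse_pslist(text):
    """Turn whitespace-flattened windows.pslist rows into dicts."""
    procs = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 11 or not tok[0].isdigit():
            continue  # banner, header or blank line
        # Offset(V) (0x...) marks the end of the image name, which may contain spaces.
        off = next(i for i, t in enumerate(tok) if i >= 3 and t.startswith("0x"))
        created, rest = take_time(tok[off + 5:])
        exited, rest = take_time(rest)
        procs.append({"pid": int(tok[0]), "ppid": int(tok[1]),
                      "name": " ".join(tok[2:off]), "wow64": tok[off + 4] == "True",
                      "created": created, "exited": exited})
    return procs

def missing_parents(procs):
    """PPIDs that match no listed PID (parent already exited or absent from the list)."""
    return sorted({p["ppid"] for p in procs} - {p["pid"] for p in procs})

def lifetimes(procs):
    """(name, pid, seconds alive) for every process that has an ExitTime."""
    return [(p["name"], p["pid"], (p["exited"] - p["created"]).total_seconds())
            for p in procs if p["created"] and p["exited"]]

if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    print("parents not in listing:", missing_parents(procs))
    for name, pid, secs in lifetimes(procs):
        print(f"{name} (PID {pid}) ran for {secs:.0f} s")
```

To run it on a full listing, save the plugin output to a text file and pass the file's contents to parse_pslist instead of the embedded sample.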


    List the registry hives
    [root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.registry.hivelist
    Volatility 3 Framework 1.0.1
    Progress: 100.00 PDB scanning finished
    Offset FileFullPath File output

    0xf8a00000f010 Disabled
    0xf8a000024010 \REGISTRY\MACHINE\SYSTEM Disabled
    0xf8a000058010 \REGISTRY\MACHINE\HARDWARE Disabled
    0xf8a00011a010 \Device\HarddiskVolume1\Boot\BCD Disabled
    0xf8a00083b010 \SystemRoot\System32\Config\SOFTWARE Disabled
    0xf8a000b8a410 \SystemRoot\System32\Config\SAM Disabled
    0xf8a000c64010 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat Disabled
    0xf8a000cc3010 \SystemRoot\System32\Config\SECURITY Disabled
    0xf8a000d9f010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Disabled
    0xf8a000e2f010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Disabled
    0xf8a0015ff010 \??\C:\Users\Administrator\ntuser.dat Disabled
    0xf8a00259c010 \??\C:\System Volume Information\Syscache.hve Disabled
    0xf8a006733010 \SystemRoot\System32\Config\DEFAULT Disabled

    View port information
    python3 vol.py -f /root/mem/1.raw windows.netscan.NetScan
    Output:
    [root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.netscan.NetScan
    Volatility 3 Framework 1.0.1
    Progress: 100.00 PDB scanning finished
    Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

    0x14947510 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 5508 httpd.exe -
    0x14947510 TCPv6 :: 80 :: 0 LISTENING 5508 httpd.exe -
    0x3a802010 UDPv4 0.0.0.0 5355 * 0 320 svchost.exe 2021-03-30 06:02:49.000000
    0x495633b0 TCPv4 - 9745 101.71.72.212 443 CLOSED 2236 firefox.exe -
    0x50eb0960 TCPv4 - 9773 123.125.52.87 443 CLOSED 2236 firefox.exe -
    0x7d473010 TCPv4 - 10294 211.159.235.178 80 CLOSED 2236 firefox.exe -
    0x7d5bb010 TCPv4 - 10201 218.11.11.191 443 CLOSED 2236 firefox.exe -
    0x7da728e0 UDPv4 192.168.8.200 1900 * 0 1856 svchost.exe 2021-03-12 11:11:09.000000
    0x7da98b40 TCPv4 0.0.0.0 3306 0.0.0.0 0 LISTENING 4180 mysqld.exe -
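
The netscan rows do not all have the same number of columns (UDP endpoints have no State value), so a naive column split misreads them. The following is an added example, not part of the original post: it parses rows in the layout shown above, lists the services bound to every interface with their owning process, and groups remote peers by process. The function names are made up for this example, and the sample rows are a subset copied from the output above.

```python
from collections import defaultdict

# Sample rows copied from the windows.netscan output above (subset).
NETSCAN = """\
0x14947510 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 5508 httpd.exe -
0x14947510 TCPv6 :: 80 :: 0 LISTENING 5508 httpd.exe -
0x3a802010 UDPv4 0.0.0.0 5355 * 0 320 svchost.exe 2021-03-30 06:02:49.000000
0x495633b0 TCPv4 - 9745 101.71.72.212 443 CLOSED 2236 firefox.exe -
0x7d473010 TCPv4 - 10294 211.159.235.178 80 CLOSED 2236 firefox.exe -
0x7da728e0 UDPv4 192.168.8.200 1900 * 0 1856 svchost.exe 2021-03-12 11:11:09.000000
0x7da98b40 TCPv4 0.0.0.0 3306 0.0.0.0 0 LISTENING 4180 mysqld.exe -
"""
WILDCARD = {"0.0.0.0", "::"}

def parse_netscan(text):
    """Turn whitespace-flattened windows.netscan rows into dicts."""
    socks = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or not tok[0].startswith("0x"):
            continue  # banner, header or blank line
        rest = tok[6:]
        # UDP rows have an empty State column, so the next token is already the PID.
        state = None if rest[0].isdigit() else rest.pop(0)
        n_created = 1 if rest[-1] == "-" else 2  # Created is "-" or "date time"
        socks.append({"proto": tok[1], "laddr": tok[2], "lport": int(tok[3]),
                      "faddr": tok[4], "fport": int(tok[5]), "state": state,
                      "pid": int(rest[0]) if rest[0].isdigit() else None,
                      "owner": " ".join(rest[1:-n_created])})
    return socks

def exposed_services(socks):
    """Sockets bound to every interface: TCP listeners and UDP endpoints."""
    return sorted({(s["lport"], s["proto"][:3], s["pid"], s["owner"]) for s in socks
                   if s["laddr"] in WILDCARD and s["state"] in (None, "LISTENING")})

def remote_peers(socks):
    """Map 'owner (PID)' to the remote address:port pairs it had connections to."""
    peers = defaultdict(set)
    for s in socks:
        if s["state"] not in (None, "LISTENING") and s["faddr"] not in WILDCARD | {"*", "-"}:
            peers[f'{s["owner"]} ({s["pid"]})'].add(f'{s["faddr"]}:{s["fport"]}')
    return {k: sorted(v) for k, v in peers.items()}

if __name__ == "__main__":
    socks = parse_netscan(NETSCAN)
    print(exposed_services(socks))
    print(remote_peers(socks))
```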

    View CA certificate information
    [root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.registry.certificates.Certificates
    Volatility 3 Framework 1.0.1
    Progress: 100.00 PDB scanning finished
    Certificate path Certificate section Certificate ID Certificate name

    Microsoft\SystemCertificates AuthRoot 02FAF3E291435468607857694DF5E45B68851868 Sectigo (AddTrust)
    Microsoft\SystemCertificates AuthRoot 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 DigiCert
    Microsoft\SystemCertificates AuthRoot 97817950D81C9670CC34D809CF794431367EF474 DigiCert Global Root
    Microsoft\SystemCertificates AuthRoot A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 DigiCert
    Microsoft\SystemCertificates AuthRoot B1BC968BD4F49D622AA89A81F2150152A41D829C GlobalSign Root CA - R1
    Microsoft\SystemCertificates AuthRoot D4DE20D05E66FC53FE1A50882C78DB2852CAE474 DigiCert Baltimore Root
    Microsoft\SystemCertificates AuthRoot D69B561148F01C77C54578C10926DF5B856976AD GlobalSign Root CA - R3
    Microsoft\SystemCertificates AuthRoot DAC9024F54D8F6DF94935FB1732638CA6AD77C13 DST Root CA X3
    Microsoft\SystemCertificates CA 109F1CAED645BB78B3EA2B94C0697C740733031C -
    Microsoft\SystemCertificates ROOT A43489159A520F0D93D032CCAF37E7FE20A8B419 Microsoft Root Authority

    View process start and exit times
    python3 vol.py -f /root/mem/1.raw windows.psscan.PsScan

    ====================================================================================

    Installing pip on Kali
    Reference
    https://blog.csdn.net/chaojianmo/article/details/101058452
    1. Download and install
    curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py # download the install script
    sudo python3 get-pip.py # run the install script

    2. Switch to a mirror in China
    cd ~
    mkdir -p .config/pip/
    vim ~/.config/pip/pip.conf
    [global]
    index-url = https://pypi.tuna.tsinghua.edu.cn/simple

    sudo cat ~/.config/pip/pip.conf

    3. Upgrade pip
    sudo python3 -m pip install --upgrade pip


    Installing the forensic analysis tool
    Reference: https://blog.csdn.net/weixin_39559369/article/details/111061945
    git clone https://github.com/volatilityfoundation/volatility.git --depth 1

    pip install distorm3
    pip install yara
    pip install pycrypto
    pip install Pillow
    pip install openpyxl
    pip install ujson

    Installing volatility with python3
    Reference:
    https://blog.csdn.net/qq_41122834/article/details/106292343

    Usage
    Reference
    https://www.freebuf.com/articles/system/26763.html
    sudo python3 /home/kali/volatility3/vol.py -h

    sudo vol -h


    Using the Win7 build of volatility (personally tested, works)
    Download
    https://download.csdn.net/download/xueteng71/11119820?utm_medium=distribute.pc_relevant.none-task-download-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-8.control&dist_request_id=1328740.51660.16170967934900087&depth_1-utm_source=distribute.pc_relevant.none-task-download-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-8.control
    Usage
    https://www.icode9.com/content-3-741286.html
    https://cloud.tencent.com/developer/article/1562899
    https://blog.csdn.net/weixin_39559369/article/details/111061945

    Identify the host type of the memory image
    View help and plugins
    volatility.exe -h
    View the version
    volatility.exe -v
    # Note the profile information
    volatility.exe -f 1.raw imageinfo

    Volatile Systems Volatility Framework 2.0
    Determining profile based on KDBG search...

    Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
    AS Layer1 : FileAddressSpace (D:a0memeryfenxiv1.raw)
    PAE type : No PAE


    Volatile Systems Volatility Framework 2.0
    Determining profile based on KDBG search...

    Suggested Profile(s) : Win7SP0x64, Win7SP0x64, Win7SP0x64 (Instantiated with no profile)
    AS Layer1 : FileAddressSpace (D:1SZASS-20210330-100249.dmp)
    PAE type : No PAE


    Using plugins
    # View the processes in memory (using the profile value found earlier)
    volatility.exe -f 1.raw --profile=Win7SP0x64 pslist
    volatility.exe -f 1.raw --profile=Win7SP0x64 pstree

    # View hive (database) information, including the registry
    volatility.exe -f 1.raw --profile=Win7SP0x64 hivelist

    # Dump the contents of one hive
    volatility.exe -f 1.raw --profile=Win7SP0x64 hivedump -o <virtual address from the first column>


    volatility.exe -f 1.raw --profile=Win7SP0x64 userassist

    ====================================================================================


    volatility2 on Win7
    Reference
    https://blog.csdn.net/Soda_199/article/details/79644303?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control&dist_request_id=1328761.423.16171711007969129&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control
    Download (the official version 2 releases)
    https://www.volatilityfoundation.org/releases

    Using third-party vol plugins

    1. Get the python2 source of vol 2.6
    https://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
    See the official site: https://www.volatilityfoundation.org/releases

    2. Install
    python2 setup.py install

    3. Get the third-party plugins
    https://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip

    4. Install the plugins
    Unzip the plugins and copy them into the volatility/plugins directory


    Some problems on Win7 and their fixes
    1. Message: *** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
    Fix: install distorm3
    https://blog.csdn.net/my_xxh/article/details/51603953
    Download: distorm3
    https://github.com/gdabah/distorm/releases
    https://github.com/volatilityfoundation/volatility/wiki/Installation
    Install
    cd distorm3
    python2 setup.py build install

    2. Message: error: Microsoft Visual C++ 9.0 is required (Unable to find vcvarsall.bat). Get it from http://aka.ms/vcpython27
    Fix: install the Win7 component VCForPython27.msi
    https://blog.csdn.net/xxm524/article/details/47360229/
    https://blog.csdn.net/ylh071032/article/details/53435793?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control&dist_request_id=&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control
    Download: Win7 component VCForPython27.msi
    https://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi

    3. Install the other python components
    pip2 install Pillow
    pip2 install openpyxl
    pip2 install ujson==1.35

    Fix:

  • Original article: https://www.cnblogs.com/andy9468/p/14808089.html