메모리덤프 분석
페이지 정보
작성자 sbLAB 댓글 0건 조회 5,629회 작성일 18-07-21 10:04본문
http://chosik.tistory.com/m/post/293
1. FTK Imager 다운로드 (메모리덤프) - 32bit, 64bit 용 확인
http://accessdata.com/product-download
※ memoryze 로도 덤프가능 (C:\Program Files\MANDIANT\Memoryze)
※ https://www.fireeye.com/services/freeware/memoryze.html
2. volatility stand_alone 다운로드(메모리분석) - ( volatility stand_alone 이므로)파이선 런타임 설치 불필요
https://code.google.com/p/volatility/downloads/detail?name=volatility-2.3.1.standalone.exe&can=2&q=
https://www.python.org/download/releases/2.7.1/
[사용예]
1. 우선 (FTK Imager) 로 메모리덤프
2. 분석 - Win7SP0x86 확인
volatility-2.3.1.standalone.exe -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (C:\Users\main\Desktop\AccessData FTK Imager\volatility\memdump.mem)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x83377c28L
Number of Processors : 4
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x83378c00L
KPCR for CPU 1 : 0x807c8000L
KPCR for CPU 2 : 0x8eb00000L
KPCR for CPU 3 : 0x8eb36000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2015-11-15 00:17:41 UTC+0000
Image local date and time : 2015-11-15 09:17:41 +0900
[프로세스 리스트 보기]
volatility-2.3.1.standalone.exe -f memdump.mem --profile=Win7SP0x86 pslist
[프로세스 리스트 트리형태 보기]
volatility-2.3.1.standalone.exe -f memdump.mem --profile=Win7SP0x86 pstree
[프로세스 리스트 스캔]
volatility-2.3.1.standalone.exe -f memdump.mem --profile=Win7SP0x86 psscan
[프로세스 리스트 은닉스캔] - psscan 은 True 인데, pslist 가 False 인경우
volatility-2.3.1.standalone.exe -f memdump.mem --profile=Win7SP0x86 psxview
[기타]
connscan - TCP 연결 목록
sockets - sockets list
sockscan - Opened sockets list
[더 많은 플러그인 리스트]
https://code.google.com/p/volatility/wiki/Plugins
Existing 2.0 plugins
Note: MHL's malware plugins for Volatility 2.0 can be found at The Malware Cookbook Code Repository (malware.py)
| Plugin | Description | Primary Maintainer | Core Vote |
| apihooks | Find API hooks | MHL | . |
| bioskbd | Reads the keyboard buffer from Real Mode memory | MA | Yes |
| connections | Print list of open connections | . | Yes |
| connscan2 | Scan Physical memory for TCPT_OBJECT objects (tcp connections) | . | Yes |
| crashinfo | Dump crash-dump information | . | Yes |
| csrpslist | Find hidden processes with csrss handles and CsrRootProcess | MHL | . |
| datetime | Get date/time information for image | MA | Yes |
| dlllist | Print list of loaded dlls for each process | . | Yes |
| dlldump | Dump a DLL from a process address space | MHL | Yes (in contrib folder) |
| driverirp | Driver IRP hook detection | MHL | . |
| driverscan | Scan for driver objects DRIVER_OBJECT | . | . |
| files | Print list of open files for each process | . | Yes |
| filescan | Scan Physical memory for FILE_OBJECT pool allocations | . | . |
| getsids | Print the SIDs owning each process | moyix | Yes |
| hashdump | Dumps passwords hashes (LM/NTLM) from memory | moyix | Yes |
| hibdump | Dumps the hibernation file to a raw file | . | Yes |
| hibinfo | Dump hibernation file information | . | Yes |
| hivedump | Prints out a hive | moyix | Yes |
| hivelist | Print list of registry hives. | moyix | Yes |
| hivescan | Scan Physical memory for CMHIVE objects (registry hives) | moyix | Yes |
| idt | Display Interrupt Descriptor Table | MHL | . |
| imageinfo | Identify information for the image | MA | Yes |
| impscan | Scan a module for imports (API calls) | MHL | . |
| ldrmodules | Detect unlinked DLLs | MHL | . |
| kpcrscan | Search for and dump potential KPCR values | scudette | Yes |
| lsadump | Dump (decrypted) LSA secrets from the registry | moyix | Yes |
| malfind | Find hidden and injected code | MHL | . |
| memdump | Dump the addressable memory for a process | . | Yes |
| memmap | Print the memory map | . | Yes |
| moddump | Dump out a kernel module (aka driver) | . | Yes (in contrib folder) |
| modscan2 | Scan Physical memory for LDR_DATA_TABLE_ENTRY objects | . | Yes |
| modules | Print list of loaded modules | MA | . |
| mutantscan | Scan for mutant objects KMUTANT | . | . |
| mutantscandb | mutantscan extension for highlighting suspicious mutexes | MHL | . |
| notifyroutines | Print system-wide notification routines | MHL | . |
| orphanthread | Locate hidden threads | MHL | . |
| patcher | Patches memory based on page scans | MA | Yes |
| printkey | Print a registry key, and its subkeys and values | moyix | Yes |
| procexedump | Dump a process to an executable file sample | . | Yes |
| procmemdump | Dump a process to an executable memory sample | . | Yes |
| pslist | print all running processes by following the EPROCESS lists | . | Yes |
| psscan | Scan Physical memory for EPROCESS objects | . | Yes |
| pstree | Print process list as a tree | scudette | Yes |
| regobjkeys | Print list of open regkeys for each process | MA | . |
| sockets | Print list of open sockets | . | Yes |
| sockscan | Scan Physical memory for ADDRESS_OBJECT objects (tcp sockets) | . | Yes |
| ssdt | Display SSDT entries | moyix | Yes |
| ssdt_by_threads | SSDT hooks by thread | MHL | . |
| ssdt_ex | SSDT Hook Explorer for IDA Pro (and SSDT by thread) | MHL | . |
| strings | Match physical offsets to virtual addresses (may take a while, VERY verbose) | . | . |
| svcscan | Scan for Windows services | MHL | . |
| thrdscan | Scan Physical memory for ETHREAD objects | . | Yes |
| thrdscan2 | Scan physical memory for ETHREAD objects | . | Yes |
| vaddump | Dumps out the vad sections to a file | . | . |
| vadinfo | Dump the VAD info | . | . |
| vadtree | Walk the VAD tree and display in tree format | . | . |
| vadwalk | Walk the VAD tree | . | . |
Plugins Left to Port to 2.0
| Plugin | Description | Primary Maintainer | Core Vote |
| objtypescan | Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive) | . | Yes |
| psscan3 | Scans the physical address space looking for memory resident data structures associated with processes | . | Yes |
| raw2dmp | Convert a raw dump to a crash dump | . | . |
| symlinkobjscan | Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.) | . | Yes |
Plugins (1.3)
| Plugin | Author | URL | Description | Status | Supported OSes | Core Vote |
| bioskbd | AB & MA | url | Reads the keyboard buffer from Real Mode memory | . | . | Yes |
| cryptoscan | JesseK | url | Finds Truecrypt passphrases | . | . | No |
| DriverIRP | MHL | url | Prints driver IRP function addresses |
첨부파일
- 마이설명서.rtf (413.1K) 4회 다운로드 | DATE : 2018-07-21 10:04:10
- Text Cleaver.exe (104.0K) 2회 다운로드 | DATE : 2018-07-21 10:04:10
댓글목록
등록된 댓글이 없습니다.
