Alright, the book lays out the steps; let's reproduce them with Volatility (the process listing below is from Volatility 3, the dump and impscan steps from Volatility 2.6).
List the processes:
PS D:\Application\volatility3-stable> python .\vol.py -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" windows.pslist
Volatility 3 Framework 2.4.1
Progress:  100.00   PDB scanning finished

PID   PPID  ImageFileName    Offset(V)   Threads  Handles  SessionId  Wow64  CreateTime                  ExitTime                    File output
4     0     System           0x810b1660  57       182      N/A        False  N/A                         N/A                         Disabled
544   4     smss.exe         0xff2ab020  3        21       N/A        False  2010-08-11 06:06:21.000000  N/A                         Disabled
608   544   csrss.exe        0xff1ecda0  10       378      0          False  2010-08-11 06:06:23.000000  N/A                         Disabled
632   544   winlogon.exe     0xff1ec978  18       511      0          False  2010-08-11 06:06:23.000000  N/A                         Disabled
676   632   services.exe     0xff247020  16       269      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
688   632   lsass.exe        0xff255020  19       344      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
844   676   vmacthlp.exe     0xff218230  1        24       0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
856   676   svchost.exe      0x80ff88d8  17       199      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
936   676   svchost.exe      0xff217560  11       274      0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
1028  676   svchost.exe      0x80fbf910  75       1373     0          False  2010-08-11 06:06:24.000000  N/A                         Disabled
1088  676   svchost.exe      0xff22d558  6        86       0          False  2010-08-11 06:06:25.000000  N/A                         Disabled
1148  676   svchost.exe      0xff203b80  14       209      0          False  2010-08-11 06:06:26.000000  N/A                         Disabled
1432  676   spoolsv.exe      0xff1d7da0  12       134      0          False  2010-08-11 06:06:26.000000  N/A                         Disabled
1668  676   vmtoolsd.exe     0xff1b8b28  5        221      0          False  2010-08-11 06:06:35.000000  N/A                         Disabled
1788  676   VMUpgradeHelper  0xff1fdc88  4        100      0          False  2010-08-11 06:06:38.000000  N/A                         Disabled
1968  676   TPAutoConnSvc.e  0xff143b28  5        100      0          False  2010-08-11 06:06:39.000000  N/A                         Disabled
216   676   alg.exe          0xff25a7e0  6        105      0          False  2010-08-11 06:06:39.000000  N/A                         Disabled
888   1028  wscntfy.exe      0xff364310  1        27       0          False  2010-08-11 06:06:49.000000  N/A                         Disabled
1084  1968  TPAutoConnect.e  0xff38b5f8  1        61       0          False  2010-08-11 06:06:52.000000  N/A                         Disabled
1724  1708  explorer.exe     0xff3865d0  13       326      0          False  2010-08-11 06:09:29.000000  N/A                         Disabled
432   1724  VMwareTray.exe   0xff3667e8  1        49       0          False  2010-08-11 06:09:31.000000  N/A                         Disabled
452   1724  VMwareUser.exe   0xff374980  8        206      0          False  2010-08-11 06:09:32.000000  N/A                         Disabled
468   1028  wuauclt.exe      0x80f94588  4        135      0          False  2010-08-11 06:09:37.000000  N/A                         Disabled
1180  1060  lanmanwrk.exe    0xff3825f8  2        75       0          False  2010-08-15 19:09:12.000000  N/A                         Disabled
1340  1724  IEXPLORE.EXE     0xff38a410  12       346      0          False  2010-08-15 19:09:26.000000  N/A                         Disabled
460   1668  cmd.exe          0xff1f9b08  0        -        0          False  2010-08-15 19:11:21.000000  2010-08-15 19:11:21.000000  Disabled
PID 1180 (lanmanwrk.exe) is the malicious process we are after. Two things in the listing are worth recording before going further: its PPID 1060 appears nowhere in the list, so whatever launched it has already exited, and it was created on 2010-08-15 19:09:12, four days after the 2010-08-11 boot, with IEXPLORE.EXE following 14 seconds later.
First, dump the process's PE image:
PS D:\Application\volatility3-stable\prodmp_out> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" procdump --dump-dir prodmp_out

    Directory: D:\Application\volatility3-stable\prodmp_out

Mode    LastWriteTime       Length   Name
----    -------------       ------   ----
-a----  2023-05-03 20:55    14336    executable.1028.exe
-a----  2023-05-03 20:55    446464   executable.1084.exe
-a----  2023-05-03 20:55    14336    executable.1088.exe
-a----  2023-05-03 20:55    29696    executable.1180.exe
-a----  2023-05-03 21:13    16384    executable.1180.exe.id0
-a----  2023-05-03 21:13    0        executable.1180.exe.id1
-a----  2023-05-03 21:13    41       executable.1180.exe.id2
-a----  2023-05-03 21:13    0        executable.1180.exe.nam
-a----  2023-05-03 21:14    82       executable.1180.exe.til
-a----  2023-05-03 20:55    93184    executable.1340.exe
-a----  2023-05-03 20:55    57856    executable.1432.exe
-a----  2023-05-03 20:55    65536    executable.1668.exe
-a----  2023-05-03 20:55    1032192  executable.1724.exe
-a----  2023-05-03 20:55    184320   executable.1788.exe
-a----  2023-05-03 20:55    135168   executable.432.exe
-a----  2023-05-03 20:55    1081344  executable.452.exe
-a----  2023-05-03 20:55    111104   executable.468.exe
-a----  2023-05-03 20:55    0        executable.608.exe
-a----  2023-05-03 20:55    502272   executable.632.exe
-a----  2023-05-03 20:55    108032   executable.676.exe
-a----  2023-05-03 20:55    13312    executable.688.exe
-a----  2023-05-03 20:55    14336    executable.936.exe

The .id0/.id1/.id2/.nam/.til files next to executable.1180.exe are IDA's working database, created when the dump was opened in IDA later (note the 21:13 timestamps). Also note that not every process got a file: there is no executable.4.exe, executable.544.exe or executable.460.exe, and executable.608.exe is 0 bytes. procdump can only write an image when the process's PE header and pages are still resident, so check the directory listing rather than assuming every dump succeeded.
vol3 can do this too: python .\vol.py -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" windows.pslist --dump (add --pid 1180 to dump only that process).
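Rather than only eyeballing the dump in IDA, here is a small added check (my own example, not code from the post or from the Cookbook) that reads the optional-header data directories of a dumped image and reports whether the import directory and the IAT directory are still populated. The `build_pe32_header` helper constructs a minimal PE32 header purely so the check can be exercised offline; the file name `executable.1180.exe` in the usage line is the one from the listing above. A zeroed import directory is exactly the situation where IDA shows anonymous indirect calls and impscan is needed; a non-zero directory can still point at garbage, so treat "present" as necessary, not sufficient.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # import directory table
IMAGE_DIRECTORY_ENTRY_IAT = 12     # import address table


def data_directories(pe: bytes):
    """Return the optional-header data directories as (rva, size) tuples."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    opt = e_lfanew + 4 + 20                       # past signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                          # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    count = struct.unpack_from("<I", pe, count_off)[0]
    return [struct.unpack_from("<II", pe, dirs_off + 8 * i) for i in range(count)]


def import_table_status(pe: bytes):
    """Report whether the image still carries an import directory and an IAT directory.
    Both zero is the 'no usable IAT' state seen with the dump of PID 1180."""
    dirs = data_directories(pe)
    imp = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] if len(dirs) > IMAGE_DIRECTORY_ENTRY_IMPORT else (0, 0)
    iat = dirs[IMAGE_DIRECTORY_ENTRY_IAT] if len(dirs) > IMAGE_DIRECTORY_ENTRY_IAT else (0, 0)
    return {"import_dir": tuple(imp), "iat_dir": tuple(iat),
            "has_import_dir": tuple(imp) != (0, 0)}


def build_pe32_header(import_dir=(0, 0), iat_dir=(0, 0)) -> bytes:
    """Constructed minimal PE32 header (no sections) so the checker can run offline.
    This is NOT the laqma dump; only the fields read above carry meaning."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)       # i386, SizeOfOptionalHeader = 224
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = import_dir
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = iat_dir
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Usage: python check_imports.py executable.1180.exe
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_pe32_header()
    print(path or "<constructed header>", import_table_status(blob))
```

Run it against executable.1180.exe from the procdump output directory; if `has_import_dir` is False the import directory was zeroed and IDA has nothing to name the thunk slots from, which is the case impscan addresses.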
Sure enough, the dump of 1180 has no usable IAT. That is the expected state for an image carved out of memory: the loader has already overwritten the thunk slots with resolved function addresses, and the import directory that ties a name to each slot is missing or damaged in the dump, so IDA only sees anonymous indirect calls through addresses like 0x406000. impscan recovers the names by scanning those slots and matching each stored address against the exports of the DLLs loaded in the process. Let's look at it in IDA first:
As expected, it looks pretty ugly. Now run impscan (Volatility 2.6 here; the vol3 2.4.1 used above does not ship an impscan plugin):
PS D:\Application\volatility3-stable> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" impscan -p 1180
Volatility Foundation Volatility Framework 2.6
IAT        Call       Module               Function
---------- ---------- -------------------- --------
0x00406000 0x77deb635 ADVAPI32.dll         ControlService
0x00406004 0x77ddede5 ADVAPI32.dll         RegDeleteValueA
0x00406008 0x77dd6bf0 ADVAPI32.dll         RegCloseKey
0x0040600c 0x77e37311 ADVAPI32.dll         DeleteService
0x00406010 0x77deada7 ADVAPI32.dll         OpenSCManagerA
0x00406014 0x77e37071 ADVAPI32.dll         CreateServiceA
0x00406018 0x77deb88c ADVAPI32.dll         OpenServiceA
0x0040601c 0x77de5e4d ADVAPI32.dll         CloseServiceHandle
0x00406020 0x77dd7883 ADVAPI32.dll         RegQueryValueExA
0x00406024 0x77dfc41b ADVAPI32.dll         RegOpenKeyA
0x0040602c 0x7c80b357 kernel32.dll         GetModuleFileNameA
0x00406030 0x7c802442 kernel32.dll         Sleep
0x00406034 0x7c81082f kernel32.dll         CreateThread
0x00406038 0x7c82293b kernel32.dll         GetWindowsDirectoryA
0x0040603c 0x7c81caa2 kernel32.dll         ExitProcess
0x00406040 0x7c8092ac kernel32.dll         GetTickCount
0x00406044 0x7c80c9c1 kernel32.dll         GetLocalTime
0x00406048 0x7c810d34 kernel32.dll         SystemTimeToFileTime
0x0040604c 0x7c80946c kernel32.dll         CreateFileMappingA
0x00406050 0x7c81ff03 kernel32.dll         FlushViewOfFile
0x00406054 0x7c801d77 kernel32.dll         LoadLibraryA
0x00406058 0x7c80994e kernel32.dll         GetCurrentProcessId
0x0040605c 0x7c910331 kernel32.dll         GetLastError
0x00406060 0x7c80c729 kernel32.dll         lstrcpyA
0x00406064 0x7c810c8f kernel32.dll         GetFileSize
0x00406068 0x7c812851 kernel32.dll         GetVersionExA
0x0040606c 0x7c80b529 kernel32.dll         GetModuleHandleA
0x00406070 0x7c80ac28 kernel32.dll         GetProcAddress
0x00406074 0x7c80c6e0 kernel32.dll         lstrlenA
0x00406078 0x7c80b9fe kernel32.dll         OpenFileMappingA
0x0040607c 0x7c80b78d kernel32.dll         MapViewOfFile
0x00406080 0x7c80b7fc kernel32.dll         UnmapViewOfFile
0x00406084 0x7c80c865 kernel32.dll         GetSystemDefaultLCID
0x00406088 0x7c80d47e kernel32.dll         GetLocaleInfoA
0x0040608c 0x7c80b929 kernel32.dll         lstrcmpiA
0x00406090 0x7c9179fd kernel32.dll         HeapReAlloc
0x00406094 0x7c9105d4 kernel32.dll         HeapAlloc
0x00406098 0x7c80aa49 kernel32.dll         GetProcessHeap
0x0040609c 0x7c91043d kernel32.dll         HeapFree
0x004060a0 0x7c809b77 kernel32.dll         CloseHandle
0x004060a4 0x7c801a24 kernel32.dll         CreateFileA
0x004060a8 0x7c810f9f kernel32.dll         WriteFile
0x004060ac 0x7c830053 kernel32.dll         CopyFileA
0x004060b0 0x7c838fb9 kernel32.dll         lstrcatA
0x004060b4 0x7c8394ae kernel32.dll         GetTimeZoneInformation
0x004060bc 0x77d4df6b USER32.dll           DefWindowProcA
0x004060c0 0x77d4e2ae USER32.dll           SendMessageA
0x004060c4 0x77d6f3c6 USER32.dll           FindWindowA
0x004060c8 0x77d4d7bb USER32.dll           GetDesktopWindow
0x004060cc 0x77d4b57c USER32.dll           GetWindowRect
0x004060d0 0x77d4bcbd USER32.dll           DispatchMessageA
0x004060d4 0x77d4a2de USER32.dll           wsprintfA
0x004060d8 0x77d52316 USER32.dll           RegisterClassA
0x004060dc 0x77d5190b USER32.dll           CreateWindowExA
0x004060e0 0x77d48bce USER32.dll           TranslateMessage
0x004060e4 0x77d6ea45 USER32.dll           GetMessageA
0x004060e8 0x77d48c06 USER32.dll           SetTimer
0x004060f0 0x771d325f WININET.dll          InternetQueryDataAvailable
0x004060f4 0x771c8c6a WININET.dll          HttpQueryInfoA
0x004060f8 0x771c76b8 WININET.dll          HttpSendRequestA
0x004060fc 0x771c4ac5 WININET.dll          HttpOpenRequestA
0x00406100 0x771c61dc WININET.dll          InternetCloseHandle
0x00406104 0x771c44db WININET.dll          InternetConnectA
0x00406108 0x771c6d2a WININET.dll          InternetOpenA
0x0040610c 0x771c8840 WININET.dll          InternetCrackUrlA
0x00408a80 0x7c80180e kernel32.dll         ReadFile
0x00408a84 0x7c81e85c kernel32.dll         DeleteFileA
0x00408a88 0x7c801a24 kernel32.dll         CreateFileA
0x00408a8c 0x7c830053 kernel32.dll         CopyFileA
0x00408a90 0x7c809b77 kernel32.dll         CloseHandle
0x00408a94 0x771c9555 WININET.dll          InternetReadFile
0x00408a98 0x7c810f9f kernel32.dll         WriteFile
0x00408a9c 0x77df3238 ADVAPI32.dll         StartServiceA

A few things to read off this before renaming anything. The slots run in per-DLL groups with one empty slot between groups (0x406028, 0x4060b8, 0x4060ec), which is the null terminator the loader expects between thunk arrays, so the first region 0x406000-0x40610c is the original IAT layout. The second, separate region at 0x408a80-0x408a9c repeats four names already present in the first (CreateFileA, CopyFileA, CloseHandle, WriteFile) and adds ReadFile, DeleteFileA, InternetReadFile and StartServiceA. The names alone already sketch the behaviour: service creation and start (OpenSCManagerA/CreateServiceA/StartServiceA), registry changes, a hidden message-loop window, and HTTP downloads via WinINet written to disk.
Massage the rows with a Notepad++ find/replace in regular-expression mode (leave "Match case" unchecked, because [0-9a-z.]+ must also match ADVAPI32.dll, USER32.dll and WININET.dll):
^([0-9a-z]+)\s+[0-9a-z]+\s+[0-9a-z.]+\s+(\w+)$
MakeName\(\1, "\2"\);
This turns each row into a command IDA understands, e.g. MakeName(0x00406000, "ControlService");, which can then be loaded into IDA (in IDA 7 and later the same call is spelled set_name(ea, name, SN_CHECK); MakeName is kept as a compatibility alias). One catch: IDA refuses a name that is already in use, so the second CreateFileA, CopyFileA, CloseHandle and WriteFile at 0x408a88-0x408a98 need a distinct name (a numeric suffix is enough) or they will be rejected.
And the IAT is rebuilt correctly. Good!
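The Notepad++ replace is a one-off; the same conversion as a script, written here as an added example (my own code, not the post's or the Cookbook's), parses impscan rows, tolerates the mixed-case module names, gives repeated imports a numeric suffix so IDA does not reject them, and reports how many separate IAT regions impscan found. `IMPSCAN_EXCERPT` is a constructed subset of the listing above, so the region count it reports reflects the excerpt, not the full table; `set_name`/`SN_CHECK` is the IDA 7+ spelling of `MakeName`.

```python
import re
from collections import Counter

# Constructed excerpt of the impscan listing above (same column format, fewer rows).
IMPSCAN_EXCERPT = """\
Volatility Foundation Volatility Framework 2.6
IAT        Call       Module               Function
---------- ---------- -------------------- --------
0x00406020 0x77dd7883 ADVAPI32.dll         RegQueryValueExA
0x00406024 0x77dfc41b ADVAPI32.dll         RegOpenKeyA
0x0040602c 0x7c80b357 kernel32.dll         GetModuleFileNameA
0x00406030 0x7c802442 kernel32.dll         Sleep
0x00406034 0x7c81082f kernel32.dll         CreateThread
0x004060a4 0x7c801a24 kernel32.dll         CreateFileA
0x00408a80 0x7c80180e kernel32.dll         ReadFile
0x00408a84 0x7c81e85c kernel32.dll         DeleteFileA
0x00408a88 0x7c801a24 kernel32.dll         CreateFileA
"""

# Case-insensitive on purpose: module names mix case (ADVAPI32.dll, kernel32.dll).
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([\w.]+)\s+(\w+)\s*$", re.I)


def parse_impscan(text):
    """One dict per resolved IAT slot, in listing order; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            iat, call, module, func = m.groups()
            rows.append({"iat": int(iat, 16), "call": int(call, 16),
                         "module": module, "func": func})
    return rows


def iat_regions(rows, ptr_size=4):
    """Merge slots into contiguous runs as (first, last) addresses. A single empty slot
    between runs is tolerated: that is the null terminator between per-DLL thunk arrays.
    A larger jump starts a new region, e.g. the separate table at 0x408a80."""
    regions = []
    for r in sorted(rows, key=lambda r: r["iat"]):
        if regions and r["iat"] - regions[-1][1] <= 2 * ptr_size:
            regions[-1][1] = r["iat"]
        else:
            regions.append([r["iat"], r["iat"]])
    return [tuple(x) for x in regions]


def unique_names(rows):
    """IDA rejects a name that is already in use, so a function imported twice
    (CreateFileA at 0x4060a4 and 0x408a88) gets a numeric suffix on repeats."""
    seen = Counter()
    names = []
    for r in rows:
        n = seen[r["func"]]
        seen[r["func"]] += 1
        names.append(r["func"] if n == 0 else f"{r['func']}_{n}")
    return names


def to_idc(rows, legacy=True):
    """Emit an IDC script (File > Script file in IDA). legacy=True uses MakeName as the
    post does; legacy=False uses the IDA 7+ form set_name(ea, name, SN_CHECK)."""
    lines = ["static main() {"]
    for r, name in zip(rows, unique_names(rows)):
        if legacy:
            lines.append(f'  MakeName(0x{r["iat"]:08x}, "{name}");  // {r["module"]}')
        else:
            lines.append(f'  set_name(0x{r["iat"]:08x}, "{name}", SN_CHECK);  // {r["module"]}')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_impscan(IMPSCAN_EXCERPT)
    print("// IAT regions found:", ", ".join(f"{a:#x}-{b:#x}" for a, b in iat_regions(rows)))
    print(to_idc(rows))
```

Feed it the real impscan output (for example `parse_impscan(open("impscan.txt").read())`) and save the printed script as a .idc file; the comment after each MakeName keeps the module name visible in the script so the grouping can be sanity-checked against the listing before running it.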
From: https://www.cnblogs.com/bonelee/p/17369738.html