Using Volatility for Memory Forensics
Contents
- Preface
- Environment
- Generating a memory image with DumpIt
- Using a VMware memory image
- Installing Volatility
- Using HollowFind
- Common problems
- Failed to import volatility.plugins.registry.shutdown (ImportError: XXX
- Solution
- No suitable address space mapping found
Preface
Volatility is an open-source memory forensics framework. It analyses an exported memory image: by locating the kernel data structures, its plugins reconstruct the detailed contents of memory and the running state of the system.
DumpIt produces a physical memory dump of a Windows machine. It runs on 32-bit and 64-bit systems and can be carried on a USB flash drive for fast incident response.
HollowFind is a Volatility plugin for detecting hollowed processes.
Environment
Volatility 2.5 (the hollowfind plugin used below does not seem to support 2.6)
win10
(Note: the hollowfind plugin can only examine Win7 images)
Vmware 14
win7
python2.7
DumpIt.exe
Generating a memory image with DumpIt
For detailed usage see:
Using Volatility for Memory Forensics (the generated file is xxx.raw)
Using a VMware memory image
Suspend the virtual machine, then find the .vmem file in the virtual machine's folder.
In my case it is a Win7 virtual machine.
Installing Volatility
Install
python setup.py install
Run
Process list
python vol.py -f svchost.DMP pslist
Using HollowFind
[Translation] Using the HollowFind plugin to detect various process injection techniques; how HollowFind works
python vol.py -f xxxx.vmem --profile=xxxx hollowfind
I have python2.7 and use powershell, and the image must be the memory of a Win7 VMware virtual machine (hollowfind only supports Volatility 2.5 and Win7), so I write it like this:
python27.exe .\vol.py -f ..\replace_process_win7.vmem --profile=Win2008R2SP0x64 hollowfind
Output:
PS D:\workspace\2013\Github\volatility-master\volatility-2.5> python27.exe .\vol.py -f ..\replace_process_win7.vmem --profile=Win2008R2SP0x64 hollowfind
Volatility Foundation Volatility Framework 2.5
Hollowed Process Information:
Process: GoogleUpdate.e PID: 2912
Parent Process: taskeng.exe PPID: 2864
Creation Time: 2022-06-14 06:39:27 UTC+0000
Process Base Name(PEB): GoogleUpdate.exe
Command Line(PEB): "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c
Hollow Type: No VAD Entry For Process Executable
VAD and PEB Comparison:
Base Address(VAD): 0x0
Process Path(VAD): NA
Vad Protection: NA
Vad Tag: NA
Base Address(PEB): 0xe80000
Process Path(PEB): C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Memory Protection: PAGE_EXECUTE_WRITECOPY
Memory Tag: Vad
No Hexdump: Memory Unreadable at 0x00e80000
Similar Processes:
GoogleUpdate.e(2912) Parent:taskeng.exe(2864) Start:2022-06-14 06:39:27 UTC+0000
GoogleUpdate.e(3708) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:45 UTC+0000
GoogleUpdate.e(3784) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:47 UTC+0000
Suspicious Memory Regions:
0x1a0000(No PE/Possibly Code) Protection: PAGE_EXECUTE_READWRITE Tag: VadS
---------------------------------------------------
Hollowed Process Information:
Process: svchost.exe PID: 892
Parent Process: services.exe PPID: 536
Creation Time: 2022-06-14 06:39:10 UTC+0000
Process Base Name(PEB): svchost.exe
Command Line(PEB): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Hollow Type: Process Base Address and Memory Protection Discrepancy
VAD and PEB Comparison:
Base Address(VAD): 0xff6c0000
Process Path(VAD): \Windows\System32\services.exe
Vad Protection: PAGE_EXECUTE_WRITECOPY
Vad Tag: Vad
Base Address(PEB): 0xff550000
Process Path(PEB): C:\Windows\System32\svchost.exe
Memory Protection: PAGE_EXECUTE_WRITECOPY
Memory Tag: Vad
0xff550000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0xff550010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0xff550020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xff550030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................
Similar Processes:
svchost.exe(892) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000
svchost.exe(1160) Parent:services.exe(536) Start:2022-06-14 06:39:11 UTC+0000
svchost.exe(108) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000
svchost.exe(3440) Parent:services.exe(536) Start:2022-06-14 06:39:41 UTC+0000
svchost.exe(792) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000
svchost.exe(924) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000
svchost.exe(1264) Parent:services.exe(536) Start:2022-06-14 06:39:21 UTC+0000
svchost.exe(688) Parent:services.exe(536) Start:2022-06-14 06:39:09 UTC+0000
svchost.exe(2832) Parent:explorer.exe(2712) Start:2022-06-14 06:39:33 UTC+0000
svchost.exe(3260) Parent:ReplaceProcess(3076) Start:2022-06-14 06:40:32 UTC+0000
svchost.exe(396) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000
svchost.exe(952) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000
svchost.exe(1488) Parent:services.exe(536) Start:2022-06-14 06:39:21 UTC+0000
Suspicious Memory Regions:
0x7feff000000(No PE/Possibly Code) Protection: PAGE_EXECUTE_WRITECOPY Tag: Vad
---------------------------------------------------
Hollowed Process Information:
Process: GoogleUpdate.e PID: 3708
Parent Process: GoogleUpdate.e PPID: 2912
Creation Time: 2022-06-14 06:39:45 UTC+0000
Process Base Name(PEB): GoogleUpdate.exe
Command Line(PEB): "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr
Hollow Type: No VAD Entry For Process Executable
VAD and PEB Comparison:
Base Address(VAD): 0x0
Process Path(VAD): NA
Vad Protection: NA
Vad Tag: NA
Base Address(PEB): 0xe80000
Process Path(PEB): C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Memory Protection: PAGE_EXECUTE_WRITECOPY
Memory Tag: Vad
No Hexdump: Memory Unreadable at 0x00e80000
Similar Processes:
GoogleUpdate.e(3708) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:45 UTC+0000
GoogleUpdate.e(3784) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:47 UTC+0000
GoogleUpdate.e(2912) Parent:taskeng.exe(2864) Start:2022-06-14 06:39:27 UTC+0000
Suspicious Memory Regions:
0x40000(No PE/Possibly Code) Protection: PAGE_EXECUTE_WRITECOPY Tag: Vad
---------------------------------------------------
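The report above is short, but on a real image hollowfind can emit dozens of records. As an added example (my own Python 3 code, not from the original post or the Volatility project), the script below parses hollowfind's text output into records and reduces each one to the facts a responder acts on: whether the VAD maps a different file than the PEB claims for the process image, and which of the suspicious regions are writable and executable. It assumes the report format is exactly as printed above; the sample report is constructed from two of the records above, trimmed to the lines the parser uses.

```python
import re
# Constructed sample in the shape of the hollowfind report above (two records, trimmed to the lines used here).
SAMPLE_REPORT = r"""Hollowed Process Information:
Process: svchost.exe PID: 892
Hollow Type: Process Base Address and Memory Protection Discrepancy
Process Path(VAD): \Windows\System32\services.exe
Process Path(PEB): C:\Windows\System32\svchost.exe
Suspicious Memory Regions:
0x7feff000000(No PE/Possibly Code) Protection: PAGE_EXECUTE_WRITECOPY Tag: Vad
---------------------------------------------------
Hollowed Process Information:
Process: GoogleUpdate.e PID: 2912
Hollow Type: No VAD Entry For Process Executable
Process Path(VAD): NA
Process Path(PEB): C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Suspicious Memory Regions:
0x1a0000(No PE/Possibly Code) Protection: PAGE_EXECUTE_READWRITE Tag: VadS
---------------------------------------------------
"""

FIELD_RE = re.compile(r"^([A-Za-z ()]+?): (.*)$")  # "Key: value" lines of a record
REGION_RE = re.compile(r"^(0x[0-9a-f]+)\((.*?)\) Protection: (\S+) Tag: (\S+)$")

def parse_hollowfind(text):
    """Split the report on its dashed separators and collect each record's fields and regions."""
    records = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        if "Hollowed Process Information:" not in block:
            continue
        rec = {"regions": []}
        for line in block.splitlines():
            r, f = REGION_RE.match(line), FIELD_RE.match(line)
            if r:
                rec["regions"].append({"base": int(r.group(1), 16), "prot": r.group(3), "tag": r.group(4)})
            elif f:
                rec[f.group(1)] = f.group(2)
        records.append(rec)
    return records

def triage(records):
    """Reduce each record to what a responder acts on: PID, hollow type, image mismatch, RWX regions."""
    findings = []
    for rec in records:
        name, pid = rec["Process"].rsplit(" PID: ", 1)
        vad_img = rec.get("Process Path(VAD)", "NA").rsplit("\\", 1)[-1].lower()
        peb_img = rec.get("Process Path(PEB)", "NA").rsplit("\\", 1)[-1].lower()
        findings.append({"process": name, "pid": int(pid), "hollow_type": rec.get("Hollow Type", ""),
                         "image_mismatch": vad_img == "na" or vad_img != peb_img,  # no/other file at PEB base
                         "rwx_regions": [r["base"] for r in rec["regions"] if r["prot"] == "PAGE_EXECUTE_READWRITE"]})
    return findings
```

Feed it the saved plugin output (for example `triage(parse_hollowfind(open("hollowfind.txt").read()))`) and sort the findings by PID to pair them with the pslist output.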
Common problems
Failed to import volatility.plugins.registry.shutdown (ImportError: XXX
When running
python27.exe .\vol.py -f D:\workspace\2013\Github\volatility-master\svchost.DMP hollowfind
the following errors are reported:
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: Error loading the diStorm dynamic library (or cannot load library into process).)
Solution
https://github.com/volatilityfoundation/volatility/issues/535
pip install distorm3 pycrypto openpyxl Pillow
Alternatively, run it this way so that pip and python are guaranteed to be the same version:
python -m pip install distorm3 pycrypto openpyxl Pillow
No suitable address space mapping found
See: https://github.com/volatilityfoundation/volatility/issues/698
I mainly looked at the later comment, where kdbgscan ran successfully; then, using the profile that kdbgscan outputs, add --profile=xxxx to the command you need to run.
python27.exe .\vol.py -f D:\workspace\vms\windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso\windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso-6f11cc0a.vmem --profile=Win10x64_18362 pslist