工具学习-内存取证-Volatility

发布于 2022-11-15  625 次阅读


Volatility

工具简介:

Volatility 是由 Volatility Foundation 开发和维护的免费内存取证工具,通常由蓝队内的恶意软件和SOC分析师使用,或作为其检测和监控解决方案的一部分。Volatility 是用 Python 编写的,由 Python 插件和模块组成,设计为分析内存转储的即插即用方式。

Volatility 适用于 Windows、Linux和 Mac OS,并且完全用 Python 编写。

版本

目前主流的有Volatility2和Volatility3两个版本

Volatility2
很完善的一个版本,各个插件都有,除了他的开发版本,还有他的编译版本,较为方便

Volatility3
处于一个刚开始的阶段,各方面不是特别完善

Volatility2的所有语法在 volatility3 中都发生了变化,这里我们学习最新的volatility3语法

下载地址

Volatility2:https://github.com/volatilityfoundation/volatility

Volatility3:https://github.com/volatilityfoundation/volatility3

这里优先使用git下载Volatility3

git clone https://github.com/volatilityfoundation/volatility3.git

Volatility3使用方法

使用上述命令clone项目后进入文件夹
使用命令

python3 vol.py -h

查看帮助

帮助菜单

python3 vol.py -h
Volatility 3 Framework 2.4.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
                  [--save-config SAVE_CONFIG] [--clear-cache] [--cache-path CACHE_PATH]
                  [--offline] [--single-location SINGLE_LOCATION]
                  [--stackers [STACKERS ...]]
                  [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...

An open-source memory forensics framework

options:
  -h, --help            Show this help message and exit, for specific plugin options
                        use 'volatility <pluginname> --help'
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to off if no argument given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed) setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
                        Determines how to render the output (quick, none, csv, pretty,
                        json, jsonl)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if single-location is
                        not defined
  --write-config        Write configuration JSON file out to config.json
  --save-config SAVE_CONFIG
                        Save configuration JSON file to a file
  --clear-cache         Clears out all short-term cached items
  --cache-path CACHE_PATH
                        Change the default path (/root/.cache/volatility3) used to
                        store the cache
  --offline             Do not search online for additional JSON files
  --single-location SINGLE_LOCATION
                        Specifies a base location on which to stack
  --stackers [STACKERS ...]
                        List of stackers
  --single-swap-locations [SINGLE_SWAP_LOCATIONS ...]
                        Specifies a list of swap layer URIs for use with single-
                        location

Plugins:
  For plugin specific options, run 'volatility <plugin> --help'

  plugin
    banners.Banners     Attempts to identify potential linux banners in an image
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs configuration
                        in the output directory.
    frameworkinfo.FrameworkInfo
                        Plugin to list the various modular components of Volatility
    isfinfo.IsfInfo     Determines information about the currently available ISF files,
                        or a specific one
    layerwriter.LayerWriter
                        Runs the automagics and writes out the primary layer produced
                        by the stacker.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network protocols.
    linux.check_creds.Check_creds
                        Checks if any processes are sharing credential structures
    linux.check_idt.Check_idt
                        Checks if the IDT has been altered
    linux.check_modules.Check_modules
                        Compares module list to sysfs info, if available
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.keyboard_notifiers.Keyboard_notifiers
                        Parses the keyboard notifier call chain
    linux.kmsg.Kmsg     Kernel log buffer reader
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.lsof.Lsof     Lists all memory maps for all processes.
    linux.malfind.Malfind
                        Lists process memory ranges that potentially contain injected
                        code.
    linux.mountinfo.MountInfo
                        Lists mount points on processes mount namespaces
    linux.proc.Maps     Lists all memory maps for all processes.
    linux.psaux.PsAux   Lists processes with their command line arguments
    linux.pslist.PsList
                        Lists the processes present in a particular linux memory image.
    linux.pstree.PsTree
                        Plugin for listing processes in a tree based on their parent
                        process ID.
    linux.tty_check.tty_check
                        Checks tty devices for hooks
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
                        Check system call table for hooks.
    mac.check_sysctl.Check_sysctl
                        Check sysctl handlers for hooks.
    mac.check_trap_table.Check_trap_table
                        Check mach trap table for hooks.
    mac.ifconfig.Ifconfig
                        Lists network interface information for all devices
    mac.kauth_listeners.Kauth_listeners
                        Lists kauth listeners and their status
    mac.kauth_scopes.Kauth_scopes
                        Lists kauth scopes and their status
    mac.kevents.Kevents
                        Lists event handlers registered by processes
    mac.list_files.List_Files
                        Lists all open file descriptors for all processes.
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    mac.lsof.Lsof       Lists all open file descriptors for all processes.
    mac.malfind.Malfind
                        Lists process memory ranges that potentially contain injected
                        code.
    mac.mount.Mount     A module containing a collection of plugins that produce data
                        typically found in Mac's mount command
    mac.netstat.Netstat
                        Lists all network connections for all processes.
    mac.proc_maps.Maps  Lists process memory ranges that potentially contain injected
                        code.
    mac.psaux.Psaux     Recovers program command line arguments.
    mac.pslist.PsList   Lists the processes present in a particular mac memory image.
    mac.pstree.PsTree   Plugin for listing processes in a tree based on their parent
                        process ID.
    mac.socket_filters.Socket_filters
                        Enumerates kernel socket filters.
    mac.timers.Timers   Check for malicious kernel timers.
    mac.trustedbsd.Trustedbsd
                        Checks for malicious trustedbsd modules
    mac.vfsevents.VFSevents
                        Lists processes that are filtering file system events
    timeliner.Timeliner
                        Runs all relevant plugins that provide time related information
                        and orders the results by time.
    windows.bigpools.BigPools
                        List big page pools.
    windows.callbacks.Callbacks
                        Lists kernel callbacks and notification routines.
    windows.cmdline.CmdLine
                        Lists process command line arguments.
    windows.crashinfo.Crashinfo
    windows.devicetree.DeviceTree
                        Listing tree based on drivers and attached devices in a
                        particular windows memory image.
    windows.dlllist.DllList
                        Lists the loaded modules in a particular windows memory image.
    windows.driverirp.DriverIrp
                        List IRPs for drivers in a particular windows memory image.
    windows.driverscan.DriverScan
                        Scans for drivers present in a particular windows memory image.
    windows.dumpfiles.DumpFiles
                        Dumps cached file contents from Windows memory samples.
    windows.envars.Envars
                        Display process environment variables
    windows.filescan.FileScan
                        Scans for file objects present in a particular windows memory
                        image.
    windows.getservicesids.GetServiceSIDs
                        Lists process token sids.
    windows.getsids.GetSIDs
                        Print the SIDs owning each process
    windows.handles.Handles
                        Lists process open handles.
    windows.info.Info   Show OS & kernel details of the memory sample being analyzed.
    windows.joblinks.JobLinks
                        Print process job link information
    windows.ldrmodules.LdrModules
    windows.malfind.Malfind
                        Lists process memory ranges that potentially contain injected
                        code.
    windows.mbrscan.MBRScan
                        Scans for and parses potential Master Boot Records (MBRs)
    windows.memmap.Memmap
                        Prints the memory map
    windows.mftscan.MFTScan
                        Scans for MFT FILE objects present in a particular windows
                        memory image.
    windows.modscan.ModScan
                        Scans for modules present in a particular windows memory image.
    windows.modules.Modules
                        Lists the loaded kernel modules.
    windows.mutantscan.MutantScan
                        Scans for mutexes present in a particular windows memory image.
    windows.netscan.NetScan
                        Scans for network objects present in a particular windows
                        memory image.
    windows.netstat.NetStat
                        Traverses network tracking structures present in a particular
                        windows memory image.
    windows.poolscanner.PoolScanner
                        A generic pool scanner plugin.
    windows.privileges.Privs
                        Lists process token privileges
    windows.pslist.PsList
                        Lists the processes present in a particular windows memory
                        image.
    windows.psscan.PsScan
                        Scans for processes present in a particular windows memory
                        image.
    windows.pstree.PsTree
                        Plugin for listing processes in a tree based on their parent
                        process ID.
    windows.registry.certificates.Certificates
                        Lists the certificates in the registry's Certificate Store.
    windows.registry.hivelist.HiveList
                        Lists the registry hives present in a particular memory image.
    windows.registry.hivescan.HiveScan
                        Scans for registry hives present in a particular windows memory
                        image.
    windows.registry.printkey.PrintKey
                        Lists the registry keys under a hive or specific key value.
    windows.registry.userassist.UserAssist
                        Print userassist registry keys and information.
    windows.sessions.Sessions
                        lists Processes with Session information extracted from
                        Environmental Variables
    windows.skeleton_key_check.Skeleton_Key_Check
                        Looks for signs of Skeleton Key malware
    windows.ssdt.SSDT   Lists the system call table.
    windows.statistics.Statistics
    windows.strings.Strings
                        Reads output from the strings command and indicates which
                        process(es) each string belongs to.
    windows.svcscan.SvcScan
                        Scans for windows services.
    windows.symlinkscan.SymlinkScan
                        Scans for links present in a particular windows memory image.
    windows.vadinfo.VadInfo
                        Lists process memory ranges.
    windows.vadyarascan.VadYaraScan
                        Scans all the Virtual Address Descriptor memory maps using
                        yara.
    windows.verinfo.VerInfo
                        Lists version information from PE files.
    windows.virtmap.VirtMap
                        Lists virtual mapped sections.
    yarascan.YaraScan   Scans kernel memory using yara rules (string or file).

The following plugins could not be loaded (use -vv to see why):
volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump,
volatility3.plugins.windows.lsadump

常见命令:

识别主机的相关信息

python3 vol.py -f 镜像文件 windows.info/linux.info/mac.info

Volatility3 弃用了Volatility2中最常用的imageinfo命令,如果我们仍然想从内存转储中提供有关主机的信息,则需要改用windows.info/linux.info/mac.info 命令

实例:使用windows info命令获取主机信息


列出进程和连接

Volatility3 中的五个不同插件允许您转储进程和网络连接,每个都使用不同的技术。在此任务中,当涉及到对手使用的规避技术时,我们将讨论每种技术及其优缺点。

pslist

列出进程的最基本方法是使用pslist; 该插件将从跟踪内存中进程的双向链表中获取进程列表,相当于任务管理器中的进程列表。该插件的输出将包括所有当前进程和终止进程及其退出时间。

命令:

python3 vol.py -f <file> windows.pslist

实例:

psscan

某些恶意软件(通常是 Rootkit)会试图隐藏它们的进程,并从列表中取消链接。通过从列表中取消链接,您在使用时将不再看到他们的进程pslist。为了对抗这种规避技术,我们可以使用psscan这种列出进程的技术将通过查找匹配的数据结构来定位进程_EPROCESS。虽然这种技术可以帮助规避对策,但它也可能导致误报。

命令:

python3 vol.py -f <file> windows.psscan

实例:

pstree

进程插件pstree没有像最后两个插件那样提供任何其他类型的特殊技术来帮助识别逃避;但是,此插件将根据其父进程 ID 列出所有进程,使用与pslist. 这对于分析师获取流程的完整故事以及提取时可能发生的情况很有用。

命令:

python3 vol.py -f <file> windows.pstree

实例:

netstat

netstat可以尝试识别具有网络连接的所有内存结构,但是可能非常不稳定,尤其是在旧的 Windows 版本中

命令:

python3 vol.py -f <file> windows.netstat

dlllist

该插件将列出提取时与进程关联的所有DLL 。一旦您进行了进一步的分析并可以将输出过滤到特定的 DLL,这可能会特别有用,该 DLL 可能是您认为系统上存在的特定类型的恶意软件的指标。

python3 vol.py -f <file> windows.dlllist

实例:

恶意进程追踪和检测

malfind

该插件将尝试识别注入的进程及其 PID,以及受感染区域的偏移地址和 Hex、Ascii 和反汇编视图。该插件通过扫描堆并识别设置了可执行位RWE or RX和/或磁盘上没有内存映射文件(无文件恶意软件)的进程来工作。

根据malfind识别的内容,注入的区域会发生变化。MZ 标头是 Windows 可执行文件的指示符。注入的区域也可以指向需要进一步分析的 shellcode。

命令:

python3 vol.py -f <file> windows.malfind

实例:

yarascan

yarascan将针对规则集搜索字符串、模式和复合规则。您可以使用 YARA 文件作为参数或在命令行中列出规则。

命令:

python3 vol.py -f <file> windows.yarascan

高级内存取证

ssdt

该ssdt插件将搜索挂钩并输出其结果。合法的应用程序可以使用挂钩,因此由您作为分析师来识别什么是恶意的。简要概述什么是 SSDT 挂钩:SSDT代表系统服务描述符表; Windows 内核使用此表来查找系统功能。攻击者可以挂接到此表并修改指针以指向 rootkit 控制的位置。

可能有数百个表条目ssdt将被转储;然后,您将不得不进一步分析输出或与基线进行比较。建议在调查最初的妥协并将其作为您的主要调查的一部分进行处理后使用此插件。
命令:

python3 vol.py -f <file> windows.ssdt

实例:

Volatility 提供了两个插件来列出驱动程序。

modules

该modules插件将转储已加载内核模块的列表;这对于识别活动的恶意软件很有用。但是,如果恶意文件正在等待或隐藏,此插件可能会错过它。

一旦您进一步调查并找到可用作搜索和过滤输入的潜在指标,最好使用此插件。

命令:

python3 vol.py -f <file> windows.modules

实例:

driverscan

该driverscan插件将在提取时扫描系统上存在的驱动程序。该插件可以帮助识别内核中modules插件可能遗漏或隐藏的驱动程序文件。

与上一个插件一样,再次建议在继续使用此插件之前先进行调查。也建议modules之前看一下插件driverscan。

命令:

python3 vol.py -f <file> windows.driverscan

实例:

实操



开始实操

通过以上命令得知1,2两道题答案

第三小题:

结合题目简介中的提示伪装成 Adobe 文档的银行木马
判断可疑进程为reader_sl.exe

第四,五,六小题:

ppid代表当前进程的父进程ID
所以定位到父进程为explorer.exe

下面一个问题百度了下
在 volatility2 以及 volatility3 beta 版本中,允许使用 procdump 来转储进程,
但这一插件在新版本的 volatility3 中被取消,我们应该使用:

python vol.py -f mydump.vmem -o <out_path> windows.memmap.Memmap --pid <pid> --dump

进行转储(本地测试有时候会失败),或者使用:

python vol.py -f mydump.vmem -o <out_path> windows.pslist.PsList --pid <pid> --dump

如果不加 -o 参数即保存在当前路径下

这里我们用了下面一个命令转储

接着使用string命令检索关键字

strings dump.vmem | grep -i "user-agent"

成功找到用户代理

下面一个问题,继续使用命令检索

strings dump.vmem | grep -i "Chase"

检索到大量关键字,证明存在


case 2

python3 vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.pstree

找到pid740的进程


python3 vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.dll | grep 740

成功找到路径

python3 vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.pstree

同样还是在

python3 vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.pstree


接下来一个问题谷歌了下


最后几道题目连分析带猜的
病毒详细分析见吾爱大佬分析文章:
https://www.52pojie.cn/thread-1573058-1-1.html

届ける言葉を今は育ててる
最后更新于 2022-11-15