1. Introduction to Volatility Workbench
Volatility is currently the best memory forensics tool available; it can analyze memory images from the four major platforms: Windows, Linux, macOS and Android. Volatility is an open-source memory forensics framework that analyzes an exported memory image by walking the kernel's data structures, and its plugins report the detailed contents of memory and the running state of the system.
Volatility Workbench is essentially a GUI version of Volatility: it exposes every function as a one-click operation inside the application, so we no longer have to type commands to dig through the image, which is genuinely a lot more convenient.
I only learned about Volatility recently through the Meiya Cup (美亚杯). Volatility Workbench is English-only, and you still need some background to make sense of the information it produces. When I have a quieter stretch I plan to build a small, more polished Chinese-language tool: for example, once an image is loaded, extract a given Windows user's password NTLM hash with one click, crack it with Hashcat in one click (the previous post covered manual cracking), and finally display that user's plaintext password.
2. Downloading the tool
Official site: click to download the latest version
Version 3.0.1: https://pan.baidu.com/s/1WHdbXz-XPc_uzXrAiXrMHg?pwd=0dqb
3. Quick hands-on
A brief introduction to some of the Windows-platform commands:
windows.info: shows OS and kernel details of the memory sample being analyzed
windows.callbacks: lists kernel callbacks and notification routines
windows.cmdline: lists process command-line arguments
windows.dlldump: dumps the DLL memory ranges of a process
windows.dlllist: lists the DLL modules loaded in a Windows memory image
windows.driverirp: lists driver IRPs in a Windows memory image
windows.driverscan: scans for drivers present in a Windows memory image
windows.filescan: scans for file objects present in a Windows memory image
windows.handles: lists the handles opened by processes
windows.malfind: lists process memory ranges that may contain injected code
windows.moddump: dumps kernel modules
windows.modscan: scans for modules present in a Windows memory image
windows.mutantscan: scans for mutexes present in a Windows memory image
windows.pslist: lists the processes present in a Windows memory image
windows.psscan: scans for processes present in a Windows memory image
windows.pstree: lists the process tree
windows.procdump: dumps process executable images
windows.registry.certificates: lists the certificates stored in the registry
windows.registry.hivelist: lists the registry hives present in a memory image
windows.registry.hivescan: scans for registry hives present in a Windows memory image
windows.registry.printkey: lists registry keys under a hive or a specific key
windows.registry.userassist: prints UserAssist registry keys and their information
windows.ssdt: lists the system call table
windows.strings: reads the output of the strings command and indicates which process each string belongs to
windows.svcscan: scans for Windows services
windows.symlinkscan: scans for symbolic links present in a Windows memory image
3.1 Identifying the operating system and the image acquisition time
Select windows.info.Info to start the analysis;
Time Stamp: Thu Nov 10 16:03:35 2022
"E:\VolatilityWorkbench\vol.exe" -f "E:\Vtm-computer-memdump.mem" windows.info.Info
Please wait, this may take a few minutes.
Volatility 3 Framework 1.0.0-beta.1
Variable Value
Kernel Base 0x81208000
DTB 0x1a8000
Symbols file:///E:/VolatilityWorkbench/symbols/windows/ntkrpamp.pdb/3a07902d18fd40ce929445d177770324-1.json.xz
primary 0 WindowsIntelPAE
memory_layer 1 FileLayer
KdDebuggerDataBlock 0x81437820
NTBuildLab 10240.16384.x86fre.th1.150709-17
CSDVersion 0
KdVersionBlock 0x81437ef0
Major/Minor 15.10240
MachineType 332
KeNumberProcessors 4
SystemTime 2021-10-19 10:49:51
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 332
PE TimeDateStamp Fri Jul 10 03:39:14 2015
Time Stamp: Thu Nov 10 16:03:38 2022
******* End of command output ******
SystemTime shows when the image was acquired: 2021-10-19 10:49:51;
NTBuildLab shows that this is a Windows 10 system (the build string can be pasted into Baidu to look it up).
3.2 Listing all processes
Select windows.pslist.PsList to start the analysis;
Time Stamp: Thu Nov 10 16:17:13 2022
"E:\VolatilityWorkbench\vol.exe" -f "E:\Vtm-computer-memdump.mem" windows.pslist.PsList
Please wait, this may take a few minutes.
Volatility 3 Framework 1.0.0-beta.1
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0x89a74780 156 - N/A False 2021-09-18 01:39:37.000000 N/A
272 4 smss.exe 0x905c0c40 2 - N/A False 2021-09-18 01:39:37.000000 N/A
348 340 csrss.exe 0x9482cac0 10 - 0 False 2021-09-18 01:39:40.000000 N/A
416 340 wininit.exe 0x89ad1040 1 - 0 False 2021-09-18 01:39:40.000000 N/A
488 416 services.exe 0x89b502c0 6 - 0 False 2021-09-18 01:39:41.000000 N/A
504 416 lsass.exe 0x89af43c0 5 - 0 False 2021-09-18 01:39:41.000000 N/A
656 488 svchost.exe 0x9493d580 19 - 0 False 2021-09-18 01:39:41.000000 N/A
716 488 svchost.exe 0x9496e040 13 - 0 False 2021-09-18 01:39:41.000000 N/A
780 488 sppsvc.exe 0x94962c40 0 - 0 False 2021-09-18 01:39:41.000000 2021-09-18 01:41:08.000000
916 488 svchost.exe 0x949a02c0 25 - 0 False 2021-09-18 01:39:41.000000 N/A
1052 488 svchost.exe 0x949c6c40 21 - 0 False 2021-09-18 01:39:45.000000 N/A
1100 488 svchost.exe 0x949fc040 18 - 0 False 2021-09-18 01:39:45.000000 N/A
1172 488 svchost.exe 0x949e73c0 19 - 0 False 2021-09-18 01:39:46.000000 N/A
1232 488 svchost.exe 0x932fea00 50 - 0 False 2021-09-18 01:39:46.000000 N/A
1256 488 svchost.exe 0x9330d040 17 - 0 False 2021-09-18 01:39:46.000000 N/A
1800 488 spoolsv.exe 0x948a2c40 12 - 0 False 2021-09-18 01:39:47.000000 N/A
1964 488 svchost.exe 0xa0f07480 3 - 0 False 2021-09-18 01:39:48.000000 N/A
344 488 svchost.exe 0x933eb440 9 - 0 False 2021-09-18 01:39:48.000000 N/A
612 488 svchost.exe 0xa0fbda40 7 - 0 False 2021-09-18 01:39:48.000000 N/A
608 488 MsMpEng.exe 0xa0f32c00 7 - 0 False 2021-09-18 01:39:48.000000 N/A
2724 488 SearchIndexer. 0x8e456540 16 - 0 False 2021-09-18 01:39:54.000000 N/A
3768 488 svchost.exe 0x96ee8040 10 - 0 False 2021-09-18 01:39:57.000000 N/A
5880 488 sedsvc.exe 0xabc65c40 2 - 0 False 2021-10-02 07:17:35.000000 N/A
3972 488 svchost.exe 0x8f632040 3 - 0 False 2021-10-02 07:17:37.000000 N/A
4964 1100 audiodg.exe 0xb5694c40 4 - 0 False 2021-10-02 07:21:24.000000 N/A
924 5176 csrss.exe 0xa3d34c40 11 - 2 False 2021-10-15 02:13:52.000000 N/A
3792 5176 winlogon.exe 0x948053c0 4 - 2 False 2021-10-15 02:13:52.000000 N/A
4612 3792 dwm.exe 0x89acd040 11 - 2 False 2021-10-15 02:13:53.000000 N/A
560 1232 sihost.exe 0x8e431500 9 - 2 False 2021-10-19 10:42:46.000000 N/A
2972 1232 taskhostw.exe 0xabd8db40 9 - 2 False 2021-10-19 10:42:46.000000 N/A
1120 656 ChtIME.exe 0xabdab040 7 - 2 False 2021-10-19 10:42:46.000000 N/A
4204 3792 userinit.exe 0xec21ac40 0 - 2 False 2021-10-19 10:42:51.000000 2021-10-19 10:43:14.000000
452 4204 explorer.exe 0xa3d3bc40 49 - 2 False 2021-10-19 10:42:51.000000 N/A
3288 656 RuntimeBroker. 0x8ef4dc40 10 - 2 False 2021-10-19 10:42:51.000000 N/A
5608 656 ShellExperienc 0x8f6494c0 40 - 2 False 2021-10-19 10:42:51.000000 N/A
4824 656 SearchUI.exe 0xafa5ac40 32 - 2 False 2021-10-19 10:42:51.000000 N/A
1572 452 OneDrive.exe 0x8eed9700 9 - 2 False 2021-10-19 10:43:01.000000 N/A
624 656 ChtIME.exe 0xa3dc93c0 7 - 2 False 2021-10-19 10:43:07.000000 N/A
4496 3288 cmd.exe 0x9336c980 1 - 2 False 2021-10-19 10:43:09.000000 N/A
572 4496 conhost.exe 0xb78cbc40 2 - 2 False 2021-10-19 10:43:09.000000 N/A
3716 656 ApplicationFra 0x9331ab40 2 - 2 False 2021-10-19 10:43:25.000000 N/A
5196 488 svchost.exe 0xb5680200 3 - 2 False 2021-10-19 10:44:46.000000 N/A
1508 488 svchost.exe 0x94932c40 4 - 0 False 2021-10-19 10:45:41.000000 N/A
4912 488 RtkAudioServic 0x948de180 2 - 0 False 2021-10-19 10:46:19.000000 N/A
4448 1052 WUDFHost.exe 0xabcbcb00 10 - 0 False 2021-10-19 10:48:49.000000 N/A
6136 4496 FTK Imager.exe 0xb563d900 21 - 2 False 2021-10-19 10:49:27.000000 N/A
1244 1232 WMIADAP.exe 0x948e2380 8 - 0 False 2021-10-19 10:49:49.000000 N/A
5072 656 WmiPrvSE.exe 0xafb6b040 6 - 0 False 2021-10-19 10:49:49.000000 N/A
2152 1232 taskeng.exe 0xa3dde040 8 - 0 False 2021-10-19 10:50:41.000000 N/A
Time Stamp: Thu Nov 10 16:17:17 2022
******* End of command output ******
3.3 Identifying child and parent processes
Select windows.pstree.PsTree to start the analysis; the parent/child view can expose hidden trojan or malware files;
Time Stamp: Thu Nov 10 16:21:45 2022
"E:\VolatilityWorkbench\vol.exe" -f "E:\Vtm-computer-memdump.mem" windows.pstree.PsTree
Please wait, this may take a few minutes.
Volatility 3 Framework 1.0.0-beta.1
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xa3dde040 156 - N/A False 2021-09-18 01:39:37.000000 N/A
*272 4 smss.exe 0xa3dde040 2 - N/A False 2021-09-18 01:39:37.000000 N/A
348 340 csrss.exe 0xa3dde040 10 - 0 False 2021-09-18 01:39:40.000000 N/A
416 340 wininit.exe 0xa3dde040 1 - 0 False 2021-09-18 01:39:40.000000 N/A
*488 416 services.exe 0xa3dde040 6 - 0 False 2021-09-18 01:39:41.000000 N/A
**3972 488 svchost.exe 0xa3dde040 3 - 0 False 2021-10-02 07:17:37.000000 N/A
**1800 488 spoolsv.exe 0xa3dde040 12 - 0 False 2021-09-18 01:39:47.000000 N/A
**780 488 sppsvc.exe 0xa3dde040 0 - 0 False 2021-09-18 01:39:41.000000 2021-09-18 01:41:08.000000
**656 488 svchost.exe 0xa3dde040 19 - 0 False 2021-09-18 01:39:41.000000 N/A
***1120 656 ChtIME.exe 0xa3dde040 7 - 2 False 2021-10-19 10:42:46.000000 N/A
***3716 656 ApplicationFra 0xa3dde040 2 - 2 False 2021-10-19 10:43:25.000000 N/A
***5608 656 ShellExperienc 0xa3dde040 40 - 2 False 2021-10-19 10:42:51.000000 N/A
***624 656 ChtIME.exe 0xa3dde040 7 - 2 False 2021-10-19 10:43:07.000000 N/A
***5072 656 WmiPrvSE.exe 0xa3dde040 6 - 0 False 2021-10-19 10:49:49.000000 N/A
***4824 656 SearchUI.exe 0xa3dde040 32 - 2 False 2021-10-19 10:42:51.000000 N/A
***3288 656 RuntimeBroker. 0xa3dde040 10 - 2 False 2021-10-19 10:42:51.000000 N/A
****4496 3288 cmd.exe 0xa3dde040 1 - 2 False 2021-10-19 10:43:09.000000 N/A
*****6136 4496 FTK Imager.exe 0xa3dde040 21 - 2 False 2021-10-19 10:49:27.000000 N/A
*****572 4496 conhost.exe 0xa3dde040 2 - 2 False 2021-10-19 10:43:09.000000 N/A
**916 488 svchost.exe 0xa3dde040 25 - 0 False 2021-09-18 01:39:41.000000 N/A
**1172 488 svchost.exe 0xa3dde040 19 - 0 False 2021-09-18 01:39:46.000000 N/A
**1052 488 svchost.exe 0xa3dde040 21 - 0 False 2021-09-18 01:39:45.000000 N/A
***4448 1052 WUDFHost.exe 0xa3dde040 10 - 0 False 2021-10-19 10:48:49.000000 N/A
**2724 488 SearchIndexer. 0xa3dde040 16 - 0 False 2021-09-18 01:39:54.000000 N/A
**1964 488 svchost.exe 0xa3dde040 3 - 0 False 2021-09-18 01:39:48.000000 N/A
**4912 488 RtkAudioServic 0xa3dde040 2 - 0 False 2021-10-19 10:46:19.000000 N/A
**3768 488 svchost.exe 0xa3dde040 10 - 0 False 2021-09-18 01:39:57.000000 N/A
**716 488 svchost.exe 0xa3dde040 13 - 0 False 2021-09-18 01:39:41.000000 N/A
**1100 488 svchost.exe 0xa3dde040 18 - 0 False 2021-09-18 01:39:45.000000 N/A
***4964 1100 audiodg.exe 0xa3dde040 4 - 0 False 2021-10-02 07:21:24.000000 N/A
**5196 488 svchost.exe 0xa3dde040 3 - 2 False 2021-10-19 10:44:46.000000 N/A
**1232 488 svchost.exe 0xa3dde040 50 - 0 False 2021-09-18 01:39:46.000000 N/A
***560 1232 sihost.exe 0xa3dde040 9 - 2 False 2021-10-19 10:42:46.000000 N/A
***1244 1232 WMIADAP.exe 0xa3dde040 8 - 0 False 2021-10-19 10:49:49.000000 N/A
***2972 1232 taskhostw.exe 0xa3dde040 9 - 2 False 2021-10-19 10:42:46.000000 N/A
***2152 1232 taskeng.exe 0xa3dde040 8 - 0 False 2021-10-19 10:50:41.000000 N/A
**344 488 svchost.exe 0xa3dde040 9 - 0 False 2021-09-18 01:39:48.000000 N/A
**608 488 MsMpEng.exe 0xa3dde040 7 - 0 False 2021-09-18 01:39:48.000000 N/A
**612 488 svchost.exe 0xa3dde040 7 - 0 False 2021-09-18 01:39:48.000000 N/A
**1508 488 svchost.exe 0xa3dde040 4 - 0 False 2021-10-19 10:45:41.000000 N/A
**1256 488 svchost.exe 0xa3dde040 17 - 0 False 2021-09-18 01:39:46.000000 N/A
**5880 488 sedsvc.exe 0xa3dde040 2 - 0 False 2021-10-02 07:17:35.000000 N/A
*504 416 lsass.exe 0xa3dde040 5 - 0 False 2021-09-18 01:39:41.000000 N/A
924 5176 csrss.exe 0xa3dde040 11 - 2 False 2021-10-15 02:13:52.000000 N/A
3792 5176 winlogon.exe 0xa3dde040 4 - 2 False 2021-10-15 02:13:52.000000 N/A
*4204 3792 userinit.exe 0xa3dde040 0 - 2 False 2021-10-19 10:42:51.000000 2021-10-19 10:43:14.000000
**452 4204 explorer.exe 0xa3dde040 49 - 2 False 2021-10-19 10:42:51.000000 N/A
***1572 452 OneDrive.exe 0xa3dde040 9 - 2 False 2021-10-19 10:43:01.000000 N/A
*4612 3792 dwm.exe 0xa3dde040 11 - 2 False 2021-10-15 02:13:53.000000 N/A
Time Stamp: Thu Nov 10 16:21:49 2022
******* End of command output ******
After listing the processes, we would pick out the suspicious files and extract them. But it seems Volatility Workbench doesn't have that feature..?
Well, I'll have to learn Volatility proper someday..
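The process-tree step above rests on knowing which parent each core Windows process should have. As an added example (not part of Volatility or Volatility Workbench), the script below parses PsList text output like the listings shown and flags processes whose parent is wrong or missing; the expected-parent table and the sample rows are my own constructed input.

```python
import re
# PsList columns: PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime
# ExitTime. ImageFileName may contain spaces ("FTK Imager.exe"), so it is matched lazily.
ROW_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)\s+0x[0-9a-fA-F]+\s+\d+\s")

# Parent each core Windows 10 process normally has. smss.exe exits once it has spawned
# csrss/wininit/winlogon, so an absent parent is expected for those three.
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe", "services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe", "runtimebroker.exe": "svchost.exe",
}

def parse_pslist(text):
    """Return {pid: (ppid, image_name)}; banner and header lines never match ROW_RE."""
    rows = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return {int(m["pid"]): (int(m["ppid"]), m["name"]) for m in rows if m}

def canonical(name):
    """Map a name to an EXPECTED_PARENT key; 14-char names are truncated, so match by prefix."""
    key = name.lower()
    return next((k for k in EXPECTED_PARENT if k == key or (len(key) == 14 and k.startswith(key))), None)

def lineage_anomalies(procs):
    """List (pid, name, reason) for processes whose parent is wrong or not in the listing."""
    findings = []
    for pid, (ppid, name) in sorted(procs.items()):
        key = canonical(name)
        if key is None:
            continue
        want, parent = EXPECTED_PARENT[key], procs.get(ppid)
        if parent is None and want != "smss.exe":
            findings.append((pid, name, f"parent PID {ppid} not in listing, expected {want}"))
        elif parent is not None and parent[1].lower() != want:
            findings.append((pid, name, f"parent is {parent[1]} (PID {ppid}), expected {want}"))
    return findings

# Constructed sample after the output above; the last two svchost.exe rows are planted anomalies.
SAMPLE = """\
4 0 System 0x89a74780 156 - N/A False 2021-09-18 01:39:37.000000 N/A
272 4 smss.exe 0x905c0c40 2 - N/A False 2021-09-18 01:39:37.000000 N/A
348 340 csrss.exe 0x9482cac0 10 - 0 False 2021-09-18 01:39:40.000000 N/A
416 340 wininit.exe 0x89ad1040 1 - 0 False 2021-09-18 01:39:40.000000 N/A
488 416 services.exe 0x89b502c0 6 - 0 False 2021-09-18 01:39:41.000000 N/A
656 488 svchost.exe 0x9493d580 19 - 0 False 2021-09-18 01:39:41.000000 N/A
452 4204 explorer.exe 0xa3d3bc40 49 - 2 False 2021-10-19 10:42:51.000000 N/A
3288 656 RuntimeBroker. 0x8ef4dc40 10 - 2 False 2021-10-19 10:42:51.000000 N/A
2200 452 svchost.exe 0x9336c000 3 - 2 False 2021-10-19 10:47:00.000000 N/A
3100 9999 svchost.exe 0x9336d000 2 - 2 False 2021-10-19 10:47:30.000000 N/A
"""
```

Run `lineage_anomalies(parse_pslist(SAMPLE))` to see only the two planted rows reported; the csrss.exe and wininit.exe rows with the exited smss.exe parent (PID 340) are correctly left alone.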