• Volatility memory forensics methods


    Computer digital forensics splits into memory forensics and disk forensics, and into live forensics and dead (post-mortem) forensics. Whichever approach is used, the crime scene should be disturbed as little as possible: snapshot memory with a memory dumping tool and clone the disk with a disk cloning tool, so that later analysis works on the copies. This article looks at live forensics within memory forensics.

    Tool URL: https://github.com/volatilityfoundation/volatility

    Query basic image information: volatility -f winxp.raw imageinfo

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw imageinfo
    Volatility Foundation Volatility Framework 2.6
    INFO    : volatility.debug    : Determining profile based on KDBG search...
              Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                         AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                         AS Layer2 : FileAddressSpace (/mnt/d/winxp.raw)
                          PAE type : PAE
                               DTB : 0xad6000L
                              KDBG : 0x80546ae0L
              Number of Processors : 1
         Image Type (Service Pack) : 3
                    KPCR for CPU 0 : 0xffdff000L
                 KUSER_SHARED_DATA : 0xffdf0000L
               Image date and time : 2020-03-13 02:08:21 UTC+0000
         Image local date and time : 2020-03-13 10:08:21 +0800
    

    List running processes: volatility -f winxp.raw --profile=WinXPSP3x86 pslist

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 pslist
    Volatility Foundation Volatility Framework 2.6
    Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit         
    ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
    0x821b9830 System                    4      0     56      522 ------      0                                             
    0x8210bd38 smss.exe                488      4      3       19 ------      0 2020-01-19 01:52:22 UTC+0000                
    0x8203e020 csrss.exe               600    488     11      360      0      0 2020-01-19 01:52:22 UTC+0000                
    0x81bf61a8 winlogon.exe            624    488     17      435      0      0 2020-01-19 01:52:23 UTC+0000                
    0x8207ea88 services.exe            668    624     16      260      0      0 2020-01-19 01:52:23 UTC+0000                
    0x81f62238 lsass.exe               680    624     20      336      0      0 2020-01-19 01:52:23 UTC+0000     
    0x81b34020 cmd.exe                1580   1468      1       32      0      0 2020-03-13 02:08:14 UTC+0000                
    0x81bf4378 calc.exe               1512   1580      1       44      0      0 2020-03-13 02:08:16 UTC+0000                
    0x81b50020 DumpIt.exe             1008   1468      1       25      0      0 2020-03-13 02:08:19 UTC+0000   
    

    Show the tree of running processes: volatility -f winxp.raw --profile=WinXPSP3x86 pstree

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 pstree
    Volatility Foundation Volatility Framework 2.6
    Name                                                  Pid   PPid   Thds   Hnds Time
    -------------------------------------------------- ------ ------ ------ ------ ----
     0x821b9830:System                                      4      0     56    522 1970-01-01 00:00:00 UTC+0000
    . 0x8210bd38:smss.exe                                 488      4      3     19 2020-01-19 01:52:22 UTC+0000
    .. 0x8203e020:csrss.exe                               600    488     11    360 2020-01-19 01:52:22 UTC+0000
    .. 0x81bf61a8:winlogon.exe                            624    488     17    435 2020-01-19 01:52:23 UTC+0000
    ... 0x8207ea88:services.exe                           668    624     16    260 2020-01-19 01:52:23 UTC+0000
    .... 0x81f684c0:svchost.exe                          1032    668     55   1194 2020-01-19 01:52:24 UTC+0000
    ..... 0x81e44da0:wscntfy.exe                          880   1032      1     39 2020-03-13 01:52:46 UTC+0000
    .... 0x820408b8:vmtoolsd.exe                         1940    668      7    271 2020-01-19 01:52:37 UTC+0000
    .... 0x81f71980:spoolsv.exe                          1560    668     10    118 2020-01-19 01:52:29 UTC+0000
    .... 0x81f865d8:svchost.exe                          1192    668      8     92 2020-03-13 01:53:09 UTC+0000
    .... 0x81cc6c30:svchost.exe                          1072    668      4     77 2020-01-19 01:52:24 UTC+0000
    .... 0x81fcad78:vmacthlp.exe                          840    668      1     25 2020-01-19 01:52:24 UTC+0000
    .... 0x81cc54e0:svchost.exe                           936    668     10    252 2020-01-19 01:52:24 UTC+0000
    .... 0x820873c0:svchost.exe                           856    668     15    190 2020-01-19 01:52:24 UTC+0000
    .... 0x82102020:svchost.exe                          1116    668     15    209 2020-01-19 01:52:27 UTC+0000
    .... 0x8206dd80:alg.exe                              1252    668      6    106 2020-03-13 01:52:45 UTC+0000
    .... 0x81c03020:imapi.exe                             508    668      4    114 2020-03-13 01:52:44 UTC+0000
    ... 0x81f62238:lsass.exe                              680    624     20    336 2020-01-19 01:52:23 UTC+0000
     0x82135da0:explorer.exe                             1468   1436      9    389 2020-01-19 01:52:28 UTC+0000
    . 0x81ff7da0:ctfmon.exe                              1732   1468      1     71 2020-01-19 01:52:31 UTC+0000
    . 0x81b34020:cmd.exe                                 1580   1468      1     32 2020-03-13 02:08:14 UTC+0000
    . 0x81e37020:FTPServer.exe                            324   1468      3    118 2020-03-13 01:58:37 UTC+0000
    

    Dump the memory of FTPServer.exe (PID 324): volatility -f winxp.raw --profile=WinXPSP3x86 memdump -p 324 --dump-dir=/home/lyshark

    lyshark@Dell:/mnt/d$ sudo volatility -f winxp.raw --profile=WinXPSP3x86 memdump -p 324 --dump-dir=/home/lyshark
    Volatility Foundation Volatility Framework 2.6
    ************************************************************************
    Writing FTPServer.exe [   324] to 324.dmp
    
    lyshark@Dell:~$ hexedit 324.dmp
    lyshark@Dell:~$ strings 324.dmp
    

    Retrieve command history (cmdscan only recovers command-line history): volatility -f winxp.raw --profile=WinXPSP3x86 cmdscan

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 cmdscan
    Volatility Foundation Volatility Framework 2.6
    **************************************************
    CommandProcess: csrss.exe Pid: 600
    CommandHistory: 0x556bb8 Application: FTPServer.exe Flags: Allocated
    CommandCount: 0 LastAdded: -1 LastDisplayed: -1
    FirstCommand: 0 CommandCountMax: 50
    ProcessHandle: 0x4a8
    **************************************************
    CommandProcess: csrss.exe Pid: 600
    CommandHistory: 0x3667a30 Application: DumpIt.exe Flags: Allocated
    CommandCount: 0 LastAdded: -1 LastDisplayed: -1
    FirstCommand: 0 CommandCountMax: 50
    ProcessHandle: 0x314
    Cmd #2 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
    Cmd #3 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
    Cmd #4 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
    Cmd #5 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
    Cmd #43 @ 0x27008f: ?
    Cmd #46 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
    Cmd #48 @ 0xaf0027: ?????????????????????????? ??????????@????????????????????????????????`?????????? ????????????????????? ?????????????????????
    Cmd #49 @ 0xaf00af: ??`?????????? ????????????????????? ?????????????????????
    **************************************************
    CommandProcess: csrss.exe Pid: 600
    CommandHistory: 0x36688f0 Application: cmd.exe Flags: Allocated, Reset
    CommandCount: 1 LastAdded: 0 LastDisplayed: 0
    FirstCommand: 0 CommandCountMax: 50
    ProcessHandle: 0x44c
    Cmd #0 @ 0x3668f70: calc
    

    Retrieve established network connections: volatility -f winxp.raw --profile=WinXPSP3x86 connscan

    volatility -f winxp.raw --profile=WinXPSP3x86 connscan  # scan for TCP connection objects, including ones already closed
    volatility -f winxp.raw --profile=WinXPSP3x86 netscan   # list all network connections and sockets (Vista and later; on XP use connections/sockets)
    
    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 connscan
    Volatility Foundation Volatility Framework 2.6
    Offset(P)  Local Address             Remote Address            Pid
    ---------- ------------------------- ------------------------- ---
    0x020296c0 192.168.1.8:1049          66.175.114.213:80         1992
    0x024a22c0 192.168.1.8:1051          192.168.1.2:8888          324
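
An added example, not part of the original post or of the Volatility project: a Python script that parses the text output of pslist and connscan, rebuilds the PPID chain that pstree renders with its dotted indentation, and flags connections whose owner PID is absent from pslist. The sample listings are constructed from the outputs above; PID 1992 from connscan appears in none of the process listings on this page, which is the case the last function catches.

```python
import re

# Constructed sample: a subset of the pslist/pstree and connscan listings on this page.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821b9830 System                    4      0     56      522 ------      0
0x8210bd38 smss.exe                488      4      3       19 ------      0 2020-01-19 01:52:22 UTC+0000
0x8203e020 csrss.exe               600    488     11      360      0      0 2020-01-19 01:52:22 UTC+0000
0x82135da0 explorer.exe           1468   1436      9      389      0      0 2020-01-19 01:52:28 UTC+0000
0x81b34020 cmd.exe                1580   1468      1       32      0      0 2020-03-13 02:08:14 UTC+0000
0x81bf4378 calc.exe               1512   1580      1       44      0      0 2020-03-13 02:08:16 UTC+0000
0x81e37020 FTPServer.exe           324   1468      3      118      0      0 2020-03-13 01:58:37 UTC+0000
"""

CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x020296c0 192.168.1.8:1049          66.175.114.213:80         1992
0x024a22c0 192.168.1.8:1051          192.168.1.2:8888          324
"""

PS_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s")
CONN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_pslist(text):
    """Return {pid: (name, ppid)} parsed from pslist text output."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m.group(3))] = (m.group(2), int(m.group(4)))
    return procs


def parse_connscan(text):
    """Return [(local, remote, pid)] parsed from connscan text output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append((m.group(2), m.group(3), int(m.group(4))))
    return conns


def ancestry(procs, pid):
    """Walk the PPID chain upward, e.g. calc.exe -> cmd.exe -> explorer.exe."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def orphan_connections(procs, conns):
    """Connections owned by a PID that pslist no longer lists. connscan carves
    _TCPT_OBJECT structures out of physical memory, so it also returns objects
    left behind by processes that have already exited."""
    return [c for c in conns if c[2] not in procs]


def connections_by_process(procs, conns):
    """Attribute each connection with a live owner to its process ancestry."""
    return {f"{c[0]} -> {c[1]}": ancestry(procs, c[2]) for c in conns if c[2] in procs}


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    conns = parse_connscan(CONNSCAN)
    for desc, chain in connections_by_process(procs, conns).items():
        print(desc, "owned by", " <- ".join(chain))
    for local, remote, pid in orphan_connections(procs, conns):
        print(f"{local} -> {remote} owned by PID {pid}, not in pslist (exited process?)")
```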
    

    List the DLLs a process has loaded, by PID (dlllist):

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 dlllist -p 324
    Volatility Foundation Volatility Framework 2.6
    ************************************************************************
    FTPServer.exe pid:    324
    Command line : "C:\Documents and Settings\Administrator\桌面\FTPServer.exe"
    Service Pack 3
    
    Base             Size  LoadCount LoadTime                       Path
    ---------- ---------- ---------- ------------------------------ ----
    0x00400000    0x1f000     0xffff                                C:\Documents and Settings\Administrator\桌面\FTPServer.exe
    0x7c920000    0x93000     0xffff                                C:\WINDOWS\system32\ntdll.dll
    0x7c800000   0x11e000     0xffff                                C:\WINDOWS\system32\kernel32.dll
    0x62500000     0x8000     0xffff                                C:\Documents and Settings\Administrator\桌面\network.dll
    0x77be0000    0x58000     0xffff                                C:\WINDOWS\system32\msvcrt.dll
    0x71a20000    0x17000     0xffff                                C:\WINDOWS\system32\WS2_32.DLL
    0x77da0000    0xa9000     0xffff                                C:\WINDOWS\system32\ADVAPI32.dll
    0x77e50000    0x92000     0xffff                                C:\WINDOWS\system32\RPCRT4.dll
    0x77fc0000    0x11000     0xffff                                C:\WINDOWS\system32\Secur32.dll
    0x71a10000     0x8000     0xffff                                C:\WINDOWS\system32\WS2HELP.dll
    0x76d70000    0x22000        0x1                                C:\WINDOWS\system32\Apphelp.dll
    0x77bd0000     0x8000        0x1                                C:\WINDOWS\system32\VERSION.dll
    0x7c340000    0x56000        0x1                                C:\Documents and Settings\Administrator\桌面\msvcr71.dll
    0x719c0000    0x3e000        0x2                                C:\WINDOWS\system32\mswsock.dll
    0x60fd0000    0x55000        0x1                                C:\WINDOWS\system32\hnetcfg.dll
    0x77ef0000    0x49000       0x49                                C:\WINDOWS\system32\GDI32.dll
    0x77d10000    0x90000       0x74                                C:\WINDOWS\system32\USER32.dll
    0x76300000    0x1d000        0x2                                C:\WINDOWS\system32\IMM32.DLL
    0x62c20000     0x9000        0x1                                C:\WINDOWS\system32\LPK.DLL
    0x73fa0000    0x6b000        0x1                                C:\WINDOWS\system32\USP10.dll
    0x71a00000     0x8000        0x1                                C:\WINDOWS\System32\wshtcpip.dll
    0x765e0000    0x93000        0x6                                C:\WINDOWS\system32\CRYPT32.dll
    0x76db0000    0x12000        0x4                                C:\WINDOWS\system32\MSASN1.dll
    0x76680000    0xa6000        0x2                                C:\WINDOWS\system32\WININET.dll
    0x770f0000    0x8b000        0xe                                C:\WINDOWS\system32\OLEAUT32.dll
    

    Disassemble suspicious code found in memory (malfind):

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 malfind -p 324
    Volatility Foundation Volatility Framework 2.6
    Process: FTPServer.exe Pid: 324 Address: 0x4c0000
    Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
    Flags: CommitCharge: 45, MemCommit: 1, PrivateMemory: 1, Protection: 6
    
    0x004c0000  4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 64   MZ.....[REU....d
    0x004c0010  13 00 00 ff d3 81 c3 95 a8 02 00 89 3b 53 6a 04   ............;Sj.
    0x004c0020  50 ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00   P...............
    0x004c0030  00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00   ................
    
    0x004c0000 4d               DEC EBP
    0x004c0001 5a               POP EDX
    0x004c0002 e800000000       CALL 0x4c0007
    0x004c0007 5b               POP EBX
    0x004c0008 52               PUSH EDX
    0x004c0009 45               INC EBP
    0x004c000a 55               PUSH EBP
    0x004c000b 89e5             MOV EBP, ESP
    0x004c000d 81c364130000     ADD EBX, 0x1364
    0x004c0013 ffd3             CALL EBX
    0x004c0015 81c395a80200     ADD EBX, 0x2a895
    0x004c001b 893b             MOV [EBX], EDI
    0x004c001d 53               PUSH EBX
    0x004c001e 6a04             PUSH 0x4
    0x004c0020 50               PUSH EAX
    0x004c0021 ffd0             CALL EAX
    0x004c0023 0000             ADD [EAX], AL
    0x004c0025 0000             ADD [EAX], AL
    0x004c0027 0000             ADD [EAX], AL
    0x004c0029 0000             ADD [EAX], AL
    0x004c002b 0000             ADD [EAX], AL
    0x004c002d 0000             ADD [EAX], AL
    0x004c002f 0000             ADD [EAX], AL
    0x004c0031 0000             ADD [EAX], AL
    0x004c0033 0000             ADD [EAX], AL
    0x004c0035 0000             ADD [EAX], AL
    0x004c0037 0000             ADD [EAX], AL
    0x004c0039 0000             ADD [EAX], AL
    0x004c003b 00f8             ADD AL, BH
    0x004c003d 0000             ADD [EAX], AL
    0x004c003f 00               DB 0x0
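
An added example, not from the original post or from Volatility: a Python parser for malfind's text output that flags the pattern shown above, a private PAGE_EXECUTE_READWRITE region whose preview starts with an MZ header and contains the CALL $+5 / POP get-PC stub visible in the disassembly. The FTPServer.exe region is taken from the listing above; the second explorer.exe region at 0x1a0000 is constructed as a benign contrast.

```python
import re

# Constructed sample: the FTPServer.exe region from the malfind output on this
# page, plus an all-zero explorer.exe region invented as a benign contrast.
MALFIND = """\
Process: FTPServer.exe Pid: 324 Address: 0x4c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 45, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x004c0000  4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 64   MZ.....[REU....d
0x004c0010  13 00 00 ff d3 81 c3 95 a8 02 00 89 3b 53 6a 04   ............;Sj.

Process: explorer.exe Pid: 1468 Address: 0x1a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
PROT_RE = re.compile(r"Protection:\s+(PAGE_\w+)")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s)+)")


def parse_malfind(text):
    """Split malfind text output into regions: one dict per 'Process:' header
    with pid, address, VAD protection and the bytes of the hexdump preview."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": None,
                   "data": bytearray()}
            regions.append(cur)
            continue
        if cur is None:
            continue
        p = PROT_RE.search(line)
        if p:
            cur["protection"] = p.group(1)
            continue
        h = HEX_RE.match(line)
        if h:
            cur["data"] += bytes.fromhex(h.group(1).replace(" ", ""))
    return regions


def has_get_pc_stub(data):
    """CALL $+5 followed by POP reg (opcodes 0x58..0x5f): position-independent
    code fetching its own address, as the disassembly above shows at 0x4c0002
    (CALL 0x4c0007; POP EBX)."""
    i = data.find(b"\xe8\x00\x00\x00\x00")
    return i != -1 and i + 5 < len(data) and 0x58 <= data[i + 5] <= 0x5f


def suspicious_regions(regions):
    """Private RWX regions whose preview starts with an MZ header or carries a
    get-PC stub: code living outside any loaded module, which dlllist never shows."""
    hits = []
    for r in regions:
        if r["protection"] != "PAGE_EXECUTE_READWRITE":
            continue
        reasons = []
        if r["data"][:2] == b"MZ":
            reasons.append("MZ header in private memory")
        if has_get_pc_stub(r["data"]):
            reasons.append("CALL $+5 / POP get-PC stub")
        if reasons:
            hits.append((r["process"], r["pid"], r["address"], reasons))
    return hits


if __name__ == "__main__":
    for proc, pid, addr, reasons in suspicious_regions(parse_malfind(MALFIND)):
        print(f"{proc} (pid {pid}) @ {addr:#x}: {', '.join(reasons)}")
```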
    

    List all registry hives: volatility -f winxp.raw --profile=WinXPSP3x86 hivelist

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivelist
    Volatility Foundation Volatility Framework 2.6
    Virtual    Physical   Name
    ---------- ---------- ----
    0xe17f9b60 0x0a0a2b60 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1c22500 0x0b9d8500 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
    0xe17fb9e8 0x0a0e49e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1a26b60 0x0a260b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
    0xe1a188d8 0x0a1438d8 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1a0c008 0x0a0f3008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
    0xe1452008 0x0803f008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
    0xe1452b60 0x0803fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
    0xe144e758 0x08037758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
    0xe144f758 0x08038758 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
    0xe1036b60 0x02b09b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
    

    Dump a hive file (the SAM hive, which holds account credentials): volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe144f758

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe144f758
    Volatility Foundation Volatility Framework 2.6
    Last Written         Key
    2020-03-01 04:53:50 UTC+0000 \SAM
    2020-03-01 04:53:50 UTC+0000 \SAM\SAM
    2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains
    2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account
    2020-03-01 05:59:03 UTC+0000 \SAM\SAM\Domains\Account\Aliases
    2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\000003E9
    2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members
    2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1343024091-152049171-1801674531
    2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1343024091-152049171-1801674531\000003EA
    2020-03-01 05:59:03 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names
    2020-03-01 05:59:03 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names\HelpServicesGroup
    2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains\Account\Groups
    2020-03-01 05:59:18 UTC+0000 \SAM\SAM\Domains\Account\Groups\00000201
    2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names
    2020-03-01 04:53:50 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names\None
    

    Dump a hive file (the SOFTWARE hive, which lists installed software): volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe1452008

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe1452008
    Volatility Foundation Volatility Framework 2.6
    Last Written         Key
    2020-03-13 01:54:54 UTC+0000 \$$$PROTO.HIV
    2020-03-01 05:58:23 UTC+0000 \$$$PROTO.HIV\C07ft5Y
    2020-03-01 05:58:23 UTC+0000 \$$$PROTO.HIV\C07ft5Y\WinXP
    2020-03-13 01:54:54 UTC+0000 \$$$PROTO.HIV\Classes
    2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*
    2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList
    2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\Excel.exe
    2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\IExplore.exe
    2020-03-01 05:57:20 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\MSPaint.exe
    2020-03-01 04:55:48 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\Notepad.exe
    2020-03-01 05:58:34 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\Winword.exe
    2020-03-01 05:57:20 UTC+0000 \$$$PROTO.HIV\Classes\*\OpenWithList\WordPad.exe
    

    Retrieve account information from the registry (user names in the SAM): volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SAM\Domains\Account\Users\Names"

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SAM\Domains\Account\Users\Names"
    Volatility Foundation Volatility Framework 2.6
    Legend: (S) = Stable   (V) = Volatile
    
    ----------------------------
    Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
    Key name: Names (S)
    Last updated: 2020-03-01 05:59:18 UTC+0000
    
    Subkeys:
      (S) Administrator
      (S) Guest
      (S) HelpAssistant
      (S) SUPPORT_388945a0
    
    Values:
    REG_NONE                      : (S)
    

    Find the last logged-on user: volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    Volatility Foundation Volatility Framework 2.6
    Legend: (S) = Stable   (V) = Volatile
    
    ----------------------------
    Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
    Key name: Winlogon (S)
    Last updated: 2020-03-01 06:03:14 UTC+0000
    
    Subkeys:
    
    Values:
    REG_SZ        ParseAutoexec   : (S) 1
    REG_SZ        ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
    REG_DWORD     BuildNumber     : (S) 2600
    ----------------------------
    Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
    Key name: Winlogon (S)
    Last updated: 2020-03-13 01:52:45 UTC+0000
    
    Subkeys:
    
    Values:
    REG_SZ        ParseAutoexec   : (S) 1
    REG_SZ        ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
    REG_DWORD     BuildNumber     : (S) 2600
    

    Query program run counts (UserAssist): volatility -f winxp.raw --profile=WinXPSP3x86 userassist

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 userassist
    Volatility Foundation Volatility Framework 2.6
    ----------------------------
    Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
    Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
    Last updated: 2020-03-13 01:58:36 UTC+0000
    
    Subkeys:
    
    Values:
    
    REG_BINARY    UEME_CTLSESSION : Raw Data:
    0x00000000  d7 c6 af 0e 02 00 00 00                           ........
    
    REG_BINARY    UEME_CTLCUACount:ctor :
    ID:             1
    Count:          2
    Last updated:   1970-01-01 00:00:00 UTC+0000
    Raw Data:
    0x00000000  01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00   ................
    
    REG_BINARY    UEME_UITOOLBAR  :
    ID:             1
    Count:          1
    Last updated:   2020-03-01 06:19:01 UTC+0000
    Raw Data:
    0x00000000  01 00 00 00 06 00 00 00 20 77 09 4d 91 ef d5 01   .........w.M....
    
    REG_BINARY    UEME_UITOOLBAR:0x1,120 :
    ID:             1
    Count:          1
    Last updated:   2020-03-01 06:19:01 UTC+0000
    Raw Data:
    0x00000000  01 00 00 00 06 00 00 00 20 77 09 4d 91 ef d5 01   .........w.M....
    ----------------------------
    Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
    Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    Last updated: 2020-03-13 02:08:19 UTC+0000
    

    Dump user name and password hashes. hashdump needs the virtual addresses of two hives from hivelist, SYSTEM (-y) and SAM (-s), before it can produce the hashes.

    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hivelist
    Volatility Foundation Volatility Framework 2.6
    Virtual    Physical   Name
    ---------- ---------- ----
    0xe17f9b60 0x0a0a2b60 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1c22500 0x0b9d8500 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
    0xe17fb9e8 0x0a0e49e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1a26b60 0x0a260b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
    0xe1a188d8 0x0a1438d8 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1a0c008 0x0a0f3008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
    0xe1452008 0x0803f008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
    0xe1452b60 0x0803fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
    0xe144e758 0x08037758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
    0xe144f758 0x08038758 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
    0xe1294b60 0x02d2ab60 [no name]
    0xe1036b60 0x02b09b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
    0xe102e008 0x02b02008 [no name]
    
    lyshark@Dell:/mnt/d$ volatility -f winxp.raw --profile=WinXPSP3x86 hashdump -y 0xe1036b60 -s 0xe144f758
    Volatility Foundation Volatility Framework 2.6
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:9f17bb7d77a274f1d01bc972226c8a81:c28826f36523c96b0035431d28c1a2fb:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:14b41dba4b82f80b88ce2035785bc73d:::
    lyshark@Dell:/mnt/d$
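
An added example, not from the original post or from Volatility: Python that picks the SYSTEM and SAM addresses out of hivelist output, builds the -y/-s arguments used in the run above, and audits the resulting hashdump lines for blank passwords and stored LM hashes (the empty-LM placeholder and the NT hash of the empty string are public constants). The sample inputs are constructed from the listings above.

```python
import re

# Public constants: the LM placeholder written when no LM hash is stored, and
# the NT hash of the empty string (i.e. a blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed samples: a subset of the hivelist output and the hashdump output above.
HIVELIST = r"""
Virtual    Physical   Name
---------- ---------- ----
0xe1452008 0x0803f008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe144f758 0x08038758 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1294b60 0x02d2ab60 [no name]
0xe1036b60 0x02b09b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
"""

HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9f17bb7d77a274f1d01bc972226c8a81:c28826f36523c96b0035431d28c1a2fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:14b41dba4b82f80b88ce2035785bc73d:::
"""

HIVE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+\s+(.+)$")


def hive_addresses(text):
    """Pick the SYSTEM and SAM hives out of hivelist output by path suffix and
    return their virtual addresses (hashdump takes -y SYSTEM -s SAM)."""
    found = {}
    for line in text.splitlines():
        m = HIVE_RE.match(line.strip())
        if not m:
            continue
        name = m.group(2).strip().lower()
        if name.endswith("\\config\\system"):
            found["system"] = int(m.group(1), 16)
        elif name.endswith("\\config\\sam"):
            found["sam"] = int(m.group(1), 16)
    return found


def hashdump_args(addrs):
    """The -y/-s arguments exactly as the hashdump run above used them."""
    return f"-y {addrs['system']:#x} -s {addrs['sam']:#x}"


def parse_hashdump(text):
    """Parse pwdump-style lines user:rid:lmhash:nthash::: into tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def audit(rows):
    """Map each account with a weak credential state to its findings."""
    findings = {}
    for user, rid, lm, nt in rows:
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password" + (" on built-in Administrator" if rid == 500 else ""))
        if lm != EMPTY_LM:
            issues.append("LM hash stored: LM hashing enabled and password is 14 chars or shorter")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    print("hashdump", hashdump_args(hive_addresses(HIVELIST)))
    for user, issues in audit(parse_hashdump(HASHDUMP)).items():
        print(f"{user}: {'; '.join(issues)}")
```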
    

    Sysinternals procdump: https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

    C:\Users\LyShark\Desktop>procdump.exe -ma ollyice.exe ollyice.dmp
    
    ProcDump v9.0 - Sysinternals process dump utility
    Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
    Sysinternals - www.sysinternals.com
    
    [16:03:51] Dump 1 initiated: C:\Users\LyShark\Desktop\ollyice.dmp
    [16:03:52] Dump 1 writing: Estimated dump file size is 94 MB.
    [16:03:52] Dump 1 complete: 94 MB written in 0.5 seconds
    [16:03:52] Dump count reached.
    

    Extract strings from the dump with Sysinternals strings: https://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

    C:\Users\LyShark\Desktop>strings.exe ollyice.dmp > ollyice.log
    
    Strings v2.53 - Search for ANSI and Unicode strings in binary images.
    Copyright (C) 1999-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    

    Summary of common Volatility commands

    volatility -f winxp.raw imageinfo                      # query basic image information
    volatility -f winxp.raw --profile=WinXPSP3x86 pstree   # show the process tree
    volatility -f winxp.raw --profile=WinXPSP3x86 pslist   # list running processes
    volatility -f winxp.raw --profile=WinXPSP3x86 memdump -p 324 --dump-dir=/home/lyshark    # dump the memory of PID 324
    volatility -f winxp.raw --profile=WinXPSP3x86 procdump -p 324 --dump-dir=/home/lyshark   # export the image of PID 324 as an exe
    volatility -f winxp.raw --profile=WinXPSP3x86 dlldump -p 324 --dump-dir=/home/lyshark    # export all DLLs of PID 324
    
    volatility -f winxp.raw --profile=WinXPSP3x86 getsids -p 324  # show the SIDs of the given process
    volatility -f winxp.raw --profile=WinXPSP3x86 dlllist -p 324  # list the DLLs loaded by the given process
    volatility -f winxp.raw --profile=WinXPSP3x86 threads -p 324  # list the threads of the given process
    volatility -f winxp.raw --profile=WinXPSP3x86 drivermodule    # list loaded drivers and their modules
    volatility -f winxp.raw --profile=WinXPSP3x86 malfind -p 324 -D /home/lyshark   # find and dump suspicious read/write/execute memory regions
    
    volatility -f winxp.raw --profile=WinXPSP3x86 iehistory # retrieve IE browser history
    volatility -f winxp.raw --profile=WinXPSP3x86 joblinks  # list process job objects
    volatility -f winxp.raw --profile=WinXPSP3x86 cmdscan   # scan for command-line history only
    volatility -f winxp.raw --profile=WinXPSP3x86 consoles  # recover console commands together with their screen output
    volatility -f winxp.raw --profile=WinXPSP3x86 cmdline   # list the command line of every process
    
    volatility -f winxp.raw --profile=WinXPSP3x86 connscan    # scan for TCP connection objects, including ones already closed
    volatility -f winxp.raw --profile=WinXPSP3x86 connections # list active TCP connections (XP/2003)
    volatility -f winxp.raw --profile=WinXPSP3x86 netscan     # list all network connections and sockets (Vista and later)
    volatility -f winxp.raw --profile=WinXPSP3x86 sockscan    # scan for socket objects
    
    volatility -f winxp.raw --profile=WinXPSP3x86 timeliner # build a timeline of as many artifacts as possible
    
    volatility -f winxp.raw --profile=WinXPSP3x86 hivelist                                       # list all registry hives
    volatility -f winxp.raw --profile=WinXPSP3x86 hivedump -o 0xe144f758                         # dump the keys of the SAM hive
    volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SAM\Domains\Account\Users\Names"  # list account names from the SAM
    volatility -f winxp.raw --profile=WinXPSP3x86 hashdump -y <SYSTEM hive address> -s <SAM hive address>  # dump account password hashes
    volatility -f winxp.raw --profile=WinXPSP3x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"  # find the last logged-on user
    
    volatility -f winxp.raw --profile=WinXPSP3x86 userassist                                     # query program run counts
    

    After dumping, the file can be analysed further in WinDbg.

  • Original article: https://www.cnblogs.com/LyShark/p/12484763.html