
Volatility

Install

Get the source code rather than the standalone build, since only the source tree lets you add profiles. The extracted source contains a setup.py, but unless you intend to `import volatility` from your own scripts it is better not to run it. Just move the directory somewhere suitable, create a symlink to vol.py, and you are done.

Adding profiles

Windows profiles are installed by default, but Linux profiles are not included. Since analysis requires the --profile option to be specified, they must be added.

* If the image uses a profile Volatility does not have, it takes a very long time before any results are printed.
* Adding every profile makes Volatility very slow, so copy over only the profiles you will actually use.

```shell
# git clone https://github.com/volatilityfoundation/profiles
# cp -r ~/profiles/Linux/Ubuntu /usr/share/volatility/volatility/plugins/overlays/linux/Ubuntu
```

If the kernel is not in the separately provided profiles either, you have to generate the profile yourself.

F-INSIGHT-Generating-Volatility-Linux-Profile.pdf

https://cpuu.postype.com/post/665132

Commands
```shell
# volatility -f Ubuntu_blue-48ffaa7c.vmem imageinfo
```

https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference

Windows analysis

**cmdscan** Extract command history by scanning for _COMMAND_HISTORY

```text
**************************************************
CommandProcess: conhost.exe Pid: 1868
CommandHistory: 0x31e818 Application: svchost.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x190
Cmd #11 @ 0x10000: ?????
Cmd #37 @ 0x10000: ?????
**************************************************
CommandProcess: conhost.exe Pid: 1868
CommandHistory: 0x33a338 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #0 @ 0x33a700: cd %temp%
Cmd #1 @ 0x2d3b38: svchost.exe 1.tmp 0x0 1
```

**cmdline** Display process command-line arguments

```text
svchost.exe pid:   3828
Command line : svchost.exe  1.tmp 0x0 1
```

Process dump
**pstree** Print process list as a tree.
svchost.exe has no business sitting under explorer.exe.

```text
0x88bbaab8:explorer.exe                              940    356     31    865 2017-04-11 02:28:23 UTC+0000
. 0x8691c030:cmd.exe                                 4080    940      1     20 2017-04-11 02:32:02 UTC+0000
.. 0x88abfa78:svchost.exe                            3828   4080      1      7 2017-04-11 02:35:18 UTC+0000
. 0x88bca030:vmtoolsd.exe                            2216    940      6    191 2017-04-11 02:28:51 UTC+0000
```
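A triage check built from the observation above, added here as an example and not part of the original post: it parses pstree rows (a constructed sample copied from the ones shown here) and flags core system binaries whose parent is not the expected one, which is exactly how this svchost.exe under cmd.exe stands out. The expected-parent table is my assumption for Vista and later workstation images.

```python
import re
from collections import namedtuple

# Constructed sample of `pstree` rows, modelled on the ones in this post (offset:name, Pid, PPid, Thds, Hnds, Time).
PSTREE_SAMPLE = """\
 0x88bbaab8:explorer.exe                              940    356     31    865 2017-04-11 02:28:23 UTC+0000
. 0x8691c030:cmd.exe                                 4080    940      1     20 2017-04-11 02:32:02 UTC+0000
.. 0x88abfa78:svchost.exe                            3828   4080      1      7 2017-04-11 02:35:18 UTC+0000
. 0x88bca030:vmtoolsd.exe                            2216    940      6    191 2017-04-11 02:28:51 UTC+0000
"""

# Leading dots encode the tree depth; the remaining columns are whitespace-separated.
ROW_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<time>\S.*)$"
)

Proc = namedtuple("Proc", "name pid ppid")

def parse_pstree(text):
    """Parse pstree rows into Proc records; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), int(m["ppid"])))
    return procs

# Assumed parents for these system binaries on Vista and later (normal workstation image).
# services.exe and wininit.exe stay resident, so a parent missing from the listing is itself odd.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}

def find_parent_anomalies(procs):
    """Return (name, pid, actual_parent_name) for system binaries with an unexpected parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<not in listing>"
        if parent_name not in expected:
            findings.append((p.name, p.pid, parent_name))
    return findings
```

Feed it the real `pstree` output of an image and every reported row is a process worth pulling with dlllist and handles next.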

**dlllist** Print list of loaded dlls for each process.
Shows the path of the executed process together with its command line.

```text
svchost.exe pid:   3828
Command line : svchost.exe  1.tmp 0x0 1
Service Pack 1
Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00ed0000     0x6000     0xffff C:\Users\Taro\AppData\Local\Temp\svchost.exe
0x77560000   0x13c000     0xffff C:\Windows\SYSTEM32\ntdll.dll
```

**dlldump** Dump DLLs from a process address space

```text
Process(V) Name                 Module Base Module Name          Result
---------- -------------------- ----------- -------------------- ------
0x88abfa78 svchost.exe          0x000ed0000 svchost.exe          OK: module.3828.a269a78.ed0000.dll
0x88abfa78 svchost.exe          0x077560000 ntdll.dll            OK: module.3828.a269a78.77560000.dll
```

**handles** Print list of open handles for each process

```text
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x8db9f5e0   3828        0x4        0x3 Directory        KnownDlls
0x89b6b420   3828        0xc   0x1f0003 Event
0x88baf038   3828       0x10   0x1f0001 ALPC Port
0x9540c300   3828       0x18    0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
0x88bb47c0   3828       0x1c   0x120089 File             \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
```

**memdump** Dump the addressable memory for a process
When a process holds a file handle like this, the file data it read in with fread is very likely still present in process memory, so it can also be recovered with memdump. When it is hard to locate the file data within the process memory, however, using **dumpfiles** is easier.

**memmap** Print the memory map

```text
svchost.exe pid:   3828
Virtual    Physical         Size DumpFileOffset
---------- ---------- ---------- --------------
0x000d0000 0x09c95000     0x1000        0x13000
```

File dump
**filescan** Pool scanner for file objects

```text
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000000a0c07c0     10      1 R--rw- \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
```

**dumpfiles** -D "./dump" -Q 0x000000000a0c07c0 or -p 3828

```text
DataSectionObject 0x0a0c07c0   None   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
SharedCacheMap 0x0a0c07c0   None   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
```

**malfind** Find hidden and injected code

```text
Process: svchost.exe Pid: 3828 Address: 0xd0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x000d0000  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
....
0x000d0000 90               NOP
0x000d0001 90               NOP
....
```

Windows Memory Dump Analysis

Volatility command 2.1 [보안프로젝트]

This post is licensed under CC BY 4.0 by the author.