Volatility

Volatility is an open source tool for analysing memory dumps; it is a framework written in Python.
It can analyse memory dumps from Windows/Mac/Linux/Android, and the framework itself runs on Windows/Mac/Linux.
A wide range of plugins can also be added to it.

Environment

We will not cover installing the framework; see the official documentation for that.
We will use the dumps from the "Art of Memory Forensics Images" archive; the link is given in the appendix. Version 2.6 of Volatility is used throughout.

On to the commands

Determining the dump's profile

This is the first thing to do, because the profile is used by every other command:

$ ./vol.py -f /tmp/sample001.bin imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/tmp/sample001.bin)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x8054cde0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-11-27 01:57:28 UTC+0000
     Image local date and time : 2012-11-26 19:57:28 -0600

Here it suggests 2 profiles, WinXPSP2x86 and WinXPSP3x86; it ran its tests with WinXPSP2x86, so that is the one we will use.

Another way, with kdbgscan

 ./vol.py -f /tmp/sample001.bin kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (21 processes)
PsLoadedModuleList            : 0x8055b1c0 (96 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (21 processes)
PsLoadedModuleList            : 0x8055b1c0 (96 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

Here it finds 2 structures that are identical (see the offsets); sometimes the offsets differ.
In that case, take the one whose process and module counts are not 0. Some plugins have trouble with this, so you then have to state which offset to use by adding --kdbg=OFFSET.
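As an added example (not from the original post or from Volatility itself), here is a small Python parser that applies the rule above to kdbgscan output: it keeps only the KDBG candidates whose process and module counts are non-zero and returns the --kdbg option to pass on to later commands. The first sample block copies the output above; the second block, with its offset 0x80541000 and zero counts, is constructed as a decoy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first block copies the kdbgscan output above, the
# second is an invented decoy (made-up offset, zero processes/modules), the
# kind of stale or false-positive KDBG the text says to skip.
SAMPLE_KDBGSCAN = """\
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (21 processes)
PsLoadedModuleList            : 0x8055b1c0 (96 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)

**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80541000
Offset (P)                    : 0x541000
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
PsActiveProcessHead           : 0x00000000 (0 processes)
PsLoadedModuleList            : 0x00000000 (0 modules)
KernelBase                    : 0x804d7000 (Matches MZ: False)
"""


@dataclass
class KdbgCandidate:
    offset_v: int
    profile: Optional[str]
    processes: int
    modules: int
    owner_tag_ok: bool


_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")
_COUNT = re.compile(r"\((\d+) (?:processes|modules)\)")


def parse_kdbgscan(text: str) -> List[KdbgCandidate]:
    """Split kdbgscan output on the asterisk separators and parse each block."""
    candidates = []
    for block in re.split(r"\*{10,}", text):
        fields = {}
        for line in block.splitlines():
            m = _FIELD.match(line.strip())
            if m:
                fields[m.group("key").strip()] = m.group("val").strip()
        if "Offset (V)" not in fields:
            continue  # the banner before the first separator, or an empty block

        def count(key: str) -> int:
            m = _COUNT.search(fields.get(key, ""))
            return int(m.group(1)) if m else 0

        candidates.append(KdbgCandidate(
            offset_v=int(fields["Offset (V)"], 16),
            profile=fields.get("Profile suggestion (KDBGHeader)"),
            processes=count("PsActiveProcessHead"),
            modules=count("PsLoadedModuleList"),
            owner_tag_ok=fields.get("KDBG owner tag check") == "True",
        ))
    return candidates


def choose_kdbg(candidates: List[KdbgCandidate]) -> Optional[KdbgCandidate]:
    """Rule from the text: keep KDBGs whose process and module counts are
    non-zero (and whose owner tag checks out); prefer the one that walked
    the most processes if several survive."""
    usable = [c for c in candidates if c.processes and c.modules and c.owner_tag_ok]
    if not usable:
        return None
    return max(usable, key=lambda c: (c.processes, c.modules))


def kdbg_option(text: str) -> Optional[str]:
    """Return the --kdbg=... argument to append to later vol.py commands."""
    best = choose_kdbg(parse_kdbgscan(text))
    return None if best is None else "--kdbg=0x%x" % best.offset_v


if __name__ == "__main__":
    for cand in parse_kdbgscan(SAMPLE_KDBGSCAN):
        print(cand)
    print(kdbg_option(SAMPLE_KDBGSCAN))
```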

Here are two links for more information:

Process list

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     51      271 ------      0                             
0x821841c8 smss.exe                356      4      3       19 ------      0 2012-11-26 22:03:28 UTC+0000
0x821b0020 csrss.exe               604    356     12      351      0      0 2012-11-26 22:03:29 UTC+0000
0x82189da0 winlogon.exe            628    356     18      653      0      0 2012-11-26 22:03:29 UTC+0000
0x82194650 services.exe            680    628     15      243      0      0 2012-11-26 22:03:30 UTC+0000
0x82244020 lsass.exe               692    628     22      407      0      0 2012-11-26 22:03:30 UTC+0000
0x8219e2c8 svchost.exe             852    680     14      187      0      0 2012-11-26 22:03:31 UTC+0000
0x82192b10 svchost.exe             940    680      9      258      0      0 2012-11-26 22:03:31 UTC+0000
0x820b3da0 svchost.exe            1024    680     76     1645      0      0 2012-11-26 22:03:32 UTC+0000
0x821a62e0 svchost.exe            1068    680      5       81      0      0 2012-11-26 22:03:32 UTC+0000
0x821a3c10 svchost.exe            1116    680     14      248      0      0 2012-11-26 22:03:33 UTC+0000
0x822e9700 spoolsv.exe            1348    680     10      105      0      0 2012-11-26 22:03:34 UTC+0000
0x8203c020 alg.exe                1888    680      6      105      0      0 2012-11-26 22:03:35 UTC+0000
0x8204f020 explorer.exe            284    244      9      372      0      0 2012-11-26 22:03:58 UTC+0000
0x82226650 msmsgs.exe              548    284      3      204      0      0 2012-11-26 22:04:03 UTC+0000
0x822408d0 ctfmon.exe              556    284      1       75      0      0 2012-11-26 22:04:03 UTC+0000
0x82045da0 wuauclt.exe            1628   1024      3      142      0      0 2012-11-26 22:04:43 UTC+0000
0x821feda0 msimn.exe              1984    284      7      359      0      0 2012-11-26 22:06:33 UTC+0000
0x82049690 wc.exe                  364   1024      1       27      0      0 2012-11-27 01:30:00 UTC+0000
0x822d0828 cmd.exe                1796    284      1       33      0      0 2012-11-27 01:56:21 UTC+0000
0x820b13b8 mdd.exe                 244   1796      1       24      0      0 2012-11-27 01:57:28 UTC+0000       

or

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c8830:System                                      4      0     51    271 1970-01-01 00:00:00 UTC+0000
. 0x821841c8:smss.exe                                 356      4      3     19 2012-11-26 22:03:28 UTC+0000
.. 0x82189da0:winlogon.exe                            628    356     18    653 2012-11-26 22:03:29 UTC+0000
... 0x82194650:services.exe                           680    628     15    243 2012-11-26 22:03:30 UTC+0000
.... 0x820b3da0:svchost.exe                          1024    680     76   1645 2012-11-26 22:03:32 UTC+0000
..... 0x82045da0:wuauclt.exe                         1628   1024      3    142 2012-11-26 22:04:43 UTC+0000
..... 0x82049690:wc.exe                               364   1024      1     27 2012-11-27 01:30:00 UTC+0000
.... 0x8203c020:alg.exe                              1888    680      6    105 2012-11-26 22:03:35 UTC+0000
.... 0x821a62e0:svchost.exe                          1068    680      5     81 2012-11-26 22:03:32 UTC+0000
.... 0x822e9700:spoolsv.exe                          1348    680     10    105 2012-11-26 22:03:34 UTC+0000
.... 0x82192b10:svchost.exe                           940    680      9    258 2012-11-26 22:03:31 UTC+0000
.... 0x821a3c10:svchost.exe                          1116    680     14    248 2012-11-26 22:03:33 UTC+0000
.... 0x8219e2c8:svchost.exe                           852    680     14    187 2012-11-26 22:03:31 UTC+0000
... 0x82244020:lsass.exe                              692    628     22    407 2012-11-26 22:03:30 UTC+0000
.. 0x821b0020:csrss.exe                               604    356     12    351 2012-11-26 22:03:29 UTC+0000
 0x8204f020:explorer.exe                              284    244      9    372 2012-11-26 22:03:58 UTC+0000
. 0x82226650:msmsgs.exe                               548    284      3    204 2012-11-26 22:04:03 UTC+0000
. 0x822d0828:cmd.exe                                 1796    284      1     33 2012-11-27 01:56:21 UTC+0000
.. 0x820b13b8:mdd.exe                                 244   1796      1     24 2012-11-27 01:57:28 UTC+0000
. 0x821feda0:msimn.exe                               1984    284      7    359 2012-11-26 22:06:33 UTC+0000
. 0x822408d0:ctfmon.exe                               556    284      1     75 2012-11-26 22:04:03 UTC+0000

With psscan

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000203c020 alg.exe            1888    680 0x0903e000 2012-11-26 22:03:35 UTC+0000
0x0000000002045da0 wuauclt.exe        1628   1024 0x0d76d000 2012-11-26 22:04:43 UTC+0000
0x0000000002049690 wc.exe              364   1024 0x1441f000 2012-11-27 01:30:00 UTC+0000
0x000000000204f020 explorer.exe        284    244 0x0a016000 2012-11-26 22:03:58 UTC+0000
0x00000000020b13b8 mdd.exe             244   1796 0x172db000 2012-11-27 01:57:28 UTC+0000
0x00000000020b3da0 svchost.exe        1024    680 0x07401000 2012-11-26 22:03:32 UTC+0000
0x00000000020d0d20 services.exe        684    640 0x0923b000 2012-11-23 16:48:06 UTC+0000
0x00000000021841c8 smss.exe            356      4 0x05ae4000 2012-11-26 22:03:28 UTC+0000
0x0000000002189da0 winlogon.exe        628    356 0x0682e000 2012-11-26 22:03:29 UTC+0000
0x0000000002192b10 svchost.exe         940    680 0x0725b000 2012-11-26 22:03:31 UTC+0000
0x0000000002194650 services.exe        680    628 0x06afb000 2012-11-26 22:03:30 UTC+0000
--SNiP--

Note: several commands can give the same or a similar result; the difference (not visible in the output) is how the information is recovered (they do not scan the same structures).
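As an added example (not part of the original post), the following Python cross-checks pslist against psscan the way an analyst would use that difference: any process that pool scanning finds but the linked-list walk does not is classified as terminated, left over from a previous boot, or suspect (unlinked from the active process list). The rows are copied from the outputs above, except the hidden.exe row, which is constructed to show the suspect case; the boot time is approximated from the earliest start time in pslist.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: pslist/psscan rows copied from the outputs above, plus one
# invented psscan-only row ("hidden.exe", PID 1500) that mimics an EPROCESS
# unlinked from PsActiveProcessHead.
PSLIST_SAMPLE = """\
0x823c8830 System                    4      0     51      271 ------      0
0x821841c8 smss.exe                356      4      3       19 ------      0 2012-11-26 22:03:28 UTC+0000
0x821b0020 csrss.exe               604    356     12      351      0      0 2012-11-26 22:03:29 UTC+0000
0x82194650 services.exe            680    628     15      243      0      0 2012-11-26 22:03:30 UTC+0000
0x82049690 wc.exe                  364   1024      1       27      0      0 2012-11-27 01:30:00 UTC+0000
0x820b13b8 mdd.exe                 244   1796      1       24      0      0 2012-11-27 01:57:28 UTC+0000
"""

PSSCAN_SAMPLE = """\
0x0000000002049690 wc.exe              364   1024 0x1441f000 2012-11-27 01:30:00 UTC+0000
0x00000000020b13b8 mdd.exe             244   1796 0x172db000 2012-11-27 01:57:28 UTC+0000
0x00000000020d0d20 services.exe        684    640 0x0923b000 2012-11-23 16:48:06 UTC+0000
0x00000000021841c8 smss.exe            356      4 0x05ae4000 2012-11-26 22:03:28 UTC+0000
0x0000000002194650 services.exe        680    628 0x06afb000 2012-11-26 22:03:30 UTC+0000
0x0000000002111111 hidden.exe         1500    284 0x0aaaa000 2012-11-27 01:40:00 UTC+0000
"""

_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# pslist columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
_PSLIST = re.compile(
    r"^(?P<off>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\d+\s+\S+\s+\d+(?P<rest>.*)$")
# psscan columns: Offset(P) Name PID PPID PDB "Time created" "Time exited"
_PSSCAN = re.compile(
    r"^(?P<off>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+0x[0-9a-f]+(?P<rest>.*)$")


def _times(rest: str) -> List[datetime]:
    return [datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t in _TS.findall(rest)]


def parse_pslist(text: str) -> Dict[Tuple[int, str], Optional[datetime]]:
    """Map (pid, name) -> start time (None for System) from the linked-list walk.
    Keyed by pid+name because pslist shows virtual and psscan physical offsets."""
    out = {}
    for line in text.splitlines():
        m = _PSLIST.match(line.strip())
        if m:
            times = _times(m.group("rest"))
            out[(int(m.group("pid")), m.group("name"))] = times[0] if times else None
    return out


def parse_psscan(text: str) -> List[Tuple[int, str, Optional[datetime], Optional[datetime]]]:
    """Return (pid, name, created, exited) for every EPROCESS found by pool scanning."""
    rows = []
    for line in text.splitlines():
        m = _PSSCAN.match(line.strip())
        if m:
            times = _times(m.group("rest"))
            created = times[0] if times else None
            exited = times[1] if len(times) > 1 else None
            rows.append((int(m.group("pid")), m.group("name"), created, exited))
    return rows


def cross_check(pslist_text: str, psscan_text: str) -> Dict[Tuple[int, str], str]:
    """Classify every psscan row that pslist does not know about."""
    active = parse_pslist(pslist_text)
    starts = [t for t in active.values() if t is not None]
    boot = min(starts) if starts else None  # smss.exe start approximates boot time
    verdicts = {}
    for pid, name, created, exited in parse_psscan(psscan_text):
        if (pid, name) in active:
            continue  # both views agree: nothing to report
        if exited is not None:
            verdict = "terminated"            # exit time set: normal leftover object
        elif boot is not None and created is not None and created < boot:
            verdict = "stale-previous-boot"   # created before this boot: old pool memory
        else:
            verdict = "SUSPECT-unlinked"      # alive-looking but absent from the list
        verdicts[(pid, name)] = verdict
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(cross_check(PSLIST_SAMPLE, PSSCAN_SAMPLE).items()):
        print("%5d %-16s %s" % (key[0], key[1], verdict))
```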

Display the Security Identifiers (SIDs) associated with a process

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin getsids -p 556
Volatility Foundation Volatility Framework 2.6
ctfmon.exe (556): S-1-5-21-219294376-1976090562-3929857903-1107 (callb)
ctfmon.exe (556): S-1-5-21-219294376-1976090562-3929857903-513 (Domain Users)
ctfmon.exe (556): S-1-1-0 (Everyone)
ctfmon.exe (556): S-1-5-32-544 (Administrators)
ctfmon.exe (556): S-1-5-32-545 (Users)
ctfmon.exe (556): S-1-5-4 (Interactive)
ctfmon.exe (556): S-1-5-11 (Authenticated Users)
ctfmon.exe (556): S-1-5-5-0-49497 (Logon Session)
ctfmon.exe (556): S-1-2-0 (Local (Users with the ability to log in locally))

Command history

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x4f4db0 Application: wc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x424
**************************************************
CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x11486f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x348
Cmd #0 @ 0x4f2f38: net use r: \\172.16.150.10\ITShare
Cmd #1 @ 0x4f1f68: cd\
Cmd #2 @ 0x4f32a0: copy r:\mdd.exe .
Cmd #3 @ 0x4f2720: dir
Cmd #4 @ 0x4f2e98: mdd.exe -o callb-memdump.bin
**************************************************
CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x1148c28 Application: mdd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x59c

Or

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: csrss.exe Pid: 604
Console: 0x4f2398 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: mdd - 50.09% complete
AttachedProcess: mdd.exe Pid: 244 Handle: 0x59c
AttachedProcess: cmd.exe Pid: 1796 Handle: 0x348
----
CommandHistory: 0x1148c28 Application: mdd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x59c
----
CommandHistory: 0x1148a40 Application: net.exe Flags: 
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x11486f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x348
Cmd #0 at 0x4f2f38: net use r: \\172.16.150.10\ITShare
Cmd #1 at 0x4f1f68: cd\
Cmd #2 at 0x4f32a0: copy r:\mdd.exe .
Cmd #3 at 0x4f2720: dir
Cmd #4 at 0x4f2e98: mdd.exe -o callb-memdump.bin
----
Screen 0x4f2a50 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]                                         
(C) Copyright 1985-2001 Microsoft Corp.                                         
                                                                                
C:\Documents and Settings\callb>net use r: \\172.16.150.10\ITShare              
The command completed successfully.                                             
                                                                                
                                                                                
C:\Documents and Settings\callb>cd\                                             
                                                                                
C:\>copy r:\mdd.exe .                                                           
        1 file(s) copied.                                                       
                                                                                
C:\>dir                                                                         
 Volume in drive C has no label.                                                
 Volume Serial Number is 1044-534A                                              
                                                                                
 Directory of C:\                                                               
                                                                                
11/03/2012  09:50 AM                 0 AUTOEXEC.BAT                             
11/03/2012  09:50 AM                 0 CONFIG.SYS                               
11/03/2012  04:55 PM    <DIR>          Documents and Settings                   
11/26/2012  07:42 PM            95,104 mdd.exe                                  
11/03/2012  04:50 PM    <DIR>          Program Files                            
11/26/2012  05:06 PM    <DIR>          WINDOWS                                  
               3 File(s)         95,104 bytes                                   
               3 Dir(s)   7,004,471,296 bytes free                              
                                                                                
C:\>mdd.exe -o callb-memdump.bin                                                
 -> mdd                                                                         
 -> ManTech Physical Memory Dump Utility                                        
    Copyright (C) 2008 ManTech Security & Mission Assurance                     
                                                                                
 -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w' 
    This is free software, and you are welcome to redistribute it               
    under certain conditions; use option `-c' for details.                      
                                                                                
 -> Dumping 511.48 MB of physical memory to file 'callb-memdump.bin'.           
**************************************************
ConsoleProcess: csrss.exe Pid: 604
Console: 0x4f3318 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\svchost.exe
Title: C:\WINDOWS\System32\svchost.exe
AttachedProcess: wc.exe Pid: 364 Handle: 0x424
----
CommandHistory: 0x4f4db0 Application: wc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x424
----
Screen 0x4f3a20 X:80 Y:25
Dump:
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security -
 by Hernan Ochoa (hernan@ampliasecurity.com)                                    
Use -h for help.                                               

Display the DLLs

Here we use the "-p PID" option to give the PID of one process; otherwise we get all the DLLs of every process.

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dlllist -p 556
Volatility Foundation Volatility Framework 2.6
************************************************************************
ctfmon.exe pid:    556
Command line : "C:\WINDOWS\system32\ctfmon.exe" 
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000     0x6000     0xffff C:\WINDOWS\system32\ctfmon.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x92000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll
0x74720000    0x4c000     0xffff C:\WINDOWS\system32\MSCTF.dll
0x5fc10000    0x33000     0xffff C:\WINDOWS\system32\MSUTB.dll
0x5cb70000    0x26000        0x1 C:\WINDOWS\system32\ShimEng.dll
0x6f880000   0x1ca000        0x1 C:\WINDOWS\AppPatch\AcGenral.DLL
0x76b40000    0x2d000        0x2 C:\WINDOWS\system32\WINMM.dll
0x774e0000   0x13d000        0x5 C:\WINDOWS\system32\ole32.dll
0x77120000    0x8b000        0x1 C:\WINDOWS\system32\OLEAUT32.dll
0x77be0000    0x15000        0x1 C:\WINDOWS\system32\MSACM32.dll
0x77c00000     0x8000        0x1 C:\WINDOWS\system32\VERSION.dll
0x7c9c0000   0x817000        0x1 C:\WINDOWS\system32\SHELL32.dll
0x77f60000    0x76000        0x5 C:\WINDOWS\system32\SHLWAPI.dll
0x769c0000    0xb4000        0x1 C:\WINDOWS\system32\USERENV.dll
0x5ad70000    0x38000        0x4 C:\WINDOWS\system32\UxTheme.dll
0x76390000    0x1d000        0x4 C:\WINDOWS\system32\IMM32.DLL
0x773d0000   0x103000        0x2 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x755c0000    0x2e000        0x2 C:\WINDOWS\system32\msctfime.ime

We also recover the command line, and therefore the path of the executable.

Process privileges:

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin privs -p 556
Volatility Foundation Volatility Framework 2.6
Pid      Process          Value  Privilege                            Attributes               Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
     556 ctfmon.exe           23 SeChangeNotifyPrivilege              Present,Enabled,Default  Receive notifications of changes to files or directories
     556 ctfmon.exe            8 SeSecurityPrivilege                  Present                  Manage auditing and security log
     556 ctfmon.exe           17 SeBackupPrivilege                    Present                  Backup files and directories
     556 ctfmon.exe           18 SeRestorePrivilege                   Present                  Restore files and directories
     556 ctfmon.exe           12 SeSystemtimePrivilege                Present                  Change the system time
     556 ctfmon.exe           19 SeShutdownPrivilege                  Present                  Shut down the system
     556 ctfmon.exe           24 SeRemoteShutdownPrivilege            Present                  Force shutdown from a remote system
     556 ctfmon.exe            9 SeTakeOwnershipPrivilege             Present                  Take ownership of files/objects
     556 ctfmon.exe           20 SeDebugPrivilege                     Present                  Debug programs
     556 ctfmon.exe           22 SeSystemEnvironmentPrivilege         Present                  Edit firmware environment values
     556 ctfmon.exe           11 SeSystemProfilePrivilege             Present                  Profile system performance
     556 ctfmon.exe           13 SeProfileSingleProcessPrivilege      Present                  Profile a single process
     556 ctfmon.exe           14 SeIncreaseBasePriorityPrivilege      Present                  Increase scheduling priority
     556 ctfmon.exe           10 SeLoadDriverPrivilege                Present,Enabled          Load and unload device drivers
     556 ctfmon.exe           15 SeCreatePagefilePrivilege            Present                  Create a pagefile
     556 ctfmon.exe            5 SeIncreaseQuotaPrivilege             Present                  Increase quotas
     556 ctfmon.exe           25 SeUndockPrivilege                    Present,Enabled          Remove computer from docking station
     556 ctfmon.exe           28 SeManageVolumePrivilege              Present                  Manage the files on a volume
     556 ctfmon.exe           30 SeCreateGlobalPrivilege              Present,Enabled,Default  Create global objects
     556 ctfmon.exe           29 SeImpersonatePrivilege               Present,Enabled,Default  Impersonate a client after authentication

The --silent flag only shows privileges that are Present and Enabled, not the rest; the --regex=REGEX flag filters the command's output on the Privilege column.

Environment variables

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin envars -p 556
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
     556 ctfmon.exe           0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
     556 ctfmon.exe           0x00010000 APPDATA                        C:\Documents and Settings\callb\Application Data
     556 ctfmon.exe           0x00010000 CLIENTNAME                     Console
     556 ctfmon.exe           0x00010000 CommonProgramFiles             C:\Program Files\Common Files
     556 ctfmon.exe           0x00010000 COMPUTERNAME                   ENG-USTXHOU-148
     556 ctfmon.exe           0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
     556 ctfmon.exe           0x00010000 FP_NO_HOST_CHECK               NO
     556 ctfmon.exe           0x00010000 HOMEDRIVE                      C:
     556 ctfmon.exe           0x00010000 HOMEPATH                       \Documents and Settings\callb
     556 ctfmon.exe           0x00010000 LOGONSERVER                    \\DC-USTXHOU
     556 ctfmon.exe           0x00010000 NUMBER_OF_PROCESSORS           1
     556 ctfmon.exe           0x00010000 OS                             Windows_NT
     556 ctfmon.exe           0x00010000 Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
     556 ctfmon.exe           0x00010000 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
     556 ctfmon.exe           0x00010000 PROCESSOR_ARCHITECTURE         x86
     556 ctfmon.exe           0x00010000 PROCESSOR_IDENTIFIER           x86 Family 15 Model 2 Stepping 8, GenuineIntel
     556 ctfmon.exe           0x00010000 PROCESSOR_LEVEL                15
     556 ctfmon.exe           0x00010000 PROCESSOR_REVISION             0208
     556 ctfmon.exe           0x00010000 ProgramFiles                   C:\Program Files
     556 ctfmon.exe           0x00010000 SESSIONNAME                    Console
     556 ctfmon.exe           0x00010000 SystemDrive                    C:
     556 ctfmon.exe           0x00010000 SystemRoot                     C:\WINDOWS
     556 ctfmon.exe           0x00010000 TEMP                           C:\DOCUME~1\callb\LOCALS~1\Temp
     556 ctfmon.exe           0x00010000 TMP                            C:\DOCUME~1\callb\LOCALS~1\Temp
     556 ctfmon.exe           0x00010000 USERDNSDOMAIN                  PETRO-MARKET.ORG
     556 ctfmon.exe           0x00010000 USERDOMAIN                     PETRO-MARKET
     556 ctfmon.exe           0x00010000 USERNAME                       callb
     556 ctfmon.exe           0x00010000 USERPROFILE                    C:\Documents and Settings\callb
     556 ctfmon.exe           0x00010000 windir                         C:\WINDOWS

PE information

Displays the information embedded in PE files. Not all PE files carry such information, and malware authors often forge fake information.

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin verinfo
\SystemRoot\System32\smss.exe
C:\WINDOWS\system32\ntdll.dll
\??\C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\CSRSRV.dll
C:\WINDOWS\system32\basesrv.dll
C:\WINDOWS\system32\winsrv.dll
  File version    : 5.1.2600.5512
  Product version : 5.1.2600.5512
  Flags           : 
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       : 
  CompanyName : Microsoft Corporation
  FileDescription : Windows Server DLL
  FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
  InternalName : winsrv
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : winsrv.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.5512
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\KERNEL32.dll
C:\WINDOWS\system32\USER32.dll
  File version    : 5.1.2600.5512
  Product version : 5.1.2600.5512
  Flags           : 
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       : 
  CompanyName : Microsoft Corporation
  FileDescription : Windows XP USER API Client DLL
  FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
  InternalName : user32
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : user32
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.5512
--SNiP--

DLL dump

You first have to create, or point to, a folder in which the dump(s) will be written.

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dlldump -p 556 -r SHELL32.dll -D dump
Volatility Foundation Volatility Framework 2.6
Process(V) Name                 Module Base Module Name          Result
---------- -------------------- ----------- -------------------- ------
0x822408d0 ctfmon.exe           0x07c9c0000 SHELL32.dll          OK: module.556.22408d0.7c9c0000.dll

Here we limited the dump to process 556 and to the DLL SHELL32.dll.
The dump file uses a particular naming scheme: module.PID.ProcessOffset.ModuleBase.dll
The process offset is the one shown for the process in the pslist output at the start.
The contents of the DLL are not readable as-is, except with strings.
Some DLLs may come back with the message Error: DllBase is paged, meaning the DLL is no longer resident in memory.
It may be possible to recover it with vaddump.

Open handles in a process

Here we filter on the process PID to limit the command's output.

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin handles -p 556
Volatility Foundation Volatility Framework 2.6
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0xe10096e0    556        0x4    0xf0003 KeyedEvent       CritSecOutOfMemoryEvent
0xe145e278    556        0x8        0x3 Directory        KnownDlls
0x821cff90    556        0xc   0x100020 File             \Device\HarddiskVolume1\Documents and Settings\callb
0x82237420    556       0x10   0x100003 Semaphore        
0xe145d4e8    556       0x14    0xf000f Directory        Windows
0xe1696638    556       0x18  0x21f0001 Port             
0x82237488    556       0x1c   0x100003 Semaphore        
0xe1562748    556       0x20    0x2000f Directory        BaseNamedObjects
0x821d5aa0    556       0x24   0x1f0001 Mutant           SHIMLIB_LOG_MUTEX
0xe1a374f0    556       0x28  0x20f003f Key              MACHINE
0x82185df8    556       0x2c    0xf037f WindowStation    WinSta0
0x821f33e0    556       0x30  0x21f0003 Event            
0x822d6298    556       0x34    0xf01ff Desktop          Default
0x82185df8    556       0x38    0xf037f WindowStation    WinSta0
0xe197c040    556       0x3c    0xf0007 Section          CiceroSharedMemDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821df9f8    556       0x40   0x1f0001 Mutant           CTF.LBES.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x8218e0f0    556       0x44   0x1f0001 Mutant           CTF.Compart.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x822df480    556       0x48   0x1f0001 Mutant           CTF.Asm.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x82202370    556       0x4c   0x1f0001 Mutant           CTF.Layouts.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x82202320    556       0x50   0x1f0001 Mutant           CTF.TMD.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1a8d250    556       0x54  0x20f003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107
0x821cc5a0    556       0x58   0x1f0003 Event            
0x822373b8    556       0x5c   0x100003 Semaphore        
0x82235be0    556       0x60   0x100003 Semaphore        
0xe1a9bb50    556       0x64    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0x82384568    556       0x68   0x100001 File             \Device\KsecDD
0x821dfb08    556       0x6c   0x1f0003 Event            
0x82075840    556       0x70   0x1f0003 Event            
0xe1a54818    556       0x74    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0x8225e2f0    556       0x78   0x1f0003 Semaphore        shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
0x821a5590    556       0x7c   0x1f0003 Event            userenv:  User Profile setup event
0x82203840    556       0x80   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
0x820bc5e0    556       0x84   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
0xe1ab6718    556       0x88   0x1f0001 Port             
0x82292440    556       0x8c   0x1f0001 Mutant           CtfmonInstMutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1757d48    556       0x90        0x4 Section          
0x822cc7a8    556       0x94   0x1f0001 Mutant           CTF.TimListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107MUTEX.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1a34040    556       0x98    0xf0007 Section          CTF.TimListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107SFM.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821b0b60    556       0x9c   0x1f0001 Mutant           MSCTF.GCompartListMUTEX.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe199fed0    556       0xa0    0xf0007 Section          MSCTF.GCompartListSFM.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821f0618    556       0xa4   0x1f0003 Event            
0xe1a82e40    556       0xa8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT\TOGGLE
0xe124b510    556       0xac    0xf0007 Section          CTF.AsmListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821f05e8    556       0xb0   0x1f0003 Event            
0xe1a601f8    556       0xb4    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\CTF\TIP
0xe19b2d68    556       0xb8    0xf003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM
0xe1ab1d20    556       0xbc    0xf003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
0xe1ab4250    556       0xc0  0x20f003f Key              USER
0x821f05b8    556       0xc4   0x1f0003 Event            
0xe1a9a458    556       0xc8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT\PRELOAD
0x821f0588    556       0xcc   0x1f0003 Event            
0xe1a88ba0    556       0xd0    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
0x821f0520    556       0xd4   0x1f0003 Event            
0xe12c05d8    556       0xd8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\CTF\TIP
0x821af5d8    556       0xdc   0x1f0003 Event            
0xe194a020    556       0xe0    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\SPEECH
0x821af570    556       0xe4   0x1f0003 Event            
0xe1aa5d98    556       0xe8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\APPEARANCE
0x821cdcd8    556       0xec   0x1f0003 Event            
0xe194a0d8    556       0xf0    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\COLORS
0x821cdc70    556       0xf4   0x1f0003 Event            
0xe1ac0340    556       0xf8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\DESKTOP\WINDOWMETRICS
0x821cdc08    556       0xfc   0x1f0003 Event            
0xe1bcb020    556      0x100    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\SPEECH
0x821cdbd8    556      0x104   0x1f0003 Event            
0xe1bc94b8    556      0x108    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT
0x82384690    556      0x10c   0x1f0003 Event            
0xe1bcb0b8    556      0x110    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\CTF\ASSEMBLIES
0x8218ddd0    556      0x114   0x120001 Mutant           ShimCacheMutex
0x82229c80    556      0x118   0x1f0003 Event            
0xe15d0918    556      0x11c        0x2 Section          ShimSharedMemory
0x8224d230    556      0x120   0x1f0003 Event            
0x8207f1e0    556      0x124   0x1f0003 Event            
0xe1a3a0d0    556      0x128  0x20f003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107_CLASSES
0x8218a680    556      0x12c   0x100000 Event            WinSta0_DesktopSwitch

Network connections

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin connections
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8201f850 172.16.150.20:1292        172.16.150.10:445         4

or

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696
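Triage of the connections and connscan listings above, as an added example that is not code from the article or from Volatility: it parses both outputs, collapses the duplicate hits connscan produces from stale physical copies of the same object, discards the obviously bogus row (PID 36569092, both ports 0) and flags connections that are absent from the live list or that reach a non-private address. The PID plausibility threshold and the verdict names are the example's own assumptions.

```python
"""Triage of Volatility 2.6 `connections` / `connscan` output (Windows XP).

Added example, not part of the original article or of Volatility itself.
The sample lines below are copied from the article's output; the
classification rules are this example's own heuristics, not a Volatility API.
"""
import ipaddress
import re

# Live list walk (connections) and pool scan (connscan), as printed above.
CONNECTIONS_OUTPUT = """\
0x8201f850 172.16.150.20:1292        172.16.150.10:445         4
"""

CONNSCAN_OUTPUT = """\
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696
"""

LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")

# Assumption: XP PIDs are small multiples of 4; a huge PID means connscan
# matched a pool tag by chance rather than a real _TCPT_OBJECT.
MAX_PLAUSIBLE_PID = 65536


def parse(output):
    """Parse the tabular plugin output into dicts, skipping header lines."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "offset": m.group(1),
            "local": (m.group(2), int(m.group(3))),
            "remote": (m.group(4), int(m.group(5))),
            "pid": int(m.group(6)),
        })
    return rows


def is_scan_artifact(row):
    """True for rows that cannot describe a real TCP connection."""
    if row["pid"] == 0 or row["pid"] > MAX_PLAUSIBLE_PID:
        return True
    if row["local"][1] == 0 or row["remote"][1] == 0:
        return True
    return False


def triage(connections_output, connscan_output):
    """Return deduplicated connscan rows, each with a list of verdict tags."""
    live = {(r["local"], r["remote"], r["pid"]) for r in parse(connections_output)}
    seen = {}
    for row in parse(connscan_output):
        key = (row["local"], row["remote"], row["pid"])
        if key in seen:
            # connscan reads physical memory, so one connection object can be
            # hit both in its mapped page and in a stale copy elsewhere.
            continue
        verdict = []
        if is_scan_artifact(row):
            verdict.append("artifact")
        else:
            if key not in live:
                verdict.append("not-in-live-list")  # closed or unlinked connection
            if ipaddress.ip_address(row["remote"][0]).is_global:
                verdict.append("external-remote")
        seen[key] = {"row": row, "verdict": verdict}
    return list(seen.values())


if __name__ == "__main__":
    for entry in triage(CONNECTIONS_OUTPUT, CONNSCAN_OUTPUT):
        r = entry["row"]
        print("%s:%d -> %s:%d pid=%d %s" % (
            r["local"][0], r["local"][1], r["remote"][0], r["remote"][1],
            r["pid"], ",".join(entry["verdict"]) or "ok"))
```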

Sockets

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x8207f298        4      0     47 GRE             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x82041878        4   1065      6 TCP             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x821afc70      692    500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x82195e98        4    137     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x82196d00        4    445      6 TCP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x821a2e98      940    135      6 TCP             0.0.0.0         2012-11-26 22:03:32 UTC+0000
0x8204d008     1024   1291      6 TCP             0.0.0.0         2012-11-27 01:56:30 UTC+0000
0x8219ec08        4    138     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x821cf008      692      0    255 Reserved        0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x821d4e98     1024    123     17 UDP             127.0.0.1       2012-11-26 22:03:35 UTC+0000
0x82082458     1068   1025     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x821c28e0     1024    123     17 UDP             172.16.150.20   2012-11-26 22:03:35 UTC+0000
0x82276228        4   1292      6 TCP             0.0.0.0         2012-11-27 01:56:50 UTC+0000
0x82095d50     1068   1026     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x8223d840     1116   1900     17 UDP             127.0.0.1       2012-11-26 22:04:04 UTC+0000
0x821cfd08      692   4500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x822e2760     1116   1900     17 UDP             172.16.150.20   2012-11-26 22:04:04 UTC+0000
0x821976e8        4    445     17 UDP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x8222cd00        4    139      6 TCP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x820382f8     1888   1035      6 TCP             127.0.0.1       2012-11-26 22:03:35 UTC+0000
0x821d1d10      628   1040     17 UDP             127.0.0.1       2012-11-26 22:03:36 UTC+0000

or

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin sockscan
Volatility Foundation Volatility Framework 2.6
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01f60870        4   2947      6 TCP             172.16.150.20   2012-11-26 20:01:26 UTC+0000
0x02002880      692   1262      6 TCP             0.0.0.0         2012-11-27 01:31:16 UTC+0000
0x0201db78      512   1155      6 TCP             0.0.0.0         2012-11-26 23:11:32 UTC+0000
0x02022e98     1024   1290      6 TCP             0.0.0.0         2012-11-27 01:54:03 UTC+0000
0x02023880        4   1282      6 TCP             0.0.0.0         2012-11-27 01:45:26 UTC+0000
0x020382f8     1888   1035      6 TCP             127.0.0.1       2012-11-26 22:03:35 UTC+0000
0x02041878        4   1065      6 TCP             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x0204d008     1024   1291      6 TCP             0.0.0.0         2012-11-27 01:56:30 UTC+0000
0x0207b880      692   1032      6 TCP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x0207f298        4      0     47 GRE             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x02082458     1068   1025     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x02095d50     1068   1026     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x0211ae00     1088   1025     17 UDP             0.0.0.0         2012-11-23 16:48:10 UTC+0000
0x0211f390      696   4500     17 UDP             0.0.0.0         2012-11-23 16:48:10 UTC+0000
0x0213cb68      696      0    255 Reserved        0.0.0.0         2012-11-23 16:48:10 UTC+0000
0x02195e98        4    137     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x02196d00        4    445      6 TCP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x021976e8        4    445     17 UDP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x0219ec08        4    138     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x021a2e98      940    135      6 TCP             0.0.0.0         2012-11-26 22:03:32 UTC+0000
0x021afc70      692    500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x021c28e0     1024    123     17 UDP             172.16.150.20   2012-11-26 22:03:35 UTC+0000
0x021cf008      692      0    255 Reserved        0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x021cfd08      692   4500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
--SNiP--

Registry: locating the hives in virtual memory

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1903008 0x08892008 \Device\HarddiskVolume1\Documents and Settings\callb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1968720 0x0c516720 \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
0xe183b008 0x078cd008 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1837b60 0x07917b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe169c008 0x06f55008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe16ab008 0x07126008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1460b60 0x05ab9b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1467b60 0x05bb2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1461008 0x05a6c008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1451758 0x057f3758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1345b60 0x02a4bb60 [no name]
0xe1035b60 0x02739b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02733008 [no name]

Registry: listing the keys of the SAM hive

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hivedump -o 0xe1461008
Volatility Foundation Volatility Framework 2.6
Last Written         Key
2012-11-03 09:35:47 UTC+0000 \SAM
2012-11-03 09:35:47 UTC+0000 \SAM\SAM
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains
2012-11-26 19:32:35 UTC+0000 \SAM\SAM\Domains\Account
2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\000003E9
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1390067357-920026266-725345543
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000003EA
2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names
2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names\HelpServicesGroup
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Groups\00000201
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names\None
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users
2012-11-03 20:27:30 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F4
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F5
2012-11-03 15:48:33 UTC+0000 \SAM\SAM\Domains\Account\Users\000003E8
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EA
2012-11-26 19:32:35 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EC
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\Administrator
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\Guest
2012-11-03 15:48:33 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\HelpAssistant
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\SUPPORT_388945a0
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\sysbackup
2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases
2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000220
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000221
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000222
2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000223
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000227
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000228
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\0000022B
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\0000022C
2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members
2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5
2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\00000004
2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\0000000B
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000001F4
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000001F5
2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000003EC
2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903
2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000200
2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000201
2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000453
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Administrators
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Backup Operators
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Guests
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Network Configuration Operators
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Power Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Remote Desktop Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Replicator
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Groups
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Groups\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Users\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\RXACT

User and group names can be seen here.

A registry key

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey -K "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
Key name: Internet Settings (S)
Last updated: 2012-11-24 18:20:49 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Lockdown_Zones
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 8.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 1
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0
REG_SZ        EmailName       : (S) IEUser@
REG_SZ        AutoConfigProxy : (S) wininet.dll
REG_SZ        MimeExclusionListForCache : (S) multipart/mixed multipart/x-mixed-replace multipart/x-byteranges 
REG_BINARY    WarnOnPost      : (S) 
0x00000000  01 00 00 00                                       ....
REG_BINARY    UseSchannelDirectly : (S) 
0x00000000  01 00 00 00                                       ....
REG_DWORD     EnableHttp1_1   : (S) 1
REG_DWORD     PrivacyAdvanced : (S) 0
REG_DWORD     UrlEncoding     : (S) 0
REG_DWORD     SecureProtocols : (S) 160
REG_DWORD     PrivDiscUiShown : (S) 1
REG_BINARY    ZonesSecurityUpgrade : (S) 
0x00000000  90 98 08 d8 9f c9 cd 01                           ........
REG_DWORD     DisableCachingOfSSLPages : (S) 0
REG_DWORD     WarnonZoneCrossing : (S) 0
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Internet Settings (S)
Last updated: 2012-11-03 15:53:16 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 0
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Internet Settings (S)
Last updated: 2012-11-03 15:49:42 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 0
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Internet Settings (S)
Last updated: 2012-11-03 15:53:16 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 0
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0

or via an offset (offset 0xe1460b60, which corresponds to \Device\HarddiskVolume1\WINDOWS\system32\config\software, obtained with hivelist)

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: $$$PROTO.HIV (S)
Last updated: 2012-11-03 15:56:53 UTC+0000

Subkeys:
  (S) C07ft5Y
  (S) Classes
  (S) Clients
  (S) Gemplus
  (S) Microsoft
  (S) ODBC
  (S) Policies
  (S) Program Groups
  (S) Schlumberger
  (S) Secure
  (S) Windows 3.1 Migration Status

Values:

Let's look at the contents of the Clients subkey

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60 --key Clients
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Clients (S)
Last updated: 2012-11-03 15:50:15 UTC+0000

Subkeys:
  (S) Contacts
  (S) IM
  (S) Internet Call
  (S) JavaVM
  (S) Mail
  (S) Media
  (S) News
  (S) StartMenuInternet

Values:

And by iterating this way one can retrieve a value from the subkeys:

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60 --key "Clients\Contacts\Address Book\shell\open\command"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: command (S)
Last updated: 2012-11-03 15:50:15 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) "C:\Program Files\Outlook Express\wab.exe" /showexisting

Note:
With printkey one can list the programs launched at logon:

  • Software\Microsoft\Windows\CurrentVersion\Run
  • Software\Microsoft\Windows\CurrentVersion\RunOnce

Extracting the cached hashes stored in the registry

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hashdump 
Volatility Foundation Volatility Framework 2.6
Administrator:500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:42dbf333659cabcd0b546a25124a5476:dfd19a421051e8329e0c7b5aa7fe7dbe:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:5168fdd9d699311c78acabde3c849622:::
sysbackup:1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::

Users and passwords are stored as hashes in the registry.
Brute force or rainbow tables would be needed to crack these hashes.
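Combining the hashdump lines with the SAM hivedump listing above, as an added example that is not code from the article or from Volatility: it flags accounts whose NT hash is the well-known empty-password hash or that still store an LM hash, and attaches to each account the Last Written time of its \SAM\SAM\Domains\Account\Users\<RID> key. The sample inputs are copied from the outputs above; the flag names are the example's own.

```python
r"""Joining Volatility 2.6 `hashdump` and `hivedump` output for account triage.

Added example, not code from the article or from Volatility. The RID printed
by hashdump is the decimal form of the 8-hex-digit subkey name under
\SAM\SAM\Domains\Account\Users, which is what lets the two outputs be joined.
"""
import re

# Well-known hashes of the empty password (LM and NT), as printed by hashdump.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Copied from the hashdump output above.
HASHDUMP_OUTPUT = """\
Administrator:500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:42dbf333659cabcd0b546a25124a5476:dfd19a421051e8329e0c7b5aa7fe7dbe:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:5168fdd9d699311c78acabde3c849622:::
sysbackup:1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
"""

# Subset of the hivedump listing above (the Users subkeys only).
HIVEDUMP_OUTPUT = r"""
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users
2012-11-03 20:27:30 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F4
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F5
2012-11-03 15:48:33 UTC+0000 \SAM\SAM\Domains\Account\Users\000003E8
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EA
2012-11-26 19:32:35 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EC
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users\Names
"""

HIVEDUMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000 (\\.*)$")
USERS_KEY_PREFIX = "\\SAM\\SAM\\Domains\\Account\\Users\\"


def parse_hashdump(output):
    """Parse pwdump-style lines: name:rid:lmhash:nthash:::"""
    accounts = []
    for line in output.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # banner line or garbage
        accounts.append({
            "name": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return accounts


def parse_hivedump(output):
    """Map each key path to its 'Last Written' timestamp string."""
    keys = {}
    for line in output.splitlines():
        m = HIVEDUMP_RE.match(line.strip())
        if m:
            keys[m.group(2)] = m.group(1)
    return keys


def triage_accounts(hashdump_output, hivedump_output):
    """Return one report entry per account, with flags and the Users\\<RID> key time."""
    keys = parse_hivedump(hivedump_output)
    report = []
    for acct in parse_hashdump(hashdump_output):
        flags = []
        if acct["nt"] == EMPTY_NT:
            flags.append("blank-password")
        if acct["lm"] != EMPTY_LM:
            flags.append("lm-hash-stored")  # LM storage not disabled for this account
        key = USERS_KEY_PREFIX + "%08X" % acct["rid"]
        report.append({
            "name": acct["name"],
            "rid": acct["rid"],
            "flags": flags,
            "users_key_last_written": keys.get(key),
        })
    return report


if __name__ == "__main__":
    for entry in triage_accounts(HASHDUMP_OUTPUT, HIVEDUMP_OUTPUT):
        print("%-18s rid=%-5d %-28s key written %s" % (
            entry["name"], entry["rid"], ",".join(entry["flags"]) or "-",
            entry["users_key_last_written"]))
```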

LSA dump

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin lsadump
Volatility Foundation Volatility Framework 2.6
_SC_Alerter

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0x00000000  54 00 6b 00 24 00 37 00 43 00 6c 00 75 00 58 00   T.k.$.7.C.l.u.X.
0x00000010  47 00 7a 00 57 00 56 00 4b 00 30 00 00 00         G.z.W.V.K.0...

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0x00000000  01 05 00 00 00 00 00 05 15 00 00 00 9d be da 52   ...............R
0x00000010  9a 7c d6 36 07 e5 3b 2b e8 03 00 00               .|.6..;+....

_SC_WebClient

20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT

_SC_SSDPSRV

DPAPI_SYSTEM
0x00000000  01 00 00 00 41 fb ae d7 f4 40 54 e3 ce be c5 dd   ....A....@T.....
0x00000010  95 3d 8d b4 22 54 e8 eb db 20 d0 d5 c2 93 1f 58   .=.."T.........X
0x00000020  71 e1 ff 6f 6d cb a0 2f f6 16 0a 15               q..om../....

_SC_MSDTC

SAC
0x00000000  02 00 00 00                                       ....

L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75
0x00000000  52 53 41 32 48 00 00 00 00 02 00 00 3f 00 00 00   RSA2H.......?...
0x00000010  01 00 01 00 8b 5d 4b f9 38 ab 8c 9e b0 8b 69 1b   .....]K.8.....i.
0x00000020  98 10 60 ae 35 e2 c8 71 cb d9 43 e4 0d 65 07 8d   ..`.5..q..C..e..
0x00000030  6d 19 d8 a2 87 c1 e0 4e 28 41 4d d5 0b ce 68 22   m......N(AM...h"
0x00000040  be 9e 91 93 0b fc 00 57 fa 31 16 6b 20 62 d7 6a   .......W.1.k.b.j
0x00000050  7a 87 67 bc 00 00 00 00 00 00 00 00 53 6d 42 38   z.g.........SmB8
0x00000060  8e fb f4 de ab 93 74 d9 a1 e8 ad de f5 7c 5b f6   ......t......|[.
0x00000070  df b7 20 db ae bd 3d b8 38 02 50 f6 00 00 00 00   ......=.8.P.....
0x00000080  e9 0f 1a 62 31 70 70 90 e0 71 b8 58 3c 9f 81 a0   ...b1pp..q.X<...
0x00000090  1f e6 ff 85 02 87 94 d2 51 0c 8d 31 5f 79 d0 c3   ........Q..1_y..
0x000000a0  00 00 00 00 3f 35 da 1c 5a 35 15 cc 59 75 48 19   ....?5..Z5..YuH.
0x000000b0  d6 1e c2 ae 7e 4b c6 a0 44 df a8 25 0b 73 f1 ed   ....~K..D..%.s..
0x000000c0  e8 c8 e8 b4 00 00 00 00 b9 b3 37 67 47 32 ad 30   ..........7gG2.0
0x000000d0  f6 f5 38 3a c2 ed a5 92 e6 59 2f 32 77 76 20 f2   ..8:.....Y/2wv..
0x000000e0  73 e5 83 6a 6c 42 c1 2c 00 00 00 00 ac 9d ed cc   s..jlB.,........
0x000000f0  c0 db b8 5c 8e e9 57 fb c7 90 58 aa a5 64 3b c5   ...\..W...X..d;.
0x00000100  74 ab 5c e9 31 94 eb 91 04 47 03 98 00 00 00 00   t.\.1....G......
0x00000110  91 8f 2a ac 34 76 56 66 11 ab 8a 56 89 24 48 1b   ..*.4vVf...V.$H.
0x00000120  8f bd d2 dd 3e e1 4a 73 bd 85 7f e5 16 fc b0 88   ....>.Js........
0x00000130  ae 76 4b 4e 43 0b e3 2c 45 6a ee 3b 95 77 89 a7   .vKNC..,Ej.;.w..
0x00000140  a3 fd 4f b1 0f f8 d9 57 d7 25 c8 3f 54 ac bb 44   ..O....W.%.?T..D
0x00000150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170  00 00 00 00 00 00 00 00 00 00 00 00               ............

$MACHINE.ACC
0x00000000  2b 00 41 00 3b 00 64 00 68 00 7a 00 6a 00 25 00   +.A.;.d.h.z.j.%.
0x00000010  6f 00 3c 00 38 00 78 00 70 00 44 00 40 00 2c 00   o.<.8.x.p.D.@.,.
0x00000020  70 00 35 00 76 00 29 00 43 00 3a 00 70 00 32 00   p.5.v.).C.:.p.2.
0x00000030  25 00 3f 00 31 00 4e 00 6b 00 78 00 26 00 35 00   %.?.1.N.k.x.&.5.
0x00000040  4f 00 55 00 21 00 63 00 5b 00 77 00 74 00 35 00   O.U.!.c.[.w.t.5.
0x00000050  42 00 67 00 56 00 27 00 72 00 34 00 70 00 37 00   B.g.V.'.r.4.p.7.
0x00000060  2f 00 6c 00 57 00 63 00 5b 00 60 00 58 00 57 00   /.l.W.c.[.`.X.W.
0x00000070  50 00 70 00 4e 00 2f 00 2e 00 64 00 24 00 49 00   P.p.N./...d.$.I.
0x00000080  2e 00 55 00 62 00 63 00 2d 00 37 00 63 00 20 00   ..U.b.c.-.7.c...
0x00000090  24 00 2d 00 61 00 70 00 28 00 40 00 3f 00 49 00   $.-.a.p.(.@.?.I.
0x000000a0  37 00 53 00 36 00 53 00 44 00 28 00 55 00 2d 00   7.S.6.S.D.(.U.-.
0x000000b0  7a 00 62 00 64 00 51 00 48 00 67 00 54 00 32 00   z.b.d.Q.H.g.T.2.
0x000000c0  26 00 20 00 75 00 5c 00 72 00 67 00 6b 00 28 00   &...u.\.r.g.k.(.
0x000000d0  67 00 61 00 3f 00 79 00 2b 00 47 00 47 00 45 00   g.a.?.y.+.G.G.E.
0x000000e0  2a 00 45 00 5f 00 30 00 2f 00 32 00 51 00 73 00   *.E._.0./.2.Q.s.

_SC_Dnscache

_SC_LmHosts

_SC_ALG

_SC_RpcLocator

_SC_upnphost

G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}
0x00000000  93 19 18 48 e4 9c 0b 46 90 79 b2 e2 60 03 d7 79   ...H...F.y..`..y

L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
0x00000000  80 96 f2 dc 27 18 ce 01                           ....'...

DefaultPassword

NL$KM
0x00000000  b5 17 53 78 5f bb f3 0b fe ab 2e 43 5f 0a b6 8d   ..Sx_......C_...
0x00000010  fd 9d 1f df 6b 9b 67 a6 51 81 ba a0 77 f9 5f f1   ....k.g.Q...w._.
0x00000020  dc cc f9 3c 80 15 8c 16 44 cc 0f 74 c1 7f 8e e4   ...<....D..t....
0x00000030  b6 70 09 d6 af 31 e2 ed b6 c3 02 21 6d 0e c3 8c   .p...1.....!m...

L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
0x00000000  ff 62 37 13 60 5a 8b 2b 4f 0e 28 c4 d8 97 be 54   .b7.`Z.+O.(....T
0x00000010  0e 90 24 1a 4c 91 8d 8a 6d 6b 69 71 53 7e d4 f8   ..$.L...mkiqS~..
0x00000020  b5 95 03 47 4b e3 27 9c 0a 9b 1f ed 9b 51 ed 7c   ...GK.'......Q.|
0x00000030  76 ec 2b 5f 03 5e aa 5a                           v.+_.^.Z

SAI
0x00000000  02 00 00 00                                       ....

Examples of interesting entries:

  • $MACHINE.ACC: has to do with domain authentication, see KB175468
  • DefaultPassword: password used to logon to Windows if auto-logon is enabled
  • NL$KM: secret key used to encrypt cached domain passwords
  • L$RTMTIMEBOMB_[…]: FILETIME giving the date when an unactivated copy of Windows will stop working

Decrypt LSA Secrets.

Credential cache

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin cachedump
Volatility Foundation Volatility Framework 2.6
administrator:00c2bcc2230054581d3551a9fdcf4893:petro-market:petro-market.org
callb:178526e1cb2fdfc36d764595f1ddd0f7:petro-market:petro-market.org

Shellbags

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin shellbags
Volatility Foundation Volatility Framework 2.6
Scanning for registries....
Gathering shellbag items and building path tree...
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU
Last updated: 2012-11-24 18:12:40 UTC+0000
Value   Mru   Entry Type     GUID                                     GUID Description     Folder IDs
------- ----- -------------- ---------------------------------------- -------------------- ----------
0       0     Folder Entry   20d04fe0-3aea-1069-a2d8-08002b30309d     My Computer          EXPLORER, MY_COMPUTER 
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0
Last updated: 2012-11-24 18:12:40 UTC+0000
Value   Mru   Entry Type     Path
------- ----- -------------- ----
0       1     Volume Name    Z:\ 
***************************************************************************

Shellbags: recently accessed folders/files.
Korben Shellbags.

User activity

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin userassist
Volatility Foundation Volatility Framework 2.6
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT 
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Last updated: 2012-11-24 18:12:53 UTC+0000

Subkeys:

Values:

REG_BINARY    UEME_CTLSESSION : Raw Data:
0x00000000  7a 53 6e 0e 03 00 00 00                           zSn.....
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT 
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Last updated: 2012-11-27 01:56:21 UTC+0000

Subkeys:

Values:

REG_BINARY    UEME_CTLSESSION : Raw Data:
0x00000000  93 60 6e 0e 03 00 00 00                           .`n.....

REG_BINARY    UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk : 
ID:             1
Count:          14
Last updated:   2012-11-03 22:53:49 UTC+0000
Raw Data:
0x00000000  01 00 00 00 13 00 00 00 00 f7 81 16 16 ba cd 01   ................

REG_BINARY    UEME_RUNPIDL:%csidl2%\MSN Explorer.lnk : 
ID:             1
Count:          13
Last updated:   2012-11-03 22:53:49 UTC+0000
Raw Data:
0x00000000  01 00 00 00 12 00 00 00 00 f7 81 16 16 ba cd 01   ................

REG_BINARY    UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk : 
ID:             1
Count:          12
Last updated:   2012-11-03 22:53:49 UTC+0000
Raw Data:
0x00000000  01 00 00 00 11 00 00 00 00 f7 81 16 16 ba cd 01   ................
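Decoding one of the UEME_RUNPIDL entries above by hand, as an added example that is not part of the article or of Volatility: the value name is stored ROT13-encoded in NTUSER.DAT, and on XP the 16 raw bytes are a session id, a run counter (stored with an offset of 5, which is why raw 0x12 prints as Count 13) and a FILETIME. The ROT13-encoded name is constructed; the raw bytes are taken from the "%csidl2%\MSN Explorer.lnk" entry above.

```python
"""Decoding a Windows XP UserAssist entry as shown by Volatility's `userassist`.

Added example, not code from the article or from Volatility. The session id,
counter offset of 5 and FILETIME layout are the documented XP UserAssist
format; the encoded value name below is constructed for the demonstration.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # XP starts the run counter at 5, Volatility subtracts it too

# Constructed sample: the name as stored on disk (ROT13), raw data copied from
# the article's "%csidl2%\MSN Explorer.lnk" entry (ID 1, Count 13).
SAMPLE_NAME = r"HRZR_EHACVQY:%pfvqy2%\ZFA Rkcybere.yax"
SAMPLE_DATA = bytes.fromhex("01000000" "12000000" "00f7811616bacd01")


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(raw_name):
    """Undo the ROT13 applied to UserAssist value names (UEME_RUNPIDL, UEME_RUNPATH, ...)."""
    return codecs.decode(raw_name, "rot_13")


def parse_xp_entry(raw_name, data):
    """Return (decoded name, session id, run count, last run datetime or None).

    Only the 16-byte per-program entries are handled; UEME_CTLSESSION is 8 bytes
    and has a different meaning, so it is rejected here.
    """
    if len(data) != 16:
        raise ValueError("XP UserAssist entry must be 16 bytes, got %d" % len(data))
    session, raw_count, ft = struct.unpack("<IIQ", data)
    count = raw_count - XP_COUNT_OFFSET if raw_count >= XP_COUNT_OFFSET else raw_count
    last_run = filetime_to_datetime(ft) if ft else None
    return decode_name(raw_name), session, count, last_run


if __name__ == "__main__":
    name, session, count, last_run = parse_xp_entry(SAMPLE_NAME, SAMPLE_DATA)
    print(name)
    print("ID: %d  Count: %d  Last updated: %s" % (
        session, count, last_run.strftime("%Y-%m-%d %H:%M:%S UTC+0000")))
```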

Registry dump

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dumpregistry -D dump
Volatility Foundation Volatility Framework 2.6
**************************************************
Writing out registry: registry.0xe1968720.NTUSERDAT.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1837b60.NTUSERDAT.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1467b60.default.reg

**************************************************
**************************************************
Writing out registry: registry.0xe102e008.no_name.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1903008.UsrClassdat.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1035b60.system.reg

Physical layer returned None for index 3000, filling with NULL
Physical layer returned None for index 4000, filling with NULL
Physical layer returned None for index e000, filling with NULL
Physical layer returned None for index 10000, filling with NULL
Physical layer returned None for index 11000, filling with NULL
Physical layer returned None for index 12000, filling with NULL
Physical layer returned None for index 1c000, filling with NULL
Physical layer returned None for index 1d000, filling with NULL
Physical layer returned None for index 1e000, filling with NULL
Physical layer returned None for index 31000, filling with NULL
Physical layer returned None for index 32000, filling with NULL
Physical layer returned None for index 34000, filling with NULL
Physical layer returned None for index 35000, filling with NULL
Physical layer returned None for index 37000, filling with NULL
Physical layer returned None for index 3a000, filling with NULL
Physical layer returned None for index 3b000, filling with NULL
Physical layer returned None for index 3e000, filling with NULL
Physical layer returned None for index 46000, filling with NULL
Physical layer returned None for index 47000, filling with NULL
Physical layer returned None for index 48000, filling with NULL
Physical layer returned None for index 4a000, filling with NULL
Physical layer returned None for index 4f000, filling with NULL
Physical layer returned None for index 50000, filling with NULL
Physical layer returned None for index 51000, filling with NULL
Physical layer returned None for index 5a000, filling with NULL
Physical layer returned None for index ba000, filling with NULL
Physical layer returned None for index c5000, filling with NULL
Physical layer returned None for index c6000, filling with NULL
Physical layer returned None for index c7000, filling with NULL
Physical layer returned None for index 167000, filling with NULL
Physical layer returned None for index 168000, filling with NULL
Physical layer returned None for index 16a000, filling with NULL
Physical layer returned None for index 16b000, filling with NULL
Physical layer returned None for index 16c000, filling with NULL
Physical layer returned None for index 16d000, filling with NULL
Physical layer returned None for index 1a7000, filling with NULL
Physical layer returned None for index 1a9000, filling with NULL
Physical layer returned None for index 1aa000, filling with NULL
Physical layer returned None for index 1ab000, filling with NULL
Physical layer returned None for index 1ae000, filling with NULL
Physical layer returned None for index 1b4000, filling with NULL
Physical layer returned None for index 1b6000, filling with NULL
Physical layer returned None for index 1b7000, filling with NULL
Physical layer returned None for index 1c3000, filling with NULL
Physical layer returned None for index 1f0000, filling with NULL
Physical layer returned None for index 24a000, filling with NULL
Physical layer returned None for index 257000, filling with NULL
Physical layer returned None for index 258000, filling with NULL
Physical layer returned None for index 259000, filling with NULL
Physical layer returned None for index 25a000, filling with NULL
Physical layer returned None for index 25b000, filling with NULL
Physical layer returned None for index 25f000, filling with NULL
Physical layer returned None for index 260000, filling with NULL
Physical layer returned None for index 273000, filling with NULL
Physical layer returned None for index 284000, filling with NULL
Physical layer returned None for index 288000, filling with NULL
Physical layer returned None for index 289000, filling with NULL
Physical layer returned None for index 296000, filling with NULL
Physical layer returned None for index 297000, filling with NULL
Physical layer returned None for index 298000, filling with NULL
Physical layer returned None for index 299000, filling with NULL
Physical layer returned None for index 29a000, filling with NULL
Physical layer returned None for index 29b000, filling with NULL
Physical layer returned None for index 2b2000, filling with NULL
Physical layer returned None for index 2b7000, filling with NULL
Physical layer returned None for index 2ca000, filling with NULL
Physical layer returned None for index 2d4000, filling with NULL
Physical layer returned None for index 2f0000, filling with NULL
Physical layer returned None for index 2f1000, filling with NULL
Physical layer returned None for index 2f3000, filling with NULL
**************************************************
**************************************************
Writing out registry: registry.0xe16ab008.NTUSERDAT.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1461008.SAM.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1460b60.software.reg

**************************************************
**************************************************
Writing out registry: registry.0xe183b008.UsrClassdat.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1451758.SECURITY.reg

**************************************************
**************************************************
Writing out registry: registry.0xe1345b60.no_name.reg

**************************************************
**************************************************
Writing out registry: registry.0xe169c008.UsrClassdat.reg

You can use xxd to display the contents of the .reg files.
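Before reading a dumped hive with xxd or a registry parser, it is worth checking how much of it actually survived: every "Physical layer returned None for index ..., filling with NULL" line above is a 4 KiB page that was not resident in the image and was written out as zeros. The following added example (my own code, not Volatility's and not part of the original post) validates the REGF base block of a dumped hive (signature, sequence numbers, checksum) and then walks the hive bins, counting zero-filled pages. The hive bytes it checks are constructed inline to make the example self-contained; the field offsets are those of the standard REGF/hbin layout.

```python
"""Sanity-check a registry hive written by Volatility's dumpregistry.

Added example, not part of Volatility. It validates the 4 KiB REGF base
block, then walks the hive bins ("hbin" blocks) that follow and counts
pages that are entirely zero: that is what the dumper emits for pages
which were paged out of the captured memory image.
"""
import struct

PAGE = 0x1000


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 DWORDs preceding the checksum field at offset 0x1FC."""
    cs = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        cs ^= dword
    # The format never stores 0 or 0xFFFFFFFF as a checksum.
    if cs == 0xFFFFFFFF:
        cs = 0xFFFFFFFE
    elif cs == 0:
        cs = 1
    return cs


def check_hive(data: bytes) -> dict:
    """Return a small report on a dumped hive image."""
    if len(data) < PAGE:
        raise ValueError("file shorter than one base block")
    base = data[:PAGE]
    seq1, seq2 = struct.unpack_from("<II", base, 4)
    stored_cs = struct.unpack_from("<I", base, 0x1FC)[0]
    report = {
        "signature_ok": base[:4] == b"regf",
        "checksum_ok": stored_cs == regf_checksum(base),
        # Equal sequence numbers mean the hive was not mid-write when captured.
        "sequence_consistent": seq1 == seq2,
        "hbins_size": struct.unpack_from("<I", base, 0x28)[0],
        # UTF-16LE file name field (64 bytes) at offset 0x30.
        "name": base[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0],
    }

    hbins = zeroed = unknown = 0
    off = PAGE
    while off + PAGE <= len(data):
        page = data[off:off + PAGE]
        if page[:4] == b"hbin":
            hbins += 1
            size = struct.unpack_from("<I", page, 8)[0]  # hbin size, multiple of PAGE
            off += max(size, PAGE)  # guard against a zero size looping forever
        elif not any(page):
            zeroed += 1  # page "filled with NULL" by the dumper
            off += PAGE
        else:
            unknown += 1  # neither an hbin header nor a blank page
            off += PAGE
    report.update(hbins=hbins, zero_pages=zeroed, unknown_pages=unknown)
    return report


def build_sample_hive() -> bytes:
    """Constructed sample: base block + one hbin + one zero-filled (missing) page."""
    base = bytearray(PAGE)
    base[:4] = b"regf"
    struct.pack_into("<II", base, 4, 7, 7)               # primary / secondary sequence numbers
    struct.pack_into("<IIII", base, 0x14, 1, 3, 0, 1)    # major, minor, file type, file format
    struct.pack_into("<I", base, 0x24, 0x20)             # root cell offset
    struct.pack_into("<I", base, 0x28, 2 * PAGE)         # hive bins data size
    base[0x30:0x30 + 20] = "sample.dat".encode("utf-16-le")
    struct.pack_into("<I", base, 0x1FC, regf_checksum(bytes(base)))
    hbin = bytearray(PAGE)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, PAGE)            # offset from first hbin, size
    missing = bytes(PAGE)                                # what "filling with NULL" produces
    return bytes(base) + bytes(hbin) + missing


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive()
    for key, value in check_hive(data).items():
        print("%-20s %s" % (key, value))
```

Run it against one of the `registry.0x....reg` files produced above; a large `zero_pages` count relative to `hbins` tells you that keys missing from the dump were simply not in memory, not that they never existed on the machine.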

Memory mapping

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin memmap
Volatility Foundation Volatility Framework 2.6
System pid:      4
Virtual    Physical         Size DumpFileOffset
---------- ---------- ---------- --------------
0x00010000 0x02725000     0x1000            0x0
0x00011000 0x02726000     0x1000         0x1000
0x00012000 0x02727000     0x1000         0x2000
0x00013000 0x02708000     0x1000         0x3000
0x00014000 0x02709000     0x1000         0x4000
0x00015000 0x0270a000     0x1000         0x5000
0x00016000 0x0270b000     0x1000         0x6000
0x00017000 0x0270c000     0x1000         0x7000
0x00018000 0x0270d000     0x1000         0x8000
0x00019000 0x0270e000     0x1000         0x9000
0x0001a000 0x0270f000     0x1000         0xa000
0x0001b000 0x02710000     0x1000         0xb000
0x0001c000 0x02711000     0x1000         0xc000
0x0001d000 0x02712000     0x1000         0xd000
0x0001e000 0x02713000     0x1000         0xe000
0x0001f000 0x02714000     0x1000         0xf000
0x00020000 0x02715000     0x1000        0x10000
0x00021000 0x02716000     0x1000        0x11000
--SNiP--
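The memmap table is what lets you relate a virtual address seen elsewhere (a handle, a VAD, a yarascan hit) to the file written by memdump: each row gives one page's virtual address, its physical address and the offset at which that page lands in the process dump (DumpFileOffset). The following added example (my own code, not Volatility's) parses that table and resolves an arbitrary virtual address to its physical address and dump-file offset, then reads bytes across page boundaries from the memdump file. The sample table is a constructed subset of the output above with some pages left out so that there is a hole to detect.

```python
"""Resolve virtual addresses through Volatility's memmap output.

Added example, not Volatility's own code. Expects the text produced by
`vol.py ... memmap -p <pid>` and the file produced by `memdump -p <pid>`.
"""
import bisect

# Constructed sample: a subset of the memmap rows shown above (0x12000 and
# 0x14000-0x20000 omitted on purpose so that unmapped addresses can be tested).
SAMPLE_MEMMAP = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical         Size DumpFileOffset
---------- ---------- ---------- --------------
0x00010000 0x02725000     0x1000            0x0
0x00011000 0x02726000     0x1000         0x1000
0x00013000 0x02708000     0x1000         0x3000
0x00021000 0x02716000     0x1000        0x11000
"""


def parse_memmap(text: str) -> list:
    """Return (virtual, physical, size, dump_offset) tuples sorted by virtual address."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].startswith("0x"):
            continue  # banner, header or separator line
        entries.append(tuple(int(p, 16) for p in parts))
    entries.sort()
    return entries


def resolve(entries: list, vaddr: int):
    """Map a virtual address to (physical, dump_offset), or None if not mapped."""
    starts = [e[0] for e in entries]
    i = bisect.bisect_right(starts, vaddr) - 1
    if i < 0:
        return None
    virt, phys, size, dump_off = entries[i]
    if vaddr >= virt + size:
        return None  # address falls in a hole between mapped pages
    delta = vaddr - virt
    return phys + delta, dump_off + delta


def read_virtual(dump: bytes, entries: list, vaddr: int, length: int) -> bytes:
    """Read `length` bytes at `vaddr` from a memdump image, page by page."""
    out = bytearray()
    while len(out) < length:
        hit = resolve(entries, vaddr)
        if hit is None:
            raise ValueError("0x%x is not mapped in this memmap" % vaddr)
        _, off = hit
        # Never read past the end of the current 4 KiB page in one go.
        chunk = min(length - len(out), 0x1000 - (vaddr & 0xFFF))
        out += dump[off:off + chunk]
        vaddr += chunk
    return bytes(out)


if __name__ == "__main__":
    entries = parse_memmap(SAMPLE_MEMMAP)
    for va in (0x13ABC, 0x12000, 0x21FFF):
        print("0x%08x -> %s" % (va, resolve(entries, va)))
```

To use it on real data, feed `parse_memmap` the saved output of `memmap -p 556` and `read_virtual` the contents of `dump/556.dmp`; note that memdump writes only the pages memmap lists, so a virtual address that memmap does not show cannot be read from the dump at all.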

Process memory dump

 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin memdump -p 556 -D dump
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing ctfmon.exe [   556] to 556.dmp

The output directory, here dump, must be created beforehand.
If no PID is given, every process is dumped.

Process executable dump

 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin procdump -p 556 -D dump
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x822408d0 0x00400000 ctfmon.exe           OK: executable.556.exe

Event log dump

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin evtlogs -D dump
Volatility Foundation Volatility Framework 2.6
Parsed data sent to internet.txt
Parsed data sent to appevent.txt
Parsed data sent to sysevent.txt
Parsed data sent to secevent.txt

The --save-evt option also dumps the event logs in raw format.

IE history

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 284 explorer.exe
Cache type "DEST" at 0xdcb69
Last modified: 2012-11-26 17:01:53 UTC+0000
Last accessed: 2012-11-26 23:01:54 UTC+0000
URL: callb@http://58.64.132.8/download/Symantec-1.43-1.exe

Process timeline

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin timeliner
Volatility Foundation Volatility Framework 2.6
2012-11-27 01:57:28 UTC+0000|[LIVE RESPONSE]| (System time)|
2012-11-26 22:03:29 UTC+0000|[PROCESS]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[PROCESS LastTrimTime]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[Handle (Key)]| MACHINE| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-24 18:05:47 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\CLASSES| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-27 00:48:19 UTC+0000|[Handle (Key)]| USER\.DEFAULT| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-23 16:26:23 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-23 16:26:23 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPT32CHAIN| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPTNET| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 15:49:58 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\SCLGNTFY| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:30 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\CONTROL\LSA| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
--SNiP--

The output is not necessarily in chronological order.
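Since timeliner groups records by source rather than by time, the practical step is to sort them yourself and, usually, narrow them to a window around the event of interest. The following added example (my own code, not part of Volatility or of the original post) parses the pipe-separated records, sorts them chronologically, and filters on a start/end time given as plain "YYYY-MM-DD HH:MM:SS" strings (taken as UTC). The input is a constructed subset of the records shown above.

```python
"""Sort and window Volatility timeliner output.

Added example, not Volatility's own code. Each timeliner record is
"<timestamp>|[<source>]|<fields>...", where the timestamp looks like
"2012-11-27 01:57:28 UTC+0000".
"""
from datetime import datetime, timezone

# Constructed sample: a subset of the timeliner records shown above.
SAMPLE_TIMELINE = r"""
Volatility Foundation Volatility Framework 2.6
2012-11-27 01:57:28 UTC+0000|[LIVE RESPONSE]| (System time)|
2012-11-26 22:03:29 UTC+0000|[PROCESS]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-24 18:05:47 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\CLASSES| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-27 00:48:19 UTC+0000|[Handle (Key)]| USER\.DEFAULT| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPT32CHAIN| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
"""


def parse_ts(s: str) -> datetime:
    """Parse a timeliner timestamp, or a bare 'YYYY-MM-DD HH:MM:SS' taken as UTC."""
    s = s.strip()
    if "UTC" in s:
        return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC%z")
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_timeline(text: str) -> list:
    """Return (datetime, source, detail) tuples in the order timeliner printed them."""
    records = []
    for line in text.splitlines():
        if "|" not in line:
            continue  # banner or blank line
        ts, source, *rest = line.split("|")
        records.append((parse_ts(ts), source.strip(), "|".join(rest).strip()))
    return records


def sorted_timeline(text: str, start: str = None, end: str = None) -> list:
    """Chronologically sorted records, optionally restricted to [start, end]."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    records = [r for r in parse_timeline(text)
               if (lo is None or r[0] >= lo) and (hi is None or r[0] <= hi)]
    return sorted(records, key=lambda r: r[0])


if __name__ == "__main__":
    for when, source, detail in sorted_timeline(SAMPLE_TIMELINE, start="2012-11-26 00:00:00"):
        print(when.isoformat(), source, detail)
```

Point it at the saved output of `timeliner` (redirect the command to a file first; it is large). Volatility 2.6's timeliner can also emit mactime body format with `--output=body`, which the usual mactime tooling then sorts.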

YARA

What is YARA? YARA is a tool widely used in malware analysis. You can write rule files or patterns to search for malware.

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin yarascan -Y http 
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process csrss.exe Pid 604
0x008105df  68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69   https://www.veri
0x008105ef  73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29   sign.com/rpa.(c)
0x008105ff  30 31 31 27 30 25 06 03 55 04 03 13 1e 56 65 72   011'0%..U....Ver
0x0081060f  69 53 69 67 6e 20 54 69 6d 65 20 53 74 61 6d 70   iSign.Time.Stamp
0x0081061f  69 6e 67 20 53 65 72 76 69 63 65 30 82 01 22 30   ing.Service0.."0
0x0081062f  0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82   ...*.H..........
0x0081063f  01 0f 00 30 82 01 0a 02 82 01 01 00 c0 7a 61 87   ...0.........za.
0x0081064f  eb b2 a7 03 63 1b 2b 1a 61 de 80 b7 15 1d a0 8b   ....c.+.a.......
0x0081065f  90 3d bb 27 92 84 14 39 eb 85 ce 29 92 06 66 48   .=.'...9...)..fH
0x0081066f  a4 03 4f 8d e8 4f a7 f0 af 5e d1 2f 19 c7 91 f1   ..O..O...^./....
0x0081067f  b5 9e 7b 91 21 ce e9 ff e3 4e f0 fc af 95 58 b8   ..{.!....N....X.
0x0081068f  63 2d e6 8e f6 29 18 cd 70 8e 50 c3 ed 96 bb 40   c-...)..p.P....@
0x0081069f  db be 25 e8 42 55 d6 f6 85 f2 06 e7 8b 99 1c 31   ..%.BU.........1
0x008106af  f3 03 0f d4 4c 9c 24 2a dc 1b 1b 8f 82 f3 b0 ef   ....L.$*........
0x008106bf  a7 4d e3 14 a7 e0 8f d6 c7 68 c2 61 58 a9 72 d4   .M.......h.aX.r.
0x008106cf  f8 30 48 4f d9 2f 6f 63 20 d9 89 ca 82 7b c2 4b   .0HO./oc.....{.K
Rule: r1
Owner: Process csrss.exe Pid 604
0x00810774  68 74 74 70 3a 2f 2f 6f 63 73 70 2e 76 65 72 69   http://ocsp.veri
0x00810784  73 69 67 6e 2e 63 6f 6d 2f 6f 63 73 70 2f 73 74   sign.com/ocsp/st
0x00810794  61 74 75 73 30 09 06 03 55 1d 13 04 02 30 00 30   atus0...U....0.0
0x008107a4  44 06 03 55 1d 20 04 3d 30 3b 30 39 06 0b 60 86   D..U...=0;09..`.
0x008107b4  48 01 86 f8 45 01 07 01 01 30 2a 30 28 06 08 2b   H...E....0*0(..+
0x008107c4  06 01 05 05 07 02 01 16 1c 68 74 74 70 73 3a 2f   .........https:/
0x008107d4  2f 77 77 77 2e 76 65 72 69 73 69 67 6e 2e 63 6f   /www.verisign.co
0x008107e4  6d 2f 72 70 61 30 13 06 03 55 1d 25 04 0c 30 0a   m/rpa0...U.%..0.
0x008107f4  06 08 2b 06 01 05 05 07 03 08 30 0b 06 03 55 1d   ..+.......0...U.
0x00810804  0f 04 04 03 02 06 c0 30 0d 06 09 2a 86 48 86 f7   .......0...*.H..
0x00810814  0d 01 01 04 05 00 03 81 81 00 2d f3 4f 63 60 2c   ..........-.Oc`,
0x00810824  18 da f5 24 0f 52 b3 0c eb b3 bc 67 85 c2 23 ed   ...$.R.....g..#.
0x00810834  8f 46 0d cf 1a 4d be f3 7c 7a 20 30 32 18 68 8b   .F...M..|z.02.h.
0x00810844  92 bb 32 99 f0 93 b8 3b 15 06 27 7b 3e 02 06 00   ..2....;..'{>...
0x00810854  a4 21 92 84 13 0a c5 98 e5 40 57 c5 05 25 e8 af   .!.......@W..%..
0x00810864  af 11 6a a9 e5 3b cb e9 23 f6 94 29 5d 40 55 f3   ..j..;..#..)]@U.
--SNiP--

With -Y you search for a pattern; with -y you supply a rule file.

Other

The list of options given here is far from complete; refer to the binary's help and/or the official online documentation.
Here is a link offering a list of Volatility commands for malware hunting.

Appendix

Volatility site
Memory dump samples for the various OSes used in this post
Volatility: command reference