Volatility

Volatility is an open-source tool for memory dump analysis; it is a framework written in Python.
It can analyse memory dumps from Windows/Mac/Linux/Android, and the framework itself runs on Windows/Mac/Linux.
A whole range of plugins can also be added to it.

Environment

We will not cover installing the framework; see the official documentation for that.
We will use the dumps from the "Art of Memory Forensics Images" archive; the link is given in the appendix. Volatility version 2.6 is the one used here.

On to the commands

Determining the profile of the dump

This is the first thing to do, because this profile will be used by every other command:

$ ./vol.py -f /tmp/sample001.bin imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/tmp/sample001.bin)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x8054cde0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-11-27 01:57:28 UTC+0000
     Image local date and time : 2012-11-26 19:57:28 -0600

Here it suggests two profiles, WinXPSP2x86 and WinXPSP3x86, and it ran its tests with WinXPSP2x86, so that is the profile we will use.

Another way, with kdbgscan

./vol.py -f /tmp/sample001.bin kdbgscan
Volatility Foundation Volatility Framework 2.6

Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (21 processes)
PsLoadedModuleList            : 0x8055b1c0 (96 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)


Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (21 processes)
PsLoadedModuleList            : 0x8055b1c0 (96 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

Here it finds two structures that are identical (compare the offsets); sometimes the offsets differ.
In that case, take the one whose process and module counts are not 0. Some plugins have trouble with this, and you then have to say which offset to use by adding --kdbg=OFFSET.
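As an added example (not code from the page or from the Volatility project), the selection rule just described can be automated over kdbgscan's text output: parse each "Instantiating KDBG" block, discard candidates whose process or module counts are 0, and build the --kdbg switch for the survivor. The sample below is constructed: the first block is copied from the output above, the second is a made-up stale candidate with zero counts, added only to show the rule firing.

```python
import re

# Constructed sample in the shape of the kdbgscan output above. The first block is the
# real one from the page; the second is a made-up stale candidate (zero processes and
# modules, kernel base not matching an MZ header) to show the selection rule.
KDBGSCAN_OUTPUT = """\
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (21 processes)
PsLoadedModuleList            : 0x8055b1c0 (96 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)


Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054a000
Offset (P)                    : 0x54a000
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
PsActiveProcessHead           : 0x80561358 (0 processes)
PsLoadedModuleList            : 0x8055b1c0 (0 modules)
KernelBase                    : 0x804d7000 (Matches MZ: False)
"""


def parse_kdbgscan(text):
    """Turn each 'Instantiating KDBG' block into a dict of the fields we decide on."""
    candidates = []
    for chunk in text.split("Instantiating KDBG using:")[1:]:
        fields = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()

        def count(key, noun):
            # '(21 processes)' / '(96 modules)' -> 21 / 96, and 0 when absent
            m = re.search(r"\((\d+) %s\)" % noun, fields.get(key, ""))
            return int(m.group(1)) if m else 0

        candidates.append({
            "offset": int(fields["Offset (V)"], 16),
            "profile": fields.get("Profile suggestion (KDBGHeader)", ""),
            "processes": count("PsActiveProcessHead", "processes"),
            "modules": count("PsLoadedModuleList", "modules"),
            "owner_tag_ok": fields.get("KDBG owner tag check") == "True",
            "kernel_mz_ok": "Matches MZ: True" in fields.get("KernelBase", ""),
        })
    return candidates


def select_kdbg(candidates):
    """The page's rule: keep a KDBG whose process and module counts are not 0.
    Among several such candidates, prefer one that also passed the owner-tag and
    kernel MZ checks, then the one that walked the most objects."""
    usable = [c for c in candidates if c["processes"] > 0 and c["modules"] > 0]
    if not usable:
        return None
    usable.sort(key=lambda c: (c["owner_tag_ok"], c["kernel_mz_ok"],
                               c["processes"] + c["modules"]), reverse=True)
    return usable[0]


def kdbg_argument(candidate):
    """The switch that pins a plugin to that structure, e.g. '--kdbg=0x8054cde0'."""
    return "--kdbg=0x%x" % candidate["offset"]


if __name__ == "__main__":
    best = select_kdbg(parse_kdbgscan(KDBGSCAN_OUTPUT))
    print(best["profile"], kdbg_argument(best))
```

Feed it the real kdbgscan output of a dump and the printed switch is what you append to the later commands when the default KDBG gives a plugin empty or odd results.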

Here are two links for more information:

Process list

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     51      271 ------      0
0x821841c8 smss.exe                356      4      3       19 ------      0 2012-11-26 22:03:28 UTC+0000
0x821b0020 csrss.exe               604    356     12      351      0      0 2012-11-26 22:03:29 UTC+0000
0x82189da0 winlogon.exe            628    356     18      653      0      0 2012-11-26 22:03:29 UTC+0000
0x82194650 services.exe            680    628     15      243      0      0 2012-11-26 22:03:30 UTC+0000
0x82244020 lsass.exe               692    628     22      407      0      0 2012-11-26 22:03:30 UTC+0000
0x8219e2c8 svchost.exe             852    680     14      187      0      0 2012-11-26 22:03:31 UTC+0000
0x82192b10 svchost.exe             940    680      9      258      0      0 2012-11-26 22:03:31 UTC+0000
0x820b3da0 svchost.exe            1024    680     76     1645      0      0 2012-11-26 22:03:32 UTC+0000
0x821a62e0 svchost.exe            1068    680      5       81      0      0 2012-11-26 22:03:32 UTC+0000
0x821a3c10 svchost.exe            1116    680     14      248      0      0 2012-11-26 22:03:33 UTC+0000
0x822e9700 spoolsv.exe            1348    680     10      105      0      0 2012-11-26 22:03:34 UTC+0000
0x8203c020 alg.exe                1888    680      6      105      0      0 2012-11-26 22:03:35 UTC+0000
0x8204f020 explorer.exe            284    244      9      372      0      0 2012-11-26 22:03:58 UTC+0000
0x82226650 msmsgs.exe              548    284      3      204      0      0 2012-11-26 22:04:03 UTC+0000
0x822408d0 ctfmon.exe              556    284      1       75      0      0 2012-11-26 22:04:03 UTC+0000
0x82045da0 wuauclt.exe            1628   1024      3      142      0      0 2012-11-26 22:04:43 UTC+0000
0x821feda0 msimn.exe              1984    284      7      359      0      0 2012-11-26 22:06:33 UTC+0000
0x82049690 wc.exe                  364   1024      1       27      0      0 2012-11-27 01:30:00 UTC+0000
0x822d0828 cmd.exe                1796    284      1       33      0      0 2012-11-27 01:56:21 UTC+0000
0x820b13b8 mdd.exe                 244   1796      1       24      0      0 2012-11-27 01:57:28 UTC+0000

or

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c8830:System                                      4      0     51    271 1970-01-01 00:00:00 UTC+0000
. 0x821841c8:smss.exe                                 356      4      3     19 2012-11-26 22:03:28 UTC+0000
.. 0x82189da0:winlogon.exe                            628    356     18    653 2012-11-26 22:03:29 UTC+0000
... 0x82194650:services.exe                           680    628     15    243 2012-11-26 22:03:30 UTC+0000
.... 0x820b3da0:svchost.exe                          1024    680     76   1645 2012-11-26 22:03:32 UTC+0000
..... 0x82045da0:wuauclt.exe                         1628   1024      3    142 2012-11-26 22:04:43 UTC+0000
..... 0x82049690:wc.exe                               364   1024      1     27 2012-11-27 01:30:00 UTC+0000
.... 0x8203c020:alg.exe                              1888    680      6    105 2012-11-26 22:03:35 UTC+0000
.... 0x821a62e0:svchost.exe                          1068    680      5     81 2012-11-26 22:03:32 UTC+0000
.... 0x822e9700:spoolsv.exe                          1348    680     10    105 2012-11-26 22:03:34 UTC+0000
.... 0x82192b10:svchost.exe                           940    680      9    258 2012-11-26 22:03:31 UTC+0000
.... 0x821a3c10:svchost.exe                          1116    680     14    248 2012-11-26 22:03:33 UTC+0000
.... 0x8219e2c8:svchost.exe                           852    680     14    187 2012-11-26 22:03:31 UTC+0000
... 0x82244020:lsass.exe                              692    628     22    407 2012-11-26 22:03:30 UTC+0000
.. 0x821b0020:csrss.exe                               604    356     12    351 2012-11-26 22:03:29 UTC+0000
 0x8204f020:explorer.exe                              284    244      9    372 2012-11-26 22:03:58 UTC+0000
. 0x82226650:msmsgs.exe                               548    284      3    204 2012-11-26 22:04:03 UTC+0000
. 0x822d0828:cmd.exe                                 1796    284      1     33 2012-11-27 01:56:21 UTC+0000
.. 0x820b13b8:mdd.exe                                 244   1796      1     24 2012-11-27 01:57:28 UTC+0000
. 0x821feda0:msimn.exe                               1984    284      7    359 2012-11-26 22:06:33 UTC+0000
. 0x822408d0:ctfmon.exe                               556    284      1     75 2012-11-26 22:04:03 UTC+0000

With psscan

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000203c020 alg.exe            1888    680 0x0903e000 2012-11-26 22:03:35 UTC+0000
0x0000000002045da0 wuauclt.exe        1628   1024 0x0d76d000 2012-11-26 22:04:43 UTC+0000
0x0000000002049690 wc.exe              364   1024 0x1441f000 2012-11-27 01:30:00 UTC+0000
0x000000000204f020 explorer.exe        284    244 0x0a016000 2012-11-26 22:03:58 UTC+0000
0x00000000020b13b8 mdd.exe             244   1796 0x172db000 2012-11-27 01:57:28 UTC+0000
0x00000000020b3da0 svchost.exe        1024    680 0x07401000 2012-11-26 22:03:32 UTC+0000
0x00000000020d0d20 services.exe        684    640 0x0923b000 2012-11-23 16:48:06 UTC+0000
0x00000000021841c8 smss.exe            356      4 0x05ae4000 2012-11-26 22:03:28 UTC+0000
0x0000000002189da0 winlogon.exe        628    356 0x0682e000 2012-11-26 22:03:29 UTC+0000
0x0000000002192b10 svchost.exe         940    680 0x0725b000 2012-11-26 22:03:31 UTC+0000
0x0000000002194650 services.exe        680    628 0x06afb000 2012-11-26 22:03:30 UTC+0000
--SNiP--

Note: several commands can give the same or a similar result; the difference, which is not visible in the output, is how the information is retrieved (they do not scan the same structures).
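That difference is exactly what makes the two outputs worth cross-checking: pslist walks the linked list of active processes, psscan carves _EPROCESS objects out of pool memory, so psscan can return processes that have exited or that were unlinked from the list. The script below (an added example, not code from the page or from Volatility) parses constructed subsets of the pslist and psscan output shown above, reports what the scanner sees but the list does not, and flags a child whose recorded parent started after it, the sign of a reused parent PID. Column layouts are those of Volatility 2.6 as printed on this page.

```python
import re
from datetime import datetime

# Constructed samples: subsets of the pslist and psscan output shown above, headers kept.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     51      271 ------      0
0x821841c8 smss.exe                356      4      3       19 ------      0 2012-11-26 22:03:28 UTC+0000
0x821b0020 csrss.exe               604    356     12      351      0      0 2012-11-26 22:03:29 UTC+0000
0x82189da0 winlogon.exe            628    356     18      653      0      0 2012-11-26 22:03:29 UTC+0000
0x82194650 services.exe            680    628     15      243      0      0 2012-11-26 22:03:30 UTC+0000
0x82244020 lsass.exe               692    628     22      407      0      0 2012-11-26 22:03:30 UTC+0000
0x820b3da0 svchost.exe            1024    680     76     1645      0      0 2012-11-26 22:03:32 UTC+0000
0x8204f020 explorer.exe            284    244      9      372      0      0 2012-11-26 22:03:58 UTC+0000
0x822408d0 ctfmon.exe              556    284      1       75      0      0 2012-11-26 22:04:03 UTC+0000
0x82049690 wc.exe                  364   1024      1       27      0      0 2012-11-27 01:30:00 UTC+0000
0x822d0828 cmd.exe                1796    284      1       33      0      0 2012-11-27 01:56:21 UTC+0000
0x820b13b8 mdd.exe                 244   1796      1       24      0      0 2012-11-27 01:57:28 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002049690 wc.exe              364   1024 0x1441f000 2012-11-27 01:30:00 UTC+0000
0x000000000204f020 explorer.exe        284    244 0x0a016000 2012-11-26 22:03:58 UTC+0000
0x00000000020b13b8 mdd.exe             244   1796 0x172db000 2012-11-27 01:57:28 UTC+0000
0x00000000020d0d20 services.exe        684    640 0x0923b000 2012-11-23 16:48:06 UTC+0000
0x00000000021841c8 smss.exe            356      4 0x05ae4000 2012-11-26 22:03:28 UTC+0000
0x0000000002194650 services.exe        680    628 0x06afb000 2012-11-26 22:03:30 UTC+0000
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000"
# pslist row: offset name pid ppid thds hnds sess wow64 [start [exit]]
PSLIST_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\S+\s+\d+(?:\s+(" + TS + "))?")
# psscan row: offset name pid ppid pdb created [exited]
PSSCAN_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+\s+(" + TS + ")")


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC+0000") if value else None


def parse_pslist(text):
    """PID -> {name, ppid, start} for the processes linked in PsActiveProcessHead."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m.group(3))] = {"name": m.group(2), "ppid": int(m.group(4)),
                                      "start": parse_time(m.group(5))}
    return procs


def parse_psscan(text):
    """One dict per _EPROCESS the pool scanner found, linked or not."""
    rows = []
    for line in text.splitlines():
        m = PSSCAN_ROW.match(line)
        if m:
            rows.append({"name": m.group(2), "pid": int(m.group(3)),
                         "ppid": int(m.group(4)), "start": parse_time(m.group(5))})
    return rows


def scan_only(pslist, psscan):
    """Processes psscan sees but pslist does not: exited objects still sitting in the
    pool, or a process deliberately unlinked from the active list."""
    listed = {(pid, p["name"]) for pid, p in pslist.items()}
    return [r for r in psscan if (r["pid"], r["name"]) not in listed]


def parent_anomalies(pslist):
    """Flag a process whose parent is gone, or whose parent started after it
    (the parent PID has since been reused by a newer process)."""
    findings = []
    for pid, p in pslist.items():
        if p["ppid"] == 0:
            continue
        parent = pslist.get(p["ppid"])
        if parent is None:
            findings.append((pid, p["name"], "parent %d not in pslist" % p["ppid"]))
        elif parent["start"] and p["start"] and parent["start"] > p["start"]:
            findings.append((pid, p["name"], "parent %s (%d) started after child: PID reused"
                             % (parent["name"], p["ppid"])))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    for r in scan_only(procs, parse_psscan(PSSCAN)):
        print("psscan only: %s pid %d created %s" % (r["name"], r["pid"], r["start"]))
    for finding in parent_anomalies(procs):
        print("anomaly:", finding)
```

On the page's data this reports the services.exe with PID 684 created on 2012-11-23, a leftover from an earlier boot that only the scanner sees, and explorer.exe (284) whose parent PID 244 now belongs to mdd.exe, started almost four hours later: the original parent exited and its PID was recycled, which is normal here but is the same pattern a forged parent would show.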

Display the Security Identifiers (SIDs) associated with a process

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin getsids -p 556
Volatility Foundation Volatility Framework 2.6
ctfmon.exe (556): S-1-5-21-219294376-1976090562-3929857903-1107 (callb)
ctfmon.exe (556): S-1-5-21-219294376-1976090562-3929857903-513 (Domain Users)
ctfmon.exe (556): S-1-1-0 (Everyone)
ctfmon.exe (556): S-1-5-32-544 (Administrators)
ctfmon.exe (556): S-1-5-32-545 (Users)
ctfmon.exe (556): S-1-5-4 (Interactive)
ctfmon.exe (556): S-1-5-11 (Authenticated Users)
ctfmon.exe (556): S-1-5-5-0-49497 (Logon Session)
ctfmon.exe (556): S-1-2-0 (Local (Users with the ability to log in locally))

Command history

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin cmdscan
Volatility Foundation Volatility Framework 2.6

CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x4f4db0 Application: wc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x424

CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x11486f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x348
Cmd #0 @ 0x4f2f38: net use r: \\172.16.150.10\ITShare
Cmd #1 @ 0x4f1f68: cd\
Cmd #2 @ 0x4f32a0: copy r:\mdd.exe .
Cmd #3 @ 0x4f2720: dir
Cmd #4 @ 0x4f2e98: mdd.exe -o callb-memdump.bin
**************************************************
CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x1148c28 Application: mdd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x59c

Or

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin consoles
Volatility Foundation Volatility Framework 2.6

ConsoleProcess: csrss.exe Pid: 604
Console: 0x4f2398 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: mdd - 50.09% complete
AttachedProcess: mdd.exe Pid: 244 Handle: 0x59c
AttachedProcess: cmd.exe Pid: 1796 Handle: 0x348
----
CommandHistory: 0x1148c28 Application: mdd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x59c
----
CommandHistory: 0x1148a40 Application: net.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x11486f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x348
Cmd #0 at 0x4f2f38: net use r: \\172.16.150.10\ITShare
Cmd #1 at 0x4f1f68: cd\
Cmd #2 at 0x4f32a0: copy r:\mdd.exe .
Cmd #3 at 0x4f2720: dir
Cmd #4 at 0x4f2e98: mdd.exe -o callb-memdump.bin
----
Screen 0x4f2a50 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\callb>net use r: \\172.16.150.10\ITShare
The command completed successfully.


C:\Documents and Settings\callb>cd\

C:\>copy r:\mdd.exe .
        1 file(s) copied.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 1044-534A

 Directory of C:\

11/03/2012  09:50 AM                 0 AUTOEXEC.BAT
11/03/2012  09:50 AM                 0 CONFIG.SYS
11/03/2012  04:55 PM    <DIR>          Documents and Settings
11/26/2012  07:42 PM            95,104 mdd.exe
11/03/2012  04:50 PM    <DIR>          Program Files
11/26/2012  05:06 PM    <DIR>          WINDOWS
               3 File(s)         95,104 bytes
               3 Dir(s)   7,004,471,296 bytes free

C:\>mdd.exe -o callb-memdump.bin
 -> mdd
 -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance

 -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.

 -> Dumping 511.48 MB of physical memory to file 'callb-memdump.bin'.

ConsoleProcess: csrss.exe Pid: 604
Console: 0x4f3318 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\svchost.exe
Title: C:\WINDOWS\System32\svchost.exe
AttachedProcess: wc.exe Pid: 364 Handle: 0x424
----
CommandHistory: 0x4f4db0 Application: wc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x424
----
Screen 0x4f3a20 X:80 Y:25
Dump:
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security -
by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Display the DLLs

Here we use the "-p PID" option, which selects one process by its PID; without it we get every DLL of every process.

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dlllist -p 556
Volatility Foundation Volatility Framework 2.6
************************************************************************
ctfmon.exe pid:    556
Command line : "C:\WINDOWS\system32\ctfmon.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000     0x6000     0xffff C:\WINDOWS\system32\ctfmon.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x92000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll
0x74720000    0x4c000     0xffff C:\WINDOWS\system32\MSCTF.dll
0x5fc10000    0x33000     0xffff C:\WINDOWS\system32\MSUTB.dll
0x5cb70000    0x26000        0x1 C:\WINDOWS\system32\ShimEng.dll
0x6f880000   0x1ca000        0x1 C:\WINDOWS\AppPatch\AcGenral.DLL
0x76b40000    0x2d000        0x2 C:\WINDOWS\system32\WINMM.dll
0x774e0000   0x13d000        0x5 C:\WINDOWS\system32\ole32.dll
0x77120000    0x8b000        0x1 C:\WINDOWS\system32\OLEAUT32.dll
0x77be0000    0x15000        0x1 C:\WINDOWS\system32\MSACM32.dll
0x77c00000     0x8000        0x1 C:\WINDOWS\system32\VERSION.dll
0x7c9c0000   0x817000        0x1 C:\WINDOWS\system32\SHELL32.dll
0x77f60000    0x76000        0x5 C:\WINDOWS\system32\SHLWAPI.dll
0x769c0000    0xb4000        0x1 C:\WINDOWS\system32\USERENV.dll
0x5ad70000    0x38000        0x4 C:\WINDOWS\system32\UxTheme.dll
0x76390000    0x1d000        0x4 C:\WINDOWS\system32\IMM32.DLL
0x773d0000   0x103000        0x2 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x755c0000    0x2e000        0x2 C:\WINDOWS\system32\msctfime.ime

This also gives us the command line, and therefore the path of the executable.

Process privileges:

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin privs -p 556
Volatility Foundation Volatility Framework 2.6
Pid      Process          Value  Privilege                            Attributes               Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
     556 ctfmon.exe           23 SeChangeNotifyPrivilege              Present,Enabled,Default  Receive notifications of changes to files or directories
     556 ctfmon.exe            8 SeSecurityPrivilege                  Present                  Manage auditing and security log
     556 ctfmon.exe           17 SeBackupPrivilege                    Present                  Backup files and directories
     556 ctfmon.exe           18 SeRestorePrivilege                   Present                  Restore files and directories
     556 ctfmon.exe           12 SeSystemtimePrivilege                Present                  Change the system time
     556 ctfmon.exe           19 SeShutdownPrivilege                  Present                  Shut down the system
     556 ctfmon.exe           24 SeRemoteShutdownPrivilege            Present                  Force shutdown from a remote system
     556 ctfmon.exe            9 SeTakeOwnershipPrivilege             Present                  Take ownership of files/objects
     556 ctfmon.exe           20 SeDebugPrivilege                     Present                  Debug programs
     556 ctfmon.exe           22 SeSystemEnvironmentPrivilege         Present                  Edit firmware environment values
     556 ctfmon.exe           11 SeSystemProfilePrivilege             Present                  Profile system performance
     556 ctfmon.exe           13 SeProfileSingleProcessPrivilege      Present                  Profile a single process
     556 ctfmon.exe           14 SeIncreaseBasePriorityPrivilege      Present                  Increase scheduling priority
     556 ctfmon.exe           10 SeLoadDriverPrivilege                Present,Enabled          Load and unload device drivers
     556 ctfmon.exe           15 SeCreatePagefilePrivilege            Present                  Create a pagefile
     556 ctfmon.exe            5 SeIncreaseQuotaPrivilege             Present                  Increase quotas
     556 ctfmon.exe           25 SeUndockPrivilege                    Present,Enabled          Remove computer from docking station
     556 ctfmon.exe           28 SeManageVolumePrivilege              Present                  Manage the files on a volume
     556 ctfmon.exe           30 SeCreateGlobalPrivilege              Present,Enabled,Default  Create global objects
     556 ctfmon.exe           29 SeImpersonatePrivilege               Present,Enabled,Default  Impersonate a client after authentication

The --silent flag shows only the privileges that are Present and Enabled, nothing else; the --regex=REGEX flag filters the command's output on the Privilege field.
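The same two filters can be applied after the fact to saved privs output, which is handy when you have collected the full listing once and want to ask several questions of it. The script below is an added example, not code from the page or from the Volatility plugin: it parses a constructed subset of the rows above, implements --silent and --regex as the page describes them, and adds a third view an analyst usually wants, the privileges that are Enabled but not Default, i.e. the ones the process (or code running inside it) switched on itself rather than inheriting from the token.

```python
import re

# Constructed sample: a subset of the privs rows shown above, header lines kept.
PRIVS = """\
Pid      Process          Value  Privilege                            Attributes               Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
     556 ctfmon.exe           23 SeChangeNotifyPrivilege              Present,Enabled,Default  Receive notifications of changes to files or directories
     556 ctfmon.exe            8 SeSecurityPrivilege                  Present                  Manage auditing and security log
     556 ctfmon.exe           20 SeDebugPrivilege                     Present                  Debug programs
     556 ctfmon.exe           10 SeLoadDriverPrivilege                Present,Enabled          Load and unload device drivers
     556 ctfmon.exe           25 SeUndockPrivilege                    Present,Enabled          Remove computer from docking station
     556 ctfmon.exe           30 SeCreateGlobalPrivilege              Present,Enabled,Default  Create global objects
     556 ctfmon.exe           29 SeImpersonatePrivilege               Present,Enabled,Default  Impersonate a client after authentication
"""

ATTR = r"(?:Present|Enabled|Default)"
# pid process value privilege [attributes] description; attributes may be empty in real output
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(" + ATTR + "(?:," + ATTR + ")*)?\s*(.*)$")


def parse_privs(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        attrs = set(m.group(5).split(",")) if m.group(5) else set()
        rows.append({"pid": int(m.group(1)), "process": m.group(2), "value": int(m.group(3)),
                     "privilege": m.group(4), "attributes": attrs,
                     "description": m.group(6).strip()})
    return rows


def filter_privs(rows, silent=False, regex=None):
    """The plugin's switches as the page describes them: --silent keeps only rows that
    are Present and Enabled; --regex keeps rows whose Privilege field matches."""
    out = rows
    if silent:
        out = [r for r in out if {"Present", "Enabled"} <= r["attributes"]]
    if regex:
        pattern = re.compile(regex, re.IGNORECASE)
        out = [r for r in out if pattern.search(r["privilege"])]
    return out


def explicitly_enabled(rows):
    """Enabled but not Default: privileges turned on at run time rather than granted
    enabled by the token. These are the ones to explain in an investigation."""
    return [r for r in rows if "Enabled" in r["attributes"] and "Default" not in r["attributes"]]


if __name__ == "__main__":
    rows = parse_privs(PRIVS)
    for r in filter_privs(rows, silent=True, regex="driver|debug"):
        print("%s %s" % (r["privilege"], ",".join(sorted(r["attributes"]))))
    for r in explicitly_enabled(rows):
        print("explicitly enabled in %s (%d): %s" % (r["process"], r["pid"], r["privilege"]))
```

On the sample this singles out SeLoadDriverPrivilege and SeUndockPrivilege as explicitly enabled in ctfmon.exe; whether that is expected for the process is the question the listing raises, not one it answers.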

Environment variables

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin envars -p 556
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
     556 ctfmon.exe           0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
     556 ctfmon.exe           0x00010000 APPDATA                        C:\Documents and Settings\callb\Application Data
     556 ctfmon.exe           0x00010000 CLIENTNAME                     Console
     556 ctfmon.exe           0x00010000 CommonProgramFiles             C:\Program Files\Common Files
     556 ctfmon.exe           0x00010000 COMPUTERNAME                   ENG-USTXHOU-148
     556 ctfmon.exe           0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
     556 ctfmon.exe           0x00010000 FP_NO_HOST_CHECK               NO
     556 ctfmon.exe           0x00010000 HOMEDRIVE                      C:
     556 ctfmon.exe           0x00010000 HOMEPATH                       \Documents and Settings\callb
     556 ctfmon.exe           0x00010000 LOGONSERVER                    \\DC-USTXHOU
     556 ctfmon.exe           0x00010000 NUMBER_OF_PROCESSORS           1
     556 ctfmon.exe           0x00010000 OS                             Windows_NT
     556 ctfmon.exe           0x00010000 Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
     556 ctfmon.exe           0x00010000 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
     556 ctfmon.exe           0x00010000 PROCESSOR_ARCHITECTURE         x86
     556 ctfmon.exe           0x00010000 PROCESSOR_IDENTIFIER           x86 Family 15 Model 2 Stepping 8, GenuineIntel
     556 ctfmon.exe           0x00010000 PROCESSOR_LEVEL                15
     556 ctfmon.exe           0x00010000 PROCESSOR_REVISION             0208
     556 ctfmon.exe           0x00010000 ProgramFiles                   C:\Program Files
     556 ctfmon.exe           0x00010000 SESSIONNAME                    Console
     556 ctfmon.exe           0x00010000 SystemDrive                    C:
     556 ctfmon.exe           0x00010000 SystemRoot                     C:\WINDOWS
     556 ctfmon.exe           0x00010000 TEMP                           C:\DOCUME~1\callb\LOCALS~1\Temp
     556 ctfmon.exe           0x00010000 TMP                            C:\DOCUME~1\callb\LOCALS~1\Temp
     556 ctfmon.exe           0x00010000 USERDNSDOMAIN                  PETRO-MARKET.ORG
     556 ctfmon.exe           0x00010000 USERDOMAIN                     PETRO-MARKET
     556 ctfmon.exe           0x00010000 USERNAME                       callb
     556 ctfmon.exe           0x00010000 USERPROFILE                    C:\Documents and Settings\callb
     556 ctfmon.exe           0x00010000 windir                         C:\WINDOWS

PE information

Display the version information embedded in PE files. Not every PE file carries such information, and malware authors often forge it.

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin verinfo
\SystemRoot\System32\smss.exe
C:\WINDOWS\system32\ntdll.dll
\??\C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\CSRSRV.dll
C:\WINDOWS\system32\basesrv.dll
C:\WINDOWS\system32\winsrv.dll
  File version    : 5.1.2600.5512
  Product version : 5.1.2600.5512
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Windows Server DLL
  FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
  InternalName : winsrv
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : winsrv.dll
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.5512
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\KERNEL32.dll
C:\WINDOWS\system32\USER32.dll
  File version    : 5.1.2600.5512
  Product version : 5.1.2600.5512
  Flags           :
  OS              : Windows NT
  File Type       : Dynamic Link Library
  File Date       :
  CompanyName : Microsoft Corporation
  FileDescription : Windows XP USER API Client DLL
  FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
  InternalName : user32
  LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
  OriginalFilename : user32
  ProductName : Microsoft\xae Windows\xae Operating System
  ProductVersion : 5.1.2600.5512
--SNiP--

Dumping a DLL

You first have to create, or point at, a directory into which the dump(s) will be written.

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dlldump -p 556 -r SHELL32.dll -D dump
Volatility Foundation Volatility Framework 2.6
Process(V) Name                 Module Base Module Name          Result
---------- -------------------- ----------- -------------------- ------
0x822408d0 ctfmon.exe           0x07c9c0000 SHELL32.dll          OK: module.556.22408d0.7c9c0000.dll

Here the dump was limited to process 556 and to the DLL SHELL32.dll.
The output file follows a specific naming scheme: module.PID.ProcessOffset.ModuleBase.dll
The process offset is the one shown in the pslist output at the beginning (the Offset(V) column).
The DLL's content is not readable as-is, except with strings.
Some DLLs may come back with the message "Error: DllBase is paged": the DLL is no longer in memory.
It might still be recoverable with vaddump.

The open handles of a process

Here we filter on the PID to limit the command's output.

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin handles -p 556
Volatility Foundation Volatility Framework 2.6
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0xe10096e0    556        0x4    0xf0003 KeyedEvent       CritSecOutOfMemoryEvent
0xe145e278    556        0x8        0x3 Directory        KnownDlls
0x821cff90    556        0xc   0x100020 File             \Device\HarddiskVolume1\Documents and Settings\callb
0x82237420    556       0x10   0x100003 Semaphore
0xe145d4e8    556       0x14    0xf000f Directory        Windows
0xe1696638    556       0x18  0x21f0001 Port
0x82237488    556       0x1c   0x100003 Semaphore
0xe1562748    556       0x20    0x2000f Directory        BaseNamedObjects
0x821d5aa0    556       0x24   0x1f0001 Mutant           SHIMLIB_LOG_MUTEX
0xe1a374f0    556       0x28  0x20f003f Key              MACHINE
0x82185df8    556       0x2c    0xf037f WindowStation    WinSta0
0x821f33e0    556       0x30  0x21f0003 Event
0x822d6298    556       0x34    0xf01ff Desktop          Default
0x82185df8    556       0x38    0xf037f WindowStation    WinSta0
0xe197c040    556       0x3c    0xf0007 Section          CiceroSharedMemDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821df9f8    556       0x40   0x1f0001 Mutant           CTF.LBES.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x8218e0f0    556       0x44   0x1f0001 Mutant           CTF.Compart.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x822df480    556       0x48   0x1f0001 Mutant           CTF.Asm.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x82202370    556       0x4c   0x1f0001 Mutant           CTF.Layouts.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x82202320    556       0x50   0x1f0001 Mutant           CTF.TMD.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1a8d250    556       0x54  0x20f003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107
0x821cc5a0    556       0x58   0x1f0003 Event
0x822373b8    556       0x5c   0x100003 Semaphore
0x82235be0    556       0x60   0x100003 Semaphore
0xe1a9bb50    556       0x64    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0x82384568    556       0x68   0x100001 File             \Device\KsecDD
0x821dfb08    556       0x6c   0x1f0003 Event
0x82075840    556       0x70   0x1f0003 Event
0xe1a54818    556       0x74    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0x8225e2f0    556       0x78   0x1f0003 Semaphore        shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
0x821a5590    556       0x7c   0x1f0003 Event            userenv: User Profile setup event
0x82203840    556       0x80   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512x-ww_35d4ce83
0x820bc5e0    556       0x84   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512x-ww_35d4ce83
0xe1ab6718    556       0x88   0x1f0001 Port
0x82292440    556       0x8c   0x1f0001 Mutant           CtfmonInstMutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1757d48    556       0x90        0x4 Section
0x822cc7a8    556       0x94   0x1f0001 Mutant           CTF.TimListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107MUTEX.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1a34040    556       0x98    0xf0007 Section          CTF.TimListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107SFM.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821b0b60    556       0x9c   0x1f0001 Mutant           MSCTF.GCompartListMUTEX.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe199fed0    556       0xa0    0xf0007 Section          MSCTF.GCompartListSFM.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821f0618    556       0xa4   0x1f0003 Event
0xe1a82e40    556       0xa8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT\TOGGLE
0xe124b510    556       0xac    0xf0007 Section          CTF.AsmListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821f05e8    556       0xb0   0x1f0003 Event
0xe1a601f8    556       0xb4    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\CTF\TIP
0xe19b2d68    556       0xb8    0xf003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM
0xe1ab1d20    556       0xbc    0xf003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
0xe1ab4250    556       0xc0  0x20f003f Key              USER
0x821f05b8    556       0xc4   0x1f0003 Event
0xe1a9a458    556       0xc8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT\PRELOAD
0x821f0588    556       0xcc   0x1f0003 Event
0xe1a88ba0    556       0xd0    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
0x821f0520    556       0xd4   0x1f0003 Event
0xe12c05d8    556       0xd8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\CTF\TIP
0x821af5d8    556       0xdc   0x1f0003 Event
0xe194a020    556       0xe0    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\SPEECH
0x821af570    556       0xe4   0x1f0003 Event
0xe1aa5d98    556       0xe8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\APPEARANCE
0x821cdcd8    556       0xec   0x1f0003 Event
0xe194a0d8    556       0xf0    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\COLORS
0x821cdc70    556       0xf4   0x1f0003 Event
0xe1ac0340    556       0xf8    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\DESKTOP\WINDOWMETRICS
0x821cdc08    556       0xfc   0x1f0003 Event
0xe1bcb020    556      0x100    0x20019 Key              MACHINE\SOFTWARE\MICROSOFT\SPEECH
0x821cdbd8    556      0x104   0x1f0003 Event
0xe1bc94b8    556      0x108    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT
0x82384690    556      0x10c   0x1f0003 Event
0xe1bcb0b8    556      0x110    0x20019 Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\CTF\ASSEMBLIES
0x8218ddd0    556      0x114   0x120001 Mutant           ShimCacheMutex
0x82229c80    556      0x118   0x1f0003 Event
0xe15d0918    556      0x11c        0x2 Section          ShimSharedMemory
0x8224d230    556      0x120   0x1f0003 Event
0x8207f1e0    556      0x124   0x1f0003 Event
0xe1a3a0d0    556      0x128  0x20f003f Key              USER\S-1-5-21-219294376-1976090562-3929857903-1107_CLASSES
0x8218a680    556      0x12c   0x100000 Event            WinSta0_DesktopSwitch

Network connections

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin connections
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8201f850 172.16.150.20:1292        172.16.150.10:445         4

or

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696
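Unlike connections, connscan carves connection objects out of physical memory, so it also returns terminated connections, the same connection at two physical offsets, and the occasional false positive such as the 0.0.0.0:0 to 1.0.0.0:0 row above with an implausible PID. The script below is an added example, not part of the original page: it parses connscan output (a constructed excerpt of the listing above), drops implausible rows, removes duplicates and flags peers outside private or loopback ranges so an analyst can go straight to the PIDs worth pivoting on.

```python
import ipaddress
import re

# Constructed sample input: a subset of the connscan output shown above.
CONNSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
"""

# One data row: physical offset, local ip:port, remote ip:port, pid.
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")

# Heuristic cut-off: Windows PIDs are small integers; huge values come from
# carving stale or overwritten memory rather than from a real process.
MAX_PID = 65535


def parse_connscan(text):
    """Yield one dict per data row of connscan output; banner/header lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        yield {
            "offset": int(m.group(1), 16),
            "local": (m.group(2), int(m.group(3))),
            "remote": (m.group(4), int(m.group(5))),
            "pid": int(m.group(6)),
        }


def is_plausible(row):
    """Reject rows that cannot describe a live TCP connection."""
    if row["pid"] == 0 or row["pid"] > MAX_PID:
        return False
    if row["local"][1] == 0 or row["remote"][1] == 0:
        return False
    try:
        ipaddress.ip_address(row["local"][0])
        ipaddress.ip_address(row["remote"][0])
    except ValueError:
        return False
    return True


def triage(text):
    """Return unique plausible connections, each tagged external=True when the
    peer is neither RFC1918/private nor loopback. The first physical offset
    seen for a (local, remote, pid) tuple is kept."""
    seen = {}
    for row in parse_connscan(text):
        if not is_plausible(row):
            continue
        key = (row["local"], row["remote"], row["pid"])
        if key in seen:
            continue
        peer = ipaddress.ip_address(row["remote"][0])
        seen[key] = dict(row, external=not (peer.is_private or peer.is_loopback))
    return list(seen.values())


def external_connections(text):
    """(pid, 'ip:port') pairs for every connection that leaves the private network."""
    return [(r["pid"], "%s:%d" % r["remote"]) for r in triage(text) if r["external"]]


if __name__ == "__main__":
    for pid, peer in external_connections(CONNSCAN_OUTPUT):
        print("PID %d talks to %s" % (pid, peer))
```

On the page's listing this singles out PID 1024 talking to 58.64.132.141:80, which is the process to look at next with pslist or dlllist.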

Sockets

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x8207f298        4      0     47 GRE             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x82041878        4   1065      6 TCP             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x821afc70      692    500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x82195e98        4    137     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x82196d00        4    445      6 TCP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x821a2e98      940    135      6 TCP             0.0.0.0         2012-11-26 22:03:32 UTC+0000
0x8204d008     1024   1291      6 TCP             0.0.0.0         2012-11-27 01:56:30 UTC+0000
0x8219ec08        4    138     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x821cf008      692      0    255 Reserved        0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x821d4e98     1024    123     17 UDP             127.0.0.1       2012-11-26 22:03:35 UTC+0000
0x82082458     1068   1025     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x821c28e0     1024    123     17 UDP             172.16.150.20   2012-11-26 22:03:35 UTC+0000
0x82276228        4   1292      6 TCP             0.0.0.0         2012-11-27 01:56:50 UTC+0000
0x82095d50     1068   1026     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x8223d840     1116   1900     17 UDP             127.0.0.1       2012-11-26 22:04:04 UTC+0000
0x821cfd08      692   4500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x822e2760     1116   1900     17 UDP             172.16.150.20   2012-11-26 22:04:04 UTC+0000
0x821976e8        4    445     17 UDP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x8222cd00        4    139      6 TCP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x820382f8     1888   1035      6 TCP             127.0.0.1       2012-11-26 22:03:35 UTC+0000
0x821d1d10      628   1040     17 UDP             127.0.0.1       2012-11-26 22:03:36 UTC+0000

or

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin sockscan
Volatility Foundation Volatility Framework 2.6
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01f60870        4   2947      6 TCP             172.16.150.20   2012-11-26 20:01:26 UTC+0000
0x02002880      692   1262      6 TCP             0.0.0.0         2012-11-27 01:31:16 UTC+0000
0x0201db78      512   1155      6 TCP             0.0.0.0         2012-11-26 23:11:32 UTC+0000
0x02022e98     1024   1290      6 TCP             0.0.0.0         2012-11-27 01:54:03 UTC+0000
0x02023880        4   1282      6 TCP             0.0.0.0         2012-11-27 01:45:26 UTC+0000
0x020382f8     1888   1035      6 TCP             127.0.0.1       2012-11-26 22:03:35 UTC+0000
0x02041878        4   1065      6 TCP             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x0204d008     1024   1291      6 TCP             0.0.0.0         2012-11-27 01:56:30 UTC+0000
0x0207b880      692   1032      6 TCP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x0207f298        4      0     47 GRE             0.0.0.0         2012-11-26 22:04:05 UTC+0000
0x02082458     1068   1025     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x02095d50     1068   1026     17 UDP             0.0.0.0         2012-11-26 22:03:34 UTC+0000
0x0211ae00     1088   1025     17 UDP             0.0.0.0         2012-11-23 16:48:10 UTC+0000
0x0211f390      696   4500     17 UDP             0.0.0.0         2012-11-23 16:48:10 UTC+0000
0x0213cb68      696      0    255 Reserved        0.0.0.0         2012-11-23 16:48:10 UTC+0000
0x02195e98        4    137     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x02196d00        4    445      6 TCP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x021976e8        4    445     17 UDP             0.0.0.0         2012-11-26 22:03:27 UTC+0000
0x0219ec08        4    138     17 UDP             172.16.150.20   2012-11-26 22:03:28 UTC+0000
0x021a2e98      940    135      6 TCP             0.0.0.0         2012-11-26 22:03:32 UTC+0000
0x021afc70      692    500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x021c28e0     1024    123     17 UDP             172.16.150.20   2012-11-26 22:03:35 UTC+0000
0x021cf008      692      0    255 Reserved        0.0.0.0         2012-11-26 22:03:35 UTC+0000
0x021cfd08      692   4500     17 UDP             0.0.0.0         2012-11-26 22:03:35 UTC+0000
--SNiP--

Registry: locating the hives in virtual memory

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1903008 0x08892008 \Device\HarddiskVolume1\Documents and Settings\callb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1968720 0x0c516720 \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
0xe183b008 0x078cd008 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1837b60 0x07917b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe169c008 0x06f55008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe16ab008 0x07126008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1460b60 0x05ab9b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1467b60 0x05bb2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1461008 0x05a6c008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1451758 0x057f3758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1345b60 0x02a4bb60 [no name]
0xe1035b60 0x02739b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02733008 [no name]

Registry: listing the keys of the SAM hive

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hivedump -o 0xe1461008
Volatility Foundation Volatility Framework 2.6
Last Written         Key
2012-11-03 09:35:47 UTC+0000 \SAM
2012-11-03 09:35:47 UTC+0000 \SAM\SAM
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains
2012-11-26 19:32:35 UTC+0000 \SAM\SAM\Domains\Account
2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\000003E9
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1390067357-920026266-725345543
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000003EA
2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names
2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names\HelpServicesGroup
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Groups\00000201
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names\None
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users
2012-11-03 20:27:30 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F4
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F5
2012-11-03 15:48:33 UTC+0000 \SAM\SAM\Domains\Account\Users\000003E8
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EA
2012-11-26 19:32:35 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EC
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\Administrator
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\Guest
2012-11-03 15:48:33 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\HelpAssistant
2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\SUPPORT_388945a0
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\sysbackup
2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases
2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000220
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000221
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000222
2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000223
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000227
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000228
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\0000022B
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\0000022C
2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members
2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5
2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\00000004
2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\0000000B
2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000001F4
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000001F5
2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000003EC
2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903
2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000200
2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000201
2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000453
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Administrators
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Backup Operators
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Guests
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Network Configuration Operators
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Power Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Remote Desktop Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Replicator
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Groups
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Groups\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Users
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Users\Names
2012-11-03 09:35:47 UTC+0000 \SAM\SAM\RXACT

User and group names are visible here.

A registry key

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey -K "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
Key name: Internet Settings (S)
Last updated: 2012-11-24 18:20:49 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Lockdown_Zones
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 8.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 1
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0
REG_SZ        EmailName       : (S) IEUser@
REG_SZ        AutoConfigProxy : (S) wininet.dll
REG_SZ        MimeExclusionListForCache : (S) multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
REG_BINARY    WarnOnPost      : (S)
0x00000000  01 00 00 00                                       ....
REG_BINARY    UseSchannelDirectly : (S)
0x00000000  01 00 00 00                                       ....
REG_DWORD     EnableHttp1_1   : (S) 1
REG_DWORD     PrivacyAdvanced : (S) 0
REG_DWORD     UrlEncoding     : (S) 0
REG_DWORD     SecureProtocols : (S) 160
REG_DWORD     PrivDiscUiShown : (S) 1
REG_BINARY    ZonesSecurityUpgrade : (S)
0x00000000  90 98 08 d8 9f c9 cd 01                           ........
REG_DWORD     DisableCachingOfSSLPages : (S) 0
REG_DWORD     WarnonZoneCrossing : (S) 0
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Internet Settings (S)
Last updated: 2012-11-03 15:53:16 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 0
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Internet Settings (S)
Last updated: 2012-11-03 15:49:42 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 0
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Internet Settings (S)
Last updated: 2012-11-03 15:53:16 UTC+0000

Subkeys:
  (S) 5.0
  (S) Cache
  (S) Connections
  (S) Passport
  (S) ZoneMap
  (S) Zones

Values:
REG_SZ        User Agent      : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
REG_SZ        IE5_UA_Backup_Flag : (S) 5.0
REG_DWORD     NoNetAutodial   : (S) 0
REG_DWORD     MigrateProxy    : (S) 0
REG_DWORD     EnableNegotiate : (S) 1
REG_DWORD     ProxyEnable     : (S) 0

or via a hive offset (here 0xe1460b60, which hivelist reported for \Device\HarddiskVolume1\WINDOWS\system32\config\software)

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: $$$PROTO.HIV (S)
Last updated: 2012-11-03 15:56:53 UTC+0000

Subkeys:
  (S) C07ft5Y
  (S) Classes
  (S) Clients
  (S) Gemplus
  (S) Microsoft
  (S) ODBC
  (S) Policies
  (S) Program Groups
  (S) Schlumberger
  (S) Secure
  (S) Windows 3.1 Migration Status

Values:

Let's look at the contents of the Clients subkey

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60 --key Clients
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Clients (S)
Last updated: 2012-11-03 15:50:15 UTC+0000

Subkeys:
  (S) Contacts
  (S) IM
  (S) Internet Call
  (S) JavaVM
  (S) Mail
  (S) Media
  (S) News
  (S) StartMenuInternet

Values:

And by drilling down the same way, a value can be read from a nested subkey:

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60 --key "Clients\Contacts\Address Book\shell\open\command"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: command (S)
Last updated: 2012-11-03 15:50:15 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) "C:\Program Files\Outlook Express\wab.exe" /showexisting

Note:
With printkey you can also list the programs that are launched at logon, by querying:

  • Software\Microsoft\Windows\CurrentVersion\Run
  • Software\Microsoft\Windows\CurrentVersion\RunOnce

Extracting the account password hashes stored in the registry

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:42dbf333659cabcd0b546a25124a5476:dfd19a421051e8329e0c7b5aa7fe7dbe:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:5168fdd9d699311c78acabde3c849622:::
sysbackup:1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::

Usernames and passwords are stored as hashes in the registry.
Brute force or rainbow tables would be needed to crack these hashes.
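Each hashdump line uses the pwdump layout user:RID:LM hash:NT hash:::, and the two hash values already say something before any cracking question arises: the well-known empty-LM value aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account (NoLMHash policy or a password longer than 14 characters), and the well-known empty-NT value 31d6cfe0d16ae931b73c59d7e0c089c0 means the password is blank. The script below is an added example, not part of the original page: it parses the hashdump output above (embedded as constructed input) and reports those conditions per account.

```python
import re

# Well-known hashes of the empty string; the LM one is also what Windows
# stores when no LM hash is kept at all.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input: the hashdump output shown above.
HASHDUMP_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:42dbf333659cabcd0b546a25124a5476:dfd19a421051e8329e0c7b5aa7fe7dbe:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:5168fdd9d699311c78acabde3c849622:::
sysbackup:1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
"""

# user:rid:lm:nt::: (pwdump format as emitted by the hashdump plugin)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_hashdump(text):
    """Parse pwdump lines into dicts; the banner and any malformed line are skipped."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        accounts.append({
            "user": m.group(1),
            "rid": int(m.group(2)),
            "lm": m.group(3).lower(),
            "nt": m.group(4).lower(),
        })
    return accounts


def assess(account):
    """Findings for one account, derived only from the RID and the two hash values."""
    findings = []
    if account["nt"] == EMPTY_NT:
        findings.append("blank password")
    if account["lm"] != EMPTY_LM:
        # An LM hash is present: the password is at most 14 characters and was
        # set while LM hashing was still enabled, so it is cheap to attack.
        findings.append("LM hash stored")
    if account["rid"] == 500:
        findings.append("built-in Administrator (RID 500)")
    return findings


def lm_hashing_enabled(accounts):
    """True if any account still carries an LM hash, i.e. NoLMHash was not enforced."""
    return any(a["lm"] != EMPTY_LM for a in accounts)


def triage_hashdump(text):
    """Map each user name to its findings for a whole hashdump listing."""
    return {a["user"]: assess(a) for a in parse_hashdump(text)}


if __name__ == "__main__":
    for user, findings in triage_hashdump(HASHDUMP_OUTPUT).items():
        print("%-18s %s" % (user, ", ".join(findings) or "-"))
    print("LM hashing in use:", lm_hashing_enabled(parse_hashdump(HASHDUMP_OUTPUT)))
```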

Dumping the LSA secrets

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin lsadump
Volatility Foundation Volatility Framework 2.6
_SC_Alerter

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0x00000000  54 00 6b 00 24 00 37 00 43 00 6c 00 75 00 58 00   T.k.$.7.C.l.u.X.
0x00000010  47 00 7a 00 57 00 56 00 4b 00 30 00 00 00         G.z.W.V.K.0...

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0x00000000  01 05 00 00 00 00 00 05 15 00 00 00 9d be da 52   ...............R
0x00000010  9a 7c d6 36 07 e5 3b 2b e8 03 00 00               .|.6..;+....

_SC_WebClient

20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT

_SC_SSDPSRV

DPAPI_SYSTEM
0x00000000  01 00 00 00 41 fb ae d7 f4 40 54 e3 ce be c5 dd   ....A....@T.....
0x00000010  95 3d 8d b4 22 54 e8 eb db 20 d0 d5 c2 93 1f 58   .=.."T.........X
0x00000020  71 e1 ff 6f 6d cb a0 2f f6 16 0a 15               q..om../....

_SC_MSDTC

SAC
0x00000000  02 00 00 00                                       ....

L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75
0x00000000  52 53 41 32 48 00 00 00 00 02 00 00 3f 00 00 00   RSA2H.......?...
0x00000010  01 00 01 00 8b 5d 4b f9 38 ab 8c 9e b0 8b 69 1b   .....]K.8.....i.
0x00000020  98 10 60 ae 35 e2 c8 71 cb d9 43 e4 0d 65 07 8d   ..`.5..q..C..e..
0x00000030  6d 19 d8 a2 87 c1 e0 4e 28 41 4d d5 0b ce 68 22   m......N(AM...h"
0x00000040  be 9e 91 93 0b fc 00 57 fa 31 16 6b 20 62 d7 6a   .......W.1.k.b.j
0x00000050  7a 87 67 bc 00 00 00 00 00 00 00 00 53 6d 42 38   z.g.........SmB8
0x00000060  8e fb f4 de ab 93 74 d9 a1 e8 ad de f5 7c 5b f6   ......t......|[.
0x00000070  df b7 20 db ae bd 3d b8 38 02 50 f6 00 00 00 00   ......=.8.P.....
0x00000080  e9 0f 1a 62 31 70 70 90 e0 71 b8 58 3c 9f 81 a0   ...b1pp..q.X<...
0x00000090  1f e6 ff 85 02 87 94 d2 51 0c 8d 31 5f 79 d0 c3   ........Q..1_y..
0x000000a0  00 00 00 00 3f 35 da 1c 5a 35 15 cc 59 75 48 19   ....?5..Z5..YuH.
0x000000b0  d6 1e c2 ae 7e 4b c6 a0 44 df a8 25 0b 73 f1 ed   ....~K..D..%.s..
0x000000c0  e8 c8 e8 b4 00 00 00 00 b9 b3 37 67 47 32 ad 30   ..........7gG2.0
0x000000d0  f6 f5 38 3a c2 ed a5 92 e6 59 2f 32 77 76 20 f2   ..8:.....Y/2wv..
0x000000e0  73 e5 83 6a 6c 42 c1 2c 00 00 00 00 ac 9d ed cc   s..jlB.,........
0x000000f0  c0 db b8 5c 8e e9 57 fb c7 90 58 aa a5 64 3b c5   ...\..W...X..d;.
0x00000100  74 ab 5c e9 31 94 eb 91 04 47 03 98 00 00 00 00   t.\.1....G......
0x00000110  91 8f 2a ac 34 76 56 66 11 ab 8a 56 89 24 48 1b   ..*.4vVf...V.$H.
0x00000120  8f bd d2 dd 3e e1 4a 73 bd 85 7f e5 16 fc b0 88   ....>.Js........
0x00000130  ae 76 4b 4e 43 0b e3 2c 45 6a ee 3b 95 77 89 a7   .vKNC..,Ej.;.w..
0x00000140  a3 fd 4f b1 0f f8 d9 57 d7 25 c8 3f 54 ac bb 44   ..O....W.%.?T..D
0x00000150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170  00 00 00 00 00 00 00 00 00 00 00 00               ............

$MACHINE.ACC
0x00000000  2b 00 41 00 3b 00 64 00 68 00 7a 00 6a 00 25 00   +.A.;.d.h.z.j.%.
0x00000010  6f 00 3c 00 38 00 78 00 70 00 44 00 40 00 2c 00   o.<.8.x.p.D.@.,.
0x00000020  70 00 35 00 76 00 29 00 43 00 3a 00 70 00 32 00   p.5.v.).C.:.p.2.
0x00000030  25 00 3f 00 31 00 4e 00 6b 00 78 00 26 00 35 00   %.?.1.N.k.x.&.5.
0x00000040  4f 00 55 00 21 00 63 00 5b 00 77 00 74 00 35 00   O.U.!.c.[.w.t.5.
0x00000050  42 00 67 00 56 00 27 00 72 00 34 00 70 00 37 00   B.g.V.'.r.4.p.7.
0x00000060  2f 00 6c 00 57 00 63 00 5b 00 60 00 58 00 57 00   /.l.W.c.[.`.X.W.
0x00000070  50 00 70 00 4e 00 2f 00 2e 00 64 00 24 00 49 00   P.p.N./...d.$.I.
0x00000080  2e 00 55 00 62 00 63 00 2d 00 37 00 63 00 20 00   ..U.b.c.-.7.c...
0x00000090  24 00 2d 00 61 00 70 00 28 00 40 00 3f 00 49 00   $.-.a.p.(.@.?.I.
0x000000a0  37 00 53 00 36 00 53 00 44 00 28 00 55 00 2d 00   7.S.6.S.D.(.U.-.
0x000000b0  7a 00 62 00 64 00 51 00 48 00 67 00 54 00 32 00   z.b.d.Q.H.g.T.2.
0x000000c0  26 00 20 00 75 00 5c 00 72 00 67 00 6b 00 28 00   &...u.\.r.g.k.(.
0x000000d0  67 00 61 00 3f 00 79 00 2b 00 47 00 47 00 45 00   g.a.?.y.+.G.G.E.
0x000000e0  2a 00 45 00 5f 00 30 00 2f 00 32 00 51 00 73 00   *.E._.0./.2.Q.s.

_SC_Dnscache

_SC_LmHosts

_SC_ALG

_SC_RpcLocator

_SC_upnphost

G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}
0x00000000  93 19 18 48 e4 9c 0b 46 90 79 b2 e2 60 03 d7 79   ...H...F.y..`..y

L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
0x00000000  80 96 f2 dc 27 18 ce 01                           ....'...

DefaultPassword

NL$KM
0x00000000  b5 17 53 78 5f bb f3 0b fe ab 2e 43 5f 0a b6 8d   ..Sx_......C_...
0x00000010  fd 9d 1f df 6b 9b 67 a6 51 81 ba a0 77 f9 5f f1   ....k.g.Q...w._.
0x00000020  dc cc f9 3c 80 15 8c 16 44 cc 0f 74 c1 7f 8e e4   ...<....D..t....
0x00000030  b6 70 09 d6 af 31 e2 ed b6 c3 02 21 6d 0e c3 8c   .p...1.....!m...

L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
0x00000000  ff 62 37 13 60 5a 8b 2b 4f 0e 28 c4 d8 97 be 54   .b7.`Z.+O.(....T
0x00000010  0e 90 24 1a 4c 91 8d 8a 6d 6b 69 71 53 7e d4 f8   ..$.L...mkiqS~..
0x00000020  b5 95 03 47 4b e3 27 9c 0a 9b 1f ed 9b 51 ed 7c   ...GK.'......Q.|
0x00000030  76 ec 2b 5f 03 5e aa 5a                           v.+_.^.Z

SAI
0x00000000  02 00 00 00                                       ....

Examples of interesting information:

  • $MACHINE.ACC: has to do with domain authentication, see KB175468
  • DefaultPassword: password used to logon to Windows if auto-logon is enabled
  • NL$KM: secret key used to encrypt cached domain passwords
  • L$RTMTIMEBOMB_[...]: FILETIME giving the date when an unactivated copy of Windows will stop working

Decrypt LSA Secrets.
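Two of the secrets above are binary structures that lsadump only hexdumps. The script below is an added example, not part of the original page: it re-parses the hexdump lines (a constructed excerpt copied from the output above) and decodes L$RTMTIMEBOMB_... as a Windows FILETIME and ...RemoteDesktopHelpAssistantSID as a binary SID. The decoded SID prefix should match the machine SID seen under \SAM\SAM\Domains\Builtin\Aliases\Members in the hivedump output, and its last component should be the RID of the HelpAssistant user key 000003E8.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample input: two secrets copied from the lsadump output above.
LSADUMP_EXCERPT = """\
0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0x00000000  01 05 00 00 00 00 00 05 15 00 00 00 9d be da 52   ...............R
0x00000010  9a 7c d6 36 07 e5 3b 2b e8 03 00 00               .|.6..;+....

L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
0x00000000  80 96 f2 dc 27 18 ce 01                           ....'...
"""

SID_SECRET = "0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID"
TIMEBOMB_SECRET = "L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588"

# A hexdump row: 8-digit offset, then up to 16 "xx " byte pairs; the ASCII
# column that follows is separated by several spaces and is never captured.
HEXLINE_RE = re.compile(r"^0x[0-9a-f]{8}\s+((?:[0-9a-f]{2} ){1,16})", re.I)


def parse_lsadump(text):
    """Return {secret_name: bytes} from Volatility lsadump output.
    A non-hex, non-empty line names the next secret; secrets with no data map to b''."""
    secrets, name = {}, None
    for line in text.splitlines():
        m = HEXLINE_RE.match(line)
        if m and name is not None:
            secrets[name] = secrets.get(name, b"") + bytes.fromhex(m.group(1))
        elif line.strip() and not line.startswith("0x"):
            name = line.strip()
            secrets.setdefault(name, b"")
    return secrets


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", raw[:8])
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def sid_to_string(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then `count` little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def decode_secrets(text):
    """Decode the two structured secrets and return (sid_string, timebomb_datetime)."""
    secrets = parse_lsadump(text)
    sid = sid_to_string(secrets[SID_SECRET])
    timebomb = filetime_to_datetime(secrets[TIMEBOMB_SECRET])
    return sid, timebomb


if __name__ == "__main__":
    sid, timebomb = decode_secrets(LSADUMP_EXCERPT)
    print("HelpAssistant SID :", sid)
    print("RTM timebomb date :", timebomb.isoformat())
```

The same parse_lsadump helper can be pointed at the full lsadump output; secrets such as $MACHINE.ACC and DefaultPassword then come back as raw bytes for whatever decoding the investigation calls for.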

Cached credentials

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin cachedump
Volatility Foundation Volatility Framework 2.6
administrator:00c2bcc2230054581d3551a9fdcf4893:petro-market:petro-market.org
callb:178526e1cb2fdfc36d764595f1ddd0f7:petro-market:petro-market.org

Shellbags

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin shellbags
Volatility Foundation Volatility Framework 2.6
Scanning for registries....
Gathering shellbag items and building path tree...

Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU
Last updated: 2012-11-24 18:12:40 UTC+0000
Value   Mru   Entry Type     GUID                                     GUID Description     Folder IDs
------- ----- -------------- ---------------------------------------- -------------------- ----------
0       0     Folder Entry   20d04fe0-3aea-1069-a2d8-08002b30309d     My Computer          EXPLORER, MY_COMPUTER


Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0
Last updated: 2012-11-24 18:12:40 UTC+0000
Value   Mru   Entry Type     Path
------- ----- -------------- ----
0       1     Volume Name    Z:\

Shellbags: folders/files accessed recently through Explorer.
Korben Shellbags.

User activity

$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin userassist
Volatility Foundation Volatility Framework 2.6
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Last updated: 2012-11-24 18:12:53 UTC+0000

Subkeys:

Values:

REG_BINARY    UEME_CTLSESSION : Raw Data:
0x00000000  7a 53 6e 0e 03 00 00 00                           zSn.....
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Last updated: 2012-11-27 01:56:21 UTC+0000

Subkeys:

Values:

REG_BINARY    UEME_CTLSESSION : Raw Data:
0x00000000  93 60 6e 0e 03 00 00 00                           .`n.....

REG_BINARY    UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk :
ID:             1
Count:          14
Last updated:   2012-11-03 22:53:49 UTC+0000
Raw Data:
0x00000000  01 00 00 00 13 00 00 00 00 f7 81 16 16 ba cd 01   ................

REG_BINARY    UEME_RUNPIDL:%csidl2%\MSN Explorer.lnk :
ID:             1
Count:          13
Last updated:   2012-11-03 22:53:49 UTC+0000
Raw Data:
0x00000000  01 00 00 00 12 00 00 00 00 f7 81 16 16 ba cd 01   ................

REG_BINARY    UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk :
ID:             1
Count:          12
Last updated:   2012-11-03 22:53:49 UTC+0000
Raw Data:
0x00000000  01 00 00 00 11 00 00 00 00 f7 81 16 16 ba cd 01   ................

Dumping the registry hives to disk

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dumpregistry -D dump
Volatility Foundation Volatility Framework 2.6

Writing out registry: registry.0xe1968720.NTUSERDAT.reg

Writing out registry: registry.0xe1837b60.NTUSERDAT.reg

Writing out registry: registry.0xe1467b60.default.reg

Writing out registry: registry.0xe102e008.no_name.reg

Writing out registry: registry.0xe1903008.UsrClassdat.reg

Writing out registry: registry.0xe1035b60.system.reg

Physical layer returned None for index 3000, filling with NULL
Physical layer returned None for index 4000, filling with NULL
Physical layer returned None for index e000, filling with NULL
Physical layer returned None for index 10000, filling with NULL
Physical layer returned None for index 11000, filling with NULL
Physical layer returned None for index 12000, filling with NULL
Physical layer returned None for index 1c000, filling with NULL
Physical layer returned None for index 1d000, filling with NULL
Physical layer returned None for index 1e000, filling with NULL
Physical layer returned None for index 31000, filling with NULL
Physical layer returned None for index 32000, filling with NULL
Physical layer returned None for index 34000, filling with NULL
Physical layer returned None for index 35000, filling with NULL
Physical layer returned None for index 37000, filling with NULL
Physical layer returned None for index 3a000, filling with NULL
Physical layer returned None for index 3b000, filling with NULL
Physical layer returned None for index 3e000, filling with NULL
Physical layer returned None for index 46000, filling with NULL
Physical layer returned None for index 47000, filling with NULL
Physical layer returned None for index 48000, filling with NULL
Physical layer returned None for index 4a000, filling with NULL
Physical layer returned None for index 4f000, filling with NULL
Physical layer returned None for index 50000, filling with NULL
Physical layer returned None for index 51000, filling with NULL
Physical layer returned None for index 5a000, filling with NULL
Physical layer returned None for index ba000, filling with NULL
Physical layer returned None for index c5000, filling with NULL
Physical layer returned None for index c6000, filling with NULL
Physical layer returned None for index c7000, filling with NULL
Physical layer returned None for index 167000, filling with NULL
Physical layer returned None for index 168000, filling with NULL
Physical layer returned None for index 16a000, filling with NULL
Physical layer returned None for index 16b000, filling with NULL
Physical layer returned None for index 16c000, filling with NULL
Physical layer returned None for index 16d000, filling with NULL
Physical layer returned None for index 1a7000, filling with NULL
Physical layer returned None for index 1a9000, filling with NULL
Physical layer returned None for index 1aa000, filling with NULL
Physical layer returned None for index 1ab000, filling with NULL
Physical layer returned None for index 1ae000, filling with NULL
Physical layer returned None for index 1b4000, filling with NULL
Physical layer returned None for index 1b6000, filling with NULL
Physical layer returned None for index 1b7000, filling with NULL
Physical layer returned None for index 1c3000, filling with NULL
Physical layer returned None for index 1f0000, filling with NULL
Physical layer returned None for index 24a000, filling with NULL
Physical layer returned None for index 257000, filling with NULL
Physical layer returned None for index 258000, filling with NULL
Physical layer returned None for index 259000, filling with NULL
Physical layer returned None for index 25a000, filling with NULL
Physical layer returned None for index 25b000, filling with NULL
Physical layer returned None for index 25f000, filling with NULL
Physical layer returned None for index 260000, filling with NULL
Physical layer returned None for index 273000, filling with NULL
Physical layer returned None for index 284000, filling with NULL
Physical layer returned None for index 288000, filling with NULL
Physical layer returned None for index 289000, filling with NULL
Physical layer returned None for index 296000, filling with NULL
Physical layer returned None for index 297000, filling with NULL
Physical layer returned None for index 298000, filling with NULL
Physical layer returned None for index 299000, filling with NULL
Physical layer returned None for index 29a000, filling with NULL
Physical layer returned None for index 29b000, filling with NULL
Physical layer returned None for index 2b2000, filling with NULL
Physical layer returned None for index 2b7000, filling with NULL
Physical layer returned None for index 2ca000, filling with NULL
Physical layer returned None for index 2d4000, filling with NULL
Physical layer returned None for index 2f0000, filling with NULL
Physical layer returned None for index 2f1000, filling with NULL
Physical layer returned None for index 2f3000, filling with NULL

Writing out registry: registry.0xe16ab008.NTUSERDAT.reg

Writing out registry: registry.0xe1461008.SAM.reg

Writing out registry: registry.0xe1460b60.software.reg

Writing out registry: registry.0xe183b008.UsrClassdat.reg
111 
112 
113 
114 Writing out registry: registry.0xe1451758.SECURITY.reg
115 
116 
117 
118 Writing out registry: registry.0xe1345b60.no_name.reg
119 
120 
121 **************************************************
122 Writing out registry: registry.0xe169c008.UsrClassdat.reg

The "Physical layer returned None for index ..., filling with NULL" lines mean that some 4 KiB pages of the hives were not present in the memory image (paged out, or never captured); dumpregistry replaces them with zeros, so the dumped hives can be incomplete and some keys or values will be missing. Despite the .reg extension, the output files are raw binary hives (REGF format), not textual registry exports: xxd shows their bytes, and reading keys and values requires a hive parser.
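As an added example (not code from the original post or from Volatility), the following Python script checks a file produced by dumpregistry before handing it to a hive parser: it validates the "regf" signature and the base-block checksum, decodes the last-written timestamp, compares the two sequence numbers (unequal values mean the hive was caught mid-update), and counts the all-zero pages left by the "filling with NULL" warnings. The hive it parses is constructed inline for the demonstration; the field layout is that of the standard REGF base block.

```python
import struct
from datetime import datetime, timedelta, timezone

# A hive base block is one 4 KiB page; the hive bins (hbin) follow it.
BASE_BLOCK = 4096
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the first 508 bytes of the base block (127 little-endian DWORDs),
    with the two special cases Windows applies: 0 -> 1 and 0xFFFFFFFF -> 0xFFFFFFFE."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def filetime_to_datetime(filetime: int) -> datetime:
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def parse_regf_header(data: bytes) -> dict:
    """Validate and decode the REGF base block of a dumped hive."""
    if len(data) < BASE_BLOCK:
        raise ValueError("shorter than a REGF base block")
    if data[:4] != b"regf":
        raise ValueError("no 'regf' signature: not a raw hive")
    (primary_seq, secondary_seq, last_written, major, minor,
     _file_type, _file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "name": name,
        "version": (major, minor),
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Equal sequence numbers mean the hive was not being written when captured.
        "consistent": primary_seq == secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        # The root cell offset is relative to the start of the hive bins data.
        "root_cell_file_offset": BASE_BLOCK + root_cell,
        "hbins_size": hbins_size,
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def count_null_pages(data: bytes, page: int = BASE_BLOCK) -> int:
    """Pages that are entirely zero: in a dumpregistry output these are the ones
    reported as 'Physical layer returned None ... filling with NULL'."""
    zero = bytes(page)
    return sum(1 for off in range(0, len(data), page) if data[off:off + page] == zero)


def build_sample_hive() -> bytes:
    """Constructed sample, not a real dumped hive: a valid base block, one hbin
    page and one all-zero page standing in for a page missing from the image."""
    delta = datetime(2012, 11, 26, 19, 57, 28, tzinfo=timezone.utc) - WINDOWS_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000
    hdr = bytearray(BASE_BLOCK)
    hdr[:4] = b"regf"
    # primary seq, secondary seq, last written, major, minor, type, format, root cell, hbins size
    struct.pack_into("<IIQIIIIII", hdr, 4, 7, 7, filetime, 1, 3, 0, 1, 0x20, 2 * BASE_BLOCK)
    name = "system32\\config\\SAM".encode("utf-16-le")
    hdr[48:48 + len(name)] = name
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    hbin = bytearray(BASE_BLOCK)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, BASE_BLOCK)  # offset within hbins data, size
    return bytes(hdr) + bytes(hbin) + bytes(BASE_BLOCK)


if __name__ == "__main__":
    hive = build_sample_hive()
    for key, value in parse_regf_header(hive).items():
        print(f"{key:>22}: {value}")
    print(f"null-filled pages: {count_null_pages(hive)} of {len(hive) // BASE_BLOCK}")
```

On a real registry.*.reg file, read it with open(path, "rb") and pass the bytes to parse_regf_header and count_null_pages; a high null-page count relative to hbins_size tells you how much of the hive the parser will not be able to reconstruct.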

Memory map

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin memmap
Volatility Foundation Volatility Framework 2.6
System pid:      4
Virtual    Physical         Size DumpFileOffset
---------- ---------- ---------- --------------
0x00010000 0x02725000     0x1000            0x0
0x00011000 0x02726000     0x1000         0x1000
0x00012000 0x02727000     0x1000         0x2000
0x00013000 0x02708000     0x1000         0x3000
0x00014000 0x02709000     0x1000         0x4000
0x00015000 0x0270a000     0x1000         0x5000
0x00016000 0x0270b000     0x1000         0x6000
0x00017000 0x0270c000     0x1000         0x7000
0x00018000 0x0270d000     0x1000         0x8000
0x00019000 0x0270e000     0x1000         0x9000
0x0001a000 0x0270f000     0x1000         0xa000
0x0001b000 0x02710000     0x1000         0xb000
0x0001c000 0x02711000     0x1000         0xc000
0x0001d000 0x02712000     0x1000         0xd000
0x0001e000 0x02713000     0x1000         0xe000
0x0001f000 0x02714000     0x1000         0xf000
0x00020000 0x02715000     0x1000        0x10000
0x00021000 0x02716000     0x1000        0x11000
--SNiP--

Without -p, memmap walks every process, starting with System (PID 4); give -p to restrict it to one. Each row is a resident page: its virtual address in the process, its physical address in the image, and DumpFileOffset, the offset at which that page lands in the file that memdump writes for the process. That last column is what you need to translate a hit found with strings or yara in a .dmp file back to a virtual address.

Dumping a process's memory

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin memdump -p 556 -D dump
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing ctfmon.exe [   556] to 556.dmp

The output directory (here dump) must exist beforehand.
Without -p, every process is dumped. The .dmp file is a concatenation of the process's resident pages, not an image of its virtual address space: non-resident pages are simply absent, so an offset inside the file only means something together with the memmap table for that process.
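The translation between a .dmp file offset and a process address, as an added example for the memmap and memdump sections above (not code from the original post or from Volatility): it parses the memmap table as Volatility prints it, maps a file offset from strings or yara back to the virtual and physical addresses, and does the reverse lookup, returning None for a page that was not resident and so has no copy in the dump. The table below is a constructed excerpt of the memmap output shown above.

```python
import re

# Constructed from the memmap table shown above (virtual, physical, size, DumpFileOffset).
SAMPLE_MEMMAP = """\
System pid:      4
Virtual    Physical         Size DumpFileOffset
---------- ---------- ---------- --------------
0x00010000 0x02725000     0x1000            0x0
0x00011000 0x02726000     0x1000         0x1000
0x00012000 0x02727000     0x1000         0x2000
0x00013000 0x02708000     0x1000         0x3000
0x00014000 0x02709000     0x1000         0x4000
"""

ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)$")


def parse_memmap(text: str) -> list:
    """Return (virtual, physical, size, dump_offset) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(tuple(int(v, 16) for v in m.groups()))
    return rows


def dump_offset_to_addresses(rows, dump_offset: int):
    """Map an offset inside the memdump .dmp file back to (virtual, physical) addresses.
    Returns None when the offset falls outside every recorded page."""
    for virt, phys, size, off in rows:
        if off <= dump_offset < off + size:
            delta = dump_offset - off
            return virt + delta, phys + delta
    return None


def virtual_to_dump_offset(rows, va: int):
    """Inverse mapping: where in the .dmp file does a virtual address live?
    None means the page was not resident and so is absent from the dump."""
    for virt, _phys, size, off in rows:
        if virt <= va < virt + size:
            return off + (va - virt)
    return None


if __name__ == "__main__":
    rows = parse_memmap(SAMPLE_MEMMAP)
    hit = 0x3010  # e.g. the file offset reported by `strings -t x 4.dmp`
    print(f"dump offset {hit:#x} -> virtual/physical {dump_offset_to_addresses(rows, hit)}")
    print(f"virtual 0x14ff0 -> dump offset {virtual_to_dump_offset(rows, 0x14FF0):#x}")
    print(f"virtual 0x7ffd0000 -> {virtual_to_dump_offset(rows, 0x7FFD0000)} (not resident)")
```

To use it on a real case, save the memmap output for the PID (memmap -p 556 > 556.memmap) and feed the file's text to parse_memmap; the physical address it returns can then be examined directly in the image with volshell or a hex editor.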

Dumping a process executable

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin procdump -p 556 -D dump
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x822408d0 0x00400000 ctfmon.exe           OK: executable.556.exe

procdump rebuilds the PE from the sections mapped at ImageBase, so do not expect the hash of executable.556.exe to match the binary on disk: relocations have been applied, the import table reflects the loaded state, and sections that were paged out are missing. It is fine for static analysis and for comparing against a known-good copy, not for hash-based lookups.

Dumping the event logs

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin evtlogs -D dump
Volatility Foundation Volatility Framework 2.6
Parsed data sent to internet.txt
Parsed data sent to appevent.txt
Parsed data sent to sysevent.txt
Parsed data sent to secevent.txt

The --save-evt option additionally writes the logs out in their raw .evt format, for analysis with a dedicated event-log tool. Note that evtlogs only understands the legacy .evt format of Windows XP and 2003; from Vista onwards the logs are .evtx and this plugin does not parse them.

IE history

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 284 explorer.exe
Cache type "DEST" at 0xdcb69
Last modified: 2012-11-26 17:01:53 UTC+0000
Last accessed: 2012-11-26 23:01:54 UTC+0000
URL: callb@http://58.64.132.8/download/Symantec-1.43-1.exe

iehistory carves index.dat records from process memory, which is why the hit is attributed to explorer.exe rather than to a browser: any process that uses the WinInet cache leaves such records. Entries have the form user@URL, so callb is the account under which the download was recorded. An executable named after a security product, fetched from a bare IP address, is exactly the kind of entry to pivot on: the Last accessed timestamp gives a time to anchor the rest of the investigation.

Process timeline

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin timeliner
Volatility Foundation Volatility Framework 2.6
2012-11-27 01:57:28 UTC+0000|[LIVE RESPONSE]| (System time)|
2012-11-26 22:03:29 UTC+0000|[PROCESS]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[PROCESS LastTrimTime]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[Handle (Key)]| MACHINE| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-24 18:05:47 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\CLASSES| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-27 00:48:19 UTC+0000|[Handle (Key)]| USER\.DEFAULT| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-23 16:26:23 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-23 16:26:23 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPT32CHAIN| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPTNET| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 15:49:58 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\SCLGNTFY| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:30 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\CONTROL\LSA| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
--SNiP--

The output is not in chronological order: timeliner emits events grouped by source (process, then the handles of that process, and so on). Since every line starts with the timestamp in a fixed format, a plain sort on the first field orders it; for a real case, --output=body produces Sleuthkit body format that mactime can turn into a proper timeline, and the [LIVE RESPONSE] line gives the time the image was taken, a useful sanity bound for every other timestamp.
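As an added example (not code from the original post or from Volatility), the following Python parses timeliner's pipe-delimited output, sorts it chronologically, extracts the capture time from the [LIVE RESPONSE] line, flags any event dated after the capture (clock skew, a corrupt timestamp, or tampering) and pulls out the events within a window around a pivot time, here the start of winlogon.exe. The input is a constructed sample built from the lines shown above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: lines taken from the timeliner output above (raw string, backslashes kept).
SAMPLE_TIMELINE = r"""
2012-11-27 01:57:28 UTC+0000|[LIVE RESPONSE]| (System time)|
2012-11-26 22:03:29 UTC+0000|[PROCESS]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[PROCESS LastTrimTime]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[Handle (Key)]| MACHINE| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-24 18:05:47 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\CLASSES| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-27 00:48:19 UTC+0000|[Handle (Key)]| USER\.DEFAULT| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPT32CHAIN| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:30 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\CONTROL\LSA| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_timeline(text: str) -> list:
    """Return (timestamp, event type, detail) tuples in the order timeliner printed them."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split("|")
        # timeliner prints "UTC+0000"; drop it and attach the UTC zone explicitly.
        when = datetime.strptime(ts.replace(" UTC+0000", ""), TS_FMT).replace(tzinfo=timezone.utc)
        events.append((when, kind.strip("[] "), "|".join(rest).strip(" |")))
    return events


def sort_chronologically(events: list) -> list:
    return sorted(events, key=lambda e: e[0])


def capture_time(events: list) -> datetime:
    """The [LIVE RESPONSE] entry records when the image was acquired."""
    return next(e[0] for e in events if e[1] == "LIVE RESPONSE")


def after_capture(events: list) -> list:
    """Events dated later than the acquisition: impossible unless a clock or a timestamp is wrong."""
    t0 = capture_time(events)
    return [e for e in events if e[0] > t0]


def around(events: list, pivot_iso: str, minutes: int = 5) -> list:
    """Chronological slice of the events within +/- minutes of an ISO 8601 pivot time."""
    pivot = datetime.fromisoformat(pivot_iso)
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    return [e for e in sort_chronologically(events) if lo <= e[0] <= hi]


if __name__ == "__main__":
    events = parse_timeline(SAMPLE_TIMELINE)
    print(f"image captured at {capture_time(events).isoformat()}")
    print(f"events after capture: {len(after_capture(events))}")
    for when, kind, detail in around(events, "2012-11-26T22:03:29+00:00", minutes=1):
        print(f"{when:%Y-%m-%d %H:%M:%S} {kind:<20} {detail}")
```

On a full run, redirect timeliner to a file and pass its contents to parse_timeline; a pivot taken from another artefact (for instance the Last accessed time from iehistory) then gives the process starts, handles and other events that surround it.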

YARA

What is YARA? YARA is a tool widely used in malware analysis: you write rule files (or, for a quick look, a single pattern) describing the strings and byte sequences that identify a sample, and yarascan applies them to the memory of every process.

./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin yarascan -Y http
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process csrss.exe Pid 604
0x008105df  68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69   https://www.veri
0x008105ef  73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29   sign.com/rpa.(c)
0x008105ff  30 31 31 27 30 25 06 03 55 04 03 13 1e 56 65 72   011'0%..U....Ver
0x0081060f  69 53 69 67 6e 20 54 69 6d 65 20 53 74 61 6d 70   iSign.Time.Stamp
0x0081061f  69 6e 67 20 53 65 72 76 69 63 65 30 82 01 22 30   ing.Service0.."0
0x0081062f  0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82   ....H..........
0x0081063f  01 0f 00 30 82 01 0a 02 82 01 01 00 c0 7a 61 87   ...0.........za.
0x0081064f  eb b2 a7 03 63 1b 2b 1a 61 de 80 b7 15 1d a0 8b   ....c.+.a.......
0x0081065f  90 3d bb 27 92 84 14 39 eb 85 ce 29 92 06 66 48   .=.'...9...)..fH
0x0081066f  a4 03 4f 8d e8 4f a7 f0 af 5e d1 2f 19 c7 91 f1   ..O..O...^./....
0x0081067f  b5 9e 7b 91 21 ce e9 ff e3 4e f0 fc af 95 58 b8   ..{.!....N....X.
0x0081068f  63 2d e6 8e f6 29 18 cd 70 8e 50 c3 ed 96 bb 40   c-...)..p.P....@
0x0081069f  db be 25 e8 42 55 d6 f6 85 f2 06 e7 8b 99 1c 31   ..%.BU.........1
0x008106af  f3 03 0f d4 4c 9c 24 2a dc 1b 1b 8f 82 f3 b0 ef   ....L.$........
0x008106bf  a7 4d e3 14 a7 e0 8f d6 c7 68 c2 61 58 a9 72 d4   .M.......h.aX.r.
0x008106cf  f8 30 48 4f d9 2f 6f 63 20 d9 89 ca 82 7b c2 4b   .0HO./oc.....{.K
Rule: r1
Owner: Process csrss.exe Pid 604
0x00810774  68 74 74 70 3a 2f 2f 6f 63 73 70 2e 76 65 72 69   http://ocsp.veri
0x00810784  73 69 67 6e 2e 63 6f 6d 2f 6f 63 73 70 2f 73 74   sign.com/ocsp/st
0x00810794  61 74 75 73 30 09 06 03 55 1d 13 04 02 30 00 30   atus0...U....0.0
0x008107a4  44 06 03 55 1d 20 04 3d 30 3b 30 39 06 0b 60 86   D..U...=0;09..`.
0x008107b4  48 01 86 f8 45 01 07 01 01 30 2a 30 28 06 08 2b   H...E....0*0(..+
0x008107c4  06 01 05 05 07 02 01 16 1c 68 74 74 70 73 3a 2f   .........https:/
0x008107d4  2f 77 77 77 2e 76 65 72 69 73 69 67 6e 2e 63 6f   /www.verisign.co
0x008107e4  6d 2f 72 70 61 30 13 06 03 55 1d 25 04 0c 30 0a   m/rpa0...U.%..0.
0x008107f4  06 08 2b 06 01 05 05 07 03 08 30 0b 06 03 55 1d   ..+.......0...U.
0x00810804  0f 04 04 03 02 06 c0 30 0d 06 09 2a 86 48 86 f7   .......0...*.H..
0x00810814  0d 01 01 04 05 00 03 81 81 00 2d f3 4f 63 60 2c   ..........-.Oc`,
0x00810824  18 da f5 24 0f 52 b3 0c eb b3 bc 67 85 c2 23 ed   ...$.R.....g..#.
0x00810834  8f 46 0d cf 1a 4d be f3 7c 7a 20 30 32 18 68 8b   .F...M..|z.02.h.
0x00810844  92 bb 32 99 f0 93 b8 3b 15 06 27 7b 3e 02 06 00   ..2....;..'{>...
0x00810854  a4 21 92 84 13 0a c5 98 e5 40 57 c5 05 25 e8 af   .!.......@W..%..
0x00810864  af 11 6a a9 e5 3b cb e9 23 f6 94 29 5d 40 55 f3   ..j..;..#..)]@U.
--SNiP--

With -Y you search for a pattern given on the command line (yarascan wraps it in a rule it names r1, hence "Rule: r1" in the output); with -y you supply a YARA rules file. A bare string such as http matches far too much, as the hits above show: they are the VeriSign certificate and OCSP URL embedded in csrss.exe, not an indicator. Narrow the search with -p to a single process, use -K to scan kernel memory instead, and remember that Windows keeps many strings in UTF-16LE, which a plain -Y pattern will not find unless you add -W (wide).
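As an added example (not code from the original post, from Volatility or from YARA itself), the following Python shows in a self-contained way what `yarascan -Y pattern` and `-W` do: it searches a memory region for a pattern as ASCII and, optionally, as UTF-16LE, and prints each hit with a hexdump in the same layout as Volatility's. The region is constructed inline from the download URL found in the iehistory output above, stored once in each encoding; the 0x00400000 base address is an assumed value used only for display.

```python
import re

PRINTABLE = set(range(0x21, 0x7F))  # Volatility renders space and control bytes as '.'
URL = "http://58.64.132.8/download/Symantec-1.43-1.exe"  # string seen in the iehistory output


def hexdump(data: bytes, base: int, width: int = 16) -> list:
    """Volatility-style dump lines: address, hex bytes, ASCII with '.' for non-printables."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{base + off:#010x}  {hexpart:<{width * 3 - 1}}   {asc}")
    return lines


def scan(data: bytes, pattern: str, wide: bool = False, context: int = 64) -> list:
    """Emulate `yarascan -Y pattern` (and -W for UTF-16LE) on a raw buffer.
    Returns (offset, encoding, window bytes) for every hit, lowest offset first."""
    needles = [(pattern.encode("ascii"), "ascii")]
    if wide:
        needles.append((pattern.encode("utf-16-le"), "wide"))
    hits = []
    for needle, encoding in needles:
        for m in re.finditer(re.escape(needle), data):
            hits.append((m.start(), encoding, data[m.start():m.start() + context]))
    return sorted(hits, key=lambda h: h[0])


def build_sample_region() -> bytes:
    """Constructed sample, not real process memory: the URL once as ASCII and once
    as UTF-16LE (how a Windows API would hold it), surrounded by zero filler."""
    return (b"\x00" * 0x40 + URL.encode("ascii") + b"\x00" * 0x20
            + URL.encode("utf-16-le") + b"\x00" * 0x10)


if __name__ == "__main__":
    region = build_sample_region()
    base = 0x00400000  # assumed load address, for display only
    for wide in (False, True):
        print(f"-Y http{' -W' if wide else ''}: {len(scan(region, 'http', wide))} hit(s)")
    for offset, encoding, window in scan(region, "http", wide=True):
        print(f"Rule: r1 ({encoding})")
        print("\n".join(hexdump(window, base + offset)))
```

The ASCII-only search sees one hit, the wide search two: the second copy, the one a WinInet or shell call actually holds, is invisible without -W. When a real rule file is written for -y, the same point applies: declare the indicator strings with the `wide` (and usually `ascii wide`) modifier.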

Other commands

The list of options above is far from complete; refer to the binary's help (./vol.py -h and ./vol.py <plugin> -h) and to the official online documentation.
The annex also links to a page listing Volatility commands useful for hunting malware.

Annexes

Volatility site
Memory dump samples for the various OSes used in this post
Volatility: command reference