Forensic - Volatility
Alasta, 3 December 2018. Tags: forensic, shell, cli, security, forensic, memory, analysis
Description: an introduction to memory analysis with the Volatility tool.
Volatility
Volatility is an open source tool for analysing memory dumps; it is a framework written in Python.
It can analyse memory dumps from Windows/Mac/Linux/Android, and the framework itself runs on Windows/Mac/Linux.
A wide range of plugins can also be added to it.
Environment
We will not cover installing the framework; refer to the official documentation for that.
We will use the dumps from the "Art of Memory Forensics Images" archive; the link is given in the appendix.
Version 2.6 of Volatility is used throughout.
On to the commands
Determining the dump's profile
This is the first thing to do, because the profile is passed to every other command:
$ ./vol.py -f /tmp/sample001.bin imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/sample001.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054cde0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-11-27 01:57:28 UTC+0000
Image local date and time : 2012-11-26 19:57:28 -0600
Here it suggests two profiles, WinXPSP2x86 and WinXPSP3x86; it instantiated its tests with WinXPSP2x86, so that is the one we will use.
Another way, with kdbgscan
./vol.py -f /tmp/sample001.bin kdbgscan
Volatility Foundation Volatility Framework 2.6

Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V) : 0x8054cde0
Offset (P) : 0x54cde0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64 : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab) : 2600.xpsp.080413-2111
PsActiveProcessHead : 0x80561358 (21 processes)
PsLoadedModuleList : 0x8055b1c0 (96 modules)
KernelBase : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader) : 5
Minor (OptionalHeader) : 1
KPCR : 0xffdff000 (CPU 0)


Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V) : 0x8054cde0
Offset (P) : 0x54cde0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64 : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab) : 2600.xpsp.080413-2111
PsActiveProcessHead : 0x80561358 (21 processes)
PsLoadedModuleList : 0x8055b1c0 (96 modules)
KernelBase : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader) : 5
Minor (OptionalHeader) : 1
KPCR : 0xffdff000 (CPU 0)
Here it finds two structures that are identical (compare the offsets); sometimes the offsets differ.
In that case, take the one whose process and module counts are not 0.
Some plugins have trouble with this, and you then have to tell them which offset to use by adding --kdbg=OFFSET (the virtual offset from kdbgscan).
Here are two links for more information:
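The selection rule above, as an added example that is not part of the original post: a small script that parses kdbgscan output, keeps only candidates whose PsActiveProcessHead and PsLoadedModuleList counts are non-zero, and builds the --kdbg option. The sample output is constructed: the first candidate copies the values shown above, the second is an invented one with empty lists.

```python
import re

# Constructed sample of `kdbgscan` output, abridged to the fields the check needs.
# The first candidate copies the values shown above; the second is an invented
# candidate whose process and module lists are empty, the case the text warns about.
KDBGSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6

Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V) : 0x8054cde0
Offset (P) : 0x54cde0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): WinXPSP3x86
PsActiveProcessHead : 0x80561358 (21 processes)
PsLoadedModuleList : 0x8055b1c0 (96 modules)
KernelBase : 0x804d7000 (Matches MZ: True)

Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V) : 0x80600000
Offset (P) : 0x600000
KDBG owner tag check : True
Profile suggestion (KDBGHeader): WinXPSP2x86
PsActiveProcessHead : 0x00000000 (0 processes)
PsLoadedModuleList : 0x00000000 (0 modules)
KernelBase : 0x804d7000 (Matches MZ: True)
"""


def parse_kdbgscan(text):
    """Split kdbgscan output into one dict per KDBG candidate (key -> value)."""
    candidates = []
    current = None
    for line in text.splitlines():
        if line.startswith("Instantiating KDBG"):
            current = {"header": line.strip()}
            candidates.append(current)
            continue
        if current is None or ":" not in line:
            continue                      # banner, blank line, or text before the first candidate
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return candidates


def _count(field):
    """Extract the integer inside '(21 processes)' or '(96 modules)'; 0 if absent."""
    match = re.search(r"\((\d+) (?:processes|modules)\)", field or "")
    return int(match.group(1)) if match else 0


def choose_kdbg(candidates):
    """Return the candidate whose process and module counts are both non-zero.
    If several qualify, prefer the one that sees the most processes."""
    valid = [c for c in candidates
             if _count(c.get("PsActiveProcessHead")) > 0
             and _count(c.get("PsLoadedModuleList")) > 0]
    if not valid:
        return None
    return max(valid, key=lambda c: _count(c["PsActiveProcessHead"]))


def kdbg_option(candidate):
    """Build the --kdbg=<virtual offset> option to pass to the other plugins."""
    return "--kdbg=" + candidate["Offset (V)"]


if __name__ == "__main__":
    cands = parse_kdbgscan(KDBGSCAN_OUTPUT)
    for c in cands:
        print(c["Offset (V)"], c["PsActiveProcessHead"], c["PsLoadedModuleList"])
    best = choose_kdbg(cands)
    print("use:", kdbg_option(best) if best else "no usable KDBG found")
```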
Process list
$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System 4 0 51 271 ------ 0
0x821841c8 smss.exe 356 4 3 19 ------ 0 2012-11-26 22:03:28 UTC+0000
0x821b0020 csrss.exe 604 356 12 351 0 0 2012-11-26 22:03:29 UTC+0000
0x82189da0 winlogon.exe 628 356 18 653 0 0 2012-11-26 22:03:29 UTC+0000
0x82194650 services.exe 680 628 15 243 0 0 2012-11-26 22:03:30 UTC+0000
0x82244020 lsass.exe 692 628 22 407 0 0 2012-11-26 22:03:30 UTC+0000
0x8219e2c8 svchost.exe 852 680 14 187 0 0 2012-11-26 22:03:31 UTC+0000
0x82192b10 svchost.exe 940 680 9 258 0 0 2012-11-26 22:03:31 UTC+0000
0x820b3da0 svchost.exe 1024 680 76 1645 0 0 2012-11-26 22:03:32 UTC+0000
0x821a62e0 svchost.exe 1068 680 5 81 0 0 2012-11-26 22:03:32 UTC+0000
0x821a3c10 svchost.exe 1116 680 14 248 0 0 2012-11-26 22:03:33 UTC+0000
0x822e9700 spoolsv.exe 1348 680 10 105 0 0 2012-11-26 22:03:34 UTC+0000
0x8203c020 alg.exe 1888 680 6 105 0 0 2012-11-26 22:03:35 UTC+0000
0x8204f020 explorer.exe 284 244 9 372 0 0 2012-11-26 22:03:58 UTC+0000
0x82226650 msmsgs.exe 548 284 3 204 0 0 2012-11-26 22:04:03 UTC+0000
0x822408d0 ctfmon.exe 556 284 1 75 0 0 2012-11-26 22:04:03 UTC+0000
0x82045da0 wuauclt.exe 1628 1024 3 142 0 0 2012-11-26 22:04:43 UTC+0000
0x821feda0 msimn.exe 1984 284 7 359 0 0 2012-11-26 22:06:33 UTC+0000
0x82049690 wc.exe 364 1024 1 27 0 0 2012-11-27 01:30:00 UTC+0000
0x822d0828 cmd.exe 1796 284 1 33 0 0 2012-11-27 01:56:21 UTC+0000
0x820b13b8 mdd.exe 244 1796 1 24 0 0 2012-11-27 01:57:28 UTC+0000
or
$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x823c8830:System 4 0 51 271 1970-01-01 00:00:00 UTC+0000
. 0x821841c8:smss.exe 356 4 3 19 2012-11-26 22:03:28 UTC+0000
.. 0x82189da0:winlogon.exe 628 356 18 653 2012-11-26 22:03:29 UTC+0000
... 0x82194650:services.exe 680 628 15 243 2012-11-26 22:03:30 UTC+0000
.... 0x820b3da0:svchost.exe 1024 680 76 1645 2012-11-26 22:03:32 UTC+0000
..... 0x82045da0:wuauclt.exe 1628 1024 3 142 2012-11-26 22:04:43 UTC+0000
..... 0x82049690:wc.exe 364 1024 1 27 2012-11-27 01:30:00 UTC+0000
.... 0x8203c020:alg.exe 1888 680 6 105 2012-11-26 22:03:35 UTC+0000
.... 0x821a62e0:svchost.exe 1068 680 5 81 2012-11-26 22:03:32 UTC+0000
.... 0x822e9700:spoolsv.exe 1348 680 10 105 2012-11-26 22:03:34 UTC+0000
.... 0x82192b10:svchost.exe 940 680 9 258 2012-11-26 22:03:31 UTC+0000
.... 0x821a3c10:svchost.exe 1116 680 14 248 2012-11-26 22:03:33 UTC+0000
.... 0x8219e2c8:svchost.exe 852 680 14 187 2012-11-26 22:03:31 UTC+0000
... 0x82244020:lsass.exe 692 628 22 407 2012-11-26 22:03:30 UTC+0000
.. 0x821b0020:csrss.exe 604 356 12 351 2012-11-26 22:03:29 UTC+0000
0x8204f020:explorer.exe 284 244 9 372 2012-11-26 22:03:58 UTC+0000
. 0x82226650:msmsgs.exe 548 284 3 204 2012-11-26 22:04:03 UTC+0000
. 0x822d0828:cmd.exe 1796 284 1 33 2012-11-27 01:56:21 UTC+0000
.. 0x820b13b8:mdd.exe 244 1796 1 24 2012-11-27 01:57:28 UTC+0000
. 0x821feda0:msimn.exe 1984 284 7 359 2012-11-26 22:06:33 UTC+0000
. 0x822408d0:ctfmon.exe 556 284 1 75 2012-11-26 22:04:03 UTC+0000
With psscan
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin psscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000203c020 alg.exe 1888 680 0x0903e000 2012-11-26 22:03:35 UTC+0000
0x0000000002045da0 wuauclt.exe 1628 1024 0x0d76d000 2012-11-26 22:04:43 UTC+0000
0x0000000002049690 wc.exe 364 1024 0x1441f000 2012-11-27 01:30:00 UTC+0000
0x000000000204f020 explorer.exe 284 244 0x0a016000 2012-11-26 22:03:58 UTC+0000
0x00000000020b13b8 mdd.exe 244 1796 0x172db000 2012-11-27 01:57:28 UTC+0000
0x00000000020b3da0 svchost.exe 1024 680 0x07401000 2012-11-26 22:03:32 UTC+0000
0x00000000020d0d20 services.exe 684 640 0x0923b000 2012-11-23 16:48:06 UTC+0000
0x00000000021841c8 smss.exe 356 4 0x05ae4000 2012-11-26 22:03:28 UTC+0000
0x0000000002189da0 winlogon.exe 628 356 0x0682e000 2012-11-26 22:03:29 UTC+0000
0x0000000002192b10 svchost.exe 940 680 0x0725b000 2012-11-26 22:03:31 UTC+0000
0x0000000002194650 services.exe 680 628 0x06afb000 2012-11-26 22:03:30 UTC+0000
--SNiP--
Note: several commands can give the same or a similar result; the (invisible) difference is how the information is retrieved, since they do not walk or scan the same structures.
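Because pslist walks the kernel's linked list while psscan carves _EPROCESS structures from memory, comparing the two is the practical use of that difference: an entry psscan finds that pslist lacks is a terminated process or one unlinked from the list. The comparison below is an added example, not part of the original post; its inputs are constructed, abridged excerpts of the two outputs above (the psscan excerpt was cut before System, so System shows up as list-only).

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid created")

# Constructed, abridged excerpts of the pslist and psscan output shown above.
PSLIST_OUTPUT = """\
Offset(V)  Name                 PID  PPID Thds Hnds   Sess Wow64 Start
---------- -------------------- ---- ---- ---- ------ ---- ----- ------------------------------
0x823c8830 System                  4    0   51    271 ------  0
0x821841c8 smss.exe              356    4    3     19 ------  0 2012-11-26 22:03:28 UTC+0000
0x82189da0 winlogon.exe          628  356   18    653      0  0 2012-11-26 22:03:29 UTC+0000
0x82194650 services.exe          680  628   15    243      0  0 2012-11-26 22:03:30 UTC+0000
0x820b3da0 svchost.exe          1024  680   76   1645      0  0 2012-11-26 22:03:32 UTC+0000
0x82049690 wc.exe                364 1024    1     27      0  0 2012-11-27 01:30:00 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name          PID  PPID PDB        Time created                   Time exited
------------------ ------------- ---- ---- ---------- ------------------------------ ----------
0x0000000002049690 wc.exe         364 1024 0x1441f000 2012-11-27 01:30:00 UTC+0000
0x00000000020b3da0 svchost.exe   1024  680 0x07401000 2012-11-26 22:03:32 UTC+0000
0x00000000020d0d20 services.exe   684  640 0x0923b000 2012-11-23 16:48:06 UTC+0000
0x00000000021841c8 smss.exe       356    4 0x05ae4000 2012-11-26 22:03:28 UTC+0000
0x0000000002189da0 winlogon.exe   628  356 0x0682e000 2012-11-26 22:03:29 UTC+0000
0x0000000002194650 services.exe   680  628 0x06afb000 2012-11-26 22:03:30 UTC+0000
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+\d{4}"
# pslist: offset name pid ppid thds hnds sess wow64 [start]
PSLIST_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\S+\s+\d+(?:\s+(" + TS + "))?")
# psscan: offset name pid ppid pdb [created] [exited]
PSSCAN_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+(?:\s+(" + TS + "))?")


def parse(text, pattern):
    """Turn one plugin's table into Proc records; header and banner lines do not match."""
    procs = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            offset, name, pid, ppid, created = m.groups()
            procs.append(Proc(offset, name, int(pid), int(ppid), created))
    return procs


def compare(pslist, psscan):
    """Return (scan_only, list_only, orphans).
    scan_only: carved by psscan but absent from the linked list (exited or unlinked).
    list_only: in the list but not carved (on real data this should be empty).
    orphans:   scan_only entries whose parent PID is not a live process either."""
    key = lambda p: (p.pid, p.name, p.created)   # PIDs get reused across reboots, so key on all three
    listed = {key(p) for p in pslist}
    scanned = {key(p) for p in psscan}
    live_pids = {p.pid for p in pslist}
    scan_only = [p for p in psscan if key(p) not in listed]
    list_only = [p for p in pslist if key(p) not in scanned]
    orphans = [p for p in scan_only if p.ppid != 0 and p.ppid not in live_pids]
    return scan_only, list_only, orphans


if __name__ == "__main__":
    scan_only, list_only, orphans = compare(parse(PSLIST_OUTPUT, PSLIST_RE),
                                            parse(PSSCAN_OUTPUT, PSSCAN_RE))
    for p in scan_only:
        tag = " (parent not running either)" if p in orphans else ""
        print(f"psscan only: {p.name} pid={p.pid} ppid={p.ppid} created={p.created}{tag}")
    for p in list_only:
        print(f"pslist only: {p.name} pid={p.pid}")
```

On the full dump this flags the services.exe with PID 684 created on 2012-11-23, a leftover from an earlier boot that pslist cannot see.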
Display the Security Identifiers (SIDs) associated with a process
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin getsids -p 556
Volatility Foundation Volatility Framework 2.6
ctfmon.exe (556): S-1-5-21-219294376-1976090562-3929857903-1107 (callb)
ctfmon.exe (556): S-1-5-21-219294376-1976090562-3929857903-513 (Domain Users)
ctfmon.exe (556): S-1-1-0 (Everyone)
ctfmon.exe (556): S-1-5-32-544 (Administrators)
ctfmon.exe (556): S-1-5-32-545 (Users)
ctfmon.exe (556): S-1-5-4 (Interactive)
ctfmon.exe (556): S-1-5-11 (Authenticated Users)
ctfmon.exe (556): S-1-5-5-0-49497 (Logon Session)
ctfmon.exe (556): S-1-2-0 (Local (Users with the ability to log in locally))
Command history
$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin cmdscan
Volatility Foundation Volatility Framework 2.6

CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x4f4db0 Application: wc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x424

CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x11486f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x348
Cmd #0 @ 0x4f2f38: net use r: \\172.16.150.10\ITShare
Cmd #1 @ 0x4f1f68: cd\
Cmd #2 @ 0x4f32a0: copy r:\mdd.exe .
Cmd #3 @ 0x4f2720: dir
Cmd #4 @ 0x4f2e98: mdd.exe -o callb-memdump.bin
**************************************************
CommandProcess: csrss.exe Pid: 604
CommandHistory: 0x1148c28 Application: mdd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x59c
Or
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin consoles
Volatility Foundation Volatility Framework 2.6

ConsoleProcess: csrss.exe Pid: 604
Console: 0x4f2398 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: mdd - 50.09% complete
AttachedProcess: mdd.exe Pid: 244 Handle: 0x59c
AttachedProcess: cmd.exe Pid: 1796 Handle: 0x348
----
CommandHistory: 0x1148c28 Application: mdd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x59c
----
CommandHistory: 0x1148a40 Application: net.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x11486f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x348
Cmd #0 at 0x4f2f38: net use r: \\172.16.150.10\ITShare
Cmd #1 at 0x4f1f68: cd\
Cmd #2 at 0x4f32a0: copy r:\mdd.exe .
Cmd #3 at 0x4f2720: dir
Cmd #4 at 0x4f2e98: mdd.exe -o callb-memdump.bin
----
Screen 0x4f2a50 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\callb>net use r: \\172.16.150.10\ITShare
The command completed successfully.


C:\Documents and Settings\callb>cd\

C:\>copy r:\mdd.exe .
1 file(s) copied.

C:\>dir
Volume in drive C has no label.
Volume Serial Number is 1044-534A

Directory of C:\

11/03/2012 09:50 AM 0 AUTOEXEC.BAT
11/03/2012 09:50 AM 0 CONFIG.SYS
11/03/2012 04:55 PM <DIR> Documents and Settings
11/26/2012 07:42 PM 95,104 mdd.exe
11/03/2012 04:50 PM <DIR> Program Files
11/26/2012 05:06 PM <DIR> WINDOWS
3 File(s) 95,104 bytes
3 Dir(s) 7,004,471,296 bytes free

C:\>mdd.exe -o callb-memdump.bin
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option '-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option '-c' for details.

-> Dumping 511.48 MB of physical memory to file 'callb-memdump.bin'.

ConsoleProcess: csrss.exe Pid: 604
Console: 0x4f3318 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\svchost.exe
Title: C:\WINDOWS\System32\svchost.exe
AttachedProcess: wc.exe Pid: 364 Handle: 0x424
----
CommandHistory: 0x4f4db0 Application: wc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x424
----
Screen 0x4f3a20 X:80 Y:25
Dump:
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security -
by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Displaying DLLs
Here we use the "-p PID" option to target a single process; without it we would get every DLL of every process.
$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dlllist -p 556
Volatility Foundation Volatility Framework 2.6
************************************************************************
ctfmon.exe pid: 556
Command line : "C:\WINDOWS\system32\ctfmon.exe"
Service Pack 3

Base Size LoadCount Path
---------- ---------- ---------- ----
0x00400000 0x6000 0xffff C:\WINDOWS\system32\ctfmon.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000 0x91000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 0xffff C:\WINDOWS\system32\GDI32.dll
0x74720000 0x4c000 0xffff C:\WINDOWS\system32\MSCTF.dll
0x5fc10000 0x33000 0xffff C:\WINDOWS\system32\MSUTB.dll
0x5cb70000 0x26000 0x1 C:\WINDOWS\system32\ShimEng.dll
0x6f880000 0x1ca000 0x1 C:\WINDOWS\AppPatch\AcGenral.DLL
0x76b40000 0x2d000 0x2 C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13d000 0x5 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 0x1 C:\WINDOWS\system32\OLEAUT32.dll
0x77be0000 0x15000 0x1 C:\WINDOWS\system32\MSACM32.dll
0x77c00000 0x8000 0x1 C:\WINDOWS\system32\VERSION.dll
0x7c9c0000 0x817000 0x1 C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000 0x5 C:\WINDOWS\system32\SHLWAPI.dll
0x769c0000 0xb4000 0x1 C:\WINDOWS\system32\USERENV.dll
0x5ad70000 0x38000 0x4 C:\WINDOWS\system32\UxTheme.dll
0x76390000 0x1d000 0x4 C:\WINDOWS\system32\IMM32.DLL
0x773d0000 0x103000 0x2 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x755c0000 0x2e000 0x2 C:\WINDOWS\system32\msctfime.ime
We also recover the process's command line, and therefore the path of its binary.
Process privileges:
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin privs -p 556
Volatility Foundation Volatility Framework 2.6
Pid Process Value Privilege Attributes Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
556 ctfmon.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
556 ctfmon.exe 8 SeSecurityPrivilege Present Manage auditing and security log
556 ctfmon.exe 17 SeBackupPrivilege Present Backup files and directories
556 ctfmon.exe 18 SeRestorePrivilege Present Restore files and directories
556 ctfmon.exe 12 SeSystemtimePrivilege Present Change the system time
556 ctfmon.exe 19 SeShutdownPrivilege Present Shut down the system
556 ctfmon.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system
556 ctfmon.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects
556 ctfmon.exe 20 SeDebugPrivilege Present Debug programs
556 ctfmon.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values
556 ctfmon.exe 11 SeSystemProfilePrivilege Present Profile system performance
556 ctfmon.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process
556 ctfmon.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority
556 ctfmon.exe 10 SeLoadDriverPrivilege Present,Enabled Load and unload device drivers
556 ctfmon.exe 15 SeCreatePagefilePrivilege Present Create a pagefile
556 ctfmon.exe 5 SeIncreaseQuotaPrivilege Present Increase quotas
556 ctfmon.exe 25 SeUndockPrivilege Present,Enabled Remove computer from docking station
556 ctfmon.exe 28 SeManageVolumePrivilege Present Manage the files on a volume
556 ctfmon.exe 30 SeCreateGlobalPrivilege Present,Enabled,Default Create global objects
556 ctfmon.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication
The --silent flag only shows the privileges that are Present and Enabled and suppresses the rest; the --regex=REGEX flag filters the output on the Privilege column.
Environment variables
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin envars -p 556
Volatility Foundation Volatility Framework 2.6
Pid Process Block Variable Value
-------- -------------------- ---------- ------------------------------ -----
556 ctfmon.exe 0x00010000 ALLUSERSPROFILE C:\Documents and Settings\All Users
556 ctfmon.exe 0x00010000 APPDATA C:\Documents and Settings\callb\Application Data
556 ctfmon.exe 0x00010000 CLIENTNAME Console
556 ctfmon.exe 0x00010000 CommonProgramFiles C:\Program Files\Common Files
556 ctfmon.exe 0x00010000 COMPUTERNAME ENG-USTXHOU-148
556 ctfmon.exe 0x00010000 ComSpec C:\WINDOWS\system32\cmd.exe
556 ctfmon.exe 0x00010000 FP_NO_HOST_CHECK NO
556 ctfmon.exe 0x00010000 HOMEDRIVE C:
556 ctfmon.exe 0x00010000 HOMEPATH \Documents and Settings\callb
556 ctfmon.exe 0x00010000 LOGONSERVER \\DC-USTXHOU
556 ctfmon.exe 0x00010000 NUMBER_OF_PROCESSORS 1
556 ctfmon.exe 0x00010000 OS Windows_NT
556 ctfmon.exe 0x00010000 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
556 ctfmon.exe 0x00010000 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
556 ctfmon.exe 0x00010000 PROCESSOR_ARCHITECTURE x86
556 ctfmon.exe 0x00010000 PROCESSOR_IDENTIFIER x86 Family 15 Model 2 Stepping 8, GenuineIntel
556 ctfmon.exe 0x00010000 PROCESSOR_LEVEL 15
556 ctfmon.exe 0x00010000 PROCESSOR_REVISION 0208
556 ctfmon.exe 0x00010000 ProgramFiles C:\Program Files
556 ctfmon.exe 0x00010000 SESSIONNAME Console
556 ctfmon.exe 0x00010000 SystemDrive C:
556 ctfmon.exe 0x00010000 SystemRoot C:\WINDOWS
556 ctfmon.exe 0x00010000 TEMP C:\DOCUME~1\callb\LOCALS~1\Temp
556 ctfmon.exe 0x00010000 TMP C:\DOCUME~1\callb\LOCALS~1\Temp
556 ctfmon.exe 0x00010000 USERDNSDOMAIN PETRO-MARKET.ORG
556 ctfmon.exe 0x00010000 USERDOMAIN PETRO-MARKET
556 ctfmon.exe 0x00010000 USERNAME callb
556 ctfmon.exe 0x00010000 USERPROFILE C:\Documents and Settings\callb
556 ctfmon.exe 0x00010000 windir C:\WINDOWS
PE information
Display the version information embedded in PE files. Not every PE file carries such information, and malware authors often forge fake values.
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin verinfo
\SystemRoot\System32\smss.exe
C:\WINDOWS\system32\ntdll.dll
\??\C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\CSRSRV.dll
C:\WINDOWS\system32\basesrv.dll
C:\WINDOWS\system32\winsrv.dll
File version : 5.1.2600.5512
Product version : 5.1.2600.5512
Flags :
OS : Windows NT
File Type : Dynamic Link Library
File Date :
CompanyName : Microsoft Corporation
FileDescription : Windows Server DLL
FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
InternalName : winsrv
LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
OriginalFilename : winsrv.dll
ProductName : Microsoft\xae Windows\xae Operating System
ProductVersion : 5.1.2600.5512
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\KERNEL32.dll
C:\WINDOWS\system32\USER32.dll
File version : 5.1.2600.5512
Product version : 5.1.2600.5512
Flags :
OS : Windows NT
File Type : Dynamic Link Library
File Date :
CompanyName : Microsoft Corporation
FileDescription : Windows XP USER API Client DLL
FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
InternalName : user32
LegalCopyright : \xa9 Microsoft Corporation. All rights reserved.
OriginalFilename : user32
ProductName : Microsoft\xae Windows\xae Operating System
ProductVersion : 5.1.2600.5512
--SNiP--
DLL dump
You first need to create, or point to, a folder into which the dump(s) will be written.
$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dlldump -p 556 -r SHELL32.dll -D dump
Volatility Foundation Volatility Framework 2.6
Process(V) Name Module Base Module Name Result
---------- -------------------- ----------- -------------------- ------
0x822408d0 ctfmon.exe 0x07c9c0000 SHELL32.dll OK: module.556.22408d0.7c9c0000.dll
Here we limited the dump to process 556 and to the DLL SHELL32.dll.
The output file follows a specific naming scheme: module.PID.Process_Offset.ModuleBase.dll
The process offset is the one shown for that process in the pslist output at the beginning.
The dumped DLL is not readable as-is, except through strings.
Some DLLs may come back with the message "Error: DllBase is paged", meaning the DLL is no longer resident in memory.
It may still be possible to recover it with vaddump.
Open handles in a process
Here we filter on the PID again to keep the command output manageable.
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin handles -p 556
Volatility Foundation Volatility Framework 2.6
Offset(V) Pid Handle Access Type Details
---------- ------ ---------- ---------- ---------------- -------
0xe10096e0 556 0x4 0xf0003 KeyedEvent CritSecOutOfMemoryEvent
0xe145e278 556 0x8 0x3 Directory KnownDlls
0x821cff90 556 0xc 0x100020 File \Device\HarddiskVolume1\Documents and Settings\callb
0x82237420 556 0x10 0x100003 Semaphore
0xe145d4e8 556 0x14 0xf000f Directory Windows
0xe1696638 556 0x18 0x21f0001 Port
0x82237488 556 0x1c 0x100003 Semaphore
0xe1562748 556 0x20 0x2000f Directory BaseNamedObjects
0x821d5aa0 556 0x24 0x1f0001 Mutant SHIMLIB_LOG_MUTEX
0xe1a374f0 556 0x28 0x20f003f Key MACHINE
0x82185df8 556 0x2c 0xf037f WindowStation WinSta0
0x821f33e0 556 0x30 0x21f0003 Event
0x822d6298 556 0x34 0xf01ff Desktop Default
0x82185df8 556 0x38 0xf037f WindowStation WinSta0
0xe197c040 556 0x3c 0xf0007 Section CiceroSharedMemDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821df9f8 556 0x40 0x1f0001 Mutant CTF.LBES.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x8218e0f0 556 0x44 0x1f0001 Mutant CTF.Compart.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x822df480 556 0x48 0x1f0001 Mutant CTF.Asm.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x82202370 556 0x4c 0x1f0001 Mutant CTF.Layouts.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x82202320 556 0x50 0x1f0001 Mutant CTF.TMD.MutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1a8d250 556 0x54 0x20f003f Key USER\S-1-5-21-219294376-1976090562-3929857903-1107
0x821cc5a0 556 0x58 0x1f0003 Event
0x822373b8 556 0x5c 0x100003 Semaphore
0x82235be0 556 0x60 0x100003 Semaphore
0xe1a9bb50 556 0x64 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0x82384568 556 0x68 0x100001 File \Device\KsecDD
0x821dfb08 556 0x6c 0x1f0003 Event
0x82075840 556 0x70 0x1f0003 Event
0xe1a54818 556 0x74 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
0x8225e2f0 556 0x78 0x1f0003 Semaphore shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
0x821a5590 556 0x7c 0x1f0003 Event userenv: User Profile setup event
0x82203840 556 0x80 0x100020 File \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512x-ww_35d4ce83
0x820bc5e0 556 0x84 0x100020 File \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512x-ww_35d4ce83
0xe1ab6718 556 0x88 0x1f0001 Port
0x82292440 556 0x8c 0x1f0001 Mutant CtfmonInstMutexDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1757d48 556 0x90 0x4 Section
0x822cc7a8 556 0x94 0x1f0001 Mutant CTF.TimListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107MUTEX.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe1a34040 556 0x98 0xf0007 Section CTF.TimListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107SFM.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821b0b60 556 0x9c 0x1f0001 Mutant MSCTF.GCompartListMUTEX.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0xe199fed0 556 0xa0 0xf0007 Section MSCTF.GCompartListSFM.DefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821f0618 556 0xa4 0x1f0003 Event
0xe1a82e40 556 0xa8 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT\TOGGLE
0xe124b510 556 0xac 0xf0007 Section CTF.AsmListCache.FMPDefaultS-1-5-21-219294376-1976090562-3929857903-1107
0x821f05e8 556 0xb0 0x1f0003 Event
0xe1a601f8 556 0xb4 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\CTF\TIP
0xe19b2d68 556 0xb8 0xf003f Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM
0xe1ab1d20 556 0xbc 0xf003f Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
0xe1ab4250 556 0xc0 0x20f003f Key USER
0x821f05b8 556 0xc4 0x1f0003 Event
0xe1a9a458 556 0xc8 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT\PRELOAD
0x821f0588 556 0xcc 0x1f0003 Event
0xe1a88ba0 556 0xd0 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
0x821f0520 556 0xd4 0x1f0003 Event
0xe12c05d8 556 0xd8 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\CTF\TIP
0x821af5d8 556 0xdc 0x1f0003 Event
0xe194a020 556 0xe0 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\SPEECH
0x821af570 556 0xe4 0x1f0003 Event
0xe1aa5d98 556 0xe8 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\APPEARANCE
0x821cdcd8 556 0xec 0x1f0003 Event
0xe194a0d8 556 0xf0 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\COLORS
0x821cdc70 556 0xf4 0x1f0003 Event
0xe1ac0340 556 0xf8 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\CONTROL PANEL\DESKTOP\WINDOWMETRICS
0x821cdc08 556 0xfc 0x1f0003 Event
0xe1bcb020 556 0x100 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SPEECH
0x821cdbd8 556 0x104 0x1f0003 Event
0xe1bc94b8 556 0x108 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\KEYBOARD LAYOUT
0x82384690 556 0x10c 0x1f0003 Event
0xe1bcb0b8 556 0x110 0x20019 Key USER\S-1-5-21-219294376-1976090562-3929857903-1107\SOFTWARE\MICROSOFT\CTF\ASSEMBLIES
0x8218ddd0 556 0x114 0x120001 Mutant ShimCacheMutex
0x82229c80 556 0x118 0x1f0003 Event
0xe15d0918 556 0x11c 0x2 Section ShimSharedMemory
0x8224d230 556 0x120 0x1f0003 Event
0x8207f1e0 556 0x124 0x1f0003 Event
0xe1a3a0d0 556 0x128 0x20f003f Key USER\S-1-5-21-219294376-1976090562-3929857903-1107_CLASSES
0x8218a680 556 0x12c 0x100000 Event WinSta0_DesktopSwitch
Network connections
$ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin connections
Volatility Foundation Volatility Framework 2.6
Offset(V) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x8201f850 172.16.150.20:1292 172.16.150.10:445 4
or
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin connscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0 1.0.0.0:0 36569092
0x01ffa850 172.16.150.20:1291 58.64.132.141:80 1024
0x0201f850 172.16.150.20:1292 172.16.150.10:445 4
0x02084e68 172.16.150.20:1281 172.16.150.10:389 628
0x020f8988 172.16.150.20:2862 172.16.150.10:135 696
0x02201008 172.16.150.20:1280 172.16.150.10:389 628
0x18615850 172.16.150.20:1292 172.16.150.10:445 4
0x189e8850 172.16.150.20:1291 58.64.132.141:80 1024
0x18a97008 172.16.150.20:1280 172.16.150.10:389 628
0x18b8e850 0.0.0.0:0 1.0.0.0:0 36569092
0x18dce988 172.16.150.20:2862 172.16.150.10:135 696
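connscan carves far more than the single live connection that connections reports: the same connection found at two physical offsets, connections from processes that no longer exist, and residual entries with garbage PIDs. The triage script below is an added example (not part of the original post) that de-duplicates the carved rows, joins each PID to the pslist names above, and flags rows whose PID is not a live process or whose peer is outside private address space. Its input is a constructed, abridged excerpt of the connscan output above.

```python
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local remote pid")

# Constructed excerpt of the connscan output shown above: the same connection
# carved twice at different physical offsets, plus one residual row with a garbage PID.
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
"""

# PID -> name mapping copied by hand from the pslist output above (abridged).
PSLIST_NAMES = {4: "System", 628: "winlogon.exe", 680: "services.exe",
                692: "lsass.exe", 1024: "svchost.exe", 1796: "cmd.exe"}

CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_connscan(text):
    """Parse connscan rows, collapsing the same connection carved at several offsets."""
    seen, conns = set(), []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue                      # banner, header or separator line
        conn = Conn(m.group(1), m.group(2), int(m.group(3)))
        if conn not in seen:
            seen.add(conn)
            conns.append(conn)
    return conns


def remote_host(endpoint):
    """'58.64.132.141:80' -> '58.64.132.141' (rpartition also copes with IPv6 text)."""
    return endpoint.rpartition(":")[0]


def triage(conns, pid_names):
    """Attach a process name to each connection and list why it deserves a look:
    the PID is absent from the live process list (exited process, carved residue
    or garbage), or the peer lies outside private address space."""
    findings = []
    for conn in conns:
        reasons = []
        name = pid_names.get(conn.pid)
        if name is None:
            reasons.append("pid not in pslist")
        if not ipaddress.ip_address(remote_host(conn.remote)).is_private:
            reasons.append("remote address outside private ranges")
        findings.append((conn, name, reasons))
    return findings


def flagged_pids(findings):
    """Map PID -> reasons for the connections that raised at least one reason."""
    return {conn.pid: reasons for conn, _, reasons in findings if reasons}


if __name__ == "__main__":
    for conn, name, reasons in triage(parse_connscan(CONNSCAN_OUTPUT), PSLIST_NAMES):
        line = f"{conn.local:>22} -> {conn.remote:<20} pid={conn.pid} ({name or '?'})"
        print(line + (": " + "; ".join(reasons) if reasons else ""))
```

On the excerpt this singles out the svchost.exe (PID 1024) session to 58.64.132.141:80, the port 135 connection from PID 696 that pslist no longer knows, and the 1.0.0.0 residue.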
Sockets
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin sockets
Volatility Foundation Volatility Framework 2.6
Offset(V) PID Port Proto Protocol Address Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x8207f298 4 0 47 GRE 0.0.0.0 2012-11-26 22:04:05 UTC+0000
0x82041878 4 1065 6 TCP 0.0.0.0 2012-11-26 22:04:05 UTC+0000
0x821afc70 692 500 17 UDP 0.0.0.0 2012-11-26 22:03:35 UTC+0000
0x82195e98 4 137 17 UDP 172.16.150.20 2012-11-26 22:03:28 UTC+0000
0x82196d00 4 445 6 TCP 0.0.0.0 2012-11-26 22:03:27 UTC+0000
0x821a2e98 940 135 6 TCP 0.0.0.0 2012-11-26 22:03:32 UTC+0000
0x8204d008 1024 1291 6 TCP 0.0.0.0 2012-11-27 01:56:30 UTC+0000
0x8219ec08 4 138 17 UDP 172.16.150.20 2012-11-26 22:03:28 UTC+0000
0x821cf008 692 0 255 Reserved 0.0.0.0 2012-11-26 22:03:35 UTC+0000
0x821d4e98 1024 123 17 UDP 127.0.0.1 2012-11-26 22:03:35 UTC+0000
0x82082458 1068 1025 17 UDP 0.0.0.0 2012-11-26 22:03:34 UTC+0000
0x821c28e0 1024 123 17 UDP 172.16.150.20 2012-11-26 22:03:35 UTC+0000
0x82276228 4 1292 6 TCP 0.0.0.0 2012-11-27 01:56:50 UTC+0000
0x82095d50 1068 1026 17 UDP 0.0.0.0 2012-11-26 22:03:34 UTC+0000
0x8223d840 1116 1900 17 UDP 127.0.0.1 2012-11-26 22:04:04 UTC+0000
0x821cfd08 692 4500 17 UDP 0.0.0.0 2012-11-26 22:03:35 UTC+0000
0x822e2760 1116 1900 17 UDP 172.16.150.20 2012-11-26 22:04:04 UTC+0000
0x821976e8 4 445 17 UDP 0.0.0.0 2012-11-26 22:03:27 UTC+0000
0x8222cd00 4 139 6 TCP 172.16.150.20 2012-11-26 22:03:28 UTC+0000
0x820382f8 1888 1035 6 TCP 127.0.0.1 2012-11-26 22:03:35 UTC+0000
0x821d1d10 628 1040 17 UDP 127.0.0.1 2012-11-26 22:03:36 UTC+0000
or
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin sockscan
Volatility Foundation Volatility Framework 2.6
Offset(P) PID Port Proto Protocol Address Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01f60870 4 2947 6 TCP 172.16.150.20 2012-11-26 20:01:26 UTC+0000
0x02002880 692 1262 6 TCP 0.0.0.0 2012-11-27 01:31:16 UTC+0000
0x0201db78 512 1155 6 TCP 0.0.0.0 2012-11-26 23:11:32 UTC+0000
0x02022e98 1024 1290 6 TCP 0.0.0.0 2012-11-27 01:54:03 UTC+0000
0x02023880 4 1282 6 TCP 0.0.0.0 2012-11-27 01:45:26 UTC+0000
0x020382f8 1888 1035 6 TCP 127.0.0.1 2012-11-26 22:03:35 UTC+0000
0x02041878 4 1065 6 TCP 0.0.0.0 2012-11-26 22:04:05 UTC+0000
0x0204d008 1024 1291 6 TCP 0.0.0.0 2012-11-27 01:56:30 UTC+0000
0x0207b880 692 1032 6 TCP 0.0.0.0 2012-11-26 22:03:34 UTC+0000
0x0207f298 4 0 47 GRE 0.0.0.0 2012-11-26 22:04:05 UTC+0000
0x02082458 1068 1025 17 UDP 0.0.0.0 2012-11-26 22:03:34 UTC+0000
0x02095d50 1068 1026 17 UDP 0.0.0.0 2012-11-26 22:03:34 UTC+0000
0x0211ae00 1088 1025 17 UDP 0.0.0.0 2012-11-23 16:48:10 UTC+0000
0x0211f390 696 4500 17 UDP 0.0.0.0 2012-11-23 16:48:10 UTC+0000
0x0213cb68 696 0 255 Reserved 0.0.0.0 2012-11-23 16:48:10 UTC+0000
0x02195e98 4 137 17 UDP 172.16.150.20 2012-11-26 22:03:28 UTC+0000
0x02196d00 4 445 6 TCP 0.0.0.0 2012-11-26 22:03:27 UTC+0000
0x021976e8 4 445 17 UDP 0.0.0.0 2012-11-26 22:03:27 UTC+0000
0x0219ec08 4 138 17 UDP 172.16.150.20 2012-11-26 22:03:28 UTC+0000
0x021a2e98 940 135 6 TCP 0.0.0.0 2012-11-26 22:03:32 UTC+0000
0x021afc70 692 500 17 UDP 0.0.0.0 2012-11-26 22:03:35 UTC+0000
0x021c28e0 1024 123 17 UDP 172.16.150.20 2012-11-26 22:03:35 UTC+0000
0x021cf008 692 0 255 Reserved 0.0.0.0 2012-11-26 22:03:35 UTC+0000
0x021cfd08 692 4500 17 UDP 0.0.0.0 2012-11-26 22:03:35 UTC+0000
--SNiP--
Registry: locating the hives (the Virtual column gives the offset to pass to the other registry plugins)
1 $ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hivelist
2 Volatility Foundation Volatility Framework 2.6
3 Virtual Physical Name
4 ---------- ---------- ----
5 0xe1903008 0x08892008 \Device\HarddiskVolume1\Documents and Settings\callb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
6 0xe1968720 0x0c516720 \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
7 0xe183b008 0x078cd008 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
8 0xe1837b60 0x07917b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
9 0xe169c008 0x06f55008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
10 0xe16ab008 0x07126008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
11 0xe1460b60 0x05ab9b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
12 0xe1467b60 0x05bb2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
13 0xe1461008 0x05a6c008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
14 0xe1451758 0x057f3758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
15 0xe1345b60 0x02a4bb60 [no name]
16 0xe1035b60 0x02739b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
17 0xe102e008 0x02733008 [no name]
Registry: listing the keys of the SAM hive (-o takes the hive's virtual offset from hivelist)
1 $ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hivedump -o 0xe1461008
2 Volatility Foundation Volatility Framework 2.6
3 Last Written Key
4 2012-11-03 09:35:47 UTC+0000 \SAM
5 2012-11-03 09:35:47 UTC+0000 \SAM\SAM
6 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains
7 2012-11-26 19:32:35 UTC+0000 \SAM\SAM\Domains\Account
8 2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases
9 2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\000003E9
10 2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members
11 2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1390067357-920026266-725345543
12 2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000003EA
13 2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names
14 2012-11-03 15:49:40 UTC+0000 \SAM\SAM\Domains\Account\Aliases\Names\HelpServicesGroup
15 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups
16 2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Groups\00000201
17 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names
18 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Groups\Names\None
19 2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users
20 2012-11-03 20:27:30 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F4
21 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\000001F5
22 2012-11-03 15:48:33 UTC+0000 \SAM\SAM\Domains\Account\Users\000003E8
23 2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EA
24 2012-11-26 19:32:35 UTC+0000 \SAM\SAM\Domains\Account\Users\000003EC
25 2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users\Names
26 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\Administrator
27 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\Guest
28 2012-11-03 15:48:33 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\HelpAssistant
29 2012-11-03 15:49:50 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\SUPPORT_388945a0
30 2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Account\Users\Names\sysbackup
31 2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin
32 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases
33 2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000220
34 2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000221
35 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000222
36 2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000223
37 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000227
38 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\00000228
39 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\0000022B
40 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\0000022C
41 2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members
42 2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5
43 2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\00000004
44 2012-11-03 09:36:27 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\0000000B
45 2012-11-25 19:10:32 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543
46 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000001F4
47 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000001F5
48 2012-11-25 19:11:09 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1390067357-920026266-725345543\000003EC
49 2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903
50 2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000200
51 2012-11-03 21:20:16 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000201
52 2012-11-03 22:59:29 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-219294376-1976090562-3929857903\00000453
53 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names
54 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Administrators
55 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Backup Operators
56 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Guests
57 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Network Configuration Operators
58 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Power Users
59 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Remote Desktop Users
60 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Replicator
61 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Aliases\Names\Users
62 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Groups
63 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Groups\Names
64 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Users
65 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\Domains\Builtin\Users\Names
66 2012-11-03 09:35:47 UTC+0000 \SAM\SAM\RXACT
User and group names are visible under Users\Names and Aliases\Names. Note the account sysbackup, which is not one of the XP defaults and whose key was last written on 2012-11-25; its RID 0x3EC (1004) appears under Users and in the Administrators alias (Builtin\Aliases\Members\...\000003EC).
Printing a registry key (with -K, printkey searches every hive for the path, hence the several hits below):
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey -K "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
2 Volatility Foundation Volatility Framework 2.6
3 Legend: (S) = Stable (V) = Volatile
4
5 ----------------------------
6 Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
7 Key name: Internet Settings (S)
8 Last updated: 2012-11-24 18:20:49 UTC+0000
9
10 Subkeys:
11 (S) 5.0
12 (S) Cache
13 (S) Connections
14 (S) Lockdown_Zones
15 (S) Passport
16 (S) ZoneMap
17 (S) Zones
18
19 Values:
20 REG_SZ User Agent : (S) Mozilla/4.0 (compatible; MSIE 8.0; Win32)
21 REG_SZ IE5_UA_Backup_Flag : (S) 5.0
22 REG_DWORD NoNetAutodial : (S) 0
23 REG_DWORD MigrateProxy : (S) 1
24 REG_DWORD EnableNegotiate : (S) 1
25 REG_DWORD ProxyEnable : (S) 0
26 REG_SZ EmailName : (S) IEUser@
27 REG_SZ AutoConfigProxy : (S) wininet.dll
28 REG_SZ MimeExclusionListForCache : (S) multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
29 REG_BINARY WarnOnPost : (S)
30 0x00000000 01 00 00 00 ....
31 REG_BINARY UseSchannelDirectly : (S)
32 0x00000000 01 00 00 00 ....
33 REG_DWORD EnableHttp1_1 : (S) 1
34 REG_DWORD PrivacyAdvanced : (S) 0
35 REG_DWORD UrlEncoding : (S) 0
36 REG_DWORD SecureProtocols : (S) 160
37 REG_DWORD PrivDiscUiShown : (S) 1
38 REG_BINARY ZonesSecurityUpgrade : (S)
39 0x00000000 90 98 08 d8 9f c9 cd 01 ........
40 REG_DWORD DisableCachingOfSSLPages : (S) 0
41 REG_DWORD WarnonZoneCrossing : (S) 0
42 ----------------------------
43 Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
44 Key name: Internet Settings (S)
45 Last updated: 2012-11-03 15:53:16 UTC+0000
46
47 Subkeys:
48 (S) 5.0
49 (S) Cache
50 (S) Connections
51 (S) Passport
52 (S) ZoneMap
53 (S) Zones
54
55 Values:
56 REG_SZ User Agent : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
57 REG_SZ IE5_UA_Backup_Flag : (S) 5.0
58 REG_DWORD NoNetAutodial : (S) 0
59 REG_DWORD MigrateProxy : (S) 0
60 REG_DWORD EnableNegotiate : (S) 1
61 REG_DWORD ProxyEnable : (S) 0
62 ----------------------------
63 Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
64 Key name: Internet Settings (S)
65 Last updated: 2012-11-03 15:49:42 UTC+0000
66
67 Subkeys:
68 (S) 5.0
69 (S) Cache
70 (S) Connections
71 (S) Passport
72 (S) ZoneMap
73 (S) Zones
74
75 Values:
76 REG_SZ User Agent : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
77 REG_SZ IE5_UA_Backup_Flag : (S) 5.0
78 REG_DWORD NoNetAutodial : (S) 0
79 REG_DWORD MigrateProxy : (S) 0
80 REG_DWORD EnableNegotiate : (S) 1
81 REG_DWORD ProxyEnable : (S) 0
82 ----------------------------
83 Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
84 Key name: Internet Settings (S)
85 Last updated: 2012-11-03 15:53:16 UTC+0000
86
87 Subkeys:
88 (S) 5.0
89 (S) Cache
90 (S) Connections
91 (S) Passport
92 (S) ZoneMap
93 (S) Zones
94
95 Values:
96 REG_SZ User Agent : (S) Mozilla/4.0 (compatible; MSIE 6.0; Win32)
97 REG_SZ IE5_UA_Backup_Flag : (S) 5.0
98 REG_DWORD NoNetAutodial : (S) 0
99 REG_DWORD MigrateProxy : (S) 0
100 REG_DWORD EnableNegotiate : (S) 1
101 REG_DWORD ProxyEnable : (S) 0
or through a hive offset (0xe1460b60 is \Device\HarddiskVolume1\WINDOWS\system32\config\software in the hivelist output); without a key, the root of the hive is printed:
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60
2 Volatility Foundation Volatility Framework 2.6
3 Legend: (S) = Stable (V) = Volatile
4
5 ----------------------------
6 Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
7 Key name: $$$PROTO.HIV (S)
8 Last updated: 2012-11-03 15:56:53 UTC+0000
9
10 Subkeys:
11 (S) C07ft5Y
12 (S) Classes
13 (S) Clients
14 (S) Gemplus
15 (S) Microsoft
16 (S) ODBC
17 (S) Policies
18 (S) Program Groups
19 (S) Schlumberger
20 (S) Secure
21 (S) Windows 3.1 Migration Status
22
23 Values:
Now the contents of the Clients subkey:
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60 --key Clients
2 Volatility Foundation Volatility Framework 2.6
3 Legend: (S) = Stable (V) = Volatile
4
5 ----------------------------
6 Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
7 Key name: Clients (S)
8 Last updated: 2012-11-03 15:50:15 UTC+0000
9
10 Subkeys:
11 (S) Contacts
12 (S) IM
13 (S) Internet Call
14 (S) JavaVM
15 (S) Mail
16 (S) Media
17 (S) News
18 (S) StartMenuInternet
19
20 Values:
And so on down the tree, until the value of interest in a subkey is reached:
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin printkey --hive-offset 0xe1460b60 --key "Clients\Contacts\Address Book\shell\open\command"
2 Volatility Foundation Volatility Framework 2.6
3 Legend: (S) = Stable (V) = Volatile
4
5 ----------------------------
6 Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
7 Key name: command (S)
8 Last updated: 2012-11-03 15:50:15 UTC+0000
9
10 Subkeys:
11
12 Values:
13 REG_SZ : (S) "C:\Program Files\Outlook Express\wab.exe" /showexisting
Note:
printkey is also the way to list the programs started at logon, by checking these keys in the software hive (machine-wide) and in each NTUSER.DAT (per user):
- Software\Microsoft\Windows\CurrentVersion\Run
- Software\Microsoft\Windows\CurrentVersion\RunOnce
Extracting the password hashes stored in the SAM hive (hashdump decrypts them with the boot key taken from the system hive)
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin hashdump
2 Volatility Foundation Volatility Framework 2.6
3 Administrator:500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
4 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
5 HelpAssistant:1000:42dbf333659cabcd0b546a25124a5476:dfd19a421051e8329e0c7b5aa7fe7dbe:::
6 SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:5168fdd9d699311c78acabde3c849622:::
7 sysbackup:1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
Each line reads user:RID:LM hash:NTLM hash:::. An LM field of aad3b435b51404eeaad3b435b51404ee means there is no LM hash (LM storage disabled or password longer than 14 characters), and an NTLM field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty password (Guest here).
The hashes have to be cracked by dictionary or brute force (john, or hashcat mode 1000 for NTLM); since NTLM is unsalted, rainbow tables also apply. Keep in mind that an NTLM hash is usable as-is for pass-the-hash, so these lines are credentials in their own right.
Dumping the LSA secrets
./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin lsadump
Volatility Foundation Volatility Framework 2.6
_SC_Alerter
0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0x00000000 54 00 6b 00 24 00 37 00 43 00 6c 00 75 00 58 00 T.k.$.7.C.l.u.X.
0x00000010 47 00 7a 00 57 00 56 00 4b 00 30 00 00 00 G.z.W.V.K.0...
0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0x00000000 01 05 00 00 00 00 00 05 15 00 00 00 9d be da 52 ...............R
0x00000010 9a 7c d6 36 07 e5 3b 2b e8 03 00 00 .|.6..;+....
_SC_WebClient
20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT
_SC_SSDPSRV
DPAPI_SYSTEM
0x00000000 01 00 00 00 41 fb ae d7 f4 40 54 e3 ce be c5 dd ....A....@T.....
0x00000010 95 3d 8d b4 22 54 e8 eb db 20 d0 d5 c2 93 1f 58 .=.."T.........X
0x00000020 71 e1 ff 6f 6d cb a0 2f f6 16 0a 15 q..om../....
_SC_MSDTC
SAC
0x00000000 02 00 00 00 ....
L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75
0x00000000 52 53 41 32 48 00 00 00 00 02 00 00 3f 00 00 00 RSA2H.......?...
0x00000010 01 00 01 00 8b 5d 4b f9 38 ab 8c 9e b0 8b 69 1b .....]K.8.....i.
0x00000020 98 10 60 ae 35 e2 c8 71 cb d9 43 e4 0d 65 07 8d ..`.5..q..C..e..
0x00000030 6d 19 d8 a2 87 c1 e0 4e 28 41 4d d5 0b ce 68 22 m......N(AM...h"
0x00000040 be 9e 91 93 0b fc 00 57 fa 31 16 6b 20 62 d7 6a .......W.1.k.b.j
0x00000050 7a 87 67 bc 00 00 00 00 00 00 00 00 53 6d 42 38 z.g.........SmB8
0x00000060 8e fb f4 de ab 93 74 d9 a1 e8 ad de f5 7c 5b f6 ......t......|[.
0x00000070 df b7 20 db ae bd 3d b8 38 02 50 f6 00 00 00 00 ......=.8.P.....
0x00000080 e9 0f 1a 62 31 70 70 90 e0 71 b8 58 3c 9f 81 a0 ...b1pp..q.X<...
0x00000090 1f e6 ff 85 02 87 94 d2 51 0c 8d 31 5f 79 d0 c3 ........Q..1_y..
0x000000a0 00 00 00 00 3f 35 da 1c 5a 35 15 cc 59 75 48 19 ....?5..Z5..YuH.
0x000000b0 d6 1e c2 ae 7e 4b c6 a0 44 df a8 25 0b 73 f1 ed ....~K..D..%.s..
0x000000c0 e8 c8 e8 b4 00 00 00 00 b9 b3 37 67 47 32 ad 30 ..........7gG2.0
0x000000d0 f6 f5 38 3a c2 ed a5 92 e6 59 2f 32 77 76 20 f2 ..8:.....Y/2wv..
0x000000e0 73 e5 83 6a 6c 42 c1 2c 00 00 00 00 ac 9d ed cc s..jlB.,........
0x000000f0 c0 db b8 5c 8e e9 57 fb c7 90 58 aa a5 64 3b c5 ...\..W...X..d;.
0x00000100 74 ab 5c e9 31 94 eb 91 04 47 03 98 00 00 00 00 t.\.1....G......
0x00000110 91 8f 2a ac 34 76 56 66 11 ab 8a 56 89 24 48 1b ..*.4vVf...V.$H.
0x00000120 8f bd d2 dd 3e e1 4a 73 bd 85 7f e5 16 fc b0 88 ....>.Js........
0x00000130 ae 76 4b 4e 43 0b e3 2c 45 6a ee 3b 95 77 89 a7 .vKNC..,Ej.;.w..
0x00000140 a3 fd 4f b1 0f f8 d9 57 d7 25 c8 3f 54 ac bb 44 ..O....W.%.?T..D
0x00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000170 00 00 00 00 00 00 00 00 00 00 00 00 ............
$MACHINE.ACC
0x00000000 2b 00 41 00 3b 00 64 00 68 00 7a 00 6a 00 25 00 +.A.;.d.h.z.j.%.
0x00000010 6f 00 3c 00 38 00 78 00 70 00 44 00 40 00 2c 00 o.<.8.x.p.D.@.,.
0x00000020 70 00 35 00 76 00 29 00 43 00 3a 00 70 00 32 00 p.5.v.).C.:.p.2.
0x00000030 25 00 3f 00 31 00 4e 00 6b 00 78 00 26 00 35 00 %.?.1.N.k.x.&.5.
0x00000040 4f 00 55 00 21 00 63 00 5b 00 77 00 74 00 35 00 O.U.!.c.[.w.t.5.
0x00000050 42 00 67 00 56 00 27 00 72 00 34 00 70 00 37 00 B.g.V.'.r.4.p.7.
0x00000060 2f 00 6c 00 57 00 63 00 5b 00 60 00 58 00 57 00 /.l.W.c.[.`.X.W.
0x00000070 50 00 70 00 4e 00 2f 00 2e 00 64 00 24 00 49 00 P.p.N./...d.$.I.
0x00000080 2e 00 55 00 62 00 63 00 2d 00 37 00 63 00 20 00 ..U.b.c.-.7.c...
0x00000090 24 00 2d 00 61 00 70 00 28 00 40 00 3f 00 49 00 $.-.a.p.(.@.?.I.
0x000000a0 37 00 53 00 36 00 53 00 44 00 28 00 55 00 2d 00 7.S.6.S.D.(.U.-.
0x000000b0 7a 00 62 00 64 00 51 00 48 00 67 00 54 00 32 00 z.b.d.Q.H.g.T.2.
0x000000c0 26 00 20 00 75 00 5c 00 72 00 67 00 6b 00 28 00 &...u.\.r.g.k.(.
0x000000d0 67 00 61 00 3f 00 79 00 2b 00 47 00 47 00 45 00 g.a.?.y.+.G.G.E.
0x000000e0 2a 00 45 00 5f 00 30 00 2f 00 32 00 51 00 73 00 *.E._.0./.2.Q.s.
_SC_Dnscache
_SC_LmHosts
_SC_ALG
_SC_RpcLocator
_SC_upnphost
G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}
0x00000000 93 19 18 48 e4 9c 0b 46 90 79 b2 e2 60 03 d7 79 ...H...F.y..`..y
L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
0x00000000 80 96 f2 dc 27 18 ce 01 ....'...
DefaultPassword
NL$KM
0x00000000 b5 17 53 78 5f bb f3 0b fe ab 2e 43 5f 0a b6 8d ..Sx_......C_...
0x00000010 fd 9d 1f df 6b 9b 67 a6 51 81 ba a0 77 f9 5f f1 ....k.g.Q...w._.
0x00000020 dc cc f9 3c 80 15 8c 16 44 cc 0f 74 c1 7f 8e e4 ...<....D..t....
0x00000030 b6 70 09 d6 af 31 e2 ed b6 c3 02 21 6d 0e c3 8c .p...1.....!m...
L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
0x00000000 ff 62 37 13 60 5a 8b 2b 4f 0e 28 c4 d8 97 be 54 .b7.`Z.+O.(....T
0x00000010 0e 90 24 1a 4c 91 8d 8a 6d 6b 69 71 53 7e d4 f8 ..$.L...mkiqS~..
0x00000020 b5 95 03 47 4b e3 27 9c 0a 9b 1f ed 9b 51 ed 7c ...GK.'......Q.|
0x00000030 76 ec 2b 5f 03 5e aa 5a v.+_.^.Z
SAI
0x00000000 02 00 00 00 ....
Examples of interesting entries:
- $MACHINE.ACC: has to do with domain authentication, see KB175468
- DefaultPassword: password used to logon to Windows if auto-logon is enabled
- NL$KM: secret key used to encrypt cached domain passwords
- L$RTMTIMEBOMB_[...]: FILETIME giving the date when an unactivated copy of Windows will stop working
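The hexdumps above are only useful once turned back into bytes and interpreted. The following Python is an added example, not part of the original page or of Volatility: it parses the lsadump text (a subset of the output above, copied verbatim as constructed input), decodes the UTF-16LE secrets, decodes the RemoteDesktopHelpAssistantSID binary SID, and converts the L$RTMTIMEBOMB FILETIME to a date. The regex assumes Volatility's hexdump layout (offset, up to 16 hex bytes, ASCII column).

```python
"""Re-interpret lsadump hexdumps: UTF-16LE secrets, a binary SID and a FILETIME."""
import re
from datetime import datetime, timedelta

# One hexdump line: 0x<offset>, 1..16 hex bytes, then the ASCII column.
HEX_LINE = re.compile(r"^0x[0-9a-f]{8}((?:\s+[0-9a-f]{2}){1,16})\s+\S.*$")


def parse_lsadump(text):
    """Map secret name -> raw bytes.

    Any line that is not a hexdump line starts a new secret; the hexdump lines
    that follow belong to it. Secrets printed without data stay empty.
    """
    secrets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Volatility Foundation"):
            continue
        m = HEX_LINE.match(line)
        if m and current is not None:
            secrets[current] += bytes.fromhex("".join(m.group(1).split()))
        else:
            current = line
            secrets.setdefault(current, b"")
    return secrets


def utf16_secret(data):
    """Service-account, $MACHINE.ACC and DefaultPassword secrets are UTF-16LE text,
    sometimes NUL-terminated."""
    return data.decode("utf-16-le", errors="replace").rstrip("\x00")


def decode_sid(data):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority,
    then count x 32-bit little-endian sub-authorities."""
    rev, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = [int.from_bytes(data[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def filetime_to_datetime(data):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC, little-endian 64-bit."""
    ticks = int.from_bytes(data[:8], "little")
    return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)


# Constructed input: lines copied from the lsadump output above.
LSADUMP = """\
_SC_Alerter
0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0x00000000 54 00 6b 00 24 00 37 00 43 00 6c 00 75 00 58 00 T.k.$.7.C.l.u.X.
0x00000010 47 00 7a 00 57 00 56 00 4b 00 30 00 00 00 G.z.W.V.K.0...
0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0x00000000 01 05 00 00 00 00 00 05 15 00 00 00 9d be da 52 ...............R
0x00000010 9a 7c d6 36 07 e5 3b 2b e8 03 00 00 .|.6..;+....
_SC_WebClient
L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
0x00000000 80 96 f2 dc 27 18 ce 01 ....'...
DefaultPassword
SAI
0x00000000 02 00 00 00 ....
"""
ACCOUNT = "0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount"
SID = "0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID"
TIMEBOMB = "L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588"

if __name__ == "__main__":
    s = parse_lsadump(LSADUMP)
    print("HelpAssistant password:", utf16_secret(s[ACCOUNT]))
    print("HelpAssistant SID     :", decode_sid(s[SID]))
    print("Activation time bomb  :", filetime_to_datetime(s[TIMEBOMB]))
    print("DefaultPassword set   :", bool(s["DefaultPassword"]))
```

The decoded SID ends in RID 1000, which matches the HelpAssistant line of hashdump, and the FILETIME lands a few months after the image date, consistent with a not-yet-activated XP.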
Cached domain credentials (format user:hash:domain:domain DNS name; on XP/2003 these are MS Cache v1 hashes, MD4(NTLM hash || lowercase username in UTF-16LE), so they are salted by the username, cannot be replayed like SAM hashes, and must be cracked, e.g. with hashcat mode 1100; note the cached domain administrator next to the local user callb)
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin cachedump
2 Volatility Foundation Volatility Framework 2.6
3 administrator:00c2bcc2230054581d3551a9fdcf4893:petro-market:petro-market.org
4 callb:178526e1cb2fdfc36d764595f1ddd0f7:petro-market:petro-market.org
Shellbags
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin shellbags
2 Volatility Foundation Volatility Framework 2.6
3 Scanning for registries....
4 Gathering shellbag items and building path tree...
5
6 Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
7 Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU
8 Last updated: 2012-11-24 18:12:40 UTC+0000
9 Value Mru Entry Type GUID GUID Description Folder IDs
10 ------- ----- -------------- ---------------------------------------- -------------------- ----------
11 0 0 Folder Entry 20d04fe0-3aea-1069-a2d8-08002b30309d My Computer EXPLORER, MY_COMPUTER
12
13
14
15 Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
16 Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0
17 Last updated: 2012-11-24 18:12:40 UTC+0000
18 Value Mru Entry Type Path
19 ------- ----- -------------- ----
20 0 1 Volume Name Z:\
21
Shellbags record the folders a user browsed in Explorer; the view settings persist even after the folder or the drive is gone, as with the Z:\ volume above.
Reference: Korben, Shellbags.
User activity (UserAssist)
1 $ ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin userassist
2 Volatility Foundation Volatility Framework 2.6
3 ----------------------------
4 Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
5 Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
6 Last updated: 2012-11-24 18:12:53 UTC+0000
7
8 Subkeys:
9
10 Values:
11
12 REG_BINARY UEME_CTLSESSION : Raw Data:
13 0x00000000 7a 53 6e 0e 03 00 00 00 zSn.....
14 ----------------------------
15 Registry: \Device\HarddiskVolume1\Documents and Settings\callb\NTUSER.DAT
16 Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{75048700-EF1F-11D0-9888-006097DEACF9}\Count
17 Last updated: 2012-11-27 01:56:21 UTC+0000
18
19 Subkeys:
20
21 Values:
22
23 REG_BINARY UEME_CTLSESSION : Raw Data:
24 0x00000000 93 60 6e 0e 03 00 00 00 .`n.....
25
26 REG_BINARY UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk :
27 ID: 1
28 Count: 14
29 Last updated: 2012-11-03 22:53:49 UTC+0000
30 Raw Data:
31 0x00000000 01 00 00 00 13 00 00 00 00 f7 81 16 16 ba cd 01 ................
32
33 REG_BINARY UEME_RUNPIDL:%csidl2%\MSN Explorer.lnk :
34 ID: 1
35 Count: 13
36 Last updated: 2012-11-03 22:53:49 UTC+0000
37 Raw Data:
38 0x00000000 01 00 00 00 12 00 00 00 00 f7 81 16 16 ba cd 01 ................
39
40 REG_BINARY UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk :
41 ID: 1
42 Count: 12
43 Last updated: 2012-11-03 22:53:49 UTC+0000
44 Raw Data:
45 0x00000000 01 00 00 00 11 00 00 00 00 f7 81 16 16 ba cd 01 ................
UserAssist values are ROT13-encoded in the hive; the plugin decodes them and gives, for each program launched through Explorer, a run count and the time of the last execution.
Dumping the registry hives
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin dumpregistry -D dump
2 Volatility Foundation Volatility Framework 2.6
3
4 Writing out registry: registry.0xe1968720.NTUSERDAT.reg
5
6
7
8 Writing out registry: registry.0xe1837b60.NTUSERDAT.reg
9
10
11
12 Writing out registry: registry.0xe1467b60.default.reg
13
14
15
16 Writing out registry: registry.0xe102e008.no_name.reg
17
18
19
20 Writing out registry: registry.0xe1903008.UsrClassdat.reg
21
22
23
24 Writing out registry: registry.0xe1035b60.system.reg
25
26 Physical layer returned None for index 3000, filling with NULL
27 Physical layer returned None for index 4000, filling with NULL
28 Physical layer returned None for index e000, filling with NULL
29 Physical layer returned None for index 10000, filling with NULL
30 Physical layer returned None for index 11000, filling with NULL
31 Physical layer returned None for index 12000, filling with NULL
32 Physical layer returned None for index 1c000, filling with NULL
33 Physical layer returned None for index 1d000, filling with NULL
34 Physical layer returned None for index 1e000, filling with NULL
35 Physical layer returned None for index 31000, filling with NULL
36 Physical layer returned None for index 32000, filling with NULL
37 Physical layer returned None for index 34000, filling with NULL
38 Physical layer returned None for index 35000, filling with NULL
39 Physical layer returned None for index 37000, filling with NULL
40 Physical layer returned None for index 3a000, filling with NULL
41 Physical layer returned None for index 3b000, filling with NULL
42 Physical layer returned None for index 3e000, filling with NULL
43 Physical layer returned None for index 46000, filling with NULL
44 Physical layer returned None for index 47000, filling with NULL
45 Physical layer returned None for index 48000, filling with NULL
46 Physical layer returned None for index 4a000, filling with NULL
47 Physical layer returned None for index 4f000, filling with NULL
48 Physical layer returned None for index 50000, filling with NULL
49 Physical layer returned None for index 51000, filling with NULL
50 Physical layer returned None for index 5a000, filling with NULL
51 Physical layer returned None for index ba000, filling with NULL
52 Physical layer returned None for index c5000, filling with NULL
53 Physical layer returned None for index c6000, filling with NULL
54 Physical layer returned None for index c7000, filling with NULL
55 Physical layer returned None for index 167000, filling with NULL
56 Physical layer returned None for index 168000, filling with NULL
57 Physical layer returned None for index 16a000, filling with NULL
58 Physical layer returned None for index 16b000, filling with NULL
59 Physical layer returned None for index 16c000, filling with NULL
60 Physical layer returned None for index 16d000, filling with NULL
61 Physical layer returned None for index 1a7000, filling with NULL
62 Physical layer returned None for index 1a9000, filling with NULL
63 Physical layer returned None for index 1aa000, filling with NULL
64 Physical layer returned None for index 1ab000, filling with NULL
65 Physical layer returned None for index 1ae000, filling with NULL
66 Physical layer returned None for index 1b4000, filling with NULL
67 Physical layer returned None for index 1b6000, filling with NULL
68 Physical layer returned None for index 1b7000, filling with NULL
69 Physical layer returned None for index 1c3000, filling with NULL
70 Physical layer returned None for index 1f0000, filling with NULL
71 Physical layer returned None for index 24a000, filling with NULL
72 Physical layer returned None for index 257000, filling with NULL
73 Physical layer returned None for index 258000, filling with NULL
74 Physical layer returned None for index 259000, filling with NULL
75 Physical layer returned None for index 25a000, filling with NULL
76 Physical layer returned None for index 25b000, filling with NULL
77 Physical layer returned None for index 25f000, filling with NULL
78 Physical layer returned None for index 260000, filling with NULL
79 Physical layer returned None for index 273000, filling with NULL
80 Physical layer returned None for index 284000, filling with NULL
81 Physical layer returned None for index 288000, filling with NULL
82 Physical layer returned None for index 289000, filling with NULL
83 Physical layer returned None for index 296000, filling with NULL
84 Physical layer returned None for index 297000, filling with NULL
85 Physical layer returned None for index 298000, filling with NULL
86 Physical layer returned None for index 299000, filling with NULL
87 Physical layer returned None for index 29a000, filling with NULL
88 Physical layer returned None for index 29b000, filling with NULL
89 Physical layer returned None for index 2b2000, filling with NULL
90 Physical layer returned None for index 2b7000, filling with NULL
91 Physical layer returned None for index 2ca000, filling with NULL
92 Physical layer returned None for index 2d4000, filling with NULL
93 Physical layer returned None for index 2f0000, filling with NULL
94 Physical layer returned None for index 2f1000, filling with NULL
95 Physical layer returned None for index 2f3000, filling with NULL
96
97
98 Writing out registry: registry.0xe16ab008.NTUSERDAT.reg
99
100
101
102 Writing out registry: registry.0xe1461008.SAM.reg
103
104
105
106 Writing out registry: registry.0xe1460b60.software.reg
107
108
109
110 Writing out registry: registry.0xe183b008.UsrClassdat.reg
111
112
113
114 Writing out registry: registry.0xe1451758.SECURITY.reg
115
116
117
118 Writing out registry: registry.0xe1345b60.no_name.reg
119
120
121 **************************************************
122 Writing out registry: registry.0xe169c008.UsrClassdat.reg
The files written here are raw hive images, not text .reg exports: xxd shows the bytes, and any hive parser (RegRipper, for instance) can open them. The "Physical layer returned None ... filling with NULL" messages mean those pages of the hive were not resident in memory, so the extracted hive has holes filled with zeros and some keys may be missing.
Memory map (virtual to physical mapping, one table per process; -p restricts it to a PID)
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin memmap
2 Volatility Foundation Volatility Framework 2.6
3 System pid: 4
4 Virtual Physical Size DumpFileOffset
5 ---------- ---------- ---------- --------------
6 0x00010000 0x02725000 0x1000 0x0
7 0x00011000 0x02726000 0x1000 0x1000
8 0x00012000 0x02727000 0x1000 0x2000
9 0x00013000 0x02708000 0x1000 0x3000
10 0x00014000 0x02709000 0x1000 0x4000
11 0x00015000 0x0270a000 0x1000 0x5000
12 0x00016000 0x0270b000 0x1000 0x6000
13 0x00017000 0x0270c000 0x1000 0x7000
14 0x00018000 0x0270d000 0x1000 0x8000
15 0x00019000 0x0270e000 0x1000 0x9000
16 0x0001a000 0x0270f000 0x1000 0xa000
17 0x0001b000 0x02710000 0x1000 0xb000
18 0x0001c000 0x02711000 0x1000 0xc000
19 0x0001d000 0x02712000 0x1000 0xd000
20 0x0001e000 0x02713000 0x1000 0xe000
21 0x0001f000 0x02714000 0x1000 0xf000
22 0x00020000 0x02715000 0x1000 0x10000
23 0x00021000 0x02716000 0x1000 0x11000
24 --SNiP--
Process memory dump (memdump writes every addressable page of the process, i.e. the pages memmap lists)
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin memdump -p 556 -D dump
2 Volatility Foundation Volatility Framework 2.6
3 ************************************************************************
4 Writing ctfmon.exe [ 556] to 556.dmp
The output directory (dump here) has to exist beforehand.
Without a PID, every process is dumped.
Process executable dump (procdump rebuilds the PE from memory, so headers and imports can differ from the file on disk)
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin procdump -p 556 -D dump
2 Volatility Foundation Volatility Framework 2.6
3 Process(V) ImageBase Name Result
4 ---------- ---------- -------------------- ------
5 0x822408d0 0x00400000 ctfmon.exe OK: executable.556.exe
Event log dump
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin evtlogs -D dump
2 Volatility Foundation Volatility Framework 2.6
3 Parsed data sent to internet.txt
4 Parsed data sent to appevent.txt
5 Parsed data sent to sysevent.txt
6 Parsed data sent to secevent.txt
The --save-evt option also writes out the raw .evt files, which can then be opened in Event Viewer or another parser.
IE history
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin iehistory
2 Volatility Foundation Volatility Framework 2.6
3 **************************************************
4 Process: 284 explorer.exe
5 Cache type "DEST" at 0xdcb69
6 Last modified: 2012-11-26 17:01:53 UTC+0000
7 Last accessed: 2012-11-26 23:01:54 UTC+0000
8 URL: callb@http://58.64.132.8/download/Symantec-1.43-1.exe
This index.dat record from explorer.exe shows user callb fetching Symantec-1.43-1.exe from the bare IP 58.64.132.8 on 2012-11-26, a lead worth pivoting on in the timeline.
Timeline (timeliner aggregates timestamps from processes, handles, registry keys and other sources, not only processes)
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin timeliner
2 Volatility Foundation Volatility Framework 2.6
3 2012-11-27 01:57:28 UTC+0000|[LIVE RESPONSE]| (System time)|
4 2012-11-26 22:03:29 UTC+0000|[PROCESS]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
5 2012-11-26 22:03:29 UTC+0000|[PROCESS LastTrimTime]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
6 2012-11-26 22:03:29 UTC+0000|[Handle (Key)]| MACHINE| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
7 2012-11-24 18:05:47 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\CLASSES| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
8 2012-11-27 00:48:19 UTC+0000|[Handle (Key)]| USER\.DEFAULT| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
9 2012-11-23 16:26:23 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
10 2012-11-23 16:26:23 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
11 2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPT32CHAIN| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
12 2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPTNET| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
13 2012-11-03 15:49:58 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\SCLGNTFY| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
14 2012-11-26 22:03:30 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\CONTROL\LSA| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
15 --SNiP--
The output is not in chronological order: sort it yourself, or use --output=body to produce mactime body format.
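As an added example (not part of the original page or of Volatility), the Python below parses timeliner's pipe-delimited lines, sorts them, counts events by type and extracts the events within a window around a pivot timestamp, which is how the IE download time or the image time above would be used in practice. The sample lines are copied from the timeliner output above; the pivot and window are constructed choices.

```python
"""Sort and pivot on Volatility timeliner output."""
import re
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
# <timestamp> UTC+0000|[<kind>]| <details...>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000\|\[(?P<kind>[^\]]+)\]\|\s*(?P<rest>.*)$"
)


def parse_timeliner(text):
    """Return the events sorted by time; banner and --SNiP-- lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], TS_FMT),
                       "kind": m["kind"], "detail": m["rest"]})
    return sorted(events, key=lambda e: e["ts"])


def count_by_kind(events):
    return Counter(e["kind"] for e in events)


def around(events, pivot, minutes):
    """Events within +/- minutes of the pivot timestamp (inclusive)."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    return [e for e in events if lo <= e["ts"] <= hi]


# Constructed input: lines copied from the timeliner output above.
TIMELINER = r"""
Volatility Foundation Volatility Framework 2.6
2012-11-27 01:57:28 UTC+0000|[LIVE RESPONSE]| (System time)|
2012-11-26 22:03:29 UTC+0000|[PROCESS]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[PROCESS LastTrimTime]| winlogon.exe| PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:29 UTC+0000|[Handle (Key)]| MACHINE| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-24 18:05:47 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\CLASSES| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-27 00:48:19 UTC+0000|[Handle (Key)]| USER\.DEFAULT| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-23 16:26:23 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-03 09:36:28 UTC+0000|[Handle (Key)]| MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\CRYPT32CHAIN| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
2012-11-26 22:03:30 UTC+0000|[Handle (Key)]| MACHINE\SYSTEM\CONTROLSET001\CONTROL\LSA| winlogon.exe PID: 628/PPID: 356/POffset: 0x02189da0
--SNiP--
"""
IMAGE_TIME = datetime(2012, 11, 27, 1, 57, 28)     # from the [LIVE RESPONSE] line

if __name__ == "__main__":
    evs = parse_timeliner(TIMELINER)
    for e in evs:
        print(e["ts"], e["kind"], e["detail"][:60])
    print(count_by_kind(evs))
    print("last 90 minutes before the capture:",
          [(e["ts"].isoformat(), e["kind"]) for e in around(evs, IMAGE_TIME, 90)])
```

On a real image the same functions apply to the full timeliner output redirected to a file; the pivot is typically a timestamp pulled from another plugin, such as the iehistory record above.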
YARA
YARA is a pattern-matching tool widely used in malware analysis: rules describe strings and byte patterns, and yarascan runs them over process and kernel memory. -Y takes a single string or pattern, as below; -y takes a rules file.
1 ./vol.py --profile=WinXPSP2x86 -f /tmp/sample001.bin yarascan -Y http
2 Volatility Foundation Volatility Framework 2.6
3 Rule: r1
4 Owner: Process csrss.exe Pid 604
5 0x008105df 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69 https://www.veri
6 0x008105ef 73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29 sign.com/rpa.(c)
7 0x008105ff 30 31 31 27 30 25 06 03 55 04 03 13 1e 56 65 72 011'0%..U....Ver
8 0x0081060f 69 53 69 67 6e 20 54 69 6d 65 20 53 74 61 6d 70 iSign.Time.Stamp
9 0x0081061f 69 6e 67 20 53 65 72 76 69 63 65 30 82 01 22 30 ing.Service0.."0
10 0x0081062f 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 ...*.H..........
11 0x0081063f 01 0f 00 30 82 01 0a 02 82 01 01 00 c0 7a 61 87 ...0.........za.
12 0x0081064f eb b2 a7 03 63 1b 2b 1a 61 de 80 b7 15 1d a0 8b ....c.+.a.......
13 0x0081065f 90 3d bb 27 92 84 14 39 eb 85 ce 29 92 06 66 48 .=.'...9...)..fH
14 0x0081066f a4 03 4f 8d e8 4f a7 f0 af 5e d1 2f 19 c7 91 f1 ..O..O...^./....
15 0x0081067f b5 9e 7b 91 21 ce e9 ff e3 4e f0 fc af 95 58 b8 ..{.!....N....X.
16 0x0081068f 63 2d e6 8e f6 29 18 cd 70 8e 50 c3 ed 96 bb 40 c-...)..p.P....@
17 0x0081069f db be 25 e8 42 55 d6 f6 85 f2 06 e7 8b 99 1c 31 ..%.BU.........1
18 0x008106af f3 03 0f d4 4c 9c 24 2a dc 1b 1b 8f 82 f3 b0 ef ....L.$*........
19 0x008106bf a7 4d e3 14 a7 e0 8f d6 c7 68 c2 61 58 a9 72 d4 .M.......h.aX.r.
20 0x008106cf f8 30 48 4f d9 2f 6f 63 20 d9 89 ca 82 7b c2 4b .0HO./oc.....{.K
21 Rule: r1
22 Owner: Process csrss.exe Pid 604
23 0x00810774 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 76 65 72 69 http://ocsp.veri
24 0x00810784 73 69 67 6e 2e 63 6f 6d 2f 6f 63 73 70 2f 73 74 sign.com/ocsp/st
25 0x00810794 61 74 75 73 30 09 06 03 55 1d 13 04 02 30 00 30 atus0...U....0.0
26 0x008107a4 44 06 03 55 1d 20 04 3d 30 3b 30 39 06 0b 60 86 D..U...=0;09..`.
27 0x008107b4 48 01 86 f8 45 01 07 01 01 30 2a 30 28 06 08 2b H...E....0*0(..+
28 0x008107c4 06 01 05 05 07 02 01 16 1c 68 74 74 70 73 3a 2f .........https:/
29 0x008107d4 2f 77 77 77 2e 76 65 72 69 73 69 67 6e 2e 63 6f /www.verisign.co
30 0x008107e4 6d 2f 72 70 61 30 13 06 03 55 1d 25 04 0c 30 0a m/rpa0...U.%..0.
31 0x008107f4 06 08 2b 06 01 05 05 07 03 08 30 0b 06 03 55 1d ..+.......0...U.
32 0x00810804 0f 04 04 03 02 06 c0 30 0d 06 09 2a 86 48 86 f7 .......0...*.H..
33 0x00810814 0d 01 01 04 05 00 03 81 81 00 2d f3 4f 63 60 2c ..........-.Oc`,
34 0x00810824 18 da f5 24 0f 52 b3 0c eb b3 bc 67 85 c2 23 ed ...$.R.....g..#.
35 0x00810834 8f 46 0d cf 1a 4d be f3 7c 7a 20 30 32 18 68 8b .F...M..|z.02.h.
36 0x00810844 92 bb 32 99 f0 93 b8 3b 15 06 27 7b 3e 02 06 00 ..2....;..'{>...
37 0x00810854 a4 21 92 84 13 0a c5 98 e5 40 57 c5 05 25 e8 af .!.......@W..%..
38 0x00810864 af 11 6a a9 e5 3b cb e9 23 f6 94 29 5d 40 55 f3 ..j..;..#..)]@U.
39 --SNiP--
With -Y you search for a single pattern; with -y you give it a YARA rules file.
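As an added example (not part of the original post, nor code from the Volatility project), here is a small Python 3 script that parses the yarascan text output shown above, rebuilds each hit's bytes from the hex column rather than the lossy ASCII column, and groups the URLs it recovers by owning process so that hits can be triaged quickly. The embedded sample is constructed from the output above, and every function name is this example's own.

```python
import re

# Constructed sample in the yarascan text format shown above (trimmed from the page's output).
SAMPLE = """Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process csrss.exe Pid 604
0x008105df 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69 https://www.veri
0x008105ef 73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29 sign.com/rpa.(c)
Rule: r1
Owner: Process csrss.exe Pid 604
0x00810774 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 76 65 72 69 http://ocsp.veri
0x00810784 73 69 67 6e 2e 63 6f 6d 2f 6f 63 73 70 2f 73 74 sign.com/ocsp/st
"""

RULE_RE = re.compile(r"^Rule:\s+(\S+)")
OWNER_RE = re.compile(r"^Owner:\s+Process\s+(\S+)\s+Pid\s+(\d+)")
# offset, 1..16 hex byte pairs, then the ASCII column (non-printable bytes are shown as '.')
DUMP_RE = re.compile(r"^(0x[0-9a-fA-F]+)((?:\s[0-9a-fA-F]{2}){1,16})\s+\S+$")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # stop at the first space or control byte

def parse_yarascan(text):
    """Return one dict per hit: rule, owning process and pid, virtual address of
    the match, and the raw bytes rebuilt from the hex column of every dump row."""
    hits, cur = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            cur = {"rule": m.group(1), "process": None, "pid": None, "offset": None, "data": b""}
            hits.append(cur)
            continue
        m = OWNER_RE.match(line)
        if m and cur is not None:
            cur["process"], cur["pid"] = m.group(1), int(m.group(2))
            continue
        m = DUMP_RE.match(line)
        if m and cur is not None:
            if cur["offset"] is None:  # the first row starts at the match address
                cur["offset"] = int(m.group(1), 16)
            cur["data"] += bytes.fromhex(m.group(2).replace(" ", ""))
    return hits

def extract_urls(hit):
    return [u.decode("ascii") for u in URL_RE.findall(hit["data"])]

def urls_by_process(text):
    """Map (process, pid) -> sorted distinct URLs recovered from that process's hits."""
    found = {}
    for hit in parse_yarascan(text):
        found.setdefault((hit["process"], hit["pid"]), set()).update(extract_urls(hit))
    return {owner: sorted(urls) for owner, urls in found.items()}
```

Feeding it the full output (`./vol.py ... yarascan -Y http > hits.txt`) gives one line per process with the distinct URLs seen in its memory, which is easier to review than 256-byte hex windows.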
Other
The list of options covered here is far from complete; refer to the binary's built-in help and/or the official online documentation.
Here is a link to a list of Volatility commands for malware hunting.
Appendices
Volatility website
Memory dump samples for the various OSes used in this post
Volatility: command reference