Kali下 volatility取证软件的使用
实验所用附件下载
https://gryffinbit.lanzous.com/b01bwm4ab
密码:15j0
实验环境:
Debian 8 kali
实验要求:
使用Volatility 取证软件从内存转储文件中获取有用信息,包括:
- 查看内存镜像中进程列表
- 查看内存镜像中注册表信息
- 获取用户名和用户登陆密码
- 查看转储前都运行了哪些程序
- 把某个程序的相关数据转储成-一个文件,对这个文件进行进一步分析
- 提取目标系统的命令行历史
- 提取目标系统的网络连接情况
- 提取目标系统的使用IE浏览器访问网络情况
实验内容:
- 首先使用内容转储软件dumpit在Windows7虚拟机(目标系统)中将内存中所有信息转储为-一个文件。
- 将转储生成的文件拷贝到Kali系统中进行分析。
实验过程:
volatility官方文档
https://github.com/volatilityfoundation/volatility/wiki/Installation
基本依赖包及环境配置
👉下载volatility
git clone [https://github.com/volatilityfoundation/volatility.git](https://github.com/volatilityfoundation/volatility.git)
解压该压缩包,cd到文件夹位置,运行安装脚本
python [setup.py](http://setup.py) build
python [setup.py](http://setup.py) install
用法
cd /root/volatility/
chmod +x vol.py
./vol.py
缺少依赖包
👉pip 安装缺少的依赖包
sudo pip install yara
pip install distorm3==3.4.4
sudo pip install pycrypto
sudo pip install openpyxl
sudo pip install Pillow
内存工具Dump的使用
👉进行转储
👉制备实验用的转储文件
在目标系统中打开一些应用程序,例如:记事本
使用kali分析转储生成的文件
👉查看帮助文档
👉分析系统信息
👉使用pslist查看内存镜像中进程列表
python vol.py -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 pslist
👉使用hiveliest查看内存中缓存的注册表信息,例如所有用户名、密码hash、病毒隐藏、恶意启动项、映射劫持。等
python [vol.py](http://vol.py/) -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 hivelist
Volatility Foundation Volatility Framework 2.6.1
👉hivedump可以查看hivelist中列出的所有文件内容
hivedump -o offset
-o的后面传递一个offset偏移量参数。是虚地址(内存地址)
python vol.py -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 hivedump -o 0xe16aab60
👉查看注册表中的某一项健值
printkey -K 路径
python vol.py -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"
👉Winlogon健值查询在内存转储前,最后登录的账户是哪个
python vol.py -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
👉取得用户密码的哈希值
hashdump -y system的偏移量 -s SAM的偏移量
python vol.py -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe16aab60
这步失败了,没有提取出来密码的hash
👉使用mimikatz插件,获取用户明文密码
sudo pip install construct==2.5.5-reupload
mimikatz.py
# Volatility mimikatz plugin
#
# Based on the research made by Gentil_Kiwi for his mimikatz
# http://blog.gentilkiwi.com/mimikatz
# https://code.google.com/p/mimikatz/
#
# Author: Francesco Picasso <francesco.picasso@gmail.com>
#
# This plugin is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This plugin is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this plugin. If not, see <http://www.gnu.org/licenses/>.
"""
@author : Francesco Picasso
@license : GPL 2 or later
@contact : francesco.picasso@gmail.com
@organization : www.realitynet.it
"""
import construct
import os
import re
import struct
import volatility.obj as obj
import volatility.debug as debug
import volatility.commands as commands
import volatility.constants as constants
import volatility.utils as utils
import volatility.win32.tasks as tasks
from Crypto.Cipher import AES
from Crypto.Cipher import DES3
#------------------------------------------------------------------------------
class Credential():
"""TODO: add description here."""
def __init__(self, module='', username='', domain='', epwd='', pwd=''):
self.module = module
self.username = username
self.domain = domain
self.epwd = epwd
self.pwd = pwd
self.signature = module + username + domain + epwd.encode('hex')
def decrypt_epwd(self, decryptor):
if self.epwd and decryptor:
self.pwd = decryptor.decrypt(self.epwd)
try:
self.pwd = self.pwd.decode('utf-16-le').rstrip('\0')
except UnicodeDecodeError:
debug.warning('[Credential:decrypt_epwd] unicode decode error')
self.pwd = self.pwd.encode('hex')
def dump(self):
debug.notice('m<{}> u<{}> d<{}> ep<{}> p<{}>'.format(
self.module, self.username, self.domain,
self.epwd.encode('hex'), self.pwd))
class Credentials():
"""TODO: add description here."""
def __init__(self):
self.credentials = []
def add_credential(self, credential):
already_in = False
for cred in self.credentials:
if cred.signature == credential.signature:
already_in = True
if not already_in:
self.credentials.append(credential)
#------------------------------------------------------------------------------
class MemoryScanner(object):
"""An address space scanner based on scudette's Yara Scanner"""
def __init__(self, task):
self.task = task
def _find_first(self, address_space, offset, maxlen, signature):
"""Raw memory scanner with overlap."""
# Allow some bytes for overlapping signatures
overlap = 1024
i = offset
while i < offset + maxlen:
to_read = min(
constants.SCAN_BLOCKSIZE + overlap, offset + maxlen - i)
block = address_space.zread(i, to_read)
if block:
match = block.find(signature)
if match >= 0:
return match
i += constants.SCAN_BLOCKSIZE
def find_first(self, offset, signature):
"""Find the first match using VADs. It retuns a VA."""
task_as = self.task.get_process_address_space()
task_vads = self.task.get_vads(skip_max_commit = True)
for vad, __ in task_vads:
if offset >= vad.Start and offset <= vad.Start + vad.Length:
position = self._find_first(task_as, vad.Start, vad.Length, signature)
if position:
return position + vad.Start
#------------------------------------------------------------------------------
class MimikatzBase(object):
"""The mimikatz base class, used to defined common attributes/methods."""
SIZEOF_LONG = 4
SIZEOF_PTR = None
UNPACK_PTR = None
UNPACK_LONG = '<L'
def __init__(self, task):
self.task = task
self.task_as = task.get_process_address_space()
def get_ptr(self, pos):
raw_data = self.task_as.zread(pos, self.SIZEOF_PTR)
if raw_data:
return struct.unpack(self.UNPACK_PTR, raw_data)[0]
def get_data(self, pos, size):
if pos and size:
return self.task_as.zread(pos, size)
return ''
class Mimikatz_x86(MimikatzBase):
"""The mimikatz x86 base class."""
SIZEOF_PTR = 4
UNPACK_PTR = '<L'
def __init__(self, task):
MimikatzBase.__init__(self, task)
MimikatzBase.__init__(self, task)
def get_ptr_with_offset(self, pos):
return self.get_ptr(pos)
class Mimikatz_x64(MimikatzBase):
"""The mimikatz x64 base class."""
SIZEOF_PTR = 8
UNPACK_PTR = '<Q'
def __init__(self, task):
MimikatzBase.__init__(self, task)
def get_ptr_with_offset(self, pos):
raw_data = self.task_as.zread(pos, self.SIZEOF_LONG)
if raw_data:
ptr = struct.unpack(self.UNPACK_LONG, raw_data)[0]
return pos + self.SIZEOF_LONG + ptr
#------------------------------------------------------------------------------
class LsaDecryptor():
"""TODO: add description."""
SIGNATURE = None
IV_LENGTH = 16
PTR_IV_OFFSET = None
PTR_AES_KEY_OFFSET = None
PTR_DES_KEY_OFFSET = None
UUUR_TAG = 0x55555552
MSSK_TAG = 0x4d53534b
HARD_KEY = construct.Struct('KIWI_HARD_KEY',
construct.ULInt32('cbSecret'),
construct.Field('data', lambda ctx: ctx.cbSecret))
# Modified to include HARD_KEY size.
BCRYPT_KEY = construct.Struct('KIWI_BCRYPT_KEY',
construct.ULInt32('size'),
construct.ULInt32('tag'), # 'MSSK'.
construct.ULInt32('type'),
construct.ULInt32('unk0'),
construct.ULInt32('unk1'),
construct.ULInt32('unk2'),
construct.ULInt32('cbSecret'))
def __init__(self):
self.iv = ''
self.aes_key = ''
self.des_key = ''
def find_signature(self):
for mod in self.task.get_load_modules():
if str(mod.BaseDllName).lower() == 'lsasrv.dll':
scanner = MemoryScanner(self.task)
return scanner.find_first(mod.DllBase.v(), self.SIGNATURE)
debug.warning('[LsaDecryptor:find_signature()] signature not found!')
def get_IV(self, pos):
ptr_iv = self.get_ptr_with_offset(pos + self.PTR_IV_OFFSET)
if ptr_iv:
return self.get_data(ptr_iv, self.IV_LENGTH)
def get_key(self, pos, key_offset):
ptr_key = self.get_ptr_with_offset(pos + key_offset)
if ptr_key:
ptr_key = self.get_ptr(ptr_key)
if ptr_key:
size = self.BCRYPT_HANDLE_KEY.sizeof()
data = self.get_data(ptr_key, size)
if data:
kbhk = self.BCRYPT_HANDLE_KEY.parse(data)
if kbhk.tag == self.UUUR_TAG:
ptr_key = kbhk.ptr_kiwi_bcrypt_key
size = self.BCRYPT_KEY.sizeof()
data = self.get_data(ptr_key, size)
if data:
kbk = self.BCRYPT_KEY.parse(data)
if kbk.tag == self.MSSK_TAG:
adjust = construct.ULInt32('').sizeof()
size = kbk.cbSecret + adjust
ptr_key = ptr_key + self.BCRYPT_KEY.sizeof() - adjust
data = self.get_data(ptr_key, size)
if data:
khk = self.HARD_KEY.parse(data)
return khk.data
else:
debug.warning('get_key() unable to get HARD_KEY.')
else:
debug.warning('get_key() BCRYPT_KEY invalid tag')
else:
debug.warning('get_key() unable to read BCRYPT_KEY data.')
else:
debug.warning('get_key() BCRYPT_HANDLE_KEY invalid tag')
debug.warning(kbhk)
else:
debug.warning('get_key() unable to read BCRYPT_HANDLE_KEY data.')
else:
debug.warning('get_key() unable to get BCRYPT_HANDLE_KEY pointer.')
else:
debug.warning('get_key()unable to get first pointer.')
def get_des_key(self, pos):
return self.get_key(pos, self.PTR_DES_KEY_OFFSET)
def get_aes_key(self, pos):
return self.get_key(pos, self.PTR_AES_KEY_OFFSET)
def acquire_crypto_material(self):
sigpos = self.find_signature()
if not sigpos:
debug.warning('[LsaDecryptor] unable to find signature!')
return
self.iv = self.get_IV(sigpos)
self.des_key = self.get_des_key(sigpos)
self.aes_key = self.get_aes_key(sigpos)
def decrypt(self, encrypted):
# TODO: NT version specific, move from here in subclasses.
cleartext = ''
size = len(encrypted)
if size:
if size % 8:
if not self.aes_key or not self.iv:
return cleartext
cipher = AES.new(self.aes_key, AES.MODE_CBC, self.iv)
else:
if not self.des_key or not self.iv:
return cleartext
cipher = DES3.new(self.des_key, DES3.MODE_CBC, self.iv[:8])
cleartext = cipher.decrypt(encrypted)
return cleartext
def dump(self):
print 'Dumping LSA Decryptor'
print ' IV ({}): {}'.format(len(self.iv), self.iv.encode('hex'))
print 'DES_KEY ({}): {}'.format(
len(self.des_key), self.des_key.encode('hex'))
print 'AES_KEY ({}): {}'.format(
len(self.aes_key), self.aes_key.encode('hex'))
class LsaDecryptor_x86(LsaDecryptor, Mimikatz_x86):
"""TODO: add description."""
def __init__(self, lsass_task):
Mimikatz_x86.__init__(self, lsass_task)
LsaDecryptor.__init__(self)
class LsaDecryptor_x64(LsaDecryptor, Mimikatz_x64):
"""TODO: add description."""
def __init__(self, lsass_task):
Mimikatz_x64.__init__(self, lsass_task)
LsaDecryptor.__init__(self)
class LsaDecryptor_Vista_x86(LsaDecryptor_x86):
"""Class for Windows Vista x86."""
# MIMIKATZ x86: BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[]
SIGNATURE = '\x8b\xf0\x3b\xf3\x7c\x2c\x6a\x02\x6a\x10\x68'
PTR_IV_OFFSET = 11;
PTR_AES_KEY_OFFSET = -15;
PTR_DES_KEY_OFFSET = -70;
BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY',
construct.ULInt32('size'),
construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552.
construct.ULInt32('ptr_void_algorithm'),
construct.ULInt32('ptr_kiwi_bcrypt_key'),
construct.ULInt32('ptr_unknown'))
def __init__(self, lsass_task):
LsaDecryptor_x86.__init__(self, lsass_task)
class LsaDecryptor_Win7_x86(LsaDecryptor_x86):
"""Class for Windows 7 x86."""
# MIMIKATZ x86: BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[]
SIGNATURE = '\x8b\xf0\x3b\xf3\x7c\x2c\x6a\x02\x6a\x10\x68'
PTR_IV_OFFSET = 11;
PTR_AES_KEY_OFFSET = -15;
PTR_DES_KEY_OFFSET = -70;
BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY',
construct.ULInt32('size'),
construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552.
construct.ULInt32('ptr_void_algorithm'),
construct.ULInt32('ptr_kiwi_bcrypt_key'),
construct.ULInt32('ptr_unknown'))
def __init__(self, lsass_task):
LsaDecryptor_x86.__init__(self, lsass_task)
class LsaDecryptor_Vista_x64(LsaDecryptor_x64):
"""Class for Vista x64."""
SIGNATURE = '\x83\x64\x24\x30\x00\x44\x8b\x4c\x24\x48\x48\x8b\x0d'
PTR_IV_OFFSET = 63;
PTR_AES_KEY_OFFSET = 25;
PTR_DES_KEY_OFFSET = -69;
BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY',
construct.ULInt32('size'),
construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552.
construct.ULInt64('ptr_void_algorithm'),
construct.ULInt64('ptr_kiwi_bcrypt_key'),
construct.ULInt64('ptr_unknown'))
def __init__(self, lsass_task):
LsaDecryptor_x64.__init__(self, lsass_task)
class LsaDecryptor_Win7_x64(LsaDecryptor_x64):
"""Class for Windows 7 x64."""
# MIMIKATZ x64: BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[]
SIGNATURE = '\x83\x64\x24\x30\x00\x44\x8b\x4c\x24\x48\x48\x8b\x0d'
PTR_IV_OFFSET = 59;
PTR_AES_KEY_OFFSET = 25;
PTR_DES_KEY_OFFSET = -61;
BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY',
construct.ULInt32('size'),
construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552.
construct.ULInt64('ptr_void_algorithm'),
construct.ULInt64('ptr_kiwi_bcrypt_key'),
construct.ULInt64('ptr_unknown'))
def __init__(self, lsass_task):
LsaDecryptor_x64.__init__(self, lsass_task)
#------------------------------------------------------------------------------
class Wdigest():
"""TODO: add description."""
SIGNATURE = None
FIRST_ENTRY_OFFSET = 0
WDIGEST_LIST_ENTRY = None
MODULE_NAME = 'wdigest'
MAX_WALK = 32
def __init__(self, credentials_obj):
self.entries = []
self.entries_seen = {}
self.credentials_obj = credentials_obj
def find_signature(self):
for mod in self.task.get_load_modules():
if str(mod.BaseDllName).lower() == 'wdigest.dll':
scanner = MemoryScanner(self.task)
return scanner.find_first(mod.DllBase.v(), self.SIGNATURE)
debug.warning('[Wdigest] no wdigest.dll found in lsass process!')
def get_entry_at(self, ptr):
if ptr:
size = self.WDIGEST_LIST_ENTRY.sizeof()
data = self.get_data(ptr, size)
if data:
entry = self.WDIGEST_LIST_ENTRY.parse(data)
return entry
def get_first_entry(self):
position = self.find_signature()
if position:
ptr_entry = self.get_ptr_with_offset(position + self.FIRST_ENTRY_OFFSET)
if ptr_entry:
ptr_entry = self.get_ptr(ptr_entry)
if ptr_entry:
entry = self.get_entry_at(ptr_entry)
if entry:
return entry, ptr_entry
else:
debug.warning('[Wdigest] no wdigest package found.')
return None, None
def get_unicode_string_at(self, ptr, size):
data = self.get_data(ptr, size)
if data:
data_str = ''
try:
data_str = data.decode('utf-16-le').rstrip('\0')
except UnicodeDecodeError as ee:
debug.error(
'[Wdigest] get_unicode_string_at() unicode error {}'.format(
ee))
debug.warning('[Wdigest] src data is <{}>'.format(data_str))
return data_str
else:
debug.error('[Wdigest] get_unicode_string_at() unable to get data')
return ''
def add_entry(self, entry, found_at):
if entry.usage_count:
if entry.this_entry == found_at:
user = domain = epwd = ''
if entry.user_string_ptr and entry.user_len:
user = self.get_unicode_string_at(
entry.user_string_ptr, entry.user_max_len)
if entry.domain_string_ptr and entry.domain_len:
domain = self.get_unicode_string_at(
entry.domain_string_ptr, entry.domain_max_len)
if entry.password_encrypted_ptr and entry.password_len:
epwd = data = self.get_data(
entry.password_encrypted_ptr, entry.password_max_len)
if user:
cred_entry = Credential(self.MODULE_NAME, user, domain, epwd)
self.credentials_obj.add_credential(cred_entry)
def walk_entries(self):
entry, found_at = self.get_first_entry()
if entry:
walk_num = 1
while walk_num < self.MAX_WALK:
self.add_entry(entry, found_at)
self.entries_seen[found_at] = 1
found_at = entry.previous
entry = self.get_entry_at(found_at)
if not entry:
debug.error('Next entry not found!')
break
if entry.this_entry in self.entries_seen:
break
walk_num += 1
class Wdigest_x86(Wdigest, Mimikatz_x86):
"""TODO: add description."""
WDIGEST_LIST_ENTRY = construct.Struct('WdigestListEntry',
construct.ULInt32('previous'),
construct.ULInt32('next'),
construct.ULInt32('usage_count'),
construct.ULInt32('this_entry'),
construct.ULInt64('luid'),
construct.ULInt64('flag'),
construct.ULInt16('user_len'),
construct.ULInt16('user_max_len'),
construct.ULInt32('user_string_ptr'),
construct.ULInt16('domain_len'),
construct.ULInt16('domain_max_len'),
construct.ULInt32('domain_string_ptr'),
construct.ULInt16('password_len'),
construct.ULInt16('password_max_len'),
construct.ULInt32('password_encrypted_ptr'))
def __init__(self, lsass_task, credentials_obj):
Mimikatz_x86.__init__(self, lsass_task)
Wdigest.__init__(self, credentials_obj)
class Wdigest_x64(Wdigest, Mimikatz_x64):
"""TODO: add description."""
WDIGEST_LIST_ENTRY = construct.Struct('WdigestListEntry',
construct.ULInt64('previous'),
construct.ULInt64('next'),
construct.ULInt32('usage_count'),
construct.ULInt32('align1'),
construct.ULInt64('this_entry'),
construct.ULInt64('luid'),
construct.ULInt64('flag'),
construct.ULInt16('user_len'),
construct.ULInt16('user_max_len'),
construct.ULInt32('align2'),
construct.ULInt64('user_string_ptr'),
construct.ULInt16('domain_len'),
construct.ULInt16('domain_max_len'),
construct.ULInt32('align3'),
construct.ULInt64('domain_string_ptr'),
construct.ULInt16('password_len'),
construct.ULInt16('password_max_len'),
construct.ULInt32('align4'),
construct.ULInt64('password_encrypted_ptr'))
def __init__(self, lsass_task, credentials_obj):
Mimikatz_x64.__init__(self, lsass_task)
Wdigest.__init__(self, credentials_obj)
class Wdigest_Vista_x86(Wdigest_x86):
"""Class for Windows Vista x86."""
SIGNATURE = '\x74\x11\x8b\x0b\x39\x4e\x10'
FIRST_ENTRY_OFFSET = -6
def __init__(self, lsass_task, credentials_obj):
Wdigest_x86.__init__(self, lsass_task, credentials_obj)
class Wdigest_Win7_x86(Wdigest_x86):
"""Class for Windows 7 x86."""
SIGNATURE = '\x74\x11\x8b\x0b\x39\x4e\x10'
FIRST_ENTRY_OFFSET = -6
def __init__(self, lsass_task, credentials_obj):
Wdigest_x86.__init__(self, lsass_task, credentials_obj)
class Wdigest_Win7_x64(Wdigest_x64):
"""Class for Windows 7 x64."""
SIGNATURE = '\x48\x3b\xd9\x74'
FIRST_ENTRY_OFFSET = -4
def __init__(self, lsass_task, credentials_obj):
Wdigest_x64.__init__(self, lsass_task, credentials_obj)
class Wdigest_Vista_x64(Wdigest_x64):
"""Class for Windows Vista x64."""
SIGNATURE = '\x48\x3b\xd9\x74'
FIRST_ENTRY_OFFSET = -4
def __init__(self, lsass_task, credentials_obj):
Wdigest_x64.__init__(self, lsass_task, credentials_obj)
#------------------------------------------------------------------------------
class mimikatz(commands.Command):
"""mimikatz offline"""
def __init__(self, config, *args, **kwargs):
commands.Command.__init__(self, config, *args, **kwargs)
self.profile = config.get_value('profile')
self.credentials_obj = Credentials()
def find_lsass(self):
addr_space = utils.load_as(self._config)
for task in tasks.pslist(addr_space):
if str(task.ImageFileName) == 'lsass.exe':
return task
def init_objects(self, lsass_task):
lsa_decryptor = None
wdigest = None
if len(self.profile) >= 7:
arch = self.profile[-3:]
sp = self.profile[-6:-3]
os = self.profile[:-6]
if os == 'Vista':
if arch == 'x86':
lsa_decryptor = LsaDecryptor_Vista_x86(lsass_task)
wdigest = Wdigest_Vista_x86(lsass_task, self.credentials_obj)
elif arch == 'x64':
lsa_decryptor = LsaDecryptor_Vista_x64(lsass_task)
wdigest = Wdigest_Vista_x64(lsass_task, self.credentials_obj)
elif os == 'Win7':
if arch == 'x86':
lsa_decryptor = LsaDecryptor_Win7_x86(lsass_task)
wdigest = Wdigest_Win7_x86(lsass_task, self.credentials_obj)
elif arch == 'x64':
lsa_decryptor = LsaDecryptor_Win7_x64(lsass_task)
wdigest = Wdigest_Win7_x64(lsass_task, self.credentials_obj)
else:
pass
return lsa_decryptor, wdigest
def calculate(self):
lsass_task = self.find_lsass()
if not lsass_task:
debug.error('lsass_task process not found!!')
return
lsa_decryptor, wdigest = self.init_objects(lsass_task)
if not lsa_decryptor or not wdigest:
return
lsa_decryptor.acquire_crypto_material()
wdigest.walk_entries()
for cred in self.credentials_obj.credentials:
cred.decrypt_epwd(lsa_decryptor)
def render_text(self, outfd, data):
self.table_header(outfd, [("Module", "8"),
("User", "16"),
("Domain", "16"),
("Password", "40")])
for cred in self.credentials_obj.credentials:
self.table_row(
outfd, cred.module, cred.username, cred.domain, cred.pwd)
把py放进volatility文件夹的plugins文件夹内
python vol.py -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 mimikatz
👉使用userassist命令可以获取到内存在转储前都运行了哪些程序,运行多少次,最后一次运行时间
👉使用memdump把某个程序的相关数据转储成一个文件,然后对这个文件进一步分析
memdump -p PID -D 转储文件的存放目录
pslist获取PID
python vol.py -f /root/桌面/suspicion/mem.vmem memdump -p 1736 -D mem
👉文件成功生成,用editor打开
👉用strings 命令提取文件中的字符串
strings 1736.dmp|grep flag | more
|grep flag 是以flag为关键词进行搜索
| more 是逐页显示搜索结果
👉使用cmdscan命令从转储内容中提取目标系统的命令行历史
python vol.py -f /root/桌面/suspicion/mem.vmem --profile=WinXPSP2x86 cmdscan
👉使用netscan提取网络连接情况
👉使用iehistory提取使用IE浏览器访问网络情况
volatility自带的是ie的,也可以下载其他的插件来提取其他浏览器的浏览记录
Tip:volatility入门指令
Volatility -f name imageinfo
volatility -f name pslist --profile=WinXPSP2x86 列举进程:
volatility -f name --profile=WinXPSP2x86 volshell
dt("_PEB") 查看进程环境块
volatility -f name --profile=WinXPSP2x86 hivelist列举缓存在内存的注册表 :
hivedump打印出注册表中的数据 :
volatility -f name --profile=WinXPSP2x86 hivedump -o 注册表的 virtual 地址
显示每个进程的加载dll列表
Volatility -f name -profile = Win7SP0x86 dlllist> dlllist.txt
获取SAM表中的用户:
volatility -f name --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"
登陆账户系统
volatility -f name --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
userassist键值包含系统或桌面执行文件的信息,如名称、路径、执行次数、最后一次执行时间等
volatility -f name --profile=WinXPSP2x86 userassist
将内存中的某个进程数据以 dmp 的格式保存出来
volatility -f name --profile=WinXPSP2x86 -p [PID] -D [dump 出的文件保存的目录]
提取内存中保留的 cmd 命令使用情况
volatility -f name --profile=WinXPSP2x86 cmdscan
获取到当时的网络连接情况
volatility -f name --profile=WinXPSP2x86 netscan
获取 IE 浏览器的使用情况 :
volatility -f name --profile=WinXPSP2x86 iehistory
获取内存中的系统密码,可以使用 hashdump 将它提取出来
volatility -f name --profile=WinXPSP2x86 hashdump -y (注册表 system 的 virtual 地址 )-s (SAM 的 virtual 地址)
volatility -f name --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe16aab60
volatility -f name --profile=WinXPSP2x86 timeliner
对文件查找及dumo提取某个进程:
volatility -f name --profile=Win7SP1x64 memdump -D . -p 2872
strings -e l ./2872.dmp | grep flag
volatility -f name --profile=Win7SP1x64 dumpfiles -Q 0x000000007e410890 -n --dump-dir=./
HASH匹配用户账户名密码:
Hash, 然后使用john filename --format=NT破解
安全进程扫描
volatility -f name --profile=Win7SP1x64 psscan
Flag字符串扫描:
strings -e l 2616.dmp | grep flag
查找图片:
volatility -f name--profile=Win7SP1x64 filescan | grep -E 'jpg|png|jpeg|bmp|gif
volatility -f name --profile=Win7SP1x64 netscan
注册表解析
volatility -f name --profile=Win7SP1x64 hivelist
volatility -f name --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control;"
复制、剪切版:
volatility -f name --profile=Win7SP1x64 clipboard
volatility -f name --profile=Win7SP1x64 dlllist -p 3820
Dump所有进程:
volatility -f name --profile=Win7SP1x64 memdump -n chrome -D .
利用字符串查找download
python vol.py -f name --profile=Win7SP1x86 shimcache
svcscan查看服务
python vol.py -f name --profile=Win7SP1x86 svcscan
modules 查看内核驱动
modscan、driverscan 可查看一些隐藏的内核驱动
ShimCache来识别应用程序兼容性问题。跟踪文件路径,大小,最后修改时间和最后“执行”时间.