前言
Volatility是一款开源内存取证框架,能够对导出的内存镜像进行分析,通过获取内核数据结构,使用插件获取内存的详细情况以及系统的运行状态。
而Dumpit是用于生成Windows机器的物理内存转储,可运行在32位/64位系统中,可完美地部署在USB闪存盘上,快速响应事件。
HollowFind插件是用来检测HollowProcoss的Volatility插件。
环境
Volatility 2.5(因为后面使用的hollowfind似乎2.6不支持)
win10
(注意:hollowfind插件只能查win7的)
Vmware 14
win7
python2.7
使用Dumpit生成内存镜像
具体用法参考:
生成的是xxx.raw
使用VMware的内存镜像
暂停vm虚拟机 对应的虚拟机文件夹中找到.vmem文件
我这里是win7的虚拟机
安装Volatility
安装
python setup.py install
执行
进程列表
python vol.py -f svchost.DMP pslist
使用HollowFind
python vol.py -f xxxx.vmem --profile=xxxx hollowfind
我是有python2.7和用的powershell 且必须是vmware虚拟机的win7的镜像内存(hollowfind只支持volatility2.5且win7),故这样写:
python27.exe .\vol.py -f ..\replace_process_win7.vmem --profile=Win2008R2SP0x64 hollowfind
运行结果:
PS D:\workspace\2013\Github\volatility-master\volatility-2.5> python27.exe .\vol.py -f ..\replace_process_win7.vmem --profile=Win2008R2SP0x64 hollowfind Volatility Foundation Volatility Framework 2.5 Hollowed Process Information: Process: GoogleUpdate.e PID: 2912 Parent Process: taskeng.exe PPID: 2864 Creation Time: 2022-06-14 06:39:27 UTC+0000 Process Base Name(PEB): GoogleUpdate.exe Command Line(PEB): "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c Hollow Type: No VAD Entry For Process Executable VAD and PEB Comparison: Base Address(VAD): 0x0 Process Path(VAD): NA Vad Protection: NA Vad Tag: NA Base Address(PEB): 0xe80000 Process Path(PEB): C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Memory Protection: PAGE_EXECUTE_WRITECOPY Memory Tag: Vad No Hexdump: Memory Unreadable at 0x00e80000 Similar Processes: GoogleUpdate.e(2912) Parent:taskeng.exe(2864) Start:2022-06-14 06:39:27 UTC+0000 GoogleUpdate.e(3708) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:45 UTC+0000 GoogleUpdate.e(3784) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:47 UTC+0000 Suspicious Memory Regions: 0x1a0000(No PE/Possibly Code) Protection: PAGE_EXECUTE_READWRITE Tag: VadS --------------------------------------------------- Hollowed Process Information: Process: svchost.exe PID: 892 Parent Process: services.exe PPID: 536 Creation Time: 2022-06-14 06:39:10 UTC+0000 Process Base Name(PEB): svchost.exe Command Line(PEB): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted Hollow Type: Process Base Address and Memory Protection Discrepancy VAD and PEB Comparison: Base Address(VAD): 0xff6c0000 Process Path(VAD): \Windows\System32\services.exe Vad Protection: PAGE_EXECUTE_WRITECOPY Vad Tag: Vad Base Address(PEB): 0xff550000 Process Path(PEB): C:\Windows\System32\svchost.exe Memory Protection: PAGE_EXECUTE_WRITECOPY Memory Tag: Vad 0xff550000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0xff550010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0xff550020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0xff550030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................ Similar Processes: svchost.exe(892) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000 svchost.exe(1160) Parent:services.exe(536) Start:2022-06-14 06:39:11 UTC+0000 svchost.exe(108) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000 svchost.exe(3440) Parent:services.exe(536) Start:2022-06-14 06:39:41 UTC+0000 svchost.exe(792) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000 svchost.exe(924) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000 svchost.exe(1264) Parent:services.exe(536) Start:2022-06-14 06:39:21 UTC+0000 svchost.exe(688) Parent:services.exe(536) Start:2022-06-14 06:39:09 UTC+0000 svchost.exe(2832) Parent:explorer.exe(2712) Start:2022-06-14 06:39:33 UTC+0000 svchost.exe(3260) Parent:ReplaceProcess(3076) Start:2022-06-14 06:40:32 UTC+0000 svchost.exe(396) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000 svchost.exe(952) Parent:services.exe(536) Start:2022-06-14 06:39:10 UTC+0000 svchost.exe(1488) Parent:services.exe(536) Start:2022-06-14 06:39:21 UTC+0000 Suspicious Memory Regions: 0x7feff000000(No PE/Possibly Code) Protection: PAGE_EXECUTE_WRITECOPY Tag: Vad --------------------------------------------------- Hollowed Process Information: Process: GoogleUpdate.e PID: 3708 Parent Process: GoogleUpdate.e PPID: 2912 Creation Time: 2022-06-14 06:39:45 UTC+0000 Process Base Name(PEB): GoogleUpdate.exe Command Line(PEB): "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr Hollow Type: No VAD Entry For Process Executable VAD and PEB Comparison: Base Address(VAD): 0x0 Process Path(VAD): NA Vad Protection: NA Vad Tag: NA Base Address(PEB): 0xe80000 Process Path(PEB): C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Memory Protection: PAGE_EXECUTE_WRITECOPY Memory Tag: Vad No Hexdump: Memory Unreadable at 0x00e80000 Similar Processes: GoogleUpdate.e(3708) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:45 UTC+0000 GoogleUpdate.e(3784) Parent:GoogleUpdate.e(2912) Start:2022-06-14 06:39:47 UTC+0000 GoogleUpdate.e(2912) Parent:taskeng.exe(2864) Start:2022-06-14 06:39:27 UTC+0000 Suspicious Memory Regions: 0x40000(No PE/Possibly Code) Protection: PAGE_EXECUTE_WRITECOPY Tag: Vad ---------------------------------------------------
常见问题
Failed to import volatility.plugins.registry.shutdown (ImportError: XXX
执行时
python27.exe .\vol.py -f D:\workspace\2013\Github\volatility-master\svchost.DMP hollowfind
报错
Volatility Foundation Volatility Framework 2.6.1 *** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: Error loading the diStorm dynamic library (or cannot load library into process).)
解决方案
https://github.com/volatilityfoundation/volatility/issues/535
pip install distorm3 pycrypto openpyxl Pillow
也可以这样 这样pip和python用的就是同一版本
python -m pip install distorm3 pycrypto openpyxl Pillow
No suitable address space mapping found
可参考:https://blog.csdn.net/yingzinanfei/article/details/53150423
可参考:https://github.com/volatilityfoundation/volatility/issues/698
我主要看后面一个kdbgscan可以执行成功了 就根据kdbgscan输出的profile 再添加–profile=xxxx到需要执行的命令中。
python27.exe .\vol.py -f D:\workspace\vms\windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso\windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso-6f11cc0a.vmem --profile=Win10x64_18362 pslist
