Tools

Volatility

Official site | Documentation | GitHub | Command cheat sheet
Plugin list

  1. amcache Print AmCache information
  2. apihooks Detect API hooks in process and kernel memory
  3. atoms Print session and window station atom tables
  4. atomscan Pool scanner for atom tables
  5. auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
  6. bigpools Dump the big page pools using BigPagePoolScanner
  7. bioskbd Reads the keyboard buffer from Real Mode memory
  8. cachedump Dumps cached domain hashes from memory
  9. callbacks Print system-wide notification routines
  10. clipboard Extract the contents of the windows clipboard
  11. cmdline Display process command-line arguments
  12. cmdscan Extract command history by scanning for _COMMAND_HISTORY
  13. connections Print list of open connections [Windows XP and 2003 Only]
  14. connscan Pool scanner for tcp connections
  15. consoles Extract command history by scanning for _CONSOLE_INFORMATION
  16. crashinfo Dump crash-dump information
  17. deskscan Pool scanner for tagDESKTOP (desktops)
  18. devicetree Show device tree
  19. dlldump Dump DLLs from a process address space
  20. dlllist Print list of loaded dlls for each process
  21. driverirp Driver IRP hook detection
  22. drivermodule Associate driver objects to kernel modules
  23. driverscan Pool scanner for driver objects
  24. dumpcerts Dump RSA private and public SSL keys
  25. dumpfiles Extract memory mapped and cached files
  26. dumpregistry Dumps registry files out to disk
  27. editbox Displays information about Edit controls. (Listbox experimental.)
  28. envars Display process environment variables
  29. eventhooks Print details on windows event hooks
  30. evtlogs Extract Windows Event Logs (XP/2003 only)
  31. filescan Pool scanner for file objects
  32. gahti Dump the USER handle type information
  33. gditimers Print installed GDI timers and callbacks
  34. gdt Display Global Descriptor Table
  35. getservicesids Get the names of services in the Registry and return Calculated SID
  36. getsids Print the SIDs owning each process
  37. handles Print list of open handles for each process
  38. hashdump Dumps password hashes (LM/NTLM) from memory
  39. hibinfo Dump hibernation file information
  40. hivedump Prints out a hive
  41. hivelist Print list of registry hives.
  42. hivescan Pool scanner for registry hives
  43. hpakextract Extract physical memory from an HPAK file
  44. hpakinfo Info on an HPAK file
  45. idt Display Interrupt Descriptor Table
  46. iehistory Reconstruct Internet Explorer cache / history
  47. imagecopy Copies a physical address space out as a raw DD image
  48. imageinfo Identify information for the image
  49. impscan Scan for calls to imported functions
  50. joblinks Print process job link information
  51. kdbgscan Search for and dump potential KDBG values
  52. kpcrscan Search for and dump potential KPCR values
  53. ldrmodules Detect unlinked DLLs
  54. lsadump Dump (decrypted) LSA secrets from the registry
  55. machoinfo Dump Mach-O file format information
  56. malfind Find hidden and injected code
  57. mbrparser Scans for and parses potential Master Boot Records (MBRs)
  58. memdump Dump the addressable memory for a process
  59. memmap Print the memory map
  60. messagehooks List desktop and thread window message hooks
  61. mftparser Scans for and parses potential MFT entries
  62. moddump Dump a kernel driver to an executable file sample
  63. modscan Pool scanner for kernel modules
  64. modules Print list of loaded modules
  65. multiscan Scan for various objects at once
  66. mutantscan Pool scanner for mutex objects
  67. notepad List currently displayed notepad text
  68. objtypescan Scan for Windows object type objects
  69. patcher Patches memory based on page scans
  70. poolpeek Configurable pool scanner plugin
  71. printkey Print a registry key, and its subkeys and values
  72. privs Display process privileges
  73. procdump Dump a process to an executable file sample
  74. pslist Print all running processes by following the EPROCESS lists
  75. psscan Pool scanner for process objects
  76. pstree Print process list as a tree
  77. psxview Find hidden processes with various process listings
  78. qemuinfo Dump Qemu information
  79. raw2dmp Converts a physical memory sample to a windbg crash dump
  80. screenshot Save a pseudo-screenshot based on GDI windows
  81. servicediff List Windows services (ala Plugx)
  82. sessions List details on _MM_SESSION_SPACE (user logon sessions)
  83. shellbags Prints ShellBags info
  84. shimcache Parses the Application Compatibility Shim Cache registry key
  85. shutdowntime Print ShutdownTime of machine from registry
  86. sockets Print list of open sockets
  87. sockscan Pool scanner for tcp socket objects
  88. ssdt Display SSDT entries
  89. strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
  90. svcscan Scan for Windows services
  91. symlinkscan Pool scanner for symlink objects
  92. thrdscan Pool scanner for thread objects
  93. threads Investigate _ETHREAD and _KTHREADs
  94. timeliner Creates a timeline from various artifacts in memory
  95. timers Print kernel timers and associated module DPCs
  96. truecryptmaster Recover TrueCrypt 7.1a Master Keys
  97. truecryptpassphrase TrueCrypt Cached Passphrase Finder
  98. truecryptsummary TrueCrypt Summary
  99. unloadedmodules Print list of unloaded modules
  100. userassist Print userassist registry keys and information
  101. userhandles Dump the USER handle tables
  102. vaddump Dumps out the vad sections to a file
  103. vadinfo Dump the VAD info
  104. vadtree Walk the VAD tree and display in tree format
  105. vadwalk Walk the VAD tree
  106. vboxinfo Dump virtualbox information
  107. verinfo Prints out the version information from PE images
  108. vmwareinfo Dump VMware VMSS/VMSN information
  109. volshell Shell in the memory image
  110. windows Print Desktop Windows (verbose details)
  111. wintree Print Z-Order Desktop Windows Tree
  112. wndscan Pool scanner for window stations
  113. yarascan Scan process or kernel memory with Yara signatures

Commonly used plugins

  1. clipboard
  2. hivelist
  3. imageinfo
  4. lsadump
  5. malfind
  6. memdump
  7. pslist / psscan / pstree

Cases

JarvisOJ Forensics 2 (disk decryption)

https://www.jarvisoj.com/challenges > MISC > Forensics 2: Remember the forensics challenge? Now that you have a forensics tool, here is a suspicious file together with a memory snapshot of the computer that stored it, so let's put it into practice. The files are large, so please download them from Baidu Netdisk: link: http://pan.baidu.com/s/1c2BIGLE, password: 9v2z

The attachment suspicion.7z extracts to two files:

  • suspicion : a file of unknown type
  • mem.vmem : the memory image

Run volatility.exe -f .\mem.vmem imageinfo to identify the operating system; the image is Windows XP:

  Volatility Foundation Volatility Framework 2.6
  INFO : volatility.debug : Determining profile based on KDBG search...
  Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
  AS Layer1 : IA32PagedMemoryPae (Kernel AS)
  AS Layer2 : FileAddressSpace (D:\Users\DP\Downloads\mem.vmem)
  PAE type : PAE
  DTB : 0xb18000L
  KDBG : 0x80546ae0L
  Number of Processors : 1
  Image Type (Service Pack) : 3
  KPCR for CPU 0 : 0xffdff000L
  KUSER_SHARED_DATA : 0xffdf0000L
  Image date and time : 2016-05-03 04:41:19 UTC+0000
  Image local date and time : 2016-05-03 12:41:19 +0800

Run volatility.exe -f .\mem.vmem pslist to list the processes:

  Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
  ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
  0x821b9830 System 4 0 62 253 ------ 0
  0x81fb9210 smss.exe 552 4 3 19 ------ 0 2016-05-03 04:32:10 UTC+0000
  0x81c14da0 csrss.exe 616 552 10 328 0 0 2016-05-03 04:32:12 UTC+0000
  0x81f81880 winlogon.exe 640 552 18 449 0 0 2016-05-03 04:32:12 UTC+0000
  0x8208fda0 services.exe 684 640 16 260 0 0 2016-05-03 04:32:12 UTC+0000
  0x81c32b10 lsass.exe 696 640 18 333 0 0 2016-05-03 04:32:12 UTC+0000
  0x820a19a0 vmacthlp.exe 852 684 1 25 0 0 2016-05-03 04:32:13 UTC+0000
  0x81c30458 svchost.exe 864 684 18 201 0 0 2016-05-03 04:32:13 UTC+0000
  0x81c67020 svchost.exe 948 684 11 238 0 0 2016-05-03 04:32:13 UTC+0000
  0x81ce7da0 svchost.exe 1040 684 55 1103 0 0 2016-05-03 04:32:13 UTC+0000
  0x81c25020 svchost.exe 1096 684 4 66 0 0 2016-05-03 04:32:13 UTC+0000
  0x82002b28 svchost.exe 1256 684 13 194 0 0 2016-05-03 04:32:14 UTC+0000
  0x81f6c988 explorer.exe 1464 1448 12 329 0 0 2016-05-03 04:32:14 UTC+0000
  0x82085550 spoolsv.exe 1576 684 13 140 0 0 2016-05-03 04:32:14 UTC+0000
  0x81f64560 vmtoolsd.exe 1712 1464 5 145 0 0 2016-05-03 04:32:15 UTC+0000
  0x820a3528 ctfmon.exe 1736 1464 1 78 0 0 2016-05-03 04:32:15 UTC+0000
  0x81f7d3c0 vmtoolsd.exe 2020 684 7 273 0 0 2016-05-03 04:32:23 UTC+0000
  0x8207db28 TPAutoConnSvc.e 512 684 5 99 0 0 2016-05-03 04:32:25 UTC+0000
  0x81c26da0 alg.exe 1212 684 6 105 0 0 2016-05-03 04:32:26 UTC+0000
  0x81f715c0 wscntfy.exe 1392 1040 1 39 0 0 2016-05-03 04:32:26 UTC+0000
  0x81e1f520 TPAutoConnect.e 1972 512 1 72 0 0 2016-05-03 04:32:26 UTC+0000
  0x81f9d3e8 TrueCrypt.exe 2012 1464 2 139 0 0 2016-05-03 04:33:36 UTC+0000
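Post-processing the two outputs above, as an added example that is not part of these notes or of the Volatility project: the script parses the imageinfo text to pull out the suggested profiles (the commands above omit --profile, so Volatility 2 fell back to its default WinXPSP2x86, which happens to match this image; passing the profile explicitly is the safer habit), parses the pslist table into the parent/child tree that pstree renders, and flags the two things that make TrueCrypt.exe stand out: it hangs off explorer.exe, i.e. it was launched by the logged-on user, and it started well after every other process on the freshly booted VM. The sample text is a constructed excerpt of the output above, and the 60-second "late starter" window is an assumption, not a Volatility feature.

```python
"""Parse Volatility 2 `imageinfo` and `pslist` output into a process tree.

Added example: not part of these notes or of the Volatility project.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed excerpts of the two outputs shown in the notes above.
IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""

PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821b9830 System                    4      0     62      253 ------      0
0x81fb9210 smss.exe                552      4      3       19 ------      0 2016-05-03 04:32:10 UTC+0000
0x81c14da0 csrss.exe               616    552     10      328      0      0 2016-05-03 04:32:12 UTC+0000
0x81f81880 winlogon.exe            640    552     18      449      0      0 2016-05-03 04:32:12 UTC+0000
0x8208fda0 services.exe            684    640     16      260      0      0 2016-05-03 04:32:12 UTC+0000
0x81c32b10 lsass.exe               696    640     18      333      0      0 2016-05-03 04:32:12 UTC+0000
0x81ce7da0 svchost.exe            1040    684     55     1103      0      0 2016-05-03 04:32:13 UTC+0000
0x81f6c988 explorer.exe           1464   1448     12      329      0      0 2016-05-03 04:32:14 UTC+0000
0x81f64560 vmtoolsd.exe           1712   1464      5      145      0      0 2016-05-03 04:32:15 UTC+0000
0x81f9d3e8 TrueCrypt.exe          2012   1464      2      139      0      0 2016-05-03 04:33:36 UTC+0000
"""


@dataclass
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int
    start: Optional[datetime]  # None for System, which pslist prints without a start time


# One pslist data row: offset, name, PID, PPID, Thds, Hnds, Sess, Wow64, optional Start.
PSLIST_LINE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+\S+\s+\d+"
    r"(?:\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000)?"
)


def suggested_profiles(imageinfo_text: str) -> List[str]:
    """Profiles imageinfo suggests, in order; pass the first as --profile=... to later plugins."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    if not m:
        return []
    names = re.sub(r"\(.*?\)", "", m.group(1))  # drop "(Instantiated with ...)"
    return [n.strip() for n in names.split(",") if n.strip()]


def parse_pslist(text: str) -> Dict[int, Process]:
    """Map PID -> Process; header, separator and blank lines are skipped."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        m = PSLIST_LINE.match(line.strip())
        if not m:
            continue
        start = m.group("start")
        procs[int(m.group("pid"))] = Process(
            offset=int(m.group("offset"), 16), name=m.group("name"),
            pid=int(m.group("pid")), ppid=int(m.group("ppid")),
            threads=int(m.group("thds")), handles=int(m.group("hnds")),
            start=datetime.strptime(start, "%Y-%m-%d %H:%M:%S") if start else None)
    return procs


def orphans(procs: Dict[int, Process]) -> List[int]:
    """PIDs whose parent is not in the list: System (PPID 0) and processes whose parent
    already exited (on XP, userinit.exe starts explorer.exe and then exits)."""
    return sorted(p.pid for p in procs.values() if p.ppid not in procs)


def children(procs: Dict[int, Process], pid: int) -> List[int]:
    return sorted(p.pid for p in procs.values() if p.ppid == pid)


def render_tree(procs: Dict[int, Process], pid: Optional[int] = None, depth: int = 0) -> List[str]:
    """pstree-style lines: one dot per nesting level, roots first."""
    lines: List[str] = []
    for child in (orphans(procs) if pid is None else children(procs, pid)):
        p = procs[child]
        lines.append(f"{'.' * depth}{p.name} (pid {p.pid}, ppid {p.ppid})")
        lines.extend(render_tree(procs, child, depth + 1))
    return lines


def late_starters(procs: Dict[int, Process], window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Names of processes started more than `window` after the earliest timestamped process
    (smss.exe, effectively boot). Heuristic assumption: on a freshly booted VM the OS's own
    processes all appear within seconds of each other, so a lone late start is worth a look."""
    boot = min(p.start for p in procs.values() if p.start)
    return [p.name for p in sorted(procs.values(), key=lambda p: p.pid)
            if p.start and p.start - boot > window]


if __name__ == "__main__":
    print("profiles:", suggested_profiles(IMAGEINFO))
    tree = parse_pslist(PSLIST)
    print("\n".join(render_tree(tree)))
    print("started late:", late_starters(tree))
```

The tree output places TrueCrypt.exe under explorer.exe next to vmtoolsd.exe and ctfmon.exe, which is exactly the context pstree gives and pslist alone does not; the late-start check is a quick triage heuristic and should be read together with the parent, not on its own.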

A suspicious process, TrueCrypt.exe, shows up; a search reveals it is a disk encryption tool, so suspicion should be the encrypted file.
Searching for TrueCrypt recovery tools turns up EFDD (Elcomsoft Forensic Disk Decryptor); the recovery steps follow.
Run volatility.exe -f .\mem.vmem memdump -p 2012 -D . to dump the process memory:

  ************************************************************************
  Writing TrueCrypt.exe [ 2012] to 2012.dmp

Open EFDD, select the suspicion and 2012.dmp files, and start recovering the key.
Decrypt the disk directly with the recovered key, mount it, and find the flag.


Related links:

  1. https://ctf-wiki.org/misc/disk-memory/introduction/
  2. Elcomsoft.Forensic.Disk.Decryptor.2.17.916.zip
  3. Elcomsoft.Forensic.Disk.Decryptor.CracKed.By.Hmily.LCG.rar
  4. https://blog.csdn.net/qq_45836474/article/details/109540832 - A small collection of CTF forensics techniques
  5. https://www.cnblogs.com/sesefadou/p/11804566.html - Notes on using Volatility for forensics