Volatility package description

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, yet offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples, and to provide a platform for further work in this exciting area of research. Volatility supports memory dumps from all major 32-bit and 64-bit Windows versions and service packs, including XP, 2003 Server, Vista, Server 2008, Server 2008 R2 and 7. Whether your memory dump is in raw format, a Microsoft crash dump, a hibernation file or a virtual machine snapshot, Volatility is able to work with it. Linux memory dumps in raw or LiME format are now also supported, with 35+ plugins for analyzing 32-bit and 64-bit Linux kernels from 2.6.11 to 3.5.x and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS and Mandrake. 38 versions of Mac OSX memory dumps are supported, from 10.5 to 10.8.3 Mountain Lion, both 32-bit and 64-bit. Android phones with ARM processors are also supported. Support for Windows 8, 8.1, Server 2012, 2012 R2 and OSX 10.9 (Mavericks) is either already in SVN or just around the corner. Source: https://code.google.com/p/volatility/

Volatility Homepage | Kali Volatility Repo

  • Author: Volatile Systems, Komoku Inc.
  • License: GPLv2

    0x01 Tools included in the volatility package

    volatility - A memory forensics analysis platform
    :~# volatility -h
    Volatility Foundation Volatility Framework 2.4
    Usage: Volatility - A memory forensics analysis platform.
    Options:
    -h, --help            list all available options and their default values.
                          Default values may be set in the configuration file
                          (/etc/volatilityrc)
    --conf-file=/root/.volatilityrc
                          User based configuration file
    -d, --debug           Debug volatility
    --plugins=PLUGINS     Additional plugin directories to use (colon separated)
    --info                Print information about all registered objects
    --cache-directory=/root/.cache/volatility
                          Directory where cache files are stored
    --cache               Use caching
    --tz=TZ               Sets the timezone for displaying timestamps
    -f FILENAME, --filename=FILENAME
                          Filename to use when opening an image
    --profile=WinXPSP2x86
                          Name of the profile to load
    -l LOCATION, --location=LOCATION
                          A URN location from which to load an address space
    -w, --write           Enable write support
    --dtb=DTB             DTB Address
    --shift=SHIFT         Mac KASLR shift address
    --output=text         Output in this format (format support is module
                          specific)
    --output-file=OUTPUT_FILE
                          write output in this file
    -v, --verbose         Verbose information
    -g KDBG, --kdbg=KDBG  Specify a specific KDBG virtual address
    -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
      Supported Plugin Commands:
          apihooks        Detect API hooks in process and kernel memory
          atoms           Print session and window station atom tables
          atomscan        Pool scanner for atom tables
          auditpol        Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
          bigpools        Dump the big page pools using BigPagePoolScanner
          bioskbd         Reads the keyboard buffer from Real Mode memory
          cachedump       Dumps cached domain hashes from memory
          callbacks       Print system-wide notification routines
          clipboard       Extract the contents of the windows clipboard
          cmdline         Display process command-line arguments
          cmdscan         Extract command history by scanning for _COMMAND_HISTORY
          connections     Print list of open connections [Windows XP and 2003 Only]
          connscan        Pool scanner for tcp connections
          consoles        Extract command history by scanning for _CONSOLE_INFORMATION
          crashinfo       Dump crash-dump information
          deskscan        Poolscaner for tagDESKTOP (desktops)
          devicetree      Show device tree
          dlldump         Dump DLLs from a process address space
          dlllist         Print list of loaded dlls for each process
          driverirp       Driver IRP hook detection
          driverscan      Pool scanner for driver objects
          dumpcerts       Dump RSA private and public SSL keys
          dumpfiles       Extract memory mapped and cached files
          envars          Display process environment variables
          eventhooks      Print details on windows event hooks
          evtlogs         Extract Windows Event Logs (XP/2003 only)
          filescan        Pool scanner for file objects
          gahti           Dump the USER handle type information
          gditimers       Print installed GDI timers and callbacks
          gdt             Display Global Descriptor Table
          getservicesids  Get the names of services in the Registry and return Calculated SID
          getsids         Print the SIDs owning each process
          handles         Print list of open handles for each process
          hashdump        Dumps passwords hashes (LM/NTLM) from memory
          hibinfo         Dump hibernation file information
          hivedump        Prints out a hive
          hivelist        Print list of registry hives.
          hivescan        Pool scanner for registry hives
          hpakextract     Extract physical memory from an HPAK file
          hpakinfo        Info on an HPAK file
          idt             Display Interrupt Descriptor Table
          iehistory       Reconstruct Internet Explorer cache / history
          imagecopy       Copies a physical address space out as a raw DD image
          imageinfo       Identify information for the image
          impscan         Scan for calls to imported functions
          joblinks        Print process job link information
          kdbgscan        Search for and dump potential KDBG values
          kpcrscan        Search for and dump potential KPCR values
          ldrmodules      Detect unlinked DLLs
          lsadump         Dump (decrypted) LSA secrets from the registry
          machoinfo       Dump Mach-O file format information
          malfind         Find hidden and injected code
          mbrparser       Scans for and parses potential Master Boot Records (MBRs)
          memdump         Dump the addressable memory for a process
          memmap          Print the memory map
          messagehooks    List desktop and thread window message hooks
          mftparser       Scans for and parses potential MFT entries
          moddump         Dump a kernel driver to an executable file sample
          modscan         Pool scanner for kernel modules
          modules         Print list of loaded modules
          multiscan       Scan for various objects at once
          mutantscan      Pool scanner for mutex objects
          notepad         List currently displayed notepad text
          objtypescan     Scan for Windows object type objects
          patcher         Patches memory based on page scans
          poolpeek        Configurable pool scanner plugin
          printkey        Print a registry key, and its subkeys and values
          privs           Display process privileges
          procdump        Dump a process to an executable file sample
          pslist          Print all running processes by following the EPROCESS lists
          psscan          Pool scanner for process objects
          pstree          Print process list as a tree
          psxview         Find hidden processes with various process listings
          raw2dmp         Converts a physical memory sample to a windbg crash dump
          screenshot      Save a pseudo-screenshot based on GDI windows
          sessions        List details on _MM_SESSION_SPACE (user logon sessions)
          shellbags       Prints ShellBags info
          shimcache       Parses the Application Compatibility Shim Cache registry key
          sockets         Print list of open sockets
          sockscan        Pool scanner for tcp socket objects
          ssdt            Display SSDT entries
          strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
          svcscan         Scan for Windows services
          symlinkscan     Pool scanner for symlink objects
          thrdscan        Pool scanner for thread objects
          threads         Investigate _ETHREAD and _KTHREADs
          timeliner       Creates a timeline from various artifacts in memory
          timers          Print kernel timers and associated module DPCs
          truecryptmaster Recover TrueCrypt 7.1a Master Keys
          truecryptpassphrase TrueCrypt Cached Passprhase Finder
          truecryptsummary    TrueCrypt Summary
          unloadedmodules Print list of unloaded modules
          userassist      Print userassist registry keys and information
          userhandles     Dump the USER handle tables
          vaddump         Dumps out the vad sections to a file
          vadinfo         Dump the VAD info
          vadtree         Walk the VAD tree and display in tree format
          vadwalk         Walk the VAD tree
          vboxinfo        Dump virtualbox information
          verinfo         Prints out the version information from PE images
          vmwareinfo      Dump VMware VMSS/VMSN information
          volshell        Shell in the memory image
          windows         Print Desktop Windows (verbose details)
          wintree         Print Z-Order Desktop Windows Tree
          wndscan         Pool scanner for window stations
          yarascan        Scan process or kernel memory with Yara signatures
    

    0x02 volatility usage example

    Read the given memory image (-f /root/xp-laptop-2005-07-04-1430.img) and list the running processes (pslist):
:~# volatility -f /root/xp-laptop-2005-07-04-1430.img pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c87c0 System                    4      0     62     1133 ------      0                                                              
0x8214b020 smss.exe                400      4      3       21 ------      0 2005-07-04 18:17:26 UTC+0000                                 
0x821c11a8 csrss.exe               456    400     11      551      0      0 2005-07-04 18:17:29 UTC+0000                                 
0x814dc020 winlogon.exe            480    400     18      522      0      0 2005-07-04 18:17:29 UTC+0000                                 
0x815221c8 services.exe            524    480     17      321      0      0 2005-07-04 18:17:30 UTC+0000                                 
0x821d8248 lsass.exe               536    480     20      369      0      0 2005-07-04 18:17:30 UTC+0000                                 
0x814f0020 svchost.exe             680    524     19      206      0      0 2005-07-04 18:17:31 UTC+0000                                 
0x821daa88 svchost.exe             760    524     10      289      0      0 2005-07-04 18:17:31 UTC+0000                                 
0x821463a8 svchost.exe             800    524     75     1558      0      0 2005-07-04 18:17:31 UTC+0000                                 
0x8216c9b0 Smc.exe                 840    524     22      421      0      0 2005-07-04 18:17:32 UTC+0000                                 
0x81530228 svchost.exe             932    524      6       93      0      0 2005-07-04 18:17:33 UTC+0000                                 
0x81534c10 svchost.exe             972    524     15      212      0      0 2005-07-04 18:17:34 UTC+0000                                 
0x8202e7e8 spoolsv.exe            1104    524     11      145      0      0 2005-07-04 18:17:38 UTC+0000                                 
0x8152f9a0 ati2evxx.exe           1272    524      4       38      0      0 2005-07-04 18:17:39 UTC+0000                                 
0x820ac020 Crypserv.exe           1356    524      3       34      0      0 2005-07-04 18:17:40 UTC+0000                                 
0x81521da0 DefWatch.exe           1380    524      3       27      0      0 2005-07-04 18:17:40 UTC+0000                                 
0x820b5670 msdtc.exe              1440    524     15      164      0      0 2005-07-04 18:17:40 UTC+0000                                 
0x81fcf460 Rtvscan.exe            1484    524     37      312      0      0 2005-07-04 18:17:40 UTC+0000                                 
0x8204b8e0 tcpsvcs.exe            1548    524      2      105      0      0 2005-07-04 18:17:41 UTC+0000                                 
0x82027a78 snmp.exe               1564    524      5      192      0      0 2005-07-04 18:17:41 UTC+0000                                 
0x8204c558 svchost.exe            1588    524      5      122      0      0 2005-07-04 18:17:41 UTC+0000                                 
0x8202f558 wdfmgr.exe             1640    524      4       65      0      0 2005-07-04 18:17:42 UTC+0000                                 
0x81fb5da0 Fast.exe               1844    524      2       33      0      0 2005-07-04 18:17:43 UTC+0000                                 
0x81fe9da0 mqsvc.exe              1860    524     23      218      0      0 2005-07-04 18:17:43 UTC+0000                                 
0x82022760 mqtgsvc.exe             712    524      9      119      0      0 2005-07-04 18:17:47 UTC+0000                                 
0x81fe6a78 alg.exe                 992    524      5      105      0      0 2005-07-04 18:17:50 UTC+0000                                 
0x8202c6a0 ssonsvr.exe            2196   2172      1       24      0      0 2005-07-04 18:17:59 UTC+0000                                 
0x8146e860 explorer.exe           2392   2300     18      489      0      0 2005-07-04 18:18:03 UTC+0000                                 
0x820d1b00 Directcd.exe           2456   2392      4       40      0      0 2005-07-04 18:18:05 UTC+0000                                 
0x81540da0 TaskSwitch.exe         2472   2392      1       24      0      0 2005-07-04 18:18:05 UTC+0000                                 
0x8219dda0 Fast.exe               2480   2392      1       23      0      0 2005-07-04 18:18:05 UTC+0000                                 
0x81462be0 VPTray.exe             2496   2392      2      111      0      0 2005-07-04 18:18:06 UTC+0000                                 
0x8219d960 atiptaxx.exe           2524   2392      1       51      0      0 2005-07-04 18:18:06 UTC+0000                                 
0x814ecc00 jusched.exe            2548   2392      1       22      0      0 2005-07-04 18:18:07 UTC+0000                                 
0x820d1718 EM_EXEC.EXE            2588   2540      2       80      0      0 2005-07-04 18:18:09 UTC+0000                                 
0x814b8a58 WZQKPICK.EXE           2692   2392      1       17      0      0 2005-07-04 18:18:15 UTC+0000                                 
0x81474510 wuauclt.exe            3128    800      3      157      0      0 2005-07-04 18:19:11 UTC+0000                                 
0x81f7fb98 taskmgr.exe            3192   2392      3       65      0      0 2005-07-04 18:19:33 UTC+0000                                 
0x8153f480 cmd.exe                3256   2392      1       29      0      0 2005-07-04 18:20:58 UTC+0000                                 
0x8133d810 firefox.exe            3276   2392      7      189      0      0 2005-07-04 18:21:11 UTC+0000                                 
0xff96b860 PluckSvr.exe           3352    680      6      206      0      0 2005-07-04 18:21:42 UTC+0000                                 
0x813383b0 PluckTray.exe          3612   3352      3      102      0      0 2005-07-04 18:24:00 UTC+0000                                 
0x81488350 PluckUpdater.ex         368   3352      0 --------      0      0 2005-07-04 18:24:30 UTC+0000   2005-07-04 18:26:44 UTC+0000  
0x81543870 dd.exe
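The pslist table above is usually the first thing an analyst reads, and the two cues worth checking immediately are rows whose parent PID is absent from the list and rows that have already exited but are still linked in the EPROCESS list. The following parser and triage routine is an added example written for this page, not part of Volatility or the original post; the sample rows are constructed in the same column layout as the Volatility 2.4 output shown above, and the orphan check is only a triage hint relative to the rows given (a parent that exited normally also produces it).

```python
import re
from collections import namedtuple

# Constructed sample in the column layout of volatility 2.4 "pslist" output.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c87c0 System                    4      0     62     1133 ------      0
0x8214b020 smss.exe                400      4      3       21 ------      0 2005-07-04 18:17:26 UTC+0000
0x821c11a8 csrss.exe               456    400     11      551      0      0 2005-07-04 18:17:29 UTC+0000
0x8202c6a0 ssonsvr.exe            2196   2172      1       24      0      0 2005-07-04 18:17:59 UTC+0000
0x81488350 PluckUpdater.ex         368   3352      0 --------      0      0 2005-07-04 18:24:30 UTC+0000   2005-07-04 18:26:44 UTC+0000
"""

Proc = namedtuple("Proc", "offset name pid ppid threads handles start exit")

# Offset, name, PID, PPID, Thds, Hnds (or dashes), Sess (or dashes), Wow64,
# then optional Start and Exit timestamps.
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}"
ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+|-+)\s+(\d+|-+)\s+(\d+)"
    r"(?:\s+(" + TS + r"))?(?:\s+(" + TS + r"))?\s*$"
)


def parse_pslist(text):
    """Turn pslist text into Proc records; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        offset, name, pid, ppid, thds, hnds, _sess, _wow64, start, exit_ = m.groups()
        handles = None if hnds.startswith("-") else int(hnds)
        procs.append(Proc(offset, name, int(pid), int(ppid), int(thds), handles, start, exit_))
    return procs


def triage(procs):
    """Map PID -> list of triage notes for rows an analyst should look at first."""
    pids = {p.pid for p in procs}
    findings = {}
    for p in procs:
        notes = []
        if p.ppid != 0 and p.ppid not in pids:
            notes.append("parent %d not in list" % p.ppid)
        if p.exit is not None or p.threads == 0:
            notes.append("exited but still linked in EPROCESS list")
        if notes:
            findings[p.pid] = notes
    return findings


if __name__ == "__main__":
    for pid, notes in sorted(triage(parse_pslist(SAMPLE_PSLIST)).items()):
        print(pid, "; ".join(notes))
```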

Original source: https://www.hackfun.org/kali-tools/volatility_zh.html. Please credit the original source when reposting; for commercial use, contact the original author for authorization.
