tmxklab
4.2 메모리 분석(feat. Volatility) 본문
이제 수집한 메모리 이미지를 volatility라는 도구를 사용해서 분석해보자
다운로드 :
Volatility 2.6 Release
Volatility 2.6 - an advanced memory forensics framework
www.volatilityfoundation.org
volatility는 파이썬으로 작성된 메모리 포렌식 프레임워크이며 Window, mac, linux에서도 실행할 수 있다. 독립 실행 파일(standalone executable)을 사용하면 파이썬 2.7인터프리터와 의존성이 함께 묶여있기 때문에 따로 파이썬 인터프리터를 설치하거나 의존성을 고려하지 않고 빠르게 실행할 수 있다.
volatility option :
C:\Users\sec\Desktop\forensic_tool\MEM>vol_2.6.exe -h
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.
Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (semi-colon
separated)
--info Print information about all registered objects
--cache-directory=C:\Users\sec/.cache\volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the (Olson) timezone for displaying timestamps
using pytz (if installed) or tzset
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load (use --info to see a list
of supported profiles)
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--shift=SHIFT Mac KASLR shift address
--output=text Output in this format (support is module specific, see
the Module Output Options below)
--output-file=OUTPUT_FILE
Write output in this file
-v, --verbose Verbose information
-g KDBG, --kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit
Windows 8 and above this is the address of
KdCopyDataBlock)
--force Force utilization of suspect profile
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
--cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for
Windows 10 only)
Supported Plugin Commands:
amcache Print AmCache information
apihooks Detect API hooks in process and kernel memory
atoms Print session and window station atom tables
atomscan Pool scanner for atom tables
auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools Dump the big page pools using BigPagePoolScanner
bioskbd Reads the keyboard buffer from Real Mode memory
cachedump Dumps cached domain hashes from memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboard
cmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP and 2003 Only]
connscan Pool scanner for tcp connections
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
drivermodule Associate driver objects to kernel modules
driverscan Pool scanner for driver objects
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
dumpregistry Dumps registry files out to disk
editbox Displays information about Edit controls. (Listbox experimental.)
envars Display process environment variables
eventhooks Print details on windows event hooks
evtlogs Extract Windows Event Logs (XP/2003 only)
filescan Pool scanner for file objects
gahti Dump the USER handle type information
gditimers Print installed GDI timers and callbacks
gdt Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Pool scanner for registry hives
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
idt Display Interrupt Descriptor Table
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
joblinks Print process job link information
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
modules Print list of loaded modules
multiscan Scan for various objects at once
mutantscan Pool scanner for mutex objects
notepad List currently displayed notepad text
objtypescan Scan for Windows object type objects
patcher Patches memory based on page scans
poolpeek Configurable pool scanner plugin
printkey Print a registry key, and its subkeys and values
privs Display process privileges
procdump Dump a process to an executable file sample
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstree Print process list as a tree
psxview Find hidden processes with various process listings
qemuinfo Dump Qemu information
raw2dmp Converts a physical memory sample to a windbg crash dump
screenshot Save a pseudo-screenshot based on GDI windows
servicediff List Windows services (ala Plugx)
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags info
shimcache Parses the Application Compatibility Shim Cache registry key
shutdowntime Print ShutdownTime of machine from registry
sockets Print list of open sockets
sockscan Pool scanner for tcp socket objects
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Pool scanner for symlink objects
thrdscan Pool scanner for thread objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary TrueCrypt Summary
unloadedmodules Print list of unloaded modules
userassist Print userassist registry keys and information
userhandles Dump the USER handle tables
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
vboxinfo Dump virtualbox information
verinfo Prints out the version information from PE images
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for window stations
yarascan Scan process or kernel memory with Yara signatures위에서 볼 수 있듯이 volaitlity는 다양한 정보를 추출할 수 있게 많은 플러그인들로 구성되어 있다.
플러그인에 대한 설명은 다음 링크를 참고
volatilityfoundation/volatility
An advanced memory forensics framework. Contribute to volatilityfoundation/volatility development by creating an account on GitHub.
github.com
보통 다음과 같이 Volatility를 사용한다.
volatility.exe -f <메모리 이미지 파일> --profile=<프로파일> <플러그인> <인자>
python vol.py -f <메모리 이미지 파일> --profile=<프로파일> <플러그인> <인자>근데 문제는 덤프뜬 메모리 이미지 파일에서 프로파일 값을 어떤 것으로 전달할 지를 모를 수 있다.
그래서 먼저 imageinfo플러그인을 사용해서 덤프뜬 이미지 파일의 프로파일 값을 구한다.
위에서 Suggested Profile(s) 항목에 "Win7SP1x86_23418, Win7SP0x86, Win7SP1x86" 총 3개가 나오는데 이 중에 하나를 사용하면 된다.
테스트로 pslist 플러그인을 사용한다고 하면 다음과 같이 profile을 세팅하고 실행하면 된다.
volatility 플러그인 대부분은 윈도우 OS 구조체에서 추출한 정보에 의존하며 이런 구조체는 윈도우 버전에 따라 다르기 때문에 profile을 통해 volatility에게 사용할 데이터 구조, 심벌, 알고리즘을 알려준다.
플러그인 정리
1) imageinfo : 메모리 덤프 운영체제, 시간 확인(스캔 방식)
2) pslist : 프로세스 리스트 출력(리스트워킹-가상주소)
3) psscan : 프로세스 구조체 스캔 후 출력(패턴매칭-물리주소)
4) pstree : 프로세스 트리 출력(리스트워킹-가상주소)
5) cmdline : 프로세스 실행 명령줄 인자 출력
6) netscan : 네트워크 연결 스캔 후 출력(패턴매칭-물리주소)
7) filescan : 파일 목록 스캔 후 출력(패턴매칭-물리주소)
8) dumpfiles : 스캔 된 파일 추출(물리주소를 인자로 받고, 가상주소를 기반으로 파일을 추출해줌)
9) hivelist : 메모리에 존재하는 하이브파일 목록 출력(가상+물리주소)
10) printkey : 하이브파일 내부에 존재하는 서브키를 검색해줌
* 사용순서
1) -> 4) -> 3) -> 5) -> 6)
(나머지는 옵션)
플러그인 참고 자료)
The Volatility Framework: Main Page
volatilityfoundation.github.io
왼쪽 탭에서 The Volatility Framework -> Classes -> Class List -> volatility -> plugins를 통해 확인
Volatility 사용 참고
'Security/Volatility' 카테고리의 글 목록
rninche01.tistory.com
'Security > 04 forensic' 카테고리의 다른 글
| 4.1 메모리 수집 (DumpIt) (0) | 2021.04.28 |
|---|---|
| 4. 메모리 수집/분석 (0) | 2021.04.22 |
| 3. 비활성 데이터 수집/분석 (0) | 2021.04.22 |
| 2. 활성 데이터 수집/분석 (0) | 2021.04.22 |
| 1. 디지털 포렌식 개요 (0) | 2021.04.22 |
'Security/04 forensic' Related Articles
more
Comments