Introduction

A fairly simple Windows memory forensics challenge.

Solution

1

Open it with vol and look directly.


2

Compute a SHA256.


It took a minute and a half inside the VM but only 20 seconds outside; I suspect the VM's shared-folder disk read/write speed is limited.

3

View the process list with windows.pslist.


Not sure why the formatting came out wrong.

4

Scan with windows.netscan.


10 in total.

There is a small pitfall here.

windows.netstat only finds 9.

5

Use windows.netstat to find the connections in the ESTABLISHED state, then look up the AS of the corresponding IP.


But the definition the wiki gives is a complete domain name that includes the hostname, which I don't understand.

At first I also dumped Chrome's History database and searched it for a long time without finding anything.
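The netscan/netstat difference in steps 4 and 5 is worth checking programmatically rather than by counting rows in a screenshot: netscan carves network objects out of pool memory (so it can also surface closed or freed connections), while netstat walks the live tracking structures, so netstat is usually the one with fewer rows. The following is an added example, not part of the original writeup or of Volatility itself; it parses constructed output in the tab-separated layout of Volatility 3's default text renderer (the column order is assumed to match the defaults), reports the rows only netscan found, and lists the public peers of ESTABLISHED connections as candidates for an AS lookup. The addresses are constructed sample values, not data from the challenge image.

```python
import ipaddress

# Constructed sample output (not from the challenge image). Assumed layout:
# Volatility 3's default tab-separated renderer with the header row below.
NETSCAN_OUTPUT = """Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xa10d1c2e1010\tTCPv4\t192.168.56.101\t49712\t203.0.113.10\t443\tESTABLISHED\t4124\tbrave.exe\t2022-05-14 21:24:46.000000
0xa10d1c2e2020\tTCPv4\t192.168.56.101\t49713\t198.51.100.7\t80\tCLOSED\t4124\tbrave.exe\t2022-05-14 21:24:50.000000
0xa10d1c2e3030\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t892\tsvchost.exe\t2022-05-14 20:58:01.000000
0xa10d1c2e4040\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t1440\tsvchost.exe\t2022-05-14 20:58:05.000000
0xa10d1c2e5050\tTCPv4\t192.168.56.101\t49720\t192.168.56.1\t445\tESTABLISHED\t4\tSystem\t2022-05-14 21:30:12.000000
"""

# Same constructed machine as seen by netstat: the CLOSED connection, which
# netscan carved from freed pool memory, is no longer in the live structures.
NETSTAT_OUTPUT = """Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xa10d1c2e1010\tTCPv4\t192.168.56.101\t49712\t203.0.113.10\t443\tESTABLISHED\t4124\tbrave.exe\t2022-05-14 21:24:46.000000
0xa10d1c2e3030\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t892\tsvchost.exe\t2022-05-14 20:58:01.000000
0xa10d1c2e4040\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t1440\tsvchost.exe\t2022-05-14 20:58:05.000000
0xa10d1c2e5050\tTCPv4\t192.168.56.101\t49720\t192.168.56.1\t445\tESTABLISHED\t4\tSystem\t2022-05-14 21:30:12.000000
"""

# Address ranges that never need an AS lookup (RFC 1918, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def parse_vol_table(text):
    """Turn tab-separated vol output into a list of dicts keyed by column name.
    Splitting on tabs keeps empty fields (e.g. the blank State of UDP rows)."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def connection_key(row):
    """Identity of a connection independent of its pool offset."""
    return (row["Proto"], row["LocalAddr"], row["LocalPort"],
            row["ForeignAddr"], row["ForeignPort"], row["State"])


def diff_connections(scan_rows, stat_rows):
    """Rows present in netscan output but absent from netstat output."""
    live = {connection_key(r) for r in stat_rows}
    return [r for r in scan_rows if connection_key(r) not in live]


def established_public_peers(rows):
    """Foreign IPs of ESTABLISHED connections that are not local ranges."""
    peers = set()
    for r in rows:
        if r["State"] != "ESTABLISHED":
            continue
        addr = ipaddress.ip_address(r["ForeignAddr"])
        if not any(addr in net for net in LOCAL_NETS):
            peers.add(str(addr))
    return sorted(peers)


if __name__ == "__main__":
    scan = parse_vol_table(NETSCAN_OUTPUT)
    stat = parse_vol_table(NETSTAT_OUTPUT)
    print(f"netscan: {len(scan)} rows, netstat: {len(stat)} rows")
    for r in diff_connections(scan, stat):
        print("only in netscan:", connection_key(r), "owner", r["Owner"])
    print("peers to look up:", established_public_peers(scan))
```

Running it on the constructed data shows one connection only netscan saw (the CLOSED one) and a single public peer to take to an AS lookup; on a real image you would feed it the saved output of both plugins.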

6

Dump the process memory with windows.pslist.PsList --pid <pid> --dump; the output directory option -o <outputDir> is optional (it is a global vol option and goes before the plugin name).


Then compute the MD5 with md5sum.

7

Jump to 0x45BE876 in hexeditor.

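Steps 2, 6 and 7 are all byte-level work on large files: hashing the whole image, hashing a dumped process, and reading bytes at a known offset. As an added example (not code from the original writeup), the block below hashes a file incrementally so a multi-gigabyte image never has to be loaded into memory, and reads a slice at an arbitrary offset and formats it the way a hex editor would. The sample dump it writes is constructed (zeros with a marker at a small offset) so the example runs offline; the marker offset and content are assumptions for the demo, not values from the challenge.

```python
import hashlib
import os
import tempfile

# Constructed sample layout: a marker placed at a fixed offset inside zero fill.
# Both values are assumptions for the demo, not the challenge's 0x45BE876.
MARKER_OFFSET = 0x1000
MARKER = b"flag{constructed}"


def hash_bytes(data, algo="sha256"):
    """Hash an in-memory buffer (used for small dumps and known test vectors)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file incrementally in chunk_size pieces.

    Reading in chunks keeps memory flat for multi-GB images; the digest is
    identical to hashing the whole file at once. The speed you see is bound
    by disk read throughput, which is why a VM shared folder feels slow."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def read_at(path, offset, length=16):
    """Return `length` bytes starting at `offset`, like jumping in hexeditor."""
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(length)


def hexdump_line(offset, data):
    """Format one 16-byte-wide hex editor style line: offset, hex, ASCII."""
    hexpart = " ".join(f"{b:02x}" for b in data)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return f"{offset:08x}  {hexpart:<47}  {ascii_part}"


def make_sample_dump(directory=None):
    """Write the constructed sample dump to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dmp", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * MARKER_OFFSET)
        f.write(MARKER)
        f.write(b"\xff" * 0x200)
    return path


if __name__ == "__main__":
    dump = make_sample_dump()
    print("sha256:", hash_file(dump, "sha256"))
    print("md5:   ", hash_file(dump, "md5"))
    print(hexdump_line(MARKER_OFFSET, read_at(dump, MARKER_OFFSET)))
    os.remove(dump)
```

The chunk size only affects memory use and syscall count, never the digest, which the accompanying check verifies by hashing the same file with a deliberately tiny chunk size.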

8

View the process tree with the pstree plugin.

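What pstree does with the pslist rows is a small but useful algorithm: group processes by parent PID, treat any process whose parent is missing from the list (exited parent, or a carved-only process) as a root, and print the tree with one asterisk per depth level. As an added example, not the plugin's own code and not data from the challenge image, the block below builds that tree from constructed (PID, PPID, name) rows and also walks a single process's ancestry, which is the question pstree usually answers in practice (who launched this?).

```python
from collections import defaultdict

# Constructed pslist-style rows (PID, PPID, ImageFileName); not challenge data.
# PID 520's parent (500) and PID 1100's parent (1080) are intentionally absent
# to show how processes with an exited parent are handled.
SAMPLE_PSLIST = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (520, 500, "wininit.exe"),
    (612, 520, "services.exe"),
    (892, 612, "svchost.exe"),
    (1100, 1080, "explorer.exe"),
    (4124, 1100, "brave.exe"),
    (4180, 4124, "brave.exe"),
    (5200, 1100, "notepad.exe"),
]


def build_tree(rows):
    """Return (roots, children): roots are (pid, name) pairs whose parent is
    not in the list; children maps a PID to its (pid, name) children."""
    children = defaultdict(list)
    known = {pid for pid, _, _ in rows}
    roots = []
    for pid, ppid, name in rows:
        if ppid in known and ppid != pid:
            children[ppid].append((pid, name))
        else:
            roots.append((pid, name))  # parent exited or was never listed
    return roots, children


def render_tree(rows):
    """Render the tree as lines in pstree's style: '*' per depth, then PID and name."""
    roots, children = build_tree(rows)
    lines = []

    def walk(pid, name, depth):
        prefix = "*" * depth + (" " if depth else "")
        lines.append(f"{prefix}{pid} {name}")
        for child_pid, child_name in sorted(children[pid]):
            walk(child_pid, child_name, depth + 1)

    for pid, name in sorted(roots):
        walk(pid, name, 0)
    return lines


def ancestry(rows, pid):
    """Chain of (pid, name) from `pid` up to the last listed ancestor.
    The `seen` set guards against PID reuse creating a cycle."""
    by_pid = {p: (pp, n) for p, pp, n in rows}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, name = by_pid[pid]
        chain.append((pid, name))
        pid = ppid
    return chain


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PSLIST)))
    print("ancestry of 4180:", " <- ".join(f"{p}:{n}" for p, n in ancestry(SAMPLE_PSLIST, 4180)))
```

On a real image you would build the rows from pslist (or psscan, to include terminated processes the list walk no longer sees) and look for a process whose ancestry does not match its normal launcher.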

9

Hint

Hint #4:
Use the "windows.cmdline" plugin to list processes' command lines. Check notepad command line. The full path is C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum.

Get the launch arguments with windows.cmdline.


But windows.filescan can't find it at all, not sure why.

10

Hint:

Hint #4:
Use the "windows.registry.userassist" plugin to list userassist keys and search for brave. The usage time is 04:01:54.


As shown.

DOT

Commonly used vol plugins

  • layerwriter.LayerWriter

    • Runs the automagics and writes out the primary layer produced by the stacker.
  • timeliner.Timeliner

    • Runs all relevant plugins that provide time related information and orders the results by time.
  • windows.bigpools.BigPools

    • List big page pools.
  • windows.callbacks.Callbacks

    • Lists kernel callbacks and notification routines.
  • windows.cmdline.CmdLine

    • Lists process command line arguments.
  • windows.crashinfo.Crashinfo
  • windows.dlllist.DllList

    • Lists the loaded modules in a particular windows memory image.
  • windows.driverirp.DriverIrp

    • List IRPs for drivers in a particular windows memory image.
  • windows.driverscan.DriverScan

    • Scans for drivers present in a particular windows memory image.
  • windows.dumpfiles.DumpFiles

    • Dumps cached file contents from Windows memory samples.
  • windows.envars.Envars

    • Display process environment variables
  • windows.filescan.FileScan

    • Scans for file objects present in a particular windows memory image.
  • windows.getservicesids.GetServiceSIDs

    • Lists process token sids.
  • windows.getsids.GetSIDs

    • Print the SIDs owning each process
  • windows.handles.Handles

    • Lists process open handles.
  • windows.info.Info

    • Show OS & kernel details of the memory sample being analyzed.
  • windows.malfind.Malfind

    • Lists process memory ranges that potentially contain injected code.
  • windows.memmap.Memmap

    • Prints the memory map
  • windows.modscan.ModScan

    • Scans for modules present in a particular windows memory image.
  • windows.modules.Modules

    • Lists the loaded kernel modules.
  • windows.mutantscan.MutantScan

    • Scans for mutexes present in a particular windows memory image.
  • windows.netscan.NetScan

    • Scans for network objects present in a particular windows memory image.
  • windows.netstat.NetStat

    • Traverses network tracking structures present in a particular windows memory image.
  • windows.poolscanner.PoolScanner

    • A generic pool scanner plugin.
  • windows.privileges.Privs

    • Lists process token privileges
  • windows.pslist.PsList

    • Lists the processes present in a particular windows memory image.
  • windows.psscan.PsScan

    • Scans for processes present in a particular windows memory image.
  • windows.pstree.PsTree

    • Plugin for listing processes in a tree based on their parent process ID.
  • windows.registry.certificates.Certificates

    • Lists the certificates in the registry's Certificate Store.
  • windows.registry.hivelist.HiveList

    • Lists the registry hives present in a particular memory image.
  • windows.registry.hivescan.HiveScan

    • Scans for registry hives present in a particular windows memory image.
  • windows.registry.printkey.PrintKey

    • Lists the registry keys under a hive or specific key value.
  • windows.registry.userassist.UserAssist

    • Print userassist registry keys and information.
  • windows.skeleton_key_check.Skeleton_Key_Check

    • Looks for signs of Skeleton Key malware
  • windows.ssdt.SSDT

    • Lists the system call table.
  • windows.statistics.Statistics
  • windows.strings.Strings

    • Reads output from the strings command and indicates which process(es) each string belongs to.
  • windows.svcscan.SvcScan

    • Scans for windows services.
  • windows.symlinkscan.SymlinkScan

    • Scans for links present in a particular windows memory image.
  • windows.vadinfo.VadInfo

    • Lists process memory ranges.
  • windows.vadyarascan.VadYaraScan

    • Scans all the Virtual Address Descriptor memory maps using yara.
  • windows.verinfo.VerInfo

    • Lists version information from PE files.
  • windows.virtmap.VirtMap

    • Lists virtual mapped sections.
  • yarascan.YaraScan

    • Scans kernel memory using yara rules (string or file).

FQDN

A fully qualified domain name (Chinese: 完全合格域名, also rendered 完全资格域名 or 完整领域名称), abbreviated FQDN and also called an absolute domain name[1], is a kind of domain name that specifies one exact position in the Domain Name System (DNS) tree. A fully qualified domain name contains every domain level, including the top-level domain and the root domain. The name comes from the fact that it leaves no ambiguity: it can be resolved in only one way. FQDNs arose because the Internet needed a uniform way of identifying hosts, and their use grew rapidly in the late 1980s.


Tree diagram of a fully qualified domain name

A fully qualified domain name consists of two parts, the hostname and the parent domain name. For example, if a server's local hostname is myhost and its parent domain is example.com., then the FQDN pointing to that server is myhost.example.com.. Although many servers in the world may have the local hostname myhost, myhost.example.com. is unique, so the FQDN identifies that particular server.

