View difference between Paste ID: <a href="/3KUFgjbp">3KUFgjbp</a> and <a href="/sFj0vQiN">sFj0vQiN</a> - Pastebin.com

View difference between Paste ID: 3KUFgjbp and sFj0vQiN

SHOW: | | - or go back to the newest paste.

root@remnux:~/unixfreaxjp# uname -a; date
Linux remnux 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
Mon Apr 23 09:24:54 EDT 2012

# This is my private note for testing Remnux3.0's Volatile.
# Be free to take a look for your reference too, hope will
# be helpful. - unixfreaxjp -

/* Took the below snapshot to take the RAT nsapshot of memory
 * by win32dd */
=============================================================
C:\>win32dd /f ./test.dmp
=============================================================
  win32dd - 1.3.1.20100417 - (Community Edition)
  Kernel land physical memory acquisition
  Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
  Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>

    Name                        Value
    ----                        -----
    File type:                  Raw memory dump file
    Acquisition method:         PFN Mapping
    Content:                    Memory manager physical memory block

    Destination path:           ./test.dmp

    O.S. Version:               Microsoft Windows XP Professional Service Pack 1 (build 2600)
    Computer name:              UNIXFREAXJP-RAT

    Physical memory in use:         58%
    Physical memory size:        776624 Kb (    758 Mb)
    Physical memory available:   323368 Kb (    315 Mb)

    Paging file size:           1758228 Kb (   1717 Mb)
    Paging file available:      1357412 Kb (   1325 Mb)

    Virtual memory size:        2097024 Kb (   2047 Mb)
    Virtual memory available:   2082668 Kb (   2033 Mb)

    Extented memory available:        0 Kb (      0 Mb)

    Physical page size:         4096 bytes
    Minimum physical address:   0x0000000000002000
    Maximum physical address:   0x000000002F6DF000

    Address space size:         795738112 bytes ( 777088 Kb)

    --> Are you sure you want to continue? [y/n] y

    Acquisition started at:     [23/4/2012 (DD/MM/YYYY) 11:13:7 (UTC)]

    Processing....Done.

    Acquisition finished at:  [2012-04-23 (YYYY-MM-DD) 11:14:15 (UTC)]
    Time elapsed:             1:08 minutes:seconds (68 secs)

    Created file size:          795738112 bytes (    758 Mb)

    NtStatus (troubleshooting):   0x00000000
    Total of written pages:        194173
    Total of inacessible pages:         0
    Total of accessible pages:     194173

    Physical memory in use:         58%
    Physical memory size:        776624 Kb (    758 Mb)
    Physical memory available:   319472 Kb (    311 Mb)

    Paging file size:           1758228 Kb (   1717 Mb)
    Paging file available:      1353564 Kb (   1321 Mb)

    Virtual memory size:        2097024 Kb (   2047 Mb)
    Virtual memory available:   2082668 Kb (   2033 Mb)

    Extented memory available:        0 Kb (      0 Mb)

    Physical page size:         4096 bytes
    Minimum physical address:   0x0000000000002000
    Maximum physical address:   0x000000002F6DF000

    Address space size:         795738112 bytes ( 777088 Kb)



/* Volatile  */



=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp imageinfo
=============================================================
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/media/linux/home/unixfreaxjp/test.dmp)
                      PAE type : No PAE
                           DTB : 0x39000
                          KDBG : 0x805407e0L
                          KPCR : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-04-23 11:13:07
     Image local date and time : 2012-04-23 11:13:07
          Number of Processors : 1
                    Image Type : Service Pack 1
root@remnux:~/unixfreaxjp#


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pslist -P
=============================================================
 Offset(P)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x037c87c8 System                    4      0     56    295 1970-01-01 00:00:00
0x035d2998 smss.exe                640      4      3     21 2012-04-23 07:07:52
0x035efda8 csrss.exe               696    640     13    497 2012-04-23 07:07:57
0x035ccda8 winlogon.exe            720    640     19    516 2012-04-23 07:08:00
0x030bada8 services.exe            764    720     16    298 2012-04-23 07:08:05
0x030f3ba0 lsass.exe               776    720     19    325 2012-04-23 07:08:05
0x030a8998 ibmpmsvc.exe            920    764      4     36 2012-04-23 07:08:09
0x03096998 svchost.exe            1000    764     11    237 2012-04-23 07:08:26
0x03046380 svchost.exe            1036    764     86   1351 2012-04-23 07:08:27
0x0303cda8 ACS.EXE                1164    764     15    188 2012-04-23 07:08:27
0x03025380 svchost.exe            1296    764      8     86 2012-04-23 07:08:33
0x03021bb0 svchost.exe            1352    764     19    156 2012-04-23 07:08:35
0x032e1da8 spoolsv.exe            1728    764     16    196 2012-04-23 07:08:39
0x032dcba0 rrpcsb.exe             1844    764      4    103 2012-04-23 07:08:40
0x03267da8 python.exe              148   1844      0 ------ 2012-04-23 07:08:43
0x0326cda8 conime.exe              212    148      1     34 2012-04-23 07:08:44
0x032c7958 PGPserv.exe             292    764      6    111 2012-04-23 07:08:46
0x032629e8 QCONSVC.EXE             416    764      3     55 2012-04-23 07:08:48
0x032c2da8 svchost.exe             472    764      5    108 2012-04-23 07:08:48
0x0325d958 wdfmgr.exe              492    764      4     58 2012-04-23 07:08:48
0x02e7b348 python.exe             1096   1844      0 ------ 2012-04-23 07:08:51
0x0304f020 CAPRPCSK.EXE           1608   1728      1     15 2012-04-23 07:10:40
0x032ae9c0 CAPPSWK.EXE            1624   1728      0 ------ 2012-04-23 07:10:40
0x03747668 CAPPSWK.EXE            1896   1624      3     83 2012-04-23 07:10:42
0x02e79b30 rbmonitor.exe          1936   1036      7    195 2012-04-23 07:19:57
0x03118020 explorer.exe           1464   1156     13    783 2012-04-23 07:19:58
0x02e829b8 tp4serv.exe            1584   1464      3     41 2012-04-23 07:20:09
0x03074020 igfxtray.exe           1620   1464      1     68 2012-04-23 07:20:09
0x03247470 hkcmd.exe               312   1464      2     76 2012-04-23 07:20:10
0x03053020 TpShocks.exe           1056   1464      2     36 2012-04-23 07:20:11
0x036e0da8 TPHKMGR.exe             608   1464      5    120 2012-04-23 07:20:12
0x02e449a0 rundll32.exe           1292   1464      2     35 2012-04-23 07:20:12
0x03261020 TPONSCR.exe            1104    608      1     28 2012-04-23 07:20:14
0x0301d818 TpScrex.exe            1184    608      1     28 2012-04-23 07:20:14
0x02e71570 ibmprc.exe             1144   1464      2     27 2012-04-23 07:20:14
0x036d0598 rundll32.exe           1188   1464      1     45 2012-04-23 07:20:14
0x036d4020 ctfmon.exe             2020   1464      1     56 2012-04-23 07:20:18
0x02e379b8 WDSM.exe                180   1464      1    103 2012-04-23 07:20:19
0x03211818 Maruo.exe              2252   1464      1     28 2012-04-23 07:20:33
0x032dbc58 Maruo.exe              2348   2252      1     31 2012-04-23 07:20:38
0x031d15a0 firefox.exe            3916   1464     34    807 2012-04-23 08:28:05
0x031ec020 putty.exe              2356   1464      5     87 2012-04-23 11:02:04
0x02c54020 Maruo.exe              2360   1464      1     74 2012-04-23 11:05:23
0x031c49c8 cmd.exe                3408   1464      1     20 2012-04-23 11:07:23
0x02c74020 win32dd.exe            3372   3408      1     23 2012-04-23 11:12:54

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pstree
=============================================================
Name                                        Pid    PPid   Thds   Hnds   Time
 0x83BC87C8:System                               4      0     56    295 1970-01-01 00:00:00
. 0x839D2998:smss.exe                          640      4      3     21 2012-04-23 07:07:52
.. 0x839EFDA8:csrss.exe                        696    640     13    497 2012-04-23 07:07:57
.. 0x839CCDA8:winlogon.exe                     720    640     19    516 2012-04-23 07:08:00
... 0x834F3BA0:lsass.exe                       776    720     19    325 2012-04-23 07:08:05
... 0x834BADA8:services.exe                    764    720     16    298 2012-04-23 07:08:05
.... 0x8343CDA8:ACS.EXE                       1164    764     15    188 2012-04-23 07:08:27
.... 0x83425380:svchost.exe                   1296    764      8     86 2012-04-23 07:08:33
.... 0x834A8998:ibmpmsvc.exe                   920    764      4     36 2012-04-23 07:08:09
.... 0x836629E8:QCONSVC.EXE                    416    764      3     55 2012-04-23 07:08:48
.... 0x836C7958:PGPserv.exe                    292    764      6    111 2012-04-23 07:08:46
.... 0x836DCBA0:rrpcsb.exe                    1844    764      4    103 2012-04-23 07:08:40
..... 0x83667DA8:python.exe                    148   1844      0 ------ 2012-04-23 07:08:43
...... 0x8366CDA8:conime.exe                   212    148      1     34 2012-04-23 07:08:44
..... 0x8327B348:python.exe                   1096   1844      0 ------ 2012-04-23 07:08:51
.... 0x836E1DA8:spoolsv.exe                   1728    764     16    196 2012-04-23 07:08:39
..... 0x836AE9C0:CAPPSWK.EXE                  1624   1728      0 ------ 2012-04-23 07:10:40
...... 0x83B47668:CAPPSWK.EXE                 1896   1624      3     83 2012-04-23 07:10:42
..... 0x8344F020:CAPRPCSK.EXE                 1608   1728      1     15 2012-04-23 07:10:40
.... 0x83421BB0:svchost.exe                   1352    764     19    156 2012-04-23 07:08:35
.... 0x83446380:svchost.exe                   1036    764     86   1351 2012-04-23 07:08:27
..... 0x83279B30:rbmonitor.exe                1936   1036      7    195 2012-04-23 07:19:57
.... 0x836C2DA8:svchost.exe                    472    764      5    108 2012-04-23 07:08:48
.... 0x83496998:svchost.exe                   1000    764     11    237 2012-04-23 07:08:26
.... 0x8365D958:wdfmgr.exe                     492    764      4     58 2012-04-23 07:08:48
 0x83518020:explorer.exe                      1464   1156     13    783 2012-04-23 07:19:58
. 0x832449A0:rundll32.exe                     1292   1464      2     35 2012-04-23 07:20:12
. 0x83647470:hkcmd.exe                         312   1464      2     76 2012-04-23 07:20:10
. 0x832829B8:tp4serv.exe                      1584   1464      3     41 2012-04-23 07:20:09
. 0x832379B8:WDSM.exe                          180   1464      1    103 2012-04-23 07:20:19
. 0x835D15A0:firefox.exe                      3916   1464     34    807 2012-04-23 08:28:05
. 0x83453020:TpShocks.exe                     1056   1464      2     36 2012-04-23 07:20:11
. 0x83611818:Maruo.exe                        2252   1464      1     28 2012-04-23 07:20:33
.. 0x836DBC58:Maruo.exe                       2348   2252      1     31 2012-04-23 07:20:38
. 0x83AD0598:rundll32.exe                     1188   1464      1     45 2012-04-23 07:20:14
. 0x83054020:Maruo.exe                        2360   1464      1     74 2012-04-23 11:05:23
. 0x83AE0DA8:TPHKMGR.exe                       608   1464      5    120 2012-04-23 07:20:12
.. 0x83661020:TPONSCR.exe                     1104    608      1     28 2012-04-23 07:20:14
.. 0x8341D818:TpScrex.exe                     1184    608      1     28 2012-04-23 07:20:14
. 0x83AD4020:ctfmon.exe                       2020   1464      1     56 2012-04-23 07:20:18
. 0x835C49C8:cmd.exe                          3408   1464      1     20 2012-04-23 11:07:23
.. 0x83074020:win32dd.exe                     3372   3408      1     23 2012-04-23 11:12:54
. 0x835EC020:putty.exe                        2356   1464      5     87 2012-04-23 11:02:04
. 0x83271570:ibmprc.exe                       1144   1464      2     27 2012-04-23 07:20:14
. 0x83474020:igfxtray.exe                     1620   1464      1     68 2012-04-23 07:20:09


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 dlllist
=============================================================
  :
  :
cmd.exe pid:   3408
Command line : "C:\WINDOWS\system32\cmd.exe"
Service Pack 1

Base         Size         Path
0x4ad00000   0x076000     C:\WINDOWS\system32\cmd.exe
0x77f50000   0x0a7000     C:\WINDOWS\System32\ntdll.dll
0x77e20000   0x124000     C:\WINDOWS\system32\kernel32.dll
0x77bc0000   0x053000     C:\WINDOWS\system32\msvcrt.dll
0x77cf0000   0x08c000     C:\WINDOWS\system32\USER32.dll
0x7f000000   0x042000     C:\WINDOWS\system32\GDI32.dll
0x77d80000   0x09b000     C:\WINDOWS\system32\ADVAPI32.dll
0x78000000   0x087000     C:\WINDOWS\system32\RPCRT4.dll
0x762e0000   0x01c000     C:\WINDOWS\System32\IMM32.DLL
0x60740000   0x008000     C:\WINDOWS\system32\LPK.DLL
0x72ef0000   0x05a000     C:\WINDOWS\system32\USP10.dll
0x10000000   0x00d000     C:\WINDOWS\system32\OCMAPIHK.DLL
0x75e90000   0x01e000     C:\WINDOWS\system32\Apphelp.dll
************************************************************************
win32dd.exe pid:   3372
Command line : win32dd /f ./test.dmp
Service Pack 1

Base         Size         Path
0x00400000   0x01a000     C:\transit\@@DEV\@@@ANALYST\moonsols\win32dd.exe
0x77f50000   0x0a7000     C:\WINDOWS\System32\ntdll.dll
0x77e20000   0x124000     C:\WINDOWS\system32\kernel32.dll
0x77cf0000   0x08c000     C:\WINDOWS\system32\USER32.dll
0x7f000000   0x042000     C:\WINDOWS\system32\GDI32.dll
0x77d80000   0x09b000     C:\WINDOWS\system32\ADVAPI32.dll
0x78000000   0x087000     C:\WINDOWS\system32\RPCRT4.dll
0x719e0000   0x014000     C:\WINDOWS\System32\WS2_32.dll
0x77bc0000   0x053000     C:\WINDOWS\system32\msvcrt.dll
0x719d0000   0x008000     C:\WINDOWS\System32\WS2HELP.dll
0x74a10000   0x007000     C:\WINDOWS\System32\POWRPROF.dll
0x762e0000   0x01c000     C:\WINDOWS\System32\IMM32.DLL
0x60740000   0x008000     C:\WINDOWS\System32\LPK.DLL
0x72ef0000   0x05a000     C:\WINDOWS\System32\USP10.dll
0x10000000   0x00d000     C:\WINDOWS\System32\OCMAPIHK.DLL


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connections -P
=============================================================
 Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
root@remnux:~/unixfreaxjp#

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockets -P
=============================================================
 Offset(P)  PID    Port   Proto               Address        Create Time
---------- ------ ------ ------------------- -------------- --------------------------


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockscan
=============================================================
 Offset     PID    Port   Proto               Address        Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0x0b3b7be4 945014  17774  25185 -              116.105.111.110    -


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connscan
=============================================================
 Offset     Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x02c36008 192.168.7.2:1473          173.194.38.106:80           3916
0x02c582a8 192.168.7.2:1234          173.194.38.97:80          45219846
0x02e1fae0 192.168.7.2:1268          173.194.38.102:443          3916
0x02e22aa0 192.168.7.2:1126          199.59.148.87:443           3916
0x02e3c9d0 192.168.7.2:1201          173.236.192.217:80          3916
0x02e53838 192.168.7.2:1408          192.168.7.1:22              2356
0x02efc008 192.168.7.2:1186          74.125.235.133:443          3916
0x02f71008 192.168.7.2:1471          207.171.189.80:80           3916
0x02f9d008 192.168.7.2:1460          199.59.150.41:443           3916
0x02fc0008 192.168.7.2:1470          207.171.189.80:80           3916
0x0301f1c8 192.168.7.2:1480          199.59.150.9:443            3916
0x030e1e08 127.0.0.1:1085            127.0.0.1:1087              3916
0x0316ee60 192.168.7.2:1457          74.125.235.145:443          3916
0x03175ac0 192.168.7.2:1477          199.59.150.41:443           3916
0x031dd958 0.0.0.0:55919             0.0.0.0:21157             34056384
0x032781c8 192.168.7.2:1454          173.194.38.118:443          3916
0x0328fc20 192.168.7.2:1479          173.194.38.118:443          3916
0x032a3bf0 127.0.0.1:1087            127.0.0.1:1085              3916


=============================================================
root@remnux:~/unixfreaxjp# mkdir dumpdir
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 procmemdump -p3916 -D./dumpdir
=============================================================
************************************************************************
Dumping firefox.exe, pid:   3916 output: executable.3916.exe

=============================================================
root@remnux:~/unixfreaxjp# file ./dumpdir/executable.3916.exe
=============================================================
./dumpdir/executable.3916.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memdump -p1296 -D ./dumpdir
=============================================================
************************************************************************
Writing svchost.exe [  1296] to 1296.dmp

=============================================================
root@remnux:~/unixfreaxjp# strings -a ./dumpdir/1296.dmp
=============================================================
u.;5|
SVWUj
]_^[
t.;t$$t(
VWumh
wLVWP
FVWS
 :
 :
 
=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memmap
=============================================================
0x0080281000 0x0000281000 0x000000001000
0x0080282000 0x0000282000 0x000000001000
0x0080283000 0x0000283000 0x000000001000
0x0080284000 0x0000284000 0x000000001000
0x0080285000 0x0000285000 0x000000001000
  :
  :
  
=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 volshell
=============================================================
Current context: process System, pid=4, ppid=0 DTB=0x39000
Welcome to volshell! Current memory image is:
file:///media/linux/home/unixfreaxjp/test.dmp
To get help, type 'hh()'
>>>
>>> hh()
ps()                                     : Print a process listing.
cc(offset=None, pid=None, name=None)     : Change current shell context.
dd(address, length=128, space=None)      : Print dwords at address.
db(address, length=128, width=16, space=None) : Print bytes as canonical hexdump.
hh(cmd=None)                             : Get help on a command.
dt(objct, address=None)                  : Describe an object or show type info.
list_entry(head, objname, offset=-1, fieldname=None, forward=True) : Traverse a _LIST_ENTRY.
dis(address, length=128, space=None)     : Disassemble code at a given address.

For help on a specific command, type 'hh(<command>)'
  


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 malfind -D ./dumpdir/
=============================================================
Name                 Pid    Start      End        Tag      Hits   Protect

firefox.exe          3916   0x02040000 0x2040fff0 VadS     0      PAGE_EXECUTE_READWRITE
Dumped to: ./dumpdir/firefox.exe.31d15a0.02040000-02040fff.dmp
0x02040000   1b 6f f5 77 68 58 02 00 00 e9 12 6f f1 75 00 00    .o.whX.....o.u..
0x02040010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0x02040020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0x02040030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0x02040040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0x02040050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0x02040060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0x02040070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

Disassembly:
02040000: 1b6ff5                           SBB EBP, [EDI-0xb]
02040003: 7768                             JA 0x204006d
02040005: 58                               POP EAX
02040006: 0200                             ADD AL, [EAX]
02040008: 00e9                             ADD CL, CH
0204000a: 126ff1                           ADC CH, [EDI-0xf]
0204000d: 7500                             JNZ 0x204000f
0204000f: 0000                             ADD [EAX], AL
02040011: 0000                             ADD [EAX], AL
02040013: 0000                             ADD [EAX], AL

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivescan
=============================================================
Offset          (hex)
63426568        0x03c7d008
63458144        0x03c84b60
71756640        0x0446eb60
100591960       0x05fee958
115226456       0x06de3758
115443544       0x06e18758
117456904       0x07004008
200962056       0x0bfa7008
205273952       0x0c3c3b60
212844552       0x0cafc008
219321368       0x0d129418
380906336       0x16b42b60
381963104       0x16c44b60

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivelist
=============================================================
Virtual     Physical    Name
0xe16d6b60  0x16b42b60  \Device\HarddiskVolume1\Documents and Settings\kaspersky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe16deb60  0x16c44b60  \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT
0xe1377418  0x0d129418  \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe12d3b60  0x0c3c3b60  \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe11c4008  0x0bfa7008  \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1318008  0x0cafc008  \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1a43758  0x06e18758  \Device\HarddiskVolume1\WINDOWS\system32\config\SOFTWARE
0xe1a3a758  0x06de3758  \Device\HarddiskVolume1\WINDOWS\system32\config\DEFAULT
0xe1a41008  0x07004008  \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1987958  0x05fee958  \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe181cb60  0x0446eb60  [no name]
0xe1036b60  0x03c84b60  \Device\HarddiskVolume1\WINDOWS\system32\config\SYSTEM
0xe102e008  0x03c7d008  [no name]
0x8066ab1c  0x0066ab1c  [no name]

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 printkey
=============================================================

Values:
----------------------------
Registry: [no name]
Key name: REGISTRY (S)
Last updated: 2012-04-23 07:07:40

Subkeys:
  (S) MACHINE
  (S) USER

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: S-1-5-19_Classes (S)
Last updated: 2003-02-27 12:01:19

Subkeys:
  (S) Network
  (S) Software

Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
Key name: SECURITY (S)
Last updated: 2012-04-23 07:07:57

Subkeys:
  (S) Cache
  (S) Policy
  (S) RXACT
  (V) SAM

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT
Key name: $$$PROTO.HIV (S)
Last updated: 2012-04-23 07:21:34

Subkeys:
  (S) AppEvents
  (S) Applications
  (S) Console
  (S) Control Panel
  (S) DefaultScope
  (S) Environment
  (S) EUDC
  (S) Identities
  (S) Keyboard Layout
  (S) Network
  (S) NodeEventQuery
  (S) pmtest
  (S) Printers
  (S) RemoteAccess
  (S) Software
  (S) UNICODE Program Groups
  (S) Windows 3.1 Migration Status
  (V) SessionInformation
  (V) Volatile Environment

=====================
PLUGIN LISTS
=====================

apihooks        [MALWARE] Find API hooks
bioskbd         Reads the keyboard buffer from Real Mode memory
callbacks       [MALWARE] Print system-wide notification routines
connections     Print list of open connections [Windows XP Only]
connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
crashinfo       Dump crash-dump information
datetime        A simple example plugin that gets the date/time information from a Windows image
devicetree      [MALWARE] Show device tree
dlldump         Dump DLLs from a process address space
dlllist         Print list of loaded dlls for each process
driverirp       [MALWARE] Driver IRP hook detection
driverscan      Scan for driver objects _DRIVER_OBJECT
evtlogs         Extract Windows Event Logs (XP/2K3 only)
filescan        Scan Physical memory for _FILE_OBJECT pool allocations
gdt             [MALWARE] Display Global Descriptor Table
getservicesids  Get the names of services in the Registry and return Calculated SID
getsids         Print the SIDs owning each process
handles         Print list of open handles for each process
hashdump        Dumps passwords hashes (LM/NTLM) from memory
hibinfo         Dump hibernation file information
hivedump        Prints out a hive
hivelist        Print list of registry hives.
hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
idt             [MALWARE] Display Interrupt Descriptor Table
imagecopy       Copies a physical address space out as a raw DD image
imageinfo       Identify information for the image
impscan         [MALWARE] Scan a module for imports (API calls)
inspectcache    Inspect the contents of a cache
kdbgscan        Search for and dump potential KDBG values
kpcrscan        Search for and dump potential KPCR values
ldrmodules      [MALWARE] Detect unlinked DLLs
lsadump         Dump (decrypted) LSA secrets from the registry
malfind         [MALWARE] Find hidden and injected code
memdump         Dump the addressable memory for a process
memmap          Print the memory map
moddump         Dump a kernel driver to an executable file sample
modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules         Print list of loaded modules
mutantscan      Scan for mutant objects _KMUTANT
netscan         Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher         Patches memory based on page scans
printkey        Print a registry key, and its subkeys and values
procexedump     Dump a process to an executable file sample
procmemdump     Dump a process to an executable memory sample
psdispscan      Scan Physical memory for _EPROCESS objects based on their Dispatch Headers
pslist          print all running processes by following the EPROCESS lists
psscan          Scan Physical memory for _EPROCESS pool allocations
pstree          Print process list as a tree
psxview         [MALWARE] Find hidden processes with various process listings
registryapi     A wrapper several highly used Registry functions and w/a Timeline component
sockets         Print list of open sockets
sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt            Display SSDT entries
ssdt_ex         [MALWARE] SSDT Hook Explorer for IDA Pro (and SSDT by thread)
strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan         [MALWARE] Scan for Windows services
testsuite       Run unit test suit using the Cache
------
ZeroDay Japan http://0day.jp
OPERATION CLEANUP JAPAN | #OCJP
Analyst: Hendunixfreaxjp ADRIAN アドリアン・ヘンドリック 
Analyst: Hendrik ADRIAN アドリアン・ヘンドリック 
Malware Researcher VT/ twitter/google: @unixfreaxjp
sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com

Public Pastes

Untitled
14 min ago | 14.07 KB
Untitled
2 hours ago | 14.87 KB
Untitled
4 hours ago | 15.21 KB
Untitled
6 hours ago | 15.29 KB
Untitled
8 hours ago | 15.87 KB
Untitled
10 hours ago | 13.65 KB
Untitled
12 hours ago | 11.13 KB
Hytale Launcher Lutris Log
12 hours ago | 4.18 KB