root@remnux:~/unixfreaxjp# uname -a; date
Linux remnux 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
Mon Apr 23 09:24:54 EDT 2012

# This is my private note for testing Remnux3.0's Volatile.
# Feel free to take a look for your reference too, hope it will
# be helpful. - unixfreaxjp -

/* Took the snapshot below to take the RAT snapshot of memory
 * by win32dd */
=============================================================
C:\>win32dd /f ./test.dmp
=============================================================
win32dd - 1.3.1.20100417 - (Community Edition)
Kernel land physical memory acquisition
Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>

Name Value
---- -----
File type: Raw memory dump file
Acquisition method: PFN Mapping
Content: Memory manager physical memory block

Destination path: ./test.dmp

O.S. Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)
Computer name: UNIXFREAXJP-RAT

Physical memory in use: 58%
Physical memory size: 776624 Kb ( 758 Mb)
Physical memory available: 323368 Kb ( 315 Mb)

Paging file size: 1758228 Kb ( 1717 Mb)
Paging file available: 1357412 Kb ( 1325 Mb)

Virtual memory size: 2097024 Kb ( 2047 Mb)
Virtual memory available: 2082668 Kb ( 2033 Mb)

Extented memory available: 0 Kb ( 0 Mb)

Physical page size: 4096 bytes
Minimum physical address: 0x0000000000002000
Maximum physical address: 0x000000002F6DF000

Address space size: 795738112 bytes ( 777088 Kb)

--> Are you sure you want to continue? [y/n] y

Acquisition started at: [23/4/2012 (DD/MM/YYYY) 11:13:7 (UTC)]

Processing....Done.

Acquisition finished at: [2012-04-23 (YYYY-MM-DD) 11:14:15 (UTC)]
Time elapsed: 1:08 minutes:seconds (68 secs)

Created file size: 795738112 bytes ( 758 Mb)

NtStatus (troubleshooting): 0x00000000
Total of written pages: 194173
Total of inacessible pages: 0
Total of accessible pages: 194173

Physical memory in use: 58%
Physical memory size: 776624 Kb ( 758 Mb)
Physical memory available: 319472 Kb ( 311 Mb)

Paging file size: 1758228 Kb ( 1717 Mb)
Paging file available: 1353564 Kb ( 1321 Mb)

Virtual memory size: 2097024 Kb ( 2047 Mb)
Virtual memory available: 2082668 Kb ( 2033 Mb)

Extented memory available: 0 Kb ( 0 Mb)

Physical page size: 4096 bytes
Minimum physical address: 0x0000000000002000
Maximum physical address: 0x000000002F6DF000

Address space size: 795738112 bytes ( 777088 Kb)


/* Volatile */


=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp imageinfo
=============================================================
Determining profile based on KDBG search...

Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/media/linux/home/unixfreaxjp/test.dmp)
PAE type : No PAE
DTB : 0x39000
KDBG : 0x805407e0L
KPCR : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-04-23 11:13:07
Image local date and time : 2012-04-23 11:13:07
Number of Processors : 1
Image Type : Service Pack 1
root@remnux:~/unixfreaxjp#

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pslist -P
=============================================================
Offset(P) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x037c87c8 System 4 0 56 295 1970-01-01 00:00:00
0x035d2998 smss.exe 640 4 3 21 2012-04-23 07:07:52
0x035efda8 csrss.exe 696 640 13 497 2012-04-23 07:07:57
0x035ccda8 winlogon.exe 720 640 19 516 2012-04-23 07:08:00
0x030bada8 services.exe 764 720 16 298 2012-04-23 07:08:05
0x030f3ba0 lsass.exe 776 720 19 325 2012-04-23 07:08:05
0x030a8998 ibmpmsvc.exe 920 764 4 36 2012-04-23 07:08:09
0x03096998 svchost.exe 1000 764 11 237 2012-04-23 07:08:26
0x03046380 svchost.exe 1036 764 86 1351 2012-04-23 07:08:27
0x0303cda8 ACS.EXE 1164 764 15 188 2012-04-23 07:08:27
0x03025380 svchost.exe 1296 764 8 86 2012-04-23 07:08:33
0x03021bb0 svchost.exe 1352 764 19 156 2012-04-23 07:08:35
0x032e1da8 spoolsv.exe 1728 764 16 196 2012-04-23 07:08:39
0x032dcba0 rrpcsb.exe 1844 764 4 103 2012-04-23 07:08:40
0x03267da8 python.exe 148 1844 0 ------ 2012-04-23 07:08:43
0x0326cda8 conime.exe 212 148 1 34 2012-04-23 07:08:44
0x032c7958 PGPserv.exe 292 764 6 111 2012-04-23 07:08:46
0x032629e8 QCONSVC.EXE 416 764 3 55 2012-04-23 07:08:48
0x032c2da8 svchost.exe 472 764 5 108 2012-04-23 07:08:48
0x0325d958 wdfmgr.exe 492 764 4 58 2012-04-23 07:08:48
0x02e7b348 python.exe 1096 1844 0 ------ 2012-04-23 07:08:51
0x0304f020 CAPRPCSK.EXE 1608 1728 1 15 2012-04-23 07:10:40
0x032ae9c0 CAPPSWK.EXE 1624 1728 0 ------ 2012-04-23 07:10:40
0x03747668 CAPPSWK.EXE 1896 1624 3 83 2012-04-23 07:10:42
0x02e79b30 rbmonitor.exe 1936 1036 7 195 2012-04-23 07:19:57
0x03118020 explorer.exe 1464 1156 13 783 2012-04-23 07:19:58
0x02e829b8 tp4serv.exe 1584 1464 3 41 2012-04-23 07:20:09
0x03074020 igfxtray.exe 1620 1464 1 68 2012-04-23 07:20:09
0x03247470 hkcmd.exe 312 1464 2 76 2012-04-23 07:20:10
0x03053020 TpShocks.exe 1056 1464 2 36 2012-04-23 07:20:11
0x036e0da8 TPHKMGR.exe 608 1464 5 120 2012-04-23 07:20:12
0x02e449a0 rundll32.exe 1292 1464 2 35 2012-04-23 07:20:12
0x03261020 TPONSCR.exe 1104 608 1 28 2012-04-23 07:20:14
0x0301d818 TpScrex.exe 1184 608 1 28 2012-04-23 07:20:14
0x02e71570 ibmprc.exe 1144 1464 2 27 2012-04-23 07:20:14
0x036d0598 rundll32.exe 1188 1464 1 45 2012-04-23 07:20:14
0x036d4020 ctfmon.exe 2020 1464 1 56 2012-04-23 07:20:18
0x02e379b8 WDSM.exe 180 1464 1 103 2012-04-23 07:20:19
0x03211818 Maruo.exe 2252 1464 1 28 2012-04-23 07:20:33
0x032dbc58 Maruo.exe 2348 2252 1 31 2012-04-23 07:20:38
0x031d15a0 firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
0x031ec020 putty.exe 2356 1464 5 87 2012-04-23 11:02:04
0x02c54020 Maruo.exe 2360 1464 1 74 2012-04-23 11:05:23
0x031c49c8 cmd.exe 3408 1464 1 20 2012-04-23 11:07:23
0x02c74020 win32dd.exe 3372 3408 1 23 2012-04-23 11:12:54

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pstree
=============================================================
Name Pid PPid Thds Hnds Time
0x83BC87C8:System 4 0 56 295 1970-01-01 00:00:00
. 0x839D2998:smss.exe 640 4 3 21 2012-04-23 07:07:52
.. 0x839EFDA8:csrss.exe 696 640 13 497 2012-04-23 07:07:57
.. 0x839CCDA8:winlogon.exe 720 640 19 516 2012-04-23 07:08:00
... 0x834F3BA0:lsass.exe 776 720 19 325 2012-04-23 07:08:05
... 0x834BADA8:services.exe 764 720 16 298 2012-04-23 07:08:05
.... 0x8343CDA8:ACS.EXE 1164 764 15 188 2012-04-23 07:08:27
.... 0x83425380:svchost.exe 1296 764 8 86 2012-04-23 07:08:33
.... 0x834A8998:ibmpmsvc.exe 920 764 4 36 2012-04-23 07:08:09
.... 0x836629E8:QCONSVC.EXE 416 764 3 55 2012-04-23 07:08:48
.... 0x836C7958:PGPserv.exe 292 764 6 111 2012-04-23 07:08:46
.... 0x836DCBA0:rrpcsb.exe 1844 764 4 103 2012-04-23 07:08:40
..... 0x83667DA8:python.exe 148 1844 0 ------ 2012-04-23 07:08:43
...... 0x8366CDA8:conime.exe 212 148 1 34 2012-04-23 07:08:44
..... 0x8327B348:python.exe 1096 1844 0 ------ 2012-04-23 07:08:51
.... 0x836E1DA8:spoolsv.exe 1728 764 16 196 2012-04-23 07:08:39
..... 0x836AE9C0:CAPPSWK.EXE 1624 1728 0 ------ 2012-04-23 07:10:40
...... 0x83B47668:CAPPSWK.EXE 1896 1624 3 83 2012-04-23 07:10:42
..... 0x8344F020:CAPRPCSK.EXE 1608 1728 1 15 2012-04-23 07:10:40
.... 0x83421BB0:svchost.exe 1352 764 19 156 2012-04-23 07:08:35
.... 0x83446380:svchost.exe 1036 764 86 1351 2012-04-23 07:08:27
..... 0x83279B30:rbmonitor.exe 1936 1036 7 195 2012-04-23 07:19:57
.... 0x836C2DA8:svchost.exe 472 764 5 108 2012-04-23 07:08:48
.... 0x83496998:svchost.exe 1000 764 11 237 2012-04-23 07:08:26
.... 0x8365D958:wdfmgr.exe 492 764 4 58 2012-04-23 07:08:48
0x83518020:explorer.exe 1464 1156 13 783 2012-04-23 07:19:58
. 0x832449A0:rundll32.exe 1292 1464 2 35 2012-04-23 07:20:12
. 0x83647470:hkcmd.exe 312 1464 2 76 2012-04-23 07:20:10
. 0x832829B8:tp4serv.exe 1584 1464 3 41 2012-04-23 07:20:09
. 0x832379B8:WDSM.exe 180 1464 1 103 2012-04-23 07:20:19
. 0x835D15A0:firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
. 0x83453020:TpShocks.exe 1056 1464 2 36 2012-04-23 07:20:11
. 0x83611818:Maruo.exe 2252 1464 1 28 2012-04-23 07:20:33
.. 0x836DBC58:Maruo.exe 2348 2252 1 31 2012-04-23 07:20:38
. 0x83AD0598:rundll32.exe 1188 1464 1 45 2012-04-23 07:20:14
. 0x83054020:Maruo.exe 2360 1464 1 74 2012-04-23 11:05:23
. 0x83AE0DA8:TPHKMGR.exe 608 1464 5 120 2012-04-23 07:20:12
.. 0x83661020:TPONSCR.exe 1104 608 1 28 2012-04-23 07:20:14
.. 0x8341D818:TpScrex.exe 1184 608 1 28 2012-04-23 07:20:14
. 0x83AD4020:ctfmon.exe 2020 1464 1 56 2012-04-23 07:20:18
. 0x835C49C8:cmd.exe 3408 1464 1 20 2012-04-23 11:07:23
.. 0x83074020:win32dd.exe 3372 3408 1 23 2012-04-23 11:12:54
. 0x835EC020:putty.exe 2356 1464 5 87 2012-04-23 11:02:04
. 0x83271570:ibmprc.exe 1144 1464 2 27 2012-04-23 07:20:14
. 0x83474020:igfxtray.exe 1620 1464 1 68 2012-04-23 07:20:09

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 dlllist
=============================================================
:
:
cmd.exe pid: 3408
Command line : "C:\WINDOWS\system32\cmd.exe"
Service Pack 1

Base Size Path
0x4ad00000 0x076000 C:\WINDOWS\system32\cmd.exe
0x77f50000 0x0a7000 C:\WINDOWS\System32\ntdll.dll
0x77e20000 0x124000 C:\WINDOWS\system32\kernel32.dll
0x77bc0000 0x053000 C:\WINDOWS\system32\msvcrt.dll
0x77cf0000 0x08c000 C:\WINDOWS\system32\USER32.dll
0x7f000000 0x042000 C:\WINDOWS\system32\GDI32.dll
0x77d80000 0x09b000 C:\WINDOWS\system32\ADVAPI32.dll
0x78000000 0x087000 C:\WINDOWS\system32\RPCRT4.dll
0x762e0000 0x01c000 C:\WINDOWS\System32\IMM32.DLL
0x60740000 0x008000 C:\WINDOWS\system32\LPK.DLL
0x72ef0000 0x05a000 C:\WINDOWS\system32\USP10.dll
0x10000000 0x00d000 C:\WINDOWS\system32\OCMAPIHK.DLL
0x75e90000 0x01e000 C:\WINDOWS\system32\Apphelp.dll
************************************************************************
win32dd.exe pid: 3372
Command line : win32dd /f ./test.dmp
Service Pack 1

Base Size Path
0x00400000 0x01a000 C:\transit\@@DEV\@@@ANALYST\moonsols\win32dd.exe
0x77f50000 0x0a7000 C:\WINDOWS\System32\ntdll.dll
0x77e20000 0x124000 C:\WINDOWS\system32\kernel32.dll
0x77cf0000 0x08c000 C:\WINDOWS\system32\USER32.dll
0x7f000000 0x042000 C:\WINDOWS\system32\GDI32.dll
0x77d80000 0x09b000 C:\WINDOWS\system32\ADVAPI32.dll
0x78000000 0x087000 C:\WINDOWS\system32\RPCRT4.dll
0x719e0000 0x014000 C:\WINDOWS\System32\WS2_32.dll
0x77bc0000 0x053000 C:\WINDOWS\system32\msvcrt.dll
0x719d0000 0x008000 C:\WINDOWS\System32\WS2HELP.dll
0x74a10000 0x007000 C:\WINDOWS\System32\POWRPROF.dll
0x762e0000 0x01c000 C:\WINDOWS\System32\IMM32.DLL
0x60740000 0x008000 C:\WINDOWS\System32\LPK.DLL
0x72ef0000 0x05a000 C:\WINDOWS\System32\USP10.dll
0x10000000 0x00d000 C:\WINDOWS\System32\OCMAPIHK.DLL

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connections -P
=============================================================
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
root@remnux:~/unixfreaxjp#

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockets -P
=============================================================
Offset(P) PID Port Proto Address Create Time
---------- ------ ------ ------------------- -------------- --------------------------

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockscan
=============================================================
Offset PID Port Proto Address Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0x0b3b7be4 945014 17774 25185 - 116.105.111.110 -

=============================================================
root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connscan
=============================================================
Offset Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x02c36008 192.168.7.2:1473 173.194.38.106:80 3916
0x02c582a8 192.168.7.2:1234 173.194.38.97:80 45219846
0x02e1fae0 192.168.7.2:1268 173.194.38.102:443 3916
0x02e22aa0 192.168.7.2:1126 199.59.148.87:443 3916
0x02e3c9d0 192.168.7.2:1201 173.236.192.217:80 3916
0x02e53838 192.168.7.2:1408 192.168.7.1:22 2356
0x02efc008 192.168.7.2:1186 74.125.235.133:443 3916
0x02f71008 192.168.7.2:1471 207.171.189.80:80 3916
0x02f9d008 192.168.7.2:1460 199.59.150.41:443 3916
0x02fc0008 192.168.7.2:1470 207.171.189.80:80 3916
0x0301f1c8 192.168.7.2:1480 199.59.150.9:443 3916
0x030e1e08 127.0.0.1:1085 127.0.0.1:1087 3916
0x0316ee60 192.168.7.2:1457 74.125.235.145:443 3916
0x03175ac0 192.168.7.2:1477 199.59.150.41:443 3916
0x031dd958 0.0.0.0:55919 0.0.0.0:21157 34056384
0x032781c8 192.168.7.2:1454 173.194.38.118:443 3916
0x0328fc20 192.168.7.2:1479 173.194.38.118:443 3916
0x032a3bf0 127.0.0.1:1087 127.0.0.1:1085 3916

302 | ||
303 | ============================================================= | |
304 | root@remnux:~/unixfreaxjp# mkdir dumpdir | |
305 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 procmemdump -p3916 -D./dumpdir | |
306 | ============================================================= | |
307 | ************************************************************************ | |
308 | Dumping firefox.exe, pid: 3916 output: executable.3916.exe | |
309 | ||
310 | ============================================================= | |
311 | root@remnux:~/unixfreaxjp# file ./dumpdir/executable.3916.exe | |
312 | ============================================================= | |
313 | ./dumpdir/executable.3916.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
314 | ||
315 | ||
316 | ============================================================= | |
317 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memdump -p1296 -D ./dumpdir | |
318 | ============================================================= | |
319 | ************************************************************************ | |
320 | Writing svchost.exe [ 1296] to 1296.dmp | |
321 | ||
322 | ============================================================= | |
323 | root@remnux:~/unixfreaxjp# strings -a ./dumpdir/1296.dmp | |
324 | ============================================================= | |
325 | u.;5| | |
326 | SVWUj | |
327 | ]_^[ | |
328 | t.;t$$t( | |
329 | VWumh | |
330 | wLVWP | |
331 | FVWS | |
332 | : | |
333 | : | |
334 | ||
335 | ============================================================= | |
336 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memmap | |
337 | ============================================================= | |
338 | 0x0080281000 0x0000281000 0x000000001000 | |
339 | 0x0080282000 0x0000282000 0x000000001000 | |
340 | 0x0080283000 0x0000283000 0x000000001000 | |
341 | 0x0080284000 0x0000284000 0x000000001000 | |
342 | 0x0080285000 0x0000285000 0x000000001000 | |
343 | : | |
344 | : | |
345 | ||
346 | ============================================================= | |
347 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 volshell | |
348 | ============================================================= | |
349 | Current context: process System, pid=4, ppid=0 DTB=0x39000 | |
350 | Welcome to volshell! Current memory image is: | |
351 | file:///media/linux/home/unixfreaxjp/test.dmp | |
352 | To get help, type 'hh()' | |
353 | >>> | |
354 | >>> hh() | |
355 | ps() : Print a process listing. | |
356 | cc(offset=None, pid=None, name=None) : Change current shell context. | |
357 | dd(address, length=128, space=None) : Print dwords at address. | |
358 | db(address, length=128, width=16, space=None) : Print bytes as canonical hexdump. | |
359 | hh(cmd=None) : Get help on a command. | |
360 | dt(objct, address=None) : Describe an object or show type info. | |
361 | list_entry(head, objname, offset=-1, fieldname=None, forward=True) : Traverse a _LIST_ENTRY. | |
362 | dis(address, length=128, space=None) : Disassemble code at a given address. | |
363 | ||
364 | For help on a specific command, type 'hh(<command>)' | |
365 | ||
366 | ||
367 | ||
368 | ============================================================= | |
369 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 malfind -D ./dumpdir/ | |
370 | ============================================================= | |
371 | Name Pid Start End Tag Hits Protect | |
372 | ||
373 | firefox.exe 3916 0x02040000 0x2040fff0 VadS 0 PAGE_EXECUTE_READWRITE | |
374 | Dumped to: ./dumpdir/firefox.exe.31d15a0.02040000-02040fff.dmp | |
375 | 0x02040000 1b 6f f5 77 68 58 02 00 00 e9 12 6f f1 75 00 00 .o.whX.....o.u.. | |
376 | 0x02040010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
377 | 0x02040020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
378 | 0x02040030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
379 | 0x02040040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
380 | 0x02040050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
381 | 0x02040060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
382 | 0x02040070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
383 | ||
384 | Disassembly: | |
385 | 02040000: 1b6ff5 SBB EBP, [EDI-0xb] | |
386 | 02040003: 7768 JA 0x204006d | |
387 | 02040005: 58 POP EAX | |
388 | 02040006: 0200 ADD AL, [EAX] | |
389 | 02040008: 00e9 ADD CL, CH | |
390 | 0204000a: 126ff1 ADC CH, [EDI-0xf] | |
391 | 0204000d: 7500 JNZ 0x204000f | |
392 | 0204000f: 0000 ADD [EAX], AL | |
393 | 02040011: 0000 ADD [EAX], AL | |
394 | 02040013: 0000 ADD [EAX], AL | |
395 | ||
396 | ============================================================= | |
397 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivescan | |
398 | ============================================================= | |
399 | Offset (hex) | |
400 | 63426568 0x03c7d008 | |
401 | 63458144 0x03c84b60 | |
402 | 71756640 0x0446eb60 | |
403 | 100591960 0x05fee958 | |
404 | 115226456 0x06de3758 | |
405 | 115443544 0x06e18758 | |
406 | 117456904 0x07004008 | |
407 | 200962056 0x0bfa7008 | |
408 | 205273952 0x0c3c3b60 | |
409 | 212844552 0x0cafc008 | |
410 | 219321368 0x0d129418 | |
411 | 380906336 0x16b42b60 | |
412 | 381963104 0x16c44b60 | |
413 | ||
414 | ============================================================= | |
415 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivelist | |
416 | ============================================================= | |
417 | Virtual Physical Name | |
418 | 0xe16d6b60 0x16b42b60 \Device\HarddiskVolume1\Documents and Settings\kaspersky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | |
419 | 0xe16deb60 0x16c44b60 \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT | |
420 | 0xe1377418 0x0d129418 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | |
421 | 0xe12d3b60 0x0c3c3b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT | |
422 | 0xe11c4008 0x0bfa7008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | |
423 | 0xe1318008 0x0cafc008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT | |
424 | 0xe1a43758 0x06e18758 \Device\HarddiskVolume1\WINDOWS\system32\config\SOFTWARE | |
425 | 0xe1a3a758 0x06de3758 \Device\HarddiskVolume1\WINDOWS\system32\config\DEFAULT | |
426 | 0xe1a41008 0x07004008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY | |
427 | 0xe1987958 0x05fee958 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM | |
428 | 0xe181cb60 0x0446eb60 [no name] | |
429 | 0xe1036b60 0x03c84b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SYSTEM | |
430 | 0xe102e008 0x03c7d008 [no name] | |
431 | 0x8066ab1c 0x0066ab1c [no name] | |
432 | ||
433 | ============================================================= | |
434 | root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 printkey | |
435 | ============================================================= | |
436 | ||
437 | Values: | |
438 | ---------------------------- | |
439 | Registry: [no name] | |
440 | Key name: REGISTRY (S) | |
441 | Last updated: 2012-04-23 07:07:40 | |
442 | ||
443 | Subkeys: | |
444 | (S) MACHINE | |
445 | (S) USER | |
446 | ||
447 | Values: | |
448 | ---------------------------- | |
449 | Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | |
450 | Key name: S-1-5-19_Classes (S) | |
451 | Last updated: 2003-02-27 12:01:19 | |
452 | ||
453 | Subkeys: | |
454 | (S) Network | |
455 | (S) Software | |
456 | ||
457 | Values: | |
458 | ---------------------------- | |
459 | Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY | |
460 | Key name: SECURITY (S) | |
461 | Last updated: 2012-04-23 07:07:57 | |
462 | ||
463 | Subkeys: | |
464 | (S) Cache | |
465 | (S) Policy | |
466 | (S) RXACT | |
467 | (V) SAM | |
468 | ||
469 | Values: | |
470 | ---------------------------- | |
471 | Registry: \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT | |
472 | Key name: $$$PROTO.HIV (S) | |
473 | Last updated: 2012-04-23 07:21:34 | |
474 | ||
475 | Subkeys: | |
476 | (S) AppEvents | |
477 | (S) Applications | |
478 | (S) Console | |
479 | (S) Control Panel | |
480 | (S) DefaultScope | |
481 | (S) Environment | |
482 | (S) EUDC | |
483 | (S) Identities | |
484 | (S) Keyboard Layout | |
485 | (S) Network | |
486 | (S) NodeEventQuery | |
487 | (S) pmtest | |
488 | (S) Printers | |
489 | (S) RemoteAccess | |
490 | (S) Software | |
491 | (S) UNICODE Program Groups | |
492 | (S) Windows 3.1 Migration Status | |
493 | (V) SessionInformation | |
494 | (V) Volatile Environment | |
495 | ||
496 | ===================== | |
497 | PLUGIN LISTS | |
498 | ===================== | |
499 | ||
500 | apihooks [MALWARE] Find API hooks | |
501 | bioskbd Reads the keyboard buffer from Real Mode memory | |
502 | callbacks [MALWARE] Print system-wide notification routines | |
503 | connections Print list of open connections [Windows XP Only] | |
504 | connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections) | |
505 | crashinfo Dump crash-dump information | |
506 | datetime A simple example plugin that gets the date/time information from a Windows image | |
507 | devicetree [MALWARE] Show device tree | |
508 | dlldump Dump DLLs from a process address space | |
509 | dlllist Print list of loaded dlls for each process | |
510 | driverirp [MALWARE] Driver IRP hook detection | |
511 | driverscan Scan for driver objects _DRIVER_OBJECT | |
512 | evtlogs Extract Windows Event Logs (XP/2K3 only) | |
513 | filescan Scan Physical memory for _FILE_OBJECT pool allocations | |
514 | gdt [MALWARE] Display Global Descriptor Table | |
515 | getservicesids Get the names of services in the Registry and return Calculated SID | |
516 | getsids Print the SIDs owning each process | |
517 | handles Print list of open handles for each process | |
518 | hashdump Dumps passwords hashes (LM/NTLM) from memory | |
519 | hibinfo Dump hibernation file information | |
520 | hivedump Prints out a hive | |
521 | hivelist Print list of registry hives. | |
522 | hivescan Scan Physical memory for _CMHIVE objects (registry hives) | |
523 | idt [MALWARE] Display Interrupt Descriptor Table | |
524 | imagecopy Copies a physical address space out as a raw DD image | |
525 | imageinfo Identify information for the image | |
526 | impscan [MALWARE] Scan a module for imports (API calls) | |
527 | inspectcache Inspect the contents of a cache | |
528 | kdbgscan Search for and dump potential KDBG values | |
529 | kpcrscan Search for and dump potential KPCR values | |
530 | ldrmodules [MALWARE] Detect unlinked DLLs | |
531 | lsadump Dump (decrypted) LSA secrets from the registry | |
532 | malfind [MALWARE] Find hidden and injected code | |
533 | memdump Dump the addressable memory for a process | |
534 | memmap Print the memory map | |
535 | moddump Dump a kernel driver to an executable file sample | |
536 | modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects | |
537 | modules Print list of loaded modules | |
538 | mutantscan Scan for mutant objects _KMUTANT | |
539 | netscan Scan a Vista, 2008 or Windows 7 image for connections and sockets | |
540 | patcher Patches memory based on page scans | |
541 | printkey Print a registry key, and its subkeys and values | |
542 | procexedump Dump a process to an executable file sample | |
543 | procmemdump Dump a process to an executable memory sample | |
544 | psdispscan Scan Physical memory for _EPROCESS objects based on their Dispatch Headers | |
545 | pslist print all running processes by following the EPROCESS lists | |
546 | psscan Scan Physical memory for _EPROCESS pool allocations | |
547 | pstree Print process list as a tree | |
548 | psxview [MALWARE] Find hidden processes with various process listings | |
549 | registryapi A wrapper several highly used Registry functions and w/a Timeline component | |
550 | sockets Print list of open sockets | |
551 | sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets) | |
552 | ssdt Display SSDT entries | |
553 | ssdt_ex [MALWARE] SSDT Hook Explorer for IDA Pro (and SSDT by thread) | |
554 | strings Match physical offsets to virtual addresses (may take a while, VERY verbose) | |
555 | svcscan [MALWARE] Scan for Windows services | |
556 | testsuite Run unit test suit using the Cache | |
557 | ------ | |
558 | ZeroDay Japan http://0day.jp | |
559 | OPERATION CLEANUP JAPAN | #OCJP | |
560 | - | Analyst: Hendunixfreaxjp ADRIAN アドリアン・ヘンドリック |
560 | + | Analyst: Hendrik ADRIAN アドリアン・ヘンドリック |
561 | Malware Researcher VT/ twitter/google: @unixfreaxjp | |
562 | sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com |