- root@remnux:~/unixfreaxjp# uname -a; date
- Linux remnux 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
- Mon Apr 23 09:24:54 EDT 2012
- # This is my private note for testing Remnux3.0's Volatile.
- # Feel free to take a look for your reference too, hope it will
- # be helpful. - unixfreaxjp -
- /* Took the snapshot below to take the RAT snapshot of memory
- * by win32dd */
- =============================================================
- C:\>win32dd /f ./test.dmp
- =============================================================
- win32dd - 1.3.1.20100417 - (Community Edition)
- Kernel land physical memory acquisition
- Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
- Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>
- Name Value
- ---- -----
- File type: Raw memory dump file
- Acquisition method: PFN Mapping
- Content: Memory manager physical memory block
- Destination path: ./test.dmp
- O.S. Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)
- Computer name: UNIXFREAXJP-RAT
- Physical memory in use: 58%
- Physical memory size: 776624 Kb ( 758 Mb)
- Physical memory available: 323368 Kb ( 315 Mb)
- Paging file size: 1758228 Kb ( 1717 Mb)
- Paging file available: 1357412 Kb ( 1325 Mb)
- Virtual memory size: 2097024 Kb ( 2047 Mb)
- Virtual memory available: 2082668 Kb ( 2033 Mb)
- Extented memory available: 0 Kb ( 0 Mb)
- Physical page size: 4096 bytes
- Minimum physical address: 0x0000000000002000
- Maximum physical address: 0x000000002F6DF000
- Address space size: 795738112 bytes ( 777088 Kb)
- --> Are you sure you want to continue? [y/n] y
- Acquisition started at: [23/4/2012 (DD/MM/YYYY) 11:13:7 (UTC)]
- Processing....Done.
- Acquisition finished at: [2012-04-23 (YYYY-MM-DD) 11:14:15 (UTC)]
- Time elapsed: 1:08 minutes:seconds (68 secs)
- Created file size: 795738112 bytes ( 758 Mb)
- NtStatus (troubleshooting): 0x00000000
- Total of written pages: 194173
- Total of inacessible pages: 0
- Total of accessible pages: 194173
- Physical memory in use: 58%
- Physical memory size: 776624 Kb ( 758 Mb)
- Physical memory available: 319472 Kb ( 311 Mb)
- Paging file size: 1758228 Kb ( 1717 Mb)
- Paging file available: 1353564 Kb ( 1321 Mb)
- Virtual memory size: 2097024 Kb ( 2047 Mb)
- Virtual memory available: 2082668 Kb ( 2033 Mb)
- Extented memory available: 0 Kb ( 0 Mb)
- Physical page size: 4096 bytes
- Minimum physical address: 0x0000000000002000
- Maximum physical address: 0x000000002F6DF000
- Address space size: 795738112 bytes ( 777088 Kb)
- /* Volatile */
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp imageinfo
- =============================================================
- Determining profile based on KDBG search...
- Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
- AS Layer1 : JKIA32PagedMemory (Kernel AS)
- AS Layer2 : FileAddressSpace (/media/linux/home/unixfreaxjp/test.dmp)
- PAE type : No PAE
- DTB : 0x39000
- KDBG : 0x805407e0L
- KPCR : 0xffdff000L
- KUSER_SHARED_DATA : 0xffdf0000L
- Image date and time : 2012-04-23 11:13:07
- Image local date and time : 2012-04-23 11:13:07
- Number of Processors : 1
- Image Type : Service Pack 1
- root@remnux:~/unixfreaxjp#
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pslist -P
- =============================================================
- Offset(P) Name PID PPID Thds Hnds Time
- ---------- -------------------- ------ ------ ------ ------ -------------------
- 0x037c87c8 System 4 0 56 295 1970-01-01 00:00:00
- 0x035d2998 smss.exe 640 4 3 21 2012-04-23 07:07:52
- 0x035efda8 csrss.exe 696 640 13 497 2012-04-23 07:07:57
- 0x035ccda8 winlogon.exe 720 640 19 516 2012-04-23 07:08:00
- 0x030bada8 services.exe 764 720 16 298 2012-04-23 07:08:05
- 0x030f3ba0 lsass.exe 776 720 19 325 2012-04-23 07:08:05
- 0x030a8998 ibmpmsvc.exe 920 764 4 36 2012-04-23 07:08:09
- 0x03096998 svchost.exe 1000 764 11 237 2012-04-23 07:08:26
- 0x03046380 svchost.exe 1036 764 86 1351 2012-04-23 07:08:27
- 0x0303cda8 ACS.EXE 1164 764 15 188 2012-04-23 07:08:27
- 0x03025380 svchost.exe 1296 764 8 86 2012-04-23 07:08:33
- 0x03021bb0 svchost.exe 1352 764 19 156 2012-04-23 07:08:35
- 0x032e1da8 spoolsv.exe 1728 764 16 196 2012-04-23 07:08:39
- 0x032dcba0 rrpcsb.exe 1844 764 4 103 2012-04-23 07:08:40
- 0x03267da8 python.exe 148 1844 0 ------ 2012-04-23 07:08:43
- 0x0326cda8 conime.exe 212 148 1 34 2012-04-23 07:08:44
- 0x032c7958 PGPserv.exe 292 764 6 111 2012-04-23 07:08:46
- 0x032629e8 QCONSVC.EXE 416 764 3 55 2012-04-23 07:08:48
- 0x032c2da8 svchost.exe 472 764 5 108 2012-04-23 07:08:48
- 0x0325d958 wdfmgr.exe 492 764 4 58 2012-04-23 07:08:48
- 0x02e7b348 python.exe 1096 1844 0 ------ 2012-04-23 07:08:51
- 0x0304f020 CAPRPCSK.EXE 1608 1728 1 15 2012-04-23 07:10:40
- 0x032ae9c0 CAPPSWK.EXE 1624 1728 0 ------ 2012-04-23 07:10:40
- 0x03747668 CAPPSWK.EXE 1896 1624 3 83 2012-04-23 07:10:42
- 0x02e79b30 rbmonitor.exe 1936 1036 7 195 2012-04-23 07:19:57
- 0x03118020 explorer.exe 1464 1156 13 783 2012-04-23 07:19:58
- 0x02e829b8 tp4serv.exe 1584 1464 3 41 2012-04-23 07:20:09
- 0x03074020 igfxtray.exe 1620 1464 1 68 2012-04-23 07:20:09
- 0x03247470 hkcmd.exe 312 1464 2 76 2012-04-23 07:20:10
- 0x03053020 TpShocks.exe 1056 1464 2 36 2012-04-23 07:20:11
- 0x036e0da8 TPHKMGR.exe 608 1464 5 120 2012-04-23 07:20:12
- 0x02e449a0 rundll32.exe 1292 1464 2 35 2012-04-23 07:20:12
- 0x03261020 TPONSCR.exe 1104 608 1 28 2012-04-23 07:20:14
- 0x0301d818 TpScrex.exe 1184 608 1 28 2012-04-23 07:20:14
- 0x02e71570 ibmprc.exe 1144 1464 2 27 2012-04-23 07:20:14
- 0x036d0598 rundll32.exe 1188 1464 1 45 2012-04-23 07:20:14
- 0x036d4020 ctfmon.exe 2020 1464 1 56 2012-04-23 07:20:18
- 0x02e379b8 WDSM.exe 180 1464 1 103 2012-04-23 07:20:19
- 0x03211818 Maruo.exe 2252 1464 1 28 2012-04-23 07:20:33
- 0x032dbc58 Maruo.exe 2348 2252 1 31 2012-04-23 07:20:38
- 0x031d15a0 firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
- 0x031ec020 putty.exe 2356 1464 5 87 2012-04-23 11:02:04
- 0x02c54020 Maruo.exe 2360 1464 1 74 2012-04-23 11:05:23
- 0x031c49c8 cmd.exe 3408 1464 1 20 2012-04-23 11:07:23
- 0x02c74020 win32dd.exe 3372 3408 1 23 2012-04-23 11:12:54
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 pstree
- =============================================================
- Name Pid PPid Thds Hnds Time
- 0x83BC87C8:System 4 0 56 295 1970-01-01 00:00:00
- . 0x839D2998:smss.exe 640 4 3 21 2012-04-23 07:07:52
- .. 0x839EFDA8:csrss.exe 696 640 13 497 2012-04-23 07:07:57
- .. 0x839CCDA8:winlogon.exe 720 640 19 516 2012-04-23 07:08:00
- ... 0x834F3BA0:lsass.exe 776 720 19 325 2012-04-23 07:08:05
- ... 0x834BADA8:services.exe 764 720 16 298 2012-04-23 07:08:05
- .... 0x8343CDA8:ACS.EXE 1164 764 15 188 2012-04-23 07:08:27
- .... 0x83425380:svchost.exe 1296 764 8 86 2012-04-23 07:08:33
- .... 0x834A8998:ibmpmsvc.exe 920 764 4 36 2012-04-23 07:08:09
- .... 0x836629E8:QCONSVC.EXE 416 764 3 55 2012-04-23 07:08:48
- .... 0x836C7958:PGPserv.exe 292 764 6 111 2012-04-23 07:08:46
- .... 0x836DCBA0:rrpcsb.exe 1844 764 4 103 2012-04-23 07:08:40
- ..... 0x83667DA8:python.exe 148 1844 0 ------ 2012-04-23 07:08:43
- ...... 0x8366CDA8:conime.exe 212 148 1 34 2012-04-23 07:08:44
- ..... 0x8327B348:python.exe 1096 1844 0 ------ 2012-04-23 07:08:51
- .... 0x836E1DA8:spoolsv.exe 1728 764 16 196 2012-04-23 07:08:39
- ..... 0x836AE9C0:CAPPSWK.EXE 1624 1728 0 ------ 2012-04-23 07:10:40
- ...... 0x83B47668:CAPPSWK.EXE 1896 1624 3 83 2012-04-23 07:10:42
- ..... 0x8344F020:CAPRPCSK.EXE 1608 1728 1 15 2012-04-23 07:10:40
- .... 0x83421BB0:svchost.exe 1352 764 19 156 2012-04-23 07:08:35
- .... 0x83446380:svchost.exe 1036 764 86 1351 2012-04-23 07:08:27
- ..... 0x83279B30:rbmonitor.exe 1936 1036 7 195 2012-04-23 07:19:57
- .... 0x836C2DA8:svchost.exe 472 764 5 108 2012-04-23 07:08:48
- .... 0x83496998:svchost.exe 1000 764 11 237 2012-04-23 07:08:26
- .... 0x8365D958:wdfmgr.exe 492 764 4 58 2012-04-23 07:08:48
- 0x83518020:explorer.exe 1464 1156 13 783 2012-04-23 07:19:58
- . 0x832449A0:rundll32.exe 1292 1464 2 35 2012-04-23 07:20:12
- . 0x83647470:hkcmd.exe 312 1464 2 76 2012-04-23 07:20:10
- . 0x832829B8:tp4serv.exe 1584 1464 3 41 2012-04-23 07:20:09
- . 0x832379B8:WDSM.exe 180 1464 1 103 2012-04-23 07:20:19
- . 0x835D15A0:firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
- . 0x83453020:TpShocks.exe 1056 1464 2 36 2012-04-23 07:20:11
- . 0x83611818:Maruo.exe 2252 1464 1 28 2012-04-23 07:20:33
- .. 0x836DBC58:Maruo.exe 2348 2252 1 31 2012-04-23 07:20:38
- . 0x83AD0598:rundll32.exe 1188 1464 1 45 2012-04-23 07:20:14
- . 0x83054020:Maruo.exe 2360 1464 1 74 2012-04-23 11:05:23
- . 0x83AE0DA8:TPHKMGR.exe 608 1464 5 120 2012-04-23 07:20:12
- .. 0x83661020:TPONSCR.exe 1104 608 1 28 2012-04-23 07:20:14
- .. 0x8341D818:TpScrex.exe 1184 608 1 28 2012-04-23 07:20:14
- . 0x83AD4020:ctfmon.exe 2020 1464 1 56 2012-04-23 07:20:18
- . 0x835C49C8:cmd.exe 3408 1464 1 20 2012-04-23 11:07:23
- .. 0x83074020:win32dd.exe 3372 3408 1 23 2012-04-23 11:12:54
- . 0x835EC020:putty.exe 2356 1464 5 87 2012-04-23 11:02:04
- . 0x83271570:ibmprc.exe 1144 1464 2 27 2012-04-23 07:20:14
- . 0x83474020:igfxtray.exe 1620 1464 1 68 2012-04-23 07:20:09
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 dlllist
- =============================================================
- :
- :
- cmd.exe pid: 3408
- Command line : "C:\WINDOWS\system32\cmd.exe"
- Service Pack 1
- Base Size Path
- 0x4ad00000 0x076000 C:\WINDOWS\system32\cmd.exe
- 0x77f50000 0x0a7000 C:\WINDOWS\System32\ntdll.dll
- 0x77e20000 0x124000 C:\WINDOWS\system32\kernel32.dll
- 0x77bc0000 0x053000 C:\WINDOWS\system32\msvcrt.dll
- 0x77cf0000 0x08c000 C:\WINDOWS\system32\USER32.dll
- 0x7f000000 0x042000 C:\WINDOWS\system32\GDI32.dll
- 0x77d80000 0x09b000 C:\WINDOWS\system32\ADVAPI32.dll
- 0x78000000 0x087000 C:\WINDOWS\system32\RPCRT4.dll
- 0x762e0000 0x01c000 C:\WINDOWS\System32\IMM32.DLL
- 0x60740000 0x008000 C:\WINDOWS\system32\LPK.DLL
- 0x72ef0000 0x05a000 C:\WINDOWS\system32\USP10.dll
- 0x10000000 0x00d000 C:\WINDOWS\system32\OCMAPIHK.DLL
- 0x75e90000 0x01e000 C:\WINDOWS\system32\Apphelp.dll
- ************************************************************************
- win32dd.exe pid: 3372
- Command line : win32dd /f ./test.dmp
- Service Pack 1
- Base Size Path
- 0x00400000 0x01a000 C:\transit\@@DEV\@@@ANALYST\moonsols\win32dd.exe
- 0x77f50000 0x0a7000 C:\WINDOWS\System32\ntdll.dll
- 0x77e20000 0x124000 C:\WINDOWS\system32\kernel32.dll
- 0x77cf0000 0x08c000 C:\WINDOWS\system32\USER32.dll
- 0x7f000000 0x042000 C:\WINDOWS\system32\GDI32.dll
- 0x77d80000 0x09b000 C:\WINDOWS\system32\ADVAPI32.dll
- 0x78000000 0x087000 C:\WINDOWS\system32\RPCRT4.dll
- 0x719e0000 0x014000 C:\WINDOWS\System32\WS2_32.dll
- 0x77bc0000 0x053000 C:\WINDOWS\system32\msvcrt.dll
- 0x719d0000 0x008000 C:\WINDOWS\System32\WS2HELP.dll
- 0x74a10000 0x007000 C:\WINDOWS\System32\POWRPROF.dll
- 0x762e0000 0x01c000 C:\WINDOWS\System32\IMM32.DLL
- 0x60740000 0x008000 C:\WINDOWS\System32\LPK.DLL
- 0x72ef0000 0x05a000 C:\WINDOWS\System32\USP10.dll
- 0x10000000 0x00d000 C:\WINDOWS\System32\OCMAPIHK.DLL
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connections -P
- =============================================================
- Offset(P) Local Address Remote Address Pid
- ---------- ------------------------- ------------------------- ------
- root@remnux:~/unixfreaxjp#
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockets -P
- =============================================================
- Offset(P) PID Port Proto Address Create Time
- ---------- ------ ------ ------------------- -------------- --------------------------
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 sockscan
- =============================================================
- Offset PID Port Proto Address Create Time
- ---------- ------ ------ ------------------- -------------- --------------------------
- 0x0b3b7be4 945014 17774 25185 - 116.105.111.110 -
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 connscan
- =============================================================
- Offset Local Address Remote Address Pid
- ---------- ------------------------- ------------------------- ------
- 0x02c36008 192.168.7.2:1473 173.194.38.106:80 3916
- 0x02c582a8 192.168.7.2:1234 173.194.38.97:80 45219846
- 0x02e1fae0 192.168.7.2:1268 173.194.38.102:443 3916
- 0x02e22aa0 192.168.7.2:1126 199.59.148.87:443 3916
- 0x02e3c9d0 192.168.7.2:1201 173.236.192.217:80 3916
- 0x02e53838 192.168.7.2:1408 192.168.7.1:22 2356
- 0x02efc008 192.168.7.2:1186 74.125.235.133:443 3916
- 0x02f71008 192.168.7.2:1471 207.171.189.80:80 3916
- 0x02f9d008 192.168.7.2:1460 199.59.150.41:443 3916
- 0x02fc0008 192.168.7.2:1470 207.171.189.80:80 3916
- 0x0301f1c8 192.168.7.2:1480 199.59.150.9:443 3916
- 0x030e1e08 127.0.0.1:1085 127.0.0.1:1087 3916
- 0x0316ee60 192.168.7.2:1457 74.125.235.145:443 3916
- 0x03175ac0 192.168.7.2:1477 199.59.150.41:443 3916
- 0x031dd958 0.0.0.0:55919 0.0.0.0:21157 34056384
- 0x032781c8 192.168.7.2:1454 173.194.38.118:443 3916
- 0x0328fc20 192.168.7.2:1479 173.194.38.118:443 3916
- 0x032a3bf0 127.0.0.1:1087 127.0.0.1:1085 3916
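The connscan and sockscan rows above include entries whose PID matches no process in pslist (45219846, 34056384, 945014), which is what pool carving produces when it hits residual or unrelated data. As an added example (not part of this note), the Python script below parses the three outputs and flags such rows; the sample rows are copied from the output above, while the sanity checks and the `triage` function are mine.

```python
"""Cross-check Volatility 2 scan output against pslist (added example, not from the note).

connscan and sockscan carve pool memory for _TCPT_OBJECT / _ADDRESS_OBJECT
structures, so alongside real records they return residual and false-positive
entries. Three cheap checks separate them: the PID should belong to a listed
process, the protocol number should be TCP (6) or UDP (17), and the address
should not decode as printable ASCII (carved text, not an IP).
"""
import re

# Sample rows copied from the pslist, connscan and sockscan output above.
PSLIST = """\
0x037c87c8 System 4 0 56 295 1970-01-01 00:00:00
0x031d15a0 firefox.exe 3916 1464 34 807 2012-04-23 08:28:05
0x031ec020 putty.exe 2356 1464 5 87 2012-04-23 11:02:04
"""
CONNSCAN = """\
0x02c36008 192.168.7.2:1473 173.194.38.106:80 3916
0x02c582a8 192.168.7.2:1234 173.194.38.97:80 45219846
0x02e53838 192.168.7.2:1408 192.168.7.1:22 2356
0x031dd958 0.0.0.0:55919 0.0.0.0:21157 34056384
"""
SOCKSCAN = """\
0x0b3b7be4 945014 17774 25185 - 116.105.111.110 -
"""

PS_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)", re.I)
CONN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)", re.I)
# sockscan columns: Offset PID Port Proto(number name) Address CreateTime
SOCK_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)", re.I)


def parse_pslist(text):
    """Map PID -> process name; header and separator rows simply do not match."""
    return {int(m.group(3)): m.group(2)
            for m in map(PS_RE.match, text.splitlines()) if m}


def parse_connscan(text):
    return [{"offset": m.group(1), "remote": f"{m.group(4)}:{m.group(5)}",
             "pid": int(m.group(6))}
            for m in map(CONN_RE.match, text.splitlines()) if m]


def parse_sockscan(text):
    return [{"offset": m.group(1), "pid": int(m.group(2)), "port": int(m.group(3)),
             "proto": int(m.group(4)), "addr": m.group(5)}
            for m in map(SOCK_RE.match, text.splitlines()) if m]


def ascii_octets(addr):
    """Return the address as text if every octet is printable ASCII, else None."""
    octets = [int(o) for o in addr.split(".")]
    if all(32 <= o < 127 for o in octets):
        return bytes(octets).decode("ascii")
    return None


def triage(pslist_text, connscan_text, sockscan_text):
    """Return (plugin, offset, reason) for every entry that fails a sanity check."""
    procs = parse_pslist(pslist_text)
    findings = []
    for c in parse_connscan(connscan_text):
        if c["pid"] not in procs:
            findings.append(("connscan", c["offset"],
                             f"pid {c['pid']} not in pslist (exited process or carving artifact)"))
    for s in parse_sockscan(sockscan_text):
        if s["pid"] not in procs:
            findings.append(("sockscan", s["offset"], f"pid {s['pid']} not in pslist"))
        if s["proto"] not in (6, 17):
            findings.append(("sockscan", s["offset"], f"protocol {s['proto']} is not TCP/UDP"))
        text = ascii_octets(s["addr"])
        if text is not None:
            findings.append(("sockscan", s["offset"], f"address decodes as ASCII {text!r}"))
    return findings


if __name__ == "__main__":
    for plugin, offset, reason in triage(PSLIST, CONNSCAN, SOCKSCAN):
        print(f"{plugin:9} {offset}  {reason}")
```

A PID missing from pslist is not by itself malicious (the process may have exited, or the row may be a stale pool chunk); compare against psscan before drawing conclusions.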
- =============================================================
- root@remnux:~/unixfreaxjp# mkdir dumpdir
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 procmemdump -p3916 -D./dumpdir
- =============================================================
- ************************************************************************
- Dumping firefox.exe, pid: 3916 output: executable.3916.exe
- =============================================================
- root@remnux:~/unixfreaxjp# file ./dumpdir/executable.3916.exe
- =============================================================
- ./dumpdir/executable.3916.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memdump -p1296 -D ./dumpdir
- =============================================================
- ************************************************************************
- Writing svchost.exe [ 1296] to 1296.dmp
- =============================================================
- root@remnux:~/unixfreaxjp# strings -a ./dumpdir/1296.dmp
- =============================================================
- u.;5|
- SVWUj
- ]_^[
- t.;t$$t(
- VWumh
- wLVWP
- FVWS
- :
- :
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 memmap
- =============================================================
- 0x0080281000 0x0000281000 0x000000001000
- 0x0080282000 0x0000282000 0x000000001000
- 0x0080283000 0x0000283000 0x000000001000
- 0x0080284000 0x0000284000 0x000000001000
- 0x0080285000 0x0000285000 0x000000001000
- :
- :
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 volshell
- =============================================================
- Current context: process System, pid=4, ppid=0 DTB=0x39000
- Welcome to volshell! Current memory image is:
- file:///media/linux/home/unixfreaxjp/test.dmp
- To get help, type 'hh()'
- >>>
- >>> hh()
- ps() : Print a process listing.
- cc(offset=None, pid=None, name=None) : Change current shell context.
- dd(address, length=128, space=None) : Print dwords at address.
- db(address, length=128, width=16, space=None) : Print bytes as canonical hexdump.
- hh(cmd=None) : Get help on a command.
- dt(objct, address=None) : Describe an object or show type info.
- list_entry(head, objname, offset=-1, fieldname=None, forward=True) : Traverse a _LIST_ENTRY.
- dis(address, length=128, space=None) : Disassemble code at a given address.
- For help on a specific command, type 'hh(<command>)'
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 malfind -D ./dumpdir/
- =============================================================
- Name Pid Start End Tag Hits Protect
- firefox.exe 3916 0x02040000 0x2040fff0 VadS 0 PAGE_EXECUTE_READWRITE
- Dumped to: ./dumpdir/firefox.exe.31d15a0.02040000-02040fff.dmp
- 0x02040000 1b 6f f5 77 68 58 02 00 00 e9 12 6f f1 75 00 00 .o.whX.....o.u..
- 0x02040010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0x02040020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0x02040030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0x02040040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0x02040050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0x02040060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0x02040070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- Disassembly:
- 02040000: 1b6ff5 SBB EBP, [EDI-0xb]
- 02040003: 7768 JA 0x204006d
- 02040005: 58 POP EAX
- 02040006: 0200 ADD AL, [EAX]
- 02040008: 00e9 ADD CL, CH
- 0204000a: 126ff1 ADC CH, [EDI-0xf]
- 0204000d: 7500 JNZ 0x204000f
- 0204000f: 0000 ADD [EAX], AL
- 02040011: 0000 ADD [EAX], AL
- 02040013: 0000 ADD [EAX], AL
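The malfind disassembly above starts at the first byte of the region, so the leading dword and the E9 at +9 are not decoded as what they look like. As an added example (not part of this note), the Python script below parses the hexdump rows, measures how much of the region is zero padding, checks for an MZ header, and resolves the E9 rel32 to an absolute target so it can be matched against module ranges. The module ranges are taken from the cmd.exe dlllist above; that they also hold for firefox.exe is an assumption, since the firefox.exe dlllist is not shown.

```python
"""Triage the malfind hit above from its hexdump (added example, not from the note).

Decodes the 128 bytes Volatility printed for firefox.exe's RWX region at
0x02040000, measures padding, checks for a PE header, and resolves any
E9 (JMP rel32) to an absolute target for a module-range lookup.
"""
import re
import struct

# Hexdump rows copied from the malfind output above.
MALFIND_HEXDUMP = """\
0x02040000 1b 6f f5 77 68 58 02 00 00 e9 12 6f f1 75 00 00 .o.whX.....o.u..
0x02040010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02040070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
"""

# (base, size) from the cmd.exe dlllist above; ASSUMED to apply to firefox.exe too.
MODULES = {"ntdll.dll": (0x77F50000, 0x0A7000),
           "kernel32.dll": (0x77E20000, 0x124000)}

ROW_RE = re.compile(r"^(0x[0-9a-f]+)((?:\s+[0-9a-f]{2}){1,16})", re.I)


def parse_hexdump(text):
    """Return (start_address, bytes) from Volatility's canonical hexdump rows."""
    start, data = None, bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if start is None:
            start = int(m.group(1), 16)
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    return start, bytes(data)


def module_for(addr):
    """Name of the module whose range contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def find_jmp_rel32(start, data):
    """Resolve each E9 rel32 (target = next_ip + rel32, wrapped to 32 bits).

    An E9 byte inside data is not proof of code; whether the computed target
    lands inside a loaded module is what makes the hit worth a closer look.
    """
    hits = []
    for i in range(len(data) - 4):
        if data[i] == 0xE9:
            rel = struct.unpack_from("<i", data, i + 1)[0]
            target = (start + i + 5 + rel) & 0xFFFFFFFF
            hits.append((start + i, target, module_for(target)))
    return hits


def triage(text):
    start, data = parse_hexdump(text)
    lead = struct.unpack_from("<I", data, 0)[0]
    return {
        "start": start,
        "has_mz": data[:2] == b"MZ",          # an injected PE image would start with MZ
        "zero_ratio": data.count(0) / len(data),
        "lead_dword": lead,                   # pointer-sized value at +0
        "lead_dword_module": module_for(lead),
        "jmps": find_jmp_rel32(start, data),
    }


if __name__ == "__main__":
    r = triage(MALFIND_HEXDUMP)
    print(f"region {r['start']:#010x}: MZ={r['has_mz']} zeros={r['zero_ratio']:.2f}")
    print(f"dword at +0: {r['lead_dword']:#010x} -> {r['lead_dword_module']}")
    for at, target, mod in r["jmps"]:
        print(f"JMP at {at:#010x} -> {target:#010x} ({mod})")
```

Under the stated assumption, both the leading dword and the JMP target resolve into ntdll.dll's range, which is the kind of result that warrants dumping the region and comparing the bytes at those ntdll addresses rather than dismissing the hit as padding.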
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivescan
- =============================================================
- Offset (hex)
- 63426568 0x03c7d008
- 63458144 0x03c84b60
- 71756640 0x0446eb60
- 100591960 0x05fee958
- 115226456 0x06de3758
- 115443544 0x06e18758
- 117456904 0x07004008
- 200962056 0x0bfa7008
- 205273952 0x0c3c3b60
- 212844552 0x0cafc008
- 219321368 0x0d129418
- 380906336 0x16b42b60
- 381963104 0x16c44b60
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 hivelist
- =============================================================
- Virtual Physical Name
- 0xe16d6b60 0x16b42b60 \Device\HarddiskVolume1\Documents and Settings\kaspersky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 0xe16deb60 0x16c44b60 \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT
- 0xe1377418 0x0d129418 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 0xe12d3b60 0x0c3c3b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
- 0xe11c4008 0x0bfa7008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 0xe1318008 0x0cafc008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
- 0xe1a43758 0x06e18758 \Device\HarddiskVolume1\WINDOWS\system32\config\SOFTWARE
- 0xe1a3a758 0x06de3758 \Device\HarddiskVolume1\WINDOWS\system32\config\DEFAULT
- 0xe1a41008 0x07004008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
- 0xe1987958 0x05fee958 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
- 0xe181cb60 0x0446eb60 [no name]
- 0xe1036b60 0x03c84b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SYSTEM
- 0xe102e008 0x03c7d008 [no name]
- 0x8066ab1c 0x0066ab1c [no name]
- =============================================================
- root@remnux:~/unixfreaxjp# vol -f test.dmp --profile=WinXPSP2x86 printkey
- =============================================================
- Values:
- ----------------------------
- Registry: [no name]
- Key name: REGISTRY (S)
- Last updated: 2012-04-23 07:07:40
- Subkeys:
- (S) MACHINE
- (S) USER
- Values:
- ----------------------------
- Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- Key name: S-1-5-19_Classes (S)
- Last updated: 2003-02-27 12:01:19
- Subkeys:
- (S) Network
- (S) Software
- Values:
- ----------------------------
- Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
- Key name: SECURITY (S)
- Last updated: 2012-04-23 07:07:57
- Subkeys:
- (S) Cache
- (S) Policy
- (S) RXACT
- (V) SAM
- Values:
- ----------------------------
- Registry: \Device\HarddiskVolume1\Documents and Settings\kaspersky\NTUSER.DAT
- Key name: $$$PROTO.HIV (S)
- Last updated: 2012-04-23 07:21:34
- Subkeys:
- (S) AppEvents
- (S) Applications
- (S) Console
- (S) Control Panel
- (S) DefaultScope
- (S) Environment
- (S) EUDC
- (S) Identities
- (S) Keyboard Layout
- (S) Network
- (S) NodeEventQuery
- (S) pmtest
- (S) Printers
- (S) RemoteAccess
- (S) Software
- (S) UNICODE Program Groups
- (S) Windows 3.1 Migration Status
- (V) SessionInformation
- (V) Volatile Environment
- =====================
- PLUGIN LISTS
- =====================
- apihooks [MALWARE] Find API hooks
- bioskbd Reads the keyboard buffer from Real Mode memory
- callbacks [MALWARE] Print system-wide notification routines
- connections Print list of open connections [Windows XP Only]
- connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
- crashinfo Dump crash-dump information
- datetime A simple example plugin that gets the date/time information from a Windows image
- devicetree [MALWARE] Show device tree
- dlldump Dump DLLs from a process address space
- dlllist Print list of loaded dlls for each process
- driverirp [MALWARE] Driver IRP hook detection
- driverscan Scan for driver objects _DRIVER_OBJECT
- evtlogs Extract Windows Event Logs (XP/2K3 only)
- filescan Scan Physical memory for _FILE_OBJECT pool allocations
- gdt [MALWARE] Display Global Descriptor Table
- getservicesids Get the names of services in the Registry and return Calculated SID
- getsids Print the SIDs owning each process
- handles Print list of open handles for each process
- hashdump Dumps passwords hashes (LM/NTLM) from memory
- hibinfo Dump hibernation file information
- hivedump Prints out a hive
- hivelist Print list of registry hives.
- hivescan Scan Physical memory for _CMHIVE objects (registry hives)
- idt [MALWARE] Display Interrupt Descriptor Table
- imagecopy Copies a physical address space out as a raw DD image
- imageinfo Identify information for the image
- impscan [MALWARE] Scan a module for imports (API calls)
- inspectcache Inspect the contents of a cache
- kdbgscan Search for and dump potential KDBG values
- kpcrscan Search for and dump potential KPCR values
- ldrmodules [MALWARE] Detect unlinked DLLs
- lsadump Dump (decrypted) LSA secrets from the registry
- malfind [MALWARE] Find hidden and injected code
- memdump Dump the addressable memory for a process
- memmap Print the memory map
- moddump Dump a kernel driver to an executable file sample
- modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
- modules Print list of loaded modules
- mutantscan Scan for mutant objects _KMUTANT
- netscan Scan a Vista, 2008 or Windows 7 image for connections and sockets
- patcher Patches memory based on page scans
- printkey Print a registry key, and its subkeys and values
- procexedump Dump a process to an executable file sample
- procmemdump Dump a process to an executable memory sample
- psdispscan Scan Physical memory for _EPROCESS objects based on their Dispatch Headers
- pslist print all running processes by following the EPROCESS lists
- psscan Scan Physical memory for _EPROCESS pool allocations
- pstree Print process list as a tree
- psxview [MALWARE] Find hidden processes with various process listings
- registryapi A wrapper several highly used Registry functions and w/a Timeline component
- sockets Print list of open sockets
- sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
- ssdt Display SSDT entries
- ssdt_ex [MALWARE] SSDT Hook Explorer for IDA Pro (and SSDT by thread)
- strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
- svcscan [MALWARE] Scan for Windows services
- testsuite Run unit test suit using the Cache
- ------
- ZeroDay Japan http://0day.jp
- OPERATION CLEANUP JAPAN | #OCJP
- Analyst: Hendunixfreaxjp ADRIAN アドリアン・ヘンドリック
- Malware Researcher VT/ twitter/google: @unixfreaxjp
- sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com