RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.
python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # It will use the most important plugins (could use a lot of space depending on the size of the memory)
Kumbukumbu kuhusu plugins za “list” dhidi ya “scan”
Volatility ina mbinu mbili kuu za plugins, ambazo wakati mwingine zinaonyeshwa katika majina yao. Plugins za “list” zitajaribu kuvinjari kupitia muundo wa Windows Kernel ili kupata taarifa kama vile michakato (kupata na kutembea kwenye orodha iliyo na kiungo ya _EPROCESS katika kumbukumbu), kushughulikia OS (kupata na kuorodhesha jedwali la kushughulikia, kuondoa viashiria vyovyote vilivyopatikana, nk). Zinajitenda kama vile API ya Windows ingefanya ikiwa itaombwa, kwa mfano, kuorodhesha michakato.
Hii inafanya plugins za “list” kuwa haraka sana, lakini pia zina hatari kama API ya Windows kwa ushawishi wa malware. Kwa mfano, ikiwa malware inatumia DKOM kuondoa mchakato kutoka kwenye orodha iliyo na kiungo ya _EPROCESS, haitajitokeza katika Meneja wa Kazi wala haitajitokeza katika pslist.
Plugins za “scan”, kwa upande mwingine, zitachukua mbinu inayofanana na kuchonga kumbukumbu kwa vitu ambavyo vinaweza kuwa na maana wakati vinapondolewa kama muundo maalum. psscan kwa mfano itasoma kumbukumbu na kujaribu kutengeneza vitu vya _EPROCESS kutoka kwake (inatumia skanning ya pool-tag, ambayo inatafuta nyuzi za 4-byte zinazonyesha uwepo wa muundo wa kupendeza). Faida ni kwamba inaweza kupata michakato ambayo imeondoka, na hata kama malware inaharibu orodha iliyo na kiungo ya _EPROCESS, plugin bado itapata muundo ulio karibu katika kumbukumbu (kwa kuwa bado inahitaji kuwepo ili mchakato ufanye kazi). Hasara ni kwamba plugins za “scan” ni polepole kidogo kuliko plugins za “list”, na wakati mwingine zinaweza kutoa matokeo yasiyo sahihi (mchakato ambao umeondoka kwa muda mrefu sana na sehemu za muundo wake zimeandikwa upya na operesheni nyingine).
Kama ilivyoelezwa ndani ya readme unahitaji kuweka meza ya alama ya OS unayotaka kusaidia ndani ya volatility3/volatility/symbols.
Pakiti za meza za alama za mifumo mbalimbali ya uendeshaji zinapatikana kwa kupakua katika:
Ikiwa unataka kutumia wasifu mpya ulio pakua (kwa mfano wa linux) unahitaji kuunda mahali fulani muundo wa folda ufuatao: plugins/overlays/linux na kuweka ndani ya folda hii faili la zip linalo zawia wasifu. Kisha, pata nambari ya wasifu kwa kutumia:
Katika kipande kilichopita unaweza kuona kwamba wasifu unaitwa LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64, na unaweza kuutumia kutekeleza kitu kama:
Kutoka hapa: Kinyume na imageinfo ambayo inatoa tu mapendekezo ya wasifu, kdbgscan imeundwa kubaini kwa uhakika wasifu sahihi na anwani sahihi ya KDBG (ikiwa kuna nyingi). Plugin hii inatafuta saini za KDBGHeader zinazohusiana na wasifu wa Volatility na inatekeleza ukaguzi wa akili ili kupunguza matokeo yasiyo sahihi. Ufanisi wa matokeo na idadi ya ukaguzi wa akili wanaoweza kufanywa inategemea ikiwa Volatility inaweza kupata DTB, hivyo ikiwa tayari unajua wasifu sahihi (au ikiwa una pendekezo la wasifu kutoka imageinfo), basi hakikisha unalitumia kutoka .
Daima angalia idadi ya michakato ambayo kdbgscan imepata. Wakati mwingine imageinfo na kdbgscan zinaweza kupata zaidi ya moja wasifu **unaofaa lakini tu mmoja halali utakuwa na michakato inayohusiana (Hii ni kwa sababu ili kutoa michakato anwani sahihi ya KDBG inahitajika)
KDBG inayoitwa kernel debugger block, ni muhimu kwa kazi za uchunguzi zinazofanywa na Volatility na debuggers mbalimbali. Inatambulika kama KdDebuggerDataBlock na aina ya _KDDEBUGGER_DATA64, ina viungo muhimu kama PsActiveProcessHead. Kiungo hiki maalum kinaelekeza kwenye kichwa cha orodha ya michakato, kuruhusu orodha ya michakato yote, ambayo ni ya msingi kwa uchambuzi wa kina wa kumbukumbu.
OS Information
#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)./vol.py-ffile.dmpwindows.info.Info
The plugin banners.Banners inaweza kutumika katika vol3 kujaribu kupata mabango ya linux katika dump.
./vol.py-ffile.dmpwindows.hashdump.Hashdump#Grab common windows hashes (SAM+SYSTEM)./vol.py-ffile.dmpwindows.cachedump.Cachedump#Grab domain cache hashes inside the registry./vol.py-ffile.dmpwindows.lsadump.Lsadump#Grab lsa secrets
volatility--profile=Win7SP1x86_23418hashdump-ffile.dmp#Grab common windows hashes (SAM+SYSTEM)volatility--profile=Win7SP1x86_23418cachedump-ffile.dmp#Grab domain cache hashes inside the registryvolatility--profile=Win7SP1x86_23418lsadump-ffile.dmp#Grab lsa secrets
Memory Dump
Dump ya kumbukumbu ya mchakato itachukua kila kitu cha hali ya sasa ya mchakato. Moduli ya procdump itachukua tu kanuni.
RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.
Jaribu kutafuta michakato ya kushangaza (kwa jina) au michakato ya watoto isiyotarajiwa (kwa mfano cmd.exe kama mtoto wa iexplorer.exe).
Inaweza kuwa ya kuvutia kulinganisha matokeo ya pslist na yale ya psscan ili kubaini michakato iliyofichwa.
python3vol.py-ffile.dmpwindows.pstree.PsTree# Get processes tree (not hidden)python3vol.py-ffile.dmpwindows.pslist.PsList# Get process list (EPROCESS)python3vol.py-ffile.dmpwindows.psscan.PsScan# Get hidden process list(malware)
volatility--profile=PROFILEpstree-ffile.dmp# Get process tree (not hidden)volatility--profile=PROFILEpslist-ffile.dmp# Get process list (EPROCESS)volatility--profile=PROFILEpsscan-ffile.dmp# Get hidden process list(malware)volatility--profile=PROFILEpsxview-ffile.dmp# Get hidden process list
Dump proc
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory
Je, kuna kitu chochote cha kushangaza kilichotekelezwa?
python3vol.py-ffile.dmpwindows.cmdline.CmdLine#Display process command-line arguments
volatility--profile=PROFILEcmdline-ffile.dmp#Display process command-line argumentsvolatility--profile=PROFILEconsoles-ffile.dmp#command history by scanning for _CONSOLE_INFORMATION
Amri zinazotekelezwa katika cmd.exe zinadhibitiwa na conhost.exe (au csrss.exe kwenye mifumo kabla ya Windows 7). Hii ina maana kwamba ikiwa cmd.exe itafutwa na mshambuliaji kabla ya kupata memory dump, bado inawezekana kurejesha historia ya amri za kikao kutoka kwenye kumbukumbu ya conhost.exe. Ili kufanya hivyo, ikiwa shughuli zisizo za kawaida zitatambuliwa ndani ya moduli za console, kumbukumbu ya mchakato wa conhost.exe inayohusiana inapaswa kutolewa. Kisha, kwa kutafuta strings ndani ya dump hii, mistari ya amri zilizotumika katika kikao inaweza kutolewa.
Mazingira
Pata mabadiliko ya mazingira ya kila mchakato unaotembea. Kunaweza kuwa na thamani za kuvutia.
python3vol.py-ffile.dmpwindows.envars.Envars [--pid <pid>]#Display process environment variables
volatility--profile=PROFILEenvars-ffile.dmp [--pid <pid>]#Display process environment variablesvolatility --profile=PROFILE -f file.dmp linux_psenv [-p <pid>] #Get env of process. runlevel var means the runlevel where the proc is initated
Token privileges
Angalia kwa token za mamlaka katika huduma zisizotarajiwa.
Inaweza kuwa ya kuvutia kuorodhesha michakato inayotumia token fulani za mamlaka.
#Get enabled privileges of some processespython3vol.py-ffile.dmpwindows.privileges.Privs [--pid <pid>]#Get all processes with interesting privilegespython3 vol.py -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
#Get enabled privileges of some processesvolatility--profile=Win7SP1x86_23418privs--pid=3152-ffile.dmp|grepEnabled#Get all processes with interesting privilegesvolatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
SIDs
Angalia kila SSID inayomilikiwa na mchakato.
Inaweza kuwa ya kuvutia kuorodhesha michakato inayotumia SID ya mamlaka (na michakato inayotumia SID ya huduma).
./vol.py-ffile.dmpwindows.getsids.GetSIDs [--pid <pid>]#Get SIDs of processes./vol.py-ffile.dmpwindows.getservicesids.GetServiceSIDs#Get the SID of services
volatility--profile=Win7SP1x86_23418getsids-ffile.dmp#Get the SID owned by each processvolatility--profile=Win7SP1x86_23418getservicesids-ffile.dmp#Get the SID of each service
Handles
Ni muhimu kujua ni faili, funguo, nyuzi, michakato... zipi mchakato una shughulikia (amefungua)
./vol.py-ffile.dmpwindows.dlllist.DllList [--pid <pid>]#List dlls used by each./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory process
volatility--profile=Win7SP1x86_23418dlllist--pid=3152-ffile.dmp#Get dlls of a procvolatility--profile=Win7SP1x86_23418dlldump--pid=3152--dump-dir=.-ffile.dmp#Dump dlls of a proc
Mifumo ya nyuzi kwa michakato
Volatility inatuwezesha kuangalia ni mchakato gani nyuzi inahusiana nayo.
Windows inashughulikia programu unazotumia kwa kutumia kipengele katika rejista kinachoitwa UserAssist keys. Funguo hizi zinaandika ni mara ngapi kila programu imefanywa na wakati ilifanywa mara ya mwisho.
RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Ikiwa na lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.
./vol.py-ffile.dmpwindows.svcscan.SvcScan#List services./vol.py-ffile.dmpwindows.getservicesids.GetServiceSIDs#Get the SID of services
#Get services and binary pathvolatility--profile=Win7SP1x86_23418svcscan-ffile.dmp#Get name of the services and SID (slow)volatility--profile=Win7SP1x86_23418getservicesids-ffile.dmp
Mtandao
./vol.py-ffile.dmpwindows.netscan.NetScan#For network info of linux use volatility2
volatility--profile=Win7SP1x86_23418netscan-ffile.dmpvolatility--profile=Win7SP1x86_23418connections-ffile.dmp#XPand2003onlyvolatility--profile=Win7SP1x86_23418connscan-ffile.dmp#TCPconnectionsvolatility--profile=Win7SP1x86_23418sockscan-ffile.dmp#Opensocketsvolatility--profile=Win7SP1x86_23418sockets-ffile.dmp#Scannerfortcpsocketobjectsvolatility--profile=SomeLinux-ffile.dmplinux_ifconfigvolatility--profile=SomeLinux-ffile.dmplinux_netstatvolatility--profile=SomeLinux-ffile.dmplinux_netfiltervolatility--profile=SomeLinux-ffile.dmplinux_arp#ARP tablevolatility --profile=SomeLinux -f file.dmp linux_list_raw #Processes using promiscuous raw sockets (comm between processes)
volatility--profile=SomeLinux-ffile.dmplinux_route_cache
Registry hive
Print available hives
./vol.py-ffile.dmpwindows.registry.hivelist.HiveList#List roots./vol.py-ffile.dmpwindows.registry.printkey.PrintKey#List roots and get initial subkeys
volatility--profile=Win7SP1x86_23418-ffile.dmphivelist#List rootsvolatility--profile=Win7SP1x86_23418-ffile.dmpprintkey#List roots and get initial subkeys
volatility--profile=Win7SP1x86_23418printkey-K"Software\Microsoft\Windows NT\CurrentVersion"-ffile.dmp# Get Run binaries registry valuevolatility-ffile.dmp--profile=Win7SP1x86printkey-o0x9670e9d0-K'Software\Microsoft\Windows\CurrentVersion\Run'
Dump
#Dump a hivevolatility--profile=Win7SP1x86_23418hivedump-o0x9aad6148-ffile.dmp#Offset extracted by hivelist#Dump all hivesvolatility--profile=Win7SP1x86_23418hivedump-ffile.dmp
Filesystem
Mount
#See vol2
volatility--profile=SomeLinux-ffile.dmplinux_mountvolatility--profile=SomeLinux-ffile.dmplinux_recover_filesystem#Dump the entire filesystem (if possible)
Skana/dump
./vol.py-ffile.dmpwindows.filescan.FileScan#Scan for files inside the dump./vol.py-ffile.dmpwindows.dumpfiles.DumpFiles--physaddr<0xAAAAA>#Offset from previous command
volatility--profile=Win7SP1x86_23418filescan-ffile.dmp#Scan for files inside the dumpvolatility--profile=Win7SP1x86_23418dumpfiles-n--dump-dir=/tmp-ffile.dmp#Dump all filesvolatility--profile=Win7SP1x86_23418dumpfiles-n--dump-dir=/tmp-Q0x000000007dcaa620-ffile.dmpvolatility--profile=SomeLinux-ffile.dmplinux_enumerate_filesvolatility--profile=SomeLinux-ffile.dmplinux_find_file-F/path/to/filevolatility--profile=SomeLinux-ffile.dmplinux_find_file-i0xINODENUMBER-O/path/to/dump/file
Jedwali la Faili Kuu
# I couldn't find any plugin to extract this information in volatility3
Mfumo wa NTFS unatumia kipengele muhimu kinachojulikana kama meza ya faili ya bwana (MFT). Meza hii ina angalau kiingilio kimoja kwa kila faili kwenye kiasi, ikijumuisha MFT yenyewe pia. Maelezo muhimu kuhusu kila faili, kama vile ukubwa, alama za muda, ruhusa, na data halisi, yanajumuishwa ndani ya viingilio vya MFT au katika maeneo ya nje ya MFT lakini yanarejelea na viingilio hivi. Maelezo zaidi yanaweza kupatikana katika nyaraka rasmi.
SSL Keys/Certs
#vol3 allows to search for certificates inside the registry
./vol.py -f file.dmp windows.registry.certificates.Certificates
#vol2 allos you to search and dump certificates from memory
#Interesting options for this modules are: --pid, --name, --ssl
volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp
Malware
./vol.py -f file.dmp windows.malfind.Malfind [--dump] #Find hidden and injected code, [dump each suspicious section]
#Malfind will search for suspicious structures related to malware
./vol.py -f file.dmp windows.driverirp.DriverIrp #Driver IRP hook detection
./vol.py -f file.dmp windows.ssdt.SSDT #Check system call address from unexpected addresses
./vol.py -f file.dmp linux.check_afinfo.Check_afinfo #Verifies the operation function pointers of network protocols
./vol.py -f file.dmp linux.check_creds.Check_creds #Checks if any processes are sharing credential structures
./vol.py -f file.dmp linux.check_idt.Check_idt #Checks if the IDT has been altered
./vol.py -f file.dmp linux.check_syscall.Check_syscall #Check system call table for hooks
./vol.py -f file.dmp linux.check_modules.Check_modules #Compares module list to sysfs info, if available
./vol.py -f file.dmp linux.tty_check.tty_check #Checks tty devices for hooks
Inawezekana kusoma kutoka kwa kumbukumbu historia ya bash. Unaweza pia kutupa faili ya .bash_history, lakini ilizuiliwa utashukuru unaweza kutumia moduli hii ya volatility
The Master Boot Record (MBR) ina jukumu muhimu katika kusimamia sehemu za mantiki za kifaa cha kuhifadhi, ambazo zimeundwa na mifumo tofauti ya file systems. Haishikilii tu taarifa za mpangilio wa sehemu bali pia ina msimbo unaoweza kutekelezwa ukifanya kazi kama boot loader. Boot loader hii ama huanzisha moja kwa moja mchakato wa upakiaji wa hatua ya pili wa OS (tazama second-stage boot loader) au inafanya kazi kwa ushirikiano na volume boot record (VBR) ya kila sehemu. Kwa maarifa ya kina, rejelea MBR Wikipedia page.
RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.
