利用Volatility进行入侵痕迹分析 - 完整教学指南<\/h1>

0x00 环境准备<\/h2>

工具准备：<\/strong><\/p>

Volatility：Kali Linux 2自带版本2.4，建议使用最新版本2.6<\/li>
下载地址：https:\/\/github.com\/volatilityfoundation\/volatility<\/li>
Windows内存镜像工具：DumpIt等<\/li> <\/ul>
系统要求：<\/strong><\/p>

本文以Windows系统内存镜像为例进行分析<\/li>
示例镜像：PC-20170527XAOD-20180409-232828.raw<\/li>
示例系统配置：Win7SP1x86<\/li> <\/ul>
0x01 网络连接分析<\/h2>
命令：<\/strong><\/p>
python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 netscan <\/span><\/span><\/code><\/pre>功能：<\/strong><\/p> 查看系统网络连接情况<\/li> 识别异常连接和远程IP<\/li> <\/ul> 0x02 进程分析<\/h2> 基本进程查看：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 pslist <\/span><\/span><\/code><\/pre>隐藏进程检测：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 psxview <\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p> psxview可以检测通过DKOM等技术隐藏的进程<\/li> 对比pslist和psxview结果寻找差异<\/li> <\/ul> 0x03 进程注入检测<\/h2> 命令：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 malfind <\/span><\/span><\/code><\/pre>功能：<\/strong><\/p> 查找隐藏或注入的代码\/DLL<\/li> 检测进程内存中的异常区域<\/li> <\/ul> 示例输出分析：<\/strong><\/p> 检测到PID为620的svchost.exe存在异常<\/li> <\/ul> 0x04 内存提取与分析<\/h2> 进程内存提取：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 procdump -p 620<\/span> -D dump <\/span><\/span>python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 memdump -p 620<\/span> -D dump <\/span><\/span><\/code><\/pre>后续分析：<\/strong><\/p> 将提取的文件上传至VirusTotal进行检测<\/li> 成功检测出Meterpreter攻击痕迹<\/li> <\/ul> 0x05 YARA规则检测Meterpreter<\/h2> 自定义YARA规则(fm.yara)：<\/strong><\/p> rule Find_Meterpreter{ meta: desrciption = "it's the Meterpreter!" strings: $a = { 6D 65 74 73 72 76 2E 64 6C 6C 00 00 52 65 66 6C 65 63 74 69 76 65 4C 6F 61 64 65 72 } $b = "stdapi_" ascii nocase condition: $a and $b } <\/code><\/pre> 执行检测：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 yarascan -y fm.yara <\/span><\/span><\/code><\/pre>参考资源：<\/strong><\/p> http:\/\/cyberforensicator.com\/2018\/03\/11\/finding-metasploits-meterpreter-traces-with-memory-forensics\/<\/li> <\/ul> 0x06 DLL分析<\/h2> DLL查看：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 dlllist -p 1656<\/span> <\/span><\/span>python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 ldrmodules <\/span><\/span><\/code><\/pre>DLL提取：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 dlldump -p 1656<\/span> -D dump <\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p> ldrmodules可检测隐藏的DLL<\/li> 提取的DLL可上传至VirusTotal检测<\/li> <\/ul> 0x07 文件句柄分析<\/h2> 命令：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 handles -p 620<\/span> -t file <\/span><\/span><\/code><\/pre>功能：<\/strong><\/p> 查看进程打开的文件句柄<\/li> 检测异常文件访问<\/li> <\/ul> 0x08 命令行历史分析<\/h2> 命令：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 cmdscan <\/span><\/span><\/code><\/pre>功能：<\/strong><\/p> 查看内存中保留的cmd命令<\/li> 可检测powershell命令执行记录<\/li> <\/ul> 0x09 IE浏览器历史记录分析<\/h2> 方法1：iehistory插件<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180410-073551.raw --profile=<\/span>Win7SP1x86 iehistory <\/span><\/span><\/code><\/pre>方法2：yarascan搜索<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180410-073551.raw --profile=<\/span>Win7SP1x86 pslist | grep iexplore <\/span><\/span>python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180410-073551.raw --profile=<\/span>Win7SP1x86 yarascan -Y "\/(URL|REDR|LEAK)\/"<\/span> -p 1904,220,3276,3676 <\/span><\/span><\/code><\/pre>方法3：memdump+strings<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180410-073551.raw --profile=<\/span>Win7SP1x86 memdump -p 1904,220,3276,3676 -D dump <\/span><\/span>strings dump\/1904.dmp | grep -i http:\/\/ | sort | uniq -u <\/span><\/span><\/code><\/pre>0x10 注册表分析<\/h2> 启动项检查：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 printkey -K "Microsoft\Windows\CurrentVersion\Run"<\/span> <\/span><\/span><\/code><\/pre>用户账户检查：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 printkey -K "SAM\Domains\Account\Users\Names"<\/span> <\/span><\/span><\/code><\/pre>ShimCache分析：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 shimcache <\/span><\/span><\/code><\/pre>UserAssist分析：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180407-042003.raw --profile=<\/span>Win7SP1x86 userassist <\/span><\/span><\/code><\/pre>0x11 服务分析<\/h2> 命令：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 svcscan <\/span><\/span><\/code><\/pre>功能：<\/strong><\/p> 查看系统服务信息<\/li> 检测恶意服务<\/li> <\/ul> 0x12 内核驱动分析<\/h2> 基本驱动查看：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 modules <\/span><\/span><\/code><\/pre>隐藏驱动检测：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 modscan <\/span><\/span>python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 driverscan <\/span><\/span><\/code><\/pre>0x13 文件系统分析<\/h2> 命令：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180409-232828.raw --profile=<\/span>Win7SP1x86 filescan <\/span><\/span><\/code><\/pre>功能：<\/strong><\/p> 检测rootkit隐藏文件<\/li> 扫描内存中的文件对象<\/li> <\/ul> 0x14 时间线分析<\/h2> 命令：<\/strong><\/p> python vol.py -f \/root\/lltest\/PC-20170527XAOD-20180407-042003.raw --profile=<\/span>Win7SP1x86 timeliner --output=<\/span>text --output-file=<\/span>out1.txt <\/span><\/span><\/code><\/pre>建议：<\/strong><\/p> 输出内容较多，建议重定向到文件<\/li> 可用于构建攻击时间线<\/li> <\/ul> 参考资源<\/h2> Volatility官方命令参考：https:\/\/github.com\/volatilityfoundation\/volatility\/wiki\/Command-Reference<\/li> Meterpreter检测方法：http:\/\/cyberforensicator.com\/2018\/03\/11\/finding-metasploits-meterpreter-traces-with-memory-forensics\/<\/li> 高级恶意软件检测：https:\/\/eforensicsmag.com\/finding-advanced-malware-using-volatility\/<\/li> IE缓存历史记录扫描：https:\/\/volatility-labs.blogspot.com\/2012\/09\/howto-scan-for-internet-cachehistory.html<\/li> <\/ol>