Trying to extract malware with Volatility3

Posted at 2021-08-11

# Environment
OS: REMnux (based on Ubuntu 20.04)
Volatility3 version: 1.1.1
GitHub
# Procedure
### Get OS and kernel information with windows.info

$ vol3 -f memory.dmp windows.info

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished                     
Variable	Value

Kernel Base	0xf80001806000
DTB	0x187000
Symbols	file:///usr/local/lib/python3.8/dist-packages/volatility3/framework/symbols/windows/ntkrnlmp.pdb/57489119968749168D61EA066CAE9589-1.json.xz
Is64Bit	True
IsPAE	False
primary	0 WindowsIntel32e
memory_layer	1 Elf64Layer
base_layer	2 FileLayer
KdDebuggerDataBlock	0xf800019e8130
NTBuildLab	7601.24545.amd64fre.win7sp1_ldr_
CSDVersion	1
KdVersionBlock	0xf800019e80e8
Major/Minor	15.7601
MachineType	34404
KeNumberProcessors	4
SystemTime	2021-08-10 13:02:30
NtSystemRoot	C:\Windows
NtProductType	NtProductWinNt
NtMajorVersion	6
NtMinorVersion	1
PE MajorOperatingSystemVersion	6
PE MinorOperatingSystemVersion	1
PE Machine	34404
PE TimeDateStamp	Fri Jan  3 02:56:30 2020

### List processes with windows.pslist

$ vol3 -f memory.dmp windows.pslist

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished                     
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

4	0	System	0xfa8003fc4040	106	561	N/A	False	2021-08-10 13:10:30.000000 N/A	Disabled
300	4	smss.exe	0xfa8005582330	2	32	N/A	False	2021-08-10 13:10:30.000000 	N/A	Disabled
392	372	csrss.exe	0xfa800563db00	9	544	0	False	2021-08-10 13:10:32.000000 	N/A	Disabled
436	372	wininit.exe	0xfa800584e060	3	84	0	False	2021-08-10 13:10:33.000000 	N/A	Disabled
444	428	csrss.exe	0xfa800575c060	10	237	1	False	2021-08-10 13:10:33.000000 	N/A	Disabled
508	428	winlogon.exe	0xfa8005eb45f0	4	117	1	False	2021-08-10 13:10:33.000000 	N/A	Disabled
516	436	services.exe	0xfa8005df4b00	11	237	0	False	2021-08-10 13:10:33.000000 	N/A	Disabled
548	436	lsass.exe	0xfa8005ec6060	8	607	0	False	2021-08-10 13:10:33.000000 	N/A	Disabled
556	436	lsm.exe	0xfa8005e9b060	11	148	0	False	2021-08-10 13:10:33.000000 N/A	Disabled
652	516	svchost.exe	0xfa80055bfb00	15	378	0	False	2021-08-10 13:10:34.000000 	N/A	Disabled
728	516	svchost.exe	0xfa8005f78b00	8	286	0	False	2021-08-10 13:10:34.000000 	N/A	Disabled
812	516	svchost.exe	0xfa8005df2b00	22	483	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
860	516	svchost.exe	0xfa8005998b00	21	507	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
900	516	svchost.exe	0xfa800599b8a0	19	618	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
948	516	svchost.exe	0xfa80059c5060	45	1870	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
1008	812	audiodg.exe	0xfa80059e3060	7	133	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
1000	516	svchost.exe	0xfa800614d5b0	17	479	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
1168	516	spoolsv.exe	0xfa8006206b00	17	327	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
1196	516	svchost.exe	0xfa800622b060	20	334	0	False	2021-08-10 13:10:35.000000 	N/A	Disabled
1288	516	taskhost.exe	0xfa800628e840	0	-	1	False	2021-08-10 13:10:36.000000 	2021-08-10 13:12:53.000000 	Disabled
1340	948	taskeng.exe	0xfa80062a0b00	5	88	0	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1400	860	dwm.exe	0xfa80062dd440	0	-	1	False	2021-08-10 13:10:36.000000 2021-08-10 13:13:12.000000 	Disabled
1476	1352	explorer.exe	0xfa8006312b00	41	1016	1	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1500	516	armsvc.exe	0xfa800631ab00	5	70	0	True	2021-08-10 13:10:36.000000 	N/A	Disabled
1576	516	svchost.exe	0xfa80063f6060	12	154	0	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1636	516	IMEDICTUPDATE.	0xfa8006324b00	4	61	0	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1696	516	coherence.exe	0xfa800645db00	6	72	0	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1768	516	prl_tools_serv	0xfa800648ab00	10	142	0	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1812	1696	coherence.exe	0xfa80064a4b00	5	68	1	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1932	1768	prl_tools.exe	0xfa80040615f0	9	151	1	False	2021-08-10 13:10:36.000000 	N/A	Disabled
1944	516	dllhost.exe	0xfa80054bbb00	8	102	0	False	2021-08-10 13:10:36.000000 	N/A	Disabled
2116	1932	prl_cc.exe	0xfa80065aa060	0	-	1	False	2021-08-10 13:10:36.000000 	2021-08-10 13:13:41.000000 	Disabled
2392	516	dllhost.exe	0xfa800663e700	17	213	0	False	2021-08-10 13:10:36.000000 	N/A	Disabled
2604	516	svchost.exe	0xfa8006687300	5	110	0	False	2021-08-10 13:10:37.000000 	N/A	Disabled
2904	860	WUDFHost.exe	0xfa80066d1060	9	202	0	False	2021-08-10 13:10:37.000000 	N/A	Disabled
2936	516	msdtc.exe	0xfa80066f5060	14	156	0	False	2021-08-10 13:10:37.000000 	N/A	Disabled
2008	516	sppsvc.exe	0xfa8006765660	7	179	0	False	2021-08-10 13:10:41.000000 	N/A	Disabled
2864	516	SearchIndexer.	0xfa80067a5060	30	745	0	False	2021-08-10 13:10:42.000000 	N/A	Disabled
396	2864	SearchProtocol	0xfa80067e3110	9	291	0	False	2021-08-10 13:10:42.000000 	N/A	Disabled
3936	516	svchost.exe	0xfa8004185b00	9	127	0	False	2021-08-10 13:12:37.000000 	N/A	Disabled
3968	516	mscorsvw.exe	0xfa8004290b00	7	87	0	True	2021-08-10 13:12:37.000000 	N/A	Disabled
4024	516	mscorsvw.exe	0xfa80043f5b00	6	80	0	False	2021-08-10 13:12:37.000000 	N/A	Disabled
320	1476	goBnh.exe	0xfa80041806c0	8	126568	1	False	2021-08-10 13:12:41.000000 	N/A	Disabled
2452	516	svchost.exe	0xfa80043c65e0	7	80	0	False	2021-08-10 13:12:47.000000 	N/A	Disabled
69236	860	dwm.exe	0xfa8009fccb00	7	113	1	False	2021-08-10 13:13:13.000000 N/A	Disabled
125484	652	WmiPrvSE.exe	0xfa800b5d85f0	11	212	0	False	2021-08-10 13:13:23.000000 	N/A	Disabled
236912	652	dllhost.exe	0xfa80095ba5f0	12	134	1	False	2021-08-10 13:13:35.000000 	N/A	Disabled
257292	516	TrustedInstall	0xfa800bc535f0	8	141	0	False	2021-08-10 13:13:37.000000 	N/A	Disabled
295628	2864	SearchFilterHo	0xfa800c9015f0	6	115	0	False	2021-08-10 13:13:42.000000 	N/A	Disabled

### Show the process tree with windows.pstree

$ vol3 -f memory.dmp windows.pstree

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished                     
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime

4	0	System	0xfa800c9015f0	106	561	N/A	False	2021-08-10 13:10:30.000000 N/A
* 300	4	smss.exe	0xfa800c9015f0	2	32	N/A	False	2021-08-10 13:10:30.000000 	N/A
392	372	csrss.exe	0xfa800c9015f0	9	544	0	False	2021-08-10 13:10:32.000000 	N/A
436	372	wininit.exe	0xfa800c9015f0	3	84	0	False	2021-08-10 13:10:33.000000 	N/A
* 516	436	services.exe	0xfa800c9015f0	11	237	0	False	2021-08-10 13:10:33.000000 	N/A
** 3968	516	mscorsvw.exe	0xfa800c9015f0	7	87	0	True	2021-08-10 13:12:37.000000 	N/A
** 900	516	svchost.exe	0xfa800c9015f0	19	618	0	False	2021-08-10 13:10:35.000000 	N/A
** 1288	516	taskhost.exe	0xfa800c9015f0	0	-	1	False	2021-08-10 13:10:36.000000 	2021-08-10 13:12:53.000000 
** 652	516	svchost.exe	0xfa800c9015f0	15	378	0	False	2021-08-10 13:10:34.000000 	N/A
*** 236912	652	dllhost.exe	0xfa800c9015f0	12	134	1	False	2021-08-10 13:13:35.000000 	N/A
*** 125484	652	WmiPrvSE.exe	0xfa800c9015f0	11	212	0	False	2021-08-10 13:13:23.000000 	N/A
** 257292	516	TrustedInstall	0xfa800c9015f0	8	141	0	False	2021-08-10 13:13:37.000000 	N/A
** 1168	516	spoolsv.exe	0xfa800c9015f0	17	327	0	False	2021-08-10 13:10:35.000000 	N/A
** 2452	516	svchost.exe	0xfa800c9015f0	7	80	0	False	2021-08-10 13:12:47.000000 	N/A
** 1944	516	dllhost.exe	0xfa800c9015f0	8	102	0	False	2021-08-10 13:10:36.000000 	N/A
** 1696	516	coherence.exe	0xfa800c9015f0	6	72	0	False	2021-08-10 13:10:36.000000 	N/A
*** 1812	1696	coherence.exe	0xfa800c9015f0	5	68	1	False	2021-08-10 13:10:36.000000 	N/A
** 1576	516	svchost.exe	0xfa800c9015f0	12	154	0	False	2021-08-10 13:10:36.000000 	N/A
** 812	516	svchost.exe	0xfa800c9015f0	22	483	0	False	2021-08-10 13:10:35.000000 	N/A
*** 1008	812	audiodg.exe	0xfa800c9015f0	7	133	0	False	2021-08-10 13:10:35.000000 	N/A
** 1196	516	svchost.exe	0xfa800c9015f0	20	334	0	False	2021-08-10 13:10:35.000000 	N/A
** 2604	516	svchost.exe	0xfa800c9015f0	5	110	0	False	2021-08-10 13:10:37.000000 	N/A
** 2864	516	SearchIndexer.	0xfa800c9015f0	30	745	0	False	2021-08-10 13:10:42.000000 	N/A
*** 295628	2864	SearchFilterHo	0xfa800c9015f0	6	115	0	False	2021-08-10 13:13:42.000000 	N/A
*** 396	2864	SearchProtocol	0xfa800c9015f0	9	291	0	False	2021-08-10 13:10:42.000000 	N/A
** 948	516	svchost.exe	0xfa800c9015f0	45	1870	0	False	2021-08-10 13:10:35.000000 	N/A
*** 1340	948	taskeng.exe	0xfa800c9015f0	5	88	0	False	2021-08-10 13:10:36.000000 	N/A
** 4024	516	mscorsvw.exe	0xfa800c9015f0	6	80	0	False	2021-08-10 13:12:37.000000 	N/A
** 2392	516	dllhost.exe	0xfa800c9015f0	17	213	0	False	2021-08-10 13:10:36.000000 	N/A
** 728	516	svchost.exe	0xfa800c9015f0	8	286	0	False	2021-08-10 13:10:34.000000 	N/A
** 2008	516	sppsvc.exe	0xfa800c9015f0	7	179	0	False	2021-08-10 13:10:41.000000 	N/A
** 1500	516	armsvc.exe	0xfa800c9015f0	5	70	0	True	2021-08-10 13:10:36.000000 	N/A
** 860	516	svchost.exe	0xfa800c9015f0	21	507	0	False	2021-08-10 13:10:35.000000 	N/A
*** 1400	860	dwm.exe	0xfa800c9015f0	0	-	1	False	2021-08-10 13:10:36.000000 	2021-08-10 13:13:12.000000 
*** 2904	860	WUDFHost.exe	0xfa800c9015f0	9	202	0	False	2021-08-10 13:10:37.000000 	N/A
*** 69236	860	dwm.exe	0xfa800c9015f0	7	113	1	False	2021-08-10 13:13:13.000000 	N/A
** 3936	516	svchost.exe	0xfa800c9015f0	9	127	0	False	2021-08-10 13:12:37.000000 	N/A
** 1636	516	IMEDICTUPDATE.	0xfa800c9015f0	4	61	0	False	2021-08-10 13:10:36.000000 	N/A
** 1000	516	svchost.exe	0xfa800c9015f0	17	479	0	False	2021-08-10 13:10:35.000000 	N/A
** 1768	516	prl_tools_serv	0xfa800c9015f0	10	142	0	False	2021-08-10 13:10:36.000000 	N/A
*** 1932	1768	prl_tools.exe	0xfa800c9015f0	9	151	1	False	2021-08-10 13:10:36.000000 	N/A
**** 2116	1932	prl_cc.exe	0xfa800c9015f0	0	-	1	False	2021-08-10 13:10:36.000000 	2021-08-10 13:13:41.000000 
** 2936	516	msdtc.exe	0xfa800c9015f0	14	156	0	False	2021-08-10 13:10:37.000000 	N/A
* 548	436	lsass.exe	0xfa800c9015f0	8	607	0	False	2021-08-10 13:10:33.000000 	N/A
* 556	436	lsm.exe	0xfa800c9015f0	11	148	0	False	2021-08-10 13:10:33.000000 N/A
444	428	csrss.exe	0xfa800c9015f0	10	237	1	False	2021-08-10 13:10:33.000000 	N/A
508	428	winlogon.exe	0xfa800c9015f0	4	117	1	False	2021-08-10 13:10:33.000000 	N/A
1476	1352	explorer.exe	0xfa800c9015f0	41	1016	1	False	2021-08-10 13:10:36.000000 	N/A
* 320	1476	goBnh.exe	0xfa800c9015f0	8	126568	1	False	2021-08-10 13:12:41.000000 	N/A

The process with PID 320 looks suspicious.
### List processes with network connections using windows.netscan
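The pslist/pstree output above is long enough that eyeballing it is error-prone. The script below is an added example (not code from the original article or from the Volatility3 project) that parses the text renderer's tab-separated rows and applies two triage heuristics: a core system process whose parent is not the expected image, and a handle count far above the median of the listing (goBnh.exe holds 126568 handles with 8 threads). The expected-parent table, the 10x-median threshold and the sample rows, which are constructed from the output shown above, are this example's own assumptions.

```python
"""Triage a Volatility3 windows.pslist / windows.pstree listing.

Added example (not code from the original article or from the Volatility3
project).  The sample rows are constructed from the pslist output shown
above; the expected-parent table and the handle-count threshold are this
example's own heuristics, not Volatility3 features.
"""
import statistics
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the article's pslist rows.  Two rows
# (System, lsm.exe) reproduce the quirk in the page's output where
# CreateTime and ExitTime are separated by a space instead of a tab.
SAMPLE_PSLIST = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xfa8003fc4040\t106\t561\tN/A\tFalse\t2021-08-10 13:10:30.000000 N/A\tDisabled
300\t4\tsmss.exe\t0xfa8005582330\t2\t32\tN/A\tFalse\t2021-08-10 13:10:30.000000 \tN/A\tDisabled
436\t372\twininit.exe\t0xfa800584e060\t3\t84\t0\tFalse\t2021-08-10 13:10:33.000000 \tN/A\tDisabled
516\t436\tservices.exe\t0xfa8005df4b00\t11\t237\t0\tFalse\t2021-08-10 13:10:33.000000 \tN/A\tDisabled
548\t436\tlsass.exe\t0xfa8005ec6060\t8\t607\t0\tFalse\t2021-08-10 13:10:33.000000 \tN/A\tDisabled
556\t436\tlsm.exe\t0xfa8005e9b060\t11\t148\t0\tFalse\t2021-08-10 13:10:33.000000 N/A\tDisabled
652\t516\tsvchost.exe\t0xfa80055bfb00\t15\t378\t0\tFalse\t2021-08-10 13:10:34.000000 \tN/A\tDisabled
948\t516\tsvchost.exe\t0xfa80059c5060\t45\t1870\t0\tFalse\t2021-08-10 13:10:35.000000 \tN/A\tDisabled
1288\t516\ttaskhost.exe\t0xfa800628e840\t0\t-\t1\tFalse\t2021-08-10 13:10:36.000000 \t2021-08-10 13:12:53.000000 \tDisabled
1476\t1352\texplorer.exe\t0xfa8006312b00\t41\t1016\t1\tFalse\t2021-08-10 13:10:36.000000 \tN/A\tDisabled
320\t1476\tgoBnh.exe\t0xfa80041806c0\t8\t126568\t1\tFalse\t2021-08-10 13:12:41.000000 \tN/A\tDisabled
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    threads: int
    handles: Optional[int]   # None when Volatility prints "-" (process exited)
    session: str
    create_time: str
    exit_time: str


def parse_pslist(text: str) -> list:
    """Parse the text renderer's tab-separated rows; pstree's '*' prefixes are tolerated."""
    procs = []
    for raw in text.splitlines():
        line = raw.lstrip("* ")
        if not line[:1].isdigit():        # banner, header or blank line
            continue
        fields = [f.strip() for f in line.split("\t")]
        # Volatility3 1.1.1 sometimes prints "CreateTime ExitTime" with a
        # space instead of a tab; split that column back apart.
        if fields[8].endswith(" N/A"):
            fields[8:9] = [fields[8][:-4].rstrip(), "N/A"]
        pid, ppid, name, _offset, threads, handles, session, _wow64, ctime, etime = fields[:10]
        procs.append(Proc(int(pid), int(ppid), name, int(threads),
                          int(handles) if handles.isdigit() else None,
                          session, ctime, etime))
    return procs


# Expected parent image for core Windows 7 processes (this example's own
# abbreviated table).  A parent missing from the listing (e.g. the smss.exe
# instance that spawned csrss/wininit and then exited) is not an anomaly.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "taskhost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
}

HANDLE_OUTLIER_FACTOR = 10   # flag handle counts above 10x the listing's median


def triage(procs: list) -> list:
    """Return (pid, reason) findings: unexpected parents and handle-count outliers."""
    by_pid = {p.pid: p for p in procs}
    counts = [p.handles for p in procs if p.handles is not None]
    median = statistics.median(counts) if counts else 0
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected and parent is not None and parent.name.lower() not in expected:
            findings.append((p.pid, f"{p.name} spawned by {parent.name} (pid {parent.pid}), "
                                    f"expected {sorted(expected)}"))
        if p.handles is not None and median and p.handles > HANDLE_OUTLIER_FACTOR * median:
            findings.append((p.pid, f"{p.name} holds {p.handles} handles "
                                    f"(median across listing: {median:g})"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid}: {reason}")
```

Run it against the real listing by reading the saved output of `vol3 -f memory.dmp windows.pslist` into `parse_pslist`; on the rows above only PID 320 is reported, for its handle count. The parent-image table is deliberately small and Windows 7 specific, so extend it for the OS version windows.info reports before relying on it.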

$ vol3 -f memory.dmp windows.netscan

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished                     
Offset	Proto	LocalAddr	LocalPort	ForeignAddr	ForeignPort	State	PID	Owner	Created

0x19f1520	TCPv6	fdb2:2c26:f4e4:0:b4cf:c701:28fa:f804	49162	240b:c010:105:2::856a:108a	80	ESTABLISHED	-	-	N/A
0x51b4cd0	TCPv6	fdb2:2c26:f4e4:0:b4cf:c701:28fa:f804	49161	2a01:111:f100:3000::a83e:19a1	443	ESTABLISHED	-	-	N/A
0x62666170	TCPv4	10.211.55.37	445	10.211.55.2	53361	ESTABLISHED	-	-	N/A
0x14973b520	TCPv6	fdb2:2c26:f4e4:0:b4cf:c701:28fa:f804	49160	240b:c010:105:2::856a:108a	80	ESTABLISHED	-	-	N/A
0x14ce2e700	TCPv6	fdb2:2c26:f4e4:0:b4cf:c701:28fa:f804	49163	2a01:111:2003::50	80	ESTABLISHED	-	-	N/A
0x14d7832c0	TCPv4	10.211.55.37	445	10.211.55.2	53359	CLOSED	-	-	N/A
0x14d80ede0	TCPv4	0.0.0.0	49155	0.0.0.0	0	LISTENING	516	services.exe	-
0x14d813260	TCPv4	0.0.0.0	445	0.0.0.0	0	LISTENING	4	System	-
0x14d813260	TCPv6	::	445	::	0	LISTENING	4	System	-
0x14d8199b0	TCPv4	0.0.0.0	49156	0.0.0.0	0	LISTENING	2604	svchost.exe	-
0x14d8199b0	TCPv6	::	49156	::	0	LISTENING	2604	svchost.exe	-
Traceback (most recent call last):
  File "/usr/local/bin/vol3", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/volatility3/cli/__init__.py", line 618, in main
    CommandLine().run()
  File "/usr/local/lib/python3.8/dist-packages/volatility3/cli/__init__.py", line 326, in run
    renderers[args.renderer]().render(constructed.run())
  File "/usr/local/lib/python3.8/dist-packages/volatility3/cli/text_renderer.py", line 178, in render
    grid.populate(visitor, outfd)
  File "/usr/local/lib/python3.8/dist-packages/volatility3/framework/renderers/__init__.py", line 211, in populate
    for (level, item) in self._generator:
  File "/usr/local/lib/python3.8/dist-packages/volatility3/framework/plugins/windows/netscan.py", line 297, in _generator
    for ver, laddr, _ in netw_obj.dual_stack_sockets():
  File "/usr/local/lib/python3.8/dist-packages/volatility3/framework/symbols/windows/extensions/network.py", line 146, in dual_stack_sockets
    inaddr = self.get_in_addr()
  File "/usr/local/lib/python3.8/dist-packages/volatility3/framework/symbols/windows/extensions/network.py", line 123, in get_in_addr
    _ = local_addr.pData.dereference().addr4[0]
  File "/usr/local/lib/python3.8/dist-packages/volatility3/framework/objects/__init__.py", line 761, in __getattr__
    raise AttributeError("{} has no attribute: {}.{}".format(agg_name, self.vol.type_name, attr))
AttributeError: StructType has no attribute: nt_symbols1!_EPROCESS.pData

It threw an error partway through, so it seems not everything was displayed.
### List process command-line arguments with windows.cmdline

$ vol3 -f memory.dmp windows.cmdline

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished                     
PID	Process	Args

4	System	Required memory at 0x20 is not valid (process exited?)
300	smss.exe	\SystemRoot\System32\smss.exe
392	csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
436	wininit.exe	wininit.exe
444	csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
508	winlogon.exe	winlogon.exe
516	services.exe	C:\Windows\system32\services.exe
548	lsass.exe	C:\Windows\system32\lsass.exe
556	lsm.exe	C:\Windows\system32\lsm.exe
652	svchost.exe	C:\Windows\system32\svchost.exe -k DcomLaunch
728	svchost.exe	C:\Windows\system32\svchost.exe -k RPCSS
812	svchost.exe	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
860	svchost.exe	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
900	svchost.exe	C:\Windows\system32\svchost.exe -k LocalService
948	svchost.exe	C:\Windows\system32\svchost.exe -k netsvcs
1008	audiodg.exe	C:\Windows\system32\AUDIODG.EXE 0x314
1000	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkService
1168	spoolsv.exe	C:\Windows\System32\spoolsv.exe
1196	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1288	taskhost.exe	Required memory at 0x7fffffdd020 is not valid (process exited?)
1340	taskeng.exe	taskeng.exe {E50D53F4-E701-449C-A88F-0F5FC0E63665}
1400	dwm.exe	Required memory at 0x7fffffdf020 is not valid (process exited?)
1476	explorer.exe	C:\Windows\Explorer.EXE
1500	armsvc.exe	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1576	svchost.exe	C:\Windows\System32\svchost.exe -k utcsvc
1636	IMEDICTUPDATE.	"C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE"
1696	coherence.exe	"C:\Program Files (x86)\Parallels\Parallels Tools\Services\coherence.exe"
1768	prl_tools_serv	"C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools_service.exe"
1812	coherence.exe	coherence.exe agent
1932	prl_tools.exe	"C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe"
1944	dllhost.exe	C:\Windows\system32\dllhost.exe /Processid:{D5B6B728-3141-4F37-9E9B-E5D2A807CF3A}
2116	prl_cc.exe	Required memory at 0x7fffffdf020 is not valid (process exited?)
2392	dllhost.exe	C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2604	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
2904	WUDFHost.exe	"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-679cc312-0ae7-45fd-acc1-15c0f831cda3 -SystemEventPortName:HostProcess-08beca70-1042-4303-859b-99885db7fe82 -IoCancelEventPortName:HostProcess-2635b92a-aba2-48eb-9de2-ae5a3a6ca67f -NonStateChangingEventPortName:HostProcess-a1275a1e-2ccd-47e5-a875-9e74a12df500 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:3a4a4add-8f8d-4743-9166-0d6e830d7c9c -DeviceGroupId:
2936	msdtc.exe	C:\Windows\System32\msdtc.exe
2008	sppsvc.exe	C:\Windows\system32\sppsvc.exe
2864	SearchIndexer.	C:\Windows\system32\SearchIndexer.exe /Embedding
396	SearchProtocol	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 
3936	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3968	mscorsvw.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
4024	mscorsvw.exe	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
320	goBnh.exe	"C:\Users\masaomi\Downloads\goBnh.exe" 
2452	svchost.exe	C:\Windows\System32\svchost.exe -k WerSvcGroup
69236	dwm.exe	"C:\Windows\system32\Dwm.exe"
125484	WmiPrvSE.exe	C:\Windows\system32\wbem\wmiprvse.exe
236912	dllhost.exe	C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
257292	TrustedInstall	C:\Windows\servicing\TrustedInstaller.exe
295628	SearchFilterHo	"C:\Windows\system32\SearchFilterHost.exe" 0 536 540 548 65536 544

Let's look at PID 320 in a bit more detail.
### List loaded DLLs with windows.dlllist

$ vol3 -f memory.dmp windows.dlllist --pid 320

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished                     
PID	Process	Base	Size	Name	Path	LoadTime	File output

320	goBnh.exe	0x13f740000	0x389000	goBnh.exe	C:\Users\masaomi\Downloads\goBnh.exe	N/A	Disabled
320	goBnh.exe	0x76e80000	0x19f000	ntdll.dll	C:\Windows\SYSTEM32\ntdll.dll	N/A	Disabled
320	goBnh.exe	0x76d60000	0x11f000	kernel32.dll	C:\Windows\system32\kernel32.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefcd20000	0x67000	KERNELBASE.dll	C:\Windows\system32\KERNELBASE.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe3c0000	0xdb000	ADVAPI32.dll	C:\Windows\system32\ADVAPI32.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefeb70000	0x9f000	msvcrt.dll	C:\Windows\system32\msvcrt.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe5e0000	0x1f000	sechost.dll	C:\Windows\SYSTEM32\sechost.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe6b0000	0x12c000	RPCRT4.dll	C:\Windows\system32\RPCRT4.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefd2a0000	0xd8b000	SHELL32.dll	C:\Windows\system32\SHELL32.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefec10000	0x71000	SHLWAPI.dll	C:\Windows\system32\SHLWAPI.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe300000	0x67000	GDI32.dll	C:\Windows\system32\GDI32.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x76c60000	0xfa000	USER32.dll	C:\Windows\system32\USER32.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe6a0000	0xe000	LPK.dll	C:\Windows\system32\LPK.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe050000	0xcb000	USP10.dll	C:\Windows\system32\USP10.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe4a0000	0x2e000	IMM32.DLL	C:\Windows\system32\IMM32.DLL	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fefe4d0000	0x10b000	MSCTF.dll	C:\Windows\system32\MSCTF.dll	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fef8990000	0x3000	api-ms-win-core-synch-l1-2-0.DLL	C:\Windows\system32\api-ms-win-core-synch-l1-2-0.DLL	2021-08-10 13:12:41.000000 	Disabled
320	goBnh.exe	0x7fef9aa0000	0x18000	mpr.dll	C:\Windows\system32\mpr.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefe970000	0x1ff000	ole32.dll	C:\Windows\system32\ole32.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefa0f0000	0x27000	Iphlpapi.dll	C:\Windows\system32\Iphlpapi.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefef60000	0x8000	NSI.dll	C:\Windows\system32\NSI.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefa0e0000	0xb000	WINNSI.DLL	C:\Windows\system32\WINNSI.DLL	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefc170000	0x18000	CRYPTSP.dll	C:\Windows\system32\CRYPTSP.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefbe70000	0x47000	rsaenh.dll	C:\Windows\system32\rsaenh.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefcbb0000	0x1f000	USERENV.dll	C:\Windows\system32\USERENV.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefc9e0000	0xf000	profapi.dll	C:\Windows\system32\profapi.dll	2021-08-10 13:12:58.000000 	Disabled
320	goBnh.exe	0x7fefc830000	0xf000	CRYPTBASE.dll	C:\Windows\system32\CRYPTBASE.dll	2021-08-10 13:12:58.000000 	Disabled

We can see that DLLs such as CRYPTSP.dll and CRYPTBASE.dll have been loaded.
### Show injected code with windows.malfind
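What makes the dlllist output interesting is not only which DLLs are present but when they arrived: the crypto and network modules (mpr, Iphlpapi, CRYPTSP, rsaenh, CRYPTBASE) all show a LoadTime of 13:12:58, seventeen seconds after the initial batch at 13:12:41, which points to run-time loading rather than import-table resolution. The script below is an added example (not code from the original article or from the Volatility3 project) that groups the listing by load time, tags modules by API family and flags images loaded from outside the Windows directory. The family keyword table and the sample rows, constructed from the output shown above, are this example's own assumptions.

```python
"""Summarise a Volatility3 windows.dlllist listing for one process.

Added example (not code from the original article or from the Volatility3
project).  The sample rows are constructed from the dlllist output shown
above; the module-family keyword table and the "late load" notion are this
example's own heuristics.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the article's dlllist rows for PID 320.
SAMPLE_DLLLIST = """\
PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output

320\tgoBnh.exe\t0x13f740000\t0x389000\tgoBnh.exe\tC:\\Users\\masaomi\\Downloads\\goBnh.exe\tN/A\tDisabled
320\tgoBnh.exe\t0x76e80000\t0x19f000\tntdll.dll\tC:\\Windows\\SYSTEM32\\ntdll.dll\tN/A\tDisabled
320\tgoBnh.exe\t0x76d60000\t0x11f000\tkernel32.dll\tC:\\Windows\\system32\\kernel32.dll\t2021-08-10 13:12:41.000000 \tDisabled
320\tgoBnh.exe\t0x7fefe3c0000\t0xdb000\tADVAPI32.dll\tC:\\Windows\\system32\\ADVAPI32.dll\t2021-08-10 13:12:41.000000 \tDisabled
320\tgoBnh.exe\t0x7fef9aa0000\t0x18000\tmpr.dll\tC:\\Windows\\system32\\mpr.dll\t2021-08-10 13:12:58.000000 \tDisabled
320\tgoBnh.exe\t0x7fefa0f0000\t0x27000\tIphlpapi.dll\tC:\\Windows\\system32\\Iphlpapi.dll\t2021-08-10 13:12:58.000000 \tDisabled
320\tgoBnh.exe\t0x7fefc170000\t0x18000\tCRYPTSP.dll\tC:\\Windows\\system32\\CRYPTSP.dll\t2021-08-10 13:12:58.000000 \tDisabled
320\tgoBnh.exe\t0x7fefbe70000\t0x47000\trsaenh.dll\tC:\\Windows\\system32\\rsaenh.dll\t2021-08-10 13:12:58.000000 \tDisabled
320\tgoBnh.exe\t0x7fefc830000\t0xf000\tCRYPTBASE.dll\tC:\\Windows\\system32\\CRYPTBASE.dll\t2021-08-10 13:12:58.000000 \tDisabled
"""


@dataclass
class Module:
    name: str
    path: str
    base: int
    size: int
    load_time: Optional[str]    # None where Volatility printed N/A (the exe and ntdll)


# This example's own, deliberately short keyword table (lower-case file stems).
FAMILIES = {
    "crypto": {"cryptsp", "cryptbase", "rsaenh", "crypt32", "bcrypt", "ncrypt"},
    "network": {"ws2_32", "wininet", "winhttp", "iphlpapi", "mpr", "nsi", "winnsi", "dnsapi", "urlmon"},
}


def parse_dlllist(text: str) -> list:
    """Parse the text renderer's tab-separated rows into Module records."""
    mods = []
    for line in text.splitlines():
        if not line[:1].isdigit():        # banner, header or blank line
            continue
        _pid, _proc, base, size, name, path, load_time, _out = [f.strip() for f in line.split("\t")][:8]
        mods.append(Module(name, path, int(base, 16), int(size, 16),
                           None if load_time == "N/A" else load_time))
    return mods


def family_of(mod: Module) -> Optional[str]:
    stem = mod.name.lower().rsplit(".", 1)[0]
    return next((fam for fam, stems in FAMILIES.items() if stem in stems), None)


def summarise(mods: list) -> dict:
    """Group modules by load time and pick out what a triage analyst wants first."""
    timeline = defaultdict(list)
    families = defaultdict(list)
    for m in mods:
        timeline[m.load_time or "initial"].append(m.name)
        fam = family_of(m)
        if fam:
            families[fam].append(m.name)
    timed = sorted(t for t in timeline if t != "initial")   # timestamps share one format, so string order is time order
    earliest = timed[0] if timed else None
    return {
        "timeline": dict(timeline),
        # Modules loaded after the initial batch usually arrived through
        # LoadLibrary at run time rather than through the import table.
        "late_loads": [m.name for m in mods if m.load_time and m.load_time > earliest],
        "families": dict(families),
        "non_system": [m.name for m in mods if not m.path.lower().startswith("c:\\windows\\")],
    }


if __name__ == "__main__":
    for key, value in summarise(parse_dlllist(SAMPLE_DLLLIST)).items():
        print(f"{key}: {value}")
```

On the sample, `late_loads` is exactly the crypto and network group, `non_system` is the executable itself (run from the user's Downloads folder), and `timeline["initial"]` holds the two entries Volatility could not timestamp.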

$ vol3 -f memory.dmp windows.malfind --pid 320

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished                     
PID	Process	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	File output	Hexdump	Disasm

There doesn't seem to be any injection.
When there is injection, it looks like this:

$ vol3 -f memory.dmp windows.malfind --pid 1476

Volatility 3 Framework 1.1.1
Progress:  100.00		PDB scanning finished
PID	Process	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	File output	Hexdump	Disasm

1476	explorer.exe	0x2e50000	0x2e5ffff	VadS	PAGE_EXECUTE_READWRITE	16	1	Disabled
41 ba 80 00 00 00 48 b8	A.....H.
08 61 2f ff fe 07 00 00	.a/.....
48 ff 20 90 41 ba 81 00	H...A...
00 00 48 b8 08 61 2f ff	..H..a/.
fe 07 00 00 48 ff 20 90	....H...
41 ba 82 00 00 00 48 b8	A.....H.
08 61 2f ff fe 07 00 00	.a/.....
48 ff 20 90 41 ba 83 00	H...A...	41 ba 80 00 00 00 48 b8 08 61 2f ff fe 07 00 00 48 ff 20 90 41 ba 81 00 00 00 48 b8 08 61 2f ff fe 07 00 00 48 ff 20 90 41 ba 82 00 00 00 48 b8 08 61 2f ff fe 07 00 00 48 ff 20 90 41 ba 83 00
1476	explorer.exe	0x4520000	0x4520fff	VadS	PAGE_EXECUTE_READWRITE	1	1	Disabled
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 52 04 00 00 00 00	..R.....
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1476	explorer.exe	0x4a00000	0x4a7ffff	VadS	PAGE_EXECUTE_READWRITE	2	1	Disabled
00 00 00 00 00 00 00 00	........
cb 7f 56 9b 0f 48 00 01	..V..H..
ee ff ee ff 00 00 00 00	........
28 01 a0 04 00 00 00 00	(.......
28 01 a0 04 00 00 00 00	(.......
00 00 a0 04 00 00 00 00	........
00 00 a0 04 00 00 00 00	........
80 00 00 00 00 00 00 00	........	00 00 00 00 00 00 00 00 cb 7f 56 9b 0f 48 00 01 ee ff ee ff 00 00 00 00 28 01 a0 04 00 00 00 00 28 01 a0 04 00 00 00 00 00 00 a0 04 00 00 00 00 00 00 a0 04 00 00 00 00 80 00 00 00 00 00 00 00

### Dump files with windows.dumpfiles

$ vol3 -f memory.dmp windows.dumpfiles --pid 320

This extracts the files.
Below is the result of checking the hash of the extracted file on VirusTotal.
[Image: スクリーンショット 2021-08-11 12.17.43.png (VirusTotal result for the extracted file's hash)]

It sometimes throws errors, so it doesn't feel very stable.
# References
https://volatility3.readthedocs.io/en/latest/#
