
Trying out Volatility3 right away [Addendum]

Posted at 2019-10-17

volatility3

Volatility3 was announced at OSDFCon yesterday. I'd like to try out the newly announced Volatility3.

Test environment

Here is what I prepared.
- Ubuntu 18.04
- Ubuntu 19.10

Installation

Everything except Volatility itself was basically installed with pip3.
1. Install pefile

pip3 install pefile

2. Install yara

pip3 install yara-python

3. Install capstone

pip3 install capstone

4. Download volatility

git clone https://github.com/volatilityfoundation/volatility3.git

Running it

Run the help!

$ python3 vol.py -h

It looks like commands have been replaced by plugins, and there is a set of plugins for each OS (Windows, Linux, Mac).

The help output follows.

ubuntu:~/volatility3$ python3 vol.py -h
Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
                  [--write-config]
                  [--single-swap-locations SINGLE_SWAP_LOCATIONS]
                  [--single-location SINGLE_LOCATION]
                  plugin ...

An open-source memory forensics framework

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to processes if no
                        argument given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed)
                        setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
                        Determines how to render the output (quick, csv,
                        pretty)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if single-
                        location is not defined
  --write-config        Write configuration JSON file out to config.json
  --single-swap-locations SINGLE_SWAP_LOCATIONS
                        Specifies a list of swap layer URIs for use with
                        single-location
  --single-location SINGLE_LOCATION
                        Specifies a base location on which to stack

Plugins:
  plugin
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs
                        configuration in the output directory.
    layerwriter.LayerWriter
                        Runs the automagics and lists out the generated layers
                        if no layer name is specified, otherwise writes out
                        the named layer.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network
                        protocols.
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.lsof.Lsof     Lists all memory maps for all processes.
    linux.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    linux.proc.Maps     Lists all memory maps for all processes.
    linux.pslist.PsList
                        Lists the processes present in a particular linux
                        memory image.
    linux.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
                        Check system call table for hooks.
    mac.check_sysctl.Check_sysctl
                        Check sysctl handlers for hooks.
    mac.check_trap_table.Check_trap_table
                        Check mach trap table for hooks.
    mac.ifconfig.Ifconfig
                        Lists loaded kernel modules
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    mac.lsof.lsof       Lists all open file descriptors for all processes.
    mac.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    mac.netstat.Netstat
                        Lists all network connections for all processes.
    mac.proc_maps.Maps  Lists process memory ranges that potentially contain
                        injected code.
    mac.psaux.Psaux     Recovers program command line arguments.
    mac.pslist.PsList   Lists the processes present in a particular mac memory
                        image.
    mac.pstree.PsTree   Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.tasks.Tasks     Lists the processes present in a particular mac memory
                        image.
    mac.trustedbsd.trustedbsd
                        Checks for malicious trustedbsd modules
    timeliner.Timeliner
                        Runs all relevant plugins that provide time related
                        information and orders the results by time.
    windows.callbacks.Callbacks
                        Lists kernel callbacks and notification routines.
    windows.cmdline.CmdLine
                        Lists process command line arguments.
    windows.dlldump.DllDump
                        Dumps process memory ranges as DLLs.
    windows.dlllist.DllList
                        Lists the loaded modules in a particular windows
                        memory image.
    windows.driverirp.DriverIrp
                        List IRPs for drivers in a particular windows memory
                        image.
    windows.driverscan.DriverScan
                        Scans for drivers present in a particular windows
                        memory image.
    windows.filescan.FileScan
                        Scans for file objects present in a particular windows
                        memory image.
    windows.handles.Handles
                        Lists process open handles.
    windows.info.Info   Show OS & kernel details of the memory sample being
                        analyzed.
    windows.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    windows.moddump.ModDump
                        Dumps kernel modules.
    windows.modscan.ModScan
                        Scans for modules present in a particular windows
                        memory image.
    windows.modules.Modules
                        Lists the loaded kernel modules.
    windows.mutantscan.MutantScan
                        Scans for mutexes present in a particular windows
                        memory image.
    windows.poolscanner.PoolScanner
                        A generic pool scanner plugin.
    windows.procdump.ProcDump
                        Dumps process executable images.
    windows.pslist.PsList
                        Lists the processes present in a particular windows
                        memory image.
    windows.psscan.PsScan
                        Scans for processes present in a particular windows
                        memory image.
    windows.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    windows.registry.certificates.Certificates
                        Lists the certificates in the registry's Certificate
                        Store.
    windows.registry.hivelist.HiveList
                        Lists the registry hives present in a particular
                        memory image.
    windows.registry.hivescan.HiveScan
                        Scans for registry hives present in a particular
                        windows memory image.
    windows.registry.printkey.PrintKey
                        Lists the registry keys under a hive or specific key
                        value.
    windows.registry.userassist.UserAssist
                        Print userassist registry keys and information.
    windows.ssdt.SSDT   Lists the system call table.
    windows.statistics.Statistics
    windows.strings.Strings
                        Reads output from the strings command and indicates
                        which process(es) each string belongs to.
    windows.svcscan.SvcScan
                        Scans for windows services.
    windows.symlinkscan.SymlinkScan
                        Scans for links present in a particular windows memory
                        image.
    windows.vaddump.VadDump
                        Dumps process memory ranges.
    windows.vadinfo.VadInfo
                        Lists process memory ranges.
    windows.vadyarascan.VadYaraScan
                        Scans all the Virtual Address Descriptor memory maps
                        using yara.
    windows.verinfo.VerInfo
                        Lists version information from PE files.
    windows.virtmap.VirtMap
                        Lists virtual mapped sections.
    yarascan.YaraScan   Scans memory using yara rules (string or file).

Trying an analysis

I want to get a feel for what Volatility3 is like.

Analysis target

This time I'll analyze stuxnet.

The file to analyze was downloaded from the URL below.

URL
- http://www.jonrajewski.com/data/Malware/

The differences between volatility and volatility3 are roughly as follows.
- The implementation language changed from python2 to python3
- There is no need to run the profile command

Analysis flow

The analysis proceeds in the following steps.
1. Get memory information
2. Investigate processes
3. Investigate DLLs
4. Look for suspicious things
5. Dump the process
6. Check on VirusTotal

Usage

vol.py -f [path to the image to analyze] [name of the plugin to use]

1. Get memory information

Plugin used: windows.info

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.info 

Output

Volatility 3 Framework 1.0.0-beta.1
Progress:   99.99       Reading Symbol layer                                                                                              
Variable    Value

Kernel Base 0x804d7000
DTB 0x319000
Symbols file:///home/shinobi/volatility3/volatility/symbols/windows/ntkrnlpa.pdb/30B5FB31AE7E4ACAABA750AA241FF331-1.json.xz
primary 0 WindowsIntelPAE
memory_layer    1 FileLayer
KdDebuggerDataBlock 0x80545ae0
NTBuildLab  2600.xpsp.080413-2111
CSDVersion  3
KdVersionBlock  0x80545ab8
Major/Minor 15.2600
MachineType 332
KeNumberProcessors  1
SystemTime  2011-06-03 04:31:36
NtSystemRoot    C:\WINDOWS
NtProductType   NtProductWinNt
NtMajorVersion  5
NtMinorVersion  1
PE MajorOperatingSystemVersion  5
PE MinorOperatingSystemVersion  1
PE Machine  332
PE TimeDateStamp    Sun Apr 13 18:31:06 2008

2. Investigate processes

Plugin used: windows.pslist

ubuntu:~/volatility3$python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.pslist

Output

Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID PPID    ImageFileName   Offset(V)   Threads Handles SessionId   Wow64   CreateTime  ExitTime

4   0   System  0x823c8830  59  403 N/A False   N/A N/A
376 4   smss.exe    0x820df020  3   19  N/A False   2010-10-29 17:08:53.000000  N/A
600 376 csrss.exe   0x821a2da0  11  395 0   False   2010-10-29 17:08:54.000000  N/A
624 376 winlogon.exe    0x81da5650  19  570 0   False   2010-10-29 17:08:54.000000  N/A
668 624 services.exe    0x82073020  21  431 0   False   2010-10-29 17:08:54.000000  N/A
680 624 lsass.exe   0x81e70020  19  342 0   False   2010-10-29 17:08:54.000000  N/A
844 668 vmacthlp.exe    0x823315d8  1   25  0   False   2010-10-29 17:08:55.000000  N/A
856 668 svchost.exe 0x81db8da0  17  193 0   False   2010-10-29 17:08:55.000000  N/A
940 668 svchost.exe 0x81e61da0  13  312 0   False   2010-10-29 17:08:55.000000  N/A
1032    668 svchost.exe 0x822843e8  61  1169    0   False   2010-10-29 17:08:55.000000  N/A
1080    668 svchost.exe 0x81e18b28  5   80  0   False   2010-10-29 17:08:55.000000  N/A
1200    668 svchost.exe 0x81ff7020  14  197 0   False   2010-10-29 17:08:55.000000  N/A
1412    668 spoolsv.exe 0x81fee8b0  10  118 0   False   2010-10-29 17:08:56.000000  N/A
1580    668 jqs.exe 0x81e0eda0  5   148 0   False   2010-10-29 17:09:05.000000  N/A
1664    668 vmtoolsd.exe    0x81fe52d0  5   284 0   False   2010-10-29 17:09:05.000000  N/A
1816    668 VMUpgradeHelper 0x821a0568  3   96  0   False   2010-10-29 17:09:08.000000  N/A
188 668 alg.exe 0x8205ada0  6   107 0   False   2010-10-29 17:09:09.000000  N/A
1196    1728    explorer.exe    0x820ec7e8  16  582 0   False   2010-10-29 17:11:49.000000  N/A
2040    1032    wscntfy.exe 0x820ecc10  1   28  0   False   2010-10-29 17:11:49.000000  N/A
324 1196    TSVNCache.exe   0x81e86978  7   54  0   False   2010-10-29 17:11:49.000000  N/A
1912    1196    VMwareTray.exe  0x81fc5da0  1   50  0   False   2010-10-29 17:11:50.000000  N/A
1356    1196    VMwareUser.exe  0x81e6b660  9   251 0   False   2010-10-29 17:11:50.000000  N/A
1712    1196    jusched.exe 0x8210d478  1   26  0   False   2010-10-29 17:11:50.000000  N/A
756 668 imapi.exe   0x82279998  4   116 0   False   2010-10-29 17:11:54.000000  N/A
976 1032    wuauclt.exe 0x822b9a10  3   133 0   False   2010-10-29 17:12:03.000000  N/A
660 1196    Procmon.exe 0x81c543a0  13  189 0   False   2011-06-03 04:25:56.000000  N/A
1872    856 wmiprvse.exe    0x81fa5390  5   134 0   False   2011-06-03 04:25:58.000000  N/A
868 668 lsass.exe   0x81c498c8  2   23  0   False   2011-06-03 04:26:55.000000  N/A
1928    668 lsass.exe   0x81c47c00  4   65  0   False   2011-06-03 04:26:55.000000  N/A
968 1664    cmd.exe 0x81c0cda0  0   -   0   False   2011-06-03 04:31:35.000000  2011-06-03 04:31:36.000000 
304 968 ipconfig.exe    0x81f14938  0   -   0   False   2011-06-03 04:31:35.000000  2011-06-03 04:31:36.000000 

When investigating processes, you need to know what the legitimate processes look like.
A useful reference is the poster at the URL below.
- SANS: Hunt Evil poster
- https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf

Checking the first page of the Hunt Evil poster, the lsass process should normally be a single instance, yet here we can see there are several.
Normally the pstree plugin would show the processes as a tree, but for some reason pstree would not run, so I'll proceed as is.

python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.pslist | grep lsass
680 624 lsass.exe   0x81e70020  19  342 0   False   2010-10-29 17:08:54.000000  N/A
868 668 lsass.exe   0x81c498c8  2   23  0   False   2011-06-03 04:26:55.000000  N/A
1928    668 lsass.exe   0x81c47c00  4   65  0   False   2011-06-03 04:26:55.000000  N/A

Of the three lsass processes, two turned out to be suspicious.
The parent process of the legitimate lsass is "wininit.exe", so we can tell that the lsass with pid 680 is the legitimate one. Note that this image is Windows XP (NtMajorVersion 5, NtMinorVersion 1 in the windows.info output), where lsass.exe is started by winlogon.exe rather than wininit.exe; the pslist output bears this out: pid 680 has PPID 624 (winlogon.exe), while pids 868 and 1928 have PPID 668 (services.exe).
Next I'll investigate the lsass processes 868 and 1928.
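As an added example (not code from the original post or from the Volatility project), here are the two checks applied above, expected parent and expected instance count, run over Volatility3 pslist output. The sample rows are a constructed subset of the pslist output shown above, and the expected-parent table assumes Windows XP (this image is NT 5.1), where lsass.exe and services.exe are children of winlogon.exe rather than wininit.exe.

```python
from collections import Counter

# Constructed sample: a subset of the windows.pslist rows shown above.
SAMPLE_PSLIST = """\
Volatility 3 Framework 1.0.0-beta.1
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime

4 0 System 0x823c8830 59 403 N/A False N/A N/A
376 4 smss.exe 0x820df020 3 19 N/A False 2010-10-29 17:08:53.000000 N/A
600 376 csrss.exe 0x821a2da0 11 395 0 False 2010-10-29 17:08:54.000000 N/A
624 376 winlogon.exe 0x81da5650 19 570 0 False 2010-10-29 17:08:54.000000 N/A
668 624 services.exe 0x82073020 21 431 0 False 2010-10-29 17:08:54.000000 N/A
680 624 lsass.exe 0x81e70020 19 342 0 False 2010-10-29 17:08:54.000000 N/A
856 668 svchost.exe 0x81db8da0 17 193 0 False 2010-10-29 17:08:55.000000 N/A
1196 1728 explorer.exe 0x820ec7e8 16 582 0 False 2010-10-29 17:11:49.000000 N/A
868 668 lsass.exe 0x81c498c8 2 23 0 False 2011-06-03 04:26:55.000000 N/A
1928 668 lsass.exe 0x81c47c00 4 65 0 False 2011-06-03 04:26:55.000000 N/A
"""

# Expected parent and maximum instance count (None = any number) for core
# Windows XP processes. Assumption for this NT 5.1 image: on Vista and later,
# services.exe and lsass.exe are children of wininit.exe instead.
EXPECTED_XP = {
    "smss.exe": ("System", 1),
    "csrss.exe": ("smss.exe", None),
    "winlogon.exe": ("smss.exe", None),
    "services.exe": ("winlogon.exe", 1),
    "lsass.exe": ("winlogon.exe", 1),
    "svchost.exe": ("services.exe", None),
}


def parse_pslist(text):
    """Turn pslist rows into dicts; works for tab- or space-separated columns."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # 8 fixed columns, then the timestamps
        if len(parts) < 8 or not parts[0].isdigit():
            continue  # banner, header, blank and progress lines
        procs.append({
            "pid": int(parts[0]),
            "ppid": int(parts[1]),
            "name": parts[2],
            "offset": int(parts[3], 16),
            "threads": int(parts[4]),
            "times": parts[8] if len(parts) > 8 else "",
        })
    return procs


def find_anomalies(procs, expected=EXPECTED_XP):
    """Report processes whose parent is wrong and names with too many instances."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"] for p in procs)
    bad_parent, extra_instances = [], {}
    for p in procs:
        rule = expected.get(p["name"])
        if rule is None:
            continue
        want_parent, max_count = rule
        parent = by_pid.get(p["ppid"])
        actual = parent["name"] if parent else "<no such pid>"
        if actual != want_parent:
            bad_parent.append((p["pid"], p["name"], actual))
        if max_count is not None and counts[p["name"]] > max_count:
            extra_instances[p["name"]] = counts[p["name"]]
    return {"bad_parent": bad_parent, "extra_instances": extra_instances}


if __name__ == "__main__":
    report = find_anomalies(parse_pslist(SAMPLE_PSLIST))
    for pid, name, parent in report["bad_parent"]:
        print(f"pid {pid} {name}: unexpected parent {parent}")
    for name, n in report["extra_instances"].items():
        print(f"{name}: {n} instances, expected at most 1")
```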

3. Investigate DLLs

Plugin used: windows.dlllist

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 680

Output

Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID Process Base    Size    Name    Path

680 lsass.exe   0x1000000   0x6000  lsass.exe   C:\WINDOWS\system32\lsass.exe
680 lsass.exe   0x7c900000  0xaf000 -   -
680 lsass.exe   0x7c800000  0xf6000 kernel32.dll    C:\WINDOWS\system32\kernel32.dll
680 lsass.exe   0x77dd0000  0x9b000 ADVAPI32.dll    C:\WINDOWS\system32\ADVAPI32.dll
680 lsass.exe   0x77e70000  0x92000 RPCRT4.dll  C:\WINDOWS\system32\RPCRT4.dll
680 lsass.exe   0x77fe0000  0x11000 Secur32.dll C:\WINDOWS\system32\Secur32.dll
680 lsass.exe   0x75730000  0xb5000 LSASRV.dll  C:\WINDOWS\system32\LSASRV.dll
680 lsass.exe   0x71b20000  0x12000 MPR.dll C:\WINDOWS\system32\MPR.dll
680 lsass.exe   0x7e410000  0x91000 USER32.dll  C:\WINDOWS\system32\USER32.dll
680 lsass.exe   0x77f10000  0x49000 GDI32.dll   C:\WINDOWS\system32\GDI32.dll
680 lsass.exe   0x77b20000  0x12000 MSASN1.dll  C:\WINDOWS\system32\MSASN1.dll
680 lsass.exe   0x77c10000  0x58000 msvcrt.dll  C:\WINDOWS\system32\msvcrt.dll
680 lsass.exe   0x5b860000  0x55000 NETAPI32.dll    C:\WINDOWS\system32\NETAPI32.dll
680 lsass.exe   0x767a0000  0x13000 NTDSAPI.dll C:\WINDOWS\system32\NTDSAPI.dll
680 lsass.exe   0x76f20000  0x27000 DNSAPI.dll  C:\WINDOWS\system32\DNSAPI.dll
680 lsass.exe   0x71ab0000  0x17000 WS2_32.dll  C:\WINDOWS\system32\WS2_32.dll
680 lsass.exe   0x71aa0000  0x8000  WS2HELP.dll C:\WINDOWS\system32\WS2HELP.dll
680 lsass.exe   0x76f60000  0x2c000 WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll
680 lsass.exe   0x71bf0000  0x13000 SAMLIB.dll  C:\WINDOWS\system32\SAMLIB.dll
680 lsass.exe   0x74440000  0x6a000 SAMSRV.dll  C:\WINDOWS\system32\SAMSRV.dll
680 lsass.exe   0x76790000  0xc000  cryptdll.dll    C:\WINDOWS\system32\cryptdll.dll
680 lsass.exe   0x5cb70000  0x26000 ShimEng.dll C:\WINDOWS\system32\ShimEng.dll
680 lsass.exe   0x6f880000  0x1ca000    AcGenral.DLL    C:\WINDOWS\AppPatch\AcGenral.DLL
680 lsass.exe   0x76b40000  0x2d000 WINMM.dll   C:\WINDOWS\system32\WINMM.dll
680 lsass.exe   0x774e0000  0x13d000    ole32.dll   C:\WINDOWS\system32\ole32.dll
680 lsass.exe   0x77120000  0x8b000 OLEAUT32.dll    C:\WINDOWS\system32\OLEAUT32.dll
680 lsass.exe   0x77be0000  0x15000 MSACM32.dll C:\WINDOWS\system32\MSACM32.dll
680 lsass.exe   0x77c00000  0x8000  VERSION.dll C:\WINDOWS\system32\VERSION.dll
680 lsass.exe   0x7c9c0000  0x817000    SHELL32.dll C:\WINDOWS\system32\SHELL32.dll
680 lsass.exe   0x77f60000  0x76000 SHLWAPI.dll C:\WINDOWS\system32\SHLWAPI.dll
680 lsass.exe   0x769c0000  0xb4000 USERENV.dll C:\WINDOWS\system32\USERENV.dll
680 lsass.exe   0x5ad70000  0x38000 UxTheme.dll C:\WINDOWS\system32\UxTheme.dll
680 lsass.exe   0x773d0000  0x103000    comctl32.dll    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
680 lsass.exe   0x5d090000  0x9a000 comctl32.dll    C:\WINDOWS\system32\comctl32.dll
680 lsass.exe   0x4d200000  0xe000  msprivs.dll C:\WINDOWS\system32\msprivs.dll
680 lsass.exe   0x71cf0000  0x4c000 kerberos.dll    C:\WINDOWS\system32\kerberos.dll
680 lsass.exe   0x77c70000  0x24000 msv1_0.dll  C:\WINDOWS\system32\msv1_0.dll
680 lsass.exe   0x76d60000  0x19000 iphlpapi.dll    C:\WINDOWS\system32\iphlpapi.dll
680 lsass.exe   0x744b0000  0x65000 netlogon.dll    C:\WINDOWS\system32\netlogon.dll
680 lsass.exe   0x767c0000  0x2c000 w32time.dll C:\WINDOWS\system32\w32time.dll
680 lsass.exe   0x76080000  0x65000 MSVCP60.dll C:\WINDOWS\system32\MSVCP60.dll
680 lsass.exe   0x767f0000  0x27000 schannel.dll    C:\WINDOWS\system32\schannel.dll
680 lsass.exe   0x77a80000  0x95000 CRYPT32.dll C:\WINDOWS\system32\CRYPT32.dll
680 lsass.exe   0x74380000  0xf000  wdigest.dll C:\WINDOWS\system32\wdigest.dll
680 lsass.exe   0x68000000  0x36000 rsaenh.dll  C:\WINDOWS\system32\rsaenh.dll
680 lsass.exe   0x74410000  0x2f000 scecli.dll  C:\WINDOWS\system32\scecli.dll
680 lsass.exe   0x77920000  0xf3000 SETUPAPI.dll    C:\WINDOWS\system32\SETUPAPI.dll
680 lsass.exe   0x743e0000  0x2f000 ipsecsvc.dll    C:\WINDOWS\system32\ipsecsvc.dll
680 lsass.exe   0x776c0000  0x12000 AUTHZ.dll   C:\WINDOWS\system32\AUTHZ.dll
680 lsass.exe   0x75d90000  0xd0000 oakley.DLL  C:\WINDOWS\system32\oakley.DLL
680 lsass.exe   0x74370000  0xb000  WINIPSEC.DLL    C:\WINDOWS\system32\WINIPSEC.DLL
680 lsass.exe   0x71a50000  0x3f000 mswsock.dll C:\WINDOWS\system32\mswsock.dll
680 lsass.exe   0x662b0000  0x58000 hnetcfg.dll C:\WINDOWS\system32\hnetcfg.dll
680 lsass.exe   0x71a90000  0x8000  wshtcpip.dll    C:\WINDOWS\System32\wshtcpip.dll
680 lsass.exe   0x743a0000  0xb000  pstorsvc.dll    C:\WINDOWS\system32\pstorsvc.dll
680 lsass.exe   0x743c0000  0x1b000 psbase.dll  C:\WINDOWS\system32\psbase.dll
680 lsass.exe   0x68100000  0x26000 dssenh.dll  C:\WINDOWS\system32\dssenh.dll
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 868
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID Process Base    Size    Name    Path

868 lsass.exe   0x1000000   0x6000  lsass.exe   C:\WINDOWS\system32\lsass.exe
868 lsass.exe   0x7c900000  0xaf000 ntdll.dll   C:\WINDOWS\system32\ntdll.dll
868 lsass.exe   0x7c800000  0xf6000 kernel32.dll    C:\WINDOWS\system32\kernel32.dll
868 lsass.exe   0x77dd0000  0x9b000 ADVAPI32.dll    C:\WINDOWS\system32\ADVAPI32.dll
868 lsass.exe   0x77e70000  0x92000 RPCRT4.dll  C:\WINDOWS\system32\RPCRT4.dll
868 lsass.exe   0x77fe0000  0x11000 Secur32.dll C:\WINDOWS\system32\Secur32.dll
868 lsass.exe   0x7e410000  0x91000 USER32.dll  C:\WINDOWS\system32\USER32.dll
868 lsass.exe   0x77f10000  0x49000 GDI32.dll   C:\WINDOWS\system32\GDI32.dll
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID Process Base    Size    Name    Path

1928    lsass.exe   0x1000000   0x6000  lsass.exe   C:\WINDOWS\system32\lsass.exe
1928    lsass.exe   0x7c900000  0xaf000 ntdll.dll   C:\WINDOWS\system32\ntdll.dll
1928    lsass.exe   0x7c800000  0xf6000 kernel32.dll    C:\WINDOWS\system32\kernel32.dll
1928    lsass.exe   0x77dd0000  0x9b000 ADVAPI32.dll    C:\WINDOWS\system32\ADVAPI32.dll
1928    lsass.exe   0x77e70000  0x92000 RPCRT4.dll  C:\WINDOWS\system32\RPCRT4.dll
1928    lsass.exe   0x77fe0000  0x11000 Secur32.dll C:\WINDOWS\system32\Secur32.dll
1928    lsass.exe   0x7e410000  0x91000 USER32.dll  C:\WINDOWS\system32\USER32.dll
1928    lsass.exe   0x77f10000  0x49000 GDI32.dll   C:\WINDOWS\system32\GDI32.dll
1928    lsass.exe   0x870000    0x138000    KERNEL32.DLL.ASLR.0360b7ab  C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
1928    lsass.exe   0x76f20000  0x27000 DNSAPI.dll  C:\WINDOWS\system32\DNSAPI.dll
1928    lsass.exe   0x77c10000  0x58000 msvcrt.dll  C:\WINDOWS\system32\msvcrt.dll
1928    lsass.exe   0x71ab0000  0x17000 WS2_32.dll  C:\WINDOWS\system32\WS2_32.dll
1928    lsass.exe   0x71aa0000  0x8000  WS2HELP.dll C:\WINDOWS\system32\WS2HELP.dll
1928    lsass.exe   0x76d60000  0x19000 IPHLPAPI.DLL    C:\WINDOWS\system32\IPHLPAPI.DLL
1928    lsass.exe   0x5b860000  0x55000 NETAPI32.dll    C:\WINDOWS\system32\NETAPI32.dll
1928    lsass.exe   0x774e0000  0x13d000    ole32.dll   C:\WINDOWS\system32\ole32.dll
1928    lsass.exe   0x77120000  0x8b000 OLEAUT32.dll    C:\WINDOWS\system32\OLEAUT32.dll
1928    lsass.exe   0x76bf0000  0xb000  PSAPI.DLL   C:\WINDOWS\system32\PSAPI.DLL
1928    lsass.exe   0x7c9c0000  0x817000    SHELL32.dll C:\WINDOWS\system32\SHELL32.dll
1928    lsass.exe   0x77f60000  0x76000 SHLWAPI.dll C:\WINDOWS\system32\SHLWAPI.dll
1928    lsass.exe   0x769c0000  0xb4000 USERENV.dll C:\WINDOWS\system32\USERENV.dll
1928    lsass.exe   0x77c00000  0x8000  VERSION.dll C:\WINDOWS\system32\VERSION.dll
1928    lsass.exe   0x771b0000  0xaa000 WININET.dll C:\WINDOWS\system32\WININET.dll
1928    lsass.exe   0x77a80000  0x95000 CRYPT32.dll C:\WINDOWS\system32\CRYPT32.dll
1928    lsass.exe   0x77b20000  0x12000 MSASN1.dll  C:\WINDOWS\system32\MSASN1.dll
1928    lsass.exe   0x71ad0000  0x9000  WSOCK32.dll C:\WINDOWS\system32\WSOCK32.dll
1928    lsass.exe   0x773d0000  0x103000    comctl32.dll    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
1928    lsass.exe   0x5d090000  0x9a000 comctl32.dll    C:\WINDOWS\system32\comctl32.dll

In dlllist we look for DLLs with suspicious names or DLLs loaded from unusual paths.
Also, depending on which application has loaded them, the following DLLs deserve attention.
- ws2_32.dll (networking)
- crypt32.dll (cryptography)
- hnetcfg.dll (firewall)
- pstorec.dll (storage)

This time there were no suspicious DLLs, but we found that the number of loaded DLLs differs between the legitimate lsass and the suspicious ones.
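As an added example (not code from the original post or from the Volatility project), the dlllist review described above turned into code: per pid it counts modules, reports which of the watch-list DLLs are loaded, and sets aside entries that need a manual look (no recorded name or path, a name that is not .dll/.exe, or a path outside the system directories). The sample rows are a constructed subset of the dlllist output above; the trusted-directory list is an assumption for this Windows XP image.

```python
# Constructed sample: a subset of the windows.dlllist rows shown above.
SAMPLE_DLLLIST = r"""
PID Process Base Size Name Path

680 lsass.exe 0x1000000 0x6000 lsass.exe C:\WINDOWS\system32\lsass.exe
680 lsass.exe 0x7c900000 0xaf000 - -
680 lsass.exe 0x7c800000 0xf6000 kernel32.dll C:\WINDOWS\system32\kernel32.dll
680 lsass.exe 0x71ab0000 0x17000 WS2_32.dll C:\WINDOWS\system32\WS2_32.dll
680 lsass.exe 0x77a80000 0x95000 CRYPT32.dll C:\WINDOWS\system32\CRYPT32.dll
680 lsass.exe 0x662b0000 0x58000 hnetcfg.dll C:\WINDOWS\system32\hnetcfg.dll
680 lsass.exe 0x773d0000 0x103000 comctl32.dll C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
868 lsass.exe 0x1000000 0x6000 lsass.exe C:\WINDOWS\system32\lsass.exe
868 lsass.exe 0x7c900000 0xaf000 ntdll.dll C:\WINDOWS\system32\ntdll.dll
868 lsass.exe 0x7c800000 0xf6000 kernel32.dll C:\WINDOWS\system32\kernel32.dll
1928 lsass.exe 0x1000000 0x6000 lsass.exe C:\WINDOWS\system32\lsass.exe
1928 lsass.exe 0x7c900000 0xaf000 ntdll.dll C:\WINDOWS\system32\ntdll.dll
1928 lsass.exe 0x870000 0x138000 KERNEL32.DLL.ASLR.0360b7ab C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
1928 lsass.exe 0x71ab0000 0x17000 WS2_32.dll C:\WINDOWS\system32\WS2_32.dll
1928 lsass.exe 0x771b0000 0xaa000 WININET.dll C:\WINDOWS\system32\WININET.dll
1928 lsass.exe 0x77a80000 0x95000 CRYPT32.dll C:\WINDOWS\system32\CRYPT32.dll
"""

# DLLs the text says deserve attention, keyed by lower-case name.
WATCHLIST = {
    "ws2_32.dll": "networking",
    "crypt32.dll": "cryptography",
    "hnetcfg.dll": "firewall",
    "pstorec.dll": "storage",
}
# Directories a system DLL is expected to load from on XP (assumption, lower-case).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\")


def parse_dlllist(text):
    """Turn dlllist rows into dicts; the path is the remainder of the line."""
    mods = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # pid, process, base, size, name, path
        if len(parts) < 6 or not parts[0].isdigit():
            continue  # header and blank lines
        mods.append({"pid": int(parts[0]), "process": parts[1],
                     "base": int(parts[2], 16), "size": int(parts[3], 16),
                     "name": parts[4], "path": parts[5]})
    return mods


def review_modules(mods):
    """Per pid: module count, watch-list hits, and entries needing a manual look."""
    report = {}
    for m in mods:
        r = report.setdefault(m["pid"], {"count": 0, "watchlist": [], "review": []})
        r["count"] += 1
        name, path = m["name"].lower(), m["path"].lower()
        if name in WATCHLIST:
            r["watchlist"].append((m["name"], WATCHLIST[name]))
        if m["name"] == "-" or m["path"] == "-":
            r["review"].append((hex(m["base"]), "no name or path recorded"))
        elif not name.endswith((".dll", ".exe")):
            r["review"].append((m["name"], "unusual module name"))
        elif not path.startswith(TRUSTED_DIRS):
            r["review"].append((m["path"], "outside system directories"))
    return report


def compare_counts(report, reference_pid):
    """Module count of every other pid relative to a known-good reference pid."""
    ref = report[reference_pid]["count"]
    return {pid: r["count"] - ref for pid, r in report.items() if pid != reference_pid}


if __name__ == "__main__":
    report = review_modules(parse_dlllist(SAMPLE_DLLLIST))
    for pid, r in report.items():
        print(pid, r["count"], "modules; watch-list:", r["watchlist"], "review:", r["review"])
    print("module count relative to pid 680:", compare_counts(report, 680))
```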

4. Look for suspicious things

Plugin used: windows.malfind

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 680
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID Process Start VPN   End VPN Tag Protection  CommitCharge    PrivateMemory   Hexdump Disasm
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 868
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID Process Start VPN   End VPN Tag Protection  CommitCharge    PrivateMemory   Hexdump Disasm

868 lsass.exe   0x80000 0xf9fff Vad     PAGE_EXECUTE_READWRITE  0   0   
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 08 01 00 00 ........    4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  8  1  0  0
868 lsass.exe   0x1000000   0x1005fff   Vad     PAGE_EXECUTE_READWRITE  2   0   
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 d0 00 00 00 ........    4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0 d0  0  0  0
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID Process Start VPN   End VPN Tag Protection  CommitCharge    PrivateMemory   Hexdump Disasm

1928    lsass.exe   0x80000 0xf9fff Vad     PAGE_EXECUTE_READWRITE  0   0   
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 08 01 00 00 ........    4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  8  1  0  0
1928    lsass.exe   0x1000000   0x1005fff   Vad     PAGE_EXECUTE_READWRITE  2   0   
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 d0 00 00 00 ........    4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0 d0  0  0  0
1928    lsass.exe   0x6f0000    0x769fff    Vad     PAGE_EXECUTE_READWRITE  0   0   
29 87 7f ae 00 00 00 00 ).......
ff ff ff ff 77 35 00 01 ....w5..
4b 00 45 00 52 00 4e 00 K.E.R.N.
45 00 4c 00 33 00 32 00 E.L.3.2.
2e 00 44 00 4c 00 4c 00 ..D.L.L.
2e 00 41 00 53 00 4c 00 ..A.S.L.
52 00 2e 00 30 00 33 00 R...0.3.
36 00 30 00 62 00 37 00 6.0.b.7.    29 87 7f ae  0  0  0  0 ff ff ff ff 77 35  0  1 4b  0 45  0 52  0 4e  0 45  0 4c  0 33  0 32  0 2e  0 44  0 4c  0 4c  0 2e  0 41  0 53  0 4c  0 52  0 2e  0 30  0 33  0 36  0 30  0 62  0 37  0
1928    lsass.exe   0x680000    0x680fff    Vad     PAGE_EXECUTE_READWRITE  0   0   
90 06 68 00 c6 07 68 00 ..h...h.
24 00 68 00 a5 04 00 00 $.h.....
f2 04 68 00 48 06 00 00 ..h.H...
c9 04 68 00 29 00 00 00 ..h.)...
00 00 6f 00 e8 13 00 00 ..o.....
00 5a 77 4d 61 70 56 69 .ZwMapVi
65 77 4f 66 53 65 63 74 ewOfSect
69 6f 6e 00 5a 51 81 c1 ion.ZQ..    90  6 68  0 c6  7 68  0 24  0 68  0 a5  4  0  0 f2  4 68  0 48  6  0  0 c9  4 68  0 29  0  0  0  0  0 6f  0 e8 13  0  0  0 5a 77 4d 61 70 56 69 65 77 4f 66 53 65 63 74 69 6f 6e  0 5a 51 81 c1
1928    lsass.exe   0x870000    0x9a7fff    Vad     PAGE_EXECUTE_READWRITE  0   0   
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 08 01 00 00 ........    4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  8  1  0  0

malfind can locate hidden or injected code and DLLs.
The suspicious lsass processes did contain something questionable.
So I'll try dumping the lsass with pid 1928.
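As an added example (not code from the original post or from the Volatility project), a triage pass over the malfind output above: it groups the hexdump lines under each region, reads the DOS header when a region in executable memory starts with "MZ" (e_lfanew at offset 0x3c gives where the PE header sits), and pulls readable ASCII and UTF-16 strings out of the bytes. The sample is a constructed subset of three of the pid 1928 regions shown above with the trailing Disasm column left out; since the parser only uses the first eight hex tokens of each hexdump line, the real output parses the same way.

```python
import re
import struct

# Constructed sample: three of the windows.malfind regions shown above.
SAMPLE_MALFIND = """\
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory Hexdump Disasm

1928 lsass.exe 0x1000000 0x1005fff Vad PAGE_EXECUTE_READWRITE 2 0
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 d0 00 00 00 ........
1928 lsass.exe 0x6f0000 0x769fff Vad PAGE_EXECUTE_READWRITE 0 0
29 87 7f ae 00 00 00 00 ).......
ff ff ff ff 77 35 00 01 ....w5..
4b 00 45 00 52 00 4e 00 K.E.R.N.
45 00 4c 00 33 00 32 00 E.L.3.2.
2e 00 44 00 4c 00 4c 00 ..D.L.L.
2e 00 41 00 53 00 4c 00 ..A.S.L.
52 00 2e 00 30 00 33 00 R...0.3.
36 00 30 00 62 00 37 00 6.0.b.7.
1928 lsass.exe 0x680000 0x680fff Vad PAGE_EXECUTE_READWRITE 0 0
90 06 68 00 c6 07 68 00 ..h...h.
24 00 68 00 a5 04 00 00 $.h.....
f2 04 68 00 48 06 00 00 ..h.H...
c9 04 68 00 29 00 00 00 ..h.)...
00 00 6f 00 e8 13 00 00 ..o.....
00 5a 77 4d 61 70 56 69 .ZwMapVi
65 77 4f 66 53 65 63 74 ewOfSect
69 6f 6e 00 5a 51 81 c1 ion.ZQ..
"""

HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")
ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def parse_malfind(text):
    """Group each region header with the bytes of the hexdump lines under it."""
    regions = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 6 and tokens[0].isdigit() and tokens[5].startswith("PAGE_"):
            regions.append({"pid": int(tokens[0]), "process": tokens[1],
                            "start": int(tokens[2], 16), "end": int(tokens[3], 16),
                            "protection": tokens[5], "data": bytearray()})
        elif regions and len(tokens) >= 8 and all(HEX_BYTE.match(t) for t in tokens[:8]):
            regions[-1]["data"] += bytes.fromhex("".join(tokens[:8]))  # ASCII/Disasm columns ignored
    return regions


def analyze_region(region):
    """Flag a PE header in executable memory and pull out readable strings."""
    data = bytes(region["data"])
    findings = []
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
        findings.append(f"PE image in {region['protection']} memory, e_lfanew=0x{e_lfanew:x}")
    findings += ["ascii string: " + s.decode() for s in ASCII_STR.findall(data)]
    findings += ["utf-16 string: " + s.decode("utf-16-le") for s in UTF16_STR.findall(data)]
    return findings


def triage(text):
    """Map (pid, start address) to what was found in that region."""
    return {(r["pid"], r["start"]): analyze_region(r) for r in parse_malfind(text)}


if __name__ == "__main__":
    for (pid, start), findings in triage(SAMPLE_MALFIND).items():
        print(f"pid {pid} region 0x{start:x}: {findings or 'nothing notable in the first 64 bytes'}")
```

Only the 64 bytes malfind prints are examined here; to go further you would dump the region itself, as the next step does for the whole process.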

5. Dump the process

Plugin used: windows.procdump

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.procdump --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00       Scanning primary2 using PdbSignatureScanner
PID Process Result

1928    lsass.exe   Stored pid.1928.0x1000000.dmp

Compute the hash

ubuntu:~/volatility3$ ls
config.json  development  doc  LICENSE.txt  MANIFEST.in  mypy.ini  pid.1928.0x1000000.dmp  README.txt  setup.py  volatility  vol.py  volshell.py  volshell.spec  vol.spec  yara-python
ubuntu:~/volatility3$ file pid.1928.0x1000000.dmp 
pid.1928.0x1000000.dmp: PE32 executable (GUI) Intel 80386, for MS Windows

ubuntu:~/volatility3$ md5sum pid.1928.0x1000000.dmp 
72986f71a43da2780d3eec53da02241a  pid.1928.0x1000000.dmp

6. Check on VirusTotal

Search VirusTotal for the computed hash.

Result
https://www.virustotal.com/gui/file/0e03d3398eb2cc3d96c39a551d67945a427e39890aa94f2c57396fd8e4805d9b/detection

Summary

I think volatility3 can be used in much the same way as the previous version.
I'll add more as new information comes in.
