
Giving Volatility 3 a try right away [addendum]

Posted at 2019-10-17

volatility3

Volatility 3 was announced at OSDFCon yesterday. In this post I try out the newly announced Volatility 3.

Test environment

Here is what I used.

  • Ubuntu 18.04
  • Ubuntu 19.10

Installation

Apart from Volatility itself, everything was installed with pip3.

  1. Install pefile

pip3 install pefile

  2. Install yara

pip3 install yara-python

  3. Install capstone

pip3 install capstone

  4. Download volatility

git clone https://github.com/volatilityfoundation/volatility3.git

Running it

Run the help!

$ python3 vol.py -h

Commands appear to have been replaced by plugins, and there is a separate set of plugins for each OS (Windows, Linux, Mac).

The help output is below.

ubuntu:~/volatility3$ python3 vol.py -h
Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
                  [--write-config]
                  [--single-swap-locations SINGLE_SWAP_LOCATIONS]
                  [--single-location SINGLE_LOCATION]
                  plugin ...

An open-source memory forensics framework

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to processes if no
                        argument given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed)
                        setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
                        Determines how to render the output (quick, csv,
                        pretty)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if single-
                        location is not defined
  --write-config        Write configuration JSON file out to config.json
  --single-swap-locations SINGLE_SWAP_LOCATIONS
                        Specifies a list of swap layer URIs for use with
                        single-location
  --single-location SINGLE_LOCATION
                        Specifies a base location on which to stack

Plugins:
  plugin
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs
                        configuration in the output directory.
    layerwriter.LayerWriter
                        Runs the automagics and lists out the generated layers
                        if no layer name is specified, otherwise writes out
                        the named layer.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network
                        protocols.
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.lsof.Lsof     Lists all memory maps for all processes.
    linux.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    linux.proc.Maps     Lists all memory maps for all processes.
    linux.pslist.PsList
                        Lists the processes present in a particular linux
                        memory image.
    linux.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
                        Check system call table for hooks.
    mac.check_sysctl.Check_sysctl
                        Check sysctl handlers for hooks.
    mac.check_trap_table.Check_trap_table
                        Check mach trap table for hooks.
    mac.ifconfig.Ifconfig
                        Lists loaded kernel modules
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    mac.lsof.lsof       Lists all open file descriptors for all processes.
    mac.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    mac.netstat.Netstat
                        Lists all network connections for all processes.
    mac.proc_maps.Maps  Lists process memory ranges that potentially contain
                        injected code.
    mac.psaux.Psaux     Recovers program command line arguments.
    mac.pslist.PsList   Lists the processes present in a particular mac memory
                        image.
    mac.pstree.PsTree   Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.tasks.Tasks     Lists the processes present in a particular mac memory
                        image.
    mac.trustedbsd.trustedbsd
                        Checks for malicious trustedbsd modules
    timeliner.Timeliner
                        Runs all relevant plugins that provide time related
                        information and orders the results by time.
    windows.callbacks.Callbacks
                        Lists kernel callbacks and notification routines.
    windows.cmdline.CmdLine
                        Lists process command line arguments.
    windows.dlldump.DllDump
                        Dumps process memory ranges as DLLs.
    windows.dlllist.DllList
                        Lists the loaded modules in a particular windows
                        memory image.
    windows.driverirp.DriverIrp
                        List IRPs for drivers in a particular windows memory
                        image.
    windows.driverscan.DriverScan
                        Scans for drivers present in a particular windows
                        memory image.
    windows.filescan.FileScan
                        Scans for file objects present in a particular windows
                        memory image.
    windows.handles.Handles
                        Lists process open handles.
    windows.info.Info   Show OS & kernel details of the memory sample being
                        analyzed.
    windows.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    windows.moddump.ModDump
                        Dumps kernel modules.
    windows.modscan.ModScan
                        Scans for modules present in a particular windows
                        memory image.
    windows.modules.Modules
                        Lists the loaded kernel modules.
    windows.mutantscan.MutantScan
                        Scans for mutexes present in a particular windows
                        memory image.
    windows.poolscanner.PoolScanner
                        A generic pool scanner plugin.
    windows.procdump.ProcDump
                        Dumps process executable images.
    windows.pslist.PsList
                        Lists the processes present in a particular windows
                        memory image.
    windows.psscan.PsScan
                        Scans for processes present in a particular windows
                        memory image.
    windows.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    windows.registry.certificates.Certificates
                        Lists the certificates in the registry's Certificate
                        Store.
    windows.registry.hivelist.HiveList
                        Lists the registry hives present in a particular
                        memory image.
    windows.registry.hivescan.HiveScan
                        Scans for registry hives present in a particular
                        windows memory image.
    windows.registry.printkey.PrintKey
                        Lists the registry keys under a hive or specific key
                        value.
    windows.registry.userassist.UserAssist
                        Print userassist registry keys and information.
    windows.ssdt.SSDT   Lists the system call table.
    windows.statistics.Statistics
    windows.strings.Strings
                        Reads output from the strings command and indicates
                        which process(es) each string belongs to.
    windows.svcscan.SvcScan
                        Scans for windows services.
    windows.symlinkscan.SymlinkScan
                        Scans for links present in a particular windows memory
                        image.
    windows.vaddump.VadDump
                        Dumps process memory ranges.
    windows.vadinfo.VadInfo
                        Lists process memory ranges.
    windows.vadyarascan.VadYaraScan
                        Scans all the Virtual Address Descriptor memory maps
                        using yara.
    windows.verinfo.VerInfo
                        Lists version information from PE files.
    windows.virtmap.VirtMap
                        Lists virtual mapped sections.
    yarascan.YaraScan   Scans memory using yara rules (string or file).

Trying an analysis

I want to get a feel for what Volatility 3 is like.

Analysis target

This time I analyze the Stuxnet memory image.

The file was downloaded from the URL below.

URL

The differences between Volatility and Volatility 3 are roughly as follows.

  • The development language changed from Python 2 to Python 3
  • You no longer have to run the profile step

Analysis workflow

The analysis proceeds as follows.

  1. Get information about the memory image
  2. Investigate processes
  3. Investigate DLLs
  4. Look for suspicious items
  5. Dump the process
  6. Check on VirusTotal

Usage

vol.py -f [path to the image to analyze] [plugin name]

1. Get information about the memory image

Plugin used: windows.info

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.info 

Output:

Volatility 3 Framework 1.0.0-beta.1
Progress:   99.99		Reading Symbol layer                                                                                              
Variable	Value

Kernel Base	0x804d7000
DTB	0x319000
Symbols	file:///home/shinobi/volatility3/volatility/symbols/windows/ntkrnlpa.pdb/30B5FB31AE7E4ACAABA750AA241FF331-1.json.xz
primary	0 WindowsIntelPAE
memory_layer	1 FileLayer
KdDebuggerDataBlock	0x80545ae0
NTBuildLab	2600.xpsp.080413-2111
CSDVersion	3
KdVersionBlock	0x80545ab8
Major/Minor	15.2600
MachineType	332
KeNumberProcessors	1
SystemTime	2011-06-03 04:31:36
NtSystemRoot	C:\WINDOWS
NtProductType	NtProductWinNt
NtMajorVersion	5
NtMinorVersion	1
PE MajorOperatingSystemVersion	5
PE MinorOperatingSystemVersion	1
PE Machine	332
PE TimeDateStamp	Sun Apr 13 18:31:06 2008

2. Investigate processes

Plugin used: windows.pslist

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.pslist

Output:

Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime

4	0	System	0x823c8830	59	403	N/A	False	N/A	N/A
376	4	smss.exe	0x820df020	3	19	N/A	False	2010-10-29 17:08:53.000000 	N/A
600	376	csrss.exe	0x821a2da0	11	395	0	False	2010-10-29 17:08:54.000000 	N/A
624	376	winlogon.exe	0x81da5650	19	570	0	False	2010-10-29 17:08:54.000000 	N/A
668	624	services.exe	0x82073020	21	431	0	False	2010-10-29 17:08:54.000000 	N/A
680	624	lsass.exe	0x81e70020	19	342	0	False	2010-10-29 17:08:54.000000 	N/A
844	668	vmacthlp.exe	0x823315d8	1	25	0	False	2010-10-29 17:08:55.000000 	N/A
856	668	svchost.exe	0x81db8da0	17	193	0	False	2010-10-29 17:08:55.000000 	N/A
940	668	svchost.exe	0x81e61da0	13	312	0	False	2010-10-29 17:08:55.000000 	N/A
1032	668	svchost.exe	0x822843e8	61	1169	0	False	2010-10-29 17:08:55.000000 	N/A
1080	668	svchost.exe	0x81e18b28	5	80	0	False	2010-10-29 17:08:55.000000 	N/A
1200	668	svchost.exe	0x81ff7020	14	197	0	False	2010-10-29 17:08:55.000000 	N/A
1412	668	spoolsv.exe	0x81fee8b0	10	118	0	False	2010-10-29 17:08:56.000000 	N/A
1580	668	jqs.exe	0x81e0eda0	5	148	0	False	2010-10-29 17:09:05.000000 	N/A
1664	668	vmtoolsd.exe	0x81fe52d0	5	284	0	False	2010-10-29 17:09:05.000000 	N/A
1816	668	VMUpgradeHelper	0x821a0568	3	96	0	False	2010-10-29 17:09:08.000000 	N/A
188	668	alg.exe	0x8205ada0	6	107	0	False	2010-10-29 17:09:09.000000 	N/A
1196	1728	explorer.exe	0x820ec7e8	16	582	0	False	2010-10-29 17:11:49.000000 	N/A
2040	1032	wscntfy.exe	0x820ecc10	1	28	0	False	2010-10-29 17:11:49.000000 	N/A
324	1196	TSVNCache.exe	0x81e86978	7	54	0	False	2010-10-29 17:11:49.000000 	N/A
1912	1196	VMwareTray.exe	0x81fc5da0	1	50	0	False	2010-10-29 17:11:50.000000 	N/A
1356	1196	VMwareUser.exe	0x81e6b660	9	251	0	False	2010-10-29 17:11:50.000000 	N/A
1712	1196	jusched.exe	0x8210d478	1	26	0	False	2010-10-29 17:11:50.000000 	N/A
756	668	imapi.exe	0x82279998	4	116	0	False	2010-10-29 17:11:54.000000 	N/A
976	1032	wuauclt.exe	0x822b9a10	3	133	0	False	2010-10-29 17:12:03.000000 	N/A
660	1196	Procmon.exe	0x81c543a0	13	189	0	False	2011-06-03 04:25:56.000000 	N/A
1872	856	wmiprvse.exe	0x81fa5390	5	134	0	False	2011-06-03 04:25:58.000000 	N/A
868	668	lsass.exe	0x81c498c8	2	23	0	False	2011-06-03 04:26:55.000000 	N/A
1928	668	lsass.exe	0x81c47c00	4	65	0	False	2011-06-03 04:26:55.000000 	N/A
968	1664	cmd.exe	0x81c0cda0	0	-	0	False	2011-06-03 04:31:35.000000 	2011-06-03 04:31:36.000000 
304	968	ipconfig.exe	0x81f14938	0	-	0	False	2011-06-03 04:31:35.000000 	2011-06-03 04:31:36.000000 

When investigating processes, you need to know what the legitimate processes look like.
A useful reference is the poster at the URL below.

Checking the first page of the Hunt Evil poster, there is normally only one lsass process, but here several can be seen.
Normally the pstree plugin would show the processes as a tree, but for some reason pstree would not run, so I proceed as is.

python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.pslist | grep lsass
680	624	lsass.exe	0x81e70020	19	342	0	False	2010-10-29 17:08:54.000000 	N/A
868	668	lsass.exe	0x81c498c8	2	23	0	False	2011-06-03 04:26:55.000000 	N/A
1928	668	lsass.exe	0x81c47c00	4	65	0	False	2011-06-03 04:26:55.000000 	N/A

Of the three lsass processes, two turn out to be suspicious.
The parent of the legitimate lsass is the process "wininit.exe", so the lsass with PID 680 is the legitimate one.
From here on I investigate the lsass processes with PIDs 868 and 1928.
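To turn the parent-process rule above into a repeatable check, here is an added example (not code from the original post or from Volatility 3) that parses the tab-separated table vol.py prints and flags processes whose parent is not the expected one. It accepts winlogon.exe as well as wininit.exe as the parent of lsass.exe, because on Windows XP, as in this image, lsass.exe is started by winlogon.exe (PID 624 above); the sample rows are constructed from the listing above.

```python
"""Parent-process triage over Volatility 3 windows.pslist output.

Added example, not part of the original post or of Volatility 3 itself.
It parses the tab-separated table that vol.py prints (rows below are
constructed from the listing above) and applies the "know normal" rules
from the Hunt Evil poster: core processes have a fixed expected parent,
and lsass.exe / services.exe / winlogon.exe should each exist once.
On Windows XP the logon process that starts lsass.exe is winlogon.exe;
on Vista and later it is wininit.exe, so both are accepted as parents.
"""
from collections import Counter

# Constructed sample: a subset of the pslist rows shown above.
PSLIST_OUTPUT = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime

4\t0\tSystem\t0x823c8830\t59\t403\tN/A\tFalse\tN/A\tN/A
376\t4\tsmss.exe\t0x820df020\t3\t19\tN/A\tFalse\t2010-10-29 17:08:53.000000 \tN/A
600\t376\tcsrss.exe\t0x821a2da0\t11\t395\t0\tFalse\t2010-10-29 17:08:54.000000 \tN/A
624\t376\twinlogon.exe\t0x81da5650\t19\t570\t0\tFalse\t2010-10-29 17:08:54.000000 \tN/A
668\t624\tservices.exe\t0x82073020\t21\t431\t0\tFalse\t2010-10-29 17:08:54.000000 \tN/A
680\t624\tlsass.exe\t0x81e70020\t19\t342\t0\tFalse\t2010-10-29 17:08:54.000000 \tN/A
856\t668\tsvchost.exe\t0x81db8da0\t17\t193\t0\tFalse\t2010-10-29 17:08:55.000000 \tN/A
1196\t1728\texplorer.exe\t0x820ec7e8\t16\t582\t0\tFalse\t2010-10-29 17:11:49.000000 \tN/A
868\t668\tlsass.exe\t0x81c498c8\t2\t23\t0\tFalse\t2011-06-03 04:26:55.000000 \tN/A
1928\t668\tlsass.exe\t0x81c47c00\t4\t65\t0\tFalse\t2011-06-03 04:26:55.000000 \tN/A
"""

# Expected parent image names (lower-case) for core Windows processes.
EXPECTED_PARENTS = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe", "wininit.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# Processes that should appear exactly once on a running system.
SINGLETONS = ("lsass.exe", "services.exe", "winlogon.exe")


def parse_pslist(text):
    """Turn vol.py's tab-separated pslist table into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        rows.append({"pid": int(rec["PID"]), "ppid": int(rec["PPID"]),
                     "name": rec["ImageFileName"]})
    return rows


def find_anomalies(rows):
    """Return (pid, reason) pairs; pid is None for image-wide findings."""
    by_pid = {r["pid"]: r for r in rows}
    counts = Counter(r["name"].lower() for r in rows)
    findings = []
    for name in SINGLETONS:
        if counts[name] > 1:
            findings.append((None, f"{name}: {counts[name]} instances, expected 1"))
    for r in rows:
        expected = EXPECTED_PARENTS.get(r["name"].lower())
        if expected is None:
            continue  # no rule for this image name
        parent = by_pid.get(r["ppid"])
        parent_name = parent["name"].lower() if parent else "<not in list>"
        if parent_name not in expected:
            findings.append((r["pid"], f"{r['name']} pid {r['pid']} started by "
                                       f"{parent_name} (ppid {r['ppid']}), "
                                       f"expected {sorted(expected)}"))
    return findings


def suspicious_pids(text):
    """PIDs whose parent violates the expected-parent rule, sorted."""
    return sorted({pid for pid, _ in find_anomalies(parse_pslist(text)) if pid})


if __name__ == "__main__":
    for pid, reason in find_anomalies(parse_pslist(PSLIST_OUTPUT)):
        print(f"[{'image' if pid is None else pid}] {reason}")
```

On the rows above this reports the extra lsass.exe instances and singles out PIDs 868 and 1928, both started by services.exe, while PID 680 passes.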

3. Investigate DLLs

Plugin used: windows.dlllist

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 680

Output:

Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	Process	Base	Size	Name	Path

680	lsass.exe	0x1000000	0x6000	lsass.exe	C:\WINDOWS\system32\lsass.exe
680	lsass.exe	0x7c900000	0xaf000	-	-
680	lsass.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll
680	lsass.exe	0x77dd0000	0x9b000	ADVAPI32.dll	C:\WINDOWS\system32\ADVAPI32.dll
680	lsass.exe	0x77e70000	0x92000	RPCRT4.dll	C:\WINDOWS\system32\RPCRT4.dll
680	lsass.exe	0x77fe0000	0x11000	Secur32.dll	C:\WINDOWS\system32\Secur32.dll
680	lsass.exe	0x75730000	0xb5000	LSASRV.dll	C:\WINDOWS\system32\LSASRV.dll
680	lsass.exe	0x71b20000	0x12000	MPR.dll	C:\WINDOWS\system32\MPR.dll
680	lsass.exe	0x7e410000	0x91000	USER32.dll	C:\WINDOWS\system32\USER32.dll
680	lsass.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll
680	lsass.exe	0x77b20000	0x12000	MSASN1.dll	C:\WINDOWS\system32\MSASN1.dll
680	lsass.exe	0x77c10000	0x58000	msvcrt.dll	C:\WINDOWS\system32\msvcrt.dll
680	lsass.exe	0x5b860000	0x55000	NETAPI32.dll	C:\WINDOWS\system32\NETAPI32.dll
680	lsass.exe	0x767a0000	0x13000	NTDSAPI.dll	C:\WINDOWS\system32\NTDSAPI.dll
680	lsass.exe	0x76f20000	0x27000	DNSAPI.dll	C:\WINDOWS\system32\DNSAPI.dll
680	lsass.exe	0x71ab0000	0x17000	WS2_32.dll	C:\WINDOWS\system32\WS2_32.dll
680	lsass.exe	0x71aa0000	0x8000	WS2HELP.dll	C:\WINDOWS\system32\WS2HELP.dll
680	lsass.exe	0x76f60000	0x2c000	WLDAP32.dll	C:\WINDOWS\system32\WLDAP32.dll
680	lsass.exe	0x71bf0000	0x13000	SAMLIB.dll	C:\WINDOWS\system32\SAMLIB.dll
680	lsass.exe	0x74440000	0x6a000	SAMSRV.dll	C:\WINDOWS\system32\SAMSRV.dll
680	lsass.exe	0x76790000	0xc000	cryptdll.dll	C:\WINDOWS\system32\cryptdll.dll
680	lsass.exe	0x5cb70000	0x26000	ShimEng.dll	C:\WINDOWS\system32\ShimEng.dll
680	lsass.exe	0x6f880000	0x1ca000	AcGenral.DLL	C:\WINDOWS\AppPatch\AcGenral.DLL
680	lsass.exe	0x76b40000	0x2d000	WINMM.dll	C:\WINDOWS\system32\WINMM.dll
680	lsass.exe	0x774e0000	0x13d000	ole32.dll	C:\WINDOWS\system32\ole32.dll
680	lsass.exe	0x77120000	0x8b000	OLEAUT32.dll	C:\WINDOWS\system32\OLEAUT32.dll
680	lsass.exe	0x77be0000	0x15000	MSACM32.dll	C:\WINDOWS\system32\MSACM32.dll
680	lsass.exe	0x77c00000	0x8000	VERSION.dll	C:\WINDOWS\system32\VERSION.dll
680	lsass.exe	0x7c9c0000	0x817000	SHELL32.dll	C:\WINDOWS\system32\SHELL32.dll
680	lsass.exe	0x77f60000	0x76000	SHLWAPI.dll	C:\WINDOWS\system32\SHLWAPI.dll
680	lsass.exe	0x769c0000	0xb4000	USERENV.dll	C:\WINDOWS\system32\USERENV.dll
680	lsass.exe	0x5ad70000	0x38000	UxTheme.dll	C:\WINDOWS\system32\UxTheme.dll
680	lsass.exe	0x773d0000	0x103000	comctl32.dll	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
680	lsass.exe	0x5d090000	0x9a000	comctl32.dll	C:\WINDOWS\system32\comctl32.dll
680	lsass.exe	0x4d200000	0xe000	msprivs.dll	C:\WINDOWS\system32\msprivs.dll
680	lsass.exe	0x71cf0000	0x4c000	kerberos.dll	C:\WINDOWS\system32\kerberos.dll
680	lsass.exe	0x77c70000	0x24000	msv1_0.dll	C:\WINDOWS\system32\msv1_0.dll
680	lsass.exe	0x76d60000	0x19000	iphlpapi.dll	C:\WINDOWS\system32\iphlpapi.dll
680	lsass.exe	0x744b0000	0x65000	netlogon.dll	C:\WINDOWS\system32\netlogon.dll
680	lsass.exe	0x767c0000	0x2c000	w32time.dll	C:\WINDOWS\system32\w32time.dll
680	lsass.exe	0x76080000	0x65000	MSVCP60.dll	C:\WINDOWS\system32\MSVCP60.dll
680	lsass.exe	0x767f0000	0x27000	schannel.dll	C:\WINDOWS\system32\schannel.dll
680	lsass.exe	0x77a80000	0x95000	CRYPT32.dll	C:\WINDOWS\system32\CRYPT32.dll
680	lsass.exe	0x74380000	0xf000	wdigest.dll	C:\WINDOWS\system32\wdigest.dll
680	lsass.exe	0x68000000	0x36000	rsaenh.dll	C:\WINDOWS\system32\rsaenh.dll
680	lsass.exe	0x74410000	0x2f000	scecli.dll	C:\WINDOWS\system32\scecli.dll
680	lsass.exe	0x77920000	0xf3000	SETUPAPI.dll	C:\WINDOWS\system32\SETUPAPI.dll
680	lsass.exe	0x743e0000	0x2f000	ipsecsvc.dll	C:\WINDOWS\system32\ipsecsvc.dll
680	lsass.exe	0x776c0000	0x12000	AUTHZ.dll	C:\WINDOWS\system32\AUTHZ.dll
680	lsass.exe	0x75d90000	0xd0000	oakley.DLL	C:\WINDOWS\system32\oakley.DLL
680	lsass.exe	0x74370000	0xb000	WINIPSEC.DLL	C:\WINDOWS\system32\WINIPSEC.DLL
680	lsass.exe	0x71a50000	0x3f000	mswsock.dll	C:\WINDOWS\system32\mswsock.dll
680	lsass.exe	0x662b0000	0x58000	hnetcfg.dll	C:\WINDOWS\system32\hnetcfg.dll
680	lsass.exe	0x71a90000	0x8000	wshtcpip.dll	C:\WINDOWS\System32\wshtcpip.dll
680	lsass.exe	0x743a0000	0xb000	pstorsvc.dll	C:\WINDOWS\system32\pstorsvc.dll
680	lsass.exe	0x743c0000	0x1b000	psbase.dll	C:\WINDOWS\system32\psbase.dll
680	lsass.exe	0x68100000	0x26000	dssenh.dll	C:\WINDOWS\system32\dssenh.dll
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 868
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	Process	Base	Size	Name	Path

868	lsass.exe	0x1000000	0x6000	lsass.exe	C:\WINDOWS\system32\lsass.exe
868	lsass.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll
868	lsass.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll
868	lsass.exe	0x77dd0000	0x9b000	ADVAPI32.dll	C:\WINDOWS\system32\ADVAPI32.dll
868	lsass.exe	0x77e70000	0x92000	RPCRT4.dll	C:\WINDOWS\system32\RPCRT4.dll
868	lsass.exe	0x77fe0000	0x11000	Secur32.dll	C:\WINDOWS\system32\Secur32.dll
868	lsass.exe	0x7e410000	0x91000	USER32.dll	C:\WINDOWS\system32\USER32.dll
868	lsass.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	Process	Base	Size	Name	Path

1928	lsass.exe	0x1000000	0x6000	lsass.exe	C:\WINDOWS\system32\lsass.exe
1928	lsass.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll
1928	lsass.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll
1928	lsass.exe	0x77dd0000	0x9b000	ADVAPI32.dll	C:\WINDOWS\system32\ADVAPI32.dll
1928	lsass.exe	0x77e70000	0x92000	RPCRT4.dll	C:\WINDOWS\system32\RPCRT4.dll
1928	lsass.exe	0x77fe0000	0x11000	Secur32.dll	C:\WINDOWS\system32\Secur32.dll
1928	lsass.exe	0x7e410000	0x91000	USER32.dll	C:\WINDOWS\system32\USER32.dll
1928	lsass.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll
1928	lsass.exe	0x870000	0x138000	KERNEL32.DLL.ASLR.0360b7ab	C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
1928	lsass.exe	0x76f20000	0x27000	DNSAPI.dll	C:\WINDOWS\system32\DNSAPI.dll
1928	lsass.exe	0x77c10000	0x58000	msvcrt.dll	C:\WINDOWS\system32\msvcrt.dll
1928	lsass.exe	0x71ab0000	0x17000	WS2_32.dll	C:\WINDOWS\system32\WS2_32.dll
1928	lsass.exe	0x71aa0000	0x8000	WS2HELP.dll	C:\WINDOWS\system32\WS2HELP.dll
1928	lsass.exe	0x76d60000	0x19000	IPHLPAPI.DLL	C:\WINDOWS\system32\IPHLPAPI.DLL
1928	lsass.exe	0x5b860000	0x55000	NETAPI32.dll	C:\WINDOWS\system32\NETAPI32.dll
1928	lsass.exe	0x774e0000	0x13d000	ole32.dll	C:\WINDOWS\system32\ole32.dll
1928	lsass.exe	0x77120000	0x8b000	OLEAUT32.dll	C:\WINDOWS\system32\OLEAUT32.dll
1928	lsass.exe	0x76bf0000	0xb000	PSAPI.DLL	C:\WINDOWS\system32\PSAPI.DLL
1928	lsass.exe	0x7c9c0000	0x817000	SHELL32.dll	C:\WINDOWS\system32\SHELL32.dll
1928	lsass.exe	0x77f60000	0x76000	SHLWAPI.dll	C:\WINDOWS\system32\SHLWAPI.dll
1928	lsass.exe	0x769c0000	0xb4000	USERENV.dll	C:\WINDOWS\system32\USERENV.dll
1928	lsass.exe	0x77c00000	0x8000	VERSION.dll	C:\WINDOWS\system32\VERSION.dll
1928	lsass.exe	0x771b0000	0xaa000	WININET.dll	C:\WINDOWS\system32\WININET.dll
1928	lsass.exe	0x77a80000	0x95000	CRYPT32.dll	C:\WINDOWS\system32\CRYPT32.dll
1928	lsass.exe	0x77b20000	0x12000	MSASN1.dll	C:\WINDOWS\system32\MSASN1.dll
1928	lsass.exe	0x71ad0000	0x9000	WSOCK32.dll	C:\WINDOWS\system32\WSOCK32.dll
1928	lsass.exe	0x773d0000	0x103000	comctl32.dll	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
1928	lsass.exe	0x5d090000	0x9a000	comctl32.dll	C:\WINDOWS\system32\comctl32.dll

With dlllist, look for DLLs with suspicious names or unnatural paths.
In addition, the following DLLs deserve attention depending on which application loaded them:
- ws2_32.dll (networking)
- crypt32.dll (cryptography)
- hnetcfg.dll (firewall)
- pstorec.dll (storage)

No suspicious DLLs were found this time, but there is a clear difference in the number of DLLs between the legitimate lsass and the suspicious ones.
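As an added example (not code from the original post or from Volatility 3), the checks described above applied to dlllist output: unresolved or oddly formed module names, load paths outside the usual Windows directories, and the capability DLLs listed. The rows are constructed from the pid 680 and pid 1928 listings above; the odd-name check picks out the KERNEL32.DLL.ASLR.0360b7ab entry of pid 1928 for a second look.

```python
"""DLL triage over Volatility 3 windows.dlllist output.

Added example, not part of the original post or of Volatility 3. It applies
three checks to the tab-separated dlllist table: an unresolved or oddly
formed module name, a load path outside the usual Windows directories,
and the presence of the capability DLLs the post lists (networking,
crypto, firewall, protected storage). Sample rows are constructed from
the pid 680 and pid 1928 listings above.
"""
import ntpath

DLLLIST_OUTPUT = """\
PID\tProcess\tBase\tSize\tName\tPath

680\tlsass.exe\t0x1000000\t0x6000\tlsass.exe\tC:\\WINDOWS\\system32\\lsass.exe
680\tlsass.exe\t0x7c900000\t0xaf000\t-\t-
680\tlsass.exe\t0x662b0000\t0x58000\thnetcfg.dll\tC:\\WINDOWS\\system32\\hnetcfg.dll
680\tlsass.exe\t0x773d0000\t0x103000\tcomctl32.dll\tC:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\\comctl32.dll
1928\tlsass.exe\t0x7c900000\t0xaf000\tntdll.dll\tC:\\WINDOWS\\system32\\ntdll.dll
1928\tlsass.exe\t0x870000\t0x138000\tKERNEL32.DLL.ASLR.0360b7ab\tC:\\WINDOWS\\system32\\KERNEL32.DLL.ASLR.0360b7ab
1928\tlsass.exe\t0x71ab0000\t0x17000\tWS2_32.dll\tC:\\WINDOWS\\system32\\WS2_32.dll
1928\tlsass.exe\t0x77a80000\t0x95000\tCRYPT32.dll\tC:\\WINDOWS\\system32\\CRYPT32.dll
"""

# Directories (lower-case) in which Windows XP system modules normally live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\",
                "c:\\windows\\apppatch\\")
# File extensions a loaded module name is expected to end with.
MODULE_EXTENSIONS = (".dll", ".exe", ".drv", ".ocx", ".cpl", ".ime")
# Capability DLLs from the post, with what their presence gives a process.
WATCHLIST = {"ws2_32.dll": "networking", "crypt32.dll": "cryptography",
             "hnetcfg.dll": "firewall configuration",
             "pstorec.dll": "protected storage"}


def parse_dlllist(text):
    """Turn vol.py's tab-separated dlllist table into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def triage_dlls(rows):
    """Return ({pid: [reasons]}, {pid: {dll: capability}})."""
    suspicious, capabilities = {}, {}
    for r in rows:
        pid, name, path = int(r["PID"]), r["Name"], r["Path"]
        reasons = []
        if name == "-" or path == "-":
            # dlllist could not resolve the name: the module's PEB entry is gone or damaged
            reasons.append(f"unresolved module at base {r['Base']}")
        else:
            lname, lpath = name.lower(), path.lower()
            if not lname.endswith(MODULE_EXTENSIONS):
                reasons.append(f"odd module name {name!r}")
            if not lpath.startswith(TRUSTED_DIRS):
                reasons.append(f"loaded from unusual path {path}")
            if ntpath.basename(lpath) != lname:
                reasons.append(f"name {name!r} does not match path {path}")
            if lname in WATCHLIST:
                capabilities.setdefault(pid, {})[lname] = WATCHLIST[lname]
        if reasons:
            suspicious.setdefault(pid, []).extend(reasons)
    return suspicious, capabilities


if __name__ == "__main__":
    flagged, caps = triage_dlls(parse_dlllist(DLLLIST_OUTPUT))
    for pid, reasons in flagged.items():
        print(pid, reasons)
    for pid, dlls in caps.items():
        print(pid, "can do:", ", ".join(sorted(dlls.values())))
```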

4. Look for suspicious items

Plugin used: windows.malfind

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 680
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	Process	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	Hexdump	Disasm
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 868
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	Process	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	Hexdump	Disasm

868	lsass.exe	0x80000	0xf9fff	Vad 	PAGE_EXECUTE_READWRITE	0	0	
4d 5a 90 00 03 00 00 00	MZ......
04 00 00 00 ff ff 00 00	........
b8 00 00 00 00 00 00 00	........
40 00 00 00 00 00 00 00	@.......
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 08 01 00 00	........	4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  8  1  0  0
868	lsass.exe	0x1000000	0x1005fff	Vad 	PAGE_EXECUTE_READWRITE	2	0	
4d 5a 90 00 03 00 00 00	MZ......
04 00 00 00 ff ff 00 00	........
b8 00 00 00 00 00 00 00	........
40 00 00 00 00 00 00 00	@.......
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 d0 00 00 00	........	4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0 d0  0  0  0
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	Process	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	Hexdump	Disasm

1928	lsass.exe	0x80000	0xf9fff	Vad 	PAGE_EXECUTE_READWRITE	0	0	
4d 5a 90 00 03 00 00 00	MZ......
04 00 00 00 ff ff 00 00	........
b8 00 00 00 00 00 00 00	........
40 00 00 00 00 00 00 00	@.......
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 08 01 00 00	........	4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  8  1  0  0
1928	lsass.exe	0x1000000	0x1005fff	Vad 	PAGE_EXECUTE_READWRITE	2	0	
4d 5a 90 00 03 00 00 00	MZ......
04 00 00 00 ff ff 00 00	........
b8 00 00 00 00 00 00 00	........
40 00 00 00 00 00 00 00	@.......
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 d0 00 00 00	........	4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0 d0  0  0  0
1928	lsass.exe	0x6f0000	0x769fff	Vad 	PAGE_EXECUTE_READWRITE	0	0	
29 87 7f ae 00 00 00 00	).......
ff ff ff ff 77 35 00 01	....w5..
4b 00 45 00 52 00 4e 00	K.E.R.N.
45 00 4c 00 33 00 32 00	E.L.3.2.
2e 00 44 00 4c 00 4c 00	..D.L.L.
2e 00 41 00 53 00 4c 00	..A.S.L.
52 00 2e 00 30 00 33 00	R...0.3.
36 00 30 00 62 00 37 00	6.0.b.7.	29 87 7f ae  0  0  0  0 ff ff ff ff 77 35  0  1 4b  0 45  0 52  0 4e  0 45  0 4c  0 33  0 32  0 2e  0 44  0 4c  0 4c  0 2e  0 41  0 53  0 4c  0 52  0 2e  0 30  0 33  0 36  0 30  0 62  0 37  0
1928	lsass.exe	0x680000	0x680fff	Vad 	PAGE_EXECUTE_READWRITE	0	0	
90 06 68 00 c6 07 68 00	..h...h.
24 00 68 00 a5 04 00 00	$.h.....
f2 04 68 00 48 06 00 00	..h.H...
c9 04 68 00 29 00 00 00	..h.)...
00 00 6f 00 e8 13 00 00	..o.....
00 5a 77 4d 61 70 56 69	.ZwMapVi
65 77 4f 66 53 65 63 74	ewOfSect
69 6f 6e 00 5a 51 81 c1	ion.ZQ..	90  6 68  0 c6  7 68  0 24  0 68  0 a5  4  0  0 f2  4 68  0 48  6  0  0 c9  4 68  0 29  0  0  0  0  0 6f  0 e8 13  0  0  0 5a 77 4d 61 70 56 69 65 77 4f 66 53 65 63 74 69 6f 6e  0 5a 51 81 c1
1928	lsass.exe	0x870000	0x9a7fff	Vad 	PAGE_EXECUTE_READWRITE	0	0	
4d 5a 90 00 03 00 00 00	MZ......
04 00 00 00 ff ff 00 00	........
b8 00 00 00 00 00 00 00	........
40 00 00 00 00 00 00 00	@.......
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 00 00 00 00	........
00 00 00 00 08 01 00 00	........	4d 5a 90  0  3  0  0  0  4  0  0  0 ff ff  0  0 b8  0  0  0  0  0  0  0 40  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  8  1  0  0

malfind can find hidden or injected code and DLLs.
The suspicious lsass processes did contain suspicious regions.
So I will dump the lsass with PID 1928.
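An added example (not from the original post or from Volatility 3) of reading malfind hits: each range's first 64 bytes, constructed here from the pid 1928 output above, are checked for an MZ header, cross-referenced against the module bases from dlllist, and otherwise searched for ASCII and UTF-16LE strings, which recovers the ZwMapViewOfSection and KERNEL32.DLL.ASLR names visible in the hexdumps.

```python
"""Classify windows.malfind hits by what their first bytes contain.

Added example, not part of the original post or of Volatility 3. malfind
reports private memory ranges whose protection allows execution; the
Hexdump column lets an analyst decide what each range is. This code takes
the pid 1928 ranges shown above (constructed here as Python data), checks
for an MZ header, correlates the range base with the module bases from
dlllist so an image at its listed base is not reported as an unlisted PE,
and pulls ASCII / UTF-16LE strings out of the remaining ranges.
"""
import re

# Leading bytes of a DOS/PE header as shown in the hexdumps above.
MZ_HEAD = ("4d5a900003000000" "04000000ffff0000"
           "b800000000000000" "4000000000000000")
MZ_A = MZ_HEAD + "00" * 28 + "08010000"   # e_lfanew 0x108
MZ_B = MZ_HEAD + "00" * 28 + "d0000000"   # e_lfanew 0xd0

# Constructed from the pid 1928 malfind rows: (start, end, protection, 64 bytes as hex).
MALFIND_ROWS_1928 = [
    (0x80000, 0xf9fff, "PAGE_EXECUTE_READWRITE", MZ_A),
    (0x1000000, 0x1005fff, "PAGE_EXECUTE_READWRITE", MZ_B),
    (0x6f0000, 0x769fff, "PAGE_EXECUTE_READWRITE",
     "29877fae00000000" "ffffffff77350001" "4b00450052004e00" "45004c0033003200"
     "2e0044004c004c00" "2e00410053004c00" "52002e0030003300" "3600300062003700"),
    (0x680000, 0x680fff, "PAGE_EXECUTE_READWRITE",
     "90066800c6076800" "24006800a5040000" "f204680048060000" "c904680029000000"
     "00006f00e8130000" "005a774d61705669" "65774f6653656374" "696f6e005a5181c1"),
    (0x870000, 0x9a7fff, "PAGE_EXECUTE_READWRITE", MZ_A),
]
# Module bases for pid 1928 taken from the dlllist output above.
MODULE_BASES_1928 = {0x1000000: "lsass.exe", 0x870000: "KERNEL32.DLL.ASLR.0360b7ab"}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data):
    """Printable ASCII and UTF-16LE runs of at least four characters."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def classify_hit(start, end, protection, hexdump, module_bases):
    """Describe one malfind range: PE image (listed or not) or code/data with strings."""
    data = bytes.fromhex(hexdump)
    hit = {"start": start, "size": end - start + 1, "protection": protection,
           "executable": "EXECUTE" in protection}
    if data.startswith(b"MZ"):
        hit["kind"] = "pe_image"
        hit["module"] = module_bases.get(start)  # None: PE header with no dlllist entry
    else:
        hit["kind"] = "code_or_data"
        hit["strings"] = extract_strings(data)
    return hit


def triage(rows, module_bases):
    return [classify_hit(*row, module_bases) for row in rows]


def unlisted_pe_images(hits):
    """Start addresses of MZ-headed ranges that dlllist does not know about."""
    return [h["start"] for h in hits if h["kind"] == "pe_image" and h["module"] is None]


if __name__ == "__main__":
    for h in triage(MALFIND_ROWS_1928, MODULE_BASES_1928):
        extra = h.get("module") or h.get("strings")
        print(f"{h['start']:#x} {h['kind']:<12} {extra}")
```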

5. Dump the process

Plugin used: windows.procdump

ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.procdump --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress:   29.00		Scanning primary2 using PdbSignatureScanner
PID	Process	Result

1928	lsass.exe	Stored pid.1928.0x1000000.dmp

Compute the hash

ubuntu:~/volatility3$ ls
config.json  development  doc  LICENSE.txt  MANIFEST.in  mypy.ini  pid.1928.0x1000000.dmp  README.txt  setup.py  volatility  vol.py  volshell.py  volshell.spec  vol.spec  yara-python
ubuntu:~/volatility3$ file pid.1928.0x1000000.dmp 
pid.1928.0x1000000.dmp: PE32 executable (GUI) Intel 80386, for MS Windows

ubuntu:~/volatility3$ md5sum pid.1928.0x1000000.dmp 
72986f71a43da2780d3eec53da02241a  pid.1928.0x1000000.dmp

6. Check on VirusTotal

Search VirusTotal for the computed hash value.

Result
https://www.virustotal.com/gui/file/0e03d3398eb2cc3d96c39a551d67945a427e39890aa94f2c57396fd8e4805d9b/detection

Summary

Volatility 3 can be used much like the previous version.
I will add to this post as new information comes in.
