volatility3
Volatility3 was announced at OSDFCon yesterday. I'd like to try out the newly announced Volatility3.
Test environment
The following is what I prepared.
- Ubuntu 18.04
- Ubuntu 19.10
Installation
Basically, everything other than Volatility was installed with pip3.
- Install pefile
pip3 install pefile
- Install yara
pip3 install yara-python
- Install capstone
pip3 install capstone
- Download volatility
git clone https://github.com/volatilityfoundation/volatility3.git
Running it
Run the help!
$ python3 vol.py -h
It looks like commands have become plugins, and there is a set of plugins for each OS (Windows, Linux, Mac).
The help output is below.
ubuntu:~/volatility3$ python3 vol.py -h
Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
[-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
[-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
[--write-config]
[--single-swap-locations SINGLE_SWAP_LOCATIONS]
[--single-location SINGLE_LOCATION]
plugin ...
An open-source memory forensics framework
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
Load the configuration from a json file
--parallelism [{processes,threads,off}]
Enables parallelism (defaults to processes if no
argument given)
-e EXTEND, --extend EXTEND
Extend the configuration with a new (or changed)
setting
-p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
Semi-colon separated list of paths to find plugins
-s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
Semi-colon separated list of paths to find symbols
-v, --verbosity Increase output verbosity
-l LOG, --log LOG Log output to a file as well as the console
-o OUTPUT_DIR, --output-dir OUTPUT_DIR
Directory in which to output any generated files
-q, --quiet Remove progress feedback
-r RENDERER, --renderer RENDERER
Determines how to render the output (quick, csv,
pretty)
-f FILE, --file FILE Shorthand for --single-location=file:// if single-
location is not defined
--write-config Write configuration JSON file out to config.json
--single-swap-locations SINGLE_SWAP_LOCATIONS
Specifies a list of swap layer URIs for use with
single-location
--single-location SINGLE_LOCATION
Specifies a base location on which to stack
Plugins:
plugin
configwriter.ConfigWriter
Runs the automagics and both prints and outputs
configuration in the output directory.
layerwriter.LayerWriter
Runs the automagics and lists out the generated layers
if no layer name is specified, otherwise writes out
the named layer.
linux.bash.Bash Recovers bash command history from memory.
linux.check_afinfo.Check_afinfo
Verifies the operation function pointers of network
protocols.
linux.check_syscall.Check_syscall
Check system call table for hooks.
linux.elfs.Elfs Lists all memory mapped ELF files for all processes.
linux.lsmod.Lsmod Lists loaded kernel modules.
linux.lsof.Lsof Lists all memory maps for all processes.
linux.malfind.Malfind
Lists process memory ranges that potentially contain
injected code.
linux.proc.Maps Lists all memory maps for all processes.
linux.pslist.PsList
Lists the processes present in a particular linux
memory image.
linux.pstree.PsTree
Plugin for listing processes in a tree based on their
parent process ID.
mac.bash.Bash Recovers bash command history from memory.
mac.check_syscall.Check_syscall
Check system call table for hooks.
mac.check_sysctl.Check_sysctl
Check sysctl handlers for hooks.
mac.check_trap_table.Check_trap_table
Check mach trap table for hooks.
mac.ifconfig.Ifconfig
Lists loaded kernel modules
mac.lsmod.Lsmod Lists loaded kernel modules.
mac.lsof.lsof Lists all open file descriptors for all processes.
mac.malfind.Malfind
Lists process memory ranges that potentially contain
injected code.
mac.netstat.Netstat
Lists all network connections for all processes.
mac.proc_maps.Maps Lists process memory ranges that potentially contain
injected code.
mac.psaux.Psaux Recovers program command line arguments.
mac.pslist.PsList Lists the processes present in a particular mac memory
image.
mac.pstree.PsTree Plugin for listing processes in a tree based on their
parent process ID.
mac.tasks.Tasks Lists the processes present in a particular mac memory
image.
mac.trustedbsd.trustedbsd
Checks for malicious trustedbsd modules
timeliner.Timeliner
Runs all relevant plugins that provide time related
information and orders the results by time.
windows.callbacks.Callbacks
Lists kernel callbacks and notification routines.
windows.cmdline.CmdLine
Lists process command line arguments.
windows.dlldump.DllDump
Dumps process memory ranges as DLLs.
windows.dlllist.DllList
Lists the loaded modules in a particular windows
memory image.
windows.driverirp.DriverIrp
List IRPs for drivers in a particular windows memory
image.
windows.driverscan.DriverScan
Scans for drivers present in a particular windows
memory image.
windows.filescan.FileScan
Scans for file objects present in a particular windows
memory image.
windows.handles.Handles
Lists process open handles.
windows.info.Info Show OS & kernel details of the memory sample being
analyzed.
windows.malfind.Malfind
Lists process memory ranges that potentially contain
injected code.
windows.moddump.ModDump
Dumps kernel modules.
windows.modscan.ModScan
Scans for modules present in a particular windows
memory image.
windows.modules.Modules
Lists the loaded kernel modules.
windows.mutantscan.MutantScan
Scans for mutexes present in a particular windows
memory image.
windows.poolscanner.PoolScanner
A generic pool scanner plugin.
windows.procdump.ProcDump
Dumps process executable images.
windows.pslist.PsList
Lists the processes present in a particular windows
memory image.
windows.psscan.PsScan
Scans for processes present in a particular windows
memory image.
windows.pstree.PsTree
Plugin for listing processes in a tree based on their
parent process ID.
windows.registry.certificates.Certificates
Lists the certificates in the registry's Certificate
Store.
windows.registry.hivelist.HiveList
Lists the registry hives present in a particular
memory image.
windows.registry.hivescan.HiveScan
Scans for registry hives present in a particular
windows memory image.
windows.registry.printkey.PrintKey
Lists the registry keys under a hive or specific key
value.
windows.registry.userassist.UserAssist
Print userassist registry keys and information.
windows.ssdt.SSDT Lists the system call table.
windows.statistics.Statistics
windows.strings.Strings
Reads output from the strings command and indicates
which process(es) each string belongs to.
windows.svcscan.SvcScan
Scans for windows services.
windows.symlinkscan.SymlinkScan
Scans for links present in a particular windows memory
image.
windows.vaddump.VadDump
Dumps process memory ranges.
windows.vadinfo.VadInfo
Lists process memory ranges.
windows.vadyarascan.VadYaraScan
Scans all the Virtual Address Descriptor memory maps
using yara.
windows.verinfo.VerInfo
Lists version information from PE files.
windows.virtmap.VirtMap
Lists virtual mapped sections.
yarascan.YaraScan Scans memory using yara rules (string or file).
Trying it out
I'd like to try it to see what Volatility3 feels like.
Analysis target
This time I'll analyze stuxnet.
The file to analyze was downloaded from the following.
URL
The differences between volatility and volatility3 are roughly as follows.
- The development language changed from python2 to python3
- There is no need to run the profile command
Analysis flow
I'll analyze as follows.
- Get memory information
- Investigate processes
- Investigate DLLs
- Look for suspicious items
- Dump the process
- Check on VirusTotal
Usage
vol.py -f [path of the target to analyze] [name of the plugin to use]
1. Get memory information
Plugin used: windows.info
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.info
Output
Volatility 3 Framework 1.0.0-beta.1
Progress: 99.99 Reading Symbol layer
Variable Value
Kernel Base 0x804d7000
DTB 0x319000
Symbols file:///home/shinobi/volatility3/volatility/symbols/windows/ntkrnlpa.pdb/30B5FB31AE7E4ACAABA750AA241FF331-1.json.xz
primary 0 WindowsIntelPAE
memory_layer 1 FileLayer
KdDebuggerDataBlock 0x80545ae0
NTBuildLab 2600.xpsp.080413-2111
CSDVersion 3
KdVersionBlock 0x80545ab8
Major/Minor 15.2600
MachineType 332
KeNumberProcessors 1
SystemTime 2011-06-03 04:31:36
NtSystemRoot C:\WINDOWS
NtProductType NtProductWinNt
NtMajorVersion 5
NtMinorVersion 1
PE MajorOperatingSystemVersion 5
PE MinorOperatingSystemVersion 1
PE Machine 332
PE TimeDateStamp Sun Apr 13 18:31:06 2008
2. Investigate processes
Plugin used: windows.pslist
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.pslist
Output
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0x823c8830 59 403 N/A False N/A N/A
376 4 smss.exe 0x820df020 3 19 N/A False 2010-10-29 17:08:53.000000 N/A
600 376 csrss.exe 0x821a2da0 11 395 0 False 2010-10-29 17:08:54.000000 N/A
624 376 winlogon.exe 0x81da5650 19 570 0 False 2010-10-29 17:08:54.000000 N/A
668 624 services.exe 0x82073020 21 431 0 False 2010-10-29 17:08:54.000000 N/A
680 624 lsass.exe 0x81e70020 19 342 0 False 2010-10-29 17:08:54.000000 N/A
844 668 vmacthlp.exe 0x823315d8 1 25 0 False 2010-10-29 17:08:55.000000 N/A
856 668 svchost.exe 0x81db8da0 17 193 0 False 2010-10-29 17:08:55.000000 N/A
940 668 svchost.exe 0x81e61da0 13 312 0 False 2010-10-29 17:08:55.000000 N/A
1032 668 svchost.exe 0x822843e8 61 1169 0 False 2010-10-29 17:08:55.000000 N/A
1080 668 svchost.exe 0x81e18b28 5 80 0 False 2010-10-29 17:08:55.000000 N/A
1200 668 svchost.exe 0x81ff7020 14 197 0 False 2010-10-29 17:08:55.000000 N/A
1412 668 spoolsv.exe 0x81fee8b0 10 118 0 False 2010-10-29 17:08:56.000000 N/A
1580 668 jqs.exe 0x81e0eda0 5 148 0 False 2010-10-29 17:09:05.000000 N/A
1664 668 vmtoolsd.exe 0x81fe52d0 5 284 0 False 2010-10-29 17:09:05.000000 N/A
1816 668 VMUpgradeHelper 0x821a0568 3 96 0 False 2010-10-29 17:09:08.000000 N/A
188 668 alg.exe 0x8205ada0 6 107 0 False 2010-10-29 17:09:09.000000 N/A
1196 1728 explorer.exe 0x820ec7e8 16 582 0 False 2010-10-29 17:11:49.000000 N/A
2040 1032 wscntfy.exe 0x820ecc10 1 28 0 False 2010-10-29 17:11:49.000000 N/A
324 1196 TSVNCache.exe 0x81e86978 7 54 0 False 2010-10-29 17:11:49.000000 N/A
1912 1196 VMwareTray.exe 0x81fc5da0 1 50 0 False 2010-10-29 17:11:50.000000 N/A
1356 1196 VMwareUser.exe 0x81e6b660 9 251 0 False 2010-10-29 17:11:50.000000 N/A
1712 1196 jusched.exe 0x8210d478 1 26 0 False 2010-10-29 17:11:50.000000 N/A
756 668 imapi.exe 0x82279998 4 116 0 False 2010-10-29 17:11:54.000000 N/A
976 1032 wuauclt.exe 0x822b9a10 3 133 0 False 2010-10-29 17:12:03.000000 N/A
660 1196 Procmon.exe 0x81c543a0 13 189 0 False 2011-06-03 04:25:56.000000 N/A
1872 856 wmiprvse.exe 0x81fa5390 5 134 0 False 2011-06-03 04:25:58.000000 N/A
868 668 lsass.exe 0x81c498c8 2 23 0 False 2011-06-03 04:26:55.000000 N/A
1928 668 lsass.exe 0x81c47c00 4 65 0 False 2011-06-03 04:26:55.000000 N/A
968 1664 cmd.exe 0x81c0cda0 0 - 0 False 2011-06-03 04:31:35.000000 2011-06-03 04:31:36.000000
304 968 ipconfig.exe 0x81f14938 0 - 0 False 2011-06-03 04:31:35.000000 2011-06-03 04:31:36.000000
When investigating processes, you need to know what the legitimate processes look like.
The poster at the URL below is a useful reference.
- SANS: Hunt Evil Poster
Looking at page 1 of the Hunt Evil poster, there is normally only one lsass process, but here we can see there are several.
Normally you could use the pstree plugin to view the processes as a tree, but for some reason pstree would not run, so I'll continue as is.
python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.pslist | grep lsass
680 624 lsass.exe 0x81e70020 19 342 0 False 2010-10-29 17:08:54.000000 N/A
868 668 lsass.exe 0x81c498c8 2 23 0 False 2011-06-03 04:26:55.000000 N/A
1928 668 lsass.exe 0x81c47c00 4 65 0 False 2011-06-03 04:26:55.000000 N/A
Of the three lsass processes, two turn out to be suspicious.
The parent of the legitimate lsass is the process "wininit.exe", so the lsass with pid 680 is the legitimate process.
From here on I'll investigate the lsass processes 868 and 1928.
3. Investigate DLLs
Plugin used: windows.dlllist
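As an added example (not code from the post or from the Volatility project), the script below parses an excerpt of the pslist table reproduced above and reports every singleton system process that appears more than once, together with each instance's parent and creation time. The expected-parent table is an assumption that follows the Windows XP parent chain visible in this listing.

```python
"""Flag system processes that should exist exactly once but appear several
times in a windows.pslist listing, and show each instance's parent and start
time.  Added example, not part of the original post; the input is an excerpt
of the pslist output above (the header plus the rows needed for the check)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt of the post's pslist output for stuxnet.vmem.
PSLIST_EXCERPT = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0x823c8830 59 403 N/A False N/A N/A
376 4 smss.exe 0x820df020 3 19 N/A False 2010-10-29 17:08:53.000000 N/A
600 376 csrss.exe 0x821a2da0 11 395 0 False 2010-10-29 17:08:54.000000 N/A
624 376 winlogon.exe 0x81da5650 19 570 0 False 2010-10-29 17:08:54.000000 N/A
668 624 services.exe 0x82073020 21 431 0 False 2010-10-29 17:08:54.000000 N/A
680 624 lsass.exe 0x81e70020 19 342 0 False 2010-10-29 17:08:54.000000 N/A
856 668 svchost.exe 0x81db8da0 17 193 0 False 2010-10-29 17:08:55.000000 N/A
868 668 lsass.exe 0x81c498c8 2 23 0 False 2011-06-03 04:26:55.000000 N/A
1928 668 lsass.exe 0x81c47c00 4 65 0 False 2011-06-03 04:26:55.000000 N/A
968 1664 cmd.exe 0x81c0cda0 0 - 0 False 2011-06-03 04:31:35.000000 2011-06-03 04:31:36.000000
"""

# Processes a Windows XP boot starts exactly once, with the image name of the
# process expected to start them (the parent chain visible in the listing).
# Assumption for this XP image; on Vista and later, services.exe and lsass.exe
# are started by wininit.exe instead.
SINGLETONS = {
    "smss.exe": "System",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
}

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    created: str

def parse_pslist(text: str) -> list[Proc]:
    """Parse the quick-renderer table; CreateTime spans two whitespace tokens."""
    procs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue  # header, progress line or blank
        created = f[8] if f[8] == "N/A" else f"{f[8]} {f[9]}"
        procs.append(Proc(int(f[0]), int(f[1]), f[2], created))
    return procs

def duplicate_singletons(procs: list[Proc]) -> dict[str, list[dict]]:
    """For each singleton name seen more than once, describe every instance."""
    by_pid = {p.pid: p for p in procs}
    groups: dict[str, list[Proc]] = defaultdict(list)
    for p in procs:
        if p.name in SINGLETONS:
            groups[p.name].append(p)
    report = {}
    for name, instances in groups.items():
        if len(instances) < 2:
            continue
        report[name] = []
        for p in instances:
            parent = by_pid.get(p.ppid)
            report[name].append({
                "pid": p.pid,
                "parent": parent.name if parent else f"<pid {p.ppid} not listed>",
                "created": p.created,
                "parent_ok": parent is not None and parent.name == SINGLETONS[name],
            })
    return report

if __name__ == "__main__":
    for name, rows in duplicate_singletons(parse_pslist(PSLIST_EXCERPT)).items():
        print(f"{name}: {len(rows)} instances")
        for r in rows:
            flag = "" if r["parent_ok"] else "  <-- unexpected parent"
            print(f"  pid {r['pid']:>5} parent {r['parent']:<14} created {r['created']}{flag}")
```

Run against the full pslist output the same code also catches the later creation times (2011 versus the 2010 boot) of the two extra instances.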
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 680
Output
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID Process Base Size Name Path
680 lsass.exe 0x1000000 0x6000 lsass.exe C:\WINDOWS\system32\lsass.exe
680 lsass.exe 0x7c900000 0xaf000 - -
680 lsass.exe 0x7c800000 0xf6000 kernel32.dll C:\WINDOWS\system32\kernel32.dll
680 lsass.exe 0x77dd0000 0x9b000 ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
680 lsass.exe 0x77e70000 0x92000 RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
680 lsass.exe 0x77fe0000 0x11000 Secur32.dll C:\WINDOWS\system32\Secur32.dll
680 lsass.exe 0x75730000 0xb5000 LSASRV.dll C:\WINDOWS\system32\LSASRV.dll
680 lsass.exe 0x71b20000 0x12000 MPR.dll C:\WINDOWS\system32\MPR.dll
680 lsass.exe 0x7e410000 0x91000 USER32.dll C:\WINDOWS\system32\USER32.dll
680 lsass.exe 0x77f10000 0x49000 GDI32.dll C:\WINDOWS\system32\GDI32.dll
680 lsass.exe 0x77b20000 0x12000 MSASN1.dll C:\WINDOWS\system32\MSASN1.dll
680 lsass.exe 0x77c10000 0x58000 msvcrt.dll C:\WINDOWS\system32\msvcrt.dll
680 lsass.exe 0x5b860000 0x55000 NETAPI32.dll C:\WINDOWS\system32\NETAPI32.dll
680 lsass.exe 0x767a0000 0x13000 NTDSAPI.dll C:\WINDOWS\system32\NTDSAPI.dll
680 lsass.exe 0x76f20000 0x27000 DNSAPI.dll C:\WINDOWS\system32\DNSAPI.dll
680 lsass.exe 0x71ab0000 0x17000 WS2_32.dll C:\WINDOWS\system32\WS2_32.dll
680 lsass.exe 0x71aa0000 0x8000 WS2HELP.dll C:\WINDOWS\system32\WS2HELP.dll
680 lsass.exe 0x76f60000 0x2c000 WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll
680 lsass.exe 0x71bf0000 0x13000 SAMLIB.dll C:\WINDOWS\system32\SAMLIB.dll
680 lsass.exe 0x74440000 0x6a000 SAMSRV.dll C:\WINDOWS\system32\SAMSRV.dll
680 lsass.exe 0x76790000 0xc000 cryptdll.dll C:\WINDOWS\system32\cryptdll.dll
680 lsass.exe 0x5cb70000 0x26000 ShimEng.dll C:\WINDOWS\system32\ShimEng.dll
680 lsass.exe 0x6f880000 0x1ca000 AcGenral.DLL C:\WINDOWS\AppPatch\AcGenral.DLL
680 lsass.exe 0x76b40000 0x2d000 WINMM.dll C:\WINDOWS\system32\WINMM.dll
680 lsass.exe 0x774e0000 0x13d000 ole32.dll C:\WINDOWS\system32\ole32.dll
680 lsass.exe 0x77120000 0x8b000 OLEAUT32.dll C:\WINDOWS\system32\OLEAUT32.dll
680 lsass.exe 0x77be0000 0x15000 MSACM32.dll C:\WINDOWS\system32\MSACM32.dll
680 lsass.exe 0x77c00000 0x8000 VERSION.dll C:\WINDOWS\system32\VERSION.dll
680 lsass.exe 0x7c9c0000 0x817000 SHELL32.dll C:\WINDOWS\system32\SHELL32.dll
680 lsass.exe 0x77f60000 0x76000 SHLWAPI.dll C:\WINDOWS\system32\SHLWAPI.dll
680 lsass.exe 0x769c0000 0xb4000 USERENV.dll C:\WINDOWS\system32\USERENV.dll
680 lsass.exe 0x5ad70000 0x38000 UxTheme.dll C:\WINDOWS\system32\UxTheme.dll
680 lsass.exe 0x773d0000 0x103000 comctl32.dll C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
680 lsass.exe 0x5d090000 0x9a000 comctl32.dll C:\WINDOWS\system32\comctl32.dll
680 lsass.exe 0x4d200000 0xe000 msprivs.dll C:\WINDOWS\system32\msprivs.dll
680 lsass.exe 0x71cf0000 0x4c000 kerberos.dll C:\WINDOWS\system32\kerberos.dll
680 lsass.exe 0x77c70000 0x24000 msv1_0.dll C:\WINDOWS\system32\msv1_0.dll
680 lsass.exe 0x76d60000 0x19000 iphlpapi.dll C:\WINDOWS\system32\iphlpapi.dll
680 lsass.exe 0x744b0000 0x65000 netlogon.dll C:\WINDOWS\system32\netlogon.dll
680 lsass.exe 0x767c0000 0x2c000 w32time.dll C:\WINDOWS\system32\w32time.dll
680 lsass.exe 0x76080000 0x65000 MSVCP60.dll C:\WINDOWS\system32\MSVCP60.dll
680 lsass.exe 0x767f0000 0x27000 schannel.dll C:\WINDOWS\system32\schannel.dll
680 lsass.exe 0x77a80000 0x95000 CRYPT32.dll C:\WINDOWS\system32\CRYPT32.dll
680 lsass.exe 0x74380000 0xf000 wdigest.dll C:\WINDOWS\system32\wdigest.dll
680 lsass.exe 0x68000000 0x36000 rsaenh.dll C:\WINDOWS\system32\rsaenh.dll
680 lsass.exe 0x74410000 0x2f000 scecli.dll C:\WINDOWS\system32\scecli.dll
680 lsass.exe 0x77920000 0xf3000 SETUPAPI.dll C:\WINDOWS\system32\SETUPAPI.dll
680 lsass.exe 0x743e0000 0x2f000 ipsecsvc.dll C:\WINDOWS\system32\ipsecsvc.dll
680 lsass.exe 0x776c0000 0x12000 AUTHZ.dll C:\WINDOWS\system32\AUTHZ.dll
680 lsass.exe 0x75d90000 0xd0000 oakley.DLL C:\WINDOWS\system32\oakley.DLL
680 lsass.exe 0x74370000 0xb000 WINIPSEC.DLL C:\WINDOWS\system32\WINIPSEC.DLL
680 lsass.exe 0x71a50000 0x3f000 mswsock.dll C:\WINDOWS\system32\mswsock.dll
680 lsass.exe 0x662b0000 0x58000 hnetcfg.dll C:\WINDOWS\system32\hnetcfg.dll
680 lsass.exe 0x71a90000 0x8000 wshtcpip.dll C:\WINDOWS\System32\wshtcpip.dll
680 lsass.exe 0x743a0000 0xb000 pstorsvc.dll C:\WINDOWS\system32\pstorsvc.dll
680 lsass.exe 0x743c0000 0x1b000 psbase.dll C:\WINDOWS\system32\psbase.dll
680 lsass.exe 0x68100000 0x26000 dssenh.dll C:\WINDOWS\system32\dssenh.dll
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 868
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID Process Base Size Name Path
868 lsass.exe 0x1000000 0x6000 lsass.exe C:\WINDOWS\system32\lsass.exe
868 lsass.exe 0x7c900000 0xaf000 ntdll.dll C:\WINDOWS\system32\ntdll.dll
868 lsass.exe 0x7c800000 0xf6000 kernel32.dll C:\WINDOWS\system32\kernel32.dll
868 lsass.exe 0x77dd0000 0x9b000 ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
868 lsass.exe 0x77e70000 0x92000 RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
868 lsass.exe 0x77fe0000 0x11000 Secur32.dll C:\WINDOWS\system32\Secur32.dll
868 lsass.exe 0x7e410000 0x91000 USER32.dll C:\WINDOWS\system32\USER32.dll
868 lsass.exe 0x77f10000 0x49000 GDI32.dll C:\WINDOWS\system32\GDI32.dll
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.dlllist --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID Process Base Size Name Path
1928 lsass.exe 0x1000000 0x6000 lsass.exe C:\WINDOWS\system32\lsass.exe
1928 lsass.exe 0x7c900000 0xaf000 ntdll.dll C:\WINDOWS\system32\ntdll.dll
1928 lsass.exe 0x7c800000 0xf6000 kernel32.dll C:\WINDOWS\system32\kernel32.dll
1928 lsass.exe 0x77dd0000 0x9b000 ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
1928 lsass.exe 0x77e70000 0x92000 RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
1928 lsass.exe 0x77fe0000 0x11000 Secur32.dll C:\WINDOWS\system32\Secur32.dll
1928 lsass.exe 0x7e410000 0x91000 USER32.dll C:\WINDOWS\system32\USER32.dll
1928 lsass.exe 0x77f10000 0x49000 GDI32.dll C:\WINDOWS\system32\GDI32.dll
1928 lsass.exe 0x870000 0x138000 KERNEL32.DLL.ASLR.0360b7ab C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
1928 lsass.exe 0x76f20000 0x27000 DNSAPI.dll C:\WINDOWS\system32\DNSAPI.dll
1928 lsass.exe 0x77c10000 0x58000 msvcrt.dll C:\WINDOWS\system32\msvcrt.dll
1928 lsass.exe 0x71ab0000 0x17000 WS2_32.dll C:\WINDOWS\system32\WS2_32.dll
1928 lsass.exe 0x71aa0000 0x8000 WS2HELP.dll C:\WINDOWS\system32\WS2HELP.dll
1928 lsass.exe 0x76d60000 0x19000 IPHLPAPI.DLL C:\WINDOWS\system32\IPHLPAPI.DLL
1928 lsass.exe 0x5b860000 0x55000 NETAPI32.dll C:\WINDOWS\system32\NETAPI32.dll
1928 lsass.exe 0x774e0000 0x13d000 ole32.dll C:\WINDOWS\system32\ole32.dll
1928 lsass.exe 0x77120000 0x8b000 OLEAUT32.dll C:\WINDOWS\system32\OLEAUT32.dll
1928 lsass.exe 0x76bf0000 0xb000 PSAPI.DLL C:\WINDOWS\system32\PSAPI.DLL
1928 lsass.exe 0x7c9c0000 0x817000 SHELL32.dll C:\WINDOWS\system32\SHELL32.dll
1928 lsass.exe 0x77f60000 0x76000 SHLWAPI.dll C:\WINDOWS\system32\SHLWAPI.dll
1928 lsass.exe 0x769c0000 0xb4000 USERENV.dll C:\WINDOWS\system32\USERENV.dll
1928 lsass.exe 0x77c00000 0x8000 VERSION.dll C:\WINDOWS\system32\VERSION.dll
1928 lsass.exe 0x771b0000 0xaa000 WININET.dll C:\WINDOWS\system32\WININET.dll
1928 lsass.exe 0x77a80000 0x95000 CRYPT32.dll C:\WINDOWS\system32\CRYPT32.dll
1928 lsass.exe 0x77b20000 0x12000 MSASN1.dll C:\WINDOWS\system32\MSASN1.dll
1928 lsass.exe 0x71ad0000 0x9000 WSOCK32.dll C:\WINDOWS\system32\WSOCK32.dll
1928 lsass.exe 0x773d0000 0x103000 comctl32.dll C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
1928 lsass.exe 0x5d090000 0x9a000 comctl32.dll C:\WINDOWS\system32\comctl32.dll
With dlllist, look for DLLs with suspicious names or unnatural paths.
Also, depending on which application has loaded them, the following DLLs deserve attention.
- ws2_32.dll (networking)
- crypt32.dll (cryptography)
- hnetcfg.dll (firewall)
- pstorec.dll (storage)
This time there were no suspicious DLLs, but it is clear that the legitimate lsass and the suspicious lsass processes differ in the number of DLLs loaded.
4. Look for suspicious items
Plugin used: windows.malfind
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 680
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory Hexdump Disasm
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 868
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory Hexdump Disasm
868 lsass.exe 0x80000 0xf9fff Vad PAGE_EXECUTE_READWRITE 0 0
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 08 01 00 00 ........
868 lsass.exe 0x1000000 0x1005fff Vad PAGE_EXECUTE_READWRITE 2 0
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 d0 00 00 00 ........
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.malfind --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory Hexdump Disasm
1928 lsass.exe 0x80000 0xf9fff Vad PAGE_EXECUTE_READWRITE 0 0
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 08 01 00 00 ........
1928 lsass.exe 0x1000000 0x1005fff Vad PAGE_EXECUTE_READWRITE 2 0
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 d0 00 00 00 ........
1928 lsass.exe 0x6f0000 0x769fff Vad PAGE_EXECUTE_READWRITE 0 0
29 87 7f ae 00 00 00 00 ).......
ff ff ff ff 77 35 00 01 ....w5..
4b 00 45 00 52 00 4e 00 K.E.R.N.
45 00 4c 00 33 00 32 00 E.L.3.2.
2e 00 44 00 4c 00 4c 00 ..D.L.L.
2e 00 41 00 53 00 4c 00 ..A.S.L.
52 00 2e 00 30 00 33 00 R...0.3.
36 00 30 00 62 00 37 00 6.0.b.7.
1928 lsass.exe 0x680000 0x680fff Vad PAGE_EXECUTE_READWRITE 0 0
90 06 68 00 c6 07 68 00 ..h...h.
24 00 68 00 a5 04 00 00 $.h.....
f2 04 68 00 48 06 00 00 ..h.H...
c9 04 68 00 29 00 00 00 ..h.)...
00 00 6f 00 e8 13 00 00 ..o.....
00 5a 77 4d 61 70 56 69 .ZwMapVi
65 77 4f 66 53 65 63 74 ewOfSect
69 6f 6e 00 5a 51 81 c1 ion.ZQ..
1928 lsass.exe 0x870000 0x9a7fff Vad PAGE_EXECUTE_READWRITE 0 0
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 08 01 00 00 ........
malfind can find hidden or injected code or DLLs.
The suspicious lsass processes had suspicious findings.
So I'll dump the lsass with pid 1928.
5. Dump the process
Plugin used: windows.procdump
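To make concrete what malfind is showing for pid 1928, here is an added example (not from the post or from Volatility) that parses an excerpt of the output above and, for each region, reports its protection, whether it begins with a PE header (MZ signature plus e_lfanew), and any ASCII or UTF-16 strings in the 64 bytes shown.

```python
"""Explain a windows.malfind hit: region protection, whether the region
starts with a PE header (MZ signature and e_lfanew), and readable strings.
Added example, not from the post or Volatility; input is an excerpt above."""
import re
from dataclasses import dataclass
# Constructed excerpt of the post's malfind output for pid 1928.
MALFIND_EXCERPT = """\
1928 lsass.exe 0x1000000 0x1005fff Vad PAGE_EXECUTE_READWRITE 2 0
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 d0 00 00 00 ........
1928 lsass.exe 0x6f0000 0x769fff Vad PAGE_EXECUTE_READWRITE 0 0
29 87 7f ae 00 00 00 00 ).......
ff ff ff ff 77 35 00 01 ....w5..
4b 00 45 00 52 00 4e 00 K.E.R.N.
45 00 4c 00 33 00 32 00 E.L.3.2.
2e 00 44 00 4c 00 4c 00 ..D.L.L.
2e 00 41 00 53 00 4c 00 ..A.S.L.
52 00 2e 00 30 00 33 00 R...0.3.
36 00 30 00 62 00 37 00 6.0.b.7.
1928 lsass.exe 0x680000 0x680fff Vad PAGE_EXECUTE_READWRITE 0 0
90 06 68 00 c6 07 68 00 ..h...h.
24 00 68 00 a5 04 00 00 $.h.....
f2 04 68 00 48 06 00 00 ..h.H...
c9 04 68 00 29 00 00 00 ..h.)...
00 00 6f 00 e8 13 00 00 ..o.....
00 5a 77 4d 61 70 56 69 .ZwMapVi
65 77 4f 66 53 65 63 74 ewOfSect
69 6f 6e 00 5a 51 81 c1 ion.ZQ..
"""
HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")

@dataclass
class Region:
    pid: int
    start: int
    end: int
    protection: str
    data: bytes = b""

def parse_malfind(text: str) -> list:
    """A record line opens a region; the hexdump lines after it fill its data."""
    regions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0].isdigit() and f[2].startswith("0x"):
            regions.append(Region(int(f[0]), int(f[2], 16), int(f[3], 16), f[5]))
        elif regions and len(f) >= 8 and all(HEX_BYTE.match(t) for t in f[:8]):
            regions[-1].data += bytes.fromhex("".join(f[:8]))
    return regions

def strings_in(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs, then UTF-16LE runs, of at least min_len characters."""
    ascii_runs = [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[ -~]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs

def triage(region: Region) -> dict:
    d = region.data
    has_mz = d[:2] == b"MZ"
    # e_lfanew (file offset of the "PE" signature) sits at 0x3c of the DOS header.
    e_lfanew = int.from_bytes(d[0x3C:0x40], "little") if has_mz and len(d) >= 0x40 else None
    return {
        "start": hex(region.start),
        "pages": (region.end - region.start + 1) // 0x1000,
        "rwx": region.protection == "PAGE_EXECUTE_READWRITE",
        "pe_header": has_mz,
        "e_lfanew": e_lfanew,
        "strings": strings_in(d),
    }
```

An RWX private region that starts with a full DOS header, as at 0x1000000 here, is an executable image that no file on disk backs, which is what makes this hit worth dumping.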
ubuntu:~/volatility3$ python3 vol.py -f '/home/shinobi/Downloads/stuxnet.vmem' windows.procdump --pid 1928
Volatility 3 Framework 1.0.0-beta.1
Progress: 29.00 Scanning primary2 using PdbSignatureScanner
PID Process Result
1928 lsass.exe Stored pid.1928.0x1000000.dmp
Compute the hash value
ubuntu:~/volatility3$ ls
config.json development doc LICENSE.txt MANIFEST.in mypy.ini pid.1928.0x1000000.dmp README.txt setup.py volatility vol.py volshell.py volshell.spec vol.spec yara-python
ubuntu:~/volatility3$ file pid.1928.0x1000000.dmp
pid.1928.0x1000000.dmp: PE32 executable (GUI) Intel 80386, for MS Windows
ubuntu:~/volatility3$ md5sum pid.1928.0x1000000.dmp
72986f71a43da2780d3eec53da02241a pid.1928.0x1000000.dmp
6. Check on VirusTotal
Search VirusTotal for the computed hash value.
Summary
I think volatility3 can be used much like the previous version.
I'll add more as new information comes in.