Overview
I looked into how to use Volatility.
I tried yarascan.
volatility -f zeus.vmem/zeus.vmem yarascan --yara-rules="{4d 5a 90 00 03}" --pid 856
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process svchost.exe Pid 856
0x01000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01000030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................
0x01000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x01000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is.program.canno
0x01000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t.be.run.in.DOS.
0x01000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
0x01000080 fc a9 f5 66 b8 c8 9b 35 b8 c8 9b 35 b8 c8 9b 35 ...f...5...5...5
0x01000090 7b c7 fb 35 b9 c8 9b 35 7b c7 c6 35 b1 c8 9b 35 {..5...5{..5...5
0x010000a0 b8 c8 9a 35 e7 c8 9b 35 7b c7 c5 35 b9 c8 9b 35 ...5...5{..5...5
0x010000b0 7b c7 c4 35 b4 c8 9b 35 7b c7 c1 35 b9 c8 9b 35 {..5...5{..5...5
0x010000c0 52 69 63 68 b8 c8 9b 35 00 00 00 00 00 00 00 00 Rich...5........
0x010000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x010000e0 50 45 00 00 4c 01 03 00 d6 7e 10 41 00 00 00 00 PE..L....~.A....
0x010000f0 00 00 00 00 e0 00 0f 01 0b 01 07 0a 00 2c 00 00 .............,..
volatility -f zeus.vmem/zeus.vmem yarascan --yara-rules="cannot" --pid 856
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process svchost.exe Pid 856
0x0100005b 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e cannot.be.run.in
0x0100006b 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 .DOS.mode....$..
0x0100007b 00 00 00 00 00 fc a9 f5 66 b8 c8 9b 35 b8 c8 9b ........f...5...
0x0100008b 35 b8 c8 9b 35 7b c7 fb 35 b9 c8 9b 35 7b c7 c6 5...5{..5...5{..
0x0100009b 35 b1 c8 9b 35 b8 c8 9a 35 e7 c8 9b 35 7b c7 c5 5...5...5...5{..
0x010000ab 35 b9 c8 9b 35 7b c7 c4 35 b4 c8 9b 35 7b c7 c1 5...5{..5...5{..
0x010000bb 35 b9 c8 9b 35 52 69 63 68 b8 c8 9b 35 00 00 00 5...5Rich...5...
0x010000cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x010000db 00 00 00 00 00 50 45 00 00 4c 01 03 00 d6 7e 10 .....PE..L....~.
0x010000eb 41 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 07 A...............
0x010000fb 0a 00 2c 00 00 00 08 00 00 00 00 00 00 09 25 00 ..,...........%.
0x0100010b 00 00 10 00 00 00 40 00 00 00 00 00 01 00 10 00 ......@.........
0x0100011b 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 ................
0x0100012b 00 00 00 00 00 00 60 00 00 00 04 00 00 dd 9c 00 ......`.........
0x0100013b 00 02 00 00 84 00 00 04 00 00 40 00 00 00 00 10 ..........@.....
0x0100014b 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 ................
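A few things worth noticing in the two runs above: --yara-rules accepts either a bare text string ("cannot") or a YARA hex string in braces ({4d 5a 90 00 03}), the dump always starts at the match address (so the second dump begins mid-sentence at 0x0100005b), and the MZ hit at 0x01000000 inside svchost.exe is a complete PE header that says ImageBase = 0x01000000, i.e. the process's own executable mapped at its preferred base, not something injected (dlllist on the same pid would show the same base). The following added example (not code from the page or from Volatility) reconstructs the bytes from the two hexdumps printed above, re-implements a minimal hex-string matcher with ?? wildcards so the same pattern can be tried offline, and walks the DOS and PE headers to cross-check the hit. The dump text, PROCESS_BASE and every function name are this example's own constructions; the matcher is not YARA and does not handle jumps like [2-4].

```python
import struct
from datetime import datetime, timezone

# Constructed input: the yarascan output lines from this page for svchost.exe
# (pid 856). The first dump (rule {4d 5a 90 00 03}) is kept whole; of the
# second dump (rule "cannot") only the tail past the first dump is kept, so
# together they cover 0x01000000-0x0100015a without a gap.
PROCESS_BASE = 0x01000000  # address of the first dump line (assumption: the hit VA)
YARASCAN_DUMPS = """\
0x01000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01000030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................
0x01000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x01000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is.program.canno
0x01000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t.be.run.in.DOS.
0x01000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
0x01000080 fc a9 f5 66 b8 c8 9b 35 b8 c8 9b 35 b8 c8 9b 35 ...f...5...5...5
0x01000090 7b c7 fb 35 b9 c8 9b 35 7b c7 c6 35 b1 c8 9b 35 {..5...5{..5...5
0x010000a0 b8 c8 9a 35 e7 c8 9b 35 7b c7 c5 35 b9 c8 9b 35 ...5...5{..5...5
0x010000b0 7b c7 c4 35 b4 c8 9b 35 7b c7 c1 35 b9 c8 9b 35 {..5...5{..5...5
0x010000c0 52 69 63 68 b8 c8 9b 35 00 00 00 00 00 00 00 00 Rich...5........
0x010000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x010000e0 50 45 00 00 4c 01 03 00 d6 7e 10 41 00 00 00 00 PE..L....~.A....
0x010000f0 00 00 00 00 e0 00 0f 01 0b 01 07 0a 00 2c 00 00 .............,..
0x010000fb 0a 00 2c 00 00 00 08 00 00 00 00 00 00 09 25 00 ..,...........%.
0x0100010b 00 00 10 00 00 00 40 00 00 00 00 00 01 00 10 00 ......@.........
0x0100011b 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 ................
0x0100012b 00 00 00 00 00 00 60 00 00 00 04 00 00 dd 9c 00 ......`.........
0x0100013b 00 02 00 00 84 00 00 04 00 00 40 00 00 00 00 10 ..........@.....
0x0100014b 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 ................
"""


def parse_yarascan_dump(text, base=PROCESS_BASE):
    """Rebuild one contiguous buffer from yarascan hexdump lines.

    Lines from different hits may overlap; overlapping bytes must agree and
    the union must be gap-free from `base`, otherwise the transcription is off.
    """
    mem = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 17 or not tok[0].startswith("0x"):
            continue  # skip blank/header lines; ASCII column (tok[17]) is ignored
        off = int(tok[0], 16) - base
        for i, h in enumerate(tok[1:17]):
            b = int(h, 16)
            if mem.get(off + i, b) != b:
                raise ValueError("dumps disagree at 0x%08x" % (base + off + i))
            mem[off + i] = b
    if sorted(mem) != list(range(len(mem))):
        raise ValueError("dumps do not cover a contiguous range from base")
    return bytes(mem[i] for i in range(len(mem)))


def find_hex_pattern(buf, pattern):
    """Offsets where a YARA-style hex string such as {4d 5a ?? 00 03} matches.
    '??' is a one-byte wildcard; this toy matcher does not support jumps."""
    pat = [None if t == "??" else int(t, 16)
           for t in pattern.strip().strip("{}").split()]
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pat))]


def parse_pe_headers(buf, off=0):
    """Walk MZ -> e_lfanew -> PE -> PE32 optional header and return the
    fields worth checking when a yarascan hit lands on an executable header."""
    if buf[off:off + 2] != b"MZ":
        raise ValueError("no MZ signature at hit")
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    if buf[nt:nt + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    f = struct.unpack_from("<HBB9I6H4IHH", buf, nt + 24)  # first 72 bytes of the optional header
    if f[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    return {
        "e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
        "timestamp": timestamp,
        "build_date": datetime.fromtimestamp(timestamp, tz=timezone.utc).date().isoformat(),
        "optional_header_size": opt_size,
        "is_executable_image": bool(characteristics & 0x0002),
        "is_dll": bool(characteristics & 0x2000),
        "linker": (f[1], f[2]), "size_of_code": f[3], "entry_point_rva": f[6],
        "image_base": f[9], "section_alignment": f[10], "os_version": (f[12], f[13]),
        "size_of_image": f[19], "checksum": f[21], "subsystem": f[22],
    }


def analyze_hit(buf, hit_off, base=PROCESS_BASE):
    """Cross-check an MZ hit: does the header claim to belong at this address?"""
    info = parse_pe_headers(buf, hit_off)
    info["hit_va"] = base + hit_off
    info["at_preferred_base"] = info["image_base"] == info["hit_va"]
    return info


if __name__ == "__main__":
    mem = parse_yarascan_dump(YARASCAN_DUMPS)
    for off in find_hex_pattern(mem, "{4d 5a 90 00 03}"):
        i = analyze_hit(mem, off)
        print("MZ at 0x%08x: ImageBase 0x%08x (at preferred base: %s), %d sections, "
              "built %s, OS %d.%d, entry RVA 0x%x" % (
                  i["hit_va"], i["image_base"], i["at_preferred_base"], i["sections"],
                  i["build_date"], i["os_version"][0], i["os_version"][1], i["entry_point_rva"]))
    print("text 'cannot' found at 0x%08x" % (PROCESS_BASE + mem.find(b"cannot")))
```

The same idea scales to the unfiltered run: drop --pid and yarascan reports the owning process for every hit, and an MZ header whose parsed ImageBase does not match the hit address, or that sits in a region dlllist does not list, is the one worth dumping with --dump-dir.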