Overview
I looked into how to use volatility.
I tried it on stuxnet.vmem.
volatility -f stuxnet.vmem/stuxnet.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/testuser/stuxnet.vmem/stuxnet.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80545ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2011-06-03 04:31:36 UTC+0000
Image local date and time : 2011-06-03 00:31:36 -0400
volatility -f stuxnet.vmem/stuxnet.vmem pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x823c8830:System 4 0 59 403 1970-01-01 00:00:00 UTC+0000
. 0x820df020:smss.exe 376 4 3 19 2010-10-29 17:08:53 UTC+0000
.. 0x821a2da0:csrss.exe 600 376 11 395 2010-10-29 17:08:54 UTC+0000
.. 0x81da5650:winlogon.exe 624 376 19 570 2010-10-29 17:08:54 UTC+0000
... 0x82073020:services.exe 668 624 21 431 2010-10-29 17:08:54 UTC+0000
.... 0x81fe52d0:vmtoolsd.exe 1664 668 5 284 2010-10-29 17:09:05 UTC+0000
..... 0x81c0cda0:cmd.exe 968 1664 0 ------ 2011-06-03 04:31:35 UTC+0000
...... 0x81f14938:ipconfig.exe 304 968 0 ------ 2011-06-03 04:31:35 UTC+0000
.... 0x822843e8:svchost.exe 1032 668 61 1169 2010-10-29 17:08:55 UTC+0000
..... 0x822b9a10:wuauclt.exe 976 1032 3 133 2010-10-29 17:12:03 UTC+0000
..... 0x820ecc10:wscntfy.exe 2040 1032 1 28 2010-10-29 17:11:49 UTC+0000
.... 0x81e61da0:svchost.exe 940 668 13 312 2010-10-29 17:08:55 UTC+0000
.... 0x81db8da0:svchost.exe 856 668 17 193 2010-10-29 17:08:55 UTC+0000
..... 0x81fa5390:wmiprvse.exe 1872 856 5 134 2011-06-03 04:25:58 UTC+0000
.... 0x821a0568:VMUpgradeHelper 1816 668 3 96 2010-10-29 17:09:08 UTC+0000
.... 0x81fee8b0:spoolsv.exe 1412 668 10 118 2010-10-29 17:08:56 UTC+0000
.... 0x81ff7020:svchost.exe 1200 668 14 197 2010-10-29 17:08:55 UTC+0000
.... 0x81c47c00:lsass.exe 1928 668 4 65 2011-06-03 04:26:55 UTC+0000
.... 0x81e18b28:svchost.exe 1080 668 5 80 2010-10-29 17:08:55 UTC+0000
.... 0x8205ada0:alg.exe 188 668 6 107 2010-10-29 17:09:09 UTC+0000
.... 0x823315d8:vmacthlp.exe 844 668 1 25 2010-10-29 17:08:55 UTC+0000
.... 0x81e0eda0:jqs.exe 1580 668 5 148 2010-10-29 17:09:05 UTC+0000
.... 0x81c498c8:lsass.exe 868 668 2 23 2011-06-03 04:26:55 UTC+0000
.... 0x82279998:imapi.exe 756 668 4 116 2010-10-29 17:11:54 UTC+0000
... 0x81e70020:lsass.exe 680 624 19 342 2010-10-29 17:08:54 UTC+0000
0x820ec7e8:explorer.exe 1196 1728 16 582 2010-10-29 17:11:49 UTC+0000
. 0x81c543a0:Procmon.exe 660 1196 13 189 2011-06-03 04:25:56 UTC+0000
. 0x81e86978:TSVNCache.exe 324 1196 7 54 2010-10-29 17:11:49 UTC+0000
. 0x81e6b660:VMwareUser.exe 1356 1196 9 251 2010-10-29 17:11:50 UTC+0000
. 0x8210d478:jusched.exe 1712 1196 1 26 2010-10-29 17:11:50 UTC+0000
. 0x81fc5da0:VMwareTray.exe 1912 1196 1 50 2010-10-29 17:11:50 UTC+0000
volatility -f stuxnet.vmem/stuxnet.vmem dlllist --pid 680
Volatility Foundation Volatility Framework 2.6
************************************************************************
lsass.exe pid: 680
Command line : C:\WINDOWS\system32\lsass.exe
Service Pack 3
Base Size LoadCount Path
---------- ---------- ---------- ----
0x01000000 0x6000 0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x75730000 0xb5000 0xffff C:\WINDOWS\system32\LSASRV.dll
0x71b20000 0x12000 0xffff C:\WINDOWS\system32\MPR.dll
0x7e410000 0x91000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 0xffff C:\WINDOWS\system32\GDI32.dll
0x77b20000 0x12000 0xffff C:\WINDOWS\system32\MSASN1.dll
0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
0x5b860000 0x55000 0xffff C:\WINDOWS\system32\NETAPI32.dll
0x767a0000 0x13000 0xffff C:\WINDOWS\system32\NTDSAPI.dll
0x76f20000 0x27000 0xffff C:\WINDOWS\system32\DNSAPI.dll
0x71ab0000 0x17000 0xffff C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 0xffff C:\WINDOWS\system32\WS2HELP.dll
0x76f60000 0x2c000 0xffff C:\WINDOWS\system32\WLDAP32.dll
0x71bf0000 0x13000 0xffff C:\WINDOWS\system32\SAMLIB.dll
0x74440000 0x6a000 0xffff C:\WINDOWS\system32\SAMSRV.dll
0x76790000 0xc000 0xffff C:\WINDOWS\system32\cryptdll.dll
0x5cb70000 0x26000 0x1 C:\WINDOWS\system32\ShimEng.dll
0x6f880000 0x1ca000 0x1 C:\WINDOWS\AppPatch\AcGenral.DLL
0x76b40000 0x2d000 0x2 C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13d000 0x4 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 0x2 C:\WINDOWS\system32\OLEAUT32.dll
0x77be0000 0x15000 0x1 C:\WINDOWS\system32\MSACM32.dll
0x77c00000 0x8000 0x1 C:\WINDOWS\system32\VERSION.dll
0x7c9c0000 0x817000 0x2 C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000 0x4 C:\WINDOWS\system32\SHLWAPI.dll
0x769c0000 0xb4000 0xf C:\WINDOWS\system32\USERENV.dll
0x5ad70000 0x38000 0x3 C:\WINDOWS\system32\UxTheme.dll
0x773d0000 0x103000 0x1 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 0x9a000 0x1 C:\WINDOWS\system32\comctl32.dll
0x4d200000 0xe000 0x1 C:\WINDOWS\system32\msprivs.dll
0x71cf0000 0x4c000 0x2 C:\WINDOWS\system32\kerberos.dll
0x77c70000 0x24000 0x5 C:\WINDOWS\system32\msv1_0.dll
0x76d60000 0x19000 0x8 C:\WINDOWS\system32\iphlpapi.dll
0x744b0000 0x65000 0x2 C:\WINDOWS\system32\netlogon.dll
0x767c0000 0x2c000 0x2 C:\WINDOWS\system32\w32time.dll
0x76080000 0x65000 0x2 C:\WINDOWS\system32\MSVCP60.dll
0x767f0000 0x27000 0x7 C:\WINDOWS\system32\schannel.dll
0x77a80000 0x95000 0x9 C:\WINDOWS\system32\CRYPT32.dll
0x74380000 0xf000 0x1 C:\WINDOWS\system32\wdigest.dll
0x68000000 0x36000 0x1 C:\WINDOWS\system32\rsaenh.dll
0x74410000 0x2f000 0x1 C:\WINDOWS\system32\scecli.dll
0x77920000 0xf3000 0x1 C:\WINDOWS\system32\SETUPAPI.dll
0x743e0000 0x2f000 0x1 C:\WINDOWS\system32\ipsecsvc.dll
0x776c0000 0x12000 0x1 C:\WINDOWS\system32\AUTHZ.dll
0x75d90000 0xd0000 0x1 C:\WINDOWS\system32\oakley.DLL
0x74370000 0xb000 0x1 C:\WINDOWS\system32\WINIPSEC.DLL
0x71a50000 0x3f000 0x2 C:\WINDOWS\system32\mswsock.dll
0x662b0000 0x58000 0x1 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 0x8000 0x1 C:\WINDOWS\System32\wshtcpip.dll
0x743a0000 0xb000 0x1 C:\WINDOWS\system32\pstorsvc.dll
0x743c0000 0x1b000 0x1 C:\WINDOWS\system32\psbase.dll
0x68100000 0x26000 0x1 C:\WINDOWS\system32\dssenh.dll
volatility -f stuxnet.vmem/stuxnet.vmem malfind --pid 1928
Volatility Foundation Volatility Framework 2.6
Process: lsass.exe Pid: 1928 Address: 0x80000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
0x00080000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00080030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................
0x00080000 4d DEC EBP
0x00080001 5a POP EDX
0x00080002 90 NOP
0x00080003 0003 ADD [EBX], AL
0x00080005 0000 ADD [EAX], AL
0x00080007 000400 ADD [EAX+EAX], AL
0x0008000a 0000 ADD [EAX], AL
0x0008000c ff DB 0xff
0x0008000d ff00 INC DWORD [EAX]
0x0008000f 00b800000000 ADD [EAX+0x0], BH
0x00080015 0000 ADD [EAX], AL
0x00080017 004000 ADD [EAX+0x0], AL
0x0008001a 0000 ADD [EAX], AL
0x0008001c 0000 ADD [EAX], AL
0x0008001e 0000 ADD [EAX], AL
0x00080020 0000 ADD [EAX], AL
0x00080022 0000 ADD [EAX], AL
0x00080024 0000 ADD [EAX], AL
0x00080026 0000 ADD [EAX], AL
0x00080028 0000 ADD [EAX], AL
0x0008002a 0000 ADD [EAX], AL
0x0008002c 0000 ADD [EAX], AL
0x0008002e 0000 ADD [EAX], AL
0x00080030 0000 ADD [EAX], AL
0x00080032 0000 ADD [EAX], AL
0x00080034 0000 ADD [EAX], AL
0x00080036 0000 ADD [EAX], AL
0x00080038 0000 ADD [EAX], AL
0x0008003a 0000 ADD [EAX], AL
0x0008003c 0801 OR [ECX], AL
0x0008003e 0000 ADD [EAX], AL
Process: lsass.exe Pid: 1928 Address: 0x1000000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, Protection: 6
0x01000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01000030 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 ................
0x01000000 4d DEC EBP
0x01000001 5a POP EDX
0x01000002 90 NOP
0x01000003 0003 ADD [EBX], AL
0x01000005 0000 ADD [EAX], AL
0x01000007 000400 ADD [EAX+EAX], AL
0x0100000a 0000 ADD [EAX], AL
0x0100000c ff DB 0xff
0x0100000d ff00 INC DWORD [EAX]
0x0100000f 00b800000000 ADD [EAX+0x0], BH
0x01000015 0000 ADD [EAX], AL
0x01000017 004000 ADD [EAX+0x0], AL
0x0100001a 0000 ADD [EAX], AL
0x0100001c 0000 ADD [EAX], AL
0x0100001e 0000 ADD [EAX], AL
0x01000020 0000 ADD [EAX], AL
0x01000022 0000 ADD [EAX], AL
0x01000024 0000 ADD [EAX], AL
0x01000026 0000 ADD [EAX], AL
0x01000028 0000 ADD [EAX], AL
0x0100002a 0000 ADD [EAX], AL
0x0100002c 0000 ADD [EAX], AL
0x0100002e 0000 ADD [EAX], AL
0x01000030 0000 ADD [EAX], AL
0x01000032 0000 ADD [EAX], AL
0x01000034 0000 ADD [EAX], AL
0x01000036 0000 ADD [EAX], AL
0x01000038 0000 ADD [EAX], AL
0x0100003a 0000 ADD [EAX], AL
0x0100003c d000 ROL BYTE [EAX], 0x1
0x0100003e 0000 ADD [EAX], AL
Process: lsass.exe Pid: 1928 Address: 0x6f0000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
0x006f0000 29 87 7f ae 00 00 00 00 ff ff ff ff 77 35 00 01 )...........w5..
0x006f0010 4b 00 45 00 52 00 4e 00 45 00 4c 00 33 00 32 00 K.E.R.N.E.L.3.2.
0x006f0020 2e 00 44 00 4c 00 4c 00 2e 00 41 00 53 00 4c 00 ..D.L.L...A.S.L.
0x006f0030 52 00 2e 00 30 00 33 00 36 00 30 00 62 00 37 00 R...0.3.6.0.b.7.
0x006f0000 29877fae0000 SUB [EDI+0xae7f], EAX
0x006f0006 0000 ADD [EAX], AL
0x006f0008 ff DB 0xff
0x006f0009 ff DB 0xff
0x006f000a ff DB 0xff
0x006f000b ff7735 PUSH DWORD [EDI+0x35]
0x006f000e 0001 ADD [ECX], AL
0x006f0010 4b DEC EBX
0x006f0011 004500 ADD [EBP+0x0], AL
0x006f0014 52 PUSH EDX
0x006f0015 004e00 ADD [ESI+0x0], CL
0x006f0018 45 INC EBP
0x006f0019 004c0033 ADD [EAX+EAX+0x33], CL
0x006f001d 0032 ADD [EDX], DH
0x006f001f 002e ADD [ESI], CH
0x006f0021 0044004c ADD [EAX+EAX+0x4c], AL
0x006f0025 004c002e ADD [EAX+EAX+0x2e], CL
0x006f0029 004100 ADD [ECX+0x0], AL
0x006f002c 53 PUSH EBX
0x006f002d 004c0052 ADD [EAX+EAX+0x52], CL
0x006f0031 002e ADD [ESI], CH
0x006f0033 0030 ADD [EAX], DH
0x006f0035 0033 ADD [EBX], DH
0x006f0037 0036 ADD [ESI], DH
0x006f0039 0030 ADD [EAX], DH
0x006f003b 006200 ADD [EDX+0x0], AH
0x006f003e 37 AAA
0x006f003f 00 DB 0x0
Process: lsass.exe Pid: 1928 Address: 0x680000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
0x00680000 90 06 68 00 c6 07 68 00 24 00 68 00 a5 04 00 00 ..h...h.$.h.....
0x00680010 f2 04 68 00 48 06 00 00 c9 04 68 00 29 00 00 00 ..h.H.....h.)...
0x00680020 00 00 6f 00 e8 13 00 00 00 5a 77 4d 61 70 56 69 ..o......ZwMapVi
0x00680030 65 77 4f 66 53 65 63 74 69 6f 6e 00 5a 51 81 c1 ewOfSection.ZQ..
0x00680000 90 NOP
0x00680001 06 PUSH ES
0x00680002 6800c60768 PUSH DWORD 0x6807c600
0x00680007 002400 ADD [EAX+EAX], AH
0x0068000a 6800a50400 PUSH DWORD 0x4a500
0x0068000f 00f2 ADD DL, DH
0x00680011 0468 ADD AL, 0x68
0x00680013 004806 ADD [EAX+0x6], CL
0x00680016 0000 ADD [EAX], AL
0x00680018 c9 LEAVE
0x00680019 0468 ADD AL, 0x68
0x0068001b 0029 ADD [ECX], CH
0x0068001d 0000 ADD [EAX], AL
0x0068001f 0000 ADD [EAX], AL
0x00680021 006f00 ADD [EDI+0x0], CH
0x00680024 e813000000 CALL 0x68003c
0x00680029 5a POP EDX
0x0068002a 774d JA 0x680079
0x0068002c 61 POPA
0x0068002d 7056 JO 0x680085
0x0068002f 6965774f665365 IMUL ESP, [EBP+0x77], 0x6553664f
0x00680036 6374696f ARPL [ECX+EBP*2+0x6f], SI
0x0068003a 6e OUTS DX, BYTE [ESI]
0x0068003b 005a51 ADD [EDX+0x51], BL
0x0068003e 81 DB 0x81
0x0068003f c1 DB 0xc1
Process: lsass.exe Pid: 1928 Address: 0x870000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
0x00870000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00870010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00870020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00870030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................
0x00870000 4d DEC EBP
0x00870001 5a POP EDX
0x00870002 90 NOP
0x00870003 0003 ADD [EBX], AL
0x00870005 0000 ADD [EAX], AL
0x00870007 000400 ADD [EAX+EAX], AL
0x0087000a 0000 ADD [EAX], AL
0x0087000c ff DB 0xff
0x0087000d ff00 INC DWORD [EAX]
0x0087000f 00b800000000 ADD [EAX+0x0], BH
0x00870015 0000 ADD [EAX], AL
0x00870017 004000 ADD [EAX+0x0], AL
0x0087001a 0000 ADD [EAX], AL
0x0087001c 0000 ADD [EAX], AL
0x0087001e 0000 ADD [EAX], AL
0x00870020 0000 ADD [EAX], AL
0x00870022 0000 ADD [EAX], AL
0x00870024 0000 ADD [EAX], AL
0x00870026 0000 ADD [EAX], AL
0x00870028 0000 ADD [EAX], AL
0x0087002a 0000 ADD [EAX], AL
0x0087002c 0000 ADD [EAX], AL
0x0087002e 0000 ADD [EAX], AL
0x00870030 0000 ADD [EAX], AL
0x00870032 0000 ADD [EAX], AL
0x00870034 0000 ADD [EAX], AL
0x00870036 0000 ADD [EAX], AL
0x00870038 0000 ADD [EAX], AL
0x0087003a 0000 ADD [EAX], AL
0x0087003c 0801 OR [ECX], AL
0x0087003e 0000 ADD [EAX], AL
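The four commands above are one triage pass over the image; as an added example (not code from the post), the Python below parses pstree rows like the ones shown and flags system processes whose parent or instance count is not what Windows XP normally produces. The embedded rows are copied from the pstree output above (a subset), the expected-parent table is the standard XP process lineage, and the check generalizes beyond lsass.exe to the other core processes.

```python
import re
from collections import Counter

# Rows copied from the pstree output above (a subset of it); parsing and checks are an added example.
PSTREE = """\
0x823c8830:System 4 0 59 403 1970-01-01 00:00:00 UTC+0000
. 0x820df020:smss.exe 376 4 3 19 2010-10-29 17:08:53 UTC+0000
.. 0x821a2da0:csrss.exe 600 376 11 395 2010-10-29 17:08:54 UTC+0000
.. 0x81da5650:winlogon.exe 624 376 19 570 2010-10-29 17:08:54 UTC+0000
... 0x82073020:services.exe 668 624 21 431 2010-10-29 17:08:54 UTC+0000
..... 0x81c0cda0:cmd.exe 968 1664 0 ------ 2011-06-03 04:31:35 UTC+0000
.... 0x81c47c00:lsass.exe 1928 668 4 65 2011-06-03 04:26:55 UTC+0000
.... 0x81c498c8:lsass.exe 868 668 2 23 2011-06-03 04:26:55 UTC+0000
... 0x81e70020:lsass.exe 680 624 19 342 2010-10-29 17:08:54 UTC+0000
"""
# Thds/Hnds read "------" for an exited process (cmd.exe above), so accept dashes in those columns.
ROW = re.compile(r"^\.*\s*0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)\s+(?:\d+|-+)\s+(?:\d+|-+)\s+(\S+ \S+)")
# Expected parent of core Windows XP system processes; each singleton should appear exactly once.
EXPECTED_PARENT = {"smss.exe": "System", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
                   "svchost.exe": "services.exe"}
SINGLETONS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

def parse_pstree(text):
    """Return {pid: (name, ppid, start_time)} for every pstree row that parses."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, pid, ppid, started = m.groups()
            procs[int(pid)] = (name, int(ppid), started)
    return procs

def find_anomalies(procs):
    """Flag duplicated singletons and system processes whose parent is not the expected one."""
    findings = []
    counts = Counter(name for name, _, _ in procs.values())
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append(f"{name}: {counts[name]} instances, expected 1")
    for pid, (name, ppid, started) in sorted(procs.items()):
        want = EXPECTED_PARENT.get(name)
        if want is None:
            continue  # not a process we have a lineage rule for
        parent = procs[ppid][0] if ppid in procs else "<not in list>"
        if parent != want:
            findings.append(f"{name} pid {pid}: parent {parent} ({ppid}), expected {want}, started {started}")
    return findings
```

On the rows above it reports three lsass.exe instances and that PIDs 868 and 1928 were spawned by services.exe rather than winlogon.exe, which is why 1928 was the one worth a malfind pass.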
That's all.