Overview
I looked into how volatility is used.
I tried malconfscan.
volatility malconfscan -f zeus.vmem/zeus.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
volatility malconfscan -f stuxnet.vmem/stuxnet.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
volatility malconfscan -f laqma.vmem/laqma.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
Traceback (most recent call last):
File "/usr/bin/volatility", line 192, in <module>
main()
File "/usr/bin/volatility", line 183, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 147, in execute
func(outfd, data)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 101, in render_text
for task, start, end, malname, memory_model, config_data in data:
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 87, in calculate
for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 236, in calculate
dec = self.custom_rc4(enc, key, rc4key_seed)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 97, in custom_rc4
for char in data:
TypeError: 'NoneType' object is not iterable
volatility malconfscan -f be2.vmem/be2.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
volatility malconfscan -f coreflood.vmem/coreflood.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
Traceback (most recent call last):
File "/usr/bin/volatility", line 192, in <module>
main()
File "/usr/bin/volatility", line 183, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 147, in execute
func(outfd, data)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 101, in render_text
for task, start, end, malname, memory_model, config_data in data:
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 87, in calculate
for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 236, in calculate
dec = self.custom_rc4(enc, key, rc4key_seed)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 97, in custom_rc4
for char in data:
TypeError: 'NoneType' object is not iterable
volatility malconfscan -f sality.vmem/sality.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
volatility malconfscan -f silentbanker.vmem/silentbanker.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
Traceback (most recent call last):
File "/usr/bin/volatility", line 192, in <module>
main()
File "/usr/bin/volatility", line 183, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 147, in execute
func(outfd, data)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 101, in render_text
for task, start, end, malname, memory_model, config_data in data:
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 87, in calculate
for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 236, in calculate
dec = self.custom_rc4(enc, key, rc4key_seed)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 97, in custom_rc4
for char in data:
TypeError: 'NoneType' object is not iterable
volatility malconfscan -f tigger.vmem/tigger.vmem
Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
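The three tracebacks above (laqma, coreflood, silentbanker) all end the same way: custom_rc4 in datperscan.py iterates over data, and data is None, so the encrypted blob read just before it (line 236, dec = self.custom_rc4(enc, key, rc4key_seed)) came back empty, most likely because the region the rule matched was not fully resident in the image. One unguarded hit then aborts the whole malconfscan run, so any configs the other rules would have found are lost with it. Below is an added, self-contained Python illustration of that failure mode and of the check that avoids it. This is not MalConfScan's or datperscan.py's code: the rc4 routine is textbook RC4 standing in for the plugin's custom variant (whose details are not shown on the page), and FakeAddressSpace, SAMPLE_SPACE, KEY and CONFIG are constructed here for the example.

```python
# Added illustration, not code from MalConfScan / datperscan.py: why a None
# buffer reaches the RC4 loop in the traceback, and how a guarded extraction
# step skips the hit instead of crashing the whole plugin run.
from typing import Dict, Optional

PAGE_MASK = 0xFFF


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA).  Assumption: stands in for the plugin's
    custom_rc4, whose exact variant is not shown on the page."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # the loop that raised TypeError when data was None
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class FakeAddressSpace:
    """Constructed stand-in for a Volatility address space: page base -> page
    bytes.  A read from an unmapped page returns None, which is what
    Volatility 2's read() does when a page is unavailable."""

    def __init__(self, pages: Dict[int, bytes]) -> None:
        self.pages = pages

    def read(self, offset: int, length: int) -> Optional[bytes]:
        page = self.pages.get(offset & ~PAGE_MASK)
        if page is None:
            return None
        start = offset & PAGE_MASK
        return page[start:start + length]


def unguarded_extract(space: FakeAddressSpace, enc_offset: int,
                      enc_len: int, key: bytes) -> bytes:
    """Mirrors the failing path: read, then decrypt with no None check."""
    enc = space.read(enc_offset, enc_len)
    return rc4(key, enc)  # TypeError if enc is None


def guarded_extract(space: FakeAddressSpace, enc_offset: int,
                    enc_len: int, key: bytes) -> Optional[bytes]:
    """Same step with the check the traceback shows is missing: an
    unavailable or short buffer yields None so the caller can report
    'config not recoverable' for this hit and continue with the next."""
    enc = space.read(enc_offset, enc_len)
    if enc is None or len(enc) < enc_len:
        return None
    return rc4(key, enc)


# Constructed sample: the encrypted config sits 0x10 bytes into page 0x1000;
# page 0x2000 is deliberately absent to model a paged-out region.
KEY = b"Key"
CONFIG = b"Plaintext"
ENC_BLOB = rc4(KEY, CONFIG)  # RC4 is symmetric, so rc4(KEY, ENC_BLOB) == CONFIG
SAMPLE_SPACE = FakeAddressSpace({
    0x1000: b"\x00" * 0x10 + ENC_BLOB + b"\x00" * (0x1000 - 0x10 - len(ENC_BLOB)),
})


def reproduces_crash() -> bool:
    """True if the unguarded path fails the same way as the traceback."""
    try:
        unguarded_extract(SAMPLE_SPACE, 0x2010, len(ENC_BLOB), KEY)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(guarded_extract(SAMPLE_SPACE, 0x1010, len(ENC_BLOB), KEY))  # b'Plaintext'
    print(guarded_extract(SAMPLE_SPACE, 0x2010, len(ENC_BLOB), KEY))  # None
    print(reproduces_crash())  # True
```

The practical point for an analyst is the difference between the two extract functions: with the guard, a hit whose config region is paged out is reported as unrecoverable and the scan goes on to the remaining processes and rules, whereas without it the first such hit takes the entire run down.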
That's all.