
Part 4: Studying memory dumps on a real machine (dlllist, filescan, dumpfiles)

Posted at 2026-04-05

Introduction

This article is part of my effort to take a memory dump of a real machine and study what is inside it. I am a beginner, so if I have misunderstood something, please leave a comment. FTK Imager is used to take the memory dump and Volatility3 to analyse it.
Once again: I am a beginner. Please be kind.

About DLLs

Almost every process has DLLs loaded into it. In one sentence, a DLL is a library. A DLL contains functions and resources (data such as images and icons).

To list the DLLs loaded into each process, the dlllist command is the one to use.

$ vol3 -f memdump.mem windows.dlllist

Volatility 3 Framework 2.28.0   PDB scanning finished

PID     Process Base    Size    Name    Path    LoadCount       LoadTime        File output

808     smss.exe        0x7ff792820000  0x37000 smss.exe        \SystemRoot\System32\smss.exe   -1      2026-03-26 00:02:28.000000 UTC  Disabled
808     smss.exe        0x7ff8072a0000  0x267000        -       -       -1      2026-03-26 00:02:28.000000 UTC  Disabled
1132    csrss.exe       0x37b900000002  0x9e5   -       -       1501    2322-06-03 17:58:48.000000 UTC  Disabled
1220    wininit.exe     0x7ff6cb350000  0xc6000 wininit.exe     C:\WINDOWS\system32\wininit.exe -1      2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff8072a0000  0x267000        ntdll.dll       C:\WINDOWS\SYSTEM32\ntdll.dll   -1      2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff805ac0000  0xc9000 KERNEL32.DLL    C:\WINDOWS\SYSTEM32\KERNEL32.DLL        -1      2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff803c30000  0x3f1000        KERNELBASE.dll  C:\WINDOWS\SYSTEM32\KERNELBASE.dll      -1      2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff804680000  0x14b000        ucrtbase.dll    C:\WINDOWS\SYSTEM32\ucrtbase.dll        6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff806740000  0x382000        combase.dll     C:\WINDOWS\SYSTEM32\combase.dll 6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff805640000  0xa7000 sechost.dll     C:\WINDOWS\SYSTEM32\sechost.dll 6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff805520000  0x118000        RPCRT4.dll      C:\WINDOWS\system32\RPCRT4.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff805d70000  0xbb000 advapi32.dll    C:\WINDOWS\SYSTEM32\advapi32.dll        6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff805a90000  0x20000 imagehlp.dll    C:\WINDOWS\system32\imagehlp.dll        6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff8050b0000  0xa9000 msvcrt.dll      C:\WINDOWS\system32\msvcrt.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff803aa0000  0x29000 profapi.dll     C:\WINDOWS\system32\profapi.dll 6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff803a70000  0x2a000 bcrypt.dll      C:\WINDOWS\system32\bcrypt.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff803a50000  0x16000 wininitext.dll  C:\WINDOWS\SYSTEM32\wininitext.dll      6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff805350000  0x1c5000        USER32.dll      C:\WINDOWS\system32\USER32.dll  -1      2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff8041a0000  0x27000 win32u.dll      C:\WINDOWS\system32\win32u.dll  -1      2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff8057c0000  0x2b000 GDI32.dll       C:\WINDOWS\system32\GDI32.dll   6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff804550000  0x12b000        gdi32full.dll   C:\WINDOWS\SYSTEM32\gdi32full.dll       6       2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff8040f0000  0xa3000 msvcp_win.dll   C:\WINDOWS\system32\msvcp_win.dll       -1      2026-03-26 00:04:04.000000 UTC  Disabled
1220    wininit.exe     0x7ff802b80000  0x49000 SspiCli.dll     C:\WINDOWS\system32\SspiCli.dll 6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff803b80000  0xa5000 bcryptprimitives.dll    C:\WINDOWS\system32\bcryptprimitives.dll        -1      2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff8022a0000  0xf000  DiagnosticDataSettings.dll      C:\WINDOWS\system32\DiagnosticDataSettings.dll  6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff802f10000  0x32000 USERENV.dll     C:\WINDOWS\system32\USERENV.dll 6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff802140000  0x30000 profext.dll     C:\WINDOWS\SYSTEM32\profext.dll 6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff802260000  0x30000 coreprivacysettingsstore.dll    C:\WINDOWS\SYSTEM32\coreprivacysettingsstore.dll        6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff802080000  0xae000 firewallapi.dll C:\WINDOWS\SYSTEM32\firewallapi.dll     6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff802030000  0x44000 fwbase.dll      C:\WINDOWS\system32\fwbase.dll  6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff805230000  0x74000 WS2_32.dll      C:\WINDOWS\SYSTEM32\WS2_32.dll  6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff802e60000  0x6b000 mswsock.dll     C:\WINDOWS\system32\mswsock.dll 6       2026-03-26 00:04:05.000000 UTC  Disabled
1220    wininit.exe     0x7ff800f50000  0x29000 wtsapi32.dll    C:\WINDOWS\SYSTEM32\wtsapi32.dll        6       2026-03-26 15:58:25.000000 UTC  Disabled
1220    wininit.exe     0x7ff804340000  0x177000        CRYPT32.dll     C:\WINDOWS\system32\CRYPT32.dll 6       2026-03-26 15:58:25.000000 UTC  Disabled
1220    wininit.exe     0x7ff8033b0000  0x63000 WINSTA.dll      C:\WINDOWS\system32\WINSTA.dll  6       2026-03-26 15:58:25.000000 UTC  Disabled
1308    services.exe    0x7ff6de500000  0xd9000 services.exe    C:\WINDOWS\system32\services.exe        -1      2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff8072a0000  0x267000        ntdll.dll       C:\WINDOWS\SYSTEM32\ntdll.dll   -1      2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff805ac0000  0xc9000 KERNEL32.DLL    C:\WINDOWS\SYSTEM32\KERNEL32.DLL        -1      2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff803c30000  0x3f1000        KERNELBASE.dll  C:\WINDOWS\SYSTEM32\KERNELBASE.dll      -1      2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff805520000  0x118000        RPCRT4.dll      C:\WINDOWS\SYSTEM32\RPCRT4.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff805640000  0xa7000 sechost.dll     C:\WINDOWS\SYSTEM32\sechost.dll 6       2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff8037e0000  0xa000  DPAPI.dll       C:\WINDOWS\SYSTEM32\DPAPI.dll   6       2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff8037c0000  0x18000 EventAggregation.dll    C:\WINDOWS\SYSTEM32\EventAggregation.dll        6       2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff804680000  0x14b000        ucrtbase.dll    C:\WINDOWS\SYSTEM32\ucrtbase.dll        6       2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff803790000  0x2d000 DEVOBJ.dll      C:\WINDOWS\SYSTEM32\DEVOBJ.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff803730000  0x57000 cfgmgr32.dll    C:\WINDOWS\SYSTEM32\cfgmgr32.dll        6       2026-03-26 00:04:04.000000 UTC  Disabled
1308    services.exe    0x7ff802560000  0x95000 scesrv.dll      C:\WINDOWS\SYSTEM32\scesrv.dll  6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff8050b0000  0xa9000 msvcrt.dll      C:\WINDOWS\system32\msvcrt.dll  6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff802b80000  0x49000 sspicli.dll     C:\WINDOWS\system32\sspicli.dll 6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff802480000  0x50000 AUTHZ.dll       C:\WINDOWS\system32\AUTHZ.dll   6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff802430000  0x40000 WudfPlatform.dll        C:\WINDOWS\system32\WudfPlatform.dll    6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff803b80000  0xa5000 bcryptPrimitives.dll    C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll        -1      2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff803aa0000  0x29000 profapi.dll     C:\WINDOWS\SYSTEM32\profapi.dll 6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff800fb0000  0x8000  DABAPI.dll      C:\WINDOWS\SYSTEM32\DABAPI.dll  6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ffff7260000  0x1f000 -       -       6       2026-03-26 00:04:05.000000 UTC  Disabled
1308    services.exe    0x7ff800e90000  0x9f000 -       -       -1      2026-03-26 00:04:06.000000 UTC  Disabled
1308    services.exe    0x7fffeca60000  0x29000 srvcli.dll      C:\WINDOWS\SYSTEM32\srvcli.dll  6       2026-03-26 00:04:06.000000 UTC  Disabled
1308    services.exe    0x7fffdff90000  0x5d000 capauthz.dll    C:\WINDOWS\SYSTEM32\capauthz.dll        6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff8028e0000  0x1b000 kernel.appcore.dll      C:\WINDOWS\SYSTEM32\kernel.appcore.dll  6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff8015f0000  0x36000 rmclient.dll    C:\WINDOWS\SYSTEM32\rmclient.dll        6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7fffdee00000  0x11d000        daxexec.dll     C:\WINDOWS\SYSTEM32\daxexec.dll 6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff803a70000  0x2a000 bcrypt.dll      C:\WINDOWS\system32\bcrypt.dll  -1      2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff803370000  0x30000 ncrypt.dll      C:\WINDOWS\system32\ncrypt.dll  6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff8040f0000  0xa3000 msvcp_win.dll   C:\WINDOWS\system32\msvcp_win.dll       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7fffe95c0000  0x21000 MPR.dll C:\WINDOWS\system32\MPR.dll     6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff805e70000  0xd7000 OLEAUT32.dll    C:\WINDOWS\system32\OLEAUT32.dll        6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff806740000  0x382000        combase.dll     C:\WINDOWS\SYSTEM32\combase.dll 6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7fffdfb80000  0x4b000 container.dll   C:\WINDOWS\system32\container.dll       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff803320000  0x3f000 NTASN1.dll      C:\WINDOWS\system32\NTASN1.dll  6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff805170000  0xae000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff805350000  0x1c5000        -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff8041a0000  0x27000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff8057c0000  0x2b000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff804550000  0x12b000        gdi32full.dll   C:\WINDOWS\SYSTEM32\gdi32full.dll       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7fffe23c0000  0xc4000 Windows.StateRepositoryPS.dll   C:\Windows\System32\Windows.StateRepositoryPS.dll       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7fffdf330000  0x6b000 AppXAllUserStore.dll    C:\WINDOWS\system32\AppXAllUserStore.dll        6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7fffeca10000  0x47000 windows.staterepositoryclient.dll       C:\WINDOWS\SYSTEM32\windows.staterepositoryclient.dll   6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ffff02e0000  0x1a000 windows.staterepositorycore.dll C:\WINDOWS\SYSTEM32\windows.staterepositorycore.dll     6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ffff7290000  0x21000 licensemanagerapi.dll   C:\WINDOWS\SYSTEM32\licensemanagerapi.dll       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff805d70000  0xbb000 advapi32.dll    C:\WINDOWS\SYSTEM32\advapi32.dll        6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff802a00000  0x36000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff8047d0000  0x864000        windows.storage.dll     C:\WINDOWS\SYSTEM32\windows.storage.dll 6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff8057f0000  0xf7000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff805040000  0x67000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff805230000  0x74000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ff802e60000  0x6b000 -       -       6       2026-03-26 00:04:08.000000 UTC  Disabled
1308    services.exe    0x7ffffeba0000  0x17000 usermgrcli.dll  C:\WINDOWS\SYSTEM32\usermgrcli.dll      6       2026-03-26 00:04:09.000000 UTC  Disabled
1380    lsass.exe       0x7ff769c30000  0x12000 lsass.exe       C:\WINDOWS\system32\lsass.exe   -1      2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff8072a0000  0x267000        ntdll.dll       C:\WINDOWS\SYSTEM32\ntdll.dll   -1      2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff805ac0000  0xc9000 KERNEL32.DLL    C:\WINDOWS\System32\KERNEL32.DLL        -1      2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff803c30000  0x3f1000        KERNELBASE.dll  C:\WINDOWS\System32\KERNELBASE.dll      -1      2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff805520000  0x118000        RPCRT4.dll      C:\WINDOWS\System32\RPCRT4.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff803560000  0x1b7000        lsasrv.dll      C:\WINDOWS\system32\lsasrv.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff804680000  0x14b000        ucrtbase.dll    C:\WINDOWS\System32\ucrtbase.dll        -1      2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff8040f0000  0xa3000 msvcp_win.dll   C:\WINDOWS\System32\msvcp_win.dll       6       2026-03-26 00:04:04.000000 UTC  Disabled
1380    lsass.exe       0x7ff803520000  0x37000 LSAADT.dll      C:\WINDOWS\system32\LSAADT.dll  6       2026-03-26 00:04:04.000000 UTC  Disabled

Most DLLs live under C:\WINDOWS\system32, C:\WINDOWS\SYSTEM32 or C:\WINDOWS\System32 (the same directory, only written with different capitalisation). A DLL loaded from any other path is a little suspicious, so pay attention to it.
Note: the output is very long, so when you only want to see the DLLs of one suspicious process, narrow it down with --pid <pid>. (The option works with other commands too.)
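To make that rule of thumb mechanical, here is an added example (mine, not code from the post) that parses dlllist output as Volatility3 prints it (tab-separated) and flags the rows worth a closer look; the sample rows are taken from the table above plus one constructed row (PID 4321, example.exe, helper.dll).

```python
"""Triage of Volatility3 windows.dlllist output (added example, not from the post).

Flags rows worth a closer look: a module with no name/path ("-", i.e. a mapping not
backed by a file), a DLL loaded from outside System32 (the rule of thumb in the text;
Program Files and WinSxS are legitimate too, so treat it as a hint, not a verdict),
and a LoadTime after the capture date, which usually means the structure was only
partially recovered from memory. Rows are from the post's table plus one constructed.
"""
import re

COLUMNS = ("PID", "Process", "Base", "Size", "Name", "Path",
           "LoadCount", "LoadTime", "File output")
# \SystemRoot\System32\... and C:\WINDOWS\system32\... (any case) count as System32.
SYSTEM32 = re.compile(r"^(\\systemroot|c:\\windows)\\system32\\", re.IGNORECASE)

SAMPLE_ROWS = [
    ("1220", "wininit.exe", "0x7ff8072a0000", "0x267000", "ntdll.dll",
     r"C:\WINDOWS\SYSTEM32\ntdll.dll", "-1", "2026-03-26 00:04:04.000000 UTC", "Disabled"),
    ("1308", "services.exe", "0x7ffff7260000", "0x1f000", "-",
     "-", "6", "2026-03-26 00:04:05.000000 UTC", "Disabled"),
    ("1132", "csrss.exe", "0x37b900000002", "0x9e5", "-",
     "-", "1501", "2322-06-03 17:58:48.000000 UTC", "Disabled"),
    ("4321", "example.exe", "0x7ff8aa000000", "0x20000", "helper.dll",  # constructed
     r"C:\Users\Public\helper.dll", "1", "2026-03-26 10:00:00.000000 UTC", "Disabled"),
]
SAMPLE_DLLLIST = ("Volatility 3 Framework 2.28.0\n" + "\t".join(COLUMNS) + "\n"
                  + "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n")

def parse_dlllist(text):
    """Return one dict per data row of the tab-separated dlllist table."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(COLUMNS) or parts[0] == "PID":
            continue  # banner, header or blank line
        rows.append(dict(zip(COLUMNS, parts)))
    return rows

def triage(rows, capture_year=2026):
    """Return (pid, process, name, path, reasons) for every row worth a look."""
    findings = []
    for r in rows:
        reasons = []
        if r["Name"] == "-" or r["Path"] == "-":
            reasons.append("no backing file name/path")
        elif not SYSTEM32.match(r["Path"]):
            reasons.append("loaded from outside System32")
        year = r["LoadTime"][:4]
        if year.isdigit() and int(year) > capture_year:
            reasons.append("implausible LoadTime")
        if reasons:
            findings.append((int(r["PID"]), r["Process"], r["Name"], r["Path"], reasons))
    return findings
```

Feed it the real output with `parse_dlllist(open("dlllist.txt").read())`; the csrss row with a LoadTime in the year 2322 is exactly the kind of partially recovered entry the last check catches.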

About filescan

With the windows.filescan command you can find traces of every file object present in the memory dump, including, of course, the DLLs seen above. Whether a given file can actually be dumped depends on whether its data is still present in memory.

$ vol3 -f memdump.mem windows.filescan | head -50

Offset  Name

0xa601801f1a90  \Windows\apppatch\DirectXApps.sdb
0xcf0f4f3f6220  \$LogFile
0xcf0f4f3f6500  \$Mft::$BITMAP
0xcf0f4f3f67e0  \$Secure:$SII:$INDEX_ALLOCATION
0xcf0f4f3f6c30  \$MapAttributeValue
0xcf0f4f3f71f0  \$Mft
0xcf0f4f3f74d0  \$BitMap
0xcf0f4f3f7920  \$Secure:$SDS:$DATA
0xcf0f4f3f7a90  \Windows\SysWOW64\ntdll.dll
0xcf0f4f3f7d70  \$MftMirr
0xcf0f4f3f7ee0  TxfLog
0xcf0f4f4150d0  \CMNotify
0xcf0f551600b0  \$Directory
0xcf0f55160220  KtmLog
0xcf0f55160390  \$Secure:$SDH:$INDEX_ALLOCATION
0xcf0f55160500  \:$I30:$INDEX_ALLOCATION
0xcf0f55160670  \Device\HarddiskVolume3\$Extend\$RmMetadata\$TxfLog\$TxfLog
0xcf0f551607e0  \$Directory
0xcf0f55160da0  \$Extend\$Reparse:$R:$INDEX_ALLOCATION
0xcf0f551611f0  \$Directory
0xcf0f55161360  \Windows\System32\drivers\ja-JP\ntfs.sys.mui
0xcf0f551614d0  \$Extend\$RmMetadata\$TxfLog\$Tops:$T:$DATA
0xcf0f55161640  \Device\HarddiskVolume3\$Extend\$RmMetadata\$TxfLog\$TxfLog
0xcf0f55161920  \Windows\System32\drivers\crashdmp.sys
0xcf0f55161c00  \$Directory
0xcf0f55161d70  \$Extend\$RmMetadata\$TxfLog\$Tops
0xcf0f55161ee0  \$Extend\$RmMetadata\$Txf:$I30:$INDEX_ALLOCATION
0xcf0f5518c0b0  \$Directory
0xcf0f5518c220  \Windows\System32\drivers\cdrom.sys
0xcf0f5518c500  \Program Files\Riot Vanguard\vgk.sys
0xcf0f5518d080  \$Directory
0xcf0f5518d360  \$Directory
0xcf0f5518d640  \$Secure:$SDS:$DATA
0xcf0f5518d7b0  \$ConvertToNonresident
0xcf0f5518d920  \Windows\System32\vertdll.dll
0xcf0f5518da90  \Program Files\Riot Vanguard\Logs\vgk_2026-03-26_09-02-20.log
0xcf0f5518dd70  \$Directory
0xcf0f551c30b0  \$Directory
0xcf0f551c3220  \$Extend\$RmMetadata\$TxfLog:$I30:$INDEX_ALLOCATION
0xcf0f551c3390  \Windows\System32\drivers\stornvme.sys
0xcf0f551c3670  \$Extend\$RmMetadata\$Repair:$Corrupt:$DATA

If a file catches your eye, try dumping it.
windows.dumpfiles can dump it.
For the dump I recommend specifying the virtual address (--virtaddr <address>).

$ vol3 -f memdump.mem windows.dumpfiles --virtaddr <address>
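As an added example (not part of the post), the following script turns filescan output into the matching dumpfiles commands. It assumes the offset/name rows as printed above; note that in Volatility3 the filescan Offset column is a physical address, so the generated commands use --physaddr, while --virtaddr is for addresses taken from a virtual-memory view such as windows.handles.

```python
"""From windows.filescan to windows.dumpfiles (added example, not from the post).

Parses the two-column filescan table, selects the file objects worth dumping and
returns one dumpfiles command per selection. Names are de-duplicated because the
same path often appears at several offsets (one _FILE_OBJECT per open instance).
Caveat: in Volatility3 the filescan Offset is a physical address, so the commands
use --physaddr; --virtaddr is for addresses from a virtual view (windows.handles).
Sample rows are copied from the filescan output shown in the post.
"""
import re

# e.g. "0xcf0f5518c500  \Program Files\Riot Vanguard\vgk.sys": offset, blanks, name
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S.*)$")

SAMPLE_FILESCAN = r"""Offset  Name
0xcf0f4f3f7a90  \Windows\SysWOW64\ntdll.dll
0xcf0f551600b0  \$Directory
0xcf0f551607e0  \$Directory
0xcf0f5518c220  \Windows\System32\drivers\cdrom.sys
0xcf0f5518c500  \Program Files\Riot Vanguard\vgk.sys
0xcf0f5518da90  \Program Files\Riot Vanguard\Logs\vgk_2026-03-26_09-02-20.log
"""

def parse_filescan(text):
    """Return [(offset, name)] for every data row; banner and header are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2).rstrip()))
    return rows

def select_files(rows, pattern, exclude=None):
    """Keep names matching `pattern` (and not `exclude`), first offset per name."""
    want = re.compile(pattern, re.IGNORECASE)
    skip = re.compile(exclude, re.IGNORECASE) if exclude else None
    seen, picked = set(), []
    for off, name in rows:
        if want.search(name) and not (skip and skip.search(name)) and name not in seen:
            seen.add(name)
            picked.append((off, name))
    return picked

def dumpfiles_commands(picked, image="memdump.mem", outdir="dumped", addr_flag="--physaddr"):
    """One vol3 invocation per selected file object; -o sets the output directory."""
    return [f"vol3 -f {image} -o {outdir} windows.dumpfiles {addr_flag} {off:#x}"
            for off, _ in picked]

if __name__ == "__main__":
    # binaries that live outside the Windows directory are a natural first pick
    rows = parse_filescan(SAMPLE_FILESCAN)
    for cmd in dumpfiles_commands(select_files(rows, r"\.(sys|dll|exe)$", r"^\\windows\\")):
        print(cmd)
```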

Summary

It is short, but this time I summarised the DLLs and file objects that exist in memory. I do not know whether this is used in real-world work, but my impression is that it comes up in CTF problems of the "dump something" type. Next time I will probably cover the registry, or the relationship between a process's internal structures and memory.
