Memory forensics is a branch of computer forensics: it locates, extracts and analyses volatile evidence from a computer's physical memory and its page file. The workflow is to acquire a memory dump through a hardware interface, an acquisition tool, or a virtual-machine snapshot, write that dump to non-volatile storage, and then analyse it with a dedicated framework such as the Volatility Framework or Rekall.
There are many ways to acquire a memory image, and the right one depends on the situation. The decision tree in the figure below shows which acquisition method fits which case:
If the target is a virtual machine, use the hypervisor's suspend function to pause the running guest. Suspending is preferable to running a tool inside the guest because nothing is executed in the target and its memory is not disturbed.
The VM's directory will then contain a file with the .vmem extension, which holds the guest's entire physical memory (for VMware the suspended device state is written alongside it to a .vmss file, and snapshots produce .vmsn files).
Alternatively, acquire the dump with software. DumpIt is recommended here: copy it to the target system, run it as an administrator (it loads a kernel driver), confirm with y + Enter, and once it reports that the dump succeeded a file with the .raw extension appears in the same directory. Keep in mind that running an acquisition tool on a live system necessarily changes some of its memory, so record what you ran and when.
These two methods are the ones the author currently uses most often; for the other acquisition techniques see the book The Art of Memory Forensics.
The mainstream way to analyse a memory image today is the Volatility memory forensics framework.
The Volatility Framework is an open-source memory forensics framework released under the GNU GPL and written in Python. It supports 32- and 64-bit Windows, Linux, Mac OS and Android across most versions of those systems. Its greatest strength is extensibility: an examiner can write plugins against the framework's base interfaces to analyse the data in memory from different angles and satisfy different forensic needs.
Commonly used Volatility plugins are (each is invoked as vol.py -f <image> --profile=<profile> <plugin>):
Many other plugins implement further functions; rather than running each of them, here is the full list of Volatility plugins and what they do, as reported by vol.py --info:
Shellcode injection is a process-injection technique. Its main steps are:
1. Call OpenProcess() to obtain a handle to the victim process.
2. Call VirtualAllocEx() to allocate memory inside the victim. The allocation must carry execute permission (for example PAGE_EXECUTE_READWRITE); otherwise DEP prevents the injected code from running.
3. Call WriteProcessMemory() to write the shellcode into the allocated memory.
4. Call CreateRemoteThread() to start a new thread whose start address is the beginning of the shellcode, which executes it.
Once the shellcode has been injected and executed, the victim process contains pages protected with execute permission, so the NX bit of the corresponding PTEs is 0. A normal process almost never executes code out of memory it allocated at run time, that is, dynamically allocated memory normally does not have execute permission; this property can be used to check whether a process's address space contains shellcode. The notable exception is JIT-compiling code such as .NET or browser JavaScript engines, which legitimately create executable private memory and have to be expected as false positives.
The detection approach is as follows:
1. Split the process's user address space into file-mapped regions and non-file-mapped regions. File-mapped regions are mainly the executable and modules loaded by the process, such as exe, dll and nls files; non-file-mapped regions are buffers such as the heap and stacks, which almost never receive executable pages. The split is needed because mapped image files legitimately contain executable pages, and those must be excluded to avoid false positives.
2. Collect the PTEs of every page in the non-file-mapped regions.
3. Check the NX bit of each of those PTEs (on x64 this is bit 63 of the PTE, the XD bit).
4. A page whose NX bit is 0 may be an injected page.
5. Output the address and contents of each such page.
Generate the shellcode on Kali:
The shellcode generated here simply pops up a message box.
Compile and run the injector code:
After it starts, enter the PID of the process to inject into; here the taskhostw.exe process is chosen.
After entering the PID shown in Task Manager, the program reports that the shellcode was injected and executed successfully.
Once the shellcode has finished running, take a memory dump (DumpIt is used here) and then run the author's own Volatility plugin against it to detect the malicious code.
The source of the shellcode-detection plugin is on my GitHub; its key parts are shown below:
This function extracts every page that has execute permission.
This function extracts the executable pages that lie in non-file-mapped regions.
Run the plugin and look at the result:
The plugin reports two suspicious pages, at 0x28f07b90000 and 0x7fffa2581000.
Inspect the contents of these addresses in volshell:
The contents at 0x28f07b90000 are exactly the shellcode, so the injected page has been detected successfully. Every hit should be examined the same way; the second address has to be inspected too before it can be ruled out.
Evasion idea: because the plugin's detection relies on the NX bit of the PTE, the injector can call VirtualProtect() after the shellcode has run to make the region non-executable again, and the plugin will no longer detect it. Cross-checking the PTE state against the protection recorded in the VAD at allocation time (the value malfind looks at) narrows this gap, because a region that was allocated executable but is now NX is itself anomalous.
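The following is an added example, not the author's Volatility plugin or any Volatility code: a self-contained Python model of the two steps described above (collect executable pages from their PTEs, then discard the ones inside file-backed mappings) together with the VirtualProtect() evasion just discussed. It assumes the x64 long-mode PTE layout (bit 0 = Present, bit 63 = XD, i.e. the NX bit) with 4 KiB pages, and it represents the VAD tree as a flat list of regions labelled file-backed or not. All addresses, page frame numbers and region names are constructed for the demo; the function names are the example's own.

```python
from typing import Dict, List, NamedTuple, Optional

PAGE_SIZE = 0x1000
# x64 long-mode PTE bits used by the check (assumption: 4-level paging, 4 KiB pages)
PTE_PRESENT = 1 << 0    # page is mapped
PTE_RW      = 1 << 1    # writable
PTE_USER    = 1 << 2    # user-mode accessible
PTE_NX      = 1 << 63   # XD / "NX": 1 = execute disabled, 0 = executable


class Region(NamedTuple):
    """A VAD-like description of one range of the user address space."""
    start: int
    end: int            # exclusive
    file_backed: bool   # True for image/section mappings (exe, dll, nls)
    name: str


def make_pte(pfn: int, nx: bool, rw: bool = True) -> int:
    """Build a present user-mode PTE for page frame number `pfn`."""
    pte = PTE_PRESENT | PTE_USER | (pfn << 12)
    if rw:
        pte |= PTE_RW
    if nx:
        pte |= PTE_NX
    return pte


def executable_pages(ptes: Dict[int, int]) -> List[int]:
    """Step 1 of the plugin: every present page whose PTE has NX cleared."""
    return sorted(va for va, pte in ptes.items()
                  if pte & PTE_PRESENT and not pte & PTE_NX)


def region_of(va: int, regions: List[Region]) -> Optional[Region]:
    for r in regions:
        if r.start <= va < r.end:
            return r
    return None


def suspicious_pages(ptes: Dict[int, int], regions: List[Region]) -> List[int]:
    """Step 2: keep only executable pages outside file-backed mappings.

    Image sections (.text of exe/dll) are executable by design and are dropped;
    what survives is executable heap/stack/private memory, which a normal,
    non-JIT process almost never has, plus executable pages no VAD covers.
    """
    hits = []
    for va in executable_pages(ptes):
        r = region_of(va, regions)
        if r is None or not r.file_backed:
            hits.append(va)
    return hits


def describe(va: int, regions: List[Region]) -> str:
    r = region_of(va, regions)
    return f"{va:#x} in {r.name}" if r else f"{va:#x} not covered by any VAD"


def virtualprotect_noexec(ptes: Dict[int, int], va: int) -> None:
    """Model VirtualProtect(va, ..., PAGE_READWRITE) issued after the shellcode
    ran: the kernel sets NX on the PTE and the page drops out of the scan."""
    ptes[va] |= PTE_NX


def build_sample():
    """Constructed address space: a DLL, a heap, one RWX injection, one stray page."""
    regions = [
        Region(0x7FFA25800000, 0x7FFA25900000, True,  "kernel32.dll"),
        Region(0x28F07A00000,  0x28F07B00000,  False, "heap"),
        Region(0x28F07B90000,  0x28F07B91000,  False, "private (VirtualAllocEx RWX)"),
    ]
    ptes = {
        0x7FFA25801000: make_pte(0x1000, nx=False, rw=False),  # DLL .text: legit code
        0x7FFA25850000: make_pte(0x1001, nx=True),             # DLL .data
        0x28F07A00000:  make_pte(0x2000, nx=True),             # heap page, NX set
        0x28F07B90000:  make_pte(0x3000, nx=False),            # injected shellcode
        0x7FFFA2581000: make_pte(0x4000, nx=False),            # executable, no VAD
    }
    return ptes, regions


if __name__ == "__main__":
    ptes, regions = build_sample()
    for va in suspicious_pages(ptes, regions):
        print("suspicious:", describe(va, regions))
    virtualprotect_noexec(ptes, 0x28F07B90000)       # attacker's evasion
    print("after VirtualProtect:", [hex(v) for v in suspicious_pages(ptes, regions)])
```

Run as a script it first reports the injected private page and the stray executable page, while the DLL's .text page is filtered out as file-backed; after the modelled VirtualProtect() call the injected page disappears from the result, which is exactly the blind spot of a check that looks at PTE bits alone.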
References:
The Art of Memory Forensics
Injecting shellcode into process memory (将ShellCode注入进程内存)
Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries
amcache              Print AmCache information
apihooks             Detect API hooks in process and kernel memory
atoms                Print session and window station atom tables
atomscan             Pool scanner for atom tables
auditpol             Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools             Dump the big page pools using BigPagePoolScanner
bioskbd              Reads the keyboard buffer from Real Mode memory
cachedump            Dumps cached domain hashes from memory
callbacks            Print system-wide notification routines
clipboard            Extract the contents of the windows clipboard
cmdline              Display process command-line arguments
cmdscan              Extract command history by scanning for _COMMAND_HISTORY
consoles             Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo            Dump crash-dump information
deskscan             Pool scanner for tagDESKTOP (desktops)
devicetree           Show device tree
dlldump              Dump DLLs from a process address space
dlllist              Print list of loaded dlls for each process
driverirp            Driver IRP hook detection
drivermodule         Associate driver objects to kernel modules
driverscan           Pool scanner for driver objects
dumpcerts            Dump RSA private and public SSL keys
dumpfiles            Extract memory mapped and cached files
dumpregistry         Dumps registry files out to disk
editbox              Displays information about Edit controls. (Listbox experimental.)
envars               Display process environment variables
eventhooks           Print details on windows event hooks
filescan             Pool scanner for file objects
gahti                Dump the USER handle type information
getservicesids       Get the names of services in the Registry and return Calculated SID
getsids              Print the SIDs owning each process
handles              Print list of open handles for each process
hashdump             Dumps password hashes (LM/NTLM) from memory
hibinfo              Dump hibernation file information
hivedump             Prints out a hive
hivelist             Print list of registry hives
hivescan             Pool scanner for registry hives
hpakextract          Extract physical memory from an HPAK file
hpakinfo             Info on an HPAK file
iehistory            Reconstruct Internet Explorer cache / history
imagecopy            Copies a physical address space out as a raw DD image
imageinfo            Identify information for the image
impscan              Scan for calls to imported functions
joblinks             Print process job link information
kdbgscan             Search for and dump potential KDBG values
kpcrscan             Search for and dump potential KPCR values
ldrmodules           Detect unlinked DLLs
lsadump              Dump (decrypted) LSA secrets from the registry
machoinfo            Dump Mach-O file format information
malfind              Find hidden and injected code
malfindplus          Find the injected code
mbrparser            Scans for and parses potential Master Boot Records (MBRs)
memdump              Dump the addressable memory for a process
memmap               Print the memory map
messagehooks         List desktop and thread window message hooks
mftparser            Scans for and parses potential MFT entries
moddump              Dump a kernel driver to an executable file sample
modscan              Pool scanner for kernel modules
modules              Print list of loaded modules
multiscan            Scan for various objects at once
mutantscan           Pool scanner for mutex objects
netscan              Scan a Vista (or later) image for connections and sockets
objtypescan          Scan for Windows object type objects
patcher              Patches memory based on page scans
poolpeek             Configurable pool scanner plugin
pooltracker          Show a summary of pool tag usage
printkey             Print a registry key, and its subkeys and values
privs                Display process privileges
procdump             Dump a process to an executable file sample
pslist               Print all running processes by following the EPROCESS lists
psscan               Pool scanner for process objects
pstree               Print process list as a tree
psxview              Find hidden processes with various process listings
qemuinfo             Dump Qemu information
raw2dmp              Converts a physical memory sample to a windbg crash dump
screenshot           Save a pseudo-screenshot based on GDI windows
sessions             List details on _MM_SESSION_SPACE (user logon sessions)
shellbags            Prints ShellBags info
shimcache            Parses the Application Compatibility Shim Cache registry key
shutdowntime         Print ShutdownTime of machine from registry
ssdt                 Display SSDT entries
strings              Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan              Scan for Windows services
symlinkscan          Pool scanner for symlink objects
thrdscan             Pool scanner for thread objects
threads              Investigate _ETHREAD and _KTHREADs
timeliner            Creates a timeline from various artifacts in memory
timers               Print kernel timers and associated module DPCs
truecryptmaster      Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase  TrueCrypt Cached Passphrase Finder
truecryptsummary     TrueCrypt Summary
unloadedmodules      Print list of unloaded modules
userassist           Print userassist registry keys and information
userhandles          Dump the USER handle tables
vaddump              Dumps out the vad sections to a file
vadinfo              Dump the VAD info
vadtree              Walk the VAD tree and display in tree format
vadwalk              Walk the VAD tree
vboxinfo             Dump virtualbox information
verinfo              Prints out the version information from PE images
vmwareinfo           Dump VMware VMSS/VMSN information
volshell             Shell in the memory image
win10cookie          Find the ObHeaderCookie value for Windows 10
windows              Print Desktop Windows (verbose details)
wintree              Print Z-Order Desktop Windows Tree
wndscan              Pool scanner for window stations
yarascan             Scan process or kernel memory with Yara signatures