Shulou(Shulou.com)06/01 Report--

Volatility getting started: Volatility-f name imageinfovolatility-f name pslist-- profile=WinXPSP2x86 lists processes: volatility-f name-- profile=WinXPSP2x86 volshelldt ("_ PEB") to view the process environment block volatility-f name-- profile=WinXPSP2x86 hivelist enumerates the registry of cached memory:

Hivedump prints out the data in the registry:

Volatility-f name-- virtual address of the profile=WinXPSP2x86 hivedump-o registry

Displays a list of loaded dll for each process

Volatility-f name-profile = Win7SP0x86 dlllist > dlllist.txt

Get the users in the SAM table:

Volatility-f name-- profile=WinXPSP2x86 printkey-K "SAM\ Domains\ Account\ Users\ Names"

Login account system

Volatility-f name-- profile=WinXPSP2x86 printkey-K "SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon"

The userassist key value contains information about the system or desktop execution file, such as name, path, number of execution times, last execution time, etc.

Volatility-f name-- profile=WinXPSP2x86 userassist

Save some process data in memory in dmp format

Volatility-f name-- profile=WinXPSP2x86-p [PID]-D [directory where files from dump are saved]

Extract the usage of cmd commands retained in memory

Volatility-f name-- profile=WinXPSP2x86 cmdscan

Get the network connection at that time

Volatility-f name-- profile=WinXPSP2x86 netscan

Get the usage of the IE browser:

Volatility-f name-- profile=WinXPSP2x86 iehistory

Get the system password in memory, which can be extracted using hashdump

Volatility-f name-- profile=WinXPSP2x86 hashdump-y (virtual address of registry system)-s (virtual address of SAM) volatility-f name-- profile=WinXPSP2x86 hashdump-y 0xe1035b60-s 0xe16aab60volatility-f name-- profile=WinXPSP2x86 timeliner

A process for file lookup and dumo extraction:

Volatility-f name-- profile=Win7SP1x64 memdump-D. -p 2872strings-e l. / 2872.dmp | grep flagvolatility-f name-- profile=Win7SP1x64 dumpfiles-Q 0x000000007e410890-n-- dump-dir=./

HASH matches the user's account name and password:

Hash, and then use john filename-- format=NT to crack

Security process scanning

Volatility-f name-- profile=Win7SP1x64 psscan

Flag string scan:

Strings-e l 2616.dmp | grep flag

Find pictures:

Volatility-f name--profile=Win7SP1x64 filescan | grep-E 'jpg | png | jpeg | bmp | gifvolatility-f name--profile=Win7SP1x64 netscan

Registry parsing

Volatility-f name-- profile=Win7SP1x64 hivelistvolatility-f name-- profile=Win7SP1x64-o 0xfffff8a000024010 printkey-K "ControlSet001\ Control;"

Copy, cut version:

Volatility-f name-- profile=Win7SP1x64 clipboardvolatility-f name-- profile=Win7SP1x64 dlllist-p 3820

Dump all processes:

Volatility-f name-- profile=Win7SP1x64 memdump-n chrome-D. Using string to find downloadpython vol.py-f name-- profile=Win7SP1x86 shimcache

Svcscan View Service

Python vol.py-f name-- profile=Win7SP1x86 svcscan

Modules check kernel driver modscan, driverscan can look at some hidden kernel driver ShimCache to identify application compatibility issues. Track the file path, size, last modification time, and last execution time.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.