2025-04-04 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
Volatility getting started:

Identify the image profile:
volatility -f name imageinfo

List processes:
volatility -f name --profile=WinXPSP2x86 pslist

Open an interactive shell and inspect the process environment block:
volatility -f name --profile=WinXPSP2x86 volshell
dt("_PEB")

Enumerate the registry hives cached in memory:
volatility -f name --profile=WinXPSP2x86 hivelist

hivedump prints the data of one registry hive (pass the hive's virtual address from hivelist):
volatility -f name --profile=WinXPSP2x86 hivedump -o <virtual address of the hive>

Display the list of loaded DLLs for each process:
volatility -f name --profile=Win7SP0x86 dlllist > dlllist.txt

Get the users in the SAM hive:
volatility -f name --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"

System login account:
volatility -f name --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

The UserAssist key records programs run from the shell or desktop: name, path, run count, last execution time, etc.:
volatility -f name --profile=WinXPSP2x86 userassist

Save a process's memory in dmp format:
volatility -f name --profile=WinXPSP2x86 memdump -p [PID] -D [directory where the dumped files are saved]

Extract the cmd command history retained in memory:
volatility -f name --profile=WinXPSP2x86 cmdscan

Get the network connections at the time of capture (netscan supports Vista and later; on XP use the connections and sockets plugins instead):
volatility -f name --profile=WinXPSP2x86 netscan

Get the IE browser history:
volatility -f name --profile=WinXPSP2x86 iehistory

Get the system password hashes held in memory with hashdump, passing the virtual address of the SYSTEM hive (-y) and of the SAM hive (-s) as reported by hivelist:
volatility -f name --profile=WinXPSP2x86 hashdump -y (virtual address of the SYSTEM hive) -s (virtual address of the SAM hive)
volatility -f name --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe16aab60

Build a timeline of events from the image:
volatility -f name --profile=WinXPSP2x86 timeliner
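The hivelist-then-hashdump step above is error-prone when typed by hand, because the two hive offsets have to be copied out of the hivelist table in the right order. The following Python example, added here and not part of the original article or of Volatility itself, parses a constructed sample of Volatility 2 hivelist output (the two virtual addresses reuse the values quoted above; the physical addresses and the NTUSER.DAT line are made up) and assembles the exact hashdump argument list. The hive names and the function names are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of "volatility -f name --profile=WinXPSP2x86 hivelist" output.
# The SYSTEM and SAM virtual addresses are the ones quoted in the walkthrough;
# everything else is illustrative.
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1bd8b60 0x0ab3db60 \\Device\\HarddiskVolume1\\Documents and Settings\\user\\NTUSER.DAT
0xe1035b60 0x02a35b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe16aab60 0x0b0eab60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe1018348 0x02a18348 [no name]
"""

# A data row: virtual offset, physical offset, hive name (which may contain spaces).
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def parse_hivelist(text: str) -> Dict[str, str]:
    """Map each hive's virtual address to its name; banner, header and
    separator lines do not start with 0x and are skipped."""
    hives: Dict[str, str] = {}
    for line in text.splitlines():
        m = HIVE_LINE.match(line)
        if m:
            hives[m.group(1)] = m.group(3)
    return hives


def find_hive(hives: Dict[str, str], basename: str) -> str:
    """Return the virtual address of the hive whose last path component equals
    basename (case-insensitive). This matches both the XP form
    \\...\\config\\SAM and the Win7 form \\REGISTRY\\MACHINE\\SYSTEM.
    Refuses to guess if the hive is missing or ambiguous."""
    wanted = basename.lower()
    matches = [addr for addr, name in hives.items()
               if name.rsplit("\\", 1)[-1].lower() == wanted]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {basename} hive, found {matches}")
    return matches[0]


def hashdump_command(hivelist_text: str, image: str, profile: str) -> List[str]:
    """Build the argv for the hashdump step from raw hivelist output."""
    hives = parse_hivelist(hivelist_text)
    return ["volatility", "-f", image, f"--profile={profile}", "hashdump",
            "-y", find_hive(hives, "system"), "-s", find_hive(hives, "SAM")]


if __name__ == "__main__":
    # Prints the same command line the walkthrough gives for this image.
    print(" ".join(hashdump_command(SAMPLE_HIVELIST, "name", "WinXPSP2x86")))
```

In practice you would feed the function the captured stdout of a real hivelist run; the ValueError on a missing or duplicated hive is deliberate, since a Win7 image may list SYSTEM under a different path than XP and a silent wrong offset would make hashdump fail or decode garbage.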
A procedure for file lookup and dump extraction:
volatility -f name --profile=Win7SP1x64 memdump -D . -p 2872
strings -e l ./2872.dmp | grep flag
volatility -f name --profile=Win7SP1x64 dumpfiles -Q 0x000000007e410890 -n --dump-dir=./

hashdump output pairs each account name with its password hash; save the hashes to a file, then crack them with:
john filename --format=NT

Process scanning (psscan walks pool tags rather than the active process list, so it also finds unlinked or terminated processes):
volatility -f name --profile=Win7SP1x64 psscan
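The reason to run psscan alongside pslist is the difference between the two views: a process present in psscan but absent from pslist is either terminated or has been unlinked from the active process list. The following Python example, added here and not part of the original article or of Volatility, parses constructed samples of both plugins' output (offsets, PIDs and names are invented for illustration) and reports that difference, separating terminated processes from suspicious hidden ones. The column parsing relies only on the shared leading columns (offset, name, PID, PPID) and treats a row with two timestamps as an exited process; the function names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of pslist output (Win7 x64 column layout); values are made up.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     86      523 ------      0 2023-01-10 08:00:01 UTC+0000
0xfffffa80018ab060 smss.exe                252      4      2       29 ------      0 2023-01-10 08:00:01 UTC+0000
0xfffffa8001a1f5e0 csrss.exe               336    328      9      512      0      0 2023-01-10 08:00:03 UTC+0000
0xfffffa8001e2a3c0 explorer.exe           1488   1456     23      812      1      0 2023-01-10 08:00:20 UTC+0000
0xfffffa8002a1b910 chrome.exe             2872   1488     31     1021      1      1 2023-01-10 08:02:44 UTC+0000
"""

# Constructed sample of psscan output for the same image: two extra rows, one
# terminated (notepad.exe, has an exit time) and one not in the active list.
SAMPLE_PSSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003eca0040 System                4      0 0x0000000000187000 2023-01-10 08:00:01 UTC+0000
0x000000003e8ab060 smss.exe            252      4 0x000000002d3a1000 2023-01-10 08:00:01 UTC+0000
0x000000003ea1f5e0 csrss.exe           336    328 0x000000002e1b6000 2023-01-10 08:00:03 UTC+0000
0x000000003ee2a3c0 explorer.exe       1488   1456 0x0000000031c02000 2023-01-10 08:00:20 UTC+0000
0x000000003fa1b910 chrome.exe         2872   1488 0x0000000033a14000 2023-01-10 08:02:44 UTC+0000
0x000000003f0c4b30 svchost.exe        3316    460 0x0000000035b77000 2023-01-10 08:05:12 UTC+0000
0x000000003d77e2a0 notepad.exe        1960   1488 0x000000002fe09000 2023-01-10 08:03:00 UTC+0000 2023-01-10 08:04:10 UTC+0000
"""

# Both plugins start each data row with: offset, name, PID, PPID.
PROC_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


class Proc(NamedTuple):
    offset: str
    name: str
    pid: int
    ppid: int
    exited: bool


def parse_processes(text: str) -> Dict[int, Proc]:
    """Parse pslist or psscan output into a PID-keyed table.
    A row carrying two timestamps (start and exit) marks an exited process."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if not m:
            continue  # banner, header and separator lines
        exited = line.count("UTC") >= 2
        pid = int(m.group(3))
        procs[pid] = Proc(m.group(1), m.group(2), pid, int(m.group(4)), exited)
    return procs


def compare_process_views(pslist_text: str, psscan_text: str) -> Dict[str, List[Proc]]:
    """Processes found by the pool scan but missing from the active list:
    'terminated' if they carry an exit time, otherwise 'hidden' (worth a look)."""
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    hidden: List[Proc] = []
    terminated: List[Proc] = []
    for pid, proc in sorted(scanned.items()):
        if pid in listed:
            continue
        (terminated if proc.exited else hidden).append(proc)
    return {"hidden": hidden, "terminated": terminated}


if __name__ == "__main__":
    result = compare_process_views(SAMPLE_PSLIST, SAMPLE_PSSCAN)
    for label, procs in result.items():
        for p in procs:
            print(f"{label}: pid={p.pid} ppid={p.ppid} {p.name} @ {p.offset}")
```

A PID in the "hidden" bucket is the starting point for the follow-up steps in this walkthrough (dlllist -p, memdump -p, then strings on the dump); a PID in the "terminated" bucket is expected noise unless its timing matters to the timeline.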
Flag string scan:
strings -e l 2616.dmp | grep flag

Find pictures:
volatility -f name --profile=Win7SP1x64 filescan | grep -E 'jpg|png|jpeg|bmp|gif'
volatility -f name --profile=Win7SP1x64 netscan

Registry parsing:
volatility -f name --profile=Win7SP1x64 hivelist
volatility -f name --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control"

Clipboard contents (copied or cut data) and the DLLs of one process:
volatility -f name --profile=Win7SP1x64 clipboard
volatility -f name --profile=Win7SP1x64 dlllist -p 3820

Dump all processes whose name matches a pattern (here chrome), then use strings on the dumps to look for downloads:
volatility -f name --profile=Win7SP1x64 memdump -n chrome -D .

ShimCache:
python vol.py -f name --profile=Win7SP1x86 shimcache

svcscan lists services:
python vol.py -f name --profile=Win7SP1x86 svcscan

modules lists loaded kernel drivers; modscan and driverscan can also reveal hidden kernel drivers. ShimCache (the application compatibility cache) records, for executed programs, the file path, size, last modification time and last execution time.