Rebuilding a PE file from memory with a volatility dump: fixing broken IAT functions with impscan

Posted 2023-05-03 21:45:16, author: bonelee

The book already describes the steps, so let's try them out in vol2.

List the processes:

PS D:\Application\volatility3-stable> python .\vol.py -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" windows.pslist
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0x810b1660      57      182     N/A     False   N/A     N/A     Disabled
544     4       smss.exe        0xff2ab020      3       21      N/A     False   2010-08-11 06:06:21.000000      N/A     Disabled
608     544     csrss.exe       0xff1ecda0      10      378     0       False   2010-08-11 06:06:23.000000      N/A     Disabled
632     544     winlogon.exe    0xff1ec978      18      511     0       False   2010-08-11 06:06:23.000000      N/A     Disabled
676     632     services.exe    0xff247020      16      269     0       False   2010-08-11 06:06:24.000000      N/A     Disabled
688     632     lsass.exe       0xff255020      19      344     0       False   2010-08-11 06:06:24.000000      N/A     Disabled
844     676     vmacthlp.exe    0xff218230      1       24      0       False   2010-08-11 06:06:24.000000      N/A     Disabled
856     676     svchost.exe     0x80ff88d8      17      199     0       False   2010-08-11 06:06:24.000000      N/A     Disabled
936     676     svchost.exe     0xff217560      11      274     0       False   2010-08-11 06:06:24.000000      N/A     Disabled
1028    676     svchost.exe     0x80fbf910      75      1373    0       False   2010-08-11 06:06:24.000000      N/A     Disabled
1088    676     svchost.exe     0xff22d558      6       86      0       False   2010-08-11 06:06:25.000000      N/A     Disabled
1148    676     svchost.exe     0xff203b80      14      209     0       False   2010-08-11 06:06:26.000000      N/A     Disabled
1432    676     spoolsv.exe     0xff1d7da0      12      134     0       False   2010-08-11 06:06:26.000000      N/A     Disabled
1668    676     vmtoolsd.exe    0xff1b8b28      5       221     0       False   2010-08-11 06:06:35.000000      N/A     Disabled
1788    676     VMUpgradeHelper 0xff1fdc88      4       100     0       False   2010-08-11 06:06:38.000000      N/A     Disabled
1968    676     TPAutoConnSvc.e 0xff143b28      5       100     0       False   2010-08-11 06:06:39.000000      N/A     Disabled
216     676     alg.exe 0xff25a7e0      6       105     0       False   2010-08-11 06:06:39.000000      N/A     Disabled
888     1028    wscntfy.exe     0xff364310      1       27      0       False   2010-08-11 06:06:49.000000      N/A     Disabled
1084    1968    TPAutoConnect.e 0xff38b5f8      1       61      0       False   2010-08-11 06:06:52.000000      N/A     Disabled
1724    1708    explorer.exe    0xff3865d0      13      326     0       False   2010-08-11 06:09:29.000000      N/A     Disabled
432     1724    VMwareTray.exe  0xff3667e8      1       49      0       False   2010-08-11 06:09:31.000000      N/A     Disabled
452     1724    VMwareUser.exe  0xff374980      8       206     0       False   2010-08-11 06:09:32.000000      N/A     Disabled
468     1028    wuauclt.exe     0x80f94588      4       135     0       False   2010-08-11 06:09:37.000000      N/A     Disabled
1180    1060    lanmanwrk.exe   0xff3825f8      2       75      0       False   2010-08-15 19:09:12.000000      N/A     Disabled
1340    1724    IEXPLORE.EXE    0xff38a410      12      346     0       False   2010-08-15 19:09:26.000000      N/A     Disabled
460     1668    cmd.exe 0xff1f9b08      0       -       0       False   2010-08-15 19:11:21.000000      2010-08-15 19:11:21.000000      Disabled

We can see that PID 1180 is the malicious process we are looking for!

First, dump the PE file that belongs to that process:

PS D:\Application\volatility3-stable\prodmp_out> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" procdump --dump-dir prodmp_out

    目录: D:\Application\volatility3-stable\prodmp_out


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        2023-05-03     20:55          14336 executable.1028.exe
-a----        2023-05-03     20:55         446464 executable.1084.exe
-a----        2023-05-03     20:55          14336 executable.1088.exe
-a----        2023-05-03     20:55          29696 executable.1180.exe
-a----        2023-05-03     21:13          16384 executable.1180.exe.id0
-a----        2023-05-03     21:13              0 executable.1180.exe.id1
-a----        2023-05-03     21:13             41 executable.1180.exe.id2
-a----        2023-05-03     21:13              0 executable.1180.exe.nam
-a----        2023-05-03     21:14             82 executable.1180.exe.til
-a----        2023-05-03     20:55          93184 executable.1340.exe
-a----        2023-05-03     20:55          57856 executable.1432.exe
-a----        2023-05-03     20:55          65536 executable.1668.exe
-a----        2023-05-03     20:55        1032192 executable.1724.exe
-a----        2023-05-03     20:55         184320 executable.1788.exe
-a----        2023-05-03     20:55         135168 executable.432.exe
-a----        2023-05-03     20:55        1081344 executable.452.exe
-a----        2023-05-03     20:55         111104 executable.468.exe
-a----        2023-05-03     20:55              0 executable.608.exe
-a----        2023-05-03     20:55         502272 executable.632.exe
-a----        2023-05-03     20:55         108032 executable.676.exe
-a----        2023-05-03     20:55          13312 executable.688.exe
-a----        2023-05-03     20:55          14336 executable.936.exe

Vol3 works as well, of course: python .\vol.py -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" windows.pslist --dump

The dumped PE for 1180 really does lack a correct IAT!!! Let's look at it in IDA:

Sure enough, it looks like a mess! Now scan it with impscan:

PS D:\Application\volatility3-stable> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\16\7\laqma.vmem\laqma.vmem" impscan -p 1180
Volatility Foundation Volatility Framework 2.6
IAT        Call       Module               Function
---------- ---------- -------------------- --------
0x00406000 0x77deb635 ADVAPI32.dll         ControlService
0x00406004 0x77ddede5 ADVAPI32.dll         RegDeleteValueA
0x00406008 0x77dd6bf0 ADVAPI32.dll         RegCloseKey
0x0040600c 0x77e37311 ADVAPI32.dll         DeleteService
0x00406010 0x77deada7 ADVAPI32.dll         OpenSCManagerA
0x00406014 0x77e37071 ADVAPI32.dll         CreateServiceA
0x00406018 0x77deb88c ADVAPI32.dll         OpenServiceA
0x0040601c 0x77de5e4d ADVAPI32.dll         CloseServiceHandle
0x00406020 0x77dd7883 ADVAPI32.dll         RegQueryValueExA
0x00406024 0x77dfc41b ADVAPI32.dll         RegOpenKeyA
0x0040602c 0x7c80b357 kernel32.dll         GetModuleFileNameA
0x00406030 0x7c802442 kernel32.dll         Sleep
0x00406034 0x7c81082f kernel32.dll         CreateThread
0x00406038 0x7c82293b kernel32.dll         GetWindowsDirectoryA
0x0040603c 0x7c81caa2 kernel32.dll         ExitProcess
0x00406040 0x7c8092ac kernel32.dll         GetTickCount
0x00406044 0x7c80c9c1 kernel32.dll         GetLocalTime
0x00406048 0x7c810d34 kernel32.dll         SystemTimeToFileTime
0x0040604c 0x7c80946c kernel32.dll         CreateFileMappingA
0x00406050 0x7c81ff03 kernel32.dll         FlushViewOfFile
0x00406054 0x7c801d77 kernel32.dll         LoadLibraryA
0x00406058 0x7c80994e kernel32.dll         GetCurrentProcessId
0x0040605c 0x7c910331 kernel32.dll         GetLastError
0x00406060 0x7c80c729 kernel32.dll         lstrcpyA
0x00406064 0x7c810c8f kernel32.dll         GetFileSize
0x00406068 0x7c812851 kernel32.dll         GetVersionExA
0x0040606c 0x7c80b529 kernel32.dll         GetModuleHandleA
0x00406070 0x7c80ac28 kernel32.dll         GetProcAddress
0x00406074 0x7c80c6e0 kernel32.dll         lstrlenA
0x00406078 0x7c80b9fe kernel32.dll         OpenFileMappingA
0x0040607c 0x7c80b78d kernel32.dll         MapViewOfFile
0x00406080 0x7c80b7fc kernel32.dll         UnmapViewOfFile
0x00406084 0x7c80c865 kernel32.dll         GetSystemDefaultLCID
0x00406088 0x7c80d47e kernel32.dll         GetLocaleInfoA
0x0040608c 0x7c80b929 kernel32.dll         lstrcmpiA
0x00406090 0x7c9179fd kernel32.dll         HeapReAlloc
0x00406094 0x7c9105d4 kernel32.dll         HeapAlloc
0x00406098 0x7c80aa49 kernel32.dll         GetProcessHeap
0x0040609c 0x7c91043d kernel32.dll         HeapFree
0x004060a0 0x7c809b77 kernel32.dll         CloseHandle
0x004060a4 0x7c801a24 kernel32.dll         CreateFileA
0x004060a8 0x7c810f9f kernel32.dll         WriteFile
0x004060ac 0x7c830053 kernel32.dll         CopyFileA
0x004060b0 0x7c838fb9 kernel32.dll         lstrcatA
0x004060b4 0x7c8394ae kernel32.dll         GetTimeZoneInformation
0x004060bc 0x77d4df6b USER32.dll           DefWindowProcA
0x004060c0 0x77d4e2ae USER32.dll           SendMessageA
0x004060c4 0x77d6f3c6 USER32.dll           FindWindowA
0x004060c8 0x77d4d7bb USER32.dll           GetDesktopWindow
0x004060cc 0x77d4b57c USER32.dll           GetWindowRect
0x004060d0 0x77d4bcbd USER32.dll           DispatchMessageA
0x004060d4 0x77d4a2de USER32.dll           wsprintfA
0x004060d8 0x77d52316 USER32.dll           RegisterClassA
0x004060dc 0x77d5190b USER32.dll           CreateWindowExA
0x004060e0 0x77d48bce USER32.dll           TranslateMessage
0x004060e4 0x77d6ea45 USER32.dll           GetMessageA
0x004060e8 0x77d48c06 USER32.dll           SetTimer
0x004060f0 0x771d325f WININET.dll          InternetQueryDataAvailable
0x004060f4 0x771c8c6a WININET.dll          HttpQueryInfoA
0x004060f8 0x771c76b8 WININET.dll          HttpSendRequestA
0x004060fc 0x771c4ac5 WININET.dll          HttpOpenRequestA
0x00406100 0x771c61dc WININET.dll          InternetCloseHandle
0x00406104 0x771c44db WININET.dll          InternetConnectA
0x00406108 0x771c6d2a WININET.dll          InternetOpenA
0x0040610c 0x771c8840 WININET.dll          InternetCrackUrlA
0x00408a80 0x7c80180e kernel32.dll         ReadFile
0x00408a84 0x7c81e85c kernel32.dll         DeleteFileA
0x00408a88 0x7c801a24 kernel32.dll         CreateFileA
0x00408a8c 0x7c830053 kernel32.dll         CopyFileA
0x00408a90 0x7c809b77 kernel32.dll         CloseHandle
0x00408a94 0x771c9555 WININET.dll          InternetReadFile
0x00408a98 0x7c810f9f kernel32.dll         WriteFile
0x00408a9c 0x77df3238 ADVAPI32.dll         StartServiceA

Tidy up the output above with a find and replace in Notepad++ (search mode: Regular expression; the pattern only matches data rows that start with 0x, so the banner, header and separator lines are left alone):

^(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+[\w.]+\s+(\w+)$

MakeName\(\1, "\2"\);

Once the rows are converted into commands IDA understands, import them into IDA:

The IAT is finally rebuilt correctly!!! GOOD!!!
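The same transformation done in Python instead of Notepad++, as an added example that is not part of the original post (the names parse_impscan, to_idc and group_thunks are my own): it parses impscan's text output from a constructed excerpt of the table above, skips the banner, header and separator lines, emits MakeDword/MakeName IDC, and suffixes duplicate names, since CreateFileA, CopyFileA, CloseHandle and WriteFile appear in both tables and IDA rejects a second MakeName with a name that already exists. It also splits the slots into contiguous runs, which makes the second table at 0x00408a80 stand out from the import directory at 0x00406000.

```python
import re

# One impscan data row: IAT slot, resolved address, module, function. Banner,
# header and separator lines do not start with "0x" and are skipped.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+([\w.]+)\s+(\w+)\s*$")

# Constructed excerpt of the impscan output above, header kept on purpose.
SAMPLE = """Volatility Foundation Volatility Framework 2.6
IAT        Call       Module               Function
---------- ---------- -------------------- --------
0x00406020 0x77dd7883 ADVAPI32.dll         RegQueryValueExA
0x00406024 0x77dfc41b ADVAPI32.dll         RegOpenKeyA
0x0040602c 0x7c80b357 kernel32.dll         GetModuleFileNameA
0x00406030 0x7c802442 kernel32.dll         Sleep
0x004060a4 0x7c801a24 kernel32.dll         CreateFileA
0x00408a88 0x7c801a24 kernel32.dll         CreateFileA
"""

def parse_impscan(text):
    """Return (iat, call, module, function) tuples in output order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return rows

def to_idc(rows):
    """IDC that types each slot as a dword and names it after the import. A
    function imported twice (CreateFileA sits in both tables) gets a numeric
    suffix, because IDA rejects a second MakeName with an identical name."""
    seen, out = {}, []
    for iat, _call, _module, func in rows:
        n = seen.get(func, 0)
        seen[func] = n + 1
        name = func if n == 0 else f"{func}_{n}"
        out.append(f"MakeDword(0x{iat:08X});")
        out.append(f'MakeName(0x{iat:08X}, "{name}");')
    return "\n".join(out)

def group_thunks(rows, ptr_size=4):
    """Split rows into runs of contiguous slots (32-bit process, 4-byte pointers).
    A one-slot hole is the null terminator between two DLLs' thunk arrays; a
    larger jump, such as 0x004060a4 -> 0x00408a88, marks a separate table."""
    runs = []
    for row in rows:
        if runs and row[0] == runs[-1][-1][0] + ptr_size:
            runs[-1].append(row)
        else:
            runs.append([row])
    return runs
```

Feed the full impscan output to parse_impscan and write to_idc's result to a .idc file, then run it from IDA's File > Script file menu.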