9 nov 2012

Analyzing memory dumps with Volatility and malfind

Well, I had a machine infected with assorted malware: ransomware, banking trojans, adware, etc.

To analyze a memory dump we first have to generate one. Since the machine is virtualized, on the Mac we'll use VMware's vmss2core utility :P. It converts a snapshot or suspended state (the .vmss file plus its .vmem) into a crash dump without touching the guest; the -W switch selects the Windows (WinDbg) dump format, which is why Volatility later reads the file through its WindowsCrashDumpSpace32 address space.

We create the memory dump file:

seifreed@darkmac:/Applications/VMware Fusion.app/Contents/Library:./vmss2core -W Malware\ XP-Snapshot3.vmss Malware\ XP-Snapshot3.vmem

Once the memory dump exists, it's time for the analysis. Although there are countless tools on the market, we'll focus on Volatility.

The first thing we can do is identify the operating system; for that we use imageinfo:

remnux@remnux:~/volatility$ sudo volatility -f memory imageinfo
[sudo] password for remnux:
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (/home/remnux/volatility/memory)
                     AS Layer3 : FileAddressSpace (/home/remnux/volatility/memory)
                      PAE type : PAE
                           DTB : 0x31c000L
                          KDBG : 0x80544ce0L
                          KPCR : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-09-11 22:26:38
     Image local date and time : 2012-09-11 22:26:38
          Number of Processors : 1
                    Image Type : Service Pack 2

You can see that it has identified the image's operating system. imageinfo only suggests profiles, so it is good practice to pass the right one explicitly (here --profile=WinXPSP2x86; the "Image Type : Service Pack 2" line settles the SP question) to every later command. The commands below omit it and still work only because WinXPSP2x86 happens to be Volatility 2's default profile.

To get an idea of what was "cooking" in the image, we can list the processes:

remnux@remnux:~/volatility$ sudo volatility -f memory pslist
[sudo] password for remnux:
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System               4      0      59     246    1970-01-01 00:00:00
0x82044978 smss.exe             376    4      3      21     2012-09-11 22:20:57
0x82078598 csrss.exe            632    376    14     557    2012-09-11 22:20:57
0x81e36020 winlogon.exe         660    376    24     521    2012-09-11 22:20:59
0x81ee5990 services.exe         704    660    15     286    2012-09-11 22:20:59
0x81e5d2c8 lsass.exe            716    660    21     363    2012-09-11 22:20:59
0x821f4a78 vmacthlp.exe         924    704    1      36     2012-09-11 22:20:59
0x82153da0 svchost.exe          936    704    20     208    2012-09-11 22:20:59
0x81fe4da0 svchost.exe          1000   704    11     258    2012-09-11 22:20:59
0x821b7da0 svchost.exe          1116   704    62     1154   2012-09-11 22:20:59
0x821b5308 svchost.exe          1164   704    11     113    2012-09-11 22:20:59
0x822f9848 svchost.exe          1248   704    16     206    2012-09-11 22:21:00
0x821b93f0 explorer.exe         1552   1496   21     517    2012-09-11 22:21:01
0x821ad638 spoolsv.exe          1672   704    14     147    2012-09-11 22:21:01
0x821fb560 rundll32.exe         1756   1552   4      80     2012-09-11 22:21:02
0x81fe0880 jusched.exe          1764   1552   1      92     2012-09-11 22:21:02
0x81e0eda0 vmtoolsd.exe         1776   1552   7      228    2012-09-11 22:21:02
0x81e68da0 ctfmon.exe           1784   1552   1      80     2012-09-11 22:21:02
0x81eacda0 svchost.exe          1944   704    7      93     2012-09-11 22:21:07
0x81fa2da0 userdump.exe         312    704    4      54     2012-09-11 22:21:07
0x82271360 vmtoolsd.exe         440    704    7      261    2012-09-11 22:21:10
0x81f98a50 TPAutoConnSvc.e      1356   704    5      105    2012-09-11 22:21:16
0x81f8f020 TPAutoConnect.e      184    1356   1      76     2012-09-11 22:21:17
0x81fcc9b0 wuauclt.exe          260    1116   7      181    2012-09-11 22:21:56
0x821a6da0 wuauclt.exe          760    1116   4      146    2012-09-11 22:22:11
0x8232eda0 pdfw.exe             1484   1552   1      41     2012-09-11 22:24:40
0x81e012b0 perfoptim.exe        1516   1552   1      41     2012-09-11 22:24:40
0x821a6870 pes-2010-.exe        1424   1552   1      61     2012-09-11 22:24:40
0x823302f0 pes2010patch102      1340   1552   1      57     2012-09-11 22:24:40
0x821a7020 phase1.exe           1396   1552   1      88     2012-09-11 22:24:41
0x81e7d8c8 pdfw.tmp             1148   1484   1      45     2012-09-11 22:24:41
0x81e26020 perfoptim.tmp        1440   1516   1      50     2012-09-11 22:24:41
0x8221a3a8 ntvdm.exe            272    1552   3      55     2012-09-11 22:24:41
0x822c93a0 PocoSaCal_203.4      1544   1552   1      101    2012-09-11 22:24:42
0x8232f288 PokerXperience.      2116   1552   6      200    2012-09-11 22:24:44
0x81f56d78 Pornoarsivi.exe      2568   2260   1      46     2012-09-11 22:25:19
0x82232710 sqlupdate.exe        2768   2404   30     169    2012-09-11 22:25:26
0x81f61af0 PocoSaCal%203.4      2804   1544   6      196    2012-09-11 22:25:28
0x8216b020 Postales_amor--      2832   2284   1      123    2012-09-11 22:25:31
0x8226e020 wmiprvse.exe         2852   936    7      145    2012-09-11 22:25:33
0x81f64020 IEXPLORE.EXE         3288   936    9      242    2012-09-11 22:25:51
0x81fb6020 cmd.exe              3476   1552   1      45     2012-09-11 22:25:59
0x821995f8 win32dd.exe          2196   3476   1      34     2012-09-11 22:26:34

Several things stand out already. The processes that appear from 22:24:40 onwards under names such as pdfw.exe, perfoptim.exe, pes-2010-.exe, pes2010patch102, phase1.exe, PocoSaCal_203.4, PokerXperience., Pornoarsivi.exe, sqlupdate.exe and Postales_amor-- are foreign to a stock XP plus VMware Tools install, and some of them re-spawn: PocoSaCal_203.4 (1544) starts PocoSaCal%203.4 (2804). Three of them (Pornoarsivi.exe, sqlupdate.exe, Postales_amor--) have parent PIDs (2260, 2404, 2284) that are not in the list, so their parents had already exited. pslist only walks the kernel's linked list of active processes; it shows neither exited processes nor anything a rootkit has unlinked, so psscan, which carves _EPROCESS structures out of physical memory, is the natural complement to run next. IEXPLORE.EXE (3288) has PID 936, an svchost.exe, as its parent rather than explorer.exe, which is atypical for a browser opened by the user. Finally, the last two entries, cmd.exe and its child win32dd.exe, show that an acquisition was also attempted from inside the guest; dumping from the hypervisor with vmss2core leaves no such footprint in the image.

If we are working a forensic case and want to know which connections the machine has had, connscan also recovers ones that were closed recently: instead of walking the live connection table it scans physical memory for _TCPT_OBJECT structures (the XP/2003 TCP connection objects), so terminated connections whose structures have not yet been overwritten still show up. On Vista and later the equivalent plugin is netscan.

remnux@remnux:~/volatility$ sudo volatility -f memory connscan
Offset     Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x02084e70 172.18.1.100:1049         209.208.79.128:80         2004
0x02164c68 172.18.1.100:1054         209.208.79.128:80         2004
0x02399bc0 172.18.1.100:1052         209.208.79.128:80         2004
0x023a8718 172.18.1.100:1047         209.208.79.128:80         2004

There we can see the connections: four HTTP connections to 209.208.79.128, all from PID 2004. That PID does not appear in pslist, so the process that opened them had already exited by the time the image was taken, which is exactly the situation connscan is for; psscan could recover its _EPROCESS and therefore its name.

Another thing we can do is look for mutexes on the system:

remnux@remnux:~/volatility$ sudo volatility -f memory mutantscan
Offset     Obj Type   #Ptr #Hnd Signal Thread     CID       Name
0x01f9dfe0 0x823c55e0 1    1    1      0x00000000           ''
0x01f9f020 0x823c55e0 1    1    1      0x00000000           ''
0x01f9f4c0 0x823c55e0 1    1    1      0x00000000           ''
0x01fc13f8 0x823c55e0 1    1    1      0x00000000           ''
0x01fc1d28 0x823c55e0 37   36   1      0x00000000           'faebec4a-Mutex'
0x01fc49e0 0x823c55e0 2    1    1      0x00000000           'WmiApRpl_Perf_Library_Lock_PID_1b8'
0x01fc4ac8 0x823c55e0 2    1    1      0x00000000           'RemoteAccess_Perf_Library_Lock_PID_1b8'
0x01fe0e38 0x823c55e0 1    1    1      0x00000000           ''
0x01fe7a60 0x823c55e0 1    1    1      0x00000000           ''
0x01fe8dd0 0x823c55e0 3    2    1      0x00000000           'TP_HIGHLANDER_MUTEX'
0x01fee198 0x823c55e0 1    1    1      0x00000000           ''
0x01feee38 0x823c55e0 2    1    1      0x00000000           'HGFSMUTEX'
0x01fef980 0x823c55e0 2    1    1      0x00000000           'VMToolsHookQueueLock'
0x01ff09c0 0x823c55e0 8    7    1      0x00000000           'c:!documents and settings!user!local settings!history!history.ie5!'
0x01ff9450 0x823c55e0 1    1    1      0x00000000           ''
0x01ffbf48 0x823c55e0 1    1    1      0x00000000           ''
0x01ffbfe0 0x823c55e0 1    1    1      0x00000000           ''
0x02000ed0 0x823c55e0 1    1    1      0x00000000           ''
0x02008bf0 0x823c55e0 1    1    1      0x00000000           ''
0x020091c8 0x823c55e0 1    1    1      0x00000000           ''
0x02009d68 0x823c55e0 1    1    1      0x00000000           ''
0x02009e30 0x823c55e0 1    1    1      0x00000000           ''
0x0200a428 0x823c55e0 1    1    1      0x00000000           ''
0x0200a468 0x823c55e0 1    1    1      0x00000000           ''
0x02012bc0 0x823c55e0 1    1    1      0x00000000           ''
0x02012c00 0x823c55e0 1    1    1      0x00000000           ''
0x02012c40 0x823c55e0 1    1    1      0x00000000           ''
0x02012fe0 0x823c55e0 2    1    0      0x820768b8 1764:1768 'SunJavaUpdateSchedulerMutex'
0x020133c8 0x823c55e0 1    1    1      0x00000000           ''
0x02013558 0x823c55e0 1    1    1      0x00000000           ''
0x020135c8 0x823c55e0 1    1    1      0x00000000           ''
0x02016ac8 0x823c55e0 1    1    1      0x00000000           ''
0x020181f0 0x823c55e0 1    1    1      0x00000000           ''
0x0201b560 0x823c55e0 1    1    1      0x00000000           ''
0x0201b868 0x823c55e0 1    1    1      0x00000000           ''
0x0201c840 0x823c55e0 2    1    1      0x00000000           'PnP_Init_Mutex'
0x0201fb08 0x823c55e0 1    1    1      0x00000000           ''
0x02020a30 0x823c55e0 2    1    1      0x00000000           'ExplorerIsShellMutex'
0x02024688 0x823c55e0 3    2    1      0x00000000           'MidiMapper_Configure'
0x02035f58 0x823c55e0 1    1    1      0x00000000           ''
0x02036358 0x823c55e0 1    1    1      0x00000000           ''
0x020364b0 0x823c55e0 1    1    1      0x00000000           ''
0x0205e180 0x823c55e0 1    1    1      0x00000000           ''
0x0205f688 0x823c55e0 1    1    1      0x00000000           ''
0x02063580 0x823c55e0 1    1    1      0x00000000           ''
0x020644d0 0x823c55e0 2    1    1      0x00000000           'userenv: user policy mutex'
0x02066a70 0x823c55e0 1    1    1      0x00000000           ''
0x02067858 0x823c55e0 1    1    1      0x00000000           ''
0x02067cb8 0x823c55e0 1    1    1      0x00000000           ''
0x02068128 0x823c55e0 2    1    1      0x00000000           'MSCTF.GCompartListMUTEX.DefaultS-1-5-21-1708537768-884357618-682003330-1003'
0x02068200 0x823c55e0 18   17   1      0x00000000           'CTF.TimListCache.FMPDefaultS-1-5-21-1708537768-884357618-682003330-1003MUTEX.DefaultS-1-5-21-1708537768-884357618-682003330-100'
0x02068800 0x823c55e0 1    1    1      0x00000000           ''
0x0206f3c0 0x823c55e0 1    1    1      0x00000000           ''
0x0206fb58 0x823c55e0 1    1    1      0x00000000           ''
0x0206fb98 0x823c55e0 1    1    1      0x00000000           ''
0x02070558 0x823c55e0 1    1    1      0x00000000           ''
0x02073180 0x823c55e0 5    4    1      0x00000000           'WindowsUpdateTracingMutex'
0x02073688 0x823c55e0 2    1    1      0x00000000           'DBWinMutex'
0x0207c9b0 0x823c55e0 8    7    1      0x00000000           'WininetStartupMutex'
0x0207d308 0x823c55e0 1    1    1      0x00000000           ''
0x020aa188 0x823c55e0 8    7    1      0x00000000           'WininetProxyRegistryMutex'
0x020aadf8 0x823c55e0 1    1    1      0x00000000           ''
0x020ac9a8 0x823c55e0 2    1    1      0x00000000           'c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!'
0x020acc38 0x823c55e0 1    1    1      0x00000000           ''
0x020b2180 0x823c55e0 1    1    1      0x00000000           ''
0x020b23e8 0x823c55e0 1    1    1      0x00000000           ''
0x020b6180 0x823c55e0 1    1    1      0x00000000           ''
0x020baf70 0x823c55e0 1    1    1      0x00000000           ''
0x020bafb0 0x823c55e0 1    1    1      0x00000000           ''
0x020be1f0 0x823c55e0 1    1    1      0x00000000           ''
0x020c0b20 0x823c55e0 2    1    1      0x00000000           'TapiSrv_Perf_Library_Lock_PID_1b8'
0x020c4188 0x823c55e0 1    1    1      0x00000000           ''
0x020c4f10 0x823c55e0 2    1    1      0x00000000           '238FAD3109D3473aB4764B20B3731840'
0x020c4f60 0x823c55e0 2    1    1      0x00000000           '4FCC0DEFE22C4f138FB9D5AF25FD9398'
0x020c4fb0 0x823c55e0 2    1    1      0x00000000           '0CADFD67AF62496dB34264F000F5624A'
0x020c9aa8 0x823c55e0 1    1    1      0x00000000           ''
0x020e2820 0x823c55e0 1    1    1      0x00000000           ''
0x020e4eb8 0x823c55e0 2    1    1      0x00000000           'userenv: machine policy mutex'
0x020e52b8 0x823c55e0 1    1    1      0x00000000           ''
0x020ec998 0x823c55e0 8    7    1      0x00000000           'c:!documents and settings!user!local settings!temporary internet files!content.ie5!'
0x020ed310 0x823c55e0 2    1    1      0x00000000           '_SHuassist.mtx'
0x020f3ec8 0x823c55e0 1    1    1      0x00000000           ''
0x020f4540 0x823c55e0 2    1    1      0x00000000           'PerfDisk_Perf_Library_Lock_PID_1b8'
0x020f5180 0x823c55e0 1    1    1      0x00000000           ''
0x02127d98 0x823c55e0 1    1    1      0x00000000           ''
0x0212cdb0 0x823c55e0 1    1    1      0x00000000           ''
0x0212de28 0x823c55e0 1    1    1      0x00000000           ''
0x0212df40 0x823c55e0 1    1    1      0x00000000           ''
0x02142d48 0x823c55e0 1    1    1      0x00000000           ''
0x02147180 0x823c55e0 1    1    1      0x00000000           ''
0x02147d48 0x823c55e0 1    1    1      0x00000000           ''
0x0214a430 0x823c55e0 1    1    1      0x00000000           ''
0x0214f300 0x823c55e0 1    1    1      0x00000000           ''
0x0214f340 0x823c55e0 1    1    1      0x00000000           ''
0x0214f380 0x823c55e0 1    1    1      0x00000000           ''
0x0214f3c0 0x823c55e0 1    1    1      0x00000000           ''
0x02155868 0x823c55e0 2    1    1      0x00000000           'Spooler_Perf_Library_Lock_PID_1b8'
0x02158698 0x823c55e0 5    4    1      0x00000000           'TpVcW32ListMutex'
0x0215e150 0x823c55e0 2    1    1      0x00000000           'c:!documents and settings!localservice!cookies!'
0x02185088 0x823c55e0 2    1    1      0x00000000           'TermService_Perf_Library_Lock_PID_1b8'
0x0218d160 0x823c55e0 1    1    1      0x00000000           ''
0x0218d1d0 0x823c55e0 1    1    1      0x00000000           ''
0x02197a68 0x823c55e0 1    1    1      0x00000000           ''
0x021983e8 0x823c55e0 1    1    1      0x00000000           ''
0x0219ec08 0x823c55e0 2    1    1      0x00000000           'ContentIndex_Perf_Library_Lock_PID_1b8'
0x0219f6b0 0x823c55e0 3    2    1      0x00000000           'ThinPrint-L'
0x021a09d8 0x823c55e0 2    1    1      0x00000000           'Tcpip_Perf_Library_Lock_PID_1b8'
0x021a0ac0 0x823c55e0 2    1    1      0x00000000           'PSched_Perf_Library_Lock_PID_1b8'
0x021a1548 0x823c55e0 1    1    1      0x00000000           ''
0x021a2c10 0x823c55e0 1    1    1      0x00000000           ''
0x021adb88 0x823c55e0 2    1    0      0x821bb020 2832:2836 'BYhackpsycho'
0x021b18e8 0x823c55e0 1    1    1      0x00000000           ''
0x021b19c8 0x823c55e0 1    1    1      0x00000000           ''
0x021b2c18 0x823c55e0 1    1    1      0x00000000           ''
0x021b2f80 0x823c55e0 1    1    1      0x00000000           ''
0x021b6848 0x823c55e0 1    1    1      0x00000000           ''
0x021ba638 0x823c55e0 1    1    1      0x00000000           ''
0x021baac0 0x823c55e0 2    1    1      0x00000000           'PerfOS_Perf_Library_Lock_PID_1b8'
0x021bbea8 0x823c55e0 1    1    1      0x00000000           ''
0x021bc630 0x823c55e0 8    7    1      0x00000000           'c:!documents and settings!user!cookies!'
0x021bcc90 0x823c55e0 2    1    1      0x00000000           'PerfNet_Perf_Library_Lock_PID_1b8'
0x021be828 0x823c55e0 1    1    1      0x00000000           ''
0x021c6d68 0x823c55e0 1    1    1      0x00000000           ''
0x021ca6b8 0x823c55e0 1    1    1      0x00000000           ''
0x021cc640 0x823c55e0 19   18   1      0x00000000           'CTF.TMD.MutexDefaultS-1-5-21-1708537768-884357618-682003330-1003'
0x021cc690 0x823c55e0 19   18   1      0x00000000           'CTF.Layouts.MutexDefaultS-1-5-21-1708537768-884357618-682003330-1003'
0x021cdaf0 0x823c55e0 1    1    1      0x00000000           ''
0x021d0e38 0x823c55e0 1    1    1      0x00000000           ''
0x021d0e78 0x823c55e0 1    1    1      0x00000000           ''
0x021d1878 0x823c55e0 1    1    1      0x00000000           ''
0x021d5a80 0x823c55e0 1    1    1      0x00000000           ''
0x021de570 0x823c55e0 10   9    1      0x00000000           'ZonesLockedCacheCounterMutex'
0x021df9d8 0x823c55e0 1    1    1      0x00000000           ''
0x021dfa18 0x823c55e0 1    1    1      0x00000000           ''
0x021e2ba8 0x823c55e0 1    1    1      0x00000000           ''
0x021e2be8 0x823c55e0 1    1    1      0x00000000           ''
0x021e31a0 0x823c55e0 1    1    1      0x00000000           ''
0x021e31e0 0x823c55e0 1    1    1      0x00000000           ''
0x021e3680 0x823c55e0 1    1    1      0x00000000           ''
0x021e5db0 0x823c55e0 1    1    1      0x00000000           ''
0x021e5df0 0x823c55e0 1    1    1      0x00000000           ''
0x021e5fb8 0x823c55e0 1    1    1      0x00000000           ''
0x02207a30 0x823c55e0 1    1    1      0x00000000           ''
0x02208810 0x823c55e0 1    1    1      0x00000000           ''
0x02208fb0 0x823c55e0 1    1    1      0x00000000           ''
0x0223ac50 0x823c55e0 1    1    1      0x00000000           ''
0x0223b0e0 0x823c55e0 1    1    1      0x00000000           ''
0x0223b200 0x823c55e0 1    1    1      0x00000000           ''
0x022412a0 0x823c55e0 7    6    1      0x00000000           'WininetConnectionMutex'
0x02242180 0x823c55e0 1    1    1      0x00000000           ''
0x02242438 0x823c55e0 1    1    1      0x00000000           ''
0x02242800 0x823c55e0 1    1    1      0x00000000           ''
0x02245dd0 0x823c55e0 19   18   1      0x00000000           'CTF.Compart.MutexDefaultS-1-5-21-1708537768-884357618-682003330-1003'
0x0224b4c0 0x823c55e0 1    1    1      0x00000000           ''
0x02269468 0x823c55e0 1    1    1      0x00000000           ''
0x0226b600 0x823c55e0 1    1    1      0x00000000           ''
0x0226b670 0x823c55e0 1    1    1      0x00000000           ''
0x0226d148 0x823c55e0 1    1    1      0x00000000           ''
0x02271530 0x823c55e0 1    1    1      0x00000000           ''
0x022733c0 0x823c55e0 1    1    1      0x00000000           ''
0x022737c0 0x823c55e0 1    1    1      0x00000000           ''
0x022740d0 0x823c55e0 1    1    1      0x00000000           ''
0x02274318 0x823c55e0 1    1    1      0x00000000           ''
0x022762c0 0x823c55e0 1    1    1      0x00000000           ''
0x0234eeb8 0x823c55e0 2    1    1      0x00000000           'userenv: Machine Registry policy mutex'
0x0234f260 0x823c55e0 1    1    1      0x00000000           ''
0x023511d0 0x823c55e0 1    1    1      0x00000000           ''
0x02354c38 0x823c55e0 8    7    1      0x00000000           'SHIMLIB_LOG_MUTEX'
0x02355ec8 0x823c55e0 13   12   1      0x00000000           'ShimCacheMutex'
0x023591a0 0x823c55e0 1    1    1      0x00000000           ''
0x0235e720 0x823c55e0 1    1    1      0x00000000           ''
0x02360bd0 0x823c55e0 1    1    1      0x00000000           ''
0x02360c10 0x823c55e0 1    1    1      0x00000000           ''
0x023702c8 0x823c55e0 1    1    1      0x00000000           ''
0x02398950 0x823c55e0 1    1    1      0x00000000           ''
0x0239a390 0x823c55e0 1    1    1      0x00000000           ''
0x0239ba60 0x823c55e0 2    1    1      0x00000000           'RSVP_Perf_Library_Lock_PID_1b8'
0x0239bb48 0x823c55e0 2    1    1      0x00000000           'PerfProc_Perf_Library_Lock_PID_1b8'
0x0239d3c8 0x823c55e0 2    1    0      0x8222ada8 260:284   'Instance0: ESENT Performance Data Schema Version 40'
0x0239e7c8 0x823c55e0 2    1    1      0x00000000           'DARKISBACK000001'
0x023a1fe0 0x823c55e0 1    1    1      0x00000000           ''
0x023a8200 0x823c55e0 1    1    1      0x00000000           ''
0x023a8a78 0x823c55e0 1    1    1      0x00000000           ''
0x023a8fb0 0x823c55e0 1    1    1      0x00000000           ''
0x023b3248 0x823c55e0 1    1    1      0x00000000           ''
0x023b62e0 0x823c55e0 1    1    1      0x00000000           ''
0x023b8ab0 0x823c55e0 9    8    1      0x00000000           'RasPbFile'
0x023bd1c8 0x823c55e0 1    1    1      0x00000000           ''
0x023bde30 0x823c55e0 2    1    1      0x00000000           'WPA_LICSTORE_MUTEX'
0x023bde80 0x823c55e0 2    1    1      0x00000000           'WPA_HWID_MUTEX'
0x023bded0 0x823c55e0 2    1    1      0x00000000           'WPA_LT_MUTEX'
0x023bdf20 0x823c55e0 2    1    1      0x00000000           'WPA_RT_MUTEX'
0x023bdf70 0x823c55e0 2    1    1      0x00000000           'WPA_PR_MUTEX'
0x023be470 0x823c55e0 1    1    1      0x00000000           ''
0x023bea58 0x823c55e0 1    1    1      0x00000000           ''
0x023bf410 0x823c55e0 2    1    1      0x00000000           'CtfmonInstMutexDefaultS-1-5-21-1708537768-884357618-682003330-1003'
0x023f0180 0x823c55e0 1    1    1      0x00000000           ''
0x023f0f40 0x823c55e0 1    1    1      0x00000000           ''
0x023f1470 0x823c55e0 1    1    1      0x00000000           ''
0x023f6990 0x823c55e0 1    1    1      0x00000000           ''
0x023f6d90 0x823c55e0 1    1    1      0x00000000           ''
0x023f75e8 0x823c55e0 1    1    1      0x00000000           ''
0x023f8c30 0x823c55e0 1    1    1      0x00000000           ''
0x023f9c28 0x823c55e0 2    1    1      0x00000000           'SingleSesMutex'
0x023f9fa0 0x823c55e0 10   9    1      0x00000000           'MSCTF.Shared.MUTEX.ADG'
0x023fadb8 0x823c55e0 10   9    1      0x00000000           'ZonesCounterMutex'
0x023fba28 0x823c55e0 1    1    1      0x00000000           ''
0x023fbe08 0x823c55e0 1    1    1      0x00000000           ''
0x023fc740 0x823c55e0 2    1    1      0x00000000           'msgina: InteractiveLogonRequestMutex'
0x023fc790 0x823c55e0 2    1    1      0x00000000           'msgina: InteractiveLogonMutex'
0x02400280 0x823c55e0 1    1    1      0x00000000           ''
0x024056f0 0x823c55e0 1    1    1      0x00000000           ''
0x024059e8 0x823c55e0 1    1    1      0x00000000           ''
0x02405f60 0x823c55e0 3    2    1      0x00000000           'SRDataStore'
0x024060f8 0x823c55e0 1    1    1      0x00000000           ''
0x02406168 0x823c55e0 1    1    1      0x00000000           ''
0x0240c438 0x823c55e0 1    1    1      0x00000000           ''
0x0240c4c8 0x823c55e0 1    1    1      0x00000000           ''
0x0241cd30 0x823c55e0 2    1    1      0x00000000           'ContentFilter_Perf_Library_Lock_PID_1b8'
0x0241d9b0 0x823c55e0 10   9    1      0x00000000           'ZonesCacheCounterMutex'
0x0241e180 0x823c55e0 19   18   1      0x00000000           'CTF.Asm.MutexDefaultS-1-5-21-1708537768-884357618-682003330-1003'
0x0241ec68 0x823c55e0 1    1    1      0x00000000           ''
0x0241ecd8 0x823c55e0 1    1    1      0x00000000           ''
0x0241f370 0x823c55e0 19   18   1      0x00000000           'CTF.LBES.MutexDefaultS-1-5-21-1708537768-884357618-682003330-1003'
0x024264b8 0x823c55e0 1    1    1      0x00000000           ''
0x02427130 0x823c55e0 2    1    1      0x00000000           'c:!documents and settings!user!local settings!history!history.ie5!mshist012012091220120913!'
0x0242f180 0x823c55e0 9    8    1      0x00000000           '_!MSFTHISTORY!_'
0x024322a0 0x823c55e0 1    1    1      0x00000000           ''
0x02432e58 0x823c55e0 1    1    1      0x00000000           ''
0x02440c50 0x823c55e0 2    1    1      0x00000000           'ISAPISearch_Perf_Library_Lock_PID_1b8'
0x0244d868 0x823c55e0 1    1    1      0x00000000           ''
0x02451188 0x823c55e0 2    1    1      0x00000000           'c:!documents and settings!localservice!local settings!history!history.ie5!'
0x02453c90 0x823c55e0 1    1    1      0x00000000           ''
0x02453d00 0x823c55e0 1    1    1      0x00000000           ''
0x02453d70 0x823c55e0 1    1    1      0x00000000           ''
0x02453e48 0x823c55e0 3    2    1      0x00000000           'MidiMapper_modLongMessage_RefCnt'
0x02456140 0x823c55e0 2    1    1      0x00000000           '_!SHMSFTHISTORY!_'
0x0245ab88 0x823c55e0 2    1    1      0x00000000           '746bbf3569adEncrypt'
0x0245ce50 0x823c55e0 1    1    1      0x00000000           ''
0x0245d830 0x823c55e0 1    1    1      0x00000000           ''
0x02465850 0x823c55e0 1    1    1      0x00000000           ''
0x02471798 0x823c55e0 1    1    1      0x00000000           ''
0x02471808 0x823c55e0 1    1    1      0x00000000           ''
0x02481548 0x823c55e0 1    1    1      0x00000000           ''
0x02486150 0x823c55e0 1    1    1      0x00000000           ''
0x024b64c0 0x823c55e0 1    1    1      0x00000000           ''
0x024b8788 0x823c55e0 1    1    1      0x00000000           ''
0x024bc2d0 0x823c55e0 1    1    1      0x00000000           ''
0x024bfa08 0x823c55e0 1    1    1      0x00000000           ''
0x024c9cf8 0x823c55e0 1    1    1      0x00000000           ''
0x024f39b8 0x823c55e0 1    1    1      0x00000000           ''
0x024f3bc0 0x823c55e0 1    1    1      0x00000000           ''
0x024f4190 0x823c55e0 1    1    1      0x00000000           ''
0x024f6260 0x823c55e0 1    1    1      0x00000000           ''
0x024f93d8 0x823c55e0 1    1    1      0x00000000           ''
0x024f9c28 0x823c55e0 1    1    1      0x00000000           ''
0x024fac28 0x823c55e0 2    1    1      0x00000000           'userenv: User Registry policy mutex'
0x024fcc28 0x823c55e0 2    1    1      0x00000000           'winlogon: Logon UserProfileMapping Mutex'
0x024fd150 0x823c55e0 1    1    1      0x00000000           ''
0x02503180 0x823c55e0 1    1    1      0x00000000           ''
0x02503888 0x823c55e0 1    1    1      0x00000000           ''
0x0253c9f0 0x823c55e0 2    1    1      0x00000000           'MSDTC_Perf_Library_Lock_PID_1b8'

Two columns make a mutex actionable. Thread and CID identify the thread that currently holds it (Signal is 0 for those rows): 'SunJavaUpdateSchedulerMutex' is held by 1764:1768, i.e. jusched.exe, and 'Instance0: ESENT Performance Data Schema Version 40' by 260:284, i.e. wuauclt.exe, both expected, whereas 'BYhackpsycho' is held by 2832:2836, a thread of Postales_amor--. #Hnd shows how widely a mutex is referenced: 'faebec4a-Mutex' has 36 open handles, more than any other entry in the list. Names with no obvious owner among Windows or VMware Tools components ('DARKISBACK000001', '746bbf3569adEncrypt', '_SHuassist.mtx', the three 32-hex-digit names) are the ones to pivot on: malware creates a named mutex so a second copy will not run, which makes the name one of the cheapest indicators for spotting the same family on other hosts.
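The three cross-checks used above (parent PIDs that are missing from pslist, connscan PIDs that pslist lacks, and the CID column of mutantscan resolved to a process) are easy to script over the plugins' text output instead of doing them by eye. The following is an added example, not code from the original post or from Volatility itself; the sample rows are hand-transcribed subsets of the post's output, and every function and constant name (parse_pslist, orphans, EXPECTED_PARENT, ...) is my own.

```python
"""Cross-reference Volatility 2 pslist, connscan and mutantscan text output.

Added example, not code from the original post or from Volatility. The three
samples are hand-transcribed subsets of the post's output; all names are mine.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid")
Conn = namedtuple("Conn", "local remote pid")
Mutant = namedtuple("Mutant", "name pid tid")

# Constructed sample: a subset of the post's pslist rows, same columns.
PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
0x823c8830 System               4      0      59     246    1970-01-01 00:00:00
0x82044978 smss.exe             376    4      3      21     2012-09-11 22:20:57
0x81e36020 winlogon.exe         660    376    24     521    2012-09-11 22:20:59
0x81ee5990 services.exe         704    660    15     286    2012-09-11 22:20:59
0x82153da0 svchost.exe          936    704    20     208    2012-09-11 22:20:59
0x821b93f0 explorer.exe         1552   1496   21     517    2012-09-11 22:21:01
0x81fe0880 jusched.exe          1764   1552   1      92     2012-09-11 22:21:02
0x81f56d78 Pornoarsivi.exe      2568   2260   1      46     2012-09-11 22:25:19
0x82232710 sqlupdate.exe        2768   2404   30     169    2012-09-11 22:25:26
0x8216b020 Postales_amor--      2832   2284   1      123    2012-09-11 22:25:31
0x81f64020 IEXPLORE.EXE         3288   936    9      242    2012-09-11 22:25:51
"""
# Constructed sample: two of the post's connscan rows.
CONNSCAN = """\
Offset     Local Address             Remote Address            Pid
0x02084e70 172.18.1.100:1049         209.208.79.128:80         2004
0x02164c68 172.18.1.100:1054         209.208.79.128:80         2004
"""
# Constructed sample: five of the post's mutantscan rows (CID = pid:tid of the owner).
MUTANTSCAN = """\
Offset     Obj Type   #Ptr #Hnd Signal Thread     CID       Name
0x01fc1d28 0x823c55e0 37   36   1      0x00000000           'faebec4a-Mutex'
0x02012fe0 0x823c55e0 2    1    0      0x820768b8 1764:1768 'SunJavaUpdateSchedulerMutex'
0x021adb88 0x823c55e0 2    1    0      0x821bb020 2832:2836 'BYhackpsycho'
0x0239e7c8 0x823c55e0 2    1    1      0x00000000           'DARKISBACK000001'
0x01f9dfe0 0x823c55e0 1    1    1      0x00000000           ''
"""

PS_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+")
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
MUTANT_RE = re.compile(r"^0x[0-9a-f]+\s+0x[0-9a-f]+\s+\d+\s+\d+\s+\d+\s+0x[0-9a-f]+\s+"
                       r"(?:(\d+):(\d+)\s+)?'(.*)'\s*$")

def _rows(regex, text):
    # Header and separator lines simply fail to match and are dropped.
    return filter(None, map(regex.match, text.splitlines()))

def parse_pslist(text):
    procs = {}
    for off, name, pid, ppid in (m.groups() for m in _rows(PS_RE, text)):
        procs[int(pid)] = Proc(int(off, 16), name, int(pid), int(ppid))
    return procs

def parse_connscan(text):
    return [Conn(loc, rem, int(pid)) for loc, rem, pid in (m.groups() for m in _rows(CONN_RE, text))]

def parse_mutantscan(text):
    """Named mutexes only; pid/tid stay None when no thread currently owns the mutex."""
    out = []
    for pid, tid, name in (m.groups() for m in _rows(MUTANT_RE, text)):
        if name:
            out.append(Mutant(name, int(pid) if pid else None, int(tid) if tid else None))
    return out

# Analyst assumptions, not facts from the post: on XP userinit.exe exits after
# starting the shell, so a parentless explorer.exe is normal; a browser opened
# by the user is a child of the shell.
EXPECTED_ORPHANS = {"explorer.exe"}
EXPECTED_PARENT = {"IEXPLORE.EXE": "explorer.exe"}

def orphans(procs):
    """Processes whose parent is no longer in the active list (the parent has exited)."""
    return sorted(p.name for p in procs.values()
                  if p.ppid and p.ppid not in procs and p.name not in EXPECTED_ORPHANS)

def connections_without_process(conns, procs):
    """PIDs that connscan (which also carves closed sockets) attributes to a process pslist lacks."""
    return sorted({c.pid for c in conns if c.pid not in procs})

def mutex_owners(mutants, procs):
    """Resolve the CID column to the owning process: (mutex name, process name, pid)."""
    return [(m.name, procs[m.pid].name, m.pid) for m in mutants if m.pid in procs]

def unexpected_parents(procs):
    """(child, child pid, actual parent, parent pid) where the parent is not the expected one."""
    hits = []
    for p in procs.values():
        parent, want = procs.get(p.ppid), EXPECTED_PARENT.get(p.name)
        if want and parent and parent.name != want:
            hits.append((p.name, p.pid, parent.name, parent.pid))
    return hits

if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    print("parent gone:", orphans(procs))
    print("connection PIDs not in pslist:", connections_without_process(parse_connscan(CONNSCAN), procs))
    print("owned mutexes:", mutex_owners(parse_mutantscan(MUTANTSCAN), procs))
    print("unexpected parents:", unexpected_parents(procs))
```

Run against the full output of the three plugins (redirect each one to a file and read it in place of the constants), it reports the three parentless samples, PID 2004 from connscan, 'BYhackpsycho' resolved to Postales_amor-- and IEXPLORE.EXE spawned by svchost.exe. The two EXPECTED_* tables are where a baseline for a given Windows version would go; they are deliberately tiny here.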

Finally, with malfind we dump the memory regions where code appears to have been injected. The plugin looks for private memory (regions tagged VadS here, i.e. not backed by any file) whose protection is PAGE_EXECUTE_READWRITE; a legitimately loaded image is file-backed and is never mapped writable and executable at the same time, so every hit deserves a look. With --dump-dir each region is written to its own .dmp file:

root@remnux:/home/remnux/volatility# volatility -f memory malfind --dump-dir dumps/
PocoSaCal%203.4 2804 0x016a0000 0x016eefff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/PocoSaCal%203.4.2161af0.016a0000-016eefff.dmp
0x016a0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
0x016a0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0x016a0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x016a0030  00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00  ................
0x016a0040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
0x016a0050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno
0x016a0060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS 
0x016a0070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......

Postales_amor-- 2832 0x01300000 0x0134efff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/Postales_amor--.236b020.01300000-0134efff.dmp
0x01300000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
0x01300010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0x01300020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01300030  00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00  ................
0x01300040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
0x01300050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno
0x01300060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS 
0x01300070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......

Postales_amor-- 2832 0x012f0000 0x012f0fff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/Postales_amor--.236b020.012f0000-012f0fff.dmp
0x012f0000  80 0b 01 00 00 00 00 00 80 0c 01 00 00 00 00 00  ................
0x012f0010  00 0e 01 00 00 00 00 00 10 0e 01 00 00 00 00 00  ................
0x012f0020  00 0e 01 00 00 00 00 00 16 00 00 00 4c 00 00 00  ............L...
0x012f0030  0c 00 00 00 5c 02 00 00 02 00 00 00 ec 02 00 00  ....\...........
0x012f0040  01 00 00 00 04 03 00 00 05 00 00 00 74 16 01 00  ............t...
0x012f0050  c8 35 01 00 90 63 00 00 9c 9b 04 00 b0 0b 01 00  .5...c..........
0x012f0060  04 00 c0 ff 74 16 01 00 b0 35 01 00 40 66 00 00  ....t....5..@f..
0x012f0070  a0 9b 04 00 b0 0b 01 00 04 00 c0 ff f4 13 01 00  ................
Disassembly:
012f0000: 800b01          OR BYTE [EBX], 0x1
012f0003: 0000            ADD [EAX], AL
012f0005: 0000            ADD [EAX], AL
012f0007: 00800c010000    ADD [EAX+0x10c], AL
012f000d: 0000            ADD [EAX], AL
012f000f: 0000            ADD [EAX], AL
012f0011: 0e              PUSH CS
012f0012: 0100            ADD [EAX], EAX
012f0014: 0000            ADD [EAX], AL
012f0016: 0000            ADD [EAX], AL

wmiprvse.exe 2852 0x00b70000 0x00b70fff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/wmiprvse.exe.246e020.00b70000-00b70fff.dmp
0x00b70000  80 0b 01 00 00 00 00 00 80 0c 01 00 00 00 00 00  ................
0x00b70010  00 0e 01 00 00 00 00 00 10 0e 01 00 00 00 00 00  ................
0x00b70020  00 0e 01 00 00 00 00 00 16 00 00 00 4c 00 00 00  ............L...
0x00b70030  0c 00 00 00 5c 02 00 00 02 00 00 00 ec 02 00 00  ....\...........
0x00b70040  01 00 00 00 04 03 00 00 05 00 00 00 74 16 01 00  ............t...
0x00b70050  c8 35 01 00 90 63 00 00 9c 9b 04 00 b0 0b 01 00  .5...c..........
0x00b70060  04 00 c0 ff 74 16 01 00 b0 35 01 00 40 66 00 00  ....t....5..@f..
0x00b70070  a0 9b 04 00 b0 0b 01 00 04 00 c0 ff f4 13 01 00  ................
Disassembly:
00b70000: 800b01          OR BYTE [EBX], 0x1
00b70003: 0000            ADD [EAX], AL
00b70005: 0000            ADD [EAX], AL
00b70007: 00800c010000    ADD [EAX+0x10c], AL
00b7000d: 0000            ADD [EAX], AL
00b7000f: 0000            ADD [EAX], AL
00b70011: 0e              PUSH CS
00b70012: 0100            ADD [EAX], EAX
00b70014: 0000            ADD [EAX], AL
00b70016: 0000            ADD [EAX], AL

wmiprvse.exe 2852 0x00b80000 0x00bcefff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/wmiprvse.exe.246e020.00b80000-00bcefff.dmp
0x00b80000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
0x00b80010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0x00b80020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00b80030  00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00  ................
0x00b80040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
0x00b80050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno
0x00b80060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS 
0x00b80070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......

IEXPLORE.EXE 3288 0x011e0000 0x011e0fff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/IEXPLORE.EXE.2164020.011e0000-011e0fff.dmp
0x011e0000  80 0b 01 00 00 00 00 00 80 0c 01 00 00 00 00 00  ................
0x011e0010  00 0e 01 00 00 00 00 00 10 0e 01 00 00 00 00 00  ................
0x011e0020  00 0e 01 00 00 00 00 00 16 00 00 00 4c 00 00 00  ............L...
0x011e0030  0c 00 00 00 5c 02 00 00 02 00 00 00 ec 02 00 00  ....\...........
0x011e0040  01 00 00 00 04 03 00 00 05 00 00 00 74 16 01 00  ............t...
0x011e0050  c8 35 01 00 90 63 00 00 9c 9b 04 00 b0 0b 01 00  .5...c..........
0x011e0060  04 00 c0 ff 74 16 01 00 b0 35 01 00 40 66 00 00  ....t....5..@f..
0x011e0070  a0 9b 04 00 b0 0b 01 00 04 00 c0 ff f4 13 01 00  ................
Disassembly:
011e0000: 800b01          OR BYTE [EBX], 0x1
011e0003: 0000            ADD [EAX], AL
011e0005: 0000            ADD [EAX], AL
011e0007: 00800c010000    ADD [EAX+0x10c], AL
011e000d: 0000            ADD [EAX], AL
011e000f: 0000            ADD [EAX], AL
011e0011: 0e              PUSH CS
011e0012: 0100            ADD [EAX], EAX
011e0014: 0000            ADD [EAX], AL
011e0016: 0000            ADD [EAX], AL

IEXPLORE.EXE 3288 0x01820000 0x0186efff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/IEXPLORE.EXE.2164020.01820000-0186efff.dmp
0x01820000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
0x01820010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0x01820020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01820030  00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00  ................
0x01820040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
0x01820050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno
0x01820060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS 
0x01820070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......

What the output tells us: four regions begin with an MZ/DOS header (in PIDs 2804, 2832, 2852 and 3288) and each spans exactly 0x4f000 bytes (0x016a0000-0x016eefff, 0x01300000-0x0134efff, 0x00b80000-0x00bcefff, 0x01820000-0x0186efff), so the same PE image has been written into four processes, two of which, wmiprvse.exe and IEXPLORE.EXE, are legitimate Windows binaries being used as hosts. The three single-page regions (0x012f0000, 0x00b70000, 0x011e0000) are byte-for-byte identical and hold small 32-bit values (0x10b80, 0x10c80, 0x10e00, ...), not instructions; malfind disassembles the first bytes of any region that does not start with MZ, so the "ADD [EAX], AL" listing there is noise rather than shellcode. Because the MZ regions start at a page boundary with an intact header, the .dmp files in dumps/ can be hashed and compared against the samples on disk or loaded into a disassembler as in-memory PEs (section offsets are virtual, not file-aligned, as with any image dumped from memory).
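The reading above (which regions are PE images, which are data pages, and which of them are the same blob in several hosts) can be automated by parsing malfind's text and reassembling the hexdump rows into bytes. The following is an added example, not code from the original post or from Volatility; its input is a trimmed, hand-transcribed subset of the output above (the first four hexdump rows of three regions, in the same layout), and the function names (parse_malfind, classify, shared_blobs, triage) are my own.

```python
"""Post-process Volatility 2 malfind text output: rebuild each region's bytes,
tell PE images from data pages, and spot one blob injected into several hosts.

Added example, not code from the original post or from Volatility. The sample
is a trimmed, hand-transcribed subset of the post's output (first four hexdump
rows of three regions); all function names are mine.
"""
import re
import struct
from collections import defaultdict

# Constructed sample in the layout shown above: region header, "Dumped to:",
# hexdump rows (address, 16 hex bytes, ASCII) and, for non-MZ regions, a listing.
MALFIND = """\
PocoSaCal%203.4 2804 0x016a0000 0x016eefff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/PocoSaCal%203.4.2161af0.016a0000-016eefff.dmp
0x016a0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x016a0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x016a0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x016a0030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................
Postales_amor-- 2832 0x012f0000 0x012f0fff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/Postales_amor--.236b020.012f0000-012f0fff.dmp
0x012f0000 80 0b 01 00 00 00 00 00 80 0c 01 00 00 00 00 00 ................
0x012f0010 00 0e 01 00 00 00 00 00 10 0e 01 00 00 00 00 00 ................
0x012f0020 00 0e 01 00 00 00 00 00 16 00 00 00 4c 00 00 00 ............L...
0x012f0030 0c 00 00 00 5c 02 00 00 02 00 00 00 ec 02 00 00 ....\\...........
Disassembly:
012f0000: 800b01 OR BYTE [EBX], 0x1
IEXPLORE.EXE 3288 0x011e0000 0x011e0fff VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: dumps/IEXPLORE.EXE.2164020.011e0000-011e0fff.dmp
0x011e0000 80 0b 01 00 00 00 00 00 80 0c 01 00 00 00 00 00 ................
0x011e0010 00 0e 01 00 00 00 00 00 10 0e 01 00 00 00 00 00 ................
0x011e0020 00 0e 01 00 00 00 00 00 16 00 00 00 4c 00 00 00 ............L...
0x011e0030 0c 00 00 00 5c 02 00 00 02 00 00 00 ec 02 00 00 ....\\...........
"""

# Region header: name pid start end tag hits protection.
REGION_RE = re.compile(r"^(\S+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\w+)\s+\d+\s+(PAGE_\w+)\s*$")
# Hexdump row: 8-digit address then up to 16 byte pairs; the ASCII column is ignored.
HEX_RE = re.compile(r"^0x[0-9a-f]{8}((?:\s+[0-9a-f]{2}\b){1,16})")

def parse_malfind(text):
    """One dict per region; the hexdump rows are reassembled into the region's leading bytes."""
    regions, cur = [], None
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if m:
            name, pid, start, end, tag, prot = m.groups()
            cur = {"name": name, "pid": int(pid), "start": int(start, 16),
                   "end": int(end, 16), "tag": tag, "protect": prot, "data": bytearray()}
            regions.append(cur)
            continue
        m = HEX_RE.match(line)
        if m and cur is not None:  # disassembly lines have no 0x prefix and are skipped
            cur["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return regions

def classify(region):
    """('pe', e_lfanew) when the region starts with a DOS header, else ('data', None)."""
    d = region["data"]
    if d[:2] == b"MZ" and len(d) >= 0x40:
        return "pe", struct.unpack_from("<I", d, 0x3c)[0]   # e_lfanew lives at offset 0x3c
    return "data", None

def shared_blobs(regions):
    """Groups of regions whose recovered bytes are identical: one injector, several hosts."""
    groups = defaultdict(list)
    for r in regions:
        groups[bytes(r["data"])].append((r["name"], r["pid"], r["start"]))
    return [hosts for hosts in groups.values() if len(hosts) > 1]

def triage(text):
    """(name, pid, start, size, protection, kind, e_lfanew) for every region in the output."""
    return [(r["name"], r["pid"], r["start"], r["end"] - r["start"] + 1, r["protect"]) + classify(r)
            for r in parse_malfind(text)]

if __name__ == "__main__":
    for row in triage(MALFIND):
        print(row)
    print("identical across hosts:", shared_blobs(parse_malfind(MALFIND)))
```

Only the bytes malfind prints (the first 0x80 of each region) are recovered this way; for the full image open the .dmp file instead, which is why the script reports e_lfanew (0xe8 here) rather than trying to parse the PE header it cannot see.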

And that's it, a post on Volatility :D
