Misc of CTF-Memory Analysis (Volatility)
2022-07-30 06:34:00 【[email protected]】
Introduction to Volatility:
Volatility is an open-source, Python-based memory forensics toolset that can analyze a wide range of data held in memory. It supports extracting and analyzing RAM captures from 32-bit and 64-bit Windows, Linux, Mac, and Android systems. (Newer Kali releases do not ship Volatility; you have to download it yourself, and it needs a working Python environment.)
Using volatility:
Preparation:
volatility -f <memory image> imageinfo
This yields the value to pass as --profile.
The imageinfo plugin guesses the profile for the dump file; here it is WinXPSP2x86:
volatility -f mem.vmem imageinfo
List processes:
volatility -f mem.vmem --profile=WinXPSP2x86 pslist
List the registry hives cached in memory:
volatility -f mem.vmem --profile=WinXPSP2x86 hivelist
hivedump prints the keys stored in a registry hive (-o takes the hive's virtual address from hivelist):
volatility -f mem.vmem --profile=WinXPSP2x86 hivedump -o <virtual address of the hive>
Get users in SAM table:
volatility -f mem.vmem --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"
Four users can be seen in the screenshot below.
Get the last login account:
volatility -f mem.vmem --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Extract the information recorded in memory about which programs were run, how many times they were run, and when they last ran:
volatility -f mem.vmem --profile=WinXPSP2x86 userassist
Dump a process's memory to a .dmp file (the memdump plugin; the plugin name was missing from the original command line):
volatility -f mem.vmem --profile=WinXPSP2x86 memdump -p [PID] -D [directory where the dumped files are saved]
Extract cmd command usage retained in memory:
volatility -f mem.vmem --profile=WinXPSP2x86 cmdscan
Get the current network connection:
volatility -f mem.vmem --profile=WinXPSP2x86 netscan
Get the usage of IE browser:
volatility -f mem.vmem --profile=WinXPSP2x86 iehistory
Get the system password hashes from memory (hashdump; -y is the virtual address of the SYSTEM hive and -s that of the SAM hive, both taken from the hivelist output):
volatility -f mem.vmem --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe16aab60
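Since the -y/-s addresses must be copied from hivelist by hand, here is an added helper (not part of the original post) that parses hivelist output and builds the hashdump command line. It assumes the Volatility 2 hivelist column layout (Virtual, Physical, Name); the hivelist text below is constructed sample data that reuses the addresses from this post.

```shell
#!/bin/sh
# Added example, not from the original post: derive hashdump's -y (SYSTEM hive)
# and -s (SAM hive) arguments from hivelist output instead of copying by hand.

# Constructed sample of Volatility 2 hivelist output. Real output comes from:
#   volatility -f mem.vmem --profile=WinXPSP2x86 hivelist
SAMPLE_HIVELIST='Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x01a35b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe16aab60 0x01d4ab60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1a2b008 0x021d2008 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT'

# hive_vaddr <hivelist-text> <hive-file-name>
# Prints the virtual address of the hive whose path ends in the given file name.
# The comparison is case-insensitive because XP reports "system" but "SAM".
hive_vaddr() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^0x[0-9a-f]+$/ {          # skip the header and separator lines
            n = $NF; sub(/.*\\/, "", n) # keep only the last path component
            if (tolower(n) == want) { print $1; exit }
        }'
}

# hashdump_cmd <image> <profile> <hivelist-text>
# Prints the hashdump command line, or fails if either hive is missing
# (for example when hivelist was run against the wrong profile).
hashdump_cmd() {
    sys=$(hive_vaddr "$3" system)
    sam=$(hive_vaddr "$3" SAM)
    if [ -z "$sys" ] || [ -z "$sam" ]; then
        echo "error: SYSTEM or SAM hive not found in hivelist output" >&2
        return 1
    fi
    printf 'volatility -f %s --profile=%s hashdump -y %s -s %s\n' "$1" "$2" "$sys" "$sam"
}

# Demo on the constructed sample; pipe real hivelist output in the same way.
hashdump_cmd mem.vmem WinXPSP2x86 "$SAMPLE_HIVELIST"
```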
Attached tool download address: https://github.com/volatilityfoundation
Copyright notice
This article was written by [[email protected]]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/211/202207300539173598.html