ubuntu linux 에서 Volatility 설치
1. 필요 라이브러리 설치
|
1 2 |
$ sudo apt-get update $ sudo apt-get install build-essential subversion pcregrep libpcre++-dev python-dev sqlite3 libsqlite3-dev -y |
proxy 환경일 경우 apt-get를 아래와 같이 설정한다.
|
1 2 3 |
$ cat /etc/apt/apt.conf Acquire::http::proxy "http://xxx.xxx.xxx.xxx:8080/"; Acquire::https::proxy "https://xxx.xxx.xxx.xxx:8080/"; |
또는
|
1 |
sudo http_proxy='http://xxx.xxx.xxx.xxx:8080/' apt-get install package-name |
2. Volatility 설치
|
1 |
$ svn checkout http://volatility.googlecode.com/svn/trunk Volatility |
proxy 환경일 경우 svn 를 아래와 같이 설정한다.
|
1 2 3 4 5 6 |
$ cat ~/.subversion/servers ... [global] ... http-proxy-host = xxx.xxx.xxx.xxx http-proxy-port = 8080 |
3. python module 설치
proxy 환경일 경우 wget를 아래와 같이 설정한다.
|
1 2 3 4 5 |
$ cat /etc/wgetrc ... https_proxy = http://xxx.xxx.xxx.xxx:8080/ http_proxy = http://xxx.xxx.xxx.xxx:8080/ use_proxy = on |
– Distorm3
|
1 2 3 4 5 |
$ wget http://distorm.googlecode.com/files/distorm-package3.1.zip $ unzip distorm-package3.1.zip $ cd distorm3 $ python setup.py build $ sudo python setup.py build install |
– YARA
|
1 2 3 4 5 6 |
$ wget http://yara-project.googlecode.com/files/yara-1.7.tar.gz $ tar -xvzf yara-1.7.tar.gz $ cd yara-1.7 $ ./configure $ make $ sudo make install |
– Yara-Python
|
1 2 3 4 5 |
$ wget http://yara-project.googlecode.com/files/yara-python-1.7.tar.gz $ tar -xvzf yara-python-1.7.tar.gz $ cd yara-python-1.7 $ python setup.py build $ sudo python setup.py build install |
– PyCrypto
|
1 2 3 4 5 |
$ wget --no-check-certificate http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz $ tar -xvzf pycrypto-2.6.1.tar.gz $ cd pycrypto-2.6.1 $ python setup.py build $ sudo python setup.py build install |
4. Volatility Plugin 설치
– Malware Plugins
|
1 2 |
$ cd ~/Volatility/volatility/plugins/ $ wget http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py |
– proccmd Plugins
|
1 |
$ wget http://maj3sty.tistory.com/attachment/cfile21.uf@22318D4451FDCE442C8A58.py --output-document proccmd.py |
– virustotal Plugins
|
1 |
$ wget --no-check-certificate https://raw.githubusercontent.com/Sebastienbr/Volatility/master/plugins/virustotal.py |
설치 완료!
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
$ python vol.py -h Volatility Foundation Volatility Framework 2.3.1 Usage: Volatility - A memory forensics analysis platform. Options: -h, --help list all available options and their default values. Default values may be set in the configuration file (/etc/volatilityrc) --conf-file=/home/apollo89/.volatilityrc User based configuration file -d, --debug Debug volatility --plugins=PLUGINS Additional plugin directories to use (colon separated) --info Print information about all registered objects --cache-directory=/home/apollo89/.cache/volatility Directory where cache files are stored --cache Use caching --tz=TZ Sets the timezone for displaying timestamps -f FILENAME, --filename=FILENAME Filename to use when opening an image --profile=WinXPSP2x86 Name of the profile to load -l LOCATION, --location=LOCATION A URN location from which to load an address space -w, --write Enable write support --dtb=DTB DTB Address --output=text Output in this format (format support is module specific) --output-file=OUTPUT_FILE write output in this file -v, --verbose Verbose information --shift=SHIFT Mac KASLR shift address -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address -k KPCR, --kpcr=KPCR Specify a specific KPCR address Supported Plugin Commands: apihooks Detect API hooks in process and kernel memory atoms Print session and window station atom tables atomscan Pool scanner for _RTL_ATOM_TABLE bioskbd Reads the keyboard buffer from Real Mode memory callbacks Print system-wide notification routines clipboard Extract the contents of the windows clipboard cmdscan Extract command history by scanning for _COMMAND_HISTORY connections Print list of open connections [Windows XP and 2003 Only] connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections) consoles Extract command history by scanning for _CONSOLE_INFORMATION crashinfo Dump crash-dump information deskscan Poolscaner for tagDESKTOP (desktops) devicetree Show device tree dlldump Dump DLLs from a process address space dlllist Print list of loaded dlls for each process driverirp Driver IRP hook detection driverscan Scan for driver objects _DRIVER_OBJECT dumpcerts Dump RSA private and public SSL keys dumpfiles Extract memory mapped and cached files envars Display process environment variables eventhooks Print details on windows event hooks evtlogs Extract Windows Event Logs (XP/2003 only) filescan Scan Physical memory for _FILE_OBJECT pool allocations gahti Dump the USER handle type information gditimers Print installed GDI timers and callbacks gdt Display Global Descriptor Table getservicesids Get the names of services in the Registry and return Calculated SID getsids Print the SIDs owning each process handles Print list of open handles for each process hashdump Dumps passwords hashes (LM/NTLM) from memory hibinfo Dump hibernation file information hivedump Prints out a hive hivelist Print list of registry hives. hivescan Scan Physical memory for _CMHIVE objects (registry hives) hpakextract Extract physical memory from an HPAK file hpakinfo Info on an HPAK file idt Display Interrupt Descriptor Table iehistory Reconstruct Internet Explorer cache / history imagecopy Copies a physical address space out as a raw DD image imageinfo Identify information for the image impscan Scan for calls to imported functions kdbgscan Search for and dump potential KDBG values kpcrscan Search for and dump potential KPCR values ldrmodules Detect unlinked DLLs lsadump Dump (decrypted) LSA secrets from the registry machoinfo Dump Mach-O file format information malfind Find hidden and injected code mbrparser Scans for and parses potential Master Boot Records (MBRs) memdump Dump the addressable memory for a process memmap Print the memory map messagehooks List desktop and thread window message hooks mftparser Scans for and parses potential MFT entries moddump Dump a kernel driver to an executable file sample modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects modules Print list of loaded modules mutantscan Scan for mutant objects _KMUTANT patcher Patches memory based on page scans printkey Print a registry key, and its subkeys and values privs Display process privileges procexedump Dump a process to an executable file sample procmemdump Dump a process to an executable memory sample pslist Print all running processes by following the EPROCESS lists psscan Scan Physical memory for _EPROCESS pool allocations pstree Print process list as a tree psxview Find hidden processes with various process listings raw2dmp Converts a physical memory sample to a windbg crash dump screenshot Save a pseudo-screenshot based on GDI windows sessions List details on _MM_SESSION_SPACE (user logon sessions) shellbags Prints ShellBags info shimcache Parses the Application Compatibility Shim Cache registry key sockets Print list of open sockets sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets) ssdt Display SSDT entries strings Match physical offsets to virtual addresses (may take a while, VERY verbose) svcscan Scan for Windows services symlinkscan Scan for symbolic link objects thrdscan Scan physical memory for _ETHREAD objects threads Investigate _ETHREAD and _KTHREADs timeliner Creates a timeline from various artifacts in memory timers Print kernel timers and associated module DPCs unloadedmodules Print list of unloaded modules userassist Print userassist registry keys and information userhandles Dump the USER handle tables vaddump Dumps out the vad sections to a file vadinfo Dump the VAD info vadtree Walk the VAD tree and display in tree format vadwalk Walk the VAD tree vboxinfo Dump virtualbox information vmwareinfo Dump VMware VMSS/VMSN information volshell Shell in the memory image windows Print Desktop Windows (verbose details) wintree Print Z-Order Desktop Windows Tree wndscan Pool scanner for tagWINDOWSTATION (window stations) yarascan Scan process or kernel memory with Yara signatures |