ubuntu linux \uc5d0\uc11c Volatility \uc124\uce58<\/p>\n
1. \ud544\uc694 \ub77c\uc774\ube0c\ub7ec\ub9ac \uc124\uce58<\/p>\n
$ sudo apt-get update\r\n$ sudo apt-get install build-essential subversion pcregrep libpcre++-dev python-dev sqlite3 libsqlite3-dev -y<\/pre>\nproxy \ud658\uacbd\uc77c \uacbd\uc6b0 apt-get\ub97c \uc544\ub798\uc640 \uac19\uc774 \uc124\uc815\ud55c\ub2e4.<\/p>\n
$ cat \/etc\/apt\/apt.conf\r\nAcquire::http::proxy \"http:\/\/xxx.xxx.xxx.xxx:8080\/\";\r\nAcquire::https::proxy \"https:\/\/xxx.xxx.xxx.xxx:8080\/\";\r\n<\/pre>\n\ub610\ub294 <\/p>\n
sudo http_proxy='http:\/\/xxx.xxx.xxx.xxx:8080\/' apt-get install package-name<\/pre>\n2. Volatility \uc124\uce58<\/p>\n
$ svn checkout http:\/\/volatility.googlecode.com\/svn\/trunk Volatility<\/pre>\nproxy \ud658\uacbd\uc77c \uacbd\uc6b0 svn \ub97c \uc544\ub798\uc640 \uac19\uc774 \uc124\uc815\ud55c\ub2e4.<\/p>\n
$ cat ~\/.subversion\/servers \r\n...\r\n[global]\r\n...\r\nhttp-proxy-host = xxx.xxx.xxx.xxx\r\nhttp-proxy-port = 8080<\/pre>\n3. python module \uc124\uce58<\/p>\n
proxy \ud658\uacbd\uc77c \uacbd\uc6b0 wget\ub97c \uc544\ub798\uc640 \uac19\uc774 \uc124\uc815\ud55c\ub2e4.<\/p>\n
$ cat \/etc\/wgetrc\r\n...\r\nhttps_proxy = http:\/\/xxx.xxx.xxx.xxx:8080\/\r\nhttp_proxy = http:\/\/xxx.xxx.xxx.xxx:8080\/\r\nuse_proxy = on\r\n<\/pre>\n– Distorm3<\/p>\n
$ wget http:\/\/distorm.googlecode.com\/files\/distorm-package3.1.zip\r\n$ unzip distorm-package3.1.zip\r\n$ cd distorm3\r\n$ python setup.py build\r\n$ sudo python setup.py build install<\/pre>\n– YARA<\/p>\n
$ wget http:\/\/yara-project.googlecode.com\/files\/yara-1.7.tar.gz\r\n$ tar -xvzf yara-1.7.tar.gz\r\n$ cd yara-1.7\r\n$ .\/configure\r\n$ make\r\n$ sudo make install<\/pre>\n– Yara-Python<\/p>\n
$ wget http:\/\/yara-project.googlecode.com\/files\/yara-python-1.7.tar.gz\r\n$ tar -xvzf yara-python-1.7.tar.gz\r\n$ cd yara-python-1.7\r\n$ python setup.py build\r\n$ sudo python setup.py build install<\/pre>\n– PyCrypto<\/p>\n
$ wget --no-check-certificate http:\/\/ftp.dlitz.net\/pub\/dlitz\/crypto\/pycrypto\/pycrypto-2.6.1.tar.gz\r\n$ tar -xvzf pycrypto-2.6.1.tar.gz\r\n$ cd pycrypto-2.6.1\r\n$ python setup.py build\r\n$ sudo python setup.py build install<\/pre>\n4. Volatility Plugin \uc124\uce58
\n– Malware Plugins<\/p>\n$ cd ~\/Volatility\/volatility\/plugins\/\r\n$ wget http:\/\/code.google.com\/p\/malwarecookbook\/source\/browse\/trunk\/malware.py<\/pre>\n– proccmd Plugins<\/p>\n
$ wget http:\/\/maj3sty.tistory.com\/attachment\/cfile21.uf@22318D4451FDCE442C8A58.py --output-document proccmd.py<\/pre>\n– virustotal Plugins<\/p>\n
$ wget --no-check-certificate https:\/\/raw.githubusercontent.com\/Sebastienbr\/Volatility\/master\/plugins\/virustotal.py<\/pre>\n\uc124\uce58 \uc644\ub8cc!<\/p>\n
$ python vol.py -h\r\nVolatility Foundation Volatility Framework 2.3.1\r\nUsage: Volatility - A memory forensics analysis platform.\r\n\r\nOptions:\r\n -h, --help list all available options and their default values.\r\n Default values may be set in the configuration file\r\n (\/etc\/volatilityrc)\r\n --conf-file=\/home\/apollo89\/.volatilityrc\r\n User based configuration file\r\n -d, --debug Debug volatility\r\n --plugins=PLUGINS Additional plugin directories to use (colon separated)\r\n --info Print information about all registered objects\r\n --cache-directory=\/home\/apollo89\/.cache\/volatility\r\n Directory where cache files are stored\r\n --cache Use caching\r\n --tz=TZ Sets the timezone for displaying timestamps\r\n -f FILENAME, --filename=FILENAME\r\n Filename to use when opening an image\r\n --profile=WinXPSP2x86\r\n Name of the profile to load\r\n -l LOCATION, --location=LOCATION\r\n A URN location from which to load an address space\r\n -w, --write Enable write support\r\n --dtb=DTB DTB Address\r\n --output=text Output in this format (format support is module\r\n specific)\r\n --output-file=OUTPUT_FILE\r\n write output in this file\r\n -v, --verbose Verbose information\r\n --shift=SHIFT Mac KASLR shift address\r\n -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address\r\n -k KPCR, --kpcr=KPCR Specify a specific KPCR address\r\n\r\n\tSupported Plugin Commands:\r\n\r\n\t\tapihooks \tDetect API hooks in process and kernel memory\r\n\t\tatoms \tPrint session and window station atom tables\r\n\t\tatomscan \tPool scanner for _RTL_ATOM_TABLE\r\n\t\tbioskbd \tReads the keyboard buffer from Real Mode memory\r\n\t\tcallbacks \tPrint system-wide notification routines\r\n\t\tclipboard \tExtract the contents of the windows clipboard\r\n\t\tcmdscan \tExtract command history by scanning for _COMMAND_HISTORY\r\n\t\tconnections \tPrint list of open connections [Windows XP and 2003 Only]\r\n\t\tconnscan \tScan Physical memory for _TCPT_OBJECT objects (tcp connections)\r\n\t\tconsoles \tExtract command history by scanning for _CONSOLE_INFORMATION\r\n\t\tcrashinfo \tDump crash-dump information\r\n\t\tdeskscan \tPoolscaner for tagDESKTOP (desktops)\r\n\t\tdevicetree \tShow device tree\r\n\t\tdlldump \tDump DLLs from a process address space\r\n\t\tdlllist \tPrint list of loaded dlls for each process\r\n\t\tdriverirp \tDriver IRP hook detection\r\n\t\tdriverscan \tScan for driver objects _DRIVER_OBJECT \r\n\t\tdumpcerts \tDump RSA private and public SSL keys\r\n\t\tdumpfiles \tExtract memory mapped and cached files\r\n\t\tenvars \tDisplay process environment variables\r\n\t\teventhooks \tPrint details on windows event hooks\r\n\t\tevtlogs \tExtract Windows Event Logs (XP\/2003 only)\r\n\t\tfilescan \tScan Physical memory for _FILE_OBJECT pool allocations\r\n\t\tgahti \tDump the USER handle type information\r\n\t\tgditimers \tPrint installed GDI timers and callbacks\r\n\t\tgdt \tDisplay Global Descriptor Table\r\n\t\tgetservicesids \tGet the names of services in the Registry and return Calculated SID\r\n\t\tgetsids \tPrint the SIDs owning each process\r\n\t\thandles \tPrint list of open handles for each process\r\n\t\thashdump \tDumps passwords hashes (LM\/NTLM) from memory\r\n\t\thibinfo \tDump hibernation file information\r\n\t\thivedump \tPrints out a hive\r\n\t\thivelist \tPrint list of registry hives.\r\n\t\thivescan \tScan Physical memory for _CMHIVE objects (registry hives)\r\n\t\thpakextract \tExtract physical memory from an HPAK file\r\n\t\thpakinfo \tInfo on an HPAK file\r\n\t\tidt \tDisplay Interrupt Descriptor Table\r\n\t\tiehistory \tReconstruct Internet Explorer cache \/ history\r\n\t\timagecopy \tCopies a physical address space out as a raw DD image\r\n\t\timageinfo \tIdentify information for the image \r\n\t\timpscan \tScan for calls to imported functions\r\n\t\tkdbgscan \tSearch for and dump potential KDBG values\r\n\t\tkpcrscan \tSearch for and dump potential KPCR values\r\n\t\tldrmodules \tDetect unlinked DLLs\r\n\t\tlsadump \tDump (decrypted) LSA secrets from the registry\r\n\t\tmachoinfo \tDump Mach-O file format information\r\n\t\tmalfind \tFind hidden and injected code\r\n\t\tmbrparser \tScans for and parses potential Master Boot Records (MBRs) \r\n\t\tmemdump \tDump the addressable memory for a process\r\n\t\tmemmap \tPrint the memory map\r\n\t\tmessagehooks \tList desktop and thread window message hooks\r\n\t\tmftparser \tScans for and parses potential MFT entries \r\n\t\tmoddump \tDump a kernel driver to an executable file sample\r\n\t\tmodscan \tScan Physical memory for _LDR_DATA_TABLE_ENTRY objects\r\n\t\tmodules \tPrint list of loaded modules\r\n\t\tmutantscan \tScan for mutant objects _KMUTANT \r\n\t\tpatcher \tPatches memory based on page scans\r\n\t\tprintkey \tPrint a registry key, and its subkeys and values\r\n\t\tprivs \tDisplay process privileges\r\n\t\tprocexedump \tDump a process to an executable file sample\r\n\t\tprocmemdump \tDump a process to an executable memory sample\r\n\t\tpslist \tPrint all running processes by following the EPROCESS lists \r\n\t\tpsscan \tScan Physical memory for _EPROCESS pool allocations\r\n\t\tpstree \tPrint process list as a tree\r\n\t\tpsxview \tFind hidden processes with various process listings\r\n\t\traw2dmp \tConverts a physical memory sample to a windbg crash dump\r\n\t\tscreenshot \tSave a pseudo-screenshot based on GDI windows\r\n\t\tsessions \tList details on _MM_SESSION_SPACE (user logon sessions)\r\n\t\tshellbags \tPrints ShellBags info\r\n\t\tshimcache \tParses the Application Compatibility Shim Cache registry key\r\n\t\tsockets \tPrint list of open sockets\r\n\t\tsockscan \tScan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)\r\n\t\tssdt \tDisplay SSDT entries\r\n\t\tstrings \tMatch physical offsets to virtual addresses (may take a while, VERY verbose)\r\n\t\tsvcscan \tScan for Windows services\r\n\t\tsymlinkscan \tScan for symbolic link objects \r\n\t\tthrdscan \tScan physical memory for _ETHREAD objects\r\n\t\tthreads \tInvestigate _ETHREAD and _KTHREADs\r\n\t\ttimeliner \tCreates a timeline from various artifacts in memory \r\n\t\ttimers \tPrint kernel timers and associated module DPCs\r\n\t\tunloadedmodules\tPrint list of unloaded modules\r\n\t\tuserassist \tPrint userassist registry keys and information\r\n\t\tuserhandles \tDump the USER handle tables\r\n\t\tvaddump \tDumps out the vad sections to a file\r\n\t\tvadinfo \tDump the VAD info\r\n\t\tvadtree \tWalk the VAD tree and display in tree format\r\n\t\tvadwalk \tWalk the VAD tree\r\n\t\tvboxinfo \tDump virtualbox information\r\n\t\tvmwareinfo \tDump VMware VMSS\/VMSN information\r\n\t\tvolshell \tShell in the memory image\r\n\t\twindows \tPrint Desktop Windows (verbose details)\r\n\t\twintree \tPrint Z-Order Desktop Windows Tree\r\n\t\twndscan \tPool scanner for tagWINDOWSTATION (window stations)\r\n\t\tyarascan \tScan process or kernel memory with Yara signatures\r\n<\/pre>\n\ucc38\uace0 : http:\/\/bestrive.tistory.com\/22<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
ubuntu linux \uc5d0\uc11c Volatility \uc124\uce58 1. \ud544\uc694 \ub77c\uc774\ube0c\ub7ec\ub9ac \uc124\uce58 $ sudo apt-get update $ sudo apt-get install build-essential subversion pcregrep libpcre++-dev python-dev sqlite3 libsqlite3-dev -y proxy \ud658\uacbd\uc77c \uacbd\uc6b0 apt-get\ub97c \uc544\ub798\uc640 \uac19\uc774 \uc124\uc815\ud55c\ub2e4. $ cat \/etc\/apt\/apt.conf Acquire::http::proxy “http:\/\/xxx.xxx.xxx.xxx:8080\/”; Acquire::https::proxy “https:\/\/xxx.xxx.xxx.xxx:8080\/”; \ub610\ub294 … Continue reading