Forensics - Volatility, plugins
Alasta 9 December 2018 forensic shell cli security forensic memory analyse
Description: how to use plugins with Volatility.
Volatility: plugins
Some plugins are not (or not yet) bundled with Volatility. Below are the steps needed to use them.
Create a plugins folder wherever you want and add the plugins to it (usually Python files), then point Volatility at it with --plugins.
ll ../plugins/
total 80
drwxr-xr-x 4 alasta alasta 128 20 oct 12:09 .
drwxr-xr-x 7 alasta alasta 224 9 oct 21:22 ..
-rwxr-xr-x 1 alasta alasta 15161 6 oct 12:05 psinfo.py
/vol.py --plugins=../plugins/ --profile=WinXPSP2x86 -f /tmp/sample001.bin psinfo
Volatility Foundation Volatility Framework 2.6
Process Information:
Process: svchost.exe PID: 1024
Parent Process: services.exe PPID: 680
Creation Time: 2012-11-26 22:03:32 UTC+0000
Process Base Name(PEB): svchost.exe
Command Line(PEB): C:\WINDOWS\System32\svchost.exe -k netsvcs
VAD and PEB Comparison:
Base Address(VAD): 0x1000000
Process Path(VAD): \WINDOWS\system32\svchost.exe
Vad Protection: PAGE_EXECUTE_WRITECOPY
Vad Tag: Vad
Base Address(PEB): 0x1000000
Process Path(PEB): C:\WINDOWS\System32\svchost.exe
Memory Protection: PAGE_EXECUTE_WRITECOPY
Memory Tag: Vad
Similar Processes:
C:\WINDOWS\System32\svchost.exe
svchost.exe(1024) Parent:services.exe(680) Start:2012-11-26 22:03:32 UTC+0000
C:\WINDOWS\System32\svchost.exe
svchost.exe(1068) Parent:services.exe(680) Start:2012-11-26 22:03:32 UTC+0000
C:\WINDOWS\system32\svchost.exe
svchost.exe(940) Parent:services.exe(680) Start:2012-11-26 22:03:31 UTC+0000
C:\WINDOWS\System32\svchost.exe
svchost.exe(1116) Parent:services.exe(680) Start:2012-11-26 22:03:33 UTC+0000
C:\WINDOWS\system32\svchost.exe
svchost.exe(852) Parent:services.exe(680) Start:2012-11-26 22:03:31 UTC+0000
Suspicious Memory Regions:
---------------------------------------------------
Process Information:
Process: alg.exe PID: 1888
Parent Process: services.exe PPID: 680
Creation Time: 2012-11-26 22:03:35 UTC+0000
Process Base Name(PEB): alg.exe
Command Line(PEB): C:\WINDOWS\System32\alg.exe
VAD and PEB Comparison:
Base Address(VAD): 0x1000000
Process Path(VAD): \WINDOWS\system32\alg.exe
Vad Protection: PAGE_EXECUTE_WRITECOPY
Vad Tag: Vad
Base Address(PEB): 0x1000000
Process Path(PEB): C:\WINDOWS\System32\alg.exe
Memory Protection: PAGE_EXECUTE_WRITECOPY
Memory Tag: Vad
Similar Processes:
C:\WINDOWS\System32\alg.exe
alg.exe(1888) Parent:services.exe(680) Start:2012-11-26 22:03:35 UTC+0000
-SNiP--
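The psinfo output above places the VAD view and the PEB view of each process side by side so an analyst can spot disagreements (a process whose PEB claims one image path while its mapped executable VAD says another is a classic sign of hollowing). On a dump with hundreds of processes, reading that by hand is slow. The script below is an added example, not part of the original post or of the psinfo plugin: it parses psinfo-style text and returns only the processes whose VAD and PEB fields disagree. The sample text is constructed for the example; the first record is the svchost.exe (1024) block from the output above, and the second record (PID 1536, C:\Temp\updater.exe) is invented to show what a mismatch looks like.

```python
"""Parse Volatility 2 psinfo text and flag VAD/PEB disagreements.

Added example (not psinfo's own code). It assumes the plain-text layout
shown in the post: one "Process Information:" header per process, then
"Key: value" lines. Run with python3; no Volatility install needed.
"""
import re

# Constructed sample: record 1 copies the svchost.exe (1024) block shown
# in the post; record 2 (PID 1536, updater.exe) is invented for the demo.
SAMPLE = r"""Process Information:
Process: svchost.exe PID: 1024
Parent Process: services.exe PPID: 680
Creation Time: 2012-11-26 22:03:32 UTC+0000
Process Base Name(PEB): svchost.exe
Command Line(PEB): C:\WINDOWS\System32\svchost.exe -k netsvcs
VAD and PEB Comparison:
Base Address(VAD): 0x1000000
Process Path(VAD): \WINDOWS\system32\svchost.exe
Vad Protection: PAGE_EXECUTE_WRITECOPY
Vad Tag: Vad
Base Address(PEB): 0x1000000
Process Path(PEB): C:\WINDOWS\System32\svchost.exe
Memory Protection: PAGE_EXECUTE_WRITECOPY
Memory Tag: Vad
Similar Processes:
C:\WINDOWS\System32\svchost.exe
svchost.exe(1024) Parent:services.exe(680) Start:2012-11-26 22:03:32 UTC+0000
Suspicious Memory Regions:
---------------------------------------------------
Process Information:
Process: svchost.exe PID: 1536
Parent Process: services.exe PPID: 680
Process Base Name(PEB): svchost.exe
Command Line(PEB): C:\Temp\updater.exe
VAD and PEB Comparison:
Base Address(VAD): 0x1000000
Process Path(VAD): \WINDOWS\system32\svchost.exe
Vad Protection: PAGE_EXECUTE_WRITECOPY
Vad Tag: Vad
Base Address(PEB): 0x400000
Process Path(PEB): C:\Temp\updater.exe
Memory Protection: PAGE_EXECUTE_READWRITE
Memory Tag: VadS
---------------------------------------------------
"""

# "Key: value" where the key is letters, spaces and parentheses (at least
# two characters, so a bare "C:\..." path line is not mistaken for a key).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]+?):\s*(.*)$")


def parse_psinfo(text):
    """Return one dict per "Process Information:" block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Process Information:":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Process":  # "Process: name PID: 1234" carries two fields
            name, _, pid = value.partition(" PID: ")
            current["Process"] = name.strip()
            current["PID"] = int(pid) if pid.strip().isdigit() else None
        else:
            current[key] = value
    return records


def _norm_path(path):
    """Lower-case, drop the drive letter, so C:\WINDOWS == \windows."""
    p = path.strip().lower().replace("/", "\\")
    return re.sub(r"^[a-z]:", "", p)


def check_record(rec):
    """Return a list of (field, vad_value, peb_value) disagreements."""
    findings = []
    pairs = [
        ("path", "Process Path(VAD)", "Process Path(PEB)", _norm_path),
        ("base", "Base Address(VAD)", "Base Address(PEB)", lambda v: int(v, 16)),
        ("protection", "Vad Protection", "Memory Protection", str.strip),
    ]
    for label, vad_key, peb_key, norm in pairs:
        vad, peb = rec.get(vad_key), rec.get(peb_key)
        if vad and peb and norm(vad) != norm(peb):
            findings.append((label, vad, peb))
    return findings


def flag_suspicious(text):
    """Map (process name, PID) -> findings, for processes with findings."""
    out = {}
    for rec in parse_psinfo(text):
        findings = check_record(rec)
        if findings:
            out[(rec.get("Process"), rec.get("PID"))] = findings
    return out


if __name__ == "__main__":
    for (name, pid), findings in flag_suspicious(SAMPLE).items():
        print("%s (%d):" % (name, pid))
        for label, vad, peb in findings:
            print("  %-10s VAD=%s  PEB=%s" % (label, vad, peb))
```

Feed it a real run with `python psinfo_check.py < psinfo.txt` after replacing SAMPLE with `sys.stdin.read()`; the svchost.exe (1024) block from the post produces no findings, while the constructed PID 1536 record is reported on all three axes (path, base address, protection).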