[Memory Forensics] Basic usage of Volatility

volatility -f memory imageinfo # identify the OS version (suggested profile)

Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/root/桌面/quzheng3/memory)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80003ffd0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80003ffed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-05-17 06:20:56 UTC+0000
Image local date and time : 2020-05-17 14:20:56 +0800

volatility -f memory --profile=Win7SP1x64 pslist # list processes
List processes

volatility -f memory --profile=Win7SP1x64 cmdscan # view cmd command history
View cmd command history

volatility -f memory --profile=Win7SP1x64 filescan | grep flag # search for the flag file
volatility -f memory --profile=Win7SP1x64 dumpfiles -Q 0x000000001e85f430 --dump-dir=./ # dump the target file (-Q takes the physical offset reported by filescan)
Search for the flag file

volatility -f memory --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\Users\Names" # list the user names in the SAM hive
List SAM users

volatility -f memory --profile=Win7SP1x64 hivelist # get the virtual offsets of the SYSTEM and SAM hives
SAM and SYSTEM hive addresses
volatility -f memory --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a00167a010 # -y is the SYSTEM hive offset, -s is the SAM hive offset
SAM account password hashes
Cracking the NTLM hash recovers the original password.
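Added example (not part of the original post): a small Python helper that ties the steps above together by parsing Volatility 2 imageinfo and hivelist output to pick the suggested profile and the SYSTEM/SAM hive offsets, then composes the hashdump command so the -y/-s offsets are not copied by hand. The sample output below is constructed, using the offsets that appear in this post; the hivelist column layout is assumed to match Volatility 2.6.

```python
import re

# Constructed sample of the imageinfo output shown above (profile list shortened).
IMAGEINFO_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                           DTB : 0x187000L
"""

# Constructed hivelist output; the two offsets are the ones this post passes to hashdump.
HIVELIST_OUTPUT = """\
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d8d0000 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a00000f010 0x000000002d931000 \\REGISTRY\\MACHINE\\HARDWARE
0xfffff8a00167a010 0x000000001d5f0000 \\SystemRoot\\System32\\Config\\SAM
"""

def suggested_profile(imageinfo_text):
    """Return the first profile imageinfo suggests (Win7SP1x64 for this image)."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^\n]+)", imageinfo_text)
    if not m:
        raise ValueError("no 'Suggested Profile(s)' line in imageinfo output")
    return m.group(1).split(",")[0].strip()

def hive_offsets(hivelist_text):
    """Map the SYSTEM and SAM hives to their virtual offsets from hivelist output."""
    offsets = {}
    for line in hivelist_text.splitlines():
        # virtual offset, physical offset, hive name; header/separator lines do not match
        m = re.match(r"(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+\s+(\S+)", line)
        if not m:
            continue
        virt, name = m.groups()
        if name.upper().endswith("\\SYSTEM"):
            offsets["SYSTEM"] = virt
        elif name.upper().endswith("\\SAM"):
            offsets["SAM"] = virt
    missing = {"SYSTEM", "SAM"} - set(offsets)
    if missing:
        raise ValueError("hive(s) not found in hivelist output: %s" % sorted(missing))
    return offsets

def hashdump_command(image, profile, offsets):
    """Compose the hashdump invocation: -y takes the SYSTEM hive, -s the SAM hive."""
    return ["volatility", "-f", image, "--profile=" + profile, "hashdump",
            "-y", offsets["SYSTEM"], "-s", offsets["SAM"]]
```

Feeding the real output of `volatility -f memory imageinfo` and `... hivelist` to these functions yields the same hashdump line as the one written out above.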

Copyright © 2020 Tyrant-K