Reverse Engineering Notes

Author: HenrySHE | Published 2017-11-18 13:59

    Google search keywords: "volatility 病毒" ("volatility virus")

    Useful information on reverse engineering:

    General introduction:

    http://lis.nsysu.edu.tw/ezfiles/240/1240/attach/68/pta_20972_4275960_42727.pdf

    Process of analysing malware:

    http://www.myhack58.com/Article/64/2016/75124.htm

    Tools used to analyse malware:

    https://www.qa-knowhow.com/?p=2625


    Very useful video on memory forensics (Indian accent):

    https://www.youtube.com/watch?v=E4W6nK1UcnA

    Several common memory-resident Windows processes (screenshots: System, services.exe, csrss.exe, winlogon.exe, lsass.exe)

    Detecting Malware with Memory Forensics (PDF)

    http://www.deer-run.com/~hal/Detect_Malware_w_Memory_Forensics.pdf

    A fairly important slide deck: the memory files produced for analysis by different virtual machine versions have different extensions (I suspect the .img is actually a system image, not something generated from inside the VM, or perhaps it is just compressed into .img format?)

    (figure: file extensions used for analysis)

    Malware Memory Analysis for non-specialists

    (PDF book; covers the topic in detail)
    http://cradpdf.drdc-rddc.gc.ca/PDFS/unc166/p801024_A1b.pdf


    Case study: Zeus Analysis (Memory Forensics)

    https://securityintelligence.com/zeus-analysis-memory-forensics-via-volatility/


    Common Volatility operations:

    http://www.restran.net/2017/08/10/memory-forensics-tool-volatility%20-%20副本/


    Volatility Command Reference (most important 🌟🌟🌟):

    https://github.com/volatilityfoundation/volatility/wiki/Command-Reference


    Analysing Stuxnet with Volatility (important 🌟🌟🌟):

    http://www.behindthefirewalls.com/2013/12/stuxnet-trojan-memory-forensics-with_16.html

    We know that lsass.exe is one of the first processes to start when Windows boots. Because of this, it's normal for "lsass.exe" to have a low Pid. You can see when the three lsass.exe processes started in the picture above:

    • Pid 680 started at 2010-10-29 17:08:54
    • Pid 868 started at 2011-06-03 04:26:55
    • Pid 1928 started at 2011-06-03 04:26:55

    You can see that the "lsass.exe" with the lower Pid (680) started in 2010 and the other ones with higher Pids (868 and 1928) started in 2011. This isn't normal behavior.
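    The lsass.exe check above can be automated over pslist output. The following is an added example written for these notes, not code from the Stuxnet write-up or from Volatility itself. It parses a constructed, simplified `vol.py pslist` table (the lsass.exe PIDs and start times follow the write-up; the PPIDs and the winlogon.exe / services.exe rows are invented so the parent check has something to work on) and flags any lsass.exe that either has an unexpected parent or started long after the first lsass.exe. The parent rule (lsass.exe is a child of winlogon.exe on XP and of wininit.exe on Vista and later) is general Windows knowledge, not something stated on this page.

```python
"""Flag suspicious lsass.exe instances in Volatility pslist-style output.

Added example for these notes; not code from the original page, the
behindthefirewalls write-up, or the Volatility project.
"""
from datetime import datetime, timedelta

# Constructed, simplified `vol.py pslist` output (Windows XP layout, where
# lsass.exe is started by winlogon.exe). Only the lsass.exe PIDs and start
# times come from the Stuxnet write-up; PPIDs and the other rows are invented.
SAMPLE_PSLIST = """\
Offset(V)  Name          PID  PPID Start
0x823c8830 System          4     0 1970-01-01 00:00:00
0x821a2da0 winlogon.exe  624   376 2010-10-29 17:08:53
0x8212b020 services.exe  668   624 2010-10-29 17:08:54
0x81f50020 lsass.exe     680   624 2010-10-29 17:08:54
0x82052560 lsass.exe     868   668 2011-06-03 04:26:55
0x81e9d3b8 lsass.exe    1928   668 2011-06-03 04:26:55
"""

# Processes that should exist exactly once and whose parent is well known.
# Both XP (winlogon.exe) and Vista+ (wininit.exe) parents are accepted.
EXPECTED = {
    "lsass.exe": {"parents": {"winlogon.exe", "wininit.exe"}, "singleton": True},
    "services.exe": {"parents": {"winlogon.exe", "wininit.exe"}, "singleton": True},
}


def parse_pslist(text):
    """Parse rows of the simplified table into dicts (header row skipped)."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        procs.append({
            "name": parts[1],
            "pid": int(parts[2]),
            "ppid": int(parts[3]),
            "start": datetime.strptime(parts[4] + " " + parts[5], "%Y-%m-%d %H:%M:%S"),
        })
    return procs


def find_suspicious(procs, max_boot_gap=timedelta(minutes=5)):
    """Return [(pid, [reasons...])] for instances that break the EXPECTED rules.

    A singleton process is flagged when a second copy starts more than
    max_boot_gap after the first one (the "started in 2011, not 2010" check),
    and any instance is flagged when its parent is not one of the expected ones.
    """
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for name, rule in EXPECTED.items():
        instances = [p for p in procs if p["name"].lower() == name]
        if not instances:
            continue
        earliest = min(p["start"] for p in instances)
        for p in instances:
            reasons = []
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"].lower() if parent else "<unknown>"
            if parent_name not in rule["parents"]:
                reasons.append(
                    f"parent is {parent_name} (pid {p['ppid']}), "
                    f"expected one of {sorted(rule['parents'])}")
            if rule["singleton"] and len(instances) > 1 and p["start"] - earliest > max_boot_gap:
                reasons.append(f"started {p['start'] - earliest} after the first {name}")
            if reasons:
                findings.append((p["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid}:")
        for r in reasons:
            print("   ", r)
```

    On the sample above this reports Pids 868 and 1928 (wrong parent and a start time months after the first lsass.exe) and stays quiet about Pid 680. On a real image, feed it the `pslist` output of the profile Volatility detected, and cross-check against `psscan`, since a hidden process will not appear in `pslist` at all.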


    Analysing Zeus with Volatility (important 🌟🌟🌟):

    http://www.behindthefirewalls.com/2013/07/zeus-trojan-memory-forensics-with.html
    Same website as above.

    Source: https://www.haomeiwen.com/subject/kppevxtx.html