Volatility2工具mimiktz脚本_volatility2 mimu

最新推荐文章于 2024-10-10 23:07:28 发布
最新推荐文章于 2024-10-10 23:07:28 发布
阅读量908 收藏 14
点赞数 18
文章标签: python 算法 开发语言
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/2401_86950553/article/details/142024652
版权

def get_ptr_with_offset(self, pos):
return self.get_ptr(pos)

class Mimikatz_x64(MimikatzBase):
“”“The mimikatz x64 base class.”“”
SIZEOF_PTR = 8
UNPACK_PTR = ‘<Q’

def __init__(self, task):
MimikatzBase.init(self, task)

def get_ptr_with_offset(self, pos):
raw_data = self.task_as.zread(pos, self.SIZEOF_LONG)
if raw_data:
ptr = struct.unpack(self.UNPACK_LONG, raw_data)[0]
return pos + self.SIZEOF_LONG + ptr

#------------------------------------------------------------------------------

class LsaDecryptor():
“”“TODO: add description.”“”
SIGNATURE = None
IV_LENGTH = 16
PTR_IV_OFFSET = None
PTR_AES_KEY_OFFSET = None
PTR_DES_KEY_OFFSET = None
UUUR_TAG = 0x55555552
MSSK_TAG = 0x4d53534b

HARD_KEY = construct.Struct(‘KIWI_HARD_KEY’,
construct.ULInt32(‘cbSecret’),
construct.Field(‘data’, lambda ctx: ctx.cbSecret))

Modified to include HARD_KEY size.

BCRYPT_KEY = construct.Struct(‘KIWI_BCRYPT_KEY’,
construct.ULInt32(‘size’),
construct.ULInt32(‘tag’), # ‘MSSK’.
construct.ULInt32(‘type’),
construct.ULInt32(‘unk0’),
construct.ULInt32(‘unk1’),
construct.ULInt32(‘unk2’),
construct.ULInt32(‘cbSecret’))

def __init__(self):
self.iv = ‘’
self.aes_key = ‘’
self.des_key = ‘’

def find_signature(self):
for mod in self.task.get_load_modules():
if str(mod.BaseDllName).lower() == ‘lsasrv.dll’:
scanner = MemoryScanner(self.task)
return scanner.find_first(mod.DllBase.v(), self.SIGNATURE)
debug.warning(‘[LsaDecryptor:find_signature()] signature not found!’)

def get_IV(self, pos):
ptr_iv = self.get_ptr_with_offset(pos + self.PTR_IV_OFFSET)
if ptr_iv:
return self.get_data(ptr_iv, self.IV_LENGTH)

def get_key(self, pos, key_offset):
ptr_key = self.get_ptr_with_offset(pos + key_offset)
if ptr_key:
ptr_key = self.get_ptr(ptr_key)
if ptr_key:
size = self.BCRYPT_HANDLE_KEY.sizeof()
data = self.get_data(ptr_key, size)
if data:
kbhk = self.BCRYPT_HANDLE_KEY.parse(data)
if kbhk.tag == self.UUUR_TAG:
ptr_key = kbhk.ptr_kiwi_bcrypt_key
size = self.BCRYPT_KEY.sizeof()
data = self.get_data(ptr_key, size)
if data:
kbk = self.BCRYPT_KEY.parse(data)
if kbk.tag == self.MSSK_TAG:
adjust = construct.ULInt32(‘’).sizeof()
size = kbk.cbSecret + adjust
ptr_key = ptr_key + self.BCRYPT_KEY.sizeof() - adjust
data = self.get_data(ptr_key, size)
if data:
khk = self.HARD_KEY.parse(data)
return khk.data
else:
debug.warning(‘get_key() unable to get HARD_KEY.’)
else:
debug.warning(‘get_key() BCRYPT_KEY invalid tag’)
else:
debug.warning(‘get_key() unable to read BCRYPT_KEY data.’)
else:
debug.warning(‘get_key() BCRYPT_HANDLE_KEY invalid tag’)
debug.warning(kbhk)
else:
debug.warning(‘get_key() unable to read BCRYPT_HANDLE_KEY data.’)
else:
debug.warning(‘get_key() unable to get BCRYPT_HANDLE_KEY pointer.’)
else:
debug.warning(‘get_key()unable to get first pointer.’)

def get_des_key(self, pos):
return self.get_key(pos, self.PTR_DES_KEY_OFFSET)

def get_aes_key(self, pos):
return self.get_key(pos, self.PTR_AES_KEY_OFFSET)

def acquire_crypto_material(self):
sigpos = self.find_signature()
if not sigpos:
debug.warning(‘[LsaDecryptor] unable to find signature!’)
return
self.iv = self.get_IV(sigpos)
self.des_key = self.get_des_key(sigpos)
self.aes_key = self.get_aes_key(sigpos)

def decrypt(self, encrypted):
# TODO: NT version specific, move from here in subclasses.
cleartext = ‘’
size = len(encrypted)
if size:
if size % 8:
if not self.aes_key or not self.iv:
return cleartext
cipher = AES.new(self.aes_key, AES.MODE_CBC, self.iv)
else:
if not self.des_key or not self.iv:
return cleartext
cipher = DES3.new(self.des_key, DES3.MODE_CBC, self.iv[:8])
cleartext = cipher.decrypt(encrypted)
return cleartext

def dump(self):
print ‘Dumping LSA Decryptor’
print ’ IV ({}): {}'.format(len(self.iv), self.iv.encode(‘hex’))
print ‘DES_KEY ({}): {}’.format(
len(self.des_key), self.des_key.encode(‘hex’))
print ‘AES_KEY ({}): {}’.format(
len(self.aes_key), self.aes_key.encode(‘hex’))

class LsaDecryptor_x86(LsaDecryptor, Mimikatz_x86):
“”“TODO: add description.”“”
def __init__(self, lsass_task):
Mimikatz_x86.init(self, lsass_task)
LsaDecryptor.init(self)

class LsaDecryptor_x64(LsaDecryptor, Mimikatz_x64):
“”“TODO: add description.”“”
def __init__(self, lsass_task):
Mimikatz_x64.init(self, lsass_task)
LsaDecryptor.init(self)

class LsaDecryptor_Vista_x86(LsaDecryptor_x86):
“”“Class for Windows Vista x86.”“”

MIMIKATZ x86: BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[]

SIGNATURE = ‘\x8b\xf0\x3b\xf3\x7c\x2c\x6a\x02\x6a\x10\x68’
PTR_IV_OFFSET = 11;
PTR_AES_KEY_OFFSET = -15;
PTR_DES_KEY_OFFSET = -70;

BCRYPT_HANDLE_KEY = construct.Struct(‘KIWI_BCRYPT_HANDLE_KEY’,
construct.ULInt32(‘size’),
construct.ULInt32(‘tag’), # Tag ‘UUUR’, 0x55555552.
construct.ULInt32(‘ptr_void_algorithm’),
construct.ULInt32(‘ptr_kiwi_bcrypt_key’),
construct.ULInt32(‘ptr_unknown’))

def __init__(self, lsass_task):
LsaDecryptor_x86.init(self, lsass_task)

class LsaDecryptor_Win7_x86(LsaDecryptor_x86):
“”“Class for Windows 7 x86.”“”

MIMIKATZ x86: BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[]

SIGNATURE = ‘\x8b\xf0\x3b\xf3\x7c\x2c\x6a\x02\x6a\x10\x68’
PTR_IV_OFFSET = 11;
PTR_AES_KEY_OFFSET = -15;
PTR_DES_KEY_OFFSET = -70;

BCRYPT_HANDLE_KEY = construct.Struct(‘KIWI_BCRYPT_HANDLE_KEY’,
construct.ULInt32(‘size’),
construct.ULInt32(‘tag’), # Tag ‘UUUR’, 0x55555552.
construct.ULInt32(‘ptr_void_algorithm’),
construct.ULInt32(‘ptr_kiwi_bcrypt_key’),
construct.ULInt32(‘ptr_unknown’))

def __init__(self, lsass_task):
LsaDecryptor_x86.init(self, lsass_task)

class LsaDecryptor_Vista_x64(LsaDecryptor_x64):
“”“Class for Vista x64.”“”
SIGNATURE = ‘\x83\x64\x24\x30\x00\x44\x8b\x4c\x24\x48\x48\x8b\x0d’
PTR_IV_OFFSET = 63;
PTR_AES_KEY_OFFSET = 25;
PTR_DES_KEY_OFFSET = -69;

BCRYPT_HANDLE_KEY = construct.Struct(‘KIWI_BCRYPT_HANDLE_KEY’,
construct.ULInt32(‘size’),
construct.ULInt32(‘tag’), # Tag ‘UUUR’, 0x55555552.
construct.ULInt64(‘ptr_void_algorithm’),
construct.ULInt64(‘ptr_kiwi_bcrypt_key’),
construct.ULInt64(‘ptr_unknown’))

def __init__(self, lsass_task):
LsaDecryptor_x64.init(self, lsass_task)

class LsaDecryptor_Win7_x64(LsaDecryptor_x64):
“”“Class for Windows 7 x64.”“”

MIMIKATZ x64: BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[]

SIGNATURE = ‘\x83\x64\x24\x30\x00\x44\x8b\x4c\x24\x48\x48\x8b\x0d’
PTR_IV_OFFSET = 59;
PTR_AES_KEY_OFFSET = 25;
PTR_DES_KEY_OFFSET = -61;

BCRYPT_HANDLE_KEY = construct.Struct(‘KIWI_BCRYPT_HANDLE_KEY’,
construct.ULInt32(‘size’),
construct.ULInt32(‘tag’), # Tag ‘UUUR’, 0x55555552.
construct.ULInt64(‘ptr_void_algorithm’),
construct.ULInt64(‘ptr_kiwi_bcrypt_key’),
construct.ULInt64(‘ptr_unknown’))

def __init__(self, lsass_task):
LsaDecryptor_x64.init(self, lsass_task)

#------------------------------------------------------------------------------

class Wdigest():
“”“TODO: add description.”“”
SIGNATURE = None
FIRST_ENTRY_OFFSET = 0
WDIGEST_LIST_ENTRY = None
MODULE_NAME = ‘wdigest’
MAX_WALK = 32

def __init__(self, credentials_obj):
self.entries = []
self.entries_seen = {}
self.credentials_obj = credentials_obj

def find_signature(self):
for mod in self.task.get_load_modules():
if str(mod.BaseDllName).lower() == ‘wdigest.dll’:
scanner = MemoryScanner(self.task)
return scanner.find_first(mod.DllBase.v(), self.SIGNATURE)
debug.warning(‘[Wdigest] no wdigest.dll found in lsass process!’)

def get_entry_at(self, ptr):
if ptr:
size = self.WDIGEST_LIST_ENTRY.sizeof()
data = self.get_data(ptr, size)
if data:
entry = self.WDIGEST_LIST_ENTRY.parse(data)
return entry

def get_first_entry(self):
position = self.find_signature()
if position:
ptr_entry = self.get_ptr_with_offset(position + self.FIRST_ENTRY_OFFSET)
if ptr_entry:
ptr_entry = self.get_ptr(ptr_entry)
if ptr_entry:
entry = self.get_entry_at(ptr_entry)
if entry:
return entry, ptr_entry
else:
debug.warning(‘[Wdigest] no wdigest package found.’)
return None, None

def get_unicode_string_at(self, ptr, size):
data = self.get_data(ptr, size)
if data:
data_str = ‘’
try:
data_str = data.decode(‘utf-16-le’).rstrip(‘\0’)
except UnicodeDecodeError as ee:
debug.error(
‘[Wdigest] get_unicode_string_at() unicode error {}’.format(
ee))
debug.warning(‘[Wdigest] src data is <{}>’.format(data_str))
return data_str
else:
debug.error(‘[Wdigest] get_unicode_string_at() unable to get data’)
return ‘’

def add_entry(self, entry, found_at):
if entry.usage_count:
if entry.this_entry == found_at:
user = domain = epwd = ‘’
if entry.user_string_ptr and entry.user_len:
user = self.get_unicode_string_at(
entry.user_string_ptr, entry.user_max_len)
if entry.domain_string_ptr and entry.domain_len:
domain = self.get_unicode_string_at(
entry.domain_string_ptr, entry.domain_max_len)
if entry.password_encrypted_ptr and entry.password_len:
epwd = data = self.get_data(
entry.password_encrypted_ptr, entry.password_max_len)
if user:
cred_entry = Credential(self.MODULE_NAME, user, domain, epwd)
self.credentials_obj.add_credential(cred_entry)

def walk_entries(self):
entry, found_at = self.get_first_entry()
if entry:
walk_num = 1
while walk_num < self.MAX_WALK:
self.add_entry(entry, found_at)
self.entries_seen[found_at] = 1
found_at = entry.previous
entry = self.get_entry_at(found_at)
if not entry:
debug.error(‘Next entry not found!’)
break
if entry.this_entry in self.entries_seen:
break
walk_num += 1

class Wdigest_x86(Wdigest, Mimikatz_x86):
“”“TODO: add description.”“”

WDIGEST_LIST_ENTRY = construct.Struct(‘WdigestListEntry’,
construct.ULInt32(‘previous’),
construct.ULInt32(‘next’),
construct.ULInt32(‘usage_count’),
construct.ULInt32(‘this_entry’),
construct.ULInt64(‘luid’),
construct.ULInt64(‘flag’),
construct.ULInt16(‘user_len’),
construct.ULInt16(‘user_max_len’),
construct.ULInt32(‘user_string_ptr’),
construct.ULInt16(‘domain_len’),
construct.ULInt16(‘domain_max_len’),
construct.ULInt32(‘domain_string_ptr’),
construct.ULInt16(‘password_len’),
construct.ULInt16(‘password_max_len’),
construct.ULInt32(‘password_encrypted_ptr’))

def __init__(self, lsass_task, credentials_obj):
Mimikatz_x86.init(self, lsass_task)
Wdigest.init(self, credentials_obj)

class Wdigest_x64(Wdigest, Mimikatz_x64):
“”“TODO: add description.”“”

WDIGEST_LIST_ENTRY = construct.Struct(‘WdigestListEntry’,
construct.ULInt64(‘previous’),
construct.ULInt64(‘next’),
construct.ULInt32(‘usage_count’),
construct.ULInt32(‘align1’),
construct.ULInt64(‘this_entry’),
construct.ULInt64(‘luid’),
construct.ULInt64(‘flag’),
construct.ULInt16(‘user_len’),
construct.ULInt16(‘user_max_len’),
construct.ULInt32(‘align2’),
construct.ULInt64(‘user_string_ptr’),
construct.ULInt16(‘domain_len’),
construct.ULInt16(‘domain_max_len’),
construct.ULInt32(‘align3’),
construct.ULInt64(‘domain_string_ptr’),
construct.ULInt16(‘password_len’),
construct.ULInt16(‘password_max_len’),
construct.ULInt32(‘align4’),
construct.ULInt64(‘password_encrypted_ptr’))

def __init__(self, lsass_task, credentials_obj):
Mimikatz_x64.init(self, lsass_task)
Wdigest.init(self, credentials_obj)

class Wdigest_Vista_x86(Wdigest_x86):
“”“Class for Windows Vista x86.”“”
SIGNATURE = ‘\x74\x11\x8b\x0b\x39\x4e\x10’
FIRST_ENTRY_OFFSET = -6

def __init__(self, lsass_task, credentials_obj):
Wdigest_x86.init(self, lsass_task, credentials_obj)

class Wdigest_Win7_x86(Wdigest_x86):
“”“Class for Windows 7 x86.”“”
SIGNATURE = ‘\x74\x11\x8b\x0b\x39\x4e\x10’
FIRST_ENTRY_OFFSET = -6

def __init__(self, lsass_task, credentials_obj):
Wdigest_x86.init(self, lsass_task, credentials_obj)

class Wdigest_Win7_x64(Wdigest_x64):
“”“Class for Windows 7 x64.”“”
SIGNATURE = ‘\x48\x3b\xd9\x74’
FIRST_ENTRY_OFFSET = -4

def __init__(self, lsass_task, credentials_obj):
Wdigest_x64.init(self, lsass_task, credentials_obj)

class Wdigest_Vista_x64(Wdigest_x64):
“”“Class for Windows Vista x64.”“”
SIGNATURE = ‘\x48\x3b\xd9\x74’
FIRST_ENTRY_OFFSET = -4

def __init__(self, lsass_task, credentials_obj):
Wdigest_x64.init(self, lsass_task, credentials_obj)

#------------------------------------------------------------------------------

class mimikatz(commands.Command):
“”“mimikatz offline”“”
def __init__(self, config, *args, **kwargs):
commands.Command.init(self, config, *args, **kwargs)
self.profile = config.get_value(‘profile’)
self.credentials_obj = Credentials()

def find_lsass(self):
addr_space = utils.load_as(self._config)
for task in tasks.pslist(addr_space):
if str(task.ImageFileName) == ‘lsass.exe’:
return task

def init_objects(self, lsass_task):
lsa_decryptor = None
wdigest = None
if len(self.profile) >= 7:
arch = self.profile[-3:]
sp = self.profile[-6:-3]
os = self.profile[:-6]
if os == ‘Vista’:
if arch == ‘x86’:
lsa_decryptor = LsaDecryptor_Vista_x86(lsass_task)
wdigest = Wdigest_Vista_x86(lsass_task, self.credentials_obj)
elif arch == ‘x64’:
lsa_decryptor = LsaDecryptor_Vista_x64(lsass_task)
wdigest = Wdigest_Vista_x64(lsass_task, self.credentials_obj)
elif os == ‘Win7’:
if arch == ‘x86’:
lsa_decryptor = LsaDecryptor_Win7_x86(lsass_task)
wdigest = Wdigest_Win7_x86(lsass_task, self.credentials_obj)
elif arch == ‘x64’:
lsa_decryptor = LsaDecryptor_Win7_x64(lsass_task)
wdigest = Wdigest_Win7_x64(lsass_task, self.credentials_obj)
else:
pass
return lsa_decryptor, wdigest

kali安装volatility插件mimikatz
qq_73722777的博客
09-14 5324
vol.py --plugins=[plugins文件夹路径] -f [镜像文件路径] --profile=[操作系统] mimikatz。下载解压后拖入kali内,文件夹改名为volatility,终端cd进入文件夹。下载后拖入volatility/volatility/plugins/解压后拖入kali,使用cd进入文件夹内。下载mimikatz.py文件。2.安装volatility。下载文件distorm3。3.安装mimikatz。4.在终端中使用插件。kali安装pip2
volatility_2.6_win64system_standalone.rar
10-08
Volatility 2.6是该工具的一个稳定版本,专门针对Windows系统进行优化。它能够帮助分析师在不依赖原始主机的情况下,从内存转储文件中提取出关键信息,如进程列表、网络连接、注册表项、密码、恶意软件活动等。这...
volatility2 with mimikatzmimikatz插件踩的坑_volatility mimikatz
qq_58071132的博客
04-15 731
论你是正从事IT行业的老鸟或是对IT行业感兴趣的新人,都欢迎加入我们的的圈子(技术交流、学习资源、职场吐槽、大厂内推、面试辅导),让我们一起学习成长!我在网上搜索到了全都是将construct换成2.5.5 但我就是换成2.5.5之后会出现了上面这个问题。在-f 前增加–plugin,后面接你的volatility里plugins存放的目录 例如我这里是。下载的2.10.54的版本 并不会出问题(注意这里的pip是python2的)如果你也出现了下面这条错误信息。
volatility及部分插件的安装与配置
最新发布
weixin_73049307的博客
10-10 1789
vol.py --plugin=/opt/volatility/plugins -f /root/neicun.vmem --profile=Win7SP1x64 mimikatz(系统版本是:Win7SP1x64)vol.py --plugin=/opt/volatility/plugins -f [内存镜像文件路径] --profile [系统版本] [插件名]当使用第三方插件的时候,需要使用 --plugin 属性指定插件的存放目录。(mimikatz.py插件可以从内存中提取明文密码)
volatility安装+插件安装(mimikatz
sbingmo的博客
07-11 1万+
volatility安装+插件安装(mimikatz
volatility2 with mimikatz|装mimikatz插件踩的坑
Rainy_Madison的博客
09-03 3612
volatility插件mimikatz安装过程
内存取证-volatility工具的使用 (史上更全教程,更全命令)
热门推荐
路baby的博客
10-20 10万+
内存取证-volatility工具的使用 (史上更全教程,更全命令) 安装步骤 命令解析 工具插件分析 例题讲解
Volatility2Step_Alerts_HTF - MetaTrader 5脚本.zip
09-13
总结起来,"Volatility2Step_Alerts_HTF"脚本和相关指标是MT5平台上的强大工具,它们以高时间框架为基础,通过计算波动性并触发警报,为交易者提供了更深入的市场洞察和自动化交易信号。了解并熟练运用这些工具,...
volatility_2.6_lin64_standalone.zip
05-16
Volatility是一款强大的开源工具,主要用于内存取证分析,它能够在不触及硬盘的情况下,从系统内存中提取关键信息。Volatility 2.6 lin64_standalone.zip是该工具的一个Linux版本,专为64位系统设计,具有独立运行的...
volatility_2.6_mac64_standalone.zip
05-16
Volatility 2.6是该框架的一个重要版本,它提供了丰富的插件工具,能够对多种操作系统,包括Windows、Linux和macOS进行内存分析。Mac64版本特别针对苹果的64位架构进行了优化,确保在macOS平台上高效、稳定地运行...
windows内存密码获取mimikatz_trunk
04-17
第一条:privilege::debug //提升权限 第二条:sekurlsa::logonpasswords https://github.com/gentilkiwi/mimikatz/releases/tag/2.1.1-20180325
mimikatz2.0
06-26
获取系统密码工具,法国程序员开发的轻量级调试器,可以帮助安全测试人员抓取Windows密码,压缩包密码:novirus。由于属于黑客工具,杀毒软件会报毒,使用时可以暂时关闭实时扫描,或者设置例外处理。解压后,参考命令行提示即可方便使用
volatility内存取证命令合集
01-10
volatility内存取证命令合集,原版volatility内存取证CheatSheet,赶紧学习一波!
volatility-plugins, 我为波动而编写的插件.zip
09-17
volatility-plugins, 我为波动而编写的插件 用户定义的波动插件我所做的插件:uninstallinfo.py - 从内存转储 HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstallprefetch.py - 扫描预取文件的内存和转
常用mimikatz命令合集
03-08
这是我平时使用时觉得最常用的一些命令合集,希望可以帮到大家.
volatilitux-1.0_volatility_Memdump_Memdump_
10-01
Volatility工具在Linux内存转储中的应用》 在网络安全分析和取证调查中,内存转储分析是一项至关重要的技术。Volatility是一款强大的开源工具,专用于Windows和Linux系统的内存分析,它可以从内存映像中提取出...
Volatility安装遇到的问题之mimikatz插件安装
qq_42878458的博客
08-23 2761
数字取证学习
内存取证 Volatility
orchid_sea的博客
03-01 1105
内存分析工具 volatility,有Volatility2Volatility3两种,分别基于Python2Python3环境运行。说是一般Volatility2Volatility3好用,所以我也选择的Volatility2版本。一般kali里面兼容了python2Python3,但是pip命令执行的都是python3环境,没有配置pip2,因此需要自己下载安装。
内存取证-Volatility安装使用以及一些CTF比赛题目
Bnessy
04-02 3万+
一 、简介 Volatility是一款开源内存取证框架,能够对导出的内存镜像进行分析,通过获取内核数据结构,使用插件获取内存的详细情况以及系统的运行状态。 二 、安装Volatility 下载源码 https://github.com/volatilityfoundation/volatility 解压 unzip volatility-master.zip 安装依赖 crypto pip2 install pycryptodome #如果安装失败,可使用以下命令切换国内源 pip2
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值