To get image information (Volatility's suggested profile for the dump), run imageinfo first:
vol.exe -f [path of the image you want to analyze] imageinfo
Then list processes using the profile that imageinfo suggested:
vol.exe -f [Image] --profile=WinXPSP2x86 pslist
pstree (same list, but shown as a parent/child tree)
psscan (scans memory for _EPROCESS objects instead of walking the list, so it can also find hidden or terminated processes)
vol.exe -f [Image] --profile=WinXPSP2x86 dlllist
This shows the DLL list of the process you want to know about.
To limit it to one process, add -p [PID].
dlllist reads the PEB's InLoadOrderModuleList, which is a list of LDR_DATA_TABLE_ENTRY structures.
When a process calls the LoadLibrary function, the DLL is added to this list automatically.
The entry is not removed when FreeLibrary is called or when the reference count drops to 0.
vol.exe -f [Image] --profile=[profile] hivelist
What is a hive? A registry hive is one of the registry files (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT, ...) mapped into kernel memory; hivelist prints the virtual and physical address of each one so the other registry plugins can find them.
connections
Lists the TCP connections that were active when the memory was dumped.
connscan
A kind of full scan: it searches physical memory for _TCPT_OBJECT structures, so it can also recover connections that were already closed or unlinked. This command works only on WinXP (x86, x64) and Windows Server 2003.
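The pslist/psscan pair above and the connections/connscan pair are normally used together: anything psscan finds that pslist does not (and that has not exited) deserves a look, and a connection whose PID is missing from pslist is the same kind of signal. The script below is an added example, not code from the original post or from the Volatility project. It parses the plain-text tables that Volatility 2.x prints for a WinXP profile (captured with `vol.exe ... pslist > pslist.txt` and pasted in here as strings); every table below is constructed for the demo, not taken from a real image, and the column layout it assumes is the one Volatility 2 prints.

```python
"""Cross-check Volatility 2 pslist, psscan and connscan output.

Added example; assumes Volatility 2.x plain-text table output. All sample
tables are constructed for the demo and use documentation IP ranges.
"""
from typing import Dict, List, Tuple

# Constructed pslist output: pslist walks the kernel's linked list of
# _EPROCESS objects, so a process unlinked from that list is missing here.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-08-11 06:06:53 UTC+0000
0x821e5a38 svchost.exe             676    608     21      256      0      0 2010-08-11 06:06:58 UTC+0000
0x82218e58 explorer.exe           1464   1420     17      415      0      0 2010-08-11 06:09:31 UTC+0000
"""

# Constructed psscan output: psscan scans physical memory for _EPROCESS pool
# tags, so it also finds terminated processes (Time exited set) and
# processes hidden by unlinking (no Time exited, but absent from pslist).
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029ab8 System                4      0 0x00319000 2010-08-11 06:06:52 UTC+0000
0x00000000020f1020 smss.exe            368      4 0x0a3800a0 2010-08-11 06:06:53 UTC+0000
0x0000000001fe5a38 svchost.exe         676    608 0x0a380180 2010-08-11 06:06:58 UTC+0000
0x0000000002018e58 explorer.exe       1464   1420 0x0a380360 2010-08-11 06:09:31 UTC+0000
0x0000000002141da0 cmd.exe            1888   1464 0x0a380400 2010-08-11 06:12:10 UTC+0000 2010-08-11 06:13:02 UTC+0000
0x00000000021d3b20 reader_sl.exe       228   1464 0x0a380440 2010-08-11 06:15:44 UTC+0000
"""

# Constructed connscan output (scan for _TCPT_OBJECT structures).
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a6a478 192.0.2.10:1050           198.51.100.7:80           676
0x01b2e010 192.0.2.10:1065           203.0.113.44:8080         228
0x01c40f88 192.0.2.10:1071           198.51.100.9:443          9999
"""


def _rows(table: str) -> List[List[str]]:
    """Return whitespace-split data rows found below the '----' separator."""
    rows, seen_sep = [], False
    for line in table.splitlines():
        if not seen_sep:
            seen_sep = line.startswith("---")  # header/banner lines are skipped
            continue
        if line.strip():
            rows.append(line.split())
    return rows


def parse_pslist(table: str) -> Dict[int, str]:
    """PID -> process name. Columns: Offset Name PID PPID ..."""
    return {int(t[2]): t[1] for t in _rows(table)}


def parse_psscan(table: str) -> Dict[int, Tuple[str, bool]]:
    """PID -> (name, exited). Columns: Offset Name PID PPID PDB Created(3 tokens) [Exited(3 tokens)]."""
    return {int(t[2]): (t[1], len(t) >= 11) for t in _rows(table)}


def parse_connscan(table: str) -> List[Tuple[str, str, int]]:
    """(local, remote, pid) per connection. Columns: Offset Local Remote Pid."""
    return [(t[1], t[2], int(t[3])) for t in _rows(table)]


def hidden_processes(pslist: Dict[int, str], psscan: Dict[int, Tuple[str, bool]]) -> List[Tuple[int, str]]:
    """Processes psscan found that pslist did not and that have no exit time.

    Matching is by PID only; on a long-running box a reused PID can cause a
    false hit, so confirm with the name and creation time before acting.
    """
    return sorted((pid, name) for pid, (name, exited) in psscan.items()
                  if pid not in pslist and not exited)


def connections_with_owner(conns, pslist, psscan) -> List[Tuple[str, str, int, str, str]]:
    """Attach an owner name and a status to every connection."""
    out = []
    for local, remote, pid in conns:
        if pid in pslist:
            out.append((local, remote, pid, pslist[pid], "pslist"))
        elif pid in psscan:  # owner only visible to the scanner: hidden or exited
            out.append((local, remote, pid, psscan[pid][0], "psscan-only"))
        else:
            out.append((local, remote, pid, "?", "unknown"))
    return out


if __name__ == "__main__":
    pl, ps = parse_pslist(PSLIST), parse_psscan(PSSCAN)
    print("psscan-only, still running:", hidden_processes(pl, ps))
    for row in connections_with_owner(parse_connscan(CONNSCAN), pl, ps):
        print(row)
```

On the constructed data the script reports reader_sl.exe (PID 228) as present in psscan but not pslist with no exit time, and flags its connection to 203.0.113.44:8080 as "psscan-only"; cmd.exe (PID 1888) is ignored because psscan shows it already exited.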
malfind -p [PID]
VAD? malfind walks the process's VAD (Virtual Address Descriptor) tree looking for memory regions with executable protection that are not backed by a file on disk.
This command cannot find a DLL injected via CreateRemoteThread -> LoadLibrary, because that DLL is mapped from a file by the normal loader, so its VAD looks legitimate.
If you want to save the memory segments malfind finds, use the -D option with the directory you want to save them to:
malfind -p [PID] -D [output directory]