You need to customize the following script based on the information gathered from the analysis.
#!/bin/bash
# Script to collect information by utilizing volatility
#### Configurable Options #######
homeDir='/home/volatility/image'
memImage="$homeDir/image.vmem"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''
PID='1384'
dumpFileFilename='malware' # Dump the file malware.exe
######################################
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"
if [ ! -d $outputDir ]; then
mkdir $outputDir
mkdir $dumpDir
mkdir $tempDir
fi
# Identify the profile found from output/imageinfo
cat $outputDir/imageinfo | grep "Suggested Profile(s)" | awk '{print "Identified Profile: " $4}' | sed 's/,//'
volProfile=`cat $outputDir/imageinfo | grep "Suggested Profile(s)" | awk '{print $4}' | sed 's/,//'`
# List the dll's associated with a PID
#python $locVolPy -f $memImage --profile=$volProfile dlllist -p $PID > $outputDir/dlllist-$PID
# Dump the file based on filename
#python $locVolPy -f $memImage --profile=$volProfile dumpfiles -r $dumpFileFilename -D $tempDir
# Find the mutants
#python $locVolPy -f $memImage --profile=$volProfile handles -p $PID > $outputDir/handles-$PID
Subscribe to:
Post Comments (Atom)
-
Here is a quick walk through of GetBoo. The first item that I found was you can harvest the usernames of the existing users that are regist... -
As I was glancing through the logs of my honeypots I spent some time to look at the following logs. In the past I have just overlooked them... -
I ran a Nikto scan and found the following vulnerability in the report that it produces: "OSVDB-637: Enumeration of users is possible...
-
I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM. The first one I th... -
Today looking at the logs of the honeypots, I became curious based on the whois of the IP Addresses attempting to login to SSH which country...
No comments:
Post a Comment