appmemdumper 2.3.2

目录

• Introduction
• System Requirements
• Installation
• Quick Start
• Issues management

简介

该工具基于一系列常见windows应用程序的波动性，自动研究用于取证的内存转储中的某些工件。

它还可以打开多种存档格式。在存档的情况下，该工具会将其所有文件提取到一个临时目录中，然后尝试将每个文件作为内存转储打开（名为readme或readme.md的文件除外）。

系统要求

这个框架在一个带有Python2.7的Ubuntu18.04上进行了测试。

安装

1. 安装系统要求

$ sudo apt-get install foremost
$ git clone https://github.com/volatilityfoundation/volatility /tmp/vol-setup
$ cd /tmp/vol-setup && sudo python setup.py install

Behind a proxy ?

Do not forget to configure your Network system settings (or manually edit /etc/apt/apt.conf).

1. 从pip安装appmemdumper

$ pip install appmemdumper

Behind a proxy ?

Do not forget to add option --proxy=http://[user]:[pwd]@[host]:[port] to your pip command.

快速启动

1. 帮助

$ app-mem-dumper -h
usage: app-mem-dumper [-a APPS] [-d DUMP_DIR] [-f] [-p PLUGINS] [-s SYST]
                        [-t TEMP_DIR] [-u] [-h] [-v]
                        dump

AppMemDumper v2.3.0
Author   : Alexandre D'Hondt
Copyright: © 2019 A. D'Hondt
License  : GNU Affero General Public License v3.0

This tool automates the research of some artifacts for forensics purpose in
 memory dumps based upon Volatility for a series of common Windows applications.

It can also open multiple archive formats (it uses pyunpack). In case of an
 archive, the tool will extract all its files to a temporary directory and then
 try to open each file as a memory dump.

positional arguments:
  dump                  memory dump file path

optional arguments:
  -a APPS               comma-separated list of integers designating applications to be parsed
                         Currently supported: 
                          [0] AdobeReader             [8] Notepad
                          [1] Chrome                  [9] OpenOffice
                          [2] Firefox                 [10] PDFLite
                          [3] FoxitReader             [11] SumatraPDF
                          [4] InternetExplorer        [12] Thunderbird
                          [5] KeePass                 [13] TrueCrypt
                          [6] MSPaint                 [14] Wordpad
                          [7] MediaPlayerClassic    
                         (default: all)
  -d DUMP_DIR, --dump-dir DUMP_DIR
                        dump directory (default: files)
  -f, --force           force profile search, do not use cached profile (default: False)
  -p PLUGINS, --plugins-dir PLUGINS
                        path to custom plugins directory (default: None)
  -s SYST               comma-separated list of integers designating system items to be parsed
                         Currently supported: 
                          [0] Clipboard               [8] Mimikatz
                          [1] CommandLines            [9] NetworkConnections
                          [2] CriticalProcessesInfo   [10] ProcessesInfo
                          [3] Devices                 [11] Registry
                          [4] DumpInfo                [12] Timeline
                          [5] Kernel                  [13] UserActivities
                          [6] LsaSecrets              [14] UserHashes
                          [7] Malfind               
                         (default: none)
  -t TEMP_DIR, --temp-dir TEMP_DIR
                        temporary directory for decompressed images (default: .temp)
  -u, --update          update previous dump directories (default: False)

extra arguments:
  -h, --help            show this help message and exit
  -v, --verbose         verbose mode (default: False)

Usage examples:
  app-mem-dumper memory.dmp
  app-mem-dumper my-dumps.tar.gz
  app-mem-dumper dumps.zip -g all
  app-mem-dumper dump.raw -a 1,2,4 -f
  app-mem-dumper dump.mem -a 0,3,10,11 -g 0

1. 输出示例

$ app-mem-dumper memory.dump -v -p plugins
[appmemdumper] XX:XX:XX [DEBUG] Attempting to decompress 'memory.dump'...
[appmemdumper] XX:XX:XX [DEBUG] Not an archive, continuing...
[appmemdumper] XX:XX:XX [DEBUG] Setting output directory to 'files/memory.dump'...
[appmemdumper] XX:XX:XX [INFO] Opening dump file 'memory.dump'...
[appmemdumper] XX:XX:XX [INFO] Getting profile...
[appmemdumper] XX:XX:XX [INFO] Getting processes...
[appmemdumper] XX:XX:XX [DEBUG] > Executing command 'pslist'...
[appmemdumper] XX:XX:XX [DEBUG] Found       : mspaint.exe
[appmemdumper] XX:XX:XX [DEBUG] Not handled : audiodg.exe, csrss.exe, dllhost.exe, [...]
[appmemdumper] XX:XX:XX [DEBUG] Profile: Win7SP0x86
[appmemdumper] XX:XX:XX [INFO] Processing dumper 'dumpinfo'...
[appmemdumper] XX:XX:XX [INFO] Processing dumper 'mspaint'...
[appmemdumper] XX:XX:XX [DEBUG] Dumping for PID XXXX
[appmemdumper] XX:XX:XX [DEBUG] > Calling command 'memdump'...
[appmemdumper] XX:XX:XX [DEBUG] >> volatility --plugins=/path/to/plugins --file=[...]
[appmemdumper] XX:XX:XX [INFO] > /path/to/files/memory.dump/mspaint-2640-memdump.data
[appmemdumper] XX:XX:XX [WARNING] 
The following applies to collected objects of:
- mspaint

Raw data (.data files) requires manual handling ;
Follow this procedure:
 1. Open the collected resources with Gimp
 2. Set the width and height to the expected screen resolution
 3. Set another color palette than 'RVB'
Restart this procedure by setting other parameters for width|height|palette.

问题管理

如果你想贡献或提交建议，请open an Issue。

labels用法约定如下：

• 一般问题：问题
• 建议：需要帮助
• 错误/异常/问题：bug
• 改进/贡献：enhancement；注意：如果您有动力并且能够做出贡献，请精确说明

如果要生成并提交新的转储程序，请打开拉取请求。

标签：

• 工具
• to
• 内存
• 应用程序
• windows
• dump
• 工件
• xx
• 波动性

欢迎加入QQ群-->： 979659372

推荐PyPI第三方库

• django-mp-tags

  Django标签应用程序

• kaggleenvironments

  防止攻击的包

• pythonirodsclient

  防止攻击的包

• dists-udacity-trial

  高斯分布

• u8timeseries

  一组易于使用的时间序列预测模型

• frbcat

  查询FRB目录

• sodaflow

  问候某人

• jsconfp

  json save config是一个简单的配置文件库

• dist-soham

  高斯分布

• zimagi

  齐马吉

• sdkdemo

  gitlab ci auto-pub的演示SDK

• gitlab-ci-pipeline-queue

  锁定作业，直到旧管道完成

• usb2container

  将特定USB设备绑定到容器

• catalyst-sphinx-theme

  Catalyst狮身人面像主题

• djdg_python_common_verify_SDK

  djdg通用验证