# python vol.py -f dump.raw imageinfo
Volatile Systems Volatility Framework 2.0
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/kikuzou/volatility-2.0/dump.raw)
PAE type : PAE
DTB : 0xae2000
KDBG : 0x80544ce0L
KPCR : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2011-03-10 13:28:56
Image local date and time : 2011-03-10 13:28:56
Number of Processors : 1
Image Type : Service Pack 2
#
# python vol.py -f dump.raw pslist
Volatile Systems Volatility Framework 2.0
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x821c8830 System 4 0 53 258 1970-01-01 00:00:00
0x81e356d8 smss.exe 544 4 3 21 2011-03-10 13:02:27
0x81e216e8 csrss.exe 608 544 11 319 2011-03-10 13:02:29
0x820ac9c0 winlogon.exe 632 544 19 440 2011-03-10 13:02:29
0x821365b0 services.exe 684 632 16 338 2011-03-10 13:02:30
0x81bce938 lsass.exe 696 632 19 328 2011-03-10 13:02:30
0x82029720 svchost.exe 860 684 17 210 2011-03-10 13:02:31
0x81bd1500 svchost.exe 928 684 9 232 2011-03-10 13:02:31
0x81bf4020 svchost.exe 1020 684 59 1148 2011-03-10 13:02:31
0x81e123c0 svchost.exe 1064 684 4 74 2011-03-10 13:02:31
0x820df548 svchost.exe 1300 684 14 203 2011-03-10 13:02:33
0x81c1d7e8 spoolsv.exe 1472 684 10 108 2011-03-10 13:02:34
0x81fcf620 explorer.exe 1580 1564 11 446 2011-03-10 13:02:34
0x81bb0020 ctfmon.exe 1664 1580 1 66 2011-03-10 13:02:35
0x81d92020 alg.exe 500 684 6 104 2011-03-10 13:02:58
0x81be8020 wscntfy.exe 532 1020 1 36 2011-03-10 13:02:59
0x81dea980 winvnc4.exe 1696 684 3 67 2011-03-10 13:09:47
0x81f94da0 mmc.exe 1512 1580 7 241 2011-03-10 13:28:14
0x81deb558 wmiprvse.exe 1460 860 13 204 2011-03-10 13:28:33
#
# python vol.py -f dump.raw vadinfo -p 1696
Volatile Systems Volatility Framework 2.0
************************************************************************
Pid: 1696
VAD node @821e4090 Start 00ae0000 End 00b2ffff Tag Vad
Flags:
Commit Charge: 0 Protection: 1
ControlArea @81fd22b0 Segment e179a4b8
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 0
NumberOfMappedViews: 6 NumberOfUserReferences: 7
WaitingForDeletion Event: 00000000
Flags: Commit, HadUserReference
FileObject: none
First prototype PTE: e179a4f8 Last contiguous PTE: e179a770
Flags2: Inherit
File offset: 00000000
VAD node @81c38a60 Start 00400000 End 0046bfff Tag Vadl
Flags: ImageMap
Commit Charge: 6 Protection: 7
ControlArea @81bc9008 Segment e18fbc30
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 80
NumberOfMappedViews: 1 NumberOfUserReferences: 2
WaitingForDeletion Event: 00000000
Flags: Accessed, File, HadUserReference, Image
FileObject @81bc902c FileBuffer @ e1dc2008 , Name: \Program Files\RealVNC\VNC4\winvnc4.exe
First prototype PTE: e18fbc70 Last contiguous PTE: fffffffc
Flags2: Inherit, LongVad, ReadOnly
File offset: 00000000
※以下省略
「\Program Files\RealVNC\VNC4\winvnc4.exe」が実行されていることが判明。
よって、VNCサーバは「RealVNC 4」であると特定。
RealVNCのパスワード保存場所を調査したところ、以下レジストリに保存されているが判明。
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\Password
# python vol.py -f dump.raw hivelist
Volatile Systems Volatility Framework 2.0
Virtual Physical Name
0x8066e904 0x0066e904 [no name]
0xe1809008 0x08bfd008 \Device\HarddiskVolume1\Documents and Settings\eleve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1986008 0x09f7e008 \Device\HarddiskVolume1\Documents and Settings\eleve\NTUSER.DAT
0xe17a9768 0x08a48768 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe179b758 0x08a40758 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1770008 0x085d6008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe175fb60 0x08410b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe13ffb60 0x02f2bb60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe14ab008 0x07023008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe14abb60 0x07023b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe14e4758 0x0369d758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe12e8288 0x02d65288 [no name]
0xe1035b60 0x02aafb60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02ab1008 [no name]
#
# python vol.py -f dump.raw printkey -o 0xe13ffb60
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: User Specified
Key name: $$$PROTO.HIV (S)
Last updated: 2011-03-10 13:09:47
Subkeys:
(S) C07ft5Y
(S) Classes
(S) Clients
(S) Gemplus
(S) Microsoft
(S) ODBC
(S) Policies
(S) Program Groups
(S) RealVNC
(S) Schlumberger
(S) Secure
(S) Windows 3.1 Migration Status
Values:
#
# python vol.py -f dump.raw printkey -o 0xe13ffb60 -K "RealVNC"
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: User Specified
Key name: RealVNC (S)
Last updated: 2011-03-10 13:09:47
Subkeys:
(S) WinVNC4
Values:
#
# python vol.py -f dump.raw printkey -o 0xe13ffb60 -K "RealVNC\WinVNC4"
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: User Specified
Key name: WinVNC4 (S)
Last updated: 2011-03-10 13:10:51
Subkeys:
Values:
REG_BINARY Password : (S)
0000 DA 6E 31 84 95 77 AD 6B .n1..w.k
REG_SZ SecurityTypes : (S) VncAuth
REG_SZ ReverseSecurityTypes : (S) None
REG_DWORD QueryConnect : (S) 0
REG_DWORD QueryOnlyIfLoggedOn : (S) 0
#
>vncpwdump.exe -k DA6E31849577AD6B
VNCPwdump v.1.0.6 by patrik@cqure.net
-------------------------------------
Password: secretpq
>