Volatility forensics and USB keyboard logging
Export the HTTP objects from the packet capture; the export is saved as a zip.
Unzipping it yields a vmem file.
Analyse it with Volatility on Linux.
volatility imageinfo -f data.vmem
Next, use the WinXPSP3x86 profile (found by trial and error).
List processes: volatility -f data.vmem --profile=WinXPSP3x86 pslist
cmd.exe is present.
Check cmd's command history: volatility -f data.vmem --profile=WinXPSP3x86 cmdscan
Found: passwd:weak_auth_top100
Then scan the files and grep for "flag" (found by trial and error).
volatility -f data.vmem --profile=WinXPSP3x86 filescan | grep "flag"
Dump it:
volatility -f data.vmem --profile=WinXPSP3x86 dumpfiles -Q 0x0000000001155f90 --dump-dir=./
The dumped file is named file.None.0xff425090.dat
binwalk shows it contains a zip; carve it out with foremost (binwalk's extraction corrupts the zip).
The password for the zip is weak_auth_top100.
Unzipping yields usbdata.txt, which can be decoded with the script from the internet below.
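As an added example (not part of the original writeup), here is the carving step done by hand in Python: it locates the ZIP local-file-header signature and the End-Of-Central-Directory record inside an arbitrary blob such as the dumped .dat file, cuts the archive out exactly at the end of the EOCD record (including any archive comment, which naive signature-based carving truncates), and verifies that the result parses as a ZIP before accepting it. A password-protected archive is still accepted, because its central directory is readable even though its entries are not. The blob built by build_sample() is constructed for the demonstration; the dumped file's real name and contents come from the writeup above.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # local file header signature
ZIP_EOCD = b"PK\x05\x06"           # End-Of-Central-Directory signature
EOCD_FIXED_LEN = 22                # fixed part of the EOCD record


def carve_zips(blob):
    """Return a list of byte strings, one per ZIP archive found in blob.

    Each archive is taken from its first local file header up to the end of
    its EOCD record (22 fixed bytes plus the archive comment).
    """
    archives = []
    start = blob.find(ZIP_LOCAL_HEADER)
    while start != -1:
        eocd = blob.find(ZIP_EOCD, start)
        if eocd == -1 or eocd + EOCD_FIXED_LEN > len(blob):
            break
        # Comment length lives in the last two bytes of the fixed EOCD part.
        comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
        end = eocd + EOCD_FIXED_LEN + comment_len
        candidate = blob[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                # General-purpose flag bit 0 marks an encrypted entry; such an
                # archive cannot be test-extracted without the password, but its
                # central directory is intact, so keep it for later cracking.
                encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
                if encrypted or zf.testzip() is None:
                    archives.append(candidate)
        except zipfile.BadZipFile:
            pass  # signature hit that is not a parseable archive; keep searching
        start = blob.find(ZIP_LOCAL_HEADER, end)
    return archives


def build_sample():
    """Constructed test input: junk bytes around a small ZIP with a comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("usbdata.txt", "00:00:04:00:00:00:00:00\n")
        zf.comment = b"carving-test"
    return b"\x00" * 64 + b"not a zip" + buf.getvalue() + b"\xff" * 32


def carve_sample_names():
    """Carve the constructed blob and return the file names in each archive."""
    names = []
    for archive in carve_zips(build_sample()):
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names.append(zf.namelist())
    return names


if __name__ == "__main__":
    for archive in carve_zips(build_sample()):
        with open("carved.zip", "wb") as out:
            out.write(archive)
        print("wrote carved.zip (%d bytes)" % len(archive))
```

To use it on the real dump, replace build_sample() with the bytes of file.None.0xff425090.dat; the carved archive can then be unzipped with the password recovered from cmdscan.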
#coding:utf-8
import sys
import os

# USB HID keycode -> (unshifted, shifted) character pairs
usb_codes = {
    0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
    0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
    0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
    0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
    0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
    0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
    0x2C:" ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{", 0x30:"]}", 0x32:"#~",
    0x33:";:", 0x34:"'\"", 0x36:",<", 0x37:".>", 0x4f:">", 0x50:"<"
}

def code2chr(filepath):
    lines = []
    pos = 0
    with open(filepath, "r") as f:
        for x in f.readlines():
            x = x.strip()
            if len(x) < 8:
                continue  # blank or truncated line
            code = int(x[6:8], 16)  # i.e. the third byte: the first keycode of the 8-byte HID report
            if code == 0:
                continue
            # newline or down arrow - move down
            if code == 0x51 or code == 0x28:
                pos += 1
                continue
            # up arrow - move up
            if code == 0x52:
                pos -= 1
                continue
            while len(lines) <= pos:
                lines.append("")
            # skip keycodes the table does not cover instead of raising KeyError
            if code in usb_codes:
                chars = usb_codes[code]
                # select the character based on the Shift key:
                # modifier byte bit 1 = left Shift (0x02), bit 5 = right Shift (0x20)
                shift = int(x[0:2], 16) & 0x22
                if shift and len(chars) > 1:
                    lines[pos] += chars[1]
                else:
                    lines[pos] += chars[0]
    for x in lines:
        print(x)

if __name__ == "__main__":
    code2chr('usbdata.txt')