Wednesday, April 29, 2015

Minor update to my memscan script

I've been wanting to post some analyses here, but haven't really had the time. In trying to solve a puzzle on an analysis, I was told how to do some string mapping in memory. Not very complicated, but there have been many times where I wished I knew which process contained a string. Well, now I can find out =) So now my memscan script looks like this (apologies for the awkward formatting, I blame blogger):


#Simply runs a bunch of my most commonly used volatility plugins

if [ $# -lt 2 ]
    #I added the script to /usr/bin/memscan and gave it execute
    echo "Useage: memscan imagename profile"

    if [ ! -d dump ];
        #The script doesn't use this folder, but I do ;)
        mkdir dump

    for plugin in pslist pstree psxview malfind hivelist dlllist

        echo "Running $plugin"
        python /usr/share/volatility/ -f $1 --profile=$2 $plugin > $plugin.txt

        echo "Running autoruns"
        python /usr/share/volatility/ --plugins=/usr/share/volatility/contrib/plugins/autoruns /usr/share/volatility/ $1 -- profile=$2 autoruns > autoruns.txt

        echo "Running mimikatz"
        python /usr/share/volatility/ --plugins=/usr/share/volatility/contrib/plugins -f $1 --profile=$2 mimikatz > passwords.txt

    echo "Creating timeline"
    python /usr/share/volatility/ -f $1 --profile=$2 mftparser --output=body --output-file=mftparser.txt
    mactime -b mftparser.txt -d -z UTC-6 > timeline.txt

    echo "Mapping strings"
    strings -a -td $1 > full_strings.txt
    strings -a -td -el $1 >> full_strings.txt # Second pass for unicode
    python /usr/share/volatility/ -f $1 --profile=$2 strings -s full_strings.txt --output-file=mapped_strings.txt

No comments:

Post a Comment