Information Security

Volatility Basic Analysis

1. Intro

This batch file automates the initial analysis of a memory dump with Volatility.

Once this batch file has finished the initial analysis, proceed to the detailed analysis with the Volatility commands you are familiar with.

 

2. Batch code (save as ‘vola_analysis.bat’)

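@echo off
setlocal EnableExtensions
cls

:: Title : Memory Analysis using volatility
:: Maker : L.T
:: Date  : 2018.04.12. 16:30
:: Description : Runs a fixed set of Volatility 2 plugins against one memory dump and
::               writes each plugin's stdout to its own numbered text file.
::               Plugins whose output needs analyst judgement (malfind, impscan) are
::               deliberately left for manual runs.
::
:: Usage  : double-click, or run from cmd; the script prompts for the dump path.
:: Config : the two paths below are the only site-specific settings.
::   outroot - parent directory for all results (one sub-folder per dump file)
::   voldir  - directory that holds vol.py (the script changes into it before running)
set "outroot=D:\Memory_Analysis_Result"
set "voldir=C:\Python27\Scripts"

echo  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo  @                                    @
echo  @     About Memory Analysis          @
echo  @                                    @
echo  @                            L.T     @
echo  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo.

echo @ Output 파일 : %outroot%
echo.

echo @ Input dump file path
set /p dumpfilepath="Dump 파일 경로 : "
echo.

:: Validate the input before anything is created. A path pasted via "Copy as path"
:: already carries quotes, which would double up once we quote it ourselves, so the
:: quotes are stripped first; an empty or non-existent path aborts the run.
if not defined dumpfilepath (
    echo No dump path given.
    goto :fail
)
set "dumpfilepath=%dumpfilepath:"=%"
if not exist "%dumpfilepath%" (
    echo Dump file not found: "%dumpfilepath%"
    goto :fail
)

:: Result folders: one per dump, named after the dump file (name + extension).
:: All paths are quoted so directories with spaces work.
for /f "delims=" %%i in ("%dumpfilepath%") do set "dumpname=%%~nxi"
set "savepath=%outroot%\%dumpname%"
set "procpath=%savepath%\procdump"

if not exist "%savepath%" mkdir "%savepath%"
if not exist "%procpath%" mkdir "%procpath%"

:: vol.py is started through the .py file association, so the script must sit in
:: its directory. /d also switches drive, which a bare cd would not do.
if not exist "%voldir%\vol.py" (
    echo vol.py not found in "%voldir%"
    goto :fail
)
cd /d "%voldir%"
set cnt=0
set "profileopt="

:: imageinfo is the only plugin run without --profile; it is what determines the profile.
call :run imageinfo

:: Take the first suggested profile. Splitting on ':', ',' and space turns
:: "Suggested Profile(s) : X, Y (Instantiated with X)" into tokens where X is
:: token 3, regardless of how many profiles are listed.
for /f "usebackq tokens=1,3 delims=:, " %%A in ("%savepath%\%cnt%.imageinfo.txt") do (
    if "%%A"=="Suggested" set "profileimg=%%B"
)
if not defined profileimg (
    echo Could not determine a profile from imageinfo - see "%savepath%\%cnt%.imageinfo.txt"
    goto :fail
)
set "profileopt=--profile=%profileimg%"
echo.

call :run pslist
call :run pstree
call :run psscan
call :run dlllist
call :run hivelist

:: Extract Hash SAM, SYSTEM
:: Pick the virtual offsets (column 1 of hivelist) of the SYSTEM and SAM hives so
:: hashdump does not have to search for them. The comparison is case-insensitive:
:: hivelist prints \REGISTRY\MACHINE\SYSTEM in upper case, so a case-sensitive
:: match against "system" would never set the SYSTEM offset.
for /f "usebackq tokens=1,3" %%C in ("%savepath%\%cnt%.hivelist.txt") do (
    if /I "%%~nxD"=="SAM"    set "hashsam=%%C"
    if /I "%%~nxD"=="SYSTEM" set "hashsys=%%C"
)
set "hashopt="
if defined hashsys if defined hashsam set "hashopt=-y %hashsys% -s %hashsam%"
if not defined hashopt echo SYSTEM/SAM offsets not found in hivelist - hashdump will locate the hives itself
call :run hashdump %hashopt%

:: connections/connscan only cover XP/2003 memory; netscan covers Vista and later,
:: so all three are run and the unsupported ones simply produce empty files.
call :run connections
call :run connscan
call :run netscan

:: Detailed checks on suspicious processes need analyst judgement, so these are
:: run manually rather than automatically.
::call :run malfind
::call :run impscan

call :run procdump -D "%procpath%"

:: Open the result folder, then keep the window open so the output can be read.
explorer "%savepath%"
goto :done

:fail
echo.
echo Analysis aborted.

:done
pause
endlocal
goto :eof

:: run PLUGIN [ARGS...]
:: Increments the step counter, announces the step on the console, and writes the
:: plugin's stdout to <savepath>\<cnt>.<PLUGIN>.txt. The counter is bumped before
:: it is printed so the console number and the file number agree. stderr is left
:: on the console so Volatility errors are not mistaken for plugin output.
:: profileopt is empty only for the imageinfo run.
:run
set /a cnt+=1
echo # %cnt%. %~1
vol.py -f "%dumpfilepath%" %profileopt% %* > "%savepath%\%cnt%.%~1.txt"
echo.
goto :eof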

 

 

 
