1. Intro
This batch file can be used for initial analysis using volatility.
After the initial analysis has been done through this batch file, you can proceed with the detailed analysis using the commands you know.
2. Batch code (save as ‘vola_analysis.bat’)
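@echo off
setlocal EnableExtensions
cls
:: Title       : Memory Analysis using volatility
:: Maker       : L.T
:: Date        : 2018.04.12. 16:30
:: Description : Auto extract to file / The details such as malfind, impscan should be analyzed by you
::
:: Runs a fixed set of Volatility 2 plugins against one memory dump and writes each
:: plugin's stdout to a numbered file, %resultroot%\<dump name>\N.<plugin>.txt.
:: vol.py is run from %voldir% and relies on the .py file association, as the
:: original did. The printed "# N. <plugin>" number is the same N as the file name.
::
:: NOTE: the result directory ends up holding credential hashes (hashdump) and
:: executables carved from memory (procdump, possibly malicious) -- restrict who can
:: read it, and expect on-access AV to react to the procdump output.

:: Where results go and where vol.py lives; change these here, not in the steps below.
set "resultroot=D:\Memory_Analysis_Result"
set "voldir=C:\Python27\Scripts"
:: Empty until imageinfo has identified the profile; run_plugin passes it through.
set "profileopt="

echo @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo @                                    @
echo @       About Memory Analysis        @
echo @                                    @
echo @                                L.T @
echo @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo.
echo @ Output 파일 : %resultroot%
echo.
echo @ Input dump file path
set "dumpfilepath="
set /p "dumpfilepath=Dump 파일 경로 : "
if not defined dumpfilepath (
  echo No dump file path given. >&2
  exit /b 1
)
:: Strip any quotes the user typed so the path can be re-quoted safely everywhere below.
set "dumpfilepath=%dumpfilepath:"=%"
if not exist "%dumpfilepath%" (
  echo Dump file not found: "%dumpfilepath%" >&2
  exit /b 1
)
echo.

:: Make Directory & Set variable
for /f "delims=" %%i in ("%dumpfilepath%") do set "dumpname=%%~nxi"
set "savepath=%resultroot%\%dumpname%"
set "procpath=%savepath%\procdump"
if not exist "%savepath%" mkdir "%savepath%"
if not exist "%procpath%" mkdir "%procpath%"

:: Change Directory & Set count variable
cd /d "%voldir%" || (
  echo Cannot change to "%voldir%" -- is Volatility installed there? >&2
  exit /b 1
)
set cnt=0

call :run_plugin imageinfo

:: Analysis OS version: take the first name on the "Suggested Profile(s) : A, B, ..." line
:: (the original took the fifth space-separated token, which is the second name and
:: carries a trailing comma when three or more profiles are suggested).
set "profileimg="
for /f "usebackq tokens=1,3 delims=:, " %%A in ("%savepath%\%cnt%.imageinfo.txt") do (
  if "%%A"=="Suggested" if not defined profileimg set "profileimg=%%B"
)
if not defined profileimg (
  echo Could not read a suggested profile from "%savepath%\%cnt%.imageinfo.txt" >&2
  exit /b 1
)
set "profileopt=--profile=%profileimg%"

call :run_plugin pslist
call :run_plugin pstree
call :run_plugin psscan
call :run_plugin dlllist
call :run_plugin hivelist

:: Extract Hash SAM, SYSTEM: virtual offset (token 1) of the hives whose file name
:: (token 3) is SAM / SYSTEM. hivelist prints SYSTEM in upper case, so the comparison
:: must be case-insensitive; the original compared against "system" and never matched.
set "hashsam="
set "hashsys="
for /f "usebackq tokens=1,3" %%C in ("%savepath%\%cnt%.hivelist.txt") do (
  for /f "delims=" %%p in ("%%D") do (
    if /i "%%~nxp"=="SAM" set "hashsam=%%C"
    if /i "%%~nxp"=="SYSTEM" set "hashsys=%%C"
  )
)
:: Only pass explicit offsets when both were found; otherwise let hashdump locate the hives itself.
set "hashopts="
if defined hashsys if defined hashsam set "hashopts=-y %hashsys% -s %hashsam%"
if not defined hashopts echo SAM/SYSTEM offsets not found in hivelist output; running hashdump without -y/-s >&2
call :run_plugin hashdump %hashopts%

call :run_plugin connections
call :run_plugin connscan

:: Detailed checks of suspicious processes need the analyst's judgement, so run these by hand:
::   call :run_plugin malfind -p PID
::   call :run_plugin impscan

call :run_plugin procdump -D "%procpath%"

:: Run explorer Directory
explorer "%savepath%"
set /p P=Press any Key...
exit /b 0

:: run_plugin PLUGIN [extra vol.py arguments...]
::   Increments %cnt%, prints "# N. PLUGIN" and writes the plugin's stdout to
::   %savepath%\N.PLUGIN.txt. stderr is left on the console so plugin errors stay visible.
::   Reads: dumpfilepath, profileopt, savepath.  Writes: cnt.
:run_plugin
set /a cnt+=1
echo # %cnt%. %~1
vol.py -f "%dumpfilepath%" %profileopt% %* > "%savepath%\%cnt%.%~1.txt"
echo.
exit /b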