
Volatility 3 - Memory Capture

by LimSeongHyeon 2025. 6. 14.

Volatility 3

GitHub - volatilityfoundation/volatility3: Volatility 3.0 development (github.com)

Volatility is an open-source framework for performing memory forensics in digital forensics. Volatility 2 ran on Python 2; version 3 moved to Python 3. Because it runs in Python, analysis is possible on almost any environment where Python runs, such as Windows, Linux and macOS. The analysis approach is to load a memory dump file and analyze its internal structures, so a separate tool is needed to dump the memory first.


Magnet Ram Capture

Magnet RAM Capture - Magnet Forensics: Magnet RAM Capture is a free imaging tool designed to capture the physical memory of… (www.magnetforensics.com)

A program from Magnet Forensics that takes a memory dump of a Windows system as a RAW image. Its distinguishing feature is that the file is extremely light. Enter your details at the bottom of the linked page and the file is sent to you by email.


Lab setup

- Installation

$ git clone https://github.com/volatilityfoundation/volatility3.git
$ cd volatility3

# When using a venv
$ pip install -e ".[full]"

# Without a venv
$ pip install --user -e ".[full]"

# Check that it works
$ vol -h

- Memory image for practice (optional)

GitHub - stuxnet999/MemLabs: Educational, CTF-styled labs for individuals interested in Memory Forensics (github.com)


Memory dump

Launch Magnet RAM Capture, click Browse to choose where the dumped data will be saved, then run it, and you are done.


Basic command walkthrough

1. Checking the image

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.info
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
Kernel Base     0xf807c2800000
DTB     0x1ae000
Symbols file://~.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf807c360a870
Major/Minor     15.26100
MachineType     34404
KeNumberProcessors      12
SystemTime      2025-06-14 05:39:37+00:00
NtSystemRoot    C:\WINDOWS
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Thu Jun 29 05:55:06 1995

- Kernel Base: memory address at which the kernel is loaded
- DTB: Directory Table Base (used for memory mapping)
- Symbols: path of the automatically downloaded symbol file
- Is64Bit: True → 64-bit Windows
- SystemTime: system time at the moment of the dump → 2025-06-14 05:39:37 UTC
- NtSystemRoot: Windows installation path (C:\WINDOWS)
- NtMajor/MinorVersion: Windows 10 (10.0)
- Processors: number of logical CPUs: 12

2. Listing processes

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.pslist
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xe70abe6b0040  308     -       N/A     False   2025-06-13 12:55:53.000000 UTC  N/A     Disabled
188     4       Secure System   0xe70abe8ce040  0       -       N/A     False   2025-06-13 12:55:51.000000 UTC  N/A     Disabled
228     4       Registry        0xe70abe8ea040  4       -       N/A     False   2025-06-13 12:55:51.000000 UTC  N/A     Disabled
728     4       smss.exe        0xe70ac46a4040  2       -       N/A     False   2025-06-13 12:55:53.000000 UTC  N/A     Disabled
932     920     csrss.exe       0xe70ac49a7140  13      -       0       False   2025-06-13 12:55:54.000000 UTC  N/A     Disabled
700     920     wininit.exe     0xe70acbc3f180  1       -       0       False   2025-06-13 12:55:56.000000 UTC  N/A     Disabled
860     852     csrss.exe       0xe70acbc54180  0       -       1       False   2025-06-13 12:55:56.000000 UTC  2025-06-13 13:58:24.000000 UTC  Disabled
1060    700     services.exe    0xe70acbb460c0  9       -       0       False   2025-06-13 12:55:56.000000 UTC  N/A     Disabled
1080    700     LsaIso.exe      0xe70acbc6c0c0  1       -       0       False   2025-06-13 12:55:56.000000 UTC  N/A     Disabled
1088    700     lsass.exe       0xe70acbc8e0c0  10      -       0       False   2025-06-13 12:55:56.000000 UTC  N/A     Disabled
1308    1060    svchost.exe     0xe70acb8ad080  19      -       0       False   2025-06-13 12:55:56.000000 UTC  N/A     Disabled
...

3. Checking the process tree

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.pstree
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        Audit   Cmd     Path
4       0       System  0xe70abe6b0040  308     -       N/A     False   2025-06-13 12:55:53.000000 UTC  N/A     -       -       -
* 728   4       smss.exe        0xe70ac46a4040  2       -       N/A     False   2025-06-13 12:55:53.000000 UTC  N/A     \Device\HarddiskVolume4\Windows\System32\smss.exe       \SystemRoot\System32\smss.exe   \SystemRoot\System32\smss.exe
* 2732  4       MemCompression  0xe70acc4d5040  62      -       N/A     False   2025-06-13 12:55:57.000000 UTC  N/A     MemCompression  -       -
* 188   4       Secure System   0xe70abe8ce040  0       -       N/A     False   2025-06-13 12:55:51.000000 UTC  N/A     -       -       -
* 228   4       Registry        0xe70abe8ea040  4       -       N/A     False   2025-06-13 12:55:51.000000 UTC  N/A     Registry        -       -
1948    1164    dwm.exe 0xe70ac4955080  0       -       1       False   2025-06-13 12:55:57.000000 UTC  2025-06-13 13:58:22.000000 UTC  \Device\HarddiskVolume4\Windows\System32\dwm.exe        -       -
14652   14516   Docker Desktop  0xe70acfa60080  0       -       1       False   2025-06-13 12:57:35.000000 UTC  2025-06-13 12:58:00.000000 UTC  \Device\HarddiskVolume4\Program Files\Docker\Docker\frontend\Docker Desktop.exe -       -
...

4. Checking command lines

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.cmdline
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     Process Args

4       System  -
188     Secure System   -
228     Registry        -
728     smss.exe        \SystemRoot\System32\smss.exe
932     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
700     wininit.exe     wininit.exe
860     csrss.exe       -
1060    services.exe    C:\WINDOWS\system32\services.exe
1080    LsaIso.exe      \??\C:\WINDOWS\system32\lsaiso.exe -KeyGuard
1088    lsass.exe       C:\WINDOWS\system32\lsass.exe
1308    svchost.exe     C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
1348    fontdrvhost.ex  "fontdrvhost.exe"
1428    svchost.exe     C:\WINDOWS\system32\svchost.exe -k RPCSS -p
1492    svchost.exe     C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
1620    svchost.exe     C:\WINDOWS\system32\svchost.exe -k NetworkService -p
1624    svchost.exe     C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BDESVC
1696    svchost.exe     C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s HvHost
...

5. Checking DLLs

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.dlllist --pid <PID>
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     Process Base    Size    Name    Path    LoadTime        File output

6944    NexonPlug.exe   0x400000        0x1331000       NexonPlug.exe   C:\Users\shot7\NexonPlug\NexonPlug.exe  2025-06-14 00:43:55.000000 UTC  Disabled
6944    NexonPlug.exe   0x7ff998340000  0x265000        ntdll.dll       C:\WINDOWS\SYSTEM32\ntdll.dll   2025-06-14 00:43:55.000000 UTC  Disabled
6944    NexonPlug.exe   0x7ff996330000  0x55000 wow64.dll       C:\WINDOWS\System32\wow64.dll   2025-06-14 00:43:55.000000 UTC  Disabled
6944    NexonPlug.exe   0x7ff997a60000  0xb000  wow64base.dll   C:\WINDOWS\System32\wow64base.dll       2025-06-14 00:43:55.000000 UTC  Disabled
6944    NexonPlug.exe   0x7ff998270000  0x89000 wow64win.dll    C:\WINDOWS\System32\wow64win.dll        2025-06-14 00:43:55.000000 UTC  Disabled
6944    NexonPlug.exe   0x7ff9973f0000  0x18000 wow64con.dll    C:\WINDOWS\System32\wow64con.dll        2025-06-14 00:43:55.000000 UTC  Disabled
6944    NexonPlug.exe   0x77b60000      0xa000  wow64cpu.dll    C:\WINDOWS\System32\wow64cpu.dll        2025-06-14 00:43:55.000000 UTC  Disabled
6944    NexonPlug.exe   0x400000        0x1331000       NexonPlug.exe   C:\Users\shot7\NexonPlug\NexonPlug.exe  -       Disabled
6944    NexonPlug.exe   0x77b70000      0x1bb000        ntdll.dll       C:\WINDOWS\SYSTEM32\ntdll.dll   -       Disabled
6944    NexonPlug.exe   0x76e80000      0xf0000 KERNEL32.DLL    C:\WINDOWS\System32\KERNEL32.DLL        -       Disabled

6. Checking network connections

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.netscan

7. Detecting malicious memory

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.malfind --pid <PID>
Volatility 3 Framework 2.26.2
6944    NexonPlug.exe   0x3750000       0x3750fff       VadS    PAGE_EXECUTE_READWRITE  1       1       Disabled        N/A
ff 74 24 10 ff 74 24 10 e9 bb 22 4d 74 ff 74 24 .t$..t$..."Mt.t$
10 ff 74 24 10 ff 25 1b 00 75 03 80 85 88 00 00 ..t$..%..u......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3750000:      push    dword ptr [esp + 0x10]
0x3750004:      push    dword ptr [esp + 0x10]
0x3750008:      jmp     0x77c222c8
0x375000d:      push    dword ptr [esp + 0x10]
0x3750011:      push    dword ptr [esp + 0x10]
0x3750015:      jmp     dword ptr [0x375001b]
0x375001b:      add     byte ptr [ebp + 0x88], 0
0x3750022:      add     byte ptr [eax], al
0x3750024:      add     byte ptr [eax], al
0x3750026:      add     byte ptr [eax], al
0x3750028:      add     byte ptr [eax], al
0x375002a:      add     byte ptr [eax], al
0x375002c:      add     byte ptr [eax], al
0x375002e:      add     byte ptr [eax], al
0x3750030:      add     byte ptr [eax], al
0x3750032:      add     byte ptr [eax], al
0x3750034:      add     byte ptr [eax], al
0x3750036:      add     byte ptr [eax], al
0x3750038:      add     byte ptr [eax], al
0x375003a:      add     byte ptr [eax], al
0x375003c:      add     byte ptr [eax], al
0x375003e:      add     byte ptr [eax], al
...
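The flagged region is a private, executable and writable page whose first instructions are a push/push/jmp stub. As an added example, not from the post, the script below resolves the direct jmp target in the malfind disassembly against the module list from windows.dlllist for the same PID (both copied from the output above) to tell whether the stub jumps into a loaded module, back into the flagged region, or into unmapped memory.

```python
import re
# Constructed from the windows.dlllist rows for PID 6944 shown above: (base, size, name).
DLLLIST_6944 = [
    (0x400000, 0x1331000, "NexonPlug.exe"),
    (0x7ff998340000, 0x265000, "ntdll.dll"),   # 64-bit ntdll
    (0x77b60000, 0xa000, "wow64cpu.dll"),
    (0x77b70000, 0x1bb000, "ntdll.dll"),       # 32-bit ntdll that the WoW64 process executes
    (0x76e80000, 0xf0000, "KERNEL32.DLL"),
]
# Constructed from the windows.malfind output above: region header row, then the disassembly.
MALFIND_6944 = """\
6944\tNexonPlug.exe\t0x3750000\t0x3750fff\tVadS\tPAGE_EXECUTE_READWRITE\t1\t1\tDisabled\tN/A
0x3750000:      push    dword ptr [esp + 0x10]
0x3750004:      push    dword ptr [esp + 0x10]
0x3750008:      jmp     0x77c222c8
0x375000d:      push    dword ptr [esp + 0x10]
0x3750011:      push    dword ptr [esp + 0x10]
0x3750015:      jmp     dword ptr [0x375001b]
"""
DIRECT_JMP = re.compile(r"^(0x[0-9a-f]+):\s+jmp\s+(0x[0-9a-f]+)\s*$")

def resolve(addr, modules):
    """Return (module name, offset) for the module containing addr, or None."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name, addr - base
    return None

def classify_jumps(malfind_text, modules):
    """For each direct 'jmp <imm>' in the disassembly, describe where it lands."""
    region, out = None, []
    for line in malfind_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 4 and fields[0].isdigit():      # region header: PID Process Start End ...
            region = (int(fields[2], 16), int(fields[3], 16))
            continue
        m = DIRECT_JMP.match(line)
        if not m:
            continue                                        # indirect jumps and other instructions
        src, dst = int(m.group(1), 16), int(m.group(2), 16)
        hit = resolve(dst, modules)
        if hit:
            desc = f"{hit[0]}+0x{hit[1]:x}"
        elif region and region[0] <= dst <= region[1]:
            desc = "inside flagged region"
        else:
            desc = "unmapped/unknown"
        out.append((src, dst, desc))
    return out

if __name__ == "__main__":
    for src, dst, desc in classify_jumps(MALFIND_6944, DLLLIST_6944):
        print(f"{src:#x} -> {dst:#x}: {desc}")   # 0x3750008 -> 0x77c222c8: ntdll.dll+0xb22c8
```

Here the stub lands inside the 32-bit ntdll.dll mapping, which is the shape of a hook or trampoline rather than a self-contained payload; a jump into memory that no module list accounts for is the case that warrants dumping the region and looking further.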

8. Checking services

$ python vol.py -f "<MEMORY-DUMP-PATH>" windows.svcscan
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
Offset  Order   PID     Start   State   Type    Name    Display Binary  Binary (Registry)       Dll

0x21d0014f590   134     2296    SERVICE_AUTO_START      SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS       Dnscache        DNS Client      C:\WINDOWS\system32\svchost.exe -k NetworkService -p    %SystemRoot%\system32\svchost.exe -k NetworkService -p       %SystemRoot%\System32\dnsrslvr.dll
0x21d0014f5a0   133     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_WIN32_SHARE_PROCESS     dmwappushservice        장치 관리 무선 응용 프로그램 프로토콜(WAP) 푸시 메시지 라우팅 서비스    N/A     %SystemRoot%\system32\svchost.exe -k netsvcs -p      %SystemRoot%\system32\dmwappushsvc.dll
0x21d0014fae0   132     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_KERNEL_DRIVER   dmvsc   dmvsc   N/A     \SystemRoot\System32\drivers\dmvsc.sys  -
0x21d00154b60   131     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_WIN32_OWN_PROCESS       DmEnrollmentSvc 장치 관리 등록 서비스   N/A     %systemroot%\system32\svchost.exe -k netsvcs -p %systemroot%\system32\Windows.Internal.Management.dll
0x21d00150c60   130     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_KERNEL_DRIVER   DisplayMux      Microsoft DisplayMux    N/A     \SystemRoot\System32\DriverStore\FileRepository\displaymux.inf_amd64_da65a70f0c3ce0f3\DisplayMux.sys -
...

UI

Attachment: ui.py (0.01MB)

Put the ui.py file into the folder where Volatility 3 is installed and run the commands below to use it.

$ pip install streamlit pandas
$ streamlit run ui.py