Microsoft Word - APA_FUM_W_FNSC_0087
|
|
|
- かねろう ねぎたや
- 7 years ago
- Views:
Transcription
1 c e r u m. a c. i r Volatility 6 ( ) soltani@cert.um.ac.ir ィC :6 APA_FUM_W_FNSC_0087
2 4747: volatility : volatility IAT DKOM VAD PEB ETHREAD EPROCESS
3 IDA Pro " " volatility volatility pslist 90 volatility DKOM volatility psscan 2 psxview dlllist 90 volatility volatility VAD ( ) DLL ldrmodules 90 volatility VAD volatility malfind DLL yarascan 90 volatility volatility DLL9 2exe IDA Pro procexedump 2 procmemdump 90 volatility IAT PE IAT IDA Pro impscan 90 volatility volatility
4 Volatility python volatility Mac OS X Server 2008 R2 2Server Vista 2Server XP volatility Microsoft crash dump 5948 hibernation volatility volatility volatility volatility volatility volatility apihooks atoms atomscan bioskbd callbacks clipboard cmdscan connections connscan consoles crashinfo deskscan devicetree dlldump dlllist driverirp driverscan envars eventhooks filescan gahti gditimers gdt getsids handles hibinfo hivedump hivelist hivescan idt imagecopy volatility 2.2 Detect API hooks in process and kernel memory Print session and window station atom tables Pool scanner for _RTL_ATOM_TABLE Reads the keyboard buffer from Real Mode memory Print system-wide notification routines Extract the contents of the windows clipboard Extract command history by scanning for _COMMAND_HISTORY Print list of open connections [Windows XP and 2003 Only] Scan Physical memory for _TCPT_OBJECT objects (tcp connections) Extract command history by scanning for _CONSOLE_INFORMATION Dump crash-dump information Poolscaner for tagdesktop (desktops) Show device tree Dump DLLs from a process address space Print list of loaded dlls for each process Driver IRP hook detection Scan for driver objects _DRIVER_OBJECT Display process environment variables Print details on windows event hooks Scan Physical memory for _FILE_OBJECT pool allocations Dump the USER handle type information Print installed GDI timers and callbacks Display Global Descriptor Table Print the SIDs owning each process Print list of open handles for each process Dump hibernation file information Prints out a hive Print list of registry hives Scan Physical memory for _CMHIVE objects (registry hives) Display Interrupt Descriptor Table Copies a physical address space out as a raw DD image Snapshot 3
5 imageinfo impscan kdbgscan kpcrscan ldrmodules malfind memdump memmap messagehooks moddump modscan modules mutantscan patcher printkey procexedump procmemdump pslist psscan pstree psxview raw2dmp screenshot sessions sockets sockscan ssdt strings svcscan symlinkscan thrdscan threads timers userassist userhandles vaddump vadinfo vadtree vadwalk volshell windows wintree wndscan yarascan Identify information for the image Scan for calls to imported functions Search for and dump potential KDBG values Search for and dump potential KPCR values Detect unlinked DLLs Find hidden and injected code Dump the addressable memory for a process Print the memory map List desktop and thread window message hooks Dump a kernel driver to an executable file sample Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects Print list of loaded modules Scan for mutant objects _KMUTANT Patches memory based on page scans Print a registry key, and its subkeys and values Dump a process to an executable file sample Dump a process to an executable memory sample Print all running processes by following the EPROCESS lists Scan Physical memory for _EPROCESS pool allocations Print process list as a tree Find hidden processes with various process listings Converts a physical memory sample to a windbg crash dump Save a pseudo-screenshot based on GDI windows List details on _MM_SESSION_SPACE (user logon sessions) Print list of open sockets Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets) Display SSDT entries Match physical offsets to virtual addresses (may take a while, VERY verbose) Scan for Windows services Scan for symbolic link objects Scan physical memory for _ETHREAD objects Investigate _ETHREAD and _KTHREADs Print kernel timers and associated module DPCs Print userassist registry keys and information Dump the USER handle tables Dumps out the vad sections to a file Dump the VAD info Walk the VAD tree and display in tree format Walk the VAD tree Shell in the memory image Print Desktop Windows (verbose details) Print Z-Order Desktop Windows Tree Pool scanner for tagwindowstation (window stations) Scan process or kernel memory with Yara signatures EPROCESS EPROCESS ( ) WinDbg Non-paged pool 4
6 EPROCESS XP SP :6 kd> dt nt!_eprocess +0x000 Pcb : _KPROCESS +0x06c ProcessLock : _EX_PUSH_LOCK +0x070 CreateTime : _LARGE_INTEGER +0x078 ExitTime : _LARGE_INTEGER +0x080 RundownProtect : _EX_RUNDOWN_REF +0x084 UniqueProcessId : Ptr32 Void +0x088 ActiveProcessLinks : _LIST_ENTRY +0x0c0 ExceptionPort : Ptr32 Void +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE +0xc VadRoot : Ptr32 Void +0x20 VadHint : Ptr32 Void : Ptr32 _PAGEFAULT_HISTORY +0x48 Win32WindowStation : Ptr32 Void +0x4c InheritedFromUniqueProcessId : Ptr32 Void +0x50 LdtInformation : Ptr32 Void +0x54 VadFreeHint : Ptr32 Void +0x58 VdmObjects : Ptr32 Void +0x5c DeviceMap : Ptr32 Void +0x60 PhysicalVadList : _LIST_ENTRY +0x68 PageDirectoryPte : _HARDWARE_PTE +0x68 Filler : Uint8B +0x70 Session : Ptr32 Void +0x74 ImageFileName : [6] UChar +0x84 JobLinks : _LIST_ENTRY +0x8c LockedPagesList : Ptr32 Void +0x90 ThreadListHead : _LIST_ENTRY +0x98 SecurityPort : Ptr32 Void +0x9c PaeTop : Ptr32 Void +0xa0 ActiveThreads : Uint4B +0xa4 GrantedAccess : Uint4B [...] kd> dt nt!_list_entry +0x000 Flink : Ptr32 _LIST_ENTRY +0x004 Blink : Ptr32 _LIST_ENTRY EPROCESS LIST_ENTRY 0099 ActiveProcessLinks LIST_ENTRY Flink 2 Blink 92.6 Flink Flink EPROCESS Blink Blink EPROCESS (278 ) ActiveProcessLinks EProcess 5
7 ntoskrnl.exe 7 79 PsActiveProcessHead EPROCESS volatility EPROCESS (278 ) ntoskrnl.exe PsActiveProcessHead 99 export KPCR 6908 volatility pslist EPROCESS pstree pslist psscan EPROCESS pslist f profile WinXPSP2x XP SP imageinfo $ python volatility.py pslist ィCf memory.bin Name Pid PPid Thds Hnds Time System Thu Jan 0 00:00: smss.exe Tue Dec 0 5:58: csrss.exe Tue Dec 0 5:58: winlogon.exe Tue Dec 0 5:58: services.exe Tue Dec 0 5:58: lsass.exe Tue Dec 0 5:58: svchost.exe Tue Dec 0 5:58: svchost.exe Tue Dec 0 5:58: svchost.exe Tue Dec 0 5:58: volatility pslist EPROCESS WinDbg Field Name Pid PPid Thds Hnds Time pslist EPROCESS Description Source Name of the process executable EPROCESS.ImageFileName Process ID EPROCESS.UniqueProcessId Parent process ID EPROCESS.InheritedFromUniqueProcessId Number of active threads in the process EPROCESS.ActiveThreads Number of open handles in the process EPROCESS.ObjectTable.HandleCount Time when the process was started EPROCESS.CreateTime DKOM pslist DKOM ntoskrnl.exe NT Physical Address 2Extension ntkrnlpa.exe Kernel Processor Control Region :6 Direct Kernel Object Manipulation 6
8 EPROCESS Flink 2 Blink (278 2) DKOM 7229 psscan EPROCESS EPROCESS psscan EPROCESS EPROCESS ) ) API ZwSystemDebugControl psscan Prolaco DKOM ZwSystemDebugControl pslist 2 psscan :6 $ vol.py pslist -f prolaco.vmem Offset(V) Name PID PPID Thds Hnds Start x80b660 System xff2ab020 smss.exe :06:2 0xffecda0 csrss.exe :06:23 0xffec978 winlogon.exe :06:23 0xff services.exe :06:24 0xff lsass.exe :06:24 0xff28230 vmacthlp.exe :06:24 0x80ff88d8 svchost.exe :06:24 0xff27560 svchost.exe :06:24 0x80fbf90 svchost.exe :06:24 0xff22d558 svchost.exe :06:25 0xff203b80 svchost.exe :06:26 0xffd7da0 spoolsv.exe :06:26 0xffb8b28 vmtoolsd.exe :06:35 0xfffdc88 VMUpgradeHelper :06:38 0xff43b28 TPAutoConnSvc.e :06:39 0xff25a7e0 alg.exe :06:39 0xff36430 wscntfy.exe :06:49 0xff38b5f8 TPAutoConnect.e :06:52 0xff3865d0 explorer.exe :09:29 7
9 0xff3667e8 VMwareTray.exe :09:3 0xff VMwareUser.exe :09:32 0x80f94588 wuauclt.exe :09:37 0xff37a4b0 ImmunityDebugge :50:9 $ vol.py psscan ィCf prolaco.vmem Offset(P) Name PID PPID Time created Time exited x005f23a0 rundll32.exe :50: :50:42 0x00f7588 wuauclt.exe :09:37 0x02290 svchost.exe :06:24 0x03f648 _doc_rcdata_ :50:20 0x05b8d8 svchost.exe :06:24 0x System 4 0 0x02ab28 TPAutoConnSvc.e :06:39 0x049c5f8 TPAutoConnect.e :06:52 0x04a065d0 explorer.exe :09:29 0x04a544b0 ImmunityDebugge :50:9 0x04b5a980 VMwareUser.exe :09:32 0x04be97e8 VMwareTray.exe :09:3 0x04c2b30 wscntfy.exe :06:49 0x smss.exe :06:2 0x05f027e0 alg.exe :06:39 0x05f47020 lsass.exe :06:24 0x services.exe :06:24 0x06ef558 svchost.exe :06:25 0x vmacthlp.exe :06:24 0x063c5560 svchost.exe :06:24 0x0640ac0 msiexec.exe :49: :50:08 0x06499b80 svchost.exe :06:26 0x0655fc88 VMUpgradeHelper :06:38 0x066f0978 winlogon.exe :06:23 0x066f0da0 csrss.exe :06:23 0x06945da0 spoolsv.exe :06:26 0x069d5b28 vmtoolsd.exe :06:35 pslist _doc_rcdata_6.exe psscan rundll32.exe 2 msiexec.exe pslist DKOM psxview PsActiveProcessHead psxview EPROCESS : PsActiveProcessHead 6 (7229 (pslist EPROCESS9 6 (7229 (psscan ETHREAD9 6 (7229 :(thrdscan thrdscan ETHREAD ETHREAD prolaco.vmem
10 PspCidTable :PspCidTable HANDLE_TABLE PspCidTable PspCidTable :Csrss.exe Csrss.exe System 2Idle 2 smss 94227) ( EPROCESS Csrss.exe prolaco psxview False _doc_rcdata_ pslist rundll32.exe 2 msiexec.exe EPROCESS $ vol.py psxview ィCf prolaco.vmem Offset(P) Name PID pslist psscan thrdproc pspcdid csrss x06499b80 svchost.exe 48 True True True True True 0x04b5a980 VMwareUser.exe 452 True True True True True 0x0655fc88 VMUpgradeHelper 788 True True True True True 0x02ab28 TPAutoConnSvc.e 968 True True True True True 0x04c2b30 wscntfy.exe 888 True True True True True 0x06ef558 svchost.exe 088 True True True True True 0x06945da0 spoolsv.exe 432 True True True True True 0x smss.exe 544 True True True True False 0x04a544b0 ImmunityDebugge 36 True True True True True 0x069d5b28 vmtoolsd.exe 668 True True True True True 0x vmacthlp.exe 844 True True True True True 0x00f7588 wuauclt.exe 468 True True True True True 0x066f0da0 csrss.exe 608 True True True True False 0x05f027e0 alg.exe 26 True True True True True 0x services.exe 676 True True True True True 0x04a065d0 explorer.exe 724 True True True True True 0x049c5f8 TPAutoConnect.e 084 True True True True True 0x05b8d8 svchost.exe 856 True True True True True 0x System 4 True True True True False 0x02290 svchost.exe 028 True True True True True 0x04be97e8 VMwareTray.exe 432 True True True True True 0x05f47020 lsass.exe 688 True True True True True 0x063c5560 svchost.exe 936 True True True True True 0x066f0978 winlogon.exe 632 True True True True True 0x0640ac0 msiexec.exe 44 False True False False False 0x005f23a0 rundll32.exe 260 False True False False False 0x03f648 _doc_rcdata_6 336 False True True True True 9
11 lsass.exe Stuxnet lsass.exe Winlogon.exe XP Wininit.exe Stuxnet $ vol.py -f ーstuxnet.vmem" --profile=winxpsp3x86 pslist Offset(V) Name PID PPID Thds Hnds Start 0x823c8830 System x820df020 smss.exe :08:53 0x82a2da0 csrss.exe :08:54 0x8da5650 winlogon.exe :08:54 0x services.exe :08:54 0x8e70020 lsass.exe :08:54 0x82335d8 vmacthlp.exe :08:55 0x8db8da0 svchost.exe :08:55 0x8e6da0 svchost.exe :08:55 0x822843e8 svchost.exe :08:55 0x8e8b28 svchost.exe :08:55 0x8ff7020 svchost.exe :08:55 0x8fee8b0 spoolsv.exe :08:56 0x822b9a0 wuauclt.exe :2:03 0x8c543a0 Procmon.exe :25:56 0x8fa5390 wmiprvse.exe :25:58 0x8c498c8 lsass.exe :26:55 0x8c47c00 lsass.exe :26: lsass.exe winlogon.exe lsass.exe services.exe volatility : services.exe CreateProcess notepad.exe 99 lsass.exe ( (CreateProcess API CreateProcess Stable 2 Crash 3 Local Security Authentication SubSystem 0
12 services.exe svchost.exe svchost.exe svchost.exe services.exe $ python volatility.py pslist ィCf fakesvchost.bin Name Pid PPid Thds Hnds Time System Thu Jan 0 00:00: smss.exe Thu Dec 03 6:43: csrss.exe Thu Dec 03 6:43: winlogon.exe Thu Dec 03 6:43: services.exe Thu Dec 03 6:43: lsass.exe Thu Dec 03 6:43: svchost.exe Thu Dec 03 6:43: svchost.exe Thu Dec 03 6:43: svchost.exe Thu Dec 03 6:43: svchost.exe Thu Dec 03 6:43: svchost.exe Thu Dec 03 6:43: spoolsv.exe Thu Dec 03 6:43: explorer.exe Thu Dec 03 6:43: cmd.exe Thu Dec 03 6:44: svchost.exe Fri Dec 04 5:06: win32dd.exe Fri Dec 04 5:36: C: Windows System32 svchost.exe svchost.exe dlllist svchost.exe C: Temp svchost.exe $ python volatility.py dlllist ィCf fakesvchost.bin ィCp 2908 ************************************************* svchost.exe pid: 2908 Command line : C: Temp svchost.exe Service Pack DLL EPROCESS PEB PEB WinDbg PEB_LDR_DATA PEB_LDR_DATA Ldr xC head LDR_DATA_TABLE_ENTRY DLL (278 3) svchost.exe dll svchost.exe Process Environment Block
13 kd> dt _PEB ntdll!_peb +0x000 InheritedAddressSpace : UChar +0x00 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 SpareBool : UChar +0x004 Mutant : Ptr32 Void +0x008 ImageBaseAddress : Ptr32 Void +0x00c Ldr : Ptr32 _PEB_LDR_DATA +0x00 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS [...] kd> dt _PEB_LDR_DATA ntdll!_peb_ldr_data +0x000 Length : Uint4B +0x004 Initialized : UChar +0x008 SsHandle : Ptr32 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY +0x04 InMemoryOrderModuleList : _LIST_ENTRY +0x0c InInitializationOrderModuleList : _LIST_ENTRY +0x024 EntryInProgress : Ptr32 Void kd> dt _LDR_DATA_TABLE_ENTRY ntdll!_ldr_data_table_entry +0x000 InLoadOrderLinks : _LIST_ENTRY +0x008 InMemoryOrderLinks : _LIST_ENTRY +0x00 InInitializationOrderLinks : _LIST_ENTRY +0x08 DllBase : Ptr32 Void +0x0c EntryPoint : Ptr32 Void +0x020 SizeOfImage : Uint4B +0x024 FullDllName : _UNICODE_STRING +0x02c BaseDllName : _UNICODE_STRING [...] InMemoryOrderModuleList 2InLoadOrderModuleList PEB_LDR_DATA InInitializationOrderModuleList DLL
![+0x00c Ldr : Ptr32 _PEB_LDR_DATA +0x00 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS [...] kd> dt _PEB_LDR_DATA ntdll!](/docs-images/41/22577517/images/page_13.jpg "_peb_ldr_data +0x000 Length : Uint4B +0x004 Initialized : UChar +0x008 SsHandle : Ptr32 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY +0x04 InMemoryOrderModuleList : _LIST_ENTRY +0x0c")
14 2InLoadOrderModuleList DLL9 2InMemoryOrderModuleList DLL DLL9 2InInitializationOrderList dlllist 90 volatility DLL LDR_DATA_TABLE_ENTRY InLoadOrderModuleList (278 3) LoadLibrary DLL p DLL dlllist DLL EPROCESS offset 842 DLL $ python volatility.py dlllist -p 820 -f memory.bin svchost.exe pid: 820 Command line : C: WINDOWS system32 svchost -k DcomLaunch Base Size Path 0x x6000 C: WINDOWS system32 svchost.exe 0x7c xb0000 C: WINDOWS system32 ntdll.dll 0x7c xf4000 C: WINDOWS system32 kernel32.dll 0x77dd0000 0x9b000 C: WINDOWS system32 ADVAPI32.dll 0x77e x9000 C: WINDOWS system32 RPCRT4.dll 0x5cb x26000 C: WINDOWS system32 ShimEng.dll 0x6f xca000 C: WINDOWS AppPatch AcGenral.DLL 0x77d x90000 C: WINDOWS system32 USER32.dll 0x77f0000 0x46000 C: WINDOWS system32 GDI32.dll 0x76b x2d000 C: WINDOWS system32 WINMM.dll 0x774e0000 0x3c000 C: WINDOWS system32 ole32.dll [...] DLL DLL DLL DLL :6 DLL C: windows sys kernel32.dll DLL944 DLL sfc_os.dll pstorec.dll wininet.dll 2winsock32.dll 2ws2_32.dll DLL94 2 urlmon.dll DLL notepad.exe ( ) Windows File Protection (WFP) 2 Credentials 3 Windows Protected Storage 3
15 DLL PEB DLL DLL DKOM DLL listdlls 2 Process Explorer dlllist volatility DLL DLL PEB VAD LoadLibrary DLL LoadLibrary : ZwCreateFile DLL ZwCreateSection ( ) ZwMapViewOfSection (DLL) VAD DLL PEB VAD VAD VAD EPROCESS VadRoot VirtualAlloc VAD ( ) Section 4 Virtual Address Descriptor 5 Range 6 Memory manager
16 VAD WinDbg :6 kd> dt _MMVAD nt!_mmvad +0x000 StartingVpn : Uint4B +0x004 EndingVpn : Uint4B +0x008 Parent : Ptr32 _MMVAD +0x00c LeftChild : Ptr32 _MMVAD +0x00 RightChild : Ptr32 _MMVAD +0x04 u : unnamed +0x08 ControlArea : Ptr32 _CONTROL_AREA +0x0c FirstPrototypePte : Ptr32 _MMPTE +0x020 LastContiguousPte : Ptr32 _MMPTE +0x024 u2 : unnamed kd> dt _CONTROL_AREA nt!_control_area +0x000 Segment : Ptr32 _SEGMENT +0x004 DereferenceList : _LIST_ENTRY +0x024 FilePointer : Ptr32 _FILE_OBJECT +0x028 WaitingForDeletion : Ptr32 _EVENT_COUNTER +0x02c ModifiedWriteCount : Uint2B +0x02e NumberOfSystemCacheViews : Uint2B kd> dt _FILE_OBJECT ntdll!_file_object +0x000 Type : Int2B +0x002 Size : Int2B +0x030 FileName : _UNICODE_STRING +0x038 CurrentByteOffset : _LARGE_INTEGER DLL LoadLibrary VAD DLL (StartingVpn) (ControlArea.FilePointer.FileName) DLL PEB VAD PEB VAD 47 DLL PEB DLL VAD : Vadl 2Vad) VAD 2 (VadS Vad 49 Vadl
17 7229 volatility VAD : VAD :vadinfo VAD :vadwalk VAD :vadtree VAD Graphviz VAD 79 volatility VadRoot EPROCESS vadtree :6 $ python volatility.py vadtree -f memory.bin ィCp output=dot --output-file=vad.html Graphviz vadinfo :6 $ python volatility.py vadinfo -p 680 -f memory.bin [...] VAD Start 7ffab000 End 7ffabfff Tag Vadl Flags: NoChange, PrivateMemory, MemCommit Commit Charge: Protection: 4 First prototype PTE: Last contiguous PTE: Flags2: LongVad, OneSecured File offset: Secured: 7ffab000-7ffabfff Pointer to _MMEXTEND_INFO (or _MMBANKED_SECTION?):
18 VAD Start 7c End 7c9bfff Tag Vad Flags: ImageMap Commit Charge: 5 Protection: 7 Segment e4cdcc8 Dereference list: Flink , Blink NumberOfSectionReferences: NumberOfPfnReferences: 05 NumberOfMappedViews: 30 NumberOfSubsections: 5 FlushInProgressCount: 0 NumberOfUserReferences: 3 Flags: Accessed, HadUserReference, DebugSymbolsLoaded, Image, File (023e5f90), Name: WINDOWS system32 ntdll.dll WaitingForDeletion Event: ModifiedWriteCount: 0 NumberOfSystemCacheViews: 0 First prototype PTE: e4cdd00 Last contiguous PTE: fffffffc Flags2: Inherit File offset: [...] VAD b9e ffab000-7ffabfff c3d c c9bfff _CONTROL_AREA ntdll.dll ldrmodules 7229 ldrmodules 90 volatility PEB VAD PEB ) InInit 2InLoad 2 (InMem True 49 False DLL $vol.py -f laqma.vmem ldrmodules Pid Process Base InLoad InInit InMem MappedPath 340 IEXPLORE.EXE 0x False False False WINDOWS system32 mshtml.tlb 340 IEXPLORE.EXE 0x True True True WINDOWS system32 msxml3.dll 340 IEXPLORE.EXE 0x True True True WINDOWS system32 imm32.dll 340 IEXPLORE.EXE 0x77c0000 True True True WINDOWS system32 msvcrt.dll 340 IEXPLORE.EXE 0x025f0000 False False False WINDOWS system32 stdole2.tlb 340 IEXPLORE.EXE 0x5ad70000 True True True WINDOWS system32 uxtheme.dll 340 IEXPLORE.EXE 0x7aa0000 True True True WINDOWS system32 ws2help.dll 340 IEXPLORE.EXE 0x746c0000 True True True WINDOWS system32 msls3.dll 340 IEXPLORE.EXE 0x76ee0000 True True True WINDOWS system32 rasapi32.dll 340 IEXPLORE.EXE 0x03a50000 False False False WINDOWS system32 msxml3r.dll 340 IEXPLORE.EXE 0x4d4f0000 True True True WINDOWS system32 winhttp.dll 340 IEXPLORE.EXE 0x77b20000 True True True WINDOWS system32 msasn.dll ldrmodules VAD iexplore.exe PEB VAD vaddump
19 Firefox Gmail SecretUser SecretPass Firefox HTTP Firefox Gmail " " pslist 90 volatility Firefox vaddump $ vol.py -f gmail.bin --profile=win7spx86 pslist find "Firefox" Name Pid PPid Thds Hnds Time Firefox.exe :40:53 $ vol.py -f gmail.bin --profile=win7spx86 vaddump -p 5384 ィC-dump-dir=outdir VAD outdir volatility EPROCESS ( ) Firefox.exe.bb x09df0000-0x09eeffff x09df0000-0x09eeffff Firefox vaddump ( ) strings 2 find $ strings outdir * find "SecretUser" outdir Firefox.exe.bb x x038fffff.dmp: SecretUser
20 outdir Firefox.exe.bb x x038fffff.dmp: outdir Firefox.exe.bb x x038fffff.dmp: Would you like to remember the password for "SecretUser" on google.com? outdir Firefox.exe.bb x x056fffff.dmp: continue=http%3a%2f%2fmail.google.com%2fmail 8% F&service=mail&rm=false&dsh= <mpl=default&scc=&GALX=95bJEYRdzKc&pstMsg=&dnConn=&checkConnection=&checkedDomai ns=youtube×tmp=§ok=& =secretuser&passwd=secretpass&signin=sign+in&rmshown= outdir Firefox.exe.bb x x082fffff.dmp: - SecretUser $ strings outdir * find "SecretPass" outdir Firefox.exe.bb x x056fffff.dmp: continue=http%3a%2f%2fmail.google.com%2fmail 8% F&service=mail&rm=false&dsh= <mpl=default&scc=&GALX=95bJEYRdzKc&pstMsg=&dnConn=&checkConnection=&checkedDomai ns=youtube×tmp=§ok=& =secretuser&passwd=secretpass&signin=sign+in&rmshown= outdir Firefox.exe.bb x x083fffff.dmp: SecretPass outdir Firefox.exe.bb x0a x0a5fffff.dmp: SecretPass Gmail SSL dll malfind 2 yarascan SecretUser) 2 (SecretPass (Firefox) malfind 90 volatility VAD executable shellcode9 2 DLL malfind hex dump VirtualAllocEx API protection VAD Zeus malfind Code injection 9
21 $ vol.py -f zeus.vmem malfind --dump-dir=outdir Process: explorer.exe Pid: 724 Address: 0x Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge:, MemCommit:, PrivateMemory:, Protection: 6 0x b e9 cd d7 30 7b b e {... 0x f df 30 7b 8b ff 55 8b ec e9 ef 7 c 75 8b ff O.0{..U...u.. 0x b ec e bc 75 8b ff 55 8b ec e9 be 53 U...v.u..U...S 0x bd 75 8b ff 55 8b ec e9 d6 8 c 75 8b ff 55 8b.u..U...u..U. 0x b x e9cdd7307b 0x60000a b x60000f e94fdf307b 0x bff 0x x bec 0x60009 e9ef7c75 0x6000e 8bff 0x x bec 0x e99576bc75 0x bff 0x60002a 55 0x60002b 8bec 0x60002d e9be53bd75 0x bff 0x x bec 0x e9d68c75 0x60003c 8bff 0x60003e 55 0x60003f 8b MOV EAX, 0x35 JMP 0x7c90d7d7 MOV EAX, 0x9 JMP 0x7c90df63 MOV EDI, EDI PUSH EBP MOV EBP, ESP JMP 0x77280d MOV EDI, EDI PUSH EBP MOV EBP, ESP JMP 0x77c76bd MOV EDI, EDI PUSH EBP MOV EBP, ESP JMP 0x77d53f0 MOV EDI, EDI PUSH EBP MOV EBP, ESP JMP 0x77292 MOV EDI, EDI PUSH EBP DB 0x8b Process: explorer.exe Pid: 724 Address: 0x5d0000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 38, MemCommit:, PrivateMemory:, Protection: 6 0x05d0000 4d 5a ff ff MZ... 0x05d000 b @... 0x05d x05d d x5d0000 4d 0x5d000 5a 0x5d x5d x5d x5d x5d000a x5d000c ff 0x5d000d ff00 0x5d000f 00b x5d x5d x5d00a x5d00c x5d00e x5d x5d x5d x5d x5d x5d002a x5d002c x5d002e x5d x5d x5d DEC EBP POP EDX NOP ADD [EBX], AL ADD [EAX+EAX], AL DB 0xff INC DWORD [EAX] ADD [EAX+0x0], BH ADD [EAX+0x0], AL 20
22 0x5d x5d x5d003a x5d003c d000 0x5d003e 0000 ROL BYTE [EAX], 0x malfind malfind VAD hex dump explorer.exe Zeus csrss.exe Zeus csrss.exe csrss.exe IP Yara Yara python Yara-Python Yara volatility yarascan Yara Yara strings 2 condition yara :6 rule xmlc : banker { strings: $a = "/c del" fullword $b = "PostDel" fullword $c = ">> NUL" fullword $d = "LOADXML" $e = "lm.dat" $f = " %s " $g = /( x00 x20)([a-z0-9]{5,8}.dll) x00{,8} 2/ } condition: filesize < 50KB and (3 of ($a,$b,$c,$d,$e,$f) or #g >= 2) rule silent_banker : banker { strings: $a = {6A A 4 8D 9} $b = {8D 4D B0 2B C 83 C A 4E 59 F7 F9} $c = "UVODFRYSIHLNWPEJXQZAKCBGMT" condition:
23 } $a or $b or $c rule zbot : banker { strings: $a = " SYSTEM " wide $b = "*tanentry*" $c = "*<option" $d = "*<select" $e = "*<input" } condition: ($a and $b) or ($c and $d and $e) yarascan yara-file Yara system (Zeus) Zbot $ vol.py -f zeus.vmem yarascan --yara-file=malwarerule --dump-dir=outdir Rule: zbot Owner: Process System Pid 4 0x00a658 5f 00 5f d 00 _._.S.Y.S.T.E.M. 0x00a668 5f 00 5f _._.6.4.A.D x00a f 00 5f a 2f 2a _._...*/*. 0x00a f d 6f 7a 69 6c 6c 6 2f.../...Mozilla/ Rule: zbot Owner: Process System Pid 4 0x00a304 2a 3c c a 3c 6f 70 *<select...*<op 0x00a f 6e c tion..selected.. 0x00a3034 2a 3c 69 6e a c d 22 *<input.*value=" 0x00a f B.O.F.A...a volatility PE 6 ( DLL ) ( ) x PE text Memory-resident 2 Section 22
24 (read, execute) RX data (read, write, execute) RWX ( executable ) data 0494 RWX RX volatility PE PE procexedump 6 ( )6 2 procmemdump 6 ( )6 90 volatility PE Laqma pslist PID procexedump $ vol.py -f laqma.vmem pslist Offset(V) Name PID PPID Thds Hnds Start xff3667e8 VMwareTray.exe :09:3 0xff3825f8 lanmanwrk.exe :09:2 Slack space 2 PE section headers 23
目次 実習 1 ネットワーク接続状況の確認... 2 実習 2 不審プロセスの確認... 5
実習資料 1 仙台 CTF セキュリティ技術勉強会実習 Volatility Framework によるメモリフォレンジック 平成 29 年 11 月 12 日 仙台 CTF 実行委員会 目次 実習 1 ネットワーク接続状況の確認... 2 実習 2 不審プロセスの確認... 5 本実習の概要 あなたは 架空の企業 株式会社仙台シーテーエフ に入社したばかりの新米情報セキュリティ担当者です 営業所の社員用
shio SA.ppt[読み取り専用]
![shio SA.ppt[読み取り専用]](/thumbs/78/76924044.jpg "shio SA.ppt[読み取り専用]")
2005 213 Rootkit 2 ...... GPG EFS Windows 3 Rootkit + ifconfig, ps, ls, login Tripwire lkm-rootkit NT Rootkit, AFX Rootkit OS 4 HD... NTFS ADS Alternate Data Stream... NTFS HD HD...
Security Solution 2008.pptx
Security Solution 2008 Windows DOS (apack, lzexe, diet, pklite) Linux (gzexe, UPX) PE PE DOS Stub Space Section Header.idata PE Header & Optional Header Space.unpack (unpack code) Section Header.unpack
1007 ステルスデバッガを利用したマルウェア解析手法の提案
マルウェア対策研究人材育成ワークショップ 2008 ステルスデバッガを利用したマルウェア 解析手法の提案 NTT 情報流通プラットフォーム研究所 川古谷裕平岩村誠伊藤光恭 2008/10/10 1 目次 背景 ステルスデバッガの提案 CCC Dataset 2008 検体による評価 考察 まとめ 2008/10/10 2 背景 マルウェアの高度化 高機能化 柔軟な機能追加 自身の隠蔽化 耐解析機能
1 IPA Hierocrypt-L1 Hierocrypt-L Hierocrypt-L1 Hierocrypt-L1 Hierocrypt-L1 Hierocrypt-L1 Hierocrypt-L1 2 Hierocrypt-L1 Hierocrypt-L1 Hierocrypt-
Hierocrypt-L1 : Hierocrypt-L1 Hierocrypt-L1 Hierocrypt-L1 Abstract: In this report, we address our security evaluation of Hierocrypt-L1. As a result, we found no critical security flaw during the limited
4. 半角文字コード変換表 ここでは 半角文字のコード変換についての詳細な表を記載します の文字と文字コード (16 進数 ) には 表内で灰色の網掛けを設定しています 4.1 IBMカナ文字拡張からへの変換 16 進数 16 進数 16 進数 16 進数 16 進数 16 進数 SP 0x40 S
2013 年 4 月 3 日 お客様各位 株式会社セゾン情報システムズ HULFT 事業部 コード変換機能での のサポート 拝啓貴社ますますご清祥のこととお慶び申し上げます 平素は格別のご高配を賜り 厚く御礼申し上げます idivo Ver.1.4.0 では コード変換機能で変換できるコード体系の 1 つとして をサポートしました ついては 次に示すコード変換のパターンにおける 文字と文字コード (16
ユーザ デバイス プロファイル エクス ポートの使用方法
CHAPTER 41 ユーザデバイスプロファイルレコードをエクスポートする場合 次の 2 つのファイル形式名から選択できます All User Device Profile Details(All Phone Details ファイル形式 ): ユーザデバイスプロファイルに関連付けられた回線アトリビュート サービス およびユーザ ID をすべてエクスポートします Specific User Device
スライド 1
FFRI Dataset 2014 のご紹介 株式会社 FFRI http://www.ffri.jp Ver 2.00.01 1 Agenda FFRI Dataset 2014 概要 Cuckoo Sandbox 具体的なデータ項目 FFR yarai analyzer Professional 具体的なデータ項目 データの利用例 2 FFRI Dataset 2014 の概要 FFRIで収集したマルウェアの動的解析ログ
untitled
FutureNet Microsoft Corporation Microsoft Windows Windows 95 Windows 98 Windows NT4.0 Windows 2000, Windows XP, Microsoft Internet Exproler (1) (2) (3) COM. (4) (5) ii ... 1 1.1... 1 1.2... 3 1.3... 6...
WAGO Ch 測温抵抗体入力モジュール 取扱説明書
WAGO-I/O-SYSTEM 750 750-450 I/O 750 750-450 4ch Copyright ª 2015 by WAGO Kontakttechnik GmbH & Co. KG All rights reserved. WAGO Kontakttechnik GmbH & Co. KG Hansastraße 27 D-32423 Minden Phone: +49 (0)
( )
NAIST-IS-MT1551117 2017 3 10 ( ) Volatility Framework TPR 78.3-87.0% FPR 0-20% Volatility Framework 10., NAIST-IS-MT1551117, 2017 3 i Design and Implementation for Detecting Malware-Infected Terminals
I117 II I117 PROGRAMMING PRACTICE II DEBUG Research Center for Advanced Computing Infrastructure (RCACI) / Yasuhiro Ohara
I117 II I117 PROGRAMMING PRACTICE II DEBUG Research Center for Advanced Computing Infrastructure (RCACI) / Yasuhiro Ohara yasu@jaist.ac.jp / SCHEDULE 1. 2011/06/07(Tue) / Basic of Programming 2. 2011/06/09(Thu)
LIN
LIN @IT MONOist LIN @IT MONOist http://monoist.atmarkit.co.jp Vector Japan Co., Ltd. 目次 LIN 1 03 1. LIN 03 LIN 03 05 LIN? 06 OSI LIN 07 LIN 07 2. LIN 08 3. 09 09 10 10 11 12 LIN 2 13 1. 13 13 15 16 17
#include <stdio.h> unsigned char x86[] = { 0x8b, 0x44, 0x24, 0x04, // mov eax,[esp+4] 0x03, 0x44, 0x24, 0x08, // add eax,[esp+8] 0xc3 // ret }; int ma
![#include <stdio.h> unsigned char x86[] = { 0x8b, 0x44, 0x24, 0x04, // mov eax,[esp+4] 0x03, 0x44, 0x24, 0x08, // add eax,[esp+8] 0xc3 // ret }; int ma](/thumbs/91/104526063.jpg "#include <stdio.h> unsigned char x86[] = { 0x8b, 0x44, 0x24, 0x04, // mov eax,[esp+4] 0x03, 0x44, 0x24, 0x08, // add eax,[esp+8] 0xc3 // ret }; int ma")
x86 JIT Web JavaScript x86 JIT JIT x86 JIT Windows OS DEP x86 ASLR DEP ASLR Return-Oriented Programming JIT-Spraying JavaScript JIT x86 x86 JIT How to execute arbitrary code on x86 JIT Compiler Yoshinori
RX600 & RX200シリーズ アプリケーションノート RX用仮想EEPROM
R01AN0724JU0170 Rev.1.70 MCU EEPROM RX MCU 1 RX MCU EEPROM VEE VEE API MCU MCU API RX621 RX62N RX62T RX62G RX630 RX631 RX63N RX63T RX210 R01AN0724JU0170 Rev.1.70 Page 1 of 33 1.... 3 1.1... 3 1.2... 3
Metasploit 2012.indb
7 2 Metasploit Metasploit Framework MSF Metasploit Metasploit 2 Metasploit Metasploit 2.1 Metasploit 2.1.1 エクスプロイト Web SQL 2.1.2 Framework リバースシェル Windows 5 バインドシェル 8 2 Metasploit OS 2.1.3 シェルコード Meterpreter
Agenda IPv4 over IPv6 MAP MAP IPv4 over IPv6 MAP packet MAP Protocol MAP domain MAP domain ASAMAP ASAMAP 2
MAP Tutorial @ 1 Agenda IPv4 over IPv6 MAP MAP IPv4 over IPv6 MAP packet MAP Protocol MAP domain MAP domain ASAMAP ASAMAP 2 IPv4 over IPv6 IPv6 network IPv4 service Internet Service ProviderISP IPv4 service
制御メッセージ
APPENDIX C この付録では のパケットキャプチャおよびセッション状態のサンプルを示します この項では次のトピックについて説明します セッションアップ状態 (P.C-62) ポリシーディレクティブ (P.C-63) Service Activate (P.C-65) Service Deactivate (P.C-67) セッション切断 (P.C-69) C-61 セッションアップ状態 付録
Systemwalker IT Service Management Systemwalker IT Service Management V11.0L10 IT Service Management - Centric Manager Windows
Systemwalker IT Service Management Systemwalker IT Service Management V11.0L10 IT Service Management - Centric Manager Windows Systemwalker IT Service Management Systemwalker Centric Manager IT Service
電話機のエクスポート
CHAPTER 9 エクスポートユーティリティを使用すると 複数の Cisco Unified Communications Manager サーバ上のレコードを 1 台の Cisco Unified Communications Manager サーバにマージできます Cisco Unified Communications Manager サーバから別の Cisco Unified Communications
WinDriver PCI Quick Start Guide
WinDriver PCI/PCI Express/PCMCIA 5! WinDriver (1) DriverWizard (2) DriverWizard WinDriver (1) Windows 98/Me/2000/XP/Server 2003/Vista Windows CE.NET Windows Embedded CE v6.00 Windows Mobile 5.0/6.0 Linux
Moldplus_Server_4.12
Moldplus Server 4.12 04.12.2008... 3 MOLDPLUS SERVER V4.12... 4 VERSION 4.12 WHAT S NEW...5... 7... 9... 15 A.WINDOWS VISTA WINDOWS XP SERVER... 15 B. WINDOWS VISTA... 18... 23 XML... 24... 27 1.1 MOLDPLUS
FileMaker Server 9 Getting Started Guide
FileMaker Server 10 2007-2009 FileMaker, Inc. All rights reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker Bento Bento FileMaker, Inc. Mac Mac Apple Inc. FileMaker
Ethernet / / Ver
Ethernet / / Ver. 7.1 2007.09.10 1 I/O...1-1 1.1...1-1 1.2...1-1 1.3...1-1 1.4...1-2 1.5...1-3 2...2-1 2.1...2-1 2.1.1...2-1 2.1.2...2-1 2.1.3...2-3 2.1.4...2-3 2.1.5...2-4 2.1.6...2-5 2.2 Ethernet...2-6
Express5800/R320a-E4/Express5800/R320b-M4ユーザーズガイド
7 7 障害箇所の切り分け 万一 障害が発生した場合は ESMPRO/ServerManagerを使って障害の発生箇所を確認し 障害がハー ドウェアによるものかソフトウェアによるものかを判断します 障害発生個所や内容の確認ができたら 故障した部品の交換やシステム復旧などの処置を行います 障害がハードウェア要因によるものかソフトウェア要因によるものかを判断するには E S M P R O / ServerManagerが便利です
Nios® II HAL API を使用したソフトウェア・サンプル集 「Modular Scatter-Gather DMA Core」
ALTIMA Company, MACNICA, Inc Nios II HAL API Modular Scatter-Gather DMA Core Ver.17.1 2018 8 Rev.1 Nios II HAL API Modular Scatter-Gather DMA Core...3...3...4... 4... 5 3-2-1. msgdma... 6 3-2-2. On-Chip
Express5800/320Fc-MR
7 7 Phoenix BIOS 4.0 Release 6.0.XXXX : CPU=Pentium III Processor XXX MHz 0640K System RAM Passed 0127M Extended RAM Passed WARNING 0212: Keybord Controller Failed. : Press to resume, to setup
自動シャットタ<3099>ウンクイックインストールカ<3099>イト<3099>.indb
OMRON Corporation. 2011 All Rights Reserved. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 title Red Hat Enterprise Linux Server (2.6.18-8.el5xen serial) root (hd0,1) kernel /xen.gz-2.6.18-8.el5 console=vga xencons=ttys16
X Window System X X &
1 1 1.1 X Window System................................... 1 1.2 X......................................... 1 1.3 X &................................ 1 1.3.1 X.......................... 1 1.3.2 &....................................
GA-1190J
GA-1190J 1 1. 2. 3. 4. 2 5. 3 PDF 4 PDF PDF PDF PDF PDF PDF PDF PDF 5 6 ...1...2...4 1...12 2...16...18 3...22 PCL/PS...23 4...26 5...30 ETHERNET...31 TCP/IP...33 IPX/SPX...38 AppleTalk...40 HTTP...42
TM-T88VI 詳細取扱説明書
M00109801 Rev. B 2 3 4 5 6 7 8 9 10 Bluetooth 11 12 Bluetooth 13 14 1 15 16 Bluetooth Bluetooth 1 17 1 2 3 4 10 9 8 7 12 5 6 11 18 1 19 1 3 4 2 5 6 7 20 1 21 22 1 23 24 1 25 SimpleAP Start SSID : EPSON_Printer
Linux2.4でのメモリ管理機構
Linux2.2 on x86 Dec 2001 x86 Linux Linux (demand paging, copy on write ) (buddy system, slab allocator) x86 x86 ( ) (required) (= ) ( ) (optional) x86 Physical address( ) Linear address( ) Logical address(
ProVAL Recent Projects, ProVAL Online 3 Recent Projects ProVAL Online Show Online Content on the Start Page Page 13
ProVAL Unit System Enable Recording Log Preferred Language Default File Type Default Project Path ProVAL : Unit SystemUse SI Units SI SI USCS Enable Recording Log Language Default File Type Default Project
Cisco® ASA シリーズルーター向けDigiCert® 統合ガイド
Cisco ASA DigiCert 2013 7 8 Cisco ASA VPN DigiCert : 2013 7 8 Copyright 2018 DigiCert, Inc. All rights reserved. DigiCert DigiCert DigiCert, Inc. Symantec Norton Symantec Corporation DigiCert, Inc. DigiCert,
実施していただく前に
SiteProtector 2.0 Service Pack 5 Service Pack 6 2006 4 7 1.... 2 Event Collector Service Pack 1.13... 3 2. SiteProtector Core SP6... 4 3. Console... 10 4. Service Pack 6... 11 5. 1 Deployment Manager...
Mail_Spam_Manual_120815b
server~>su - server:~#mount /mnt/cdrom server:~#umount /mnt/cdrom # cd /mnt/cdrom #./ginstall -F -M [MTA ] -P AV # wget http://download.gideon.co.jp/ginstall.tgz #./ginstall -F -M P -P AV #./ginstall -M
Express5800/R110a-1Hユーザーズガイド
4 Phoenix BIOS 4.0 Release 6.0.XXXX : CPU=Xeon Processor XXX MHz 0640K System RAM Passed 0127M Extended RAM Passed WARNING 0B60: DIMM group #1 has been disabled. : Press to resume, to
Metasploit 2012.indb
239 15 Metasploit Framework Metasploit Framework Metasploit Framework Perl Python C C++ Metasploit Python Perl Metasploit Framework Framework OS Framework 2 Framework Framework 15.1 15.1.1 EIP ESP レジスタ
( 億 種 ) マルウェアが 急 速 に 増 加! 短 時 間 で 解 析 し, マルウェアの 意 図 や 概 略 を 把 握 したい マルウェアを 実 行 し, 挙 動 を 観 測 することで 解 析 する 動 的 解 析 が 有 効 しかし, マルウェアの 巧 妙 化 により, 観 測 自 体
大 月 勇 人, 瀧 本 栄 二, 毛 利 公 一 立 命 館 大 学 ( 億 種 ) マルウェアが 急 速 に 増 加! 短 時 間 で 解 析 し, マルウェアの 意 図 や 概 略 を 把 握 したい マルウェアを 実 行 し, 挙 動 を 観 測 することで 解 析 する 動 的 解 析 が 有 効 しかし, マルウェアの 巧 妙 化 により, 観 測 自 体 が 困 難 となっている アンチデバッグ:
Faronics Core User Guide
1 2 : 2017 2 1999-2017 Faronics Corporation. All rights reserved. Faronics Deep Freeze Faronics Core Console Faronics Anti-Executable Faronics Device Filter Faronics Power Save Faronics Insight Faronics
ワイヤレス~イーサネットレシーバー UWTC-REC3
www.jp.omega.com : esales@jp.omega.com www.omegamanual.info UWTC-REC3 www.jp.omega.com/worldwide UWIR UWTC-NB9 / UWRH UWRTD UWTC 61.6 [2.42] REF 11.7 [0.46] 38.1 [1.50] 66.0 [2.60] REF 33.0 [1.30]
VMware View Persona Management
VMware View Persona Management View Persona Management...................................... 3.......................................................... 3 View Persona Management..............................................
untitled
2004 1094 1.... 1 1.1....1 1.2....3 1.3....3 2. POSTGRESQL... 5 2.1. POSTGRESQL DB UNIX...5 2.2. POSTGRESQL DB WINDOWS...8 3. XML... 12 3.1. XINDICE (NATIVE XML DATABASE)... 12 3.2. XINDICE... 12 3.3.
FileMaker Server Getting Started Guide
FileMaker Server 12 2007 2012 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker Bento FileMaker, Inc. Bento FileMaker, Inc. FileMaker
Actual ESS Adapterの使用について
Actual ESS Adapter SQL External SQL Source FileMaker SQL ESS SQL FileMaker FileMaker SQL FileMaker FileMaker ESS SQL SQL FileMaker ODBC SQL FileMaker Microsoft SQL Server MySQL Oracle 3 ODBC Mac OS X Actual
Computer Security Symposium October ,a) API API API Alkanet IDA MWS API Proposal of static analysis assistance method utilizi
Computer Security Symposium 2016 11-13 October 2016 1,a) 1 1 2 1 API API API Alkanet IDA MWS API Proposal of static analysis assistance method utilizing the dynamic analysis log Shota Nakajima 1,a) Shuhei
MOTIF XF 取扱説明書
MUSIC PRODUCTION SYNTHESIZER JA 2 (7)-1 1/3 3 (7)-1 2/3 4 (7)-1 3/3 5 http://www.adobe.com/jp/products/reader/ 6 NOTE http://japan.steinberg.net/ http://japan.steinberg.net/ 7 8 9 A-1 B-1 C0 D0 E0 F0 G0
1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet 3 4 5 6 7 2 Alkanet Alkanet VMM VMM Alkanet Windows [2] マルウェア 観 測 用 VM SystemCall Windows System
![1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet 3 4 5 6 7 2 Alkanet Alkanet VMM VMM Alkanet Windows [2] マルウェア 観 測 用 VM SystemCall Windows System](/thumbs/40/20587794.jpg "1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet 3 4 5 6 7 2 Alkanet Alkanet VMM VMM Alkanet Windows [2] マルウェア 観 測 用 VM SystemCall Windows System")
Computer Security Symposium 2013 21-23 October 2013 Alkanet 525-8577 1-1-1 yotuki@asl.cs.ritsumei.ac.jp, {takimoto, mouri}@cs.ritsumei.ac.jp 466-8555 shoichi@nitech.ac.jp BitVisor Alkanet API DLL A Method
Introduction Purpose This course explains how to use Mapview, a utility program for the Highperformance Embedded Workshop (HEW) development environmen
Introduction Purpose This course explains how to use Mapview, a utility program for the Highperformance Embedded Workshop (HEW) development environment for microcontrollers (MCUs) from Renesas Technology
NetIQ White Paper
Contents 1... 1 2... 2 3... 6 AppManager 3.4J 4.0J 4... 9 5 Web... 11 6... 12 7... 13 Appendix SQL Server 21 1.1 March 25, 2002 1 NetIQ AppManager 3.4J AppManager 4.0J AppManager 1.1 AppManager3.4J 4.0J
<Documents Title Here>
Oracle Application Server 10g Release 2 (10.1.2) for Microsoft Windows Business Intelligence Standalone Oracle Application Server 10g Release 2 (10.1.2) for Microsoft Windows Business Intelligence Standalone
FileMaker Server Getting Started Guide
FileMaker Server 11 2004-2010 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker FileMaker, Inc. FileMaker, Inc. FileMaker FileMaker,
fx-9860G Manager PLUS_J
fx-9860g J fx-9860g Manager PLUS http://edu.casio.jp k 1 k III 2 3 1. 2. 4 3. 4. 5 1. 2. 3. 4. 5. 1. 6 7 k 8 k 9 k 10 k 11 k k k 12 k k k 1 2 3 4 5 6 1 2 3 4 5 6 13 k 1 2 3 1 2 3 1 2 3 1 2 3 14 k a j.+-(),m1
nopcommerce 2.2 2.1.6 Adobe Flash ( 1 ) 1 nopcommerce 2.2 ( [5, p.3-4] )
![nopcommerce 2.2 2.1.6 Adobe Flash ( 1 ) 1 nopcommerce 2.2 ( [5, p.3-4] )](/thumbs/39/20122401.jpg "nopcommerce 2.2 2.1.6 Adobe Flash ( 1 ) 1 nopcommerce 2.2 ( [5, p.3-4] )")
nopcommerce 2.2 NopCommerce (Ver.2.3) NopCommerce 2.1.1 (OS) Windows 7 Windows Vista Windows XP Windows Server 2003 Windows Server 2008 2.1.2 Web Internet Information Service (IIS) 6.0 2.1.3 ASP.NET 4.0
iPhone/iPad/Android(TM) とベリサイン アイデンティティプロテクション(VIP)エンタープライズゲートウェイとの組み合わせによるL2TP+IPsecのワンタイムパスワード設定例
VeriSign VIP VIP + AR VIP VIP AR VPN iphone ipad Apple Inc. iphone Android Google Inc. Copyright 2011 Allied Telesis K.K. All Rights Reserved. VIP AR User Copyright 2011 Allied Telesis K.K. All Rights
スライド 1
FFRI Dataset 2016 のご紹介 株式会社 FFRI http://www.ffri.jp Ver 2.00.01 1 Agenda FFRI Dataset 2016 概要 Cuckoo Sandbox 具体的なデータ項目 データの利用例 2 FFRI Dataset 2016 の概要 FFRIで収集したマルウェアの動的解析ログ 2016/1~2016/3に収集された検体 計 8,243
2
WJ-HD150 Digital Disk Recorder WJ-HD150 2 3 q w e r t y u 4 5 6 7 8 9 10 11 12 13 14 15 16 q w SIGNAL GND AC IN 17 SUNDAY MONDAY TUESDAY WEDNESDAY THURSDAY FRIDAY SATURDAY DAILY Program 1 Event No.1 Event
cover1.indd
OMRON Corporation. 2010 All Rights Reserved. Power Credit UPS PowerAct Pro Ver.4.x PA PowerAct Pro PA UPS Power Credit 2 3 4 5 6 7 8 9 10 11 12 13 title Red Hat Enterprise Linux Server (2.6.18-8.el5xen
はじめに SCSI ( ) RAID Utility (HDD Check Scheduler) V1.01 / 2005 年 4 月富士通株式会社 Microsoft Windows Windows NT Microsoft Corporation All Rights Reserved, Cop
Adaptec RAID Utility (HDD Check Scheduler) V1.01 取扱説明書 はじめに SCSI ( ) RAID Utility (HDD Check Scheduler) V1.01 / 2005 年 4 月富士通株式会社 Microsoft Windows Windows NT Microsoft Corporation All Rights Reserved,
目次 第 1 章インシデント対応の基本手順 1. インシデント対応とは 2. インシデント対応のイメージ 3. 状況把握に役立つ技術 フォレンジック 4. インシデント対応の基本手順第 2 章いきなり体験! インシデント対応 1. 体験するインシデントの概要 2. インシデントの検知 3. プロキシ
仙台 CTF キュリティ技術勉強会 マルウェアに感染したパソコンのメモリ解析とタイムライン解析入門 平成 29 年 11 月 12 日 仙台 CTF 実行委員会 Copyright (C) 2017 Sendai CTF 2017. All Rights Reserved. 目次 第 1 章インシデント対応の基本手順 1. インシデント対応とは 2. インシデント対応のイメージ 3. 状況把握に役立つ技術
AD7142: 静電容量タッチ・センサ向けのプログラマブル・コントローラ
AD7142 CDC 36ms 1fF 14 RC RAM SPI AD7142 I 2 C AD7142-1 V DRIVE GPIO 325mm5mm LFCSP_VQ 2.63.6V 1mA 50µA A/V CIN0 30 CIN1 31 CIN2 32 CIN3 1 CIN4 2 CIN5 3 CIN6 4 CIN7 5 CIN8 6 CIN9 7 CIN10 8 CIN11 9 CIN12
SRX IDP Full IDP Stateful Inspection 8 Detection mechanisms including Stateful Signatures and Protocol Anomalies Reassemble, normalize, eliminate ambi
IDP (INTRUSION DETECTION AND PREVENTION) SRX IDP Full IDP Stateful Inspection 8 Detection mechanisms including Stateful Signatures and Protocol Anomalies Reassemble, normalize, eliminate ambiguity Track
Teradici Corporation #101-4621 Canada Way, Burnaby, BC V5G 4X8 Canada p +1 604 451 5800 f +1 604 451 5818 www.teradici.com Teradici Corporation Teradi
PCoIP TER0806003 TER0806003 Issue 2 0 Teradici Corporation #101-4621 Canada Way, Burnaby, BC V5G 4X8 Canada p +1 604 451 5800 f +1 604 451 5818 www.teradici.com Teradici Corporation Teradici Teradici Teradici
I. Opal SSC 1. Opal SSC 2. Opal Storage 3. Opal Storage MBR Shadowing 6. SP II. TCG Opal SSC HDD 9. Opal SSC HDD *1. TCG: Trusted Computin
TCG Opal Yoshiju Watanabe Firmware Common Engineering Group Firmware Development Department November 4, 2010 I. Opal SSC 1. Opal SSC 2. Opal Storage 3. Opal Storage 4. 5. MBR Shadowing 6. SP 7. 8. II.
ProVisionaire Control V3.0セットアップガイド
ProVisionaire Control V3 1 Manual Development Group 2018 Yamaha Corporation JA 2 3 4 5 NOTE 6 7 8 9 q w e r t r t y u y q w u e 10 3. NOTE 1. 2. 11 4. NOTE 5. Tips 12 2. 1. 13 3. 4. Tips 14 5. 1. 2. 3.
~~~~~~~~~~~~~~~~~~ wait Call CPU time 1, latch: library cache 7, latch: library cache lock 4, job scheduler co
072 DB Magazine 2007 September ~~~~~~~~~~~~~~~~~~ wait Call CPU time 1,055 34.7 latch: library cache 7,278 750 103 24.7 latch: library cache lock 4,194 465 111 15.3 job scheduler coordinator slave wait
RouteMagic Controller RMC-MP200 / MP Version
RouteMagic Controller RMC-MP200 / MP1200 - Version 3.7.1 - RouteMagic Controller( RMC ) 3.7 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.7 RouteMagic Controller Version
tcp/ip.key
IP TCP IP ヘッダデータ部ヘッダデータ部ヘッダデータ部 Ethernet パケット Ethernet パケット Ethernet パケット IP(1) 0 8 16 24 31 () Version IHL () Time To Live () Identification () Type of Service ) Flags Protocol () Source Address IP) Destination
Complex Lab – Operating Systems - Graphical Console
Complex Lab Operating Systems Graphical Console Martin Küttler Last assignment Any questions? Any bug reports, whishes, etc.? 1 / 13 We are here Pong Server Paddle Client 1 Paddle Client 2 Memory Management
RouteMagic Controller( RMC ) 3.6 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.6 RouteMagic Controller Version 3
RouteMagic Controller RMC-MP200 / MP1200 - Version 3.6 - RouteMagic Controller( RMC ) 3.6 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.6 RouteMagic Controller Version
1 1.1 (PAC-YW01BAC) 1.1 Y GR R2 GR WR2 Eeco WY Eeco S Y ICE YkP ECO Y GR R2 Eeco WR2 Eeco Y A K PAC PAC (RAC) (HAC) *1) 24-4 - 1.2 PAC-YW01BAC (1) M-NET 1 50 ICAICLCFU ICAICA LCFU (2) (3) (4) UPS (5) (6)
JEE 上の Adobe Experience Manager forms のインストールおよびデプロイ(WebLogic 版)
JEE ADOBE EXPERIENCE MANAGER FORMS WEBLOGIC http://help.adobe.com/ja_jp/legalnotices/index.html iii 1 AEM forms 2 AEM Forms 3 4 - WebLogic Server 4.1............................................................................
1 142
7 1 2 3 4 5 6 7 8 1 142 PhoenixBIOS Setup Utility MainSystem DevicesSecurityPowerOthersBootExit System Time: [XX:XX:XX] Item Specific Help System Date: [XX/XX/XXXX] Floppy Drive: 1.44MB, 3 1 / 2" Hard
Epson Print Admin
Epson Print Admin NPD5368-02 JA Epson Print Admin Epson Print Admin Epson Print Admin Epson Print Admin Epson Open Platform Epson Open Platform Epson Print Admin Epson Print Admin Epson Print Admin Epson
James 1
1 Google Project Zero Windows 2 Windows Windows 3 Windows 4 Windows 5 Windows 6 7 8 Windows 400 WIN32K 1000 9 Windows 7 SP1 Windows 8.1 Windows 10 サービス 150 169 196 ドライバ 238 253 291 7 8 10 10 Windows 7
スライド 1
IBM Global Technology Services PCI DSS ITS IAS. IAS. 2I/T 1PCIDSS 2 2 PCI DSS QSA PCIDSS Fi Gap IBM PCIDSS IBM PCIDSS QSA QSA PCIDSS ROC* 1/ * ROC: Report on Compliance 3 PCI DSS 4 PCIDSS PCIDSS 1. PCIDSS
u302.book
Text Search Filter Library Version 3 3000-6-302-10 P-1MD3-3831* Text Search Filter Library Version 3 03-10 OS AIX 5L V5.2 AIX 5L V5.3 P-24D3-3834 Text Search Filter Library Version 3 03-10 OS Windows 2000
AirMac ネットワーク for Windows
AirMac for Windows Windows XP Windows 2000 1 1 5 6 AirMac 6 7 AirMac Extreme AirMac Express 7 AirMac for Windows 7 AirMac Express 8 AirMac 9 AirTunes 9 AirMac Extreme 10 2 11 AirMac 11 AirMac 12 AirMac
1 122
6 1 2 3 4 5 6 1 122 PhoenixBIOS Setup Utility MainAdvancedSecurityPowerExit MainSystem DevicesSecurityBootExit System Time: [XX:XX:XX] [XX:XX:XX] System Date: [XX/XX/XX] [XX/XX/XXXX] Item Specific Help
FileMaker Server Getting Started Guide
FileMaker Server 13 2007-2013 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker Bento FileMaker, Inc. FileMaker WebDirect Bento FileMaker,
Cisco 1711/1712セキュリティ アクセス ルータの概要
CHAPTER 1 Cisco 1711/1712 Cisco 1711/1712 Cisco 1711/1712 1-1 1 Cisco 1711/1712 Cisco 1711/1712 LAN Cisco 1711 1 WIC-1-AM WAN Interface Card WIC;WAN 1 Cisco 1712 1 ISDN-BRI S/T WIC-1B-S/T 1 Cisco 1711/1712
etrust Access Control etrust Access Control UNIX(Linux, Windows) 2
etrust Access Control etrust Access Control UNIX(Linux, Windows) 2 etrust Access Control etrust Access Control 3 ID 10 ID SU ID root 4 OS OS 2 aaa 3 5 TCP/IP outgoing incoming DMZ 6 OS setuid/setgid) OS
Max Library Size Smoke 10 Network Panel Display Default Web Browser Smoke Web Mac open Cleaner Export Destination Path Autodesk Cleaner XL Microsoft W
Setup Utility の使い方 使い方 Autodesk Smoke[version] Utilities Smoke Setup Preview Vtr Emulator Duplicate Delete Active Apply Reload Smoke Setup Manual Edit General Video Device Smoke AJA Kona Mac KONA 3 Audio
I TCP 1/2 1
I TCP 1/2 1 Transport layer: a birds-eye view Hosts maintain state for each transport endpoint Routers don t maintain perhost state H R R R R H Transport IP IP IP IP IP Copyright(C)2011 Youki Kadobayashi.
インストールマニュアル
EPSON OPOS ADK (1) (2) (3) (4) (5) (3) Microsoft Windows Windows Vista Windows Server Visual Basic Visual C++ EPSON ESC/POS Copyright 2000-2011 SEIKO EPSON CORPORATION 1...1 1.1...1 1.2...1 1.3...2 2...4
82801pdf.pqxp
PC Contents Chapter 1 PC / Chapter 2/ 1 2 SMS WAN BITS Chapter 3 SMS 2003 SMS SMS SMS 2003 2 6 8 9 9 10 11 12 13 14 16 17 17 18 19 19 20 20 21 22 24 24 25 25 26 26 27 28 PC PC PC PC PC IT 1 1 PC PC PC
ACS電子ジャーナル利用マニュアル
American Chemical Society ACS Web Edition & Journal Archives American Chemical Society ACS 4 Web Edition 2002 7 1879 Journal Archives ACS 1...2 2 2-1...3 2-2...4 2-3...5 3 3-1 Abstract...6 3-2 Full Text
RouteMagic Controller RMC-MP200 / MP Version
RouteMagic Controller RMC-MP200 / MP1200 - Version 3.5.2 - RouteMagic Controller( RMC ) 3.5.2 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.5 RouteMagic Controller
エクセルソフト株式会社 WinDriver PCI 5! WinDriver 1. DriverWizard 2. DriverWizard WinDriver 1. Windows 98/Me NT/2000/XP Windows CE/CE.NET Windows Server 2003 Lin
5! WinDriver 1. DriverWizard 2. DriverWizard WinDriver 1. Windows 98/Me NT/2000/XP Windows CE/CE.NET Windows Server 2003 Linux Solaris VxWorks Web http://www.xlsoft.com/jp/products/windriver/ 2. WinDriver
Adobe LiveCycle Workbench 11 のインストール
Adobe LiveCycle - Workbench 10 http://help.adobe.com/ja_jp/legalnotices/index.html iii 1 1.1............................................................................................ 1 1.2..............................................................................................................
Microsoft PowerPoint mm2
システムプログラム概論 Memory management 2/2 25/5/6 門林雄基 ( インターネット工学講座 ) 奈良先端科学技術大学院大学 前回 Memory hierarchy Contention and arbitration for memory Virtual memory: software + hardware solution Address translation Physical
Microsoft Word - Meta70_Preferences.doc
Image Windows Preferences Edit, Preferences MetaMorph, MetaVue Image Windows Preferences Edit, Preferences Image Windows Preferences 1. Windows Image Placement: Acquire Overlay at Top Left Corner: 1 Acquire
ohp.mgp
2019/06/11 A/B -- HTML/WWW(World Wide Web -- (TA:, [ 1 ] !!? Web Page http://edu-gw2.math.cst.nihon-u.ac.jp/~kurino VNC Server Address : 10.9.209.159 Password : vnc-2019 (2019/06/04 : : * * / / : (cf.
$ sudo apt-get install libavahi-compat-libdnssd-dev $ sudo apt-get autoremove nodejs $ wget http://nodejs.org/dist/latest/node-v7.6.0-linux-armv7l.tar.gz $ tar xzf node-v7.6.0-linux-armv7l.tar.gz $ sudo
Web Web Web Web Web, i
22 Web Research of a Web search support system based on individual sensitivity 1135117 2011 2 14 Web Web Web Web Web, i Abstract Research of a Web search support system based on individual sensitivity
TOPLON PRIO操作手順
TOPLON PRIO 2004/05/24 I/O LON WAGO TOPLON PRIO 1. 1) PCC-10 S/W 2) PC 3) PCC-10 4) Windows Lon WorksR Plug n Play Apply OK 5) Visio LonMaker LonPoint 6) TOPLON PRIO 2. IO-PRO SYM TOPLON-PRIO SNVT NVI
スライド 1
RX62N 周辺機能紹介データフラッシュ データ格納用フラッシュメモリ ルネサスエレクトロニクス株式会社ルネサス半導体トレーニングセンター 2013/08/02 Rev. 1.00 00000-A コンテンツ データフラッシュの概要 プログラムサンプル 消去方法 書き込み方法 読み出し方法 FCUのリセット プログラムサンプルのカスタマイズ 2 データフラッシュの概要 3 データフラッシュとは フラッシュメモリ
Express5800/320Fa-L/320Fa-LR/320Fa-M/320Fa-MR
7 7 Phoenix BIOS 4.0 Release 6.0.XXXX : CPU=Pentium III Processor XXX MHz 0640K System RAM Passed 0127M Extended RAM Passed WARNING 0212: Keybord Controller Failed. : Press to resume, to setup
IIJ Technical WEEK SEILシリーズ開発動向:IPv6対応の現状と未来
SEIL : IPv6 1 SEIL 2011 IPv6 SEIL IPv6 SEIL 4rd 2 SEIL 3 SEIL (1/3) SEIL IIJ SEIL 2001/6 IPv6 SEIL/X1 SEIL/X2 50,000 SEIL/x86 1998/8 SEIL SEIL/neu 128 SEIL/neu T1 SEIL/neu 2FE SEIL/neu ATM SEIL/Turbo SEIL/neu
1
Version 3.5.3J Software.com, Inc. 1994 1998 Translated by Open Technologies Corporation Table of Contents...... 1 1.1 E-mail...1 1.1.1 E-mail...1 1.1.2...2 1.1.3...3 1.1.4...4 1.2 E-mail :...5 1.3...6