来自内存转储的Windows CMD历史记录w/Volatility_Windows_Cmd_Netcat_Computer Forensics_Volatility

来自内存转储的Windows CMD历史记录w/Volatility

windows cmd

来自内存转储的Windows CMD历史记录w/Volatility,windows,cmd,netcat,computer-forensics,volatility,Windows,Cmd,Netcat,Computer Forensics,Volatility,我试图分析Windows7内存转储的波动性。目标是查看转储之前运行的CMD命令 Volatility Foundation Volatility Framework 2.6 ************************************************** CommandProcess: conhost.exe Pid: 2580 CommandHistory: 0x63bf0 Application: cmd.exe Flags: Allocated CommandCount

我试图分析Windows7内存转储的波动性。目标是查看转储之前运行的CMD命令

Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 2580
CommandHistory: 0x63bf0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #15 @ 0x30158: 
Cmd #16 @ 0x4ed50: 
**************************************************
CommandProcess: conhost.exe Pid: 2580
CommandHistory: 0x63e40 Application: ncat.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #41 @ 0x300f8: 
Cmd #42 @ 0x300f8: 
Cmd #43 @ 0x30060: 
Cmd #44 @ 0x30060: 
**************************************************
CommandProcess: conhost.exe Pid: 3136
CommandHistory: 0x24ec00 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #15 @ 0x210158: $
Cmd #16 @ 0x24d570: $

我运行了以下命令（下面的输出）：

volatility.exe--profile=Win7SP1x64_23418-f WINDOWS7-20200221-214526.raw cmdscan

我需要找出中间块中运行的命令（来自NCAT.exe）。是否有其他将信息输出为文本的波动率参数/命令？有没有更好的方法找到这些信息？我可以通过实时快照访问Win7虚拟机（virtualbox），使我能够在内存转储发生之前立即恢复机器

Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 2580
CommandHistory: 0x63bf0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #15 @ 0x30158: 
Cmd #16 @ 0x4ed50: 
**************************************************
CommandProcess: conhost.exe Pid: 2580
CommandHistory: 0x63e40 Application: ncat.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #41 @ 0x300f8: 
Cmd #42 @ 0x300f8: 
Cmd #43 @ 0x30060: 
Cmd #44 @ 0x30060: 
**************************************************
CommandProcess: conhost.exe Pid: 3136
CommandHistory: 0x24ec00 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #15 @ 0x210158: $
Cmd #16 @ 0x24d570: $

简单的控制台程序，比如cmd.exe和ncat.exe，我想它们不会跟踪自己的输入历史。它由控制台主机进程conhost.exe中的熟读进行管理。我猜您有一个完整的系统转储，其中包含有关conhost.exe实例的信息，但显然找不到任何命令。我从未使用过Volatility，但根据这一点，cmdscan插件会查找MaxHistory landmark，如果它不是假定的默认值，则会有一个

max_history

参数。简单的控制台程序（如cmd.exe和，我假定，ncat.exe）不会跟踪它们自己的输入历史。它由控制台主机进程conhost.exe中的熟读进行管理。我猜您有一个完整的系统转储，其中包含有关conhost.exe实例的信息，但显然找不到任何命令。我从未使用过Volatility，但根据这一点，cmdscan插件会查找MaxHistory地标，如果它不是假定的默认值，则会有一个

max\u history

参数。