iPython Notebook Volatility For Memory Forensics

3/6/13 IPython Notebook

Using iPython Notebook for Live Memory Forensics

In [1]: from IPython.core.display import Image
        from IPython.core.display import HTML
        from IPython.lib.display import YouTubeVideo

iPython Notebook with Volatility 2.3 Alpha

In [8]:
        apihooks        Detect API hooks in process and kernel memory
        atoms           Print session and window station atom tables
        atomscan        Pool scanner for _RTL_ATOM_TABLE
        bioskbd         Reads the keyboard buffer from Real Mode memory
        callbacks       Print system-wide notification routines
        clipboard       Extract the contents of the windows clipboard
        cmdscan         Extract command history by scanning for _COMMAND_HISTORY
        connections     Print list of open connections [Windows XP and 2003 Only]
        connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
        consoles        Extract command history by scanning for _CONSOLE_INFORMATION
        crashinfo       Dump crash-dump information
        deskscan        Pool scanner for tagDESKTOP (desktops)
        devicetree      Show device tree
        dlldump         Dump DLLs from a process address space
        dlllist         Print list of loaded dlls for each process
        driverirp       Driver IRP hook detection
        driverscan      Scan for driver objects _DRIVER_OBJECT
        envars          Display process environment variables
        eventhooks      Print details on windows event hooks
        evtlogs         Extract Windows Event Logs (XP/2003 only)
        filescan        Scan Physical memory for _FILE_OBJECT pool allocations
        gahti           Dump the USER handle type information
        gditimers       Print installed GDI timers and callbacks
        gdt             Display Global Descriptor Table
        getservicesids  Get the names of services in the Registry and return Calculated SID
        getsids         Print the SIDs owning each process
        handles         Print list of open handles for each process
        hashdump        Dumps passwords hashes (LM/NTLM) from memory
        hibinfo         Dump hibernation file information
        hivedump        Prints out a hive
        hivelist        Print list of registry hives.
        hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
        hpakextract     Extract physical memory from an HPAK file
        hpakinfo        Info on an HPAK file
        idt             Display Interrupt Descriptor Table
        iehistory       Reconstruct Internet Explorer cache / history
        imagecopy       Copies a physical address space out as a raw DD image
        imageinfo       Identify information for the image
        impscan         Scan for calls to imported functions
        kdbgscan        Search for and dump potential KDBG values
        kpcrscan        Search for and dump potential KPCR values
        ldrmodules      Detect unlinked DLLs
        lsadump         Dump (decrypted) LSA secrets from the registry
        malfind         Find hidden and injected code
        mbrparser       Scans for and parses potential Master Boot Records (MBRs)
        memdump         Dump the addressable memory for a process
        memmap          Print the memory map
        messagehooks    List desktop and thread window message hooks
        mftparser       Scans for and parses potential MFT entries
        moddump         Dump a kernel driver to an executable file sample
        modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
        modules         Print list of loaded modules
        mutantscan      Scan for mutant objects _KMUTANT
        patcher         Patches memory based on page scans
        printkey        Print a registry key, and its subkeys and values
        privs           Display process privileges
        procexedump     Dump a process to an executable file sample
        procmemdump     Dump a process to an executable memory sample
        pslist          Print all running processes by following the EPROCESS lists
        psscan          Scan Physical memory for _EPROCESS pool allocations
        pstree          Print process list as a tree
        psxview         Find hidden processes with various process listings
        raw2dmp         Converts a physical memory sample to a windbg crash dump
        screenshot      Save a pseudo-screenshot based on GDI windows
        sessions        List details on _MM_SESSION_SPACE (user logon sessions)
        shellbags       Prints ShellBags info
        shimcache       Parses the Application Compatibility Shim Cache registry key
        sockets         Print list of open sockets
        sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
        ssdt            Display SSDT entries
        strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
        svcscan         Scan for Windows services
        symlinkscan     Scan for symbolic link objects
        thrdscan        Scan physical memory for _ETHREAD objects
        threads         Investigate _ETHREAD and _KTHREADs
        timers          Print kernel timers and associated module DPCs
        unloadedmodules Print list of unloaded modules
        userassist      Print userassist registry keys and information
        userhandles     Dump the USER handle tables
        vaddump         Dumps out the vad sections to a file
        vadinfo         Dump the VAD info
        vadtree         Walk the VAD tree and display in tree format
        vadwalk         Walk the VAD tree
        vboxinfo        Dump virtualbox information
        vmwareinfo      Dump VMware VMSS/VMSN information
        volshell        Shell in the memory image
        windows         Print Desktop Windows (verbose details)
        wintree         Print Z-Order Desktop Windows Tree
        wndscan         Pool scanner for tagWINDOWSTATION (window stations)
        yarascan        Scan process or kernel memory with Yara signatures

imageinfo - Identify information for the image

In [2]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem imageinfo

Volatile Systems Volatility Framework 2.3_alpha
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/mem/memdump.mem)
                      PAE type : PAE
                           DTB : 0x334000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2013-02-25 18:16:01 UTC+0000
     Image local date and time : 2013-02-25 13:16:01 -0500

pslist - Print all running processes by following the EPROCESS lists

In [6]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pslist

Volatile Systems Volatility Framework 2.3_alpha
 Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x89c73830 System                    4      0     56      327 ------      0
0x8979b020 smss.exe                384      4      3       21 ------      0 2013-02-20 21:52:20 UTC+0000
0x8978e238 csrss.exe               608    384     12      448      0      0 2013-02-20 21:52:22 UTC+0000
0x8978e660 winlogon.exe            632    384     19      565      0      0 2013-02-20 21:52:22 UTC+0000
0x89635610 services.exe            676    632     16      283      0      0 2013-02-20 21:52:22 UTC+0000
0x89af0880 lsass.exe               688    632     19      341      0      0 2013-02-20 21:52:22 UTC+0000
0x897a06e8 vmacthlp.exe            896    676      1       24      0      0 2013-02-20 21:52:22 UTC+0000
0x89b54388 svchost.exe             908    676     17      197      0      0 2013-02-20 21:52:22 UTC+0000
0x896f4a78 svchost.exe             972    676      9      276      0      0 2013-02-20 21:52:22 UTC+0000
0x89b04da0 svchost.exe            1120    676     61     1583      0      0 2013-02-20 21:52:22 UTC+0000
0x89b02578 svchost.exe            1176    676      5       87      0      0 2013-02-20 21:52:22 UTC+0000
0x89be0460 svchost.exe            1216    676     15      214      0      0 2013-02-20 21:52:23 UTC+0000
0x89bc9618 spoolsv.exe            1548    676     10      127      0      0 2013-02-20 21:52:24 UTC+0000
0x896fc980 svchost.exe            1684    676      6       89      0      0 2013-02-20 21:52:41 UTC+0000
0x8963e980 vmtoolsd.exe           1848    676      7      270      0      0 2013-02-20 21:52:41 UTC+0000
0x89844020 TPAutoConnSvc.          452    676      5      101      0      0 2013-02-20 21:52:49 UTC+0000
0x899fd6e0 alg.exe                 588    676      6      106      0      0 2013-02-20 21:52:50 UTC+0000
0x89653da0 explorer.exe           2012   1860     13      492      0      0 2013-02-20 21:53:00 UTC+0000
0x89b5eda0 rundll32.exe            808   2012      5       75      0      0 2013-02-20 21:53:01 UTC+0000
0x8979ac20 vmtoolsd.exe            692   2012      6      242      0      0 2013-02-20 21:53:01 UTC+0000
0x8979a3c0 TPAutoConnect.         1032    452      1       63      0      0 2013-02-20 21:53:01 UTC+0000
0x8979a7e8 wscntfy.exe            1168   1120      1       27      0      0 2013-02-20 21:53:02 UTC+0000
0x89838600 wuauclt.exe            2524   1120      3      132      0      0 2013-02-20 21:53:49 UTC+0000
0x89b3a328 chrome.exe             1796   2012     27      814      0      0 2013-02-20 22:02:12 UTC+0000
0x89aae9c8 chrome.exe             1704   1796      6       97      0      0 2013-02-20 22:02:13 UTC+0000
0x88e51358 chrome.exe             1480   1796      7       92      0      0 2013-02-20 22:18:49 UTC+0000
0x89442020 chrome.exe             1308   1796      7       94      0      0 2013-02-20 22:35:57 UTC+0000
0x88cfa970 chrome.exe             1788   1796      7       97      0      0 2013-02-20 22:37:38 UTC+0000
0x88970da0 cmd.exe                2384   2012      1       30      0      0 2013-02-25 05:19:24 UTC+0000
0x888f1da0 chrome.exe              856   1796      7       94      0      0 2013-02-25 07:33:05 UTC+0000
0x8853dda0 FTK Imager.exe         3168   2012      8      223      0      0 2013-02-25 18:15:37 UTC+0000

psscan - Scan Physical memory for _EPROCESS pool allocations

Run BASH commands

In [8]: !python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/memdump.mem psscan

Volatile Systems Volatility Framework 2.3_alpha
 Offset(P)  Name                PID   PPID PDB        Time created                 Time exited
---------- ---------------- ------ ------ ---------- ---------------------------- ----------------------------
0x086c19c8 chrome.exe         1704   1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x0873dda0 FTK Imager.exe     3168   2012 0x0ff80340 2013-02-25 18:15:37 UTC+0000
0x08b70da0 cmd.exe            2384   2012 0x0ff80300 2013-02-25 05:19:24 UTC+0000
0x08efa970 chrome.exe         1788   1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x09051358 chrome.exe         1480   1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000
0x09181da0 chrome.exe          856   1796 0x0ff80460 2013-02-25 07:33:05 UTC+0000
0x095a7380 (s@$??:s?     [PID/PPID unreadable] 0x893a73a0
0x09642020 chrome.exe         1308   1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x09787da0 alg.exe            1484    676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x09835610 services.exe        676    632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x0983e980 vmtoolsd.exe       1848    676 0x0ff80200 2013-02-20 21:52:41 UTC+0000
0x09853da0 explorer.exe       2012   1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x098f4a78 svchost.exe         972    676 0x0ff80100 2013-02-20 21:52:22 UTC+0000
0x098fc980 svchost.exe        1684    676 0x0ff801c0 2013-02-20 21:52:41 UTC+0000
0x0998e238 csrss.exe           608    384 0x0ff80040 2013-02-20 21:52:22 UTC+0000
0x0998e660 winlogon.exe        632    384 0x0ff80060 2013-02-20 21:52:22 UTC+0000
0x0999a3c0 TPAutoConnect.     1032    452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000
0x0999a7e8 wscntfy.exe        1168   1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000
0x0999ac20 vmtoolsd.exe        692   2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000
0x0999b020 smss.exe            384      4 0x0ff80020 2013-02-20 21:52:20 UTC+0000
0x099a06e8 vmacthlp.exe        896    676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x09a2f6e8 vmacthlp.exe        896    676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x09a38600 wuauclt.exe        2524   1120 0x0ff80380 2013-02-20 21:53:49 UTC+0000
0x09a44020 TPAutoConnSvc.      452    676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x09bfd6e0 alg.exe             588    676 0x0ff801e0 2013-02-20 21:52:50 UTC+0000
0x09cae9c8 chrome.exe         1704   1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x09cf0880 lsass.exe           688    632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000
0x09d02578 svchost.exe        1176    676 0x0ff80140 2013-02-20 21:52:22 UTC+0000
0x09d04da0 svchost.exe        1120    676 0x0ff80120 2013-02-20 21:52:22 UTC+0000
0x09d3a328 chrome.exe         1796   2012 0x0ff80280 2013-02-20 22:02:12 UTC+0000
0x09d54388 svchost.exe         908    676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000
0x09d5eda0 rundll32.exe        808   2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000
0x09dc9618 spoolsv.exe        1548    676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000
0x09de0460 svchost.exe        1216    676 0x0ff80160 2013-02-20 21:52:23 UTC+0000
0x09e73830 System                4      0 0x00334000
0x130d59c8 chrome.exe         1704   1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x13ac03c0 TPAutoConnect.     1032    452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000
0x13ac07e8 wscntfy.exe        1168   1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000
0x13ac0c20 vmtoolsd.exe        692   2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000
0x1a2f8da0 explorer.exe       2012   1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x1d263980 vmtoolsd.exe       1848    676 0x0ff80200 2013-02-20 21:52:41 UTC+0000
0x2006a020 TPAutoConnSvc.      452    676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x200866e8 vmacthlp.exe        896    676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x23400980 vmtoolsd.exe       1848    676 0x0ff80200 2013-02-20 21:52:41 UTC+0000
0x278f1618 spoolsv.exe        1548    676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000
0x281d8970 chrome.exe         1788   1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x287989c8 chrome.exe         1704   1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x2b16e970 chrome.exe         1788   1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x2be156e8 vmacthlp.exe        896    676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x31bacda0 alg.exe            1484    676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x321e5020 TPAutoConnSvc.      452    676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x35aacda0 svchost.exe        1120    676 0x0ff80120 2013-02-20 21:52:22 UTC+0000
0x3cbea578 svchost.exe        1176    676 0x0ff80140 2013-02-20 21:52:22 UTC+0000
0x43923da0 svchost.exe        1120    676 0x0ff80120 2013-02-20 21:52:22 UTC+0000
0x45fa5020 chrome.exe         1308   1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x47370358 chrome.exe         1480   1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000
0x4a546da0 rundll32.exe        808   2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000
0x4a8da610 services.exe        676    632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x4d51b830 System                4      0 0x00334000
0x4db3c388 svchost.exe         908    676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000
0x4e64a380 (s@$??:s?     [PID/PPID unreadable] 0x893a73a0
0x54457880 lsass.exe           688    632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000
0x57f9f970 chrome.exe         1788   1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x586abda0 alg.exe            1484    676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x5b2dfda0 rundll32.exe        808   2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000
0x5b9e0020 TPAutoConnSvc.      452    676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x5d400618 spoolsv.exe        1548    676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000
0x65a816e8 vmacthlp.exe        896    676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x6db39da0 explorer.exe       2012   1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x6df34610 services.exe        676    632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x7494d020 chrome.exe         1308   1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x77b5d020 TPAutoConnSvc.      452    676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x7c64c6e8 vmacthlp.exe        896    676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
pstree - Print process list as a tree

In [9]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pstree

Volatile Systems Volatility Framework 2.3_alpha
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
 0x89c73830:System                                      4      0     56    327 1970-01-0...UTC+0000
. 0x8979b020:smss.exe                                 384      4      3     21 2013-02-2...UTC+0000
.. 0x8978e238:csrss.exe                               608    384     12    448 2013-02-2...UTC+0000
.. 0x8978e660:winlogon.exe                            632    384     19    565 2013-02-2...UTC+0000
... 0x89635610:services.exe                           676    632     16    283 2013-02-2...UTC+0000
.... 0x897a06e8:vmacthlp.exe                          896    676      1     24 2013-02-2...UTC+0000
.... 0x89b54388:svchost.exe                           908    676     17    197 2013-02-2...UTC+0000
.... 0x896fc980:svchost.exe                          1684    676      6     89 2013-02-2...UTC+0000
.... 0x89b02578:svchost.exe                          1176    676      5     87 2013-02-2...UTC+0000
.... 0x89bc9618:spoolsv.exe                          1548    676     10    127 2013-02-2...UTC+0000
.... 0x8963e980:vmtoolsd.exe                         1848    676      7    270 2013-02-2...UTC+0000
.... 0x89be0460:svchost.exe                          1216    676     15    214 2013-02-2...UTC+0000
.... 0x89b04da0:svchost.exe                          1120    676     61   1583 2013-02-2...UTC+0000
..... 0x8979a7e8:wscntfy.exe                         1168   1120      1     27 2013-02-2...UTC+0000
..... 0x89838600:wuauclt.exe                         2524   1120      3    132 2013-02-2...UTC+0000
.... 0x89844020:TPAutoConnSvc.                        452    676      5    101 2013-02-2...UTC+0000
..... 0x8979a3c0:TPAutoConnect.                      1032    452      1     63 2013-02-2...UTC+0000
.... 0x896f4a78:svchost.exe                           972    676      9    276 2013-02-2...UTC+0000
.... 0x899fd6e0:alg.exe                               588    676      6    106 2013-02-2...UTC+0000
... 0x89af0880:lsass.exe                              688    632     19    341 2013-02-2...UTC+0000
 0x89653da0:explorer.exe                             2012   1860     13    492 2013-02-2...UTC+0000
. 0x89b3a328:chrome.exe                              1796   2012     27    814 2013-02-2...UTC+0000
.. 0x89442020:chrome.exe                             1308   1796      7     94 2013-02-2...UTC+0000
.. 0x88e51358:chrome.exe                             1480   1796      7     92 2013-02-2...UTC+0000
.. 0x888f1da0:chrome.exe                              856   1796      7     94 2013-02-2...UTC+0000
.. 0x89aae9c8:chrome.exe                             1704   1796      6     97 2013-02-2...UTC+0000
.. 0x88cfa970:chrome.exe                             1788   1796      7     97 2013-02-2...UTC+0000
. 0x89b5eda0:rundll32.exe                             808   2012      5     75 2013-02-2...UTC+0000
. 0x8979ac20:vmtoolsd.exe                             692   2012      6    242 2013-02-2...UTC+0000
. 0x88970da0:cmd.exe                                 2384   2012      1     30 2013-02-2...UTC+0000
. 0x8853dda0:FTK Imager.exe                          3168   2012      8    223 2013-02-2...UTC+0000

clipboard - Extract the contents of the windows clipboard

In [10]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem clipboard

Volatile Systems Volatility Framework 2.3_alpha
Session  WindowStation Format            Handle     Object     Data
-------- ------------- ----------------- ---------- ---------- --------------------------------------------------
       0 WinSta0       0xc009L           0x25e1013f 0xe182d1b8
       0 WinSta0       CF_UNICODETEXT    0x0        ----------
       0 WinSta0       0xc013L           0xed00b3   0xe1ebf220
       0 WinSta0       CF_LOCALE         0xbae014b  0xe2498d00
       0 WinSta0       CF_TEXT           0x1        ----------
       0 WinSta0       CF_OEMTEXT        0x1        ----------

connections - Print list of open connections [Windows XP and 2003 Only]

In [12]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem connections

Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x888e3e70 172.16.158.137:1853       172.16.158.144:4444       1120
0x88559e70 172.16.158.137:1854       172.16.158.144:4444       1120
0x88570e70 172.16.158.137:2130       172.16.158.144:4444       1120
0x88f3c008 172.16.158.137:1855       172.16.158.144:4444       1120
0x89681dd8 172.16.158.137:1852       172.16.158.144:4444       1120
0x89afea68 172.16.158.137:1856       172.16.158.144:4444       1120

sockets - Print list of open sockets

In [11]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets

Volatile Systems Volatility Framework 2.3_alpha
Offset(V)     PID   Port  Proto Protocol        Address         Create Time
---------- ------ ------ ------ --------------- --------------- -----------
0x8963a008   1176   1031     17 UDP             0.0.0.0         2013-02-20 21:53:01 UTC+0000
0x89ba36c8      4    137     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x89a98008    688    500     17 UDP             0.0.0.0         2013-02-20 21:52:42 UTC+0000
0x89b963c8   1120   1852      6 TCP             0.0.0.0         2013-02-25 05:06:47 UTC+0000
0x889fe008   1120   1856      6 TCP             0.0.0.0         2013-02-25 05:17:07 UTC+0000
0x89b027e0      4    445      6 TCP             0.0.0.0         2013-02-20 21:52:20 UTC+0000
0x896f2e98    972    135      6 TCP             0.0.0.0         2013-02-20 21:52:22 UTC+0000
0x893ec880   1176   1121     17 UDP             0.0.0.0         2013-02-20 21:57:42 UTC+0000
0x8921be98      4    138     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x89b047e8   1120   1853      6 TCP             0.0.0.0         2013-02-25 05:14:29 UTC+0000
0x890eee98   1120    123     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x88c8c008   1120    123     17 UDP             127.0.0.1       2013-02-25 01:32:26 UTC+0000
0x89569820    688      0    255 Reserved        0.0.0.0         2013-02-20 21:52:42 UTC+0000
0x88930608   1176   1405     17 UDP             0.0.0.0         2013-02-20 22:40:27 UTC+0000
0x89aaad08   1176   1122     17 UDP             0.0.0.0         2013-02-20 21:57:42 UTC+0000
0x89718650   1176   1037     17 UDP             0.0.0.0         2013-02-20 21:53:27 UTC+0000
0x88667008   1120   1854      6 TCP             0.0.0.0         2013-02-25 05:15:35 UTC+0000
0x89551420    588   1026      6 TCP             127.0.0.1       2013-02-20 21:52:50 UTC+0000
0x88df7dc0   1216   1900     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x88bdbab0   1216   1900     17 UDP             127.0.0.1       2013-02-25 01:32:26 UTC+0000
0x89aa8530   1120   2130      6 TCP             0.0.0.0         2013-02-25 18:12:13 UTC+0000
0x89644e98   1176   1038     17 UDP             0.0.0.0         2013-02-20 21:53:27 UTC+0000
0x897a4200      4    139      6 TCP             172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x897afe98    688   4500     17 UDP             0.0.0.0         2013-02-20 21:52:42 UTC+0000
0x89bcc548   1120   1855      6 TCP             0.0.0.0         2013-02-25 05:16:28 UTC+0000
0x89b02c08      4    445     17 UDP             0.0.0.0         2013-02-20 21:52:20 UTC+0000

hivelist - Print list of registry hives.

In [13]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem hivelist

Volatile Systems Volatility Framework 2.3_alpha
Virtual    Physical   Name
---------- ---------- ----
0xe1eeeb60 0x14902b60 \Device\HarddiskVolume1\Documents and Settings\test\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1f1d008 0x16215008 \Device\HarddiskVolume1\Documents and Settings\test\NTUSER.DAT
0xe19a57c8 0x121777c8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe199c008 0x121eb008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1980008 0x11d68008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1974b60 0x11cd8b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1635b60 0x0fde0b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1603758 0x0f8d9758 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe162ab60 0x0fe1bb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe16176c8 0x0f8e46c8 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13e2b60 0x0a720b60 [no name]
0xe1035b60 0x0a370b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x0a36a008 [no name]
hashdump - Dumps passwords hashes (LM/NTLM) from memory

In [14]: # -y = virtual offset of the SYSTEM hive (WINDOWS\system32\config\system), taken from hivelist above
         # -s = virtual offset of the SAM hive (WINDOWS\system32\config\SAM), taken from hivelist above
         !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem --profile WinXPSP2x86 hashdump -s 0xe162ab60 -y

Volatile Systems Volatility Framework 2.3_alpha
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2861fa8b2aae32c8814e5cdb5931e373:e85590fb00de5f6acb4bf7594cebd405:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:03755d08479681fbedac369863d0d87b:::
test:1004:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Getting help

In [15]: !python /pentest/forensics/volatility/vol.py -h

Volatile Systems Volatility Framework 2.3_alpha
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the timezone for displaying timestamps
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load
  -l LOCATION, --location=LOCATION

sessions - List details on _MM_SESSION_SPACE (user logon sessions)

In [17]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sessions

Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Session(V): bdcac000 ID: 0 Processes: 29
PagedPoolStart: bc000000 PagedPoolEnd bc3fffff
 Process: 608 csrss.exe 2013-02-20 21:52:22 UTC+0000
 Process: 632 winlogon.exe 2013-02-20 21:52:22 UTC+0000
 Process: 676 services.exe 2013-02-20 21:52:22 UTC+0000
 Process: 688 lsass.exe 2013-02-20 21:52:22 UTC+0000
 Process: 896 vmacthlp.exe 2013-02-20 21:52:22 UTC+0000
 Process: 908 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 972 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 1120 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 1176 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 1216 svchost.exe 2013-02-20 21:52:23 UTC+0000
 Process: 1548 spoolsv.exe 2013-02-20 21:52:24 UTC+0000
 Process: 1684 svchost.exe 2013-02-20 21:52:41 UTC+0000
 Process: 1848 vmtoolsd.exe 2013-02-20 21:52:41 UTC+0000
 Process: 452 TPAutoConnSvc. 2013-02-20 21:52:49 UTC+0000
 Process: 588 alg.exe 2013-02-20 21:52:50 UTC+0000
 Process: 2012 explorer.exe 2013-02-20 21:53:00 UTC+0000
 Process: 808 rundll32.exe 2013-02-20 21:53:01 UTC+0000
 Process: 692 vmtoolsd.exe 2013-02-20 21:53:01 UTC+0000
 Process: 1032 TPAutoConnect. 2013-02-20 21:53:01 UTC+0000
 Process: 1168 wscntfy.exe 2013-02-20 21:53:02 UTC+0000
 Process: 2524 wuauclt.exe 2013-02-20 21:53:49 UTC+0000
 Process: 1796 chrome.exe 2013-02-20 22:02:12 UTC+0000
 Process: 1704 chrome.exe 2013-02-20 22:02:13 UTC+0000
 Process: 1480 chrome.exe 2013-02-20 22:18:49 UTC+0000
 Process: 1308 chrome.exe 2013-02-20 22:35:57 UTC+0000
 Process: 1788 chrome.exe 2013-02-20 22:37:38 UTC+0000
 Process: 2384 cmd.exe 2013-02-25 05:19:24 UTC+0000
 Process: 856 chrome.exe 2013-02-25 07:33:05 UTC+0000
 Process: 3168 FTK Imager.exe 2013-02-25 18:15:37 UTC+0000
 Image: 0x898e17b8, Address bf800000, Name: win32k.sys
 Image: 0x89923590, Address bf9c1000, Name: dxg.sys
 Image: 0x89abb3b8, Address bf9d3000, Name: vmx_fb.dll
 Image: 0x89534a58, Address bffa0000, Name: ATMFD.DLL
 Image: 0xbff7009c, Address c05d6e60, Name:

Manipulating data into python data structures

In [19]: data = !python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/memdump.mem pslist
         data

Out[19]: ['Volatile Systems Volatility Framework 2.3_alpha',
 ' Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit',
 '---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------',
 '0x89c73830 System                    4      0     56      327 ------      0',
 '0x8979b020 smss.exe                384      4      3       21 ------      0 2013-02-20 21:52:20 UTC+0000',
 '0x8978e238 csrss.exe               608    384     12      448      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x8978e660 winlogon.exe            632    384     19      565      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x89635610 services.exe            676    632     16      283      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x89af0880 lsass.exe               688    632     19      341      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x897a06e8 vmacthlp.exe            896    676      1       24      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x89b54388 svchost.exe             908    676     17      197      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x896f4a78 svchost.exe             972    676      9      276      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x89b04da0 svchost.exe            1120    676     61     1583      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x89b02578 svchost.exe            1176    676      5       87      0      0 2013-02-20 21:52:22 UTC+0000',
 '0x89be0460 svchost.exe            1216    676     15      214      0      0 2013-02-20 21:52:23 UTC+0000',
 '0x89bc9618 spoolsv.exe            1548    676     10      127      0      0 2013-02-20 21:52:24 UTC+0000',
 '0x896fc980 svchost.exe            1684    676      6       89      0      0 2013-02-20 21:52:41 UTC+0000',
 '0x8963e980 vmtoolsd.exe           1848    676      7      270      0      0 2013-02-20 21:52:41 UTC+0000',
 '0x89844020 TPAutoConnSvc.          452    676      5      101      0      0 2013-02-20 21:52:49 UTC+0000',
 '0x899fd6e0 alg.exe                 588    676      6      106      0      0 2013-02-20 21:52:50 UTC+0000',
 '0x89653da0 explorer.exe           2012   1860     13      492      0      0 2013-02-20 21:53:00 UTC+0000',
 '0x89b5eda0 rundll32.exe            808   2012      5       75      0      0 2013-02-20 21:53:01 UTC+0000',
 '0x8979ac20 vmtoolsd.exe            692   2012      6      242      0      0 2013-02-20 21:53:01 UTC+0000',
 '0x8979a3c0 TPAutoConnect.         1032    452      1       63      0      0 2013-02-20 21:53:01 UTC+0000',
 '0x8979a7e8 wscntfy.exe            1168   1120      1       27      0      0 2013-02-20 21:53:02 UTC+0000',
 '0x89838600 wuauclt.exe            2524   1120      3      132      0      0 2013-02-20 21:53:49 UTC+0000',
 '0x89b3a328 chrome.exe             1796   2012     27      814      0      0 2013-02-20 22:02:12 UTC+0000',
 '0x89aae9c8 chrome.exe             1704   1796      6       97      0      0 2013-02-20 22:02:13 UTC+0000',
 '0x88e51358 chrome.exe             1480   1796      7       92      0      0 2013-02-20 22:18:49 UTC+0000',
 '0x89442020 chrome.exe             1308   1796      7       94      0      0 2013-02-20 22:35:57 UTC+0000',
 '0x88cfa970 chrome.exe             1788   1796      7       97      0      0 2013-02-20 22:37:38 UTC+0000',
 '0x88970da0 cmd.exe                2384   2012      1       30      0      0 2013-02-25 05:19:24 UTC+0000',
 '0x888f1da0 chrome.exe              856   1796      7       94      0      0 2013-02-25 07:33:05 UTC+0000',
 '0x8853dda0 FTK Imager.exe         3168   2012      8      223      0      0 2013-02-25 18:15:37 UTC+0000']

Looking at all the strings in the memory dump

In [21]: text_strings = !strings /root/Desktop/mem/memdump.mem

In [22]: text_strings[0:10]

Out[22]: ['msvcrt.dll',
 'GDI32.dll',
 'KERNEL32.dll',
 'USER32.dll',
 'ADVAPI32.dll',
 'ole32.dll',
 'SHLWAPI.dll',
 'SHDOCVW.dll',
 'msls31.dll',
 '__dllonexit']

Created a small grep function to look for "Visited:"

In [26]: def grep(search_term, text_strings):
             temp_list = []
11.
                for item in text_strings:
                    if search_term in item:
                        temp_list.append(item)
                return temp_list

            grepy("Visited: test@", text_strings)

   Out[26]: [wVisited: test@hcp://system/compatctr/compatmode.htm,
             Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches,
             Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite,
             Visited: test@http://www.accessdata.com/downloads.html,
             Visited: test@http://www.forensicswiki.org/wiki/FTK_Imager,
             Visited: test@http://www.securitynewsportal.com/itsecurity/index.html?title=FTK_Imager_Lite_2.6.1,
             Visited: test@about:blank,
             Visited: test@https://www.google.com/intl/en/chrome/browser/thankyou.html,
             Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=chrome,
             Visited: test@http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346,
             Visited: test@https://www.google.com/intl/en/chrome,
             Visited: test@file:///C:/Documents%20and%20Settings/test/Desktop/winpmem-1.3.1.zip,
             Visited: test@about:Home,
             Visited: test@res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm,
             Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=mozilla,
             Visited: test@https://code.google.com/p/volatility/downloads/detail?name=winpmem-1.3.1.zip,
             Visited: test@http://docs.python.org/faq/windows,
             Visited: test@https://volatility.googlecode.com/files/winpmem-1.3.1.zip,
             Visited: test@http://autosearch.msn.com/response.asp?MT=python+window+xp&srch=3&prov=&utf8,
             Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=python+window+xp,
             Visited: test@http://docs.python.org/2/faq/windows,
             Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=volatility+3+tech+preview+windows,
             Visited: test@http://www.securitynewsportal.com/securityblogs/article.php?title=FTK_Imager_Lite_2.6.1,
             Visited: test@http://code.google.com/p/volatility/wiki/VolatilityRoadmap,
             Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages,
             Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B...%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/Chr...,
             Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches,
             Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite,
             Visited: test@http://www.accessdata.com/downloads.html,
             Visited: test@http://www.forensicswiki.org/wiki/FTK_Imager,
             Visited: test@http://www.securitynewsportal.com/itsecurity/index.html?title=FTK_Imager_Lite_2.6.1,
             Visited: test@about:blank,
             Visited: test@https://www.google.com/intl/en/chrome/browser/thankyou.html,
             Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=chrome,
             Visited: test@http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346,
             Visited: test@https://www.google.com/intl/en/chrome,
             Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages,
             Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B...%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/Chr...,
             wVisited: test@about:blank,
             wVisited: test@about:blank,
             Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages,
             Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B...%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/Chr...
   . . .
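The grepy cell above only returns the raw hits. The example below is added here and is not part of the original notebook: it parses the `Visited: user@url` records (the index.dat history format Internet Explorer leaves in memory), counts how many copies of each URL were in RAM, groups hits by host, and recovers the search terms from the query strings. It is Python 3 rather than the notebook's Python 2, and the input list is constructed from a few of the strings shown above plus two non-matching lines; it is not the full `text_strings` list.

```python
import re
from collections import Counter, OrderedDict
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: a few lines of the kind `strings memdump.mem`
# returns, modelled on the "Visited:" hits above plus two lines that must
# not match. Not the notebook's full text_strings list.
STRINGS_SAMPLE = [
    "msvcrt.dll",
    "Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite",
    "Visited: test@http://www.accessdata.com/downloads.html",
    "Visited: test@about:blank",
    "Visited: test@file:///C:/Documents%20and%20Settings/test/Desktop/winpmem-1.3.1.zip",
    "Visited: test@http://www.accessdata.com/downloads.html",
    "wVisited: test@about:blank",  # leftover byte before the record, as strings often shows
    "Visited: test@https://volatility.googlecode.com/files/winpmem-1.3.1.zip",
    "__dllonexit",
]

# An index.dat history record: "Visited: <user>@<url>". The user name never
# contains '@' or whitespace; the URL runs to the end of the string.
VISITED_RE = re.compile(r"Visited: (?P<user>[^@\s]+)@(?P<url>\S+)")


def visited_entries(strings):
    """Return (user, url) for every history record in a strings listing."""
    entries = []
    for s in strings:
        # search(), not match(): the record may be preceded by leftover bytes
        m = VISITED_RE.search(s)
        if m:
            entries.append((m["user"], m["url"]))
    return entries


def url_counts(strings):
    """Distinct URLs in first-seen order, with how many copies were found.

    strings prints every copy in RAM, so a URL that shows up several times
    usually means several copies of the record (cache, history, process
    heap), not several visits."""
    counts = OrderedDict()
    for _, url in visited_entries(strings):
        counts[url] = counts.get(url, 0) + 1
    return counts


def hits_per_host(strings):
    """Group records by host (or by scheme for about:, file: and res: URLs)."""
    hosts = Counter()
    for _, url in visited_entries(strings):
        parts = urlsplit(url)
        hosts[parts.netloc or parts.scheme] += 1
    return hosts


def search_terms(strings, keys=("q", "MT")):
    """Recover what the user typed into search engines from the query string.

    `q` is used by Bing and Google, `MT` by the autosearch.msn.com URLs above.
    parse_qs turns '+' back into spaces."""
    terms = []
    for _, url in visited_entries(strings):
        query = parse_qs(urlsplit(url).query)
        for key in keys:
            terms.extend(query.get(key, []))
    return terms


if __name__ == "__main__":
    for url, n in url_counts(STRINGS_SAMPLE).items():
        print(n, url)
    print(hits_per_host(STRINGS_SAMPLE).most_common())
    print(search_terms(STRINGS_SAMPLE))
```

Run it against the real list with `url_counts(text_strings)` in place of the sample; the about:blank and file:/// entries fall into the `about` and `file` buckets because they have no host part.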
Searching for data in sockets

   In [23]: sockets_list = !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets

   In [25]: for item in sockets_list[3:]:
12.
                item = item.split()
                if "172.16.158.137" in item:
                    print item[5], item[6], item[7]
            172.16.158.137 2013-02-25 01:32:26
            172.16.158.137 2013-02-25 01:32:26
            172.16.158.137 2013-02-25 01:32:26
            172.16.158.137 2013-02-25 01:32:26
            172.16.158.137 2013-02-25 01:32:26

   In [26]: sockets_list

   Out[26]: [Volatile Systems Volatility Framework 2.3_alpha,
             Offset(V)     PID   Port  Proto Protocol        Address         Create Time,
             ---------- ------ ------ ------ --------------- --------------- -----------,
             0x89360a80   1176   1031     17 UDP             0.0.0.0         2013-02-20 21:53:01 UTC+0000,
             0x89ba36c8      4    137     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000,
             0x89a98008    688    500     17 UDP             0.0.0.0         2013-02-20 21:52:42 UTC+0000,
             0x89b963c8   1120   1852      6 TCP             0.0.0.0         2013-02-25 05:06:47 UTC+0000,
             0x889fe008   1120   1856      6 TCP             0.0.0.0         2013-02-25 05:17:07 UTC+0000,
             0x89b027e0      4    445      6 TCP             0.0.0.0         2013-02-20 21:52:20 UTC+0000,
             0x896f2e98    972    135      6 TCP             0.0.0.0         2013-02-20 21:52:22 UTC+0000,
             0x893ec880   1176   1121     17 UDP             0.0.0.0         2013-02-20 21:57:42 UTC+0000,
             0x8921be98      4    138     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000,
             0x89b047e8   1120   1853      6 TCP             0.0.0.0         2013-02-25 05:14:29 UTC+0000,
             0x890eee98   1120    123     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000,
             0x88c8c008   1120    123     17 UDP             127.0.0.1       2013-02-25 01:32:26 UTC+0000,
             0x89569820    688      0    255 Reserved        0.0.0.0         2013-02-20 21:52:42 UTC+0000,
             0x88930608   1176   1405     17 UDP             0.0.0.0         2013-02-20 22:40:27 UTC+0000,
             0x89aaad08   1176   1122     17 UDP             0.0.0.0         2013-02-20 21:57:42 UTC+0000,
             0x89718650   1176   1037     17 UDP             0.0.0.0         2013-02-20 21:53:27 UTC+0000,
             0x88667008   1120   1854      6 TCP             0.0.0.0         2013-02-25 05:15:35 UTC+0000,
             0x89551420    588   1026      6 TCP             127.0.0.1       2013-02-20 21:52:50 UTC+0000,
             0x88df7dc0   1216   1900     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000,
             0x88bdbab0   1216   1900     17 UDP             127.0.0.1       2013-02-25 01:32:26 UTC+0000,
             0x89aa8530   1120   2130      6 TCP             0.0.0.0         2013-02-25 18:12:13 UTC+0000,
             0x89644e98   1176   1038     17 UDP             0.0.0.0         2013-02-20 21:53:27 UTC+0000,
             0x897a4200      4    139      6 TCP             172.16.158.137  2013-02-25 01:32:26 UTC+0000,
             0x897afe98    688   4500     17 UDP             0.0.0.0         2013-02-20 21:52:42 UTC+0000,
             0x89bcc548   1120   1855      6 TCP             0.0.0.0         2013-02-25 05:16:28 UTC+0000,
             0x89b02c08      4    445     17 UDP             0.0.0.0         2013-02-20 21:52:20 UTC+0000]

   The five hits from In [25] are the sockets bound to the host's own interface address, 172.16.158.137 (NetBIOS 137/138/139, NTP 123 and SSDP 1900, all created at 01:32:26 when the interface came up); everything else is bound to 0.0.0.0 or to loopback.
   . . .

   Malfind plugin

   In [27]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem malfind
            Volatile Systems Volatility Framework 2.3_alpha
            Process: csrss.exe Pid: 608 Address: 0x7f6f0000
            Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
            Flags: Protection: 6

            0x7f6f0000  c8 00 00 00 9c 01 00 00 ff ee ff ee 08 70 00 00   ........ .....p..
            0x7f6f0010  08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00   ........ ........
            0x7f6f0020  00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f   ........ ........
            0x7f6f0030  03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........

            0x7f6f0000 c8000000   ENTER 0x0, 0x0
            0x7f6f0004 9c         PUSHF
            0x7f6f0005 0100       ADD [EAX], EAX
            0x7f6f0007 00ff       ADD BH, BH
            0x7f6f0009 ee         OUT DX, AL
            0x7f6f000a ff         DB 0xff
            0x7f6f000b ee         OUT DX, AL
            0x7f6f000c 087000     OR [EAX+0x0], DH
            0x7f6f000f 0008       ADD [EAX], CL
            0x7f6f0011 0000       ADD [EAX], AL

   This hit is the usual csrss.exe false positive, not an injection. The region is a shared section csrss maps at 0x7f6f0000 on XP (the VAD tag is Vad, not the VadS tag private allocations get), and the bytes are heap-like data that disassemble to nonsense (ENTER, PUSHF, OUT DX, AL) rather than an MZ header or a function prologue. A malfind hit only says "executable, writable, not backed by a file on disk"; confirm it with ldrmodules, dlllist and vadinfo, and dump the region with the -D option when it does look like code.
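The cells above split each pslist and sockets line on whitespace and index into the fields by position, which breaks on names containing spaces (FTK Imager.exe on slide 10) and on rows with missing columns. The example below is added here and is not part of the original notebook: it parses both tables with anchored regular expressions, joins each socket to its owning process, lists what a remote host could reach, and reports PIDs that own a socket but have no pslist entry (a process that exited before its socket was freed, or one hidden from the list). It is Python 3, and the two sample tables are constructed to look like the output above; the pslist rows for System (PID 4) and svchost.exe (PID 1120) are illustrative, not rows from the notebook.

```python
import re

# Constructed sample input, laid out like the Volatility 2.3 pslist and
# sockets output above. Only a few rows are included; the pslist rows for
# System (4) and svchost.exe (1120) are illustrative and not from the notebook.
PSLIST_TEXT = """Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x89c0f830 System                    4      0     55      247 ------      0
0x89b4e020 svchost.exe            1120    688     63     1210      0      0 2013-02-20 21:52:20 UTC+0000
0x8979a3c0 TPAutoConnect.exe      1032    452      1       63      0      0 2013-02-20 21:53:01 UTC+0000
0x88970da0 cmd.exe                2384   2012      1       30      0      0 2013-02-25 05:19:24 UTC+0000
0x8853dda0 FTK Imager.exe         3168   2012      8      223      0      0 2013-02-25 18:15:37 UTC+0000
"""

SOCKETS_TEXT = """Volatile Systems Volatility Framework 2.3_alpha
Offset(V)     PID   Port  Proto Protocol        Address         Create Time
---------- ------ ------ ------ --------------- --------------- -----------
0x89ba36c8      4    137     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x89b027e0      4    445      6 TCP             0.0.0.0         2013-02-20 21:52:20 UTC+0000
0x896f2e98    972    135      6 TCP             0.0.0.0         2013-02-20 21:52:22 UTC+0000
0x890eee98   1120    123     17 UDP             172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x89551420    588   1026      6 TCP             127.0.0.1       2013-02-20 21:52:50 UTC+0000
0x89569820    688      0    255 Reserved        0.0.0.0         2013-02-20 21:52:42 UTC+0000
0x89aa8530   1120   2130      6 TCP             0.0.0.0         2013-02-25 18:12:13 UTC+0000
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+\d{4}"

# The name is matched non-greedily and anchored by the six numeric columns
# that follow it, so "FTK Imager.exe" survives. Sess is "------" for System
# and Start is absent there, hence the alternation and the optional group.
PSLIST_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>" + TIMESTAMP + r"))?"
)

SOCKETS_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<pid>\d+)\s+(?P<port>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<protocol>\S+)\s+(?P<address>\S+)\s+(?P<created>" + TIMESTAMP + r")"
)


def parse_pslist(text):
    """Map PID -> {name, ppid, start}; banner, header and dash lines do not match."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"]), "start": m["start"]}
    return procs


def parse_sockets(text):
    """List of socket dicts from sockets output."""
    socks = []
    for line in text.splitlines():
        m = SOCKETS_RE.match(line)
        if m:
            socks.append({"pid": int(m["pid"]), "port": int(m["port"]),
                          "protocol": m["protocol"], "address": m["address"],
                          "created": m["created"]})
    return socks


def reachable_sockets(socks, procs):
    """Sockets a remote host could reach: bound to 0.0.0.0 or to an interface
    address, i.e. anything that is not loopback. Each is tagged with the owning
    process name, or a marker when pslist has no entry for that PID."""
    rows = []
    for s in socks:
        if s["address"].startswith("127."):
            continue
        name = procs[s["pid"]]["name"] if s["pid"] in procs else "<no pslist entry>"
        rows.append((s["pid"], name, s["protocol"], s["port"], s["address"]))
    return sorted(rows)


def sockets_without_process(socks, procs):
    """PIDs that own a socket but have no pslist entry. Often the process just
    exited before its socket object was freed, but an unlinked (hidden) process
    looks exactly the same, so check each PID against psscan."""
    return sorted({s["pid"] for s in socks if s["pid"] not in procs})


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_TEXT)
    socks = parse_sockets(SOCKETS_TEXT)
    for row in reachable_sockets(socks, procs):
        print("%5d %-20s %-8s %5d %s" % row)
    print("sockets with no process:", sockets_without_process(socks, procs))
```

In the notebook the two tables would come from `"\n".join(pslist_output)` and `"\n".join(sockets_list)`; with the sample above, PIDs 588, 688 and 972 are reported as having no process only because the constructed pslist holds five rows, which is exactly the situation to recognise before treating such a PID as hidden.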