DDDDigtal 4ensics


[Uolatility 3] Running Volatility 3 from Java

Dx4 2023. 7. 7. 17:37

As for running Volatility from Java... the easiest way I can think of is to use Process.

Here is an example:

package Uol_Process;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class test {

	public static void main(String[] args)  {
		
		try {
			// Run vol.py through cmd and read its stdout line by line
			Process pro = Runtime.getRuntime().exec("cmd /c py C:\\Users\\KJK\\Desktop\\Uol_process\\Uol_Process\\volatility3\\vol.py -c \"C:\\Users\\KJK\\Desktop\\asdf\\extracted\\config.json\" -f \"C:\\Users\\KJK\\Desktop\\volatility3-develop\\Adam Ferrante - Triage-Memory.mem\" windows.envars");
			BufferedReader br = new BufferedReader(new InputStreamReader(pro.getInputStream()));
			String str;
			while((str = br.readLine()) != null) {
				// Only rows emitted by the modified plugin contain the //// delimiter
				if(str.split("////").length > 1) {
					String strs = str.replaceAll("\\s+", " ");
					String[] result = strs.split("<Uol.splitString>////");
					// The third column is printed in decimal; show it as hex, but only when it really is a number
					if(result.length > 2) {
						String tstr = result[2].trim();
						try {
							long decimal = Long.parseLong(tstr);
							result[2] = "0x" + Long.toHexString(decimal);
						} catch (NumberFormatException e) {
							// not numeric: leave the column as it was printed
						}
					}
					
					for(int i = 0; i < result.length; i++) {
						// Volatility prints an unusable cell as "<...renderers.XxxValue object at 0x...>"; replace it with "-"
						if(result[i].contains("volatility3.framework.renderers.UnreadableValue") || result[i].contains("volatility3.framework.renderers.UnparsableValue") || result[i].contains("volatility3.framework.renderers.NotApplicableValue")) {
							System.out.print("- ");
						} else if(result[i].contains("<Uol.noData>")) {
							System.out.print("nodata ");
						} else if(result[i].length() < 1) {
							System.out.print("  ");
						} else {
							System.out.print(result[i].trim() + " ");
						}
					}
					System.out.print(System.getProperty("line.separator"));
				}
			}
		} catch (IOException e) {
			e.printStackTrace();
		}
		
	}
	
}

You can use it like this. Of course, it's not as if I reworked the Python source heavily, but this only works because I tweaked the output values very slightly to my own taste...

Honestly, this blog is written more like a diary, so I'm not sure where to start explaining; for today I'll simply print pslist once.

                        # every column is converted to str and "////" appended so the Java side can split on it
                        str(proc.UniqueProcessId) + "////",
                        str(proc.InheritedFromUniqueProcessId) + "////",
                        proc.ImageFileName.cast(
                            "string",
                            max_length=proc.ImageFileName.vol.count,
                            errors="replace",
                        ) + "////",
                        # str() of a format_hints.Hex gives the plain decimal value, which is why the offset column prints as a decimal below
                        str(format_hints.Hex(offset)) + "////",
                        str(proc.ActiveThreads) + "////",
                        str(proc.get_handle_count()) + "////",
                        str(proc.get_session_id()) + "////",
                        str(proc.get_is_wow64()) + "////",
                        str(proc.get_create_time()) + "////",
                        str(proc.get_exit_time()) + "////",
                        file_output,

That source is a portion of my modified pslist. I turned every output into a string and appended //// so that I could cut the string by splitting on ////. Someone fluent in Python could put those values straight into a DB or do it more efficiently some other way, but at the time this was the most "me" way of doing it, so this is the code I ended up with.

4////   0////   System////      275427726142256////     87////  547//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFE9BBAA70>////   False////       2019-03-22 05:31:55//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFE9D54160>////   Disabled
252//// 4////   smss.exe////    275427736248384////     2////   30////  <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEAED2020>////   False////       2019-03-22 05:31:55//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEAD149D0>////   Disabled
332//// 324//// csrss.exe////   275427746989744////     10////  516//// 0////   False////       2019-03-22 05:31:58//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB000D90>////   Disabled
372//// 364//// csrss.exe////   275427749112288////     11////  557//// 1////   False////       2019-03-22 05:31:58//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB019210>////   Disabled
380//// 324//// wininit.exe//// 275427749105760////     3////   78////  0////   False////       2019-03-22 05:31:58//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB018EE0>////   Disabled
416//// 364//// winlogon.exe////        275427749169968////     3////   110//// 1////   False////       2019-03-22 05:31:58//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB01AAD0>////   Disabled
476//// 380//// services.exe////        275427753462032////     12////  224//// 0////   False////       2019-03-22 05:31:59//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0300A0>////   Disabled
484//// 380//// lsass.exe////   275427753493984////     7////   650//// 0////   False////       2019-03-22 05:32:00//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB01B6D0>////   Disabled
492//// 380//// lsm.exe////     275427753552688////     10////  155//// 0////   False////       2019-03-22 05:32:00//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB019C00>////   Disabled
592//// 476//// svchost.exe//// 275427753857120////     9////   375//// 0////   False////       2019-03-22 05:32:01//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB031EA0>////   Disabled
672//// 476//// svchost.exe//// 275427754037344////     7////   341//// 0////   False////       2019-03-22 05:32:02//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB033430>////   Disabled
764//// 476//// svchost.exe//// 275427754370480////     20////  447//// 0////   False////       2019-03-22 05:32:02//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0335E0>////   Disabled
796//// 476//// svchost.exe//// 275427754466096////     15////  368//// 0////   False////       2019-03-22 05:32:03//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB033A90>////   Disabled
820//// 476//// svchost.exe//// 275427754498864////     33////  1073////        0////   False////       2019-03-22 05:32:03//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB04D060>////   Disabled
932//// 476//// svchost.exe//// 275427754765104////     10////  568//// 0////   False////       2019-03-22 05:32:03//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB031930>////   Disabled
232//// 476//// svchost.exe//// 275427754919264////     15////  410//// 0////   False////       2019-03-22 05:32:03//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB030BB0>////   Disabled
864//// 476//// spoolsv.exe//// 275427755362864////     12////  279//// 0////   False////       2019-03-22 05:32:04//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB01A950>////   Disabled
1028////        476//// svchost.exe//// 275427755285296////     19////  307//// 0////   False////       2019-03-22 05:32:05//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB030850>////   Disabled
1136////        476//// OfficeClickToR////      275427756004240////     23////  631//// 0////   False////       2019-03-22 05:32:05//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB01A3E0>////   Disabled
1276////        476//// taskhost.exe////        275427756914624////     8////   183//// 1////   False////       2019-03-22 05:32:07//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB04C5E0>////   Disabled
1292////        820//// taskeng.exe//// 275427756918304////     4////   83////  0////   False////       2019-03-22 05:32:07//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB04E8F0>////   Disabled
1344////        796//// dwm.exe////     275427757025424////     3////   88////  1////   False////       2019-03-22 05:32:07//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0325C0>////   Disabled
1432////        1308////        explorer.exe////        275427727653312////     28////  976//// 1////   False////       2019-03-22 05:32:07//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB04EF50>////   Disabled
1476////        476//// FileZilla Serv////      275427757335776////     9////   81////  0////   True////        2019-03-22 05:32:07//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB064520>////   Disabled
1768////        476//// VGAuthService.////      275427758122208////     3////   89////  0////   False////       2019-03-22 05:32:09//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB04ED70>////   Disabled
1828////        1432////        vmtoolsd.exe////        275427758479504////     6////   144//// 1////   False////       2019-03-22 05:32:10//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0318A0>////   Disabled
1852////        476//// vmtoolsd.exe////        275427758500656////     10////  314//// 0////   False////       2019-03-22 05:32:11//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0654E0>////   Disabled
1932////        476//// ManagementAgen////      275427758835232////     10////  102//// 0////   False////       2019-03-22 05:32:11//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0310C0>////   Disabled
1996////        1860////        FileZilla Serv////      275427759100608////     3////   99////  1////   True////        2019-03-22 05:32:12//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB064E20>////   Disabled
2072////        476//// dllhost.exe//// 275427750875232////     13////  194//// 0////   False////       2019-03-22 05:32:14//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0672E0>////   Disabled
2188////        476//// msdtc.exe////   275427751329888////     12////  146//// 0////   False////       2019-03-22 05:32:15//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0808B0>////   Disabled
2196////        592//// WmiPrvSE.exe////        275427751699328////     11////  222//// 0////   False////       2019-03-22 05:32:15//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB065480>////   Disabled
2456////        476//// SearchIndexer.////      275427751921232////     13////  766//// 0////   False////       2019-03-22 05:32:17//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB080F10>////   Disabled
2628////        476//// wmpnetwk.exe////        275427752607840////     9////   210//// 0////   False////       2019-03-22 05:32:18//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0824A0>////   Disabled
2888////        476//// svchost.exe//// 275427759532848////     11////  152//// 0////   False////       2019-03-22 05:32:20//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB064190>////   Disabled
3032////        1432////        notepad.exe//// 275427751858272////     1////   60////  1////   False////       2019-03-22 05:32:22//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB081960>////   Disabled
2436////        592//// WmiPrvSE.exe////        275427759809600////     9////   245//// 0////   False////       2019-03-22 05:32:33//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB083460>////   Disabled
1272////        1432////        EXCEL.EXE////   275427750806496////     21////  789//// 1////   True////        2019-03-22 05:33:49//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB080A60>////   Disabled
1408////        1432////        cmd.exe////     275427732661296////     1////   23////  1////   False////       2019-03-22 05:34:12//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB066D40>////   Disabled
1008////        372//// conhost.exe//// 275427732665888////     2////   55////  1////   False////       2019-03-22 05:34:12//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0992A0>////   Disabled
1156////        820//// taskeng.exe//// 275427733014048////     4////   93////  1////   False////       2019-03-22 05:34:14//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB09A860>////   Disabled
3260////        476//// sppsvc.exe////  275427733211952////     4////   149//// 0////   False////       2019-03-22 05:34:15//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0833D0>////   Disabled
3300////        476//// svchost.exe//// 275427733205088////     13////  346//// 0////   False////       2019-03-22 05:34:15//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB09AEC0>////   Disabled
3688////        1432////        OUTLOOK.EXE//// 275427737518176////     30////  2023////        1////   True////        2019-03-22 05:34:37//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B0490>////   Disabled
3792////        1432////        taskmgr.exe//// 275427737533232////     6////   134//// 1////   False////       2019-03-22 05:34:38//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB099210>////   Disabled
1628////        1432////        StikyNot.exe////        275427760302032////     8////   183//// 1////   False////       2019-03-22 05:34:42//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB082110>////   Disabled
3548////        1432////        calc.exe////    275427737830176////     3////   77////  1////   False////       2019-03-22 05:34:43//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B1330>////   Disabled
3576////        592//// iexplore.exe////        275427738038368////     12////  403//// 1////   True////        2019-03-22 05:34:48//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB082380>////   Disabled
2780////        3576////        iexplore.exe////        275427738162496////     6////   233//// 1////   True////        2019-03-22 05:34:48//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B2110>////   Disabled
3952////        1432////        hfs.exe////     275427739325984////     6////   214//// 1////   True////        2019-03-22 05:34:51//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B2B00>////   Disabled
4048////        1432////        POWERPNT.EXE////        275427750654048////     23////  765//// 1////   True////        2019-03-22 05:35:09//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B3E80>////   Disabled
3192////        1432////        FTK Imager.exe////      275427730405504////     6////   353//// 1////   False////       2019-03-22 05:35:12//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B0070>////   Disabled
3248////        1432////        chrome.exe////  275427732863792////     32////  841//// 1////   False////       2019-03-22 05:35:14//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0C8310>////   Disabled
3244////        3248////        chrome.exe////  275427737987888////     7////   91////  1////   False////       2019-03-22 05:35:15//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0C9690>////   Disabled
2100////        3248////        chrome.exe////  275427749724256////     2////   59////  1////   False////       2019-03-22 05:35:15//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B0550>////   Disabled
1816////        3248////        chrome.exe////  275427749988080////     14////  328//// 1////   False////       2019-03-22 05:35:16//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B2E60>////   Disabled
4156////        3248////        chrome.exe////  275427749792560////     14////  216//// 1////   False////       2019-03-22 05:35:17//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB09B7C0>////   Disabled
4232////        3248////        chrome.exe////  275427751111472////     14////  233//// 1////   False////       2019-03-22 05:35:17//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0999F0>////   Disabled
4240////        3248////        chrome.exe////  275427750943536////     14////  215//// 1////   False////       2019-03-22 05:35:17//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B1B40>////   Disabled
4520////        3248////        chrome.exe////  275427750894384////     10////  234//// 1////   False////       2019-03-22 05:35:18//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB080FA0>////   Disabled
4688////        3248////        chrome.exe////  275427750624048////     13////  168//// 1////   False////       2019-03-22 05:35:19//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB080970>////   Disabled
5116////        3952////        wscript.exe//// 275427757654112////     8////   312//// 1////   True////        2019-03-22 05:35:32//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB083BE0>////   Disabled
3496////        5116////        UWkpjFjDzM.exe////      275427757251040////     5////   109//// 1////   True////        2019-03-22 05:35:33//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB0B3E50>////   Disabled
4660////        3496////        cmd.exe////     275427758899296////     1////   33////  1////   True////        2019-03-22 05:35:36//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB067C40>////   Disabled
Progress:  100.00               PDB scanning finished
4656////        372//// conhost.exe//// 275427759336240////     2////   49////  1////   False////       2019-03-22 05:35:36//// <volatility3.framework.renderers.NotApplicableValue object at 0x000001FFEB04CD00>////   Disabled

Once the modification is done, you get output in this messy state (the Progress line near the end is Volatility's progress counter landing on top of the last record), but to me these are the most ideal output values, so I'm satisfied.

package Uol_Process;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class test {

	public static void main(String[] args)  {
		
		try {
			// Run the modified windows.pslist plugin and read its stdout
			Process pro = Runtime.getRuntime().exec("cmd /c py C:\\Users\\KJK\\Desktop\\Uolatility3.0\\volatility3\\vol.py -c \"C:\\Users\\KJK\\Desktop\\Uolatility3.0\\volatility3\\config.json\" -f \"C:\\Users\\KJK\\Desktop\\Uolatility3.0\\volatility3\\Adam Ferrante - Triage-Memory.mem\" windows.pslist");
			BufferedReader br = new BufferedReader(new InputStreamReader(pro.getInputStream()));
			String str;
			while((str = br.readLine()) != null) {
				// Only the plugin's own rows contain the //// delimiter; headers, blank lines and progress text are skipped
				if(str.split("////").length > 1) {
					String[] strs = str.split("////");
					for(int i = 0; i < strs.length; i++) {
						// Volatility renders an empty cell as "<...NotApplicableValue object at 0x...>"; print "-" instead
						if(strs[i].contains("NotApplicableValue")) {
							System.out.print("- ");
						} else {
							System.out.print(strs[i].trim() + " ");
						}
					}
					// End the row here, inside the if, so skipped lines do not produce empty output lines
					System.out.println();
				}
			}
		} catch (IOException e) {
			e.printStackTrace();
		}
		
	}
	
}

If you trim the values down with that source,

4 0 System 275427726142256 87 547 - False 2019-03-22 05:31:55 - Disabled 
252 4 smss.exe 275427736248384 2 30 - False 2019-03-22 05:31:55 - Disabled 
332 324 csrss.exe 275427746989744 10 516 0 False 2019-03-22 05:31:58 - Disabled 
372 364 csrss.exe 275427749112288 11 557 1 False 2019-03-22 05:31:58 - Disabled 
380 324 wininit.exe 275427749105760 3 78 0 False 2019-03-22 05:31:58 - Disabled 
416 364 winlogon.exe 275427749169968 3 110 1 False 2019-03-22 05:31:58 - Disabled 
476 380 services.exe 275427753462032 12 224 0 False 2019-03-22 05:31:59 - Disabled 
484 380 lsass.exe 275427753493984 7 650 0 False 2019-03-22 05:32:00 - Disabled 
492 380 lsm.exe 275427753552688 10 155 0 False 2019-03-22 05:32:00 - Disabled 
592 476 svchost.exe 275427753857120 9 375 0 False 2019-03-22 05:32:01 - Disabled 
672 476 svchost.exe 275427754037344 7 341 0 False 2019-03-22 05:32:02 - Disabled 
764 476 svchost.exe 275427754370480 20 447 0 False 2019-03-22 05:32:02 - Disabled 
796 476 svchost.exe 275427754466096 15 368 0 False 2019-03-22 05:32:03 - Disabled 
820 476 svchost.exe 275427754498864 33 1073 0 False 2019-03-22 05:32:03 - Disabled 
932 476 svchost.exe 275427754765104 10 568 0 False 2019-03-22 05:32:03 - Disabled 
232 476 svchost.exe 275427754919264 15 410 0 False 2019-03-22 05:32:03 - Disabled 
864 476 spoolsv.exe 275427755362864 12 279 0 False 2019-03-22 05:32:04 - Disabled 
1028 476 svchost.exe 275427755285296 19 307 0 False 2019-03-22 05:32:05 - Disabled 
1136 476 OfficeClickToR 275427756004240 23 631 0 False 2019-03-22 05:32:05 - Disabled 
1276 476 taskhost.exe 275427756914624 8 183 1 False 2019-03-22 05:32:07 - Disabled 
1292 820 taskeng.exe 275427756918304 4 83 0 False 2019-03-22 05:32:07 - Disabled 
1344 796 dwm.exe 275427757025424 3 88 1 False 2019-03-22 05:32:07 - Disabled 
1432 1308 explorer.exe 275427727653312 28 976 1 False 2019-03-22 05:32:07 - Disabled 
1476 476 FileZilla Serv 275427757335776 9 81 0 True 2019-03-22 05:32:07 - Disabled 
1768 476 VGAuthService. 275427758122208 3 89 0 False 2019-03-22 05:32:09 - Disabled 
1828 1432 vmtoolsd.exe 275427758479504 6 144 1 False 2019-03-22 05:32:10 - Disabled 
1852 476 vmtoolsd.exe 275427758500656 10 314 0 False 2019-03-22 05:32:11 - Disabled 
1932 476 ManagementAgen 275427758835232 10 102 0 False 2019-03-22 05:32:11 - Disabled 
1996 1860 FileZilla Serv 275427759100608 3 99 1 True 2019-03-22 05:32:12 - Disabled 
2072 476 dllhost.exe 275427750875232 13 194 0 False 2019-03-22 05:32:14 - Disabled 
2188 476 msdtc.exe 275427751329888 12 146 0 False 2019-03-22 05:32:15 - Disabled 
2196 592 WmiPrvSE.exe 275427751699328 11 222 0 False 2019-03-22 05:32:15 - Disabled 
2456 476 SearchIndexer. 275427751921232 13 766 0 False 2019-03-22 05:32:17 - Disabled 
2628 476 wmpnetwk.exe 275427752607840 9 210 0 False 2019-03-22 05:32:18 - Disabled 
2888 476 svchost.exe 275427759532848 11 152 0 False 2019-03-22 05:32:20 - Disabled 
3032 1432 notepad.exe 275427751858272 1 60 1 False 2019-03-22 05:32:22 - Disabled 
2436 592 WmiPrvSE.exe 275427759809600 9 245 0 False 2019-03-22 05:32:33 - Disabled 
1272 1432 EXCEL.EXE 275427750806496 21 789 1 True 2019-03-22 05:33:49 - Disabled 
1408 1432 cmd.exe 275427732661296 1 23 1 False 2019-03-22 05:34:12 - Disabled 
1008 372 conhost.exe 275427732665888 2 55 1 False 2019-03-22 05:34:12 - Disabled 
1156 820 taskeng.exe 275427733014048 4 93 1 False 2019-03-22 05:34:14 - Disabled 
3260 476 sppsvc.exe 275427733211952 4 149 0 False 2019-03-22 05:34:15 - Disabled 
3300 476 svchost.exe 275427733205088 13 346 0 False 2019-03-22 05:34:15 - Disabled 
3688 1432 OUTLOOK.EXE 275427737518176 30 2023 1 True 2019-03-22 05:34:37 - Disabled 
3792 1432 taskmgr.exe 275427737533232 6 134 1 False 2019-03-22 05:34:38 - Disabled 
1628 1432 StikyNot.exe 275427760302032 8 183 1 False 2019-03-22 05:34:42 - Disabled 
3548 1432 calc.exe 275427737830176 3 77 1 False 2019-03-22 05:34:43 - Disabled 
3576 592 iexplore.exe 275427738038368 12 403 1 True 2019-03-22 05:34:48 - Disabled 
2780 3576 iexplore.exe 275427738162496 6 233 1 True 2019-03-22 05:34:48 - Disabled 
3952 1432 hfs.exe 275427739325984 6 214 1 True 2019-03-22 05:34:51 - Disabled 
4048 1432 POWERPNT.EXE 275427750654048 23 765 1 True 2019-03-22 05:35:09 - Disabled 
3192 1432 FTK Imager.exe 275427730405504 6 353 1 False 2019-03-22 05:35:12 - Disabled 
3248 1432 chrome.exe 275427732863792 32 841 1 False 2019-03-22 05:35:14 - Disabled 
3244 3248 chrome.exe 275427737987888 7 91 1 False 2019-03-22 05:35:15 - Disabled 
2100 3248 chrome.exe 275427749724256 2 59 1 False 2019-03-22 05:35:15 - Disabled 
1816 3248 chrome.exe 275427749988080 14 328 1 False 2019-03-22 05:35:16 - Disabled 
4156 3248 chrome.exe 275427749792560 14 216 1 False 2019-03-22 05:35:17 - Disabled 
4232 3248 chrome.exe 275427751111472 14 233 1 False 2019-03-22 05:35:17 - Disabled 
4240 3248 chrome.exe 275427750943536 14 215 1 False 2019-03-22 05:35:17 - Disabled 
4520 3248 chrome.exe 275427750894384 10 234 1 False 2019-03-22 05:35:18 - Disabled 
4688 3248 chrome.exe 275427750624048 13 168 1 False 2019-03-22 05:35:19 - Disabled 
5116 3952 wscript.exe 275427757654112 8 312 1 True 2019-03-22 05:35:32 - Disabled 
3496 5116 UWkpjFjDzM.exe 275427757251040 5 109 1 True 2019-03-22 05:35:33 - Disabled 
4660 3496 cmd.exe 275427758899296 1 33 1 True 2019-03-22 05:35:36 - Disabled 
4656 372 conhost.exe 275427759336240 2 49 1 False 2019-03-22 05:35:36 - Disabled

you'll get a clean result like this.
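The two classes above get the job done, but as a worked example (added here, not code from the post) here is how I would run the same modified windows.pslist plugin from Java when the output is going to be parsed by a program rather than eyeballed: the arguments go to ProcessBuilder as a list, so no cmd /c shell ever sees the image path (spaces such as the ones in "Adam Ferrante - Triage-Memory.mem" need no quoting, and no metacharacter in a path can alter the command); stderr is discarded, so the progress counter that clobbered the last conhost.exe record in the raw dump can neither block the child on an unread pipe nor land between rows; and each row becomes a typed record with the decimal offset restored to hex. Assumes Java 17 and the same py/vol.py layout as the post; PslistRunner, ProcessRecord, parse and run are my names, and the sample line in main is the csrss.exe row copied from the dump above.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

public class PslistRunner {
    // One pslist row, in the column order of the modified plugin shown in the post.
    // Cells that Volatility rendered as NotApplicable/Unreadable/Unparsable become null.
    public record ProcessRecord(long pid, long ppid, String name, String offsetHex,
            String threads, String handles, String sessionId, String wow64,
            String createTime, String exitTime, String fileOutput) {}

    // The renderer placeholders the post's first example replaced with "-".
    private static final String[] EMPTY_MARKERS = {
        "renderers.NotApplicableValue", "renderers.UnreadableValue", "renderers.UnparsableValue"
    };

    // Trim a cell and map renderer placeholders (and empty cells) to null.
    static String cell(String raw) {
        String s = raw.trim();
        for (String marker : EMPTY_MARKERS) {
            if (s.contains(marker)) return null;
        }
        return s.isEmpty() ? null : s;
    }

    // Parse one "////"-delimited line. Header lines, blank lines and anything without
    // eleven columns and numeric PID/PPID/offset (e.g. a clobbered record) yield null.
    static ProcessRecord parse(String line) {
        String[] f = line.split("////");
        if (f.length < 11) return null;
        try {
            long pid = Long.parseLong(f[0].trim());
            long ppid = Long.parseLong(f[1].trim());
            // str(format_hints.Hex(offset)) in the plugin prints the offset in decimal;
            // restore the 0x form so it matches what vol.py itself displays.
            String offsetHex = "0x" + Long.toHexString(Long.parseLong(f[3].trim()));
            return new ProcessRecord(pid, ppid, cell(f[2]), offsetHex, cell(f[4]), cell(f[5]),
                    cell(f[6]), cell(f[7]), cell(f[8]), cell(f[9]), cell(f[10]));
        } catch (NumberFormatException e) {
            return null;
        }
    }

    // Launch vol.py with an argument list instead of one "cmd /c ..." string: no shell is
    // involved, so every path is passed through literally. Stderr is discarded so the
    // progress counter cannot fill an unread pipe or mix into the rows we parse.
    static List<ProcessRecord> run(Path volPy, Path config, Path image)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder("py", volPy.toString(),
                "-c", config.toString(), "-f", image.toString(), "windows.pslist");
        pb.redirectError(ProcessBuilder.Redirect.DISCARD);
        Process p = pb.start();
        List<ProcessRecord> rows = new ArrayList<>();
        try (BufferedReader br = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = br.readLine()) != null) {
                ProcessRecord r = parse(line);
                if (r != null) rows.add(r);
            }
        }
        int code = p.waitFor();
        if (code != 0) throw new IOException("vol.py exited with status " + code);
        return rows;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the csrss.exe row from the raw dump, re-joined onto one line.
        String sample = "332//// 324//// csrss.exe////   275427746989744////     10////  516//// 0////"
                + "   False////       2019-03-22 05:31:58//// <volatility3.framework.renderers"
                + ".NotApplicableValue object at 0x000001FFEB000D90>////   Disabled";
        System.out.println(parse(sample));
        if (args.length == 3) { // java PslistRunner <vol.py> <config.json> <image>
            run(Path.of(args[0]), Path.of(args[1]), Path.of(args[2])).forEach(System.out::println);
        }
    }
}
```

Running it without arguments only parses the embedded sample row; with three arguments it invokes vol.py exactly as the post does but without going through cmd.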

The string you'll see most often in upcoming posts on this topic is

Process pro = Runtime.getRuntime().exec("cmd /c "); this part... if you make good use of this feature, you can really use every feature you need on Windows without much difficulty.
