-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
669 lines (490 loc) · 31.3 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.1.1">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css" integrity="sha256-wiz7ZSCn/btzhjKDQBms9Hx4sSeUYsDrTLg7roPstac=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.33/fancybox/fancybox.css" integrity="sha256-gkQVf8UKZgQ0HyuxL/VnacadJ+D2Kox2TCEBuNQg5+w=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/pace/1.2.4/themes/blue/pace-theme-minimal.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/pace/1.2.4/pace.min.js" integrity="sha256-gqd7YTjg/BtfqWSwsJOvndl0Bxc8gFImLEkXQT8+qj0=" crossorigin="anonymous"></script>
<script class="next-config" data-name="main" type="application/json">{"hostname":"wtzabc123.github.io","root":"/","images":"/images","scheme":"Pisces","darkmode":false,"version":"8.19.2","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12},"copycode":{"enable":true,"style":"mac"},"fold":{"enable":false,"height":500},"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果:${query}","hits_time":"找到 ${hits} 个搜索结果(用时 ${time} 毫秒)","hits":"找到 ${hits} 个搜索结果"},"path":"/search.xml","localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false}}</script><script src="/js/config.js"></script>
<meta name="description" content="心有所向,无问东西">
<meta property="og:type" content="website">
<meta property="og:title" content="lontano's Blog">
<meta property="og:url" content="https://wtzabc123.github.io/index.html">
<meta property="og:site_name" content="lontano's Blog">
<meta property="og:description" content="心有所向,无问东西">
<meta property="og:locale" content="zh_CN">
<meta property="article:author" content="lontano">
<meta property="article:tag" content="编程,网络安全,计算机,CTF">
<meta name="twitter:card" content="summary">
<link rel="canonical" href="https://wtzabc123.github.io/">
<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":true,"isPost":false,"lang":"zh-CN","comments":"","permalink":"","path":"index.html","title":""}</script>
<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>lontano's Blog</title>
<noscript>
<link rel="stylesheet" href="/css/noscript.css">
</noscript>
<link rel="alternate" href="/atom.xml" title="lontano's Blog" type="application/atom+xml">
</head>
<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
<div class="headband"></div>
<main class="main">
<div class="column">
<header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
<div class="site-nav-toggle">
<div class="toggle" aria-label="切换导航栏" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<i class="logo-line"></i>
<h1 class="site-title">lontano's Blog</h1>
<i class="logo-line"></i>
</a>
<p class="site-subtitle" itemprop="description">奔赴山海,保持热爱</p>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger" aria-label="搜索" role="button">
<i class="fa fa-search fa-fw fa-lg"></i>
</div>
</div>
</div>
<nav class="site-nav">
<ul class="main-menu menu"><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a></li><li class="menu-item menu-item-about"><a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a></li>
<li class="menu-item menu-item-search">
<a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
</a>
</li>
</ul>
</nav>
<div class="search-pop-overlay">
<div class="popup search-popup"><div class="search-header">
<span class="search-icon">
<i class="fa fa-search"></i>
</span>
<div class="search-input-container">
<input autocomplete="off" autocapitalize="off" maxlength="80"
placeholder="搜索..." spellcheck="false"
type="search" class="search-input">
</div>
<span class="popup-btn-close" role="button">
<i class="fa fa-times-circle"></i>
</span>
</div>
<div class="search-result-container no-result">
<div class="search-result-icon">
<i class="fa fa-spinner fa-pulse fa-5x"></i>
</div>
</div>
</div>
</div>
</header>
<aside class="sidebar">
<div class="sidebar-inner sidebar-overview-active">
<ul class="sidebar-nav">
<li class="sidebar-nav-toc">
文章目录
</li>
<li class="sidebar-nav-overview">
站点概览
</li>
</ul>
<div class="sidebar-panel-container">
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
<img class="site-author-image" itemprop="image" alt="lontano"
src="/images/avatar.jpg">
<p class="site-author-name" itemprop="name">lontano</p>
<div class="site-description" itemprop="description">心有所向,无问东西</div>
</div>
<div class="site-state-wrap animated">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">3</span>
<span class="site-state-item-name">日志</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/">
<span class="site-state-item-count">2</span>
<span class="site-state-item-name">分类</span></a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">8</span>
<span class="site-state-item-name">标签</span></a>
</div>
</nav>
</div>
<div class="links-of-author animated">
<span class="links-of-author-item">
<a href="https://github.com/wtzabc123" title="GitHub → https://github.com/wtzabc123" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:[email protected]" title="E-Mail → mailto:[email protected]" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
</span>
<span class="links-of-author-item">
<a href="https://twitter.com/tor_zhi" title="Twitter → https://twitter.com/tor_zhi" rel="noopener me" target="_blank"><i class="fab fa-twitter fa-fw"></i>Twitter</a>
</span>
</div>
<div class="cc-license animated" itemprop="license">
<a href="https://creativecommons.org/licenses/by-nc-sa/4.0/zh-CN" class="cc-opacity" rel="noopener" target="_blank"><img src="https://cdnjs.cloudflare.com/ajax/libs/creativecommons-vocabulary/2020.11.3/assets/license_badges/small/by_nc_sa.svg" alt="Creative Commons"></a>
</div>
</div>
</div>
</div>
<div class="sidebar-inner sidebar-blogroll">
<div class="links-of-blogroll animated">
<div class="links-of-blogroll-title"><i class="fa fa-globe fa-fw"></i>
链接
</div>
<ul class="links-of-blogroll-list">
<li class="links-of-blogroll-item">
<a href="https://hello-ctf.com/" title="https://hello-ctf.com" rel="noopener" target="_blank">Hello-ctf</a>
</li>
</ul>
</div>
</div>
</aside>
</div>
<div class="main-inner index posts-expand">
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://wtzabc123.github.io/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpg">
<meta itemprop="name" content="lontano">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="lontano's Blog">
<meta itemprop="description" content="心有所向,无问东西">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="undefined | lontano's Blog">
<meta itemprop="description" content="">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/" class="post-title-link" itemprop="url">数据隐藏的学习笔记</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2024-03-29 10:21:15 / 修改时间:22:32:21" itemprop="dateCreated datePublished" datetime="2024-03-29T10:21:15+08:00">2024-03-29</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">网络安全</span></a>
</span>
</span>
<span class="post-meta-break"></span>
<span class="post-meta-item" title="本文字数">
<span class="post-meta-item-icon">
<i class="far fa-file-word"></i>
</span>
<span class="post-meta-item-text">本文字数:</span>
<span>5k</span>
</span>
<span class="post-meta-item" title="阅读时长">
<span class="post-meta-item-icon">
<i class="far fa-clock"></i>
</span>
<span class="post-meta-item-text">阅读时长 ≈</span>
<span>9 分钟</span>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>最近刚看完了Michael Raggo的《数据隐藏技术解密》这本书,书中有些内容值得做一些笔记</p>
<h4 id="1-Word中的数据隐藏"><a href="#1-Word中的数据隐藏" class="headerlink" title="1.Word中的数据隐藏"></a>1.Word中的数据隐藏</h4><p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/1.png"></p>
<p>右键单击,选择”字体”,勾选“隐藏”复选框即可隐藏文字</p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/2.png"></p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/3.png"></p>
<p>我们可以在Word的文件->选项->勾选“隐藏文字”复选框,或者“打印隐藏文字”完成隐藏内容的显示</p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/4.png"></p>
<p>另外一个识别隐藏文字的方法是使用检查文档选项,在文件->信息->检查文档中,可以检查隐藏元数据,例如作者,批注和可识别的其他信息</p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/5.png"></p>
<p>在Word的属性区域还有很多可以隐藏信息的选项</p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/6.png"></p>
<h4 id="2-在PDF文件中隐藏信息"><a href="#2-在PDF文件中隐藏信息" class="headerlink" title="2.在PDF文件中隐藏信息"></a>2.在PDF文件中隐藏信息</h4><p>wbStego4open:<a target="_blank" rel="noopener" href="http://www.bailer.at/wbstego/pr_4ixopen.htm">http://www.bailer.at/wbstego/pr_4ixopen.htm</a></p>
<p>可以使用wbStego4open工具在PDF文件中隐藏版权信息,文件等,同时还可以设置密码,操作简单,按软件提示做就可以</p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/7.png"></p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/8.png"></p>
<blockquote>
<p>工具原理:</p>
<ol>
<li>将插入数据的每一个ASCII码转换为二进制格式</li>
<li>根据20代表0,09代表1,进行替换</li>
<li>最后将这些20 09序列嵌入PDF文件</li>
</ol>
</blockquote>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/9.png"></p>
<p><img src="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/10.png"></p>
<p>原理如图:</p>
<p><img src="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRi-osMdLzjQD8Wl-7sPz0BqxJu-6HpvT8_gQ&s" alt="2.1)【隐写技术】数据的隐藏方法、PDF、可执行 ..."></p>
<!--noindex-->
<div class="post-button">
<a class="btn" href="/2024/03/29/%E6%95%B0%E6%8D%AE%E9%9A%90%E8%97%8F%E7%9A%84%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/#more" rel="contents">
阅读全文 »
</a>
</div>
<!--/noindex-->
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://wtzabc123.github.io/2024/03/24/volatility%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81%E5%B7%A5%E5%85%B7%E7%9A%84%E5%AD%A6%E4%B9%A0%E5%92%8C%E4%BD%BF%E7%94%A8/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpg">
<meta itemprop="name" content="lontano">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="lontano's Blog">
<meta itemprop="description" content="心有所向,无问东西">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="undefined | lontano's Blog">
<meta itemprop="description" content="">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/03/24/volatility%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81%E5%B7%A5%E5%85%B7%E7%9A%84%E5%AD%A6%E4%B9%A0%E5%92%8C%E4%BD%BF%E7%94%A8/" class="post-title-link" itemprop="url">volatility内存取证工具的学习和使用</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2024-03-24 19:21:23" itemprop="dateCreated datePublished" datetime="2024-03-24T19:21:23+08:00">2024-03-24</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2024-03-29 10:22:30" itemprop="dateModified" datetime="2024-03-29T10:22:30+08:00">2024-03-29</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">网络安全</span></a>
</span>
</span>
<span class="post-meta-break"></span>
<span class="post-meta-item" title="本文字数">
<span class="post-meta-item-icon">
<i class="far fa-file-word"></i>
</span>
<span class="post-meta-item-text">本文字数:</span>
<span>5.2k</span>
</span>
<span class="post-meta-item" title="阅读时长">
<span class="post-meta-item-icon">
<i class="far fa-clock"></i>
</span>
<span class="post-meta-item-text">阅读时长 ≈</span>
<span>9 分钟</span>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p> 我最近正在学习misc的内存取证和日志分析,volalility是一个常用的内存取证分析工具,接下来我们一起来看看它的几个使用方法和典型CTF赛题</p>
<p>volatility下载地址:<a target="_blank" rel="noopener" href="https://github.com/volatilityfoundation/volatility">https://github.com/volatilityfoundation/volatility</a></p>
<p>本文使用的版本非volatility3版本,而是老版本,需要python2运行</p>
<h4 id="例题:"><a href="#例题:" class="headerlink" title="例题:"></a>例题:</h4><p>选自 [陇剑杯 2021]内存分析:</p>
<p>1.网管小王制作了一个虚拟机文件,让您来分析后作答:<br> 虚拟机的密码是_____________。</p>
<p>首先,我们下载附件之后,看到压缩包里有一个vmem格式的文件</p>
<p><img src="/2024/03/24/volatility%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81%E5%B7%A5%E5%85%B7%E7%9A%84%E5%AD%A6%E4%B9%A0%E5%92%8C%E4%BD%BF%E7%94%A8/1.png"></p>
<blockquote>
<p>Tip:什么是VMEM格式的文件?</p>
<p> VMEM格式的文件通常与虚拟机有关。VMEM文件是VMware虚拟机使用的分页或交换文件,用来备份主内存文件(以.VMX后缀的文件)中的数据,在虚拟机电源被关闭时使用。当虚拟机正在运行而主机的物理内存不足以支持它时,系统会将一部分虚拟机内存数据存储到VMEM文件中。 这个文件通过存储虚拟机的物理RAM内容,可以在虚拟机启动时提供状态恢复功能。如果您需要处理此类文件,通常是因为您正在管理虚拟机或者需要分析虚拟机的运行状态。 在某些情况下,如果虚拟机没有正常关闭,例如突然断电,VMEM文件就可以用来恢复虚拟机运行前的状态。然而,由于这些文件可能非常大,并且包含了大量的数据,所以通常不会被移动或编辑。 正常的虚拟机操作不需要用户直接与VMEM文件交互。</p>
</blockquote>
<p>我们这时就需要用到volatility工具分析这个vmem格式的文件,将其拖入kali linux 虚拟机中,我们可以使用</p>
<figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python2 vol<span class="selector-class">.py</span> -f Target<span class="selector-class">.vmem</span> imageinfo</span><br></pre></td></tr></table></figure>
<p><img src="/2024/03/24/volatility%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81%E5%B7%A5%E5%85%B7%E7%9A%84%E5%AD%A6%E4%B9%A0%E5%92%8C%E4%BD%BF%E7%94%A8/2.png"></p>
<p>来查看Target.vmem文件的镜像信息,这里的-f 指的是 file ,用于指定文件,imageinfo是查看镜像文件的信息,imageinfo在内存取证中一般都是经常使用的</p>
<p><img src="/2024/03/24/volatility%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81%E5%B7%A5%E5%85%B7%E7%9A%84%E5%AD%A6%E4%B9%A0%E5%92%8C%E4%BD%BF%E7%94%A8/3.png"></p>
<p>这里的profile给出了一堆操作系统的名称,这是volatility工具预测的该我文件可能的操作系统版本,如果你能确定是哪个就选择哪个,否则可能需要挨个尝试,我们直接选择第一个尝试</p>
<p>我们通过命令</p>
<figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python2 vol<span class="selector-class">.py</span> -f Target<span class="selector-class">.vmem</span> <span class="attr">--profile</span> Win7SP1x64 lsadump</span><br></pre></td></tr></table></figure>
<!--noindex-->
<div class="post-button">
<a class="btn" href="/2024/03/24/volatility%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81%E5%B7%A5%E5%85%B7%E7%9A%84%E5%AD%A6%E4%B9%A0%E5%92%8C%E4%BD%BF%E7%94%A8/#more" rel="contents">
阅读全文 »
</a>
</div>
<!--/noindex-->
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://wtzabc123.github.io/2024/03/24/%E6%88%91%E4%B8%BA%E4%BB%80%E4%B9%88%E7%83%AD%E7%88%B1%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%EF%BC%8C%E5%B9%B6%E8%B5%B0%E4%B8%8A%E5%AD%A6%E4%B9%A0%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E7%9A%84%E9%81%93%E8%B7%AF/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpg">
<meta itemprop="name" content="lontano">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="lontano's Blog">
<meta itemprop="description" content="心有所向,无问东西">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="undefined | lontano's Blog">
<meta itemprop="description" content="">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/03/24/%E6%88%91%E4%B8%BA%E4%BB%80%E4%B9%88%E7%83%AD%E7%88%B1%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%EF%BC%8C%E5%B9%B6%E8%B5%B0%E4%B8%8A%E5%AD%A6%E4%B9%A0%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E7%9A%84%E9%81%93%E8%B7%AF/" class="post-title-link" itemprop="url">我为什么热爱网络安全,并走上学习网络安全的道路</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2024-03-24 08:40:56" itemprop="dateCreated datePublished" datetime="2024-03-24T08:40:56+08:00">2024-03-24</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2024-03-25 12:51:17" itemprop="dateModified" datetime="2024-03-25T12:51:17+08:00">2024-03-25</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/%E6%9D%82%E8%B0%88/" itemprop="url" rel="index"><span itemprop="name">杂谈</span></a>
</span>
</span>
<span class="post-meta-break"></span>
<span class="post-meta-item" title="本文字数">
<span class="post-meta-item-icon">
<i class="far fa-file-word"></i>
</span>
<span class="post-meta-item-text">本文字数:</span>
<span>1.7k</span>
</span>
<span class="post-meta-item" title="阅读时长">
<span class="post-meta-item-icon">
<i class="far fa-clock"></i>
</span>
<span class="post-meta-item-text">阅读时长 ≈</span>
<span>3 分钟</span>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>我为什么热爱网络安全,并走上学习网络安全的道路?🫤 这个嘛~,可以说我很早就有学习网络安全的打算了,在还没进入大学之前,我其实并没有真正很想报考网络空间安全专业,因为在当时我也是一个技术很平庸的人,成为不了最厉害的那一群人,但是,想到我高中参加信息学奥赛的经历,我又感觉想试试另外一个方向。我从小生活在一个四五线小城市,小学的时候家里有一台笔记本电脑,家里的电视虽然可以上网,不过只有那一点点片源(都是11年以前的),一直都没有更新,后来就没有我喜欢看的东西了,于是我就发现可以在电脑上下载影片到U盘或者读卡器然后插到电视上,
<!--noindex-->
<div class="post-button">
<a class="btn" href="/2024/03/24/%E6%88%91%E4%B8%BA%E4%BB%80%E4%B9%88%E7%83%AD%E7%88%B1%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%EF%BC%8C%E5%B9%B6%E8%B5%B0%E4%B8%8A%E5%AD%A6%E4%B9%A0%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E7%9A%84%E9%81%93%E8%B7%AF/#more" rel="contents">
阅读全文 »
</a>
</div>
<!--/noindex-->
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<div class="copyright">
©
<span itemprop="copyrightYear">2024</span>
<span class="with-love">
<i class="fa fa-heart"></i>
</span>
<span class="author" itemprop="copyrightHolder">lontano</span>
</div>
<div class="powered-by">
<!--由 <a href="https://hexo.io/" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/pisces/" rel="noopener" target="_blank">NexT.Pisces</a> 强力驱动 -->
</div>
<!-- <br /> -->
<!-- 网站运行时间的设置 -->
<span id="timeDate">载入天数...</span>
<!-- <span id="times">载入时分秒...</span> -->
<script>
var now = new Date();
function createtime() {
var grt= new Date("3/24/2024 0:00:00");//此处修改你的建站时间或者网站上线时间
now.setTime(now.getTime()+250);
days = (now - grt ) / 1000 / 60 / 60 / 24; dnum = Math.floor(days);
hours = (now - grt ) / 1000 / 60 / 60 - (24 * dnum); hnum = Math.floor(hours);
if(String(hnum).length ==1 ){hnum = "0" + hnum;} minutes = (now - grt ) / 1000 /60 - (24 * 60 * dnum) - (60 * hnum);
mnum = Math.floor(minutes); if(String(mnum).length ==1 ){mnum = "0" + mnum;}
seconds = (now - grt ) / 1000 - (24 * 60 * 60 * dnum) - (60 * 60 * hnum) - (60 * mnum);
snum = Math.round(seconds);
if(String(snum).length ==1 ){snum = "0" + snum;}
// var times = document.getElementById("times").innerHTML = hnum + " 小时 " + mnum + " 分 " + snum + " 秒";
document.getElementById("timeDate").innerHTML = "本站已安全运行 "+dnum+" 天 "+hnum + " 小时 " + mnum + " 分 " + snum + " 秒";
}
setInterval("createtime()",250);
</script>
</div>
</footer>
<div class="back-to-top" role="button" aria-label="返回顶部">
<i class="fa fa-arrow-up fa-lg"></i>
<span>0%</span>
</div>
<a href="https://github.com/wtzabc123" class="github-corner" title="在 GitHub 上关注我" aria-label="在 GitHub 上关注我" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>
<noscript>
<div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>
<script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.33/fancybox/fancybox.umd.js" integrity="sha256-+2+qOqR8CKoHh/AsVR9k2qaDBKWjYNC2nozhYmv5j9k=" crossorigin="anonymous"></script>
<script src="/js/comments.js"></script><script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/next-boot.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/hexo-generator-searchdb/1.4.1/search.js" integrity="sha256-1kfA5uHPf65M5cphT2dvymhkuyHPQp5A53EGZOnOLmc=" crossorigin="anonymous"></script>
<script src="/js/third-party/search/local-search.js"></script>
<script src="/js/third-party/fancybox.js"></script>
<script src="/js/third-party/pace.js"></script>
<script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"> </script>
</body>
</html>