Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not current fit into physical memory.
This file, stored in %SystemDrive%\pagefile.sys is a hidden system file and it can never be read or accessed by a user, including Administrator.
This file, stored in %SystemDrive%\pagefile.sys is a hidden system file and it can never be read or accessed by a user, including Administrator.
It is possible to read this file by parsing the raw file system, or exact it using tools like FTKImager.
Analysis with “strings” command
To start your analysis on the page file you could use the strings command.
Here some suggestions:
Here some suggestions:
List all paths in pagefile
$strings pagefile.sys | grep -i "^[a-z]:\\\\" | sort | uniq | less
Search for enviroment variables
$ strings pagefile.sys | grep -i "^[a-zA-Z09_]*=.*" | sort -u | uniq | less
Search for URLs
$ strings pagefile.sys | egrep "^https?://" | sort | uniq | less
Search for email addresses
$ strings pagefile.sys | egrep '([[:alnum:]_.-]{1,64}+@[[:alnum:]_.-]{2,255}+?\.[[:alpha:].]{2,4})'
Analysis with YARA rules
Furthermore, you may scan the pagefile.sys using YARA.
Using (for example) the set of rules obtained with this method, you may scan the pagefile in order to seek some malware artifacts not found in the volatile memory:
Using (for example) the set of rules obtained with this method, you may scan the pagefile in order to seek some malware artifacts not found in the volatile memory:
$ yara malware_rules.yar pagefile.sysPort of the most important GNU utilities to Windows
https://sourceforge.net/projects/unxutils/
Không có nhận xét nào:
Đăng nhận xét