{"id":19689,"date":"2022-07-11T11:35:55","date_gmt":"2022-07-11T03:35:55","guid":{"rendered":"https:\/\/blog.pmail.idv.tw\/?p=19689"},"modified":"2022-07-11T11:35:55","modified_gmt":"2022-07-11T03:35:55","slug":"volatility%e8%a8%98%e6%86%b6%e6%86%b6%e9%ab%94%e5%8f%96%e8%ad%89%e5%88%86%e6%9e%90%e5%b7%a5%e5%85%b7%e4%bd%bf%e7%94%a8%e7%ad%86%e8%a8%98","status":"publish","type":"post","link":"https:\/\/blog.pmail.idv.tw\/?p=19689","title":{"rendered":"Volatility\u8a18\u61b6\u9ad4\u53d6\u8b49\u5206\u6790\u5de5\u5177\u4f7f\u7528\u7b46\u8a18"},"content":{"rendered":"<p>\u4e4b\u524d\u53c3\u52a0\u4e00\u500b\u8cc7\u5b89\u793e\u5718\u7684\u7dda\u4e0a\u6559\u5b78\uff0c\u5167\u5bb9\u662f\u95dc\u65bc\u7fd2\u85cd\u968a\u5b89\u5168\u7cfb\u5217(\u521d\u5b78\u8005)\uff0c\u5167\u5bb9\u4e2d\u6709\u63d0\u5230 <\/p>\n<p>Volatility\u5de5\u5177\u4f7f\u7528\uff0c\u56e0\u70ba\u8cc7\u5b89\u65b9\u9762\u6211\u4e5f\u4e0d\u719f\u6240\u4ee5\u807d\u8ab2\u4f86\u5b78\u7fd2\uff0c\u611f\u89ba\u6eff\u6709\u8da3\u7684\uff0c\u6240\u4ee5\u505a\u4e86\u4e00 <\/p>\n<p>\u4e0b\u4e0a\u8ab2\u7b46\u8a18\u3002<\/p>\n<p><!--more--><\/p>\n<p>Volatility\u70ba\u958b\u6e90\u7684Windows,Linux,Mac,Android\u7684\u8a18\u61b6\u9ad4\u53d6\u8b49\u5206\u6790\u5de5\u5177,\u7531python\u7de8\u5beb\u6210,\u547d\u4ee4\u5217\u64cd\u4f5c,\u652f\u63f4\u5404\u7a2e\u4f5c\u696d\u7cfb\u7d71. 
<\/p>\n<p>\u5b89\u88dd: <\/p>\n<p>\u5728windows 10 \u5b89\u88dd <\/p>\n<p>\u5b89\u88dd Python 3.XX \u74b0\u5883 <\/p>\n<p><a href=\"https:\/\/www.python.org\/downloads\/\">https:\/\/www.python.org\/downloads\/<\/a> <\/p>\n<p>\u4e0b\u8f09Python 3.10.5 \u57f7\u884c\u5b89\u88dd <\/p>\n<p>\u8acb\u52fe\u9078 [Add Python 3.10 to PATH] <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image002.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image002\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image002\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image002_thumb.jpg\" width=\"644\" height=\"326\"><\/a> <\/p>\n<p>\u5b89\u88dd\u5b8c\u6210 <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image004.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image004\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image004\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image004_thumb.jpg\" width=\"644\" height=\"311\"><\/a> <\/p>\n<p>\u5b89\u88dd\u5176\u4ed6\u5957\u4ef6 <\/p>\n<p>\u958b\u555f\u547d\u4ee4\u63d0\u793a\u5b57\u5143\u57f7\u884c pip install pefile <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image006.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image006\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image006\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image006_thumb.jpg\" 
width=\"644\" height=\"255\"><\/a> <\/p>\n<p>\u5b89\u88ddgit <\/p>\n<p>\u8f09\u9ede<a href=\"https:\/\/git-scm.com\/download\/win\">https:\/\/git-scm.com\/download\/win<\/a> <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image008.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image008\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image008\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image008_thumb.jpg\" width=\"615\" height=\"484\"><\/a> <\/p>\n<p>Git \u5b89\u88dd\u5b8c\u6210 <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image010.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image010\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image010\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image010_thumb.jpg\" width=\"625\" height=\"484\"><\/a> <\/p>\n<p>Git\u5b89\u88dd Volatility3 <\/p>\n<p>git clone https:\/\/github.com\/volatilityfoundation\/volatility3.git <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image012.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image012\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image012\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image012_thumb.jpg\" width=\"644\" height=\"145\"><\/a> <\/p>\n<p>\u53e6\u5916\u4e0b\u8f09Volatility2.6\u4f86\u4f7f\u7528 <\/p>\n<p><a 
href=\"https:\/\/www.volatilityfoundation.org\/26\">https:\/\/www.volatilityfoundation.org\/26<\/a> <\/p>\n<p>\u56e0\u6211\u662f\u5728win10\u74b0\u5883\u6240\u4ee5\u4e0b\u5728windows x64  <\/p>\n<p>\u4e0b\u8f09\u5f8c\u89e3\u58d3\u7e2e\u5f8c\u662f\u4e00\u500b\u57f7\u884c\u6a94 <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image014.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image014\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image014\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image014_thumb.jpg\" width=\"644\" height=\"323\"><\/a> <\/p>\n<p>Volatility2 and Volatility3 \u4f7f\u7528\u4e0a\u7684\u4e00\u4e9b\u8aaa\u660e\u53c3\u8003 <\/p>\n<p><a href=\"https:\/\/blog.onfvp.com\/post\/volatility-cheatsheet\/\">https:\/\/blog.onfvp.com\/post\/volatility-cheatsheet\/<\/a> <\/p>\n<p>\u85cd\u968a BlueTeam Challenges \u7df4\u7fd2\u7db2\u7ad9 <\/p>\n<p><a href=\"https:\/\/cyberdefenders.org\/\">https:\/\/cyberdefenders.org\/<\/a> <\/p>\n<p>\u7df4\u7fd2 <\/p>\n<p>\u5be6\u4f5c\u984c\u76ee\uff0c\u54e1\u5de5\u6536\u5230\u4e00\u4efd\u5b89\u5168\u66f4\u65b0\u4fe1\u4ef6\uff0c\u9032\u884c\u66f4\u65b0\u4e4b\u5f8c\uff0c\u6a5f\u5668\u958b\u59cb\u7570\u5e38\uff0c\u5617\u8a66\u5206\u6790\u8a18\u61b6\u9ad4\u7684\u5167\u5bb9\u627e\u5230\u86db\u7d72\u99ac\u8de1\u3002 <\/p>\n<p><a href=\"https:\/\/cyberdefenders.org\/blueteam-ctf-challenges\/88\">https:\/\/cyberdefenders.org\/blueteam-ctf-challenges\/88<\/a> <\/p>\n<p>\u5728\u8a72\u7db2\u7ad9\u8a3b\u518a\u53ef\u4ee5\u4e0b\u984c\u76ee\u7bc4\u672c <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image016.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image016\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; 
padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image016\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image016_thumb.jpg\" width=\"644\" height=\"304\"><\/a> <\/p>\n<p>\u4e0b\u8f09\u5f8c\u89e3\u58d3\u7e2e\u6703\u770b\u5230\u4e09\u500b\u8cc7\u6599\u593e\u88e1\u9762\u6709\u76f8\u95dc\u7684.vmss \u6a94\u6848 <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image018.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image018\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image018\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image018_thumb.jpg\" width=\"644\" height=\"310\"><\/a> <\/p>\n<p>\u8981\u5982\u4f55\u4f7f\u7528\u5462? <\/p>\n<p>\u5229\u7528vmss2core\u5de5\u5177\u5c07.vmss \u8f49\u63db\u6210memory.dump \u4f86\u9032\u884c\u5206\u6790 <\/p>\n<p>\u4e0b\u8f09\u7db2\u5740 <\/p>\n<p><a href=\"https:\/\/flings.vmware.com\/vmss2core?download_url=https%3A%2F%2Fdownload3.vmware.com%2Fsoftware%2Fvmw-tools%2Fvmss2core%2Fvmss2core-sb-8456865.exe\">https:\/\/flings.vmware.com\/vmss2core?download_url=https%3A%2F%2Fdownload3.vmware.com%2Fsoftware%2Fvmw-tools%2Fvmss2core%2Fvmss2core-sb-8456865.exe<\/a> <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image020.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image020\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image020\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image020_thumb.jpg\" width=\"644\" height=\"383\"><\/a> <\/p>\n<p>\u9032\u884c\u8f49\u63db 
<\/p>\n<p>vmss2core.exe -W .\\Bule\\target1\\Target1-1dd8701f.vmss<a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image022.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image022\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image022\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image022_thumb.jpg\" width=\"644\" height=\"269\"><\/a> <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image024.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image024\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image024\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image024_thumb.jpg\" width=\"644\" height=\"290\"><\/a> <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image026.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image026\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image026\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image026_thumb.jpg\" width=\"644\" height=\"288\"><\/a> <\/p>\n<p>\u5b8c\u6210\u5f8c\uff0c\u6703\u7522\u751fmemory.dump\u6a94\u6848\u5f8c\uff0c\u5c31\u53ef\u4f7f\u7528\u6b64\u6a94\u6848\u4f86\u9032\u884c\u5206\u6790 <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image028.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image028\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; 
padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image028\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image028_thumb.jpg\" width=\"644\" height=\"240\"><\/a> <\/p>\n<p>\u57f7\u884cVolatility\u5de5\u5177\u5148\u78ba\u8a8d\u8f49\u51fa\u4f86\u984c\u76eedump \u662f\u54ea\u500b\u7248\u672c\u7684\u4f5c\u696d\u7cfb\u7d71 <\/p>\n<p>volatility2.X \u7248\u672c=&gt;\u57f7\u884c\u6307\u4ee4\u5982\u4e0b : -f \u70badump\u8def\u5f91 \u5e36\u53c3\u6578imageinfo <\/p>\n<p>volatility_2.6_win64_standalone.exe -f c:\\dump\\memory.dmp imageinfo <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image030.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image030\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image030\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image030_thumb.jpg\" width=\"644\" height=\"287\"><\/a> <\/p>\n<p>Volatility3\u57f7\u884c\u6307\u4ee4\u5982\u4e0b : -f \u70badump\u8def\u5f91 \u5e36\u53c3\u6578windows.info <\/p>\n<p>vol.py -f c:\\dump\\memory.dmp windows.info <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image032.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image032\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image032\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image032_thumb.jpg\" width=\"644\" height=\"433\"><\/a> <\/p>\n<p>Q1: <\/p>\n<p>\u627e\u51fa\u54ea\u500be-mail address\u8a98\u9a19\u54e1\u5de5\u5b89\u88dd\u5b89\u5168\u6027\u66f4\u65b0 <\/p>\n<p><a 
href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image034.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image034\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image034\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image034_thumb.jpg\" width=\"644\" height=\"120\"><\/a> <\/p>\n<p>\u8207e-mail \u76f8\u95dc\u90a3\u53ef\u80fd\u9700\u8981\u5f9eoutlook \u4e0b\u624b\u6216\u8a31\u6709\u4e9b\u86db\u7d72\u99ac\u8de1 <\/p>\n<p>Volatility2.x:  <\/p>\n<p>\u53ef\u4ee5\u4f7f\u7528<b>pslist <\/b>\u5217\u51fa\u6240\u6709\u57f7\u884c\u7a0b\u5e8f --profile \u5c31\u662f\u524d\u9762\u6b65\u9a5fimageinfo\u627e\u5230\u7684Win7SP1x86 <\/p>\n<p>\u57f7\u884c\u6307\u4ee4\u5982\u4e0b <\/p>\n<p>volatility_2.6_win64_standalone.exe -f c:\\dump\\memory.dmp --profile=Win7SP1x86 pslist <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image036.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image036\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image036\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image036_thumb.jpg\" width=\"644\" height=\"284\"><\/a> <\/p>\n<p>\u6709\u770b\u5230outlook.exe\u57f7\u884c\u7a0b\u5e8f\u4e14PID\u70ba3196 <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image038.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image038\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image038\" 
src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image038_thumb.jpg\" width=\"644\" height=\"237\"><\/a> <\/p>\n<p>\u6709\u770b\u5230outlook.exe \u5728\u57f7\u884c\u90a3\u5982\u679c\u662fexchange\u74b0\u5883\u61c9\u8a72\u6703\u6709.ost\u6a94 <\/p>\n<p>\u6b64\u6642\u53ef\u4ee5\u5229\u7528 filescan \u53c3\u6578\u4f86\u6383\u63cfdump\u4e2d\u7684\u6a94\u6848 <\/p>\n<p>volatility_2.6_win64_standalone.exe -f c:\\dump\\memory.dmp --profile=Win7SP1x86 filescan <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image040.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image040\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image040\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image040_thumb.jpg\" width=\"644\" height=\"230\"><\/a> <\/p>\n<p>\u56e0\u6383\u51fa\u4f86\u592a\u591a\u4e0d\u597d\u641c\u5c0b\u6240\u4ee5\u57f7\u884cfilescan\u5f8c\u5c07\u7d50\u679c\u5beb\u5165\u4e00\u500b.txt(\u6307\u4ee4\u5982\u4e0b) <\/p>\n<p>volatility_2.6_win64_standalone.exe -f c:\\dump\\memory.dmp --profile=Win7SP1x86 filescan &gt;file.txt <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image042.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image042\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image042\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image042_thumb.jpg\" width=\"644\" height=\"105\"><\/a> <\/p>\n<p>\u958b\u555ffile.txt\u5f8c\u76f4\u63a5\u641c\u5c0b.ost <\/p>\n<p>\u627e\u5230\u5169\u500boutlook2.ost.tmp and outlook.ost 
<\/p>\n<p>\u7406\u8ad6\u4e0a\u61c9\u8a72\u662foutlook2.ost\u624d\u662f\u9700\u8981\u7684.tmp \u662f\u958b\u555foutlook\u7a0b\u5f0f\u7522\u751f\u7684\u66ab\u5b58\u6a94 <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image044.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image044\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image044\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image044_thumb.jpg\" width=\"644\" height=\"122\"><\/a> <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image046.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image046\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image046\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image046_thumb.jpg\" width=\"644\" height=\"201\"><\/a> <\/p>\n<p>\u65e2\u7136\u9700\u8981\u9019\u500bost \u53ef\u4ee5\u4f7f\u7528 dumpfiles \u4f86\u532f\u51fa\u8a18\u61b6\u9ad4\u4e2d\u7684\u66ab\u5b58\u6a94 <\/p>\n<p>\u53c3\u6578 dumpfiles -Q 0x000000003fc61be0 -D .\/  <\/p>\n<p>=&gt; 0x000000003fc61be0 =&gt; \u6b64\u70ba\u524d\u9762\u6b65\u9a5ffilescan\u5217\u51fa\u4f86offset(P)\u6b04\u4f4d(\u61c9\u8a72\u662f\u8a18\u61b6\u9ad4\u5b9a\u5740\u4f4d\u7f6e) <\/p>\n<p>=&gt; -D c:\\files\\ \u532f\u51fa\u6a94\u6848\u5b58\u653e\u4f4d\u7f6e <\/p>\n<p>=&gt;&nbsp; -u, --unsafe Relax safety constraints for more data <\/p>\n<p>volatility_2.6_win64_standalone.exe -f c:\\dump\\memory.dmp --profile=Win7SP1x86 dumpfiles -Q 0x000000003fc61be0 -D c:\\files -u <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image048.jpg\"><img 
loading=\"lazy\" decoding=\"async\" title=\"clip_image048\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image048\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image048_thumb.jpg\" width=\"644\" height=\"107\"><\/a> <\/p>\n<p>\u532f\u51fa\u6a94\u6848\u5982\u4e0b\u5716(\u4f46\u9644\u6a94\u540d\u4e0d\u662f.ost) (0KB\u4e0d\u7528\u7406\u6703) <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image050.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image050\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image050\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image050_thumb.jpg\" width=\"644\" height=\"157\"><\/a> <\/p>\n<p>\u624b\u52d5\u6539.dat \u8b8a\u6210.ost <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image052.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image052\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image052\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image052_thumb.jpg\" width=\"644\" height=\"173\"><\/a> <\/p>\n<p>\u5229\u7528sysinfotools ost viewer \u958b\u555fost <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image054.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image054\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 
0px\" border=\"0\" alt=\"clip_image054\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image054_thumb.jpg\" width=\"644\" height=\"281\"><\/a> <\/p>\n<p>\u9ede\u5230inbox \u679c\u7136\u6709\u4e00\u5c01\u4fe1\u4ef6\u7591\u4f3c\u8981\u7528\u6236\u66f4\u65b0vpnclient\u90f5\u4ef6 <\/p>\n<p>\u5bc4\u4ef6\u4eba\u70ba =&gt; th3wh1t3r0s3@gmail.com <\/p>\n<p><a href=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image056.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image056\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"clip_image056\" src=\"https:\/\/blog.pmail.idv.tw\/wp-content\/uploads\/2022\/07\/clip_image056_thumb.jpg\" width=\"644\" height=\"363\"><\/a>   <\/p>\n<p>\u4ee5\u4e0a\u662f\u7c21\u55ae\u7b46\u8a18\u4e00\u4e0b~~ \u7528\u6cd5\u5176\u5be6\u9084\u662f\u6709\u5f88\u591a\uff0c\u53ef\u4ee5\u7e7c\u7e8c\u6311\u6230\u8a72\u7df4\u7fd2\u7db2\u7ad9\u7684\u984c\u76ee\u4f86\u7df4\u7fd2\u3002<\/p>\n<div class=\"21cd169d3c0f71e95b84db320302cb4a\" data-index=\"1\" style=\"float: right; margin:10px 0 10px 10px;\">\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-8711325745898650\"\r\n     crossorigin=\"anonymous\"><\/script>\n<\/div>\n\n<div style=\"font-size: 0px; height: 0px; line-height: 0px; margin: 0; padding: 0; clear: both;\"><\/div>","protected":false},"excerpt":{"rendered":"<p>\u4e4b\u524d\u53c3\u52a0\u4e00\u500b\u8cc7\u5b89\u793e\u5718\u7684\u7dda\u4e0a\u6559\u5b78\uff0c\u5167\u5bb9\u662f\u95dc\u65bc\u7fd2\u85cd\u968a\u5b89\u5168\u7cfb\u5217(\u521d\u5b78\u8005)\uff0c\u5167\u5bb9\u4e2d\u6709\u63d0\u5230 &hellip; <a href=\"https:\/\/blog.pmail.idv.tw\/?p=19689\">\u95b1\u8b80\u5168\u6587 <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[183],"tags":[],"class_list":["post-19689","post","type-post","status-publish","format-standard","hentry","category-183"],"_links":{"self":[{"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=\/wp\/v2\/posts\/19689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=19689"}],"version-history":[{"count":1,"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=\/wp\/v2\/posts\/19689\/revisions"}],"predecessor-version":[{"id":19690,"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=\/wp\/v2\/posts\/19689\/revisions\/19690"}],"wp:attachment":[{"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=19689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=19689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pmail.idv.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=19689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}