文章目录

Memory Forensics
- 1 - What the password?
- 2 - General Info
- 3 - Play Time
- 4 - Name Game
- 5 - Name Game 2
- 6 - Silly Rick
- 7 - Hide And Seek
- 8 - Path To Glory
- 9 - Path To Glory 2
- 10 - Bit 4 Bit
- 11 - Graphic's For The Weak
- 12 - Recovery

Memory Forensics

1 - What the password?

you got a sample of rick’s PC’s memory. can you get his user password?

volatility -f OtterCTF.vmem imageinfo

查看rick的hash密码值然后拿去cmd5解密发现解不出来

volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump

518172d012f97d3a8fcc089615283940没解出来，用lsadump这个也是用来提取hash的

volatility -f OtterCTF.vmem --profile=Win7SP1x64 lsadum

rick的密码是 MortyIsReallyAnOtter

2 - General Info

Let’s start easy - whats the PC’s name and IP address?

这个命令是查看注册表的 hivelist 内存镜像的主机名是在注册表的 \REGISTRY\MACHINE\SYSTEM

volatility -f OtterCTF.vmem --profile=Win7SP1x64 hivelist

-o 0xfffff8a000024010 指定输出的内存地址
printkey 常常是用来列举用户及密码、查看获取最后登陆系统的用户。

volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey

PC name : WIN-LO6FAF3DTFE
printkey -K 'ControlSet001\Control\ComputerName\ComputerName'
可以输出层级目录里的东西

volatility -f OtterCTF.vmem --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K 'ControlSet001\Control\ComputerName\ComputerName'

PC IP : 192.168.202.131
netscan 是用来查看网络连接既然是主机IP大部分都是一个内网地址

volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan

3 - Play Time

Rick just loves to play some good old videogames. can you tell which
game is he playing? whats the IP address of the server?

IP address of the server : 77.102.199.102
Game Name : LunarMS

volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan

4 - Name Game

We know that the account was logged in to a channel called Lunar-3. what is the account name?

Account Name ： 0tt3r8r33z3
grep Lunar-3 -A 5 -B 5 grep是查找命令显示找到的字符 -A 后面多少行 -B 前面多少行

strings OtterCTF.vmem| grep Lunar-3 -A 5 -B 5

5 - Name Game 2

From a little research we found that the username of the logged on
character is always after this signature: 0x64 0x??{6-8} 0x40 0x06
0x??{18} 0x5a 0x0c 0x00{2} What’s rick’s character’s name?

先用memdump把这个进程导出 -p 进程pid -D 导出的目录（./ = 当前目录）

volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 708 -D ./

根据给出题目给出的16进制字节找出角色名

hexdump -C 708.dmp| grep '5a 0c 00 00' -A 10 -B 10

6 - Silly Rick

Silly rick always forgets his email’s password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick’s email password?

copy and paste the password 描述说他总是粘贴密码所以我们查看剪切板 clipboard

volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard

7 - Hide And Seek

The reason that we took rick’s PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)

我们发现 Rick And Morty
子进程有个 vmware-tray.exe这个进程是VMwareWorkstation虚拟机软件的托盘程序
这个非常不正常，可以猜测这就是恶意程序感染

volatility -f OtterCTF.vmem --profile=Win7SP1x64 pstree

而且在查看dlllist的时候看到一个shell32.dll的程序这个vmware-tray运行的时候是有没有这个dll的

volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720

8 - Path To Glory

How did the malware got to rick’s PC? It must be one of rick old illegal habits…

题目问恶意程序是怎么进入rick的pc的，无非两种，一是下载，二是插u盘弄进来的
搜索Rick And Morty 文件扫描
发现了一些exe文件和torrent文件，exe的来源不好找，我们分析种子文件

volatility -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep 'Rick And Morty'

在第二个种子文件里找到一个website19:M3an_T0rren7_4_R!cke%

volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D ./

经过尝试恶意程序的来源网址是 M3an_T0rren7_4_R!ck

9 - Path To Glory 2

Continue the search after the way that malware got in.

把chrome.exe的dump下来，然后查找关键字 Rick And Morty season 1 download.exe

volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -n chrome.exe -D ./chrome

strings ./chrome/* | grep 'Rick And Morty season 1 download.exe' -C 10

正确答案是 Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in Yaer不知道为什么不算在里面

10 - Bit 4 Bit

We’ve found out that the malware is a ransomware. Find the attacker’s
bitcoin address.

procdump导出直接将原文件格式导出
memdump导出的文件为dmp格式

放入IDA里寻找bitcoin address

11 - Graphic’s For The Weak

There’s something fishy in the malware’s graphics.

把恶意程序导出，然后foremost可以分离出png

volatility -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./

12 - Recovery

Rick got to have his files recovered! What is the random password used
to encrypt the files?

IDA查看恶意程序在sendpassword中看到C

Memory Forensics (内存取证)相关推荐

利用Volatility进行Windows内存取证分析(一)：初体验
简介承接上文,上文中使用cuckoo沙箱的时候提到过,分析恶意代码的时候,首先利用沙箱做粗略分析,然后可以目标程序进行动态分析(OD,Windbg调试)或者静态分析(IDA静态反汇编).如果嫌每次逆 ...
MISC之内存取证_Kali环境下使用volatility
文章目录前言一.安装volatility及相关依赖文件二.例题 1.memory.raw 2.Cookie.raw 3.forensics.raw 4.disk.img 4.memory_5 前 ...
[2021首届“陇剑杯”网络安全大赛决赛]内存取证writeup
决赛不能联网-手上有只有vol2.6,这道题完全死了文章目录 [2021首届"陇剑杯"网络安全大赛决赛]内存取证 writeup 产品密钥匿名邮箱远控后门数据清除时间 [ ...
Otterctf 2018 内存取证
CTF 内存取证 https://otterctf.com/challenges 1- What the password? 问题:找到 Rick 的密码: 先使用 imageinfo 判断系统版本 ...
linux 内存取证_内存取证工具-volatility、foremost
内存取证 1. 内存取证工具volatility 猜测dump文件的profile值 root@kali:~/CTF# volatility -f mem.vmem imageinfo Volatil ...
内存取证工具——volatility 常用命令
点击可跳转前言正文猜测镜像系统调出shell窗口列举进程将内存中的某个进程保存出来列举缓存在内存的注册表列出SAM表中的用户获取最后登录系统的用户获取内存中正运行的程序列举时间线 ...
Windows Mobile使用Shared Memory(共享内存)进行IPC(进程间通信)的开发
背景在Unix-like系统进行IPC(Inter-process communication)通信,Shared memory是效率最高的,我称之为IPC的王中王. 简介本文讲述在Windows ...
苹果内存取证工具volafox
苹果内存取证工具volafox volafox是一款针对苹果内存取证的专用工具.该工具使用Python语言编写.该工具内置了overlay data数据,用户可以直接分析苹果10.6-10.11的各种 ...
Advanced Memory Allocation 内存分配进阶
Advanced Memory Allocation 内存分配进阶 URL: http://blog.csdn.net/amwihihc/article/details/7481656 May 01, ...
命名空间不能直接包含字段或方法之类的成员_Linux内存取证：解析用户空间进程堆（中）...
上文我们对解析用户空间进程堆的动机和历史,做了一个简要的概述.另外,我们Glibc堆的3层结构也做了一些概述,这些结构是解析用户空间进程堆的关键.至于每个结构所起的作用,请看本文的分析. 内存视图本 ...

Memory Forensics (内存取证)

文章目录

Memory Forensics

1 - What the password?

2 - General Info

3 - Play Time

4 - Name Game

5 - Name Game 2

6 - Silly Rick

7 - Hide And Seek

8 - Path To Glory

9 - Path To Glory 2

10 - Bit 4 Bit

11 - Graphic’s For The Weak

12 - Recovery

Memory Forensics (内存取证)相关推荐

最新文章

热门文章