CTFtime.org

eazy dump

by godspeedcurry / 欸欸欸

Rating:

forensics

tools:https://github.com/volatilityfoundation/volatility

1.First, we just need to look what is in the file.

root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# python vol.py  -f mem.data imagenfo
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
ERROR   : volatility.debug    : You must specify something to do (try -h)
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# ls
1.out  AUTHORS.txt    contrib      dump       LICENSE.txt  MANIFEST.in  PKG-INFO     pyinstaller.spec  resources  tools    user.out    vol.py
2.out  CHANGELOG.txt  CREDITS.txt  LEGAL.txt  Makefile     mem.data     pyinstaller  README.txt        setup.py   uer.out  volatility
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# python vol.py  -f mem.data imageinfo
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/aaa/20181110/volatility/mem.data)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80004035070L
          Number of Processors : 4
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff80004036d00L
                KPCR for CPU 1 : 0xfffff880009ee000L
                KPCR for CPU 2 : 0xfffff88004568000L
                KPCR for CPU 3 : 0xfffff880045dd000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-11-07 08:26:52 UTC+0000
     Image local date and time : 2018-11-07 16:26:52 +0800

2. Dump all the running processes to see if there was any interesting software running.

python vol.py -f mem.data --profile=Win7SP0x64 psscan

Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000000000505340 spoolsv.exe        1096    472 0x000000000b1f9000 2018-11-07 08:12:37 UTC+0000
0x0000000000b0ab30 svchost.exe         648    472 0x000000000c79f000 2018-11-07 08:12:35 UTC+0000
0x000000000116e560 mspaint.exe        2768   1696 0x0000000003b05000 2018-11-07 08:16:05 UTC+0000        <- this one 
0x0000000001210b30 taskhost.exe       1452    472 0x0000000006092000 2018-11-07 08:12:37 UTC+0000
0x0000000002757390 wordpad.exe        1804   1696 0x000000000a876000 2018-11-07 08:15:35 UTC+0000       <- this one 
0x0000000003399b30 SearchIndexer.     2476    472 0x0000000001362000 2018-11-07 08:12:46 UTC+0000
0x00000000033f4b30 explorer.exe       1696   1548 0x000000000bfb0000 2018-11-07 08:12:38 UTC+0000
0x00000000038fd800 WmiPrvSE.exe       3052    648 0x000000000d18a000 2018-11-07 08:12:59 UTC+0000
0x0000000003d1e060 csrss.exe           424    408 0x0000000003d0f000 2018-11-07 08:12:33 UTC+0000
0x00000000042ab630 dllhost.exe        1716    472 0x000000000093d000 2018-11-07 08:12:40 UTC+0000
0x000000000449f060 wininit.exe         416    344 0x0000000004510000 2018-11-07 08:12:33 UTC+0000
0x00000000046bb570 WmiPrvSE.exe       1392    648 0x0000000002bd3000 2018-11-07 08:12:40 UTC+0000
0x0000000005733b30 vmtoolsd.exe       2028   1696 0x000000000babd000 2018-11-07 08:12:39 UTC+0000
0x000000000636f880 lsm.exe             524    416 0x000000000e447000 2018-11-07 08:12:33 UTC+0000
0x000000000670cb30 WmiApSrv.exe       1228    472 0x00000000042be000 2018-11-07 08:13:05 UTC+0000
0x00000000077b7b30 services.exe        472    416 0x000000000e217000 2018-11-07 08:12:33 UTC+0000
0x000000000836f060 conhost.exe        2932    364 0x000000000727e000 2018-11-07 08:26:51 UTC+0000   2018-11-07 08:26:52 UTC+0000
0x00000000089da060 sppsvc.exe         1040    472 0x000000000c494000 2018-11-07 08:14:39 UTC+0000
0x00000000089da630 wmpnetwk.exe       2724    472 0x000000000dbd0000 2018-11-07 08:12:47 UTC+0000
0x00000000092ef060 vmtoolsd.exe       1356    472 0x00000000083d2000 2018-11-07 08:12:37 UTC+0000
0x000000000960db30 dwm.exe            1628    884 0x000000000c5dc000 2018-11-07 08:12:38 UTC+0000
0x00000000097ddb30 lsass.exe           516    416 0x000000000a43f000 2018-11-07 08:12:33 UTC+0000
0x000000000980db30 svchost.exe         844    472 0x00000000048aa000 2018-11-07 08:12:35 UTC+0000
0x0000000009937b30 vmacthlp.exe        704    472 0x0000000009d4c000 2018-11-07 08:12:35 UTC+0000
0x000000000999f060 csrss.exe           364    344 0x000000000841f000 2018-11-07 08:12:33 UTC+0000
0x000000000a65e060 svchost.exe        1376    472 0x000000000095f000 2018-11-07 08:14:39 UTC+0000
0x000000000b3a39e0 svchost.exe         288    472 0x0000000009767000 2018-11-07 08:12:36 UTC+0000
0x000000000b996b30 svchost.exe        2568    472 0x0000000002e83000 2018-11-07 08:12:46 UTC+0000
0x000000000c42b060 VGAuthService.     1300    472 0x00000000070e6000 2018-11-07 08:12:37 UTC+0000
0x000000000d0ebb30 svchost.exe         884    472 0x000000000b3b0000 2018-11-07 08:12:36 UTC+0000
0x000000000d8b0670 winlogon.exe        504    408 0x000000000d895000 2018-11-07 08:12:33 UTC+0000
0x000000000d9cbb30 svchost.exe         520    472 0x00000000025ad000 2018-11-07 08:12:37 UTC+0000
0x000000000dd83b30 msdtc.exe          2236    472 0x000000000dd76000 2018-11-07 08:12:42 UTC+0000
0x000000000dd8fb30 audiodg.exe        1000    844 0x000000000dab6000 2018-11-07 08:12:36 UTC+0000
0x000000000e2d7b30 svchost.exe         912    472 0x000000000c056000 2018-11-07 08:12:36 UTC+0000
0x000000000e36d060 svchost.exe        1124    472 0x000000000b408000 2018-11-07 08:12:37 UTC+0000
0x000000000eab2b30 svchost.exe         748    472 0x000000000a1d8000 2018-11-07 08:12:35 UTC+0000
0x000000000f0729d0 smss.exe            276      4 0x00000000088ec000 2018-11-07 08:12:31 UTC+0000
0x000000000f207470 svchost.exe        2472    472 0x000000000108d000 2018-11-07 08:16:06 UTC+0000
0x000000000f4feb30 cmd.exe            2824   1356 0x00000000092a9000 2018-11-07 08:26:51 UTC+0000   2018-11-07 08:26:52 UTC+0000
0x000000000f59ab30 MineSweeper.ex      312   1696 0x0000000003854000 2018-11-07 08:15:39 UTC+0000
0x000000000ff22040 System                4      0 0x0000000000187000 2018-11-07 08:12:31 UTC+0000

3.dump them to our local directory

mkdir dump

python vol.py -f mem.data --profile=Win7SP0x64 memdump -p 2768 -D dump/

root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility# cd dump
root@DESKTOP-P7NSD1K:~/aaa/20181110/volatility/dump# ls
2768.dmp

4.now let's use another tool.

https://www.gimp.org/ It's icon is a lovely dog! rename our file to 2768.data

5.open it with our dog GIMP

click your mouse randomly

6. I prefer use word2016 to rotate the picture

then I have the flag.

Thanks.

By: godspeedcurry from AAA

Original writeup (https://hctf.io/).

Comments