angstromCTF 2016 - Volatile
Category: Forensics Score: 90
Description:
Help! One of our machines has been compromised! We have a memory dump. Find the suspicious process. The machine was running Windows XP service pack 2.
The Volatility profile for the memory dump is WinXPSP2x86
#######
Using the Volatility tool, list the processes in the dump:
$ ./vol.py -f memdump.mem --profile=WinXPSP2x86 pslist
################################
Offset(V)  Name             PID  PPID  Thds  Hnds  Sess  Wow64  Start
----------------------------------------------------------------------------------------------------------------------------------------------
0x81f88020 wtf_who_names_k  1768 500   1     15    0     0      2015-04-23 04:09:31
----------------------------------------------------------------------------------------------------------------------------------------------
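The pslist row above stands out to a human eye, but on a real dump with a hundred processes it helps to triage the table programmatically. The following Python is an added example (not part of the writeup and not Volatility's own code): it parses Volatility 2 pslist text output and flags processes whose image name is not in a baseline of stock Windows XP processes, whose parent PID is no longer in the listing, or whose 15-character image name suggests the real executable name is longer (as with wtf_who_names_k here, which dlllist then expands). The sample listing is constructed; only the wtf_who_names_k row and its offset come from the page.

```python
"""Triage helper for Volatility 2 `pslist` output (added example).

Parses the text table and reports per-PID reasons a process deserves a
closer look. The XP baseline and the sample listing are constructed for
this example; the wtf_who_names_k row is the one from the writeup.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Stock Windows XP SP2 process names used as a baseline (constructed list).
XP_BASELINE = {
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe",
    "wuauclt.exe", "ctfmon.exe",
}

# pslist shows at most 15 characters of the image name (EPROCESS.ImageFileName).
IMAGE_NAME_LIMIT = 15


@dataclass
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int
    start: str


# Columns as printed by Volatility 2 pslist:
# Offset(V) Name PID PPID Thds Hnds Sess Wow64 [Start]
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


def parse_pslist(text: str) -> List[Proc]:
    """Return one Proc per data row; banner, header and separators are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        procs.append(Proc(
            offset=int(m.group(1), 16),
            name=m.group(2),
            pid=int(m.group(3)),
            ppid=int(m.group(4)),
            threads=int(m.group(5)),
            handles=int(m.group(6)),
            start=m.group(9).strip(),
        ))
    return procs


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map PID -> list of reasons the process is worth a closer look."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons = []
        if p.name not in XP_BASELINE:
            reasons.append("name not in XP baseline")
        if p.ppid != 0 and p.ppid not in by_pid:
            # Parent already exited: weak on its own (explorer.exe's parent
            # userinit.exe normally exits), stronger combined with other hits.
            reasons.append(f"parent PID {p.ppid} not in listing")
        if len(p.name) >= IMAGE_NAME_LIMIT:
            reasons.append("image name truncated; check dlllist/cmdline for full path")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample listing in Volatility 2 pslist format.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                     4      0     53      240 ------      0
0x822f1020 smss.exe                 368      4      3       19 ------      0 2015-04-23 04:05:10 UTC+0000
0x8220f020 csrss.exe                584    368      9      326      0      0 2015-04-23 04:05:12 UTC+0000
0x81fd3da0 winlogon.exe             608    368     23      519      0      0 2015-04-23 04:05:12 UTC+0000
0x81fc8b28 explorer.exe            1464   1436     11      348      0      0 2015-04-23 04:06:01 UTC+0000
0x81f88020 wtf_who_names_k         1768    500      1       15      0      0 2015-04-23 04:09:31 UTC+0000
"""

if __name__ == "__main__":
    for pid, reasons in sorted(triage(parse_pslist(SAMPLE_PSLIST)).items()):
        print(f"PID {pid}: " + "; ".join(reasons))
```

Run against the sample, the script reports explorer.exe only for its exited parent (normal on XP) and wtf_who_names_k for all three reasons, which is the cue to run dlllist against PID 1768 as the writeup does next.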
##############################################
The process name in pslist is truncated, so list the loaded modules of PID 1768 to get its full command line:
$ vol.py -f memdump.mem --profile=WinXPSP2x86 -p 1768 dlllist
##############################################
************************************************************************
wtf_who_names_k pid: 1768
Command line : "C:\Documents and Settings\Administrator\Desktop\wtf_who_names_keyloggers_like_this.exe"
Service Pack 2
Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x00400000 0x11000    0xffff     C:\Documents and Settings\Administrator\Desktop\wtf_who_names_keyloggers_like_this.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000    0xffff     C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000    0xffff     C:\WINDOWS\system32\ADVAPI32.DLL
0x77e70000 0x91000    0xffff     C:\WINDOWS\system32\RPCRT4.dll
0x77c10000 0x58000    0xffff     C:\WINDOWS\system32\msvcrt.dll
0x77d40000 0x90000    0xffff     C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000    0xffff     C:\WINDOWS\system32\GDI32.dll
####################################################
The flag is the executable's base name: wtf_who_names_keyloggers_like_this