angstromCTF 2016 - Volatile
Category: Forensics    Score: 90
Description:
Help! One of our machines has been compromised! We have a memory dump. Find the suspicious process. The machine was running Windows XP Service Pack 2.

The matching Volatility profile for this dump is WinXPSP2x86.

#######

Using the Volatility tool, first list the running processes:

$ ./vol.py -f memdump.mem --profile=WinXPSP2x86 pslist

################################

Offset(V)   Name              PID   PPID   Thds   Hnds   Sess  Wow64  Start
----------------------------------------------------------------------------------------------------------------------------------------------
0x81f88020  wtf_who_names_k   1768   500      1     15      0      0  2015-04-23 04:09:31
----------------------------------------------------------------------------------------------------------------------------------------------

##############################################

$ ./vol.py -f memdump.mem --profile=WinXPSP2x86 -p 1768 dlllist

##############################################

************************************************************************
wtf_who_names_k pid:   1768
Command line : "C:\Documents and Settings\Administrator\Desktop\wtf_who_names_keyloggers_like_this.exe"
Service Pack 2

Base          Size        LoadCount   Path
----------    ----------  ----------  ----
0x00400000    0x11000     0xffff      C:\Documents and Settings\Administrator\Desktop\wtf_who_names_keyloggers_like_this.exe
0x7c900000    0xb0000     0xffff      C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf4000     0xffff      C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff      C:\WINDOWS\system32\ADVAPI32.DLL
0x77e70000    0x91000     0xffff      C:\WINDOWS\system32\RPCRT4.dll
0x77c10000    0x58000     0xffff      C:\WINDOWS\system32\msvcrt.dll
0x77d40000    0x90000     0xffff      C:\WINDOWS\system32\USER32.dll
0x77f10000    0x46000     0xffff      C:\WINDOWS\system32\GDI32.dll

####################################################
 
The flag is: wtf_who_names_keyloggers_like_this
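As an added example that is not part of the original writeup: a small Python script that parses the two Volatility outputs shown above (constructed samples embedded inline), recovers the full executable name that pslist truncates at 15 characters, checks that the truncated name agrees with the dlllist command line, and flags images launched from user-writable folders. The sample text and the path heuristics are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout Volatility's pslist prints (one row kept).
PSLIST_OUTPUT = r"""
Offset(V)  Name             PID   PPID   Thds  Hnds  Sess  Wow64 Start
---------------------------------------------------------------------------------
0x81f88020 wtf_who_names_k  1768   500      1    15     0      0 2015-04-23 04:09:31
"""

# Constructed sample of the header dlllist -p <pid> prints for that process.
DLLLIST_OUTPUT = r"""
************************************************************************
wtf_who_names_k pid:   1768
Command line : "C:\Documents and Settings\Administrator\Desktop\wtf_who_names_keyloggers_like_this.exe"
Service Pack 2
"""

# Columns: offset, name, PID, PPID, Thds, Hnds, Sess, Wow64, start timestamp.
PSLIST_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_pslist(text):
    """One dict per process row; header and separator lines never match."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line.strip())
        if m:
            _, name, pid, ppid, *_rest, start = m.groups()
            procs.append({"name": name, "pid": int(pid), "ppid": int(ppid), "start": start.strip()})
    return procs

def command_line(dlllist_text):
    """The quoted command line from the dlllist header, quotes stripped."""
    m = re.search(r'^Command line\s*:\s*"?(.*?)"?\s*$', dlllist_text, re.M)
    return m.group(1) if m else None

def full_image_name(cmdline):
    """pslist caps Name at 15 chars (EPROCESS.ImageFileName); the command line has the full name."""
    return PureWindowsPath(cmdline).stem

def name_consistent(pslist_name, cmdline):
    """The truncated pslist name must prefix the real image name; a mismatch
    hints at a renamed or hollowed process."""
    return PureWindowsPath(cmdline).name.lower().startswith(pslist_name.lower())

def is_suspicious(cmdline):
    """Binaries launched from user-writable folders (Desktop, Temp) warrant a closer look."""
    p = cmdline.lower()
    return any(marker in p for marker in ("documents and settings", "\\desktop\\", "\\temp\\"))
```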