Tags: forensics volatility 

Hi everybody. We can check the file using file, strings, hexdump or xxd to get some information about it.
This is a memory dump, so we can investigate it. I found a solution using the Volatility forensics framework.
With Volatility we can extract all processes and DLLs, the Administrator password, .......

./volatility -f memdump.mem --profile=WinXPSP2x86 psscan
./volatility -f memdump.mem --profile=WinXPSP2x86 pslist
./volatility -f memdump.mem --profile=WinXPSP2x86 dlllist
.....

Sorry for this short writeup; CTF players have no problem using the Volatility framework.

In this challenge the flag is the keylogger's name, which is why nothing stands out in the process list.
We can scan the process command lines to get the keylogger: who_names_keyloggers_like_this.exe
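The step above is where the triage actually happens: psscan finds process objects by carving the pool even when they are unlinked from the list pslist walks, and the cmdline plugin recovers the full image path from the PEB, where the EPROCESS name is cut off at 15 characters. The script below is an added example, not part of the original writeup or of Volatility itself. It parses constructed text laid out like Volatility 2's pslist, psscan and cmdline output (the offsets, PIDs and timestamps are made up) and reports processes that are unlinked from pslist or run from outside the usual system directories.

```python
import re

# Constructed sample output, laid out like Volatility 2 pslist / psscan / cmdline
# (assumption: Volatility 2.x column layout; offsets, PIDs and times are made up).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- ---------------------- ------ ------ ------ -------- ------ ------ ----
0x817f9020 System                     4      0     58      260 ------      0
0x8198f5d8 explorer.exe            1476   1448     12      372      0      0 2016-03-01 10:02:11 UTC+0000
0x81a2c020 notepad.exe             1820   1476      1       34      0      0 2016-03-01 10:05:40 UTC+0000
"""

# psscan carves EPROCESS blocks from memory, so it also shows processes that were
# unlinked from the active process list. The name column is the 15-byte
# EPROCESS.ImageFileName, hence the truncated keylogger name.
PSSCAN = """\
Offset(P)  Name                PID   PPID PDB        Time created
---------- ---------------- ------ ------ ---------- ------------------------------
0x01bf9020 System                4      0 0x00039000 2016-03-01 09:58:02 UTC+0000
0x021ef5d8 explorer.exe       1476   1448 0x0a1c0220 2016-03-01 10:02:11 UTC+0000
0x0232c020 notepad.exe        1820   1476 0x0a1c0260 2016-03-01 10:05:40 UTC+0000
0x0241a8e0 who_names_keylo    1920   1476 0x0a1c02a0 2016-03-01 10:03:15 UTC+0000
"""

# cmdline reads the full command line from the PEB, which is where the untruncated
# executable name (the flag in this challenge) becomes visible.
CMDLINE = r"""************************************************************************
System pid:      4
************************************************************************
explorer.exe pid:   1476
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
notepad.exe pid:   1820
Command line : "C:\WINDOWS\system32\notepad.exe"
************************************************************************
who_names_keylo pid:   1920
Command line : "C:\Documents and Settings\Administrator\Desktop\who_names_keyloggers_like_this.exe"
"""

# A data row starts with the hex offset, then name, PID, PPID.
PS_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)
# A cmdline block is "<name> pid: <n>" optionally followed by a "Command line :" line.
CMD_BLOCK = re.compile(r"^(\S+) pid:\s+(\d+)\n(?:Command line : (.*))?", re.M)

# Directories a stock Windows XP box normally runs binaries from (assumption for the demo).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_process_table(text):
    """Map PID -> process name from pslist or psscan output."""
    return {int(pid): name for name, pid, _ppid in PS_ROW.findall(text)}


def parse_cmdline(text):
    """Map PID -> (short name, full command line or None) from cmdline output."""
    result = {}
    for name, pid, cmd in CMD_BLOCK.findall(text):
        result[int(pid)] = (name, cmd.strip().strip('"') if cmd else None)
    return result


def hidden_processes(pslist_text, psscan_text):
    """PIDs found by the pool scan but missing from the linked process list."""
    linked = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return {pid: name for pid, name in scanned.items() if pid not in linked}


def unusual_image_paths(cmdline_text):
    """PIDs whose executable lives outside the trusted system directories."""
    findings = {}
    for pid, (_name, cmd) in parse_cmdline(cmdline_text).items():
        if cmd is not None and not cmd.lower().startswith(TRUSTED_PREFIXES):
            findings[pid] = cmd
    return findings


def triage(pslist_text, psscan_text, cmdline_text):
    """Combine both signals into (pid, full executable name, reasons) tuples."""
    hidden = hidden_processes(pslist_text, psscan_text)
    odd = unusual_image_paths(cmdline_text)
    report = []
    for pid in sorted(set(hidden) | set(odd)):
        reasons = []
        if pid in hidden:
            reasons.append("unlinked from pslist")
        if pid in odd:
            reasons.append("runs from " + odd[pid].rsplit("\\", 1)[0])
        # Prefer the untruncated name from the command line over the 15-char EPROCESS name.
        full_name = odd[pid].rsplit("\\", 1)[-1] if pid in odd else hidden[pid]
        report.append((pid, full_name, reasons))
    return report


if __name__ == "__main__":
    for pid, name, reasons in triage(PSLIST, PSSCAN, CMDLINE):
        print(f"PID {pid}: {name} ({'; '.join(reasons)})")
```

On a real dump, replace the three constants with the saved output of `psscan`, `pslist` and `cmdline` for the matching profile. Neither signal is proof on its own: a process can be absent from pslist simply because it exited after the list was walked, and plenty of legitimate software runs from a user's profile, so the script only narrows down what to inspect with dlllist, handles or a dump of the image.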


Writeup Source : https://github.com/MrMugiwara/WriteupsCTF/blob/master/AngstromCTF2016/Volatile90/README.md

Regards,

Original writeup (https://github.com/MrMugiwara/WriteupsCTF/blob/master/AngstromCTF2016/Volatile90/README.md).