Tags: forensics 

# Hidden (100 PTS)
### Description
>Find the hidden process.
>The flag is SharifCTF{MD5(Process id)}.

Flag: ```SharifCTF{4f4adcbf8c6f66dcfc8a3282ac2bf10a}```

### Files

- [dump.zip](https://github.com/VoidHack/write-ups/blob/master/SharifCTF%208/forensics/hidden/dump.zip)

### Solution

Inside the given archive we find a raw dump of Windows memory, so [Volatility](http://www.volatilityfoundation.org/) is the natural tool for investigating it.
Let's take two process listings:
- ```psscan``` (scans memory for process structures, so it also shows hidden and terminated processes)
- ```pslist``` (walks the active process list, so it shows only the visible processes)

```
C:\Users\Vova\Desktop\SharifCTF8> volatility.exe -f dump pslist > pslist.txt
Volatility Foundation Volatility Framework 2.4

C:\Users\Vova\Desktop\SharifCTF8> volatility.exe -f dump psscan > psscan.txt
Volatility Foundation Volatility Framework 2.4

C:\Users\Vova\Desktop\SharifCTF8>
```

Now we need the difference between the two files. ```fc``` won't help here because the two listings are not in the same format (different columns), so we compare them by eye.

![](https://github.com/VoidHack/write-ups/raw/master/SharifCTF%208/forensics/hidden/images/pslist.png)

![](https://github.com/VoidHack/write-ups/raw/master/SharifCTF%208/forensics/hidden/images/psscan.png)

So, can you see the difference? Yes, these three processes:

![](https://github.com/VoidHack/write-ups/raw/master/SharifCTF%208/forensics/hidden/images/difference.png)

As you can see, two of them have an exit time (they were terminated), so the hidden process is the remaining one, PID 404, and we submit its MD5.

```
C:\Users\Vova\Desktop\SharifCTF8> python
Python 3.6.4 (v3.6.4:d48eceb, Dec 19 2017, 06:04:45) [MSC v.1900 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> from hashlib import md5
>>> md5(b'404').hexdigest()
'4f4adcbf8c6f66dcfc8a3282ac2bf10a'
>>>
```
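The comparison above was done by eye on the two screenshots. As an added example (not part of the original writeup), the script below automates the same procedure: it parses Volatility 2 `pslist` and `psscan` output, reports PIDs that `psscan` found but `pslist` did not, filters out the ones that carry an exit timestamp, and builds the flag from the survivor. The two listings embedded here are constructed sample data in the Volatility 2 column layout (process names, offsets and timestamps are made up); only PID 404 and the resulting flag come from the writeup.

```python
import re
from hashlib import md5

# Volatility 2 prints timestamps as "YYYY-MM-DD HH:MM:SS UTC+0000".
TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")
# A process row starts with an offset, then name, PID and PPID columns
# (this prefix is the same for pslist and psscan, the rest differs).
ROW = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

# Constructed sample output, NOT the real dump's listing.
PSLIST = """Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     53      241 ------      0
0x81f9b020 smss.exe                368      4      3       19 ------      0 2018-02-01 10:00:01 UTC+0000
0x81e0a560 csrss.exe               584    368     10      412      0      0 2018-02-01 10:00:03 UTC+0000
"""

PSSCAN = """Volatility Foundation Volatility Framework 2.4
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002f0b020 smss.exe            368      4 0x0a3c0020 2018-02-01 10:00:01 UTC+0000
0x000000000220a560 csrss.exe           584    368 0x0a3c0040 2018-02-01 10:00:03 UTC+0000
0x0000000003a1c830 notepad.exe        1234    584 0x0a3c0080 2018-02-01 10:05:00 UTC+0000 2018-02-01 10:06:30 UTC+0000
0x0000000003b2d020 cmd.exe            2020    584 0x0a3c00a0 2018-02-01 10:07:00 UTC+0000 2018-02-01 10:07:45 UTC+0000
0x0000000003c3e560 unknown.exe         404    584 0x0a3c00c0 2018-02-01 10:08:00 UTC+0000
0x00000000023c8830 System                4      0 0x00319000
"""


def parse_listing(text):
    """Map pid -> (name, exited) for every process row in a listing.

    Header, dash and banner lines do not match ROW and are skipped.
    A row with two timestamps has both a start and an exit time, which
    means the process had already terminated when the dump was taken.
    """
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, pid = m.group(1), int(m.group(2))
        exited = len(TS.findall(line)) == 2
        procs[pid] = (name, exited)
    return procs


def hidden_processes(pslist_text, psscan_text):
    """(pid, name, exited) for PIDs psscan found that pslist did not list."""
    listed = parse_listing(pslist_text)
    scanned = parse_listing(psscan_text)
    return sorted((pid, name, exited)
                  for pid, (name, exited) in scanned.items()
                  if pid not in listed)


def still_running(pslist_text, psscan_text):
    """PIDs missing from pslist that have no exit time: the real suspects."""
    return [pid for pid, _, exited in hidden_processes(pslist_text, psscan_text)
            if not exited]


def flag_for(pid):
    """The challenge's flag format: SharifCTF{MD5(Process id)}."""
    return "SharifCTF{%s}" % md5(str(pid).encode()).hexdigest()


if __name__ == "__main__":
    for pid, name, exited in hidden_processes(PSLIST, PSSCAN):
        print("%5d %-16s %s" % (pid, name, "exited" if exited else "RUNNING"))
    for pid in still_running(PSLIST, PSSCAN):
        print(flag_for(pid))
```

Matching on the offset/name/PID/PPID prefix and counting timestamps keeps the parser independent of the columns that differ between the two plugins, which is exactly why ```fc``` could not be used. Keep in mind that on a real dump the set of psscan-only entries also includes terminated processes whose structures simply have not been overwritten yet; only the entries without an exit time are candidates for a deliberately unlinked process.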

Original writeup (https://github.com/VoidHack/write-ups/tree/master/SharifCTF%208/forensics/hidden).