Memory Forensics Series 1
2022-08-05 00:44:00 【SwBack】
Document notes
Author: SwBack
Date: 2022-5-5 11:05
Challenge description
- My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Note: This challenge is composed of 3 flags.
Solution
flag1
Extract the key information from the challenge description:
- Black window: most likely cmd.exe
- Drawing something: most likely a drawing tool
- Important files exist: the files on the system need to be scanned
Identify the memory image (suggested profile)
volatility -f MemoryDump_Lab1.raw imageinfo
List processes; cmd.exe is present
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
Scan the command history and console output; a base64-encoded string is found
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
Decode the base64 string to get the first flag
echo "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" | base64 -d
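The cmdscan/consoles step above relies on the base64 string sitting in a console buffer. As an added example (not part of the original write-up), the script below carves printable base64 runs straight out of raw bytes, checking both 8-bit text and the UTF-16LE form a Windows console screen buffer uses; the sample memory is constructed, not taken from the lab dump.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Base64 runs in 8-bit text, and in UTF-16LE text (each ASCII char followed by 0x00),
# which is how a Windows console screen buffer stores its characters.
ASCII_B64 = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}")
UTF16_B64 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){16,}(?:=\x00){0,2}")

# Constructed sample, not a real dump: one 8-bit copy of the command line, one
# UTF-16LE copy as the screen buffer would hold it, plus non-printable noise.
SAMPLE_MEMORY = (
    b"\x00\x00C:\\Users\\user>echo ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=\x00"
    + "echo ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=".encode("utf-16-le")
    + b"\x00\x00AAAAAAAAAAAAAAAAAAAAAAAA\x00"
)


def decode_candidate(token: bytes) -> Optional[str]:
    """Return decoded text if token is valid base64 for printable ASCII, else None."""
    token = token.rstrip(b"=")
    if len(token) % 4 == 1:              # no base64 string can have this length
        return None
    token += b"=" * (-len(token) % 4)    # restore padding lost to truncation
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None                          # decoded to binary junk, not a message


def carve_base64(data: bytes) -> List[Tuple[int, str]]:
    """Find (offset, decoded_text) for every printable base64 blob in data."""
    hits = []
    for m in ASCII_B64.finditer(data):
        text = decode_candidate(m.group(0))
        if text:
            hits.append((m.start(), text))
    for m in UTF16_B64.finditer(data):
        text = decode_candidate(m.group(0)[::2])   # drop the interleaved 0x00 bytes
        if text:
            hits.append((m.start(), text))
    return sorted(hits)


if __name__ == "__main__":
    for offset, text in carve_base64(SAMPLE_MEMORY):
        print(f"0x{offset:08x}: {text}")
```

Run it against a real dump by reading the file in binary mode and passing the bytes (or a memdump of the conhost/cmd process) to carve_base64.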
flag2
The process list contains the drawing tool mspaint.exe
Dump the process memory
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D ./
Open the dump with GIMP (a third-party tool; it can render raw data as an image)
Adjust the width and height until the image renders
flag2 is visible in the recovered image
flag3
WinRAR.exe is in the process list; get the name of the archive it opened
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dlllist |grep WinRAR
Get the file object address of the archive
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan |grep Important
Extract the archive
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D ./
Get the password hint for the archive
Dump the password hashes
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump
Obtain flag3 from the archive