Memory Forensics Series 1
2022-08-05 00:44:00 【SwBack】
Document notes
Author: SwBack
Date: 2022-5-5 11:05
Challenge description
- My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Note: This challenge is composed of 3 flags.
Solution
flag1
Extract the key information from the challenge text:
Black window: suspected cmd.exe. Drawing something: a suspected drawing tool. Important files exist: the file system in the dump needs to be scanned.
Identify the memory image and its profile
volatility -f MemoryDump_Lab1.raw imageinfo

List the processes; cmd.exe is present
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist

Scan the command history and console output; a base64-encoded string is found
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan

volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles

Decode the base64 string to obtain the first flag
echo "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" |base64 -d
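Spotting the base64 string in the console buffer by eye works for one console, but a dump can hold many. The following is an added example (not part of the original write-up) that scans text such as the `consoles` output for base64-looking tokens, keeps only those that decode to printable text, and pulls out anything shaped like a flag. The sample console text is constructed and only loosely modelled on the layout of Volatility 2 `consoles` output; the process names, PIDs, addresses and `run.exe` in it are placeholders, and only the base64 string is the one quoted above.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed sample (not the challenge dump's real output); the layout loosely
# follows Volatility 2 `consoles`. Only the base64 line comes from the write-up.
SAMPLE_CONSOLE_OUTPUT = """\
**************************************************
ConsoleProcess: conhost.exe Pid: 2692
Console: 0xff756200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\\system32\\cmd.exe
Title: C:\\Windows\\system32\\cmd.exe
AttachedProcess: cmd.exe Pid: 1984 Handle: 0x60
----
CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
Cmd #0 at 0x1de3c0: run.exe
Cmd #1 at 0x1de410: dir
----
Screen 0x1e0f70 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
C:\\Users\\user>run.exe
ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
Press any key to continue . . .
"""

# A run of base64 alphabet characters with optional padding, not glued to
# another base64 character on either side (so we do not cut tokens in half).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
FLAG_PATTERN = re.compile(r"flag\{[^}]*\}")


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def find_base64_candidates(text: str, min_len: int = 16) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) pairs for tokens that strictly decode to text.

    Field names such as HistoryBufferMax are valid base64 alphabet too; the
    length check and the printable-text filter are what weed them out.
    """
    hits = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(1)
        if len(token) < min_len or len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_text(raw):
            hits.append((token, raw.decode("ascii")))
    return hits


def extract_flags(text: str) -> List[str]:
    """Decode every base64 candidate in `text` and collect flag{...} strings."""
    flags = []
    for _token, decoded in find_base64_candidates(text):
        flags.extend(FLAG_PATTERN.findall(decoded))
    return flags


if __name__ == "__main__":
    for token, decoded in find_base64_candidates(SAMPLE_CONSOLE_OUTPUT):
        print(f"{token} -> {decoded}")
```

Run it against the saved `consoles` output (`python3 scan_console.py < consoles.txt` after swapping the sample for `sys.stdin.read()`); the printable-text filter is what keeps the field names of the console structures from showing up as false positives.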

flag2
The process list contains the drawing tool mspaint.exe
Dump the process memory
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D ./

Open the dump in GIMP as raw image data (a third-party tool; the bitmap held in memory can be recovered this way)
Adjust the width and height until the picture becomes recognizable
flag2 is visible in the reconstructed image
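The GIMP step works because a window's pixel buffer is still sitting in the process memory as rows of raw pixels; guessing the row width is the whole trick. The following is an added example (not from the original write-up) that does the same two things in code: it estimates the row stride by comparing each byte with the byte one candidate row later (the true stride gives the smallest difference, since neighbouring rows of a picture look alike), and it wraps a chosen region in a PPM header so any image viewer can open it. The `make_synthetic_frame` input is constructed so the example runs offline; on a real `memdump` you would pass the dump's bytes and try a range of offsets.

```python
from typing import Optional

RGB = 3    # 24-bit RGB rows
BGRA = 4   # 32-bit BGRA, the usual Windows GDI surface layout


def stride_score(data: bytes, stride: int, sample: int = 4096) -> float:
    """Mean absolute difference between each byte and the byte `stride` later.

    A correct stride lines each byte up with the same pixel channel one row
    down, so adjacent rows of a picture score low; a wrong stride compares
    unrelated bytes and scores high.
    """
    n = min(sample, len(data) - stride)
    if n <= 0:
        return float("inf")
    return sum(abs(data[i] - data[i + stride]) for i in range(n)) / n


def guess_width(data: bytes, min_width: int, max_width: int, bpp: int = RGB) -> int:
    """Return the candidate width whose stride (width * bpp) scores lowest."""
    return min(range(min_width, max_width + 1),
               key=lambda w: stride_score(data, w * bpp))


def to_ppm(data: bytes, width: int, height: int, offset: int = 0, bpp: int = RGB) -> bytes:
    """Wrap a raw pixel buffer in a binary PPM (P6) header.

    bpp=3 is treated as RGB. bpp=4 is treated as BGRA and converted to RGB by
    swapping the channel order and dropping alpha; if the guess is wrong the
    colours come out swapped but the shapes (and any text) are still readable.
    """
    need = width * height * bpp
    chunk = data[offset:offset + need]
    chunk += b"\x00" * (need - len(chunk))    # pad a short tail so the image still opens
    if bpp == BGRA:
        chunk = b"".join(bytes((chunk[i + 2], chunk[i + 1], chunk[i]))
                         for i in range(0, need, 4))
    elif bpp != RGB:
        raise ValueError("bpp must be 3 or 4")
    header = f"P6\n{width} {height}\n255\n".encode("ascii")
    return header + chunk


def make_synthetic_frame(width: int, height: int, bpp: int = RGB) -> bytes:
    """Constructed test input: a column-dependent pattern with a slow row drift,
    i.e. rows that resemble their neighbours the way a real picture's do."""
    stride = width * bpp
    out = bytearray()
    for row in range(height):
        drift = (row * 3) % 16
        for k in range(stride):
            out.append(((k * 37) + drift) % 256)
    return bytes(out)


def save_ppm(path: str, data: bytes, width: int, height: int,
             offset: int = 0, bpp: int = RGB) -> Optional[int]:
    """Write the region as a .ppm file and return the number of bytes written."""
    image = to_ppm(data, width, height, offset, bpp)
    with open(path, "wb") as fh:
        return fh.write(image)


if __name__ == "__main__":
    frame = make_synthetic_frame(64, 40)
    print("guessed width:", guess_width(frame, 16, 100))   # 64 for the synthetic frame
    save_ppm("recovered.ppm", frame, 64, 40)
```

On a real dump, run `guess_width` over a few megabytes at a time with a plausible width range (screen-sized, e.g. 200 to 2000), try `bpp=4` first for a Windows process, and step the offset until the PPM shows something; a good stride guess with a wrong offset still shows a sheared but recognizable picture, which is exactly what the manual width/height fiddling in GIMP is converging on.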

flag3
WinRAR.exe is present in the process list; get the name of the archive being extracted
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dlllist |grep WinRAR

Get the offset of the archive's file object
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan |grep Important

Extract the archive
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D ./

Open the archive: it is password protected, and its hint points at the account password hash

Dump the password hashes
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump

Obtain flag3
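`hashdump` prints one pwdump-style line per local account (`user:rid:LM:NT:::`). The following is an added example (not from the original write-up) that parses that format into records and flags the two things a reviewer of a dump wants to see immediately: accounts whose NT hash is the well-known hash of the empty password, and accounts that still have a real LM hash stored. The sample lines are constructed; the 32-hex-digit NT hash for `alice` is a placeholder, while the two constants are the genuine empty-LM and empty-NT values.

```python
import re
from typing import Dict, List

# Well-known constants: LM "hash" stored when LM hashing is disabled or the
# password is empty, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format, as printed by Volatility 2 `hashdump`.
# Not the challenge's real output; alice's NT hash is a placeholder.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text: str) -> List[Dict[str, object]]:
    """Parse pwdump lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        match = PWDUMP_LINE.match(line.strip())
        if not match:
            continue
        lm = match.group("lm").lower()
        nt = match.group("nt").lower()
        entries.append({
            "user": match.group("user"),
            "rid": int(match.group("rid")),
            "lm": lm,
            "nt": nt,
            "lm_present": lm != EMPTY_LM,      # a real LM hash is a weakness in itself
            "empty_password": nt == EMPTY_NT,  # account has no password set
        })
    return entries


def accounts_with_empty_password(entries: List[Dict[str, object]]) -> List[str]:
    return [str(e["user"]) for e in entries if e["empty_password"]]


def accounts_with_lm_hash(entries: List[Dict[str, object]]) -> List[str]:
    return [str(e["user"]) for e in entries if e["lm_present"]]


def nt_hash_for(entries: List[Dict[str, object]], user: str) -> str:
    """Return the NT hash of `user` in upper-case hex (the form this
    challenge's archive hint asks for), or '' if the user is absent."""
    for e in entries:
        if e["user"] == user:
            return str(e["nt"]).upper()
    return ""


if __name__ == "__main__":
    records = parse_hashdump(SAMPLE_HASHDUMP)
    for r in records:
        print(f"{r['user']:<16} rid={r['rid']:<5} empty_pw={r['empty_password']} lm={r['lm_present']}")
    print("empty passwords:", accounts_with_empty_password(records))
```

Feed it the saved `hashdump` output and check the non-built-in account (RID 1000 and up) with `nt_hash_for`; the empty-password and LM-present lists are the findings worth recording in the report regardless of the flag.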
