Memory Forensics Series 1
2022-08-05 00:44:00 【SwBack】
Document information
Author: SwBack
Time: 2022-5-5 11:05
Challenge description
- My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Note: This challenge is composed of 3 flags.
Solution
flag1
Extract key information from the question
- Black window: probably cmd.exe (check the command history and console output)
- Drawing something: probably a drawing tool (check the process list)
- Important files exist: the file system needs to be scanned
Identify the memory image profile
volatility -f MemoryDump_Lab1.raw imageinfo
List the processes; cmd.exe is present
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
Scan the command history and console output; a base64-encoded string is found
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
Decode the base64 string to get the first flag
echo "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" |base64 -d
flag2
The process list contains the drawing tool mspaint.exe
Dump the process memory
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D ./
Open the dump in GIMP as raw image data (a third-party tool; the image can be restored from the process memory)
Adjust the width and height until the picture becomes visible; it shows flag2
flag3
WinRAR.exe is in the process list; get the name of the archive file it has open
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dlllist |grep WinRAR
Get the offset of the archive's file object (filescan reports the physical offset that dumpfiles -Q expects)
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan |grep Important
Extract the archive
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D ./
The archive is password-protected and shows a password hint
Dump the password hashes
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump
This yields flag3
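As an added example (not part of the original write-up), the following Python script automates two of the manual steps above: it parses Volatility 2 `filescan` output for a file name and builds the matching `dumpfiles -Q` command (the flag3 step), and it decodes base64-looking tokens from `consoles`/`cmdscan` output (the flag1 step). The filescan rows, file paths and console lines are constructed samples; only the offset 0x000000003fa3ebc0 and the base64 string come from this page.

```python
import base64
import binascii
import re

# Constructed sample of Volatility 2 `filescan` output. The first offset is the
# one used in the write-up; the paths are placeholders, not from the dump.
FILESCAN_OUTPUT = r"""Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fa3ebc0      8      0 R--r-- \Device\HarddiskVolume2\Users\victim\Desktop\Important.zip
0x000000003fb12a10      2      0 R--rwd \Device\HarddiskVolume2\Windows\System32\notepad.exe
"""

# Constructed sample of a `consoles` command history containing the page's base64 string.
CONSOLES_OUTPUT = """Cmd #0 at 0x1fe3c0: dir
Cmd #1 at 0x1fe400: ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
"""

# filescan rows: physical offset, #Ptr, #Hnd, access flags, then the path.
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S+\s+(.+)$")
# Tokens worth trying as base64: long enough, base64 alphabet, optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def find_files(filescan_text, keyword):
    """Return (offset, path) pairs for filescan rows whose path contains keyword."""
    hits = []
    for line in filescan_text.splitlines():
        m = FILESCAN_ROW.match(line.strip())
        if m and keyword.lower() in m.group(2).lower():
            hits.append((m.group(1), m.group(2)))
    return hits

def dumpfiles_commands(image, profile, hits, outdir="./"):
    """Build one `dumpfiles -Q <offset>` command per matching file object."""
    return [f"volatility -f {image} --profile={profile} dumpfiles -Q {off} -D {outdir}"
            for off, _ in hits]

def decode_base64_tokens(console_text):
    """Decode every base64-looking token that yields printable ASCII; skip the rest."""
    found = []
    for tok in console_text.split():
        if not B64_TOKEN.match(tok):
            continue
        try:
            raw = base64.b64decode(tok, validate=True)
        except binascii.Error:
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            found.append((tok, raw.decode("ascii")))
    return found
```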