Memory Forensics Series 1
2022-08-05 00:44:00 【SwBack】
Document notes
Author: SwBack
Time: 2022-5-5 11:05
Challenge description
- My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Note: This challenge is composed of 3 flags.
Solution
flag1
Extract key information from the question
Black window: suspected cmd.exe. Drawing something: suspected drawing tool. Important files exist: the file system needs to be scanned.
Check the memory image information
volatility -f MemoryDump_Lab1.raw imageinfo

List the processes; cmd.exe is present
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist

Scan the command history and console output; a base64-encoded string is found
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan

volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles

Decode the base64 string to get the first flag
echo "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" |base64 -d
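The cmdscan/consoles step above relies on spotting a base64-looking token by eye in the console buffers. The following script is an added example (not part of SwBack's writeup) that automates that check: it walks Volatility-style console output line by line, picks out candidate base64 tokens, and keeps only those that decode to printable text. The sample output embedded in it is constructed to resemble the layout of the Volatility 2 "consoles" plugin; process ids, addresses and the user name are invented, while the encoded string is the one shown above.

```python
import base64
import re
import string

# Constructed sample modelled on the layout of Volatility 2 "consoles" output.
# Process ids, addresses, handle and user name are invented for this example;
# the encoded string is the one shown in the writeup above.
SAMPLE_CONSOLE_OUTPUT = """\
**************************************************
ConsoleProcess: conhost.exe Pid: 2692
Console: 0xff756200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\\Windows\\system32\\cmd.exe
Title: C:\\Windows\\system32\\cmd.exe
AttachedProcess: cmd.exe Pid: 1984 Handle: 0x60
----
CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
Cmd #0 at 0x1de3c0: cd Desktop
Cmd #1 at 0x1fb0f0: echo ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
----
Screen 0x1e0f70 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
C:\\Users\\example>echo ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
C:\\Users\\example>
"""

# Candidate tokens: at least 20 base64-alphabet characters plus optional padding.
# Short runs such as "Microsoft" or hex addresses are not worth testing.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
_PRINTABLE = set(string.printable)


def decode_if_printable(token):
    """Return the decoded text of a base64 token, or None if the token is not
    valid base64 or does not decode to printable text."""
    if len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    text = raw.decode("ascii", errors="replace")
    if not text or any(ch not in _PRINTABLE for ch in text):
        return None
    return text


def find_base64_strings(console_text):
    """Scan console/cmdscan output line by line and return a list of
    (line_number, token, decoded_text) for each distinct decodable token."""
    hits = []
    seen = set()
    for lineno, line in enumerate(console_text.splitlines(), start=1):
        for token in _B64_TOKEN.findall(line):
            if token in seen:
                continue
            decoded = decode_if_printable(token)
            if decoded is not None:
                seen.add(token)
                hits.append((lineno, token, decoded))
    return hits


if __name__ == "__main__":
    # On a real case, read the saved output of "volatility ... consoles" instead.
    for lineno, token, decoded in find_base64_strings(SAMPLE_CONSOLE_OUTPUT):
        print(f"line {lineno}: {token} -> {decoded}")
```

The printable-text filter matters: plenty of ordinary words in console output happen to be valid base64 (any run of letters whose length is a multiple of 4), so decoding alone produces noise; requiring the result to be printable removes nearly all of it.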

flag2
The process list also contains the drawing tool mspaint.exe
Dump the process memory
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D ./

Open the dump in GIMP (a third-party tool that can load raw data as an image)
Adjust the width and height until the image becomes recognisable
flag2
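What GIMP does when it loads the memdump as "raw image data" is simply reinterpret a slice of bytes as rows of pixels at a width you choose. The script below is an added example (not SwBack's code, and not part of the challenge) that does the same conversion without GIMP: it takes a slice of the raw process dump, treats it as 32-bit BGRX pixels (the layout Windows uses for 32-bit DIB buffers, assumed here) and writes a binary PPM that any image viewer opens. The offset, width and height are guesses you iterate on exactly as you would in GIMP; the pixel data in the test is constructed.

```python
import sys

# Assumption: the canvas lives in memory as 32-bit BGRX pixels (B, G, R, unused).
BGRX_BYTES_PER_PIXEL = 4


def bgrx_to_rgb(chunk):
    """Convert packed 32-bit BGRX pixels to packed 24-bit RGB."""
    out = bytearray()
    usable = len(chunk) - (len(chunk) % BGRX_BYTES_PER_PIXEL)
    for i in range(0, usable, BGRX_BYTES_PER_PIXEL):
        out += bytes((chunk[i + 2], chunk[i + 1], chunk[i]))
    return bytes(out)


def max_rows(data, offset, width):
    """How many complete rows of the given width fit in data[offset:]."""
    if width <= 0 or offset >= len(data):
        return 0
    return (len(data) - offset) // (width * BGRX_BYTES_PER_PIXEL)


def raw_to_ppm(data, offset, width, height, flip_vertical=False):
    """Interpret data[offset:] as a width x height BGRX bitmap and return a
    binary PPM (P6) image. DIB buffers are often stored bottom-up, so pass
    flip_vertical=True if the result looks upside down. Raises ValueError if
    the dump does not hold enough bytes for the requested size."""
    if width <= 0 or height <= 0:
        raise ValueError("width and height must be positive")
    row_bytes = width * BGRX_BYTES_PER_PIXEL
    needed = row_bytes * height
    chunk = data[offset:offset + needed]
    if len(chunk) < needed:
        raise ValueError(f"need {needed} bytes at offset {offset}, have {len(chunk)}")
    rows = [chunk[i:i + row_bytes] for i in range(0, needed, row_bytes)]
    if flip_vertical:
        rows.reverse()
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + b"".join(bgrx_to_rgb(row) for row in rows)


def main(argv):
    # Usage: python raw_to_ppm.py <dump_file> <offset> <width> <height> <out.ppm>
    if len(argv) != 6:
        print(main.__doc__ or "usage: dump offset width height out.ppm")
        return 2
    path, offset, width, height, out_path = argv[1:]
    with open(path, "rb") as fh:
        data = fh.read()
    offset, width, height = int(offset, 0), int(width), int(height)
    height = min(height, max_rows(data, offset, width))
    with open(out_path, "wb") as fh:
        fh.write(raw_to_ppm(data, offset, width, height, flip_vertical=True))
    print(f"wrote {out_path}: {width}x{height} from offset {offset:#x}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A wrong width shows up as diagonal streaks (each row starts a few pixels too early or too late), which is why the width is the first parameter to sweep; once rows line up, the offset only shifts the picture and the height decides how much of the dump you look at.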

flag3
WinRAR.exe is present in the process list; get the name of the archive it opened
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dlllist |grep WinRAR

Get the memory address of the archive's file object
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan |grep Important

Extract the archive
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D ./

Read the password hint of the archive

Dump the password hashes
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump
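The hashdump plugin prints one line per local account in the pwdump format user:rid:lm_hash:nt_hash:::. The following parser is an added example (not part of SwBack's writeup) that reads that output, validates each field, and flags the two things a responder checks first: accounts whose NT hash is the well-known empty-password value, and accounts that still have a real LM hash stored. The embedded sample is constructed; the empty-hash constants are the standard values, while the non-empty hashes in the sample are invented placeholders.

```python
import re

# Constructed sample in the pwdump format produced by Volatility's hashdump
# plugin: user:rid:lm_hash:nt_hash:::  The first two rows use the well-known
# empty hashes; the other hashes are invented placeholders, not real ones.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
example_user:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy_user:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

# Hash of an empty password under each algorithm (well-known constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_hashdump(text):
    """Parse hashdump output into a list of dicts with user, rid, lm, nt.
    Blank lines are skipped; malformed lines raise ValueError so that a
    truncated or corrupted dump is not silently half-read."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt:::")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit():
            raise ValueError(f"line {lineno}: bad RID {rid!r}")
        if not (_HEX32.match(lm) and _HEX32.match(nt)):
            raise ValueError(f"line {lineno}: hashes must be 32 hex characters")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def triage(entries):
    """Return (user, finding) pairs for accounts with a blank password and
    for accounts whose LM hash is still stored (LM is trivially crackable)."""
    findings = []
    for entry in entries:
        if entry["nt"] == EMPTY_NT:
            findings.append((entry["user"], "blank password"))
        if entry["lm"] != EMPTY_LM:
            findings.append((entry["user"], "LM hash stored"))
    return findings


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    print(f"{len(accounts)} local accounts")
    for user, finding in triage(accounts):
        print(f"{user}: {finding}")
```

Lower-casing the hashes before comparison matters because different tools print them in different case; the RID is kept as an integer so that built-in accounts (500 Administrator, 501 Guest) can be recognised even when they have been renamed.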

Obtain flag3
