Memory Forensics Series 1
2022-08-05 00:44:00 【SwBack】
Document notes
Author: SwBack
Date: 2022-5-5 11:05
Challenge description
- My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Note: This challenge is composed of 3 flags.
Solution
flag1
Key information from the description
- Black window: most likely cmd.exe (check the process list and the console history)
- Drawing something: most likely a paint program
- Important files exist: the file objects in memory need to be scanned
Identify the image profile
volatility -f MemoryDump_Lab1.raw imageinfo
List processes: cmd.exe is present
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
Scan the command history and console output: a base64-encoded string is found (cmdscan recovers the typed commands, consoles also recovers the screen buffer, i.e. the output)
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
Decode the base64 to obtain the first flag
echo "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" | base64 -d
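Reading the console output by eye works for one short string, but a screen buffer can hold several blobs and many near-misses (hex offsets, long field names). The following is an added example for this write-up, not code from the original post or from Volatility: it pulls every base64-looking token out of cmdscan/consoles text, keeps only the ones that are valid base64 and decode to printable ASCII, and then looks for flag patterns. SAMPLE_CONSOLES is constructed in the layout of the consoles plugin's output; only the base64 string in it is the one from the lab.

```python
"""Extract and decode base64 blobs from Volatility 'cmdscan'/'consoles' text.

Added example for this write-up, not part of the original post or of
Volatility. SAMPLE_CONSOLES is constructed output in the layout that the
'consoles' plugin prints; only the base64 string is the one from the lab.
"""
import base64
import binascii
import re

# A base64 token: at least 16 alphabet characters plus optional padding.
# Shorter tokens are skipped because hex offsets and ordinary words would match.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
FLAG_RE = re.compile(r"flag\{[^}]*\}")

SAMPLE_CONSOLES = """\
**************************************************
ConsoleProcess: conhost.exe Pid: 2692
Console: 0xff756200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\\system32\\cmd.exe
Title: C:\\Windows\\system32\\cmd.exe
AttachedProcess: cmd.exe Pid: 1984 Handle: 0x60
----
CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1de3c0: type note.txt
----
Screen 0x1e0f70 X:80 Y:300
Dump:
C:\\Users\\user>type note.txt
ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=

C:\\Users\\user>
"""


def decode_base64_candidates(text: str, min_printable: int = 4) -> list:
    """Return (token, decoded) pairs for tokens that are valid base64 and
    decode to printable ASCII. Order is preserved, duplicates are dropped."""
    found = []
    seen = set()
    for token in B64_TOKEN.findall(text):
        if token in seen:
            continue
        seen.add(token)
        try:
            # validate=True rejects tokens whose length or alphabet is not base64
            raw = base64.b64decode(token, validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        # Field names such as HistoryBufferMax have a base64-compatible length
        # but decode to control characters; the printable check drops them.
        if len(decoded) >= min_printable and decoded.isprintable():
            found.append((token, decoded))
    return found


def find_flags(text: str) -> list:
    """Flags visible in the text itself plus flags hidden inside base64 blobs."""
    flags = FLAG_RE.findall(text)
    for _, decoded in decode_base64_candidates(text):
        flags.extend(FLAG_RE.findall(decoded))
    return list(dict.fromkeys(flags))


if __name__ == "__main__":
    for token, decoded in decode_base64_candidates(SAMPLE_CONSOLES):
        print(f"{token} -> {decoded}")
    print(find_flags(SAMPLE_CONSOLES))
```

One caveat when feeding real consoles output into this: the screen dump is the console buffer, so a line longer than the screen width (X:80 in the header) is wrapped onto the next row, and a long blob has to be re-joined before it decodes.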
flag2
The process list contains the drawing tool mspaint.exe (PID 2424)
Dump the process memory
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D ./
Open the dump in GIMP as raw image data (a third-party tool; the picture can be recovered from the raw pixel buffer)
Adjust the width, height and offset until the picture appears
The recovered picture shows flag2
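The GIMP step is guesswork: the dump is treated as rows of pixels and the width is changed until the picture stops looking sheared. The following added example (not from the original write-up and not a Volatility plugin) does the same thing in code and goes one step further than the manual procedure by scoring candidate widths: adjacent rows of a real bitmap differ very little, so the width with the lowest row-to-row difference is the likely one. The pixel layout is assumed to be 32-bit BGRX (the usual layout of Windows GDI bitmaps); that is an assumption, not something derived from the lab dump, and FRAME is a constructed test buffer rather than data from the dump.

```python
"""Reinterpret a raw process dump as pixels, the step done by hand in GIMP
(open as raw image data, then adjust width/height/offset).

Added example for this write-up, not the original post's code and not a
Volatility plugin. Pixel layout is ASSUMED to be 32-bit BGRX rows; FRAME
is a constructed test buffer, not data from the lab dump.
"""
from pathlib import Path


def row_delta(data: bytes, width: int, bpp: int = 4, offset: int = 0, rows: int = 32) -> float:
    """Mean absolute byte difference between consecutive rows when `data` is
    sliced into rows of `width` pixels. The true width scores low because
    neighbouring rows resemble each other; a wrong width shears the image
    and scores high."""
    row_bytes = width * bpp
    total = 0
    count = 0
    for y in range(rows):
        a = data[offset + y * row_bytes: offset + (y + 1) * row_bytes]
        b = data[offset + (y + 1) * row_bytes: offset + (y + 2) * row_bytes]
        if len(b) < row_bytes:
            break
        total += sum(abs(p - q) for p, q in zip(a, b))
        count += row_bytes
    return total / count if count else float("inf")


def guess_width(data: bytes, candidates, bpp: int = 4, offset: int = 0, rows: int = 32) -> int:
    """Candidate width with the lowest row-to-row difference."""
    return min(candidates, key=lambda w: row_delta(data, w, bpp, offset, rows))


def raw_to_ppm(data: bytes, width: int, height: int, offset: int = 0, bpp: int = 4) -> bytes:
    """Convert width*height BGRX pixels (BGR when bpp=3) at `offset` into a
    binary PPM (P6), which GIMP and most viewers open directly."""
    row_bytes = width * bpp
    needed = row_bytes * height
    chunk = data[offset: offset + needed]
    if len(chunk) < needed:
        raise ValueError(f"need {needed} bytes at offset {offset}, only {len(chunk)} available")
    out = bytearray(f"P6\n{width} {height}\n255\n".encode("ascii"))
    for i in range(0, needed, bpp):
        b, g, r = chunk[i], chunk[i + 1], chunk[i + 2]  # little-endian BGRX -> RGB
        out += bytes((r, g, b))
    return bytes(out)


def make_test_frame(width: int, height: int) -> bytes:
    """Constructed BGRX bitmap: red ramps across x, green ramps down y, blue is fixed.
    The horizontal ramp is what makes sub-multiples of the width score badly."""
    buf = bytearray()
    for y in range(height):
        for x in range(width):
            buf += bytes((128, (2 * y) & 0xFF, (3 * x) & 0xFF, 0))
    return bytes(buf)


FRAME = make_test_frame(64, 48)

if __name__ == "__main__":
    width = guess_width(FRAME, range(8, 257, 8))
    print(f"best width: {width}")
    Path("recovered.ppm").write_bytes(raw_to_ppm(FRAME, width, 48))
```

On a real memdump the offset of the pixel buffer is unknown as well, so in practice row_delta is run at a few candidate offsets (for example every 4096 bytes) and the lowest-scoring offset/width pair is rendered first; the scoring only helps where the region actually is a bitmap, and a region of zeros scores 0 for every width, so the result still has to be viewed.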
flag3
The process list contains WinRAR.exe; its command line (shown by dlllist) gives the name of the archive it had open
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dlllist | grep WinRAR
Find the physical offset of the archive's file object (filescan prints Offset(P), which is what dumpfiles -Q expects)
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan | grep Important
Extract the archive
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D ./
The archive is password protected; read the password hint that comes with it
Dump the account password hashes
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump
Use them to open the archive and obtain flag3
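The last two stages both consist of reading Volatility 2 text output and feeding a value from it into the next command: the filescan offset goes into dumpfiles -Q, and the hashdump rows go into whatever the password hint asks for. The following added example (not from the original write-up and not part of Volatility) parses both formats so the step can be scripted and repeated. Both sample outputs are constructed in the plugins' column layout: the offset 0x000000003fa3ebc0, the image name, the profile and the name Important come from this write-up; the pointer counts, paths, account names and hash values are made up, except the two well-known constants for an empty LM and an empty NT password.

```python
"""Parse Volatility 2 'filescan' and 'hashdump' output to drive the next step.

Added example for this write-up; not part of the original post or of
Volatility. SAMPLE_FILESCAN and SAMPLE_HASHDUMP are constructed: the
offset 0x000000003fa3ebc0 and the name Important are from the post, the
rest (paths, counts, users, hash values) is made up.
"""
import re

IMAGE = "MemoryDump_Lab1.raw"
PROFILE = "Win7SP1x64"

# filescan columns: Offset(P)  #Ptr  #Hnd  Access  Name
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S.*)$")
# hashdump rows use the pwdump layout: user:rid:lmhash:nthash:::
HASHDUMP_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::\s*$")

# Well-known hashes of an empty/disabled LM password and of an empty NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e4d1070     16      0 R--r-d \\Device\\HarddiskVolume2\\Windows\\System32\\kernel32.dll
0x000000003e9f2c40      1      1 RW-rw- \\Device\\HarddiskVolume2\\Users\\user\\Documents\\Unimportant.txt
0x000000003fa3ebc0      2      0 R--r-- \\Device\\HarddiskVolume2\\Users\\user\\Documents\\Important.rar
0x000000003fb12a90      1      0 R--r-- \\Device\\HarddiskVolume2\\Users\\user\\Documents\\Important.rar
"""

# Constructed rows: the NT hash of 'user' is a made-up value, not a real hash.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user:1000:aad3b435b51404eeaad3b435b51404ee:a9c4e63f2bcc87de10e4edb3e5b0a1c7:::
"""


def filescan_matches(text: str, pattern: str) -> list:
    """(offset, access, path) for every filescan row whose path matches
    `pattern` (a regex, case-insensitive). Header and banner lines are skipped."""
    rx = re.compile(pattern, re.IGNORECASE)
    out = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line.strip())
        if m and rx.search(m.group(5)):
            out.append((int(m.group(1), 16), m.group(4), m.group(5).rstrip()))
    return out


def dumpfiles_commands(matches, image: str = IMAGE, profile: str = PROFILE, outdir: str = "./") -> list:
    """One dumpfiles invocation per distinct file object. filescan can list
    the same path under several offsets, so every one is dumped and the
    non-empty result is kept."""
    offsets = dict.fromkeys(off for off, _, _ in matches)
    return [
        f"volatility -f {image} --profile={profile} dumpfiles -Q 0x{off:016x} -D {outdir}"
        for off in offsets
    ]


def parse_hashdump(text: str) -> dict:
    """Map user -> {'rid', 'lm', 'nt', 'lm_empty', 'nt_empty'}."""
    users = {}
    for line in text.splitlines():
        m = HASHDUMP_LINE.match(line.strip())
        if not m:
            continue
        lm, nt = m.group(3).lower(), m.group(4).lower()
        users[m.group(1)] = {
            "rid": int(m.group(2)),
            "lm": lm,
            "nt": nt,
            "lm_empty": lm == EMPTY_LM,
            "nt_empty": nt == EMPTY_NT,
        }
    return users


def crackable_nt_hashes(users: dict) -> dict:
    """NT hashes worth working on: accounts with an empty password are skipped."""
    return {u: info["nt"] for u, info in users.items() if not info["nt_empty"]}


if __name__ == "__main__":
    for cmd in dumpfiles_commands(filescan_matches(SAMPLE_FILESCAN, r"Important\.rar$")):
        print(cmd)
    print(crackable_nt_hashes(parse_hashdump(SAMPLE_HASHDUMP)))
```

Matching on the full regex `Important\.rar$` rather than grepping for "Important" avoids picking up unrelated names such as Unimportant.txt, and dumping every offset rather than the first one matters because a file object whose cache pages were already evicted yields nothing.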