Memory Forensics Series 1
2022-08-05 00:44:00 【SwBack】
Document notes
Author: SwBack
Date: 2022-5-5 11:05
Challenge description
- My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of crash.
Note: This challenge is composed of 3 flags.
Solution
flag1
Extract the key information from the description
Black window: probably cmd.exe. Drawing something: probably a drawing tool. Important files exist: the file objects in the dump need to be scanned.
Identify the memory image and its profile
volatility -f MemoryDump_Lab1.raw imageinfo

List the processes; cmd.exe is present
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist

Scan the command history and console output; a base64-encoded string is found
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan

volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles

Decode the base64 to obtain the first flag
echo "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" |base64 -d
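The cmdscan/consoles step above relies on spotting the base64 string by eye in a long console dump. As an added example (not part of the original writeup), the script below scans text in the layout of the consoles output for base64-looking tokens, decodes the ones that yield printable ASCII, and picks out anything shaped like flag{...}. The sample output embedded in it is constructed: only the base64 string comes from the writeup; the pid, addresses, command name and user name are placeholders, not values from the dump.

```python
import base64
import binascii
import re

# Constructed sample in the layout of `volatility ... consoles` output.
# Only the base64 string is from the writeup; every other value is a placeholder.
SAMPLE_CONSOLE_OUTPUT = r"""
**************************************************
ConsoleProcess: conhost.exe Pid: 1234
Console: 0xff000000 CommandHistorySize: 50
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
----
CommandHistory: 0x100000 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
Cmd #0 at 0x100100: stage1.bat
----
Screen 0x200000 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
C:\Users\placeholder>stage1.bat
ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
Press any key to continue . . .
"""

# A run of 16+ base64-alphabet characters plus optional padding, not glued to
# other base64-looking characters on either side (so it does not split words).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
FLAG_RE = re.compile(r"flag\{[^}]*\}")


def find_base64_candidates(text):
    """Return (token, decoded_text) pairs for tokens that decode to printable ASCII."""
    found = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        if len(token) % 4:          # valid base64 is always a multiple of 4 characters
            continue
        try:
            raw = base64.b64decode(token, validate=True)
            decoded = raw.decode("ascii")   # UnicodeDecodeError is a ValueError
        except (binascii.Error, ValueError):
            continue
        if decoded and decoded.isprintable():
            found.append((token, decoded))
    return found


def extract_flags(text):
    """Decoded candidates that look like flag{...}."""
    return [d for _, d in find_base64_candidates(text) if FLAG_RE.fullmatch(d)]


if __name__ == "__main__":
    import sys
    # Pass a saved consoles/cmdscan output file, or run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONSOLE_OUTPUT
    for token, decoded in find_base64_candidates(text):
        print(f"{token} -> {decoded}")
```

The length check and validate=True keep ordinary identifiers in the console output (e.g. CommandHistorySize) from being mis-decoded; the printable-ASCII filter drops tokens that happen to be valid base64 but decode to binary noise.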

flag2
The process list contains the drawing tool mspaint.exe
Dump the process memory
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D ./

Open the dump with GIMP (a third-party tool; its raw image import can render the dumped pixel data back into a picture)
Adjust the width and height until the picture lines up
flag2 is visible in the recovered image
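What GIMP's raw import does in the step above is simply reinterpret a run of bytes from the process dump as rows of pixels at a chosen width, height and pixel order. As an added example (not code from the writeup), the script below does the same in plain Python: it slices a byte buffer at an offset, reads each pixel in the given byte order (BGRA by default, the usual 32-bit Windows DIB layout), and writes a binary PPM that any image viewer opens. It also lists which common screen widths divide the buffer into whole rows, which is a quick way to narrow the width guessing. The sample buffer in the test is constructed; the dump filename, offset and width are command-line arguments you supply.

```python
import sys

# Common screen/canvas widths to try when the true width is unknown
COMMON_WIDTHS = (640, 800, 1024, 1280, 1366, 1440, 1600, 1920)


def raw_to_ppm(data, width, height, offset=0, pixel_format="BGRA"):
    """Reinterpret `data` as a width x height image and return a binary PPM (P6).

    pixel_format names the byte order of one pixel: "BGRA" for the 32-bit DIB
    layout Windows GDI normally uses, "RGB" for packed 24-bit data, and so on.
    """
    bpp = len(pixel_format)
    need = width * height * bpp
    if offset < 0 or offset + need > len(data):
        raise ValueError(f"need {need} bytes at offset {offset}, only {len(data)} available")
    r_i, g_i, b_i = (pixel_format.index(c) for c in "RGB")
    src = data[offset:offset + need]
    out = bytearray(width * height * 3)
    for p in range(width * height):
        px = src[p * bpp:(p + 1) * bpp]
        out[p * 3] = px[r_i]          # PPM stores R, G, B per pixel
        out[p * 3 + 1] = px[g_i]
        out[p * 3 + 2] = px[b_i]
    return f"P6 {width} {height} 255\n".encode() + bytes(out)


def rows_for_width(nbytes, width, bpp=4):
    """How many complete rows of `width` pixels fit in `nbytes`."""
    return nbytes // (width * bpp)


def candidate_widths(nbytes, bpp=4, widths=COMMON_WIDTHS):
    """Widths from the common list for which the buffer holds whole rows only."""
    npix = nbytes // bpp
    return [w for w in widths if npix % w == 0]


if __name__ == "__main__":
    # usage: python raw_to_ppm.py <process.dmp> <offset> <width> [pixel_format]
    if len(sys.argv) < 4:
        sys.exit("usage: raw_to_ppm.py DUMP OFFSET WIDTH [PIXEL_FORMAT]")
    path, offset, width = sys.argv[1], int(sys.argv[2], 0), int(sys.argv[3])
    fmt = sys.argv[4] if len(sys.argv) > 4 else "BGRA"
    with open(path, "rb") as fh:
        data = fh.read()
    height = rows_for_width(len(data) - offset, width, len(fmt))
    print("widths that divide the buffer evenly:", candidate_widths(len(data) - offset, len(fmt)))
    with open("out.ppm", "wb") as fh:
        fh.write(raw_to_ppm(data, width, height, offset, fmt))
    print(f"wrote out.ppm as {width}x{height} {fmt}")
```

Just as in GIMP, a wrong width produces diagonal smearing and a wrong offset shifts the picture; adjusting the two until straight edges appear is the whole technique, and the evenly-dividing widths are only a hint, since a dump usually contains more than the canvas.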

flag3
WinRAR.exe is present in the process list; get the filename of the archive being decompressed
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dlllist |grep WinRAR

Get the offset of the archive's file object from filescan
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan |grep Important

Extract the archive
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D ./

Read the archive's password hint

Dump the password hashes
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump

Obtain flag3
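The hashdump step above prints one pwdump-format line per local account (user:RID:LM:NT:::), and the writeup feeds that output into the last step. As an added example (not code from the writeup), the parser below turns such lines into records, looks up one account's NT hash by name, and also flags two things a forensic reviewer checks on every hashdump: accounts whose LM field is not the well-known empty-LM value (meaning the weaker LM hash was still being stored), and accounts whose NT hash is the hash of the empty password. The sample lines are constructed; the hash values in them are placeholders, not hashes from the challenge image. The two empty-password constants are public values, not taken from the dump.

```python
import re

# Well-known hashes of the empty password (public constants, not from the dump)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the pwdump layout that hashdump prints.
# User names and hash values are placeholders, not data from the writeup's image.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
legacy:1002:fedcba9876543210fedcba9876543210:ffeeddccbbaa99887766554433221100:::
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Parse pwdump-format lines into account records; lines that do not fit are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lm, nt = m["lm"].lower(), m["nt"].lower()
        accounts.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": lm,
            "nt": nt,
            "lm_stored": lm != EMPTY_LM,      # a real LM hash means LM storage was enabled
            "blank_password": nt == EMPTY_NT, # NT hash of "" means the account has no password
        })
    return accounts


def nt_hash_for(text, user):
    """NT hash of the named account (case-insensitive on the name), or None."""
    for account in parse_hashdump(text):
        if account["user"].lower() == user.lower():
            return account["nt"]
    return None


def review(text):
    """Short findings list a reviewer would report for a hashdump."""
    findings = []
    for a in parse_hashdump(text):
        if a["lm_stored"]:
            findings.append(f"{a['user']} (RID {a['rid']}): LM hash stored")
        if a["blank_password"]:
            findings.append(f"{a['user']} (RID {a['rid']}): blank password")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HASHDUMP
    for line in review(text):
        print(line)
```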
