Volatility Memory Forensics

Installing Volatility

Newer Kali releases no longer ship Volatility, so you have to download the source and build it yourself.

1. Download the source

https://pan.baidu.com/s/1r-9VC3aG-sP6wWziYNvXxA  

Extraction code: 4d4w

2. Install dependencies

  • Installing the crypto library

Install pycryptodome:

pip2 install pycryptodome -i https://pypi.tuna.tsinghua.edu.cn/simple
# Without a domestic (China) mirror the install may fail with an HTTPSConnectionPool timeout
  • Installing the distorm3 library
Project URL:
https://github.com/vext01/distorm3

After extracting it on Kali, build and install it with: python setup.py install

Run pip2 list to verify that the packages are installed:

Package      Version
------------ -------
cffi 1.14.0
distorm3 2
pip 20.3.4
pycryptodome 3.10.1
setuptools 18.5
volatility 2.6
wheel 0.29.0

3. Install Volatility
Extract the project downloaded earlier, open a terminal in the Volatility directory and build it:

python setup.py install

Finally, run vol.py -h to test the install:

┌──(root💀kali)-[/home/kali/volatility2.6]
└─# vol.py -h
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/root/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/root/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the (Olson) timezone for displaying timestamps
using pytz (if installed) or tzset
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load (use --info to see a list
of supported profiles)
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--shift=SHIFT Mac KASLR shift address
--output=text Output in this format (support is module specific, see
the Module Output Options below)
--output-file=OUTPUT_FILE
Write output in this file
-v, --verbose Verbose information
-g KDBG, --kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit
Windows 8 and above this is the address of
KdCopyDataBlock)
--force Force utilization of suspect profile
--cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for
Windows 10 only)
-k KPCR, --kpcr=KPCR Specify a specific KPCR address

Supported Plugin Commands:

amcache Print AmCache information
apihooks Detect API hooks in process and kernel memory
atoms Print session and window station atom tables
atomscan Pool scanner for atom tables
auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools Dump the big page pools using BigPagePoolScanner
bioskbd Reads the keyboard buffer from Real Mode memory
cachedump Dumps cached domain hashes from memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboard
cmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP and 2003 Only]
connscan Pool scanner for tcp connections
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
drivermodule Associate driver objects to kernel modules
driverscan Pool scanner for driver objects
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
dumpregistry Dumps registry files out to disk
editbox Displays information about Edit controls. (Listbox experimental.)
envars Display process environment variables
eventhooks Print details on windows event hooks
evtlogs Extract Windows Event Logs (XP/2003 only)
filescan Pool scanner for file objects
gahti Dump the USER handle type information
gditimers Print installed GDI timers and callbacks
gdt Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Pool scanner for registry hives
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
idt Display Interrupt Descriptor Table
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
joblinks Print process job link information
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
modules Print list of loaded modules
multiscan Scan for various objects at once
mutantscan Pool scanner for mutex objects
notepad List currently displayed notepad text
objtypescan Scan for Windows object type objects
patcher Patches memory based on page scans
poolpeek Configurable pool scanner plugin
printkey Print a registry key, and its subkeys and values
privs Display process privileges
procdump Dump a process to an executable file sample
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstree Print process list as a tree
psxview Find hidden processes with various process listings
qemuinfo Dump Qemu information
raw2dmp Converts a physical memory sample to a windbg crash dump
screenshot Save a pseudo-screenshot based on GDI windows
servicediff List Windows services (ala Plugx)
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags info
shimcache Parses the Application Compatibility Shim Cache registry key
shutdowntime Print ShutdownTime of machine from registry
sockets Print list of open sockets
sockscan Pool scanner for tcp socket objects
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Pool scanner for symlink objects
thrdscan Pool scanner for thread objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary TrueCrypt Summary
unloadedmodules Print list of unloaded modules
userassist Print userassist registry keys and information
userhandles Dump the USER handle tables
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
vboxinfo Dump virtualbox information
verinfo Prints out the version information from PE images
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for window stations
yarascan Scan process or kernel memory with Yara signatures

Tool overview

0x00 - Identify the image's operating system

vol.py -f <image file> imageinfo  # common memory image formats include raw, vmem, dmp and img

0x01 - View user names and password hashes

vol.py -f <image file> --profile=[profile] hashdump

0x02 - View process information

vol.py -f <image file> --profile=[profile] pslist

vol.py -f <image file> --profile=[profile] pstree  # shows parent/child relationships and helps spot hidden malicious processes
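As an added example (not from the original post), a parent-process sanity check over pslist output, which is the kind of question pstree is used to answer above: it parses the listing into a PID table and reports core Windows processes whose parent is not the expected one. The sample listing is constructed in pslist's column layout with one deliberately planted anomalous svchost.exe row, and the expected-parent table is an assumption for a standard Windows 7 workstation.

```python
# Expected parent for core Windows 7 processes (assumption: a standard
# single-user workstation; extend the table for your own baseline).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# Constructed sample in pslist's column layout; the last row is a
# deliberately planted anomaly (svchost.exe spawned by cmd.exe).
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000cb2040 System                    4      0     91      519 ------      0 2021-05-20 11:21:48 UTC+0000
0xfffffa80016bbb30 smss.exe                256      4      2       30 ------      0 2021-05-20 11:21:48 UTC+0000
0xfffffa80023c7b30 csrss.exe               348    328      9      437      0      0 2021-05-20 11:21:49 UTC+0000
0xfffffa80025c3060 wininit.exe             400    328      3       81      0      0 2021-05-20 11:21:49 UTC+0000
0xfffffa800260ab30 services.exe            484    400      9      206      0      0 2021-05-20 11:21:50 UTC+0000
0xfffffa8002674a90 lsass.exe               516    400     10      573      0      0 2021-05-20 11:21:50 UTC+0000
0xfffffa8002607b30 svchost.exe             640    484     11      359      0      0 2021-05-20 11:21:50 UTC+0000
0xfffffa80010c7060 cmd.exe                2624   1700      1       21      1      0 2021-05-20 13:04:35 UTC+0000
0xfffffa8001234560 svchost.exe            3100   2624      4       50      1      0 2021-05-20 13:05:00 UTC+0000
"""


def parse_pslist(text):
    """Map PID -> {name, pid, ppid, start} from pslist's text output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a virtual offset; banner/header rows do not.
        if len(parts) < 8 or not parts[0].startswith("0x"):
            continue
        pid, ppid = int(parts[2]), int(parts[3])
        procs[pid] = {"name": parts[1], "pid": pid, "ppid": ppid,
                      "start": " ".join(parts[8:11])}
    return procs


def check_parents(procs):
    """Return (severity, name, pid, message) tuples for parent/child anomalies."""
    findings = []
    for p in procs.values():
        expected = EXPECTED_PARENT.get(p["name"].lower())
        if expected is None:
            continue  # no baseline rule for this process name
        parent = procs.get(p["ppid"])
        if parent is None:
            # The session smss.exe that launches csrss/wininit exits by design
            # on Windows 7, so a missing smss parent is informational only.
            sev = "info" if "smss.exe" in expected else "warn"
            findings.append((sev, p["name"], p["pid"],
                             "parent PID %d not in listing (exited or hidden)" % p["ppid"]))
        elif parent["name"].lower() not in expected:
            findings.append(("warn", p["name"], p["pid"],
                             "unexpected parent %s (PID %d)" % (parent["name"], parent["pid"])))
    return findings


if __name__ == "__main__":
    for sev, name, pid, msg in check_parents(parse_pslist(SAMPLE_PSLIST)):
        print("[%s] %s (%d): %s" % (sev, name, pid, msg))
```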

0x03 - Scan for all file objects

vol.py -f <image file> --profile=[profile] filescan

vol.py -f <image file> --profile=[profile] filescan | grep flag

0x04 - View commands run in cmd

vol.py -f <image file> --profile=[profile] cmdscan

vol.py -f <image file> --profile=[profile] cmdline  # list the command line of each running program

0x05 - Look at specific suspicious processes

vol.py -f <image file> --profile=[profile] pstree | egrep '(a.exe|b.exe)'   # list running processes as a tree, filtered to the names of interest

0x06 - Check for malicious connections

Connection check plugin: vol.py -f <image file> --profile=[profile] connections
Port check plugin: vol.py -f <image file> --profile=[profile] sockets
(Both plugins only work on Windows XP and 2003 images, as the plugin list above notes for connections.)

0x07 - Inspect DLLs

vol.py -f <image file> --profile=[profile] dlllist -p [pid]
vol.py -f <image file> --profile=[profile] ldrmodules -p [pid] -v  # detailed listing, including unlinked (hidden) DLLs

vol.py -f <image file> --profile=[profile] malfind -p [pid]  # find injected executable code or DLLs

0x08 - Dump a process executable by PID

vol.py -f <image file> --profile=[profile] procdump -p [PID] -D [directory]

0x09 - Inspect drivers

vol.py -f <image file> --profile=[profile] modules

vol.py -f <image file> --profile=[profile] moddump -D [directory] --base [base address]  # extract a driver

0x10 - View running Windows services

vol.py -f <image file> --profile=[profile] svcscan

0x10 - View registry keys

vol.py -f <image file> --profile=[profile] printkey

0x11 - List the users in the SAM hive

vol.py -f <image file> --profile=[profile] printkey -K "SAM\Domains\Account\Users\Names"

0x12 - Get the last user who logged on

vol.py -f <image file> --profile=[profile] printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

0x13 - View registry hive information

vol.py -f <image file> --profile=[profile] hivelist

vol.py -f <image file> --profile=[profile] hivedump -o 0x93fc41e8  # dump a hive; -o takes the hive's virtual address as shown by hivelist

0x14 - Get browser history

vol.py -f <image file> --profile=[profile] iehistory

0x15 - Build a timeline

vol.py -f <image file> --profile=[profile] timeliner

Memory forensics challenges in CTFs

[Huxiang Cup 2020] passwd

Check the basic information of the memory image:

┌──(root💀kali)-[/home/kali/volatility2.6]
└─# vol.py -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/kali/volatility2.6/WIN-BU6IJ7FI9RU-20190927-152050.raw)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x83f61c28L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x83f62c00L
KPCR for CPU 1 : 0x807ca000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2019-09-27 15:20:52 UTC+0000
Image local date and time : 2019-09-27 23:20:52 +0800

From the Suggested Profile(s) value, the image is most likely Win7SP1x86_23418.

Dump the password hashes:

┌──(root💀kali)-[/home/kali/volatility2.6]
└─# vol.py -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86_23418 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::

Take the CTF user's NT hash to an online hash-lookup site to recover the password.
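Added example, not part of the original write-up: a parser for hashdump's pwdump-style lines that flags accounts with the well-known empty-password NT hash (31d6cfe0...), any stored LM hash, and non-built-in RIDs, so the accounts worth cracking stand out before any time is spent on them. The sample lines are constructed from the output above.

```python
import re

# Well-known constants: the NT hash of the empty password and the LM field
# hashdump prints when no LM hash is stored (both appear in the output above).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in pwdump format, modelled on the hashdump output above.
SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
"""

# Layout of one pwdump line: user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Return [{user, rid, lm, nt}, ...] for every well-formed pwdump line."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner and malformed lines are ignored
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid),
                         "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def triage_hashdump(text):
    """Map user -> list of notes that decide which accounts are worth cracking."""
    findings = {}
    for acct in parse_hashdump(text):
        notes = []
        if acct["nt"] == EMPTY_NT_HASH:
            notes.append("empty password")
        else:
            notes.append("NT hash to crack")
        if acct["lm"] != NO_LM_HASH:
            notes.append("LM hash stored (weak, trivially crackable)")
        if acct["rid"] == 500:
            notes.append("built-in Administrator")
        elif acct["rid"] >= 1000:
            notes.append("non-built-in account (RID >= 1000)")
        findings[acct["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in triage_hashdump(SAMPLE_HASHDUMP).items():
        print("%-14s %s" % (user, "; ".join(notes)))
```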

[NEWSCTF2021] very-ez-dump

Check the image info; this is a Win7SP1x64 image:

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f mem.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/kali/volatility2.6/mem.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf8000403e0a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff8000403fd00L
KPCR for CPU 1 : 0xfffff880009ef000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2021-05-20 13:08:33 UTC+0000
Image local date and time : 2021-05-20 21:08:33 +0800

List the processes; nothing of obvious value stands out:

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f mem.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000cb2040 System 4 0 91 519 ------ 0 2021-05-20 11:21:48 UTC+0000
0xfffffa80016bbb30 smss.exe 256 4 2 30 ------ 0 2021-05-20 11:21:48 UTC+0000
0xfffffa80023c7b30 csrss.exe 348 328 9 437 0 0 2021-05-20 11:21:49 UTC+0000
0xfffffa80025c3060 wininit.exe 400 328 3 81 0 0 2021-05-20 11:21:49 UTC+0000
0xfffffa8001b6f060 csrss.exe 412 392 10 252 1 0 2021-05-20 11:21:49 UTC+0000
0xfffffa800262e7c0 winlogon.exe 464 392 5 121 1 0 2021-05-20 11:21:50 UTC+0000
0xfffffa800260ab30 services.exe 484 400 9 206 0 0 2021-05-20 11:21:50 UTC+0000
0xfffffa8002674a90 lsass.exe 516 400 10 573 0 0 2021-05-20 11:21:50 UTC+0000
0xfffffa800267f060 lsm.exe 524 400 10 142 0 0 2021-05-20 11:21:50 UTC+0000
0xfffffa8002607b30 svchost.exe 640 484 11 359 0 0 2021-05-20 11:21:50 UTC+0000
0xfffffa80026af6a0 svchost.exe 720 484 9 292 0 0 2021-05-20 11:21:51 UTC+0000
0xfffffa8002735b30 svchost.exe 792 484 22 498 0 0 2021-05-20 11:21:51 UTC+0000
0xfffffa800275a060 svchost.exe 844 484 11 258 0 0 2021-05-20 11:21:51 UTC+0000
0xfffffa8002776960 svchost.exe 892 484 34 969 0 0 2021-05-20 11:21:51 UTC+0000
0xfffffa80027b5b30 svchost.exe 1000 484 17 698 0 0 2021-05-20 11:21:51 UTC+0000
0xfffffa80027dab30 svchost.exe 368 484 15 371 0 0 2021-05-20 11:21:51 UTC+0000
0xfffffa8002858b30 spoolsv.exe 1040 484 12 272 0 0 2021-05-20 11:21:52 UTC+0000
0xfffffa800286bb30 svchost.exe 1072 484 18 331 0 0 2021-05-20 11:21:52 UTC+0000
0xfffffa8002938b30 VGAuthService. 1228 484 3 87 0 0 2021-05-20 11:21:52 UTC+0000
0xfffffa800297ab30 taskhost.exe 1344 484 9 175 1 0 2021-05-20 11:21:53 UTC+0000
0xfffffa8002650b30 vmtoolsd.exe 1404 484 11 278 0 0 2021-05-20 11:21:53 UTC+0000
0xfffffa80029a9b30 dwm.exe 1648 844 5 149 1 0 2021-05-20 11:21:54 UTC+0000
0xfffffa8002a47b30 explorer.exe 1700 1596 44 1219 1 0 2021-05-20 11:21:54 UTC+0000
0xfffffa8002b0eb30 WmiPrvSE.exe 1920 640 9 217 0 0 2021-05-20 11:21:55 UTC+0000
0xfffffa8002af06c0 dllhost.exe 1996 484 13 197 0 0 2021-05-20 11:21:55 UTC+0000
0xfffffa8002b93520 vm3dservice.ex 864 1700 2 41 1 0 2021-05-20 11:21:55 UTC+0000
0xfffffa8002b3e060 vmtoolsd.exe 1296 1700 9 193 1 0 2021-05-20 11:21:55 UTC+0000
0xfffffa8000d60060 msdtc.exe 520 484 12 146 0 0 2021-05-20 11:21:58 UTC+0000
0xfffffa8002c42440 SearchIndexer. 2208 484 13 600 0 0 2021-05-20 11:22:01 UTC+0000
0xfffffa8002d23880 wmpnetwk.exe 2360 484 9 214 0 0 2021-05-20 11:22:02 UTC+0000
0xfffffa8002da6b30 svchost.exe 2520 484 15 258 0 0 2021-05-20 11:22:02 UTC+0000
0xfffffa800142d400 sppsvc.exe 2500 484 4 150 0 0 2021-05-20 11:23:54 UTC+0000
0xfffffa8002d90060 svchost.exe 2408 484 13 343 0 0 2021-05-20 11:23:54 UTC+0000
0xfffffa800104ab30 audiodg.exe 2236 792 7 141 0 0 2021-05-20 11:33:37 UTC+0000
0xfffffa80010c7060 cmd.exe 2624 1700 1 21 1 0 2021-05-20 13:04:35 UTC+0000
0xfffffa8000d81550 conhost.exe 1588 412 2 62 1 0 2021-05-20 13:04:35 UTC+0000
0xfffffa8001044710 SearchProtocol 2580 2208 8 285 0 0 2021-05-20 13:08:04 UTC+0000
0xfffffa80010db9b0 SearchFilterHo 316 2208 5 96 0 0 2021-05-20 13:08:04 UTC+0000
0xfffffa8001a29680 dllhost.exe 1888 640 6 87 1 0 2021-05-20 13:08:32 UTC+0000
0xfffffa8002c78060 dllhost.exe 1252 640 6 83 0 0 2021-05-20 13:08:32 UTC+0000
0xfffffa800142f060 DumpIt.exe 2864 1700 1 25 1 1 2021-05-20 13:08:32 UTC+0000
0xfffffa80010e2060 conhost.exe 2824 412 2 61 1 0 2021-05-20 13:08:32 UTC+0000
0xfffffa80010e6860 dllhost.exe 2696 640 6 69 1 0 2021-05-20 13:08:34 UTC+0000

Look at the password hashes:

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f mem.raw --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1507e24d634a54c0b14750a7da2bdfdb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
mumuzi:1000:aad3b435b51404eeaad3b435b51404ee:0606ac59df4a10d3a9e1f97b3612546f:::

The mumuzi user's hash does not crack, so keep going.

Check the commands executed in cmd:

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f mem.raw --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 1588
CommandHistory: 0x117120 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 13 LastAdded: 12 LastDisplayed: 12
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x109cf0: dir
Cmd #1 @ 0x108290: ipconfig
Cmd #2 @ 0xf8bd0: ipconfig 192.168.26.2
Cmd #3 @ 0x116aa0: ping newsctf.top
Cmd #4 @ 0x1082d0: network
Cmd #5 @ 0x1082f0: net user
Cmd #6 @ 0xf8c50: net user Guest 123456789
Cmd #7 @ 0xf8c90: net user mumuzi (ljmmz)ovo
Cmd #8 @ 0x108350: clear
Cmd #9 @ 0x116a40: if_you_see_it,
Cmd #10 @ 0xf8cd0: you_will_find_the_flag
Cmd #11 @ 0x116ad0: where_is_the_flag?
Cmd #12 @ 0x1178d0: net user Administrator flag_not_here
Cmd #29 @ 0x90158:
Cmd #30 @ 0x10f920:
**************************************************
CommandProcess: conhost.exe Pid: 2824
CommandHistory: 0x357140 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #29 @ 0x2d0158: 5
Cmd #30 @ 0x34f940: 4

The command net user mumuzi (ljmmz)ovo adds a user mumuzi with the password (ljmmz)ovo; keep going.
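An added example (not from the original post) for the cmdscan step in 0x04 and the net user finding above: it parses cmdscan's history blocks and reports every net user command that sets a password or creates an account, which is exactly how the mumuzi password surfaced here. The sample output is constructed to mirror the listing above.

```python
import re

# Constructed sample modelled on the cmdscan output above (subset of rows).
SAMPLE_CMDSCAN = """\
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 1588
CommandHistory: 0x117120 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 13 LastAdded: 12 LastDisplayed: 12
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x109cf0: dir
Cmd #1 @ 0x108290: ipconfig
Cmd #5 @ 0x1082f0: net user
Cmd #6 @ 0xf8c50: net user Guest 123456789
Cmd #7 @ 0xf8c90: net user mumuzi (ljmmz)ovo
Cmd #12 @ 0x1178d0: net user Administrator flag_not_here
Cmd #29 @ 0x90158:
**************************************************
CommandProcess: conhost.exe Pid: 2824
CommandHistory: 0x357140 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #29 @ 0x2d0158: 5
"""

HEADER_RE = re.compile(r"^CommandProcess:\s*(\S+)\s+Pid:\s*(\d+)")
APP_RE = re.compile(r"^CommandHistory:\s*(0x[0-9a-fA-F]+)\s+Application:\s*(\S+)")
CMD_RE = re.compile(r"^Cmd #(\d+) @ (0x[0-9a-fA-F]+):\s?(.*)$")
# "net user <name> [<password>] [/add]"; a bare "net user <name>" is only a query.
NET_USER_RE = re.compile(
    r"^net\s+user\s+(?P<user>[^/\s]+)\s*(?P<pw>[^/\s]\S*)?\s*(?P<add>/add)?\s*$",
    re.IGNORECASE)


def parse_cmdscan(text):
    """Split cmdscan output into histories: {pid, app, commands:[(index, text)]}."""
    histories, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("****"):          # separator opens a new history block
            cur = {"pid": None, "app": None, "commands": []}
            histories.append(cur)
            continue
        if cur is None:
            continue                          # banner text before the first block
        m = HEADER_RE.match(line)
        if m:
            cur["pid"] = int(m.group(2))
            continue
        m = APP_RE.match(line)
        if m:
            cur["app"] = m.group(2)
            continue
        m = CMD_RE.match(line)
        if m and m.group(3).strip():          # skip empty (stale) slots
            cur["commands"].append((int(m.group(1)), m.group(3).strip()))
    return histories


def find_credential_changes(histories):
    """Report net user commands that set a password or create an account."""
    hits = []
    for h in histories:
        for idx, cmd in h["commands"]:
            m = NET_USER_RE.match(cmd)
            if m and (m.group("pw") or m.group("add")):
                hits.append({"pid": h["pid"], "app": h["app"], "index": idx,
                             "user": m.group("user"), "password": m.group("pw"),
                             "created": m.group("add") is not None})
    return hits


if __name__ == "__main__":
    for hit in find_credential_changes(parse_cmdscan(SAMPLE_CMDSCAN)):
        print(hit)
```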

Scan the file objects and grep for names containing flag:

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f mem.raw --profile=Win7SP1x64 filescan | grep flag
Volatility Foundation Volatility Framework 2.6
0x000000003e4b2070 2 0 -W-rwd \Device\HarddiskVolume1\galf\fl^ag.zipesktop\fl^ag.zipp\vmware-mumuzi\VMwareDnD\9451fe4f\flag.zip
0x000000003fa56dd0 2 0 RW-rw- \Device\HarddiskVolume1\Users\mumuzi\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk

There is a flag.zip; dump it:

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f mem.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e4b2070 -D news  # -Q is the object's physical offset, -D is the output directory
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e4b2070 None \Device\HarddiskVolume1\galf\fl^ag.zipesktop\fl^ag.zipp\vmware-mumuzi\VMwareDnD\9451fe4f\flag.zip

The archive is password protected; the password is the (ljmmz)ovo found above. Extracting it gives the flag:

flag{ez_di_imp_1t_y0u_like?}

福莱格殿下

Reference: https://blog.csdn.net/weixin_43891422/article/details/107852416

1. Check the memory image info

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/kali/volatility2.6/zy.raw)
PAE type : PAE
DTB : 0xaff000L
KDBG : 0x80546ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-07-25 16:50:35 UTC+0000
Image local date and time : 2020-07-26 00:50:35 +0800

The image's profile is WinXPSP2x86.

2. Get process information

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821b9830 System 4 0 58 254 ------ 0
0x81c04ba0 smss.exe 536 4 3 19 ------ 0 2020-07-25 15:35:26 UTC+0000
0x81f59da0 csrss.exe 604 536 11 365 0 0 2020-07-25 15:35:29 UTC+0000
0x82007d10 winlogon.exe 632 536 18 451 0 0 2020-07-25 15:35:31 UTC+0000
0x82085560 services.exe 716 632 16 269 0 0 2020-07-25 15:35:31 UTC+0000
0x81c944a8 lsass.exe 728 632 22 355 0 0 2020-07-25 15:35:31 UTC+0000
0x81f767f0 vmacthlp.exe 904 716 1 25 0 0 2020-07-25 15:35:32 UTC+0000
0x82054988 svchost.exe 916 716 15 189 0 0 2020-07-25 15:35:32 UTC+0000
0x81c1e2a0 svchost.exe 964 716 11 254 0 0 2020-07-25 15:35:33 UTC+0000
0x81d57360 svchost.exe 1104 716 55 1147 0 0 2020-07-25 15:35:33 UTC+0000
0x81bc5458 svchost.exe 1152 716 4 77 0 0 2020-07-25 15:35:33 UTC+0000
0x81bcf650 svchost.exe 1192 716 14 198 0 0 2020-07-25 15:35:35 UTC+0000
0x81d61650 explorer.exe 1596 1540 16 536 0 0 2020-07-25 15:35:39 UTC+0000
0x82006da0 spoolsv.exe 1700 716 10 114 0 0 2020-07-25 15:35:40 UTC+0000
0x81ffda48 rundll32.exe 1808 1596 4 78 0 0 2020-07-25 15:35:40 UTC+0000
0x8200a7e0 vmtoolsd.exe 1816 1596 7 246 0 0 2020-07-25 15:35:40 UTC+0000
0x81d87c10 ctfmon.exe 1824 1596 1 71 0 0 2020-07-25 15:35:40 UTC+0000
0x81feabb8 svchost.exe 1784 716 4 84 0 0 2020-07-25 15:35:56 UTC+0000
0x81c96790 VGAuthService.e 1996 716 2 60 0 0 2020-07-25 15:35:56 UTC+0000
0x81bf0c10 vmtoolsd.exe 176 716 7 267 0 0 2020-07-25 15:35:56 UTC+0000
0x81fe0578 wmiprvse.exe 1040 916 13 237 0 0 2020-07-25 15:36:04 UTC+0000
0x81c395a8 wscntfy.exe 1188 1104 1 39 0 0 2020-07-25 15:36:04 UTC+0000
0x81bb3498 alg.exe 1552 716 5 102 0 0 2020-07-25 15:36:04 UTC+0000
0x81d89da0 notepad.exe 1352 1596 2 92 0 0 2020-07-25 15:38:22 UTC+0000
0x8206fda0 conime.exe 1832 1320 1 38 0 0 2020-07-25 15:49:44 UTC+0000
0x81d89a08 DumpIt.exe 800 1596 1 25 0 0 2020-07-25 16:50:34 UTC+0000

Suspicious process: smss.exe

3. Dump the process's memory

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw --profile=WinXPSP2x86 memdump -p 536 -D ./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing smss.exe [ 536] to 536.dmp

4. Inspect the dump

┌──(kali㉿kali)-[~/volatility2.6]
└─$ strings -e l 536.dmp | grep flag
flag.jpg
flag.png
flag.jpg
flag.jpg
flag.jpg
flag.jpg
flag.png
flag.png
flag.png
flag.jpg
flag.jpg
flag.png
flag.lnk
flag.jpg
\flag.jpg*C:\Documents and Settings\Administrator\
flag.png
flag.jpg
flag.lnk
notiflag.exe
\Documents and Settings\Administrator\Recent\flag.lnk
flag.png
flag.jpg
flag.png
flag.png
flag.jpg
flag.lnk
flag.jpg
flag.lnk
flag.jpg
flag.png
\flag.jpg
\flag.jpg
\flag.png
\flag.jpg
\flag.png
\flag.jpg
\flag.png
\flag.jpg
\flag.png
\flag.jpg
\flag.png
flag.png
1\flag.jpg
\flag.jpg
flag.jpg
\flag.jpg
flag.png
flag.lnk
flag.png
\flag.jpg.jpg
\flag.png
1\flag.jpg
\Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\flag.lnk
\flag.jpg
\flag.jpg
flag.jpg
\flag.jpg
\flag.jpg
\Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\flag.lnk
\flag.png
1\flag.png
\flag.jpg
\flag.png
flag.png
flag.jpg
usbflags
usbflags
usbflags
usbflags\vvvvpppprrrr
usbflags

Suspicious files: flag.jpg and flag.png

5. Get browser history

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw --profile=WinXPSP2x86 iehistory
Volatility Foundation Volatility Framework 2.6

The referenced blog shows hint.txt at this step, but I get nothing here, so keep going.

6. Scan for the file

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw --profile=WinXPSP2x86 filescan | grep hint
Volatility Foundation Volatility Framework 2.6
0x0000000002456028 1 0 RW-r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\hint.txt

7. Extract the file with dumpfiles

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002456028 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x02456028 None \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\hint.txt

This produces file.None.0x821231b8.dat
Rename it with a .txt extension; the hint says the file name is fl4g.

8. Scan for the fl4g file

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw --profile=WinXPSP2x86 filescan | grep fl4g
Volatility Foundation Volatility Framework 2.6
0x0000000002052028 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\fl4g.zip

9. Dump the fl4g file

┌──(kali㉿kali)-[~/volatility2.6]
└─$ vol.py -f zy.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002052028 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x02052028 None \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\fl4g.zip

Rename it with a .zip extension and extract it to get flag.png and flag.jpg.

10. Two-image LSB steganography
Open flag.png in StegSolve, then choose Analyse -> Image Combiner and open flag.jpg; XOR-ing the two images produces a QR code.
11. Scan the QR code for the flag

QR code contents:

https://fanyi.baidu.com/translate?aldtype=16047&query=%E6%B0%9F%E5%BE%95%E6%A0%BC%E4%B9%83%E9%8C%B5%E6%89%A9%E5%8F%B7%E6%AC%B8%E5%BF%85%E8%A5%BF%E5%BC%9F%E4%BA%BF%E8%89%BE%E8%99%8E%E9%94%AF%E9%8C%B5%E6%89%A9%E5%8F%B7&keyfrom=baidu&smartresult=dict&lang=auto2zh#zh/en/%E6%B0%9F%E5%BE%95%E6%A0%BC%E4%B9%83%E9%8C%B5%E6%89%A9%E5%8F%B7%E6%AC%B8%E5%BF%85%E8%A5%BF%E5%BC%9F%E4%BA%BF%E8%89%BE%E8%99%8E%E9%94%AF%E9%8C%B5%E6%89%A9%E5%8F%B7

Reading the characters phonetically gives the final flag:

flag{abcdefg}

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.