Volatility
Let's analyze the image with Volatility. First, identify the profile:
$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a3b0a0L
          Number of Processors : 6
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a3cd00L
                KPCR for CPU 1 : 0xfffff880009f1000L
                KPCR for CPU 2 : 0xfffff88002ea9000L
                KPCR for CPU 3 : 0xfffff88002f1f000L
                KPCR for CPU 4 : 0xfffff88002f95000L
                KPCR for CPU 5 : 0xfffff88002fcb000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-03-20 18:16:12 UTC+0000
     Image local date and time : 2021-03-20 13:16:12 -0500
For now, let's go with the first suggested profile and list the processes:
$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem --profile=Win7SP1x64 pslist -P
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x000000003ff5f040 System                    4      0    173      526 ------      0 2021-03-20 18:57:47 UTC+0000
0x000000003e832b30 smss.exe                572      4      3       34 ------      0 2021-03-20 18:57:47 UTC+0000
0x000000003e4287f0 csrss.exe               656    640     10      394      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ec6e7c0 wininit.exe             688    640      3       82      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ff6d240 csrss.exe               708    696     10      249      1      0 2021-03-20 18:57:49 UTC+0000
0x000000003edf4b30 services.exe            744    688      8      205      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003eaecb30 lsass.exe               760    688      9      564      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ec497c0 lsm.exe                 768    688     10      149      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003eb95b30 svchost.exe             868    744     10      371      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003e8ce680 VBoxService.ex          928    744     13      146      0      0 2021-03-20 18:57:49 UTC+0000
0x000000003ed974e0 svchost.exe             988    744      8      268      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003ec9d060 svchost.exe             604    744     20      476      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e9e62d0 svchost.exe             736    744     17      458      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e9eab30 svchost.exe             980    744     27      791      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e655b30 svchost.exe            1164    744     16      486      0      0 2021-03-20 17:57:51 UTC+0000
0x000000003e405890 svchost.exe            1264    744     16      426      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e423b30 spoolsv.exe            1356    744     12      311      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003ed55890 svchost.exe            1384    744     17      317      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e53d060 svchost.exe            1480    744     16      310      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e54eb30 WLIDSVC.EXE            1572    744      8      257      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e17a910 SearchIndexer.         1888    744     14      673      0      0 2021-03-20 17:57:52 UTC+0000
0x000000003e1eb2e0 winlogon.exe           2004    696      3      116      1      0 2021-03-20 17:57:53 UTC+0000
0x000000003dec7b30 WLIDSVCM.EXE            696   1572      3       58      0      0 2021-03-20 17:57:53 UTC+0000
0x000000003dfa5060 taskhost.exe           2156    744      8      152      1      0 2021-03-20 17:57:53 UTC+0000
0x000000003e1beb30 dwm.exe                2236    736      3       94      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003e218060 explorer.exe           2288   2216     27      898      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003dc1db30 VBoxTray.exe           2432   2288     15      156      1      0 2021-03-20 17:57:54 UTC+0000
0x000000003dfe2b30 wmpnetwk.exe           2736    744      9      219      0      0 2021-03-20 17:58:00 UTC+0000
0x000000003facc460 FTK Imager.exe         1552   2708     17      429      1      0 2021-03-20 17:59:24 UTC+0000
0x000000003fe0f060 notepad.exe            2696   2288      4      309      1      0 2021-03-20 17:59:34 UTC+0000
0x000000003fe26b30 mscorsvw.exe           2104    744      7       92      0      1 2021-03-20 17:59:53 UTC+0000
0x000000003dd82590 mscorsvw.exe           1724    744      7       87      0      0 2021-03-20 17:59:53 UTC+0000
0x000000003e573090 SearchProtocol         3292   1888      8      284      0      0 2021-03-20 18:15:53 UTC+0000
0x000000003eb3e4e0 SearchFilterHo         1740   1888      5      103      0      0 2021-03-20 18:15:53 UTC+0000
OK. Wondering what notepad.exe has open, let's list the file objects in memory:
$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem --profile=Win7SP1x64 filescan
0x000000003fdccf20     16      0 RW-rw- \Device\HarddiskVolume2\Users\user\Desktop\passwords.txt
A lot of entries come up, but this line is the one of interest. Let's dump it, using its physical offset with -Q:
$ python2 vol.py -f /mnt/c/Users/ctf/Downloads/umassctf2021/notes/image.mem --profile=Win7SP1x64 dumpfiles -D . -Q 0x000000003fdccf20 --name
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fdccf20   None   \Device\HarddiskVolume2\Users\user\Desktop\passwords.txt
The dumped file contains VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg==
which, when Base64-decoded in CyberChef, turns out to be the flag.
UMASS{$3CUR3_$70Rag3}
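The triage above (pick the user's files out of filescan, build the dumpfiles command from the physical offset, then decode the dumped Base64 text) as an added Python example; this is not code from the original writeup. The ntdll.dll and todo.docx rows and the function names are constructed for illustration; the passwords.txt row and the Base64 string are the ones shown above.

```python
import base64
import re

# Constructed sample of Volatility 2 `filescan` output (columns: Offset(P) #Ptr #Hnd Access Name).
# Only the passwords.txt row is from the real image; the other two rows are made up.
FILESCAN_SAMPLE = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e11a070      2      0 R--r-d \\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll
0x000000003fdccf20     16      0 RW-rw- \\Device\\HarddiskVolume2\\Users\\user\\Desktop\\passwords.txt
0x000000003e4c8b50      1      1 RW-r-- \\Device\\HarddiskVolume2\\Users\\user\\Documents\\todo.docx
"""
# Constructed: contents of the file dumpfiles wrote out (the Base64 string itself is from the writeup).
DUMPED_SAMPLE = b"VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg==\n"

FILESCAN_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$", re.I)
USER_DOC_PATH = re.compile(r"\\Users\\[^\\]+\\(Desktop|Documents|Downloads)\\", re.I)

def parse_filescan(text):
    # One dict per file object; the header and the dashed separator do not match the regex.
    rows = []
    for line in text.splitlines():
        m = FILESCAN_ROW.match(line)
        if m:
            offset, ptr, hnd, access, name = m.groups()
            rows.append({"offset": offset, "ptr": int(ptr), "hnd": int(hnd),
                         "access": access, "name": name})
    return rows

def user_documents(rows):
    # Files under a user's Desktop/Documents/Downloads are the first thing to look at.
    return [r for r in rows if USER_DOC_PATH.search(r["name"])]

def dumpfiles_cmd(image, profile, row, outdir="."):
    # The same invocation the writeup runs by hand; -Q takes the physical offset from filescan.
    return ["python2", "vol.py", "-f", image, "--profile=" + profile,
            "dumpfiles", "-D", outdir, "-Q", row["offset"], "--name"]

def decode_base64_text(data):
    # Decoded bytes if the dumped file is nothing but Base64 text, else None.
    s = data.strip()
    if not s or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
```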