哈Ha!
OtterCTF最近结束了(对于那些感兴趣的人-到ctftime的链接 ),今年,作为一个与铁紧密联系的人,坦率地让我高兴-有一类单独的Memory Forensics,本质上是对内存转储的分析。 我想在这篇文章中向所有感兴趣的人表明她-欢迎来到cat。
引言
也许,在哈布雷(Habré)上已经有文章描述了波动性的工作,但是不幸的是,我没有找到它们。 如果您输入有误,请在评论中给我一个链接。 本文有两个目标-说明如果攻击者具有RAM转储并让读者了解我认为最漂亮的工具,那么管理员保护系统的所有尝试都是毫无意义的。 好吧,当然,交流经验。 足够的水,让我们开始吧!
了解工具
波动性是社区开发的开放式框架。 它是在第二个python上编写的,并且与模块化体系结构一起使用-有一个所谓的。 可以连接进行分析的插件,您甚至可以自己编写缺少的插件。 可以使用volatility -h查看开箱即用的完整插件列表。
由于使用python,该工具是跨平台的,因此在某些有python的流行操作系统下运行应该不会有问题。 该框架支持大量配置文件(在了解Volatility的基础上,即从中进行转储的系统):从流行的Windows-Linux-MacO到“直接”注销的dd转储和虚拟机转储(QEMU和VirtualBox都包括在内)。 我认为,这是一个非常好的设置。
这个工具的功能真的很棒-我在为ARM调试内核时碰到了它,它完美地分析了我给输入的内容
作为一项奖励-支持几乎您可以想象的任何地址空间。
公关似乎比原计划多了一点。 让我们尝试自己进行分析。
对于那些想要完成本文所有操作的人-带有图像的Mega链接或可以使用wget完成:
wget https://transfer.sh/AesNq/OtterCTF.7z
因此,图像就在我们手中,我们可以开始分析。 首先,您需要了解哪个系统删除了转储。 为此,波动性具有出色的imageinfo插件。 快跑
$ volatility -f %_% imageinfo
在我们的情况下,废气将大致如下:
Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (%%/%_%) PAE type : No PAE DTB : 0x187000L KDBG : 0xf80002c430a0L Number of Processors : 2 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80002c44d00L KPCR for CPU 1 : 0xfffff880009ef000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2018-08-04 19:34:22 UTC+0000 Image local date and time : 2018-08-04 22:34:22 +0300
因此,我们获得了有关转储的几乎详尽的信息-大概是它是由什么操作系统制成的(按概率排序),进行转储时的本地日期和时间,地址等等。 因此,我们意识到这是Windows 7 Service Pack 1 x64的转储。 您可以深入研究!
密码是多少
由于这是一次袭击,因此我将对问题进行陈述,然后描述如何借助波动性解决该问题。
第一个任务是获取用户密码
首先,我们将了解系统中有哪些用户,同时尝试获取其密码。 自己获取密码更加困难,因此我们希望我们不会成为一个非常聪明的人,并且可以从他的密码中打开哈希。 它仍然得到它! 为此,尝试查看_CMHIVE通常,在Windows运行时,您总是可以在其中找到一些有趣的东西。 为此,只需在配置文件中指定Win7时插入hivelist插件即可:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hivelist Volatility Foundation Volatility Framework 2.6 Virtual Physical Name ------------------ ------------------ ---- 0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve 0xfffff8a00000f010 0x000000002d4c1010 [no name] 0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM 0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE 0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY 0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD 0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE 0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT 0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM 0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT 0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat 0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat
太好了! 我们应该获得一个用户名,并同时确保我们所需的SYSTEM和SAM已经加载到内存中。 现在只需获取散列并进行排序:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0016d4010 Volatility Foundation Volatility Framework 2.6 Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
结果,我们有三个用户- Administrator(31d6cfe0d16ae931b73c59d7e0c089c0) , Guest(31d6cfe0d16ae931b73c59d7e0c089c0)和我们的Rick(518172d012f97d3a8fcc089615283940) 。 Windows 7的哈希是NTLM,并且在它们上迭代了很长时间。 我可以说我在游戏视频卡上已经进行了将近一天的时间,但从未发现任何问题。 因此,您可以采用更简单的方法尝试使用mimikatz进行突破。 它并不总是灵丹妙药,也不总是有效,但如果有效,它总能带来结果。 这就是波动性的多功能性-有一个自定义的mimikatz插件。 下载到任何方便的文件夹,然后在启动时指定此文件夹的路径:
$ volatility --plugins=%____% -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
并立即获得用户密码:
Volatility Foundation Volatility Framework 2.6 Module User Domain Password -------- ---------------- ---------------- ---------------------------------------- wdigest Rick WIN-LO6FAF3DTFE MortyIsReallyAnOtter wdigest WIN-LO6FAF3DTFE$ WORKGROUP
一般资讯
任务是获取IP地址和计算机名称
现在我们知道我们是谁,我们需要了解我们在哪里。 也就是说,很高兴知道我们的IP地址和机器名称。 对于IP地址,一切都很简单-我们使用netscan查看转储时的连接列表:
上市 $ volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan Volatility Foundation Volatility Framework 2.6 Offset(P) Proto Local Address Foreign Address State Pid Owner Created 0x7d60f010 UDPv4 0.0.0.0:1900 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000 0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000 0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000 0x7d62f920 UDPv4 192.168.202.131:62306 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000 0x7d6424c0 UDPv4 0.0.0.0:50762 *:* 4076 chrome.exe 2018-08-04 19:33:37 UTC+0000 0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7d6e3230 UDPv4 127.0.0.1:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000 0x7d6ed650 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d71c8a0 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d71c8a0 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d74a390 UDPv4 127.0.0.1:52847 *:* 2624 bittorrentie.e 2018-08-04 19:27:24 UTC+0000 0x7d7602c0 UDPv4 127.0.0.1:52846 *:* 2308 bittorrentie.e 2018-08-04 19:27:24 UTC+0000 0x7d787010 UDPv4 0.0.0.0:65452 *:* 4076 chrome.exe 2018-08-04 19:33:42 UTC+0000 0x7d789b50 UDPv4 0.0.0.0:50523 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d789b50 UDPv6 :::50523 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d92a230 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d92a230 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7d9e8b50 UDPv4 0.0.0.0:20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000 0x7d9f4560 UDPv4 0.0.0.0:0 *:* 3856 WebCompanion.e 2018-08-04 19:34:22 UTC+0000 0x7d9f8cb0 UDPv4 0.0.0.0:20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000 0x7d9f8cb0 UDPv6 :::20830 *:* 2836 BitTorrent.exe 2018-08-04 19:27:15 UTC+0000 0x7d8bb390 TCPv4 0.0.0.0:9008 0.0.0.0:0 LISTENING 4 System 0x7d8bb390 TCPv6 :::9008 :::0 LISTENING 4 System 0x7d9a9240 TCPv4 0.0.0.0:8733 0.0.0.0:0 LISTENING 4 System 0x7d9a9240 TCPv6 :::8733 :::0 LISTENING 4 System 0x7d9e19e0 TCPv4 0.0.0.0:20830 0.0.0.0:0 LISTENING 2836 BitTorrent.exe 0x7d9e19e0 TCPv6 :::20830 :::0 LISTENING 2836 BitTorrent.exe 0x7d9e1c90 TCPv4 0.0.0.0:20830 0.0.0.0:0 LISTENING 2836 BitTorrent.exe 0x7d42ba90 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe 0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe 0x7d62d690 TCPv4 192.168.202.131:49229 169.1.143.215:8999 CLOSED 2836 BitTorrent.exe 0x7d634350 TCPv6 -:0 38db:c41a:80fa:ffff:38db:c41a:80fa:ffff:0 CLOSED 2836 BitTorrent.exe 0x7d6f27f0 TCPv4 192.168.202.131:50381 71.198.155.180:34674 CLOSED 2836 BitTorrent.exe 0x7d704010 TCPv4 192.168.202.131:50382 92.251.23.204:6881 CLOSED 2836 BitTorrent.exe 0x7d708cf0 TCPv4 192.168.202.131:50364 91.140.89.116:31847 CLOSED 2836 BitTorrent.exe 0x7d729620 TCPv4 -:50034 142.129.37.27:24578 CLOSED 2836 BitTorrent.exe 0x7d72cbe0 TCPv4 192.168.202.131:50340 23.37.43.27:80 CLOSED 3496 Lavasoft.WCAss 0x7d7365a0 TCPv4 192.168.202.131:50358 23.37.43.27:80 CLOSED 3856 WebCompanion.e 0x7d81c890 TCPv4 192.168.202.131:50335 185.154.111.20:60405 CLOSED 2836 BitTorrent.exe 0x7d8fd530 TCPv4 192.168.202.131:50327 23.37.43.27:80 CLOSED 3496 Lavasoft.WCAss 0x7d9cecf0 TCPv4 192.168.202.131:50373 173.239.232.46:2997 CLOSED 2836 BitTorrent.exe 0x7d9d7cf0 TCPv4 192.168.202.131:50371 191.253.122.149:59163 CLOSED 2836 BitTorrent.exe 0x7daefec0 UDPv4 0.0.0.0:0 *:* 3856 WebCompanion.e 2018-08-04 19:34:22 UTC+0000 0x7daefec0 UDPv6 :::0 *:* 3856 WebCompanion.e 2018-08-04 19:34:22 UTC+0000 0x7db83b90 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:30 UTC+0000 0x7db83b90 UDPv6 :::0 *:* 3880 WebCompanionIn 2018-08-04 19:33:30 UTC+0000 0x7db9cdd0 UDPv4 0.0.0.0:0 *:* 2844 WebCompanion.e 2018-08-04 19:30:05 UTC+0000 0x7db9cdd0 UDPv6 :::0 *:* 2844 WebCompanion.e 2018-08-04 19:30:05 UTC+0000 0x7dc2dc30 UDPv4 0.0.0.0:50879 *:* 4076 chrome.exe 2018-08-04 19:30:41 UTC+0000 0x7dc2dc30 UDPv6 :::50879 *:* 4076 chrome.exe 2018-08-04 19:30:41 UTC+0000 0x7dc83810 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dc83810 UDPv6 :::5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dd82c30 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:26:38 UTC+0000 0x7df00980 UDPv4 0.0.0.0:0 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7df00980 UDPv6 :::0 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7df04cc0 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:26:38 UTC+0000 0x7df04cc0 UDPv6 :::5355 *:* 620 svchost.exe 2018-08-04 19:26:38 UTC+0000 0x7df5f010 UDPv4 0.0.0.0:55175 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dfab010 UDPv4 0.0.0.0:58383 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7dfab010 UDPv6 :::58383 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7e12c1c0 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:27 UTC+0000 0x7e163a40 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:27 UTC+0000 0x7e163a40 UDPv6 :::0 *:* 3880 WebCompanionIn 2018-08-04 19:33:27 UTC+0000 0x7e1cf010 UDPv4 192.168.202.131:137 *:* 4 System 2018-08-04 19:26:35 UTC+0000 0x7e1da010 UDPv4 192.168.202.131:138 *:* 4 System 2018-08-04 19:26:35 UTC+0000 0x7dc4ad30 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 500 lsass.exe 0x7dc4ad30 TCPv6 :::49155 :::0 LISTENING 500 lsass.exe 0x7dc4b370 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 500 lsass.exe 0x7dd71010 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System 0x7dd71010 TCPv6 :::445 :::0 LISTENING 4 System 0x7ddca6b0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe 0x7ddcbc00 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe 0x7ddcbc00 TCPv6 :::49156 :::0 LISTENING 492 services.exe 0x7de09c30 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe 0x7de09c30 TCPv6 :::49152 :::0 LISTENING 396 wininit.exe 0x7de0d7b0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe 0x7de424e0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 808 svchost.exe 0x7de45ef0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 808 svchost.exe 0x7de45ef0 TCPv6 :::49153 :::0 LISTENING 808 svchost.exe 0x7df3d270 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 868 svchost.exe 0x7df3eef0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 868 svchost.exe 0x7df3eef0 TCPv6 :::49154 :::0 LISTENING 868 svchost.exe 0x7e1f6010 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 712 svchost.exe 0x7e1f6010 TCPv6 :::135 :::0 LISTENING 712 svchost.exe 0x7e1f8ef0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 712 svchost.exe 0x7db000a0 TCPv4 -:50091 93.142.197.107:32645 CLOSED 2836 BitTorrent.exe 0x7db132e0 TCPv4 192.168.202.131:50280 72.55.154.81:80 CLOSED 3880 WebCompanionIn 0x7dbc3010 TCPv6 -:0 4847:d418:80fa:ffff:4847:d418:80fa:ffff:0 CLOSED 4076 chrome.exe 0x7dc4bcf0 TCPv4 -:0 104.240.179.26:0 CLOSED 3 ?4???? 0x7dc83080 TCPv4 192.168.202.131:50377 179.108.238.10:19761 CLOSED 2836 BitTorrent.exe 0x7dd451f0 TCPv4 192.168.202.131:50321 45.27.208.145:51414 CLOSED 2836 BitTorrent.exe 0x7ddae890 TCPv4 -:50299 212.92.105.227:8999 CLOSED 2836 BitTorrent.exe 0x7ddff010 TCPv4 192.168.202.131:50379 23.37.43.27:80 CLOSED 3856 WebCompanion.e 0x7e0057d0 TCPv4 192.168.202.131:50353 85.242.139.158:51413 CLOSED 2836 BitTorrent.exe 0x7e0114b0 TCPv4 192.168.202.131:50339 77.65.111.216:8306 CLOSED 2836 BitTorrent.exe 0x7e042cf0 TCPv4 192.168.202.131:50372 83.44.27.35:52103 CLOSED 2836 BitTorrent.exe 0x7e08a010 TCPv4 192.168.202.131:50374 89.46.49.163:20133 CLOSED 2836 BitTorrent.exe 0x7e092010 TCPv4 192.168.202.131:50378 120.29.114.41:13155 CLOSED 2836 BitTorrent.exe 0x7e094b90 TCPv4 192.168.202.131:50365 52.91.1.182:55125 CLOSED 2836 BitTorrent.exe 0x7e09ba90 TCPv6 -:0 68f0:181b:80fa:ffff:68f0:181b:80fa:ffff:0 CLOSED 2836 BitTorrent.exe 0x7e0a8b90 TCPv4 192.168.202.131:50341 72.55.154.81:80 CLOSED 3880 WebCompanionIn 0x7e0d6180 TCPv4 192.168.202.131:50349 196.250.217.22:32815 CLOSED 2836 BitTorrent.exe 0x7e108100 TCPv4 192.168.202.131:50360 174.0.234.77:31240 CLOSED 2836 BitTorrent.exe 0x7e124910 TCPv4 192.168.202.131:50366 89.78.106.196:51413 CLOSED 2836 BitTorrent.exe 0x7e14dcf0 TCPv4 192.168.202.131:50363 122.62.218.159:11627 CLOSED 2836 BitTorrent.exe 0x7e18bcf0 TCPv4 192.168.202.131:50333 191.177.124.34:21011 CLOSED 2836 BitTorrent.exe 0x7e1f7ab0 TCPv4 -:0 56.187.190.26:0 CLOSED 3 ?4???? 0x7e48d9c0 UDPv6 fe80::b06b:a531:ec88:457f:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7e4ad870 UDPv4 127.0.0.1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7e511bb0 UDPv4 0.0.0.0:60005 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000 0x7e5dc3b0 UDPv6 fe80::b06b:a531:ec88:457f:546 *:* 808 svchost.exe 2018-08-04 19:33:28 UTC+0000 0x7e7469c0 UDPv4 0.0.0.0:50878 *:* 4076 chrome.exe 2018-08-04 19:30:39 UTC+0000 0x7e7469c0 UDPv6 :::50878 *:* 4076 chrome.exe 2018-08-04 19:30:39 UTC+0000 0x7e77cb00 UDPv4 0.0.0.0:50748 *:* 4076 chrome.exe 2018-08-04 19:30:07 UTC+0000 0x7e77cb00 UDPv6 :::50748 *:* 4076 chrome.exe 2018-08-04 19:30:07 UTC+0000 0x7e79f3f0 UDPv4 0.0.0.0:5353 *:* 4076 chrome.exe 2018-08-04 19:29:35 UTC+0000 0x7e7a0ec0 UDPv4 0.0.0.0:5353 *:* 4076 chrome.exe 2018-08-04 19:29:35 UTC+0000 0x7e7a0ec0 UDPv6 :::5353 *:* 4076 chrome.exe 2018-08-04 19:29:35 UTC+0000 0x7e7a3960 UDPv4 0.0.0.0:0 *:* 3880 WebCompanionIn 2018-08-04 19:33:30 UTC+0000 0x7e7dd010 UDPv6 ::1:58340 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7e413a40 TCPv4 -:0 -:0 CLOSED 708 LunarMS.exe 0x7e415010 TCPv4 192.168.202.131:50346 89.64.10.176:10589 CLOSED 2836 BitTorrent.exe 0x7e4202d0 TCPv4 192.168.202.131:50217 104.18.21.226:80 CLOSED 3880 WebCompanionIn 0x7e45f110 TCPv4 192.168.202.131:50211 104.18.20.226:80 CLOSED 3880 WebCompanionIn 0x7e4cc910 TCPv4 192.168.202.131:50228 104.18.20.226:80 CLOSED 3880 WebCompanionIn 0x7e512950 TCPv4 192.168.202.131:50345 77.126.30.221:13905 CLOSED 2836 BitTorrent.exe 0x7e521b50 TCPv4 -:0 -:0 CLOSED 708 LunarMS.exe 0x7e5228d0 TCPv4 192.168.202.131:50075 70.65.116.120:52700 CLOSED 2836 BitTorrent.exe 0x7e52f010 TCPv4 192.168.202.131:50343 86.121.4.189:46392 CLOSED 2836 BitTorrent.exe 0x7e563860 TCPv4 192.168.202.131:50170 103.232.25.44:25384 CLOSED 2836 BitTorrent.exe 0x7e572cf0 TCPv4 192.168.202.131:50125 122.62.218.159:11627 CLOSED 2836 BitTorrent.exe 0x7e5d6cf0 TCPv4 192.168.202.131:50324 54.197.8.177:49420 CLOSED 2836 BitTorrent.exe 0x7e71b010 TCPv4 192.168.202.131:50344 70.27.98.75:6881 CLOSED 2836 BitTorrent.exe 0x7e71d010 TCPv4 192.168.202.131:50351 99.251.199.160:1045 CLOSED 2836 BitTorrent.exe 0x7e74b010 TCPv4 192.168.202.131:50385 209.236.6.89:56500 CLOSED 2836 BitTorrent.exe 0x7e78b7f0 TCPv4 192.168.202.131:50238 72.55.154.82:80 CLOSED 3880 WebCompanionIn 0x7e7ae380 TCPv4 192.168.202.131:50361 5.34.21.181:8999 CLOSED 2836 BitTorrent.exe 0x7e7b0380 TCPv6 -:0 4847:d418:80fa:ffff:4847:d418:80fa:ffff:0 CLOSED 2836 BitTorrent.exe 0x7e7b9010 TCPv4 192.168.202.131:50334 188.129.94.129:25128 CLOSED 2836 BitTorrent.exe 0x7e94b010 TCPv4 192.168.202.131:50356 77.126.30.221:13905 CLOSED 2836 BitTorrent.exe 0x7e9ad840 TCPv4 192.168.202.131:50380 84.52.144.29:56299 CLOSED 2836 BitTorrent.exe 0x7e9bacf0 TCPv4 192.168.202.131:50350 77.253.242.0:5000 CLOSED 2836 BitTorrent.exe 0x7eaac5e0 TCPv4 192.168.202.131:50387 93.184.220.29:80 CLOSED 3856 WebCompanion.e 0x7eab4cf0 TCPv4 -:0 56.219.196.26:0 CLOSED 2836 BitTorrent.exe 0x7fb9cec0 UDPv4 192.168.202.131:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000 0x7fb9d430 UDPv4 127.0.0.1:58341 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+000
找到IP 192.168.202.131 。 当然,这是本地网络上的IP,但是不幸的是,您不会再将其从转储中删除-要获得外部IP,您不仅需要转储。 现在获取计算机的名称。 为此,只需阅读SYSTEM注册表分支:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName' Volatility Foundation Volatility Framework 2.6 Legend: (S) = Stable (V) = Volatile ---------------------------- Registry: \REGISTRY\MACHINE\SYSTEM Key name: ComputerName (S) Last updated: 2018-06-02 19:23:00 UTC+0000 Subkeys: Values: REG_SZ : (S) mnmsrvc REG_SZ ComputerName : (S) WIN-LO6FAF3DTFE
超级,我们得到了计算机名WIN-LO6FAF3DTFE 。
上场时间
用户喜欢玩旧的视频游戏。 查找他最喜欢的游戏的名称及其服务器的IP地址
只需查看上一步中的netscan排气,然后查看奇怪的LunarMS.exe 。 Google确实是一个视频游戏。 在这里您还可以找到用于打开连接的IP地址77.102.199.102
命名游戏
我们知道用户已登录Lunar-3频道。 但是帐户名称是什么?
由于用户已登录到该通道,因此名称在转储中应为纯文本格式。 我们制作strings并获取标志:
$ strings OtterCTF.vmem | grep Lunar-3 -A 2 -B 3 disabled mouseOver keyFocused Lunar-3 0tt3r8r33z3 Sound/UI.img/ -- c+Yt tb+Y4c+Y b+YLc+Y Lunar-3 Lunar-4 L(dNVxdNV
在所有行中,标志0tt3r8r33z3最相似。 我们尽力而为-就是这样!
傻里克
我们的用户总是忘记他的密码,因此他使用密码管理器并仅在需要登录时复制所需的密码。 也许您能找到一些东西?
从措辞来看,您只需要获取剪贴板的内容。 波动性可以解决这个问题- clipboard插件。 检查并查看密码:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard Volatility Foundation Volatility Framework 2.6 Session WindowStation Format Handle Object Data ---------- ------------- ------------------ ------------------ ------------------ -------------------------------------------------- 1 WinSta0 CF_UNICODETEXT 0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs 1 WinSta0 CF_TEXT 0x10 ------------------ 1 WinSta0 0x150133L 0x200000000000 ------------------ 1 WinSta0 CF_TEXT 0x1 ------------------ 1 ------------- ------------------ 0x150133 0xfffff900c1c1adc0
捉迷藏
导致计算机刹车的原因是长期存在于系统中的病毒。 也许你能找到他? 请注意,您只有3次尝试传递此标志!
好吧,如果我们尝试了三遍,那么我们会小心谨慎,因为我们被告知=)
首先,使用pslist获取所有进程的列表:
上市 $ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pslist Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xfffffa8018d44740 System 4 0 95 411 ------ 0 2018-08-04 19:26:03 UTC+0000 0xfffffa801947e4d0 smss.exe 260 4 2 30 ------ 0 2018-08-04 19:26:03 UTC+0000 0xfffffa801a0c8380 csrss.exe 348 336 9 563 0 0 2018-08-04 19:26:10 UTC+0000 0xfffffa80198d3b30 csrss.exe 388 380 11 460 1 0 2018-08-04 19:26:11 UTC+0000 0xfffffa801a2ed060 wininit.exe 396 336 3 78 0 0 2018-08-04 19:26:11 UTC+0000 0xfffffa801aaf4060 winlogon.exe 432 380 3 113 1 0 2018-08-04 19:26:11 UTC+0000 0xfffffa801ab377c0 services.exe 492 396 11 242 0 0 2018-08-04 19:26:12 UTC+0000 0xfffffa801ab3f060 lsass.exe 500 396 7 610 0 0 2018-08-04 19:26:12 UTC+0000 0xfffffa801ab461a0 lsm.exe 508 396 10 148 0 0 2018-08-04 19:26:12 UTC+0000 0xfffffa8018e3c890 svchost.exe 604 492 11 376 0 0 2018-08-04 19:26:16 UTC+0000 0xfffffa801abbdb30 vmacthlp.exe 668 492 3 56 0 0 2018-08-04 19:26:16 UTC+0000 0xfffffa801abebb30 svchost.exe 712 492 8 301 0 0 2018-08-04 19:26:17 UTC+0000 0xfffffa801ac2e9e0 svchost.exe 808 492 22 508 0 0 2018-08-04 19:26:18 UTC+0000 0xfffffa801ac31b30 svchost.exe 844 492 17 396 0 0 2018-08-04 19:26:18 UTC+0000 0xfffffa801ac4db30 svchost.exe 868 492 45 1114 0 0 2018-08-04 19:26:18 UTC+0000 0xfffffa801ac753a0 audiodg.exe 960 808 7 151 0 0 2018-08-04 19:26:19 UTC+0000 0xfffffa801ac97060 svchost.exe 1012 492 12 554 0 0 2018-08-04 19:26:20 UTC+0000 0xfffffa801acd37e0 svchost.exe 620 492 19 415 0 0 2018-08-04 19:26:21 UTC+0000 0xfffffa801ad5ab30 spoolsv.exe 1120 492 14 346 0 0 2018-08-04 19:26:22 UTC+0000 0xfffffa801ad718a0 svchost.exe 1164 492 18 312 0 0 2018-08-04 19:26:23 UTC+0000 0xfffffa801ae0f630 VGAuthService. 1356 492 3 85 0 0 2018-08-04 19:26:25 UTC+0000 0xfffffa801ae92920 vmtoolsd.exe 1428 492 9 313 0 0 2018-08-04 19:26:27 UTC+0000 0xfffffa8019124b30 WmiPrvSE.exe 1800 604 9 222 0 0 2018-08-04 19:26:39 UTC+0000 0xfffffa801afe7800 svchost.exe 1948 492 6 96 0 0 2018-08-04 19:26:42 UTC+0000 0xfffffa801ae7f630 dllhost.exe 1324 492 15 207 0 0 2018-08-04 19:26:42 UTC+0000 0xfffffa801aff3b30 msdtc.exe 1436 492 14 155 0 0 2018-08-04 19:26:43 UTC+0000 0xfffffa801b112060 WmiPrvSE.exe 2136 604 12 324 0 0 2018-08-04 19:26:51 UTC+0000 0xfffffa801b1e9b30 taskhost.exe 2344 492 8 193 1 0 2018-08-04 19:26:57 UTC+0000 0xfffffa801b232060 sppsvc.exe 2500 492 4 149 0 0 2018-08-04 19:26:58 UTC+0000 0xfffffa801b1fab30 dwm.exe 2704 844 4 97 1 0 2018-08-04 19:27:04 UTC+0000 0xfffffa801b27e060 explorer.exe 2728 2696 33 854 1 0 2018-08-04 19:27:04 UTC+0000 0xfffffa801b1cdb30 vmtoolsd.exe 2804 2728 6 190 1 0 2018-08-04 19:27:06 UTC+0000 0xfffffa801b290b30 BitTorrent.exe 2836 2728 24 471 1 1 2018-08-04 19:27:07 UTC+0000 0xfffffa801b2f02e0 WebCompanion.e 2844 2728 0 -------- 1 0 2018-08-04 19:27:07 UTC+0000 2018-08-04 19:33:33 UTC+0000 0xfffffa801b3aab30 SearchIndexer. 3064 492 11 610 0 0 2018-08-04 19:27:14 UTC+0000 0xfffffa801b4a7b30 bittorrentie.e 2308 2836 15 337 1 1 2018-08-04 19:27:19 UTC+0000 0xfffffa801b4c9b30 bittorrentie.e 2624 2836 13 316 1 1 2018-08-04 19:27:21 UTC+0000 0xfffffa801b5cb740 LunarMS.exe 708 2728 18 346 1 1 2018-08-04 19:27:39 UTC+0000 0xfffffa801988c2d0 PresentationFo 724 492 6 148 0 0 2018-08-04 19:27:52 UTC+0000 0xfffffa801b603610 mscorsvw.exe 412 492 7 86 0 1 2018-08-04 19:28:42 UTC+0000 0xfffffa801a6af9f0 svchost.exe 164 492 12 147 0 0 2018-08-04 19:28:42 UTC+0000 0xfffffa801a6c2700 mscorsvw.exe 3124 492 7 77 0 0 2018-08-04 19:28:43 UTC+0000 0xfffffa801a6e4b30 svchost.exe 3196 492 14 352 0 0 2018-08-04 19:28:44 UTC+0000 0xfffffa801a4e3870 chrome.exe 4076 2728 44 1160 1 0 2018-08-04 19:29:30 UTC+0000 0xfffffa801a4eab30 chrome.exe 4084 4076 8 86 1 0 2018-08-04 19:29:30 UTC+0000 0xfffffa801a502b30 chrome.exe 576 4076 2 58 1 0 2018-08-04 19:29:31 UTC+0000 0xfffffa801a4f7b30 chrome.exe 1808 4076 13 229 1 0 2018-08-04 19:29:32 UTC+0000 0xfffffa801aa00a90 chrome.exe 3924 4076 16 228 1 0 2018-08-04 19:29:51 UTC+0000 0xfffffa801a7f98f0 chrome.exe 2748 4076 15 181 1 0 2018-08-04 19:31:15 UTC+0000 0xfffffa801b486b30 Rick And Morty 3820 2728 4 185 1 1 2018-08-04 19:32:55 UTC+0000 0xfffffa801a4c5b30 vmware-tray.ex 3720 3820 8 147 1 1 2018-08-04 19:33:02 UTC+0000 0xfffffa801b18f060 WebCompanionIn 3880 1484 15 522 0 1 2018-08-04 19:33:07 UTC+0000 0xfffffa801a635240 chrome.exe 3648 4076 16 207 1 0 2018-08-04 19:33:38 UTC+0000 0xfffffa801a5ef1f0 chrome.exe 1796 4076 15 170 1 0 2018-08-04 19:33:41 UTC+0000 0xfffffa801b08f060 sc.exe 3208 3880 0 -------- 0 0 2018-08-04 19:33:47 UTC+0000 2018-08-04 19:33:48 UTC+0000 0xfffffa801aeb6890 sc.exe 452 3880 0 -------- 0 0 2018-08-04 19:33:48 UTC+0000 2018-08-04 19:33:48 UTC+0000 0xfffffa801aa72b30 sc.exe 3504 3880 0 -------- 0 0 2018-08-04 19:33:48 UTC+0000 2018-08-04 19:33:48 UTC+0000 0xfffffa801ac01060 sc.exe 2028 3880 0 -------- 0 0 2018-08-04 19:33:49 UTC+0000 2018-08-04 19:34:03 UTC+0000 0xfffffa801aad1060 Lavasoft.WCAss 3496 492 14 473 0 0 2018-08-04 19:33:49 UTC+0000 0xfffffa801a6268b0 WebCompanion.e 3856 3880 15 386 0 1 2018-08-04 19:34:05 UTC+0000 0xfffffa801b1fd960 notepad.exe 3304 3132 2 79 1 0 2018-08-04 19:34:10 UTC+0000 0xfffffa801a572b30 cmd.exe 3916 1428 0 -------- 0 0 2018-08-04 19:34:22 UTC+0000 2018-08-04 19:34:22 UTC+0000 0xfffffa801a6643d0 conhost.exe 2420 348 0 30 0 0 2018-08-04 19:34:22 UTC+0000 2018-08-04 19:34:22 UTC+0000
嗯 某种程度上,它不是很方便地分析。 我们还有另一个插件pstree ,它以树的形式显示进程(通常是逻辑上的):
上市 $ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pstree Name Pid PPid Thds Hnds Time -------------------------------------------------- ------ ------ ------ ------ ---- 0xfffffa801b27e060:explorer.exe 2728 2696 33 854 2018-08-04 19:27:04 UTC+0000 . 0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000 .. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000 . 0xfffffa801b2f02e0:WebCompanion.e 2844 2728 0 ------ 2018-08-04 19:27:07 UTC+0000 . 0xfffffa801a4e3870:chrome.exe 4076 2728 44 1160 2018-08-04 19:29:30 UTC+0000 .. 0xfffffa801a4eab30:chrome.exe 4084 4076 8 86 2018-08-04 19:29:30 UTC+0000 .. 0xfffffa801a5ef1f0:chrome.exe 1796 4076 15 170 2018-08-04 19:33:41 UTC+0000 .. 0xfffffa801aa00a90:chrome.exe 3924 4076 16 228 2018-08-04 19:29:51 UTC+0000 .. 0xfffffa801a635240:chrome.exe 3648 4076 16 207 2018-08-04 19:33:38 UTC+0000 .. 0xfffffa801a502b30:chrome.exe 576 4076 2 58 2018-08-04 19:29:31 UTC+0000 .. 0xfffffa801a4f7b30:chrome.exe 1808 4076 13 229 2018-08-04 19:29:32 UTC+0000 .. 0xfffffa801a7f98f0:chrome.exe 2748 4076 15 181 2018-08-04 19:31:15 UTC+0000 . 0xfffffa801b5cb740:LunarMS.exe 708 2728 18 346 2018-08-04 19:27:39 UTC+0000 . 0xfffffa801b1cdb30:vmtoolsd.exe 2804 2728 6 190 2018-08-04 19:27:06 UTC+0000 . 0xfffffa801b290b30:BitTorrent.exe 2836 2728 24 471 2018-08-04 19:27:07 UTC+0000 .. 0xfffffa801b4c9b30:bittorrentie.e 2624 2836 13 316 2018-08-04 19:27:21 UTC+0000 .. 0xfffffa801b4a7b30:bittorrentie.e 2308 2836 15 337 2018-08-04 19:27:19 UTC+0000 0xfffffa8018d44740:System 4 0 95 411 2018-08-04 19:26:03 UTC+0000 . 0xfffffa801947e4d0:smss.exe 260 4 2 30 2018-08-04 19:26:03 UTC+0000 0xfffffa801a2ed060:wininit.exe 396 336 3 78 2018-08-04 19:26:11 UTC+0000 . 0xfffffa801ab377c0:services.exe 492 396 11 242 2018-08-04 19:26:12 UTC+0000 .. 0xfffffa801afe7800:svchost.exe 1948 492 6 96 2018-08-04 19:26:42 UTC+0000 .. 0xfffffa801ae92920:vmtoolsd.exe 1428 492 9 313 2018-08-04 19:26:27 UTC+0000 ... 0xfffffa801a572b30:cmd.exe 3916 1428 0 ------ 2018-08-04 19:34:22 UTC+0000 .. 0xfffffa801ae0f630:VGAuthService. 1356 492 3 85 2018-08-04 19:26:25 UTC+0000 .. 0xfffffa801abbdb30:vmacthlp.exe 668 492 3 56 2018-08-04 19:26:16 UTC+0000 .. 0xfffffa801aad1060:Lavasoft.WCAss 3496 492 14 473 2018-08-04 19:33:49 UTC+0000 .. 0xfffffa801a6af9f0:svchost.exe 164 492 12 147 2018-08-04 19:28:42 UTC+0000 .. 0xfffffa801ac2e9e0:svchost.exe 808 492 22 508 2018-08-04 19:26:18 UTC+0000 ... 0xfffffa801ac753a0:audiodg.exe 960 808 7 151 2018-08-04 19:26:19 UTC+0000 .. 0xfffffa801ae7f630:dllhost.exe 1324 492 15 207 2018-08-04 19:26:42 UTC+0000 .. 0xfffffa801a6c2700:mscorsvw.exe 3124 492 7 77 2018-08-04 19:28:43 UTC+0000 .. 0xfffffa801b232060:sppsvc.exe 2500 492 4 149 2018-08-04 19:26:58 UTC+0000 .. 0xfffffa801abebb30:svchost.exe 712 492 8 301 2018-08-04 19:26:17 UTC+0000 .. 0xfffffa801ad718a0:svchost.exe 1164 492 18 312 2018-08-04 19:26:23 UTC+0000 .. 0xfffffa801ac31b30:svchost.exe 844 492 17 396 2018-08-04 19:26:18 UTC+0000 ... 0xfffffa801b1fab30:dwm.exe 2704 844 4 97 2018-08-04 19:27:04 UTC+0000 .. 0xfffffa801988c2d0:PresentationFo 724 492 6 148 2018-08-04 19:27:52 UTC+0000 .. 0xfffffa801b603610:mscorsvw.exe 412 492 7 86 2018-08-04 19:28:42 UTC+0000 .. 0xfffffa8018e3c890:svchost.exe 604 492 11 376 2018-08-04 19:26:16 UTC+0000 ... 0xfffffa8019124b30:WmiPrvSE.exe 1800 604 9 222 2018-08-04 19:26:39 UTC+0000 ... 0xfffffa801b112060:WmiPrvSE.exe 2136 604 12 324 2018-08-04 19:26:51 UTC+0000 .. 0xfffffa801ad5ab30:spoolsv.exe 1120 492 14 346 2018-08-04 19:26:22 UTC+0000 .. 0xfffffa801ac4db30:svchost.exe 868 492 45 1114 2018-08-04 19:26:18 UTC+0000 .. 0xfffffa801a6e4b30:svchost.exe 3196 492 14 352 2018-08-04 19:28:44 UTC+0000 .. 0xfffffa801acd37e0:svchost.exe 620 492 19 415 2018-08-04 19:26:21 UTC+0000 .. 0xfffffa801b1e9b30:taskhost.exe 2344 492 8 193 2018-08-04 19:26:57 UTC+0000 .. 0xfffffa801ac97060:svchost.exe 1012 492 12 554 2018-08-04 19:26:20 UTC+0000 .. 0xfffffa801b3aab30:SearchIndexer. 3064 492 11 610 2018-08-04 19:27:14 UTC+0000 .. 0xfffffa801aff3b30:msdtc.exe 1436 492 14 155 2018-08-04 19:26:43 UTC+0000 . 0xfffffa801ab3f060:lsass.exe 500 396 7 610 2018-08-04 19:26:12 UTC+0000 . 0xfffffa801ab461a0:lsm.exe 508 396 10 148 2018-08-04 19:26:12 UTC+0000 0xfffffa801a0c8380:csrss.exe 348 336 9 563 2018-08-04 19:26:10 UTC+0000 . 0xfffffa801a6643d0:conhost.exe 2420 348 0 30 2018-08-04 19:34:22 UTC+0000 0xfffffa80198d3b30:csrss.exe 388 380 11 460 2018-08-04 19:26:11 UTC+0000 0xfffffa801aaf4060:winlogon.exe 432 380 3 113 2018-08-04 19:26:11 UTC+0000 0xfffffa801b18f060:WebCompanionIn 3880 1484 15 522 2018-08-04 19:33:07 UTC+0000 . 0xfffffa801aa72b30:sc.exe 3504 3880 0 ------ 2018-08-04 19:33:48 UTC+0000 . 0xfffffa801aeb6890:sc.exe 452 3880 0 ------ 2018-08-04 19:33:48 UTC+0000 . 0xfffffa801a6268b0:WebCompanion.e 3856 3880 15 386 2018-08-04 19:34:05 UTC+0000 . 0xfffffa801b08f060:sc.exe 3208 3880 0 ------ 2018-08-04 19:33:47 UTC+0000 . 0xfffffa801ac01060:sc.exe 2028 3880 0 ------ 2018-08-04 19:33:49 UTC+0000 0xfffffa801b1fd960:notepad.exe 3304 3132 2 79 2018-08-04 19:34:10 UTC+0000
!
0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000 .. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000
, PID' 3820 PID' 3720. . dll-, :
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3820 Volatility Foundation Volatility Framework 2.6 ************************************************************************ Rick And Morty pid: 3820 Command line : "C:\Torrents\Rick And Morty season 1 download.exe" Note: use ldrmodules for listing DLLs in Wow64 processes Base Size LoadCount Path ------------------ ------------------ ------------------ ---- 0x0000000000400000 0x56000 0xffff C:\Torrents\Rick And Morty season 1 download.exe 0x00000000776f0000 0x1a9000 0xffff C:\Windows\SYSTEM32\ntdll.dll 0x0000000075210000 0x3f000 0x3 C:\Windows\SYSTEM32\wow64.dll 0x00000000751b0000 0x5c000 0x1 C:\Windows\SYSTEM32\wow64win.dll 0x00000000751a0000 0x8000 0x1 C:\Windows\SYSTEM32\wow64cpu.dll
. Exe ? - . ntdll.dll . dll, 3720:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720 Volatility Foundation Volatility Framework 2.6 ************************************************************************ vmware-tray.ex pid: 3720 Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe" Note: use ldrmodules for listing DLLs in Wow64 processes Base Size LoadCount Path ------------------ ------------------ ------------------ ---- 0x0000000000ec0000 0x6e000 0xffff C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe 0x00000000776f0000 0x1a9000 0xffff C:\Windows\SYSTEM32\ntdll.dll 0x0000000075210000 0x3f000 0x3 C:\Windows\SYSTEM32\wow64.dll 0x00000000751b0000 0x5c000 0x1 C:\Windows\SYSTEM32\wow64win.dll 0x00000000751a0000 0x8000 0x1 C:\Windows\SYSTEM32\wow64cpu.dll
. . , , , . memdump :
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 3720 --dump-dir=%___% Volatility Foundation Volatility Framework 2.6 Process(V) ImageBase Name Result ------------------ ------------------ -------------------- ------ 0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex OK: executable.3720.exe
, , , , .NET, . — , . . .
Bit by Bit Graphics is for the weak
- , !
1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M , . ,
Recovery
. !
, , , . CreatePassword . -, "" :
public string CreatePassword(int length) { StringBuilder stringBuilder = new StringBuilder(); Random random = new Random(); while (0 < length--) { stringBuilder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"[random.Next("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/".Length)]); } return stringBuilder.ToString(); }
, . abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/ , . , , - :D
, :
public void startAction() { string password = this.CreatePassword(15); string str = "\\Desktop\\"; string location = this.userDir + this.userName + str; this.SendPassword(password); this.encryptDirectory(location, password); this.messageCreator(); }
- , , 15 . , :`
$ strings 3720.dmp > analyze.txt && wc -l 1589147 analyze.txt
. , , , - . !
$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | wc -l 2915
, . — - , . , - . , :
$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | less 444444440444444 66666FFFFFFFFFF 444444444444433 CLIPBRDWNDCLASS utav4823DF041B0 aDOBofVYUNVnmp7 444444440444444 66666FFFFFFFFFF 444444444444433 ffnLffnLffnpffm lemeneoepeqerep .........
, . b03f5f7f11d50a3a . , 3K . :) :
$ $ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{15}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|ID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory' | uniq | less ssssssssssssssss b03f5f7f11d50a3a CryptoStreamMode ContainerControl ICryptoTransform encryptDirectory MSTaskListWClass ssssssssssssssss `ubugukupuvuxuzu PAQARASATAUAVAWA MRNRORPRQRRRSRTR D!E!F!G!H!I!J!K! ......
, - . , BruteForce
, — , . . aDOBofVYUNVnmp7 , .
而不是结论
, . - — , . , . . , - . , , , , - — . :3