
CTF memory forensics and an analysis of a real D0g3 (Anxun Cup) challenge

Luz  4 years ago (2019-12-01)  DayDayUp  5432
root@kali:~# volatility -f /root/桌面/mem.dump imageinfo // identify the OS version (profile) of the dump
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/桌面/mem.dump)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003e02110L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80003e03d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-11-13 08:39:44 UTC+0000
     Image local date and time : 2019-11-13 16:39:44 +0800

The dump is from Win7SP1x64.

All subsequent commands take the form:

volatility -f <file> --profile=<profile of the dump> <command>
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccc1b10 System                    4      0     88      534 ------      0 2019-11-13 08:31:48 UTC+0000                                 
0xfffffa800d2fbb10 smss.exe                252      4      2       29 ------      0 2019-11-13 08:31:48 UTC+0000                                 
0xfffffa800e2227e0 csrss.exe               344    328      9      400      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e3f3340 wininit.exe             396    328      3       79      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e3f77d0 csrss.exe               404    388     10      225      1      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e41fb10 winlogon.exe            444    388      3      111      1      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e457060 services.exe            500    396      8      210      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e426b10 lsass.exe               508    396      6      554      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e464060 lsm.exe                 516    396      9      145      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e4f8b10 svchost.exe             608    500     10      351      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e52bb10 svchost.exe             684    500      8      273      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e570b10 svchost.exe             768    500     21      443      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e5b5b10 svchost.exe             816    500     16      381      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e5d7870 svchost.exe             860    500     18      666      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e5f8b10 svchost.exe             888    500     37      919      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e66c870 svchost.exe            1016    500      5      114      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e74fb10 svchost.exe            1032    500     15      364      0      0 2019-11-13 08:31:51 UTC+0000                                 
0xfffffa800e510320 spoolsv.exe            1156    500     13      273      0      0 2019-11-13 08:31:51 UTC+0000                                 
0xfffffa800e5b0060 svchost.exe            1184    500     11      194      0      0 2019-11-13 08:31:51 UTC+0000                                 
0xfffffa800e56e060 svchost.exe            1276    500     10      155      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e685060 svchost.exe            1308    500     12      228      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e632060 svchost.exe            1380    500      4      167      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e692060 VGAuthService.         1480    500      4       94      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e7dab10 vmtoolsd.exe           1592    500     11      287      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e8a7720 svchost.exe            1824    500      6       92      0      0 2019-11-13 08:31:53 UTC+0000                                 
0xfffffa800e898300 WmiPrvSE.exe           1980    608     10      203      0      0 2019-11-13 08:31:53 UTC+0000                                 
0xfffffa800e8e9b10 dllhost.exe            2044    500     15      197      0      0 2019-11-13 08:31:53 UTC+0000                                 
0xfffffa800e90d840 msdtc.exe              1320    500     14      152      0      0 2019-11-13 08:31:54 UTC+0000                                 
0xfffffa800e991b10 taskhost.exe           2208    500     10      264      1      0 2019-11-13 08:31:56 UTC+0000                                 
0xfffffa800e44a7a0 dwm.exe                2268    816      7      144      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800e9b8b10 explorer.exe           2316   2260     25      699      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800ea4f060 vm3dservice.ex         2472   2316      2       40      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800ea54b10 vmtoolsd.exe           2480   2316      9      188      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800ea9ab10 rundll32.exe           2968   2620      6      611      1      1 2019-11-13 08:32:02 UTC+0000                                 
0xfffffa800e8b59c0 WmiPrvSE.exe           2764    608     11      316      0      0 2019-11-13 08:32:13 UTC+0000                                 
0xfffffa800ea75b10 cmd.exe                2260   2316      1       20      1      0 2019-11-13 08:33:45 UTC+0000                                 
0xfffffa800e687330 conhost.exe            2632    404      2       63      1      0 2019-11-13 08:33:45 UTC+0000                                 
0xfffffa800e41db10 WmiApSrv.exe           2792    500      4      113      0      0 2019-11-13 08:34:27 UTC+0000                                 
0xfffffa800ed68840 CnCrypt.exe            1608   2316      4      115      1      1 2019-11-13 08:34:40 UTC+0000                                 
0xfffffa800e4a5b10 audiodg.exe            2100    768      6      130      0      0 2019-11-13 08:39:29 UTC+0000                                 
0xfffffa800ea57b10 DumpIt.exe             1072   2316      1       26      1      1 2019-11-13 08:39:43 UTC+0000                                 
0xfffffa800ea1c060 conhost.exe            2748    404      2       62      1      0 2019-11-13 08:39:43 UTC+0000

List the processes

volatility -f <file> --profile=<profile> memdump -p [PID] -D [directory to save the dumped file]

Dump the memory of a process
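As an added example (not part of the original write-up), a small parser for the pslist output above. Besides building the parent/child map, it flags the detail that is easy to miss in that table: explorer.exe (PID 2316) reports PPID 2260, yet PID 2260 is cmd.exe, started after explorer, so explorer's real parent has exited and its PID was reused. The sample lines are a constructed subset copied from the listing above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the pslist lines shown above (Win7SP1x64 image).
PSLIST_SAMPLE = """\
0xfffffa800ccc1b10 System                    4      0     88      534 ------      0 2019-11-13 08:31:48 UTC+0000
0xfffffa800e9b8b10 explorer.exe           2316   2260     25      699      1      0 2019-11-13 08:31:57 UTC+0000
0xfffffa800ea75b10 cmd.exe                2260   2316      1       20      1      0 2019-11-13 08:33:45 UTC+0000
0xfffffa800ed68840 CnCrypt.exe            1608   2316      4      115      1      1 2019-11-13 08:34:40 UTC+0000
0xfffffa800ea57b10 DumpIt.exe             1072   2316      1       26      1      1 2019-11-13 08:39:43 UTC+0000
"""

# Offset  Name  PID  PPID  Thds  Hnds  Sess  Wow64  Start (Exit column may be empty)
LINE_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
)

def parse_pslist(text):
    """Return {pid: {name, ppid, wow64, start}}; header/separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _offset, name, pid, ppid, _thds, _hnds, _sess, wow64, start = m.groups()
        procs[int(pid)] = {
            "name": name, "ppid": int(ppid), "wow64": wow64 == "1",
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
        }
    return procs

def find_reused_ppids(procs):
    """Processes whose listed parent started AFTER them: the original parent has
    exited and its PID was reused, so the parent/child link is misleading."""
    out = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent and parent["start"] > p["start"]:
            out.append((pid, p["name"], p["ppid"], parent["name"]))
    return out

def children_of(procs, parent_name):
    """Names of the processes whose PPID belongs to a process called parent_name."""
    return sorted(p["name"] for p in procs.values()
                  if procs.get(p["ppid"], {}).get("name") == parent_name)
```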

root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6

CommandProcess: conhost.exe Pid: 2632
CommandHistory: 0x242350 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x2229d0: flag.ccx_password_is_same_with_Administrator 

CommandProcess: conhost.exe Pid: 2748
CommandHistory: 0x2926d0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60

cmdscan recovers the commands that were typed into cmd. From this we learn that a file flag.ccx exists

and that its password is the same as the Administrator password.

root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 filescan | grep flag.ccx
Volatility Foundation Volatility Framework 2.6
0x000000003e435890     15      0 R--rw- \Device\HarddiskVolume2\Users\Administrator\Desktop\flag.ccx

Search for the file flag.ccx

The file object is at offset 0x3e435890

root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 dumpfiles -Q 0x3e435890 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e435890   None   \Device\HarddiskVolume2\Users\Administrator\Desktop\flag.ccx

Dump the file


The dumped file (screenshot)

Next, find the Administrator password

root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64  printkey -K "SAM\Domains\Account\Users\Names"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \SystemRoot\System32\Config\SAM
Key name: Names (S)
Last updated: 2019-10-15 02:56:47 UTC+0000
Subkeys:
  (S) Administrator
  (S) Guest
Values:
REG_NONE                      : (S)

List the users in the SAM hive

root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64  hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001cfd010 0x0000000039828010 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a002fa2010 0x0000000013a3f010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x0000000023385010 [no name]
0xfffff8a000024010 0x0000000023510010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000064010 0x0000000023552010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0000e7410 0x0000000011bcc410 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000100360 0x0000000015346360 \SystemRoot\System32\Config\SECURITY
0xfffff8a0003f4410 0x000000001527d410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0007ae010 0x000000001d867010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0012d4010 0x000000001c938010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001590010 0x000000001151a010 \SystemRoot\System32\Config\SAM
0xfffff8a0015ca010 0x00000000111a3010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a001c34010 0x0000000039803010 \??\C:\Users\Administrator\ntuser.dat

Get the virtual addresses of the SYSTEM and SAM hives: 0xfffff8a000024010 and 0xfffff8a001590010 respectively

root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64  hashdump -y 0xfffff8a000024010 -s 0xfffff8a001590010
Volatility Foundation Volatility Framework 2.6
Administrator:500:6377a2fdb0151e35b75e0c8d76954a50:0d546438b1f4c396753b4fc8c8565d5b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

hashdump extracts the users' password hashes

Look up the hash on CMD5 to obtain the password of the Administrator account
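As an added example (not from the original write-up), a parser that automates the two manual steps above: it pulls the SYSTEM and SAM virtual addresses out of the hivelist output and assembles the hashdump command, then parses the hashdump lines and reports which accounts still have an empty password (Guest here) and which still have an LM hash stored. The sample lines are copied from the outputs above; the empty-password LM/NT hash constants are the well-known values.

```python
import re

# Constructed sample: hivelist lines copied from the output above.
HIVELIST_SAMPLE = """\
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x0000000023510010 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a000100360 0x0000000015346360 \\SystemRoot\\System32\\Config\\SECURITY
0xfffff8a001590010 0x000000001151a010 \\SystemRoot\\System32\\Config\\SAM
"""

# Constructed sample: the two hashdump lines from the output above.
HASHDUMP_SAMPLE = """\
Administrator:500:6377a2fdb0151e35b75e0c8d76954a50:0d546438b1f4c396753b4fc8c8565d5b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Well-known hashes of the empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HIVE_RE = re.compile(r"^(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+(\S.*)$")

def hive_addresses(text):
    """Map a hive's short name (SYSTEM, SAM, ...) to its virtual address."""
    hives = {}
    for line in text.splitlines():
        m = HIVE_RE.match(line)
        if m:  # last path component, e.g. \REGISTRY\MACHINE\SYSTEM -> SYSTEM
            hives[m.group(2).rstrip("\\").split("\\")[-1].upper()] = m.group(1)
    return hives

def hashdump_cmdline(image, profile, hives):
    """Assemble the hashdump invocation (-y SYSTEM, -s SAM) typed by hand above."""
    return (f"volatility -f {image} --profile={profile} hashdump "
            f"-y {hives['SYSTEM']} -s {hives['SAM']}")

def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines; flag blank NT hashes and stored LM hashes."""
    accounts = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm_stored": lm != EMPTY_LM, "empty_password": nt == EMPTY_NT})
    return accounts
```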


======================= At this point the encrypted file and the user password have both been extracted ========================


When listing the processes earlier we noticed CnCrypt.exe,

so we guess the file was encrypted with CnCrypt.

Load it in CnCrypt (with the recovered password) to obtain the flag.

======================================================================

Other Volatility commands

hivedump prints the data of a registry hive:

volatility -f name --profile=WinXPSP2x86 hivedump -o <virtual address of the hive>


Show the list of DLLs loaded by each process:

volatility -f name --profile=Win7SP0x86 dlllist > dlllist.txt


Get the users in the SAM hive:

volatility -f name --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"


System logon account (Winlogon key):

volatility -f name --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


The UserAssist key records programs run from the system or the desktop: name, path, run count, last run time, etc.

volatility -f name --profile=WinXPSP2x86 userassist


Save the memory of a given process as a .dmp file:

volatility -f name --profile=WinXPSP2x86 memdump -p [PID] -D [directory to save the dumped file]


Extract the cmd command history retained in memory:

volatility -f name --profile=WinXPSP2x86 cmdscan


Get the network connections at the time of capture:

volatility -f name --profile=WinXPSP2x86 netscan


Get IE browser history:

volatility -f name --profile=WinXPSP2x86 iehistory


The system password hashes held in memory can be extracted with hashdump:

volatility -f name --profile=WinXPSP2x86 hashdump -y <virtual address of the SYSTEM hive> -s <virtual address of the SAM hive>
volatility -f name --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe16aab60
volatility -f name --profile=WinXPSP2x86 timeliner


Find files and dump a specific process:

volatility -f name --profile=Win7SP1x64 memdump -D . -p 2872
strings -e l ./2872.dmp | grep flag
volatility -f name --profile=Win7SP1x64 dumpfiles -Q 0x000000007e410890 -n --dump-dir=./


Matching account names to passwords from the hashes:

Dump the hashes, then crack them with john filename --format=NT


Process scan (psscan):

volatility -f name --profile=Win7SP1x64 psscan


Search for flag strings:

strings -e l 2616.dmp | grep flag


Find images:

volatility -f name --profile=Win7SP1x64 filescan | grep -E 'jpg|png|jpeg|bmp|gif'
volatility -f name --profile=Win7SP1x64 netscan


Registry parsing:

volatility -f name --profile=Win7SP1x64 hivelist
volatility -f name --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K "ControlSet001\Control"


Clipboard (copy/cut):

volatility -f name --profile=Win7SP1x64 clipboard
volatility -f name --profile=Win7SP1x64 dlllist -p 3820


Dump all processes:

volatility -f name --profile=Win7SP1x64 memdump -n chrome -D .
Use strings on the dump to search for "download"
python vol.py -f name --profile=Win7SP1x86 shimcache


svcscan lists the services:

python vol.py -f name --profile=Win7SP1x86 svcscan

