CTF Memory Forensics and a Walkthrough of a Real 安洵杯 Challenge
root@kali:~# volatility -f /root/桌面/mem.dump imageinfo    # identify the OS version of the dump
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/桌面/mem.dump)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003e02110L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80003e03d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-11-13 08:39:44 UTC+0000
     Image local date and time : 2019-11-13 16:39:44 +0800

The dump is from Win7SP1x64: the first suggested profile, and "Image Type (Service Pack) : 1" confirms SP1. The Win2008R2 profiles appear in the list because Server 2008 R2 shares the Windows 7 x64 kernel. Every later command has to carry that profile:

volatility -f <dump file> --profile=<profile> <plugin>
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccc1b10 System                    4      0     88      534 ------      0 2019-11-13 08:31:48 UTC+0000
0xfffffa800d2fbb10 smss.exe                252      4      2       29 ------      0 2019-11-13 08:31:48 UTC+0000
0xfffffa800e2227e0 csrss.exe               344    328      9      400      0      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e3f3340 wininit.exe             396    328      3       79      0      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e3f77d0 csrss.exe               404    388     10      225      1      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e41fb10 winlogon.exe            444    388      3      111      1      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e457060 services.exe            500    396      8      210      0      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e426b10 lsass.exe               508    396      6      554      0      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e464060 lsm.exe                 516    396      9      145      0      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e4f8b10 svchost.exe             608    500     10      351      0      0 2019-11-13 08:31:50 UTC+0000
0xfffffa800e52bb10 svchost.exe             684    500      8      273      0      0 2019-11-13 08:31:50 UTC+0000
0xfffffa800e570b10 svchost.exe             768    500     21      443      0      0 2019-11-13 08:31:50 UTC+0000
0xfffffa800e5b5b10 svchost.exe             816    500     16      381      0      0 2019-11-13 08:31:50 UTC+0000
0xfffffa800e5d7870 svchost.exe             860    500     18      666      0      0 2019-11-13 08:31:50 UTC+0000
0xfffffa800e5f8b10 svchost.exe             888    500     37      919      0      0 2019-11-13 08:31:50 UTC+0000
0xfffffa800e66c870 svchost.exe            1016    500      5      114      0      0 2019-11-13 08:31:50 UTC+0000
0xfffffa800e74fb10 svchost.exe            1032    500     15      364      0      0 2019-11-13 08:31:51 UTC+0000
0xfffffa800e510320 spoolsv.exe            1156    500     13      273      0      0 2019-11-13 08:31:51 UTC+0000
0xfffffa800e5b0060 svchost.exe            1184    500     11      194      0      0 2019-11-13 08:31:51 UTC+0000
0xfffffa800e56e060 svchost.exe            1276    500     10      155      0      0 2019-11-13 08:31:52 UTC+0000
0xfffffa800e685060 svchost.exe            1308    500     12      228      0      0 2019-11-13 08:31:52 UTC+0000
0xfffffa800e632060 svchost.exe            1380    500      4      167      0      0 2019-11-13 08:31:52 UTC+0000
0xfffffa800e692060 VGAuthService.         1480    500      4       94      0      0 2019-11-13 08:31:52 UTC+0000
0xfffffa800e7dab10 vmtoolsd.exe           1592    500     11      287      0      0 2019-11-13 08:31:52 UTC+0000
0xfffffa800e8a7720 svchost.exe            1824    500      6       92      0      0 2019-11-13 08:31:53 UTC+0000
0xfffffa800e898300 WmiPrvSE.exe           1980    608     10      203      0      0 2019-11-13 08:31:53 UTC+0000
0xfffffa800e8e9b10 dllhost.exe            2044    500     15      197      0      0 2019-11-13 08:31:53 UTC+0000
0xfffffa800e90d840 msdtc.exe              1320    500     14      152      0      0 2019-11-13 08:31:54 UTC+0000
0xfffffa800e991b10 taskhost.exe           2208    500     10      264      1      0 2019-11-13 08:31:56 UTC+0000
0xfffffa800e44a7a0 dwm.exe                2268    816      7      144      1      0 2019-11-13 08:31:57 UTC+0000
0xfffffa800e9b8b10 explorer.exe           2316   2260     25      699      1      0 2019-11-13 08:31:57 UTC+0000
0xfffffa800ea4f060 vm3dservice.ex         2472   2316      2       40      1      0 2019-11-13 08:31:57 UTC+0000
0xfffffa800ea54b10 vmtoolsd.exe           2480   2316      9      188      1      0 2019-11-13 08:31:57 UTC+0000
0xfffffa800ea9ab10 rundll32.exe           2968   2620      6      611      1      1 2019-11-13 08:32:02 UTC+0000
0xfffffa800e8b59c0 WmiPrvSE.exe           2764    608     11      316      0      0 2019-11-13 08:32:13 UTC+0000
0xfffffa800ea75b10 cmd.exe                2260   2316      1       20      1      0 2019-11-13 08:33:45 UTC+0000
0xfffffa800e687330 conhost.exe            2632    404      2       63      1      0 2019-11-13 08:33:45 UTC+0000
0xfffffa800e41db10 WmiApSrv.exe           2792    500      4      113      0      0 2019-11-13 08:34:27 UTC+0000
0xfffffa800ed68840 CnCrypt.exe            1608   2316      4      115      1      1 2019-11-13 08:34:40 UTC+0000
0xfffffa800e4a5b10 audiodg.exe            2100    768      6      130      0      0 2019-11-13 08:39:29 UTC+0000
0xfffffa800ea57b10 DumpIt.exe             1072   2316      1       26      1      1 2019-11-13 08:39:43 UTC+0000
0xfffffa800ea1c060 conhost.exe            2748    404      2       62      1      0 2019-11-13 08:39:43 UTC+0000

pslist lists the processes (Wow64 = 1 marks 32-bit processes on this 64-bit system). Three things in this list matter for the rest of the challenge: cmd.exe (PID 2260), CnCrypt.exe (1608) and DumpIt.exe (1072) are all children of explorer.exe (2316), so they were started by the logged-on user; CnCrypt is an encryption tool, so an encrypted container is to be expected; and the PPID of explorer.exe is 2260, the same number as the PID of cmd.exe, but cmd.exe started almost two minutes after explorer.exe, so this is a PID reused after explorer's real parent exited, not cmd.exe launching the shell.
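The parent/child reasoning above is worth automating, because PID reuse and exited parents are easy to misread in a raw pslist table. The following Python is an added example for this write-up, not code from the original page or from Volatility: it parses pslist text, rebuilds a pstree-style view, and flags processes whose parent is gone, whose parent started after them (PID reuse), or which run under WOW64. PSLIST_SAMPLE is a constructed excerpt of the pslist output shown above.

```python
"""Sanity-check the parent/child relationships in Volatility 2 pslist output.

Added example for this write-up; it is not code from the original page or from
Volatility. PSLIST_SAMPLE is a constructed excerpt of the pslist output above.
"""
from datetime import datetime

PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccc1b10 System                    4      0     88      534 ------      0 2019-11-13 08:31:48 UTC+0000
0xfffffa800d2fbb10 smss.exe                252      4      2       29 ------      0 2019-11-13 08:31:48 UTC+0000
0xfffffa800e3f3340 wininit.exe             396    328      3       79      0      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e3f77d0 csrss.exe               404    388     10      225      1      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e457060 services.exe            500    396      8      210      0      0 2019-11-13 08:31:49 UTC+0000
0xfffffa800e9b8b10 explorer.exe           2316   2260     25      699      1      0 2019-11-13 08:31:57 UTC+0000
0xfffffa800ea9ab10 rundll32.exe           2968   2620      6      611      1      1 2019-11-13 08:32:02 UTC+0000
0xfffffa800ea75b10 cmd.exe                2260   2316      1       20      1      0 2019-11-13 08:33:45 UTC+0000
0xfffffa800e687330 conhost.exe            2632    404      2       63      1      0 2019-11-13 08:33:45 UTC+0000
0xfffffa800ed68840 CnCrypt.exe            1608   2316      4      115      1      1 2019-11-13 08:34:40 UTC+0000
0xfffffa800ea57b10 DumpIt.exe             1072   2316      1       26      1      1 2019-11-13 08:39:43 UTC+0000
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_pslist(text):
    """Return {pid: record} for every process row; header and separator lines are skipped.
    Assumes the Name column has no spaces (Volatility truncates names to 14 characters)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11 or not parts[0].startswith("0x"):
            continue
        # Columns: offset name pid ppid thds hnds sess wow64 date time tz [date time tz]
        rec = {
            "name": parts[1],
            "pid": int(parts[2]),
            "ppid": int(parts[3]),
            "session": None if parts[6].startswith("-") else int(parts[6]),
            "wow64": parts[7] == "1",
            "start": datetime.strptime(parts[8] + " " + parts[9], TIME_FMT),
            "exit": datetime.strptime(parts[11] + " " + parts[12], TIME_FMT) if len(parts) >= 14 else None,
        }
        procs[rec["pid"]] = rec
    return procs


def real_parent(procs, p):
    """PID of the parent if it is in the list and started before the child; otherwise None
    (parent exited, or the PPID number has since been reused by an unrelated process)."""
    parent = procs.get(p["ppid"])
    if p["ppid"] == 0 or parent is None or parent["start"] > p["start"]:
        return None
    return parent["pid"]


def check_lineage(procs):
    """Flag processes whose parent is gone, whose parent started after them (PID reuse),
    or which run under WOW64 (32-bit code on a 64-bit box)."""
    issues = {}
    for p in procs.values():
        tags = []
        if p["ppid"] != 0:
            parent = procs.get(p["ppid"])
            if parent is None:
                tags.append("parent-missing")
            elif parent["start"] > p["start"]:
                tags.append("pid-reuse")
        if p["wow64"]:
            tags.append("wow64")
        if tags:
            issues[p["pid"]] = tags
    return issues


def children_of(procs, parent_name):
    """Names of the processes started by the named parent, oldest first."""
    parents = {pid for pid, p in procs.items() if p["name"] == parent_name}
    kids = [p for p in procs.values() if p["ppid"] in parents]
    return [p["name"] for p in sorted(kids, key=lambda p: p["start"])]


def render_tree(procs, parent=None, depth=0, lines=None):
    """pstree-style view rebuilt from the records; roots are processes with no real parent."""
    lines = [] if lines is None else lines
    for p in sorted(procs.values(), key=lambda p: p["pid"]):
        if real_parent(procs, p) == parent:
            lines.append("  " * depth + f"{p['name']} ({p['pid']}, parent {p['ppid']})")
            render_tree(procs, p["pid"], depth + 1, lines)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    print("\n".join(render_tree(procs)))
    for pid, tags in sorted(check_lineage(procs).items()):
        print(f"PID {pid:>5} {procs[pid]['name']:<16} {', '.join(tags)}")
    print("started by explorer.exe:", children_of(procs, "explorer.exe"))
```

On Windows 7 a "parent-missing" tag on csrss.exe and wininit.exe is normal: the per-session smss.exe that launches them exits right away. The interesting findings are the pid-reuse tag on explorer.exe and the user-launched children of explorer.exe, which is exactly where cmd.exe, CnCrypt.exe and DumpIt.exe show up. Feed the full pslist output to parse_pslist instead of the sample to run it on the real dump.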
volatility -f <dump file> --profile=<profile> memdump -p [PID] -D [directory for the dumped file]

Dumps a process's addressable memory to <PID>.dmp in that directory.
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6
CommandProcess: conhost.exe Pid: 2632
CommandHistory: 0x242350 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x2229d0: flag.ccx_password_is_same_with_Administrator
CommandProcess: conhost.exe Pid: 2748
CommandHistory: 0x2926d0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60

cmdscan recovers the command history that conhost.exe keeps for each console, so it shows what was typed into cmd.exe even though the window is gone from the screen. The single command here gives two facts: a file named flag.ccx exists, and its password is the same as the Administrator password. The second console belongs to DumpIt.exe, the tool used to take this memory image, and holds no commands.
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 filescan | grep flag.ccx
Volatility Foundation Volatility Framework 2.6
0x000000003e435890     15      0 R--rw- \Device\HarddiskVolume2\Users\Administrator\Desktop\flag.ccx

filescan finds the file object for flag.ccx on the Administrator's desktop. The first column, 0x3e435890, is the physical offset of the _FILE_OBJECT; that is the value dumpfiles -Q expects.
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 dumpfiles -Q 0x3e435890 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e435890   None   \Device\HarddiskVolume2\Users\Administrator\Desktop\flag.ccx

dumpfiles carves the file's cached data section out of memory and writes it into the dump directory (add -n to keep the original file name in the output name). Only pages that were still in the cache are recovered, so compare the size of the dumped file with what the application expects before assuming it is complete.
接下来寻找administrator的密码
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\Users\Names"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \SystemRoot\System32\Config\SAM
Key name: Names (S)
Last updated: 2019-10-15 02:56:47 UTC+0000

Subkeys:
  (S) Administrator
  (S) Guest

Values:
REG_NONE                      : (S)

Lists the accounts in the SAM hive: only Administrator and Guest exist.
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001cfd010 0x0000000039828010 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a002fa2010 0x0000000013a3f010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x0000000023385010 [no name]
0xfffff8a000024010 0x0000000023510010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000064010 0x0000000023552010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0000e7410 0x0000000011bcc410 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000100360 0x0000000015346360 \SystemRoot\System32\Config\SECURITY
0xfffff8a0003f4410 0x000000001527d410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0007ae010 0x000000001d867010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0012d4010 0x000000001c938010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001590010 0x000000001151a010 \SystemRoot\System32\Config\SAM
0xfffff8a0015ca010 0x00000000111a3010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a001c34010 0x0000000039803010 \??\C:\Users\Administrator\ntuser.dat

hivelist gives the virtual addresses of the SYSTEM and SAM hives: 0xfffff8a000024010 and 0xfffff8a001590010. Both are needed because the hashes stored in SAM are encrypted with a key (the boot key, or SysKey) that is derived from the SYSTEM hive.
root@kali:~# volatility -f /root/桌面/mem.dump --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a001590010
Volatility Foundation Volatility Framework 2.6
Administrator:500:6377a2fdb0151e35b75e0c8d76954a50:0d546438b1f4c396753b4fc8c8565d5b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

hashdump prints the password hashes in pwdump format, user:RID:LM hash:NT hash:::. Guest carries the well-known hashes of the empty password (LM aad3b435b51404eeaad3b435b51404ee, NT 31d6cfe0d16ae931b73c59d7e0c089c0), so only Administrator is of interest. Looking the hash up on CMD5 returns the Administrator password. Offline, john --format=NT or hashcat -m 1000 on the NT hash does the same without handing the hash to a third party, and the non-empty LM hash is the weaker target if the NT hash does not crack.
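The hive-address lookup and the hash triage above are the two steps people most often get wrong (passing the SAM address to -y, or spending time on the Guest hashes). The following Python is an added example for this write-up, not code from the original page or from Volatility: it picks the SYSTEM and SAM addresses out of hivelist output, builds the hashdump command line, and sorts the dumped hashes into what is worth cracking and in which hashcat mode. HIVELIST_SAMPLE and HASHDUMP_SAMPLE are constructed excerpts of the output shown above; the image name and profile handed to hashdump_cmd are placeholders.

```python
"""Pick the SYSTEM and SAM hive addresses out of hivelist output, build the hashdump
command line, and triage the dumped hashes before cracking.

Added example for this write-up; not code from the original page or from Volatility.
HIVELIST_SAMPLE and HASHDUMP_SAMPLE are constructed excerpts of the output shown
above; the image name and profile passed to hashdump_cmd are placeholders.
"""
import re

HIVELIST_SAMPLE = r"""
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001cfd010 0x0000000039828010 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a002fa2010 0x0000000013a3f010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x0000000023385010 [no name]
0xfffff8a000024010 0x0000000023510010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000064010 0x0000000023552010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000100360 0x0000000015346360 \SystemRoot\System32\Config\SECURITY
0xfffff8a001590010 0x000000001151a010 \SystemRoot\System32\Config\SAM
"""

HASHDUMP_SAMPLE = """\
Administrator:500:6377a2fdb0151e35b75e0c8d76954a50:0d546438b1f4c396753b4fc8c8565d5b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Hashes of the empty password; an account showing these has no password set.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hashes the password as two 7-character halves; an empty half hashes to this value.
EMPTY_LM_HALF = EMPTY_LM[:16]

HIVE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def find_hives(text):
    """Map hive role -> virtual address. Matching on the path suffix covers both the
    \\REGISTRY\\MACHINE\\... and the \\SystemRoot\\System32\\Config\\... spellings."""
    hives = {}
    for line in text.splitlines():
        m = HIVE_RE.match(line)
        if not m:
            continue
        virt, name = m.group(1), m.group(3).upper()
        if name.endswith("\\SYSTEM"):
            hives["SYSTEM"] = virt
        elif name.endswith("\\SAM"):
            hives["SAM"] = virt
    return hives


def hashdump_cmd(image, profile, hives):
    """The hashdump invocation: -y takes the SYSTEM hive (boot key), -s the SAM hive."""
    return (f"volatility -f {image} --profile={profile} hashdump "
            f"-y {hives['SYSTEM']} -s {hives['SAM']}")


def parse_hashdump(text):
    """pwdump lines user:RID:LM:NT::: -> list of account dicts."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        accounts.append({"user": fields[0], "rid": int(fields[1]),
                         "lm": fields[2].lower(), "nt": fields[3].lower()})
    return accounts


def triage(accounts):
    """Decide what is worth cracking for each account. A stored LM hash means the password
    is at most 14 characters; an empty second half means at most 7."""
    verdicts = {}
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            verdicts[a["user"]] = "empty password"
        elif a["lm"] == EMPTY_LM:
            verdicts[a["user"]] = "NT only"
        elif a["lm"][16:] == EMPTY_LM_HALF:
            verdicts[a["user"]] = "LM present, password <= 7 chars"
        else:
            verdicts[a["user"]] = "LM present, password 8-14 chars"
    return verdicts


def crack_targets(accounts):
    """Hash lists in the form hashcat expects: -m 1000 (NTLM) and -m 3000 (LM, one half each)."""
    nt, lm = [], []
    for a in accounts:
        if a["nt"] != EMPTY_NT:
            nt.append(a["nt"])
        if a["lm"] != EMPTY_LM:
            for half in (a["lm"][:16], a["lm"][16:]):
                if half != EMPTY_LM_HALF:
                    lm.append(half)
    return {"hashcat_1000": nt, "hashcat_3000": lm}


if __name__ == "__main__":
    hives = find_hives(HIVELIST_SAMPLE)
    print(hashdump_cmd("/root/桌面/mem.dump", "Win7SP1x64", hives))
    accounts = parse_hashdump(HASHDUMP_SAMPLE)
    for user, verdict in triage(accounts).items():
        print(f"{user:<16} {verdict}")
    print(crack_targets(accounts))
```

For this dump the triage says Administrator has a real LM hash whose second half is not empty, so the password is between 8 and 14 characters and can be attacked case-insensitively through the two LM halves (hashcat -m 3000) if the NT hash (hashcat -m 1000, or john --format=NT on the raw hashdump lines) does not fall first. The Guest line is skipped entirely.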
======================== Encrypted file and user password both extracted ========================
CnCrypt.exe showed up earlier in the process list, so the file was presumably encrypted with CnCrypt.
Open flag.ccx in CnCrypt with the Administrator password and the flag is inside.
======================================================================
Other Volatility commands
hivedump prints every key under a registry hive:
volatility -f name --profile=WinXPSP2x86 hivedump -o <virtual address of the hive, from hivelist>
Lists the DLLs loaded by every process (redirect to a file, the output is long):
volatility -f name --profile=Win7SP0x86 dlllist > dlllist.txt
Lists the accounts in the SAM hive:
volatility -f name --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"
Logon configuration (default user name, shell, auto-logon settings) from the Winlogon key:
volatility -f name --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
The UserAssist keys record programs launched through Explorer or the desktop: name, path, run count and last run time.
volatility -f name --profile=WinXPSP2x86 userassist
Saves one process's memory as a .dmp file (the plugin name memdump is required):
volatility -f name --profile=WinXPSP2x86 memdump -p [PID] -D [directory for the dumped file]
Recovers the cmd command history kept in memory:
volatility -f name --profile=WinXPSP2x86 cmdscan
Network connections at the time of the capture. netscan works on Vista and later; for XP/2003 profiles use connections, connscan, sockets and sockscan instead:
volatility -f name --profile=Win7SP1x64 netscan
volatility -f name --profile=WinXPSP2x86 connscan
IE browsing history:
volatility -f name --profile=WinXPSP2x86 iehistory
The system password hashes held in memory can be extracted with hashdump:
volatility -f name --profile=WinXPSP2x86 hashdump -y <virtual address of the SYSTEM hive> -s <virtual address of the SAM hive>
volatility -f name --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe16aab60
Builds a timeline from everything in the image that carries a timestamp (processes, threads, registry keys, and so on):
volatility -f name --profile=WinXPSP2x86 timeliner
Dump a process and search its memory, or dump a file found with filescan:
volatility -f name --profile=Win7SP1x64 memdump -D . -p 2872
strings -e l ./2872.dmp | grep flag    # -e l: 16-bit little-endian strings, i.e. Windows UTF-16 text; run plain strings as well for ASCII
volatility -f name --profile=Win7SP1x64 dumpfiles -Q 0x000000007e410890 -n --dump-dir=./
Cracking the hashes to recover account passwords: save the hashdump output to a file, then
john filename --format=NT
Process scan by pool tag, which also finds hidden or already-terminated processes that pslist does not show:
volatility -f name --profile=Win7SP1x64 psscan
Searching a process dump for the flag string:
strings -e l 2616.dmp | grep flag
Finding images:
volatility -f name --profile=Win7SP1x64 filescan | grep -E 'jpg|png|jpeg|bmp|gif'
Network connections:
volatility -f name --profile=Win7SP1x64 netscan
Registry parsing:
volatility -f name --profile=Win7SP1x64 hivelist
volatility -f name --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control"
Clipboard contents:
volatility -f name --profile=Win7SP1x64 clipboard
DLLs loaded by one process:
volatility -f name --profile=Win7SP1x64 dlllist -p 3820
Dump every process whose name matches a pattern (-n takes a regular expression matched against the process name), then search the dumps with strings, for example for "download":
volatility -f name --profile=Win7SP1x64 memdump -n chrome -D .
Application compatibility cache (ShimCache), which records executables the system has run:
python vol.py -f name --profile=Win7SP1x86 shimcache
List services with svcscan:
python vol.py -f name --profile=Win7SP1x86 svcscan