CTF内存取证

Posted luocodes

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了CTF内存取证相关的知识,希望对你有一定的参考价值。

获取dump的系统版本

root@kali:/test# volatility -f mem.dump imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/test/mem.dump)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003e02110L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80003e03d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-11-13 08:39:44 UTC+0000
     Image local date and time : 2019-11-13 16:39:44 +0800

列出进程

root@kali:/test# volatility -f mem.dump --profile=Win7SP1x64 pslist

Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ -----------
0xfffffa800ccc1b10 System                    4      0     88      534 ------      0 2019-11-13 08:31:48 UTC+0000                                 
0xfffffa800d2fbb10 smss.exe                252      4      2       29 ------      0 2019-11-13 08:31:48 UTC+0000                                 
0xfffffa800e2227e0 csrss.exe               344    328      9      400      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e3f3340 wininit.exe             396    328      3       79      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e3f77d0 csrss.exe               404    388     10      225      1      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e41fb10 winlogon.exe            444    388      3      111      1      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e457060 services.exe            500    396      8      210      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e426b10 lsass.exe               508    396      6      554      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e464060 lsm.exe                 516    396      9      145      0      0 2019-11-13 08:31:49 UTC+0000                                 
0xfffffa800e4f8b10 svchost.exe             608    500     10      351      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e52bb10 svchost.exe             684    500      8      273      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e570b10 svchost.exe             768    500     21      443      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e5b5b10 svchost.exe             816    500     16      381      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e5d7870 svchost.exe             860    500     18      666      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e5f8b10 svchost.exe             888    500     37      919      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e66c870 svchost.exe            1016    500      5      114      0      0 2019-11-13 08:31:50 UTC+0000                                 
0xfffffa800e74fb10 svchost.exe            1032    500     15      364      0      0 2019-11-13 08:31:51 UTC+0000                                 
0xfffffa800e510320 spoolsv.exe            1156    500     13      273      0      0 2019-11-13 08:31:51 UTC+0000                                 
0xfffffa800e5b0060 svchost.exe            1184    500     11      194      0      0 2019-11-13 08:31:51 UTC+0000                                 
0xfffffa800e56e060 svchost.exe            1276    500     10      155      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e685060 svchost.exe            1308    500     12      228      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e632060 svchost.exe            1380    500      4      167      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e692060 VGAuthService.         1480    500      4       94      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e7dab10 vmtoolsd.exe           1592    500     11      287      0      0 2019-11-13 08:31:52 UTC+0000                                 
0xfffffa800e8a7720 svchost.exe            1824    500      6       92      0      0 2019-11-13 08:31:53 UTC+0000                                 
0xfffffa800e898300 WmiPrvSE.exe           1980    608     10      203      0      0 2019-11-13 08:31:53 UTC+0000                                 
0xfffffa800e8e9b10 dllhost.exe            2044    500     15      197      0      0 2019-11-13 08:31:53 UTC+0000                                 
0xfffffa800e90d840 msdtc.exe              1320    500     14      152      0      0 2019-11-13 08:31:54 UTC+0000                                 
0xfffffa800e991b10 taskhost.exe           2208    500     10      264      1      0 2019-11-13 08:31:56 UTC+0000                                 
0xfffffa800e44a7a0 dwm.exe                2268    816      7      144      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800e9b8b10 explorer.exe           2316   2260     25      699      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800ea4f060 vm3dservice.ex         2472   2316      2       40      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800ea54b10 vmtoolsd.exe           2480   2316      9      188      1      0 2019-11-13 08:31:57 UTC+0000                                 
0xfffffa800ea9ab10 rundll32.exe           2968   2620      6      611      1      1 2019-11-13 08:32:02 UTC+0000                                 
0xfffffa800e8b59c0 WmiPrvSE.exe           2764    608     11      316      0      0 2019-11-13 08:32:13 UTC+0000                                 
0xfffffa800ea75b10 cmd.exe                2260   2316      1       20      1      0 2019-11-13 08:33:45 UTC+0000                                 
0xfffffa800e687330 conhost.exe            2632    404      2       63      1      0 2019-11-13 08:33:45 UTC+0000                                 
0xfffffa800e41db10 WmiApSrv.exe           2792    500      4      113      0      0 2019-11-13 08:34:27 UTC+0000                                 
0xfffffa800ed68840 CnCrypt.exe            1608   2316      4      115      1      1 2019-11-13 08:34:40 UTC+0000                                 
0xfffffa800e4a5b10 audiodg.exe            2100    768      6      130      0      0 2019-11-13 08:39:29 UTC+0000                                 
0xfffffa800ea57b10 DumpIt.exe             1072   2316      1       26      1      1 2019-11-13 08:39:43 UTC+0000                                 
0xfffffa800ea1c060 conhost.exe            2748    404      2       62      1      0 2019-11-13 08:39:43 UTC+0000                                 
root@kali:/test# 

 

常见的命令

Supported Plugin Commands:

        amcache            Print AmCache information
        apihooks           Detect API hooks in process and kernel memory
        atoms              Print session and window station atom tables
        atomscan           Pool scanner for atom tables
        auditpol           Prints out the Audit Policies from HKLMSECURITYPolicyPolAdtEv
        bigpools           Dump the big page pools using BigPagePoolScanner
        bioskbd            Reads the keyboard buffer from Real Mode memory
        cachedump          Dumps cached domain hashes from memory
        callbacks          Print system-wide notification routines
        clipboard          Extract the contents of the windows clipboard
        cmdline            Display process command-line arguments
        cmdscan            Extract command history by scanning for _COMMAND_HISTORY
        consoles           Extract command history by scanning for _CONSOLE_INFORMATION
        crashinfo          Dump crash-dump information
        deskscan           Poolscaner for tagDESKTOP (desktops)
        devicetree         Show device tree
        dlldump            Dump DLLs from a process address space
        dlllist            Print list of loaded dlls for each process
        driverirp          Driver IRP hook detection
        drivermodule       Associate driver objects to kernel modules
        driverscan         Pool scanner for driver objects
        dumpcerts          Dump RSA private and public SSL keys
        dumpfiles          Extract memory mapped and cached files
        dumpregistry       Dumps registry files out to disk 
        editbox            Displays information about Edit controls. (Listbox experimental.)
        envars             Display process environment variables
        eventhooks         Print details on windows event hooks
        filescan           Pool scanner for file objects
        gahti              Dump the USER handle type information
        gditimers          Print installed GDI timers and callbacks
        getservicesids     Get the names of services in the Registry and return Calculated SID
        getsids            Print the SIDs owning each process
        handles            Print list of open handles for each process
        hashdump           Dumps passwords hashes (LM/NTLM) from memory
        hibinfo            Dump hibernation file information
        hivedump           Prints out a hive
        hivelist           Print list of registry hives.
        hivescan           Pool scanner for registry hives
        hpakextract        Extract physical memory from an HPAK file
        hpakinfo           Info on an HPAK file
        iehistory          Reconstruct Internet Explorer cache / history
        imagecopy          Copies a physical address space out as a raw DD image
        imageinfo          Identify information for the image 
        impscan            Scan for calls to imported functions
        joblinks           Print process job link information
        kdbgscan           Search for and dump potential KDBG values
        kpcrscan           Search for and dump potential KPCR values
        ldrmodules         Detect unlinked DLLs
        lsadump            Dump (decrypted) LSA secrets from the registry
        machoinfo          Dump Mach-O file format information
        malfind            Find hidden and injected code
        mbrparser          Scans for and parses potential Master Boot Records (MBRs) 
        memdump            Dump the addressable memory for a process
        memmap             Print the memory map
        messagehooks       List desktop and thread window message hooks
        mftparser          Scans for and parses potential MFT entries 
        moddump            Dump a kernel driver to an executable file sample
        modscan            Pool scanner for kernel modules
        modules            Print list of loaded modules
        multiscan          Scan for various objects at once
        mutantscan         Pool scanner for mutex objects
        netscan            Scan a Vista (or later) image for connections and sockets
        objtypescan        Scan for Windows object type objects
        patcher            Patches memory based on page scans
        poolpeek           Configurable pool scanner plugin
        pooltracker        Show a summary of pool tag usage
        printkey           Print a registry key, and its subkeys and values
        privs              Display process privileges
        procdump           Dump a process to an executable file sample
        pslist             Print all running processes by following the EPROCESS lists 
        psscan             Pool scanner for process objects
        pstree             Print process list as a tree
        psxview            Find hidden processes with various process listings
        qemuinfo           Dump Qemu information
        raw2dmp            Converts a physical memory sample to a windbg crash dump
        screenshot         Save a pseudo-screenshot based on GDI windows
        sessions           List details on _MM_SESSION_SPACE (user logon sessions)
        shellbags          Prints ShellBags info
        shimcache          Parses the Application Compatibility Shim Cache registry key
        shutdowntime       Print ShutdownTime of machine from registry
        ssdt               Display SSDT entries
        strings            Match physical offsets to virtual addresses (may take a while, VERY verbose)
        svcscan            Scan for Windows services
        symlinkscan        Pool scanner for symlink objects
        thrdscan           Pool scanner for thread objects
        threads            Investigate _ETHREAD and _KTHREADs
        timeliner          Creates a timeline from various artifacts in memory 
        timers             Print kernel timers and associated module DPCs
        truecryptmaster    Recover TrueCrypt 7.1a Master Keys
        truecryptpassphrase    TrueCrypt Cached Passphrase Finder
        truecryptsummary    TrueCrypt Summary
        unloadedmodules    Print list of unloaded modules
        userassist         Print userassist registry keys and information
        userhandles        Dump the USER handle tables
        vaddump            Dumps out the vad sections to a file
        vadinfo            Dump the VAD info
        vadtree            Walk the VAD tree and display in tree format
        vadwalk            Walk the VAD tree
        vboxinfo           Dump virtualbox information
        verinfo            Prints out the version information from PE images
        vmwareinfo         Dump VMware VMSS/VMSN information
        volshell           Shell in the memory image
        windows            Print Desktop Windows (verbose details)
        wintree            Print Z-Order Desktop Windows Tree
        wndscan            Pool scanner for window stations
        yarascan           Scan process or kernel memory with Yara signatures

 

查看cmd历史记录

root@kali:/test# volatility -f mem.dump --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 2632
CommandHistory: 0x242350 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x2229d0: flag.ccx_password_is_same_with_Administrator 
**************************************************
CommandProcess: conhost.exe Pid: 2748
CommandHistory: 0x2926d0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
得知存在flag.ccx文件且密码和Administrator密码相同

查找flag文件

root@kali:/test# volatility -f mem.dump --profile=Win7SP1x64 filescan | grep flag
Volatility Foundation Volatility Framework 2.6
0x000000003e435890     15      0 R--rw- DeviceHarddiskVolume2UsersAdministratorDesktopflag.ccx

得知flag文件地址为0x3e435890

 

dump目标文件(flag.ccx)

root@kali:/test# volatility -f mem.dump --profile=Win7SP1x64 dumpfiles -Q 0x3e435890 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e435890   None   DeviceHarddiskVolume2UsersAdministratorDesktopflag.ccx

 

寻找Administrator的密码

列出SAM表用户

root@kali:/test# volatility -f mem.dump --profile=Win7SP1x64 printkey -K "SAMDomainsAccountUsersNames"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: SystemRootSystem32ConfigSAM
Key name: Names (S)
Last updated: 2019-10-15 02:56:47 UTC+0000

Subkeys:
  (S) Administrator
  (S) Guest

Values:
REG_NONE                      : (S) 

 

获取System和ASM的虚拟地址

root@kali:/test# volatility -f mem.dump --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001cfd010 0x0000000039828010 ??C:UsersAdministratorAppDataLocalMicrosoftWindowsUsrClass.dat
0xfffff8a002fa2010 0x0000000013a3f010 ??C:System Volume InformationSyscache.hve
0xfffff8a00000f010 0x0000000023385010 [no name]
0xfffff8a000024010 0x0000000023510010 REGISTRYMACHINESYSTEM
0xfffff8a000064010 0x0000000023552010 REGISTRYMACHINEHARDWARE
0xfffff8a0000e7410 0x0000000011bcc410 ??C:WindowsServiceProfilesNetworkServiceNTUSER.DAT
0xfffff8a000100360 0x0000000015346360 SystemRootSystem32ConfigSECURITY
0xfffff8a0003f4410 0x000000001527d410 SystemRootSystem32ConfigDEFAULT
0xfffff8a0007ae010 0x000000001d867010 DeviceHarddiskVolume1BootBCD
0xfffff8a0012d4010 0x000000001c938010 SystemRootSystem32ConfigSOFTWARE
0xfffff8a001590010 0x000000001151a010 SystemRootSystem32ConfigSAM
0xfffff8a0015ca010 0x00000000111a3010 ??C:WindowsServiceProfilesLocalServiceNTUSER.DAT
0xfffff8a001c34010 0x0000000039803010 ??C:UsersAdministrator
tuser.dat

System:0xfffff8a000024010

ASM:    0xfffff8a001590010

 

hashdump获取用户密码的hash值

命令:volatility -f name --profile=WinXPSP2x86 hashdump -y (注册表 system 的 virtual 地址 )-s (SAM 的 virtual 地址)

root@kali:/test# volatility -f mem.dump --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a001590010
Volatility Foundation Volatility Framework 2.6
Administrator:500:6377a2fdb0151e35b75e0c8d76954a50:0d546438b1f4c396753b4fc8c8565d5b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

得知Administrator密码的hash值为0d546438b1f4c396753b4fc8c8565d5b

解码得到ABCabc123

技术图片

 

使用CnCrypt加载flag文件

技术图片

 

 

 

题目地址:链接:https://pan.baidu.com/s/1WMyjP7E66fbT0KECBfAAig  提取码:a1nm

参考:https://www.52pojie.cn/thread-1079259-1-1.html

以上是关于CTF内存取证的主要内容,如果未能解决你的问题,请参考以下文章

CTF必备取证神器(volatilityPTF取证大师Magnet AXIOM)

内存取证三项CTF学习

[内存取证]Volatility基本用法

OtterCTF 内存取证(1-5)

OtterCTF 内存取证(1-5)

有关流量分析和内存取证的