A while ago an interesting memory forensics challenge came up in the 'RC3 2016' CTF.
At 500pt it was the highest-scored challenge in the forensics category, and the only one I couldn't solve.
It was about 'TrueCrypt', but I set the wrong goal and ended up not solving it.
ddddh@siftworkstation:~/Desktop/CTF/rc3/forensics$ vol.py -f memdump.raw imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/sansforensics/Desktop/CTF/rc3/forensics/memdump.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c0a0a0
Number of Processors : 4
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c0bd00L
KPCR for CPU 1 : 0xfffff880009ef000L
KPCR for CPU 2 : 0xfffff88003169000L
KPCR for CPU 3 : 0xfffff880031df000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2016-11-16 11:24:51 UTC+0000
Image local date and time : 2016-11-16 06:24:51 -0500
The first step in memory forensics is the KDBG scan done by 'imageinfo', which identifies the Windows build the dump came from.
One of the suggested profiles from its output is then passed to every later plugin with --profile.
ddddh@siftworkstation:~/Desktop/CTF/rc3/forensics$ vol.py -f memdump.raw --profile=Win7SP0x64 pslist
Volatility Foundation Volatility Framework 2.4
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------
0xfffffa8003c78b30 System 4 0 111 531 ------ 0 2016-11-16 11:00:14 UTC+0000
0xfffffa8006239040 smss.exe 316 4 2 32 ------ 0 2016-11-16 11:00:14 UTC+0000
0xfffffa80058f95f0 csrss.exe 396 380 9 477 0 0 2016-11-16 11:00:15 UTC+0000
0xfffffa800662d780 wininit.exe 440 380 3 78 0 0 2016-11-16 11:00:15 UTC+0000
0xfffffa80066342e0 csrss.exe 464 452 12 409 1 0 2016-11-16 11:00:15 UTC+0000
0xfffffa800677f5f0 services.exe 508 440 9 225 0 0 2016-11-16 11:00:15 UTC+0000
0xfffffa80067819d0 lsass.exe 524 440 7 608 0 0 2016-11-16 11:00:15 UTC+0000
0xfffffa8006787b30 lsm.exe 532 440 10 159 0 0 2016-11-16 11:00:15 UTC+0000
0xfffffa80067d2260 winlogon.exe 588 452 5 118 1 0 2016-11-16 11:00:15 UTC+0000
0xfffffa8006790b30 svchost.exe 680 508 9 371 0 0 2016-11-16 11:00:15 UTC+0000
0xfffffa800672e650 vmacthlp.exe 740 508 3 60 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006865b30 svchost.exe 780 508 9 293 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa80068a2060 svchost.exe 848 508 20 509 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa80068c0b30 svchost.exe 900 508 20 458 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa80068deb30 svchost.exe 944 508 40 1063 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa800695b320 svchost.exe 340 508 9 535 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa800698ab30 svchost.exe 1032 508 16 385 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006a47380 spoolsv.exe 1212 508 12 356 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006abb890 svchost.exe 1252 508 17 323 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006a1bb30 VGAuthService. 1404 508 3 89 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006c1f780 vmtoolsd.exe 1464 508 9 307 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006d0bb30 WmiPrvSE.exe 1724 680 12 226 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006c43060 dllhost.exe 1920 508 13 198 0 0 2016-11-16 11:00:16 UTC+0000
0xfffffa8006dc0b30 msdtc.exe 2040 508 12 147 0 0 2016-11-16 11:00:17 UTC+0000
0xfffffa8006d616c0 svchost.exe 1312 508 6 96 0 0 2016-11-16 11:00:17 UTC+0000
0xfffffa8004c924f0 taskhost.exe 2324 508 8 194 1 0 2016-11-16 11:00:30 UTC+0000
0xfffffa8005218890 GoogleCrashHan 2472 2448 5 103 0 1 2016-11-16 11:00:31 UTC+0000
0xfffffa8005221b30 GoogleCrashHan 2480 2448 5 97 0 0 2016-11-16 11:00:31 UTC+0000
0xfffffa800526db30 dwm.exe 2604 900 3 78 1 0 2016-11-16 11:00:32 UTC+0000
0xfffffa8005284780 explorer.exe 2628 2592 34 947 1 0 2016-11-16 11:00:32 UTC+0000
0xfffffa800528db30 vmtoolsd.exe 2716 2628 6 251 1 0 2016-11-16 11:00:32 UTC+0000
0xfffffa8005289b30 StikyNot.exe 2724 2628 11 145 1 0 2016-11-16 11:00:32 UTC+0000
0xfffffa8006ec7060 SearchIndexer. 2784 508 15 693 0 0 2016-11-16 11:00:32 UTC+0000
0xfffffa8006ecbb30 RAMDisk.exe 2956 2628 25 729 1 0 2016-11-16 11:01:44 UTC+0000
0xfffffa8005798430 svchost.exe 1044 508 10 158 0 0 2016-11-16 11:01:50 UTC+0000
0xfffffa8006db2b30 wisptis.exe 704 2956 6 132 1 0 2016-11-16 11:01:52 UTC+0000
0xfffffa8006fa5060 MappedDrives.e 1508 2956 0 -------- 1 0 2016-11-16 11:01:54 UTC+0000 2016-11-16 11:01:54 UTC+0000
0xfffffa8003eb4b30 chrome.exe 748 2628 28 1069 1 0 2016-11-16 11:01:59 UTC+0000
0xfffffa8003ec3200 chrome.exe 936 748 6 85 1 0 2016-11-16 11:01:59 UTC+0000
0xfffffa8003f93060 chrome.exe 1148 748 5 182 1 0 2016-11-16 11:01:59 UTC+0000
0xfffffa8003f3a250 chrome.exe 1168 748 10 172 1 0 2016-11-16 11:01:59 UTC+0000
0xfffffa80040449c0 chrome.exe 2672 748 16 214 1 0 2016-11-16 11:01:59 UTC+0000
0xfffffa8006b4a060 chrome.exe 2952 748 10 154 1 0 2016-11-16 11:01:59 UTC+0000
0xfffffa80041b9360 chrome.exe 3188 748 10 308 1 0 2016-11-16 11:02:00 UTC+0000
0xfffffa800613d540 mscorsvw.exe 3620 508 7 90 0 1 2016-11-16 11:02:17 UTC+0000
0xfffffa8004280780 mscorsvw.exe 3664 508 7 83 0 0 2016-11-16 11:02:17 UTC+0000
0xfffffa8003fbab30 sppsvc.exe 3808 508 4 153 0 0 2016-11-16 11:02:17 UTC+0000
0xfffffa8003fc3b30 svchost.exe 3848 508 12 333 0 0 2016-11-16 11:02:17 UTC+0000
0xfffffa80041e2b30 chrome.exe 1068 748 13 261 1 0 2016-11-16 11:04:23 UTC+0000
0xfffffa80068beaa0 audiodg.exe 3476 848 7 137 0 0 2016-11-16 11:17:42 UTC+0000
0xfffffa8006af31b0 taskmgr.exe 3368 3760 8 131 1 0 2016-11-16 11:22:07 UTC+0000
0xfffffa8006aec270 SearchProtocol 2032 2784 7 215 1 0 2016-11-16 11:24:31 UTC+0000
0xfffffa8004252600 SearchFilterHo 3268 2784 5 97 0 0 2016-11-16 11:24:31 UTC+0000
0xfffffa8006b0c450 DumpIt.exe 1536 2628 5 53 1 1 2016-11-16 11:24:41 UTC+0000
0xfffffa8006ab81d0 conhost.exe 1220 464 2 51 1 0 2016-11-16 11:24:41 UTC+0000
The pslist plugin prints the list of processes that were running at the time of the dump.
Familiar processes such as 'StikyNot.exe' and 'chrome.exe' are present, and 'DumpIt.exe' shows that the dump was taken with DumpIt.
ddddh@siftworkstation:~/Desktop/CTF/rc3/forensics$ vol.py -f memdump.raw --profile=Win7SP0x64 screenshot -D ./Screenshot/
Volatility Foundation Volatility Framework 2.4
Wrote ./Screenshot/session_0.msswindowstation.mssrestricteddesk.png
Wrote ./Screenshot/session_0.Service-0x0-3e4$.Default.png
Wrote ./Screenshot/session_0.Service-0x0-3e5$.Default.png
Wrote ./Screenshot/session_0.WinSta0.Default.png
Wrote ./Screenshot/session_0.WinSta0.Disconnect.png
Wrote ./Screenshot/session_0.WinSta0.Winlogon.png
Wrote ./Screenshot/session_0.Service-0x0-3e7$.Default.png
Wrote ./Screenshot/session_1.WinSta0.Default.png
Wrote ./Screenshot/session_1.WinSta0.Disconnect.png
Wrote ./Screenshot/session_1.WinSta0.Winlogon.png
Wrote ./Screenshot/session_1.Service-0x0-63bca$.sbox_alternate_desktop_0x2EC.png
The 'screenshot' plugin reconstructs what was on screen while the dump was being taken.
As already seen in the pslist output, Sticky Notes and Chrome windows are visible.
sansforensics@siftworkstation:~/Desktop/CTF/rc3/forensics$ vol.py -f memdump.raw --profile=Win7SP0x64 filescan
The filescan plugin lists the file objects found in the memory dump.
Looking through the output, the Sticky Notes file can be found; it is then extracted with the 'dumpfiles' plugin so its contents can be read.
0x000000013ceb23a0 17 1 RW-r-- \Device\HarddiskVolume2\Users\Donald Trump\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
ddddh@siftworkstation:~/Desktop/CTF/rc3/forensics$ vol.py -f memdump.raw --profile=Win7SP0x64 dumpfiles -Q 0x000000013ceb23a0 -D ./
Volatility Foundation Volatility Framework 2.4
DataSectionObject 0x13ceb23a0 None \Device\HarddiskVolume2\Users\Donald Trump\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
The extracted note reads: 'True crypt container in evidence drive(E) and password in Lastpass'.
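As an added example (not part of the original write-up), the following Python helper automates the filescan-then-dumpfiles step above: it parses Volatility 2 filescan output, keeps rows whose path matches a list of artifact keywords, and emits the matching 'dumpfiles -Q' commands. The sample filescan text and the keyword list are constructed for this example; the image name and profile default to the ones used in this write-up.

```python
import re

# Volatility 2 filescan row: "<offset> <#Ptr> <#Hnd> <Access> <Name>"; the
# name may contain spaces, so it is captured through to the end of the line.
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

# Constructed sample in the same layout as the filescan run above; the first
# row is the StickyNotes.snt entry from the write-up, the other two are made up.
SAMPLE_FILESCAN = r"""Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000013ceb23a0     17      1 RW-r-- \Device\HarddiskVolume2\Users\Donald Trump\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
0x000000013cf10070      2      0 R--r-d \Device\HarddiskVolume2\Windows\System32\kernel32.dll
0x000000013d0a5a10      8      1 RW-rw- \Device\HarddiskVolume2\Users\Donald Trump\AppData\Local\Google\Chrome\User Data\Default\History
"""

# Path fragments worth extracting in a triage like this one (hypothetical list).
DEFAULT_PATTERNS = ("sticky notes", r"\.snt$", "lastpass", "truecrypt", r"\\history$")


def parse_filescan(text):
    """Return (offset, access, path) tuples for every data row in filescan output."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_ROW.match(line)
        if m:  # header and separator lines do not start with 0x and are skipped
            rows.append((int(m.group(1), 16), m.group(4), m.group(5)))
    return rows


def select_artifacts(rows, patterns=DEFAULT_PATTERNS):
    """Keep rows whose path matches any pattern (case-insensitive search)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [row for row in rows if any(c.search(row[2]) for c in compiled)]


def dumpfiles_commands(rows, image="memdump.raw", profile="Win7SP0x64", outdir="./"):
    """Build one 'dumpfiles -Q <physical offset>' command per selected row."""
    return ["vol.py -f %s --profile=%s dumpfiles -Q 0x%016x -D %s"
            % (image, profile, offset, outdir) for offset, _, _ in rows]


if __name__ == "__main__":
    for cmd in dumpfiles_commands(select_artifacts(parse_filescan(SAMPLE_FILESCAN))):
        print(cmd)
```

Pipe real filescan output into parse_filescan() instead of the sample to get the extraction commands for an actual image.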
In addition, the third-party 'chromesearchterms' plugin (loaded here with --plugins) recovers Chrome search history from the dump.
ddddh@siftworkstation:~/Desktop/CTF/rc3/forensics$ vol.py -f memdump.raw --profile=Win7SP0x64 --plugins=/home/ddddh/v-plugins/ chromesearchterms
Volatility Foundation Volatility Framework 2.4
Row ID Keyword ID URL ID Lowercase Entered Text
------ ---------- ------ ---------------------------------------------------------------- ----------------------------------------------------------------
9 5135 13
11 2 47 facebook facebook
10 2 43 .net framework 4.5 offline installer .net framework 4.5 offline installer
9 2 42 .net framework 4.5 .net framework 4.5
8 2 31 lastpass extension lastpass extension
7 2 30 ramdisk filehippo ramdisk filehippo
6 2 29 truecrypt truecrypt
5 2 26 lastpass lastpass
4 2 21 wireshark wireshark
3 2 18 winrar winrar
2 2 15 atom atom
1 2 14 sysinternals sysinternals
Two entries stand out in the output: 'lastpass' and 'truecrypt'.
Extracting the LastPass data with the lastpass plugin and decrypting it yields the flag.