CyberDefenders BlueTeam CTF Challenge 67
Introduction
A fairly simple Windows memory forensics challenge.
Solution
Q1
Open the image in vol and read the answer straight off the output.
Q2
Compute the SHA256.
In the VM it took a minute and a half, outside it took 20 seconds; I suspect read/write speed on the VM's shared-folder disk is throttled.
Q3
Use windows.pslist to list the processes.
Not sure why, but the layout came out wrong here.
Q4
Use windows.netscan to scan for network objects: 10 entries in total.
A small pitfall here: windows.netstat turns up only 9.
Q5
Use windows.netstat, filter for connections in the ESTABLISHED state, then look up the AS of the corresponding IP.
But the wiki definition given is the full domain name including the hostname, which I don't understand.
At first I even dumped Chrome's History database and searched it for ages without finding anything.
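The Q4 pitfall and the Q5 filter in one script, as an added example that is not part of the original writeup. The two tables below are constructed to resemble Volatility 3 text output (tab-separated, same columns), not taken from the challenge image; netscan carves socket objects out of pool memory, so it also returns freed/closed entries, while netstat walks the live tracking structures, which is why the counts differ. The functions take the saved plugin output as files, so they run unchanged on real `vol ... windows.netscan > netscan.txt` output.

```shell
#!/bin/sh
# Added example: diff windows.netscan against windows.netstat and list the
# ESTABLISHED peers (the IPs you would then resolve / AS-lookup).
# The tables are CONSTRUCTED; on a real image produce them with
#   vol -f memory.dmp windows.netscan > netscan.txt
#   vol -f memory.dmp windows.netstat > netstat.txt
set -eu
export LC_ALL=C

WORK="${TMPDIR:-/tmp}/volnet.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# vol3's text renderer separates columns with tabs; the constructed data uses
# '|' so the separators survive copy/paste and are converted here.
write_tsv() { tr '|' '\t' > "$1"; }

write_tsv "$WORK/netscan.txt" <<'EOF'
Offset|Proto|LocalAddr|LocalPort|ForeignAddr|ForeignPort|State|PID|Owner|Created
0xe10037a1a010|TCPv4|10.0.0.5|49715|203.0.113.10|443|ESTABLISHED|3852|chrome.exe|2021-04-30 04:10:11.000000
0xe10037a1b020|TCPv4|10.0.0.5|49716|198.51.100.7|80|ESTABLISHED|3852|chrome.exe|2021-04-30 04:10:12.000000
0xe10037a1c030|TCPv4|0.0.0.0|445|0.0.0.0|0|LISTENING|4|System|2021-04-30 03:58:01.000000
0xe10037a1d040|UDPv4|0.0.0.0|5355|*|0|-|1204|svchost.exe|2021-04-30 03:58:05.000000
0xe10037a1e050|TCPv4|10.0.0.5|49700|192.0.2.55|443|CLOSED|-|-|2021-04-30 04:05:40.000000
EOF

# netstat walks the live structures, so the freed CLOSED socket that the
# pool scan still finds in memory is absent here.
write_tsv "$WORK/netstat.txt" <<'EOF'
Offset|Proto|LocalAddr|LocalPort|ForeignAddr|ForeignPort|State|PID|Owner|Created
0xe10037a1a010|TCPv4|10.0.0.5|49715|203.0.113.10|443|ESTABLISHED|3852|chrome.exe|2021-04-30 04:10:11.000000
0xe10037a1b020|TCPv4|10.0.0.5|49716|198.51.100.7|80|ESTABLISHED|3852|chrome.exe|2021-04-30 04:10:12.000000
0xe10037a1c030|TCPv4|0.0.0.0|445|0.0.0.0|0|LISTENING|4|System|2021-04-30 03:58:01.000000
0xe10037a1d040|UDPv4|0.0.0.0|5355|*|0|-|1204|svchost.exe|2021-04-30 03:58:05.000000
EOF

# Number of data rows (header excluded): the "how many entries" count.
count_rows() { awk 'END { print NR - 1 }' "$1"; }

# Reduce a table to a stable key "Proto Local:Port Foreign:Port State PID".
# Offset/Owner/Created are dropped so the same socket matches across plugins.
conn_keys() {
    awk -F'\t' 'NR > 1 { printf "%s %s:%s %s:%s %s %s\n", $2,$3,$4,$5,$6,$7,$8 }' "$1" | sort
}

# Sockets present in the first table (netscan) but not in the second (netstat).
netscan_only() {
    conn_keys "$1" > "$WORK/a.keys"
    conn_keys "$2" > "$WORK/b.keys"
    comm -23 "$WORK/a.keys" "$WORK/b.keys"
}

# Unique foreign addresses of ESTABLISHED connections.
established_peers() {
    awk -F'\t' 'NR > 1 && $7 == "ESTABLISHED" { print $5 }' "$1" | sort -u
}

echo "netscan rows: $(count_rows "$WORK/netscan.txt")"
echo "netstat rows: $(count_rows "$WORK/netstat.txt")"
echo "only in netscan:"; netscan_only "$WORK/netscan.txt" "$WORK/netstat.txt"
echo "established peers:"; established_peers "$WORK/netstat.txt"
```

The key deliberately excludes the Offset column: netscan reports the pool address of the carved object while netstat reports the address it reached by walking the list, and on a real image those need not agree even for the same socket.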
Q6
Use windows.pslist.PsList --pid <pid> --dump to dump the process (its in-memory executable image). The optional -o <outputDir> sets the output directory; it is a global option, so it goes before the plugin name: vol -o <outputDir> -f <image> windows.pslist --pid <pid> --dump.
Then compute the MD5 of the dumped file with md5sum.
Q7
Open the dump in hexeditor and jump to offset 0x45BE876.
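Hashing the dump from Q6 and reading the bytes at the Q7 offset without opening a hex editor, as an added example that is not part of the original writeup. The dump file here is constructed (32 bytes of padding followed by a marker), so the offsets used are small stand-ins for 0x45BE876; the functions accept any decimal or 0x-prefixed offset and work on the real pid.<pid>.*.dmp file.

```shell
#!/bin/sh
# Added example: hash a dumped process file and inspect bytes at an offset
# with dd/od, the way a hex editor's "go to offset" would show them.
# The dump is CONSTRUCTED: 32 '0' bytes of padding, then "MZ\x90\x01SAMPLE".
set -eu

WORK="${TMPDIR:-/tmp}/voldump.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

DUMP="$WORK/pid.1234.dmp"
printf '%032d' 0 > "$DUMP"                # padding, offsets 0x00-0x1f
printf 'MZ\220\001SAMPLE' >> "$DUMP"      # marker bytes starting at 0x20

# Hex digest with whichever tool the host provides (GNU coreutils or BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# $3 bytes at offset $2 of file $1 as lowercase hex on one line.
# $(( )) accepts 0x-prefixed offsets, so 0x45BE876 can be passed as-is.
hexdump_at() {
    dd if="$1" bs=1 skip=$(($2)) count=$(($3)) 2>/dev/null |
        od -A n -t x1 -v | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Same window, printable characters only (the hex editor's ASCII pane).
ascii_at() {
    dd if="$1" bs=1 skip=$(($2)) count=$(($3)) 2>/dev/null | tr -cd '[:print:]'
}

echo "sha256: $(sha256_of "$DUMP")"
echo "md5:    $(md5_of "$DUMP")"
echo "bytes @0x20: $(hexdump_at "$DUMP" 0x20 4)"
echo "ascii @0x24: $(ascii_at "$DUMP" 0x24 6)"
```

Because `dd bs=1` reads one byte per call, keep `count` small on a multi-gigabyte dump; the `skip` itself is a seek and costs nothing.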
Q8
Use the pstree plugin to view the process tree.
Q9
Hint #4:
Use the "windows.cmdline" plugin to list processes' command lines. Check notepad command line. The full path is C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum.
Use windows.cmdline to get the launch arguments.
But windows.filescan somehow can't find it, and I don't know why.
Q10
Hint #4:
Use the "windows.registry.userassist" plugin to list userassist keys and search for brave. The usage time is 04:01:54.
As shown in the screenshot.
Commonly used vol plugins
layerwriter.LayerWriter
- Runs the automagics and writes out the primary layer produced by the stacker.
timeliner.Timeliner
- Runs all relevant plugins that provide time related information and orders the results by time.
windows.bigpools.BigPools
- List big page pools.
windows.callbacks.Callbacks
- Lists kernel callbacks and notification routines.
windows.cmdline.CmdLine
- Lists process command line arguments.
windows.crashinfo.Crashinfo
- Lists the information from a Windows crash dump.
windows.dlllist.DllList
- Lists the loaded modules in a particular windows memory image.
windows.driverirp.DriverIrp
- List IRPs for drivers in a particular windows memory image.
windows.driverscan.DriverScan
- Scans for drivers present in a particular windows memory image.
windows.dumpfiles.DumpFiles
- Dumps cached file contents from Windows memory samples.
windows.envars.Envars
- Display process environment variables
windows.filescan.FileScan
- Scans for file objects present in a particular windows memory image.
windows.getservicesids.GetServiceSIDs
- Lists process token sids.
windows.getsids.GetSIDs
- Print the SIDs owning each process
windows.handles.Handles
- Lists process open handles.
windows.info.Info
- Show OS & kernel details of the memory sample being analyzed.
windows.malfind.Malfind
- Lists process memory ranges that potentially contain injected code.
windows.memmap.Memmap
- Prints the memory map
windows.modscan.ModScan
- Scans for modules present in a particular windows memory image.
windows.modules.Modules
- Lists the loaded kernel modules.
windows.mutantscan.MutantScan
- Scans for mutexes present in a particular windows memory image.
windows.netscan.NetScan
- Scans for network objects present in a particular windows memory image.
windows.netstat.NetStat
- Traverses network tracking structures present in a particular windows memory image.
windows.poolscanner.PoolScanner
- A generic pool scanner plugin.
windows.privileges.Privs
- Lists process token privileges
windows.pslist.PsList
- Lists the processes present in a particular windows memory image.
windows.psscan.PsScan
- Scans for processes present in a particular windows memory image.
windows.pstree.PsTree
- Plugin for listing processes in a tree based on their parent process ID.
windows.registry.certificates.Certificates
- Lists the certificates in the registry's Certificate Store.
windows.registry.hivelist.HiveList
- Lists the registry hives present in a particular memory image.
windows.registry.hivescan.HiveScan
- Scans for registry hives present in a particular windows memory image.
windows.registry.printkey.PrintKey
- Lists the registry keys under a hive or specific key value.
windows.registry.userassist.UserAssist
- Print userassist registry keys and information.
windows.skeleton_key_check.Skeleton_Key_Check
- Looks for signs of Skeleton Key malware
windows.ssdt.SSDT
- Lists the system call table.
windows.statistics.Statistics
- Lists statistics about the memory space.
windows.strings.Strings
- Reads output from the strings command and indicates which process(es) each string belongs to.
windows.svcscan.SvcScan
- Scans for windows services.
windows.symlinkscan.SymlinkScan
- Scans for links present in a particular windows memory image.
windows.vadinfo.VadInfo
- Lists process memory ranges.
windows.vadyarascan.VadYaraScan
- Scans all the Virtual Address Descriptor memory maps using yara.
windows.verinfo.VerInfo
- Lists version information from PE files.
windows.virtmap.VirtMap
- Lists virtual mapped sections.
yarascan.YaraScan
- Scans kernel memory using yara rules (string or file).
FQDN
A fully qualified domain name (FQDN), also called an absolute domain name [1], is a domain name that specifies an exact position in the Domain Name System (DNS) tree. An FQDN contains every level of the name, including the top-level domain and the root domain. The name comes from the fact that it is unambiguous: it can be resolved in only one way. FQDNs arose from the need for a uniform way of identifying hosts on the Internet and grew rapidly in the late 1980s.
(Figure: tree diagram of a fully qualified domain name)
An FQDN is made up of a hostname and a parent domain. For example, if a server's local hostname is myhost and its parent domain is example.com., the FQDN pointing at that server is myhost.example.com.. Many servers in the world may have the local hostname myhost, but myhost.example.com. is unique, so the FQDN identifies that specific server.