2020JTWLB - Personal CTF - MISC - memory
One challenge a day, more is fine but never fewer
memory
Challenge analysis
1. Volatility forensics
2. Base64 decoding with a custom (swapped) alphabet
Getting started
1. The challenge
The download is a .vmem memory image file.
Link: Baidu Netdisk share link
Extraction code: rsmz
2. Analysing the memory image
(1) Check the image information (imageinfo suggests the profile used in the following steps)
root@kali2019:~/CTF/JTWLB# volatility -f base9.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/root/CTF/JTWLB/base9.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf8000403d0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff8000403ed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-10-13 08:46:11 UTC+0000
Image local date and time : 2020-10-13 16:46:11 +0800
(2) List processes
root@kali2019:~/CTF/JTWLB# volatility -f base9.vmem --profile=Win7SP1x64 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name             PID    PPID   PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000000002151b30 SearchProtocol   2084   940    0x000000002612e000 2020-10-13 08:25:04 UTC+0000
0x000000000237ab30 SearchFilterHo   2152   940    0x000000002d165000 2020-10-13 08:25:05 UTC+0000
0x00000000027739e0 dllhost.exe      1420   508    0x0000000019539000 2020-10-13 08:25:02 UTC+0000
0x0000000002ae24f0 mspaint.exe      2968   1184   0x000000001cbe0000 2020-10-13 08:45:57 UTC+0000
0x0000000002b62060 WmiPrvSE.exe     2488   628    0x0000000008165000 2020-10-13 08:25:20 UTC+0000
0x0000000005451b30 msdtc.exe        2064   508    0x0000000017144000 2020-10-13 08:25:04 UTC+0000
0x000000000be39850 mscorsvw.exe     884    508    0x000000002cb22000 2020-10-13 08:45:45 UTC+0000
0x000000000efe6b30 notepad.exe
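As an added example (not part of the original writeup), a small Python parser for the psscan table above that flags the processes created shortly before the "Image date and time" reported by imageinfo; in a CTF image those late starters (here mspaint.exe and mscorsvw.exe) are the usual first targets for memdump/cmdline. The embedded sample table is a constructed subset of the rows above and the 120-second window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the psscan table above (a subset of its rows)
PSSCAN_OUTPUT = """\
Offset(P)          Name             PID    PPID   PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000000002151b30 SearchProtocol   2084   940    0x000000002612e000 2020-10-13 08:25:04 UTC+0000
0x00000000027739e0 dllhost.exe      1420   508    0x0000000019539000 2020-10-13 08:25:02 UTC+0000
0x0000000002ae24f0 mspaint.exe      2968   1184   0x000000001cbe0000 2020-10-13 08:45:57 UTC+0000
0x000000000be39850 mscorsvw.exe     884    508    0x000000002cb22000 2020-10-13 08:45:45 UTC+0000
"""

# "Image date and time" reported by imageinfo for this image
IMAGE_TIME = datetime(2020, 10, 13, 8, 46, 11)

# One psscan row: offset, name, pid, ppid, pdb, created, optional exited
ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
    r"(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000)?\s*$"
)

def parse_psscan(text):
    """Parse Volatility 2 psscan output into a list of dicts; header,
    separator and truncated rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset, name, pid, ppid, pdb, created, exited = m.groups()
        procs.append({
            "offset": int(offset, 16), "name": name,
            "pid": int(pid), "ppid": int(ppid), "pdb": int(pdb, 16),
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M:%S"),
            "exited": datetime.strptime(exited, "%Y-%m-%d %H:%M:%S") if exited else None,
        })
    return procs

def recent_processes(procs, image_time, window_seconds=120):
    """Processes created within window_seconds before the image was taken,
    newest first: the first candidates to inspect (memdump, cmdline, etc.)."""
    hits = [p for p in procs
            if 0 <= (image_time - p["created"]).total_seconds() <= window_seconds]
    return sorted(hits, key=lambda p: p["created"], reverse=True)

if __name__ == "__main__":
    for p in recent_processes(parse_psscan(PSSCAN_OUTPUT), IMAGE_TIME):
        print(p["pid"], p["name"], p["created"])
```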