MISC-cookie
One problem a day: more is fine, fewer is not
cookie
Challenge analysis
A memory forensics challenge with plenty of hints. One very, very small trap.
Getting started
1. The challenge
We are given a 1 GB raw image, together with the hint:
Maybe you know memory forensics
2. volatility
After the usual routine analysis, the process list looks like this:
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x00000000065f6450 chrome.exe 3140 2608 0x0000000009327000 2020-04-09 03:42:15 UTC+0000
0x000000001fe4b3b0 conhost.exe 3776 416 0x000000002fbf0000 2020-04-09 03:42:25 UTC+0000
0x000000003d6412b0 chrome.exe 2920 2608 0x0000000017b21000 2020-04-09 03:00:28 UTC+0000
0x000000003d6b7b30 WmiPrvSE.exe 2952 644 0x0000000039199000 2020-04-09 03:00:29 UTC+0000
0x000000003d771060 chrome.exe 964 2608 0x0000000029730000 2020-04-09 03:01:29 UTC+0000
0x000000003d82d590 rundll32.exe 2192 2104 0x0000000019353000 2020-04-09 03:14:52 UTC+0000
0x000000003d884060 GoogleCrashHan 2328 2304 0x0000000026c91000 2020-04-09 03:00:15 UTC+0000
0x00000
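As an added example (not part of the original writeup), here is a small Python parser for the psscan table above: it rebuilds parent/child relationships so that, on a complete listing, processes whose parent is absent stand out during triage. The sample rows are the seven complete lines copied from the output above; the row layout it assumes is the Volatility 2.6 psscan format shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample: the seven complete rows of the psscan listing quoted above.
PSSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID PPID PDB Time created Time exited
0x00000000065f6450 chrome.exe 3140 2608 0x0000000009327000 2020-04-09 03:42:15 UTC+0000
0x000000001fe4b3b0 conhost.exe 3776 416 0x000000002fbf0000 2020-04-09 03:42:25 UTC+0000
0x000000003d6412b0 chrome.exe 2920 2608 0x0000000017b21000 2020-04-09 03:00:28 UTC+0000
0x000000003d6b7b30 WmiPrvSE.exe 2952 644 0x0000000039199000 2020-04-09 03:00:29 UTC+0000
0x000000003d771060 chrome.exe 964 2608 0x0000000029730000 2020-04-09 03:01:29 UTC+0000
0x000000003d82d590 rundll32.exe 2192 2104 0x0000000019353000 2020-04-09 03:14:52 UTC+0000
0x000000003d884060 GoogleCrashHan 2328 2304 0x0000000026c91000 2020-04-09 03:00:15 UTC+0000
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
# One psscan row: offset, name, PID, PPID, PDB, creation time, optional exit time.
ROW_RE = re.compile(
    rf"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    rf"(?P<pdb>0x[0-9a-f]+)\s+(?P<created>{TS})(?:\s+(?P<exited>{TS}))?\s*$"
)

@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    created: str
    exited: Optional[str]

def parse_psscan(text: str) -> List[Proc]:
    """Parse psscan output; the banner and header lines don't match and are skipped."""
    rows = (ROW_RE.match(line) for line in text.splitlines())
    return [Proc(m["offset"], m["name"], int(m["pid"]), int(m["ppid"]), m["created"], m["exited"])
            for m in rows if m]

def children_by_parent(procs: List[Proc]) -> Dict[int, List[int]]:
    """Map each PPID to its child PIDs in creation order, e.g. the chrome.exe instances under 2608."""
    tree: Dict[int, List[int]] = {}
    for p in sorted(procs, key=lambda p: p.created):
        tree.setdefault(p.ppid, []).append(p.pid)
    return tree

def orphan_pids(procs: List[Proc]) -> List[int]:
    """PIDs whose parent is not in the scan: the parent exited, or its EPROCESS was not recovered.
    In this truncated sample every parent is missing, so all seven PIDs are returned."""
    pids = {p.pid for p in procs}
    return sorted(p.pid for p in procs if p.ppid not in pids)
```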