Memory Forensics
================

![image](https://hackmd.io/_uploads/ByqmPcbB0.png)

Learn about some of the tools used in memory forensics, such as Volatility and MemProcFS. Learn about virtual addresses, physical addresses, and process information such as pid, ppid, process name and command line. Learn about process dumps.

- `-h`: help
- `pslist`: show the list of all running processes

# Volatility set up

## vol2

This works for me to fix all the errors.

Install system dependencies:

```
sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata
```

Install pip for Python 2:

```
sudo apt install -y python2 python2.7-dev libpython2-dev
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install -U setuptools wheel
```

Install Volatility 2 and its Python dependencies:

```
python2 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
sudo python2 -m pip install yara
sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
python2 -m pip install -U git+https://github.com/volatilityfoundation/volatility.git
```

From: [https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/](https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/)

Test run:

```bash
vol.py -f ch2.dmp --profile=Win7SP0x86 hivelist
```

I had to copy ch2.dmp into the same folder before it would run.

![image](https://hackmd.io/_uploads/SJRZtQXSC.png)

## vol3

From the Volatility 3 README [quick start](https://github.com/volatilityfoundation/volatility3?tab=readme-ov-file#quick-start):

1. Clone the latest version of Volatility from GitHub:

   ```shell
   git clone https://github.com/volatilityfoundation/volatility3.git
   ```

2. See available options:

   ```shell
   python3 vol.py -h
   ```

3. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run `python3 vol.py -f <imagepath> windows.info`

   Example:

   ```shell
   python3 vol.py -f /home/user/samples/stuxnet.vmem windows.info
   ```

4. Run some other plugins. The `-f` or `--single-location` is not strictly required, but most plugins expect a single sample. Some also require/accept other options. Run `python3 vol.py <plugin> -h` for more information on a particular command.

Requirements
------------

From the [README](https://github.com/volatilityfoundation/volatility3?tab=readme-ov-file#requirements):

Volatility 3 requires Python 3.7.0 or later. To install the most minimal set of dependencies (some plugins will not work) use a command such as:

```shell
pip3 install -r requirements-minimal.txt
```

Alternately, the minimal packages will be installed automatically when Volatility 3 is installed using setup.py. However, as noted in the Quick Start section above, Volatility 3 does not _need_ to be installed via setup.py prior to using it.

```shell
python3 setup.py build
python3 setup.py install
```

To enable the full range of Volatility 3 functionality, use a command like the one below. For partial functionality, comment out any unnecessary packages in [requirements.txt](https://github.com/volatilityfoundation/volatility3/blob/develop/requirements.txt) prior to running the command.

```shell
pip3 install -r requirements.txt
```

Test run; if there are errors, rerun with `-vvvvv` to see them.

![image](https://hackmd.io/_uploads/BJOGmUIHC.png)

# [TryHackMe] - Volatility

https://tryhackme.com/r/room/volatility

## Listing Processes and Connections

Five different plugins within Volatility allow you to dump processes and network connections, each with varying techniques used. In this task, we will be discussing each and its pros and cons when it comes to evasion techniques used by adversaries.
The most basic way of listing processes is using `pslist`; this plugin will get the list of processes from the doubly-linked list that keeps track of processes in memory, equivalent to the process list in task manager. The output from this plugin will include all current processes and terminated processes with their exit times.

Syntax: `python3 vol.py -f <file> windows.pslist`

Some malware, typically rootkits, will, in an attempt to hide their processes, unlink themselves from the list. By unlinking themselves from the list you will no longer see their processes when using `pslist`. To combat this evasion technique, we can use `psscan`; this technique of listing processes will locate processes by finding data structures that match `_EPROCESS`. While this technique can help with evasion countermeasures, it can also cause false positives.

Syntax: `python3 vol.py -f <file> windows.psscan`

The third process plugin, `pstree`, does not offer any other kind of special techniques to help identify evasion like the last two plugins; however, this plugin will list all processes based on their parent process ID, using the same methods as `pslist`. This can be useful for an analyst to get a full story of the processes and what may have been occurring at the time of extraction.

Syntax: `python3 vol.py -f <file> windows.pstree`

Now that we know how to identify processes, we also need to have a way to identify the network connections present at the time of extraction on the host machine. `netstat` will attempt to identify all memory structures with a network connection.

Syntax: `python3 vol.py -f <file> windows.netstat`

This command in the current state of volatility3 can be very unstable, particularly around old Windows builds. To combat this, you can utilize other tools like bulk_extractor to extract a PCAP file from the memory file. In some cases, this is preferred for network connections that you cannot identify from Volatility alone.
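As an added example of the cross-check the text describes (psscan finding `_EPROCESS` structures that the list walk in pslist misses), here is a small Python script; it is not part of the room or of Volatility. The pslist/psscan output it parses is constructed, and the column order is assumed to match vol3's tab-separated text renderer.

```python
"""Cross-check windows.pslist against windows.psscan to find processes that
are reachable only by scanning.  Added example; not part of the TryHackMe room
or of Volatility.  The sample output below is constructed, and the column
order (PID, PPID, ImageFileName, ..., ExitTime) is assumed to match vol3's
tab-separated text output."""

EXIT_COL = 9  # index of the ExitTime column in the assumed layout

HEADER = ("PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId"
          "\tWow64\tCreateTime\tExitTime\tFile output")


def make_row(pid, ppid, name, exit_time="N/A"):
    # Build one constructed output row in the assumed vol3 column order.
    return "\t".join([str(pid), str(ppid), name, "0x0", "1", "1", "0", "False",
                      "2012-07-22 02:42:31.000000", exit_time, "Disabled"])


# Constructed pslist output: what the doubly-linked list walk reports.
PSLIST_OUTPUT = "\n".join([
    "Volatility 3 Framework 2.5.0", HEADER, "",
    make_row(4, 0, "System"),
    make_row(1484, 1464, "explorer.exe"),
    make_row(1640, 1484, "reader_sl.exe"),
])

# Constructed psscan output: the same processes plus two that the list walk
# does not show: a terminated process (exit time set) and an entry with no
# exit time at all, which is what an unlinked (DKOM) process looks like.
PSSCAN_OUTPUT = "\n".join([
    "Volatility 3 Framework 2.5.0", HEADER, "",
    make_row(4, 0, "System"),
    make_row(1484, 1464, "explorer.exe"),
    make_row(1640, 1484, "reader_sl.exe"),
    make_row(3100, 1484, "notepad.exe", exit_time="2012-07-22 02:44:10.000000"),
    make_row(2012, 1484, "hidden.exe"),
])


def parse_vol3_processes(text):
    """Return {pid: {"ppid", "name", "exit"}} from pslist/psscan text output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split("\t")
        # Skip the banner, header and blank lines: data rows start with a PID.
        if len(parts) <= EXIT_COL or not parts[0].strip().isdigit():
            continue
        exit_time = parts[EXIT_COL].strip()
        procs[int(parts[0])] = {
            "ppid": int(parts[1]),
            "name": parts[2].strip(),
            "exit": None if exit_time == "N/A" else exit_time,
        }
    return procs


def compare_process_views(pslist_text, psscan_text):
    """Classify psscan-only PIDs.  A process with an exit time is most likely
    just terminated (its _EPROCESS block was still in memory); one without an
    exit time that pslist cannot see is the unlinking case worth a closer look.
    Also report processes whose parent appears in neither view."""
    pslist = parse_vol3_processes(pslist_text)
    psscan = parse_vol3_processes(psscan_text)
    known = set(pslist) | set(psscan)
    result = {"unlinked": [], "terminated": [], "orphaned": []}
    for pid, info in sorted(psscan.items()):
        if pid not in pslist:
            bucket = "terminated" if info["exit"] else "unlinked"
            result[bucket].append(pid)
        if info["ppid"] != 0 and info["ppid"] not in known:
            result["orphaned"].append(pid)
    return result


if __name__ == "__main__":
    for kind, pids in compare_process_views(PSLIST_OUTPUT, PSSCAN_OUTPUT).items():
        print(f"{kind}: {pids}")
```

An "orphaned" hit is normal for explorer.exe (its parent userinit.exe exits), so treat that bucket as context for pstree rather than as an alert on its own.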
[https://tools.kali.org/forensics/bulk-extractor](https://tools.kali.org/forensics/bulk-extractor)

The last plugin we will cover is `dlllist`. This plugin will list all DLLs associated with processes at the time of extraction. This can be especially useful once you have done further analysis and can filter output to a specific DLL that might be an indicator for a specific type of malware you believe to be present on the system.

Syntax: `python3 vol.py -f <file> windows.dlllist`

## Volatility Hunting and Detection Capabilities

Volatility offers a plethora of plugins that can be used to aid in your hunting and detection capabilities when hunting for malware or other anomalies within a system's memory. It is recommended that you have a basic understanding of how evasion techniques and various malware techniques are employed by adversaries, as well as how to hunt and detect them, before going through this section.

The first plugin we will be talking about, one of the most useful when hunting for code injection, is `malfind`. This plugin will attempt to identify injected processes and their PIDs along with the offset address and a Hex, ASCII, and Disassembly view of the infected area. The plugin works by scanning the heap and identifying processes that have the executable bit set (`RWE` or `RX`) and/or no memory-mapped file on disk (file-less malware). Based on what `malfind` identifies, the injected area will change. An MZ header is an indicator of a Windows executable file. The injected area could also be directed towards shellcode, which requires further analysis.

Syntax: `python3 vol.py -f <file> windows.malfind`

Volatility also offers the capability to compare the memory file against YARA rules. `yarascan` will search for strings, patterns, and compound rules against a rule set. You can either use a YARA file as an argument or list rules within the command line.
Syntax: `python3 vol.py -f <file> windows.yarascan`

There are other plugins that can be considered part of Volatility's hunting and detection capabilities; however, we will be covering them in the next task.

## Advanced Memory Forensics

Advanced memory forensics can become confusing when you begin talking about system objects and how malware interacts directly with the system, especially if you do not have prior experience hunting some of the techniques used, such as hooking and driver manipulation. When dealing with an advanced adversary, you may encounter malware, most of the time rootkits, that will employ very nasty evasion measures that will require you as an analyst to dive into the drivers, mutexes, and hooked functions. A number of modules can help us in this journey to further uncover malware hiding within memory.

The first evasion technique we will be hunting is hooking; there are five methods of hooking employed by adversaries, outlined below:

- SSDT Hooks
- IRP Hooks
- IAT Hooks
- EAT Hooks
- Inline Hooks

We will only be focusing on hunting SSDT hooking, as this is one of the most common techniques when dealing with malware evasion and the easiest plugin to use with the base Volatility plugins.

The `ssdt` plugin will search for hooking and output its results. Hooking can be used by legitimate applications, so it is up to you as the analyst to identify what is evil.

As a brief overview of what SSDT hooking is: `SSDT` stands for _System Service Descriptor Table_; the Windows kernel uses this table to look up system functions. An adversary can hook into this table and modify pointers to point to a location the rootkit controls.

There can be hundreds of table entries that `ssdt` will dump; you will then have to analyze the output further or compare against a baseline. A suggestion is to use this plugin after investigating the initial compromise and working off it as part of your lead investigation.
Syntax: `python3 vol.py -f <file> windows.ssdt`

Adversaries will also use malicious driver files as part of their evasion. Volatility offers two plugins to list drivers.

The `modules` plugin will dump a list of loaded kernel modules; this can be useful in identifying active malware. However, if a malicious file is idly waiting or hidden, this plugin may miss it. This plugin is best used once you have further investigated and found potential indicators to use as input for searching and filtering.

Syntax: `python3 vol.py -f <file> windows.modules`

The `driverscan` plugin will scan for drivers present on the system at the time of extraction. This plugin can help to identify driver files in the kernel that the `modules` plugin might have missed or that were hidden. As with the last plugin, it is again recommended to have a prior investigation before moving on to this plugin. It is also recommended to look through the `modules` plugin before `driverscan`.

Syntax: `python3 vol.py -f <file> windows.driverscan`

In most cases, `driverscan` will come up with no output; however, if you do not find anything with the `modules` plugin, it can be useful to attempt using this plugin.

There are also other plugins listed below that can be helpful when attempting to hunt for advanced malware in memory.

- `modscan`
- `driverirp`
- `callbacks`
- `idt`
- `apihooks`
- `moddump`
- `handles`

Note: Some of these are only present in Volatility 2 or are part of third-party plugins. To get the most out of Volatility, you may need to move to some third-party or custom plugins.

## Practical Investigations

### What is the build version of the host machine in Case 001?

```
python3 vol.py -f Investigation-1.vmem windows.info
```

![image](https://hackmd.io/_uploads/B1OzdfDBC.png)

NTBuildLab: 2600.xpsp.080413-2111

=> 2600.xpsp.080413-2111

### At what time was the memory file acquired in Case 001?

SystemTime: 2012-07-22 02:45:08

=> 2012-07-22 02:45:08

### What process can be considered suspicious in Case 001?
> When monitoring a system for suspicious activity, there are some processes that can be abused by malware or attackers. Below are some common processes that can become suspicious when they are used for the wrong purpose:
>
> 1. **cmd.exe (Command Prompt)**:
>    - Running without a clear reason.
>    - Running with administrator privileges.
>    - Running with unusual commands or strange scripts.
> 2. **powershell.exe**:
>    - Running complex scripts or downloading code from the internet.
>    - Running with administrator privileges or invoked from unexpected applications.
>    - PowerShell processes running in the background for no clear reason.
> 3. **notepad.exe**:
>    - Used to open script files or malicious code.
>    - Many copies open without a plausible reason.
> 4. **mspaint.exe (Paint)**:
>    - Running without a clear reason, or related to opening suspicious image files.
> 5. **Microsoft Office (word.exe, excel.exe, etc.)**:
>    - Running with strange macros or scripts.
>    - Spawning child processes such as cmd.exe or powershell.exe.
>    - Downloading or sending data without user interaction.
> 6. **explorer.exe**:
>    - Spawning unusual child processes.
>    - Making suspicious network connections.
> 7. **svchost.exe**:
>    - Running with an invalid or unusual service name.
>    - Generating suspicious network traffic.
> 8. **rundll32.exe**:
>    - Running DLLs of unknown origin.
>    - Running with strange parameters.
> 9. **schtasks.exe**:
>    - Creating scheduled tasks without a clear reason.
>    - Executing strange commands or scripts.
> 10. **regsvr32.exe**:
>    - Registering suspicious DLLs.
>    - Executing unusual scripts or commands.
>
> If these processes are found running in unusual circumstances or with strange parameters, it may be a sign of malicious activity.

```bash
python3 vol.py -f Investigation-1.vmem windows.psscan
```

![image](https://hackmd.io/_uploads/rJPsiGvrA.png)

=> reader_sl.exe

### What is the parent process of the suspicious process in Case 001?
```
python3 vol.py -f Investigation-1.vmem windows.pstree
```

![image](https://hackmd.io/_uploads/BkPAKxcB0.png)

=> explorer.exe

### What is the PID of the suspicious process in Case 001?

![image](https://hackmd.io/_uploads/B1LMclqrA.png)

=> 1640

### What is the parent process PID in Case 001?

=> 1484

### What user-agent was employed by the adversary in Case 001?

Dump the memory of PID 1640 and search the dump for the user-agent string:

```
python3 vol.py -f Investigation-1.vmem -o /mnt/d/fortools/volatility3/volatility3 windows.memmap.Memmap --pid 1640 --dump
```

```
strings /mnt/d/fortools/volatility3/volatility3/*.dmp | grep -i user-agent
```

![image](https://hackmd.io/_uploads/ByYwAl9SC.png)

=> Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

### Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)

![image](https://hackmd.io/_uploads/SkhvybqrC.png)

=> Y

### What suspicious process is running at PID 740 in Case 002?

```
python3 vol.py -f Investigation-2.raw windows.psscan
```

![image](https://hackmd.io/_uploads/Sk1-fZqr0.png)

=> @WanaDecryptor@

### What is the full path of the suspicious binary in PID 740 in Case 002?

```
python3 vol.py -f Investigation-2.raw windows.dlllist | grep -i WanaDecryptor
```

![image](https://hackmd.io/_uploads/rJZ5M-9HC.png)

=> C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe

### What is the parent process of PID 740 in Case 002?

```
python3 vol.py -f Investigation-2.raw windows.pstree
```

![image](https://hackmd.io/_uploads/HJC77b5H0.png)

=> tasksche.exe

### What is the suspicious parent process PID connected to the decryptor in Case 002?

=> 1940

### From our current information, what malware is present on the system in Case 002?

=> Wannacry

### What DLL is loaded by the decryptor used for socket creation in Case 002?
```
python3 vol.py -f Investigation-2.raw windows.dlllist | grep -i Decryptor
```

![image](https://hackmd.io/_uploads/Hy_WVZcHA.png)

![image](https://hackmd.io/_uploads/ryOnCtcrA.png)

=> WS2_32.dll

### What mutex can be found that is a known indicator of the malware in question in Case 002?

> What is a _mutex_? Simply, it prevents multiple threads accessing the same resource simultaneously. It allows data to be protected.

```
python3 vol.py -f Investigation-2.raw windows.handles | grep 1940
```

![image](https://hackmd.io/_uploads/rJAfx9cSC.png)

Search for WannaCry's mutex:

![image](https://hackmd.io/_uploads/SJJ5gq5BC.png)

=> MsWinZonesCacheCounterMutexA0

### What plugin could be used to identify all files loaded from the malware working directory in Case 002?

```
python3 vol.py -h | grep file
```

![image](https://hackmd.io/_uploads/SJqCbqqrC.png)

=> windows.filescan

**Conclusion:** There are also a number of wikis and various community resources that can be used for more information about Volatility techniques, found below.
- [https://github.com/volatilityfoundation/volatility/wiki](https://github.com/volatilityfoundation/volatility/wiki)
- [https://github.com/volatilityfoundation/volatility/wiki/Volatility-Documentation-Projec](https://github.com/volatilityfoundation/volatility/wiki/Volatility-Documentation-Projec)
- [https://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics.pdf](https://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics.pdf)
- [https://eforensicsmag.com/finding-advanced-malware-using-volatility/](https://eforensicsmag.com/finding-advanced-malware-using-volatility/)

# [TryHackMe] - Memory Forensics

https://tryhackme.com/r/room/memoryforensics

Cheatsheet: [https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples](https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples)

## Task 2 - Login

**What is John's password?**

Check the profile and pick the first one suggested:

```
vol.py -f /mnt/d/tryhackme/Snapshot6_1609157562389.vmem imageinfo
```

![image](https://hackmd.io/_uploads/rk9iYi5r0.png)

Dump the users' hashes with vol2:

```
vol.py -f /mnt/d/tryhackme/Snapshot6_1609157562389.vmem --profile=Win7SP1x64 hashdump
```

![image](https://hackmd.io/_uploads/By4_Ic9rA.png)

Then `echo 47fbd6536d7868c873d5ea455f2fc0c9 > john_hash`.

Identify that the hash format is NT, based on the following description:

Structure of the NTLM hash format: `<username>:<user ID>:<LM hash>:<NT hash>:<extra fields>:::`

1. **Username**: The account name (e.g., `Administrator`, `Guest`, `John`, `HomeGroupUser$`).
2. **User ID (UID)**: A unique identifier for the user in the system (e.g., `500`, `501`, `1001`, `1002`).
3. **LM Hash**: LanMan hash (often disabled and set to `aad3b435b51404eeaad3b435b51404ee` if not used).
4. **NT Hash**: The actual NTLM hash (e.g., `31d6cfe0d16ae931b73c59d7e0c089c0`, `47fbd6536d7868c873d5ea455f2fc0c9`).
5. **Extra Fields**: These fields can contain additional data but are not typically used in cracking.

How to recognise it:

1. **Length and Content**:
   - The LM hash and NT hash are both 32 characters long, representing 16-byte values in hexadecimal format.
   - If the LM hash is `aad3b435b51404eeaad3b435b51404ee`, it indicates that the LM hash is disabled (a common configuration for modern Windows systems).
2. **Typical UID Values**:
   - UID `500` typically belongs to the built-in Administrator account.
   - UID `501` is for the Guest account.
   - UIDs `1000` and above are usually for user-created accounts.
3. **Hash Content**:
   - The NTLM hash (`31d6cfe0d16ae931b73c59d7e0c089c0`) corresponds to an empty password.
   - Hashes are consistent with the MD4 algorithm used by NTLM.

My old John build had a problem: it did not have the NT format. If you hit the same error you can fix it like this:

*Steps to Install John the Ripper Jumbo:*

1. **Clone the Repository:**

   ```
   git clone https://github.com/openwall/john.git
   cd john/src
   ```

2. **Configure and Compile:**

   ```
   ./configure && make -s clean && make -sj4
   ```

   This compiles the Jumbo version of John the Ripper, which includes support for a wide variety of hash formats, including `nt`.

*Running John the Ripper Jumbo:*

After compiling, you should navigate to the `run` directory and use the newly built `john` executable:

1. **Navigate to the `run` Directory:** `cd ../run`
2. **Verify Available Formats:** List all supported formats to ensure `nt` is included: `./john --list=formats | grep -i nt`
3. **Run John the Ripper with the Correct Format:** Assuming your `john_hash.txt` and `rockyou.txt` files are in the same directory: `./john --format=nt --wordlist=rockyou.txt john_hash.txt`

```
./john --format=nt --wordlist=/mnt/d/fortools/rockyou.txt /mnt/d/fortools/john_hash.txt
```

![image](https://hackmd.io/_uploads/H1oAgo9HR.png)

=> charmander999

## Task 3 - Analysis

**When was the machine last shut down?**

Run imageinfo and pick the first profile suggested:

```
vol.py -f /mnt/d/tryhackme/memoryforensic/analysis/Snapshot19_1609159453792.vmem imageinfo
```

![image](https://hackmd.io/_uploads/SyIrKsqSR.png)

Check the shutdown time (plugin description: Print ShutdownTime of machine from registry):

```
vol.py -f /mnt/d/tryhackme/memoryforensic/analysis/Snapshot19_1609159453792.vmem --profile=Win7SP1x64 shutdowntime
```

![image](https://hackmd.io/_uploads/HJrMDj9BR.png)

=> 2020-12-27 22:50:12

**What did John write?**

Use the `cmdscan` plugin to scan the memory dump for the history of commands executed on the system:

```
vol.py -f /mnt/d/tryhackme/memoryforensic/analysis/Snapshot19_1609159453792.vmem --profile=Win7SP1x64 cmdscan
```

![image](https://hackmd.io/_uploads/H1yz2icS0.png)

=> You_found_me

## Task 4 - TrueCrypt

**What is the TrueCrypt passphrase?**

> A common task of forensic investigators is looking for hidden partitions and encrypted files, as suspicion arose when TrueCrypt was found on the suspect's machine and an encrypted partition was found. The interrogation did not yield any success in getting the passphrase from the suspect, however, it may be present in the memory dump obtained from the suspect's computer.
Some truecrypt options (from `-h`):

![image](https://hackmd.io/_uploads/SJCdyn9rR.png)

`truecryptpassphrase` is available out of the box:

```
vol.py -f /mnt/d/tryhackme/memoryforensic/truecrypt/Snapshot14_1609164553061.vmem --profile=Win7SP1x64 truecryptpassphrase
```

![image](https://hackmd.io/_uploads/rkpk139HA.png)

=> forgetmenot

# [RootMe] Command & Control 2-6

## Command Control 2

https://www.root-me.org/en/Challenges/Forensic/Command-Control-level-2?lang=en

![image](https://hackmd.io/_uploads/HyqdWh5SR.png)

Find the workstation's hostname. The envars plugin can check the environment variables of processes, so I can use it to check the hostname. I can find the hostname environment variable by searching for computername.

```
vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp --profile=Win7SP0x86 envars | grep -i name
```

![image](https://hackmd.io/_uploads/SJRZohcSA.png)

=> WIN-ETSA91RKCFP

Another way is to find the computer name through the registry hives. First identify the hive list:

```
python3 vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp windows.registry.hivelist.HiveList
```

![image](https://hackmd.io/_uploads/ryMM62cBA.png)

View the keys:

```
python3 vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp windows.registry.printkey.PrintKey
```

![image](https://hackmd.io/_uploads/rkXrl6crA.png)

The computer name can be found at the path `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName`:

```
python3 vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp windows.registry.printkey.PrintKey --offset 0x8b21c008 --key 'ControlSet001\Control\ComputerName\ComputerName'
```

![image](https://hackmd.io/_uploads/SJPI1aqBR.png)

=> WIN-ETSA91RKCFP

## Command Control 3

https://www.root-me.org/en/Challenges/Forensic/Command-Control-level-3

![image](https://hackmd.io/_uploads/BJoRgacHR.png)

Find the malware in that memory dump; the flag is the MD5 of the exe's full path. First I use pslist to list the processes.
```
python3 vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp windows.pslist.PsList
```

![image](https://hackmd.io/_uploads/HyPKdK3BC.png)

```
python3 vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp windows.pstree.PsTree
```

Nothing looks suspicious yet, since attackers usually try to keep similar names to avoid detection.

![image](https://hackmd.io/_uploads/Hy5TOKhHA.png)

```
python3 vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp windows.cmdline.CmdLine
```

![image](https://hackmd.io/_uploads/B1eO3Y2HR.png)

I tried the cmdline plugin to view the commands and noticed something suspicious: iexplore.exe is launched from user John's profile directory, whereas it should live at `C:\Program Files\Internet Explorer\iexplore.exe`.

```python
>>> import hashlib
>>> hashlib.md5((r"C:\Users\John Doe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\iexplore.exe").encode('utf-8')).hexdigest()
'49979149632639432397b3a1df8cb43d'
```

=> 49979149632639432397b3a1df8cb43d

## Command Control 4

https://www.root-me.org/en/Challenges/Forensic/Command-Control-level-4

![image](https://hackmd.io/_uploads/H1PskchBA.png)

Find the IP of the targeted internal server, in IP:PORT format.

![image](https://hackmd.io/_uploads/ByhHMCpS0.png)

The iexplore.exe process has a child process cmd.exe, PID 1616. First I check the processes' network connections.

```
vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp --profile=Win7SP1x86 netscan
```

![image](https://hackmd.io/_uploads/HyxKr06HR.png)

It only shows me localhost IPs, so nothing special there; since there is still the child process cmd.exe, I will extract the command line history.

```
vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp --profile=Win7SP1x86 consoles
```

![image](https://hackmd.io/_uploads/S1rl8Car0.png)

cmd.exe launched a file called tcprelay.exe; this executable can be used to forward traffic, so I can grep for it to see whether the IP I am looking for is there.
```
strings /mnt/d/rootme/for/cc2/ch2.dmp | grep tcprelay.exe
```

![image](https://hackmd.io/_uploads/SkgOL52SR.png)

=> 192.168.0.22:3389

## Command Control 5

https://www.root-me.org/en/Challenges/Forensic/Command-Control-level-5

![image](https://hackmd.io/_uploads/HJOoL0pHR.png)

Find John's password. Dump the hashes and then crack them with John the Ripper.

![image](https://hackmd.io/_uploads/rk_LU53B0.png)

![image](https://hackmd.io/_uploads/HkpVUcnBR.png)

=> passw0rd

## Command Control 6

https://www.root-me.org/en/Challenges/Forensic/Command-Control-level-6

![image](https://hackmd.io/_uploads/rkxIFJ0rR.png)

```
vol.py -f /mnt/d/rootme/for/cc2/ch2.dmp --profile=Win7SP1x86 procdump --dump-dir=/mnt/d/rootme/for/cc2/ --pid=2772
```

Upload it to VirusTotal for analysis.

![image](https://hackmd.io/_uploads/B1mXsbRr0.png)

=> th1sis.l1k3aK3y.org (I inferred the flag this way from the format given in the challenge; this approach is a bit of a guess because it relies on the format, so I am looking into another approach.)

There is another approach via reverse engineering: open it in IDA.
```c
void __cdecl __noreturn sub_401581(char a1)
{
  int v1; // [esp+1Ch] [ebp-Ch]

  sub_401890();
  v1 = 0;
  Sleep(0xDBBA0u);                       // 900000 ms = 15 minutes before doing anything
  sub_4012F0(CommandLine, CommandLine);  // decode CommandLine in place
  while ( 1 )
  {
    if ( v1 > 4 )                        // rotate through five entries of off_402018
      v1 = 0;
    sub_401358();
    sub_4012F0(*(&off_402018 + v1), byte_404050);  // decode entry v1 into byte_404050
    if ( sub_4013CD(byte_404050) )
    {
      if ( sub_401407(byte_404050) )
        sub_4014A2();
    }
    closesocket(s);
    WSACleanup();
    Sleep(0x3A98u);                      // 15000 ms = 15 seconds between attempts
    ++v1;
  }
}
```

```c
int __cdecl sub_4012F0(int a1, int a2)
{
  int result; // eax
  int v3; // [esp+8h] [ebp-8h]
  int i; // [esp+8h] [ebp-8h]
  char v5; // [esp+Fh] [ebp-1h]

  v3 = 0;
  v5 = 0;
  while ( byte_402004[v3] )              // v5 = 8-bit sum of the key bytes at byte_402004
    v5 += byte_402004[v3++];
  for ( i = 0; *(_BYTE *)(a1 + i); ++i ) // out[i] = in[i] ^ (v5 + i): rolling XOR until NUL
    *(_BYTE *)(a2 + i) = v5++ ^ *(_BYTE *)(a1 + i);
  result = a2 + i;
  *(_BYTE *)(a2 + i) = 0;
  return result;
}
```

# Viblo - Wdiguess

https://ctf.viblo.asia/puzzles/wdiguess-rqjsfadoot9

![image](https://hackmd.io/_uploads/rk-i3ZCBC.png)

Analyse with mimikatz, following the challenge description:

```
mimikatz # sekurlsa::minidump "D:\viblo\New folder\lsass.DMP"
Switch to MINIDUMP : 'D:\viblo\New folder\lsass.DMP'

mimikatz # sekurlsa::logonpasswords
```

![image](https://hackmd.io/_uploads/HyhdabAHR.png)

=> Flag{Ls4s5_duMp3r_M4st3R}

# References and Further Readings

https://quantrimang.com/cong-nghe/phap-y-ky-thuat-so-phan-5-memory-forensics-190538
https://whitehat.vn/threads/forensic-5-memory-forensics.2135
https://hackmd.io/@TuX-/BymMpKd0s
https://blog.onfvp.com/post/volatility-cheatsheet/
https://medium.com/@laupeiip/volatility-tryhackme-write-up-e406b1f5eaa4
https://bizflycloud.vn/tin-tuc/tim-hieu-ve-process-trong-linux-20210430234059408.htm
https://docs.rapid7.com/insightidr/windows-suspicious-process/
https://viblo.asia/p/basic-process-management-quan-ly-tien-trinh-trong-unixlinux-co-ban-LzD5der0KjY
https://medium.com/@jamesjarviscyber/volatility-tryhackme-task-10-only-c34c4f157031
https://blog.didierstevens.com/2017/05/14/quickpost-wannacrys-mutex-is-mswinzonescachecountermutexa0-digit-zero-at-the-end/
https://infosecwriteups.com/memory-forensics-tryhackme-write-up-cyberw1ng-945217d0cbc7
https://www.openwall.com/john/doc/FAQ.shtml
https://apjone.uk/tryhackme-memory-forensics/
https://cysecguide.blogspot.com/2017/11/root-me-write-up-command-control-level-2.html
https://medium.com/@anasabdelalieem9/root-me-command-control-level-2-63193f24fbdc
https://medium.com/@anasabdelalieem9/root-me-command-control-level-3-961254cc70d6
https://spyx.github.io/volatility/
https://unix.stackexchange.com/questions/296596/how-to-check-if-any-ip-address-is-present-in-a-file-using-shell-scripting
https://www.eyehatemalwares.com/digital-forensics/memory-analysis/volatility-pstree/
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
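Returning to the Command Control 6 decompilation above: to turn the string decoder `sub_4012F0` into something that can be run over strings extracted from the dump, here is a Python re-implementation as an added example. It is not code from the challenge binary or the write-up; the key `b"k3y"` and the strings fed through it are constructed, since the real key at `byte_402004` and the five pointers in `off_402018` are not reproduced here.

```python
"""Re-implementation of the string decoder seen in the Command Control 6
decompilation (sub_4012F0), for decoding strings pulled from the dump.
Added example, not code from the challenge binary or the write-up."""

KEY = b"k3y"  # constructed stand-in for the key bytes at byte_402004


def key_seed(key: bytes) -> int:
    """while ( byte_402004[v3] ) v5 += byte_402004[v3++];
    v5 is a char, so the sum of the key bytes wraps at 8 bits."""
    seed = 0
    for b in key:
        if b == 0:              # the C loop stops at the NUL terminator
            break
        seed = (seed + b) & 0xFF
    return seed


def xor_decode(data: bytes, key: bytes = KEY) -> bytes:
    """*(a2 + i) = v5++ ^ *(a1 + i);
    Each byte is XORed with seed, seed+1, seed+2, ... (mod 256).  The input is
    treated as a C string, so decoding stops at the first 0x00 byte."""
    seed = key_seed(key)
    out = bytearray()
    for i, b in enumerate(data):
        if b == 0:
            break
        out.append(((seed + i) & 0xFF) ^ b)
    return bytes(out)


# XOR with the same key stream is its own inverse, so encoding is the same routine.
xor_encode = xor_decode


def unencodable_offsets(plaintext: bytes, key: bytes = KEY) -> list:
    """Offsets where encoding would yield 0x00.  The decoder's NUL check would
    then truncate the string, so a working sample cannot contain such a byte
    at that position; a useful sanity check when testing a candidate key."""
    seed = key_seed(key)
    return [i for i, b in enumerate(plaintext) if ((seed + i) & 0xFF) == b]


def decode_table(entries, key: bytes = KEY) -> list:
    """Mirror the loop in sub_401581, which walks off_402018[0..4] and decodes
    each pointer into byte_404050 before using it."""
    return [xor_decode(e, key).decode("latin-1") for e in entries]


if __name__ == "__main__":
    # Constructed table: encode two strings, then decode them the way the
    # binary's main loop would.
    table = [xor_encode(s) for s in (b"first.example", b"second.example")]
    print([e.hex() for e in table])
    print(decode_table(table))
```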