GrrCON 2015 #1
da1seun9
2020. 2. 25. 14:40
This is a challenge from the GrrCON 2015 forensics (memory) section.
After downloading the challenge file, let's crack it open with Volatility.
>> volatility.exe -f Target1-1dd8701f.vmss imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : VMWareAddressSpace (Unnamed AS)
AS Layer3 : FileAddressSpace (C:\Users\LG\Desktop\포렌식\포렌식 툴\volatility\volatility_2.6_win64_standalone\Target1-1dd8701f.vmss)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82765be8L
Number of Processors : 2
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x82766c00L
KPCR for CPU 1 : 0x807c5000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2015-10-09 12:53:02 UTC+0000
Image local date and time : 2015-10-09 08:53:02 -0400
Now that we have confirmed the operating system, let's analyze it.
>> volatility.exe -f Target1-1dd8701f.vmss --profile=Win7SP0x86 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000003fbb4e8 System 4 0 0x00185000 2015-10-09 11:30:44 UTC+0000
0x000000003de29968 dwm.exe 2088 836 0x3ecc33c0 2015-10-09 11:31:04 UTC+0000
0x000000003de3e5f8 explorer.exe 2116 2060 0x3ecc3360 2015-10-09 11:31:04 UTC+0000
0x000000003de59030 taskhost.exe 2252 528 0x3ecc33e0 2015-10-09 11:31:04 UTC+0000
0x000000003def3d40 OUTLOOK.EXE 3196 2116 0x3ecc3440 2015-10-09 11:31:32 UTC+0000
0x000000003df21510 svchost.exe 3232 528 0x3ecc3480 2015-10-09 11:31:34 UTC+0000
0x000000003df2d030 iexplore.exe 2996 2984 0x3ecc34a0 2015-10-09 11:31:27 UTC+0000
0x000000003e0338f0 svchost.exe 1124 528 0x3ecc3200 2015-10-09 11:30:53 UTC+0000
0x000000003e075d40 svchost.exe 1256 528 0x3ecc3240 2015-10-09 11:30:53 UTC+0000
0x000000003e100cb0 dllhost.exe 1888 528 0x3ecc32c0 2015-10-09 11:30:54 UTC+0000
0x000000003e103030 vmtoolsd.exe 1432 528 0x3ecc3260 2015-10-09 11:30:54 UTC+0000
0x000000003e163a58 sppsvc.exe 3900 528 0x3ecc3300 2015-10-09 11:32:54 UTC+0000
0x000000003e24c8d8 spoolsv.exe 1228 528 0x3ecc3220 2015-10-09 11:30:53 UTC+0000
0x000000003e25b030 lsass.exe 536 420 0x3ecc30e0 2015-10-09 11:30:48 UTC+0000
0x000000003e25d960 lsm.exe 544 420 0x3ecc3100 2015-10-09 11:30:48 UTC+0000
0x000000003e28fd40 svchost.exe 644 528 0x3ecc3120 2015-10-09 11:30:48 UTC+0000
0x000000003e2d69e8 msdtc.exe 1980 528 0x3ecc32e0 2015-10-09 11:30:55 UTC+0000
0x000000003e2dc278 TeamViewer_Des 1092 2680 0x3ecc34e0 2015-10-09 12:10:56 UTC+0000
0x000000003e3481f0 vmtoolsd.exe 2388 2116 0x3ecc3420 2015-10-09 11:31:04 UTC+0000
0x000000003e355030 svchost.exe 796 528 0x3ecc3160 2015-10-09 11:30:51 UTC+0000
0x000000003e389030 svchost.exe 836 528 0x3ecc3180 2015-10-09 11:30:52 UTC+0000
0x000000003e396318 svchost.exe 1784 528 0x3ecc3280 2015-10-09 11:30:54 UTC+0000
0x000000003e398940 svchost.exe 864 528 0x3ecc31a0 2015-10-09 11:30:52 UTC+0000
0x000000003e3ac920 SearchIndexer. 2544 528 0x3ecc3340 2015-10-09 11:31:10 UTC+0000
0x000000003e3ec2c0 svchost.exe 1008 528 0x3ecc31e0 2015-10-09 11:30:52 UTC+0000
0x000000003e43d030 winlogon.exe 480 412 0x3ecc30c0 2015-10-09 11:30:48 UTC+0000
0x000000003e6e0d40 csrss.exe 432 416 0x3ecc1040 2015-10-09 11:23:53 UTC+0000
0x000000003e6ebd40 csrss.exe 372 364 0x3ecc1060 2015-10-09 11:23:52 UTC+0000
0x000000003e816d40 csrss.exe 432 412 0x3ecc3040 2015-10-09 11:30:48 UTC+0000
0x000000003e855d40 csrss.exe 368 360 0x3ecb1060 2015-10-09 10:48:52 UTC+0000
0x000000003e85e978 mscorsvw.exe 912 460 0x3efa42c0 2015-10-09 05:28:42 UTC+0000 2015-10-09 05:28:46 UTC+0000
0x000000003e897848 svchost.exe 1020 460 0x3efa4220 2015-10-09 05:27:32 UTC+0000
0x000000003e9c7d40 csrss.exe 364 356 0x3eff30a0 2015-10-09 05:29:12 UTC+0000
0x000000003eb4ea68 services.exe 460 368 0x3efa4080 2015-10-09 05:27:25 UTC+0000
0x000000003eb5d9e8 lsass.exe 472 368 0x3efa40e0 2015-10-09 05:27:26 UTC+0000
0x000000003ebe5ac8 LogonUI.exe 1272 368 0x3efa4180 2015-10-09 05:28:45 UTC+0000
0x000000003ec21448 svchost.exe 720 528 0x3ecc3140 2015-10-09 11:30:50 UTC+0000
0x000000003ecb79f8 services.exe 528 420 0x3ecc3080 2015-10-09 11:30:48 UTC+0000
0x000000003ecebb18 csrss.exe 368 360 0x3ecc3060 2015-10-09 11:30:47 UTC+0000
0x000000003ecfcbf0 smss.exe 276 4 0x3ecc3020 2015-10-09 11:30:44 UTC+0000
0x000000003edb7628 wininit.exe 420 360 0x3ecc30a0 2015-10-09 11:30:48 UTC+0000
0x000000003f4387d0 taskhost.exe 3096 524 0x3ecb13a0 2015-10-09 10:52:44 UTC+0000 2015-10-09 10:59:02 UTC+0000
0x000000003f443ab0 explorer.exe 3932 3940 0x3ecb1680 2015-10-09 10:53:29 UTC+0000
0x000000003f447d40 vmtoolsd.exe 4072 3932 0x3ecb16a0 2015-10-09 10:53:29 UTC+0000
0x000000003fa33598 TeamViewer.exe 2680 1696 0x3ecc32a0 2015-10-09 12:08:46 UTC+0000
0x000000003fa37d40 tv_w32.exe 4064 2680 0x3ecc3500 2015-10-09 12:08:47 UTC+0000
0x000000003fc7cd40 conhost.exe 916 432 0x3ecc3560 2015-10-09 11:33:42 UTC+0000
0x000000003fcd5d40 cmd.exe 2496 2116 0x3ecc3540 2015-10-09 11:33:42 UTC+0000
0x000000003fd305f0 cmd.exe 1856 2996 0x3ecc3520 2015-10-09 11:35:15 UTC+0000
0x000000003fd33d40 conhost.exe 1624 432 0x3ecc3580 2015-10-09 11:35:15 UTC+0000
0x000000003fd3ed40 mstsc.exe 2844 2116 0x3ecc34c0 2015-10-09 12:12:03 UTC+0000
0x000000003fdc9030 conhost.exe 676 432 0x3ecc3320 2015-10-09 11:37:32 UTC+0000
0x000000003fdd2d40 cmd.exe 3784 2196 0x3ecc3400 2015-10-09 11:39:22 UTC+0000
0x000000003fdd86a8 cmd.exe 3064 2116 0x3ecc33a0 2015-10-09 11:37:32 UTC+0000
0x000000003fde7c08 conhost.exe 1824 432 0x3ecc31c0 2015-10-09 11:39:22 UTC+0000
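Reading a psscan listing of this size by eye is slow, so here is a small triage helper. It is an added example written for this post, not part of the original write-up or of Volatility. It parses the text rows of `psscan` into records, resolves each process's parent by PID while taking creation time into account (psscan also carves stale objects from before a reboot, which is why PID 432 csrss.exe appears twice above), and flags any cmd.exe whose parent is an interactive user application. The sample rows are a constructed subset of the listing above; the helper names and the `user_apps` list are this example's own choices.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the psscan rows shown in the write-up above.
PSSCAN_OUTPUT = """\
Offset(P)          Name             PID    PPID   PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000003fbb4e8 System                4      0 0x00185000 2015-10-09 11:30:44 UTC+0000
0x000000003de3e5f8 explorer.exe       2116   2060 0x3ecc3360 2015-10-09 11:31:04 UTC+0000
0x000000003def3d40 OUTLOOK.EXE        3196   2116 0x3ecc3440 2015-10-09 11:31:32 UTC+0000
0x000000003df2d030 iexplore.exe       2996   2984 0x3ecc34a0 2015-10-09 11:31:27 UTC+0000
0x000000003e6e0d40 csrss.exe           432    416 0x3ecc1040 2015-10-09 11:23:53 UTC+0000
0x000000003e816d40 csrss.exe           432    412 0x3ecc3040 2015-10-09 11:30:48 UTC+0000
0x000000003e85e978 mscorsvw.exe        912    460 0x3efa42c0 2015-10-09 05:28:42 UTC+0000 2015-10-09 05:28:46 UTC+0000
0x000000003fcd5d40 cmd.exe            2496   2116 0x3ecc3540 2015-10-09 11:33:42 UTC+0000
0x000000003fd305f0 cmd.exe            1856   2996 0x3ecc3520 2015-10-09 11:35:15 UTC+0000
0x000000003fd33d40 conhost.exe        1624    432 0x3ecc3580 2015-10-09 11:35:15 UTC+0000
"""

TS_FMT = "%Y-%m-%d %H:%M:%S UTC%z"
TS_RE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-f]+)\s+(?P<created>" + TS_RE + r")"
    r"(?:\s+(?P<exited>" + TS_RE + r"))?\s*$"
)


def parse_psscan(text):
    """Turn the text output of Volatility's psscan into a list of dicts (header rows skipped)."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["ppid"] = int(d["ppid"])
        d["created"] = datetime.strptime(d["created"], TS_FMT)
        d["exited"] = datetime.strptime(d["exited"], TS_FMT) if d["exited"] else None
        procs.append(d)
    return procs


def by_pid(procs, pid):
    """All carved objects with this PID; psscan may return more than one (stale pre-reboot objects)."""
    return [p for p in procs if p["pid"] == pid]


def parent_of(procs, proc):
    """Pick the parent candidate that already existed when the child was created (latest such one)."""
    cands = [p for p in procs if p["pid"] == proc["ppid"] and p["created"] <= proc["created"]]
    return max(cands, key=lambda p: p["created"]) if cands else None


def lineage(procs, proc):
    """Process name chain from this process up to the root we can still resolve."""
    chain = [proc["name"]]
    seen = {proc["offset"]}
    cur = proc
    while True:
        cur = parent_of(procs, cur)
        if cur is None or cur["offset"] in seen:
            return chain
        seen.add(cur["offset"])
        chain.append(cur["name"])


def shells_under_user_apps(procs, user_apps=("iexplore.exe", "OUTLOOK.EXE")):
    """Triage rule (this example's own choice): cmd.exe spawned by a browser or mail client is worth a look."""
    hits = []
    for p in procs:
        if p["name"].lower() != "cmd.exe":
            continue
        par = parent_of(procs, p)
        if par and par["name"] in user_apps:
            hits.append((p["pid"], par["name"], par["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_OUTPUT)
    for p in procs:
        print(p["pid"], " <- ".join(lineage(procs, p)))
    print("shells under user apps:", shells_under_user_apps(procs))
```

On the rows above the rule singles out cmd.exe PID 1856, whose parent is iexplore.exe PID 2996; the cmd.exe under explorer.exe is an ordinary user-opened console. To run it on the real listing, save the psscan output to a file and pass its contents to `parse_psscan`.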
There are a lot of programs here, but we have to go through them one by one, right?
If you don't know one, go ask Teacher Google.
??? : Teacher, what is OUTLOOK!?!??!?!?
God-gle : yeah it is that
E-mail....
E-mail!
The challenge mentioned e-mail, didn't it?
So let's dump the process and check it.
>> volatility.exe -f Target1-1dd8701f.vmss --profile=Win7SP0x86 memdump -p 3196 -D ./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing OUTLOOK.EXE [ 3196] to 3196.dmp
Let's convert this dump file to a txt file with strings.exe and look at it.
>> strings.exe 3196.dmp > 3196.txt
Aaand done.
Now let's take a look.
When you open it there will obviously be a huge number of strings.
If we go through them one by one the clock will run out! So let's use our heads.
CTRL + F
Search for the kind of e-mail address we all use every day and it will show up!
Answer :
th3wh1t3r0s3@gmail.com
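The strings-then-Ctrl+F step can be automated, and doing so also makes one caveat visible: Outlook is a Windows program, so much of its memory holds UTF-16LE text, which Sysinternals strings.exe extracts by default but GNU `strings` skips unless you pass `-e l`. The following is an added example written for this post, not code from the original write-up; it scans raw dump bytes for both ASCII and UTF-16LE strings and reports every e-mail address found along with the encoding it was stored in. The byte blob is constructed for the demonstration (the gmail address is the one from the answer above, the other address is made up), and `scan_file` / `find_emails` are this example's own names.

```python
import mmap
import re

# Constructed sample "dump": junk bytes, an ASCII mail header, then a UTF-16LE header.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00\x03" + b"\xff" * 7
    + b"From: Some One <th3wh1t3r0s3@gmail.com>\r\n"
    + b"\x00" * 5
    + "Reply-To: helpdesk@example.invalid".encode("utf-16-le")
    + b"\x00\x01\x02" + b"not-an-email@" + b"\x00\x00"
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def ascii_strings(data, min_len=4):
    """Runs of printable ASCII, like `strings` with its default settings."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data, min_len=4):
    """Runs of printable ASCII stored as UTF-16LE (char, NUL pairs), like `strings -e l`."""
    out = []
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        out.append(m.group().decode("utf-16-le").encode("ascii"))
    return out


def find_emails(data):
    """Map each e-mail address found to the sorted list of encodings it appeared in."""
    found = {}
    for enc, strings in (("ascii", ascii_strings(data)), ("utf-16le", utf16le_strings(data))):
        for s in strings:
            for m in EMAIL_RE.finditer(s):
                found.setdefault(m.group().decode(), set()).add(enc)
    return {addr: sorted(encs) for addr, encs in found.items()}


def scan_file(path):
    """Scan a memdump output file (e.g. 3196.dmp) without reading it all into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_emails(mm)


if __name__ == "__main__":
    for addr, encs in sorted(find_emails(SAMPLE_DUMP).items()):
        print(addr, encs)
```

On the constructed blob the gmail address is found only as ASCII and the second address only as UTF-16LE; an ASCII-only scan would have missed the latter entirely, which is the point to remember when a Ctrl+F on a GNU `strings` listing comes up empty.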