CHIqueen
Houseplant Imagery
$ python vol.py -f imagery.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_17763, Win10x64_15063 (Instantiated with Win10x64_15063)
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/sansforensics/Desktop/volatility/imagery.raw)
PAE type : No PAE
DTB : 0x1aa002L
KDBG : 0xf8037f6af5e0L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff8037e54e000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-04-24 09:50:12 UTC+0000
Image local date and time : 2020-04-24 02:50:12 -0700
I went with Win10x64_17134 as the profile and started from there.
$ python vol.py -f imagery.raw --profile=Win10x64_17134 pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xffff84024507d140:winlogon.exe 512 436 4 0 2020-04-24 17:42:55 UTC+0000
. 0xffff8402452640c0:dwm.exe 840 512 14 0 2020-04-24 17:42:56 UTC+0000
. 0xffff840247cb2440:userinit.exe 2188 512 0 ------ 2020-04-24 09:43:20 UTC+0000
.. 0xffff840247cf2440:explorer.exe 2416 2188 41 0 2020-04-24 09:43:21 UTC+0000
... 0xffff840245631540:VBoxTray.exe 3264 2416 11 0 2020-04-24 09:44:05 UTC+0000
... 0xffff8402481b9480:SecurityHealth 2908 2416 2 0 2020-04-24 09:44:04 UTC+0000
... 0xffff840245632080:notepad.exe 6076 2416 2 0 2020-04-24 09:44:40 UTC+0000
... 0xffff840245633080:OneDrive.exe 3532 2416 19 0 2020-04-24 09:44:08 UTC+0000
. 0xffff840245122200:fontdrvhost.ex 636 512 5 0 2020-04-24 17:42:56 UTC+0000
0xffff840245004140:csrss.exe 452 436 11 0 2020-04-24 17:42:55 UTC+0000
0xffff840245084080:wininit.exe 444 368 1 0 2020-04-24 17:42:55 UTC+0000
. 0xffff84024512e200:fontdrvhost.ex 644 444 5 0 2020-04-24 17:42:56 UTC+0000
. 0xffff8402450b9140:services.exe 536 444 5 0 2020-04-24 17:42:55 UTC+0000
.. 0xffff840245968080:spoolsv.exe 1600 536 7 0 2020-04-24 09:43:01 UTC+0000
.. 0xffff8402416ea080:svchost.exe 1432 536 2 0 2020-04-24 09:43:00 UTC+0000
.. 0xffff840245941080:svchost.exe 1676 536 14 0 2020-04-24 09:43:01 UTC+0000
.. 0xffff840247cfb300:svchost.exe 2724 536 0 ------ 2020-04-24 09:43:22 UTC+0000
.. 0xffff8402416a6080:svchost.exe 916 536 24 0 2020-04-24 17:42:57 UTC+0000
.. 0xffff840245134300:svchost.exe 664 536 20 0 2020-04-24 17:42:56 UTC+0000
... 0xffff840247f60080:MicrosoftEdge. 3956 664 23 0 2020-04-24 09:43:39 UTC+0000
... 0xffff8402480b1440:smartscreen.ex 1516 664 6 0 2020-04-24 09:44:03 UTC+0000
... 0xffff840248005080:SearchUI.exe 3672 664 34 0 2020-04-24 09:43:35 UTC+0000
... 0xffff8402480b8540:RuntimeBroker. 5124 664 2 0 2020-04-24 09:44:42 UTC+0000
... 0xffff84024813f400:RuntimeBroker. 3784 664 10 0 2020-04-24 09:43:36 UTC+0000
... 0xffff84024861b080:MicrosoftEdgeC 4532 664 13 0 2020-04-24 09:43:52 UTC+0000
... 0xffff8402481c0080:browser_broker 3144 664 3 0 2020-04-24 09:43:40 UTC+0000
... 0xffff84024494c4c0:dllhost.exe 5656 664 6 0 2020-04-24 09:44:19 UTC+0000
... 0xffff840248615400:RuntimeBroker. 4320 664 2 0 2020-04-24 09:43:43 UTC+0000
.... 0xffff840248627080:MicrosoftEdgeS 4596 4320 8 0 2020-04-24 09:43:52 UTC+0000
... 0xffff84024817f400:ApplicationFra 3928 664 4 0 2020-04-24 09:43:39 UTC+0000
... 0xffff840244dec540:WmiPrvSE.exe 5352 664 5 0 2020-04-24 09:47:02 UTC+0000
... 0xffff840247fc70c0:ShellExperienc 3564 664 21 0 2020-04-24 09:43:33 UTC+0000
.. 0xffff840247ca6300:svchost.exe 1308 536 27 0 2020-04-24 09:43:19 UTC+0000
.. 0xffff8402416d8080:svchost.exe 1448 536 4 0 2020-04-24 09:43:00 UTC+0000
.. 0xffff8402452a2300:svchost.exe 940 536 60 0 2020-04-24 17:42:56 UTC+0000
... 0xffff840247b79400:taskhostw.exe 2848 940 9 0 2020-04-24 09:43:16 UTC+0000
... 0xffff840247b74380:sihost.exe 2768 940 12 0 2020-04-24 09:43:15 UTC+0000
.. 0xffff840247747080:MsMpEng.exe 1988 536 22 0 2020-04-24 09:43:02 UTC+0000
.. 0xffff84024596c080:svchost.exe 1456 536 4 0 2020-04-24 09:43:00 UTC+0000
.. 0xffff8402416ef080:VBoxService.ex 1208 536 11 0 2020-04-24 17:42:57 UTC+0000
.. 0xffff8402457ee300:svchost.exe 1908 536 11 0 2020-04-24 09:43:02 UTC+0000
.. 0xffff840247bdb080:svchost.exe 2964 536 6 0 2020-04-24 09:43:16 UTC+0000
.. 0xffff8402452d2380:svchost.exe 960 536 13 0 2020-04-24 17:42:56 UTC+0000
.. 0xffff8402452d4380:svchost.exe 968 536 14 0 2020-04-24 17:42:56 UTC+0000
.. 0xffff840247a74440:NisSrv.exe 2572 536 6 0 2020-04-24 09:43:10 UTC+0000
.. 0xffff840247e3f080:svchost.exe 3276 536 3 0 2020-04-24 09:43:29 UTC+0000
.. 0xffff840244197540:svchost.exe 336 536 15 0 2020-04-24 17:42:57 UTC+0000
... 0xffff840247be9380:ctfmon.exe 3012 336 8 0 2020-04-24 09:43:16 UTC+0000
... 0xffff8402479e6340:dasHost.exe 2324 336 3 0 2020-04-24 09:43:06 UTC+0000
.. 0xffff84024886a340:SecurityHealth 4664 536 7 0 2020-04-24 09:44:04 UTC+0000
.. 0xffff84024774b2c0:wlms.exe 2004 536 2 0 2020-04-24 09:43:02 UTC+0000
.. 0xffff840245937080:svchost.exe 2776 536 8 0 2020-04-24 09:43:15 UTC+0000
.. 0xffff8402416ee080:svchost.exe 1060 536 20 0 2020-04-24 17:42:57 UTC+0000
.. 0xffff8402416e2080:svchost.exe 1372 536 5 0 2020-04-24 09:43:00 UTC+0000
.. 0xffff84024562e080:SgrmBroker.exe 2036 536 4 0 2020-04-24 09:45:08 UTC+0000
.. 0xffff840245966080:svchost.exe 1632 536 9 0 2020-04-24 09:43:01 UTC+0000
.. 0xffff8402482ed2c0:svchost.exe 5152 536 12 0 2020-04-24 09:45:07 UTC+0000
.. 0xffff840247720400:ruby.exe 1980 536 9 0 2020-04-24 09:43:02 UTC+0000
.. 0xffff840248139300:SearchIndexer. 4776 536 14 0 2020-04-24 09:43:54 UTC+0000
.. 0xffff840245204380:svchost.exe 756 536 9 0 2020-04-24 17:42:56 UTC+0000
.. 0xffff840247dce500:svchost.exe 992 536 6 0 2020-04-24 09:45:14 UTC+0000
. 0xffff8402450bb140:lsass.exe 548 444 7 0 2020-04-24 17:42:55 UTC+0000
0xffff8402453d9540:csrss.exe 376 368 9 0 2020-04-24 17:42:55 UTC+0000
0xffff84024165d300:System 4 0 103 0 2020-04-24 17:42:46 UTC+0000
. 0xffff840241ca4040:smss.exe 288 4 2 0 2020-04-24 17:42:46 UTC+0000
. 0xffff8402416dd040:MemCompression 1332 4 26 0 2020-04-24 09:43:00 UTC+0000
. 0xffff840241792040:Registry 68 4 4 0 2020-04-24 17:42:37 UTC+0000
Apart from notepad.exe and ruby.exe, nothing stood out.
$ python vol.py -f imagery.raw --profile=Win10x64_17134 memdump -p 6076 -D ./
After dumping Notepad's process memory separately,
PS D:\ctf\Houseplant\Imagery> .\strings64.exe .\6076.dmp | findstr rtcp
rtcp{camera_goes_click_brrrrrr^and^gives^photo}
rtcp{camera_goes_click_brrrrrr^and^gives^pholto
rtcp{camera_goes_click_brrrrrr^and^gives^photo}
rtcp{camera_goes_click_brrrrrr^and^gives^photo
rtcp{camera_goes_click_brrrrrr^and^gives^pholt
rtcp{camera_goes_click_brrrrrr^and^gives^phot
rtcp
rtcp{camera_goes_click_brrrr
rtcp{camera_goes_click_brrrrrrj
rtcp{camera_goes_click_brrrrrr^and^g
rtcp{camera_goes_click_brrrrrr^an
rtcp{camera_goes_click_brrrrrr^and^
rtcp{camera_goes_click_brrrrrr^
rtcp{camera_goes_click_brrrrrr^and
rtcp{camera_goes_click_brrrrrr^a
Assets\Text\rtcpal_registry.reg
Assets\Text\rtcpal_registry.reg
FINDSTR : la ligne 2984961 est trop longue.
FINDSTR : la ligne 2984961 est trop longue.
FINDSTR : la ligne 2984961 est trop longue.
I just searched for the flag format and it came right out.
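As an added example (not part of the original write-up), the same search over the process dump done in Python instead of strings | findstr: it scans the raw bytes in overlapping chunks, so findstr's "line too long" failure cannot happen, and it also matches the UTF-16LE copy Notepad keeps in its edit buffer. The flag format and the dump name 6076.dmp come from the page; the sample dump is constructed.

```python
import io
import re
import sys

# Flag format from the write-up: rtcp{...}. NUL is excluded from the body so a
# match cannot run across the NUL-terminated edit fragments Notepad leaves behind.
ASCII_RE = re.compile(rb"rtcp\{[^{}\x00]{1,200}\}")
# Notepad's edit buffer is UTF-16LE (each ASCII char followed by 0x00); the same
# pattern widened to 2-byte units catches the live copy an ASCII grep misses.
UTF16_RE = re.compile(rb"r\x00t\x00c\x00p\x00\{\x00(?:[^{}\x00]\x00){1,200}\}\x00")

def find_flags(buf, base=0, found=None):
    """Scan one buffer; hits are keyed by absolute offset, so overlap re-sightings dedupe."""
    found = {} if found is None else found
    for rx, enc in ((ASCII_RE, "ascii"), (UTF16_RE, "utf-16-le")):
        for m in rx.finditer(buf):
            found[base + m.start()] = m.group().decode(enc, "replace")
    return found

def scan_stream(fobj, chunk=8 * 1024 * 1024, overlap=4096):
    """Read in fixed-size chunks, carrying `overlap` trailing bytes so a flag that
    straddles a boundary is seen whole. No line splitting, so no 'line too long'."""
    found, tail, pos = {}, b"", 0
    while True:
        data = fobj.read(chunk)
        if not data:
            break
        buf = tail + data
        find_flags(buf, pos, found)
        tail = buf[-overlap:]
        pos += len(buf) - len(tail)
    return found

def scan_dump(path, **kw):
    with open(path, "rb") as f:
        return scan_stream(f, **kw)

def scan_blob_chunked(data, **kw):  # chunked scan of an in-memory blob
    return scan_stream(io.BytesIO(data), **kw)

def build_sample_dump(filler=300_000):
    """Constructed stand-in for 6076.dmp: NUL-separated partial fragments, a long
    newline-free run like the one that tripped findstr, then the flag in ASCII and UTF-16LE."""
    flag = b"rtcp{camera_goes_click_brrrrrr^and^gives^photo}"
    frags = b"rtcp{camera_goes_click_brrrrrr^and^\x00rtcp{camera_goes_click_brrrr\x00"
    return frags + b"A" * filler + flag + b"\x00" + flag.decode().encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    for off, text in sorted(scan_dump(sys.argv[1] if len(sys.argv) > 1 else "6076.dmp").items()):
        print(f"0x{off:x} {text}")
```

Run it as `python scan.py 6076.dmp`; the partial fragments without a closing brace are filtered out, which is why only the complete flag is reported.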