UMDCTF Jarred-3
A Windows memory challenge. Start with kdbgscan, which identifies the profile as Win7SP1x64.
python vol.py -f jarred3.vmem kdbgscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: /home/sansforensics/Desktop/volatility/jarred3.vmem WinXPSP2x86 (5.1.0 32bit)
Offset (P) : 0x2a080a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead : 0x2a3eb90
PsLoadedModuleList : 0x2a5ce90
KernelBase : 0xfffff80002817000
Processes first.
# python vol.py -f jarred3.vmem --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa800418b060:firefox.exe 2228 3204 49 749 2020-04-09 19:23:42 UTC+0000
. 0xfffffa80040f47e0:firefox.exe 3456 2228 10 196 2020-04-09 19:23:44 UTC+0000
. 0xfffffa800417b060:firefox.exe 3656 2228 21 320 2020-04-09 19:23:45 UTC+0000
. 0xfffffa8003860060:tor.exe 3668 2228 5 71 2020-04-09 19:23:44 UTC+0000
. 0xfffffa8002f9f240:firefox.exe 3992 2228 22 301 2020-04-09 19:25:02 UTC+0000
. 0xfffffa8004128630:firefox.exe 2328 2228 26 349 2020-04-09 19:23:45 UTC+0000
0xfffffa8003475b30:wininit.exe 412 332 3 76 2020-04-09 19:10:16 UTC+0000
. 0xfffffa8002919530:services.exe 520 412 6 204 2020-04-09 19:10:16 UTC+0000
.. 0xfffffa8003a98b30:VGAuthService. 1580 520 3 87 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa80040bf310:svchost.exe 2704 520 15 161 2020-04-09 19:12:19 UTC+0000
.. 0xfffffa8003799910:svchost.exe 644 520 12 372 2020-04-09 19:10:17 UTC+0000
... 0xfffffa80063e1b30:WmiPrvSE.exe 1740 644 10 216 2020-04-09 19:10:19 UTC+0000
.. 0xfffffa8003eac890:dllhost.exe 2068 520 13 207 2020-04-09 19:10:20 UTC+0000
.. 0xfffffa8003f51300:svchost.exe 1648 520 13 324 2020-04-09 19:12:19 UTC+0000
.. 0xfffffa800393ba30:spoolsv.exe 1060 520 12 271 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80039a6b30:taskhost.exe 1192 520 8 155 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80037f5b30:svchost.exe 812 520 21 476 2020-04-09 19:10:17 UTC+0000
... 0xfffffa800386b060:audiodg.exe 964 812 6 132 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa8004232060:sppsvc.exe 1732 520 4 149 2020-04-09 19:12:19 UTC+0000
.. 0xfffffa800396fa30:svchost.exe 1088 520 19 330 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80037c9b30:svchost.exe 724 520 8 295 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa80038de060:svchost.exe 600 520 18 489 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa8003cb0b30:vmtoolsd.exe 1684 520 12 276 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa8003996b30:SearchIndexer. 2536 520 14 719 2020-04-09 19:10:24 UTC+0000
... 0xfffffa80016226c0:SearchFilterHo 2560 2536 5 100 2020-04-09 19:25:35 UTC+0000
... 0xfffffa8003f5ab30:SearchProtocol 2680 2536 8 449 2020-04-09 19:10:24 UTC+0000
.. 0xfffffa8003eb4b30:msdtc.exe 2156 520 12 148 2020-04-09 19:10:20 UTC+0000
.. 0xfffffa8003840b30:svchost.exe 884 520 42 1023 2020-04-09 19:10:17 UTC+0000
.. 0xfffffa8003810b30:svchost.exe 852 520 13 318 2020-04-09 19:10:17 UTC+0000
... 0xfffffa80039d84c0:dwm.exe 1260 852 3 74 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa8003851b30:svchost.exe 1020 520 9 537 2020-04-09 19:10:17 UTC+0000
. 0xfffffa8005a933e0:lsass.exe 536 412 7 637 2020-04-09 19:10:16 UTC+0000
. 0xfffffa8002f977c0:lsm.exe 544 412 10 148 2020-04-09 19:10:16 UTC+0000
0xfffffa80072ae270:csrss.exe 368 332 10 433 2020-04-09 19:10:16 UTC+0000
0xfffffa8001423890:System 4 0 90 522 2020-04-09 19:10:10 UTC+0000
. 0xfffffa80032bcb30:smss.exe 276 4 2 30 2020-04-09 19:10:10 UTC+0000
0xfffffa80039fc870:explorer.exe 1284 1232 30 742 2020-04-09 19:10:18 UTC+0000
. 0xfffffa8003c903e0:vm3dservice.ex 1560 1284 2 46 2020-04-09 19:10:18 UTC+0000
. 0xfffffa8003c9cb30:iexplore.exe 1596 1284 18 709 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa8003866920:iexplore.exe 1592 1596 17 581 2020-04-09 19:10:19 UTC+0000
.. 0xfffffa80017a9060:iexplore.exe 3276 1596 12 377 2020-04-09 19:15:16 UTC+0000
.. 0xfffffa8004007540:iexplore.exe 1760 1596 21 677 2020-04-09 19:12:25 UTC+0000
. 0xfffffa8003c9e910:vmtoolsd.exe 1572 1284 8 154 2020-04-09 19:10:18 UTC+0000
0xfffffa8006278590:csrss.exe 432 420 11 456 2020-04-09 19:10:16 UTC+0000
0xfffffa80079ad5b0:winlogon.exe 484 420 3 112 2020-04-09 19:10:16 UTC+0000
0xfffffa8001753680:thunderbird.ex 424 1380 64 944 2020-04-09 19:14:33 UTC+0000
. 0xfffffa800163a660:helper.exe 2940 424 0 ------ 2020-04-09 19:26:43 UTC+0000
The ones that stand out are tor, ie, thunderbird and helper.
Thunderbird first.
Thunderbird is a mail client, so to see what it was doing, dump its memory along with the suspicious-looking helper:
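The triage above (which children of which parents look out of place) can be scripted. The following is an added Python example, not part of the original writeup: it parses Volatility 2 pstree output such as the listing above (a subset of those rows is embedded as a constructed sample), rebuilds parent/child links from the Pid and PPid columns, and flags two things a reviewer looks for: a non-browser, non-mail process spawned by a browser or mail client, and a process with zero threads and a blank handle column, which is an exited process whose EPROCESS is still linked. The list of client-application name prefixes is an assumption for the example.

```python
import re

# Constructed sample: rows copied from the pstree listing above, whitespace collapsed.
SAMPLE_PSTREE = """\
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa800418b060:firefox.exe 2228 3204 49 749 2020-04-09 19:23:42 UTC+0000
. 0xfffffa8003860060:tor.exe 3668 2228 5 71 2020-04-09 19:23:44 UTC+0000
. 0xfffffa8002f9f240:firefox.exe 3992 2228 22 301 2020-04-09 19:25:02 UTC+0000
0xfffffa8003475b30:wininit.exe 412 332 3 76 2020-04-09 19:10:16 UTC+0000
. 0xfffffa8002919530:services.exe 520 412 6 204 2020-04-09 19:10:16 UTC+0000
.. 0xfffffa8003799910:svchost.exe 644 520 12 372 2020-04-09 19:10:17 UTC+0000
0xfffffa80039fc870:explorer.exe 1284 1232 30 742 2020-04-09 19:10:18 UTC+0000
. 0xfffffa8003c9cb30:iexplore.exe 1596 1284 18 709 2020-04-09 19:10:18 UTC+0000
.. 0xfffffa8003866920:iexplore.exe 1592 1596 17 581 2020-04-09 19:10:19 UTC+0000
0xfffffa8001753680:thunderbird.ex 424 1380 64 944 2020-04-09 19:14:33 UTC+0000
. 0xfffffa800163a660:helper.exe 2940 424 0 ------ 2020-04-09 19:26:43 UTC+0000
"""

# One pstree row: optional depth dots, EPROCESS offset, name, pid, ppid, threads,
# handles (digits, or dashes when the process has exited), then the create time.
ROW = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<time>.+?)\s*$"
)

# Assumed list of user-facing clients that normally should not spawn arbitrary children.
CLIENT_PREFIXES = ("firefox", "iexplore", "thunderbird", "outlook", "winword", "excel")


def parse_pstree(text):
    """Turn pstree text into a list of process dicts; header and separator rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        procs.append({
            "name": m["name"],
            "pid": int(m["pid"]),
            "ppid": int(m["ppid"]),
            "thds": int(m["thds"]),
            "hnds": None if m["hnds"].startswith("-") else int(m["hnds"]),
            "time": m["time"],
        })
    return procs


def is_client(name):
    """True when the (possibly truncated) image name belongs to a browser or mail client."""
    return name.lower().startswith(CLIENT_PREFIXES)


def triage(text):
    """Return the processes worth a closer look, each with the reasons it was flagged."""
    procs = parse_pstree(text)
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        reasons = []
        parent = by_pid.get(p["ppid"])
        # A browser or mail client launching something that is not itself a client.
        if parent and is_client(parent["name"]) and not is_client(p["name"]):
            reasons.append(f"spawned by {parent['name']} (pid {parent['pid']})")
        # Zero threads: the process has exited but its EPROCESS is still in the list.
        if p["thds"] == 0:
            reasons.append("zero threads: process has exited but its EPROCESS is still linked")
        if reasons:
            findings.append({"name": p["name"], "pid": p["pid"],
                             "ppid": p["ppid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PSTREE):
        print(f"{f['name']} (pid {f['pid']}, ppid {f['ppid']}): " + "; ".join(f["reasons"]))
```

On the sample this reports tor.exe under firefox.exe and helper.exe under thunderbird.ex, the latter with both reasons, which is the same short list the writeup arrives at by eye.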
# python vol.py -f jarred3.vmem --profile=Win7SP1x64 memdump -p 424 -D ./
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing thunderbird.ex [ 424] to 424.dmp
# python vol.py -f jarred3.vmem --profile=Win7SP1x64 memdump -p 2940 -D ./
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing helper.exe [ 2940] to 2940.dmp
Search the memory dump for the mail.
Carve the message out, attachment included, and save it as an .eml file.
Unzipping the attachment gives a docx document, and that looks like VBA, doesn't it?
Use oletools: https://www.decalage.info/python/oletools
Running olevba on it:
# olevba LovinInvoice.zip
olevba 0.55.1 on Python 2.7.12 - http://decalage.info/python/oletools
===============================================================================
FILE: LovinInvoice.zip
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Const qeletzpyif = 2
Const jlouvjnmew = 1
Const hgsajszpkq = 0
Private Function jhihworeroqddxunrzx(eatnjvyp As String, snhnkbvor As Long) As String
Dim Tbl, vencfvgarczvufa As String, strTemp, lxpauxezygfacat As String, pwipsogiznsqxl As Long, hykiqmgwmibgmow As Byte
Const cvemyhmtgqsvwbnyzzha As String = "ABCDEFGHIJKLMNOPQRSTUVW" & "XYZ"
Const gqbrepcojoj As Byte = 26
Const wbuccvajxcjjha As Byte = 65 - 1
Const eazcwbvbjqofiqfia As Byte = 97 - 1
strTemp = eatnjvyp
If snhnkbvor < gqbrepcojoj And lngNumber > gqbrepcojoj * -1 Then
vencfvgarczvufa = cvemyhmtgqsvwbnyzzha & cvemyhmtgqsvwbnyzzha & cvemyhmtgqsvwbnyzzha & cvemyhmtgqsvwbnyzzha
Tbl = vencfvgarczvufa
For pwipsogiznsqxl = 1 To Len(strTemp)
If Mid(strTemp, pwipsogiznsqxl, jlouvjnmew) Like xitrlsvziikd("5b612d7a412d") & xitrlsvziikd("5a5d") Then
hykiqmgwmibgmow = Asc(Mid(strTemp, pwipsogiznsqxl, jlouvjnmew))
If Mid(strTemp, pwipsogiznsqxl, jlouvjnmew) = Mid(Tbl, hykiqmgwmibgmow - wbuccvajxcjjha, jlouvjnmew) Then
lxpauxezygfacat = lxpauxezygfacat & Mid(Tbl, hykiqmgwmibgmow - wbuccvajxcjjha + snhnkbvor, jlouvjnmew)
Else
lxpauxezygfacat = lxpauxezygfacat & LCase(Mid(Tbl, hykiqmgwmibgmow - eazcwbvbjqofiqfia + snhnkbvor, jlouvjnmew))
End If
Else
lxpauxezygfacat = lxpauxezygfacat & Mid(strTemp, pwipsogiznsqxl, jlouvjnmew)
End If
Next pwipsogiznsqxl
End If
jhihworeroqddxunrzx = lxpauxezygfacat
End Function
Private Sub bhzktzyjlmcapyvxl()
Dim dcdpcwemxccxonyfp As String
Dim mchyjruygvs As String
Dim ledflensmpxsfkn As String
Dim xynalbyflz As Integer
dcdpcwemxccxonyfp = xitrlsvziikd("206f68") & xitrlsvziikd("6365206b2f20646d63")
mchyjruygvs = xitrlsvziikd("7d2121216c6a336870335f3575316b66334a30785f714a306533655f345f4a6d7b2d") & xitrlsvziikd("584c5556454d")
mchyjruygvs = jhihworeroqddxunrzx(mchyjruygvs, 5)
xynalbyflz = Len(dcdpcwemxccxonyfp)
ledflensmpxsfkn = ""
For pos = xynalbyflz To 1 Step -1
Next_Char = Mid(dcdpcwemxccxonyfp, pos, jlouvjnmew)
ledflensmpxsfkn = ledflensmpxsfkn & Next_Char
Next pos
ledflensmpxsfkn = ledflensmpxsfkn & mchyjruygvs
retVal = Shell(ledflensmpxsfkn, hgsajszpkq)
End Sub
Sub Workbook_Open()
bhzktzyjlmcapyvxl
End Sub
Sub AutoOpen()
bhzktzyjlmcapyvxl
End Sub
Private Function xitrlsvziikd(ByVal ppxscssdlsvg As String) As String
Dim pwfoigdypupp As Long
For pwfoigdypupp = 1 To Len(ppxscssdlsvg) Step 2
xitrlsvziikd = xitrlsvziikd & Chr$(Val("&H" & Mid$(ppxscssdlsvg, pwfoigdypupp, 2)))
Next pwfoigdypupp
End Function
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|AutoExec |Workbook_Open |Runs when the Excel Workbook is opened |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Hex String|[a-zA- |5b612d7a412d |
|Hex String|ce k/ dmc |6365206b2f20646d63 |
|Hex String|}!!!lj3hp3_5u1kf3J0x|7d2121216c6a336870335f3575316b66334a30785f714|
| |_qJ0e3e_4_Jm{- |a306533655f345f4a6d7b2d |
|Hex String|XLUVEM |584c5556454d |
+----------+--------------------+---------------------------------------------+
Tidied up so it is easier to read:
Private Function jhihworeroqddxunrzx(eatnjvyp As String, snhnkbvor As Long) As String
Dim Tbl, vencfvgarczvufa As String, strTemp, result As String, i As Long, hykiqmgwmibgmow As Byte
Const alpha As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
strTemp = eatnjvyp
If snhnkbvor < 26 And lngNumber > 26 * -1 Then
Tbl = alpha & alpha & alpha & alpha
For i = 1 To Len(strTemp)
If Mid(strTemp, i, 1) Like xitrlsvziikd("5b612d7a412d") & xitrlsvziikd("5a5d") Then
hykiqmgwmibgmow = Asc(Mid(strTemp, i, 1))
If Mid(strTemp, i, 1) = Mid(Tbl, hykiqmgwmibgmow - 64, 1) Then
result = result & Mid(Tbl, hykiqmgwmibgmow - 64 + snhnkbvor, 1)
Else
result = result & LCase(Mid(Tbl, hykiqmgwmibgmow - 96 + snhnkbvor, 1))
End If
Else
result = result & Mid(strTemp, i, 1)
End If
Next i
End If
jhihworeroqddxunrzx = result
End Function
Private Sub bhzktzyjlmcapyvxl()
Dim dcdpcwemxccxonyfp As String
Dim mchyjruygvs As String
Dim ledflensmpxsfkn As String
Dim xynalbyflz As Integer
dcdpcwemxccxonyfp = xitrlsvziikd("206f68") & xitrlsvziikd("6365206b2f20646d63")
mchyjruygvs = xitrlsvziikd("7d2121216c6a336870335f3575316b66334a30785f714a306533655f345f4a6d7b2d") & xitrlsvziikd("584c5556454d")
mchyjruygvs = jhihworeroqddxunrzx(mchyjruygvs, 5)
xynalbyflz = Len(dcdpcwemxccxonyfp)
ledflensmpxsfkn = ""
For pos = xynalbyflz To 1 Step -1
Next_Char = Mid(dcdpcwemxccxonyfp, pos, 1)
ledflensmpxsfkn = ledflensmpxsfkn & Next_Char
Next pos
ledflensmpxsfkn = ledflensmpxsfkn & mchyjruygvs
retVal = Shell(ledflensmpxsfkn, 0)
End Sub
Sub Workbook_Open()
bhzktzyjlmcapyvxl
End Sub
Sub AutoOpen()
bhzktzyjlmcapyvxl
End Sub
Private Function xitrlsvziikd(ByVal ppxscssdlsvg As String) As String
Dim pwfoigdypupp As Long
For pwfoigdypupp = 1 To Len(ppxscssdlsvg) Step 2
xitrlsvziikd = xitrlsvziikd & Chr$(Val("&H" & Mid$(ppxscssdlsvg, pwfoigdypupp, 2)))
Next pwfoigdypupp
End Function
The first function is probably the one that produces the flag.
The second is the one that calls Shell after AutoOpen.
The last one, xi~, looks like a string-handling function.
There is something odd, though.
In the first function, lngNumber is not defined anywhere.
Even so,
}!!!lj3hp3_5u1kf3J0x_qJ0e3e_4_Jm{ looks very much like a flag that has been through the first function.
The 26 and the A-Z in the function bothered me, so I tried a few things, and
it turned out to be a Caesar cipher.
Reversing the string and applying the algorithm gives:
{uR_4_m3m0Ry_f0R3ns1c5_3xp3rt!!!}
UMDCTF-{uR_4_m3m0Ry_f0R3ns1c5_3xp3rt!!!}
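The same deobfuscation as an added Python example (not the macro's code and not the writeup author's): it re-implements the three macro primitives from the olevba listing, the hex decoder xitrlsvziikd, the Caesar routine jhihworeroqddxunrzx and the reverse-and-concatenate logic of bhzktzyjlmcapyvxl, rebuilds the string the macro would hand to Shell() without running anything, and then brute-forces all 26 shifts on the reversed payload, matching on the UMDCTF prefix of the flag above. The hex literals are copied from the listing; the Python function names are mine. The Caesar routine is written for shifts 0..25, which is what the brute force needs; the macro's own range check also admits negative shifts, which this version rejects.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Hex literals exactly as they appear in the macro (see the olevba listing).
PREFIX_HEX = ("206f68", "6365206b2f20646d63")
PAYLOAD_HEX = (
    "7d2121216c6a336870335f3575316b66334a30785f714a306533655f345f4a6d7b2d",
    "584c5556454d",
)


def hex_decode(s: str) -> str:
    """xitrlsvziikd: every pair of hex digits becomes one character, Chr$(Val("&H" & pair))."""
    return bytes.fromhex(s).decode("latin-1")


def caesar(text: str, shift: int) -> str:
    """jhihworeroqddxunrzx: shift letters through a four-times repeated alphabet table,
    preserving case and leaving non-letters untouched. VBA's Mid() is 1-based;
    0-based indexing below selects the same character."""
    if not 0 <= shift < 26:
        raise ValueError("shift must be in 0..25")
    tbl = ALPHA * 4  # Tbl = alpha & alpha & alpha & alpha
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(tbl[ord(ch) - 65 + shift])          # Mid(Tbl, Asc - 64 + shift, 1)
        elif "a" <= ch <= "z":
            out.append(tbl[ord(ch) - 97 + shift].lower())  # LCase(Mid(Tbl, Asc - 96 + shift, 1))
        else:
            out.append(ch)
    return "".join(out)


def macro_payload() -> str:
    """The concatenated string the macro feeds to the Caesar routine."""
    return "".join(hex_decode(h) for h in PAYLOAD_HEX)


def macro_shell_command() -> str:
    """What bhzktzyjlmcapyvxl assembles for Shell(): the character-reversed prefix
    followed by caesar(payload, 5). Returned as a string, never executed."""
    prefix = "".join(hex_decode(h) for h in PREFIX_HEX)
    return prefix[::-1] + caesar(macro_payload(), 5)


def brute_force_reversed(payload: str, expected_prefix: str = "UMDCTF"):
    """Reverse the payload as the writeup does, try every shift, and return the
    (shift, text) pair whose output starts with the flag prefix, or None."""
    reversed_payload = payload[::-1]
    for shift in range(26):
        candidate = caesar(reversed_payload, shift)
        if candidate.startswith(expected_prefix):
            return shift, candidate
    return None


if __name__ == "__main__":
    print("macro would run:", macro_shell_command())
    for shift in range(26):
        print(f"shift {shift:2d}: {caesar(macro_payload()[::-1], shift)}")
    print("match:", brute_force_reversed(macro_payload()))
```

Two details worth noticing when running it: the decoded payload ends in "{-" and the second literal is "XLUVEM", so the reversed string already carries the flag's "UMDCTF-" once the right shift is found, and that shift is 8, not the 5 the macro itself applies. The prefix reverses to "cmd /k echo ", so the only thing the macro would have done at run time is echo a shifted string.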