컴퓨터_보안_창과방패.7z.001

컴퓨터_보안_창과방패.7z.002

컴퓨터_보안_창과방패.7z.003



오랜만에 글을 올리게 되었습니다.

최근 강의 자료 공유 요청하는 메일을 종종 받고 있습니다.

따라서, 제 홈페이지에 공유 하도록 하겠습니다.


이한미디어 출판사와는 현재 연락이 되지 않아 

이렇게라도 제가 쓴 책에 대한 보답을 해야 할 것 같아 자료를 공유 합니다.


부족한 부분이 있다면 언제든 연락 주세요.


crattack@gmail.com


강의 자료이기 때문에 개인에게 공유를 드리긴 어려울 것 같습니다.

강의 하시는 분의 학교 계정 메일로 성함과 과목을 함께 기입하셔서 저에게 메일을 주시면 

비밀번호를 공유 드리겠습니다.


책을 구매해주셔서 다시 한번 감사드립니다.

더 좋은 책으로 찾아 뵙도록 노력 하겠습니다.

( _ _ )

'Reverse > SystemDoc' 카테고리의 다른 글

[강의자료] 컴퓨터 보안 창과 방패  (0) 2018.01.25
[HowTo] Windows Testing Mode  (0) 2014.02.04
Windows Veriosn Check  (0) 2014.02.03
Key Log List  (0) 2012.08.07
Windows7 64bit Paros 설치  (1) 2012.01.31
Windows 7 Driver Test 방법  (0) 2012.01.18

문제를 요청한 Kenji Aiko님께 감사 드리며, 출제한 문제에 대한 풀이집을 올립니다.

(Forensic 100)


/////////////////////////////////////////////////////////////////////////////////////////////////////////

 

 

Forensic 100 - writeup

Date. 2016. 11. 07.

Written by crattack

 

 

 

Question.

 

컴퓨터를 사용하다가 컴퓨터가 느려지는 현상이 발견되어, 원인을 파악해 보니 특정 파일에서 지속적으로 인터넷을 연결하는 현상이 감지 되었다. 해당 사이트에 접근해보니 특정 문구가 존재하였다.

해당 사이트에 접근하여 특정 문구인 flag를 획득하시오.

 

コンピュ使用しながらパソコンがくなる現象発見され、原因把握してみると、特定ファイルで続的にインタネットを連結する現象感知された。 当該サイトへアクセスしてみると、特定のフレズが存在した。

当該サイトへアクセスして特定のフレズであるflag獲得しなさい。



Write up.

 

1. 이미지의 정보를 확인 / イメジの情報確認

( http://downloads.volatilityfoundation.org/releases/2.4/volatility_2.4.win.standalone.zip)

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" imageinfo

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Determining profile based on KDBG search...

 

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)

                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)

                     AS Layer2 : FileAddressSpace (C:\Forensic_100\forensic_100.raw)

                      PAE type : PAE

                           DTB : 0x34c000L

                          KDBG : 0x80545ce0L

          Number of Processors : 1

     Image Type (Service Pack) : 3

                KPCR for CPU 0 : 0xffdff000L

             KUSER_SHARED_DATA : 0xffdf0000L

           Image date and time : 2016-10-31 05:45:14 UTC+0000

     Image local date and time : 2016-10-31 14:45:14 +0900

 

2. DLL 리스트를 활용하여, 이상 프로세스 확인 / DLLリストを活用して、異常プロセス確認

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" dlllist > C:\Forensic_100\dlllist.txt

 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

************************************************************************

System pid:      4

Unable to read PEB for task.

************************************************************************

smss.exe pid:    540

Unable to read PEB for task.

************************************************************************

csrss.exe pid:    604

Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x4a680000     0x5000     0xffff \??\C:\WINDOWS\system32\csrss.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x75b40000     0xb000     0xffff C:\WINDOWS\system32\CSRSRV.dll

0x75b50000    0x10000        0x3 C:\WINDOWS\system32\basesrv.dll

0x75b60000    0x4b000        0x2 C:\WINDOWS\system32\winsrv.dll

0x77f10000    0x49000        0xa C:\WINDOWS\system32\GDI32.dll

0x7c800000    0xf6000       0x1f C:\WINDOWS\system32\KERNEL32.dll

0x7e410000    0x91000        0xa C:\WINDOWS\system32\USER32.dll

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

0x77dd0000    0x9b000        0xd C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000        0x7 C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000        0x5 C:\WINDOWS\system32\Secur32.dll

0x7e720000    0xb0000        0x1 C:\WINDOWS\system32\sxs.dll

************************************************************************

………………………………………………

 

DumpIt.exe pid:   3784

Command line : "C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000    0x35000     0xffff C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x77f60000    0x76000     0xffff C:\WINDOWS\system32\SHLWAPI.dll

0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll

0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll

0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll

0x76390000    0x1d000        0x1 C:\WINDOWS\system32\IMM32.DLL

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

************************************************************************

svchost.exe pid:    1776

Command line : "C:\WINDOWS\svchost.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000     0x9000     0xffff C:\WINDOWS\svchost.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x10000000     0xa000     0xffff C:\WINDOWS\JDMBackgroundProcess.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x00350000    0x6d000     0xffff C:\WINDOWS\system32\MSVCP140.dll

0x003c0000    0x15000     0xffff C:\WINDOWS\system32\VCRUNTIME140.dll

0x003e0000     0x4000     0xffff C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll

0x00410000    0xd8000     0xffff C:\WINDOWS\system32\ucrtbase.dll

0x003f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll

0x004f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll

…………………………..

************************************************************************

………………………….

IEXPLORE.EXE pid:   2304

Command line : "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2496 CREDAT:79880

Service Pack 3

……………………………………………………

 

 

3. 의심 프로세스 덤프 후 분석 / いプロセスダンプ分析

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" procdump --pid=1776 -D c:\forensic_100\

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Process(V) ImageBase  Name                 Result

---------- ---------- -------------------- ------

0x81f65da0 0x00400000 svchost.exe          OK: executable.1776.exe

 

 



000000001B68   000000403368      0   C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd


 

4. 접속 정보 확인 / 続情報確認

 

도메인 확인 / ドメイン確認

 




C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" connections > C:\Forensic_100\connections.txt


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(V)  Local Address             Remote Address            Pid

---------- ------------------------- ------------------------- ---

0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080

 

Connection 정보와 일치하지 않으므로 도메인 관련 변조가 있을 것으로 추정 / Connection情報一致しないのでドメイン関連変造があると推定

 

5. Hosts 파일 덤프 하기 위해 주소 확인 / Hostsファイルダンプするため住所確認

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" filescan > c:\forensic_100\filescan.txt


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(V)  Local Address             Remote Address            Pid

---------- ------------------------- ------------------------- ---

0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080

 

Connection 정보와 일치하지 않으므로 도메인 관련 변조가 있을 것으로 추정 / Connection情報一致しないのでドメイン関連変造があると推定


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(P)            #Ptr   #Hnd Access Name

------------------ ------ ------ ------ ----

0x0000000001734038      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x000000000174a270      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x0000000001756cf8      1      0 R--r-d \Device\HarddiskVolume1??????


?

0x00000000017634f0      1      0 -W---- \Device\HarddiskVolume1??????????????

0x0000000001763c60      1      0 R--r-d \Device\HarddiskVolume1?

0x0000000001794b18      3      0 RWD--- \Device\HarddiskVolume1\$Directory

.........................................

0x00000000020f0268      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\svchost.exe

0x00000000020f0a90      2      1 ------ \Device\NamedPipe\PCHHangRepExecPipe

0x00000000020f3888      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt

0x00000000020f4f90      1      1 ------ \Device\NamedPipe\net\NtControlPipe8

0x00000000020f5028      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\041e

0x00000000020f50d0      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0425

0x00000000020f5e38      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f5f90      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f6108      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\040C

0x00000000020f8658      3      0 RWD--- \Device\HarddiskVolume1\$ConvertToNonresident

.............................

0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

………………………

 

Hosts 파일의 메모리 주소를 활용하여 Dump / Hostsファイルのメモリアドレスを活用してDump

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" dumpfiles -Q 0x217b748 --dump-dir=c:\forensic_100\

 

# Copyright (c) 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host

 

127.0.0.1       localhost

153.127.200.178    crattack.tistory.com

 

http://153.127.200.178/entry/Data-Science-import-pandas-as-pd



------------------------------------------------------

이상으로 write up을 마칩니다.

오랜만에 문제를 만드니까 즐거웠습니다. ( _ _ )


1. Threshold 간단하게 표현 하자.



많은 데이터 중에서 특정 값 이상인 데이터 수를 확인 하기 위해서는 다음과 같이 interact 라이브러리를 활용하여

threshold bar로 표현 할 수 있다.



from ipywidgets import interact


@interact

def show_nrows(distance_threshold=(0, 200)):

    return len(data.loc[data.trip_distance > distance_threshold]) 




위 그림과 같이 69보다 큰 데이터가 11개 존재하는 것을 interact 라이브러리로 표현 할 수 있다.


2. Anaconda Package 설치 하기



conda install [package name] -q -y 


[실행결과]


C:\Users\crattack>conda install seaborn -q -y

Using Anaconda Cloud api site https://api.anaconda.org

Fetching package metadata: ....

Solving package specifications: .........


Package plan for installation in environment C:\Anaconda2:


The following packages will be downloaded:


    package                    |            build

    ---------------------------|-----------------

    conda-env-2.6.0            |                0          498 B

    python-2.7.12              |                0        23.5 MB

    ruamel_yaml-0.11.14        |           py27_0         212 KB

    conda-4.2.12               |           py27_0         454 KB

    seaborn-0.7.1              |           py27_0         272 KB

    ------------------------------------------------------------

                                           Total:        24.4 MB


The following NEW packages will be INSTALLED:


    ruamel_yaml: 0.11.14-py27_0

    seaborn:     0.7.1-py27_0


The following packages will be UPDATED:


    conda:       4.0.5-py27_0 --> 4.2.12-py27_0

    conda-env:   2.4.5-py27_0 --> 2.6.0-0

    python:      2.7.11-4     --> 2.7.12-0