문제를 요청한 Kenji Aiko님께 감사 드리며, 출제한 문제에 대한 풀이집을 올립니다.
(Forensic 100)
/////////////////////////////////////////////////////////////////////////////////////////////////////////
Forensic 100 - writeup
Date. 2016. 11. 07.
Written by crattack
|
Question.
컴퓨터를 사용하다가 컴퓨터가 느려지는 현상이 발견되어, 원인을 파악해 보니 특정 파일에서 지속적으로 인터넷을 연결하는 현상이 감지 되었다. 해당 사이트에 접근해보니 특정 문구가 존재하였다. 해당 사이트에 접근하여 특정 문구인 flag를 획득하시오.
コンピューターを使用しながらパソコンが遅くなる現象が発見され、原因を把握してみると、特定ファイルで持続的にインターネットを連結する現象が感知された。 当該サイトへアクセスしてみると、特定のフレーズが存在した。 当該サイトへアクセスして特定のフレーズであるflagを獲得しなさい。 |
Write up.
1. 이미지의 정보를 확인 / イメージの情報を確認
(※ http://downloads.volatilityfoundation.org/releases/2.4/volatility_2.4.win.standalone.zip)
C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" imageinfo
|
Volatility Foundation Volatility Framework 2.4 *** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara) Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86) AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (C:\Forensic_100\forensic_100.raw) PAE type : PAE DTB : 0x34c000L KDBG : 0x80545ce0L Number of Processors : 1 Image Type (Service Pack) : 3 KPCR for CPU 0 : 0xffdff000L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2016-10-31 05:45:14 UTC+0000 Image local date and time : 2016-10-31 14:45:14 +0900 |
2. DLL 리스트를 활용하여, 이상 프로세스 확인 / DLLリストを活用して、異常プロセス確認
C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" dlllist > C:\Forensic_100\dlllist.txt
|
*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara) ************************************************************************ System pid: 4 Unable to read PEB for task. ************************************************************************ smss.exe pid: 540 Unable to read PEB for task. ************************************************************************ csrss.exe pid: 604 Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 Service Pack 3
Base Size LoadCount Path ---------- ---------- ---------- ---- 0x4a680000 0x5000 0xffff \??\C:\WINDOWS\system32\csrss.exe 0x7c900000 0xb2000 0xffff C:\WINDOWS\system32\ntdll.dll 0x75b40000 0xb000 0xffff C:\WINDOWS\system32\CSRSRV.dll 0x75b50000 0x10000 0x3 C:\WINDOWS\system32\basesrv.dll 0x75b60000 0x4b000 0x2 C:\WINDOWS\system32\winsrv.dll 0x77f10000 0x49000 0xa C:\WINDOWS\system32\GDI32.dll 0x7c800000 0xf6000 0x1f C:\WINDOWS\system32\KERNEL32.dll 0x7e410000 0x91000 0xa C:\WINDOWS\system32\USER32.dll 0x629c0000 0x9000 0x1 C:\WINDOWS\system32\LPK.DLL 0x74d90000 0x6b000 0x1 C:\WINDOWS\system32\USP10.dll 0x77dd0000 0x9b000 0xd C:\WINDOWS\system32\ADVAPI32.dll 0x77e70000 0x93000 0x7 C:\WINDOWS\system32\RPCRT4.dll 0x77fe0000 0x11000 0x5 C:\WINDOWS\system32\Secur32.dll 0x7e720000 0xb0000 0x1 C:\WINDOWS\system32\sxs.dll ************************************************************************ ………………………………………………
DumpIt.exe pid: 3784 Command line : "C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe" Service Pack 3
Base Size LoadCount Path ---------- ---------- ---------- ---- 0x00400000 0x35000 0xffff C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe 0x7c900000 0xb2000 0xffff C:\WINDOWS\system32\ntdll.dll 0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll 0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll 0x77e70000 0x93000 0xffff C:\WINDOWS\system32\RPCRT4.dll 0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll 0x77f60000 0x76000 0xffff C:\WINDOWS\system32\SHLWAPI.dll 0x77f10000 0x49000 0xffff C:\WINDOWS\system32\GDI32.dll 0x7e410000 0x91000 0xffff C:\WINDOWS\system32\USER32.dll 0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll 0x76390000 0x1d000 0x1 C:\WINDOWS\system32\IMM32.DLL 0x629c0000 0x9000 0x1 C:\WINDOWS\system32\LPK.DLL 0x74d90000 0x6b000 0x1 C:\WINDOWS\system32\USP10.dll ************************************************************************ svchost.exe pid: 1776 Command line : "C:\WINDOWS\svchost.exe" Service Pack 3
Base Size LoadCount Path ---------- ---------- ---------- ---- 0x00400000 0x9000 0xffff C:\WINDOWS\svchost.exe 0x7c900000 0xb2000 0xffff C:\WINDOWS\system32\ntdll.dll 0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll 0x10000000 0xa000 0xffff C:\WINDOWS\JDMBackgroundProcess.dll 0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll 0x77e70000 0x93000 0xffff C:\WINDOWS\system32\RPCRT4.dll 0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll 0x00350000 0x6d000 0xffff C:\WINDOWS\system32\MSVCP140.dll 0x003c0000 0x15000 0xffff C:\WINDOWS\system32\VCRUNTIME140.dll 0x003e0000 0x4000 0xffff C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll 0x00410000 0xd8000 0xffff C:\WINDOWS\system32\ucrtbase.dll 0x003f0000 0x3000 0xffff C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll 0x004f0000 0x3000 0xffff C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll ………………………….. ************************************************************************ …………………………. IEXPLORE.EXE pid: 2304 Command line : "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2496 CREDAT:79880 Service Pack 3 …………………………………………………… |
3. 의심 프로세스 덤프 후 분석 / 疑いプロセスダンプ後、分析
C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" procdump --pid=1776 -D c:\forensic_100\
|
Volatility Foundation Volatility Framework 2.4 *** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara) Process(V) ImageBase Name Result ---------- ---------- -------------------- ------ 0x81f65da0 0x00400000 svchost.exe OK: executable.1776.exe |
000000001B68 000000403368 0 C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
4. 접속 정보 확인 / 接続情報確認
도메인 확인 / ドメイン確認
C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" connections > C:\Forensic_100\connections.txt
|
*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara) Offset(V) Local Address Remote Address Pid ---------- ------------------------- ------------------------- --- 0x8213bbe8 192.168.88.131:1034 153.127.200.178:80 1080 |
Connection 정보와 일치하지 않으므로 도메인 관련 변조가 있을 것으로 추정 / Connection情報と一致しないのでドメイン関連変造があると推定
5. Hosts 파일 덤프 하기 위해 주소 확인 / Hostsファイルダンプするため住所確認
C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" filescan > c:\forensic_100\filescan.txt
|
*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara) Offset(V) Local Address Remote Address Pid ---------- ------------------------- ------------------------- --- 0x8213bbe8 192.168.88.131:1034 153.127.200.178:80 1080 |
Connection 정보와 일치하지 않으므로 도메인 관련 변조가 있을 것으로 추정 / Connection情報と一致しないのでドメイン関連変造があると推定
|
*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara) Offset(P) #Ptr #Hnd Access Name ------------------ ------ ------ ------ ---- 0x0000000001734038 3 0 RWD--- \Device\HarddiskVolume1\$Directory 0x000000000174a270 3 0 RWD--- \Device\HarddiskVolume1\$Directory 0x0000000001756cf8 1 0 R--r-d \Device\HarddiskVolume1?????? ? 0x00000000017634f0 1 0 -W---- \Device\HarddiskVolume1?????????????? 0x0000000001763c60 1 0 R--r-d \Device\HarddiskVolume1? 0x0000000001794b18 3 0 RWD--- \Device\HarddiskVolume1\$Directory ......................................... 0x00000000020f0268 1 0 R--rw- \Device\HarddiskVolume1\WINDOWS\svchost.exe 0x00000000020f0a90 2 1 ------ \Device\NamedPipe\PCHHangRepExecPipe 0x00000000020f3888 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt 0x00000000020f4f90 1 1 ------ \Device\NamedPipe\net\NtControlPipe8 0x00000000020f5028 2 1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\041e 0x00000000020f50d0 2 1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0425 0x00000000020f5e38 3 0 RWD--- \Device\HarddiskVolume1\$Directory 0x00000000020f5f90 3 0 RWD--- \Device\HarddiskVolume1\$Directory 0x00000000020f6108 2 1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\040C 0x00000000020f8658 3 0 RWD--- \Device\HarddiskVolume1\$ConvertToNonresident ............................. 0x000000000217b748 1 0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts ……………………… |
Hosts 파일의 메모리 주소를 활용하여 Dump / Hostsファイルのメモリアドレスを活用してDump
C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" dumpfiles -Q 0x217b748 --dump-dir=c:\forensic_100\
|
# Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost 153.127.200.178 crattack.tistory.com |
http://153.127.200.178/entry/Data-Science-import-pandas-as-pd
------------------------------------------------------
이상으로 write up을 마칩니다.
오랜만에 문제를 만드니까 즐거웠습니다. ( _ _ )
'Reverse > 분석 문서' 카테고리의 다른 글
| [chatGPT] QEMU (0) | 2023.03.09 |
|---|---|
| [CVE-2022-4510] binwalk 로컬 실행 취약점 (0) | 2023.02.01 |
| [Adware] 광고 조회 프로그램 (0) | 2016.06.23 |
| [WinDbg 따라하기 - 0x00A] crash 파일 분석 하기 (0) | 2014.03.13 |
| [WinDbg 따라하기 - 0x009] Interrupt 확인 하기 (0) | 2014.03.10 |