LoginSignup
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

@housu_jp

MemLabs Lab2 で Volatility3 を勉強した

Last updated at Posted at 2021-11-20

Volatility3 を勉強した記録
題材 stuxnet999/MemLabs

問題配付サイト

プロセス列挙

2664	2632	explorer.exe	0xfa8001189b30	19	632	2	False	2019-12-14 10:36:29.000000 	N/A
* 2792	2664	VBoxTray.exe	0xfa8001189b30	12	139	2	False	2019-12-14 10:36:30.000000 	N/A
* 2096	2664	cmd.exe	0xfa8001189b30	1	19	2	False	2019-12-14 10:36:35.000000 	N/A
* 2296	2664	chrome.exe	0xfa8001189b30	27	658	2	False	2019-12-14 10:36:45.000000 	N/A
** 2304	2296	chrome.exe	0xfa8001189b30	8	71	2	False	2019-12-14 10:36:45.000000 	N/A
** 1632	2296	chrome.exe	0xfa8001189b30	14	219	2	False	2019-12-14 10:37:12.000000 	N/A
** 2476	2296	chrome.exe	0xfa8001189b30	2	55	2	False	2019-12-14 10:36:46.000000 	N/A
** 2572	2296	chrome.exe	0xfa8001189b30	8	177	2	False	2019-12-14 10:36:56.000000 	N/A
** 2964	2296	chrome.exe	0xfa8001189b30	13	295	2	False	2019-12-14 10:36:47.000000 	N/A
3260	3180	notepad.exe	0xfa8001189b30	1	61	1	False	2019-12-14 10:38:20.000000 	N/A

chromeが気になる

ファイル「History」をダンプする

# python3 vol.py -f MemoryDump_Lab2.raw windows.filescan | grep -i history

0x3ec63a70 100.0\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	216
0x3fa0fb60	\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	216
0x3fa27920	\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\History\desktop.ini	216
0x3fa3e430	\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History-journal	216
0x3fa6e660	\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019121420191215\index.dat	216
0x3fb249a0	\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	216
0x3fb28380	\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	216
0x3fcfb1d0	\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History	216
0x3fd4a670	\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History-journal	216
0x3fd967e0	\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin	216
0x3fdae3b0	\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019121420191215\index.dat	216

下から4つめ

python3 vol.py -f MemoryDump_Lab2.raw windows.dumpfiles --physaddr 0x3fcfb1d0

Sqlite

sqlite3 file.0x3fcfb1d0.0xfa8000efd1d0.DataSectionObject.History.dat

sqlite> SELECT datetime((visits.visit_time/1000000)-11644473600,'unixepoch','localtime') as 'date', urls.url as 'url', urls.title as 'title', urls.visit_count as 'count' FROM visits,urls WHERE urls.id = visits.url;
2019-12-14 18:16:05|https://chrome.google.com/webstore?hl=en|Chrome Web Store - Extensions|1
2019-12-14 18:16:08|https://chrome.google.com/webstore/category/extensions?hl=en|Chrome Web Store - Extensions|1
2019-12-14 18:16:12|https://www.google.com/|Google|2
2019-12-14 18:16:14|https://www.google.com/|Google|2
2019-12-14 18:16:18|http://bing.com/|Bing|1
2019-12-14 18:16:18|https://bing.com/|Bing|1
2019-12-14 18:16:18|https://www.bing.com/?toWww=1&redig=2BBD701F84AA44D2A71D870534D085AE|Bing|1
2019-12-14 18:16:32|https://www.facebook.com/|Facebook – log in or sign up|3
2019-12-14 18:16:47|https://www.facebook.com/|Facebook – log in or sign up|3
2019-12-14 18:27:31|http://volatilevirus.home.blog/|Abhiram's Blog – Dying Is The Day Worth Living For!!|1
2019-12-14 18:27:31|https://volatilevirus.home.blog/|Abhiram's Blog – Dying Is The Day Worth Living For!!|1
2019-12-14 18:29:17|http://r3xnation.wordpress.com/|R3xNation – Free Flowing passions|1
2019-12-14 18:29:17|https://r3xnation.wordpress.com/|R3xNation – Free Flowing passions|1
2019-12-14 18:29:33|http://ashutosh1206.github.io/|Home | Ashutosh|1
2019-12-14 18:29:33|https://ashutosh1206.github.io/|Home | Ashutosh|1
2019-12-14 18:29:37|https://www.onlinesbi.com/|State Bank of India|1
2019-12-14 18:30:08|https://www.india.com/|Latest India News, Breaking News, Entertainment News | India.com News|1
2019-12-14 18:30:43|https://ashutosh1206.github.io/writeups/|Writeups | Ashutosh|1
2019-12-14 18:30:46|https://volatilevirus.home.blog/blog-posts/|Blog Posts – Abhiram's Blog|1
2019-12-14 18:30:55|http://bbc.com/|BBC - Homepage|1
2019-12-14 18:30:55|https://bbc.com/|BBC - Homepage|1
2019-12-14 18:30:55|https://www.bbc.com/|BBC - Homepage|1
2019-12-14 18:31:35|https://www.bbc.com/sport/football/50780855|Jurgen Klopp signs new Liverpool deal until 2024 - BBC Sport|1
2019-12-14 18:32:52|https://www.google.com/|Google|2
2019-12-14 18:32:53|https://chrome.google.com/webstore/category/extensions?hl=en|Chrome Web Store - Extensions|1
2019-12-14 18:33:00|https://www.bing.com/?toWww=1&redig=2BBD701F84AA44D2A71D870534D085AE|Bing|1
2019-12-14 18:33:05|https://www.facebook.com/|Facebook – log in or sign up|3
2019-12-14 18:33:12|https://www.facebook.com/common/referer_frame.php||1
2019-12-14 18:33:15|https://www.facebook.com/|Facebook – log in or sign up|3
2019-12-14 18:33:25|http://yahoo.in/|Yahoo India | News, Finance, Cricket, Lifestyle and Entertainment|1
2019-12-14 18:33:25|http://in.yahoo.com/|Yahoo India | News, Finance, Cricket, Lifestyle and Entertainment|1
2019-12-14 18:33:25|https://in.yahoo.com/|Yahoo India | News, Finance, Cricket, Lifestyle and Entertainment|2
2019-12-14 18:33:32|https://in.yahoo.com/|Yahoo India | News, Finance, Cricket, Lifestyle and Entertainment|2
2019-12-14 18:33:53|https://www.youtube.com/|YouTube|1
2019-12-14 18:38:17|https://r3xnation.wordpress.com/about/|About – R3xNation|1
2019-12-14 18:41:52|http://blog.bi0s.in/|bi0s|1
2019-12-14 18:41:52|https://blog.bi0s.in/|bi0s|1
2019-12-14 19:04:59|https://www.youtube.com/|YouTube|1
2019-12-14 19:07:31|https://r3xnation.wordpress.com/about/|About – R3xNation|1
2019-12-14 19:07:32|https://ashutosh1206.github.io/writeups/|Writeups | Ashutosh|1
2019-12-14 19:07:35|https://volatilevirus.home.blog/blog-posts/|Blog Posts – Abhiram's Blog|1
2019-12-14 19:18:09|http://ndtv.com/|NDTV: Latest News, India News, Breaking News, Business, Bollywood, Cricket, Videos & Photos|1
2019-12-14 19:18:09|https://www.ndtv.com/|NDTV: Latest News, India News, Breaking News, Business, Bollywood, Cricket, Videos & Photos|1
2019-12-14 19:18:12|https://blog.bi0s.in/|bi0s|1
2019-12-14 19:21:38|https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg|MEGA|2
2019-12-14 19:21:39|https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg|MEGA|2
2019-12-14 19:37:11|http://bi0s.in/|Amrita Bios|1
2019-12-14 19:37:11|https://bi0s.in/|Amrita Bios|1

下から3行目にアクセス
https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg

image.png

ネットからファイルが取れた!

が,パスワードがかかってるw

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?