cmdscan and consoles are gone from Volatility 3.
That said, even with Volatility 2, memory from Windows 10 does not show the result of the type command the way Windows 7 memory did.
With the end of Windows 7, Volatility 2 should be finishing its role as well.
We are in a transitional period right now, but I took on WaniCTF 2020 ALLIGATOR_02 with Volatility 3, which will presumably replace Volatility 2 from here on.
First, the obligatory pslist.
$ python3 vol.py -f ALLIGATOR.raw windows.pslist
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x83d3ac58 82 541 N/A False 2020-10-26 19:00:20.000000 N/A Disabled
252 4 smss.exe 0x84429020 2 32 N/A False 2020-10-26 19:00:20.000000 N/A Disabled
328 320 csrss.exe 0x84a54ab0 9 411 0 False 2020-10-26 19:00:23.000000 N/A Disabled
364 320 wininit.exe 0x843da208 3 77 0 False 2020-10-26 19:00:23.000000 N/A Disabled
376 356 csrss.exe 0x84a66030 8 145 1 False 2020-10-26 19:00:23.000000 N/A Disabled
408 356 winlogon.exe 0x849c0220 3 110 1 False 2020-10-26 19:00:23.000000 N/A Disabled
460 364 services.exe 0x84a5c7a8 6 211 0 False 2020-10-26 19:00:23.000000 N/A Disabled
476 364 lsass.exe 0x84a89850 7 601 0 False 2020-10-26 19:00:23.000000 N/A Disabled
484 364 lsm.exe 0x84a5f250 10 170 0 False 2020-10-26 19:00:23.000000 N/A Disabled
596 460 svchost.exe 0x84aa58b8 9 354 0 False 2020-10-26 19:00:24.000000 N/A Disabled
660 460 VBoxService.ex 0x84abc030 12 116 0 False 2020-10-26 19:00:24.000000 N/A Disabled
712 460 svchost.exe 0x84ac6810 8 276 0 False 2020-10-26 03:00:25.000000 N/A Disabled
768 460 svchost.exe 0x84aded20 20 455 0 False 2020-10-26 03:00:25.000000 N/A Disabled
880 460 svchost.exe 0x84b11710 18 414 0 False 2020-10-26 03:00:25.000000 N/A Disabled
920 460 svchost.exe 0x84b22030 16 344 0 False 2020-10-26 03:00:25.000000 N/A Disabled
944 460 svchost.exe 0x84aa0448 34 962 0 False 2020-10-26 03:00:25.000000 N/A Disabled
1008 768 audiodg.exe 0x84b2fd20 6 122 0 False 2020-10-26 03:00:25.000000 N/A Disabled
1040 460 svchost.exe 0x84b35030 7 135 0 False 2020-10-26 03:00:25.000000 N/A Disabled
1164 460 svchost.exe 0x84c5a9d8 16 365 0 False 2020-10-26 03:00:26.000000 N/A Disabled
1300 460 spoolsv.exe 0x84c9e668 13 294 0 False 2020-10-26 03:00:26.000000 N/A Disabled
1340 460 svchost.exe 0x84cad2c8 18 309 0 False 2020-10-26 03:00:26.000000 N/A Disabled
1444 460 taskhost.exe 0x84ce78f0 8 163 1 False 2020-10-26 03:00:26.000000 N/A Disabled
1544 880 dwm.exe 0x84d05570 3 68 1 False 2020-10-26 03:00:26.000000 N/A Disabled
1564 1532 explorer.exe 0x84d12be0 18 644 1 False 2020-10-26 03:00:26.000000 N/A Disabled
1572 460 svchost.exe 0x84d14a80 10 144 0 False 2020-10-26 03:00:26.000000 N/A Disabled
1628 460 svchost.exe 0x84d3d798 12 216 0 False 2020-10-26 03:00:26.000000 N/A Disabled
1840 460 cygrunsrv.exe 0x84dbbd20 6 101 0 False 2020-10-26 03:00:27.000000 N/A Disabled
1880 1564 VBoxTray.exe 0x84dc8a38 12 142 1 False 2020-10-26 03:00:27.000000 N/A Disabled
2024 460 wlms.exe 0x84e024e8 4 46 0 False 2020-10-26 03:00:27.000000 N/A Disabled
1772 1840 cygrunsrv.exe 0x84dc8030 0 - 0 False 2020-10-26 03:00:28.000000 2020-10-26 03:00:28.000000 Disabled
336 328 conhost.exe 0x84aeab70 2 33 0 False 2020-10-26 03:00:28.000000 N/A Disabled
856 1772 sshd.exe 0x84aa1510 4 100 0 False 2020-10-26 03:00:28.000000 N/A Disabled
1908 460 sppsvc.exe 0x84d1d458 4 146 0 False 2020-10-26 03:00:29.000000 N/A Disabled
2052 460 svchost.exe 0x84e7f258 5 92 0 False 2020-10-26 03:00:29.000000 N/A Disabled
2332 460 SearchIndexer. 0x84f0d9c0 11 688 0 False 2020-10-26 03:00:33.000000 N/A Disabled
2400 2332 SearchProtocol 0x84f32030 6 279 0 False 2020-10-26 03:00:33.000000 N/A Disabled
2676 2656 csrss.exe 0x8448eb18 7 218 2 False 2020-10-26 03:01:39.000000 N/A Disabled
2700 2656 winlogon.exe 0x84a22710 3 107 2 False 2020-10-26 03:01:39.000000 N/A Disabled
2884 460 taskhost.exe 0x84a4bd20 10 250 2 False 2020-10-26 03:01:43.000000 N/A Disabled
2948 880 dwm.exe 0x84f49300 3 72 2 False 2020-10-26 03:01:43.000000 N/A Disabled
2964 2932 explorer.exe 0x84435030 34 1091 2 False 2020-10-26 03:01:43.000000 N/A Disabled
3108 2964 VBoxTray.exe 0x84dd8030 13 143 2 False 2020-10-26 03:01:43.000000 N/A Disabled
3632 2964 evil.exe 0x84dd6b28 1 21 2 False 2020-10-26 03:01:55.000000 N/A Disabled
3728 2964 cmd.exe 0x8494c030 1 19 2 False 2020-10-26 03:02:09.000000 N/A Disabled
3736 2676 conhost.exe 0x83eb8d20 2 53 2 False 2020-10-26 03:02:09.000000 N/A Disabled
3912 460 svchost.exe 0x8493e578 13 379 0 False 2020-10-26 03:02:30.000000 N/A Disabled
1108 596 WmiPrvSE.exe 0x84e6a910 7 161 0 False 2020-10-26 03:03:16.000000 N/A Disabled
2212 944 wuauclt.exe 0x83ee7d20 5 93 2 False 2020-10-26 03:03:31.000000 N/A Disabled
2660 2332 SearchFilterHo 0x83f211a8 5 99 0 False 2020-10-26 03:03:33.000000 N/A Disabled
3376 596 WmiPrvSE.exe 0x83f3ac68 8 117 0 False 2020-10-26 03:04:27.000000 N/A Disabled
3740 2964 MRCv120.exe 0x83f52d20 16 356 2 False 2020-10-26 03:04:32.000000 N/A Disabled
The suspicious one is cmd.exe.
Dump it and run strings on it.
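The pslist output is flat, so the parent/child relationships that make cmd.exe and evil.exe stand out (both spawned by the session-2 explorer.exe, with the matching conhost.exe under the session-2 csrss.exe) have to be read off the PPID column. The script below rebuilds that tree from the text output. It is an added example, not part of the original write-up and not Volatility's own code (Volatility 3 has windows.pstree for the same job); the sample rows are copied from the pslist output above, and the parser assumes exactly that column layout.

```python
"""Rebuild the process tree from Volatility 3 windows.pslist text output.

Added example, not part of the original post and not Volatility's own code.
The sample rows are copied from the pslist output above; parse_pslist()
assumes that exact column layout (PID PPID ImageFileName Offset(V) Threads
Handles SessionId Wow64 CreateTime ExitTime File output).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

PSLIST_SAMPLE = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x83d3ac58 82 541 N/A False 2020-10-26 19:00:20.000000 N/A Disabled
460 364 services.exe 0x84a5c7a8 6 211 0 False 2020-10-26 19:00:23.000000 N/A Disabled
1772 1840 cygrunsrv.exe 0x84dc8030 0 - 0 False 2020-10-26 03:00:28.000000 2020-10-26 03:00:28.000000 Disabled
2676 2656 csrss.exe 0x8448eb18 7 218 2 False 2020-10-26 03:01:39.000000 N/A Disabled
2964 2932 explorer.exe 0x84435030 34 1091 2 False 2020-10-26 03:01:43.000000 N/A Disabled
3108 2964 VBoxTray.exe 0x84dd8030 13 143 2 False 2020-10-26 03:01:43.000000 N/A Disabled
3632 2964 evil.exe 0x84dd6b28 1 21 2 False 2020-10-26 03:01:55.000000 N/A Disabled
3728 2964 cmd.exe 0x8494c030 1 19 2 False 2020-10-26 03:02:09.000000 N/A Disabled
3736 2676 conhost.exe 0x83eb8d20 2 53 2 False 2020-10-26 03:02:09.000000 N/A Disabled
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    offset: int
    session: str
    create_time: str
    exited: bool


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Turn pslist rows into Proc records keyed by PID; header and progress lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].isdigit():
            continue
        # f[8]/f[9] are the CreateTime date and time; f[10] is "N/A" unless the process exited.
        procs[int(f[0])] = Proc(
            pid=int(f[0]), ppid=int(f[1]), name=f[2], offset=int(f[3], 16),
            session=f[6], create_time=f"{f[8]} {f[9]}", exited=(f[10] != "N/A"),
        )
    return procs


def children_map(procs: Dict[int, Proc]) -> Dict[int, List[int]]:
    """PPID -> child PIDs, children ordered by creation time."""
    kids: Dict[int, List[int]] = defaultdict(list)
    for p in sorted(procs.values(), key=lambda p: (p.create_time, p.pid)):
        kids[p.ppid].append(p.pid)
    return kids


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from pid up to the highest listed ancestor; stops at an unlisted PPID."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:   # `seen` guards against PPID loops from PID reuse
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def orphans(procs: Dict[int, Proc]) -> List[int]:
    """PIDs whose parent is not in the listing (parent exited, or the PID was reused)."""
    return sorted(p.pid for p in procs.values() if p.ppid not in procs)


def render_tree(procs: Dict[int, Proc], root: int, depth: int = 0,
                kids: Optional[Dict[int, List[int]]] = None) -> List[str]:
    """Indented lines in the spirit of windows.pstree, rooted at `root`."""
    kids = children_map(procs) if kids is None else kids
    p = procs[root]
    lines = [f"{'  ' * depth}{p.name} (pid {p.pid}, session {p.session}, {p.create_time})"]
    for child in kids.get(root, []):
        lines.extend(render_tree(procs, child, depth + 1, kids))
    return lines


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for root in orphans(procs):
        print("\n".join(render_tree(procs, root)))
    print("cmd.exe ancestry:", " <- ".join(ancestry(procs, 3728)))
```

Run against the full pslist text (pipe vol.py output into parse_pslist) to get the same tree for every process; the chain for PID 3728 comes back as cmd.exe <- explorer.exe, and orphans() shows where the PPID trail stops because the parent has already exited, which is the cygrunsrv.exe/sshd.exe case in the listing.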
$ python3 vol.py -f ALLIGATOR.raw windows.pslist --pid 3728 --dump
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
3728 2964 cmd.exe 0x8494c030 1 19 2 False 2020-10-26 03:02:09.000000 N/A pid.3728.0x49f20000.dmp
$ strings -a pid.3728.0x49f20000.dmp > ascii.txt
$ strings -a -el pid.3728.0x49f20000.dmp > unicode.txt
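The two strings passes matter because most of what a Windows user-mode process keeps in memory (paths, command lines, console text) is UTF-16LE, which an ASCII-only pass skips entirely; -el asks for 16-bit little-endian characters. The script below reimplements both passes with a grep-style filter so you can see exactly what each one picks up. It is an added example, not part of the original post and not GNU strings' code; the byte buffer is constructed for the demo and is not the ALLIGATOR dump, and the flag value in it is a placeholder.

```python
"""ASCII and UTF-16LE string extraction over a process dump, mirroring
`strings -a` and `strings -a -el`.

Added example, not part of the original post and not GNU strings' code.
SAMPLE_DUMP is a constructed stand-in for pid.3728.0x49f20000.dmp; the
flag text in it is a placeholder, not the real flag.
"""
import re
from typing import List, Tuple

# Constructed: a few header-ish bytes, one ASCII string, two UTF-16LE strings, noise.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"C:\\Users\\ALLIGATOR\\Desktop\\flag.txt\r\n"
    + b"\x01\x02\x03"
    + "cmd.exe  dir".encode("utf-16-le")
    + b"\xff\xfe"
    + "FLAG{constructed_placeholder}".encode("utf-16-le")
    + b"\x00\x00abc\x00"
)


def ascii_strings(buf: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable 7-bit bytes (what `strings -a -n min_len` reports)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(buf)]


def utf16le_strings(buf: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable chars each followed by a NUL byte (`strings -el`)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(buf)]


def grep_strings(buf: bytes, pattern: str, min_len: int = 4) -> List[Tuple[str, str]]:
    """Both passes, filtered by a case-insensitive regex; returns (encoding, string) pairs."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = [("ascii", s) for s in ascii_strings(buf, min_len) if rx.search(s)]
    hits += [("utf-16le", s) for s in utf16le_strings(buf, min_len) if rx.search(s)]
    return hits


if __name__ == "__main__":
    import sys
    # With a path argument, scan a real dump file; otherwise use the constructed buffer.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for enc, s in grep_strings(data, r"flag"):
        print(f"[{enc}] {s}")
```

Against the constructed buffer the ASCII pass finds only the file path, and the UTF-16LE pass finds the command text and the placeholder flag; the same split is why running only strings -a against a Windows process dump can miss the interesting lines. Raising min_len cuts noise at the cost of short tokens, which is the usual trade-off with -n.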
Found something good!
Does flag.txt exist in memory?
$ python3 vol.py -f ALLIGATOR.raw windows.filescan | grep -i flag
0x3fcffab8 100.0\Users\ALLIGATOR\Desktop\flag.txt 128
Bingo.
All that is left is to extract it.
$ python3 vol.py -f ALLIGATOR.raw windows.dumpfiles --physaddr 0x3fcffab8
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0x3fcffab8 flag.txt file.0x3fcffab8.0x84ae8c80.DataSectionObject.flag.txt.dat
Sites I used as references (thank you.)