【CyberDefenders】BlackEnergy【Walkthrough】

Posted at 2023-11-05

Introduction

Hello, it's me, the wannabe engineer who is not very good at this.
This article is a walkthrough of my attempt at the "BlackEnergy" challenge on CyberDefenders (see the link below).

※ This challenge tests Blue-team analysis skills rather than Red-team penetration testing.

Which volatility profile would be best for this machine?

imageinfo gives you this.

remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/remnux/Downloads/CYBERDEF-567078-20230213-171333.raw)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x8054cde0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2023-02-13 18:29:11 UTC+0000
     Image local date and time : 2023-02-13 10:29:11 -0800

One of the suggested profiles will be the answer.

How many processes were running when the image was acquired?

pslist would do, but to also catch processes hidden from that command I check with psxview.

remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 psxview
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x09a88da0 winlogon.exe            616 True   True   True     True   True  True    True     
0x09aa0020 lsass.exe               672 True   True   True     True   True  True    True     
0x0994a020 msmsgs.exe              636 True   True   True     True   True  True    True     
0x097289a8 svchost.exe            1108 True   True   True     True   True  True    True     
0x09982da0 VBoxTray.exe            376 True   True   True     True   True  True    True     
0x09a9f6f8 svchost.exe             968 True   True   True     True   True  True    True     
0x09aab590 svchost.exe             880 True   True   True     True   True  True    True     
0x09aaa3d8 VBoxService.exe         832 True   True   True     True   True  True    True     
0x09694388 wscntfy.exe             480 True   True   True     True   True  True    True     
0x09730da0 svchost.exe            1060 True   True   True     True   True  True    True     
0x097075d0 spoolsv.exe            1608 True   True   True     True   True  True    True     
0x099adda0 svchost.exe            1156 True   True   True     True   True  True    True     
0x09938998 services.exe            660 True   True   True     True   True  True    True     
0x0969d2a0 alg.exe                 540 True   True   True     True   True  True    True     
0x09a0fda0 DumpIt.exe              276 True   True   True     True   True  True    True     
0x09733938 explorer.exe           1484 True   True   True     True   True  True    True     
0x09a0d180 notepad.exe            1432 True   True   False    True   False False   False    2023-02-13 18:28:40 UTC+0000
0x09a18da0 cmd.exe                1960 True   True   False    True   False False   False    2023-02-13 18:25:26 UTC+0000
0x099e6da0 notepad.exe            1444 True   True   False    True   False False   False    2023-02-13 18:28:47 UTC+0000
0x096c5020 notepad.exe             528 True   True   False    True   False False   False    2023-02-13 18:27:46 UTC+0000
0x099dd740 rootkit.exe             964 True   True   False    True   False False   False    2023-02-13 18:25:26 UTC+0000
0x09c037f8 System                    4 True   True   True     True   False False   False    
0x09a98da0 csrss.exe               592 True   True   True     True   False True    True     
0x09a0b2f0 taskmgr.exe            1880 True   True   False    True   False False   False    2023-02-13 18:26:21 UTC+0000
0x09965020 smss.exe                368 True   True   True     True   False False   False    
remnux@remnux:~/Downloads$ 

All that's left is to account for the ExitTime column.

What is the process ID of cmd.exe?

You can read it off the output of the previous question's command.

What is the name of the most suspicious process?

There is one obviously suspicious process in that list.

Which process shows the highest likelihood of code injection?

The malfind command shows this.

remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 malfind
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
Process: csrss.exe Pid: 592 Address: 0x7f6f0000
Vad Tag: Vad  Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x000000007f6f0000  c8 00 00 00 84 01 00 00 ff ee ff ee 08 70 00 00   .............p..
0x000000007f6f0010  08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00   ................
0x000000007f6f0020  00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f   ................
0x000000007f6f0030  03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00   ................



...(omitted)


Process: winlogon.exe Pid: 616 Address: 0x62220000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000062220000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000062220010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000062220020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000062220030  00 00 00 00 2a 00 2a 00 01 00 00 00 00 00 00 00   ....*.*.........

0x0000000062220000 0000             ADD [EAX], AL
0x0000000062220002 0000             ADD [EAX], AL
0x0000000062220004 0000             ADD [EAX], AL
0x0000000062220006 0000             ADD [EAX], AL
0x0000000062220008 0000             ADD [EAX], AL
0x000000006222000a 0000             ADD [EAX], AL
0x000000006222000c 0000             ADD [EAX], AL
0x000000006222000e 0000             ADD [EAX], AL
0x0000000062220010 0000             ADD [EAX], AL
0x0000000062220012 0000             ADD [EAX], AL
0x0000000062220014 0000             ADD [EAX], AL
0x0000000062220016 0000             ADD [EAX], AL
0x0000000062220018 0000             ADD [EAX], AL
0x000000006222001a 0000             ADD [EAX], AL
0x000000006222001c 0000             ADD [EAX], AL
0x000000006222001e 0000             ADD [EAX], AL
0x0000000062220020 0000             ADD [EAX], AL
0x0000000062220022 0000             ADD [EAX], AL
0x0000000062220024 0000             ADD [EAX], AL
0x0000000062220026 0000             ADD [EAX], AL
0x0000000062220028 0000             ADD [EAX], AL
0x000000006222002a 0000             ADD [EAX], AL
0x000000006222002c 0000             ADD [EAX], AL
0x000000006222002e 0000             ADD [EAX], AL
0x0000000062220030 0000             ADD [EAX], AL
0x0000000062220032 0000             ADD [EAX], AL
0x0000000062220034 2a00             SUB AL, [EAX]
0x0000000062220036 2a00             SUB AL, [EAX]
0x0000000062220038 0100             ADD [EAX], EAX
0x000000006222003a 0000             ADD [EAX], AL
0x000000006222003c 0000             ADD [EAX], AL
0x000000006222003e 0000             ADD [EAX], AL

Process: svchost.exe Pid: 880 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000000980000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x0000000000980010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x0000000000980020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000000980030  00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00   ................

0x0000000000980000 4d               DEC EBP
0x0000000000980001 5a               POP EDX
0x0000000000980002 90               NOP
0x0000000000980003 0003             ADD [EBX], AL
0x0000000000980005 0000             ADD [EAX], AL
0x0000000000980007 000400           ADD [EAX+EAX], AL
0x000000000098000a 0000             ADD [EAX], AL
0x000000000098000c ff               DB 0xff
0x000000000098000d ff00             INC DWORD [EAX]
0x000000000098000f 00b800000000     ADD [EAX+0x0], BH
0x0000000000980015 0000             ADD [EAX], AL
0x0000000000980017 004000           ADD [EAX+0x0], AL
0x000000000098001a 0000             ADD [EAX], AL
0x000000000098001c 0000             ADD [EAX], AL
0x000000000098001e 0000             ADD [EAX], AL
0x0000000000980020 0000             ADD [EAX], AL
0x0000000000980022 0000             ADD [EAX], AL
0x0000000000980024 0000             ADD [EAX], AL
0x0000000000980026 0000             ADD [EAX], AL
0x0000000000980028 0000             ADD [EAX], AL
0x000000000098002a 0000             ADD [EAX], AL
0x000000000098002c 0000             ADD [EAX], AL
0x000000000098002e 0000             ADD [EAX], AL
0x0000000000980030 0000             ADD [EAX], AL
0x0000000000980032 0000             ADD [EAX], AL
0x0000000000980034 0000             ADD [EAX], AL
0x0000000000980036 0000             ADD [EAX], AL
0x0000000000980038 0000             ADD [EAX], AL
0x000000000098003a 0000             ADD [EAX], AL
0x000000000098003c f8               CLC
0x000000000098003d 0000             ADD [EAX], AL
0x000000000098003f 00               DB 0x0

remnux@remnux:~/Downloads$ 

The magic number 4d 5a 90 00 is what you see at the start of a PE executable, and together with the PAGE_EXECUTE_READWRITE permission on a private region it points strongly to code injection.
Now it's just a matter of finding it!
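
As an added example (my own script, not part of the original walkthrough or of Volatility), here is a parser for malfind's text output that applies exactly the two cues described above: it reconstructs the bytes from each region's hexdump, checks whether they begin with the MZ header, and combines that with the reported protection. The embedded input is two of the regions printed above; the e_lfanew value it reads at offset 0x3C is the f8 00 00 00 visible in the last hexdump line.

```python
import re
from dataclasses import dataclass

# Two of the malfind regions printed above, reproduced as this script's input.
MALFIND_OUTPUT = """\
Process: winlogon.exe Pid: 616 Address: 0x62220000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000062220000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000062220010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000062220020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000062220030  00 00 00 00 2a 00 2a 00 01 00 00 00 00 00 00 00   ....*.*.........

0x0000000062220000 0000             ADD [EAX], AL

Process: svchost.exe Pid: 880 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000000980000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x0000000000980010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x0000000000980020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000000980030  00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00   ................

0x0000000000980000 4d               DEC EBP
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
PROT_RE = re.compile(r"Protection: (PAGE_\w+)")
# Hexdump lines have two spaces after the address; disassembly lines have only one.
HEXDUMP_RE = re.compile(r"^0x([0-9a-fA-F]{16})\s{2}((?:[0-9a-fA-F]{2}\s)+)\s")


@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str = ""
    data: bytes = b""  # the bytes malfind printed (first 64 of the region)


def parse_malfind(text):
    """Split malfind output into Region objects, collecting each region's hexdump bytes."""
    regions = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            regions.append(Region(h[1], int(h[2]), int(h[3], 16)))
            continue
        if not regions:
            continue
        if line.startswith("Vad Tag"):
            p = PROT_RE.search(line)
            if p:
                regions[-1].protection = p[1]
            continue
        d = HEXDUMP_RE.match(line)
        if d:
            regions[-1].data += bytes.fromhex(d[2])
    return regions


def triage(region):
    """Return (verdict, e_lfanew) for one region using the MZ-header and RWX cues."""
    if region.data[:2] != b"MZ":
        return "no PE header: review the disassembly and strings by hand", None
    e_lfanew = None
    if len(region.data) >= 0x40:
        # Offset of the PE signature; malfind only prints 64 bytes, so confirming
        # the "PE\0\0" at that offset needs the region dumped (e.g. vaddump).
        e_lfanew = int.from_bytes(region.data[0x3C:0x40], "little")
    if region.protection == "PAGE_EXECUTE_READWRITE":
        return "PE image in private RWX memory: likely injected", e_lfanew
    return "PE image in executable memory", e_lfanew


def likely_injected(regions):
    """(process, pid, address) for every region that carries an MZ header and is RWX."""
    return [(r.process, r.pid, r.address) for r in regions
            if r.data[:2] == b"MZ" and r.protection == "PAGE_EXECUTE_READWRITE"]


if __name__ == "__main__":
    for r in parse_malfind(MALFIND_OUTPUT):
        verdict, e_lfanew = triage(r)
        print(f"{r.process} pid={r.pid} addr={r.address:#x} {r.protection}: {verdict}"
              + (f" (e_lfanew={e_lfanew:#x})" if e_lfanew is not None else ""))
```

Feeding it the full malfind output (redirected to a file) makes the RWX-plus-MZ regions stand out immediately, while regions that are RWX but start with zeros or data, like the winlogon.exe one above, are left for manual review rather than being called injection on the strength of the protection alone.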

There is an odd file referenced in the recent process. Provide the full path of that file.

Take a memory dump of the injected process identified above.

remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 memdump -p 880 -D out
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
************************************************************************
Writing svchost.exe [   880] to 880.dmp

After that, just grep the dump with a regular expression for a full Windows path.
(image: 6.png)
Which one is it???
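
As an added example (my own code, not from the walkthrough), here is the full-path regex carried out in Python over raw dump bytes. It goes one step beyond a plain grep: Windows keeps most file names in memory as UTF-16LE, which an ASCII grep over 880.dmp silently misses, so the script matches both encodings. The embedded dump bytes are constructed for the example; the paths in it are placeholders, not the challenge answer.

```python
import re

# Path grammar: drive letter, colon, backslash, then segments without reserved
# characters. The UTF-16LE twin has every ASCII code unit followed by a \x00 byte.
_SEG = rb'[^\\\x00-\x1f\x7f-\xff<>:"|?*]'
PATH_ASCII = re.compile(rb'[A-Za-z]:\\(?:' + _SEG + rb'{1,255}\\)*' + _SEG + rb'{1,255}')
PATH_UTF16 = re.compile(
    rb'[A-Za-z]\x00:\x00\\\x00(?:(?:' + _SEG + rb'\x00){1,255}\\\x00)*(?:' + _SEG + rb'\x00){1,255}'
)

# Constructed stand-in for a process dump: one ASCII path, one UTF-16LE path,
# and some bytes that must not match.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"C:\\WINDOWS\\system32\\svchost.exe\x00"
    + b"\x90\x90\xcc"
    + "C:\\Documents and Settings\\user\\example.dat".encode("utf-16-le") + b"\x00\x00"
    + b"\\foo\\bar without a drive letter"
)


def find_windows_paths(blob):
    """Return {path: encoding} for every full Windows path found in raw memory bytes."""
    found = {}
    for m in PATH_ASCII.finditer(blob):
        found[m.group().decode("ascii")] = "ascii"
    for m in PATH_UTF16.finditer(blob):
        found[m.group().decode("utf-16-le")] = "utf-16le"
    return found


if __name__ == "__main__":
    import sys
    # Pass a dump file (e.g. 880.dmp) as the first argument; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for path, enc in sorted(find_windows_paths(blob).items()):
        print(f"{enc:8} {path}")
```

On the command line the equivalent split is `grep -aoE` for the ASCII form and `strings -a -e l 880.dmp` to surface the UTF-16LE strings before grepping them; running only the first of the two is how the odd path gets overlooked.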

What is the name of the injected dll file loaded from the recent process?

ldrmodules shows this. I filter on PID 880, the injected process.
Any entry with a False mixed into InLoad, InInit or InMem is suspicious.

remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 ldrmodules -p 880
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     880 svchost.exe          0x6f880000 True   True   True  \WINDOWS\AppPatch\AcGenral.dll
     880 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
     880 svchost.exe          0x77f60000 True   True   True  \WINDOWS\system32\shlwapi.dll
     880 svchost.exe          0x74f70000 True   True   True  \WINDOWS\system32\icaapi.dll
     880 svchost.exe          0x76f60000 True   True   True  \WINDOWS\system32\wldap32.dll
     880 svchost.exe          0x77c00000 True   True   True  \WINDOWS\system32\version.dll
     880 svchost.exe          0x5ad70000 True   True   True  \WINDOWS\system32\uxtheme.dll
     880 svchost.exe          0x76e80000 True   True   True  \WINDOWS\system32\rtutils.dll
     880 svchost.exe          0x771b0000 True   True   True  \WINDOWS\system32\wininet.dll
     880 svchost.exe          0x76c90000 True   True   True  \WINDOWS\system32\imagehlp.dll
     880 svchost.exe          0x76bc0000 True   True   True  \WINDOWS\system32\regapi.dll
     880 svchost.exe          0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
     880 svchost.exe          0x76f20000 True   True   True  \WINDOWS\system32\dnsapi.dll
     880 svchost.exe          0x77be0000 True   True   True  \WINDOWS\system32\msacm32.dll
     880 svchost.exe          0x7e1e0000 True   True   True  \WINDOWS\system32\urlmon.dll
     880 svchost.exe          0x68000000 True   True   True  \WINDOWS\system32\rsaenh.dll
     880 svchost.exe          0x722b0000 True   True   True  \WINDOWS\system32\sensapi.dll
     880 svchost.exe          0x76e10000 True   True   True  \WINDOWS\system32\adsldpc.dll
     880 svchost.exe          0x76b40000 True   True   True  \WINDOWS\system32\winmm.dll
     880 svchost.exe          0x773d0000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
     880 svchost.exe          0x71a50000 True   True   True  \WINDOWS\system32\mswsock.dll
     880 svchost.exe          0x5b860000 True   True   True  \WINDOWS\system32\netapi32.dll
     880 svchost.exe          0x00670000 True   True   True  \WINDOWS\system32\xpsp2res.dll
     880 svchost.exe          0x76e90000 True   True   True  \WINDOWS\system32\rasman.dll
     880 svchost.exe          0x77a80000 True   True   True  \WINDOWS\system32\crypt32.dll
     880 svchost.exe          0x71ab0000 True   True   True  \WINDOWS\system32\ws2_32.dll
     880 svchost.exe          0x77cc0000 True   True   True  \WINDOWS\system32\activeds.dll
     880 svchost.exe          0x71ad0000 True   True   True  \WINDOWS\system32\wsock32.dll
     880 svchost.exe          0x774e0000 True   True   True  \WINDOWS\system32\ole32.dll
     880 svchost.exe          0x77920000 True   True   True  \WINDOWS\system32\setupapi.dll
     880 svchost.exe          0x7e410000 True   True   True  \WINDOWS\system32\user32.dll
     880 svchost.exe          0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     880 svchost.exe          0x77f10000 True   True   True  \WINDOWS\system32\gdi32.dll
     880 svchost.exe          0x77120000 True   True   True  \WINDOWS\system32\oleaut32.dll
     880 svchost.exe          0x5cb70000 True   True   True  \WINDOWS\system32\shimeng.dll
     880 svchost.exe          0x74980000 True   True   True  \WINDOWS\system32\msxml3.dll
     880 svchost.exe          0x009a0000 False  False  False \WINDOWS\system32\msxml3r.dll
     880 svchost.exe          0x77e70000 True   True   True  \WINDOWS\system32\rpcrt4.dll
     880 svchost.exe          0x769c0000 True   True   True  \WINDOWS\system32\userenv.dll
     880 svchost.exe          0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
     880 svchost.exe          0x76fd0000 True   True   True  \WINDOWS\system32\clbcatq.dll
     880 svchost.exe          0x76b20000 True   True   True  \WINDOWS\system32\atl.dll
     880 svchost.exe          0x71bf0000 True   True   True  \WINDOWS\system32\samlib.dll
     880 svchost.exe          0x77690000 True   True   True  \WINDOWS\system32\ntmarta.dll
     880 svchost.exe          0x77c10000 True   True   True  \WINDOWS\system32\msvcrt.dll
     880 svchost.exe          0x760f0000 True   True   True  \WINDOWS\system32\termsrv.dll
     880 svchost.exe          0x76fc0000 True   True   True  \WINDOWS\system32\rasadhlp.dll
     880 svchost.exe          0x76c30000 True   True   True  \WINDOWS\system32\wintrust.dll
     880 svchost.exe          0x7c9c0000 True   True   True  \WINDOWS\system32\shell32.dll
     880 svchost.exe          0x77050000 True   True   True  \WINDOWS\system32\comres.dll
     880 svchost.exe          0x76eb0000 True   True   True  \WINDOWS\system32\tapi32.dll
     880 svchost.exe          0x76a80000 True   True   True  \WINDOWS\system32\rpcss.dll
     880 svchost.exe          0x5d090000 True   True   True  \WINDOWS\system32\comctl32.dll
     880 svchost.exe          0x71aa0000 True   True   True  \WINDOWS\system32\ws2help.dll
     880 svchost.exe          0x776c0000 True   True   True  \WINDOWS\system32\authz.dll
     880 svchost.exe          0x76ee0000 True   True   True  \WINDOWS\system32\rasapi32.dll
     880 svchost.exe          0x77b20000 True   True   True  \WINDOWS\system32\msasn1.dll
     880 svchost.exe          0x75110000 True   True   True  \WINDOWS\system32\mstlsapi.dll
     880 svchost.exe          0x77fe0000 True   True   True  \WINDOWS\system32\secur32.dll
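
As an added example (my own script, not part of the walkthrough), here is the InLoad/InInit/InMem rule from above applied to ldrmodules output, with the one exception a practitioner needs to know: the process's own executable normally shows InInit False because the main image is not placed on the initialization-order list, so that row is not a finding. The embedded table is a constructed subset of the rows shown above.

```python
import re

# Constructed subset of the ldrmodules table above (raw string keeps the backslashes).
LDRMODULES_OUTPUT = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     880 svchost.exe          0x6f880000 True   True   True  \WINDOWS\AppPatch\AcGenral.dll
     880 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
     880 svchost.exe          0x77f60000 True   True   True  \WINDOWS\system32\shlwapi.dll
     880 svchost.exe          0x74980000 True   True   True  \WINDOWS\system32\msxml3.dll
     880 svchost.exe          0x009a0000 False  False  False \WINDOWS\system32\msxml3r.dll
     880 svchost.exe          0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
"""

ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<process>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)\s*(?P<path>\S.*)?$"
)
LIST_NAMES = ("InLoad", "InInit", "InMem")


def parse_ldrmodules(text):
    """Parse ldrmodules' text table into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "pid": int(m["pid"]),
            "process": m["process"],
            "base": int(m["base"], 16),
            "flags": tuple(m[k] == "True" for k in ("inload", "ininit", "inmem")),
            "path": (m["path"] or "").strip(),
        })
    return rows


def suspicious_modules(rows):
    """(base, path, reason) for modules missing from a PEB list, minus the expected case."""
    flagged = []
    for r in rows:
        flags = r["flags"]
        if all(flags):
            continue
        # The main executable is not on the InInitializationOrder list, so
        # InLoad/InMem True with InInit False is normal for it.
        is_main_image = r["path"].lower().endswith("\\" + r["process"].lower())
        if is_main_image and flags == (True, False, True):
            continue
        if not any(flags):
            reason = "absent from all three PEB lists (unlinked, or never loaded as a module)"
        else:
            missing = [n for n, f in zip(LIST_NAMES, flags) if not f]
            reason = "missing from " + ", ".join(missing)
        flagged.append((hex(r["base"]), r["path"], reason))
    return flagged


if __name__ == "__main__":
    for base, path, reason in suspicious_modules(parse_ldrmodules(LDRMODULES_OUTPUT)):
        print(f"{base:<12} {path}: {reason}")
```

A module that is False in all three lists but still has a MappedPath is exactly the DLL-injection pattern the question is after; the VAD knows about the file mapping, but the loader's own bookkeeping in the PEB was never updated, or was deliberately unlinked.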

What is the base address of the injected dll?

The address can be read from the malfind output.

Process: svchost.exe Pid: 880 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000000980000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x0000000000980010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x0000000000980020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000000980030  00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00   ................

Closing thoughts

This was a good lesson in DLL injection.
volatility2 is great.
