Forensic
First, install Volatility.
Then run vol -f memory.vmem windows.info to get the basic system information:
Kernel Base 0xf80003e63000
DTB 0x187000
Symbols file:///E:/CTF/misc/tool/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/ECE191A20CFF4465AE46DF96C2263845-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdDebuggerDataBlock 0xf80004045120
NTBuildLab 7601.24384.amd64fre.win7sp1_ldr_
CSDVersion 1
KdVersionBlock 0xf800040450e8
Major/Minor 15.7601
MachineType 34404
KeNumberProcessors 4
SystemTime 2024-07-22 15:50:04
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 6
NtMinorVersion 1
PE MajorOperatingSystemVersion 6
PE MinorOperatingSystemVersion 1
PE Machine 34404
PE TimeDateStamp Thu Feb 21 03:36:29 2019
Next, enumerate the system processes: vol -f memory.vmem windows.pslist
Volatility 3 Framework 2.5.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xfa80018d1040 92 464 N/A False 2024-07-22 15:38:55.000000 N/A Disabled
280 4 smss.exe 0xfa800348a920 2 32 N/A False 2024-07-22 15:38:55.000000 N/A Disabled
352 340 csrss.exe 0xfa80039e1060 9 332 0 False 2024-07-22 15:39:02.000000 N/A Disabled
392 340 wininit.exe 0xfa8003aac060 3 82 0 False 2024-07-22 15:39:02.000000 N/A Disabled
404 384 csrss.exe 0xfa8003ab2060 8 140 1 False 2024-07-22 15:39:03.000000 N/A Disabled
432 384 winlogon.exe 0xfa8003b90060 3 117 1 False 2024-07-22 15:39:03.000000 N/A Disabled
488 392 services.exe 0xfa8002e74b00 6 201 0 False 2024-07-22 15:39:05.000000 N/A Disabled
496 392 lsass.exe 0xfa8003bef830 7 538 0 False 2024-07-22 15:39:05.000000 N/A Disabled
504 392 lsm.exe 0xfa8003bf6b00 11 145 0 False 2024-07-22 15:39:05.000000 N/A Disabled
604 488 svchost.exe 0xfa8003c4d060 10 354 0 False 2024-07-22 15:39:06.000000 N/A Disabled
676 488 svchost.exe 0xfa8003c7db00 7 238 0 False 2024-07-22 15:39:07.000000 N/A Disabled
752 488 svchost.exe 0xfa8003bc6640 20 455 0 False 2024-07-22 15:39:08.000000 N/A Disabled
820 488 svchost.exe 0xfa8003cd7860 11 311 0 False 2024-07-22 15:39:08.000000 N/A Disabled
848 488 svchost.exe 0xfa8003cdeb00 29 872 0 False 2024-07-22 15:39:08.000000 N/A Disabled
984 488 svchost.exe 0xfa8003d40300 14 287 0 False 2024-07-22 15:39:09.000000 N/A Disabled
308 488 svchost.exe 0xfa8003d5cb00 16 380 0 False 2024-07-22 15:39:09.000000 N/A Disabled
1084 488 spoolsv.exe 0xfa8003dd1b00 13 287 0 False 2024-07-22 15:39:10.000000 N/A Disabled
1128 488 svchost.exe 0xfa8003e3cb00 19 333 0 False 2024-07-22 15:39:10.000000 N/A Disabled
1592 488 svchost.exe 0xfa8003fb5060 6 99 0 False 2024-07-22 15:39:13.000000 N/A Disabled
1924 488 taskhost.exe 0xfa8003130060 8 172 1 False 2024-07-22 15:39:25.000000 N/A Disabled
2008 820 dwm.exe 0xfa80040a16c0 3 77 1 False 2024-07-22 15:39:25.000000 N/A Disabled
1252 1976 explorer.exe 0xfa80040b3b00 21 768 1 False 2024-07-22 15:39:25.000000 N/A Disabled
1724 488 SearchIndexer. 0xfa8003cb9600 11 537 0 False 2024-07-22 15:39:36.000000 N/A Disabled
1556 488 mscorsvw.exe 0xfa80041f24b0 6 98 0 True 2024-07-22 15:41:13.000000 N/A Disabled
1544 488 mscorsvw.exe 0xfa8003c79310 8 121 0 False 2024-07-22 15:41:14.000000 N/A Disabled
216 488 svchost.exe 0xfa8001a37b00 5 74 0 False 2024-07-22 15:41:14.000000 N/A Disabled
1716 488 sppsvc.exe 0xfa800186e7d0 4 150 0 False 2024-07-22 15:41:15.000000 N/A Disabled
1976 488 svchost.exe 0xfa80033b9990 9 311 0 False 2024-07-22 15:41:15.000000 N/A Disabled
1864 604 WmiPrvSE.exe 0xfa8001a4cb00 7 117 0 False 2024-07-22 15:43:13.000000 N/A Disabled
1144 1544 mscorsvw.exe 0xfa8001cadb00 9 179 0 False 2024-07-22 15:49:28.000000 N/A Disabled
Then also scan for process objects in pool memory, in case a process has been unlinked and hidden from the process list: vol -f memory.vmem windows.psscan
Volatility 3 Framework 2.5.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
2008 820 dwm.exe 0x7d6a16c0 3 77 1 False 2024-07-22 15:39:25.000000 N/A Disabled
1252 1976 explorer.exe 0x7d6b3b00 21 768 1 False 2024-07-22 15:39:25.000000 N/A Disabled
1556 488 mscorsvw.exe 0x7d7f24b0 6 98 0 True 2024-07-22 15:41:13.000000 N/A Disabled
1128 488 svchost.exe 0x7d83cb00 19 333 0 False 2024-07-22 15:39:10.000000 N/A Disabled
1592 488 svchost.exe 0x7d9b5060 6 99 0 False 2024-07-22 15:39:13.000000 N/A Disabled
604 488 svchost.exe 0x7da4d060 10 354 0 False 2024-07-22 15:39:06.000000 N/A Disabled
1544 488 mscorsvw.exe 0x7da79310 8 121 0 False 2024-07-22 15:41:14.000000 N/A Disabled
676 488 svchost.exe 0x7da7db00 7 238 0 False 2024-07-22 15:39:07.000000 N/A Disabled
1724 488 SearchIndexer. 0x7dab9600 11 537 0 False 2024-07-22 15:39:36.000000 N/A Disabled
820 488 svchost.exe 0x7dad7860 11 311 0 False 2024-07-22 15:39:08.000000 N/A Disabled
848 488 svchost.exe 0x7dadeb00 29 872 0 False 2024-07-22 15:39:08.000000 N/A Disabled
984 488 svchost.exe 0x7db40300 14 287 0 False 2024-07-22 15:39:09.000000 N/A Disabled
308 488 svchost.exe 0x7db5cb00 16 380 0 False 2024-07-22 15:39:09.000000 N/A Disabled
1084 488 spoolsv.exe 0x7dbd1b00 13 287 0 False 2024-07-22 15:39:10.000000 N/A Disabled
392 340 wininit.exe 0x7dcac060 3 82 0 False 2024-07-22 15:39:02.000000 N/A Disabled
404 384 csrss.exe 0x7dcb2060 8 140 1 False 2024-07-22 15:39:03.000000 N/A Disabled
432 384 winlogon.exe 0x7dd90060 3 117 1 False 2024-07-22 15:39:03.000000 N/A Disabled
752 488 svchost.exe 0x7ddc6640 20 455 0 False 2024-07-22 15:39:08.000000 N/A Disabled
496 392 lsass.exe 0x7ddef830 7 538 0 False 2024-07-22 15:39:05.000000 N/A Disabled
504 392 lsm.exe 0x7ddf6b00 11 145 0 False 2024-07-22 15:39:05.000000 N/A Disabled
352 340 csrss.exe 0x7dfe1060 9 332 0 False 2024-07-22 15:39:02.000000 N/A Disabled
280 4 smss.exe 0x7e28a920 2 32 N/A False 2024-07-22 15:38:55.000000 N/A Disabled
1976 488 svchost.exe 0x7e5b9990 9 311 0 False 2024-07-22 15:41:15.000000 N/A Disabled
1924 488 taskhost.exe 0x7e730060 8 172 1 False 2024-07-22 15:39:25.000000 N/A Disabled
488 392 services.exe 0x7e874b00 6 201 0 False 2024-07-22 15:39:05.000000 N/A Disabled
1144 1544 mscorsvw.exe 0x7faadb00 9 179 0 False 2024-07-22 15:49:28.000000 N/A Disabled
216 488 svchost.exe 0x7fc37b00 5 74 0 False 2024-07-22 15:41:14.000000 N/A Disabled
1864 604 WmiPrvSE.exe 0x7fc4cb00 7 117 0 False 2024-07-22 15:43:13.000000 N/A Disabled
1716 488 sppsvc.exe 0x7ff677d0 4 150 0 False 2024-07-22 15:41:15.000000 N/A Disabled
4 0 System 0x7ffca040 92 464 N/A False 2024-07-22 15:38:55.000000 N/A Disabled
We notice that svchost.exe with PID 848 has an alarmingly high handle count. Given the basic characteristics of Panda Burning Incense (熊猫烧香), we need to investigate it further.
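The pslist/psscan comparison above was done by eye. As an added example (not code from the writeup), the following Python script parses both tables and performs the same three checks mechanically: processes that psscan finds but pslist does not show, svchost.exe instances whose parent is not services.exe, and handle counts far above those of same-name peers, which is the reasoning just applied to PID 848. The rows are copied from the output above; the single row tagged CONSTRUCTED is invented so that the hidden-process and parent checks have something to report.

```python
"""Cross-check windows.pslist against windows.psscan and triage the result.

Added example, not part of the original writeup. Rows are copied from the
writeup's own pslist output; the single row marked CONSTRUCTED is invented
so that the hidden-process and parent checks have something to report.
"""
from statistics import median

PSLIST_SAMPLE = """\
Volatility 3 Framework 2.5.0
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xfa80018d1040 92 464 N/A False 2024-07-22 15:38:55.000000 N/A Disabled
280 4 smss.exe 0xfa800348a920 2 32 N/A False 2024-07-22 15:38:55.000000 N/A Disabled
352 340 csrss.exe 0xfa80039e1060 9 332 0 False 2024-07-22 15:39:02.000000 N/A Disabled
392 340 wininit.exe 0xfa8003aac060 3 82 0 False 2024-07-22 15:39:02.000000 N/A Disabled
488 392 services.exe 0xfa8002e74b00 6 201 0 False 2024-07-22 15:39:05.000000 N/A Disabled
496 392 lsass.exe 0xfa8003bef830 7 538 0 False 2024-07-22 15:39:05.000000 N/A Disabled
604 488 svchost.exe 0xfa8003c4d060 10 354 0 False 2024-07-22 15:39:06.000000 N/A Disabled
676 488 svchost.exe 0xfa8003c7db00 7 238 0 False 2024-07-22 15:39:07.000000 N/A Disabled
752 488 svchost.exe 0xfa8003bc6640 20 455 0 False 2024-07-22 15:39:08.000000 N/A Disabled
820 488 svchost.exe 0xfa8003cd7860 11 311 0 False 2024-07-22 15:39:08.000000 N/A Disabled
848 488 svchost.exe 0xfa8003cdeb00 29 872 0 False 2024-07-22 15:39:08.000000 N/A Disabled
1252 1976 explorer.exe 0xfa80040b3b00 21 768 1 False 2024-07-22 15:39:25.000000 N/A Disabled
"""

# psscan carves _EPROCESS objects out of pool memory instead of walking the
# linked list, so it also reports unlinked and already-exited processes.
# CONSTRUCTED row: a "svchost.exe" absent from pslist, parented by explorer.exe.
PSSCAN_SAMPLE = PSLIST_SAMPLE + """\
4444 1252 svchost.exe 0x7d000000 2 40 1 False 2024-07-22 15:45:00.000000 N/A Disabled
"""


def parse_process_table(text):
    """Parse the whitespace-separated table; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].isdigit():
            continue
        rows.append({
            "pid": int(f[0]), "ppid": int(f[1]), "name": f[2], "offset": f[3],
            "threads": int(f[4]), "handles": int(f[5]),
            "exited": f[10] != "N/A",        # ExitTime column is set for dead processes
        })
    return rows


def hidden_processes(pslist_rows, psscan_rows):
    """Live processes psscan found that the EPROCESS list (pslist) does not show."""
    seen = {(r["pid"], r["name"]) for r in pslist_rows}
    return [r for r in psscan_rows
            if not r["exited"] and (r["pid"], r["name"]) not in seen]


def parent_anomalies(rows):
    """svchost.exe is started by services.exe; any other parent deserves a look."""
    services = {r["pid"] for r in rows if r["name"] == "services.exe"}
    return [r for r in rows if r["name"] == "svchost.exe" and r["ppid"] not in services]


def peer_handle_outliers(rows, factor=2.0, min_peers=3):
    """Processes whose handle count exceeds factor x the median of same-name peers."""
    groups = {}
    for r in rows:
        groups.setdefault(r["name"], []).append(r)
    flagged = []
    for peers in groups.values():
        if len(peers) < min_peers:
            continue
        med = median(p["handles"] for p in peers)
        flagged.extend(p for p in peers if p["handles"] > factor * med)
    return flagged


if __name__ == "__main__":
    pslist = parse_process_table(PSLIST_SAMPLE)
    psscan = parse_process_table(PSSCAN_SAMPLE)
    for r in hidden_processes(pslist, psscan):
        print(f"[hidden]  pid={r['pid']} {r['name']} is missing from pslist")
    for r in parent_anomalies(psscan):
        print(f"[parent]  pid={r['pid']} {r['name']} ppid={r['ppid']} is not services.exe")
    for r in peer_handle_outliers(pslist):
        print(f"[handles] pid={r['pid']} {r['name']} handles={r['handles']} far above peers")
```

The peer comparison is deliberately per image name: explorer.exe with 768 handles is normal for a shell, whereas an svchost.exe holding roughly two and a half times the median of its siblings stands out, which is exactly the observation made about PID 848. Real Volatility 3 output is tab-separated, and the parser's split() handles that as well as the space-separated copy above.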
Let's see what modules it has loaded: python vol.py -f quzheng.vmem windows.dlllist --pid 848
Volatility 3 Framework 2.5.0
Progress: 100.00 PDB scanning finished
PID Process Base Size Name Path LoadTime File output
848 svchost.exe 0xfff60000 0xb000 svchost.exe C:\Windows\system32\svchost.exe N/A Disabled
848 svchost.exe 0x76d10000 0x19f000 ntdll.dll C:\Windows\SYSTEM32\ntdll.dll N/A Disabled
848 svchost.exe 0x76bf0000 0x11f000 kernel32.dll C:\Windows\system32\kernel32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefce60000 0x6a000 KERNELBASE.dll C:\Windows\system32\KERNELBASE.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefede0000 0x9f000 msvcrt.dll C:\Windows\system32\msvcrt.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefd8e0000 0x1f000 sechost.dll C:\Windows\SYSTEM32\sechost.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefd650000 0x12c000 RPCRT4.dll C:\Windows\system32\RPCRT4.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefd900000 0x203000 ole32.dll C:\Windows\system32\ole32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefd5e0000 0x67000 GDI32.dll C:\Windows\system32\GDI32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x76af0000 0xfa000 USER32.dll C:\Windows\system32\USER32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefd010000 0xe000 LPK.dll C:\Windows\system32\LPK.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefef30000 0xc9000 USP10.dll C:\Windows\system32\USP10.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefef00000 0x2e000 IMM32.DLL C:\Windows\system32\IMM32.DLL 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefdb10000 0x109000 MSCTF.dll C:\Windows\system32\MSCTF.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefcad0000 0xf000 CRYPTBASE.dll C:\Windows\system32\CRYPTBASE.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefd780000 0xdb000 ADVAPI32.dll C:\Windows\system32\ADVAPI32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefaf10000 0xc2000 gpsvc.dll c:\windows\system32\gpsvc.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefbf70000 0x1b000 GPAPI.dll c:\windows\system32\GPAPI.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefee80000 0x52000 WLDAP32.dll C:\Windows\system32\WLDAP32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefca60000 0xb000 Secur32.dll c:\windows\system32\Secur32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefcaa0000 0x25000 SSPICLI.DLL C:\Windows\system32\SSPICLI.DLL 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefd5d0000 0x8000 NSI.dll C:\Windows\system32\NSI.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefca50000 0xa000 SYSNTFY.dll c:\windows\system32\SYSNTFY.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefaef0000 0x15000 nlaapi.dll c:\windows\system32\nlaapi.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefae90000 0x37000 profsvc.dll c:\windows\system32\profsvc.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefed00000 0xd7000 OLEAUT32.dll C:\Windows\system32\OLEAUT32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefbf90000 0x1e000 USERENV.dll c:\windows\system32\USERENV.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefcc40000 0xf000 profapi.dll c:\windows\system32\profapi.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefdc20000 0x71000 SHLWAPI.dll C:\Windows\system32\SHLWAPI.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefae70000 0x19000 ATL.DLL c:\windows\system32\ATL.DLL 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefcbe0000 0x14000 RpcRtRemote.dll C:\Windows\system32\RpcRtRemote.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefae20000 0x10000 themeservice.dll c:\windows\system32\themeservice.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefdcf0000 0x99000 CLBCatQ.DLL C:\Windows\system32\CLBCatQ.DLL 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefcc00000 0x3d000 WINSTA.dll C:\Windows\system32\WINSTA.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefc480000 0x18000 CRYPTSP.dll C:\Windows\system32\CRYPTSP.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefad90000 0xc000 dsrole.dll C:\Windows\system32\dsrole.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefad80000 0xb000 slc.dll C:\Windows\system32\slc.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefc180000 0x47000 rsaenh.dll C:\Windows\system32\rsaenh.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefac60000 0x14000 sens.dll c:\windows\system32\sens.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefdca0000 0x4d000 WS2_32.dll C:\Windows\system32\WS2_32.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefa5d0000 0x5e000 shsvcs.dll c:\windows\system32\shsvcs.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefcf90000 0x36000 CFGMGR32.dll C:\Windows\system32\CFGMGR32.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefa490000 0x112000 schedsvc.dll c:\windows\system32\schedsvc.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefbf30000 0xd000 pcwum.dll c:\windows\system32\pcwum.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefdd90000 0xd88000 SHELL32.dll C:\Windows\system32\SHELL32.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefa470000 0x16000 NETAPI32.dll c:\windows\system32\NETAPI32.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefa460000 0xc000 netutils.dll c:\windows\system32\netutils.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefc830000 0x23000 srvcli.dll c:\windows\system32\srvcli.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefa440000 0x15000 wkscli.dll c:\windows\system32\wkscli.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefc6e0000 0x6d000 wevtapi.dll c:\windows\system32\wevtapi.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefc6a0000 0x2f000 AUTHZ.dll c:\windows\system32\AUTHZ.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefc060000 0x39000 UBPM.dll c:\windows\system32\UBPM.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefa430000 0xa000 ktmw32.dll c:\windows\system32\ktmw32.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefade0000 0x35000 XmlLite.dll c:\windows\system32\XmlLite.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefeb20000 0x1d7000 SETUPAPI.dll C:\Windows\system32\SETUPAPI.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefcf70000 0x1a000 DEVOBJ.dll C:\Windows\system32\DEVOBJ.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefcfd0000 0x3b000 WINTRUST.dll C:\Windows\system32\WINTRUST.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefccf0000 0x16d000 CRYPT32.dll C:\Windows\system32\CRYPT32.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefcce0000 0xf000 MSASN1.dll C:\Windows\system32\MSASN1.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefc0a0000 0xa000 credssp.dll C:\Windows\system32\credssp.dll 2024-07-22 15:39:09.000000 Disabled
848 svchost.exe 0x7fefa290000 0x56000 FVEAPI.dll C:\Windows\system32\FVEAPI.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefa280000 0x9000 tbs.dll C:\Windows\system32\tbs.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefa270000 0x9000 FVECERTS.dll C:\Windows\system32\FVECERTS.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefc270000 0x30000 LOGONCLI.DLL C:\Windows\system32\LOGONCLI.DLL 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefa1f0000 0x77000 taskcomp.dll C:\Windows\system32\taskcomp.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefa1e0000 0xf000 wiarpc.dll C:\Windows\system32\wiarpc.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefbda0000 0xc000 VERSION.dll C:\Windows\system32\VERSION.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefb080000 0x2d000 ntmarta.dll C:\Windows\system32\ntmarta.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefc420000 0x55000 mswsock.dll C:\Windows\system32\mswsock.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefbe70000 0x7000 wshtcpip.dll C:\Windows\System32\wshtcpip.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefc410000 0x7000 wship6.dll C:\Windows\System32\wship6.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefb430000 0x1d000 SAMLIB.dll C:\Windows\system32\SAMLIB.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefc5e0000 0x32000 netjoin.dll C:\Windows\system32\netjoin.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefab00000 0x11000 WTSAPI32.dll C:\Windows\system32\WTSAPI32.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefb4a0000 0x1f4000 comctl32.dll C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fefb6b0000 0x12c000 PROPSYS.dll C:\Windows\system32\PROPSYS.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fef9600000 0x40000 wmisvc.dll c:\windows\system32\wbem\wmisvc.dll 2024-07-22 15:39:11.000000 Disabled
848 svchost.exe 0x7fef94a0000 0x86000 wbemcomn.dll C:\Windows\system32\wbemcomn.dll 2024-07-22 15:39:11.000000 Disabled
848 svchost.exe 0x7fef9590000 0x3d000 srvsvc.dll c:\windows\system32\srvsvc.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefaa40000 0x27000 IPHLPAPI.DLL c:\windows\system32\IPHLPAPI.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefaa20000 0xb000 WINNSI.DLL c:\windows\system32\WINNSI.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef9470000 0x25000 browser.dll c:\windows\system32\browser.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefb3d0000 0x56000 UxTheme.dll C:\Windows\system32\UxTheme.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef93d0000 0x92000 iphlpsvc.dll c:\windows\system32\iphlpsvc.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefbdb0000 0xbb000 FirewallAPI.dll c:\windows\system32\FirewallAPI.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefa860000 0x53000 fwpuclnt.dll c:\windows\system32\fwpuclnt.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefa090000 0x11000 rtutils.dll c:\windows\system32\rtutils.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef9540000 0x42000 sqmapi.dll c:\windows\system32\sqmapi.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef9380000 0x47000 WDSCORE.dll c:\windows\system32\WDSCORE.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef9530000 0x8000 SSCORE.DLL C:\Windows\system32\SSCORE.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef91c0000 0x50000 CLUSAPI.DLL C:\Windows\system32\CLUSAPI.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefc750000 0x14000 cryptdll.dll C:\Windows\system32\cryptdll.dll 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef91a0000 0x19000 RESUTILS.DLL C:\Windows\system32\RESUTILS.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefbfb0000 0x12000 devrtl.DLL C:\Windows\system32\devrtl.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef9840000 0x1b0000 VSSAPI.DLL C:\Windows\system32\VSSAPI.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fef9670000 0x17000 VssTrace.DLL C:\Windows\system32\VssTrace.DLL 2024-07-22 15:39:12.000000 Disabled
848 svchost.exe 0x7fefa2f0000 0x14000 samcli.dll C:\Windows\system32\samcli.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef9080000 0x1a000 NCI.dll C:\Windows\system32\NCI.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef9000000 0x74000 netprofm.dll C:\Windows\System32\netprofm.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fefc2a0000 0x5b000 DNSAPI.dll C:\Windows\system32\DNSAPI.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8ed0000 0x12f000 wbemcore.dll C:\Windows\system32\wbem\wbemcore.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8e60000 0x6f000 esscli.dll C:\Windows\system32\wbem\esscli.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef9250000 0xe2000 FastProx.dll C:\Windows\system32\wbem\FastProx.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef9220000 0x27000 NTDSAPI.dll C:\Windows\system32\NTDSAPI.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8e40000 0x14000 wbemsvc.dll C:\Windows\system32\wbem\wbemsvc.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8e10000 0x26000 wmiutils.dll C:\Windows\system32\wbem\wmiutils.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fefa630000 0x11000 dhcpcsvc6.DLL C:\Windows\system32\dhcpcsvc6.DLL 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fefa5b0000 0x18000 dhcpcsvc.DLL C:\Windows\system32\dhcpcsvc.DLL 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8d90000 0x73000 repdrvfs.dll C:\Windows\system32\wbem\repdrvfs.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8d80000 0x8000 rasadhlp.dll C:\Windows\system32\rasadhlp.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8d40000 0x15000 aelupsvc.dll c:\windows\system32\aelupsvc.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fefcb80000 0x57000 apphelp.dll C:\Windows\system32\apphelp.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8d30000 0xc000 npmproxy.dll C:\Windows\System32\npmproxy.dll 2024-07-22 15:39:13.000000 Disabled
848 svchost.exe 0x7fef8700000 0xbc000 wmiprvsd.dll C:\Windows\system32\wbem\wmiprvsd.dll 2024-07-22 15:39:17.000000 Disabled
848 svchost.exe 0x7fef86e0000 0x16000 NCObjAPI.DLL C:\Windows\system32\NCObjAPI.DLL 2024-07-22 15:39:17.000000 Disabled
848 svchost.exe 0x7fef8660000 0x7e000 wbemess.dll C:\Windows\system32\wbem\wbemess.dll 2024-07-22 15:39:17.000000 Disabled
848 svchost.exe 0x7fefbfd0000 0x1f000 SPINF.dll C:\Windows\system32\SPINF.dll 2024-07-22 15:39:20.000000 Disabled
848 svchost.exe 0x7fefcae0000 0x91000 SXS.DLL C:\Windows\system32\SXS.DLL 2024-07-22 15:39:25.000000 Disabled
848 svchost.exe 0x7fef4b30000 0x16000 ncprov.dll C:\Windows\system32\wbem\ncprov.dll 2024-07-22 15:40:04.000000 Disabled
848 svchost.exe 0x7fef42f0000 0x253000 wuaueng.dll c:\windows\system32\wuaueng.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef63f0000 0x27a000 ESENT.dll c:\windows\system32\ESENT.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef82f0000 0x71000 WINSPOOL.DRV c:\windows\system32\WINSPOOL.DRV 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef9a60000 0x71000 WINHTTP.dll c:\windows\system32\WINHTTP.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef99f0000 0x64000 webio.dll c:\windows\system32\webio.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef4ab0000 0x1b000 Cabinet.dll c:\windows\system32\Cabinet.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef4aa0000 0xf000 mspatcha.dll c:\windows\system32\mspatcha.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x76ec0000 0x7000 psapi.dll C:\Windows\system32\psapi.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fefc860000 0x8000 WMsgAPI.dll C:\Windows\system32\WMsgAPI.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef8850000 0x7c000 wer.dll C:\Windows\system32\wer.dll 2024-07-22 15:42:02.000000 Disabled
848 svchost.exe 0x7fef8510000 0x62000 RasApi32.dll C:\Windows\system32\RasApi32.dll 2024-07-22 15:48:34.000000 Disabled
848 svchost.exe 0x7fef84f0000 0x1c000 rasman.dll C:\Windows\system32\rasman.dll 2024-07-22 15:48:34.000000 Disabled
848 svchost.exe 0x7fefad10000 0x67000 ES.DLL C:\Windows\system32\ES.DLL 2024-07-22 15:48:34.000000 Disabled
848 svchost.exe 0x7fefad10000 0x67000 ES.DLL C:\Windows\system32\ES.DLL 2024-07-22 15:48:34.000000 Disabled
This line is rather suspicious: Windows does not ship this by default, which indicates it is the virus's module, at address 0x7fefad10000.
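Picking a module out of a list this long by name alone is error-prone, so a practitioner usually runs a few mechanical checks over the dlllist table first. The following Python is an added example, not code from the writeup: it parses the rows and reports modules recorded twice at the same base address (as ES.DLL is above), modules mapped long after the process was created (pslist shows PID 848 created at 15:39:08), modules whose path lies outside C:\Windows, and modules whose Name does not match the file name in Path. The rows are a subset of the output above; the final row tagged CONSTRUCTED is invented so the path and name checks have something to report.

```python
"""Mechanical triage of a windows.dlllist table for one process.

Added example, not part of the writeup. Rows are a subset of the writeup's
dlllist output for PID 848; the last row (marked CONSTRUCTED) is invented so
the path and name checks have something to report. The process creation time
is the one the writeup's pslist shows for PID 848.
"""
from collections import Counter
from datetime import datetime, timedelta

PROCESS_CREATED = datetime(2024, 7, 22, 15, 39, 8)   # pslist: PID 848 created 15:39:08

# Last row is CONSTRUCTED; everything else is copied from the writeup's output.
DLLLIST_SAMPLE = r"""
PID Process Base Size Name Path LoadTime File output
848 svchost.exe 0xfff60000 0xb000 svchost.exe C:\Windows\system32\svchost.exe N/A Disabled
848 svchost.exe 0x76d10000 0x19f000 ntdll.dll C:\Windows\SYSTEM32\ntdll.dll N/A Disabled
848 svchost.exe 0x76bf0000 0x11f000 kernel32.dll C:\Windows\system32\kernel32.dll 2024-07-22 15:39:08.000000 Disabled
848 svchost.exe 0x7fefb4a0000 0x1f4000 comctl32.dll C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll 2024-07-22 15:39:10.000000 Disabled
848 svchost.exe 0x7fef42f0000 0x253000 wuaueng.dll c:\windows\system32\wuaueng.dll 2024-07-22 15:41:16.000000 Disabled
848 svchost.exe 0x7fef8850000 0x7c000 wer.dll C:\Windows\system32\wer.dll 2024-07-22 15:42:02.000000 Disabled
848 svchost.exe 0x7fef8510000 0x62000 RasApi32.dll C:\Windows\system32\RasApi32.dll 2024-07-22 15:48:34.000000 Disabled
848 svchost.exe 0x7fef84f0000 0x1c000 rasman.dll C:\Windows\system32\rasman.dll 2024-07-22 15:48:34.000000 Disabled
848 svchost.exe 0x7fefad10000 0x67000 ES.DLL C:\Windows\system32\ES.DLL 2024-07-22 15:48:34.000000 Disabled
848 svchost.exe 0x7fefad10000 0x67000 ES.DLL C:\Windows\system32\ES.DLL 2024-07-22 15:48:34.000000 Disabled
848 svchost.exe 0x7fef4000000 0x9000 helper_constructed.dll C:\Users\Public\renamed_constructed.dll 2024-07-22 15:48:40.000000 Disabled
"""


def parse_dlllist(text):
    """Parse rows; LoadTime is either 'N/A' or a date and a time token."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or not t[0].isdigit():
            continue
        if t[-2] == "N/A":
            load, path = None, " ".join(t[5:-2])
        else:
            load = datetime.strptime(t[-3] + " " + t[-2], "%Y-%m-%d %H:%M:%S.%f")
            path = " ".join(t[5:-3])
        rows.append({"base": int(t[2], 16), "size": int(t[3], 16),
                     "name": t[4], "path": path, "load": load})
    return rows


def duplicate_entries(rows):
    """Same module listed more than once at the same base address."""
    counts = Counter((r["base"], r["name"]) for r in rows)
    return sorted({name for (base, name), n in counts.items() if n > 1})


def modules_outside_windows(rows, roots=("c:\\windows\\",)):
    """Modules whose on-disk path is not under the Windows directory."""
    return [r["name"] for r in rows if not r["path"].lower().startswith(roots)]


def name_path_mismatch(rows):
    """Module name that differs from the file name at the end of its path."""
    return [r["name"] for r in rows
            if r["name"].lower() != r["path"].rsplit("\\", 1)[-1].lower()]


def late_loads(rows, created=PROCESS_CREATED, after=timedelta(minutes=5)):
    """Modules mapped well after process start, i.e. not part of the initial load."""
    return sorted({r["name"] for r in rows if r["load"] and r["load"] - created > after})


if __name__ == "__main__":
    rows = parse_dlllist(DLLLIST_SAMPLE)
    print("listed twice at same base :", duplicate_entries(rows))
    print("loaded >5 min after start :", late_loads(rows))
    print("path outside C:\\Windows    :", modules_outside_windows(rows))
    print("name/path mismatch        :", name_path_mismatch(rows))
```

None of these checks is a verdict on its own; a late load from system32 can be a service starting on demand. They are there to shorten the list a human has to read and to pair each candidate with a reason before a dump of the module (windows.dumpfiles on the base address) is taken for closer analysis.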
Next, extract the password hashes: python vol.py -f quzheng.vmem windows.hashdump
Volatility 3 Framework 2.5.0
Progress: 100.00 PDB scanning finished
User rid lmhash nthash
Administrator 500 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Fc04dB 1000 aad3b435b51404eeaad3b435b51404ee 595e6c659822d30825b3ddb524e76bc3
Crack the NT hash:
W31c0me
E:\CTF\misc\tool\volatility3>python vol.py -f quzheng.vmem windows.filescan | findstr /i xiongmaoshaoxiang.exe
0x7d6eb070 100.0\Users\Fc04dB\Desktop\xiongmaoshaoxiang.exe 216
VIDAR{W31c0me_0x7d6eb070} (fill in the missing 0)
Challenge description:
Damn, I just discovered that my computer seems to have been taken over!
Please answer the following questions; wrap each answer in CBCTF{} and submit all answers in the submission box for this challenge.
(1) flag.txt
(2) What is my user password?
(3) The attacker tried to prank me by popping a calculator with Python, but it failed; find the flag in the command.
(4) The trojan's file name
(5) The reverse-connection address, e.g. CBCTF{127.0.0.1:80}
1) A plain string search for the flag gives the result directly.
2) python vol.py -f quzheng.vmem windows.hashdump
then crack the hash with hashcat.
3) We recovered several fragments:
python -c "eval(bytes.fromhex('657865632822613d5f5f6275696c74696
exec("a=__builtins__.__
6275696c74696e735f5f2e5f5f646963745f5f5b276279746573275d2
builtins__.__dict__['bytes']
2c39352c39352c34302c33392c3131312c3131352c33392c34312c34362c3131352c3132312c3131352c3131362
__('os').system
392c39372c3130382c39392c33392c34315d29292229'))"
9,97,108,99,9,41]"))
s.fromhex('657865632822613d5f5f6275696c74696e735f5f2e5f5f646963745f5f5b276279746573275d285b3
exec("a=__builtins__.__dict__['bytes']([
Initial guess: this is an attempt to avoid a plaintext invocation by hex-encoding the command, but none of the recovered fragments is complete.
So we search in reverse: since it has to call calc, the following string must be present:

Searching backwards from that, we did indeed find the maliciously constructed payload:

From which the complete payload was extracted:
3130322c3130382c39372c3130332c39352c3130352c3131302c39352c39392c3130392c3130302c3130382c3130352c3131302c3130312c39352c3131382c3130312c3131342c3132312c39352c3130312c39372c3131352c3132312c3132355d293b7072696e743d5f5f6275696c74696e735f5f2e5f5f646963745f5f5b276576616c275d3b7072696e74285f5f6275696c74696e735f5f2e5f5f646963745f5f5b276279746573275d285b39352c39352c3130352c3130392c3131322c3131312c3131342c3131362c39352c39352c34302c33392c3131312c3131352c33392c34312c34362c3131352c3132312c3131352c3131362c3130312c3130392c34302c33392c39392c39372c3130382c39392c33392c34315d29292229'))"
flag_in_cmdline_very_easy]);print=__builtins__.__dict__['eval'];print(__builtins__.__dict__['bytes']([95,95,105,109,112,111,114,116,95,95,40,39,111,115,39,41,46,115,121,115,116,101,109,40,39,99,97,108,99,39,41])))
This yields the flag.
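The payload above is layered: the outer python -c passes a hex string to bytes.fromhex(), the decoded text is exec'd, and inside it the interesting strings are spelled as bytes([...]) integer lists, with print rebound to __builtins__.__dict__['eval'] so that the innocuous-looking print(...) call actually evaluates the decoded string. When triaging such a command line, each layer should be peeled as data rather than run. The Python below is an added example, not code from the writeup: it takes the hex fragment extracted above, decodes the hex layer and every integer list statically, and lists the builtin rebindings and other obfuscation markers it finds, without executing any of it.

```python
"""Static decoder for the layered "python -c" payload recovered from memory.

Added example, not part of the writeup. It peels the hex layer and the
bytes([...]) integer lists purely as data, never executing anything, and
reports the builtin-rebinding and other obfuscation markers it sees.
PAYLOAD_HEX is the fragment the writeup extracted from the image.
"""
import re

PAYLOAD_HEX = (
    "3130322c3130382c39372c3130332c39352c3130352c3131302c39352c39392c3130392c3130302c3130382c"
    "3130352c3131302c3130312c39352c3131382c3130312c3131342c3132312c39352c3130312c39372c3131352c"
    "3132312c3132355d293b7072696e743d5f5f6275696c74696e735f5f2e5f5f646963745f5f5b276576616c275d3b"
    "7072696e74285f5f6275696c74696e735f5f2e5f5f646963745f5f5b276279746573275d285b"
    "39352c39352c3130352c3130392c3131322c3131312c3131342c3131362c39352c39352c34302c33392c3131312c"
    "3131352c33392c34312c34362c3131352c3132312c3131352c3131362c3130312c3130392c34302c33392c39392c"
    "39372c3130382c39392c33392c34315d29292229"
)

INT_LIST = re.compile(r"\d+(?:,\d+)+")
# name = __builtins__.__dict__['other']  -> one builtin masquerading as another
REBIND = re.compile(r"(\w+)\s*=\s*__builtins__\.__dict__\[['\"](\w+)['\"]\]")
INDICATORS = ("fromhex", "__builtins__.__dict__", "eval", "exec", ".system(", "__import__")


def decode_hex_layer(hex_text: str) -> str:
    """Layer 1: the argument of bytes.fromhex(), rendered as text."""
    return bytes.fromhex(hex_text).decode("latin-1")


def decode_int_lists(text: str):
    """Layer 2: every comma-separated run of byte values, as the string it spells."""
    found = []
    for m in INT_LIST.finditer(text):
        values = [int(v) for v in m.group().split(",")]
        if all(0 <= v < 256 for v in values):
            found.append(bytes(values).decode("latin-1"))
    return found


def builtin_rebindings(text: str):
    """(alias, real builtin) pairs such as ('print', 'eval')."""
    return REBIND.findall(text)


def indicators_present(*texts):
    blob = "\n".join(texts)
    return [i for i in INDICATORS if i in blob]


def analyse(hex_text: str):
    layer1 = decode_hex_layer(hex_text)
    strings = decode_int_lists(layer1)
    return {
        "layer1": layer1,
        "strings": strings,
        "rebindings": builtin_rebindings(layer1),
        "indicators": indicators_present(layer1, *strings),
    }


if __name__ == "__main__":
    report = analyse(PAYLOAD_HEX)
    print("layer 1 :", report["layer1"])
    for s in report["strings"]:
        print("decoded :", s)
    for alias, real in report["rebindings"]:
        print(f"rebind  : {alias} is really __builtins__['{real}']")
    print("markers :", ", ".join(report["indicators"]))
```

Run against the fragment, the two integer lists decode to the flag text and to the calc invocation, and the rebinding check surfaces the print-to-eval swap that makes the final print(...) execute rather than display its argument. For detection purposes, a command line containing both bytes.fromhex and __builtins__.__dict__ is a strong enough combination to alert on by itself, independent of what the inner layers decode to.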
4) and 5) Look directly at the network-related artefacts: a strange application was found establishing a TCP connection, and combined with the clue from 3), 192.168.88.1 is the malicious address. So we get:
Malware: fbf56526tcp.exe
Reverse-connection address: 192.168.88.1:8084
CBCTF{has_lots_of_ways_to_get_this_flag}
User: test
Password: q1w2e3r4t5 (ok)
Malware: fbf56526tcp.exe
Reverse-connection address: 192.168.88.1:8084