http://116.251.211.163/for/for4.zip
Password: vnsecurity.net
In this challenge, the goal is to find a backdoor in a Windows memory image.
I use the Volatility Framework to identify the threat. Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs, including XP, Server 2003, Vista, Server 2008, Server 2008 R2 and Windows 7.
http://code.google.com/p/volatility/
Now, let’s start!!!
To find the backdoor, list the processes and the DLLs each of them has loaded. To print the loaded DLLs with Volatility, use the dlllist plugin. It walks each process's PEB load-order module list, so a DLL that has been unlinked from that list will not show up here; the ldrmodules plugin cross-checks the three PEB lists against the VAD tree for that case.
volatility dlllist -f ab687c418a83c50e70d9622c18e8a95b.mem >> dlllist.txt
(If your Volatility build does not auto-detect the profile, run imageinfo first and pass --profile; the image is 32-bit XP SP3, as the "Service Pack 3" line and the 6.0.2600 WinSxS path in the output show.) Open dlllist.txt to view the loaded modules. The process of interest is winlogon.exe (PID 632):
Code:
************************************************************************
winlogon.exe pid: 632
Command line : winlogon.exe
Service Pack 3
Base Size Path
---------- ---------- ----
0x01000000 0x81000 \??\C:\WINDOWS\system32\winlogon.exe
0x7c900000 0xb2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x93000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 C:\WINDOWS\system32\Secur32.dll
0x776c0000 0x12000 C:\WINDOWS\system32\AUTHZ.dll
0x77c10000 0x58000 C:\WINDOWS\system32\msvcrt.dll
0x77a80000 0x95000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 0x12000 C:\WINDOWS\system32\MSASN1.dll
0x7e410000 0x91000 C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 C:\WINDOWS\system32\GDI32.dll
0x75940000 0x8000 C:\WINDOWS\system32\NDdeApi.dll
0x75930000 0xa000 C:\WINDOWS\system32\PROFMAP.dll
0x5b860000 0x56000 C:\WINDOWS\system32\NETAPI32.dll
0x769c0000 0xb4000 C:\WINDOWS\system32\USERENV.dll
0x76bf0000 0xb000 C:\WINDOWS\system32\PSAPI.DLL
0x76bc0000 0xf000 C:\WINDOWS\system32\REGAPI.dll
0x77920000 0xf3000 C:\WINDOWS\system32\SETUPAPI.dll
0x77c00000 0x8000 C:\WINDOWS\system32\VERSION.dll
0x76360000 0x10000 C:\WINDOWS\system32\WINSTA.dll
0x76c30000 0x2e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 0x28000 C:\WINDOWS\system32\IMAGEHLP.dll
0x71ab0000 0x17000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll
0x76390000 0x1d000 C:\WINDOWS\system32\IMM32.DLL
0x75970000 0xf8000 C:\WINDOWS\system32\MSGINA.dll
0x5d090000 0x9a000 C:\WINDOWS\system32\COMCTL32.dll
0x74320000 0x3e000 C:\WINDOWS\system32\ODBC32.dll
0x763b0000 0x49000 C:\WINDOWS\system32\comdlg32.dll
0x7c9c0000 0x818000 C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000 C:\WINDOWS\system32\SHLWAPI.dll
0x773d0000 0x103000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
0x00930000 0x17000 C:\WINDOWS\system32\odbcint.dll
0x776e0000 0x23000 C:\WINDOWS\system32\SHSVCS.dll
0x76bb0000 0x5000 C:\WINDOWS\system32\sfc.dll
0x76c60000 0x2a000 C:\WINDOWS\system32\sfc_os.dll
0x774e0000 0x13e000 C:\WINDOWS\system32\ole32.dll
0x77b40000 0x22000 C:\WINDOWS\system32\Apphelp.dll
0x755c0000 0x2e000 C:\WINDOWS\system32\msctfime.ime
0x723d0000 0x1c000 C:\WINDOWS\system32\WINSCARD.DLL
0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll
0x5ad70000 0x38000 C:\WINDOWS\system32\uxtheme.dll
0x76b40000 0x2d000 C:\WINDOWS\system32\WINMM.dll
0x76600000 0x1d000 C:\WINDOWS\system32\cscdll.dll
0x47020000 0x8000 C:\WINDOWS\System32\dimsntfy.dll
0x68000000 0x36000 C:\WINDOWS\system32\rsaenh.dll
0x75950000 0x1a000 C:\WINDOWS\system32\WlNotify.dll
0x71b20000 0x12000 C:\WINDOWS\system32\MPR.dll
0x73000000 0x26000 C:\WINDOWS\system32\WINSPOOL.DRV
0x010d0000 0x3c000 C:\WINDOWS\system32\WgaLogon.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x77690000 0x21000 C:\WINDOWS\system32\NTMARTA.DLL
0x71bf0000 0x13000 C:\WINDOWS\system32\SAMLIB.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76fd0000 0x7f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 0xc5000 C:\WINDOWS\system32\COMRes.dll
0x77a20000 0x54000 C:\WINDOWS\system32\cscui.dll
0x01370000 0x2c5000 C:\WINDOWS\system32\xpsp2res.dll
0x77c70000 0x25000 C:\WINDOWS\system32\msv1_0.dll
0x76790000 0xc000 C:\WINDOWS\system32\cryptdll.dll
0x76d60000 0x19000 C:\WINDOWS\system32\iphlpapi.dll
0x72d20000 0x9000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 0x8000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 0x15000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 0x7000 C:\WINDOWS\system32\midimap.dll
0x10000000 0x7000 C:\superkhung\GAOBackdoor.dll
0x78b60000 0x438000 C:\WINDOWS\system32\mfc100.dll
0x78aa0000 0xbf000 C:\WINDOWS\system32\MSVCR100.dll
0x76380000 0x5000 C:\WINDOWS\system32\MSIMG32.dll
0x5d360000 0xd000 C:\WINDOWS\system32\MFC100ENU.DLL
************************************************************************
The odd one out is C:\superkhung\GAOBackdoor.dll. Every other module of winlogon.exe lives under C:\WINDOWS, and this one is mapped at 0x10000000, the linker's default image base for DLLs, which Windows' own DLLs are built away from. Dump that module by its base address:
volatility dlldump -b 0x10000000 -p 632 -D D:\ctf\for4 -f ab687c418a83c50e70d9622c18e8a95b.mem
This writes module.632.645bda0.10000000.dll (the name encodes the PID, the offset of the process object and the module base).
Open it in a disassembler.
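The triage above was done by eye. As an added example (my own script, not part of the original write-up or of Volatility), the following parses dlllist text in the format shown and flags any module loaded from outside C:\WINDOWS or mapped at the linker's default DLL base, then prints the matching dlldump command. The sample input is a constructed excerpt of the listing above; the "trusted prefix" rule is an assumption that holds for this XP image (real triage would also check hashes and signatures, not just paths).

```python
import re

# Constructed excerpt of the dlllist output above (a handful of winlogon.exe
# rows, not the full dump), used as sample input so the script runs offline.
SAMPLE_DLLLIST = r"""
************************************************************************
winlogon.exe pid: 632
Command line : winlogon.exe
Service Pack 3
Base Size Path
---------- ---------- ----
0x01000000 0x81000 \??\C:\WINDOWS\system32\winlogon.exe
0x7c900000 0xb2000 C:\WINDOWS\system32\ntdll.dll
0x773d0000 0x103000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
0x10000000 0x7000 C:\superkhung\GAOBackdoor.dll
0x78b60000 0x438000 C:\WINDOWS\system32\mfc100.dll
************************************************************************
"""

PROC_RE = re.compile(r"^(\S+) pid:\s*(\d+)")
MOD_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")

# Assumption for this example: on the XP image every legitimate module of
# winlogon.exe lives under C:\WINDOWS. Real triage would also check hashes
# and Authenticode signatures rather than trust a path prefix.
TRUSTED_PREFIXES = ("c:\\windows\\",)
# Default image base the Microsoft linker gives DLLs; Windows' own DLLs are
# built with distinct bases, so a module sitting here was not rebased.
DEFAULT_DLL_BASE = 0x10000000


def normalize(path):
    """Strip the NT object-manager prefix (\\??\\) and lower-case for comparison."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_dlllist(text):
    """Parse dlllist text into [{name, pid, modules: [{base, size, path}]}]."""
    procs, cur = [], None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            cur = {"name": m.group(1), "pid": int(m.group(2)), "modules": []}
            procs.append(cur)
            continue
        m = MOD_RE.match(line)
        if m and cur is not None:
            cur["modules"].append({
                "base": int(m.group(1), 16),
                "size": int(m.group(2), 16),
                "path": m.group(3).strip(),
            })
    return procs


def triage(procs):
    """Flag modules loaded from outside the trusted tree or at the default base."""
    findings = []
    for proc in procs:
        for mod in proc["modules"]:
            reasons = []
            if not normalize(mod["path"]).startswith(TRUSTED_PREFIXES):
                reasons.append("loaded from outside C:\\WINDOWS")
            if mod["base"] == DEFAULT_DLL_BASE:
                reasons.append("mapped at the linker default base 0x10000000")
            if reasons:
                findings.append({"pid": proc["pid"], "process": proc["name"],
                                 "base": mod["base"], "path": mod["path"],
                                 "reasons": reasons})
    return findings


def dlldump_command(finding, memfile, outdir):
    """Build the Volatility 2 dlldump invocation for one finding."""
    return ("volatility dlldump -b 0x{:08x} -p {} -D {} -f {}"
            .format(finding["base"], finding["pid"], outdir, memfile))


if __name__ == "__main__":
    for f in triage(parse_dlllist(SAMPLE_DLLLIST)):
        print("{} (pid {}): {} -- {}".format(f["process"], f["pid"], f["path"],
                                           "; ".join(f["reasons"])))
        print("  " + dlldump_command(f, "ab687c418a83c50e70d9622c18e8a95b.mem",
                                     r"D:\ctf\for4"))
```

Run it against the real dlllist.txt by replacing SAMPLE_DLLLIST with the file's contents; on the sample it reports only GAOBackdoor.dll, for both reasons, and emits the same dlldump command used in the write-up.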
Next, I look for the encrypted key in the memory space of mspaint.exe.
To list the processes, use the pslist plugin:
volatility pslist -f ab687c418a83c50e70d9622c18e8a95b.mem
Only the mspaint.exe row of the output is shown:
Offset(V)  Name         PID  PPID  Thds  Hnds  Sess  Wow64  Start
---------- ------------ ---- ----- ----- ----- ----- ------ -------------------
0x85fd99e0 mspaint.exe   988  1560     3   112     0      0 2012-11-23 04:27:27
Dump the process's memory regions by PID and search them for the key:
volatility vaddump -p 988 -f ab687c418a83c50e70d9622c18e8a95b.mem -D D:\ctf\for4\mspaint
vaddump writes one file per VAD region, named after the process, its offset and the region's start and end addresses. Open mspaint.exe.5fd99e0.0x00cd0000-0x00cd0fff.dmp (a single 4 KiB page) and XOR its bytes with 0x90.
You get the key: Th1s_0ne_1s_n0t_3asy_f0r3ns1c
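As an added example (my own code, not from the original write-up), the script below does the XOR-and-look-for-strings step and goes one step further than the page: instead of assuming the key byte 0x90 is known, it tries every single-byte key and ranks them by the longest run of identifier-like characters the decoded bytes contain. The sample region is constructed (pseudo-random filler from a SHA-256 counter with the XOR-encoded key dropped in at an arbitrary offset); point it at the real vaddump file instead by passing the path on the command line.

```python
import hashlib
import string

PRINTABLE = set(range(0x20, 0x7f))
WORDLIKE = set((string.ascii_letters + string.digits + "_").encode())


def xor_bytes(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def byte_runs(data, min_len=8, allowed=PRINTABLE):
    """Return maximal runs of bytes from `allowed` that are at least min_len long."""
    runs, cur = [], bytearray()
    for b in data:
        if b in allowed:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def decode_with_key(data, key, min_len=8):
    """What the write-up does: XOR the region with the known key, list strings."""
    return byte_runs(xor_bytes(data, key), min_len)


def rank_single_byte_keys(data, min_len=8, top=5):
    """Generalisation: try all 255 non-zero keys and score each by its longest
    run of [A-Za-z0-9_] characters. Plain 'printable' scoring is a poor tie
    breaker because keys differing from the right one only in the low bits
    map letters to letters; underscores and digits break those near-misses."""
    scored = []
    for key in range(1, 256):
        strs = byte_runs(xor_bytes(data, key), min_len, WORDLIKE)
        if strs:
            best = max(strs, key=len)
            scored.append((len(best), key, best))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored[:top]


def build_sample_region(plaintext=b"Th1s_0ne_1s_n0t_3asy_f0r3ns1c", key=0x90,
                        size=0x1000, offset=0x2c0):
    """Constructed stand-in for mspaint.exe's 0x00cd0000 page: deterministic
    pseudo-random filler with the XOR-encoded key placed at `offset`."""
    filler = b"".join(hashlib.sha256(b"for4-filler-%d" % i).digest()
                      for i in range(size // 32))
    region = bytearray(filler[:size])
    region[offset:offset + len(plaintext)] = xor_bytes(plaintext, key)
    return bytes(region)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. mspaint.exe.5fd99e0.0x00cd0000-0x00cd0fff.dmp from vaddump
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_region()
    for s in decode_with_key(data, 0x90):
        print("key 0x90:", s)
    for length, key, best in rank_single_byte_keys(data):
        print("candidate key 0x{:02x}: {} ({} chars)".format(key, best, length))
```

The ranking is a heuristic: a single-byte XOR of ASCII text with a key such as 0x96 still yields letters and digits for many characters, so the top candidates should always be read, not just the first one.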
