๐’ƒ๐’†๐’‚๐’–๐’•๐’š ๐’Š๐’๐’•๐’†๐’๐’๐’Š๐’ˆ๐’†๐’๐’•
๋ฉ”๋ชจ๋ฆฌ ํฌ๋ Œ์‹์—์„œ volatility ๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด์„œ ... :)

๋ฉ”๋ชจ๋ฆฌ ํฌ๋ Œ์‹์— ๋น ์ ธ์„œ ์š”์ฆ˜ ๊ณต๋ถ€ํ•˜๋‹ค๊ฐ€ volatility๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๋„์ค‘ ์˜๋ฌธ์ด ๋“ค์—ˆ๋‹ค. ์˜๋ฌธ์ด๋ผ๊ธฐ ๋ณด๋‹จ ์ž˜ ๋ณด์ง€ ์•Š์•„ ์ƒ๊ธด ๋ฌธ์ œ์ด์ง€๋งŒ ... ๋จผ์ € imageinfo ๋ฅผ ํ•˜์—ฌ ๋ฉ”๋ชจ๋ฆฌ๋คํ”„์˜ ํ”„๋กœํŒŒ์ผ์„ ํ™•์ธ ํ• ์ˆ˜์žˆ๋‹ค...์—ฌ๊ธฐ์„œ ์˜๋ฌธ์ด ๋“ค์—ˆ๋Š”๋ฐ ........ ๋‘๋‘ฅ !!! BoB.vmem ํŒŒ์ผ์˜ ํ”„๋กœํŒŒ์ผ์€ windows XPSP2x86๊ณผ XPSP3x86 2๊ฐœ๊ฐ€ ๋‚˜์˜จ๋‹ค... ๋ฌผ๋ก  ์•„๋Š” ์‚ฌ๋žŒ๋„ ์žˆ๋‹ค. ์–ด๋–ป๊ฒŒ ์„œ๋น„์ŠคํŒฉ์„ ์ฐพ์•„๋‚ด๋Š”์ง€... ๋ˆˆ์ด์žˆ๋‹ค๋ฉด ์•ˆ๋‹ค... ๋‚œ ๋ˆˆ์ด์—†์—ˆ๋‹ค.๊ทธ๋ž˜์„œ ๋ช…๋ น์–ด๋ฅผ ํ†ตํ•ด์„œ ์•Œ์•„ ๋ดค๋‹ค. ์–ด๋–ป๊ฒŒ? dlllist | grep xpsp2

seccon2016 - Memory Analysis_100
Wargame/CTF(Capture The Flag) 2016. 12. 13. 22:24

Memory Analysis (100 points): Find the website that the fake svchost is accessing. You can get the flag if you access the website!! memoryanalysis.zip The challenge files are huge, please download it first. Hint1: http://www.volatilityfoundation.org/ Hint2: Check the hosts file. password: fjliejflsjiejlsiejee33cnc This is the challenge ... When you download the file, you get a single image file. Looking at hint 1, it looks like it is solved using Volatility. First, ..

How to use volatility 3

printkey ์ด ๋ช…๋ น์–ด๋Š” ๋ ˆ์ง€์ŠคํŠธ๋ฆฌ ํ‚ค๊ฐ’์„ ๋ณด์—ฌ์ค€๋‹ค. netscan์ด ๋ช…๋ น์–ด๋Š” ํ™œ์„ฑํ™”๋œ ๋„คํŠธ์›Œํฌ ์ •๋ณด๋ฅผ ์•Œ๋ ค์ค€๋‹ค.(windows 7์—์„œ๋งŒ ์‚ฌ์šฉ๊ฐ€๋Šฅ) connections๋ช…๋ น์–ด๋ฅผ ์ด์šฉํ•˜์—ฌ ๋„คํŠธ์›Œํฌ๋ฅผ ๊ฒ€์‚ฌํ•œ๋‹ค.์—ฌ๊ธฐ์„œ ๋” ์ž์„ธํžˆ ์•Œ๊ธฐ์œ„ํ•ด ๋ฐ‘์˜ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค. connscan ์ด ๋ช…๋ น์–ด๋Š” ์œ„์˜ ๋ช…๋ น์–ด์™€ ๊ฐ™์ง€๋งŒ ์ด๋ฏธ ๋Š์–ด์ง„ ๋„คํŠธ์›Œํฌ๋„ ๋‚˜ํƒ€๋‚ด ์ค€๋‹ค. ] yarascan์ด๋ช…๋ น์–ด๋Š” yara๋ฅผ ์ด์šฉํ•˜์—ฌ ์œ ๋‹ˆ์ฝ”๋“œ ๋“ฑ์„ ๊ฒ€์ƒ‰ํ•˜์—ฌ ์ค€๋‹ค.

How to use volatility 2

kpcrscan์ด๋Š” Finding Object Roots in Vista ์— ๋ฌ˜์‚ฌ๋œ ๊ฒƒ์ฒ˜๋Ÿผ ์ž์ฒด์ฐธ์กฐ ๋ฉค๋ฒ„๋“ค์„ ์ฒดํฌํ•จ์œผ๋กœ์จ ์ž ์žฌ์  KPCR ๊ตฌ์กฐ๋“ค์„ ์Šค์บ”ํ•˜๊ธฐ ์œ„ํ•˜์—ฌ ์‚ฌ์šฉ๋˜๋Š” ๋ช…๋ น์–ด์ด๋‹ค.IDT ์™€ GDT ์ฃผ์†Œ, current,idle, ๊ทธ๋ฆฌ๊ณ  ๋‹ค์Œ ์“ฐ๋ ˆ๋“œ๋“ค, CPU ์ˆซ์ž, ๋ฒค๋”&์†๋„, ๊ทธ๋ฆฌ๊ณ  CR3 ๊ฐ’๋“ค์„ ํฌํ•จํ•˜๋Š” ๊ฐ๊ฐ์˜ ํ”„๋กœ์„ธ์„œ์— ๋Œ€ํ•œ ์ž์„ธํ•œ ์„ธ๋ถ€ ์ •๋ณด๋“ค์— ๋Œ€ํ•ด ์•Œ์•„๋ณด๊ธฐ ์œ„ํ•ด ์‚ฌ์šฉํ•œ๋‹ค. ๋˜ํ•œ ์ด๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜๊ธฐ ์œ„ํ•ด profile์ด๋ž€ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•ด์•ผํ•˜๋Š”๋ฐ. profile ์€ imageinfo๋ช…๋ น์–ด๋ฅผ ์ด์šฉํ•˜์—ฌ ์•Œ์ˆ˜์žˆ๋‹ค. pslist์ด ๋ช…๋ น์–ด๋Š” ์‹œ์Šคํ…œ์˜ ํ”„๋กœ์„ธ์Šค๋“ค์„ ๋ณด์—ฌ์ค€๋‹ค. PsActiveProcessHead ๋ฅผ ๊ฐ€๋ฆฌํ‚ค๋Š” ์ด์ค‘์—ฐ๊ฒฐ๋ฆฌ์ŠคํŠธ๋ฅผ ์ง€๋‚˜๊ฐ€๋ฉฐ ์˜คํ”„์…‹, ํ”„๋กœ์„ธ์Šค ์ด๋ฆ„, ํ”„๋กœ์„ธ์Šค ID, ๋ถ€๋ชจ ํ”„๋กœ์„ธ์Šค ID..
