h_noson's diary

Competitive programming and other things

Trend Micro CTF 2017 Forensic 200 Writeup

A memory forensics challenge.

First, poke around the image with Volatility and see what it contains.

% volatility -f VictimMemory.img imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/program/ctf/tmctf/2017/Forensic200/VictimMemory.img)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8333ec28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x8333fc00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2017-04-11 02:35:28 UTC+0000
     Image local date and time : 2017-04-11 11:35:28 +0900

% volatility -f VictimMemory.img --profile=Win7SP0x86 pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x89d8a530:wininit.exe                               412    344      3     78 2017-04-11 02:27:45 UTC+0000
. 0x88a0c030:lsass.exe                                516    412      7    547 2017-04-11 02:27:48 UTC+0000
. 0x88a056d8:services.exe                             508    412      7    220 2017-04-11 02:27:47 UTC+0000
.. 0x869fa6c0:VSSVC.exe                              2304    508     12    194 2017-04-11 02:33:08 UTC+0000
.. 0x89d91030:svchost.exe                            1288    508     17    304 2017-04-11 02:28:00 UTC+0000
.. 0x86d7b030:VGAuthService.                         1424    508      3     87 2017-04-11 02:28:03 UTC+0000
.. 0x89d6b030:mscorsvw.exe                           3096    508      6     74 2017-04-11 02:30:34 UTC+0000
.. 0x88bd3a98:msdtc.exe                              1420    508     14    150 2017-04-11 02:28:28 UTC+0000
.. 0x88a4bcd8:vmacthlp.exe                            676    508      3     53 2017-04-11 02:27:52 UTC+0000
.. 0x88a808a0:svchost.exe                             808    508     20    465 2017-04-11 02:27:53 UTC+0000
... 0x88aa7130:audiodg.exe                            952    808      4    122 2017-04-11 02:27:55 UTC+0000
.. 0x869b6030:msiexec.exe                            3612    508      9    278 2017-04-11 02:34:25 UTC+0000
.. 0x89c0fb78:svchost.exe                            1668    508      8     92 2017-04-11 02:28:12 UTC+0000
.. 0x86986030:sppsvc.exe                             3264    508      4    146 2017-04-11 02:30:44 UTC+0000
.. 0x89a3b8e0:SearchIndexer.                         2376    508     12    576 2017-04-11 02:29:03 UTC+0000
.. 0x88a87518:svchost.exe                             844    508     18    419 2017-04-11 02:27:53 UTC+0000
... 0x88b91030:dwm.exe                                568    844      3     70 2017-04-11 02:28:22 UTC+0000
.. 0x86dcf2d0:vmtoolsd.exe                           1484    508      8    289 2017-04-11 02:28:07 UTC+0000
.....
.....
 0x88bbaab8:explorer.exe                              940    356     31    865 2017-04-11 02:28:23 UTC+0000
. 0x8691c030:cmd.exe                                 4080    940      1     20 2017-04-11 02:32:02 UTC+0000
.. 0x88abfa78:svchost.exe                            3828   4080      1      7 2017-04-11 02:35:18 UTC+0000
. 0x88bca030:vmtoolsd.exe                            2216    940      6    191 2017-04-11 02:28:51 UTC+0000

% volatility -f VictimMemory.img --profile=Win7SP0x86 cmdscan
Volatility Foundation Volatility Framework 2.5
**************************************************
CommandProcess: conhost.exe Pid: 1868
CommandHistory: 0x31e818 Application: svchost.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x190
Cmd #11 @ 0x10000: ?????
Cmd #37 @ 0x10000: ?????
**************************************************
CommandProcess: conhost.exe Pid: 1868
CommandHistory: 0x33a338 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #0 @ 0x33a700: cd %temp%
Cmd #1 @ 0x2d3b38: svchost.exe 1.tmp 0x0 1

cmd.exe is spawned from explorer.exe, and it in turn runs svchost.exe 1.tmp 0x0 1. An svchost.exe whose parent is cmd.exe rather than services.exe (PID 3828 under 4080 in the pstree output above) is clearly suspicious, so dump both files and analyze them.

% volatility -f VictimMemory.img --profile=Win7SP0x86 filescan | grep -e svchost.exe -e 1.tmp
Volatility Foundation Volatility Framework 2.5
0x000000000a0c07c0     10      1 R--rw- \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
0x000000000b3f2588      8      0 R--r-d \Device\HarddiskVolume1\Windows\System32\svchost.exe
0x000000000f26fa68      2      0 R--r-- \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe
0x000000000f342ad0      6      0 R--r-d \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe

% volatility -f VictimMemory.img --profile=Win7SP0x86 dumpfiles --dump-dir dumpdir -Q 0x000000000f26fa68
Volatility Foundation Volatility Framework 2.5
ImageSectionObject 0x0f26fa68   None   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe
DataSectionObject 0x0f26fa68   None   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe

% volatility -f VictimMemory.img --profile=Win7SP0x86 dumpfiles --dump-dir dumpdir -Q 0x000000000a0c07c0
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x0a0c07c0   None   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
SharedCacheMap 0x0a0c07c0   None   \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp

Opening svchost.exe in IDA shows that it writes the contents of 1.tmp into a region obtained with VirtualAlloc and then runs that region in a new thread. In other words, 1.tmp is shellcode.

[Two IDA screenshots omitted: the VirtualAlloc call and the thread that executes the copied 1.tmp contents]

1.tmp disassembles to the following shellcode.

   0:   55                      push   ebp
   1:   89 e5                   mov    ebp,esp
   3:   83 ec 60                sub    esp,0x60
   6:   c6 45 da a8             mov    BYTE PTR [ebp-0x26],0xa8
   a:   c6 45 db ff             mov    BYTE PTR [ebp-0x25],0xff
   e:   c6 45 dc 88             mov    BYTE PTR [ebp-0x24],0x88
  12:   c6 45 dd d0             mov    BYTE PTR [ebp-0x23],0xd0
  16:   c6 45 de b2             mov    BYTE PTR [ebp-0x22],0xb2
  1a:   c6 45 df f6             mov    BYTE PTR [ebp-0x21],0xf6
  1e:   c6 45 e0 f8             mov    BYTE PTR [ebp-0x20],0xf8
  22:   c6 45 e1 ea             mov    BYTE PTR [ebp-0x1f],0xea
  26:   c6 45 e2 ff             mov    BYTE PTR [ebp-0x1e],0xff
  2a:   c6 45 e3 ff             mov    BYTE PTR [ebp-0x1d],0xff
  2e:   c6 45 e4 d2             mov    BYTE PTR [ebp-0x1c],0xd2
  32:   c6 45 e5 ff             mov    BYTE PTR [ebp-0x1b],0xff
  36:   c6 45 e6 ff             mov    BYTE PTR [ebp-0x1a],0xff
  3a:   c6 45 e7 c2             mov    BYTE PTR [ebp-0x19],0xc2
  3e:   c6 45 e8 dc             mov    BYTE PTR [ebp-0x18],0xdc
  42:   c6 45 e9 c2             mov    BYTE PTR [ebp-0x17],0xc2
  46:   c6 45 ea d8             mov    BYTE PTR [ebp-0x16],0xd8
  4a:   c6 45 eb ff             mov    BYTE PTR [ebp-0x15],0xff
  4e:   c6 45 ec f6             mov    BYTE PTR [ebp-0x14],0xf6
  52:   c6 45 ed ff             mov    BYTE PTR [ebp-0x13],0xff
  56:   c6 45 ee fa             mov    BYTE PTR [ebp-0x12],0xfa
  5a:   c6 45 ef ff             mov    BYTE PTR [ebp-0x11],0xff
  5e:   c6 45 bc 55             mov    BYTE PTR [ebp-0x44],0x55
  62:   c6 45 bd 8b             mov    BYTE PTR [ebp-0x43],0x8b
  66:   c6 45 be ec             mov    BYTE PTR [ebp-0x42],0xec
  6a:   c6 45 bf 51             mov    BYTE PTR [ebp-0x41],0x51
  6e:   c6 45 c0 e8             mov    BYTE PTR [ebp-0x40],0xe8
  72:   c6 45 c1 00             mov    BYTE PTR [ebp-0x3f],0x0
  76:   c6 45 c2 00             mov    BYTE PTR [ebp-0x3e],0x0
  7a:   c6 45 c3 00             mov    BYTE PTR [ebp-0x3d],0x0
  7e:   c6 45 c4 00             mov    BYTE PTR [ebp-0x3c],0x0
  82:   c6 45 c5 58             mov    BYTE PTR [ebp-0x3b],0x58
  86:   c6 45 c6 2d             mov    BYTE PTR [ebp-0x3a],0x2d
  8a:   c6 45 c7 52             mov    BYTE PTR [ebp-0x39],0x52
  8e:   c6 45 c8 1f             mov    BYTE PTR [ebp-0x38],0x1f
  92:   c6 45 c9 34             mov    BYTE PTR [ebp-0x37],0x34
  96:   c6 45 ca 01             mov    BYTE PTR [ebp-0x36],0x1
  9a:   c6 45 cb 2d             mov    BYTE PTR [ebp-0x35],0x2d
  9e:   c6 45 cc 52             mov    BYTE PTR [ebp-0x34],0x52
  a2:   c6 45 cd 1f             mov    BYTE PTR [ebp-0x33],0x1f
  a6:   c6 45 ce 34             mov    BYTE PTR [ebp-0x32],0x34
  aa:   c6 45 cf 01             mov    BYTE PTR [ebp-0x31],0x1
  ae:   c6 45 d0 e8             mov    BYTE PTR [ebp-0x30],0xe8
  b2:   c6 45 d1 00             mov    BYTE PTR [ebp-0x2f],0x0
  b6:   c6 45 d2 00             mov    BYTE PTR [ebp-0x2e],0x0
  ba:   c6 45 d3 00             mov    BYTE PTR [ebp-0x2d],0x0
  be:   c6 45 d4 00             mov    BYTE PTR [ebp-0x2c],0x0
  c2:   c6 45 d5 90             mov    BYTE PTR [ebp-0x2b],0x90
  c6:   c6 45 d6 90             mov    BYTE PTR [ebp-0x2a],0x90
  ca:   c6 45 d7 c9             mov    BYTE PTR [ebp-0x29],0xc9
  ce:   c6 45 d8 c3             mov    BYTE PTR [ebp-0x28],0xc3
  d2:   c6 45 d9 cc             mov    BYTE PTR [ebp-0x27],0xcc
  d6:   c6 45 a6 00             mov    BYTE PTR [ebp-0x5a],0x0
  da:   c6 45 a7 5b             mov    BYTE PTR [ebp-0x59],0x5b
  de:   c6 45 a8 00             mov    BYTE PTR [ebp-0x58],0x0
  e2:   c6 45 a9 00             mov    BYTE PTR [ebp-0x57],0x0
  e6:   c6 45 aa 00             mov    BYTE PTR [ebp-0x56],0x0
  ea:   c6 45 ab 00             mov    BYTE PTR [ebp-0x55],0x0
  ee:   c6 45 ac 00             mov    BYTE PTR [ebp-0x54],0x0
  f2:   c6 45 ad 00             mov    BYTE PTR [ebp-0x53],0x0
  f6:   c6 45 ae 2b             mov    BYTE PTR [ebp-0x52],0x2b
  fa:   c6 45 af 17             mov    BYTE PTR [ebp-0x51],0x17
  fe:   c6 45 b0 00             mov    BYTE PTR [ebp-0x50],0x0
 102:   c6 45 b1 19             mov    BYTE PTR [ebp-0x4f],0x19
 106:   c6 45 b2 3f             mov    BYTE PTR [ebp-0x4e],0x3f
 10a:   c6 45 b3 00             mov    BYTE PTR [ebp-0x4d],0x0
 10e:   c6 45 b4 00             mov    BYTE PTR [ebp-0x4c],0x0
 112:   c6 45 b5 00             mov    BYTE PTR [ebp-0x4b],0x0
 116:   c6 45 b6 00             mov    BYTE PTR [ebp-0x4a],0x0
 11a:   c6 45 b7 03             mov    BYTE PTR [ebp-0x49],0x3
 11e:   c6 45 b8 00             mov    BYTE PTR [ebp-0x48],0x0
 122:   c6 45 b9 13             mov    BYTE PTR [ebp-0x47],0x13
 126:   c6 45 ba 00             mov    BYTE PTR [ebp-0x46],0x0
 12a:   c6 45 bb 05             mov    BYTE PTR [ebp-0x45],0x5
 12e:   c7 45 fc 16 00 00 00    mov    DWORD PTR [ebp-0x4],0x16
 135:   c7 45 f4 00 00 00 00    mov    DWORD PTR [ebp-0xc],0x0
 13c:   c7 45 f0 00 00 00 00    mov    DWORD PTR [ebp-0x10],0x0
 143:   8b 45 f0                mov    eax,DWORD PTR [ebp-0x10]
 146:   83 f8 16                cmp    eax,0x16
 149:   73 70                   jae    1bb
 14b:   8d 55 da                lea    edx,[ebp-0x26]
 14e:   8b 45 f0                mov    eax,DWORD PTR [ebp-0x10]
 151:   01 d0                   add    eax,edx
 153:   0f b6 00                movzx  eax,BYTE PTR [eax]
 156:   0f b6 c0                movzx  eax,al
 159:   89 45 f8                mov    DWORD PTR [ebp-0x8],eax
 15c:   8d 55 a6                lea    edx,[ebp-0x5a]
 15f:   8b 45 f0                mov    eax,DWORD PTR [ebp-0x10]
 162:   01 d0                   add    eax,edx
 164:   0f b6 00                movzx  eax,BYTE PTR [eax]
 167:   0f b6 c0                movzx  eax,al
 16a:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax
 16d:   83 7d f4 00             cmp    DWORD PTR [ebp-0xc],0x0
 171:   7e 0a                   jle    17d
 173:   83 45 f8 01             add    DWORD PTR [ebp-0x8],0x1
 177:   83 6d f4 01             sub    DWORD PTR [ebp-0xc],0x1
 17b:   eb f0                   jmp    16d
 17d:   8b 45 fc                mov    eax,DWORD PTR [ebp-0x4]
 180:   83 e8 01                sub    eax,0x1
 183:   0f b6 44 05 bc          movzx  eax,BYTE PTR [ebp+eax*1-0x44]
 188:   0f b6 c0                movzx  eax,al
 18b:   29 45 f8                sub    DWORD PTR [ebp-0x8],eax
 18e:   8b 45 fc                mov    eax,DWORD PTR [ebp-0x4]
 191:   83 e8 01                sub    eax,0x1
 194:   0f b6 44 05 bc          movzx  eax,BYTE PTR [ebp+eax*1-0x44]
 199:   0f b6 c0                movzx  eax,al
 19c:   31 45 f8                xor    DWORD PTR [ebp-0x8],eax
 19f:   d1 7d f8                sar    DWORD PTR [ebp-0x8],1
 1a2:   8b 45 f8                mov    eax,DWORD PTR [ebp-0x8]
 1a5:   89 c1                   mov    ecx,eax
 1a7:   8d 55 da                lea    edx,[ebp-0x26]
 1aa:   8b 45 f0                mov    eax,DWORD PTR [ebp-0x10]
 1ad:   01 d0                   add    eax,edx
 1af:   88 08                   mov    BYTE PTR [eax],cl
 1b1:   83 6d fc 01             sub    DWORD PTR [ebp-0x4],0x1
 1b5:   83 45 f0 01             add    DWORD PTR [ebp-0x10],0x1
 1b9:   eb 88                   jmp    143
 1bb:   90                      nop
 1bc:   c9                      leave
 1bd:   c3                      ret

Running this in a debugger and breaking just before the ret yields the flag.

 [----------------------------------registers-----------------------------------]
EAX: 0x16
EBX: 0x0
ECX: 0x7d ('}')
EDX: 0xffffdae2 ("TMCTF{static_analyzer}\026")
ESI: 0xf7fc3000 --> 0x1afdb0
EDI: 0xf7fc3000 --> 0x1afdb0
EBP: 0x0
ESP: 0xffffdb0c --> 0xf7e2b637 (<__libc_start_main+247>:        add    esp,0x10)
EIP: 0x804859d (<end+2>:        ret)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048599 <next+60>: jmp    0x8048523 <loop>
   0x804859b <end>:     nop
   0x804859c <end+1>:   leave
=> 0x804859d <end+2>:   ret
   0x804859e <end+3>:   xchg   ax,ax
   0x80485a0 <__libc_csu_init>: push   ebp
   0x80485a1 <__libc_csu_init+1>:       push   edi
   0x80485a2 <__libc_csu_init+2>:       push   esi
[------------------------------------stack-------------------------------------]
0000| 0xffffdb0c --> 0xf7e2b637 (<__libc_start_main+247>:       add    esp,0x10)
0004| 0xffffdb10 --> 0x1
0008| 0xffffdb14 --> 0xffffdba4 --> 0xffffdcc7 ("/program/ctf/tmctf/2017/Forensic200/test")
0012| 0xffffdb18 --> 0xffffdbac --> 0xffffdcf0 ("LOGNAME=ubuntu")
0016| 0xffffdb1c --> 0x0
0020| 0xffffdb20 --> 0x0
0024| 0xffffdb24 --> 0x0
0028| 0xffffdb28 --> 0xf7fc3000 --> 0x1afdb0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x0804859d in end ()
gdb-peda$

flag: TMCTF{static_analyzer}
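As a static cross-check of the debugger result, here is an added Python re-implementation of the decode loop at 0x143..0x1b9 (not part of the original writeup). The three byte arrays are transcribed from the mov BYTE PTR stores in the disassembly above; nothing else is assumed.

```python
# Added example: a static re-implementation of the decode loop in the 1.tmp
# disassembly (not the challenge author's code). The byte arrays below are
# transcribed from the mov BYTE PTR [ebp-...] stores in the shellcode.

# 22 encoded flag bytes at ebp-0x26 .. ebp-0x11 (the array the loop rewrites in place).
ENC = bytes([
    0xa8, 0xff, 0x88, 0xd0, 0xb2, 0xf6, 0xf8, 0xea, 0xff, 0xff, 0xd2,
    0xff, 0xff, 0xc2, 0xdc, 0xc2, 0xd8, 0xff, 0xf6, 0xff, 0xfa, 0xff,
])
# Key bytes at ebp-0x44 upward. Only key[0..21] are ever read, via key[n-1]
# with n counting down from 0x16; the trailing 90 90 c9 c3 cc are unused.
KEY = bytes([
    0x55, 0x8b, 0xec, 0x51, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x58, 0x2d,
    0x52, 0x1f, 0x34, 0x01, 0x2d, 0x52, 0x1f, 0x34, 0x01, 0xe8, 0x00,
    0x00, 0x00, 0x00, 0x90, 0x90, 0xc9, 0xc3, 0xcc,
])
# Per-byte increment counts at ebp-0x5a .. ebp-0x45: the inner cmp/jle loop
# at 0x16d..0x17b adds 1 to the working byte this many times.
SKIP = bytes([
    0x00, 0x5b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2b, 0x17, 0x00,
    0x19, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x13, 0x00, 0x05,
])


def decode(enc: bytes, key: bytes, skip: bytes) -> bytes:
    """Mirror the outer loop: for byte i with n = len(enc) - i,
    c = enc[i] + skip[i]; c -= key[n-1]; c ^= key[n-1]; c >>= 1 (sar);
    store the low byte back into enc[i]."""
    out = bytearray(enc)
    n = len(enc)                 # [ebp-0x4]: starts at 0x16 and counts down
    for i in range(len(enc)):    # [ebp-0x10]: loop index, exits when == 0x16
        c = out[i] + skip[i]     # [ebp-0x8] is 32-bit, so this does not wrap at 0xff
        k = key[n - 1]           # movzx eax, BYTE PTR [ebp+eax*1-0x44] with eax = n-1
        c -= k                   # sub [ebp-0x8], eax: may go negative as signed 32-bit
        c ^= k                   # xor [ebp-0x8], eax
        c >>= 1                  # sar [ebp-0x8], 1: Python's >> is arithmetic, like sar
        out[i] = c & 0xff        # mov BYTE PTR [eax], cl: only the low byte is kept
        n -= 1
    return bytes(out)


if __name__ == "__main__":
    print(decode(ENC, KEY, SKIP).decode("ascii"))
```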