Trend Micro CTF 2017 Forensic 200 Writeup
メモリフォレンジックの問題
まずvolatilityで情報をいろいろ見てみる
% volatility -f VictimMemory.img imageinfo
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/program/ctf/tmctf/2017/Forensic200/VictimMemory.img)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x8333ec28L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x8333fc00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2017-04-11 02:35:28 UTC+0000
Image local date and time : 2017-04-11 11:35:28 +0900
% volatility -f VictimMemory.img --profile=Win7SP0x86 pstree [6/1918]
Volatility Foundation Volatility Framework 2.5
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x89d8a530:wininit.exe 412 344 3 78 2017-04-11 02:27:45 UTC+0000
. 0x88a0c030:lsass.exe 516 412 7 547 2017-04-11 02:27:48 UTC+0000
. 0x88a056d8:services.exe 508 412 7 220 2017-04-11 02:27:47 UTC+0000
.. 0x869fa6c0:VSSVC.exe 2304 508 12 194 2017-04-11 02:33:08 UTC+0000
.. 0x89d91030:svchost.exe 1288 508 17 304 2017-04-11 02:28:00 UTC+0000
.. 0x86d7b030:VGAuthService. 1424 508 3 87 2017-04-11 02:28:03 UTC+0000
.. 0x89d6b030:mscorsvw.exe 3096 508 6 74 2017-04-11 02:30:34 UTC+0000
.. 0x88bd3a98:msdtc.exe 1420 508 14 150 2017-04-11 02:28:28 UTC+0000
.. 0x88a4bcd8:vmacthlp.exe 676 508 3 53 2017-04-11 02:27:52 UTC+0000
.. 0x88a808a0:svchost.exe 808 508 20 465 2017-04-11 02:27:53 UTC+0000
... 0x88aa7130:audiodg.exe 952 808 4 122 2017-04-11 02:27:55 UTC+0000
.. 0x869b6030:msiexec.exe 3612 508 9 278 2017-04-11 02:34:25 UTC+0000
.. 0x89c0fb78:svchost.exe 1668 508 8 92 2017-04-11 02:28:12 UTC+0000
.. 0x86986030:sppsvc.exe 3264 508 4 146 2017-04-11 02:30:44 UTC+0000
.. 0x89a3b8e0:SearchIndexer. 2376 508 12 576 2017-04-11 02:29:03 UTC+0000
.. 0x88a87518:svchost.exe 844 508 18 419 2017-04-11 02:27:53 UTC+0000
... 0x88b91030:dwm.exe 568 844 3 70 2017-04-11 02:28:22 UTC+0000
.. 0x86dcf2d0:vmtoolsd.exe 1484 508 8 289 2017-04-11 02:28:07 UTC+0000
.....
.....
0x88bbaab8:explorer.exe 940 356 31 865 2017-04-11 02:28:23 UTC+0000
. 0x8691c030:cmd.exe 4080 940 1 20 2017-04-11 02:32:02 UTC+0000
.. 0x88abfa78:svchost.exe 3828 4080 1 7 2017-04-11 02:35:18 UTC+0000
. 0x88bca030:vmtoolsd.exe 2216 940 6 191 2017-04-11 02:28:51 UTC+0000
% volatility -f VictimMemory.img --profile=Win7SP0x86 cmdscan
Volatility Foundation Volatility Framework 2.5
**************************************************
CommandProcess: conhost.exe Pid: 1868
CommandHistory: 0x31e818 Application: svchost.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x190
Cmd #11 @ 0x10000: ?????
Cmd #37 @ 0x10000: ?????
**************************************************
CommandProcess: conhost.exe Pid: 1868
CommandHistory: 0x33a338 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #0 @ 0x33a700: cd %temp%
Cmd #1 @ 0x2d3b38: svchost.exe 1.tmp 0x0 1
explorer.exeからcmd.exeが呼び出され、そこからsvchost.exe 1.tmp 0x0 1が呼び出されている。いかにも怪しいのでファイルを落として解析する。
% volatility -f VictimMemory.img --profile=Win7SP0x86 filescan | grep -e svchost.exe -e 1.tmp Volatility Foundation Volatility Framework 2.5 0x000000000a0c07c0 10 1 R--rw- \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp 0x000000000b3f2588 8 0 R--r-d \Device\HarddiskVolume1\Windows\System32\svchost.exe 0x000000000f26fa68 2 0 R--r-- \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe 0x000000000f342ad0 6 0 R--r-d \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe % volatility -f VictimMemory.img --profile=Win7SP0x86 dumpfiles --dump-dir dumpdir -Q 0x000000000f26fa68 Volatility Foundation Volatility Framework 2.5 ImageSectionObject 0x0f26fa68 None \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe DataSectionObject 0x0f26fa68 None \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\svchost.exe % volatility -f VictimMemory.img --profile=Win7SP0x86 dumpfiles --dump-dir dumpdir -Q 0x000000000a0c07c0 Volatility Foundation Volatility Framework 2.5 DataSectionObject 0x0a0c07c0 None \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp SharedCacheMap 0x0a0c07c0 None \Device\HarddiskVolume1\Users\Taro\AppData\Local\Temp\1.tmp
svchost.exeをIDAで開くと、1.tmpの内容をVirtualAllocした領域に書き込み、スレッドで実行していることがわかる。つまり、1.tmpはシェルコードになっている。
1.tmpは以下のようなシェルコードになっていた。
0: 55 push ebp 1: 89 e5 mov ebp,esp 3: 83 ec 60 sub esp,0x60 6: c6 45 da a8 mov BYTE PTR [ebp-0x26],0xa8 a: c6 45 db ff mov BYTE PTR [ebp-0x25],0xff e: c6 45 dc 88 mov BYTE PTR [ebp-0x24],0x88 12: c6 45 dd d0 mov BYTE PTR [ebp-0x23],0xd0 16: c6 45 de b2 mov BYTE PTR [ebp-0x22],0xb2 1a: c6 45 df f6 mov BYTE PTR [ebp-0x21],0xf6 1e: c6 45 e0 f8 mov BYTE PTR [ebp-0x20],0xf8 22: c6 45 e1 ea mov BYTE PTR [ebp-0x1f],0xea 26: c6 45 e2 ff mov BYTE PTR [ebp-0x1e],0xff 2a: c6 45 e3 ff mov BYTE PTR [ebp-0x1d],0xff 2e: c6 45 e4 d2 mov BYTE PTR [ebp-0x1c],0xd2 32: c6 45 e5 ff mov BYTE PTR [ebp-0x1b],0xff 36: c6 45 e6 ff mov BYTE PTR [ebp-0x1a],0xff 3a: c6 45 e7 c2 mov BYTE PTR [ebp-0x19],0xc2 3e: c6 45 e8 dc mov BYTE PTR [ebp-0x18],0xdc 42: c6 45 e9 c2 mov BYTE PTR [ebp-0x17],0xc2 46: c6 45 ea d8 mov BYTE PTR [ebp-0x16],0xd8 4a: c6 45 eb ff mov BYTE PTR [ebp-0x15],0xff 4e: c6 45 ec f6 mov BYTE PTR [ebp-0x14],0xf6 52: c6 45 ed ff mov BYTE PTR [ebp-0x13],0xff 56: c6 45 ee fa mov BYTE PTR [ebp-0x12],0xfa 5a: c6 45 ef ff mov BYTE PTR [ebp-0x11],0xff 5e: c6 45 bc 55 mov BYTE PTR [ebp-0x44],0x55 62: c6 45 bd 8b mov BYTE PTR [ebp-0x43],0x8b 66: c6 45 be ec mov BYTE PTR [ebp-0x42],0xec 6a: c6 45 bf 51 mov BYTE PTR [ebp-0x41],0x51 6e: c6 45 c0 e8 mov BYTE PTR [ebp-0x40],0xe8 72: c6 45 c1 00 mov BYTE PTR [ebp-0x3f],0x0 76: c6 45 c2 00 mov BYTE PTR [ebp-0x3e],0x0 7a: c6 45 c3 00 mov BYTE PTR [ebp-0x3d],0x0 7e: c6 45 c4 00 mov BYTE PTR [ebp-0x3c],0x0 82: c6 45 c5 58 mov BYTE PTR [ebp-0x3b],0x58 86: c6 45 c6 2d mov BYTE PTR [ebp-0x3a],0x2d 8a: c6 45 c7 52 mov BYTE PTR [ebp-0x39],0x52 8e: c6 45 c8 1f mov BYTE PTR [ebp-0x38],0x1f 92: c6 45 c9 34 mov BYTE PTR [ebp-0x37],0x34 96: c6 45 ca 01 mov BYTE PTR [ebp-0x36],0x1 9a: c6 45 cb 2d mov BYTE PTR [ebp-0x35],0x2d 9e: c6 45 cc 52 mov BYTE PTR [ebp-0x34],0x52 a2: c6 45 cd 1f mov BYTE PTR [ebp-0x33],0x1f a6: c6 45 ce 34 mov BYTE PTR [ebp-0x32],0x34 aa: c6 45 cf 01 mov BYTE PTR [ebp-0x31],0x1 ae: c6 45 d0 e8 mov BYTE PTR [ebp-0x30],0xe8 b2: c6 45 d1 00 mov BYTE PTR [ebp-0x2f],0x0 b6: c6 45 d2 00 mov BYTE PTR [ebp-0x2e],0x0 ba: c6 45 d3 00 mov BYTE PTR [ebp-0x2d],0x0 be: c6 45 d4 00 mov BYTE PTR [ebp-0x2c],0x0 c2: c6 45 d5 90 mov BYTE PTR [ebp-0x2b],0x90 c6: c6 45 d6 90 mov BYTE PTR [ebp-0x2a],0x90 ca: c6 45 d7 c9 mov BYTE PTR [ebp-0x29],0xc9 ce: c6 45 d8 c3 mov BYTE PTR [ebp-0x28],0xc3 d2: c6 45 d9 cc mov BYTE PTR [ebp-0x27],0xcc d6: c6 45 a6 00 mov BYTE PTR [ebp-0x5a],0x0 da: c6 45 a7 5b mov BYTE PTR [ebp-0x59],0x5b de: c6 45 a8 00 mov BYTE PTR [ebp-0x58],0x0 e2: c6 45 a9 00 mov BYTE PTR [ebp-0x57],0x0 e6: c6 45 aa 00 mov BYTE PTR [ebp-0x56],0x0 ea: c6 45 ab 00 mov BYTE PTR [ebp-0x55],0x0 ee: c6 45 ac 00 mov BYTE PTR [ebp-0x54],0x0 f2: c6 45 ad 00 mov BYTE PTR [ebp-0x53],0x0 f6: c6 45 ae 2b mov BYTE PTR [ebp-0x52],0x2b fa: c6 45 af 17 mov BYTE PTR [ebp-0x51],0x17 fe: c6 45 b0 00 mov BYTE PTR [ebp-0x50],0x0 102: c6 45 b1 19 mov BYTE PTR [ebp-0x4f],0x19 106: c6 45 b2 3f mov BYTE PTR [ebp-0x4e],0x3f 10a: c6 45 b3 00 mov BYTE PTR [ebp-0x4d],0x0 10e: c6 45 b4 00 mov BYTE PTR [ebp-0x4c],0x0 112: c6 45 b5 00 mov BYTE PTR [ebp-0x4b],0x0 116: c6 45 b6 00 mov BYTE PTR [ebp-0x4a],0x0 11a: c6 45 b7 03 mov BYTE PTR [ebp-0x49],0x3 11e: c6 45 b8 00 mov BYTE PTR [ebp-0x48],0x0 122: c6 45 b9 13 mov BYTE PTR [ebp-0x47],0x13 126: c6 45 ba 00 mov BYTE PTR [ebp-0x46],0x0 12a: c6 45 bb 05 mov BYTE PTR [ebp-0x45],0x5 12e: c7 45 fc 16 00 00 00 mov DWORD PTR [ebp-0x4],0x16 135: c7 45 f4 00 00 00 00 mov DWORD PTR [ebp-0xc],0x0 13c: c7 45 f0 00 00 00 00 mov DWORD PTR [ebp-0x10],0x0 143: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10] 146: 83 f8 16 cmp eax,0x16 149: 73 70 jae 1bb 14b: 8d 55 da lea edx,[ebp-0x26] 14e: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10] 151: 01 d0 add eax,edx 153: 0f b6 00 movzx eax,BYTE PTR [eax] 156: 0f b6 c0 movzx eax,al 159: 89 45 f8 mov DWORD PTR [ebp-0x8],eax 15c: 8d 55 a6 lea edx,[ebp-0x5a] 15f: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10] 162: 01 d0 add eax,edx 164: 0f b6 00 movzx eax,BYTE PTR [eax] 167: 0f b6 c0 movzx eax,al 16a: 89 45 f4 mov DWORD PTR [ebp-0xc],eax 16d: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0 171: 7e 0a jle 17d 173: 83 45 f8 01 add DWORD PTR [ebp-0x8],0x1 177: 83 6d f4 01 sub DWORD PTR [ebp-0xc],0x1 17b: eb f0 jmp 16d 17d: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] 180: 83 e8 01 sub eax,0x1 183: 0f b6 44 05 bc movzx eax,BYTE PTR [ebp+eax*1-0x44] 188: 0f b6 c0 movzx eax,al 18b: 29 45 f8 sub DWORD PTR [ebp-0x8],eax 18e: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] 191: 83 e8 01 sub eax,0x1 194: 0f b6 44 05 bc movzx eax,BYTE PTR [ebp+eax*1-0x44] 199: 0f b6 c0 movzx eax,al 19c: 31 45 f8 xor DWORD PTR [ebp-0x8],eax 19f: d1 7d f8 sar DWORD PTR [ebp-0x8],1 1a2: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] 1a5: 89 c1 mov ecx,eax 1a7: 8d 55 da lea edx,[ebp-0x26] 1aa: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10] 1ad: 01 d0 add eax,edx 1af: 88 08 mov BYTE PTR [eax],cl 1b1: 83 6d fc 01 sub DWORD PTR [ebp-0x4],0x1 1b5: 83 45 f0 01 add DWORD PTR [ebp-0x10],0x1 1b9: eb 88 jmp 143 1bb: 90 nop 1bc: c9 leave 1bd: c3 ret
これをデバッガで実行し、retの直前で止めるとフラグが得られる。
[----------------------------------registers-----------------------------------]
EAX: 0x16
EBX: 0x0
ECX: 0x7d ('}')
EDX: 0xffffdae2 ("TMCTF{static_analyzer}\026")
ESI: 0xf7fc3000 --> 0x1afdb0
EDI: 0xf7fc3000 --> 0x1afdb0
EBP: 0x0
ESP: 0xffffdb0c --> 0xf7e2b637 (<__libc_start_main+247>: add esp,0x10)
EIP: 0x804859d (<end+2>: ret)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048599 <next+60>: jmp 0x8048523 <loop>
0x804859b <end>: nop
0x804859c <end+1>: leave
=> 0x804859d <end+2>: ret
0x804859e <end+3>: xchg ax,ax
0x80485a0 <__libc_csu_init>: push ebp
0x80485a1 <__libc_csu_init+1>: push edi
0x80485a2 <__libc_csu_init+2>: push esi
[------------------------------------stack-------------------------------------]
0000| 0xffffdb0c --> 0xf7e2b637 (<__libc_start_main+247>: add esp,0x10)
0004| 0xffffdb10 --> 0x1
0008| 0xffffdb14 --> 0xffffdba4 --> 0xffffdcc7 ("/program/ctf/tmctf/2017/Forensic200/test")
0012| 0xffffdb18 --> 0xffffdbac --> 0xffffdcf0 ("LOGNAME=ubuntu")
0016| 0xffffdb1c --> 0x0
0020| 0xffffdb20 --> 0x0
0024| 0xffffdb24 --> 0x0
0028| 0xffffdb28 --> 0xf7fc3000 --> 0x1afdb0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 2, 0x0804859d in end ()
gdb-peda$
flag: TMCTF{static_analyzer}
