Preface
The final question is extremely difficult. I am recording the problem-solving ideas and process here in detail.
Preliminary analysis of the challenge
The challenge provides three files. mem_secret-963a4663.vmem is a common memory image file; the format of the other two is unknown.
Volatility cannot identify a profile for the memory image.
The encryption.bin01 and encryption.bin02 files were analysed next. An initial look at encryption.bin01 turned up nothing.
encryption.bin02 contains a large number of printable characters. Running the strings command on it shows that encryption.bin02 is a VMX virtual machine configuration file encrypted with VMware's VM encryption feature.
A brief introduction to the VMX configuration file: it is located in the virtual machine instance's home directory and records the VM's configuration, such as memory size and hard disk type. Opening this file starts the VM's operating system, and editing it is also how configuration changes are applied to the VM.
For the same VM, the VMX files before and after VM encryption are different:
The unencrypted VMX file is plaintext, showing the VM's display name, CPU configuration, memory configuration, and so on. The following image shows an unencrypted VMX file.
The encrypted VMX content is shown in the following figure. The configuration that was previously plaintext is now stored encrypted, so the detailed VM configuration cannot be read, and an encryption.keySafe entry is added, which stores the key safe. Diagram below:
An encrypted configuration keeps only the .encoding, displayName, encryption.keySafe, and encryption.data fields in the clear. .encoding indicates the encoding of the VM configuration file. encryption.keySafe stores the VM's password-protected key data, in the format vmware:key/list/XXXXXXXXX. encryption.data is the result of encrypting the original plaintext configuration.
However, comparing encryption.bin02 with a normally encrypted VMX, there is an extra piece of data at the end of encryption.bin02:
Analysing this data against an encrypted VM, the lsilogic keyword and the offset space the content occupies show that it is the VMDK portion of the encrypted VM.
In this challenge it is lsilogic, whereas the VM I used for comparison runs WinXP, which does not support lsilogic, so it is ide; and between the VMX and VMDK data there is a blank run of NUL bytes.
encryption.bin02 is the encrypted configuration file of a VMware VM, so mem_secret-963a4663.vmem should be the memory page file of the running VM. Based on common VM file types and the file size, encryption.bin01 is a VMSS file.
A VMSS file stores the state of a VM in the suspended state. It is generated by the suspend operation (roughly equivalent to a snapshot).
Further format analysis of encryption.bin01 shows that it is highly similar to the VMSS file of a VMware-encrypted VM in the suspended state, so the files given in this challenge are a VMware encrypted file set.
All of the files above are encrypted VM files. The plan: find the VM password, load the VM in VMware, turn off the VM's encryption, and restore all files to plaintext. The memory image is then in an unencrypted state and can be analysed with volatility.
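As an added illustration (not part of the original write-up), the following Python separates an encryption.bin02-style bundle at the NUL gap described above, parses the plaintext VMX fields, checks that they are exactly the four an encrypted VMX keeps in the clear, and reads the adapter type from the trailing VMDK descriptor. The sample bytes are constructed placeholders, and the exact byte layout of real VMware files is an assumption here.

```python
import re

# Constructed sample modelled on the write-up's description: an encrypted VMX
# (only .encoding, displayName, encryption.keySafe, encryption.data in the clear),
# a run of NUL bytes, then the start of the encrypted VMDK descriptor.
# Placeholder values only, not data from the challenge files.
SAMPLE_BUNDLE = (
    b'.encoding = "UTF-8"\n'
    b'displayName = "win10-ctf"\n'
    b'encryption.keySafe = "vmware:key/list/(pair,(phrase,PLACEHOLDER,PLACEHOLDER))"\n'
    b'encryption.data = "PLACEHOLDER_BASE64_BLOB"\n'
    + b"\x00" * 32
    + b'# Disk DescriptorFile\nddb.adapterType = "lsilogic"\n'
)

VMX_LINE = re.compile(r'^([\w.]+)\s*=\s*"(.*)"$')
# Fields VMware leaves in plaintext in an encrypted VMX, per the write-up.
CLEAR_FIELDS = {".encoding", "displayName", "encryption.keySafe", "encryption.data"}


def split_bundle(data, min_gap=16):
    """Split at the first run of >= min_gap NUL bytes: (vmx_part, trailing_part)."""
    m = re.search(rb"\x00{%d,}" % min_gap, data)
    if m is None:
        return data, b""
    return data[:m.start()], data[m.end():]


def parse_vmx(vmx):
    """Parse key = "value" lines into a dict; blanks and # comments never match."""
    fields = {}
    for line in vmx.decode("utf-8", errors="replace").splitlines():
        m = VMX_LINE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_encrypted_vmx(fields):
    """True if only the four clear fields are present and keySafe has the documented prefix."""
    return (set(fields) <= CLEAR_FIELDS
            and fields.get("encryption.keySafe", "").startswith("vmware:key/list/")
            and "encryption.data" in fields)


def adapter_type(trailing):
    """Read ddb.adapterType from the trailing VMDK descriptor, or None if absent."""
    m = re.search(rb'ddb\.adapterType\s*=\s*"(\w+)"', trailing)
    return m.group(1).decode() if m else None
```

A plaintext VMX (memsize, guestOS and similar keys present) fails is_encrypted_vmx, which is a quick way to tell the two states apart before any repair work.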
Restore files
With the approach settled, the challenge files must be separated and repaired. After repeated attempts and comparisons, it turns out that the challenge author deleted some generic key information from the VMX and the VMSS respectively. The VMX, VMDK and VMSS files are restored in turn:
Separate and repair the VMX file. Before the repair:
After the repair:
Restore the VMSS file: rename encryption.bin01 to mem_secret-963a4663.vmss. The VMSS file name must match the vmem file name, otherwise the suspended state cannot be read.
The restored file directory structure is as follows:
Start the VM.
Opening the VM requires the password, which is obtained by brute force: the encrypted VMX file is fed to PyVMX-cracker to crack the VM password.
The resulting password is 1q2w3e4r.
The suspended VM starts successfully.
However, the virtual disk file still contains certain encryption information. Since the password of the encrypted VM is now known, we can create a new VM ourselves.
The VMDK cannot simply be loaded into that VM, though: because the VM uses VMware encryption, the VMDK is encrypted along with it and is decrypted when the VM is opened. Comparing the VMDK of an unencrypted VM with that of an encrypted VM shows that the trailing data from encryption.bin02 can directly replace the header of a self-generated encrypted VMDK. Experimentally, this data is the key string VMware uses to decrypt the VMDK when the VM is opened, and it determines whether the encrypted VM's VMDK can be decrypted normally. The rest is disk data.
So the steps are: create a new VM, encrypt it with the password 1q2w3e4r using the encryption configuration from encryption.bin02, then take the encrypted VM's VMDK file for the VM extracted from the challenge to use. Before using it, the encrypted string at the beginning of the file must be replaced.
Separate and repair the VMDK file. Before the repair:
After the repair:
At this point the VM repair is complete and the VM's encryption can be successfully removed (decrypted). Note: do not power on the VM, or the memory image file (vmem) will be deleted.
After decryption and removal of encryption, the vmem file in the current directory is a VM memory image that is no longer encrypted by VMware. In theory volatility can now analyse it normally. With Volatility2 no profile can be found, so the memory image was assumed to be Windows 10 and analysed with Volatility3.
Volatility3 is a rewrite of Volatility2 in Python 3. It handles Windows 10 well and is much faster than Volatility2. For users, the highlights of the new features are: significantly improved performance; removal of the --profile dependency, so the framework itself determines which symbol table (profile) matches the operating system version in the memory sample; correct evaluation of 32-bit code on 64-bit systems (such as Windows WOW64); and automatic evaluation of in-memory code, to spare the analyst as much manual reverse engineering as possible.
python3 vol.py -f mem_secret-963a4663.vmem windows.info
Using the Volatility3 windows.info plugin, the operating system version is shown to be Windows 10, and the specific profile can be identified from Major/Minor 15.18362. With Volatility2's --info parameter the corresponding profile is Win10x86_18362. After that, you can go back to Volatility2, specify the profile manually, and answer the questions.
Answers
(1) The forensic investigator first verifies the basic information of the container and determines that it is ___. (The answer is the 32-bit lowercase MD5 of (container OS version number + container host name + system user name). For example: if the OS version is 10.0.22449, the container host name is desktop-0521 and the system login user name is admin, the answer is the 32-bit lowercase md5 of 10.0.22449desktop-0521admin, which is ae278d9bc4aa5ee84a4aed858d17d52a.)
Using dumpregistry and WRR.exe to analyse the registry from the memory image, the host name is desktop-4N21et2, the system version number is 6.3.18363, and the login user name is Ado. The 32-bit lowercase md5 of 6.3.18363desktop-4N21et2Ado is 38c9307280315a1888681d133658e6ce.
Use Dumpregistry to export registry related files:
python2 vol.py -f mem_secret-963a4663.vmem --profile=Win10x64_18362 dumpregistry -D ./
Use WRR to parse system.reg and obtain the host name desktop-4N21et2.
Parsing software.reg yields the system version number 6.3.18363.
Using windows.filescan, search the Desktop paths to find the user name Ado.
(2) After intruding into the container, the hacker used a MessageBox to send a message through the Trojan's control end. The content of the message is ___. (The answer is the MessageBox content.) The answer to the second question is the MessageBox shown in the suspended VM above: Best_hacker
(3) Intrusion analysis shows that the container was compromised because of the user's illegal gaming activity; the information on the user's game program is ___. (The answer is the 32-bit lowercase MD5 of (game program registration email + game program login user name + game program login password). For example: with registration email [email protected], login user name user and password user1234, the answer is the lowercase md5 of [email protected]useruser1234, which is 5f4505b7734467bfed3b16d5d6e75c16.)
Using pslist to check the process information reveals a large number of Steam processes. Searching the Steam process memory blocks with WinHex finds the registered email [email protected]:
Steam username: jock_you1; password: jock.2021
Concatenating the email address, user name and password gives [email protected]_you1jock.2021, whose 32-bit lowercase md5 is 39a9ac5a37f4a4ce27b1227cf83700a6.
(4) Intrusion analysis shows that the hacker implanted a Trojan into the container; the Trojan's control information is ___. (The answer is the 32-bit lowercase MD5 of (Trojan process name + Trojan callback IP address + Trojan callback port). For example: if the Trojan process is svhost.exe, its callback IP is 1.1.1.1 and its callback port is 1234, the answer is the 32-bit lowercase md5 of svhost.exe1.1.1.11234, which is f02da74a0d78a13e7944277c3531bbea.)
pstree and netscan are used to analyse the malicious program. pstree reveals a Trojan process steam.exe masquerading as Steam; it is not Steam itself, and its Wow64 flag is True.
python3 vol.py -f mem_secret-963a4663.vmem windows.pstree
Use netscan to scan the container's network connections, and dynamically test the exported steam.exe Trojan. The Trojan's connection IP address and port are 192.168.241.147 and 8808, matching the netscan results:
(5) Intrusion analysis shows that the hacker ran a trace-clearing tool; the basic information of the tool is ___. (The answer is the 32-bit lowercase MD5 of (trace-clearing program name + last run time). For example: if the hacker ran a program named run.exe at 2021-07-10 10:10:13, the answer is the 32-bit lowercase md5 of run.exe2021-07-10 10:10:13, which is 82d7aa7a3f1467b973505702beb35769. Note: the run time is in the format YY-MM-DD hh:mm:ss and the time zone is UTC+8.)
To find the program's last run time, use the userassist registry data to analyse program execution, and combine it with filescan to scan the files in the container. Together these reveal the trace-clearing software stored on the container desktop. Its executable name is Wywz.exe, and UserAssist gives a run time of 2021-09-10 21:10:13 UTC+8 (note the time zone conversion). The answer is then the 32-bit lowercase md5 of Wywz.exe2021-09-10 21:10:13, which is d46586ca847e6be1004037bc288bf60c.
python2 vol.py -f mem_secret-963a4663.vmem --profile=Win10x64_18362 userassist
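As an added example (not from the original write-up), this Python parses userassist output in the style of Volatility2 (the exact layout is an assumption, and the sample is constructed, not taken from the challenge image), converts the UTC timestamp to UTC+8 as question 5 requires, and builds the concatenate-then-MD5 answer format that questions 1, 3, 4 and 5 all use.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of Volatility2 userassist output (layout is an
# assumption); registry path, program path, count and time are made up, not
# copied from the challenge image. Volatility prints 'Last updated' in UTC.
SAMPLE_OUTPUT = """\
----------------------------
Registry: \\??\\C:\\Users\\Ado\\ntuser.dat
Path: Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count
Last updated: 2021-09-10 13:10:13 UTC+0000

Values:

REG_BINARY    C:\\Users\\Ado\\Desktop\\Wywz.exe :
Count:          1
Focus Count:    0
Time Focused:   0:00:00.500000
Last updated:   2021-09-10 13:10:13 UTC+0000
"""

CST = timezone(timedelta(hours=8))  # the challenge wants times in UTC+8
LAST_UPDATED = re.compile(r"^Last updated:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000")


def parse_userassist(text):
    """Map each REG_BINARY value name to its 'Last updated' time as a UTC datetime."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("REG_BINARY"):
            current = line[len("REG_BINARY"):].strip().rstrip(" :")
            continue
        m = LAST_UPDATED.match(line)
        if m and current:  # the key-level 'Last updated' before 'Values:' is skipped
            entries[current] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            current = None
    return entries


def last_run_local(entries, exe_name):
    """Return 'YYYY-MM-DD hh:mm:ss' in UTC+8 for the entry whose path ends with exe_name."""
    for path, ts in entries.items():
        if path.lower().endswith("\\" + exe_name.lower()):
            return ts.astimezone(CST).strftime("%Y-%m-%d %H:%M:%S")
    return None


def answer_hash(*parts):
    """Lowercase 32-character MD5 of the concatenated parts, the answer format of every question."""
    return hashlib.md5("".join(parts).encode("utf-8")).hexdigest()
```

answer_hash("Wywz.exe", last_run_local(entries, "Wywz.exe")) produces the question 5 answer string from the converted time, and the same helper serves the version+hostname+user and email+user+password formats.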