2023-01-28: Asking MEMORY.DMP and Volatility to make up

A few days ago I posted RE category write-ups from the KnightCTF 2023. Another category I looked at – quite intensely at that – was forensics. While this blog post isn't a write-up for that category, I still wanted (and well, was actually asked) to write down some steps I took to make Volatility work with the MEMORY.DMP file provided in the "Take care of this" challenge series. Or actually the steps I took to convert MEMORY.DMP into something Volatility could work with. I have to add that I didn't get the flags for these challenges*, so again, this isn't a write-up.
* It turned out that the flags weren't based on the MEMORY.DMP – the sole resource provided – at all due to an oversight in challenge creation. It was a pretty amusing situation we've learnt about after the CTF, but what can you do.

Let's start by stating the problem: neither Volatility 2 nor Volatility 3 was able to use MEMORY.DMP as input. WinDBG on the other hand had no issues at all, so we knew the file was correct.

$ python2 vol.py --profile Win7SP1x64 -f ../MEMORY.DMP pslist
Volatility Foundation Volatility Framework 2.6
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 ...

If you're unfamiliar with Volatility, it's an open-source forensics framework (Volatility 2 and Volatility 3 are written in Python 2 and Python 3 respectively), which allows an investigator to run queries on a computer system's memory dumps. Technically it understands internal Windows and Linux kernel memory objects and can walk through them to do stuff like listing running processes, dumping console buffers or the content of the clipboard, digging through the registry (its in-memory version), etc. See this example for instance. Pretty neat tool!

Some theory on how Volatility works

As said, the input is a system memory dump. These however come in different shapes and sizes, depending on how one might have acquired them. For example, one common source is the automatic memory dump created at Blue Screen of Death time – its usual purpose is to allow folks to put it in WinDBG and figure out why the system crashed. Another typical example is a raw dump of physical memory – these can be acquired in a multitude of ways, though they don't really include any useful metadata (I'll get to this later). Either way, usually what you get is a dump of physical memory – physical being the keyword here.

Physical memory however won't do. That's because the great majority of the kernel structures – as well as literally everything in user-land – operate on virtual memory. So the first thing Volatility has to do is basically load the proper parser for the given input format and then provide a virtual memory view for it. This can of course be done easily based on the page table structure, which maps virtual addresses to physical addresses.

One important thing to note here is that there isn't just one page table structure in memory. There are a lot of them – usually one per process, though in some cases even each thread might have one. That's OK however, since even if you find only a single page table in memory you'll be able to access the process/task/thread list, and these in turn hold physical addresses of their respective page tables. This means that each process/task/thread "sees different things" in memory, though usually at least the kernel part is seen by all of them in the same way.
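
As an added illustration of the virtual memory view described above (this is not Volatility's code and not code from the original post): a minimal x86-64 4-level page-table walk over a raw physical-memory buffer. The sample image, its addresses and the helper names are constructed for the example; it shows the same virtual address resolving to different physical pages under two processes' page tables.

```python
import struct

PRESENT = 1 << 0                 # entry is valid
LARGE = 1 << 7                   # PS bit: PDPT/PD entry maps a 1 GiB / 2 MiB page
ADDR_MASK = 0x000FFFFFFFFFF000   # bits 12..51: physical address of next table/page
SHIFTS = (39, 30, 21, 12)        # PML4, PDPT, PD, PT index positions in the VA

def translate(phys_mem, dtb, vaddr):
    """Walk the 4-level tables rooted at dtb; return a physical address or None."""
    table = dtb & ADDR_MASK
    for level, shift in enumerate(SHIFTS):
        index = (vaddr >> shift) & 0x1FF
        entry = struct.unpack_from("<Q", phys_mem, table + index * 8)[0]
        if not entry & PRESENT:
            return None          # unmapped or paged out: nothing to read in the dump
        if level in (1, 2) and entry & LARGE:
            page_mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~page_mask) | (vaddr & page_mask)
        table = entry & ADDR_MASK
    return table | (vaddr & 0xFFF)

def read_virtual(phys_mem, dtb, vaddr, size):
    """Read bytes at a virtual address (reads within a single page only)."""
    paddr = translate(phys_mem, dtb, vaddr)
    return None if paddr is None else bytes(phys_mem[paddr:paddr + size])

def map_page(mem, dtb, tables, vaddr, page):
    """Constructed-sample helper: chain dtb -> 3 tables -> page for one vaddr."""
    chain = [dtb] + tables + [page]
    for table, nxt, shift in zip(chain, chain[1:], SHIFTS):
        index = (vaddr >> shift) & 0x1FF
        struct.pack_into("<Q", mem, table + index * 8, nxt | PRESENT)

def build_sample():
    """Constructed 'physical memory': two processes map the same VA differently."""
    mem = bytearray(0xB000)
    vaddr = 0x7FF612345000
    map_page(mem, 0x1000, [0x2000, 0x3000, 0x4000], vaddr, 0x5000)  # process A
    map_page(mem, 0x6000, [0x7000, 0x8000, 0x9000], vaddr, 0xA000)  # process B
    mem[0x5000:0x5009] = b"process A"
    mem[0xA000:0xA009] = b"process B"
    return bytes(mem), vaddr

if __name__ == "__main__":
    mem, vaddr = build_sample()
    for name, dtb in (("A", 0x1000), ("B", 0x6000)):
        print(name, hex(translate(mem, dtb, vaddr)), read_virtual(mem, dtb, vaddr, 9))
```

Here `dtb` stands for the physical address of a process's top-level page table; a forensic tool has to locate at least one such value before any virtual address in the dump can be resolved.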


2022-10-16: MSHP CTF solutions (October 2022)

The Sekurak Mega Hacking Party taking place on 17 October 2022 essentially started two days earlier with an individual CTF. Which I wasn't supposed to play. Because I was supposed to be doing other More Important Things™. But it turned out as usual - and that's actually nice, because the CTF turned out to be very pleasant.

Below are the solutions to the challenges in which I managed to get the flag. The solutions are fairly brief, but I tried to more or less indicate which path I took.

Other people's solutions:



EN Security papers and research notes

Some conference slides are linked at the bottom of this page.

EN Selected vulnerabilities

The full list of vulnerabilities discovered by me (including collaborative work) can be found here (please note that the list might be out of date).

The Google Application Security / Research site might also contain some of my findings.

EN Coding (selected posts)
EN Tools and libraries
  • PiXieServ is a simplified PXE (network boot) server for Windows and Linux-based OS, created for testing of very small home-made OS. See also the post about it.
  • ExcpHook, a system-wide exception monitor for Windows XP 32-bit. Useful if you're fuzzing something that doesn't like having a debugger attached.
  • Ent is an entropy measuring tool for reverse engineering reconnaissance (see also a post explaining how to use it).
  • HiperDrop is a simple command line process memory dumper for Windows, with a few different work modes.
  • asmloader - this little app executes headerless machine code (compiled assembly code). It's meant to be an aid in learning/teaching and playing with assembly, as well as the right tool when you just need to execute some machine code.
  • NetSock is a simple socket/networking lib/wrapper for C++ I wrote back in 2003 and update from time to time - I use it for most of my network-enabled projects.
PL Video tutorials and podcasts

In my free time I run live videocasts about programming, reverse engineering and hacking/security:

Livestream | YT channel | Archive of older episodes

Latest episode: Gynvael's Livestream #75: Implementing an FTP server

Additionally: ReverseCraft - an older podcast series about reverse engineering and assembly.

PL Educational (selected posts)

For programmers:

Security / hacking:

  • Hacking - how to learn security/hacking and sleep soundly.

Additionally, a few thoughts on finding your way in the IT job market:

PL Programming (selected posts)

← a few more posts are on the English-language side.

PL Gamedev and GFX (selected posts)

Procedurally generated graphics:

【 design & art by Xa / Gynvael Coldwind 】 【 logo font (birdman regular) by utopiafonts / Dale Harris 】