{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-heroctf-windows-memory-analysis-en","result":{"data":{"markdownRemark":{"id":"76bea52c-9658-56e2-88b7-ccceebb804d9","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-heroctf-windows-memory-analysis\">original page</a>.</p>\n</blockquote>\n<p>In this post, using the Hero CTF 2023 forensic challenge “Windows Stands for Loser” as a case study, I’ll share what I learned about analyzing Windows memory dumps with Volatility.</p>\n<p>The writeups for the other challenges are below.</p>\n<p>Reference: <a href=\"/ctf-heroctf-2023\">Hero CTF 2023 Writeup - Frog’s Secret Base</a></p>\n<!-- omit in toc -->\n<h2 id=\"windows-stands-for-loserforensic\" style=\"position:relative;\"><a href=\"#windows-stands-for-loserforensic\" aria-label=\"windows stands for loserforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Windows Stands for Loser(Forensic)</h2>\n<blockquote>\n<p>This time, no realistic context, we just need you to find the commands that were executed and the time. 
(we don’t talk about windows commands here :p) (time to find : UTC+2)\nFormat: Hero{secret:dd/mm/YYYY-hh:mm:ss}\nAuthor: Malon</p>\n</blockquote>\n<p>If you inspect the provided challenge file <code class=\"language-text\">memdump.mem</code> with the <code class=\"language-text\">strings</code> command, you can tell that it appears to be a memory dump from a Windows machine.</p>\n<p>However, it was not a crash dump file that could be opened with WinDbg. (Maybe it was acquired with FTK Imager?)</p>\n<p>For now, I decided to solve the challenge while trying a few Volatility3 options to see what kind of information it contains.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#running-volatility3-commands-windows\">Running Volatility3 Commands (Windows)</a></p>\n<ul>\n<li><a href=\"#getting-os-information-from-memory\">Getting OS Information from Memory</a></li>\n<li><a href=\"#investigating-network-activity-from-memory\">Investigating Network Activity from Memory</a></li>\n<li><a href=\"#getting-the-process-list-and-command-lines-from-memory\">Getting the Process List and Command Lines from Memory</a></li>\n<li><a href=\"#dumping-an-entire-process-memory-region\">Dumping an Entire Process Memory Region</a></li>\n<li><a href=\"#extracting-an-image-file-from-a-process\">Extracting an Image File from a 
Process</a></li>\n<li><a href=\"#collecting-file-objects-from-memory\">Collecting File Objects from Memory</a></li>\n<li><a href=\"#getting-a-list-of-dlls-loaded-by-a-process\">Getting a List of DLLs Loaded by a Process</a></li>\n<li><a href=\"#enumerating-object-handles\">Enumerating Object Handles</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#analyzing-memory-interactively-with-volshell3\">Analyzing Memory Interactively with Volshell3</a></p>\n<ul>\n<li><a href=\"#accessing-eprocess\">Accessing EPROCESS</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#analyzing-the-challenge-file\">Analyzing the Challenge File</a></p>\n<ul>\n<li><a href=\"#investigating-the-wsl-process\">Investigating the WSL Process</a></li>\n<li><a href=\"#manually-analyzing-the-bash-process-memory\">Manually Analyzing the bash Process Memory</a></li>\n<li><a href=\"#retrieving-values-from-virtual-addresses-with-volshell\">Retrieving Values from Virtual Addresses with Volshell</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"running-volatility3-commands-windows\" style=\"position:relative;\"><a href=\"#running-volatility3-commands-windows\" aria-label=\"running volatility3 commands windows permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Running Volatility3 Commands (Windows)</h2>\n<p>First, let’s run a few basic commands and inspect the memory information.</p>\n<p>All of the commands used here are for analyzing Windows memory dumps.</p>\n<p>When collecting information from memory on Linux and 
similar systems, use dedicated commands like those in the <a href=\"https://volatility3.readthedocs.io/en/latest/getting-started-linux-tutorial.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Linux Tutorial</a>.</p>\n<h3 id=\"getting-os-information-from-memory\" style=\"position:relative;\"><a href=\"#getting-os-information-from-memory\" aria-label=\"getting os information from memory permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting OS Information from Memory</h3>\n<p>You can inspect OS information with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -f memdump.mem windows.info.Info</code></pre></div>\n<p>The output looked like this.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c99569f53a8bcdb6055854354239b7ee/c45c7/image-20230521214224535.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 34.166666666666664%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAArUlEQVQoz6WRSwuDMBCEc/YR4yM+iookIpqe/P8/bsospLSXgvbwsbDZzE4map5nLMuCvu9hjEHTNKjrGkVRIEmSS6RpCkWxcRwxTRO6rkNVVSIasdZ+EXtt2wq8w0oTeZ5DresqTYryQGst7lh/wZlP2MuyDOo4DjjnEEJAWZZi+x/Uvu9gjoTPpW1uuos6zxPbtsF7L9nEgOMAt14SDM8A5504HB7D+5fviJEXSBKm+Waff4YAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c99569f53a8bcdb6055854354239b7ee/8ac56/image-20230521214224535.webp 240w,\n/static/c99569f53a8bcdb6055854354239b7ee/d3be9/image-20230521214224535.webp 480w,\n/static/c99569f53a8bcdb6055854354239b7ee/e46b2/image-20230521214224535.webp 960w,\n/static/c99569f53a8bcdb6055854354239b7ee/16abe/image-20230521214224535.webp 1346w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c99569f53a8bcdb6055854354239b7ee/8ff5a/image-20230521214224535.png 240w,\n/static/c99569f53a8bcdb6055854354239b7ee/e85cb/image-20230521214224535.png 480w,\n/static/c99569f53a8bcdb6055854354239b7ee/d9199/image-20230521214224535.png 960w,\n/static/c99569f53a8bcdb6055854354239b7ee/c45c7/image-20230521214224535.png 1346w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c99569f53a8bcdb6055854354239b7ee/d9199/image-20230521214224535.png\"\n            alt=\"image-20230521214224535\"\n            title=\"image-20230521214224535\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Since <code class=\"language-text\">NtMajorVersion</code> is 10, we can tell the OS is Windows 10.</p>\n<p>Also, because the <code 
class=\"language-text\">Minor Version</code> is 19041, we can tell it corresponds to Windows 10 20H1.</p>\n<h3 id=\"investigating-network-activity-from-memory\" style=\"position:relative;\"><a href=\"#investigating-network-activity-from-memory\" aria-label=\"investigating network activity from memory permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Investigating Network Activity from Memory</h3>\n<p>You can investigate network activity from memory with the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -f memdump.mem windows.netstat.NetStat\nvol3 -f memdump.mem windows.netscan.NetScan</code></pre></div>\n<p>The output is shown in a format similar to running the <code class=\"language-text\">Netstat</code> command.</p>\n<p>At this point, the address recorded in the <code class=\"language-text\">Offset(V)</code> column matches the address of that process’s <code class=\"language-text\">EPROCESS</code> structure.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f3b1ab8ec24395280a12ae797a958811/0b79a/image-20230521214710883.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 
37.916666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABIklEQVQoz2WSW4+CQAyFeUMSMEFUBOQiyB0JGPn/P62br8mwa/ahYeb09PS0g1XXtbRtK0mSSBRF8ng8JI5jybJMfN+Xy+UiQRDo+XQ66Zf7+XwWz/O+4ng8ilVVlTyfzz0QpwlnhMMw1GbmfLvdtDFxvV4V4wxOE+v1ekme5xoUQSqKQmgEBqlpGg2KwMdxVLzrOsXRwIRt22K9328py3IXQBR3kMFoMAyDOidHIQI4Q7jve1mWRfOHw+FXkGBv2DeCYOyQIrMCCud5VkEa/RNc13V3+FcQMjgOccJoJscdHDF4mMLAlyB7M4K8NONDppAxacjjkJumSXl8zQPCdxxHrM/ns+8PUQTML8QYYGmayv1+Vx7NzSNs26Y5nLmuq/EDBGbZ87PoPwgAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f3b1ab8ec24395280a12ae797a958811/8ac56/image-20230521214710883.webp 240w,\n/static/f3b1ab8ec24395280a12ae797a958811/d3be9/image-20230521214710883.webp 480w,\n/static/f3b1ab8ec24395280a12ae797a958811/e46b2/image-20230521214710883.webp 960w,\n/static/f3b1ab8ec24395280a12ae797a958811/d6e92/image-20230521214710883.webp 1331w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f3b1ab8ec24395280a12ae797a958811/8ff5a/image-20230521214710883.png 240w,\n/static/f3b1ab8ec24395280a12ae797a958811/e85cb/image-20230521214710883.png 480w,\n/static/f3b1ab8ec24395280a12ae797a958811/d9199/image-20230521214710883.png 960w,\n/static/f3b1ab8ec24395280a12ae797a958811/0b79a/image-20230521214710883.png 1331w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f3b1ab8ec24395280a12ae797a958811/d9199/image-20230521214710883.png\"\n            alt=\"image-20230521214710883\"\n            title=\"image-20230521214710883\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>One especially suspicious point is that <code class=\"language-text\">WWAHost.exe</code>, which runs as a UWP app container, is connected to port 80 on <code class=\"language-text\">192.229.221.95</code>, but I’ll leave that aside for now.</p>\n<p>Also, using the <code class=\"language-text\">NetScan</code> plugin produced the following output.</p>\n<p>The results are almost the same, but <code class=\"language-text\">NetScan</code> uses a technique called <a href=\"https://www.sciencedirect.com/science/article/pii/S1742287616000062\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Pool tag quick scanning</a>, so it can collect even hidden artifacts from kernel memory.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e72f6ad2f97fd42795c94e52cc07502d/d5c6f/image-20230521215535469.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 48.75000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e72f6ad2f97fd42795c94e52cc07502d/8ac56/image-20230521215535469.webp 240w,\n/static/e72f6ad2f97fd42795c94e52cc07502d/d3be9/image-20230521215535469.webp 480w,\n/static/e72f6ad2f97fd42795c94e52cc07502d/e46b2/image-20230521215535469.webp 960w,\n/static/e72f6ad2f97fd42795c94e52cc07502d/8f19f/image-20230521215535469.webp 1261w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n           
   type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e72f6ad2f97fd42795c94e52cc07502d/8ff5a/image-20230521215535469.png 240w,\n/static/e72f6ad2f97fd42795c94e52cc07502d/e85cb/image-20230521215535469.png 480w,\n/static/e72f6ad2f97fd42795c94e52cc07502d/d9199/image-20230521215535469.png 960w,\n/static/e72f6ad2f97fd42795c94e52cc07502d/d5c6f/image-20230521215535469.png 1261w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e72f6ad2f97fd42795c94e52cc07502d/d9199/image-20230521215535469.png\"\n            alt=\"image-20230521215535469\"\n            title=\"image-20230521215535469\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"getting-the-process-list-and-command-lines-from-memory\" style=\"position:relative;\"><a href=\"#getting-the-process-list-and-command-lines-from-memory\" aria-label=\"getting the process list and command lines from memory permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting the Process List and Command Lines from Memory</h3>\n<p>You can get a list of processes from memory with the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token 
comment\"># You can also filter like --filters \"ImageFileName,chrome.exe\"</span>\nvol3 -f memdump.mem windows.pslist.PsList\nvol3 -f memdump.mem windows.psscan.PsScan</code></pre></div>\n<p>The output looked like this.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/fbd8296bf30019f116f188882737b2e2/c23ad/image-20230521213729449.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 47.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/fbd8296bf30019f116f188882737b2e2/8ac56/image-20230521213729449.webp 240w,\n/static/fbd8296bf30019f116f188882737b2e2/d3be9/image-20230521213729449.webp 480w,\n/static/fbd8296bf30019f116f188882737b2e2/e46b2/image-20230521213729449.webp 960w,\n/static/fbd8296bf30019f116f188882737b2e2/1d5af/image-20230521213729449.webp 1193w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/fbd8296bf30019f116f188882737b2e2/8ff5a/image-20230521213729449.png 240w,\n/static/fbd8296bf30019f116f188882737b2e2/e85cb/image-20230521213729449.png 480w,\n/static/fbd8296bf30019f116f188882737b2e2/d9199/image-20230521213729449.png 960w,\n/static/fbd8296bf30019f116f188882737b2e2/c23ad/image-20230521213729449.png 1193w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/fbd8296bf30019f116f188882737b2e2/d9199/image-20230521213729449.png\"\n            alt=\"image-20230521213729449\"\n            title=\"image-20230521213729449\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I looked for anything other than default programs or any unfamiliar processes, I found the following.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">5768</span>    <span class=\"token number\">1464</span>    ubuntu2204.exe\n<span class=\"token number\">8888</span>    <span class=\"token number\">5128</span>    <span class=\"token function\">bash</span>\n<span class=\"token number\">5464</span>    <span class=\"token number\">8020</span>    FTK Imager.exe</code></pre></div>\n<p><code class=\"language-text\">FTK Imager</code> is fine, but this tells us the environment is running WSL.</p>\n<p><code class=\"language-text\">PsScan</code> can also produce equivalent output.</p>\n<p>There also appears to be a <code class=\"language-text\">PsTree</code> plugin that can display process information in tree form.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -f memdump.mem windows.pstree.PsTree</code></pre></div>\n<p>That gave the following information.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/738f986db8428225d32c8548196b27fc/6edca/image-20230521220046786.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 
46.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/738f986db8428225d32c8548196b27fc/8ac56/image-20230521220046786.webp 240w,\n/static/738f986db8428225d32c8548196b27fc/d3be9/image-20230521220046786.webp 480w,\n/static/738f986db8428225d32c8548196b27fc/e46b2/image-20230521220046786.webp 960w,\n/static/738f986db8428225d32c8548196b27fc/2d20a/image-20230521220046786.webp 1351w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/738f986db8428225d32c8548196b27fc/8ff5a/image-20230521220046786.png 240w,\n/static/738f986db8428225d32c8548196b27fc/e85cb/image-20230521220046786.png 480w,\n/static/738f986db8428225d32c8548196b27fc/d9199/image-20230521220046786.png 960w,\n/static/738f986db8428225d32c8548196b27fc/6edca/image-20230521220046786.png 1351w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/738f986db8428225d32c8548196b27fc/d9199/image-20230521220046786.png\"\n            alt=\"image-20230521220046786\"\n            title=\"image-20230521220046786\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Furthermore, you can collect command-line information for processes running in the system from memory.</p>\n<p>You can enumerate command lines with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -f memdump.mem windows.cmdline.CmdLine</code></pre></div>\n<p>The 
output is also quite readable.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3affdffc5fc8aef109d5dc799f965025/1b19f/image-20230521223144899.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 54.166666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABa0lEQVQoz22S167CMBBE/YZogdAJJPQWSmgP+f8fm6uz0qIg7sPIm3g9ntlxyPNc6/Vau91Om81G/X5fnU5Hg8HAMBwO7V+9Xlej0TA0m01Dq9X6QeDQZDIx0vl8/iGZTqcaj8cajUZfNWi320boF1QRIFssFjqfz4rjWPv9Xq/XS0VR6Ha76Xq96nA4aLlcmgPWLMuMuNvtqtfr2TlWnASaUAch5NvtVo/HQ8fj0Yj4Zh+FKAfUgH7gNU6McLVa6XK5mGUI7vf7Fxn7s9nsQ1S177WTBuxiAXtJklj9fD5FWJC6TeZWq9W+wvl3hqgCkECWpqne77fNEIWuwMNj9VBYf1KGBDsMH4WA+nQ6GQgJy/QxV3p5VgSC2mraRuipYRn7qOUg7xIyVNIDEfPkHwGyEgIJ+wwhD1h0Vf7m3DKoPhvmysW+B1DPPpdAGlCCMt4exCgpy9Jmyj8Sp5lwIAM4cJWchZSzURTpD4yEJEs958PaAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3affdffc5fc8aef109d5dc799f965025/8ac56/image-20230521223144899.webp 240w,\n/static/3affdffc5fc8aef109d5dc799f965025/d3be9/image-20230521223144899.webp 480w,\n/static/3affdffc5fc8aef109d5dc799f965025/e46b2/image-20230521223144899.webp 960w,\n/static/3affdffc5fc8aef109d5dc799f965025/5e0bb/image-20230521223144899.webp 991w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3affdffc5fc8aef109d5dc799f965025/8ff5a/image-20230521223144899.png 240w,\n/static/3affdffc5fc8aef109d5dc799f965025/e85cb/image-20230521223144899.png 
480w,\n/static/3affdffc5fc8aef109d5dc799f965025/d9199/image-20230521223144899.png 960w,\n/static/3affdffc5fc8aef109d5dc799f965025/1b19f/image-20230521223144899.png 991w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3affdffc5fc8aef109d5dc799f965025/d9199/image-20230521223144899.png\"\n            alt=\"image-20230521223144899\"\n            title=\"image-20230521223144899\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"dumping-an-entire-process-memory-region\" style=\"position:relative;\"><a href=\"#dumping-an-entire-process-memory-region\" aria-label=\"dumping an entire process memory region permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Dumping an Entire Process Memory Region</h3>\n<p>Also, the following command lets you dump an entire process’s memory.</p>\n<p><em>Depending on the size of the memory image, output may take a little while.</em></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># vol3 -o &lt;output path> -f memdump.mem windows.memmap --dump --pid &lt;PID></span>\nvol3 -o /tmp -f memdump.mem windows.memmap --dump --pid <span class=\"token 
number\">1000</span></code></pre></div>\n<h3 id=\"extracting-an-image-file-from-a-process\" style=\"position:relative;\"><a href=\"#extracting-an-image-file-from-a-process\" aria-label=\"extracting an image file from a process permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Extracting an Image File from a Process</h3>\n<p>With the <code class=\"language-text\">PsList</code> plugin, you can not only enumerate processes but also retrieve a process image file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># vol3 -o &lt;output directory> -f memdump.mem windows.pslist.PsList --pid &lt;process PID> --dump</span>\nvol3 -o /tmp -f memdump.mem windows.pslist.PsList --pid <span class=\"token number\">6724</span> --dump</code></pre></div>\n<p>When you run the above command, the specified process can be dumped as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c27e3362f1a40b66d34baaef2a4c57ba/cad6c/image-20230521222656884.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 7.5%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAXklEQVQI1z1NWQoAIRTqv6ioaKGF6v53dPBB8yHigqreO3LOmHOi1opSCsYYiDEKUkowxsB7D+ccQgjCWus/s9aKT1YcpLj34pyDd0DvDVK31uSUOQ/XWn+Pnb23ZB9/3TIXmVYfWAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c27e3362f1a40b66d34baaef2a4c57ba/8ac56/image-20230521222656884.webp 240w,\n/static/c27e3362f1a40b66d34baaef2a4c57ba/d3be9/image-20230521222656884.webp 480w,\n/static/c27e3362f1a40b66d34baaef2a4c57ba/e46b2/image-20230521222656884.webp 960w,\n/static/c27e3362f1a40b66d34baaef2a4c57ba/44ab2/image-20230521222656884.webp 1339w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c27e3362f1a40b66d34baaef2a4c57ba/8ff5a/image-20230521222656884.png 240w,\n/static/c27e3362f1a40b66d34baaef2a4c57ba/e85cb/image-20230521222656884.png 480w,\n/static/c27e3362f1a40b66d34baaef2a4c57ba/d9199/image-20230521222656884.png 960w,\n/static/c27e3362f1a40b66d34baaef2a4c57ba/cad6c/image-20230521222656884.png 1339w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c27e3362f1a40b66d34baaef2a4c57ba/d9199/image-20230521222656884.png\"\n            alt=\"image-20230521222656884\"\n            title=\"image-20230521222656884\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Although the extension is shown as <code class=\"language-text\">.dmp</code>, it is actually dumped as a PE file.</p>\n<h3 id=\"collecting-file-objects-from-memory\" style=\"position:relative;\"><a href=\"#collecting-file-objects-from-memory\" 
aria-label=\"collecting file objects from memory permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Collecting File Objects from Memory</h3>\n<p>With the following command, you can obtain the addresses and full paths of file objects from memory.</p>\n<p>The output is very large.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -f memdump.mem windows.filescan.FileScan</code></pre></div>\n<p>For this challenge memory image, you can identify paths for files inside WSL under the <code class=\"language-text\">jane</code> user folder.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/aa440/image-20230521220421822.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.499999999999996%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAq0lEQVQY01WQWwqFMAxE3YEfWhW0vvGJuv/VzeUEIt6P4SRpM0mb7PuuZVkEp2lSXdcqikIhBJVlaSTP81xVVb1nXoecZVmmNE2VPM+j8zx137dxHEcz7rpOfd+rbVuLm6bRMAyWoxjjSwYhTBNM1nWVExNvxOhryDDibx1R9+G2Ic+F13Vp2zYdx/GKnC+h0enCxA0h2/5tSDOH8zzbs51sTIPHyL/mG3PnBxJzict+baSsAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/8ac56/image-20230521220421822.webp 240w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/d3be9/image-20230521220421822.webp 480w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/e46b2/image-20230521220421822.webp 960w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/f992d/image-20230521220421822.webp 1440w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/293e0/image-20230521220421822.webp 1500w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/8ff5a/image-20230521220421822.png 240w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/e85cb/image-20230521220421822.png 480w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/d9199/image-20230521220421822.png 960w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/07a9c/image-20230521220421822.png 1440w,\n/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/aa440/image-20230521220421822.png 1500w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/87dbcd19b4ce12ed18e6b3c5da3f14b3/d9199/image-20230521220421822.png\"\n            alt=\"image-20230521220421822\"\n            title=\"image-20230521220421822\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    
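Because the FileScan listing runs to thousands of rows, it is easier to filter it programmatically than by eye. The Python script below is an added example, not code from the original post or from Volatility itself: it parses the tab-separated Offset / Name / Size rows printed by the Volatility 3 quick renderer, keeps only file objects under the WSL1 Linux home directory of a user (assumed to appear in the NT path as LocalState\rootfs\home\jane), and emits one ready-to-run DumpFiles command per hit. The sample output is constructed for this example; only the .bashrc offset 0xa38f15daa4d0 is taken from the page, and the distro package folder name is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `vol3 -f memdump.mem windows.filescan.FileScan` output.
# Only the .bashrc offset 0xa38f15daa4d0 comes from the page; every other offset,
# size and path is made up, and the distro folder name is a placeholder.
SAMPLE_FILESCAN = (
    'Volatility 3 Framework 2.4.2\n'
    'Offset\tName\tSize\n'
    '0xa38f0f3a1b20\t\\Windows\\System32\\ntdll.dll\t2011136\n'
    '0xa38f15daa4d0\t\\Users\\jane\\AppData\\Local\\Packages\\ExampleDistro_placeholder'
    '\\LocalState\\rootfs\\home\\jane\\.bashrc\t3771\n'
    '0xa38f15dab7e0\t\\Users\\jane\\AppData\\Local\\Packages\\ExampleDistro_placeholder'
    '\\LocalState\\rootfs\\home\\jane\\.bash_history\t512\n'
    '0xa38f15dac120\t\\Users\\jane\\Documents\\notes.txt\t88\n'
    '0xa38f0f4c9900\t\\Users\\jane\\AppData\\Local\\Packages\\ExampleDistro_placeholder'
    '\\LocalState\\rootfs\\usr\\bin\\bash\t1183448\n'
)

# One data row: hex offset, NT path, decimal size (or '-' when unknown), tab separated.
ROW_RE = re.compile(r'^(0x[0-9a-fA-F]+)\t(.+?)\t(\d+|-)\s*$')


@dataclass(frozen=True)
class FileObject:
    offset: int          # virtual address of the _FILE_OBJECT (what --virtaddr expects)
    path: str            # full NT path as reported by FileScan
    size: Optional[int]  # file size, None if the renderer printed '-'


def parse_filescan(text: str) -> List[FileObject]:
    """Parse FileScan text output; banner, header and progress lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        size = None if m.group(3) == '-' else int(m.group(3))
        rows.append(FileObject(int(m.group(1), 16), m.group(2), size))
    return rows


def find_wsl_home_files(rows: List[FileObject], user: str) -> List[FileObject]:
    """Keep file objects inside the WSL1 Linux home directory of `user`.

    Assumption: the distro root filesystem lives under ...\\LocalState\\rootfs\\,
    so the Linux home directory shows up as rootfs\\home\\<user>\\ in the NT path.
    """
    pat = re.compile(r'\\rootfs\\home\\' + re.escape(user) + r'\\', re.IGNORECASE)
    return [r for r in rows if pat.search(r.path)]


def dumpfiles_commands(rows: List[FileObject], image: str = 'memdump.mem',
                       outdir: str = '/tmp') -> List[str]:
    """Build one windows.dumpfiles.DumpFiles --virtaddr invocation per file object."""
    return [
        f'vol3 -o {outdir} -f {image} windows.dumpfiles.DumpFiles --virtaddr {r.offset:#x}'
        for r in rows
    ]


if __name__ == '__main__':
    hits = find_wsl_home_files(parse_filescan(SAMPLE_FILESCAN), 'jane')
    for cmd in dumpfiles_commands(hits):
        print(cmd)
```

On a real image you would redirect the FileScan output to a file and pass its contents to parse_filescan; the path pattern in find_wsl_home_files is the part to adapt if the distro stores its rootfs elsewhere.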
</span></p>\n<p>You can also use the address identified here to retrieve the file from memory.</p>\n<p>In the command example below, the <code class=\"language-text\">.bashrc</code> file inside WSL located at <code class=\"language-text\">0xa38f15daa4d0</code> is saved to a tmp directory.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># vol3 -o &lt;output directory> -f memdump.mem windows.dumpfiles.DumpFiles --virtaddr &lt;virtual address of the file object></span>\nvol3 -o /tmp -f memdump.mem windows.dumpfiles.DumpFiles --virtaddr 0xa38f15daa4d0</code></pre></div>\n<p>When retrieval succeeds, it is displayed as follows.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a4e538d2a93aa92558cf8710ce0f5bdc/d0143/image-20230521222011526.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 11.249999999999998%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAYUlEQVQI13WNuQoAMQgFt80BaTQHISeB/P8XvkWL7bYYxmLU596LMQbEMUYwM0opSClhrYWcM0IIMMbAWvuLcw7eezxzTl2Uo0SsPuegtYbeuyLN3vtDerG0Mtda9TER4QXPUTNczzew3wAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a4e538d2a93aa92558cf8710ce0f5bdc/8ac56/image-20230521222011526.webp 240w,\n/static/a4e538d2a93aa92558cf8710ce0f5bdc/d3be9/image-20230521222011526.webp 480w,\n/static/a4e538d2a93aa92558cf8710ce0f5bdc/e46b2/image-20230521222011526.webp 960w,\n/static/a4e538d2a93aa92558cf8710ce0f5bdc/d1bdf/image-20230521222011526.webp 
1025w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a4e538d2a93aa92558cf8710ce0f5bdc/8ff5a/image-20230521222011526.png 240w,\n/static/a4e538d2a93aa92558cf8710ce0f5bdc/e85cb/image-20230521222011526.png 480w,\n/static/a4e538d2a93aa92558cf8710ce0f5bdc/d9199/image-20230521222011526.png 960w,\n/static/a4e538d2a93aa92558cf8710ce0f5bdc/d0143/image-20230521222011526.png 1025w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a4e538d2a93aa92558cf8710ce0f5bdc/d9199/image-20230521222011526.png\"\n            alt=\"image-20230521222011526\"\n            title=\"image-20230521222011526\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I inspected the retrieved file, I confirmed that <code class=\"language-text\">.bashrc</code> had indeed been extracted from the memory dump.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 906px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e599bc9e9871c908f482ccc185e6ccc6/6029f/image-20230521222131165.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 54.58333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/e599bc9e9871c908f482ccc185e6ccc6/8ac56/image-20230521222131165.webp 240w,\n/static/e599bc9e9871c908f482ccc185e6ccc6/d3be9/image-20230521222131165.webp 480w,\n/static/e599bc9e9871c908f482ccc185e6ccc6/45005/image-20230521222131165.webp 906w\"\n              sizes=\"(max-width: 906px) 100vw, 906px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e599bc9e9871c908f482ccc185e6ccc6/8ff5a/image-20230521222131165.png 240w,\n/static/e599bc9e9871c908f482ccc185e6ccc6/e85cb/image-20230521222131165.png 480w,\n/static/e599bc9e9871c908f482ccc185e6ccc6/6029f/image-20230521222131165.png 906w\"\n            sizes=\"(max-width: 906px) 100vw, 906px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e599bc9e9871c908f482ccc185e6ccc6/6029f/image-20230521222131165.png\"\n            alt=\"image-20230521222131165\"\n            title=\"image-20230521222131165\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"getting-a-list-of-dlls-loaded-by-a-process\" style=\"position:relative;\"><a href=\"#getting-a-list-of-dlls-loaded-by-a-process\" aria-label=\"getting a list of dlls loaded by a process permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting a List of DLLs Loaded by a Process</h3>\n<p>With the 
following command, you can obtain a list of DLLs loaded by processes from memory.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -f memdump.mem windows.dlllist.DllList</code></pre></div>\n<p>As shown below, you can enumerate DLLs loaded by each process, and you can specify a PID with the <code class=\"language-text\">--pid</code> option.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9479d309ba26d2472ae4f4cb52ec12fa/252a4/image-20230521223949079.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAApElEQVQY0zWPSwqAMAxEu3TtQlAEtVbrlwpK73+zkRfoYqCdZD5xIQRt22ZY11Xv++q6LqWUNM+zmqbR8zyG+76NO8/T9tlBM46jhmFQVVVyLBTDGKO+7zNDRMwQMNv3XcdxGA9HEbhSZJomtW0r5723AQ0Y5pztjRARIaTzpz2gETwBtKYAu/xd3/cqppDljGVZ1HWdJcNjCOAxQMMFgEBQ17V+bR9z/OyPTR0AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9479d309ba26d2472ae4f4cb52ec12fa/8ac56/image-20230521223949079.webp 240w,\n/static/9479d309ba26d2472ae4f4cb52ec12fa/d3be9/image-20230521223949079.webp 480w,\n/static/9479d309ba26d2472ae4f4cb52ec12fa/e46b2/image-20230521223949079.webp 960w,\n/static/9479d309ba26d2472ae4f4cb52ec12fa/bf23a/image-20230521223949079.webp 1314w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9479d309ba26d2472ae4f4cb52ec12fa/8ff5a/image-20230521223949079.png 
240w,\n/static/9479d309ba26d2472ae4f4cb52ec12fa/e85cb/image-20230521223949079.png 480w,\n/static/9479d309ba26d2472ae4f4cb52ec12fa/d9199/image-20230521223949079.png 960w,\n/static/9479d309ba26d2472ae4f4cb52ec12fa/252a4/image-20230521223949079.png 1314w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9479d309ba26d2472ae4f4cb52ec12fa/d9199/image-20230521223949079.png\"\n            alt=\"image-20230521223949079\"\n            title=\"image-20230521223949079\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Also, just like dumping a process image file, you can use the <code class=\"language-text\">--dump</code> option to dump all DLL files loaded by a process.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -o /tmp -f memdump.mem windows.dlllist.DllList --pid <span class=\"token number\">6724</span> --dump</code></pre></div>\n<p>You can see that these were also exported as DLL files.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4650ce4819f6275a1866c511dbfdf3f1/a0730/image-20230521224303356.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 9.166666666666668%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAcklEQVQI1zWMOQ7EIAAD01MgasQdQcINEv9/mlcQbeHGM/YVa8QbXzxPxJwTpRTUWrHWQmsNjDEQQqCUQs4ZYwyEEOC9P3z7MX7blBIu1SRMumHvdOAut9B7PwfOOVhrz8GfGWMgpTwRQkBrDc45KKX4AW4wOe/gzzqJAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4650ce4819f6275a1866c511dbfdf3f1/8ac56/image-20230521224303356.webp 240w,\n/static/4650ce4819f6275a1866c511dbfdf3f1/d3be9/image-20230521224303356.webp 480w,\n/static/4650ce4819f6275a1866c511dbfdf3f1/e46b2/image-20230521224303356.webp 960w,\n/static/4650ce4819f6275a1866c511dbfdf3f1/bcfd3/image-20230521224303356.webp 1131w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4650ce4819f6275a1866c511dbfdf3f1/8ff5a/image-20230521224303356.png 240w,\n/static/4650ce4819f6275a1866c511dbfdf3f1/e85cb/image-20230521224303356.png 480w,\n/static/4650ce4819f6275a1866c511dbfdf3f1/d9199/image-20230521224303356.png 960w,\n/static/4650ce4819f6275a1866c511dbfdf3f1/a0730/image-20230521224303356.png 1131w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4650ce4819f6275a1866c511dbfdf3f1/d9199/image-20230521224303356.png\"\n            alt=\"image-20230521224303356\"\n            title=\"image-20230521224303356\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"enumerating-object-handles\" style=\"position:relative;\"><a href=\"#enumerating-object-handles\" aria-label=\"enumerating object handles permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" 
height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumerating Object Handles</h3>\n<p>You can enumerate object handles with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -f memdump.mem windows.handles.Handles</code></pre></div>\n<h2 id=\"analyzing-memory-interactively-with-volshell3\" style=\"position:relative;\"><a href=\"#analyzing-memory-interactively-with-volshell3\" aria-label=\"analyzing memory interactively with volshell3 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyzing Memory Interactively with Volshell3</h2>\n<p>Volshell3 works as an interactive interface for analyzing memory dumps, and can be operated much like a Python interpreter.</p>\n<p>Reference: <a href=\"https://volatility3.readthedocs.io/en/latest/volshell.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Volshell - A CLI tool for working with memory — Volatility 3 2.4.2 documentation</a></p>\n<p>To analyze a Windows memory dump with Volshell3, run the following command.</p>\n<div class=\"gatsby-highlight\" 
data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">volshell3 -f memdump.mem -w</code></pre></div>\n<p>The <code class=\"language-text\">-w</code> option is important: it starts Volshell3 in Windows mode, so the Windows kernel symbols (and the Windows-specific helpers used below) are loaded; without it, you won’t be able to inspect most information.</p>\n<p>When Volshell3 starts, you see a screen like this.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 523px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/3e286/image-20230522211054743.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 46.25%; position: relative; bottom: 0; left: 0; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/8ac56/image-20230522211054743.webp 240w,\n/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/d3be9/image-20230522211054743.webp 480w,\n/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/210f1/image-20230522211054743.webp 523w\"\n              sizes=\"(max-width: 523px) 100vw, 523px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/8ff5a/image-20230522211054743.png 240w,\n/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/e85cb/image-20230522211054743.png 480w,\n/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/3e286/image-20230522211054743.png 523w\"\n            sizes=\"(max-width: 523px) 100vw, 523px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/5f5c7b76fc65b1e85193e2d5ebdfee3f/3e286/image-20230522211054743.png\"\n            alt=\"image-20230522211054743\"\n            title=\"image-20230522211054743\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"accessing-eprocess\" style=\"position:relative;\"><a href=\"#accessing-eprocess\" aria-label=\"accessing eprocess permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Accessing EPROCESS</h3>\n<p>For example, running the following commands (Python, typed at the Volshell3 prompt) will enumerate information about <code class=\"language-text\">EPROCESS</code> structures in memory.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"># ps() returns the list of EPROCESS objects found in the image\nproc = ps()\nfor p in proc:\n    print(p)</code></pre></div>\n<p>The output looks like this.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 696px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/73a9602291aa6ac2522b7e247ac9f6c3/82158/image-20230522211220844.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 47.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/73a9602291aa6ac2522b7e247ac9f6c3/8ac56/image-20230522211220844.webp 240w,\n/static/73a9602291aa6ac2522b7e247ac9f6c3/d3be9/image-20230522211220844.webp 480w,\n/static/73a9602291aa6ac2522b7e247ac9f6c3/038cb/image-20230522211220844.webp 696w\"\n              sizes=\"(max-width: 696px) 100vw, 696px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/73a9602291aa6ac2522b7e247ac9f6c3/8ff5a/image-20230522211220844.png 240w,\n/static/73a9602291aa6ac2522b7e247ac9f6c3/e85cb/image-20230522211220844.png 480w,\n/static/73a9602291aa6ac2522b7e247ac9f6c3/82158/image-20230522211220844.png 696w\"\n            sizes=\"(max-width: 696px) 100vw, 696px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/73a9602291aa6ac2522b7e247ac9f6c3/82158/image-20230522211220844.png\"\n            alt=\"image-20230522211220844\"\n            title=\"image-20230522211220844\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Volshell3 also provides a <code class=\"language-text\">dt</code> command.</p>\n<p>This works almost the same way as WinDbg’s <code class=\"language-text\">dt</code> command.</p>\n<p>So, for example, you can use commands like the following to display structure offsets or inspect the 
contents of a specific <code class=\"language-text\">EPROCESS</code> structure.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Enumerate information about the EPROCESS structure</span>\ndt<span class=\"token punctuation\">(</span><span class=\"token string\">'_EPROCESS'</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Enumerate the EPROCESS information obtained with ps()[0]</span>\nproc <span class=\"token operator\">=</span> ps<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\ndt<span class=\"token punctuation\">(</span>proc<span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"analyzing-the-challenge-file\" style=\"position:relative;\"><a href=\"#analyzing-the-challenge-file\" aria-label=\"analyzing the challenge file permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyzing the Challenge File</h2>\n<p>After using Volatility to understand the system’s basic information, I started solving the challenge.</p>\n<p>In this challenge, the flag appears to consist of some command found in memory and the time it was executed.</p>\n<p>However, nothing that looked like a flag appeared in the information enumerated by the <code class=\"language-text\">CmdLine</code> plugin.</p>\n<p>So I focused 
on the WSL process running in the system.</p>\n<p>According to the page cited in the writeup below, even for a WSL bash process, it seems possible to search in-memory information using the same commands as on normal Linux.</p>\n<p>Reference: <a href=\"https://www.sciencedirect.com/science/article/pii/S1742287618301944\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Memory forensics and the Windows Subsystem for Linux - ScienceDirect</a></p>\n<p>Also, Volatility’s <code class=\"language-text\">linux_bash</code> can apparently scan a bash process heap to easily search execution history.</p>\n<p>Reference: <a href=\"https://volatility-labs.blogspot.com/2013/05/movp-ii-33-automated-linuxandroid-bash.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Volatility Labs: MoVP II - 3.3 - Automated Linux/Android Bash History Scanning</a></p>\n<p>Reference: <a href=\"https://volatility3.readthedocs.io/en/latest/getting-started-linux-tutorial.html#linux-bash\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Linux Tutorial — Volatility 3 2.4.2 documentation</a></p>\n<p>In other words, if we can run the <code class=\"language-text\">linux_bash</code> plugin against a bash process running under WSL, we should be able to identify the executed commands.</p>\n<h3 id=\"investigating-the-wsl-process\" style=\"position:relative;\"><a href=\"#investigating-the-wsl-process\" aria-label=\"investigating the wsl process permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Investigating the WSL 
Process</h3>\n<p>As confirmed with the <code class=\"language-text\">Info</code> plugin at the beginning, this system’s build is <code class=\"language-text\">20H1</code>, so we know the running WSL version is 1.</p>\n<p>As described in Volume 1 of <em>Windows Internals</em>, WSL1 uses interfaces provided by the Pico providers <code class=\"language-text\">Lxss.sys</code> and <code class=\"language-text\">Lxcore.sys</code> (kernel drivers that obtain access to kernel interfaces using the <code class=\"language-text\">PsRegisterPicoProvider</code> API).</p>\n<p>Processes running under a Pico provider are managed as Pico processes.</p>\n<p>The memory of processes running under WSL’s Pico provider contains structures similar to Linux’s <code class=\"language-text\">vDSO</code> (<em>Virtual Dynamic Shared Object</em>).</p>\n<p>Reference: <a href=\"https://qiita.com/akachochin/items/d5d1ba84fefae2f781f3\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">I Took a Quick Look at the Implementation of VDSO(arm) - Qiita</a></p>\n<p>As shown in the image below, WSL <code class=\"language-text\">/bin/bash</code> runs as a Pico process managed by a Pico provider.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 775px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1d35da6d6ab6a90327aadfbaf89d232a/0098c/image-20230522220013888.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 44.166666666666664%; position: relative; bottom: 0; left: 0; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/1d35da6d6ab6a90327aadfbaf89d232a/8ac56/image-20230522220013888.webp 240w,\n/static/1d35da6d6ab6a90327aadfbaf89d232a/d3be9/image-20230522220013888.webp 480w,\n/static/1d35da6d6ab6a90327aadfbaf89d232a/05e2a/image-20230522220013888.webp 775w\"\n              sizes=\"(max-width: 775px) 100vw, 775px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1d35da6d6ab6a90327aadfbaf89d232a/8ff5a/image-20230522220013888.png 240w,\n/static/1d35da6d6ab6a90327aadfbaf89d232a/e85cb/image-20230522220013888.png 480w,\n/static/1d35da6d6ab6a90327aadfbaf89d232a/0098c/image-20230522220013888.png 775w\"\n            sizes=\"(max-width: 775px) 100vw, 775px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1d35da6d6ab6a90327aadfbaf89d232a/0098c/image-20230522220013888.png\"\n            alt=\"image-20230522220013888\"\n            title=\"image-20230522220013888\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Source: <em>Windows Internals, 7th Edition (Part 1)</em></p>\n<p>The Pico provider has functions to create and terminate Pico processes and threads, and it receives callbacks when Pico threads make syscalls or raise exceptions.</p>\n<p>As a result, Pico processes running under a Pico provider are encapsulated and wrapped as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 871px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/751b9cbcf95b0a539c6d4291457eba0a/9d5da/image-20230522220328415.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 55.833333333333336%; position: relative; bottom: 0; left: 0; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/751b9cbcf95b0a539c6d4291457eba0a/8ac56/image-20230522220328415.webp 240w,\n/static/751b9cbcf95b0a539c6d4291457eba0a/d3be9/image-20230522220328415.webp 480w,\n/static/751b9cbcf95b0a539c6d4291457eba0a/81b74/image-20230522220328415.webp 871w\"\n              sizes=\"(max-width: 871px) 100vw, 871px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/751b9cbcf95b0a539c6d4291457eba0a/8ff5a/image-20230522220328415.png 240w,\n/static/751b9cbcf95b0a539c6d4291457eba0a/e85cb/image-20230522220328415.png 480w,\n/static/751b9cbcf95b0a539c6d4291457eba0a/9d5da/image-20230522220328415.png 871w\"\n            sizes=\"(max-width: 871px) 100vw, 871px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/751b9cbcf95b0a539c6d4291457eba0a/9d5da/image-20230522220328415.png\"\n            alt=\"image-20230522220328415\"\n            title=\"image-20230522220328415\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Source: <em>Windows Internals, 7th Edition (Part 1)</em></p>\n<p>For example, you can enumerate the <code class=\"language-text\">EPROCESS</code> structure information for the bash process with either of the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"># 8888 5128 bash 0xa38f11b8a080  (PID, PPID, image name, EPROCESS offset from the process listing)\nproc = ps()\nfor p in proc:\n    if p.UniqueProcessId == 8888:\n        dt(p)\n\n# Or address the same EPROCESS structure directly by its virtual address\ndt(\"_EPROCESS\", 0xa38f11b8a080)</code></pre></div>\n<p>However, as mentioned above, this bash process is a Pico process encapsulated by a Pico provider, so it does not have PEB information.</p>\n<h3 id=\"manually-analyzing-the-bash-process-memory\" style=\"position:relative;\"><a href=\"#manually-analyzing-the-bash-process-memory\" aria-label=\"manually analyzing the bash process memory permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Manually Analyzing the bash Process Memory</h3>\n<p>Honestly, from here it became completely impossible for me to proceed on my own, so I followed along with the writeup’s explanation.</p>\n<p>Reference: <a href=\"https://github.com/HeroCTF/HeroCTF_v5/blob/main/Forensics/Windows_Stands_For_Loser/README.md\" target=\"_blank\" rel=\"nofollow noopener 
noreferrer\">HeroCTF<em>v5/README.md at main · HeroCTF/HeroCTF</em>v5 · GitHub</a></p>\n<p>First, dump the memory space of the bash process running as PID <code class=\"language-text\">8888</code> with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -o /tmp -f memdump.mem windows.memmap --dump --pid <span class=\"token number\">8888</span> </code></pre></div>\n<p>When I ran the <code class=\"language-text\">file</code> command on the dumped file, it was recognized as <code class=\"language-text\">glibc locale file LC_CTYPE</code>.</p>\n<p>As mentioned earlier, Volatility’s <code class=\"language-text\">linux_bash</code> plugin can extract command execution history from Linux memory dumps.</p>\n<p>However, since what I extracted this time was only the bash process’s memory space, I couldn’t simply use that plugin as-is.</p>\n<p>Here, the following page explains how <code class=\"language-text\">linux_bash</code> works:</p>\n<blockquote>\n<ol>\n<li>Scan the heap of all running /bin/bash instances, or all processes period if —scan-all is supplied. The ---scan-all allows you to ignore the process name, in case an attacker copied a /bin/bash shell to /tmp/a and then entered commands. Furthermore, since we’re only scanning the heap of the process, its much quicker than a whole process address space scan.</li>\n<li>Look for # characters in heap segments. With the address in process memory for each # character, do a second scan for pointers to that address elsewhere on the heap. The goal is to find the timestamp member of the <em>hist</em>entry structure. We’re essentially linking up data with pointers to the data.</li>\n<li>With each potential timestamp, we subtract 8 bytes (since it exists at offset 8 of the structure). That should give us the base address of the <em>hist</em>entry. 
Now we can associate any other members of <em>hist</em>entry (in particular the line member) with the timestamp.</li>\n<li>Once the scan is finished, collect all <em>hist</em>entry structures and place them in chronological order by timestamp. Then report the results.</li>\n</ol>\n</blockquote>\n<p>Reference: <a href=\"https://volatility-labs.blogspot.com/2013/05/movp-ii-33-automated-linuxandroid-bash.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Volatility Labs: MoVP II - 3.3 - Automated Linux/Android Bash History Scanning</a></p>\n<p>To obtain command history from a bash process, it first scans the entire bash process, then finds <code class=\"language-text\">#</code> characters in heap segments, and from there identifies the timestamps in <code class=\"language-text\">_hist_entry</code> structures.</p>\n<p>The <code class=\"language-text\">_hist_entry</code> structure contains the entered command-line string, the execution timestamp, and other data.</p>\n<p>Reference: <a href=\"https://linux.die.net/man/3/history\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">history(3): GNU History Library - Linux man page</a></p>\n<p>Next, subtracting 8 bytes from those timestamp addresses gives the base address of the <code class=\"language-text\">_hist_entry</code> structure.</p>\n<p>Finally, you enumerate all <code class=\"language-text\">_hist_entry</code> structures in memory in timestamp order to collect the command execution history from memory.</p>\n<p>After that, I manually followed the above procedure against the dumped bash process memory.</p>\n<p>First, search the entire process for the <code class=\"language-text\">#</code> character, then look for UNIX timestamps in memory.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> os\ni <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nmemdump <span 
class=\"token operator\">=</span> <span class=\"token string\">\"./pid.8888.dmp\"</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>memdump<span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n<span class=\"token comment\"># Read the file one byte at a time and check whether # exists</span>\n    <span class=\"token keyword\">while</span> i <span class=\"token operator\">&lt;</span> os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>getsize<span class=\"token punctuation\">(</span>memdump<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        diese <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> diese<span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">break</span>\n<span class=\"token comment\"># Advance until the # character is found</span>\n        <span class=\"token keyword\">if</span> diese <span class=\"token operator\">==</span> <span class=\"token string\">b\"\\x23\"</span><span class=\"token punctuation\">:</span>\n            one <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span> \n            \n<span class=\"token comment\"># Since the target is a UNIX timestamp, the first digit must always be 1</span>\n            <span class=\"token keyword\">if</span> one <span class=\"token operator\">==</span> <span 
class=\"token string\">b\"\\x31\"</span><span class=\"token punctuation\">:</span> <span class=\"token comment\"># \"1\"</span>\n<span class=\"token comment\"># Once a timestamp is found, read the next 9 bytes and write them to a file</span>\n                next_data <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token number\">9</span><span class=\"token punctuation\">)</span> \n                <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"./8888_extracted_info.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"a\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f2<span class=\"token punctuation\">:</span>\n                    f2<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"offset: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\"> - #1\"</span></span><span class=\"token punctuation\">)</span>\n                    <span class=\"token keyword\">for</span> byte <span class=\"token keyword\">in</span> next_data<span class=\"token punctuation\">:</span>\n                        f2<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>byte<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n                    f2<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"\\n\"</span></span><span class=\"token punctuation\">)</span>\n                i<span class=\"token operator\">+=</span><span class=\"token number\">9</span>\n            i<span class=\"token operator\">+=</span><span class=\"token number\">1</span>\n        i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span></code></pre></div>\n<p>When I ran the script above, there was a lot of noise, but I found the following three timestamps and their offsets.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">offset: 0x30a100 - <span class=\"token comment\">#1683741543</span>\noffset: 0x362d30 - <span class=\"token comment\">#1683741570</span>\noffset: 0x376d10 - <span class=\"token comment\">#1683741539</span></code></pre></div>\n<p>Next, after determining the virtual addresses corresponding to these timestamp offsets, I found pointers referencing those addresses and used them to identify the base addresses of the <code class=\"language-text\">_hist_entry</code> structures.</p>\n<p>The mapping between offsets in the extracted memory dump and loaded virtual addresses can be referenced from the output of <code class=\"language-text\">vol3 -o /tmp -f memdump.mem windows.memmap --dump --pid 8888</code> shown earlier.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 504px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b99dbdb7c97fa3263bb8f6069ea34ec3/08115/image-20230522231930837.png\"\n    style=\"display: 
block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 72.91666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b99dbdb7c97fa3263bb8f6069ea34ec3/8ac56/image-20230522231930837.webp 240w,\n/static/b99dbdb7c97fa3263bb8f6069ea34ec3/d3be9/image-20230522231930837.webp 480w,\n/static/b99dbdb7c97fa3263bb8f6069ea34ec3/062aa/image-20230522231930837.webp 504w\"\n              sizes=\"(max-width: 504px) 100vw, 504px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b99dbdb7c97fa3263bb8f6069ea34ec3/8ff5a/image-20230522231930837.png 240w,\n/static/b99dbdb7c97fa3263bb8f6069ea34ec3/e85cb/image-20230522231930837.png 480w,\n/static/b99dbdb7c97fa3263bb8f6069ea34ec3/08115/image-20230522231930837.png 504w\"\n            sizes=\"(max-width: 504px) 100vw, 504px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b99dbdb7c97fa3263bb8f6069ea34ec3/08115/image-20230522231930837.png\"\n            alt=\"image-20230522231930837\"\n            title=\"image-20230522231930837\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>For example, since <code class=\"language-text\">0x30a000</code> corresponds to <code class=\"language-text\">0x00007fffeca66000</code>, we can see that address <code class=\"language-text\">0x30a100</code> corresponds to <code class=\"language-text\">0x00007fffeca66100</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: 
block; margin-left: auto; margin-right: auto; max-width: 571px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3ec359b28743f317d41c23c363ec6ff1/17d73/image-20230522232313436.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 44.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABpklEQVQoz1VSSW7bQBDkQySYiygO91WkSJESqY0QLMCHAD7k6pP9Cd/yjvy0MtUJDzk0ZnqZ6urqMSzLgm3bMPXpOA7oW//um81GcpK3HbzEPczsDFNl2t/AdFzYrgeLZuka04Sx2+3Qti36vsf9fkdVVeKfTidcLhfxx/EEPy7g/fiF9OM31PEdrvLhpxXK/QFZ00MFEVxNwEjTFGVZoigKdF2HJEnkTlA2831f4mEYIY5CNHUF13Xhbj3khX5XVnJyqtVqBaOua+z3e2E4z7Mwok92x+MRURThdrtJ/HA44Pl86liIIAgkfz6fMY2jNFmv1zAWRmS5MMyyTNg1TSOAbBDHsa7LMQwDPM8TYxMSolFzAeRDPiDYwpBAo+56vV6lEdnyrOoO1/kVfhBqKZRMxToy5QIFMM9zKWYXJsiO/iJDnmd61B5lkeJ1ivHzrUWeeBowkBpqTdtut3+3zCDHINjj8fhPT9FOg9/uM4Zuh6/3BN+furbRGoaJbJ/sp2mCUkq+l2yZtohOrchy2TLF7/Q90vE41ZO0g2xYaQ0XnWmLhn8AUYEfytC8Q0AAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3ec359b28743f317d41c23c363ec6ff1/8ac56/image-20230522232313436.webp 240w,\n/static/3ec359b28743f317d41c23c363ec6ff1/d3be9/image-20230522232313436.webp 480w,\n/static/3ec359b28743f317d41c23c363ec6ff1/9ac82/image-20230522232313436.webp 571w\"\n              sizes=\"(max-width: 571px) 100vw, 571px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3ec359b28743f317d41c23c363ec6ff1/8ff5a/image-20230522232313436.png 240w,\n/static/3ec359b28743f317d41c23c363ec6ff1/e85cb/image-20230522232313436.png 480w,\n/static/3ec359b28743f317d41c23c363ec6ff1/17d73/image-20230522232313436.png 571w\"\n            sizes=\"(max-width: 571px) 100vw, 571px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3ec359b28743f317d41c23c363ec6ff1/17d73/image-20230522232313436.png\"\n            alt=\"image-20230522232313436\"\n            title=\"image-20230522232313436\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Likewise, after determining the mappings for the other two offsets, I established the following correspondences.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">offset: 0x30a100 <span class=\"token builtin class-name\">:</span> 0x00007fffeca66100\noffset: 0x362d30 <span class=\"token builtin class-name\">:</span> 0x00007fffecabed30\noffset: 0x376d10 <span class=\"token builtin class-name\">:</span> 0x00007fffecad2d10</code></pre></div>\n<p>Convert these virtual addresses to little-endian and search for them in memory.</p>\n<p>You can use any suitable hex editor for the search; this time I used <code class=\"language-text\">HxD</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 628px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/667446fdfaa802b35f70f1990f6ed0c0/3d84d/image-20230522234809916.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 48.75000000000001%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABv0lEQVQoz4VSS5KbMBTk9sliKvfIGVKV7Cer7DKZsrGNASH0AyQxY5h0WpInlV0WXdD6vNevW9W17dFcGkxuwr7v2Lbtjv0/2HC7FbyvpfvVICKMWeH9DTHuGd4XBF/4smwZ83xDCDvctN333qD1BilfodQrC/5GdThEXJoXGG2gRwVrbPmSpzVnXdlTGuq+P8oRYVk4lYPl/jhqDGLIKqunp4DzeeWiwjgM+dIgBJSUkOSpkOThkTwh8b7rsUwTBM81zRV9L9B1HUKMqJ5/BRyPEY7dnDFZWVFS/meuz9ZkLISfqEopvARP5TorXOOKNcTi4alOI6+Y2HG+Q/NCKu5YwLgZ18GiERpXopUWp3aEsjP905xsxMCR+2GEZ9HsYX1a/ypMXZNn1jjE2eHH2eLjlxafvnUZD187fCD//L1D9DODWvCztXg8aAiGVh1TKJdS0KYRTAnHUGUeKYVABYre6RQOG0mp4BefQxH01/HJLeT7/oaqpn9ty5R50ZqSajafoyQvnbW5eG5GTOQpsJSyED3qukbX9wzqn1BOHDmZq1OSg8zPwtwLGCpLDd6TN9pmHjxDMUW59yE3T4/9D8hj85Lkck/WAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/667446fdfaa802b35f70f1990f6ed0c0/8ac56/image-20230522234809916.webp 240w,\n/static/667446fdfaa802b35f70f1990f6ed0c0/d3be9/image-20230522234809916.webp 480w,\n/static/667446fdfaa802b35f70f1990f6ed0c0/724e7/image-20230522234809916.webp 628w\"\n              sizes=\"(max-width: 628px) 100vw, 628px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/667446fdfaa802b35f70f1990f6ed0c0/8ff5a/image-20230522234809916.png 240w,\n/static/667446fdfaa802b35f70f1990f6ed0c0/e85cb/image-20230522234809916.png 480w,\n/static/667446fdfaa802b35f70f1990f6ed0c0/3d84d/image-20230522234809916.png 628w\"\n            sizes=\"(max-width: 628px) 100vw, 628px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/667446fdfaa802b35f70f1990f6ed0c0/3d84d/image-20230522234809916.png\"\n            alt=\"image-20230522234809916\"\n            title=\"image-20230522234809916\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        
</picture>\n  </a>\n    </span></p>\n<p>This let me identify the addresses that hold pointers to the timestamps.</p>\n<p>In other words, I could determine that the address written in the preceding 8 bytes is a pointer to the command-line string contained in the <code class=\"language-text\">_hist_entry</code> structure.</p>\n<h3 id=\"retrieving-values-from-virtual-addresses-with-volshell\" style=\"position:relative;\"><a href=\"#retrieving-values-from-virtual-addresses-with-volshell\" aria-label=\"retrieving values from virtual addresses with volshell permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Retrieving Values from Virtual Addresses with Volshell</h3>\n<p>Finally, I used the identified virtual addresses of the <code class=\"language-text\">_hist_entry</code> structures to dump raw data from memory and obtain the command-line information.</p>\n<p>First, I changed the context to the bash process with the <code class=\"language-text\">cc</code> command, then used <code class=\"language-text\">db</code> to retrieve information at the virtual address.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># cc(offset=None, pid=None, name=None) : Change current shell context.</span>\ncc<span class=\"token punctuation\">(</span>pid<span class=\"token operator\">=</span><span class=\"token number\">8888</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># >>> 
db(0x00007fffecabc4c0) /!\\ you can ask to display more bits</span>\n<span class=\"token operator\">>></span><span class=\"token operator\">></span> db<span class=\"token punctuation\">(</span>0x00007fffecabc4c0,200<span class=\"token punctuation\">)</span>\n0x7fffecabc4c0  <span class=\"token number\">65</span> <span class=\"token number\">63</span> <span class=\"token number\">68</span> 6f <span class=\"token number\">20</span> 4b <span class=\"token number\">48</span> <span class=\"token number\">42</span> <span class=\"token number\">73</span> 5a <span class=\"token number\">57</span> <span class=\"token number\">46</span> 7a 5a <span class=\"token number\">53</span> <span class=\"token number\">42</span>   echo.KHBsZWFzZSB\n0x7fffecabc4d0  6b <span class=\"token number\">62</span> <span class=\"token number\">32</span> <span class=\"token number\">34</span> 6e <span class=\"token number\">64</span> <span class=\"token number\">43</span> <span class=\"token number\">42</span> 6d <span class=\"token number\">61</span> <span class=\"token number\">57</span> <span class=\"token number\">35</span> 6b <span class=\"token number\">49</span> <span class=\"token number\">47</span> <span class=\"token number\">31</span>   kb24ndCBmaW5kIG1\n0x7fffecabc4e0  6c <span class=\"token number\">49</span> <span class=\"token number\">48</span> <span class=\"token number\">64</span> <span class=\"token number\">70</span> <span class=\"token number\">64</span> <span class=\"token number\">47</span> <span class=\"token number\">67</span> <span class=\"token number\">67</span> <span class=\"token number\">64</span> <span class=\"token number\">47</span> <span class=\"token number\">68</span> 6c <span class=\"token number\">49</span> <span class=\"token number\">43</span> 4a   lIHdpdGggdGhlICJ\n0x7fffecabc4f0  7a <span class=\"token number\">64</span> <span class=\"token number\">48</span> 4a <span class=\"token number\">70</span> <span class=\"token number\">62</span> 6d <span 
class=\"token number\">64</span> 7a <span class=\"token number\">49</span> <span class=\"token number\">69</span> <span class=\"token number\">42</span> 6a <span class=\"token number\">62</span> <span class=\"token number\">32</span> <span class=\"token number\">31</span>   zdHJpbmdzIiBjb21\n0x7fffecabc500  <span class=\"token number\">74</span> <span class=\"token number\">59</span> <span class=\"token number\">57</span> <span class=\"token number\">35</span> 6b 4c <span class=\"token number\">43</span> <span class=\"token number\">42</span> <span class=\"token number\">30</span> <span class=\"token number\">61</span> <span class=\"token number\">47</span> <span class=\"token number\">56</span> <span class=\"token number\">79</span> 5a <span class=\"token number\">53</span> <span class=\"token number\">42</span>   tYW5kLCB0aGVyZSB\n0x7fffecabc510  <span class=\"token number\">70</span> <span class=\"token number\">63</span> <span class=\"token number\">79</span> <span class=\"token number\">42</span> <span class=\"token number\">68</span> <span class=\"token number\">49</span> <span class=\"token number\">47</span> 5a <span class=\"token number\">31</span> <span class=\"token number\">62</span> 6d <span class=\"token number\">35</span> <span class=\"token number\">70</span> 5a <span class=\"token number\">58</span> <span class=\"token number\">49</span>   pcyBhIGZ1bm5pZXI\n0x7fffecabc520  <span class=\"token number\">67</span> <span class=\"token number\">62</span> <span class=\"token number\">57</span> <span class=\"token number\">56</span> <span class=\"token number\">30</span> <span class=\"token number\">61</span> <span class=\"token number\">47</span> <span class=\"token number\">39</span> 6b 4b <span class=\"token number\">53</span> <span class=\"token number\">35</span> <span class=\"token number\">55</span> <span class=\"token number\">61</span> <span class=\"token number\">47</span> <span class=\"token number\">55</span>   gbWV0aG9kKS5UaGU\n0x7fffecabc530 
 <span class=\"token number\">67</span> <span class=\"token number\">63</span> <span class=\"token number\">32</span> <span class=\"token number\">56</span> 6a <span class=\"token number\">63</span> 6d <span class=\"token number\">56</span> <span class=\"token number\">30</span> <span class=\"token number\">49</span> <span class=\"token number\">47</span> 6c 7a <span class=\"token number\">49</span> <span class=\"token number\">44</span> 6f   gc2VjcmV0IGlzIDo\n0x7fffecabc540  <span class=\"token number\">67</span> <span class=\"token number\">64</span> 7a <span class=\"token number\">56</span> <span class=\"token number\">73</span> <span class=\"token number\">58</span> 7a <span class=\"token number\">42</span> <span class=\"token number\">75</span> 4d <span class=\"token number\">77</span> 3d 3d <span class=\"token number\">20</span> 7c <span class=\"token number\">20</span>   <span class=\"token assign-left variable\">gdzVsXzBuMw</span><span class=\"token operator\">==</span>.<span class=\"token operator\">|</span><span class=\"token builtin class-name\">.</span>\n0x7fffecabc550  <span class=\"token number\">62</span> <span class=\"token number\">61</span> <span class=\"token number\">73</span> <span class=\"token number\">65</span> <span class=\"token number\">36</span> <span class=\"token number\">34</span> <span class=\"token number\">20</span> 2d <span class=\"token number\">64</span> 00 ab ec ff 7f 00 00   base64.-d<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.\n\n<span class=\"token operator\">>></span><span class=\"token operator\">></span> db<span class=\"token punctuation\">(</span>0x00007fffecabed30<span class=\"token punctuation\">)</span>\n0x7fffecabed30  <span class=\"token number\">23</span> <span class=\"token number\">31</span> <span class=\"token number\">36</span> <span class=\"token number\">38</span> <span class=\"token number\">33</span> <span class=\"token 
number\">37</span> <span class=\"token number\">34</span> <span class=\"token number\">31</span> <span class=\"token number\">35</span> <span class=\"token number\">37</span> <span class=\"token number\">30</span> 00 00 00 00 00   <span class=\"token comment\">#1683741570.....</span></code></pre></div>\n<p>This allowed me to identify the executed command line and the timestamp, and I obtained the flag.</p>\n<p>For some reason, however, the <code class=\"language-text\">cc</code> command raises an error in Volshell3, so I used Volatility 2 only for this part.</p>\n<p>Reference: <a href=\"https://github.com/volatilityfoundation/volatility/wiki/Command-Reference\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Command Reference · volatilityfoundation/volatility Wiki</a></p>\n<p>Reference: <a href=\"https://blog.onfvp.com/post/volatility-cheatsheet/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Volatility 3 CheatSheet - onfvpBlog [Ashley Pearson]</a></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>The challenge I used as the theme this time was quite difficult, and only 3 teams solved it.</p>\n<p>I think it was a great challenge that broadened the ways I can use Volatility and taught me a lot.</p>\n<p>I want to become a forensic 
investigator.</p>","fields":{"slug":"/ctf-heroctf-windows-memory-analysis-en","tagSlugs":["/tag/ctf-en/","/tag/windows-en/","/tag/volatility-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-23","description":"Using a HeroCTF 2023 challenge as a case study, I analyzed Windows memory with Volatility and extracted command lines from a WSL process.","tags":["CTF (en)","Windows (en)","Volatility (en)","English"],"title":"Analyzing Windows Memory with Volatility3 and Identifying Command History from a WSL bash Process","socialImage":{"publicURL":"/static/4f6c6e5db0b60c8a5e5bdc889052ff86/ctf-heroctf-windows-memory-analysis.png"}}}},"pageContext":{"slug":"/ctf-heroctf-windows-memory-analysis-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}