Talk draft: memory forensics and steganography in the Misc category

Honestly I'm writing this mainly because someone invited me... so be it, two tracks in parallel.

Memory forensics

Which challenges

Last year the three-school training contest had a memory forensics challenge (I used volatility 2 at the time and found it easier than 3), and Xihu Lunjian had one too (though I didn't solve it).

  • Three-school joint internal training contest: GoodRAM
  • (Embarrassing to admit, though VNCTF next door was more embarrassing) Xihu Lunjian (forgot the original title): CharlieBrownPC

Cold joke: Xihu Lunjian also had a challenge that needed the Nox emulator, but the image they gave couldn't be imported at all, not even on my Toshiba Satellite L750. That one probably doesn't count as memory forensics, but there's nothing for it; I couldn't even tell what category it was.

Both challenges are basically forensics on Windows memory images, so I'll just go by Windows. A cult is a cult after all. Arch YES!

What is memory forensics

My own understanding: extract what's in someone's computer memory and analyze it with specific tools; put plainly, it's like taking a single strand of your hair and analyzing the hell out of it.

That alone is obviously not accurate enough, so... when you discover a live host has been compromised, dump its running memory directly and analyze that dump to recover information from the running processes.

...damn, I should have just summarized it myself.

What to use

What to acquire the image with

  • DumpIt (Windows) (yes, the goodRAM challenge was made with this damn thing)
  • Windows Fast Startup (cold reminder: Fast Startup works by restoring a memory image)
  • Windows Task Manager (Create dump file)

What to hammer the image with

  • Volatility (versions 2 and 3; they're different. Also, don't install volatility3 from the Arch community repo! Get the binary from GitHub yourself! The official site link it gives stopped updating ages ago!)

The rest is on FreeBuf; two links, though this sentence can't go in the PPT.

https://www.freebuf.com/column/186799.html

https://www.freebuf.com/articles/network/265797.html

How to use the tools

DumpIt

Skim over this one; no need to make a big deal of it.

Open it, wait for it to finish; if you can't read English, bring your own translator.

Volatility 2 (yes, the commands in 2 and 3 are completely different)

Cold reminder: when you forget a command, just run it in the terminal and it'll tell you how to use it.

The AUR version is missing modules

user@TUSKEDEV ~> ./volatility -h
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/home/user/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/home/user/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)

	Supported Plugin Commands:

		amcache        	Print AmCache information
		apihooks       	Detect API hooks in process and kernel memory
		atoms          	Print session and window station atom tables
		atomscan       	Pool scanner for atom tables
		auditpol       	Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
		bigpools       	Dump the big page pools using BigPagePoolScanner
		bioskbd        	Reads the keyboard buffer from Real Mode memory
		cachedump      	Dumps cached domain hashes from memory
		callbacks      	Print system-wide notification routines
		clipboard      	Extract the contents of the windows clipboard
		cmdline        	Display process command-line arguments
		cmdscan        	Extract command history by scanning for _COMMAND_HISTORY
		connections    	Print list of open connections [Windows XP and 2003 Only]
		connscan       	Pool scanner for tcp connections
		consoles       	Extract command history by scanning for _CONSOLE_INFORMATION
		crashinfo      	Dump crash-dump information
		deskscan       	Poolscaner for tagDESKTOP (desktops)
		devicetree     	Show device tree
		dlldump        	Dump DLLs from a process address space
		dlllist        	Print list of loaded dlls for each process
		driverirp      	Driver IRP hook detection
		drivermodule   	Associate driver objects to kernel modules
		driverscan     	Pool scanner for driver objects
		dumpcerts      	Dump RSA private and public SSL keys
		dumpfiles      	Extract memory mapped and cached files
		dumpregistry   	Dumps registry files out to disk 
		editbox        	Displays information about Edit controls. (Listbox experimental.)
		envars         	Display process environment variables
		eventhooks     	Print details on windows event hooks
		evtlogs        	Extract Windows Event Logs (XP/2003 only)
		filescan       	Pool scanner for file objects
		gahti          	Dump the USER handle type information
		gditimers      	Print installed GDI timers and callbacks
		gdt            	Display Global Descriptor Table
		getservicesids 	Get the names of services in the Registry and return Calculated SID
		getsids        	Print the SIDs owning each process
		handles        	Print list of open handles for each process
		hashdump       	Dumps passwords hashes (LM/NTLM) from memory
		hibinfo        	Dump hibernation file information
		hivedump       	Prints out a hive
		hivelist       	Print list of registry hives.
		hivescan       	Pool scanner for registry hives
		hpakextract    	Extract physical memory from an HPAK file
		hpakinfo       	Info on an HPAK file
		idt            	Display Interrupt Descriptor Table
		iehistory      	Reconstruct Internet Explorer cache / history
		imagecopy      	Copies a physical address space out as a raw DD image
		imageinfo      	Identify information for the image 
		impscan        	Scan for calls to imported functions
		joblinks       	Print process job link information
		kdbgscan       	Search for and dump potential KDBG values
		kpcrscan       	Search for and dump potential KPCR values
		ldrmodules     	Detect unlinked DLLs
		lsadump        	Dump (decrypted) LSA secrets from the registry
		machoinfo      	Dump Mach-O file format information
		malfind        	Find hidden and injected code
		mbrparser      	Scans for and parses potential Master Boot Records (MBRs) 
		memdump        	Dump the addressable memory for a process
		memmap         	Print the memory map
		messagehooks   	List desktop and thread window message hooks
		mftparser      	Scans for and parses potential MFT entries 
		moddump        	Dump a kernel driver to an executable file sample
		modscan        	Pool scanner for kernel modules
		modules        	Print list of loaded modules
		multiscan      	Scan for various objects at once
		mutantscan     	Pool scanner for mutex objects
		notepad        	List currently displayed notepad text
		objtypescan    	Scan for Windows object type objects
		patcher        	Patches memory based on page scans
		poolpeek       	Configurable pool scanner plugin
		printkey       	Print a registry key, and its subkeys and values
		privs          	Display process privileges
		procdump       	Dump a process to an executable file sample
		pslist         	Print all running processes by following the EPROCESS lists 
		psscan         	Pool scanner for process objects
		pstree         	Print process list as a tree
		psxview        	Find hidden processes with various process listings
		qemuinfo       	Dump Qemu information
		raw2dmp        	Converts a physical memory sample to a windbg crash dump
		screenshot     	Save a pseudo-screenshot based on GDI windows
		servicediff    	List Windows services (ala Plugx)
		sessions       	List details on _MM_SESSION_SPACE (user logon sessions)
		shellbags      	Prints ShellBags info
		shimcache      	Parses the Application Compatibility Shim Cache registry key
		shutdowntime   	Print ShutdownTime of machine from registry
		sockets        	Print list of open sockets
		sockscan       	Pool scanner for tcp socket objects
		ssdt           	Display SSDT entries
		strings        	Match physical offsets to virtual addresses (may take a while, VERY verbose)
		svcscan        	Scan for Windows services
		symlinkscan    	Pool scanner for symlink objects
		thrdscan       	Pool scanner for thread objects
		threads        	Investigate _ETHREAD and _KTHREADs
		timeliner      	Creates a timeline from various artifacts in memory 
		timers         	Print kernel timers and associated module DPCs
		truecryptmaster	Recover TrueCrypt 7.1a Master Keys
		truecryptpassphrase	TrueCrypt Cached Passphrase Finder
		truecryptsummary	TrueCrypt Summary
		unloadedmodules	Print list of unloaded modules
		userassist     	Print userassist registry keys and information
		userhandles    	Dump the USER handle tables
		vaddump        	Dumps out the vad sections to a file
		vadinfo        	Dump the VAD info
		vadtree        	Walk the VAD tree and display in tree format
		vadwalk        	Walk the VAD tree
		vboxinfo       	Dump virtualbox information
		verinfo        	Prints out the version information from PE images
		vmwareinfo     	Dump VMware VMSS/VMSN information
		volshell       	Shell in the memory image
		windows        	Print Desktop Windows (verbose details)
		wintree        	Print Z-Order Desktop Windows Tree
		wndscan        	Pool scanner for window stations
		yarascan       	Scan process or kernel memory with Yara signatures

Volatility 3

user@TUSKEDEV ~> vol
Volatility 3 Framework 2.4.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
                  [--write-config] [--save-config SAVE_CONFIG] [--clear-cache]
                  [--cache-path CACHE_PATH] [--offline]
                  [--single-location SINGLE_LOCATION]
                  [--stackers [STACKERS ...]]
                  [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...
volatility: error: Please select a plugin to run
user@TUSKEDEV ~ [2]> vol -h
Volatility 3 Framework 2.4.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
                  [--write-config] [--save-config SAVE_CONFIG] [--clear-cache]
                  [--cache-path CACHE_PATH] [--offline]
                  [--single-location SINGLE_LOCATION]
                  [--stackers [STACKERS ...]]
                  [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...

An open-source memory forensics framework

options:
  -h, --help            Show this help message and exit, for specific plugin
                        options use 'volatility <pluginname> --help'
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to off if no argument
                        given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed)
                        setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
                        Determines how to render the output (quick, none, csv,
                        pretty, json, jsonl)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if single-
                        location is not defined
  --write-config        Write configuration JSON file out to config.json
  --save-config SAVE_CONFIG
                        Save configuration JSON file to a file
  --clear-cache         Clears out all short-term cached items
  --cache-path CACHE_PATH
                        Change the default path
                        (/home/user/.cache/volatility3) used to store the
                        cache
  --offline             Do not search online for additional JSON files
  --single-location SINGLE_LOCATION
                        Specifies a base location on which to stack
  --stackers [STACKERS ...]
                        List of stackers
  --single-swap-locations [SINGLE_SWAP_LOCATIONS ...]
                        Specifies a list of swap layer URIs for use with
                        single-location

Plugins:
  For plugin specific options, run 'volatility <plugin> --help'

  plugin
    banners.Banners     Attempts to identify potential linux banners in an
                        image
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs
                        configuration in the output directory.
    frameworkinfo.FrameworkInfo
                        Plugin to list the various modular components of
                        Volatility
    isfinfo.IsfInfo     Determines information about the currently available
                        ISF files, or a specific one
    layerwriter.LayerWriter
                        Runs the automagics and writes out the primary layer
                        produced by the stacker.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network
                        protocols.
    linux.check_creds.Check_creds
                        Checks if any processes are sharing credential
                        structures
    linux.check_idt.Check_idt
                        Checks if the IDT has been altered
    linux.check_modules.Check_modules
                        Compares module list to sysfs info, if available
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.envars.Envars
    linux.envvars.Envvars
                        Lists processes with their environment variables
    linux.iomem.IOMem   Generates an output similar to /proc/iomem on a
                        running system.
    linux.keyboard_notifiers.Keyboard_notifiers
                        Parses the keyboard notifier call chain
    linux.kmsg.Kmsg     Kernel log buffer reader
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.lsof.Lsof     Lists all memory maps for all processes.
    linux.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    linux.mountinfo.MountInfo
                        Lists mount points on processes mount namespaces
    linux.proc.Maps     Lists all memory maps for all processes.
    linux.psaux.PsAux   Lists processes with their command line arguments
    linux.pslist.PsList
                        Lists the processes present in a particular linux
                        memory image.
    linux.psscan.PsScan
                        Scans for processes present in a particular linux
                        image.
    linux.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    linux.sockstat.Sockstat
                        Lists all network connections for all processes.
    linux.tty_check.tty_check
                        Checks tty devices for hooks
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
                        Check system call table for hooks.
    mac.check_sysctl.Check_sysctl
                        Check sysctl handlers for hooks.
    mac.check_trap_table.Check_trap_table
                        Check mach trap table for hooks.
    mac.ifconfig.Ifconfig
                        Lists network interface information for all devices
    mac.kauth_listeners.Kauth_listeners
                        Lists kauth listeners and their status
    mac.kauth_scopes.Kauth_scopes
                        Lists kauth scopes and their status
    mac.kevents.Kevents
                        Lists event handlers registered by processes
    mac.list_files.List_Files
                        Lists all open file descriptors for all processes.
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    mac.lsof.Lsof       Lists all open file descriptors for all processes.
    mac.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    mac.mount.Mount     A module containing a collection of plugins that
                        produce data typically found in Mac's mount command
    mac.netstat.Netstat
                        Lists all network connections for all processes.
    mac.proc_maps.Maps  Lists process memory ranges that potentially contain
                        injected code.
    mac.psaux.Psaux     Recovers program command line arguments.
    mac.pslist.PsList   Lists the processes present in a particular mac memory
                        image.
    mac.pstree.PsTree   Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.socket_filters.Socket_filters
                        Enumerates kernel socket filters.
    mac.timers.Timers   Check for malicious kernel timers.
    mac.trustedbsd.Trustedbsd
                        Checks for malicious trustedbsd modules
    mac.vfsevents.VFSevents
                        Lists processes that are filtering file system events
    timeliner.Timeliner
                        Runs all relevant plugins that provide time related
                        information and orders the results by time.
    windows.bigpools.BigPools
                        List big page pools.
    windows.cachedump.Cachedump
                        Dumps lsa secrets from memory
    windows.callbacks.Callbacks
                        Lists kernel callbacks and notification routines.
    windows.cmdline.CmdLine
                        Lists process command line arguments.
    windows.crashinfo.Crashinfo
    windows.devicetree.DeviceTree
                        Listing tree based on drivers and attached devices in
                        a particular windows memory image.
    windows.dlllist.DllList
                        Lists the loaded modules in a particular windows
                        memory image.
    windows.driverirp.DriverIrp
                        List IRPs for drivers in a particular windows memory
                        image.
    windows.drivermodule.DriverModule
                        Determines if any loaded drivers were hidden by a
                        rootkit
    windows.driverscan.DriverScan
                        Scans for drivers present in a particular windows
                        memory image.
    windows.dumpfiles.DumpFiles
                        Dumps cached file contents from Windows memory
                        samples.
    windows.envars.Envars
                        Display process environment variables
    windows.filescan.FileScan
                        Scans for file objects present in a particular windows
                        memory image.
    windows.getservicesids.GetServiceSIDs
                        Lists process token sids.
    windows.getsids.GetSIDs
                        Print the SIDs owning each process
    windows.handles.Handles
                        Lists process open handles.
    windows.hashdump.Hashdump
                        Dumps user hashes from memory
    windows.info.Info   Show OS & kernel details of the memory sample being
                        analyzed.
    windows.joblinks.JobLinks
                        Print process job link information
    windows.ldrmodules.LdrModules
    windows.lsadump.Lsadump
                        Dumps lsa secrets from memory
    windows.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    windows.mbrscan.MBRScan
                        Scans for and parses potential Master Boot Records
                        (MBRs)
    windows.memmap.Memmap
                        Prints the memory map
    windows.mftscan.MFTScan
                        Scans for MFT FILE objects present in a particular
                        windows memory image.
    windows.modscan.ModScan
                        Scans for modules present in a particular windows
                        memory image.
    windows.modules.Modules
                        Lists the loaded kernel modules.
    windows.mutantscan.MutantScan
                        Scans for mutexes present in a particular windows
                        memory image.
    windows.netscan.NetScan
                        Scans for network objects present in a particular
                        windows memory image.
    windows.netstat.NetStat
                        Traverses network tracking structures present in a
                        particular windows memory image.
    windows.poolscanner.PoolScanner
                        A generic pool scanner plugin.
    windows.privileges.Privs
                        Lists process token privileges
    windows.pslist.PsList
                        Lists the processes present in a particular windows
                        memory image.
    windows.psscan.PsScan
                        Scans for processes present in a particular windows
                        memory image.
    windows.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    windows.registry.certificates.Certificates
                        Lists the certificates in the registry's Certificate
                        Store.
    windows.registry.hivelist.HiveList
                        Lists the registry hives present in a particular
                        memory image.
    windows.registry.hivescan.HiveScan
                        Scans for registry hives present in a particular
                        windows memory image.
    windows.registry.printkey.PrintKey
                        Lists the registry keys under a hive or specific key
                        value.
    windows.registry.userassist.UserAssist
                        Print userassist registry keys and information.
    windows.sessions.Sessions
                        lists Processes with Session information extracted
                        from Environmental Variables
    windows.skeleton_key_check.Skeleton_Key_Check
                        Looks for signs of Skeleton Key malware
    windows.ssdt.SSDT   Lists the system call table.
    windows.statistics.Statistics
    windows.strings.Strings
                        Reads output from the strings command and indicates
                        which process(es) each string belongs to.
    windows.svcscan.SvcScan
                        Scans for windows services.
    windows.symlinkscan.SymlinkScan
                        Scans for links present in a particular windows memory
                        image.
    windows.vadinfo.VadInfo
                        Lists process memory ranges.
    windows.vadwalk.VadWalk
                        Walk the VAD tree.
    windows.vadyarascan.VadYaraScan
                        Scans all the Virtual Address Descriptor memory maps
                        using yara.
    windows.verinfo.VerInfo
                        Lists version information from PE files.
    windows.virtmap.VirtMap
                        Lists virtual mapped sections.
    yarascan.YaraScan   Scans kernel memory using yara rules (string or file).

None of this fits in the PPT, though, because it's long and only a handful of the modules are ever needed. Take Linux: is anyone here besides me on Arch? Y'all need a damn install script and three sticks of incense just to get Genshin Impact running.

How to design the PPT

Since the PPT is only for display, use LibreOffice for a better experience, because WPS over there... every template looks like a damn government work report...

I thought the PPT design from the March 31 talk was pretty good, so I just found a similar one and applied it.

Since I really have no idea what pictures go with memory forensics, I'll just grab the ones from the writeup.

How to tie the logic together

My plan is to skim over what Misc looks like from my experience. My first thought was "Northeastern hodgepodge stew", which turned out to lack punch, so I switched to iron-pot stew or Tianjin's "flatbread with everything" (I don't have a picture of it, so I dropped that; if you want an example, look on Jinyun / Enorth).

Then introduce what memory forensics is (if explained clearly, I think this can also be a quick pass), then describe the tools and their usage (mainly the two Volatility versions, because their usage differs and they're the main thing), then use the challenges to bring in the general approach (and explain the how along the way). Since this is mainly CTF-oriented, how to acquire an image also gets only a brief mention.

How to present

After page one, a side note: this is how I see Misc and the steganography within it, which is also the main reason I'm talking about memory forensics here rather than steganography.

Page three (introduction)

Quick pass, since it's only the lead-in. Reading what's written above is basically enough.

Page four (image acquisition software)

Mainly introduce DumpIt, plus a few cold reminders. By the way, a Windows blue screen error automatically dumps memory, generating a file named memory.dmp in the root directory; that can be analyzed with WinDbg.

Page five (image analysis software)

Nothing to add: Volatility. The delivery can borrow the tone Xiao Yuehan Kehan uses when introducing a hardcore badass, and the animation can borrow Mac OS 8's OOBE. "Now let us introduce the most commonly used memory analysis software, the textbook case of a major version bump bundling a free relearn-everything package: Volatility."

Page six (Volatility usage)

Just for a laugh, no need to be so serious. A few seconds is enough; it's basic operation.

Pages seven and eight (Volatility plugins)

Nothing to say here, two or three seconds is enough; it's not much use anyway, because you can run volatility -h (v2) or vol -h (v3) and just fill in whichever plugin you need, the kind of thing even a soon-to-retire Tsai Ing-wen could manage. I'm sure you'll complain that the font is tiny; that's because... none of this needs to be memorized...

Page nine

Hands-on, nothing to say. Next, the practical part.

First open a terminal and run two commands, ./volatility -h and ./volatility --info, and keep them beside you as a manual. (If you don't know what the version numbers at the end mean, look them up on BetaWorld Wiki yourself; this sentence is only said if someone asks.)

Then open nautilus, find the file and open it in GHex. By the way, when you don't know what a file is, just look at the binary. Scroll slowly, find a specific string and guess what it is. Look at these characters: don't they look like a Windows memory image? Then find another specific string to confirm that it is a Windows memory image.

Next open another terminal; okay, analyze this image with Volatility 2. We should first run imageinfo, because we don't know which profile this image needs. We then see several suggested profiles; there are multiple recommended profiles here mainly because these systems all share the NT 6.1 kernel, and generally the first one is the preferred choice.

Then run ./volatility -f flag.raw --profile=Win7SP1x64, Ctrl-C to stop it, and leave it in the terminal history for reuse. My current approach: first see what's on the desktop, then proceed step by step.

The manual on the left is the backup: look there for the relevant module. GNOME Terminal (GTK 3 version) has a search tool in the top-right corner for finding words. Since I currently need to see what's on the desktop, I search for the word "screenshot". Found: screenshot – Save a pseudo-screenshot based on GDI windows, which translates to: this module's main job is to save a GDI-based pseudo-screenshot. What is GDI? Search engine. Reading the first sentence of the wiki is enough.

Then generate a screenshot, having first set up a separate directory to save the screenshots in. Open nautilus to find them. Let's look at these pseudo-screenshots. See, this screenshot has text; it looks abstract, but at least it resembles a desktop. The title bar has text reading dumpit, and the image was generated at 3:03; behind it should be Explorer with the C drive open...

Then see what this dumpit process is. Since we want to look at a process, first find its process ID (PID); keep searching the manual for anything with "process" in it. Let's see what goodies are in there. 2345 Pinyin, Active Defense... jeez, this system is hopeless; who wants to pan for gold in shit... oh, and there's a 360 too, fighting poison with poison, I guess... okay, found dumpit, PID 2052, PPID 2464.

Then we need to dump this damn thing; keep searching the manual. Okay, we found something called memdump, which extracts the memory this process lives in. If you don't know how to use it, just run it bare. See, it throws an error saying the --dump-dir option is missing. Add it and run; at this point it dumps every process one by one. Of course we don't actually need that many; we can specify a PID by adding -p followed by the PID. Doing it this way here is to pretend I'm clueless.

Here we introduce another command, strings, which is used to find strings inside a file. Run strings -h on the left and see what it can do.

OK, then on the right let's look at the corresponding processes. Run strings *.dmp, pipe it to grep to filter, then redirect to a file. And what do we filter for? Let's reread the challenge. Keywords: secret, and the classic flag. Run each one. secret turns up nothing. flag, holy crap, a tangled mess, like my desk. So just target the DumpIt process directly. See, there's the flag.
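The `strings *.dmp | grep` step above, rebuilt in pure Python so you can see what it does and where it falls short. This is an added example for this draft, not code from the page, the challenge, or the Volatility project. The `SAMPLE_DUMP` bytes are constructed here to stand in for a memdump output file; the strings and offsets in it are made up for the demo. The point it adds: GNU `strings` only reports 7-bit ASCII runs by default, but Windows process memory is full of UTF-16LE text (paths, window titles, clipboard contents), so a keyword stored as wide text is invisible to a plain `strings | grep flag` unless you also run `strings -e l`. The scanner below searches both encodings.

```python
import re

# Constructed stand-in for a process memory dump (not a real DumpIt file).
# It contains an ASCII window title, a UTF-16LE "flag{...}" string,
# a short ASCII "secret", some binary noise, and an ASCII file path.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"DumpIt window title\x00"
    + b"\x00" * 8
    + "flag{constructed_wide_string}".encode("utf-16le")
    + b"\x00" * 8
    + b"secret\x00\x00"
    + b"\xff\xfe\x00\x01"
    + b"C:\\Users\\user\\Desktop\\flag.raw\x00"
)


def extract_strings(data: bytes, min_len: int = 4, wide: bool = True):
    """Return (offset, encoding, text) for every printable run in `data`.

    ASCII runs mimic `strings`; UTF-16LE runs mimic `strings -e l`
    (a printable ASCII byte followed by a zero byte, repeated).
    """
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    if wide:
        wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
        for m in wide_re.finditer(data):
            found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()  # by offset, like reading the dump top to bottom
    return found


def grep_strings(data: bytes, keyword: str, min_len: int = 4, wide: bool = True):
    """The `| grep -i keyword` half: case-insensitive substring filter."""
    k = keyword.lower()
    return [s for s in extract_strings(data, min_len, wide) if k in s[2].lower()]


if __name__ == "__main__":
    print("ascii only (plain `strings`):")
    for hit in grep_strings(SAMPLE_DUMP, "flag", wide=False):
        print("  ", hit)
    print("ascii + utf-16le (`strings` and `strings -e l`):")
    for hit in grep_strings(SAMPLE_DUMP, "flag"):
        print("  ", hit)
```

With `wide=False` the only hit for "flag" is the file path, which is exactly the "tangled mess" of irrelevant matches the walkthrough describes; with the UTF-16LE pass the `flag{...}` string shows up as well. On a real dump, run the same filter per process file so the offset tells you which `.dmp` it came from.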

Current problems

First draft

Too short; can't fill 40 minutes.

Steganography

Why dig up this grave

Simple: another person asked me to get up and say a few words. No direction was specified, so I'm digging this one up.

Estimated time

20 minutes.

Easter egg: those strange relationships

Sometimes steganography really can be used in some strange places...

Though... it's not much use, since some platforms compress images by default...

So... might as well...

Nobody understands it anyway, right (

Filtering the audience, honestly (though you can also find me via TG @TuskedEvening0, though then Garden Chen can see it too (no big deal

Which challenges

  • NewStarCTF 2023 Week1 Misc 隐秘的眼睛 (SilentEye)
  • NewStarCTF 2023 Week1 Misc 机密图片 (LSB steganography)
  • NewStarCTF 2023 Week2 Misc Jvav (Java blind watermark)
  • NewStarCTF 2023 Week4 Misc 依旧是空白 (SNOW steganography + brute-forcing JPG width/height)
  • NewStarCTF 2023 Week4 Misc R通大残 (extracting pixel RGB values)

But there are certainly more than these, because the tools I've collected from other people alone outnumber these challenges three to one.

And it doesn't stop there. Search "R6SLAB" on BiliBili and you'll find plenty of Rainbow Six streaming setups built on all sorts of strange schemes.

What are the characteristics

Messy and disorganized; there isn't even an obvious entry point.

So what to do? Set up a scenario as the intro.

Original scenario intro

For certain special reasons, I can only speak in the group after finishing the write-ups for those five weeks. But I don't want to write that much, so I thought of bribing a certain admin. Given that the admin shares a dorm with the group owner, a direct bribe risks being spotted by the owner.

So I need some steganography.

Roughly what to cover

Given the time limit, I chose one scheme to demonstrate; the rest is walking through challenges, and the entry point is honestly a mess. It's really no different from reading a write-up aloud. Maybe next time I should try some pwn and reverse, but I haven't gotten started yet, and that's the planned content of the next post.

Which image to demo with

  • Pixiv 110011602
  • WeChat chat history
  • BV1GM4y1b7JB 00:35

This picture is also the title image.

Where's the focus

If it's really the same as reading a write-up, I might as well just read it, and there'd be no need for this article. So this draft should focus most on explaining the principles.

Content source?

Simple: NewStarCTF.

How to design the PPT and how exactly to present

The software used below is LibreOffice.

Page one / cover

Since the original PPT is lost, the image sources are pasted directly above.

Note: changed three characters and switched to 4:3.

This title image is also useful later on.

Page two / scenario intro

Start by roasting myself. I still remember a month ago, *-shen muted me for 30 days, until I finished the write-ups for every week of any NewStarCTF direction other than misc. The workload is huge just thinking about it; after all, if you copy someone's existing solution to fudge it, they might add another 30 days. Plus I have a pile of crap to deal with, so the only option is to get someone else to put in a word. And then it's what's described in the title image.

Page three / content overview

Given the time limit, I'll only cover these, all taken from the already-finished NewStarCTF; you can think of it as a shoddy 2K23-style reskin. But here I'll spend more time on the principles, because the solutions have already been explained by others and my repeating them is meaningless, worse even than EA's FC Sports 24 on Switch.

Pages four to six / LSB steganography

Note: I deliberately swapped this with one other item, because the latter depends on the former.

Page four / what LSB is

This is a screenshot I took in PS Touch. The smallest unit for manipulating the image is one pixel, which has its own RGB value; by default we enter it in decimal, but it's actually stored in binary, and the last bit of each of these 8-bit binary values is the least significant bit, LSB for short. As for why the full name is deliberately obscured: memorizing it is useless.

Page five / why LSB can be used for steganography

Come on, ladies and gentlemen, do you think you can tell these two colors apart? If you can, you're this 👍🏻. I'd say no human can tell the difference between these two.

Page six / how to read the hidden information

https://github.com/Giotino/stegsolve/

As shown in the figure.
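An added example for pages four to six: LSB embedding and extraction on a raw RGB byte buffer, written here for this draft and not code from the page, from NewStarCTF, or from stegsolve. It needs no image library: the cover is a constructed 40-pixel RGB buffer, and the read-out function is the same thing stegsolve's bit-plane view does for you (the bit plane, channel order and 32-bit length header are this example's own conventions, not stegsolve's). It shows why page five works, because every channel value changes by at most 1, and also generalizes to reading any bit plane of any channel, which is what you do when the flag is not in plane 0.

```python
# Constructed cover "image": 40 RGB pixels = 120 channel bytes, deterministic
# so the demo is repeatable.  Real covers come from PNG/BMP pixel data.
def make_cover(n_pixels: int = 40) -> bytes:
    return bytes((i * 37 + 11) % 256 for i in range(n_pixels * 3))


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels: bytes, message: bytes) -> bytes:
    """Return a copy of `pixels` with a 4-byte big-endian length header followed
    by `message`, one bit per channel byte, written into bit plane 0 (the LSB).
    The header is this example's convention so extract() knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small for this message")
    out = bytearray(pixels)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit  # only the LSB ever changes
    return bytes(out)


def bit_plane(pixels: bytes, plane: int = 0, channels=(0, 1, 2)) -> list:
    """Read bit `plane` (0 = LSB, 7 = MSB) of the selected channels in pixel
    order, R,G,B within each pixel.  plane=0 with all channels is the
    extraction order embed() uses; other settings mimic browsing planes."""
    return [
        (pixels[i] >> plane) & 1
        for i in range(len(pixels))
        if i % 3 in channels
    ]


def _bits_to_bytes(bits: list, start: int, n_bytes: int) -> bytes:
    out = bytearray()
    for k in range(n_bytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | bits[start + k * 8 + j]
        out.append(byte)
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Inverse of embed(): read the length header, then that many bytes."""
    bits = bit_plane(pixels, plane=0)
    length = int.from_bytes(_bits_to_bytes(bits, 0, 4), "big")
    return _bits_to_bytes(bits, 32, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel difference between two buffers of equal length."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"flag{lsb}")
    print("recovered:", extract(stego))
    print("max channel change:", max_channel_delta(cover, stego))
```

The `max_channel_delta` check is the numeric version of the two-colour slide: a change of 1 in a 0..255 channel is below what a display and an eye will show. The same property is why the scheme is fragile: anything that recomputes pixel values (JPEG compression, resizing, the automatic recompression of the platforms mentioned earlier) rewrites plane 0 and destroys the message.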

Pages seven and eight / SilentEye

Page seven / what SilentEye is

Just glance at this page; it's padding for time. Taken purely from the official website.

Page eight / how SilentEye works

The principle is basically the same as LSB steganography; only the way the hidden data is processed differs.

Pages nine and ten / blind watermarks

Points to https://zhuanlan.zhihu.com/p/33526455 .

Page nine (principle): read up on how blind watermarks work yourselves; my calculus is bad. You won't implement it yourself anyway, since ready-made scripts exist online. The official NewStarCTF solution used a Java implementation.

Page ten (properties): just read this yourselves. Oh right, robustness can be simply understood as resistance to damage, or reliability; it was mentioned in one of Zhiyan trigger's videos.

Page 11 / SNOW overview

Only the underlined content needs reading. Note that some terms have no official Chinese translation and were translated by me; they don't represent official views and may not match the original meaning.

Limitations of this article

Because writing time was extremely tight, I couldn't fit some things in, and I can't guarantee it is 100% accurate or general.

Current problems

Obviously too short; clearly won't reach the planned 20 minutes.

Also, since recruitment just happened, the pure-theory route doesn't work; someone has already said they couldn't follow.

The topic choice also has a major problem: it's too broad, which stalled the draft and dragged along all kinds of under-preparation, so the most common feedback was "abstract".
