One Article Review

Source: w00tsec (blog)
Identifier: 8300162
Publication date: 2015-02-27 00:56:54 (viewed: 2023-01-11 16:56:00)
Title: Extracting RAW pictures from memory dumps
Text:

Introduction
Earlier today, while reading my Twitter timeline, I saw some infosec folks discussing scripts/tools to identify RAW pictures in memory dumps. I decided to write this blog post and share a small hack that I use to visualize data (including memory dumps).

A few months ago I wrote a post detailing how to Scan the Internet & Screenshot All the Things; now it's time to Dump the Memory & Screenshot All the Things.

Memory Dumps
The first thing you will want to do is narrow the analysis down to the process containing the interesting images/pictures. I'm going to use three different memory dumps here:

Remote Desktop Client - Windows 7 x64 (mstsc.exe)
Let's use the Windows built-in RDP client to connect to an external server and dump the process memory using procdump:
procdump.exe -ma mstsc.exe mstsc.dmp

Microsoft Paint - Windows 7 x64 (mspaint.exe)
Let's load/save a simple image file in Paint and run procdump again:
procdump.exe -ma mspaint.exe mspaint.dmp

9447 2014 CTF Challenge: coor coor - Windows XP (VirtualBox.exe)
There's an awesome write-up for this CTF chall
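The technique the post builds on is to open a process dump as raw pixel data and adjust the image width until the picture lines up. The script below is an added example written for this review, not code from the w00tsec post: it automates the width search with a row-similarity heuristic (adjacent rows of a real bitmap look alike, so the correct width scores lowest) and wraps the carved region in a BMP header so an ordinary viewer can open it. It assumes 32bpp BGRA pixels (the usual Windows GDI surface layout) and runs on a constructed gradient standing in for real procdump output; the candidate width list is illustrative.

```python
"""Added example: carve a 32bpp BGRA bitmap out of a raw memory dump region."""
import struct
from typing import Iterable, Optional

# Assumption: pixels are 32bpp BGRA/BGRX, the common layout of Windows GDI surfaces.
BYTES_PER_PIXEL = 4


def row_similarity_score(data: bytes, width: int, bpp: int = BYTES_PER_PIXEL,
                         max_rows: int = 64) -> float:
    """Mean absolute byte difference between consecutive rows at a candidate width.

    At the true width each row is compared with the row directly below it, so
    the score is low. At a wrong width the image is sheared and each "row" is
    compared against pixels from a different column, so the score rises.
    """
    stride = width * bpp
    pairs = min(max_rows, len(data) // stride - 1)
    if pairs < 1:
        return float("inf")
    total = 0
    for r in range(pairs):
        cur = data[r * stride:(r + 1) * stride]
        nxt = data[(r + 1) * stride:(r + 2) * stride]
        total += sum(abs(a - b) for a, b in zip(cur, nxt))
    return total / (pairs * stride)


def guess_width(data: bytes, candidates: Iterable[int],
                bpp: int = BYTES_PER_PIXEL) -> int:
    """Return the candidate width whose rows are most alike (lowest score)."""
    return min(candidates, key=lambda w: row_similarity_score(data, w, bpp))


def raw_to_bmp(data: bytes, width: int, height: Optional[int] = None) -> bytes:
    """Wrap raw 32bpp BGRA pixels (top row first in memory) in a BMP container.

    BMP stores rows bottom-up, so the rows are reversed. 32bpp rows are already
    4-byte aligned, so no padding bytes are needed.
    """
    stride = width * BYTES_PER_PIXEL
    if height is None:
        height = len(data) // stride
    rows = [data[i * stride:(i + 1) * stride] for i in range(height)]
    pixels = b"".join(reversed(rows))
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression (BI_RGB),
    # image size, x/y pixels per metre, colours used, important colours.
    info_header = struct.pack("<IiiHHIIiiII",
                              40, width, height, 1, 32, 0, len(pixels),
                              2835, 2835, 0, 0)
    # BITMAPFILEHEADER: magic, file size, two reserved words, pixel data offset.
    file_header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return file_header + info_header + pixels


def synthetic_dump(width: int = 96, height: int = 48) -> bytes:
    """Constructed stand-in for a dump region: a smooth BGRA gradient, not real memory."""
    out = bytearray()
    for y in range(height):
        for x in range(width):
            out += bytes(((x * 2) & 0xFF, (y * 5) & 0xFF, (x + y) & 0xFF, 0xFF))
    return bytes(out)


if __name__ == "__main__":
    # With a real dump, read the bytes of a candidate region instead of synthetic_dump().
    dump = synthetic_dump()
    best = guess_width(dump, [48, 64, 96, 128, 192])  # illustrative candidate widths
    print("best width:", best)
    with open("carved.bmp", "wb") as fh:
        fh.write(raw_to_bmp(dump, best))
```

On a real dump the candidate list would hold common screen widths (the post's own example resolution is 1440x900) and the scan would be run at several offsets, since a bitmap rarely starts at the beginning of a region; the heuristic only says which width makes the rows consistent, the analyst still decides whether the result is a picture.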
Sent: Yes
Tags: Hack Tool
Rating: ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a re-publication of an earlier one.