首先做這道題,需要對vm虛擬機有一定的了解,了解虛擬機文件格式、加密虛擬機、掛起虛擬機。
初步分析:
我們看到有三個文件如下圖,有個文件后綴是vmem,因此猜測是vmware的內存文件,用volatility工具分析后無果,看到文件名稱中提示加密,聯想到vm的加密功能,於是我用一個已經有的虛擬機樣本做了加密處理,然后又生成了快照加密文件樣本和掛起加密文件樣本,對照前兩個題目原文件特征與樣本文件逐一比對后發現,Encryption.bin02文件是vmx全局配置文件的加密形式,Encryption.bin01是vmss快照配置文件的加密形式,而vmem正是加密內存快照本體!我們還注意到Encryption.bin02文件內容后跟隨一段二進制內容,它不應該出現在這里,依據二進制文件特征lsilogic與樣本比對后發現是vmdk虛擬機磁盤鏡像文件。而且Encryption.bin02是殘缺的vmx加密文件,需要修復。
文件修復:
首先使用winhex工具截取文件,將Encryption.bin02文件用winhex打開,在可見字符后的十六進制0D0A處的后面截斷,將截斷數據保存到新文件中命名為mem_secret.vmdk后面要用到,截斷的位置如下圖
然后修復缺失的vmx文件
.encoding = "GBK" displayName = "vm" encryption.keySafe = "vmware:key/list/(pair/(phrase/Dg7Se8rqkNI%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3d%2b21PdYUqEQd1wdT2AoPEQw%253d%253d,HMAC%2dSHA%2d1,CgKwC5U7lfLjpVohwbpxufC11yU4a0%2byrP08oY0KDDcP1NL%2fRiLojwTz2JnYqm7baAhtgENYUeFUHXwODjSClaJ%2bSRBhKw6UwET6p3AYK8vs4T0cBrvTjYSrs0baLgG7dozcvL5JxA%2fKYJvriz4Mf%2bMmVvE%3d))" encryption.data ="UnIYbS+nasPwdnhtrcPfHLk0VOViI4i1XuasjZgIpp8FsUyeCo6vQ7589Q0ImqTeo8eOV0mJmlrfCKwJeIhE8M4P2vEOmtNvpvCcog+wO7xEg2+YFRdZVz6GDZ7EOl06ZDa1SM+Nt4oKRApQYcOmil0vw9jGJvFT2YYZrInue9luErlFKVCRPSOniNYebiwyEtNOr6Cg2BMYJtxVjJQNoixY8OjEr7Z+Hj/oI7GjYQAuNgh1+FnPf0hxiBT2BVGhyyRzHIl03HXjFQXVHlZE26fsj3Kbjn8m1Eduvw00v1c8Dt1JIp7qFY0lZ9UIMDEdtbVMW/haR84gQ6L9nLdI3JhpCmoF0icdN4pji9XwpmoHqJ5GecpWgdD3mqvuJd9zJSIP8mCCTI9+fpe7pcf8lTpQfppLv1PoLkIZbm91Hkq3sYusrxmuUKX5lIRwHrCpVTquibxDqyoEHjApWg5wvE3y17jOf9xbaMb/5LkYrC9Ql4HwVDzHQ7NyP8xqJXGhcHCRS2PjipxVEJ3fhY2+hxT5cEbvUCp/Yn/YQWXacuwFiMClFY5HN5Yba46lM9/6zWFVDwnHvq2y2URXTCRb/7sd2JhrTe3lvyArErqJZZNw431e7poTBCsGmZipIv6Vbchco/NW2V8JMzFvPfar4YS1oeZsfPrrANBBw3izMPfkwVgOFmk2ZXz8r0YD5Px4a3hxfXzjLD7CJByVxUVfKTPTtiv6es70K5qJ0S8C4aCKQYENR+FL8m4u2w/PC6VjCC3VX2QZzIE5oOgTTA8kCdQ6ONCCyuOJ02Pa8TqrfkGD5gSkdB9t7Xj0IlmBKHLbOYhvimGQrVJuNePzgUH4siz+YfJFRUsFDR6+EWzUCRuJpiMz5VMH3wVWQnWh7OQ4Mvs5UgkLzxaegmOV0HORfJfzsgP2f/IvVKWvInE7VKoRu1JUc20h9Jp8LYVSUTiFKc+guXvia/lqvpgPIxYW9/A3IswiolTWcbfCWEZiMDPCEDLWWFaLfRIuclxeMUDJItK7c/fkud2DpyVOs4APdA2mXiSVmTrY39s48/s/mBT4ytVcyHxD+GD+QLpR4Fqw2Lb/yWhlBCTfjcV80jiOOYR+Wh55raVJ2BN9fAMjK3woTF0L1lPecIjY6xp78eu765vpRoAG/BASFHFf283GrupDL1KAypKcIlRY2+iKRFuX3OvOjgS9aQ/JSP5he2OqnyD3qQsMEjdkMaKEU/oP5x/jNw6JDFbnsxOf4wg7Z+ggozXsWNQmeICe03RFx0CLOuWXxJYQ/hqPCcjMr2uWYJEPZe9TlRgYJYbjRFfG1/owbFO1Kpv81mTpboA3m7qo0/wzs4fUV/ikqU+5DCKXedwMJCXo46/6q2lb6i/V3e9qaIM7AOJ/XSePqb0RMFj6VypBtrnHcIfMuDFMFx+l8zs4tu4jqJyqETLggeglk+DEzoyToLVeQ+YRZu/AGr0Wk0d3+R4zSMR2RAz8mmOJrmw7yJKogHoPzZxaFkx5yRw21d5yPZH4JRabvZu8fQyuNkdk9tiJ5nREHqy8EzuAPP47Gt/NU7MDZh+BEjYs1o7fwjgwD+kpyfLrnktEVhpX3eJXmOiLAuAzRtirqzXzw7HN872iEChnimEnWhOUOwyAYTuSog9BVliezZVvzG2+3EScZ+wlWWICzQSxxURXaMRaQgtNy4dPAHl2gL+ZkQ3bTcrEBZ6PaIj0biq/+LVaYlb82Z1VquKXVtyyF+jiEU3mIpYAIPULWT80f2Sm8RKmnIqmNmJaDqKgQfyBwAUdX6XpzH0yND4SK+7lnwX8nkGy26e7v9mWGDBdY+vOe/AK/jn/gq1HN8EZutt5FpsOtzJT8wnmUTQut3YWNPEdxPNTTzikbaDyJSP4sKcqiEZW/LOLXsf2vEIY+U1OjW6Xo5EKK8BSr7Vj10CugbiBSISLgP4kTQ/KoaJ9RR9raFIH9G0P5nhKsBiQssV5B9bTfBAayzdGHQLMNsEJksr7Nxxsb+2BV+JBoRmkGcIYjaNA+tXRky0PavYf5LcYY88THy045LRJvOX7QJlxAl99pdeZBT+0IOZJpQIeDwSIxuVSw1g7CUuJ/bVdfvTWmtQ2Tvu8cKsdOcNad8zYs92PdnQGS/22CaxLOjkghB8zu8a4KzGrLqkdSabSWedvOUK7bx5cUPJMKpInbBKKsmSCh89JcVJkglKxI9R4nx8p3UW2GRXLb6Ioce7dq3Zh9Cw8g7VyjSzK4MSw7803Pecez8CjXQ0371kmijZnCB942TjSKz3Vg/wwDufrrTDbgQfqruoDFKWR+2H3k9y2dzMHSIOnUZNkgfDXUetEqRfauwXNHANJGBKpfiNeJGhlmb4H7tGUmo6f5uOqiuS1CHZKx3unNngaziwAs8NztDYHISn0h7eP5VGiTOP+RLY002Ob/OMBWKUTDUQy3rcLaMDUQy7ZlEmj6ObcYctQnnTKShfGEfnA0UnzV39v/cTd3KhgOSgvUFfbnbSngTdF0QoX16OnlvVbLgKdZPamI7Lty/6KOLn/U/+Iv3ziZsJo/FTnYYewnBgLZmBnhugbJpVMSUNRumcsesNveM0Zr+XNZ6ceT2DY6F6xWY1/04jYXPc6T0+sDHxQEO2d+1VVyMKP5BRqlbUyVaVj2RAIYmAsTXqGhMvxMJRN8z/z7nhVVmxHvE+/hz8QOnDpNLpkcQRlcR41yc8j3C2loqvITzEqdp9n/c3pr756uaPq6Xfqbf3Ly30Zb9kSoFZfZH+8ZCRpJdzkCt5G3MjTv/L3SkqzDbjOddxmuQLCXyx3bhdvYEfmWXrUMe+bR7qPi48FOhwm40lP6m6/iFAuGxipWtKq10qHvkC8DoPoNZpYPPvNHTINDU+7U2xZ86Qg1nv5addAOaEk40FpMWrpvF10IXl5G7vsMw9NuNE6C6xWeplUUCs6bXxFZM0PSBW0WSKGBE/YUOZQdqVYJq5r9KbiUvtTb7ZyaTy3uM014xTR8DrZDsll6CDaD+fYGj9IH5ViHJ0fqqSPT9GMPV2TnYhpQrysyGMtHDUuAcDkGS9LYk9YGQnRCBTU93sbHoge7yJBVEUzPwc5gPTfZeZUhPEVB6iMPI1I3zbW1Qckvmwbof4D6l0J1YAtUCCSdWqtWjfvIbXGdwJ4NPQpsPbNTeyoSrisWVRMOul+A/pSm8oh1hlWKdHjmaZEYa6o3y04ahSXPfdMvfU5Fon4YKdtrIPCjmRWe0bo5f9gtm8xTUfVV+8MpDfEo6Gyhef0Bywtg6zNBd8F+W8E1NO/5gN+UaJbIxtPRJ5UDwBl2J6d4ET3GU/fbkd+2KLUxkEoZsQOHNnu3R0QHA4ig6ZjYzVzhEkjcMH7Z+N7PP691/Y3BPBd2decJhIeniMyuFd7X8ElPzccpgdwbQXpmB9zxa8TUZSj6v/CNp/HTEjIOu7ibWK43iRZ68RH0OmBGgZ/tdSPCoNj5oySivoohXjXlFM9siBmsqtqTIWIcFDXx9K8OAD8zjfbLtDRQQadO8SKzvmO6d/Fqq4WtrXewkB6T/VZrsS5gudA6G9c45qed/4OXChKtIa6bLmwkmEz0ChsMnHK3xPxAxtBTcNEw/ztDFf2GhI27EN3F7SsfU7EKqCS4DvJGnTbiK8YpxDkcTPlEZ4TC5jeaU1YcM8Jsk7vFvScQkie/dy5wjIBqUEe8V877dek/c2H7aXHrOdfd6VE+5ZQ2ypUnCHX+JTpwkbjMT9xliMnZZ/po5jPZP4NTbJq13EJDzkfSxasmJOMmleDFotme4dux8UC6zm/sL+uc2aAY3xiEF+TJkQHsdx2igiXuXIdbD0WGhlwcrtrodJUjGILeLMHu1U8ZZYWbKsel4PyaBOXiZiLAksYOyXSuryNmCm9lkkfWsXO/bRhqvOp/tPb5nAZpbrm/wPROmQEUajfhXBEvwa8cl4X6wOI783/CxrqleHacyhLJb3lABwcR6XjQlNVuOoOWYVmxyVQWfcQxhh8cg0jdMy6q43N4O2b1dbbDTHpoKMdKCqM1Lefj2me77gdSijuR63y4bH4Zwd6Hqsq8WfDcJFGrBmNnIuwppni2MjB0yiQ5iBZOFjiSp6dFIk8j8oNc9t9xI54VZoCnNeTdDbgAXf6s9rfDCxXq50wxsz5T7CjbckqXNZCdG2HNUnTTfevFTw3rOfCBupEbTl7227rVHhdeqyge36YXj647NQbd8ZcKck7/7VBsCIQ3FP2/ZMz8baCBJm8GwSOk+fPdKcgF4xYTmt4tifShFEFNY8cbzldNkdfgmiFSqXw87MGFO94YaWyNDuoHrbz4Wc9ZZST5h+wdSkIv+uMi/p2j0YufoCkyMS12Jnvbd8xIqExdtm4DAUbSTk="
重命名Encryption.bin02為mem_secret.vmx
重命名Encryption.bin01為mem_secret-963a4663.vmss
爆破密碼:
雙擊vmx打開,此時提示輸入密碼,我們不知道密碼是多少,爆破密碼
python3 pyvmx-cracker.py -v mem_secret.vmx -d wordlist. txt
密碼 1q2w3e4r
修復vmdk:
再次打開vmx,提示缺少vmdk虛擬磁盤文件,我們新建一個虛擬機,虛擬機配置依照已知的信息配置,未知信息默認即可。配置vmdk為單文件並重命名為mem_secret.vmdk。下面截圖是我配置好的截圖。注意無需掛載win10系統安裝鏡像。
配置好后用相同密碼加密虛擬機。將mem_secret.vmdk與上一步文件修復中的mem_secret.vmdk比對發現,上一步中的mem_secret.vmdk只是我們剛剛新建的vmdk的一部分,我們用winhex工具將舊的部分替換新的部分,下圖是新建的vmdk,粘貼點在下圖選中的位置,在winhex右鍵編輯--》剪貼板數據--》寫入,替換當前位置的數據。
替換后注意還要修改紅色部分
此時設置去除密碼
大功告成。
直接分析解密好的vmem文件,
注意注意注意這里有個坑,使用最新主線版本的Volatility,不要使用歸檔版本的Volatility(例如2.6.1),因為歸檔版本不支持這個win10
下載鏈接 https://github.com/volatilityfoundation/volatility
獲取系統版本 python2 vol.py -f '/root/Documents/mem_secret-963a4663.vmem' imageinfo ,得知系統是Win10x64_18362
導出注冊表 python2 vol.py -f mem_secret-963a4663.vmem --profile=Win10x64_18362 dumpregistry -D ./
使用MiTeC Windows Registry Recovery工具解析注冊表,查看主機名為DESKTOP-4N21ET2,版本號為6.3.18363
導出文件 python3 vol.py -f mem_secret-963a4663.vmem windows.filescan -D ./
搜索desktop,分析后得知用戶名為Ado
掛起狀態虛擬機中顯示的內容就是答案:Best_hacker
我們在vmem中直接搜索關鍵字 @ 、username 、password 就可以找到答案,steam注冊郵箱為john@uuf.me ,用戶名為jock_you1,密碼為,jock.2021
查看進程 python2 vol.py -f mem_secret-963a4663.vmem --profile=Win10x64_18362 pstree
查看網絡 python2 vol.py -f mem_secret-963a4663.vmem --profile=Win10x64_18362 netscan
馬程序steam.exe,ip為192.168.241.147,端口號為8808
python2 vol.py -f mem_secret-963a4663.vmem --profile=Win10x64_18362 userassist
python2 vol.py -f mem_secret-963a4663.vmem --profile=Win10x64_18362 filescan -D ./
桌面發現可疑文件 Wywz.exe,時間 2021-09-10 21:10:13 UTC+8(注意時區轉換)