Viettel MatesCTF May Qualification – Forensics 200

Challenge name : Hidden

Download

The challenge gives us a memory dump. We use Volatility's imageinfo plugin to identify the operating system, hardware architecture, etc.

We can use psscan or pslist to list the processes of the system. The difference between them is that psscan scans physical memory for process objects, so it can also detect hidden or unlinked processes:
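As an added example (not part of the original writeup), a small Python triage script that compares pslist and psscan output in the Volatility 2 table layout: processes that only psscan finds are unlinked candidates, and rows with an exit time set are the "exited" candidates worth dumping, because a live process whose ExitTime was written via DKOM looks the same as a genuinely terminated one. The sample rows, offsets and process names are constructed for this example.

```python
import re
from typing import Dict

# Constructed sample output in the Volatility 2 pslist / psscan table layout (not the challenge's dump).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85a3b020 System                    4      0     52      482 ------      0 2018-05-20 08:00:00 UTC+0000
0x8612c9d8 explorer.exe           1204   1180     21      645      1      0 2018-05-20 08:01:10 UTC+0000
0x861f4a30 mspaint.exe            2040   1204      3      112      1      0 2018-05-20 08:03:42 UTC+0000
"""

PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000005a3b020 System                4      0 0x00185000 2018-05-20 08:00:00 UTC+0000
0x000000000612c9d8 explorer.exe       1204   1180 0x0c5e0320 2018-05-20 08:01:10 UTC+0000
0x00000000061f4a30 mspaint.exe        2040   1204 0x0c5e03a0 2018-05-20 08:03:42 UTC+0000
0x0000000006a01b80 notepad.exe        3128   1204 0x0c5e0400 2018-05-20 08:03:40 UTC+0000
0x0000000006b22d40 cmd.exe            2904   1204 0x0c5e0460 2018-05-20 08:02:05 UTC+0000 2018-05-20 08:02:30 UTC+0000
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse_table(text: str) -> Dict[int, dict]:
    """Map PID -> {name, exited} from a pslist or psscan table (header rows are skipped)."""
    procs = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3 or not cols[0].startswith("0x"):
            continue  # column header, dashed rule or blank line
        # A second timestamp on the row means the Exit / Time exited column is populated.
        procs[int(cols[2])] = {"name": cols[1], "exited": len(TIMESTAMP.findall(line)) >= 2}
    return procs

def unlinked_processes(pslist_text: str, psscan_text: str) -> Dict[int, str]:
    """PIDs that pool scanning (psscan) finds but the EPROCESS list walk (pslist) does not."""
    listed = parse_table(pslist_text)
    return {pid: p["name"] for pid, p in parse_table(psscan_text).items() if pid not in listed}

def exited_processes(psscan_text: str) -> Dict[int, str]:
    """PIDs whose exit time is set. A live process hidden by writing ExitTime via DKOM lands
    here too, next to genuinely terminated ones, so every entry is a candidate for dumping."""
    return {pid: p["name"] for pid, p in parse_table(psscan_text).items() if p["exited"]}

if __name__ == "__main__":
    print("psscan only:", unlinked_processes(PSLIST_SAMPLE, PSSCAN_SAMPLE))
    print("exit time set:", exited_processes(PSSCAN_SAMPLE))
```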

I tried to extract screenshots of the system but did not find anything interesting. Scanning connections and command prompt history gave the same result. Since the challenge is named "Hidden", I focused on dumping "exited" processes: if a process uses the DKOM technique to fill in a thread's ExitTime, it will appear as exited even though it is still running. After an hour of digging for nothing, I came to this command:

Shellbags in Windows are very useful to a forensic investigator. In this case, they gave us what we wanted, hidden.exe, and one more thing: sysWOW64. This directory only exists on 64-bit Windows, but the memory dump is from a 32-bit system.

We can find the offset of hidden.exe in memory using filescan, then dump it with dumpfiles:

The binary uses the DLL injection technique to inject a DLL into a process:

I used dlllist to display a process's loaded DLLs, and there was a DLL from the sysWOW64 directory loaded into the mspaint.exe process:

So far so good. I extracted the suspicious DLL:

Loading it into IDA, I found that the flag is generated in the getkey function:

Flag : matesctf{go to another place}

What a nice challenge 🙂
