Viettel MatesCTF May Qualification – Forensics 200

Challenge name: Hidden


The challenge gives us a memory dump. We use imageinfo to identify the operating system, hardware architecture, etc.

We can use psscan or pslist to list the processes of the system. The difference between psscan and pslist is that psscan can also detect hidden or unlinked processes:
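As an added example (not part of the original write-up), here is a small script that performs the psscan-versus-pslist comparison described above on constructed Volatility 2 output samples, separating genuinely exited processes (psscan shows an exit time) from processes that are unlinked from the process list:

```python
# Added example, not part of the original write-up: cross-check Volatility 2
# `pslist` (walks the linked EPROCESS list) against `psscan` (pool-tag scan of
# physical memory). A PID that psscan reports but pslist does not is either an
# exited process whose object is still in memory, or one unlinked by DKOM.
# Both text blocks below are CONSTRUCTED samples in the Volatility 2 layout.
import re

PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ----
0x867c0830 System                    4      0     51      311 ------      0 2018-05-01 10:00:00 UTC+0000
0x868a9c68 explorer.exe           1612   1580     22      520      1      0 2018-05-01 10:01:12 UTC+0000
0x8690a020 mspaint.exe            2044   1612      4       98      1      0 2018-05-01 10:05:40 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000027c0830 System                4      0 0x00185000 2018-05-01 10:00:00 UTC+0000
0x00000000028a9c68 explorer.exe       1612   1580 0x0e4c0200 2018-05-01 10:01:12 UTC+0000
0x000000000290a020 mspaint.exe        2044   1612 0x0e4c0340 2018-05-01 10:05:40 UTC+0000
0x0000000002a11d40 calc.exe           3192   1612 0x0e4c0480 2018-05-01 10:04:03 UTC+0000
0x0000000002b3f2e0 cmd.exe            2520   1612 0x0e4c03c0 2018-05-01 10:02:55 UTC+0000 2018-05-01 10:03:30 UTC+0000
"""

ROW_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse_processes(text):
    """Return {pid: (name, has_exit_time)} for each data row of a pslist/psscan table."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            # A second timestamp on the row is the exit time column.
            exited = len(TIMESTAMP_RE.findall(line)) >= 2
            procs[int(m.group(2))] = (m.group(1), exited)
    return procs

def find_hidden_processes(pslist_text, psscan_text):
    """PIDs seen by psscan but missing from pslist, tagged 'exited' or 'unlinked'."""
    linked = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return sorted((pid, name, "exited" if exited else "unlinked")
                  for pid, (name, exited) in scanned.items() if pid not in linked)

if __name__ == "__main__":
    for pid, name, status in find_hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"psscan-only: {name} (PID {pid}) [{status}]")
```

An "unlinked" entry with no exit time is the case worth dumping and inspecting first, since a normally terminated process would carry an exit time.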

I tried to extract screenshots of the system but did not find anything interesting. Scanning connections and command prompt history gave the same result. Since the challenge is named “Hidden”, I was focusing on dumping “exited” processes. If a process uses a DKOM technique to fill in the thread’s ExitTime, it will appear as exited even if it’s still running. After an hour of digging for nothing, I came to this command:

Shellbags in Windows are very useful to a forensic investigator. In this case, they gave us what we wanted: hidden.exe, and one more thing: SysWOW64. This directory only exists on 64-bit Windows, but the memory dump is of a 32-bit system.

We can find the offset of hidden.exe in memory by using filescan, then dump it with dumpfiles:

The binary uses DLL injection to load a DLL into another process:

I used dlllist to display each process’s loaded DLLs, and there was a DLL from the SysWOW64 directory loaded into the mspaint.exe process:

So far so good. I extracted the suspicious DLL:

Loading it into IDA, I found that the flag is generated in the getkey function:

Flag: matesctf{go to another place}

What a nice challenge 🙂

Viettel MatesCTF March Qualification – Forensics 150


We are given a memory dump. As usual when working with Volatility, we check the memory profile first:

We use psscan to look for any interesting processes:

The first idea that came to mind was that the flag could be painted in mspaint.exe. Since we can recover a screenshot of nearly everything that was on screen when the machine was running from the memory dump, we can easily get the flag from mspaint.exe.

Dump the memory of mspaint.exe:

Rename it to .data in order to import it into GIMP as raw data (GIMP supports importing raw image data). We didn’t see the flag, but we did see an interesting thing:


This mspaint.exe is not the normal mspaint.exe: it’s a console application and its size is far too small. We dumped this process, loaded it into IDA, found the main function and got the flag:

Flag: matesctf{mem_baby}