
SECCON 2016 Forensics 100 Memory Analysis writeup

Challenge Description:

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!

Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file

The first task was to list all the svchost processes running on the machine, then identify suspicious artifacts to confirm which one is the rogue svchost process. The pstree plugin from the Volatility framework lists all the running processes on a machine.


svchost.exe is a container for many service DLLs grouped together. These services run under a smaller set of svchost.exe processes; typically you can see 5 or more running instances of svchost.exe on your machine. Now, let's find the rogue svchost process based on some artifacts.

There are 7 instances of svchost.exe running in total, and they were started by their actual parent process, services.exe (672). There are no spelling mistakes in the process names. Next, let's see whether each has a proper image path. A legitimate svchost.exe should run from the following path: %SystemRoot%\System32\svchost.exe


As you can see, the processes with PIDs 848, 1320, 1088, 936 and 1036 run from the System32 folder with legitimate parameters (<DcomLaunch,LocalService>, <NetworkService,rpcss,netsvcs>) for grouping similar services. We can now single out PID 1776 as the fake svchost.exe process ^^, as it was run from a directory other than System32. Next we will find at least one more artifact to support this finding. Let's also see whether there is any suspicious network activity.


I have no idea about process IDs 3676 and 2776, and they are not important here. The only related information is PID 1080 (IEXPLORE.EXE). It looks legitimate, as the browser is communicating over port 80. But its parent process is another IEXPLORE (380) instance started by our fake svchost.exe (1776). I am stopping here, and I am sure you can also find some registry artifacts.
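The checks walked through above (name spelling, services.exe as parent, image path under System32, a -k service group, and then the child processes of whatever gets flagged) can be scripted over a process listing. This is an added example, not part of the original write-up: the rows are constructed, the PIDs other than 9999 follow the text, and the paths, -k groups, EXAMPLE directory and the C:\Windows system root are assumptions.

```python
import difflib
import ntpath
import re

# Assumes %SystemRoot% is C:\Windows; compared case-insensitively.
EXPECTED = r"c:\windows\system32\svchost.exe"

# Constructed sample rows (pid, ppid, command line). PIDs 672, 848, 936, 1036,
# 1776, 380 and 1080 follow the write-up; PID 9999, the paths, the -k groups
# and the EXAMPLE directory are made up for illustration.
PROCS = [
    (672, 624, r"C:\WINDOWS\system32\services.exe"),
    (848, 672, r"C:\WINDOWS\system32\svchost.exe -k DcomLaunch"),
    (936, 672, r"C:\WINDOWS\system32\svchost.exe -k rpcss"),
    (1036, 672, r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),
    (1776, 672, r"C:\EXAMPLE\svchost.exe"),
    (9999, 672, r"C:\WINDOWS\system32\svhost.exe -k netsvcs"),
    (380, 1776, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
    (1080, 380, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE http://example.invalid/"),
]

def split_cmd(cmd):
    """Split a command line into (image path, arguments)."""
    m = re.match(r'"?(.+?\.exe)"?\s*(.*)$', cmd, re.I)
    return (m.group(1), m.group(2)) if m else (cmd, "")

def triage(procs):
    """Return {pid: [reasons]} for svchost.exe processes that look wrong."""
    table = {pid: (ppid, *split_cmd(cmd)) for pid, ppid, cmd in procs}
    findings = {}
    for pid, (ppid, image, args) in table.items():
        name = ntpath.basename(image).lower()
        reasons = []
        if name == "svchost.exe":
            parent = table.get(ppid)
            if not parent or ntpath.basename(parent[1]).lower() != "services.exe":
                reasons.append("parent is not services.exe")
            if image.lower() != EXPECTED:
                reasons.append("image outside System32")
            if not re.match(r"-k\s+\S+", args, re.I):
                reasons.append("no -k service group")
        elif difflib.SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8:
            reasons.append("lookalike name")  # e.g. svhost.exe, scvhost.exe
        if reasons:
            findings[pid] = reasons
    return findings

def descendants(procs, root):
    """PIDs spawned, directly or indirectly, by root."""
    kids = [pid for pid, ppid, _ in procs if ppid == root]
    return kids + [d for kid in kids for d in descendants(procs, kid)]
```

On the sample rows, triage flags 1776 and the made-up 9999, and descendants(PROCS, 1776) returns the two IEXPLORE PIDs whose memory is worth dumping next.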

If you run the strings command after dumping the memory-resident pages of processes 380, 1080 and 1776, you can see that iexplore was run with the argument “http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd”. This leads to a blog article. Let's jot down this information; it will be useful later.

The hint given in the challenge was to reconstruct the c:\windows\system32\drivers\etc\hosts file. The hosts file can be found at physical offset 0x000000000217b748 (using the filescan plugin). Dumping it from memory (using the dumpfiles plugin) gives the hosts file contents.


You can also find the same IP address after running the connscan plugin. When we access this IP address, we see an Nginx page with a welcome message. I added the IP address and the host name to my /etc/hosts file and tried accessing the same page, and I got redirected to the same Nginx page. I was wondering where I had gone wrong. They said I would get the flag if I accessed the website, but what I saw was just a usual Nginx welcome message. After the contest was over, I was going through my findings and I found this URL (“http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd”) in my notes, which I got after dumping the process memory of the IEXPLORE process!

LOL 😀 😀 I forgot to use this link and I did not refer to my findings!! I opened the URL in a browser and I got the flag.


Anyway it was a good learning experience!

  1. December 11, 2016 at 2:27 pm

    Good job bro .

    I also make a writeup here :

    If you can star that for me .

    Thanks .
