SECCON 2016 Forensics 100 Memory Analysis writeup

Challenge Description:

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!

Hint2: Check the hosts file

The first task was to find out all the svchost process running in the machine, then identify suspicious artifacts in order to verify the rogue svchost process. The pstree plugin from the volatility framework would list all the running process in a machine.


svhost.exe is a container of many service DLLs grouped together. They run under a smaller set of svchost.exe, typically you can see 5 or more running instances of svchost.exe in your machine. Now, let’s find out the rogue svchost process based on some artifacts,

There are totally 7 instances of svchost.exe processes running and they are started by their actual parent process services.exe (672). There are no spelling mistakes in the processes names. Well, let’s see if it has a proper image path. A legitimate svchost.exe should run from the following directory : %SystemRoot%\System32\svchost.exe


As you can see the process PIDs : 848,1320,1088,936, 1036 are run from the system32 folder with legitimate parameters ( <DcomLaunch,LocalService>,<NetworkService,rpcss,netsvcs>) for grouping similar services. Now we can rule out the fake svchost.exe process PID is 1776 ^^ as it was made run in a directory other than System32. Will now find at least one or more artifacts to support our findings. Let’s also look if there is any suspicious network activity,


No idea about process IDs : 3676 and 2776 and it is not important here. The only related information is pid 1080 ( IEXPLORER.EXE). It looks legitimate as the browser is communicating over the port 80. But it’s parent process is another IEXPLORE (380) instance started by our fake svchost.exe (1776). I am stopping here and I am sure you can also find some registry artifacts.

If you try strings command after dumping the memory resident pages from the processes 380, 1080, and 1776, you can see iexplore has been run with argument “;. This would lead you to a blog article. Let’s jot down this information, will be useful for later.

The hint given in the challenge was to reconstruct the c:\windows\system32\drivers\etc\hosts file. The hosts file can be found at the physical offset 0x000000000217b748 (using filescan plugin). Dumping the host file from the memory (using dumpfile plugin) would give the hosts file information.


You can also find the same IP address ( after running the connscan plugin. When we access this IP address, you will see a Nginx page with a welcome message. I added the IP address and the host name in my /etc/hosts file and tried accessing the same page, I got redirected to the same Nginx page. I was wondering where I would have went wrong. They said I will get the flag if I get access to the website. But what I see is just an usual Nginx welcome message. After the contest got over, I was going through my findings and I  found this URL ( “;) in my notes, that I got after dumping the process memory of the IEXPLORE process!

LOL 😀 😀 I forgot to use this link and I did not refer to my findings!! I opened the URL in a browser and I got the flag.


Anyway it was a good learning experience!


2 thoughts on “SECCON 2016 Forensics 100 Memory Analysis writeup

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s