IR 303: Capturing RAM from a Process (15 pts)

What You Need for This Project

Start Your Machine

Launch your Windows cloud machine.

Finding Process IDs

In the bottom left of Windows, click the Magnifying glass and type in Task Manager.

Open Task Manager, click More Details in the bottom and then Details in the top.

Open Internet Explorer.

If you look at Task Manager, there will now be two iexplore.exe processes.

  • In Internet Explorer, visit these websites:

    Refer to the Task Manager and write down the PID (process id) for iexplore.exe that is using more memory.

    In the image below it is 3908; yours will likely be different.

    Install Procdump

    Open a browser and go here:

    https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

    Click the "Download ProcDump" link. Save the file to your Downloads folder and then click Open, Extract, Extract All.

    Change the destination folder to: C:\Windows\System32

    Click Yes in the popups to approve the extraction to that folder.

    Right click the Windows icon in the lower left of your screen and click Command Prompt (Admin).

    In the command prompt navigate to your Desktop folder by typing:

    cd C:\Users\yourname\Desktop

    Replace "yourname" with your Windows machine login name.

    Make a folder called Data and navigate into it by typing:

    mkdir Data && cd Data

    Note: In the next project, we will be setting up an FTP Server and will grant FTP access to this Data folder.

    You can grant FTP access to any folder you wish, but it's good practice to expose the least amount of data required in case of a breach.

    We will now capture the RAM from each of our processes.

    In the command prompt type this and replace the numbers with the process id for iexplore.exe you wrote down:

    procdump -ma 3908

    Installing HxD

    One way to explore the RAM image is to use a raw hex viewer.

    In a Web browser, go to https://mh-nexus.de/en/hxd/

    Scroll down and find the download link for modern Windows versions, as shown below.

    Click the download link, download the English version, unzip it, and install it with the default options.

    Viewing the Memory Image with HxD

    In HxD, click File, Open. Open the .dmp file in your Data folder. It should be something like "iexplore.exe_190829_044143.dmp".

    In HxD, press Ctrl+F. Search for

    samsclass.info

    HxD finds the string and highlights it, as shown below.


    Flag IR 303.1: Int32 Value (15 pts)

    On the right side of the HxD window, a pane shows various interpretations of this byte sequence. The Int32 value is a long number beginning with 19, covered by a green box in the image below. That's the flag.
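    The search and Int32 step above, as an added example that is not part of this lab: a small Python script that does what HxD's Ctrl+F and Data Inspector do on a .dmp file. It also searches for the UTF-16LE form of the string, which Windows programs often store in memory and which an ANSI-only search misses. SAMPLE_DUMP is a constructed buffer standing in for a real dump; search_dump_file is a hypothetical helper for running it on your own capture.

```python
import struct
from pathlib import Path

# Constructed stand-in for a procdump .dmp file: filler bytes around one ANSI
# copy and one UTF-16LE copy of the search string (not a real memory image).
SAMPLE_DUMP = (
    b"\x00" * 16 + b"samsclass.info" + b"\x00" * 8
    + "samsclass.info".encode("utf-16-le") + b"\xff" * 4
)

def find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        yield idx
        start = idx + 1

def inspect_at(data: bytes, offset: int) -> dict:
    """Reproduce the Int32 rows of HxD's Data Inspector for the 4 bytes at offset.
    HxD shows the little-endian value by default; the big-endian value is
    included so the effect of byte order is visible next to the hex pane."""
    chunk = data[offset:offset + 4]
    if len(chunk) < 4:
        raise ValueError(f"fewer than 4 bytes available at offset {offset:#x}")
    return {
        "offset": offset,
        "hex": chunk.hex(" "),
        "int32_le": struct.unpack("<i", chunk)[0],
        "int32_be": struct.unpack(">i", chunk)[0],
    }

def search_dump(data: bytes, text: str) -> list:
    """Search a memory image for text as ANSI and as UTF-16LE and report each
    hit with its offset, encoding and Int32 interpretations, ordered by offset."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        for off in find_all(data, text.encode(encoding)):
            hit = inspect_at(data, off)
            hit["encoding"] = encoding
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])

def search_dump_file(path: str, text: str) -> list:
    """Hypothetical helper: run search_dump over a dump file on disk."""
    return search_dump(Path(path).read_bytes(), text)

if __name__ == "__main__":
    for hit in search_dump(SAMPLE_DUMP, "samsclass.info"):
        print(hit)
```

    To use it on your own capture, call search_dump_file with the path of the .dmp file in your Data folder and the string "samsclass.info"; the int32_le value of the ANSI hit is what the HxD pane shows.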


    Updated to Cloud, removed BCDEdit steps: 8-18-19
    Integrated with Canvas 8-20-18
    Typos fixed, RAM reducing added, and "net user" removed 8-27-18
    Administrator Command Prompt instructions added 8-28-18