Tags: forensics memorydump volatility darkcomet
# Attaaaaack7
## Background
Q7. What is the API used by the malware to retrieve the status of a specified virtual key on the keyboard?
flag format : crew{AbcDef}
Author : 0xSh3rl0ck
## Find the flag
**Since we already found the suspicious executable (PID 300), we can dump it out of the memory image with Volatility's `procdump` plugin:**
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|19:10:29(HKT)]
└> mkdir runddl
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|19:10:43(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86_23418 -f memdump.raw procdump --pid=300 --dump-dir=runddl
[...]
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|19:10:58(HKT)]
└> ls -lah runddl
total 668K
drwxr-xr-x 2 siunam nam 4.0K Jul 8 18:47 .
drwxr-xr-x 3 siunam nam 4.0K Jul 8 18:51 ..
-rw-r--r-- 1 siunam nam 659K Jul 8 18:47 executable.300.exe
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|19:11:06(HKT)]
└> file runddl/executable.300.exe
runddl/executable.300.exe: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
```
Since this challenge is asking for the API (**not** an API key) used to retrieve the status of a key on the keyboard, we can run `strings` on the dumped executable and `grep` for key-related names. Imported Win32 function names are stored as plain ASCII in the PE import name table, so they show up directly:
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|19:12:12(HKT)]
└> strings runddl/executable.300.exe | grep -i 'key'
AutoHotkeysd-C
AutoHotkeys
AutoHotkeys
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
TKeyEvent
TKeyPressEvent
HelpKeyword nA
80211_SHARED_KEY
KEYNAME
KEYNAME
KEYNAME
KEYNAME
RegOpenKeyExA
RegCloseKey
GetKeyboardType
keybd_event
VkKeyScanA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ActivateKeyboardLayout
RegQueryInfoKeyA
RegOpenKeyExA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
UntKeylogger
UntControlKey
```
Among those, `GetKeyboardState` and `GetKeyState` look promising. The question asks about *a specified virtual key*: `GetKeyboardState` copies the status of all 256 virtual keys into a caller-supplied buffer, whereas `GetKeyState` takes a single virtual-key code and returns that key's status, so it is the one the question describes. The `UntKeylogger` unit name in the same output is consistent with it being used by a keylogger component.
- **Flag: `crew{GetKeyState}`**