Another challenge from SharifCTF called hidden.

• Category: Forensics
• Points: 100

### Solution

A first inspection with the file command does not reveal much, but the strings tool gives us a good idea of what the dump contains.

As we know that it's a memory dump, I decided to run this awesome Linux tool for memory dump analysis called Volatility. First I'll run it with the imageinfo option, which shows us basic information about the dump.

From that information, the most essential piece is the suggested profile, WinXPSP2x86, which we'll use in the later analysis. As we have to get the PID of the hidden process, I decided to look into the documentation of this tool and here it is - psxview.

Let’s run the analysis.

Now we can see that the only process with a False value is vmtoolsd.exe with PID 404. The last step is to calculate the MD5 hash of that PID and submit the flag.
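The two steps above (reading the psxview table for a process that one of Volatility's process-listing sources does not see, then hashing its PID) can be automated. The script below is an added example, not code from the writeup or from the Volatility project; the psxview table it parses is constructed sample text in the shape of Volatility 2's `psxview` output, not output from the challenge dump, and the process names, offsets and PIDs other than 404 are made up. It also goes one step beyond the writeup: it reports which sources miss each process, because a False in the csrss/session/deskthrd columns is normal for System and smss.exe, while a process absent from pslist but still found by psscan is the classic hidden (unlinked) one.

```python
import hashlib

# Constructed sample in the shape of
#   volatility -f dump --profile=WinXPSP2x86 psxview
# output. Not real output from the challenge dump; only the PID 404 /
# vmtoolsd.exe pairing is taken from the writeup.
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a2b3c4 System                    4 True   True   True     True   False False   False
0x02345678 smss.exe                368 True   True   True     True   False False   False
0x02345abc explorer.exe           1456 True   True   True     True   True  True    True
0x03456789 vmtoolsd.exe            404 False  True   True     True   True  True    True
"""


def parse_psxview(text):
    """Parse psxview output into a list of dicts with the process name, PID,
    and the set of sources (table columns) that did NOT see the process."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    # Boolean columns sit between PID and ExitTime.
    bool_cols = header[3:header.index("ExitTime")]
    rows = []
    for line in lines[1:]:
        if line.startswith("---"):   # separator line under the header
            continue
        tok = line.split()
        flags = tok[3:3 + len(bool_cols)]
        rows.append({
            "name": tok[1],
            "pid": int(tok[2]),
            "missing_from": {col for col, val in zip(bool_cols, flags)
                             if val == "False"},
        })
    return rows


def hidden_from_pslist(rows):
    """Processes missing from the active process list (pslist) but still found
    by the pool scanner (psscan): the pattern of a process unlinked from the
    EPROCESS list. System and smss.exe legitimately show False in the
    csrss/session/deskthrd columns, so those alone are not reported."""
    return [(r["name"], r["pid"]) for r in rows
            if "pslist" in r["missing_from"]
            and "psscan" not in r["missing_from"]]


def flag_for_pid(pid):
    """MD5 of the PID as a decimal string, wrapped in the CTF flag format.
    The digest is over the bare digits: `echo 404 | md5sum` would hash a
    trailing newline as well and give a different value."""
    digest = hashlib.md5(str(pid).encode("ascii")).hexdigest()
    return "SharifCTF{%s}" % digest


if __name__ == "__main__":
    rows = parse_psxview(SAMPLE_PSXVIEW)
    for name, pid in hidden_from_pslist(rows):
        print("hidden from pslist:", name, pid, "->", flag_for_pid(pid))
```

For a real dump, pipe the output of `volatility -f <dump> --profile=WinXPSP2x86 psxview` into `parse_psxview` instead of the sample text; the column logic is the same.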

SharifCTF{4f4adcbf8c6f66dcfc8a3282ac2bf10a}


### References

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#psxview