Pwn2Win CTF 2016 Dump (Forensics 50) Writeup

Problem

Description: We know this dump was generated by a process which was executing as root in the computer, and that it was reading directly from a /dev device. Probably it is part of a keylogger module included in a rootkit which is being tested by the Club. Help us to unveil this message, allowing us to discover why they infected this specific machine.

Solution

The dump file contained data that seemed to align well for 24 bytes, indicating that each record of the captured input was stored in some 24 byte datastructure.

We loaded it into a small C program, and could quickly see that the first 16 bytes were increasing throughout the dump.

00000000568a8e79 00000000000a59d0 0007002800040004
00000000568a8e79 00000000000a59d0 00000000001c0001
00000000568a8e79 00000000000a59d0 0000000000000000
00000000568a8e7b 00000000000ab77f 000700e100040004
00000000568a8e7b 00000000000ab77f 00000001002a0001
00000000568a8e7b 00000000000ab77f 0000000000000000
00000000568a8e7b 00000000000c2e82 0007000c00040004
00000000568a8e7b 00000000000c2e82 0000000100170001
00000000568a8e7b 00000000000c2e82 0000000000000000
00000000568a8e7b 00000000000da586 0007000c00040004
00000000568a8e7b 00000000000da586 0000000000170001
00000000568a8e7b 00000000000da586 0000000000000000
00000000568a8e7b 00000000000de3f9 000700e100040004
00000000568a8e7b 00000000000de3f9 00000000002a0001
00000000568a8e7b 00000000000de3f9 0000000000000000
00000000568a8e7c 000000000000d438 0007002c00040004
00000000568a8e7c 000000000000d438 0000000100390001
00000000568a8e7c 000000000000d438 0000000000000000
00000000568a8e7c 00000000000289a7 0007002c00040004
00000000568a8e7c 00000000000289a7 0000000000390001
00000000568a8e7c 00000000000289a7 0000000000000000
00000000568a8e7c 00000000000325f9 0007000400040004
00000000568a8e7c 00000000000325f9 00000001001e0001
00000000568a8e7c 00000000000325f9 0000000000000000

Translating it to integer reveals that it’s actually a timestamp, or more precisely a timeval struct. The last eight bytes were much more interesting. After Googling a bit, we found that the datastructure input_event defined in linux/input.h is the one used by the Linux kernel to represent keyboard events.

Unpacking the binary data into the struct gave us the message: I am suspicious of Fideleetos intentions

Code:

#include <stdio.h>
#include <stdint.h>
#include <sys/time.h>
#include <linux/input.h>

typedef struct {
	struct timeval t;
	uint16_t type;
	uint16_t code;
	int32_t value;
} input_event_t;

static input_event_t data[512];

static char lookup[256] = {
	[KEY_1] = '1', [KEY_2] = '2', [KEY_3] = '3', [KEY_4] = '4',
	[KEY_5] = '5', [KEY_6] = '6', [KEY_7] = '7', [KEY_8] = '8',
	[KEY_9] = '9', [KEY_0] = '0', [KEY_Q] = 'Q', [KEY_W] = 'W',
	[KEY_E] = 'E', [KEY_R] = 'R', [KEY_T] = 'T', [KEY_Y] = 'Y',
	[KEY_U] = 'U', [KEY_I] = 'I', [KEY_O] = 'O', [KEY_P] = 'P',
	[KEY_A] = 'A', [KEY_S] = 'S', [KEY_D] = 'D', [KEY_F] = 'F',
	[KEY_G] = 'G', [KEY_H] = 'H', [KEY_J] = 'J', [KEY_K] = 'K',
	[KEY_L] = 'L', [KEY_Z] = 'Z', [KEY_X] = 'X', [KEY_C] = 'C',
	[KEY_V] = 'V', [KEY_B] = 'B', [KEY_N] = 'N', [KEY_M] = 'M',
	[KEY_SPACE] = ' ', [KEY_LEFTSHIFT] = '^', [KEY_RIGHTSHIFT] = '^'
};

int
main(void)
{
	FILE *f = fopen("./dump", "r");

	fread(data, sizeof(input_event_t), 255, f);

	int i;
	for (i = 0; i < 255; i++) {
		if (lookup[data[i].code] && data[i].type == 1 && data[i].value == 1)
			printf("%c", lookup[data[i].code]);
	}
	printf("\n");

	fclose(f);

	return 0;
}