Analyse mémoire 3/5 - Où est le pansement ?

Tags: forensics, windows, memory, FCSC 2025

Difficulty: 3 stars

Description

The process hosting the malware appears legitimate: the attacker most likely modified it to inject their code and run their compromise chain. Identify the malicious thread, then find the virtual address of the page whose PTE the attacker modified.

The flag is in the format FCSC{<thread_id>:<virtual_address>} where:

  • <thread_id> is the ID of the malicious thread (TID), and
  • <virtual_address> is the virtual address (in the malicious process's address space) of the start of the memory page whose PTE was modified.

For example: FCSC{420:0x0022446688aaccee}.

This challenge is part of a series that should be solved sequentially:

Files

Author

haxom
