Analyse mémoire 3/5 - Où est le pansement ?

forensics windows memory FCSC 2025 solved on

star star star

Description

The process behind the malware appears legitimate. The attacker likely modified it to inject their code and execute their compromise chain. Identify the malicious Thread. From there, find the virtual address of the PTE modified by the attacker.

The flag is in the format FCSC{<thread_id>:<virtual_address>} where:

  • <thread_id> is the ID of the malicious Thread (TID), and
  • <virtual_address> is the virtual address (within the malicious process context) of the beginning of the modified memory page (PTE).

For example: FCSC{420:0x0022446688aaccee}.

This challenge is part of a serie that should be solved sequentially:

Files

Author

haxom

Flag

Share my success on Fediverse, Twitter, Linkedin, Facebook, or via email.

Submit your solution

You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.

You need to be logged in to submit a writeup.

Writeups

I've been looking for a long time and I still can't find the flag!

You can vote for the solutions you prefer by using the on their respective pages.

DateAuthor Language Tags
2025-06-05
Cyrhades
🇫🇷