I just clicked “Step Over” (tool bar button) somewhere between 513 and 4600 times while watching the Memory Map.
These lines here need much more clarification:
Then, we can select file → open and select the restart-service.exe to import it and start the debugging. Once imported, we right click inside the CPU view and Follow in Memory Map:
Checking the memory maps at this stage of the execution…
I stepped away from this “monster” for several months.
Did the other modules. By now I am 97% done with the pentester path.
I have the “Attacking Enterprise Modules” left to do and 4 more questions in other modules.
This question is one of the 4 that are left over to do.
No matter what I do when changing the access permissions on the Temp folder, it does not take.
The below is the description from the module:
In order to capture the files, it is required to change the permissions of the Temp folder to disallow file deletions. To do this, we right-click the folder C:\Users\Matt\AppData\Local\Temp and under Properties → Security → Advanced → cybervaca → Disable inheritance → Convert inherited permissions into explicit permissions on this object → Edit → Show advanced permissions, we deselect the Delete subfolders and files, and Delete checkboxes.
Finally, we click OK → Apply → OK → OK on the open windows.
Then I run the oracle application and also look at the content of Temp\2; it looks like below.
I never see the .bat file written into the Temp\2 directory.
Have rebooted the box many times and tried small variations of the described approach. Nothing works. Must be making some basic selection or sequence mistake.
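For anyone stuck at the same step, here is an added PowerShell example (not from the module and not from the original post) that applies the same permission change from the shell instead of the Properties dialog. It assumes the folder path and the account name exactly as they appear in the module text (C:\Users\Matt\AppData\Local\Temp and cybervaca); adjust both if your box differs. The one deliberate difference from the module is that it adds an explicit Deny entry rather than only unticking the two Allow boxes: a Deny ACE still wins even if the account keeps receiving Delete through a group membership such as Users, which is one reason a GUI change can appear not to take.

```powershell
# Added example, not the module's own procedure. Deny "Delete" and
# "Delete subfolders and files" on the Temp folder so that files a program
# drops there survive its own cleanup and can be inspected afterwards.
# Path and account name are assumptions copied from the module text.
$folder  = 'C:\Users\Matt\AppData\Local\Temp'
$account = 'cybervaca'

$acl = Get-Acl -Path $folder

# GUI equivalent: Disable inheritance -> Convert inherited permissions into
# explicit permissions on this object.
$acl.SetAccessRuleProtection($true, $true)

# Explicit Deny ACE for the two rights the module tells you to untick.
# Inherit to subfolders and files so Temp\2 and its contents are covered.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$deny    = [System.Security.AccessControl.FileSystemAccessRule]::new(
               $account, $rights, $inherit, $prop,
               [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $folder -AclObject $acl

# Verify: the Deny entry should now be listed for the account.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*$account" } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Sanity check (run as the same account): a fresh file must refuse deletion.
$probe = Join-Path $folder 'deny-probe.txt'
Set-Content -Path $probe -Value 'test'
try   { Remove-Item -Path $probe -ErrorAction Stop; Write-Warning 'Delete still allowed' }
catch { Write-Host 'Delete denied as expected' }
```

Run it from an elevated PowerShell, or as a user that owns the folder, otherwise Set-Acl fails. The probe file stays behind on purpose, which is the whole point of the change. To undo it once you have the dropped files, call $acl.RemoveAccessRule($deny) and Set-Acl again, or re-enable inheritance from the Properties dialog.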
I never found any menu “Dump to memory” in the window showing my MZ executable. It helped to mark all lines in this window and save the content via Binary → Save to a File.
I am wondering why nobody else ran into that problem but if you are stuck here, this might help.
Now I got to the dnSpy but I think I am not using the right file… I use a 3000 MAP R-W file but it does not end in the one you mentioned here… mine ends in B40000…
PowerShell did NOT work for me either after many hours of trial and error, but you can do the same thing if you create a .bat file with:
@echo off
setlocal
:: Define file paths
set "input_file=C:\ProgramData\oracle.txt"
set "output_file=C:\ProgramData\restart-service.exe"
:: Decode the Base64 encoded file
certutil -decode "%input_file%" "%output_file%"
echo Decoded and written to %output_file%
:: Clean up any leftover certutil output (certutil -decode normally leaves no .bak file, so this is harmless if nothing is found)
del /F /Q "%input_file%.bak" 2>nul
endlocal