Practical Malware Analysis (Malicious Code Analysis in Practice): Lab 1 (1)


Practical Malware Analysis

Michael Sikorski, Andrew Honig
Zhuge Jianwei, Jiang Hui, Zhang Guangkai

Malware sample download

Foreword, Prerequisites: malware sample download link:
https://practicalmalwareanalysis.com/
1. Click Labs
2. Click Download
NOTE: We provide a self-extracting archive and an encrypted 7-zip file containing the labs. The password is "malware".
3. Click Download ZIP

1.1 Anti-virus engine scan

VirusTotal website:
https://www.virustotal.com/

1.2 Hash values

Online MD5 hash calculator:
https://www.sojson.com/hash.html

1.3 Finding strings

Strings program:
http://technet.microsoft.com/enus/sysinternals/bb897439

https://docs.microsoft.com/zh-cn/sysinternals/downloads/strings

1.4 Packing and obfuscating malicious code

UPX tool:
http://upx.sourceforge.net/
UPX is a free, portable, extensible, high-performance executable packer for several executable formats.

1.5 PE file format

1.6 Link libraries and functions

Dependency Walker tool:
http://www.dependencywalker.com/

msvcrt.dll (Baidu Encyclopedia entry):
https://baike.baidu.com/item/msvcrt.dll/10968059
msvcrt.dll is the C runtime library (Microsoft Visual C Runtime Library) that Microsoft ships with Windows. It implements the C standard library functions such as printf, malloc and strcpy, and provides the initialization (for example, reading command-line arguments) and exit routines for programs compiled with C/C++ (VC).

1.7 Static analysis techniques in practice

1.8 PE file header and section

1. Use PEview to analyze PE files
2. Use the Resource Hacker tool to view the resource section
http://www.angusj.com/
3. Use other PE file tools
PEBrowse Professional:
http://www.smidgeonsoft.prohosting.com/pebrowsepro-file-viewer.html
PE Explorer (commercial):
http://www.heaventools.com/

Lab1-1

Lab files: this lab uses Lab01-01.exe and Lab01-01.dll.
Questions:
1. Upload the files to https://www.virustotal.com/ for analysis and view the reports. Do the files match any existing antivirus signatures?
2. When were these files compiled?
Both files were compiled on December 19, 2010:
Lab01-01.dll 2010-12-19 16:16:38
Lab01-01.exe 2010-12-19 16:16:19

3. Are there any signs that either of these files is packed or obfuscated? If so, what are they?
One way to detect packing is with the PEiD tool.
PEiD identifies the compiler for both the .dll and the .exe normally, and the entry point (EP) section is the usual .text section.
So neither file shows signs of being packed or obfuscated.
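Questions 2 and 3 can also be answered without a GUI tool by reading the PE headers directly. The script below is an added example, not code from the post or from the book: it parses the TimeDateStamp and the section that contains the entry point, and reports a packing hint when the entry point lies outside .text or UPX-style section names are present. The build_sample helper constructs a minimal synthetic PE32 header for demonstration; it is not one of the lab files.

```python
import struct
from datetime import datetime, timezone

# Section names left behind by UPX (see section 1.4); their presence is a packing hint.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}

def parse_pe(data: bytes) -> dict:
    """Return compile time, entry-point section and a packing hint for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint (PE32 and PE32+)
    names, ep_section = [], None
    for i in range(nsec):                                       # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0")
        names.append(name)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            ep_section = name                                   # what PEiD reports as "EP Section"
    compile_time = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    packed_hint = ep_section != b".text" or any(n in PACKER_SECTIONS for n in names)
    return {"compile_time": compile_time, "entry_section": ep_section,
            "sections": names, "packed_hint": packed_hint}

def build_sample(stamp: int, entry_rva: int, section_names) -> bytes:
    """Constructed minimal PE32 header (not a real lab file): DOS header with e_lfanew=0x80,
    PE signature, file header, 224-byte optional header, one section header per name."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), stamp, 0, 0, 0xE0, 0x0102)
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", entry_rva)).ljust(0xE0, b"\0")
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                                0x1000, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + file_hdr + opt + secs

if __name__ == "__main__":
    # 1292775379 is 2010-12-19 16:16:19, the clock value shown above for Lab01-01.exe, taken as UTC here.
    for label, pe in (("clean layout", build_sample(1292775379, 0x1010, [b".text", b".rdata", b".data"])),
                      ("UPX layout", build_sample(1292775379, 0x2010, [b"UPX0", b"UPX1", b".rsrc"]))):
        print(label, parse_pe(pe))
```

To run it against a real file, pass `open(path, "rb").read()` to parse_pe.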

4. Do any imports hint at what this malware does? If so, which imports are they?
Lab01-01.dll imports CreateProcess and Sleep, and it imports functions from WS2_32.dll, which provides networking functionality.
P14: Wsock32.dll and Ws2_32.dll are networking DLLs. Programs that access either of these DLLs are very likely to connect to a network or perform network-related tasks.

Lab01-01.exe imports FindFirstFile, FindNextFile and CopyFile. These imports tell us that the program searches the file system and copies files.
P17: The FindFirstFile and FindNextFile functions deserve particular attention, because they let a program search through all the files in a directory.

5. Are there any other files or host-based indicators that you could look for on infected systems?

Look for C:\Windows\System32\kerne132.dll to find additional malicious activity. Note that the file name kerne132.dll, with the digit 1 in place of the letter l, is meant to look like the system file kernel32.dll. This file name can be used as a host-based indicator when searching a host for signs of infection.
P436 detailed analysis: C:\Windows\System32\kernel32.dll versus C:\Windows\System32\kerne132.dll (the letter l replaced by the digit 1). kerne132.dll is clearly trying to pass as the Windows system file kernel32.dll, so kerne132.dll can serve as a host-based indicator for finding infections by this malware, and it is a clue to watch for when analysing the malware further.
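The host-based indicator from question 5 generalizes to any system DLL name with a digit swapped in for a look-alike letter, so a scan of System32 can flag the whole class rather than one name. The helper below is an added example, not from the post or the book; KNOWN_SYSTEM_DLLS is a constructed short list, and the directory listing in the main block is constructed to stand in for System32 on an infected host.

```python
import os
from typing import Iterable, Optional

# Legitimate Windows DLL names: a constructed short list for this example. In practice,
# populate it from a clean reference installation of the same Windows build.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
                     "ws2_32.dll", "wsock32.dll", "msvcrt.dll"}

# Characters swapped in for look-alike letters, mapped back to the letter they imitate.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "|": "l"})

def impersonated_dll(filename: str) -> Optional[str]:
    """Return the legitimate DLL a file name imitates, or None if the name is clean.

    A name is suspicious when it is not itself a known DLL but becomes one after the
    look-alike substitutions are undone (kerne132.dll -> kernel32.dll). Windows file
    names are case-insensitive, so the comparison is done in lower case."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_DLLS:
        return None
    normalized = name.translate(LOOKALIKES)
    return normalized if normalized in KNOWN_SYSTEM_DLLS else None

def scan_names(filenames: Iterable[str]) -> dict:
    """Map each suspicious file name in the iterable to the DLL it imitates."""
    hits = {}
    for f in filenames:
        target = impersonated_dll(f)
        if target:
            hits[f] = target
    return hits

def scan_directory(path: str) -> dict:
    """Scan a real directory (for example C:\\Windows\\System32) for look-alike DLL names."""
    return scan_names(f for f in os.listdir(path) if f.lower().endswith(".dll"))

if __name__ == "__main__":
    # Constructed listing standing in for System32 on an infected host.
    listing = ["kernel32.dll", "kerne132.dll", "ntd11.dll", "msvcrt.dll", "notepad.exe"]
    for fake, real in scan_names(listing).items():
        print(f"{fake} imitates {real}")
```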

6. Are there any network-based indicators that could be used to find this malware on infected machines?

7. What do you think the purpose of these files is?
The .dll file is probably a backdoor.
The .exe file is used to install and run the DLL.
P3: Backdoor: malicious code that installs itself on a computer to give the attacker access to it. Backdoors usually let an attacker connect to the remote computer with little or no authentication and execute commands on the local system.

Being serious is an attitude but also a responsibility


Source: blog.csdn.net/weixin_47038938/article/details/113063227