Practical Malware Analysis
Audience: undergraduate/college information security majors
Prerequisites: computer networks, operating systems
Experimental purpose
The purpose of this chapter's experiment is to unpack malicious code so that it can be analysed further. In this experiment we learn to use PEiD to identify the packer and to manually unpack files packed with ASPack and WinUPack. The unpacking work is carried out mainly in OllyDbg; we also learn how to use an OllyDbg plug-in to assist unpacking and how to use ImpREC to repair the import table.
Preliminary knowledge
1. OllyDbg
OllyDbg (also written OllyDebug) is a disassembler and dynamic tracing tool that combines ideas from IDA and SoftICE. It is a Ring 3 (user-mode) debugger and has replaced SoftICE as the most popular debugging and decryption tool today. It also supports plug-in extensions and is currently the most capable debugger of its kind. In practice you debug your own programs in VC because you have the source code, while OllyDbg is used to analyse other people's programs.
2. PEiD
PEiD is a packer identification tool. It can detect most PE file packers, cryptors and compilers, and more than 600 different signatures are currently recognised.
Experimental environment
Server: Windows 7
Auxiliary tools: PEiD, OllyDbg, ImpREC
Experiment step 1
In this experiment we analyse the files lab18-4 and lab18-5.
Load lab18-4 into PEiD.
It reports that the file is packed with ASPack.
Load the file into OllyDbg.
The first instruction is pushad.
Step over the pushad; the result is shown in the figure.
Select the value of ESP and choose Follow in Dump.
Set a hardware breakpoint on that stack address and run.
After running, execution breaks as shown.
The instruction just before the jnz is popad. The instruction that follows popad should be the tail jump, which transfers control to the OEP.
Step over the jnz.
A retn follows the push instruction; it returns to the address that was just pushed onto the stack, so this is likely the tail jump.
Step over the retn to arrive at the new location.
Right-click and choose the option shown in the figure.
The result is as shown.
This is the OEP.
Dump the process here.
Load the dumped file into PEiD.
PEiD shows that the unpacking succeeded.
Load lab18-5 into PEiD.
It reports that the file is packed with WinUPack.
Load the file into OllyDbg.
OllyDbg immediately reports an error.
It can load the file but cannot find the entry point of the packer stub, so it breaks at the system breakpoint instead.
Single-step until the value of ESP changes (it turns red in the register window).
Right-click the ESP value and choose Follow in Dump.
Set a hardware breakpoint there and run.
Execution stops at the position shown in the figure below.
This is the OEP.
Dump it the same way as before.
Loading the dump into PEiD shows that the unpacking succeeded.
But the import information looks like this:
it cannot be identified correctly.
The import table needs to be repaired.
Use ImpREC to repair it.
The two fields marked by the arrows in the figure need to be set: one is the lab18-5 process, the other is the OEP address.
Click IAT AutoSearch.
Click Get Imports.
Then click Fix Dump.
Open the dumped file.
A "saved successfully" message indicates that the repair is complete.
Load the repaired file into PEiD.
The import information can now be viewed correctly.
This confirms that the unpacking succeeded.
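To show why the imports of a raw dump "cannot be identified" until ImpREC rebuilds them, here is an added example (not code from the lab or the original post): a small Python walker over a PE32 import directory, run over a constructed sample in both its raw-dump and repaired form. The file layout, DLL, function names and addresses in the sample are hypothetical.

```python
import struct

def rva_to_off(secs, rva):
    """Map an RVA to a file offset via the section table; None if it maps nowhere."""
    for vsize, va, rawsize, raw in secs:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    return None

def audit_imports(data):
    """Walk a PE32 import directory as an import viewer does: per DLL return (name, resolved names, thunks that are not RVAs)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    opt, nsec = pe + 24, struct.unpack_from("<H", data, pe + 6)[0]
    sec_tbl = opt + struct.unpack_from("<H", data, pe + 20)[0]
    secs = [struct.unpack_from("<IIII", data, sec_tbl + 40 * i + 8) for i in range(nsec)]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    cstr = lambda off: data[off:data.index(b"\0", off)].decode("ascii", "replace")
    off, report = rva_to_off(secs, struct.unpack_from("<I", data, opt + 104)[0]), []
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        names, bad, t = [], 0, rva_to_off(secs, oft or ft)   # INT if present, else the IAT itself
        if ft == 0 or t is None:
            break                                           # null or unmappable descriptor ends the walk
        while (entry := struct.unpack_from("<I", data, t)[0]) != 0:
            t += 4
            if entry & 0x80000000:
                names.append("#%d" % (entry & 0xFFFF))      # import by ordinal
            elif entry >= size_of_image or rva_to_off(secs, entry) is None:
                bad += 1    # a loader-resolved absolute address left in the IAT, not an RVA
            else:
                names.append(cstr(rva_to_off(secs, entry) + 2))   # skip the 2-byte hint
        report.append((cstr(rva_to_off(secs, name_rva)), names, bad))
        off += 20
    return report

def build_sample(repaired):
    """Constructed, hypothetical PE32 (not a lab file): one section at RVA 0x1000 / file 0x200, two kernel32 imports."""
    h, s = bytearray(0x200), bytearray(0x200)                               # headers, .text
    h[0:2], h[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", h, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section
    struct.pack_into("<I", h, 0x58 + 56, 0x2000)                            # SizeOfImage
    struct.pack_into("<II", h, 0x58 + 104, 0x1000, 40)                      # import directory
    struct.pack_into("<8sIIII", h, 0x58 + 224, b".text", 0x200, 0x1000, 0x200, 0x200)
    s[0x40:0x4D], s[0x50:0x5E], s[0x60:0x71] = b"kernel32.dll\0", b"\0\0ExitProcess\0", b"\0\0GetProcAddress\0"
    # Raw dump: OriginalFirstThunk is 0 and the IAT holds the addresses the loader resolved at run time.
    struct.pack_into("<III", s, 0x80, *((0x1050, 0x1060, 0) if repaired else (0x76C21234, 0x76C25678, 0)))
    struct.pack_into("<III", s, 0x90, 0x1050, 0x1060, 0)                    # INT (hint/name RVAs)
    struct.pack_into("<IIIII", s, 0, 0x1090 if repaired else 0, 0, 0, 0x1040, 0x1080)
    return bytes(h + s)
```

`audit_imports(build_sample(False))` resolves no names and counts two non-RVA thunks, which is the "cannot be identified" state; after the repair (`build_sample(True)`) both names resolve.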
Supporting learning resources
1. "Practical Malware Analysis"