1. Practical goals
1. Monitor the running state of your own system to see whether any suspicious programs are running.
2. Analyze a piece of malware: the backdoor program generated in Exp2 or Exp3.
2. Practical steps
1. System operation monitoring
Use netstat to sample connections at regular intervals
First create a txt file whose contents append the date, the time and the current connection table (with the owning executable, -b, and numeric addresses, -n) to c:\netstatlog.txt:
date /t >> c:\netstatlog.txt
time /t >> c:\netstatlog.txt
netstat -bn >> c:\netstatlog.txt
Rename the file with a .bat suffix, run the command prompt as an administrator, and register it as a scheduled task that runs every 2 minutes:
schtasks /create /TN 20154310 /sc MINUTE /MO 2 /TR "c:\20154310.bat"
Note that netstat -b needs administrator rights to resolve process names; if the log shows "Can not obtain ownership information" instead of executable names, recreate the task with /RL HIGHEST so that it runs elevated.
Once you have collected enough samples, import netstatlog.txt into an Excel sheet.
Insert → PivotTable → New Worksheet, put the process column in Rows and Count in Values to get the number of connection records per process.
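The PivotTable step above only counts rows; the following added Python script (not part of the original report) does the same count over netstatlog.txt and additionally lists every sampled connection to a chosen foreign IP, which is the fastest way to spot the backdoor's connect-back. The sample log embedded in the script is constructed; the host 192.168.1.5, the attacker 192.168.1.10:4310 and the process names are assumptions.

```python
import re
from collections import Counter

# Connection line as printed by "netstat -bn": protocol, local endpoint,
# foreign endpoint and (TCP only) state.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")
# Owning executable, printed in square brackets on a following line.
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Constructed sample: two sampling rounds of netstatlog.txt as produced by the
# date / time / netstat -bn batch file (hypothetical hosts and process names).
SAMPLE_LOG = """\
2018/04/10 Tue
20:00
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49812      192.168.1.10:4310      ESTABLISHED
 [20154310_backdoor.exe]
  TCP    192.168.1.5:49820      13.107.4.50:443        ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
2018/04/10 Tue
20:02
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49812      192.168.1.10:4310      ESTABLISHED
 [20154310_backdoor.exe]
  TCP    192.168.1.5:49830      13.107.4.50:443        ESTABLISHED
 [svchost.exe]
"""


def split_endpoint(addr):
    """Split 'host:port' (IPv6 hosts are bracketed) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat_log(text):
    """Return one dict per connection line, with the owning process attached."""
    conns = []
    pending = None  # the connection still waiting for its [process] line
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            fhost, fport = split_endpoint(foreign)
            pending = {
                "proto": proto, "local": local,
                "foreign_ip": fhost, "foreign_port": fport,
                "state": state or "", "process": "(unknown)",
            }
            conns.append(pending)
            continue
        p = PROC_RE.match(line)
        if p and pending is not None:
            pending["process"] = p.group(1)
            pending = None
        elif "Can not obtain ownership information" in line:
            pending = None  # netstat was not elevated; socket stays unattributed
    return conns


def count_by_process(conns):
    """Same statistic as the Excel PivotTable: connection records per process."""
    return Counter(c["process"] for c in conns)


def connections_to(conns, ip):
    """All sampled connections whose foreign address is the given IP."""
    return [c for c in conns if c["foreign_ip"] == ip]


if __name__ == "__main__":
    conns = parse_netstat_log(SAMPLE_LOG)
    for proc, n in count_by_process(conns).most_common():
        print(f"{n:4d}  {proc}")
    for c in connections_to(conns, "192.168.1.10"):
        print(c["process"], "->", c["foreign_ip"], c["foreign_port"], c["state"])
```

To run it on a real log, replace SAMPLE_LOG with open(r"c:\netstatlog.txt").read(). A process that appears in every sample with the same foreign address and a non-standard port is the pattern a connect-back backdoor leaves.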
Use the Sysmon tool
First create a txt file containing the Sysmon configuration (it is an XML document; the suffix does not matter to Sysmon).
Run the command prompt as an administrator, cd into the Sysmon directory, and install it with the configuration: sysmon.exe -i 20154310.txt (add -accepteula on the first run, otherwise the license dialog appears).
Sysmon then starts as a service and begins logging.
Right-click This PC → Manage → Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational to view the log.
Look for the backdoor file: Event ID 1 (process create) records its image path and command line, and Event ID 3 (network connection) records the connection it opens back to Linux.
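Reading the Sysmon log by eye works for one backdoor, but the useful operation is the join between Event ID 3 (which process connected where) and Event ID 1 (who started that process). The following added Python script (not from the original report) does that join over events saved from the Sysmon/Operational log as XML. The embedded events are constructed; the image paths, process IDs and addresses are assumptions, and the "expected ports" list is just a starting allow-list for the lab.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape of Event Viewer's "Save All Events As" XML
# export: one backdoor and one svchost, each with a process-create (ID 1)
# and a network-connect (ID 3) event. Paths, PIDs and IPs are hypothetical.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\lab\Desktop\20154310_backdoor.exe</Data>
    <Data Name="CommandLine">"C:\Users\lab\Desktop\20154310_backdoor.exe"</Data>
    <Data Name="ProcessId">4312</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="CommandLine">C:\Windows\System32\svchost.exe -k netsvcs</Data>
    <Data Name="ProcessId">1200</Data>
    <Data Name="ParentImage">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\lab\Desktop\20154310_backdoor.exe</Data>
    <Data Name="ProcessId">4312</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">192.168.1.10</Data>
    <Data Name="DestinationPort">4310</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="ProcessId">1200</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">13.107.4.50</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Flatten each <Event> into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def outbound_by_process(events):
    """Join Event ID 3 (outbound connects) with Event ID 1 on ProcessId."""
    created = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    result = {}
    for e in events:
        if e["EventID"] != 3 or e.get("Initiated") != "true":
            continue
        origin = created.get(e["ProcessId"], {})
        info = result.setdefault(e["Image"], {
            "parent": origin.get("ParentImage", "?"),
            "cmdline": origin.get("CommandLine", "?"),
            "connections": [],
        })
        info["connections"].append((e["DestinationIp"], int(e["DestinationPort"])))
    return result


def suspects(events, expected_ports=(53, 80, 443)):
    """Processes that connected out to a port not on the expected list."""
    return {img: info for img, info in outbound_by_process(events).items()
            if any(port not in expected_ports for _, port in info["connections"])}


if __name__ == "__main__":
    for img, info in suspects(parse_events(SAMPLE_EVENTS)).items():
        print(img, "started by", info["parent"], "->", info["connections"])
```

A process whose parent is explorer.exe (started by a user double-click) connecting to a non-standard port on a LAN address is exactly what the Exp2/Exp3 backdoor looks like in this log; system services are started by services.exe, so the parent image alone already separates the two cases.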
Malware analysis with SysTracer
Use SysTracer to take 4 snapshots:
snapshot#1 before the backdoor program starts, with the system in its normal state
snapshot#2 after starting the backdoor and letting it connect back to Linux
snapshot#3 after Linux, through the backdoor, has created a file in the D: drive of the Windows host
snapshot#4 after closing the backdoor and disconnecting, the state of the host afterwards
Compare two snapshots at a time,
e.g. #1 and #2:
You can see that after the backdoor is started, the three registry entries shown in the comparison have been modified, and under Application → Opened Ports you can see the IP address and port number used by the backdoor program. Comparing #2 with #3 shows the file created from the Linux side, and comparing #3 with #4 shows which of the changes are reverted once the backdoor exits.
Malware analysis with Process Explorer
Double-click the backdoor process to open its properties; the TCP/IP tab shows the IP address and port of the Linux host it is connected to.
3. Experimental experience and reflections
Many tools are used in this experiment, and I chose several of them as analysis tools for malicious code. To be honest, using these tools step by step is very easy. But merely being able to operate them is not enough; being able to query and understand the meaning of the captured data is what lets us truly learn the corresponding knowledge and lay the foundation for the next experiment.