会员申请ID:卢宁东
1、申请ID:卢宁东2、个人邮箱:467385039@qq.com
3、原创技术文章:恶意代码扫描加壳识别技术
文章正文:
恶意代码的制作者为了传播 一般都会使用软件加壳 加壳后原特征被隐藏 增加了分析识别的困难
在真实情况下利用被加壳样本程序自身的脱壳代码进行脱壳速度很块 但一定要对加壳程序的脱壳代码进行校验
可校验又会导致失去了对变形加壳代码的识别能力
下面我用UPX1.24 for win 加壳为例 说明处理方式
先使用VC 6.0的AppWizard生成Dialog Based应用程序 test
编译Release版后 得到20,480字节的test.exe
其 MZ/PE 头信息如下:
00000000 4D 5A 90 00 03 00 00 00-04 00 00 00 FF FF 00 00 MZ..............
00000010 B8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
00000020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00-00 00 00 00 D8 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD-21 B8 01 4C CD 21 54 68 ........!..L.!Th
00000050 69 73 20 70 72 6F 67 72-61 6D 20 63 61 6E 6E 6F is programcanno
00000060 74 20 62 65 20 72 75 6E-20 69 6E 20 44 4F 53 20 t be run inDOS
00000070 6D 6F 64 65 2E 0D 0D 0A-24 00 00 00 00 00 00 00 mode....$.......
00000080 FB C6 9A 8E BF A7 F4 DD-BF A7 F4 DD BF A7 F4 DD ................
00000090 DD B8 E7 DD BB A7 F4 DD-3C BB FA DD BE A7 F4 DD ........<.......
000000A0 57 B8 FE DD B4 A7 F4 DD-57 B8 F0 DD BA A7 F4 DD W.......W.......
000000B0 BF A7 F5 DD CC A7 F4 DD-57 B8 FF DD B9 A7 F4 DD ........W.......
000000C0 07 A1 F2 DD BE A7 F4 DD-52 69 63 68 BF A7 F4 DD ........Rich....
000000D0 00 00 00 00 00 00 00 00-50 45 00 00 4C 01 04 00 ........PE..L...
000000E0 6B 49 EA 3F 00 00 00 00-00 00 00 00 E0 00 0F 01 kI.?............
000000F0 0B 01 06 00 00 10 00 00-00 30 00 00 00 00 00 00 .........0......
00000100 E0 16 00 00 00 10 00 00-00 20 00 00 00 00 40 00 ......... ....@.
00000110 00 10 00 00 00 10 00 00-04 00 00 00 00 00 00 00 ................
00000120 04 00 00 00 00 00 00 00-00 50 00 00 00 10 00 00 .........P......
00000130 00 00 00 00 02 00 00 00-00 00 10 00 00 10 00 00 ................
00000140 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
00000150 00 00 00 00 00 00 00 00-A8 25 00 00 64 00 00 00 .........%..d...
00000160 00 40 00 00 A0 0A 00 00-00 00 00 00 00 00 00 00 .@..............
00000170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001B0 00 20 00 00 DC 01 00 00-00 00 00 00 00 00 00 00 . ..............
000001C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001D0 2E 74 65 78 74 00 00 00-42 09 00 00 00 10 00 00 .text...B.......
000001E0 00 10 00 00 00 10 00 00-00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 20 00 00 60-2E 72 64 61 74 61 00 00 .... ..`.rdata..
00000200 B6 09 00 00 00 20 00 00-00 10 00 00 00 20 00 00 ..... ....... ..
对该程序开始部分进行反汇编 得到反汇编代码 同时可以看到入口点为 16E0然后使用 UPX1.24 对其加壳
当跟踪执行到 00406B08 处时,可以在 004016E0 处找到如下代码
004016E0 >PUSH EBP
004016E1 MOV EBP,ESP
004016E3 PUSH -1
004016E5 PUSH test.004024F8
004016EA PUSH; SE handlerinstallation……
就是加壳后的test程序人口代码
加壳器的识别上不能于判断节名 目前有许多加壳器的修补工具可以修 改节名及其它大部分特征
比较快速的方法是匹配代码段附近的若干字节
就像UPX1.24加壳后固定在代码段偏移 0x10 处有 DWORD 值 0x909010EB就可以作为该版 UPX 的识别依据
而比较谨慎的方法是匹配脱壳代码的 MD5 或 CRC32 校验值 没看懂表达的什么意思? http://www.haosou.com/s?ie=utf-8&src=360chrome_toolbar_search&q=%E6%96%87%E4%BB%B6%E7%BA%A7%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%AB%E6%8F%8F%E5%BC%95%E6%93%8E%E4%B8%AD%E7%9A%84%E5%8A%A0%E5%A3%B3%E8%AF%86%E5%88%AB%E6%8A%80%E6%9C%AF67 楼上好赞 3L真相啊 哈哈哈。都是复制粘贴的 楼主是猴子请来的逗比啊
页:
[1]