1. Basic Static Techniques

What you need:

Malware Samples

This project follows Lab01-01 in the book (Practical Malware Analysis), using Lab01-01.exe and Lab01-01.dll.

VirusTotal

VirusTotal, a Google-owned service, scans a submitted file with a large set of antivirus engines and reports which of them detect it. You can upload files, but that may alert attackers that you have detected an intrusion: uploaded samples are shared with the antivirus vendors, and an attacker who watches VirusTotal for the hash of their own malware will see that it has been submitted. Searching for the hash value of a sample (its MD5, SHA-1 or SHA-256) is safer, because the file itself is never sent anywhere and nothing new appears in the database.

As shown below, some of the engines detect Lab01-01.dll.

PEview

PEview shows the headers and sections that make up a PE (Portable Executable) file. The "Time Date Stamp" in the IMAGE_FILE_HEADER records when the linker built the file, as seconds since 1970 in UTC. Across many samples from the same group, the hours at which files were built are often used as an indication of the time zone the attackers live in. Treat it as a hint only: the field is a plain 32-bit value in the file, and an attacker can set it to anything.

The files were both compiled on the same date within a minute of each other, which indicates that they were built together as part of the same package.

PEiD

PEiD matches the bytes at the file's entry point against a signature database to identify the compiler the sample was built with, or the packer that was used if it is packed.

These files are identified as "Microsoft Visual C++" files, which indicates that they are not packed. PEiD's signatures can be out of date or deliberately spoofed, so if a "Visual C++" file has unusual section names, very few imports, or a high-entropy section, suspect a packer anyway.

BinText

BinText is a handy tool to view strings.

Look at the strings for Lab01-01.dll.

Notice these items, as shown below:

The command to launch a program is missing: it is shorter than BinText's default "Min. text length", so it is filtered out. To see it, click the Filter tab and set "Min. text length" to 4, as shown below.

Click the Search tab. At the top right, click Go.

Now you can see that the command to launch a program is exec, as shown below.
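The minimum-length filter is what hid exec above: strings tools only report runs of printable bytes at least that long, and a four-character command word falls under the usual default of 5. The following is an added example written for this page, not BinText's code, that implements the same ASCII and UTF-16LE extraction with an adjustable threshold. SAMPLE is a constructed byte string that imitates a fragment of a PE image; it is not data taken from Lab01-01.dll.

```python
"""Strings extraction with a minimum-length filter, as BinText applies it.

Added example for this page; it is not BinText's code. SAMPLE is a constructed
byte string that imitates a fragment of a PE image, not data from Lab01-01.dll.
"""
import re

# Constructed stand-in for a chunk of binary data: NUL-separated ASCII strings of
# different lengths, one UTF-16LE (wide) string, and some non-printable bytes.
SAMPLE = (
    b"\x00\x00\x00exec\x00\x00sleep\x00\x00hello\x00\x00"
    b"\x7fKERNEL32.dll\x00\x00CreateProcessA\x00\x00"
    + "127.26.152.13".encode("utf-16le") + b"\x00\x00"
    + b"\x10\x02\x03ab\x00"
)

PRINTABLE = rb"[\x20-\x7e]"   # the ASCII range a strings tool treats as text


def extract_strings(data, min_len=5, wide=True):
    """Return (offset, kind, text) for every run of at least min_len printable chars.

    kind is "A" for plain ASCII and "U" for UTF-16LE, the markers BinText uses.
    Anything shorter than min_len is dropped, which is why a short command word
    such as "exec" disappears when the threshold is 5.
    """
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    hits = [(m.start(), "A", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    if wide:
        # A wide string is printable-char, NUL, printable-char, NUL, ...
        wide_re = re.compile(b"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
        hits += [(m.start(), "U", m.group().decode("utf-16le"))
                 for m in wide_re.finditer(data)]
    return sorted(hits)


def string_texts(data, min_len=5):
    """Only the text column, in file order."""
    return [text for _, _, text in extract_strings(data, min_len)]


if __name__ == "__main__":
    for n in (5, 4):
        print(f"min length {n}: {string_texts(SAMPLE, n)}")
```

Run it and exec appears only at the threshold of 4, while the wide-string IP address is reported at either setting; on a real sample, pass the file's bytes instead of SAMPLE.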

Note the IP address 127.26.152.13 among the DLL's strings as well. Then collect the strings from the Lab01-01.exe file.

Notice these items, as shown below:

Dependency Walker

Open Lab01-01.exe in Dependency Walker.

The top left pane is called the "Module Dependency Tree View". It shows the EXE file and the two Windows libraries it imports from: MSVCRT.DLL and KERNEL32.DLL.

In the top left pane, click MSVCRT.DLL. The top right pane shows "Parent Imports". These are the functions the EXE file uses from the library file.

As shown below, this executable uses only a small number of library functions, and none of them indicate much about its purpose. One of them is named _stricmp, which indicates that this program performs a case-insensitive string comparison, but that's a very common operation.

In the top left pane, click KERNEL32.DLL.

The top right pane shows that this file uses several functions that manipulate files, including FindNextFileA and FindFirstFileA, as shown below.

This suggests that the malware searches through the file system and can open and modify files.

Open Lab01-01.dll in Dependency Walker. In the top left pane, partially collapse the tree to match the image below and click WS2_32.DLL.

The top right pane doesn't show function names this time, it only shows "Ordinal" numbers. This is called Linking by Ordinal: the import entry stores only the function's position in WS2_32.DLL's export table, not its name, so we can't see at a glance what functions are in use. The ordinals can still be resolved by looking them up in the DLL's export list, which is exactly what the next pane provides.

However, the center-right pane shows the Exports of WS2_32.DLL, which include accept, bind, and connect. These are the standard Berkeley Sockets functions used for networking. This suggests that the malware performs some networking functions, such as connecting to a server and opening a listening port.

In the top left pane, click KERNEL32.DLL. The top right pane shows the "Parent Imports", which include CreateProcessA and Sleep, as shown below. CreateProcessA fits the exec string seen in BinText: the DLL can launch a program.
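To see what PEview's "Time Date Stamp" and Dependency Walker's import list are actually reading from the file, here is an added example, written for this page rather than taken from either tool or from the book, that parses both by hand. It covers the PEview timestamp section above as well as the import-by-ordinal case just discussed: an ordinal-only thunk has its high bit set and carries no name, so the parser falls back to an export table. WS2_32_ORDINALS is a small subset copied from that DLL's export list (the same resolution Dependency Walker's Exports pane lets you do by eye), and build_sample() constructs a minimal PE32 image in memory that stands in for the lab samples; it is not Lab01-01.exe or Lab01-01.dll.

```python
"""Read a PE file's compile timestamp and import table by hand.

Added example for this page; not PEview, Dependency Walker or the book's code,
but it reads the same on-disk structures those tools display. build_sample()
constructs a minimal PE32 image in memory (not a lab sample) so parse_pe() runs offline.
"""
import struct
from datetime import datetime, timezone

IMAGE_ORDINAL_FLAG32 = 0x80000000   # thunk high bit set: import by ordinal, no name stored
# Subset of WS2_32.DLL's export ordinals (from its export table), used to resolve
# ordinal-only imports the way Dependency Walker's Exports pane lets you do by hand.
WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"}


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("ascii")


def parse_pe(data):
    """Return the COFF timestamp (UTC) and {dll: [import, ...]} for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]   # DataDirectory[1]: imports
    # The section table follows the optional header; it maps RVAs to file offsets.
    sections = []
    for i in range(nsections):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + rva - vaddr
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    imports = {}
    desc = rva2off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                # an all-zero descriptor ends the table
            break
        dll = _cstr(data, rva2off(name_rva))
        thunk = rva2off(oft or ft)       # Import Name Table, or the IAT if there is no INT
        names = []
        while True:
            val = struct.unpack_from("<I", data, thunk)[0]
            if val == 0:
                break
            if val & IMAGE_ORDINAL_FLAG32:
                ordinal = val & 0xFFFF   # linking by ordinal: only the export index is stored
                table = WS2_32_ORDINALS if dll.upper() == "WS2_32.DLL" else {}
                names.append(table.get(ordinal, f"ordinal {ordinal}"))
            else:
                names.append(_cstr(data, rva2off(val) + 2))   # skip the 2-byte hint
            thunk += 4
        imports[dll] = names
        desc += 20
    return {"timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc), "imports": imports}


def build_sample(stamp=1293840000):
    """Constructed PE32 image (not a real binary): one section holding an import
    directory for KERNEL32.DLL (by name) and WS2_32.DLL (by ordinal)."""
    rva = 0x200                  # the section sits at file offset 0x200 and RVA 0x200
    blob = bytearray(60)         # 2 import descriptors + zero terminator, filled in last

    def put(b):                  # append to the section, return the RVA of the appended bytes
        blob.extend(b)
        return rva + len(blob) - len(b)

    def by_name(fn):             # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
        return put(b"\x00\x00" + fn.encode() + b"\x00")

    k32_name, ws2_name = put(b"KERNEL32.DLL\x00"), put(b"WS2_32.DLL\x00")
    k32_int = put(struct.pack("<4I", by_name("CreateProcessA"), by_name("Sleep"),
                              by_name("FindFirstFileA"), 0))
    ws2_int = put(struct.pack("<4I", IMAGE_ORDINAL_FLAG32 | 4, IMAGE_ORDINAL_FLAG32 | 23,
                              IMAGE_ORDINAL_FLAG32 | 3, 0))
    struct.pack_into("<IIIII", blob, 0, k32_int, 0, 0, k32_name, k32_int)
    struct.pack_into("<IIIII", blob, 20, ws2_int, 0, 0, ws2_name, ws2_int)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)    # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, rva, 60)         # DataDirectory[1] = import table
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\x00\x00", len(blob), rva, len(blob), rva,
                       0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\x00\x00" + coff + opt + sect
    return bytes(hdr + b"\x00" * (rva - len(hdr)) + blob)


if __name__ == "__main__":
    print(parse_pe(build_sample()))
```

For a real sample, pass the file's bytes to parse_pe(). The constructed image's WS2_32.DLL entries come back as connect, socket and closesocket only because the ordinal table knows them; an ordinal outside the table is reported as "ordinal N", which is the situation Dependency Walker's Exports pane resolves. Note that 64-bit PE32+ files use 8-byte thunks and a different optional header layout and are deliberately rejected here.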

For more information about using Dependency Walker, see this tutorial:

Analyzing dependencies with Dependency Walker

Find the Downloaded File (5 pts)

Analyze the sample Lab01-04.exe

It downloads a file from this domain: practicalmalwareanalysis.com

Find that file's name and use the form below to get your points.

Your Name:
Filename like this:
keylog.txt

Find the Imported Function (5 pts)

Analyze the sample Lab01-04.exe

It imports a function from WINTRUST.DLL

Find that function's name and use the form below to get your points.

Your Name:
Function name like this:
AdjustTokenPrivileges

Last modified 7-15-17