6. Keylogger

What you need:

Purpose

You will practice the techniques in chapter 3.

This project follows Lab 3-3 in the textbook.

Preparing Windows

On your desktop, open the "Practical Malware Analysis Labs" folder. Open the "Binary Collection" and Chapter_3L folders.

Open Process Explorer and move it so you can see it at the same time as the Explorer window. Scroll to the bottom to show explorer.exe (your desktop) and its children, which are processes launched by the currently logged-in user, as shown below.

Launch the Malware

Double-click Lab03-03.exe and watch what happens in Process Explorer. First, two new processes appear, shown in green below: Lab03-03.exe and svchost.exe.

After a second or two, the Lab03-03.exe process terminates, leaving the svchost.exe running as an orphan process, as shown below.

This is highly unusual and suspicious behavior.

Observing Process Replacement

This svchost process is strange in another way: the code running in RAM does not match the code on the disk.

To see that, in Process Explorer, right-click svchost.exe and click Properties.

Click the Strings tab. At the bottom, make sure Image is selected, as shown below.

These are the strings on the disk, in the real svchost.exe file.

At the bottom of the box, click the Memory button. Now the strings are completely different, and contain these suspicious items: GetActiveWindow and SetWindowsHookExA.

Those functions can be used by a keylogger to hook keypresses and run added code that records them.

Scroll down and find the string practicalmalwareanalysis.log, as shown below. This may be the filename used to store the keypresses.
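As an added example (not part of the lab or the textbook), a small Python script that encodes the two indicators walked through above: an svchost.exe whose parent is not services.exe or has already exited, and hook-related API names that appear in the process's memory strings but not in its on-disk image. The process tree and string sets are constructed sample data standing in for what Process Explorer shows; the services.exe-only parent list is a simplifying assumption.

```python
from dataclasses import dataclass

# Assumption: on a normal Windows host svchost.exe is started by services.exe.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}
# API names the lab saw only in the in-memory strings; a keylogger needs a
# keyboard hook, and these are the calls that install and target one.
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "GetActiveWindow"}

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    disk_strings: frozenset  # strings of the image file on disk
    mem_strings: frozenset   # strings of the same image as mapped in RAM

def find_suspicious(procs):
    """(pid, reason) pairs for svchost.exe instances showing the lab's indicators."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:  # Lab03-03.exe exited, leaving svchost.exe orphaned
            findings.append((p.pid, "orphaned svchost.exe: parent has exited"))
        elif parent.name.lower() not in EXPECTED_SVCHOST_PARENTS:
            findings.append((p.pid, f"svchost.exe spawned by {parent.name}"))
        # Process replacement: code in RAM differs from the file on disk.
        hooks = (p.mem_strings - p.disk_strings) & HOOK_APIS
        if hooks:
            findings.append((p.pid, "hook APIs only in memory: " + ", ".join(sorted(hooks))))
    return findings

# Constructed sample snapshot modelled on the lab: pid 600 is a normal svchost.exe;
# pid 3000 was spawned by Lab03-03.exe (pid 2999, already terminated) and its
# memory strings are the ones the lab observed.
_DISK = frozenset({"svchost.exe", "ServiceMain", "StartServiceCtrlDispatcherW"})
SAMPLE_PROCS = [
    Proc(500, 400, "services.exe", frozenset(), frozenset()),
    Proc(600, 500, "svchost.exe", _DISK, _DISK),
    Proc(1000, 900, "explorer.exe", frozenset(), frozenset()),
    Proc(3000, 2999, "svchost.exe", _DISK, frozenset(
        {"GetActiveWindow", "SetWindowsHookExA", "practicalmalwareanalysis.log"})),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```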

Testing the Keylogger

Open Notepad and type in some text. A file appears in the Chapter_3L folder named practicalmalwareanalysis.log, as shown below.

Double-click the practicalmalwareanalysis.log file. The stolen keystrokes appear, as shown below.

Killing the Keylogger Process

In Process Explorer, below "explorer.exe", find the svchost.exe process. Right-click it, as shown below, and click "Kill Process".

Find the Logfile (15 pts)

In your Documents folder, find the file chal6.exe.

If you aren't using the VM your instructor provided, download the file here.

This file is a keylogger. Find the file containing the captured keystrokes. Use the form below to get your points.

Your Name:
Filename like this:
keylog.txt

Last modified 7-29-17