zoukankan      html  css  js  c++  java
  • Lab 7-2

    Analyze the malware found in the file Lab07-02.exe.

    Questions and Short Answers

    1. How does this program achieve persistence?

      A: This program does not achieve persistence. It runs once and then exits.

    2. What is the purpose of this program?

      A: The program displays an advertisement web page to the user.

    3. When will this program finish executing?

      A: The program finishes executing after displaying the advertisement.

    Detailed Analysis

    We begin with some basic static analysis. While we don’t see any interesting ASCII strings, we do see one interesting Unicode string: http://www.malwareanalysisbook.com/ad.html. We check the imports and exports of the program, and see only a few imports in addition to the standard imports, as follows:

    All of these functions are COM-related. The CoCreateInstance and OleInitialize functions in particular are required in order to use COM functionality.

    Next, we try dynamic analysis. When we run this program, it opens Internet Explorer and displays an advertisement. There’s no evidence of the program modifying the system or installing itself to execute when the computer is restarted.

    注:这是我掐断网络,运行 Lab07-02 的结果。

    Now we can analyze the code in IDA Pro. We navigate to the _main method and see the code shown in the following listing.

    The first thing the malware does is initialize COM and obtain a pointer to a COM object with OleInitialize at ({color{red} 1 }) and CoCreateInstance at ({color{red} 2 }). The COM object returned will be stored on the stack in a variable that IDA Pro has labeled ppv, as shown at ({color{red} 3}). In order to determine what COM functionality is being used, we need to examine the interface identifier (IID) and class identifier (CLSID).

    Clicking rclsid and riid shows that they are 0002DF01-0000-0000-C000-000000000046 and D30C1661-CDAF-11D0-8A3E-00C04FC9E26E, respectively. To determine which program will be called, check the registry for the CLSID, or search for the IID on the Internet for any documentation. In this case, these values are the same identifiers we used in “The Component Object Model” on page 154. The IID is for IWebBrowser2, and the CLSID is for Internet Explorer.

    As shown in the following listing, the COM object returned by CoCreateInstance is accessed a few instructions later at ({color{red} 1 }​).

    Following this instruction, EAX points to the location of the COM object. At ({color{red}2}), EAX is dereferenced and EDX points to the beginning of the COM object itself. At ({color{red} 3}), the function at an offset of +0x2C from the object is called. As discussed in the chapter, the offset 0x2C for the IWebBrowser2 interface is the Navigate function, and we can use the Structures window in IDA Pro to create a structure and label the offset. When Navigate is called, Internet Explorer navigates to the web address http://www.malwareanalysisbook.com/ad.html.

    注:标识 edx + 2Ch(重命名偏移 2Ch):

    注结束。

    After the call to Navigate, there are a few cleanup functions and then the program ends. The program doesn’t install itself persistently, and it doesn’t modify the system. It simply displays a one-time advertisement.

    When you encounter a simple program like this one, you should consider it suspect. It may come packaged with additional malware, of which this is just one component.

    Preference

    恶意代码分析实战 Lab 7-2 习题笔记

    病毒分析教程第四话--高级静态逆向分析(上)

  • 相关阅读:
    获取网站注册中发送验证信息的链接
    SSH hibernate 使用时最好添加访问数据库的编码
    hibernate 数据行数统计 count(*)
    【转】Java自动装箱、拆箱、缓冲池
    struts2文件下载 火狐浏览器的文件名乱码问题
    struts2 action中传递两个参数到url
    IText 生成简单表格(报表)doc文档 单元居中
    IText 生成横向的doc文档
    IText PdfPTable表格 单元的居中显示
    IText 中文字体解决方案 生成doc文档
  • 原文地址:https://www.cnblogs.com/hacker-x/p/10281419.html
Copyright © 2011-2022 走看看