动态分析可观察恶意代码的真实行为
1 沙箱
缺点:沙箱只能简单的运行恶意程序 ,当程序有命令参数,或后门程序需要接收指令才能运行,在沙箱中无法启动的。
- 恶意代码会检测沙箱环境
- 有些恶意代码在沙箱环境中找不到依赖的环境,无法运行
- 恶意代码运行的操作系统不相符
- 沙箱只能报告恶意代码的功能,不能给出最终结论
2 运行恶意代码
启动dll
rundll32.exe DLLname, Export arguments
Export arguments中DLL文件导出表中的函数或者序号
如
rundll32.exe rip.dll, Install
rundll32.exe rip.dll, #5
windows启动服务
net start service_name
3 进程监视器
ProcessMonitor
过滤器的使用
4 进程浏览器
可查看进程的使用的dll和使用handle(文件句柄,互斥量、事件等等)
可使用验证选项来验证磁盘上的文件是否有微软的签名,可通过内存替换技术绕过
分析恶意文件 如恶意pdf和office文件 来查看创新的新进程和网络行为
5 Regshot比较注册表快照
可以对系统注册表进行快照,对比差异。能够了解 恶意代码的对注册表的操作
下载地址 https://jaist.dl.sourceforge.net/project/regshot/regshot/1.9.0/Regshot-1.9.0.7z
6 模拟网络
- ApateDNS 用来查看恶意程序请求的DNS 域名https://download.csdn.net/download/unlovingset/8228159
- fakenet 一个windows平台下的网络模拟器,用于恶意代码分析
https://sourceforge.net/projects/fakenet/ - netcat https://eternallybored.org/misc/netcat/ 用于TCP/IP连接、代理、隧道,非常强大的工具
nc -l -p 8888
nc www.baidu.com 80
7 抓包
使用wireshark进行抓包
http://down1.jyrd.com:8001/2010/wiresharkportable_3987.com.rar
8 inetsim
inetsim 在linux平台上可以模拟常见的网络服务
root@kali:~# inetsim
INetSim 1.2.8 (2018-06-12) by Matthias Eckert & Thomas Hungenberg
Main logfile '/var/log/inetsim/main.log' does not exist. Trying to create it...
Main logfile '/var/log/inetsim/main.log' successfully created.
Sub logfile '/var/log/inetsim/service.log' does not exist. Trying to create it...
Sub logfile '/var/log/inetsim/service.log' successfully created.
Debug logfile '/var/log/inetsim/debug.log' does not exist. Trying to create it...
Debug logfile '/var/log/inetsim/debug.log' successfully created.
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
Using report directory: /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 1233) ===
Session ID: 1233
Listening on: 127.0.0.1
Real Date/Time: 2020-02-08 10:13:04
Fake Date/Time: 2020-02-08 10:13:04 (Delta: 0 seconds)
Forking services...
* dns_53_tcp_udp - started (PID 1321)
* irc_6667_tcp - started (PID 1331)
* daytime_13_tcp - started (PID 1338)
* tftp_69_udp - started (PID 1330)
* echo_7_tcp - started (PID 1340)
* finger_79_tcp - started (PID 1333)
* daytime_13_udp - started (PID 1339)
* echo_7_udp - started (PID 1341)
* ntp_123_udp - started (PID 1332)
* time_37_udp - started (PID 1337)
* syslog_514_udp - started (PID 1335)
* ftp_21_tcp - started (PID 1328)
* ident_113_tcp - started (PID 1334)
* discard_9_tcp - started (PID 1345)
* discard_9_udp - started (PID 1346)
* smtps_465_tcp - started (PID 1325)
* time_37_tcp - started (PID 1336)
* smtp_25_tcp - started (PID 1324)
* pop3_110_tcp - started (PID 1326)
* https_443_tcp - started (PID 1323)
* http_80_tcp - started (PID 1322)
* quotd_17_tcp - started (PID 1347)
* chargen_19_udp - started (PID 1351)
* quotd_17_udp - started (PID 1348)
* chargen_19_tcp - started (PID 1349)
* ftps_990_tcp - started (PID 1329)
* dummy_1_udp - started (PID 1353)
* dummy_1_tcp - started (PID 1352)
* pop3s_995_tcp - started (PID 1327)
done.
Simulation running.
网友评论