Malicious Code Analysis Lab 9-2 exercise notes, lab9-2
Lab 9-2
Problem 1. What static strings do you see in the binary file?
A: Let's first check the static strings in IDA. IDA makes them easy to view.
The static strings in the binary file are shown here.
2. What happens when you run this binary file?
A: I won't run it. The book says it exits immediately after running, so I would have to reset the virtual machine, and I am too lazy to do that. What happens when it runs is that it exits immediately.
Next we will start the binary analysis.
Here I am using the 吾爱破解 (52pojie) build of OD (OllyDbg), which is quite helpful (Chinese can be displayed). The only drawback is that I cannot adjust the font.
The program starts running and calls the first function that is not a system function, 00401F08. Let's go in and see what it is.
This function has no analytical value; it is the heap initialization function.
The next non-system function called is
the function at 00401D5D.
The first call after entering it is
the function at 004023C0. Let's go and see.
Here we notice that this function calls GetStartupInfoA; MSDN describes it as:
Retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created.
This is also an initialization function that runs before main.
Then the next function.
GetCommandLineA is called here.
This function obtains the command-line parameters entered by the user.
We can see that after this function is called,
the value of EAX is immediately changed to our current directory, that is, the value of argv[0].
Then the next function is
the function at 004019DE, which is called here.
The first function it calls is GetEnvironmentStringsW.
In MSDN, we can see the return value:
Return value
If the function succeeds, the return value is a pointer to the environment block of the current process.
If the function fails, the return value is NULL.
Then we can run it in OD and view the execution result of this function.
The value of EAX is a pointer. Let's check the value at this address.
Here is the PATH of the location we run this file from.
The following is the next call, GetEnvironmentStrings, which is similar to the function above. Let's look at the return value; but here the jmp is taken, so this function will not be executed.
Then we keep looping here. This loop compares one character at a time.
It runs until the loop ends.
Then, following the practice in the book, place a breakpoint at the start of main (0x401128) and run.
Then we enter main.
The first function called is GetModuleFileNameA. Let's look at the return value.
Check the input parameters.
At this point the PathBuffer input parameter has changed to 12FC80. We jump to that memory address.
Here it is 0, and then we run the call.
The address changes immediately. Then we can view the value, which is the directory where the file is located.
Next call
Here we go to IDA so as not to get lost.
This function is marked in IDA as _strrchr, a C++ function used to find a character.
We noticed that the two push instructions above put two parameters on the stack.
The last push is ecx; let's look at its value.
The value of ECX here is the absolute path of the executable file, that is, the source string, and the character we want to find is 5Ch, which is the character '\'.
The return value of this function is a pointer to the position of the last '\' character. Let's run it.
As we expected, this function returns the position of the last '\' character.
Then proceed to the next call.
The corresponding function in IDA
is the string comparison function _strcmp.
Here the two input parameters are ecx and eax. Let's see what the two values are.
This string is the obfuscated string from the book.
Then, for the other string, we go back to the string created above and run until these values have been assigned.
We know that in the binary world 0x0 represents the end of a string, the '\0' character, so we search from ebp for the two strings.
At this time ebp is 12FF80.
Right-click the address in the memory window and follow it.
The address of the first string is
12FF80-1B0=12FDD0.
Here you can also see that the next string is ocl.exe.
If we use this method to find the next 0x0, the second string is separated off.
Its value is ebp-0x1A0, that is
12FF80-1A0=12FDE0,
that is, the location below.
Then continue to analyze the function.
Here the two strings are compared.
The expected program name should be the string ocl.exe.
test is used to check the return value.
If the return value is 0, je jumps; otherwise the function ends.
Then the following mov edx, 0x1 sets edx to 1.
Then test again; it is doomed not to jump here.
Then it goes on to call the WSAStartup function, the initialization step before using the winsock dll.
Let's take a look at what is stored at 12FDE8.
Nothing.
This is the situation after the function is called.
Then the function is ready to perform this operation:
initializing a TCP socket.
After these operations are completed, it is ready to call this function.
Look inside in IDA.
This function is not clearly shown in IDA; I estimate that it is not a common C function.
Then let's go into this function and analyze it.
The input parameters before the function are
In this case the value of eax is
Let's take a look at this function.
This function returns 0Ch when given this string.
At the end of the function, the returned string has become the web site address after various transformations.
Therefore, this function produces the web site address.
Then the following function is ready to connect to the URL.
The connection fails because the URL does not exist, so the connection ends and some cleanup operations are performed.
Note that it sleeps for 30000 ms.
We will re-execute this code here, and this time not take the jump that closes the connection when the check is made.
Here we will use our DNS fake and Inetsim. In this example, DNS is set to our DNS fake; the DNS fake then resolves the domain name requested by this code to our inetsim, and the following step is the malicious code connecting to this inetsim.
After we set up the DNS fake, gethostbyname() returns a correct result.
We will skip the red-lined closesocket function.
Then we come to the next function.
This function is ntohs, a network initialization function.
The ntohs function converts a u_short from TCP/IP network byte order to host byte order (which is little-endian on Intel processors).
The next function is, as expected, connect.
After the connection succeeds, the next function is shown.
Then let's go in and see.
We found a function call that OD did not mark. The first thought was to check whether it was a system function call, so we opened it in IDA.
In IDA this function is marked as _memset.
This is an initialization function.
Then we encountered another function in IDA.
In IDA this is the function at 0040102C (below the function above).
This is also an initialization function; we ignore it.
Then the following function starts to create a process.
From LastError in OD we can see that the process-creating function has successfully created the process.
Then the next function is
The WaitForSingleObject function checks the signaled state of the hHandle object. When the waiting time exceeds dwMilliseconds, it returns. However, if the dwMilliseconds parameter is INFINITE, the function only returns when the corresponding object becomes signaled; otherwise the system waits until WaitForSingleObject returns before executing the code that follows.
So here it will keep waiting for the corresponding event. This event is hObject=7C81D63B.
After this function completes, it returns.
Then this function can be named
CreateProcessAndWaitSignal. Of course, this is my personal name for it. This function creates a process to handle the connection with the server, and then the main process continues to execute.
Here is a trick: fill the sleep with nop, saving the wasted execution time.
Then the function jumps back to the place where the socket was originally initialized.
Here, we just missed a point in our analysis: the input parameter of ntohs. The input parameter here is
It can be seen that this is a fixed value, 0x270F = 9999d.
So here it will connect to port 9999 of the malicious domain name.
Next, connect is executed for the second time. The return value is -1d because our inetsim does not have port 9999 enabled.
Then it keeps retrying the connection here. The book hints that there will be a reverse shell.
That is at the _memset place.
Here, the cmd.exe window is created in hidden mode.
This indicates that this is a hidden window; the hidden window is not created here.
Yes, here the wShowWindow option is set to SW_HIDE.
Then here
hStdInput, hStdError and hStdOutput are all set to one socket, that is, the socket we just connected.
So here the code is basically analyzed; it is not as complex and huge as the previous one.
3. How do you get the malicious code to run its payload?
Answer: Rename the code to ocl.exe.
4. What happens at address 0x00401133?
A: The code at this address assigns each character one by one.
Here 0 indicates the string terminator '\0'.
5. What parameter is passed to the subroutine (function) at 0x401089?
A: The parameters of this function can be clearly seen in OD:
the encrypted string.
6. What domain name does the malicious code use?
Answer: This malicious domain name is actually the return value from the previous question.
That is, the author's domain name. Hahaha
7. What encoding routine does the malicious code use to obfuscate the domain name?
Answer: This has to be worked out by analysis, whether it is an encoding or an encryption. Let's try to analyze it.
When the function starts, the first function called is _strlen.
This _strlen calculates the length of the input string.
Then the return value of the function is 0xC, that is 12d.
Then the function performs the following operations:
Here esp is the address that stores the encrypted string.
Let's look for this address.
Before the add esp, 0x4 operation, the value of esp is 0012FB54; after adding 0x4 it is 0012FB58,
which then points to the next value on the stack.
The stack stores the value 0012FD8E at this address.
Then the following local.65 is ebp-0x104; ebp is 0012FC64, so the resulting address is 0012FB60.
Then the value at this address is changed to C.
Then the next variable is local.66, whose address is ebp-0x108, that is 0012FB5C.
This variable is assigned 0.
Then there is an unconditional jump JMP, which jumps to the following.
We just assigned local.66 the value 0 here, and then the cmp instruction runs. Note that this 0x20 was written by the author of the malicious code, not calculated from strlen.
The jump condition here is SF=OF.
Here SF is the sign flag: if the result is negative, the value is 1; if it is positive, it is 0.
OF is the overflow flag: if overflow occurs, the value is 1, otherwise 0. The cmp instruction is actually a subtraction, but the result is not saved.
Here local.66=0 minus 0x20 gives a negative value, so SF=1; the value does not overflow, so OF=0; therefore SF<>OF and it will not jump here.
Then the input parameter arg.2 is assigned to edx. Let's see what the input parameter is.
Next, let's look at the memory and stack values.
The value shown in the stack looks like a pointer, but this pointer address is relatively large, and it is unlikely that there is such a large pointer. Looking in memory, this memory address does not exist.
The next step is the add operation.
Here local.66 and edx are added; the value of edx is unchanged.
The next step is the movsx instruction, which assigns to ecx.
The original value is 54160646h, but movsx only takes the low eight bits: 46=01000110, whose top bit is 0, so after the extension it is 00000046h.
Then mov sets the value of eax to 0.
Now ecx has changed to 46h.
The next instruction is cdq, which sign-extends eax into edx:eax. Before this operation eax is 0x0 and edx is 0012FD90; afterwards edx is all 0.
idiv is used here with a 32-bit divisor, local.65, which equals 0xC.
So the divisor here is local.65 and the dividend is edx:eax, that is, edx:eax/local.65.
The quotient is stored in eax and the remainder in edx. Note that this division is signed.
In OD, after this instruction completes, EAX and EDX are not changed.
Here, the encrypted string is assigned to eax, and then the sign-extended byte is put into edx.
Finally edx has changed to 0x31.
Then
the value is passed on here and it jumps.
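The decoding loop traced above, re-implemented as an added example (not code from the original post): the counter local.66 runs up to the hard-coded 0x20, the remainder of idiv by local.65 (the strlen of the 12-byte key, 0xC) indexes the key, and each sign-extended encoded byte (movsx) is combined with the sign-extended key byte. The trace above stops just before the combining instruction; in this lab it is xor, which the values on the page confirm: 0x46 ^ 0x31 = 0x77 = 'w'. The full key string "1qaz2wsx3edc" is the lab's key (the page shows only its first byte, 0x31), and the encoded bytes used are the four from the dword 54160646h read little-endian, so only the first four output characters are decoded here.

```python
# Added example: re-implementation of the decoding loop in sub_401089 as traced above.
# Not code from the original post. The full KEY is the lab's key (only 0x31 is on the page);
# the encoded bytes are the four visible in the dword 54160646h.

KEY = b"1qaz2wsx3edc"          # 12 bytes: _strlen -> local.65 == 0xC; KEY[0] == 0x31 per the trace
ENCODED_PREFIX = bytes.fromhex("46061654")  # dword 54160646h at the encoded buffer, little-endian
LOOP_COUNT = 0x20              # hard-coded in 'cmp local.66, 0x20', not derived from strlen


def movsx8(b: int) -> int:
    """movsx from a byte: sign-extend one byte to a 32-bit signed value."""
    return b - 0x100 if b & 0x80 else b


def idiv_remainder(dividend: int, divisor: int) -> int:
    """cdq; idiv: signed x86 division; the remainder (edx) takes the sign of the dividend."""
    q = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        q = -q
    return dividend - q * divisor


def decode(encoded: bytes, key: bytes = KEY, count: int = LOOP_COUNT) -> bytes:
    """out[i] = (movsx enc[i]) xor (movsx key[i % strlen(key)]), low byte kept.

    The binary always iterates 0x20 times over its 32-byte buffer; here the loop
    also stops at the end of the shorter constructed input."""
    key_len = len(key)                          # _strlen result stored in local.65
    out = bytearray()
    for i in range(min(count, len(encoded))):   # local.66 counter, compared against 0x20
        ecx = movsx8(encoded[i])                # edx = arg.2 + local.66 ; movsx ecx, [edx]
        edx = idiv_remainder(i, key_len)        # mov eax, local.66 ; cdq ; idiv local.65 -> edx
        edx = movsx8(key[edx])                  # mov eax, <key> ; movsx edx, [eax+edx]
        out.append((ecx ^ edx) & 0xFF)          # xor ecx, edx ; store cl into the output buffer
    return bytes(out)


def first_iteration() -> tuple:
    """The concrete values from the trace: ecx=0x46, edx=0x31, and their xor."""
    ecx = movsx8(ENCODED_PREFIX[0])
    edx = movsx8(KEY[idiv_remainder(0, len(KEY))])
    return ecx, edx, ecx ^ edx


if __name__ == "__main__":
    print(first_iteration())        # (70, 49, 119) -> 0x46, 0x31, 0x77 = 'w'
    print(decode(ENCODED_PREFIX))   # b'www.'
```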
8. What is the significance of the malicious code calling the CreateProcessA function at 0x0040106E?