Malicious Code Analysis Lab 9-2 exercise notes, lab9-2
Lab 9-2
1. What static strings do you see in the binary file?
A: Let's first check the static strings in IDA. IDA makes them easy to view; the static strings in the binary file are displayed there.
2. What happens when you run this binary file?
A: I won't run it again. The book says it quits immediately after running, so I would have to reset the virtual machine, and I am too lazy to do that. What happens when I run it is that the function exits immediately.
Next we start the binary analysis.
Here I am using the 吾爱破解 (52pojie) cracked build of OD (OllyDbg), which is quite helpful (it can display Chinese). Its only drawback is that the font cannot be adjusted.
The program starts running and calls the first function that is not a system function, 00401F08. Let's go in and see what it is.
This function has no analytical value: it is the heap initialization function.
The next non-system function called is 00401D5D. Inside it, the first call is to 004023C0; let's go and look.
Here we notice that this function calls GetStartupInfoA. MSDN says of it:
"Retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created."
So this is also an initialization function that runs before main.
Next function. The next one calls GetCommandLineA, which obtains the command-line parameters entered by the user.
We can see that right after this call, EAX changes to our current directory, that is, the value of argv[0].
The next function called is 004019DE. Its first call is GetEnvironmentStringsW. In MSDN we can see the return value:
Return value
"If the function succeeds, the return value is a pointer to the environment block of the current process.
If the function fails, the return value is NULL."
Then we run it in OD and view the result of this function. EAX holds a pointer; let's check the value at that address.
It is the PATH of the location where we run this file.
The next call is GetEnvironmentStrings. It is similar to the function above; looking at the return value, here we take a jmp, so this function is not executed.
Then we keep looping here. This loop compares one character at a time, and it ends after it has run through everything.
Then, following the practice in the book, we place a breakpoint at the start of main (0x401128) and run.
We arrive in main. The first function called is GetModuleFileNameA. Let's look at the return value, and check the input parameters first.
At this point the input parameter PathBuffer is already 12FC80. We jump to that memory address; it holds 0 here.
Then we run the call, and the address changes immediately. Viewing the value there, it is the directory where the file is located.
Next call. Here we switch to IDA, so we don't lose our place.
IDA labels this function: it is _strrchr, a C function used to find a character.
We notice the two push instructions above, which put two parameters on the stack; the last push is ecx. Let's look at the value of ECX.
The value here is the absolute path of the executable file, that is, the source string; the character we want to find is 5Ch, which is the '\' character.
So the return value of this function points to the location of the last '\' character. Let's run it.
As we expected, the function returns the position of the last '\' character.
Then on to the next call. In IDA the corresponding function is _strcmp, a string comparison function.
Here the two input parameters are ecx and eax; let's see what the two values are.
This string is the obfuscated string from the book. The other string is the one built above; we go back to where it is created and run through those instructions to complete the assignment.
We know that in the binary world 0x0 represents the end of a string, the '\0' character, so we search around ebp for two such characters.
At this point ebp is 12FF80. Right-click the address in the memory window and find it.
The address of the first string is 12FF80 - 1B0 = 12FDD0.
Here you can also see that the next string is ocl.exe.
Using the same method to find the next 0x0, the second string is separated out. Its value is ebp-0x1A0, that is 12FF80 - 1A0 = 12FDE0, the location below.
Then we continue analyzing the function. Here the two strings are compared; the expected program name is ocl.exe.
test is used to check the return value: if the return value is 0, je jumps; otherwise the function ends.
Then the following mov edx, 0x1 sets edx to 1, and the test that follows is doomed not to jump here.
Then WSAStartup is called, the initialization step before using the winsock dll.
Let's take a look at what is stored at 12FDE8: nothing. This is what it looks like after the function is called.
Then the function prepares the next operation: initializing a TCP socket.
After these operations are completed, it is ready to call this function. Let's look inside in IDA.
IDA does not label this function clearly; presumably it is not a common C function. Let's go into this function and analyze it.
The input parameter before the function is in eax, whose value is shown here. Let's take a look at this function.
For this string the function returns 0Ch, and by the end of the function, after various transformations, this string has been changed into a web site address.
Therefore this function produces the web site address.
Then the following function prepares to connect to the URL. The connection fails because the URL does not exist, so the connection ends and some cleanup operations are performed.
Note the sleep of 30000 ms.
We re-execute this code here, and this time, at the check, we do not take the jump that closes the connection.
Here we use our DNS fake and Inetsim. In this example the DNS is set to our DNS fake, and DNS fake resolves the domain name requested by this code to our inetsim; the malicious code then connects to this inetsim.
After setting up DNS fake, the result returned by gethostbyname() is correct.
We skip the red line, the closesocket function.
Then we use the next function. This function is ntohs, a network initialization function.
The ntohs function converts a u_short from TCP/IP network byte order to host byte order (little-endian on Intel processors).
The next function, as expected, is connect.
After the connection succeeds, the next function is shown. Let's go in and see.
Then we find a function call that OD does not label. Our first thought is to check whether it is a system function call, so we open it in IDA.
IDA labels this function _memset, an initialization function.
Then we encounter another function, 0040102C in IDA (just below the function above). This is also an initialization function; we ignore it.
Then the following function starts creating a process. From OD's LastError we can see that the process-creation function has succeeded.
The next function is WaitForSingleObject. The WaitForSingleObject function checks the signal state of the hHandle event; when the function's execution time exceeds dwMilliseconds, it returns. However, if the dwMilliseconds parameter is INFINITE, the function returns only when the corresponding event becomes signaled; otherwise the system waits, and only then does the code after WaitForSingleObject run.
So here it keeps waiting for the corresponding event, which is hObject = 7C81D63B.
After this function completes, it returns. So this function can be named
CreateProcessAndWaitSignal
(my own name for it, of course). This function creates a process to handle the connection with the server, and then the main process continues executing.
Here is a trick: fill the sleep with nop, which saves the wasted execution time.
Then the function jumps back to the original socket initialization.
Here we missed a point in our analysis: the input parameter of ntohs. The input parameter here is a fixed value, 0x270Fh = 9999d.
So it connects to the malicious domain name on port 9999.
Next, connect is executed for the second time. The return value is -1d, because our inetsim does not have port 9999 enabled.
Then it keeps repeating the connection here. The book hints that there will be a reverse shell, at the _memset place.
Here a cmd.exe window is created in hidden mode. This indicates a hidden window; the window is not created here, but here wShowWindow is set to the option SW_HIDE.
Then hStdInput, hStdError and hStdOutput are all set to one socket, the socket we just connected.
So the code is basically analyzed here; it is not as complex and huge as the previous one.
3. How do you run the malicious code payload?
A: Rename the executable to ocl.exe.
4. What happens at address 0x00401133?
A: This address assigns values to each character of the string. The 0 here indicates the string terminator '\0'.
5. What parameter is passed to the subroutine at 0x401089?
A: The parameter of this function can be seen clearly in OD: the encrypted string.
6. What domain name does the malicious code use?
A: This malicious domain name is actually the return value of the previous question's function. That is, the domain name of the author. Hahaha
7. What encoding function does the malicious code use to obfuscate the domain name?
A: This can be worked out by analysis: XOR encryption. Let's try to analyze it.
When the function starts, the first function called is _strlen, which calculates the length of the input string.
The return value of the function is 0xCh, that is 12d.
Then the function performs the following operations:
Here esp is the address that stores the encrypted string; let's look for this address.
Before the operation add esp, 0x4, esp is 0012FB54; after adding 0x4 it is 0012FB58, pointing at the next value on the stack. The stack at this address stores the value 0012FD8E.
Then local.65 is ebp-0x104; ebp is 0012FC64, so the final address is 0012FB60. The value at this address is then changed to C.
The next variable, local.66, is at ebp-0x108, that is 0012FB5C. This variable is assigned 0.
Then there is an unconditional jump JMP to the code below.
We just assigned local.66 = 0 here. Then comes a cmp instruction; note that this 0x20 was written by the malware author and is not calculated from strlen.
The jump is a signed one: the jump condition is SF=OF.
Here SF is the sign flag: if the result is negative its value is 1, if positive it is 0. OF is the overflow flag: if there is an overflow its value is 1, otherwise 0.
cmp is actually a subtraction whose result is not saved. Here local.66 = 0, minus 0x20, gives a negative value, so SF=1; the value does not overflow, so OF=0. So SF<>OF and it does not jump here.
Then the input parameter arg.2 is assigned to edx. Let's see what the input parameter is, looking at the memory and stack values.
The stack entry looks like a pointer, but this pointer address is rather large; it is unlikely that there is such a large pointer, and in memory we find that this address does not exist.
The next step is an add: local.66 and edx are added, and edx's value is unchanged.
The next instruction is movsx, which assigns to ecx. The original value is 54160646h; movsx only takes the last eight bits, 46 = 01000110. The highest bit is 0, so after extension the value is 00000046h.
Then mov sets eax to 0. Now ecx has been changed to 46h.
The next instruction is cdq, which sign-extends eax into edx:eax. Before this operation eax is 0x0h and edx is 0012FD90; afterwards edx is all 0.
idiv with a 32-bit divisor: the divisor is local.65, which equals 0xCh, and the dividend is edx:eax, that is edx:eax / local.65.
The quotient is stored in eax and the remainder in edx. Note that the division is signed.
In OD, after this instruction completes, EAX and EDX are unchanged.
Here the encrypted string is loaded into eax, and then sign-extended into edx; finally edx is changed to 0x31h.
Then the value is passed on here and it jumps.
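The decoding loop walked through above (strlen of the key, a hard-coded 0x20 bound, cdq/idiv to get i mod keylen, movsx of a byte, XOR) re-implemented as an added example; this is my code, not the lab's routine, and the key and buffer are constructed sample values rather than the strings from the sample.

```python
# Added example (not from the original post or the lab binary): a Python mirror of
# the XOR decoding loop described above, using CONSTRUCTED sample data.
# Assumptions: out[i] = buf[i] ^ key[i % strlen(key)] for i in 0..0x20, where the
# loop bound 0x20 is hard-coded (it does not come from strlen, as noted in the post).

KEY = b"constructed!"   # constructed 12-byte key, so strlen == 0xC as in the post
BUF_LEN = 0x20          # the literal compared against local.66 (cmp ..., 0x20)


def xor_decode(buf: bytes, key: bytes) -> bytes:
    """Mirror the disassembly one instruction group at a time."""
    if not key:
        raise ValueError("empty key: the original idiv would divide by zero")
    out = bytearray(BUF_LEN)
    for i in range(BUF_LEN):            # cmp local.66, 0x20 / jge leaves at 32
        _quot, rem = divmod(i, len(key))  # cdq + idiv local.65: remainder -> edx
        # movsx sign-extends the byte into a register; because only the low byte
        # of the XOR result is stored, sign extension does not change the output
        b = buf[i] if i < len(buf) else 0  # the original reads a fixed 0x20 bytes
        out[i] = (b ^ key[rem]) & 0xFF
    return bytes(out)


def xor_encode(plain: bytes, key: bytes) -> bytes:
    """XOR is its own inverse; pad to the 0x20-byte buffer the loop expects."""
    padded = plain.ljust(BUF_LEN, b"\0")[:BUF_LEN]
    return xor_decode(padded, key)


def decoded_string(buf: bytes, key: bytes) -> str:
    """Run the loop and cut at the first NUL, as a C caller using the result would."""
    raw = xor_decode(buf, key)
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    enc = xor_encode(b"example.invalid", KEY)   # constructed placeholder domain
    print(enc.hex())
    print(decoded_string(enc, KEY))
```

Because the bound is fixed at 0x20, anything past the real string is also "decoded": with a zero-filled tail the output simply repeats the key bytes, which is a useful sanity check when recovering such a key from memory.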
8. What is the significance of the malicious code calling the CreateProcessA function at 0x0040106E?