Malicious Code Analysis System Self-protection mechanism bypass causes binary Leakage
The fireeye malicious code analysis system is a malicious code analysis tool released by Kingsoft on the Internet. You can register an account and submit executable programs. The system dynamically analyzes the program to determine whether it is malicious. The analysis programs and drivers in the system have a self-protection mechanism. However, this mechanism is not strict and can be easily bypassed. And the features of the system can be used to easily obtain these protected binary files.
All programs submitted to the eye of fire will be imported to an XP Virtual Machine to run, and there are monitoring drivers and other programs to get the behavior when the program is running. These monitoring drivers and auxiliary programs (distribution, scheduling, and driver loading) are stored in the "C: \ default \" folder of the virtual machine, and an environment variable points to this folder: % FEKERNEL %.
The fire eye provides some protection for this folder. Any program that accesses this folder (traversing enumeration, copying, and reading the content of the file), its analysis report will hide most of the content, including. However, this protection is not complete and can be easily bypassed to copy the content.
Since the copied content is no longer protected, reading these files will not trigger the protection mechanism. You can use a dedicated program to obtain these protected files in a specific way.
Http://fireeye.ijinshan.com/analyse.html? Md5 = 637b6521f0c7560612316a424bfa7f65
Process the sample report as follows:
1. Cut the remaining parts of the Color Block and save them as bmp or png images;
2. Write a decoding script to decode it. The rule is as follows: Read the RGB values of the first three pixels according to Chinese reading habits (from left to right, from top to bottom, a ulong is formed in the order of RGBRGBRGB (the blue component of the last pixel can be discarded). This ULONG is the length of the data block, and then the remaining pixels are read according to the length, write the color component bytes into a file in the order of RGB;
3. Open this file with WINRAR and you will find all the content in the level-1 directory in % FEKERNEL %.
Solution:
This sample report should be used to locate the problem