Skills to be mastered for virus analysis

Source: Internet
Author: User
Tags: readfile, ssdt

Reprinted from: http://bbs.pediy.com/showthread.php?t=199036

Although these skills are relatively old, they are basic common sense that should be understood.

1. __declspec(naked) tells the compiler not to generate prolog and epilog code for the function

For JMP-type hooks (the hooked function jumps straight into yours), if the hook function is not declared __declspec(naked) the compiler automatically emits prolog/epilog code (push ebp / mov ebp,esp / ... / ret) to manage the stack frame, and that extra code corrupts the stack layout the hooked function expects when control returns to it.
For CALL-type hooks, if you do use __declspec(naked) you must restore the stack balance yourself before returning.
#define NAKED __declspec(naked)

void NAKED code(void)
{
    __asm
    {
        ret     /* no prolog/epilog: the function consists only of what you write */
    }
}
When defining a function with the __declspec(naked) keyword:
1. you must set up the EBP frame pointer yourself (if you use one);
2. you must return yourself with RET or RET n (unless the function never returns).
__declspec(naked) is used in driver development and in C inline assembly to implement such special-purpose functions.


2. Virtual machine detection

See chapter 18 of <Software Debugging>, on the internals of the debugging engine, which covers virtual machine debugging in detail.

3. PE structure

Must be understood clearly, including knowledge of the packers you are likely to encounter.

4. Injection methods

A great deal of virus behaviour is carried out through injection of one form or another.

5. Anti-debugging techniques, anti-virtual-machine detection, junk/obfuscating instructions (花指令), IDC scripts, network data analysis, debugging methods

6. Some assembly knowledge

1. mov edi,edi
This is a two-byte NOP; inside the program it does exactly what NOP does.
So why use mov edi,edi instead of two NOPs?
- It is a single instruction, so its two bytes can be overwritten atomically (for hot patching they are replaced by a short jmp back into the padding in front of the function). With two single-byte NOPs a thread could be interrupted between them, and a patch applied at that moment would leave the execution site corrupted.
- It also serves as alignment padding, and one two-byte instruction is cheaper to decode than two NOPs, so mov edi,edi is preferred over NOP for efficiency.

Compilers now emit call xxxxxxxx to a stub that does jmp [MessageBoxA] (jmp dword ptr [__imp__MessageBoxA]) rather than an indirect call at every call site, in order to:
1. reduce the number of relocations in the PE module;
2. move those relocations out of the main code area, so that the code pages can stay shared between processes.


2. test eax,eax
The TEST instruction performs a bitwise AND of the destination and source operands, discards the result (the destination is not written back), sets SF, ZF and PF according to the result, and clears CF and OF. JE jumps when ZF = 1.
So test eax,eax followed by je jumps when EAX equals 0: the test checks whether EAX is zero.

test eax,eax uses EAX as both operands; it is the same as and eax,eax except that it does not change the value of EAX.

Compare test eax,eax with cmp eax,2 (next item).

If EAX is 0, ZF = 1 and JE jumps.
If EAX is 0, ZF = 1 and JZ jumps (JE and JZ are the same instruction); if EAX is not 0, JNZ jumps.


3. cmp eax,2
CMP computes EAX - 2 and sets the flags from the result. If EAX - 2 = 0, i.e. EAX = 2, the zero flag is set (ZF = 1) and JZ jumps.


4. mov dl,0Dh   carriage return, control character 0Dh
   mov dl,0Ah   line feed, control character 0Ah

5. or al,al    tests whether AL is 0 (flags are set as for TEST)
   jz done
   or al,20h   sets bit 5, which converts an ASCII uppercase letter to lowercase (and al,0DFh clears it and converts lowercase to uppercase)

6. mov ax,5
   lea ax,[ax+6]
Afterwards AX = 11. Here LEA is used purely as an add: it computes the effective address and stores it in the destination without touching memory, and unlike ADD it does not modify the flags, which is why compilers use it for cheap arithmetic.

The rest you have to accumulate yourself.
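The flag semantics of items 2 to 6 above, as an added example in C (not code from the original post): a small model of how TEST, CMP and OR set CF/ZF/SF/OF/PF and which conditional jumps then fire, plus the or al,20h case change and the lea add. The names flags_t, x86_test, x86_cmp, x86_or, the jump predicates and the operand values are this example's own; it goes beyond the post by also computing OF and PF, which the post names but does not show.

```c
/* Added example (not from the original post): a small model of how TEST, CMP
 * and OR set the x86 flags, and which conditional jumps then fire. It models
 * only CF, ZF, SF, OF and PF on 32-bit operands; everything else is omitted. */
#include <stdint.h>
#include <stdio.h>

typedef struct { int cf, zf, sf, of, pf; } flags_t;

/* PF is set when the LOW BYTE of the result has an even number of 1 bits. */
static int parity_even(uint8_t b)
{
    int ones = 0;
    for (; b; b >>= 1) ones += b & 1;
    return (ones & 1) == 0;
}

/* Flag rules shared by the logical instructions (TEST, AND, OR, XOR):
 * ZF/SF/PF from the result, CF and OF always cleared. */
static flags_t logic_flags(uint32_t r)
{
    flags_t f = {0, r == 0, (r >> 31) & 1, 0, parity_even((uint8_t)r)};
    return f;
}

/* TEST dst,src: computes dst & src for the flags only; dst is unchanged. */
flags_t x86_test(uint32_t dst, uint32_t src) { return logic_flags(dst & src); }

/* OR dst,src: same flag rules, but the result is written back to dst. */
flags_t x86_or(uint32_t *dst, uint32_t src) { *dst |= src; return logic_flags(*dst); }

/* CMP dst,src: computes dst - src for the flags only.
 * CF = unsigned borrow (dst < src), OF = signed overflow of the subtraction. */
flags_t x86_cmp(uint32_t dst, uint32_t src)
{
    uint32_t r = dst - src;
    flags_t f = logic_flags(r);
    f.cf = dst < src;
    f.of = (((dst ^ src) & (dst ^ r)) >> 31) & 1;
    return f;
}

/* Conditional jumps as predicates on the flags. JE and JZ are the same opcode. */
int jz_taken (flags_t f) { return f.zf; }
int jnz_taken(flags_t f) { return !f.zf; }
int jb_taken (flags_t f) { return f.cf; }              /* unsigned below */
int jl_taken (flags_t f) { return f.sf != f.of; }      /* signed less    */

/* "or al,20h": setting bit 5 of an ASCII letter gives its LOWERCASE form;
 * "and al,0DFh" clears it and gives uppercase. */
uint8_t ascii_or_20h(uint8_t al)   { return al | 0x20; }
uint8_t ascii_and_0dfh(uint8_t al) { return al & 0xDF; }

/* "lea ax,[ax+6]": LEA only computes the address, so it acts as an add that
 * leaves every flag untouched. */
uint16_t lea_ax_plus(uint16_t ax, int16_t disp) { return (uint16_t)(ax + disp); }

int main(void)
{
    uint32_t al = 'A';
    flags_t f = x86_test(0, 0);
    printf("test eax,eax with eax=0: ZF=%d PF=%d -> je taken=%d\n", f.zf, f.pf, jz_taken(f));
    f = x86_cmp(2, 2);
    printf("cmp eax,2 with eax=2: ZF=%d -> jz taken=%d\n", f.zf, jz_taken(f));
    f = x86_cmp(0xFFFFFFFFu, 1);   /* -1 vs 1: unsigned above, signed below */
    printf("cmp -1,1: CF=%d (jb=%d) SF=%d OF=%d (jl=%d)\n", f.cf, jb_taken(f), f.sf, f.of, jl_taken(f));
    x86_or(&al, 0x20);
    printf("or al,20h on 'A' -> '%c'; and al,0DFh on 'a' -> '%c'\n", (char)al, ascii_and_0dfh('a'));
    printf("lea ax,[ax+6] with ax=5 -> %u\n", lea_ax_plus(5, 6));
    return 0;
}
```

The cmp -1,1 case is the one worth remembering: CF says "not below" while SF != OF says "less", which is exactly why disassemblers distinguish JB/JA (unsigned) from JL/JG (signed).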

7. SSDT hook

Hooking some of the system service functions. It should be of little use now: kernel protection (PatchGuard on 64-bit Windows) is very good, and such hooks are easy to detect.

8. Calling conventions

C calling convention, _cdecl: parameters are pushed from right to left; cleanup: the caller cleans the stack.
Because the caller knows how many arguments it pushed, this supports variable argument lists: printf("XXXXX");
void demo_cdecl(int w, int x, int y, int z)
asm:
push z
push y
push x
push w
call demo_cdecl          ; (enter the function, start executing ...)
add esp, 4*sizeof(int)   ; the caller removes the four arguments

Standard call, _stdcall: parameters pushed from right to left; cleanup: the callee cleans the stack.
void demo_stdcall(int w, int x, int y, int z)

asm:
push z
push y
push x
push w
call demo_stdcall        ; (enter the function, start executing ...)
; the callee's last instruction is
ret 16                   ; the callee removes the four arguments (4*4 bytes)

Fast call, _fastcall: the first two (DWORD-sized) parameters are passed in ECX and EDX; the rest are pushed as in _stdcall and the callee cleans them up, so the four-argument example above would end with ret 8 (two remaining stack parameters).
The C++ calling convention for member functions uses the this pointer: VC's thiscall passes this in ECX (the callee cleans the stack); g++ passes this as a hidden first argument, so it is pushed last and sits at the top of the stack at the call.


Topic 1: Explain the principle of DLL hijacking and state which DLLs cannot be hijacked.
When the Windows loader loads a PE file it resolves the DLLs in the import table by searching the program's own directory first and the system directory afterwards. A forged DLL with the same name is placed in the program's directory, so that when the program calls a function from the original DLL it actually enters the same-named function in the forged DLL; the hijacking code runs, then forwards the call to the real DLL's function.
This only works for DLLs other than kernel32.dll, ntdll.dll and the other core system libraries (these are "known DLLs" that are always loaded from the system directory). DLLs such as ws2_32.dll in network applications, d3d8.dll in games, and lpk.dll and sxs.dll, which most applications load, can be hijacked.
Topic 2: Which tools can debug in kernel mode?
SoftICE, WinDbg (essentially KD), and self-made ones such as Syser Debugger.
Topic 3: Describe the real-mode addressing modes.
Immediate addressing
Register addressing
Memory addressing
Topic 4: Summarize the characteristics of game-account Trojans and downloaders.
Topic 5: What do GDT and LDT stand for?
GDT: Global Descriptor Table
LDT: Local Descriptor Table
IDT: Interrupt Descriptor Table
Topic 6: Explain in detail the difference between the SSDT and an SSDT hook.
The SSDT (System Service Descriptor Table) is the table that links the Ring 3 Win32 API to the Ring 0 native system services.
Example: a call to CreateThread ends up calling NtCreateThread, which actually creates the thread.
An SSDT hook replaces an entry in that table with an interception function, a Ring 0 system-wide hook, so that every call to that service can be intercepted and monitored, e.g. to watch process creation.
There are many ways to enter Ring 0, such as the usual interrupt gates, trap gates and call gates.
This also involves memory mapping, sharing of global variables and similar concepts.
Simply put: the SSDT is normal behaviour; hooking the SSDT is a hooking behaviour.
(The Ring 3 analogue is SetWindowsHookEx / CallNextHookEx.)
Topic 7: What is the relationship between hooking an API and API hooks?
Topic 8: How many kinds of signature are there, and what is the relationship between signatures and viruses?
Signatures are of two kinds: memory signatures and file signatures.
1. Memory signature: characterizes the virus's host program in memory, i.e. what code injection or DLL injection leaves behind.
2. File signature: obtained from the file's PE information or from a file offset, taking up to 26 hex characters (13 bytes) and storing them in the virus database.
Antivirus products now also use a debugging/emulation mechanism, called a "virtual machine" engine for short (as in Avira).
A signature is what proves whether or not a file is a virus and, if it is, how it is to be handled.
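The file-signature matching the answer above describes, as an added example in C (not from the original post): a parser for hex patterns with ?? wildcards, matching either anchored at a file offset or scanned across the whole buffer, run over a constructed sample buffer that contains the call $+5 / pop ebp / sub ebp,imm32 delta-offset stub (the call A; A: pop idiom asked about further down). The sample bytes, the pattern and the names sig_t, sig_parse, sig_find and scan_sample are constructed for this example and are not real antivirus data.

```c
/* Added example (not from the original post): matching a file signature
 * ("feature code") with wildcard bytes against a buffer, either anchored at a
 * file offset or scanned across the whole file. The sample buffer and the
 * signature are constructed for this example; they are not real AV data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_MAX 32   /* bytes per signature; 13 bytes = 26 hex characters */

typedef struct {
    const char *name;
    uint8_t bytes[SIG_MAX];
    uint8_t mask[SIG_MAX];   /* 0xFF = byte must match, 0x00 = wildcard "??" */
    size_t  len;
    long    offset;          /* file offset to match at, or -1 to scan everywhere */
} sig_t;

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "E8 00 00 00 00 5D 81 ED ?? ?? ?? ??" into bytes + mask.
 * Returns 1 on success, 0 on malformed input or more than SIG_MAX bytes. */
int sig_parse(sig_t *s, const char *name, const char *hex, long offset)
{
    s->name = name; s->len = 0; s->offset = offset;
    for (const char *p = hex; *p; ) {
        if (*p == ' ') { p++; continue; }
        if (s->len >= SIG_MAX || p[1] == '\0') return 0;
        if (p[0] == '?' && p[1] == '?') {
            s->bytes[s->len] = 0; s->mask[s->len] = 0x00;
        } else {
            int hi = hexval(p[0]), lo = hexval(p[1]);
            if (hi < 0 || lo < 0) return 0;
            s->bytes[s->len] = (uint8_t)(hi * 16 + lo); s->mask[s->len] = 0xFF;
        }
        s->len++; p += 2;
    }
    return s->len > 0;
}

static int sig_match_at(const uint8_t *p, const sig_t *s)
{
    for (size_t i = 0; i < s->len; i++)
        if (s->mask[i] && p[i] != s->bytes[i]) return 0;
    return 1;
}

/* Return the offset at which the signature matches, or -1. */
long sig_find(const uint8_t *buf, size_t len, const sig_t *s)
{
    if (s->len == 0 || len < s->len) return -1;
    if (s->offset >= 0) {               /* anchored: one comparison at the given offset */
        if ((size_t)s->offset > len - s->len) return -1;
        return sig_match_at(buf + s->offset, s) ? s->offset : -1;
    }
    for (size_t i = 0; i + s->len <= len; i++)   /* unanchored: scan the buffer */
        if (sig_match_at(buf + i, s)) return (long)i;
    return -1;
}

/* Constructed sample "file": a few filler bytes, then the classic
 * position-independent delta-offset stub  call $+5 / pop ebp / sub ebp,imm32
 * (the "call A; A: pop" idiom) starting at offset 7. */
static const uint8_t sample_file[] = {
    0x4D, 0x5A, 0x90, 0x00, 0x33, 0xC0, 0xC3,        /* "MZ", nop, xor eax,eax; ret   */
    0xE8, 0x00, 0x00, 0x00, 0x00,                    /* call $+5            (offset 7) */
    0x5D,                                            /* pop ebp            (offset 12) */
    0x81, 0xED, 0x0D, 0x10, 0x40, 0x00,              /* sub ebp, 0040100Dh (delta)     */
    0x90, 0x90
};

/* Parse a hex pattern and look for it in the sample file.
 * Returns the match offset, -1 for no match, -2 for a malformed pattern. */
long scan_sample(const char *hex, long offset)
{
    sig_t s;
    if (!sig_parse(&s, "constructed", hex, offset)) return -2;
    return sig_find(sample_file, sizeof sample_file, &s);
}

int main(void)
{
    const char *delta = "E8 00 00 00 00 5D 81 ED ?? ?? ?? ??";
    printf("scan anywhere -> %ld\n", scan_sample(delta, -1));
    printf("anchored at 7 -> %ld\n", scan_sample(delta, 7));
    printf("anchored at 0 -> %ld\n", scan_sample(delta, 0));
    printf("bad pattern   -> %ld\n", scan_sample("ZZ", -1));
    return 0;
}
```

The wildcards are what make the pattern survive recompilation: the sub ebp,imm32 displacement changes with the load address the author linked for, but the opcode bytes around it do not, which is why a file signature is usually taken from code rather than from data.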
Topic 9: What does hooking OpenProcess cause, and what do the entries shown in red in IceSword's SSDT view mean?
Topic 10: What does active defence consist of?
Hooking, and then hooking all kinds of virus behaviour... I don't really know what is good to ask...
Registry changes, PE infection, .sys infection, shellcode recognition...


How do you analyze a sample in detail, and have you done such a detailed analysis?

How do you extract a signature?

Which viruses have you analyzed?

1. How do you quickly determine whether a file is a virus?
2. What is the difference between a virus and a Trojan?
3. How do you tell whether a file is an executable?
A: Take the value of the e_lfanew field in IMAGE_DOS_HEADER, add it to the file's base address, and check whether the DWORD at that address is 00004550h, i.e. the ASCII bytes "PE\0\0".
4. What is the difference between JMP and CALL?
A: JMP jumps directly to the destination address; CALL first pushes the address of the next instruction and then jumps to the destination. CALL is equivalent to PUSH (return address) + JMP.
7. What is shellcode, and what is the principle behind it?
Shellcode is a piece of code (it can also be carried inside data) that is sent to a server to exploit a particular vulnerability, generally to obtain privileges on it. Shellcode is normally delivered to the attacked service as data.
8. What are the JMP opcodes?
A: The JMP opcodes are EB (short, rel8), E9 (near, rel32), EA (far, absolute ptr16:32) and FF /4, FF /5 (indirect near / far).
9. What is the PE file structure?
10. How do you tell whether a file is an EXE or a DLL?
A: Look at the Characteristics field of IMAGE_FILE_HEADER: with old linkers the value is typically 010Fh for a normal EXE and 210Eh for a DLL; what actually distinguishes them is bit 2000h (IMAGE_FILE_DLL).
11. What is a packer (shell)?
12. What types of Trojans are there?
13. call A
    A: pop eax
What does the sequence "call A / A: pop eax" mean?
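The checks in answers 3 and 10, together with the RVA-to-file-offset conversion that comes up whenever a signature is taken at a file offset, as an added example in C (not from the original post). It runs over a constructed, headers-only 32-bit PE image built in memory by build_sample_pe; pe_nt_offset, pe_is_dll, pe_rva_to_offset and the sample_* wrappers are this example's own names, while the field offsets used (e_lfanew at 3Ch, Characteristics at +18 within IMAGE_FILE_HEADER, 40-byte section headers) are the documented PE layout.

```c
/* Added example (not from the original post): the checks behind answers 3 and
 * 10 above, plus RVA -> file offset conversion, run over a constructed minimal
 * 32-bit PE header image built in memory. No real binary is read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u  /* "PE\0\0" read as a little-endian DWORD */
#define IMAGE_FILE_DLL      0x2000u      /* bit in IMAGE_FILE_HEADER.Characteristics */

/* Little-endian field access; avoids relying on struct packing. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Answer 3: return e_lfanew (offset of "PE\0\0") or -1 if this is not a PE.
 * e_lfanew sits at offset 0x3C of IMAGE_DOS_HEADER; it is bounds-checked
 * before use, which a quick "is it PE?" check usually forgets. */
long pe_nt_offset(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;  /* sig + IMAGE_FILE_HEADER */
    if (rd32(buf + e_lfanew) != IMAGE_NT_SIGNATURE) return -1;
    return (long)e_lfanew;
}

/* Answer 10: 1 = DLL, 0 = EXE, -1 = not a PE. Tests the IMAGE_FILE_DLL bit
 * rather than comparing the whole Characteristics word with 010Fh / 210Eh. */
int pe_is_dll(const uint8_t *buf, size_t len)
{
    long nt = pe_nt_offset(buf, len);
    if (nt < 0) return -1;
    return (rd16(buf + nt + 4 + 18) & IMAGE_FILE_DLL) ? 1 : 0;  /* Characteristics */
}

/* RVA -> raw file offset via the section table:
 * offset = PointerToRawData + (rva - VirtualAddress) for the containing section.
 * RVAs below the first section lie in the headers and map 1:1. Returns -1 when
 * the RVA is in no section's raw data (e.g. a zero-filled tail that is not on disk). */
long pe_rva_to_offset(const uint8_t *buf, size_t len, uint32_t rva)
{
    long nt = pe_nt_offset(buf, len);
    if (nt < 0) return -1;
    uint16_t nsec = rd16(buf + nt + 4 + 2);       /* NumberOfSections     */
    uint16_t opt  = rd16(buf + nt + 4 + 16);      /* SizeOfOptionalHeader */
    size_t sec = (size_t)nt + 4 + 20 + opt;       /* first IMAGE_SECTION_HEADER */
    if (nsec == 0 || sec + (size_t)nsec * 40 > len) return -1;
    if (rva < rd32(buf + sec + 12)) return (rva < len) ? (long)rva : -1;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va  = rd32(buf + sec + 12);      /* VirtualAddress   */
        uint32_t rsz = rd32(buf + sec + 16);      /* SizeOfRawData    */
        uint32_t raw = rd32(buf + sec + 20);      /* PointerToRawData */
        if (rva >= va && rva - va < rsz) return (long)(raw + (rva - va));
    }
    return -1;
}

/* Constructed sample: headers only, one ".text" section at RVA 0x1000 backed
 * by 0x200 raw bytes at file offset 0x400. Returns the image size written. */
size_t build_sample_pe(uint8_t *out, size_t cap, int as_dll)
{
    const size_t nt = 0x40, opt = 0xE0, sec = nt + 4 + 20 + opt, total = sec + 40;
    if (cap < total) return 0;
    memset(out, 0, total);
    wr16(out + 0x00, IMAGE_DOS_SIGNATURE);
    wr32(out + 0x3C, (uint32_t)nt);                     /* e_lfanew             */
    wr32(out + nt, IMAGE_NT_SIGNATURE);
    wr16(out + nt + 4 + 0, 0x014C);                     /* Machine = i386       */
    wr16(out + nt + 4 + 2, 1);                          /* NumberOfSections     */
    wr16(out + nt + 4 + 16, (uint16_t)opt);             /* SizeOfOptionalHeader */
    wr16(out + nt + 4 + 18, as_dll ? 0x210E : 0x010F);  /* Characteristics      */
    wr16(out + nt + 24, 0x010B);                        /* Optional Magic PE32  */
    memcpy(out + sec, ".text", 5);
    wr32(out + sec + 8, 0x200);  wr32(out + sec + 12, 0x1000);  /* VirtualSize, VirtualAddress */
    wr32(out + sec + 16, 0x200); wr32(out + sec + 20, 0x400);   /* SizeOfRawData, PointerToRawData */
    return total;
}

/* Wrappers that run the checks over the constructed sample. */
int  sample_is_dll(int as_dll)
{ uint8_t img[512]; size_t n = build_sample_pe(img, sizeof img, as_dll); return pe_is_dll(img, n); }
long sample_rva_to_offset(uint32_t rva)
{ uint8_t img[512]; size_t n = build_sample_pe(img, sizeof img, 0); return pe_rva_to_offset(img, n, rva); }
long sample_nt_offset(void)
{ uint8_t img[512]; size_t n = build_sample_pe(img, sizeof img, 0); return pe_nt_offset(img, n); }

int main(void)
{
    uint8_t junk[64] = {0};
    printf("e_lfanew = 0x%lx, exe is dll? %d, dll is dll? %d, junk is PE? %ld\n",
           sample_nt_offset(), sample_is_dll(0), sample_is_dll(1), pe_nt_offset(junk, sizeof junk));
    printf("RVA 0x1010 -> file offset 0x%lx, RVA 0x1200 -> %ld\n",
           sample_rva_to_offset(0x1010), sample_rva_to_offset(0x1200));
    return 0;
}
```

The bounds check on e_lfanew is the part to keep: a crafted sample with e_lfanew pointing past the end of the file is a cheap way to crash a naive "is it PE?" check, so an analysis tool should validate it before dereferencing.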

1. _stdcall parameter pushing and stack balancing: this is fairly basic; parameters are pushed from right to left and the callee balances the stack.
2. How the C function wsprintf pushes its parameters, and why: also fairly basic, pushed from right to left in turn, and the caller balances the stack. Why? Because wsprintf's parameters are variable.
3. Converting between virtual and file addresses inside a PE: this is also fairly basic. I think I understand PE reasonably well and am fairly familiar with it, so VA, RVA and so on are no problem.
4. Common injection methods: Windows hooks, remote-thread DLL injection, remote-thread code injection.
5. How to analyze a piece of data: I answered that through output strings, exported functions or the CE tool you locate the memory address, then combine IDA static analysis with OD dynamic debugging, and you can quickly find what you need.


The skills a virus analyst needs are as follows:
1. know at least what behaviours viruses generally have;
2. know the detailed process behind each virus behaviour;
3. be able to develop at least some simple tools;
4. be able to use at least the analysis tools;
5. be able to write at least some auxiliary virus-analysis tools.


As a virus analyst you need to understand the types of viruses and their behavioural characteristics, and also the characteristics of their variants. You also need to know the APIs viruses commonly use, as well as the APIs specific to each kind of virus: for example a pure Ring 3 virus versus one that loads a driver. The difference is that a driver-loading virus has specific behaviours, uses a number of specialized APIs, performs registry operations, and so on.

A virus analyst needs to determine precisely whether something is a virus, or whether it is a Trojan, and cannot rely on the APIs alone to decide. For example, a normal program may use OpenFile; if you see that API and classify the program as a virus, that is wrong. For this we need to write tools that determine a program's behavioural characteristics, for example by hooking the APIs the virus calls: we create the virus's process suspended, then create a remote thread that hooks the relevant APIs and records all the parameters the virus passes to the relatively dangerous ones, so that we can quickly assess the common, ordinary viruses.

For the more vicious viruses, or viruses that destroy the system, we need to analyze them in a safe environment so that the virus cannot destroy our analysis environment; analyzing, say, a password-stealing Trojan or a bank-account-stealing Trojan on a real machine is rather dangerous. In general I think the analysis environment should be such that, if it is infected, we can roll the system back and restore every disk. For analyzing dangerous viruses this should generally be enough; as for viruses that defeat the restore, I believe the average analyst would not be able to analyze them anyway!
We also need to understand and use the common virus analysis tools: disassemblers, dynamic debuggers, the various monitors, and anti-rootkit tools. The general analysis process is summarized as follows:
1. protect your own machine, i.e. restore/rollback protection;
2. have the monitors running;
3. disassembler and dynamic debugger;
4. your own virus-analysis helper tools;
5. summarize the type of virus;
6. summarize the virus's behaviour and harm.
These are the skills you need to master; some of the basics follow.
We need to write some helper tools to aid virus analysis. The following are Ring 3 tools; of course you can also write Ring 0 tools.
1. Registry monitor: viruses often use the registry to fight antivirus or to protect themselves, e.g. image hijacking (Image File Execution Options), and the registry-controlled 360 switch I posted earlier.
2. File monitor: some viruses, such as keyloggers that store large amounts of data, must write and create files, and so on.
3. Thread monitor: we need to monitor remote thread creation: when threads are created, when they stop, or whether they never stop.
4. Process monitor: viruses often create processes in order to load DLLs, and start other people's processes.
5. Network monitor: an essential tool. Viruses generally send what they have collected to their own machines, so we can write monitoring tools to assist packet analysis: analyze the captured packets, obtain the target IP address, and produce a good report.

Common Win32 API functions (the ones used by Trojans and viruses)

1. Functions that restrict program functionality

EnableMenuItem   enable, disable or gray out a specified menu item
EnableWindow     enable or disable mouse and keyboard input to the specified window and its child controls (a disabled window is grayed out)

2. Dialog box functions

CreateDialog               create a modeless dialog from a resource template
CreateDialogParam          create a modeless dialog from a resource template, passing an extra parameter
CreateDialogIndirect       create a modeless dialog from an in-memory template
CreateDialogIndirectParam  create a modeless dialog from an in-memory template, passing an extra parameter

DialogBox                  create a modal dialog from a resource template
DialogBoxParam             create a modal dialog from a resource template, passing an extra parameter
DialogBoxIndirect          create a modal dialog from an in-memory template
DialogBoxIndirectParam     create a modal dialog from an in-memory template, passing an extra parameter
EndDialog                  end a modal dialog

MessageBox                 display a message box
MessageBoxEx               display a message box (with a language identifier)
MessageBoxIndirect         display a message box described by a MSGBOXPARAMS structure

GetDlgItemInt              get the integer value typed into the specified control
GetDlgItemText             get the text of the specified control
GetDlgItemTextA            ANSI variant of GetDlgItemText
hmemcpy                    16-bit memory copy routine (not called directly by applications)

3. Disk functions

GetDiskFreeSpaceA      get information about a disk's organization and the amount of free space
GetDiskFreeSpaceExA    get information about a disk's organization and the amount of free space (64-bit values)
GetDriveTypeA          determine the type of a disk drive
GetLogicalDrives       determine which logical drive letters exist in the system
GetFullPathNameA       get the full path of the specified file
GetVolumeInformationA  get information about a disk volume
GetWindowsDirectoryA   get the full path of the Windows directory
GetSystemDirectoryA    get the full path of the Windows system directory (system32)

4. File functions

CreateFileA      open or create files, pipes, mailslots, communications resources, devices and consoles
OpenFile         legacy function that can perform a number of different file operations
ReadFile         read data from a file
ReadFileEx       like ReadFile, but only for asynchronous reads, with a completion callback
WriteFile        write data to a file
WriteFileEx      like WriteFile, but only for asynchronous writes, with a completion callback
SetFilePointer   set the current read/write position in a file
SetEndOfFile     set the end of an open file to the current file position
CloseHandle      close a kernel object handle: files, file mappings, processes, threads, security and synchronization objects

_lcreat          create a file
_lopen           open the specified file in binary mode
_lread           read data from a file into a memory buffer
_lwrite          write data from a memory buffer to a file
_llseek          set the current read/write position in a file
_lclose          close the specified file
_hread           read data from a file into a memory buffer (huge variant)
_hwrite          write data from a memory buffer to a file (huge variant)

OpenFileMappingA    open an existing file-mapping object
CreateFileMappingA  create a new file-mapping object
MapViewOfFile       map a view of a file-mapping object into the address space of the current process
MapViewOfFileEx     same, at a suggested base address

CreateDirectoryA    create a new directory
CreateDirectoryExA  create a new directory with the attributes of a template directory
RemoveDirectoryA    delete the specified directory
SetCurrentDirectoryA  set the current directory

MoveFileA           move (rename) a file
DeleteFileA         delete the specified file
CopyFileA           copy a file
CompareFileTime     compare two file times
SetFileAttributesA  set file attributes
SetFileTime         set a file's creation, last-access and last-write times
FindFirstFileA      find a file by name (wildcards allowed)
FindNextFileA       find the next file matching the name given to FindFirstFile
FindClose           close a search handle created by FindFirstFile
SearchPathA         search for the specified file

GetBinaryTypeA      determine whether a file is executable, and what kind of executable it is
GetFileAttributesA  get the attributes of the specified file
GetFileSize         get the file length
GetFileTime         get the time information of the specified file
GetFileType         determine the file type (disk, character, pipe) given a file handle

5. Registry functions

RegOpenKeyA      open an existing registry key
RegOpenKeyExA    open an existing registry key
RegCreateKeyA    create or open a subkey under the specified key
RegCreateKeyExA  create a subkey under the specified key, with more options
RegDeleteKeyA    delete a subkey under an existing key
RegDeleteValueA  delete a value under the specified key
RegQueryValueA   get the default value of a key
RegQueryValueExA get a named value of a key
RegSetValueA     set the default value of the specified key or subkey
RegSetValueExA   set a named value of the specified key
RegCloseKey      close a key in the system registry

6. Time functions

CompareFileTime  compare two file times
GetFileTime      get a file's creation, last-access and last-write times
GetLocalTime     get the current local time
GetSystemTime    get the current system time (UTC)
GetTickCount     milliseconds elapsed since Windows was started
SetFileTime      set file times
SetLocalTime     set the local time
SetSystemTime    set the system time

7. Process functions

CreateProcessA       create a new process
ExitProcess          terminate the current process cleanly
FindExecutableA      find the name of the program associated with a specified file
FreeLibrary          release the specified dynamic-link library
GetCurrentProcess    get a pseudo-handle to the current process
GetCurrentProcessId  get the unique identifier of the current process
GetCurrentThread     get a pseudo-handle to the current thread
GetExitCodeProcess   get the exit code of a terminated process
GetExitCodeThread    get the exit code of a terminated thread
GetModuleHandleA     get the module handle of an application or dynamic-link library
GetPriorityClass     get the priority class of a particular process

LoadLibraryA         load the specified dynamic-link library and map it into the address space of the current process
LoadLibraryExA       load the specified dynamic-link library and map it into the address space of the current process, with extra options
LoadModule           load a Windows application and run it in the specified environment

TerminateProcess     terminate a process


1. Get the window handle with FindWindow.
2. Get the PID of the process that owns the window with GetWindowThreadProcessId (the return value is the thread ID; the PID comes back through the pointer argument):
var
  nProcId: DWORD;
begin
  GetWindowThreadProcessId(hFound, @nProcId);
end;
3. Open the process with OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_READ or PROCESS_VM_WRITE, False, nProcId); the handle then has query, read and write access.
4. Read the data at the specified address with ReadProcessMemory:
BOOL ReadProcessMemory(
    HANDLE  hProcess,             // handle of the process to read from
    LPCVOID lpBaseAddress,        // starting address to read
    LPVOID  lpBuffer,             // buffer that receives the data
    SIZE_T  nSize,                // number of bytes to read
    SIZE_T  *lpNumberOfBytesRead  // receives the number of bytes actually read (may be NULL)
);

