Getting started: what is malicious code?
Malicious code
Any software or code that causes damage to users, computers, or networks in some way can be considered malicious code.
Categories
Virus (file infector)
Worm
Trojan
HackTool (hacker tool)
Spyware
Riskware (risk software)
Junk file
Test file
Anti-virus engine scan
A suspicious-file scanning service mainly observes the key behaviours of the sample program (process behaviour, file behaviour, network behaviour, registry behaviour, and so on) to decide whether the file is a malicious program.
Online automated behaviour analysis
VirusTotal: virustotal.com
VirSCAN: virscan.org
FireEye (Jinshan): fireeye.ijinshan.com
Jotti: virusscan.jotti.org
Building the analysis environment
Dynamic analysis is unavoidable once you start analysing malicious code, and you never know what surprises a sample will bring. We therefore need an isolated environment. Here we mainly use a VMware virtual machine as the environment for analysing malicious code.
Malicious code sometimes relies on an Internet connection to spread, fetch commands, accept remote control, or run other functions. Some malicious code also detects whether it is running in a virtual machine and behaves differently in order to obstruct analysis. For now we set these complications aside and only introduce the virtual environment for analysing malicious code.
Create a VM
Software Download http://dwz.cn/2o4vCU tutorial link http://dwz.cn/2o1i5n
Hardware settings
Remove the "USB controller" and "Network adapter" devices from the virtual machine and disable shared folders. The purpose is to keep a sample with infecting or self-propagating behaviour from spreading to the host or to other machines while it is being analysed.
Initial snapshot and configuration
After installing the operating system and the malicious code analysis tools, create an initial snapshot. This snapshot is the base image of your clean state: after analysing a sample, restore the environment to this snapshot so that the next sample starts from a known-clean machine. Besides installing a clean system image, you can also adjust the system's performance settings to make analysis more convenient.
Other issues
When a program is debugged inside the virtual machine, it may refuse to run and display a message such as "Sorry, this application cannot run under a Virtual Machine."
Solution
Open the virtual machine's configuration file, which has the .vmx extension (for example Windows XP Professional.vmx), in a text editor such as Notepad and append the following settings to the end of the file.
Information collection
Sample hash value
Every malicious code sample has a unique hash value, and MD5 is the one most commonly used in malicious code analysis. When analysing a suspicious sample, compute its MD5, SHA1 and CRC32 values with a hash verification tool and match them against the MD5, SHA1 and CRC32 values of known virus samples. If there is a match, the sample can be marked "black". If there is no match, further analysis of the sample is still required, because the virus may have been modified: changing even a single byte produces a completely different hash. Note also that MD5 and CRC32 are not collision resistant, so for identifying a sample unambiguously a SHA-256 value is preferable.
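As an added example (not part of the original page or of any tool it names), the hash-matching step above in a few lines of Python: compute MD5, SHA1 and CRC32 of a sample, look them up in a known-bad index, and show why a one-byte variant slips past the index. The sample bytes and the known-bad index are constructed here for illustration; hash_file is a streamed variant for files that should not be read into memory at once.

```python
import hashlib
import zlib


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and CRC32 of a byte string, hex-encoded the way checksum tools print them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as file_hashes, but streamed from disk so large samples need not fit in memory."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "crc32": f"{crc & 0xFFFFFFFF:08x}"}


def triage(data: bytes, known_bad: dict) -> str:
    """Mark a sample 'black' if any of its hashes is in the known-bad index, else 'unknown'."""
    for algo, digest in file_hashes(data).items():
        if digest in known_bad.get(algo, set()):
            return "black"
    return "unknown"


# Constructed stand-in for a previously analysed sample (not real malware): an MZ stub plus padding.
SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 64
# Constructed known-bad index, as if an earlier analysis had recorded SAMPLE's hashes.
KNOWN_BAD = {"md5": {file_hashes(SAMPLE)["md5"]}, "sha1": {file_hashes(SAMPLE)["sha1"]}}
# A one-byte variant of the same sample: every hash changes, so the index no longer matches it.
VARIANT = SAMPLE[:-1] + b"\x01"

if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    print("sample:", triage(SAMPLE, KNOWN_BAD), " variant:", triage(VARIANT, KNOWN_BAD))
```

The variant is reported as "unknown" even though it differs from the known sample in one byte, which is exactly why a hash miss must be followed by the string, packer and import checks that follow.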
Strings
A malicious code sample contains a number of readable strings. Extracting the strings contained in the program lets us make a preliminary assessment of the sample's behaviour.
Strings tool
A tool that extracts the printable strings contained in a program.
Example
Here we run the Strings tool on a small program compiled by ourselves. The extracted strings include the "MessageBoxW" API name and the path of the project at compile time.
Packer information
Sometimes the strings extracted from a malicious program turn out to be meaningless. In that case the program is most likely packed (a "shell" has been added) or obfuscated, and string extraction yields no useful information.
In other words, when the strings extracted from a malicious program are very few, the program is likely packed or obfuscated. Even a packed or obfuscated program still contains at least "LoadLibrary" and "GetProcAddress", because it uses these two functions to load DLLs and locate the other functions it needs at run time.
LoadLibrary: loads a dynamic-link library
GetProcAddress: obtains the address of a function in a loaded library
What is a packer (shell)?
A packer compresses, encrypts, or otherwise protects an executable file.
Packer types
Compression packers: reduce the size of the program; encryption or protection is not the focus.
Encryption (protection) packers: there are many kinds with different emphases. Some only protect the program; others add functions such as a registration mechanism, a usage count, or a time limit.
Compression packers: UPX, ASPack, PECompact, NsPack
Encryption packers: ASProtect, Armadillo, EXECryptor
Virtual-machine protectors: VMProtect, Themida
Packer detection tools
PEiD: http://dwz.cn/2o6sAS
ProtectionID: http://dwz.cn/2o6u7E
Detect It Easy: http://dwz.cn/2o6Hmk
Exeinfo PE: http://dwz.cn/2o6NPm
Example
Here we mainly use PEiD to check the program, and it reports that the program is packed with UPX. UPX is an executable packer (compressor) that supports EXE, COM, DLL, SYS, OCX and other file formats. After UPX packing, the program's section names become UPX0 and UPX1, while the resource section keeps the name .rsrc. Section names are only a hint: a packer can rename them, so their absence does not prove the file is unpacked.
Unpacking
Some malicious programs carry a stub whose only job is to protect the program from being modified or decompiled. The stub generally runs before the original program receives control and, once it has finished its work, hands over to it; this protects the malicious code and makes analysis harder. To analyse the program further we need to remove the packer. The main methods are manual unpacking and automatic unpacking.
Manual unpacking
Common manual unpacking methods:
Single-step tracing
ESP law (set a hardware breakpoint on the stack address ESP points to right after the packer's PUSHAD; execution breaks after the matching POPAD, close to the original entry point)
Two-breakpoint method
One-step to OEP (original entry point)
Last-exception method
Simulated tracing
SFX method
Exit-marker method
Automatic unpacking
Many automatic unpackers and unpacking scripts are published on the Internet.
UPX static unpacker: http://dwz.cn/2obbaF
ASPack 2.12 unpacker: http://dwz.cn/2obcnr
Beidou unpacker: http://dwz.cn/2obfhY
PECompact unpacker: http://dwz.cn/2obDvh
Example
A UPX unpacking script is used to unpack a UPX-packed program: load the program into OllyDbg (OD) and run the unpacking script through the ODbgScript plug-in.
Imported API functions
If we know that a malicious program imports the URLDownloadToFile function, we can preliminarily conclude that it downloads content from the Internet to the local machine, so the program is likely a Downloader. When analysing a malicious program, we can use the Dependency Walker tool to list the functions it imports from dynamic-link libraries. Bear in mind that a packed sample shows only the stub's imports (typically LoadLibrary and GetProcAddress) until it has been unpacked.
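As an added example (not the page's own code, and not the output format of PEiD or Dependency Walker), a small PE walker in Python that reproduces the two static checks above: the section-name test for UPX from the packer section and the import-name test that flags URLDownloadToFile as Downloader behaviour. The parser follows the PE layout (DOS header, PE signature, COFF header, optional header, section table, import descriptors); the sample file is a constructed minimal PE32 built in build_sample_pe, not a real binary, and the API_HINTS mapping is an assumed illustration of the text's reasoning.

```python
import struct

# Assumed mapping from imported API name prefixes to the behaviour they suggest; the wording
# illustrates the text's reasoning (URLDownloadToFile -> Downloader) and is not from the page.
API_HINTS = {
    "URLDownloadToFile": "downloader: fetches content from the Internet to a local file",
    "GetProcAddress": "resolves APIs at run time (typical of packed or obfuscated code)",
    "IsDebuggerPresent": "anti-debugging check",
}


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table -> imports."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]                  # 0x10B = PE32, 0x20B = PE32+
    thunk_fmt, thunk_size, dd_base = ("<I", 4, 96) if magic == 0x10B else ("<Q", 8, 112)
    imp_rva = struct.unpack_from("<I", data, opt + dd_base + 8)[0]   # data directory entry 1 = imports

    sections = []
    for i in range(nsec):                                            # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})

    def rva_to_off(rva: int) -> int:
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    imports = {}
    desc = rva_to_off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)  # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:                                            # null descriptor ends the array
            break
        funcs, thunk = [], rva_to_off(oft or ft)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry >> (thunk_size * 8 - 1):                        # ordinal import, no name
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                funcs.append(_cstr(data, rva_to_off(entry) + 2))     # skip the 2-byte hint
            thunk += thunk_size
        imports[_cstr(data, rva_to_off(name_rva))] = funcs
        desc += 20
    return {"sections": sections, "imports": imports}


def packer_hint(sections):
    """UPX renames sections to UPX0/UPX1; .rsrc keeps its name. A hint only: names can be changed."""
    return "UPX" if any(s["name"].startswith("UPX") for s in sections) else None


def behaviour_hints(imports) -> list:
    hits = set()
    for funcs in imports.values():
        for f in funcs:
            hits.update(m for p, m in API_HINTS.items() if f.startswith(p))
    return sorted(hits)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real sample): UPX-style section names and an import table
    naming LoadLibraryA, GetProcAddress and URLDownloadToFileA."""
    wanted = {"KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress"], "urlmon.dll": ["URLDownloadToFileA"]}
    base = 0x2000                                    # RVA of UPX1, which holds the import table
    blob = bytearray(20 * (len(wanted) + 1))         # descriptor array, null descriptor at the end
    descs = []
    for dll, funcs in wanted.items():
        name_rvas = []
        for f in funcs:                               # hint/name entries, 2-byte aligned
            name_rvas.append(base + len(blob))
            blob += b"\x00\x00" + f.encode() + b"\x00" * (2 - len(f) % 2)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\x00" * 4
        int_rva, iat_rva = base + len(blob), base + len(blob) + len(thunks)
        blob += thunks + thunks                       # INT, then IAT (identical before loading)
        dll_rva = base + len(blob)
        blob += dll.encode() + b"\x00"
        descs.append(struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva))
    blob[:20 * len(descs)] = b"".join(descs)
    imp_size = len(blob)
    blob += b"\x00" * (-len(blob) % 0x200)

    def section(name, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # section / file alignment
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, base, imp_size)            # import data directory
    headers = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # DOS header, e_lfanew = 0x40
               + b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
               + bytes(opt)
               + section(b"UPX0", 0x1000, 0, 0, 0xE0000080)
               + section(b"UPX1", 0x2000, len(blob), 0x200, 0xE0000040)
               + section(b".rsrc", 0x3000, 0x200, 0x200 + len(blob), 0xC0000040))
    return bytes(headers + b"\x00" * (0x200 - len(headers)) + blob + b"\x00" * 0x200)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("sections:", [s["name"] for s in info["sections"]], "packer:", packer_hint(info["sections"]))
    print("imports:", info["imports"])
    print("hints:", behaviour_hints(info["imports"]))
```

Run against a real file by replacing build_sample_pe() with the bytes of the sample. The import walk uses the original first thunk (INT) when present and falls back to the IAT, which matters for binaries whose INT has been stripped by a packer.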
Common dynamic-link library files
Kernel32.dll: core system functions, such as access to and manipulation of memory, files, and hardware
Advapi32.dll: access to core Windows components, such as the Service Manager and the Registry
User32.dll: user-interface components such as buttons and scroll bars, and the components that control and respond to user actions
Gdi32.dll: functions for displaying and manipulating graphics
Wsock32.dll: a program that imports this DLL is likely to connect to the network or perform network-related tasks
Ws2_32.dll: as above
Wininet.dll: higher-level network functions that implement protocols such as FTP, HTTP, and NTP
Kernel32.dll
CreateDirectoryW: creates a new directory
CreateFileW: opens or creates one of the following objects and returns a handle to it: console, communication resource, directory (open only), disk drive, file, mailslot, pipe
CreateThread: creates a new thread in the calling process
DeleteFileW: deletes the specified file
ExitProcess: terminates the calling process
FindClose: closes a file search handle
FindFirstFileW: searches a directory for a file matching the given name
FindNextFileW: continues a file search started with FindFirstFileW
GetCommandLineW: returns a pointer to the command line of the current process
GetCurrentProcess: returns a pseudo-handle for the current process
GetCurrentThread: returns a pseudo-handle for the current thread
GetFileSize: returns the size of a file
GetModuleHandleW: returns the module handle of an application or dynamic-link library
GetProcessHeap: returns the default heap handle of the calling process
GetShortPathNameW: returns the short (8.3) form of the specified path
HeapAlloc: allocates a block of memory from the specified heap; the block cannot be moved
HeapFree: frees a block of heap memory
IsDebuggerPresent: determines whether the calling process is being debugged by a user-mode debugger
MapViewOfFile: maps the data of a file into the address space of the process
ReadFile: reads data from a file
SetFilePointer: sets the current read/write position within a file
WriteFile: writes data to a file
User32.dll