Trojan virus detected by program behavior tracking


Article source: The World Of The World, published by web site: http://www.unnoo.com
Author: Huang Xin (glacier@unnoo.com)

After processing many trojan programs, you gradually notice that the manual static/dynamic analysis process is largely repetitive: it takes half an hour to understand what a program does, and during manual analysis you may miss a hidden key operation, which results in incomplete removal. In fact, as long as the API call sequence and the corresponding parameters are fully recorded while the trojan installs itself, the workload of trojan analysis and removal can be greatly reduced.

I previously wrote a small tool that uses API hooking to record a suspicious program's operations on files, the registry, services and the network. The advantage of the API hooking approach is that when CreateFile is called, the file name can be associated with the returned handle, so when WriteFile later operates on that handle the file name is easily obtained; the same applies to handle-based operations on hKey and socket values. However, the disadvantages of this method are also obvious. First, you must write code for every API function you are interested in. Second, you cannot hook all API functions, so without a complete API call sequence for reference, some small actions may be missed during log analysis.
Another idea is to use debugging technology: set breakpoints in advance at the entry of every imported DLL function, and obtain the parameters from the stack when a breakpoint is hit. Both IDA Pro and OllyDbg support dynamic debugging and provide script/plug-in facilities. During my meeting in Beijing last week, I used the spare time to write a simple OllyDbg plug-in. It only reads eight function parameters from the stack via the ESP pointer at the CALL instruction; the EAX value and stack contents returned by the function are not recorded, yet the results are still satisfactory when testing common (unpacked) programs. You only need to execute "Set breakpoint on every command" in the "Search for -> All intermodular calls" window to set the breakpoints, and then run the plug-in's "Fast trace" function. Snippets of the log file follow:

Note: All single quotes in this article are replaced.

-------------------------------------------------------------------
004099EC: call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>] (kernel32.GetModuleFileNameA)
-------------------------------------------------------------------
ESP + 00 (0012F704): 00000000
ESP + 04 (0012F708): 0012F824 ""
ESP + 08 (0012F70C): 00000104 00000104 ???
ESP + 0C (0012F710): 0012FA6D ""
ESP + 10 (0012F714): 00000001 00000001 ???
ESP + 14 (0012F718): 00000000
ESP + 18 (0012F71C): 575C3A43 575C3A43 ???
ESP + 1C (0012F720): 4F444E49 4F444E49 ???

-------------------------------------------------------------------
00409A00: call dword ptr ds:[<&KERNEL32.CopyFileA>] (kernel32.CopyFileA)
-------------------------------------------------------------------
ESP + 00 (0012F704): 0012F824 "E:\trojan.exe"
ESP + 04 (0012F708): 0012F71C "C:\WINDOWS\system32\trojan.exe"
ESP + 08 (0012F70C): 00000000
ESP + 0C (0012F710): 0012FA6D ""
ESP + 10 (0012F714): 00000001 00000001 ???
ESP + 14 (0012F718): 00000000
ESP + 18 (0012F71C): 575C3A43 575C3A43 ???
ESP + 1C (0012F720): 4F444E49 4F444E49 ???

-------------------------------------------------------------------
00409A94: call dword ptr ds:[<&ADVAPI32.OpenSCManagerA>] (ADVAPI32.OpenSCManagerA)
-------------------------------------------------------------------
ESP + 00 (0012F704): 00000000
ESP + 04 (0012F708): 00000000
ESP + 08 (0012F70C): 000F003F 000F003F ???
ESP + 0C (0012F710): 0012FA6D ""
ESP + 10 (0012F714): 00000001 00000001 ???
ESP + 14 (0012F718): 00000000
ESP + 18 (0012F71C): 575C3A43 575C3A43 ???
ESP + 1C (0012F720): 4F444E49 4F444E49 ???

-------------------------------------------------------------------
00409ACF: call dword ptr ds:[<&ADVAPI32.CreateServiceA>] (ADVAPI32.CreateServiceA)
-------------------------------------------------------------------
ESP + 00 (0012F6DC): 0014F9C0
F8 F9 14 00 98 ba dc fe 00 00 00 B4 F9 CC 53 ...... S
82 6C FC 42 BF 8C 55 14 00 44 14 F4 AB. l. B... U... D ......
AB EE FE 00 00 00 00 00 00 00 ................
20 00 07 00 09 07 18 00 58 FA C3 77 ef cd AB 89... X... w ....
00 00 01 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 ................
06 00 00 00 0A 00 00 00 00 00 30 FB 14 00...
ESP + 04 (0012F6E0): 0042008C "trojan"
ESP + 08 (0012F6E4): 004200C0 "Back door for testing"
ESP + 0C (0012F6E8): 000F01FF 000F01FF ???
ESP + 10 (0012F6EC): 00000120 00000120 ???
ESP + 14 (0012F6F0): 00000002 00000002 ???
ESP + 18 (0012F6F4): 00000001 00000001 ???
ESP + 1C (0012F6F8): 0012F71C "C:\WINDOWS\system32\trojan.exe-start"
  
......

This simple, rough log is enough for me. To display the parameter information in a friendlier way, you need data files that describe each API function's calling convention, return type, number and types of parameters, and so on. For example:

int LoadLibraryA([in] char* lpLibFileName);
int LoadLibraryW([in] wchar* lpLibFileName);
void* GetProcAddress([in] int hModule, [in] char* lpProcName);
int GetModuleFileNameA([in] int hModule, [out] char* lpFilename, [in] int nSize);
int GetModuleFileNameW([in] int hModule, [out] wchar* lpFilename, [in] int nSize);

Writing a simple lexical parsing module that reads the .h files shipped with VC directly is easier for users. After the parameter types are resolved, the output looks much better:

------------------------------------------------------
004099F2-> GetModuleFileNameA (
int hModule: 0 (unsigned = 0/hex = 0),
char* lpFilename: [0012F824] = "",
int nSize: 260 (unsigned = 260/hex = 104),
13 <results
int hModule: 0 (unsigned = 0/hex = 0),
char* lpFilename: [0012F824] = "e:\trojan.exe" in stack of Thread,
int nSize: 260 (unsigned = 260/hex = 104)
);
------------------------------------------------------
00409A06-> CopyFileA (
char* lpExistingFileName: [0012F824] = "e:\trojan.exe" in stack of Thread,
char* lpNewFileName: [0012F71C] = "C:\WINDOWS\system32\trojan.exe" in stack of Thread,
int bFailIfExists: 0 (unsigned = 0/hex = 0),
1 <results
char* lpExistingFileName: [0012F824] = "",
char* lpNewFileName: [0012F71C] = "",
int bFailIfExists: 0 (unsigned = 0/hex = 0)
);
------------------------------------------------------
00409A9A-> OpenSCManagerA (
char* lpMachineName: [00000000] = (null),
char* lpDatabaseName: [00000000] = (null),
int dwDesiredAccess: 983103 (unsigned = 983103/hex = F003F),
1374656 <results
char* lpMachineName: [00000000] = "",
char* lpDatabaseName: [00000000] = "",
int dwDesiredAccess: 983103 (unsigned = 983103/hex = F003F)
);
------------------------------------------------------
00409AD5-> CreateServiceA (
int hSCManager: 1374656 (unsigned = 1374656/hex = 14F9C0),
char* lpServiceName: [0042008C] = "trojan" in main image (.data),
char* lpDisplayName: [004200C0] = "Back door for testing" in main image (.data),
int dwDesiredAccess: 983551 (unsigned = 983551/hex = F01FF),
int dwServi
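As an added example (not the author's plug-in or data files), the following Python sketch shows the two post-processing pieces the article describes: a parser for the prototype description lines, and a formatter that annotates the eight DWORDs captured at ESP with the parameter names and types from that prototype, dereferencing char* pointers. The prototype lines, stack values and memory snapshot are constructed from the CopyFileA entry in the log above, so it runs without a debugger attached.

```python
import re

# Constructed prototype lines in the article's data-file format (assumed, not the author's file).
PROTOTYPES = """
int GetModuleFileNameA([in] int hModule, [out] char* lpFilename, [in] int nSize);
int CopyFileA([in] char* lpExistingFileName, [in] char* lpNewFileName, [in] int bFailIfExists);
"""
PROTO_RE = re.compile(r"^\s*(?P<ret>[\w*\s]+?)\s*(?P<name>\w+)\s*\((?P<args>.*)\)\s*;\s*$")
ARG_RE = re.compile(r"^\[(?P<dir>in|out)\]\s*(?P<type>.+?)\s*(?P<name>\w+)$")


def parse_prototypes(text):
    """Map function name -> (return type, [(direction, type, argname), ...])."""
    db = {}
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if not m:
            continue
        args = []
        for raw in m.group("args").split(","):
            am = ARG_RE.match(raw.strip())
            if am:  # normalise "char *" and "char*" to one spelling
                args.append((am.group("dir"), am.group("type").replace(" ", ""), am.group("name")))
        db[m.group("name")] = (m.group("ret").strip(), args)
    return db


def read_cstring(memory, addr, limit=260):
    """NUL-terminated ANSI string from a {base: bytes} snapshot, or None if unmapped."""
    for base, blob in memory.items():
        if base <= addr < base + len(blob):
            return blob[addr - base:addr - base + limit].split(b"\0", 1)[0].decode("latin-1")
    return None


def format_call(db, name, stack, memory):
    """Annotate the DWORDs captured at ESP+00, +04, ... using the prototype; only as many
    DWORDs as the prototype has parameters are consumed, the rest of the window is caller stack."""
    out = [f"{name}("]
    for (direction, typ, argname), val in zip(db[name][1], stack):
        if typ == "char*":
            s = read_cstring(memory, val)
            shown = "(null)" if val == 0 else ("???" if s is None else f'"{s}"')
            out.append(f"    [{direction}] {typ} {argname}: [{val:08X}] = {shown},")
        else:
            signed = val - (1 << 32) if val & 0x80000000 else val
            out.append(f"    [{direction}] {typ} {argname}: {signed} (unsigned = {val}/hex = {val:X}),")
    out[-1] = out[-1].rstrip(",")
    return "\n".join(out + [");"])


# Constructed sample: the CopyFileA call from the log (eight DWORDs at ESP) plus a memory snapshot.
STACK = [0x0012F824, 0x0012F71C, 0x00000000, 0x0012FA6D, 0x00000001, 0x00000000, 0x575C3A43, 0x4F444E49]
MEMORY = {0x0012F824: b"E:\\trojan.exe\0", 0x0012F71C: b"C:\\WINDOWS\\system32\\trojan.exe\0"}
```

Calling `format_call(parse_prototypes(PROTOTYPES), "CopyFileA", STACK, MEMORY)` renders the three real parameters and ignores the five trailing DWORDs, which in the raw log are the caller's own buffer ("C:\W", "INDO").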
