Analyze the malware found in the file Lab03-04.exe using basic dynamic analysis tools. (This program is analyzed further in the Chapter 9 labs.)

Questions and Short Answers

  1. What happens when you run this file?

    A: When you run this malware by double-clicking it, the program immediately deletes itself.

  2. What is causing the roadblock in dynamic analysis?

    A: We suspect that we may need to provide a command-line argument or a missing component to the program.

  3. Are there other ways to run this program?

    A: We try using the command-line parameters shown in the strings listing (like -in), but doing so is not fruitful. More in-depth analysis is required. (We’ll analyze this malware further in the labs for Chapter 9.)

Detailed Analysis

We begin with basic static analysis, examining the PE file structure and strings. We see that this malware imports networking functionality, service-manipulation functions, and registry-manipulation functions. In the following listing, we notice a number of interesting strings.

  • PEview

  • 翻译版书1.3 查找字符串(英文版书,Part 1: Basic Analysis -> Finding Strings)

    步骤:

    1. 下载Strings(英文原版书提供的链接好使,翻译版失效。)

    2. cmd -> 进入下载的strings.exe可执行文件所在文件夹 -> 使用 strings 命令查看

      C:\Documents and Settings\Administrator\桌面\杂\Strings>strings.exe "C:\Documents and Settings\Administrator\桌面\Lab03-04.exe"

We see strings such as a domain name and the registry location SOFTWARE Microsoft \XPS. Strings like DOWNLOAD and UPLOAD, combined with the HTTP/1.0 string, suggest that this malware is an HTTP backdoor. The strings -cc, -re, and -in could be command-line parameters (for example -in may stand for install). Let’s see if basic dynamic techniques show us how these strings are used.

Before we run the malware, we run procmon and clear out all events, start Process Explorer, and set up a virtual network. When we run the malware, it appears to immediately delete itself, and we see nothing else of interest while watching with Process Explorer.

Next, we use procmon with a filter on the process name Lab03-04.exe. There aren’t any interesting WriteFile or RegSetValue entries, but upon further digging, we find an entry for Process Create. Double-clicking this entry brings up the dialog shown in Figure 3-11L, and we see that the malware is deleting itself from the system using "C:\WINDOWS\system32\cmd.exe" /c del Z: Lab03-04.exe >> NUL, as seen at \({\color{red}1}\).

Figure 3-11L: Procmon view of the Process Create performed for self-deletion

We can try to run the malware from the command line using the command-line options we saw in the strings listing (-in, -re, and –cc), but all of them fail and result in the program deleting itself. There isn’t much more we can do with basic dynamic techniques at this point, until we dig deeper into the malware. (We will revisit this malware in the Chapter 9 labs.)

以选项 -in 试验,Lab03-04.exe 执行前:

以选项 -in 试验,Lab03-04.exe 执行后:

Preference

恶意代码分析实战 Lab 3-4 习题笔记

Lab 3-4的更多相关文章

  1. MIT 6.828 JOS学习笔记18. Lab 3.2 Part B: Page Faults, Breakpoints Exceptions, and System Calls

    现在你的操作系统内核已经具备一定的异常处理能力了,在这部分实验中,我们将会进一步完善它,使它能够处理不同类型的中断/异常. Handling Page Fault 缺页中断是一个非常重要的中断,因为我 ...

  2. MIT 6.828 JOS学习笔记17. Lab 3.1 Part A User Environments

    Introduction 在这个实验中,我们将实现操作系统的一些基本功能,来实现用户环境下的进程的正常运行.你将会加强JOS内核的功能,为它增添一些重要的数据结构,用来记录用户进程环境的一些信息:创建 ...

  3. MIT 6.828 JOS学习笔记16. Lab 2.2

    Part 3 Kernel Address Space JOS把32位线性地址虚拟空间划分成两个部分.其中用户环境(进程运行环境)通常占据低地址的那部分,叫用户地址空间.而操作系统内核总是占据高地址的 ...

  4. MIT 6.828 JOS学习笔记15. Lab 2.1

    Lab 2: Memory Management lab2中多出来的几个文件: inc/memlayout.h kern/pmap.c kern/pmap.h kern/kclock.h kern/k ...

  5. MIT 6.828 JOS学习笔记10. Lab 1 Part 3: The kernel

    Lab 1 Part 3: The kernel 现在我们将开始具体讨论一下JOS内核了.就像boot loader一样,内核开始的时候也是一些汇编语句,用于设置一些东西,来保证C语言的程序能够正确的 ...

  6. MIT 6.828 JOS学习笔记7. Lab 1 Part 2.2: The Boot Loader

    Lab 1 Part 2 The Boot Loader Loading the Kernel 我们现在可以进一步的讨论一下boot loader中的C语言的部分,即boot/main.c.但是在我们 ...

  7. python opencv 利用Lab空间把春天的场景改为秋天

    前一段时间实现了Reinhard颜色迁移算法,感觉挺有意思的,然后在代码上随意做了一些更改,有了一些发现,把Lab通道的a通道值改为127左右,可以将绿色改为黄色,而对其他颜色的改动非常小,因此可以将 ...

  8. Acadia Lab 228 + Lab 222

    又是一对串烧实验,布好线后非常方便就可以一起完成. 连线方案一模一样: Lab 228 数码管骰子 核心代码如下: def loop() : global cnt global btn_read,se ...

  9. Acadia Lab 203 + Lab 231

    在做完 Lab 6 之后,惊觉选做实验缺口很大,于是遍历了一遍夏任务,找到了一条最省力的路线. 做完 Lab 6 的连线不用拆,可以接下来做以下两个实验: Lab 203 网络时钟 核心代码如下: v ...

  10. GJM : 【技术干货】给The Lab Renderer for Unity中地形添加阴影

    感谢您的阅读.喜欢的.有用的就请大哥大嫂们高抬贵手"推荐一下"吧!你的精神支持是博主强大的写作动力以及转载收藏动力.欢迎转载! 版权声明:本文原创发表于 [请点击连接前往] ,未经 ...

随机推荐

  1. batchGetAnchorLevel(dubbo接口)

    一.编写脚本前的准备工作 1.安装idea,安装本地maven库,并在idea里面配置maven 2.导入git源码(目的在于下载所依赖的基础包)-->File-new-Project from ...

  2. QML的Window与ApplicationWindow

    ApplicationWindow需要导入QtQuick.Controls Window需要导入QtQuick.Window . 默认不可见,需要设置visible:true才可见. 主要区别就是Ap ...

  3. Delphi XE5 for Android (十)

    我觉得Delphi最强大的的功能之一就是开发数据库三层应用的DataSnap,在Android上的实现,首先是完成服务器的设计: (1)利用向导完成DataSnap服务器的框架,如下图: 由于是实验, ...

  4. 【做题】arc068_f-Solitaire——糊结论

    把所有数字放入双端队列后,结果大概是这样一个排列: \[P_1 1 P_2\] 其中\(P_1\)是递减序列,\(P_2\)是递增序列. 我们以\(1\)所在的位置\(k\)分割最终的排列\(A\). ...

  5. mysql中创建时间和更新时间的区别

    `create_time` ) NULL DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间', `update_time` ) ) COMMENT '更新时间', 而在界 ...

  6. 【C#】非常重要的泛型

    泛型 为什么要有泛型, 在没有泛型之前, 什么东西充当了泛型的作用? 在泛型出现之前, 代码中会有很多需要强制转换的地方. 比如 int a = (int) object, 对于这样类似的代码, 编译 ...

  7. .psl脚本介绍

    .ps1文件是PowerShell写好的脚本文件 可以在记事本中写一段PowerShell代码,然后将其保存为“xxx.ps1”,后面要使用它的时候,双击即可运行了.这有点像批处理的“.bat”文件, ...

  8. Lintcode35-Reverse Linked List-Easy

    35. Reverse Linked List Reverse a linked list. Example Example1:For linked list 1->2->3, the r ...

  9. unity shader base pass and additional pass

      [Unity Shaders]Shader中的光照,shadersshader 写在前面 自己写过Vertex & Fragment Shader的童鞋,大概都会对Unity的光照痛恨不已 ...

  10. Intellij idea创建maven项目并配置tomcat

    今天刷知乎的时候刷到这么一句话 我觉得还是蛮有趣的,形容的也比较到位,正好最近新建maven项目进行了thrift数据的传输,在此做一个记录 首先idea整合了maven,不需要单独下载 新建一个Pr ...