码迷,mamicode.com
首页 > 其他好文 > 详细

Lab 7-2

时间:2019-01-17 12:07:38      阅读:149      评论:0      收藏:0      [点我收藏+]

标签:sed   cas   model   browser   computer   store   ros   answer   tac   

Analyze the malware found in the file Lab07-02.exe.

Questions and Short Answers

  1. How does this program achieve persistence?

    A: This program does not achieve persistence. It runs once and then exits.

  2. What is the purpose of this program?

    A: The program displays an advertisement web page to the user.

  3. When will this program finish executing?

    A: The program finishes executing after displaying the advertisement.

Detailed Analysis

We begin with some basic static analysis. While we don’t see any interesting ASCII strings, we do see one interesting Unicode string: http://www.malwareanalysisbook.com/ad.html. We check the imports and exports of the program, and see only a few imports in addition to the standard imports, as follows:

技术分享图片

技术分享图片

All of these functions are COM-related. The CoCreateInstance and OleInitialize functions in particular are required in order to use COM functionality.

Next, we try dynamic analysis. When we run this program, it opens Internet Explorer and displays an advertisement. There’s no evidence of the program modifying the system or installing itself to execute when the computer is restarted.

技术分享图片

注:这是我掐断网络,运行 Lab07-02 的结果。

Now we can analyze the code in IDA Pro. We navigate to the *_main* method and see the code shown in the following listing.

技术分享图片

The first thing the malware does is initialize COM and obtain a pointer to a COM object with OleInitialize at \({\color{red} 1 }\) and CoCreateInstance at \({\color{red} 2 }\). The COM object returned will be stored on the stack in a variable that IDA Pro has labeled ppv, as shown at \({\color{red} 3}\). In order to determine what COM functionality is being used, we need to examine the interface identifier (IID) and class identifier (CLSID).

Clicking rclsid and riid shows that they are 0002DF01-0000-0000-C000-000000000046 and D30C1661-CDAF-11D0-8A3E-00C04FC9E26E, respectively. To determine which program will be called, check the registry for the CLSID, or search for the IID on the Internet for any documentation. In this case, these values are the same identifiers we used in “The Component Object Model” on page 154. The IID is for IWebBrowser2, and the CLSID is for Internet Explorer.

技术分享图片

技术分享图片

技术分享图片

As shown in the following listing, the COM object returned by CoCreateInstance is accessed a few instructions later at \({\color{red} 1 }?\).

技术分享图片

Following this instruction, EAX points to the location of the COM object. At \({\color{red}2}\), EAX is dereferenced and EDX points to the beginning of the COM object itself. At \({\color{red} 3}\), the function at an offset of +0x2C from the object is called. As discussed in the chapter, the offset 0x2C for the IWebBrowser2 interface is the Navigate function, and we can use the Structures window in IDA Pro to create a structure and label the offset. When Navigate is called, Internet Explorer navigates to the web address http://www.malwareanalysisbook.com/ad.html.

注:标识 edx + 2Ch(重命名偏移 2Ch):

技术分享图片

技术分享图片

技术分享图片

技术分享图片

技术分享图片

注结束。

After the call to Navigate, there are a few cleanup functions and then the program ends. The program doesn’t install itself persistently, and it doesn’t modify the system. It simply displays a one-time advertisement.

When you encounter a simple program like this one, you should consider it suspect. It may come packaged with additional malware, of which this is just one component.

Preference

恶意代码分析实战 Lab 7-2 习题笔记

病毒分析教程第四话--高级静态逆向分析(上)

Lab 7-2

标签:sed   cas   model   browser   computer   store   ros   answer   tac   

原文地址:https://www.cnblogs.com/d0ct0rx/p/10281419.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!