动态分析可观察恶意代码的真实行为
1 沙箱
缺点:沙箱只能简单的运行恶意程序 ,当程序有命令参数,或后门程序需要接收指令才能运行,在沙箱中无法启动的。
- 恶意代码会检测沙箱环境
- 有些恶意代码在沙箱环境中找不到依赖的环境,无法运行
- 恶意代码运行的操作系统不相符
- 沙箱只能报告恶意代码的功能,不能给出最终结论
2 运行恶意代码
启动dll
rundll32.exe DLLname, Export arguments
Export arguments中DLL文件导出表中的函数或者序号
如rundll32.exe rip.dll, Installrundll32.exe rip.dll, #5
windows启动服务
net start service_name
3 进程监视器
ProcessMonitor
过滤器的使用4 进程浏览器
可查看进程的使用的dll和使用handle(文件句柄,互斥量、事件等等)
可使用验证选项来验证磁盘上的文件是否有微软的签名,可通过内存替换技术绕过 分析恶意文件 如恶意pdf和office文件 来查看创新的新进程和网络行为5 Regshot比较注册表快照
可以对系统注册表进行快照,对比差异。能够了解 恶意代码的对注册表的操作
下载地址6 模拟网络
- ApateDNS 用来查看恶意程序请求的DNS 域名
- fakenet 一个windows平台下的网络模拟器,用于恶意代码分析
- netcat 用于TCP/IP连接、代理、隧道,非常强大的工具
nc -l -p 8888nc www.baidu.com 80
7 抓包
使用wireshark进行抓包
8 inetsim
inetsim 在linux平台上可以模拟常见的网络服务
root@kali:~# inetsimINetSim 1.2.8 (2018-06-12) by Matthias Eckert & Thomas HungenbergMain logfile '/var/log/inetsim/main.log' does not exist. Trying to create it...Main logfile '/var/log/inetsim/main.log' successfully created.Sub logfile '/var/log/inetsim/service.log' does not exist. Trying to create it...Sub logfile '/var/log/inetsim/service.log' successfully created.Debug logfile '/var/log/inetsim/debug.log' does not exist. Trying to create it...Debug logfile '/var/log/inetsim/debug.log' successfully created.Using log directory: /var/log/inetsim/Using data directory: /var/lib/inetsim/Using report directory: /var/log/inetsim/report/Using configuration file: /etc/inetsim/inetsim.confParsing configuration file.Configuration file parsed successfully.=== INetSim main process started (PID 1233) ===Session ID: 1233Listening on: 127.0.0.1Real Date/Time: 2020-02-08 10:13:04Fake Date/Time: 2020-02-08 10:13:04 (Delta: 0 seconds) Forking services... * dns_53_tcp_udp - started (PID 1321) * irc_6667_tcp - started (PID 1331) * daytime_13_tcp - started (PID 1338) * tftp_69_udp - started (PID 1330) * echo_7_tcp - started (PID 1340) * finger_79_tcp - started (PID 1333) * daytime_13_udp - started (PID 1339) * echo_7_udp - started (PID 1341) * ntp_123_udp - started (PID 1332) * time_37_udp - started (PID 1337) * syslog_514_udp - started (PID 1335) * ftp_21_tcp - started (PID 1328) * ident_113_tcp - started (PID 1334) * discard_9_tcp - started (PID 1345) * discard_9_udp - started (PID 1346) * smtps_465_tcp - started (PID 1325) * time_37_tcp - started (PID 1336) * smtp_25_tcp - started (PID 1324) * pop3_110_tcp - started (PID 1326) * https_443_tcp - started (PID 1323) * http_80_tcp - started (PID 1322) * quotd_17_tcp - started (PID 1347) * chargen_19_udp - started (PID 1351) * quotd_17_udp - started (PID 1348) * chargen_19_tcp - started (PID 1349) * ftps_990_tcp - started (PID 1329) * dummy_1_udp - started (PID 1353) * dummy_1_tcp - started (PID 1352) * pop3s_995_tcp - started (PID 1327) done.Simulation running.