恶意样本分析手册——理论篇 – 绿盟科技技术博客
Tags
| attack-pattern: | Data Software - T1592.002 Thread Local Storage - T1055.005 Rootkit - T1014 Rootkit |
Common Information
| Type | Value |
|---|---|
| UUID | 6e53d4b3-fa32-4775-b6be-638c9ad38b2c |
| Fingerprint | a54ba74e588f603 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | March 28, 2017, 9:23 p.m. |
| Added to db | Jan. 18, 2023, 7:37 p.m. |
| Last updated | Nov. 17, 2024, 5:58 p.m. |
| Headline | 恶意样本分析手册——理论篇 |
| Title | 恶意样本分析手册——理论篇 – 绿盟科技技术博客 |
| Detected Hints/Tags/Attributes | 37/1/38 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | http://blog.nsfocus.net/sample-analysis-manual-theory/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | File | 2 | windows.inc |
|
| Details | File | 1 | 索引值在windows.inc |
|
| Details | File | 1 | 后半部分是osloader.exe |
|
| Details | File | 1 | su解析osloader.exe |
|
| Details | File | 1 | e820frame.key |
|
| Details | File | 1 | 循环条件是e820frame.key |
|
| Details | File | 1 | 后面无法加载osloader.exe |
|
| Details | File | 1 | oloader.exe |
|
| Details | File | 6 | osloader.exe |
|
| Details | File | 1 | 即osloader.exe |
|
| Details | File | 1 | 首先需要解析osloader.exe |
|
| Details | File | 1 | 复制完成后返回osloader.exe |
|
| Details | File | 1 | 实际上就是跳转到osloader.exe |
|
| Details | File | 2 | 当user32.dll |
|
| Details | File | 50 | a.exe |
|
| Details | File | 1 | 想要调用b.dll |
|
| Details | File | 1 | 这样的话我们把b.dll |
|
| Details | File | 1 | 改名bb.dll |
|
| Details | File | 1 | 然后我们自己写一个b.dll |
|
| Details | File | 1 | 然后我们在这个函数里加载bb.dll |
|
| Details | File | 1 | 原b.dll |
|
| Details | File | 1 | 对于a.exe |
|
| Details | File | 1 | 也就是b.dll |
|
| Details | File | 1 | 就是先在主程序目录下查找b.dll |
|
| Details | File | 1 | 就要知道b.dll |
|
| Details | File | 125 | ntoskrnl.exe |
|
| Details | File | 291 | user32.dll |
|
| Details | File | 229 | advapi32.dll |
|
| Details | File | 1 | 最终都封装在ntdll.dll |
|
| Details | File | 1 | 可以获得由ntoskrnl.exe |
|
| Details | File | 1 | 具体存在于win32k.sys |
|
| Details | File | 1 | messagebox的函数的实现过程实际上是在user32.dll |
|
| Details | File | 1 | 当这个程序运行时会在user32.dll |
|
| Details | File | 1 | 比如我们的一个驱动程序导入了psgetcurrentprocessid这个ntkrnlpa.exe |
|
| Details | File | 1 | 装载程序会确定ntkrnlpa.exe |
|
| Details | File | 22 | ntkrnlpa.exe |
|
| Details | File | 1 | +ntkrnlpa.exe |
|
| Details | File | 1 | dbg会使用自带的loaddll.exe |