Execute the malware found in the file Lab03-03.exe while monitoring it using basic dynamic analysis tools in a safe environment.

Questions and Short Answers

  1. What do you notice when monitoring this malware with Process Explorer?

    A: The malware performs process replacement on svchost.exe.

  2. Can you identify any live memory modifications?

    A: Comparing the disk image of svchost.exe with its memory image shows that they are not the same. The memory image has strings such as practicalmalwareanalysis.log and [ENTER], but the disk image has neither.

  3. What are the malware’s host-based indicators?

    A: The malware creates the log file practicalmalwareanalysis.log.

  4. What is the purpose of this program?

    A: The program performs process replacement on svchost.exe to launch
    a keylogger.

Detailed Analysis

For this lab, we begin by launching Process Explorer and procmon. When procmon starts, the events stream by quickly, so we use File -> Capture Events to toggle event capture on and off. (It’s best to keep event capture off until all dynamic analysis programs are started and you’re ready to execute the program.) We use Filter -> Filter to open the Filter dialog, and then ensure that only the default filters are enabled by clicking the Reset button.

Lab03-03.exe can be run from the command prompt or by double-clicking its icon. Once run, Lab03-03.exe should be visible inside Process Explorer. Notice how it creates the subprocess svchost.exe, and then exits, but leaves the svchost.exe process running as an orphaned process, as shown in Figure 3-8L. (An orphaned process has no parent process listed in the process tree structure.) The fact that svchost.exe is orphaned is highly unusual and highly suspicious.

Process Explorer 在 Lab03-03.exe 运行前中后的状态如下图:

注:此图是我运行了很多遍,拼手速截的,故进程 PID 会有出入。

Figure 3-8L: Process Explorer view of orphaned svchost.exe

We investigate further by right-clicking and selecting Properties for the orphaned svchost.exe process. As shown in Figure 3-8L, the process appears to be a valid svchost.exe process with PID 204, but this svchost.exe is suspicious because svchost.exe is typically a child of services.exe.

From this same properties page, we select Strings to show the strings in both the executable image on disk and in memory. Toggling between the Image and Memory radio buttons shows significant discrepancies between the images. As shown in Figure 3-9L, the strings in memory on the right contain practicalmalwareanalysis.log and [ENTER], seen at \({\color{red}1}\) and \({\color{red}2}\), neither of which is found in a typical Windows svchost.exe file on disk, as seen on the left.

Figure 3-9L: Process Explorer shows strings that are not normally contained in svchost.exe.

The presence of the string practicalmalwareanalysis.log, coupled with strings like [ENTER] and [CAPS LOCK], suggests that this program is a keylogger. To test our assumption, we open Notepad and type a short message to see if the malware will perform keylogging. To do so, we use the PID (found in Process Explorer) for the orphaned svchost.exe to create a filter in procmon to show only events from that PID (204). As you can see in Figure 3-10L, the CreateFile and WriteFile events for svchost.exe are writing to the file named practicalmalwareanalysis.log. (This same string is visible in the memory view of the orphaned svchost.exe process.)

Figure 3-10L: Procmon output of svchost.exe with PID 204

Opening practicalmalwareanalysis.log with a simple text editor reveals the keystrokes you entered in Notepad. We conclude that this malware is a keylogger that uses process replacement on svchost.exe.

Preference

恶意代码分析实战 Lab 3-3 习题笔记

Lab 3-3的更多相关文章

  1. MIT 6.828 JOS学习笔记18. Lab 3.2 Part B: Page Faults, Breakpoints Exceptions, and System Calls

    现在你的操作系统内核已经具备一定的异常处理能力了,在这部分实验中,我们将会进一步完善它,使它能够处理不同类型的中断/异常. Handling Page Fault 缺页中断是一个非常重要的中断,因为我 ...

  2. MIT 6.828 JOS学习笔记17. Lab 3.1 Part A User Environments

    Introduction 在这个实验中,我们将实现操作系统的一些基本功能,来实现用户环境下的进程的正常运行.你将会加强JOS内核的功能,为它增添一些重要的数据结构,用来记录用户进程环境的一些信息:创建 ...

  3. MIT 6.828 JOS学习笔记16. Lab 2.2

    Part 3 Kernel Address Space JOS把32位线性地址虚拟空间划分成两个部分.其中用户环境(进程运行环境)通常占据低地址的那部分,叫用户地址空间.而操作系统内核总是占据高地址的 ...

  4. MIT 6.828 JOS学习笔记15. Lab 2.1

    Lab 2: Memory Management lab2中多出来的几个文件: inc/memlayout.h kern/pmap.c kern/pmap.h kern/kclock.h kern/k ...

  5. MIT 6.828 JOS学习笔记10. Lab 1 Part 3: The kernel

    Lab 1 Part 3: The kernel 现在我们将开始具体讨论一下JOS内核了.就像boot loader一样,内核开始的时候也是一些汇编语句,用于设置一些东西,来保证C语言的程序能够正确的 ...

  6. MIT 6.828 JOS学习笔记7. Lab 1 Part 2.2: The Boot Loader

    Lab 1 Part 2 The Boot Loader Loading the Kernel 我们现在可以进一步的讨论一下boot loader中的C语言的部分,即boot/main.c.但是在我们 ...

  7. python opencv 利用Lab空间把春天的场景改为秋天

    前一段时间实现了Reinhard颜色迁移算法,感觉挺有意思的,然后在代码上随意做了一些更改,有了一些发现,把Lab通道的a通道值改为127左右,可以将绿色改为黄色,而对其他颜色的改动非常小,因此可以将 ...

  8. Acadia Lab 228 + Lab 222

    又是一对串烧实验,布好线后非常方便就可以一起完成. 连线方案一模一样: Lab 228 数码管骰子 核心代码如下: def loop() : global cnt global btn_read,se ...

  9. Acadia Lab 203 + Lab 231

    在做完 Lab 6 之后,惊觉选做实验缺口很大,于是遍历了一遍夏任务,找到了一条最省力的路线. 做完 Lab 6 的连线不用拆,可以接下来做以下两个实验: Lab 203 网络时钟 核心代码如下: v ...

  10. GJM : 【技术干货】给The Lab Renderer for Unity中地形添加阴影

    感谢您的阅读.喜欢的.有用的就请大哥大嫂们高抬贵手"推荐一下"吧!你的精神支持是博主强大的写作动力以及转载收藏动力.欢迎转载! 版权声明:本文原创发表于 [请点击连接前往] ,未经 ...

随机推荐

  1. 全排列+字符串查找|扑克排序|2014年蓝桥杯A组题解析第六题-fishers

    标题:扑克序列 A A 2 2 3 3 4 4, 一共4对扑克牌.请你把它们排成一行. 要求:两个A中间有1张牌,两个2之间有2张牌,两个3之间有3张牌,两个4之间有4张牌. 请填写出所有符合要求的排 ...

  2. 初识Java框架

    Spring boot>spring>spring mvc SSH:struts2+spring+hibernate SSM(SSH的改进): (过去)spring+struts2+MyB ...

  3. 题解—— 洛谷 p1269 信号放大器(贪心)

    深刻的教训,不要写错读入 #include <cstdio> #include <algorithm> using namespace std; ; ; ,u[MAXM],v[ ...

  4. (转) Supercharging Style Transfer

      Supercharging Style Transfer Wednesday, October 26, 2016 Posted by Vincent Dumoulin*, Jonathon Shl ...

  5. AndroidStudio Gradle下载速度慢解决方法

    1.在软件里点开工程文件下的 build.gradle 2..在 buildscript 和 allprojects 的 repositories 中分别注释掉 jcenter() 3.在 build ...

  6. 检测浏览器(BOM)以及地址栏网址的API

    navigator.userAgent //检测浏览器的版本以及那个厂商的 (不怎么准,你比如360经常跟别人干架,所以别人检测到360浏览器就提示浏览器危险,所以360就自己修改了) //分解这个地 ...

  7. NIO小纪

    我们通常说的NIO大多数场景下都是基于I/O复用技术的NIO,比如jdk中的NIO,当然Tomcat8以后的NIO也是指的基于I/O复用的NIO.注意,使用NIO != 高性能,当连接数<100 ...

  8. tomcat中配置https请求

    一.  创建tomcat证书 这里使用JDK自带的keytool工具来生成证书: 1. 在jdk的安装目录\bin\keytool.exe下打开keytool.exe 2. 在命令行中输入以下命令: ...

  9. Perl中命令行参数以及打开管道文件

    打开管道文件   Linux提供了管道机制,可以方便应用程序之间的数据传递.在Perl中,扣开和使用管道可采用如下形式的open函数:   open(Filehandle,”丨 CMD”);   其中 ...

  10. 彻底弄懂JS事件委托的概念和作用

    一.写在前头    接到某厂电话问什么是事件代理的时候,一开始说addEventListener,然后他说直接绑定新的元素不会报dom不存在的错误吗?然后我就混乱了,我印象中这个方法是可以绑定新节点的 ...