hacktricks/forensics/basic-forensic-methodology/malware-analysis.md

301 lines
16 KiB
Markdown
Raw Normal View History

2023-08-03 19:12:22 +00:00
# 恶意软件分析
2022-04-28 16:01:33 +00:00
<details>
2023-08-03 19:12:22 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
* 你在一家**网络安全公司**工作吗?你想在 HackTricks 中看到你的**公司广告**吗?或者你想获得**PEASS 的最新版本或下载 HackTricks 的 PDF 版本**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家 NFT 收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram 群组**](https://t.me/peass) 或在 **Twitter** 上**关注**我 [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向** [**hacktricks 仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud 仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交 PR 来分享你的黑客技巧。**
2022-04-28 16:01:33 +00:00
</details>
2023-08-03 19:12:22 +00:00
## 取证备忘单
2022-05-01 16:32:23 +00:00
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
2023-08-03 19:12:22 +00:00
## 在线服务
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com)
* [Intezer](https://analyze.intezer.com)
* [Any.Run](https://any.run/)
2023-08-03 19:12:22 +00:00
## 离线杀毒和检测工具
### Yara
2023-08-03 19:12:22 +00:00
#### 安装
2020-12-21 20:50:30 +00:00
```bash
sudo apt-get install -y yara
```
2023-08-03 19:12:22 +00:00
#### 准备规则
2023-08-03 19:12:22 +00:00
使用此脚本从 GitHub 下载并合并所有的 YARA 恶意软件规则:[https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
创建名为 _**rules**_ 的目录并执行该脚本。这将创建一个名为 _**malware\_rules.yar**_ 的文件,其中包含所有的恶意软件 YARA 规则。
2020-12-21 20:50:30 +00:00
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
2023-08-03 19:12:22 +00:00
#### 扫描
Performing a thorough scan of the system is an essential step in malware analysis. The purpose of the scan is to identify any suspicious files, processes, or network connections that may indicate the presence of malware.
执行系统的彻底扫描是恶意软件分析中的一个重要步骤。扫描的目的是识别可能表明恶意软件存在的任何可疑文件、进程或网络连接。
There are several tools and techniques that can be used for scanning, including antivirus software, network monitoring tools, and file analysis tools. These tools can help identify known malware signatures, detect abnormal behavior, and analyze the structure and content of suspicious files.
有几种工具和技术可用于扫描,包括防病毒软件、网络监控工具和文件分析工具。这些工具可以帮助识别已知的恶意软件签名,检测异常行为,并分析可疑文件的结构和内容。
During the scan, it is important to collect as much information as possible about the suspicious files or processes. This includes file hashes, process IDs, network connections, and any other relevant details. This information will be useful for further analysis and investigation.
在扫描过程中收集有关可疑文件或进程的尽可能多的信息非常重要。这包括文件哈希、进程ID、网络连接和其他相关细节。这些信息将有助于进一步的分析和调查。
2023-08-03 19:12:22 +00:00
Once the scan is complete, the results should be carefully reviewed and analyzed. Any identified malware or suspicious activity should be further investigated to determine its nature, impact, and potential mitigation strategies.
2023-08-03 19:12:22 +00:00
扫描完成后,应仔细审查和分析结果。任何已识别的恶意软件或可疑活动都应进一步调查,以确定其性质、影响和潜在的缓解策略。
2020-12-21 20:50:30 +00:00
```bash
yara -w malware_rules.yar image #Scan 1 file
2022-09-08 08:47:03 +00:00
yara -w malware_rules.yar folder #Scan the whole folder
```
2023-08-03 19:12:22 +00:00
#### YaraGen: 检查恶意软件并创建规则
2023-08-03 19:12:22 +00:00
您可以使用工具[**YaraGen**](https://github.com/Neo23x0/yarGen)从二进制文件生成yara规则。查看这些教程[**第1部分**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/)[**第2部分**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/)[**第3部分**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
```
### ClamAV
2021-08-16 23:29:43 +00:00
2023-08-03 19:12:22 +00:00
#### 安装
To install ClamAV, you can use the following command:
2021-08-16 23:29:43 +00:00
2021-08-18 23:59:47 +00:00
```bash
2023-08-03 19:12:22 +00:00
sudo apt-get install clamav
2021-08-18 23:59:47 +00:00
```
2023-08-03 19:12:22 +00:00
After the installation is complete, you can update the virus database by running the following command:
```bash
sudo freshclam
```
#### Scanning Files
2023-08-03 19:12:22 +00:00
To scan a specific file or directory, use the following command:
2023-08-03 19:12:22 +00:00
```bash
clamscan [file/directory]
```
For example, to scan a file named `malware.exe`, you would run:
```bash
clamscan malware.exe
```
#### Scanning the Entire System
To scan the entire system, use the following command:
```bash
clamscan -r /
```
This will recursively scan all files and directories starting from the root directory (`/`).
#### Quarantine Infected Files
If ClamAV detects any infected files, you can quarantine them using the following command:
```bash
clamscan --remove [file/directory]
```
For example, to quarantine a file named `malware.exe`, you would run:
```bash
clamscan --remove malware.exe
```
#### Updating ClamAV
To update ClamAV to the latest version, use the following command:
```bash
sudo apt-get update && sudo apt-get upgrade clamav
```
#### Conclusion
ClamAV is a powerful antivirus tool that can help you detect and remove malware from your system. By following the steps outlined in this guide, you can install ClamAV, scan files and directories, quarantine infected files, and keep ClamAV up to date.
```
sudo apt-get install -y clamav
```
2023-08-03 19:12:22 +00:00
#### 扫描
Performing a scan is an essential step in malware analysis. It helps to identify and gather information about the malware sample. There are various scanning techniques that can be used, such as static analysis and dynamic analysis.
进行扫描是恶意软件分析的重要步骤。它有助于识别和收集有关恶意软件样本的信息。可以使用各种扫描技术,如静态分析和动态分析。
##### Static Analysis
静态分析
Static analysis involves examining the malware sample without executing it. This can be done by analyzing the file's structure, metadata, and code. Some common static analysis techniques include:
静态分析是在不执行恶意软件样本的情况下对其进行检查。这可以通过分析文件的结构、元数据和代码来完成。一些常见的静态分析技术包括:
- File signature analysis: Checking the file signature against known malware signatures.
- 文件签名分析:将文件签名与已知的恶意软件签名进行比对。
- String analysis: Searching for specific strings or keywords within the file.
- 字符串分析:在文件中搜索特定的字符串或关键字。
2023-08-03 19:12:22 +00:00
- Code analysis: Analyzing the code structure and logic to understand its functionality.
- 代码分析:分析代码结构和逻辑以了解其功能。
2023-08-03 19:12:22 +00:00
- Metadata analysis: Examining the file's metadata, such as file size, creation date, and author information.
- 元数据分析:检查文件的元数据,如文件大小、创建日期和作者信息。
##### Dynamic Analysis
动态分析
Dynamic analysis involves executing the malware sample in a controlled environment to observe its behavior. This can be done using techniques such as:
动态分析涉及在受控环境中执行恶意软件样本以观察其行为。可以使用以下技术来完成:
- Sandbox analysis: Running the malware in a virtualized environment to monitor its actions and interactions with the system.
- 沙盒分析:在虚拟化环境中运行恶意软件,以监视其与系统的操作和交互。
- Debugging: Analyzing the malware's execution using a debugger to trace its behavior and identify any malicious activities.
- 调试:使用调试器分析恶意软件的执行,以跟踪其行为并识别任何恶意活动。
- Network analysis: Monitoring the network traffic generated by the malware to understand its communication patterns and potential command and control (C2) servers.
- 网络分析监视恶意软件生成的网络流量以了解其通信模式和潜在的命令和控制C2服务器。
- Behavior analysis: Observing the malware's actions, such as file modifications, registry changes, and process creation, to determine its impact on the system.
- 行为分析:观察恶意软件的行为,如文件修改、注册表更改和进程创建,以确定其对系统的影响。
By combining static and dynamic analysis techniques, analysts can gain a comprehensive understanding of the malware's characteristics and behavior. This information is crucial for further analysis and developing effective countermeasures.
通过结合静态和动态分析技术,分析人员可以全面了解恶意软件的特征和行为。这些信息对进一步的分析和制定有效的对策至关重要。
2020-12-21 20:50:30 +00:00
```bash
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
2022-09-08 08:47:03 +00:00
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)
2023-08-03 19:12:22 +00:00
**Capa**检测可执行文件PE、ELF、.NET中的潜在恶意功能。因此它可以发现诸如Att\&ck战术或可疑功能的事物例如
2023-08-03 19:12:22 +00:00
- 检查OutputDebugString错误
- 作为服务运行
- 创建进程
2023-08-03 19:12:22 +00:00
在[**Github仓库**](https://github.com/mandiant/capa)中获取它。
2023-08-03 19:12:22 +00:00
### IOC指标泄露
2021-08-16 23:29:43 +00:00
2023-08-03 19:12:22 +00:00
IOC代表指标泄露。IOC是一组条件用于识别一些潜在的不受欢迎的软件或已确认的恶意软件。蓝队使用这种定义来在其系统和网络中搜索此类恶意文件。\
共享这些定义非常有用因为当在计算机中识别出恶意软件并创建了该恶意软件的IOC时其他蓝队可以使用它来更快地识别出该恶意软件。
2021-08-16 23:29:43 +00:00
2023-08-03 19:12:22 +00:00
创建或修改IOC的工具是[**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**。**\
您可以使用诸如[**Redline**](https://www.fireeye.com/services/freeware/redline.html)的工具在设备中搜索定义的IOC。
2021-08-16 23:29:43 +00:00
### Loki
2023-08-03 19:12:22 +00:00
[**Loki**](https://github.com/Neo23x0/Loki)是一个用于简单指标泄露的扫描器。\
检测基于四种检测方法:
```
1. File Name IOC
2023-08-03 19:12:22 +00:00
Regex match on full file path/name
2. Yara Rule Check
2023-08-03 19:12:22 +00:00
Yara signature matches on file data and process memory
3. Hash Check
2023-08-03 19:12:22 +00:00
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check
2023-08-03 19:12:22 +00:00
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
2023-08-03 19:12:22 +00:00
### Linux 恶意软件检测
2023-08-03 19:12:22 +00:00
[**Linux 恶意软件检测 (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) 是一个针对 Linux 的恶意软件扫描器,采用 GNU GPLv2 许可证发布,旨在解决共享托管环境中面临的威胁。它利用网络边缘入侵检测系统的威胁数据来提取正在攻击中使用的恶意软件,并生成用于检测的签名。此外,威胁数据还来自用户提交的 LMD 检查功能和恶意软件社区资源。
### rkhunter
2020-12-23 19:52:25 +00:00
2023-08-03 19:12:22 +00:00
可以使用类似 [**rkhunter**](http://rkhunter.sourceforge.net) 的工具来检查文件系统中可能存在的 **rootkit** 和恶意软件。
2020-12-23 19:52:25 +00:00
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS
2023-08-03 19:12:22 +00:00
[FLOSS](https://github.com/mandiant/flare-floss)是一种工具,它将尝试使用不同的技术在可执行文件中查找混淆的字符串。
### PEpper
2020-12-23 19:52:25 +00:00
2023-08-03 19:12:22 +00:00
[PEpper](https://github.com/Th3Hurrican3/PEpper)检查可执行文件中的一些基本内容二进制数据、熵、URL和IP地址一些yara规则
2020-12-23 19:52:25 +00:00
### PEstudio
2023-08-03 19:12:22 +00:00
[PEstudio](https://www.winitor.com/download)是一种工具可以获取Windows可执行文件的信息如导入、导出、头部还会检查病毒总和并找到潜在的Att\&ck技术。
### Detect It Easy(DiE)
2023-08-03 19:12:22 +00:00
[DiE](https://github.com/horsicq/Detect-It-Easy/)是一种工具,用于检测文件是否被加密,并找到打包程序。
### NeoPI
2023-08-03 19:12:22 +00:00
[NeoPI](https://github.com/CiscoCXSecurity/NeoPI)是一个使用各种统计方法来检测文本/脚本文件中的混淆和加密内容的Python脚本。NeoPI的预期目的是帮助检测隐藏的Web Shell代码。
2023-08-03 19:12:22 +00:00
### php-malware-finder
2023-08-03 19:12:22 +00:00
[PHP-malware-finder](https://github.com/nbs-system/php-malware-finder)尽其所能检测混淆/可疑代码,以及使用在恶意软件/ Web Shell中经常使用的PHP函数的文件。
2023-08-03 19:12:22 +00:00
### Apple二进制签名
2023-08-03 19:12:22 +00:00
在检查一些恶意软件样本时,您应该始终检查二进制文件的签名,因为签名它的开发者可能已经与恶意软件有关。
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the apps contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
2023-08-03 19:12:22 +00:00
## 检测技术
2023-08-03 19:12:22 +00:00
### 文件堆叠
2023-08-03 19:12:22 +00:00
如果你知道一个包含网页服务器**文件**的文件夹在**某个日期**之后**最后更新**过。**检查**网页服务器上所有**文件**的创建和修改**日期**,如果有任何**可疑**日期,检查该文件。
2023-08-03 19:12:22 +00:00
### 基准线
2023-08-03 19:12:22 +00:00
如果一个文件夹的文件**不应该被修改**,你可以计算文件夹中**原始文件**的**哈希值**,并与**当前文件**进行**比较**。任何被修改的文件都是**可疑**的。
2023-08-03 19:12:22 +00:00
### 统计分析
2023-08-03 19:12:22 +00:00
当信息保存在日志中时,你可以**检查统计数据**,比如一个网页服务器的每个文件被访问的次数,因为其中可能有一个**Web shell**。
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
* 你在一家**网络安全公司**工作吗你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
2022-04-28 16:01:33 +00:00
</details>