maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/generic-methodologies-and-resources/basic-forensic-meth

Browse Source
This commit is contained in:
Translator 2025-07-13 02:49:38 +00:00
parent 7c417aa491
commit e56b9b335f
1 changed files with 99 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
View File

@ -2,7 +2,7 @@
{{#include ../../banners/hacktricks-training.md}}
## Vidokezo vya Forensics
## Karatasi za Udanganyifu za Forensics
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
@ -25,7 +25,7 @@ sudo apt-get install -y yara
#### Andaa sheria
Tumia skripti hii kupakua na kuunganisha sheria zote za yara malware kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Unda saraka ya _**rules**_ na uifanye. Hii itaunda faili inayoitwa _**malware_rules.yar**_ ambayo ina sheria zote za yara za malware.
Unda saraka ya _**rules**_ na uitekeleze. Hii itaunda faili inayoitwa _**malware_rules.yar**_ ambayo ina sheria zote za yara za malware.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
@ -38,7 +38,7 @@ yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Angalia kwa malware na Unda sheria
Unaweza kutumia chombo [**YaraGen**](https://github.com/Neo23x0/yarGen) kuunda sheria za yara kutoka kwa binary. Angalia mafunzo haya: [**Sehemu ya 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Sehemu ya 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Sehemu ya 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
@ -49,7 +49,7 @@ python3.exe yarGen.py --excludegood -m ../../mals/
```
sudo apt-get install -y clamav
```
#### Skana
#### Scan
```bash
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
@ -57,7 +57,7 @@ clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)
**Capa** inagundua **uwezo** ambao unaweza kuwa na madhara katika executable: PE, ELF, .NET. Hivyo itapata mambo kama mbinu za Att\&ck, au uwezo wa kutatanisha kama:
**Capa** inagundua uwezo wa **hatari** katika executable: PE, ELF, .NET. Hivyo itapata mambo kama mbinu za Att\&ck, au uwezo wa kushangaza kama:
- angalia kosa la OutputDebugString
- endesha kama huduma
@ -67,15 +67,15 @@ Pata katika [**Github repo**](https://github.com/mandiant/capa).
### IOCs
IOC inamaanisha Kielelezo cha Kuathiriwa. IOC ni seti ya **masharti yanayobaini** baadhi ya programu zisizohitajika au **malware** iliyothibitishwa. Blue Teams hutumia aina hii ya ufafanuzi ili **kutafuta aina hii ya faili zenye madhara** katika **mifumo** yao na **mitandao**.\
Kushiriki ufafanuzi huu ni muhimu sana kwani wakati malware inatambuliwa kwenye kompyuta na IOC kwa malware hiyo inaundwa, Blue Teams wengine wanaweza kuitumia ili kutambua malware haraka.
IOC inamaanisha Kielelezo cha Kuathiriwa. IOC ni seti ya **masharti yanayobaini** baadhi ya programu zisizohitajika au **malware** iliyothibitishwa. Timu za Blue hutumia aina hii ya ufafanuzi ili **kutafuta aina hii ya faili za hatari** katika **mifumo** yao na **mitandao**.\
Kushiriki ufafanuzi huu ni muhimu sana kwani wakati malware inatambuliwa kwenye kompyuta na IOC kwa malware hiyo inaundwa, timu nyingine za Blue zinaweza kuitumia ili kutambua malware hiyo haraka.
Zana ya kuunda au kubadilisha IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) ili **kutafuta IOCs zilizofafanuliwa katika kifaa**.
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) ili **kutafuta IOCs zilizofafanuliwa kwenye kifaa**.
### Loki
[**Loki**](https://github.com/Neo23x0/Loki) ni skana kwa ajili ya Viashiria Rahisi vya Kuathiriwa.\
[**Loki**](https://github.com/Neo23x0/Loki) ni skana ya Viashiria Rahisi vya Kuathiriwa.\
Ugunduzi unategemea mbinu nne za ugunduzi:
```
1. File Name IOC
@ -92,7 +92,7 @@ Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, ambayo imeundwa kuzingatia vitisho vinavyokabiliwa katika mazingira ya mwenyeji wa pamoja. Inatumia data za vitisho kutoka kwa mifumo ya kugundua uvamizi kwenye mpaka wa mtandao ili kutoa malware inayotumika kwa shambulio na kuunda saini za kugundua. Zaidi ya hayo, data za vitisho pia zinatokana na michango ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii ya malware.
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, ambayo imeundwa kuzingatia vitisho vinavyokabiliwa katika mazingira ya mwenyeji wa pamoja. Inatumia data za vitisho kutoka kwa mifumo ya kugundua uvamizi kwenye ukingo wa mtandao ili kutoa malware inayotumika kwa shambulio na kuunda saini za kugundua. Zaidi ya hayo, data za vitisho pia zinatokana na michango ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii ya malware.
### rkhunter
@ -106,11 +106,11 @@ sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--sk
### PEpper
[PEpper](https://github.com/Th3Hurrican3/PEpper) inakagua mambo ya msingi ndani ya executable (data ya binary, entropy, URLs na IPs, baadhi ya sheria za yara).
[PEpper ](https://github.com/Th3Hurrican3/PEpper) inakagua mambo ya msingi ndani ya executable (data ya binary, entropy, URLs na IPs, baadhi ya sheria za yara).
### PEstudio
[PEstudio](https://www.winitor.com/download) ni chombo kinachoruhusu kupata taarifa za Windows executables kama vile imports, exports, headers, lakini pia kitakagua virus total na kupata mbinu za Att\&ck zinazoweza kutokea.
[PEstudio](https://www.winitor.com/download) ni chombo kinachoruhusu kupata taarifa za Windows executables kama vile imports, exports, headers, lakini pia kitakagua virus total na kupata mbinu za Att\&ck zinazoweza kuwa.
### Detect It Easy(DiE)
@ -118,7 +118,7 @@ sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--sk
### NeoPI
[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia mbinu mbalimbali za **statistical methods** kugundua maudhui yaliyofichwa na **encrypted** ndani ya faili za maandiko/script. Lengo la NeoPI ni kusaidia katika **detection of hidden web shell code**.
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia mbinu mbalimbali za **statistical methods** kugundua maudhui yaliyofichwa na **encrypted** ndani ya faili za maandiko/script. Kusudi lililokusudiwa la NeoPI ni kusaidia katika **detection of hidden web shell code**.
### **php-malware-finder**
@ -126,7 +126,7 @@ sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--sk
### Apple Binary Signatures
Unapokagua baadhi ya **malware sample** unapaswa kila wakati **check the signature** ya binary kwani **developer** aliyeisaini anaweza kuwa tayari **related** na **malware.**
Unapokagua baadhi ya **malware sample** unapaswa kila wakati **check the signature** ya binary kwani **developer** aliyeisaini inaweza kuwa tayari **related** na **malware.**
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
@ -141,14 +141,96 @@ spctl --assess --verbose /Applications/Safari.app
### Kuunganisha Faili
Ikiwa unajua kwamba folda fulani inayoshikilia **faili** za seva ya wavuti ilikua **imepitiwa mara ya mwisho kwenye tarehe fulani**. **Angalia** **tarehe** zote za **faili** katika **seva ya wavuti** zilipoundwa na kubadilishwa na ikiwa tarehe yoyote ni **ya kushangaza**, angalia faili hiyo.
Ikiwa unajua kwamba folda fulani inayoshikilia **faili** za seva ya wavuti ilifanywa **kupdate kwa tarehe fulani**. **Angalia** **tarehe** zote za **faili** katika **seva ya wavuti zilizoumbwa na kubadilishwa** na ikiwa tarehe yoyote ni **ya kushangaza**, angalia faili hiyo.
### Msingi
Ikiwa faili za folda **hazipaswi kubadilishwa**, unaweza kuhesabu **hash** ya **faili za asili** za folda na **kulinganisha** na zile **za sasa**. Kila kitu kilichobadilishwa kitakuwa **cha kushangaza**.
Ikiwa faili za folda **hazipaswi kubadilishwa**, unaweza kuhesabu **hash** ya **faili za asili** za folda na **kulinganisha** na zile za **sasa**. Kila kitu kilichobadilishwa kitakuwa **cha kushangaza**.
### Uchambuzi wa Takwimu
Wakati taarifa zimehifadhiwa katika kumbukumbu unaweza **kuangalia takwimu kama vile ni mara ngapi kila faili ya seva ya wavuti ilifikiriwa kama shell ya wavuti inaweza kuwa moja ya** nyingi zaidi.
Wakati habari inahifadhiwa katika kumbukumbu unaweza **kuangalia takwimu kama vile ni mara ngapi kila faili ya seva ya wavuti ilifikiriwa kama shell ya wavuti inaweza kuwa moja ya**.
---
## Kuondoa Ufafanuzi wa Mwelekeo wa Kudumu (JMP/CALL RAX Dispatchers)
Familia za kisasa za malware zinatumia sana ufichaji wa Mchoro wa Mwelekeo (CFG): badala ya kuruka/kuita moja kwa moja wanahesabu marudio wakati wa utendaji na kutekeleza `jmp rax` au `call rax`. *Dispatcher* ndogo (kawaida maagizo tisa) inaweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeleaji wa static CFG.
Mbinu hii iliyowasilishwa na mzigo wa SLOW#TEMPEST inaweza kushindwa kwa mchakato wa hatua tatu unaotegemea tu IDAPython na emulator ya CPU ya Unicorn.
### 1. Pata kila kuruka / kuita isiyo ya moja kwa moja
```python
import idautils, idc
for ea in idautils.FunctionItems(idc.here()):
mnem = idc.print_insn_mnem(ea)
if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
print(f"[+] Dispatcher found @ {ea:X}")
```
### 2. Toa byte-code ya dispatcher
```python
import idc
def get_dispatcher_start(jmp_ea, count=9):
s = jmp_ea
for _ in range(count):
s = idc.prev_head(s, 0)
return s
start = get_dispatcher_start(jmp_ea)
size = jmp_ea + idc.get_item_size(jmp_ea) - start
code = idc.get_bytes(start, size)
open(f"{start:X}.bin", "wb").write(code)
```
### 3. Iiga mara mbili kwa kutumia Unicorn
```python
from unicorn import *
from unicorn.x86_const import *
import struct
def run(code, zf=0, cf=0):
BASE = 0x1000
mu = Uc(UC_ARCH_X86, UC_MODE_64)
mu.mem_map(BASE, 0x1000)
mu.mem_write(BASE, code)
mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
mu.reg_write(UC_X86_REG_RAX, 0)
mu.emu_start(BASE, BASE+len(code))
return mu.reg_read(UC_X86_REG_RAX)
```
Kimbia `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya tawi *false* na *true*.
### 4. Rudisha nyuma kuruka moja kwa moja / wito
```python
import struct, ida_bytes
def patch_direct(ea, target, is_call=False):
op = 0xE8 if is_call else 0xE9 # CALL rel32 or JMP rel32
disp = target - (ea + 5) & 0xFFFFFFFF
ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
```
Baada ya kurekebisha, kulazimisha IDA kuchambua tena kazi ili CFG kamili na matokeo ya Hex-Rays yarudishwe:
```python
import ida_auto, idaapi
idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
```
### 5. Label indirect API calls
Mara tu marudio halisi ya kila `call rax` yanapojulikana unaweza kumwambia IDA ni nini ili aina za parameta na majina ya mabadiliko yaweze kurejeshwa kiotomatiki:
```python
idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
```
### Faida za Kivitendo
* Inarejesha CFG halisi → decompilation inabadilika kutoka *10* mistari hadi maelfu.
* Inaruhusu cross-reference za nyuzi & xrefs, ikifanya ujenzi wa tabia kuwa rahisi.
* Scripts zinaweza kutumika tena: ziacha kwenye loader yoyote iliyo na ulinzi wa hila hiyo hiyo.
---
## Marejeleo
- [Unit42 Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
{{#include ../../banners/hacktricks-training.md}}