Malware Analysis
{{#include ../../banners/hacktricks-training.md}}
Forensics CheatSheets
https://www.jaiminton.com/cheatsheet/DFIR/#
Online Services
Offline Antivirus and Detection Tools
Yara
Install
```bash
sudo apt-get install -y yara
```
Prepare rules
Use this script to download and merge all the yara malware rules from GitHub: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and run it. This creates a file called malware_rules.yar that contains all the yara rules for malware.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
Scan
```bash
yara -w malware_rules.yar image   # Scan 1 file
yara -w malware_rules.yar folder  # Scan the whole folder
```
YaraGen: Check malware and create yara rules
You can use the tool YaraGen (the yarGen.py script) to generate yara rules from a binary. Check these tutorials: Part 1, Part 2, Part 3
```bash
python3 yarGen.py --update                        # refresh the goodware/string databases first
python3.exe yarGen.py --excludegood -m ../../mals/  # generate rules for the samples in ../../mals/
```
ClamAV
Install
```bash
sudo apt-get install -y clamav
```
Scan
```bash
sudo freshclam        # Update rules
clamscan filepath     # Scan 1 file
clamscan folderpath   # Scan the whole folder
```
Capa
Capa detects potentially malicious capabilities in executables: PE, ELF, .NET. So it will find things like Att&ck tactics, or suspicious capabilities such as:
- check for OutputDebugString error
- run as a service
- create process
Get it from the Github repo.
IOCs
IOC means Indicator Of Compromise. An IOC is a set of conditions that identifies some potentially unwanted software or confirmed malware. Blue Teams use this kind of definition to search for this kind of malicious file in their systems and networks.
Sharing these definitions is very useful: when malware is identified on a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
A tool to create or modify IOCs is IOC Editor.
You can use tools such as Redline to search for the defined IOCs on a device.
Loki
Loki is a scanner for Simple Indicators of Compromise.
Detection is based on four detection methods:
1. File Name IOC: regex match on full file path/name
2. Yara Rule Check: Yara signature matches on file data and process memory
3. Hash Check: compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check: compares process connection endpoints with C2 IOCs (new since version v.10)
Linux Malware Detect
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions through the LMD checkout feature and from malware community resources.
rkhunter
Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
FLOSS
FLOSS is a tool that will try to find obfuscated strings inside executables using different techniques.
PEpper
PEpper checks some basic things inside the executable (binary data, entropy, URLs and IPs, some yara rules).
PEstudio
PEstudio is a tool that allows you to get information about Windows executables such as imports, exports and headers, but it will also check VirusTotal and find potential Att&ck techniques.
Detect It Easy(DiE)
DiE is a tool to detect whether a file is encrypted and also to find packers.
NeoPI
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code.
php-malware-finder
PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.
Apple Binary Signatures
When checking some malware sample you should always check the signature of the binary, as the developer that signed it may already be related to malware.
```bash
# Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
# Check if the app's contents have been modified
codesign --verify --verbose /Applications/Safari.app
# Check if the signature is valid (Gatekeeper assessment)
spctl --assess --verbose /Applications/Safari.app
```
Detection Techniques
File Stacking
If you know that some folder containing the files of a web server was last updated on a given date, check the dates on which all the files in the web server were created and modified, and if any date is suspicious, check that file.
Baselines
If the files of a folder shouldn't have been modified, you can calculate the hashes of the original files of the folder and compare them with the current ones. Anything that has changed is suspicious.
Statistical Analysis
When the information is saved in logs you can check statistics such as how many times each file of the web server was accessed, as a web shell might be one of the most accessed.
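The three checks above, combined in one added Python example that is not part of the original page: it builds a throwaway web root and a handful of constructed access-log lines, then runs the hash baseline diff, the timestamp stack and a per-path hit/client count. The function names, the simulated intrusion in demo() and the log format (Apache/nginx combined) are my choices, not something the page prescribes.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone
from pathlib import Path


def hash_tree(root):
    """Baseline: map each regular file (relative, POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline, current):
    """Compare two hash_tree() snapshots; every entry in these lists deserves a look."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def files_modified_after(root, cutoff):
    """File stacking by timestamp: files whose mtime is later than the last legitimate deploy."""
    root = Path(root)
    cutoff_ts = cutoff.timestamp()
    return sorted(
        p.relative_to(root).as_posix() for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > cutoff_ts
    )


# Apache/nginx combined log format; only the fields the statistics need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def access_stats(log_lines):
    """Per request path (query string stripped): number of hits and number of distinct client IPs."""
    hits = Counter()
    clients = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:            # malformed lines are skipped, not fatal
            continue
        path = m.group("path").split("?", 1)[0]
        hits[path] += 1
        clients[path].add(m.group("ip"))
    return {p: {"hits": hits[p], "clients": len(clients[p])} for p in hits}


def single_client_paths(stats):
    """Paths only ever requested by one IP: typical of an attacker's private web shell."""
    return sorted(p for p, s in stats.items() if s["clients"] == 1)


def demo():
    """Build a tiny web root, simulate an intrusion after the deploy date, run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hi';")
        (root / "inc").mkdir()
        (root / "inc" / "db.php").write_text("<?php // db config")
        baseline = hash_tree(root)

        deploy = datetime(2024, 1, 1, tzinfo=timezone.utc)          # last known-good deploy
        for p in root.rglob("*"):
            os.utime(p, (deploy.timestamp(), deploy.timestamp()))
        # Simulated compromise: one file backdoored, one web shell dropped, both dated later.
        (root / "inc" / "db.php").write_text("<?php eval($_POST['c']); // db config")
        (root / "uploads.php").write_text("<?php system($_GET['cmd']);")
        later = datetime(2024, 3, 15, tzinfo=timezone.utc).timestamp()
        for p in (root / "inc" / "db.php", root / "uploads.php"):
            os.utime(p, (later, later))

        changes = diff_baseline(baseline, hash_tree(root))
        recent = files_modified_after(root, deploy)

    log = [  # constructed sample access-log lines
        '10.0.0.5 - - [15/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
        '10.0.0.6 - - [15/Mar/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512',
        '10.0.0.7 - - [15/Mar/2024:10:00:03 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
        '203.0.113.9 - - [15/Mar/2024:10:05:00 +0000] "POST /uploads.php?cmd=id HTTP/1.1" 200 77',
        '203.0.113.9 - - [15/Mar/2024:10:05:09 +0000] "POST /uploads.php?cmd=whoami HTTP/1.1" 200 30',
        'not a log line',
    ]
    stats = access_stats(log)
    return {"changes": changes, "recent": recent, "stats": stats,
            "single_client": single_client_paths(stats)}


if __name__ == "__main__":
    print(demo())
```

Both ends of the access distribution are worth reviewing: the page's point is that a shell may be among the most-hit paths, and the distinct-client count catches the opposite case where a single IP is the only visitor of a file nobody else requests.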
Android in-app native telemetry (no root)
On Android you can instrument native code inside the target app's process by preloading a small logger library before the other JNI libraries are initialised. This gives early visibility into native behaviour without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the right ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., in a static initializer or Application.onCreate), then collect the logs from the internal/external paths or fall back to Logcat.
See the Android native reversing page for setup details and log paths:
{{#ref}} ../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md {{#endref}}
Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
Modern malware families abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run time and execute `jmp rax` or `call rax`. A small dispatcher (typically nine instructions) sets the final target depending on the CPU flags ZF/CF, completely breaking static CFG recovery.
The technique, showcased by the SLOW#TEMPEST loader, can be defeated with a workflow that relies only on IDAPython and the Unicorn CPU emulator.
1. Locate every indirect jump / call
```python
import idautils, idc

dispatchers = []
for ea in idautils.FuncItems(idc.here()):   # idautils.FuncItems (there is no FunctionItems)
    mnem = idc.print_insn_mnem(ea)
    if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
        print(f"[+] Dispatcher found @ {ea:X}")
        dispatchers.append(ea)
```
2. Extract the dispatcher byte-code
```python
import idc

def get_dispatcher_start(jmp_ea, count=9):
    """Walk back `count` instructions from the indirect jmp/call to the start of the dispatcher."""
    s = jmp_ea
    for _ in range(count):
        s = idc.prev_head(s, 0)
    return s

def dump_dispatcher(jmp_ea):
    start = get_dispatcher_start(jmp_ea)
    # Stop before the jmp/call rax itself: the emulator in the next step must halt with
    # RAX = target instead of following the branch into unmapped memory.
    code = idc.get_bytes(start, jmp_ea - start)
    open(f"{start:X}.bin", "wb").write(code)
    return start, code
```
3. Emulate it twice with Unicorn
```python
from unicorn import Uc, UC_ARCH_X86, UC_MODE_64
from unicorn.x86_const import UC_X86_REG_RAX, UC_X86_REG_RFLAGS

def run(code, base, zf=0, cf=0):
    """Emulate the dispatcher bytes at their real address with the given flag state; return RAX."""
    page = base & ~0xFFF
    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(page, 0x2000)                 # map at the real address so position-dependent operands are right
    mu.mem_write(base, code)
    mu.reg_write(UC_X86_REG_RFLAGS, 0x2 | (zf << 6) | cf)   # bit 1 is always set; ZF = bit 6, CF = bit 0
    mu.reg_write(UC_X86_REG_RAX, 0)
    mu.emu_start(base, base + len(code))     # halts right before the jmp/call rax
    return mu.reg_read(UC_X86_REG_RAX)
```
With `start, code = dump_dispatcher(jmp_ea)`, run `run(code, start, 0, 0)` and `run(code, start, 1, 1)` to obtain the false and true branch targets. If both calls return the same address the dispatcher is an unconditional branch; if they differ it is a conditional one and both targets must be kept.
4. Patch back a direct jump / call
```python
import struct, ida_bytes

def patch_direct(start, end, target, is_call=False):
    # Patch from the dispatcher start: the 2-byte `jmp rax` cannot hold a 5-byte rel32 branch.
    op = 0xE8 if is_call else 0xE9                    # CALL rel32 or JMP rel32
    disp = (target - (start + 5)) & 0xFFFFFFFF        # relative to the end of the new instruction
    patch = bytes([op]) + struct.pack('<I', disp)
    ida_bytes.patch_bytes(start, patch + b'\x90' * (end - start - len(patch)))  # NOP-fill the rest
```
`end` is the address right after the original `jmp rax`/`call rax`. After patching, force IDA to re-analyse the function so the full CFG and the Hex-Rays output come back:
```python
import ida_auto, ida_funcs

ida_funcs.reanalyze_function(ida_funcs.get_func(start))   # takes a func_t, not an address
ida_auto.auto_wait()
```
5. Label indirect API calls
Once the real destination of every `call rax` is known, you can tell IDA what it is so that parameter types and variable names are recovered automatically:
```python
idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+; resolved_addr comes from the emulation step
```
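The rel32 encoding behind step 4, factored into plain Python as an added example (not the Unit42 write-up's code nor the page's IDA scripts) so the patch bytes can be checked outside IDA before they are written. It also handles the case the one-line patch above does not: when the two emulation runs return different targets, the dispatcher is a conditional branch and gets a `Jcc rel32` (taken when the flag is set) followed by a `JMP rel32`. Which flag to key on (ZF via JZ, CF via JB) you decide by reading the dispatcher's cmov/setcc; the function names and the `flag` argument are mine.

```python
import struct

JMP_REL32 = b"\xE9"
CALL_REL32 = b"\xE8"
# Jcc rel32 opcodes for the two flags the dispatcher keys on: JZ (ZF=1) and JB (CF=1).
JCC_REL32 = {"zf": b"\x0F\x84", "cf": b"\x0F\x82"}
NOP = b"\x90"


def rel32(ins_ea, ins_len, target):
    """Displacement of a rel32 branch: relative to the end of the instruction, signed 32-bit."""
    disp = target - (ins_ea + ins_len)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError(f"target {target:#x} not reachable with rel32 from {ins_ea:#x}")
    return struct.pack("<i", disp)


def encode_patch(disp_ea, disp_len, target_false, target_true, is_call=False, flag="zf"):
    """
    Bytes that overwrite the whole dispatcher [disp_ea, disp_ea+disp_len), i.e. the flag-dependent
    setup plus the trailing jmp/call rax, with direct branches to the emulated targets:
      * same target under both flag states -> a single JMP/CALL rel32
      * different targets                  -> Jcc rel32 (flag set) + JMP rel32 (flag clear)
    Unused bytes are NOP-filled so the disassembler resynchronises cleanly.
    """
    if is_call and target_false != target_true:
        raise ValueError("conditional CALL dispatcher: resolve it by hand")
    out = b""
    ea = disp_ea
    if target_false != target_true:
        op = JCC_REL32[flag]
        out += op + rel32(ea, len(op) + 4, target_true)
        ea += len(op) + 4
    op = CALL_REL32 if is_call else JMP_REL32
    out += op + rel32(ea, 5, target_false)
    if len(out) > disp_len:
        raise ValueError(f"dispatcher too short: need {len(out)} bytes, have {disp_len}")
    return out + NOP * (disp_len - len(out))


def decode_patch(disp_ea, patch):
    """Decode only the instructions encode_patch emits, to eyeball the result before writing it."""
    out, off = [], 0
    while off < len(patch):
        b = patch[off]
        if b == 0x90:
            off += 1
        elif b in (0xE9, 0xE8):
            disp = struct.unpack_from("<i", patch, off + 1)[0]
            out.append(("jmp" if b == 0xE9 else "call", disp_ea + off + 5 + disp))
            off += 5
        elif b == 0x0F and patch[off + 1] in (0x84, 0x82):
            disp = struct.unpack_from("<i", patch, off + 2)[0]
            out.append(("jz" if patch[off + 1] == 0x84 else "jb", disp_ea + off + 6 + disp))
            off += 6
        else:
            raise ValueError(f"unexpected byte {b:#x} at offset {off}")
    return out


if __name__ == "__main__":
    # Hypothetical addresses: a 16-byte dispatcher at 0x401000 resolving to two targets.
    p = encode_patch(0x401000, 16, target_false=0x402000, target_true=0x403000)
    print(p.hex(), decode_patch(0x401000, p))
```

Inside IDA the returned bytes go straight to `ida_bytes.patch_bytes(disp_ea, patch)`; the length check matters because a nine-instruction dispatcher is normally far longer than the 11 bytes a conditional patch needs, but a shorter variant would otherwise be silently overwritten past its end.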
Practical benefits
- Restores the real CFG → decompilation goes from 10 lines to thousands.
- Enables string cross-references & xrefs, making behaviour reconstruction trivial.
- The scripts are reusable: drop them into any loader protected by the same trick.
References
- Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
- SoTap: logger mwepesi wa tabia ndani ya app wa JNI (.so) – github.com/RezaArbabBot/SoTap
{{#include ../../banners/hacktricks-training.md}}