2025-09-04 09:17:14 +00:00


# Malware Analysis
{{#include ../../banners/hacktricks-training.md}}
## Forensics CheatSheets
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
## Online Services
- [VirusTotal](https://www.virustotal.com/gui/home/upload)
- [HybridAnalysis](https://www.hybrid-analysis.com)
- [Koodous](https://koodous.com)
- [Intezer](https://analyze.intezer.com)
- [Any.Run](https://any.run/)
## Offline Antivirus and Detection Tools
### Yara
#### Install
```bash
sudo apt-get install -y yara
```
#### Prepare rules
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Create the _**rules**_ directory and run it. This will create a file called _**malware_rules.yar**_ that contains all the yara rules for malware.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Scan
```bash
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Check for malware and create yara rules
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
```
### ClamAV
#### Install
```bash
sudo apt-get install -y clamav
```
#### Scan
```bash
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)
**Capa** detects potentially malicious **capabilities** in executables: PE, ELF, .NET. So it will find things like Att\&ck tactics, or suspicious capabilities such as:
- check for OutputDebugString error
- run as a service
- create process
Get it from the [**Github repo**](https://github.com/mandiant/capa).
### IOCs
IOC means Indicator Of Compromise. An IOC is a set of **conditions that identify** some potentially unwanted software or confirmed **malware**. Blue Teams use this kind of definition to **search for these kinds of malicious files** in their **systems** and **networks**.\
Sharing these definitions is very useful because, once malware is identified on a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for the defined IOCs on a device**.
### Loki
[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\
Detection is based on four detection methods:
```
1. File Name IOC
Regex match on full file path/name
2. Yara Rule Check
Yara signature matches on file data and process memory
3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
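The first three Loki checks (file-name regex, Yara, hash comparison) reduce to matching each file on disk against a set of indicators. The following is an added example, not Loki's code and not part of the original page: it implements the file-name and hash checks in pure Python over a constructed directory tree. The IOC regexes, the sample files and the "known bad" digest are all made up for the demo; a real scan would load its indicators from the IOC files a Blue Team shares.

```python
import hashlib
import os
import re
import tempfile

# Constructed IOC definitions (illustrative only, not real indicators).
# File-name IOCs are regexes matched against the full path, as Loki does.
FILENAME_IOCS = [
    re.compile(r"[\\/]\.[\w-]+\.sh$"),      # hidden shell script, e.g. /var/tmp/.x.sh
    re.compile(r"(?i)[\\/]svch0st\.exe$"),  # look-alike of a system binary name
]


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha1, sha256) hex digests, reading the file once in chunks."""
    hashers = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashers)


def scan_file(path, filename_iocs, hash_iocs):
    """Apply the file-name and hash checks to one file; return a list of (check, detail) hits."""
    hits = []
    for rx in filename_iocs:
        if rx.search(path):
            hits.append(("filename", rx.pattern))
    for alg, digest in zip(("md5", "sha1", "sha256"), hash_file(path)):
        if digest in hash_iocs:
            hits.append(("hash", f"{alg}:{digest} ({hash_iocs[digest]})"))
    return hits


def scan_tree(root, filename_iocs, hash_iocs):
    """Walk `root` and return {relative path: hits} for every file matching at least one IOC."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, filename_iocs, hash_iocs)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Build a constructed directory tree and scan it; returns the findings dict."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    samples = {
        "index.html": b"<html>benign page</html>",            # clean
        ".cache.sh": b"#!/bin/sh\necho constructed sample\n",  # matches a file-name IOC
        "update.bin": b"CONSTRUCTED-SAMPLE-BYTES",            # will match a hash IOC
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    # Register the SHA256 of the constructed sample as a "known bad" hash.
    hash_iocs = {hash_file(os.path.join(root, "update.bin"))[2]: "constructed-sample"}
    return scan_tree(root, FILENAME_IOCS, hash_iocs)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

Hashing once and feeding all three digests lets the same pass serve MD5, SHA1 and SHA256 indicators, which matters when scanning large trees; the Yara and C2 checks would slot into `scan_file` as further checks.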
### Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions through the LMD checkout feature and from malware community resources.
### rkhunter
Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS
[**FLOSS**](https://github.com/mandiant/flare-floss) is a tool that tries to find obfuscated strings inside executables using different techniques.
### PEpper
[PEpper](https://github.com/Th3Hurrican3/PEpper) checks some basic things inside the executable (binary data, entropy, URLs and IPs, some yara rules).
### PEstudio
[PEstudio](https://www.winitor.com/download) is a tool that allows getting information about Windows executables such as imports, exports and headers, but it will also check VirusTotal and find potential Att\&ck techniques.
### Detect It Easy(DiE)
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is a tool to detect whether a file is **encrypted** and also to find **packers**.
### NeoPI
[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
### **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malware**/webshells.
### Apple Binary Signatures
When checking some **malware sample** you should always **check the signature** of the binary, as the **developer** that signed it may already be **related** to **malware**.
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the apps contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Detection Techniques
### File Stacking
If you know that some folder containing the **files** of a web server was **last updated on some date**, **check** the **date** all the **files** on the **web server** were created and modified, and if any date is **suspicious**, check that file.
### Baselines
If the **files** of a folder **shouldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
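The two checks above (file stacking by modification time, and hashing a known-good baseline) are shown together in the following added example, which is not part of the original page. It builds a constructed web root in a temporary directory, snapshots it, simulates a file being altered and a new file being dropped after the last legitimate deploy, and reports both the baseline diff and every file whose mtime is later than the deploy. Paths, contents and the deploy timestamp are all constructed for the demo.

```python
import hashlib
import os
import tempfile
import time


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map every file under `root` (relative path) to its SHA-256 at snapshot time."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_file(path)
    return baseline


def diff_baseline(root, baseline):
    """Compare the current tree with a saved baseline: added, removed and modified files."""
    current = take_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def stack_by_mtime(root, last_known_update):
    """File stacking: files whose modification time is later than the last legitimate deploy."""
    suspicious = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            if mtime > last_known_update:
                suspicious.append((os.path.relpath(path, root), mtime))
    return sorted(suspicious)


def demo():
    """Constructed scenario: a deployed web root, a baseline, then post-deploy tampering."""
    root = tempfile.mkdtemp(prefix="webroot-")
    deploy_time = time.time() - 1  # the last legitimate deployment, one second ago
    deployed = {"index.php": b"<?php echo 'home';", "about.php": b"<?php echo 'about';"}
    for name, body in deployed.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (deploy_time - 86400, deploy_time - 86400))  # deployed a day before
    baseline = take_baseline(root)

    # Tampering after the deploy: one file altered, one new file dropped (constructed markers).
    with open(os.path.join(root, "index.php"), "ab") as fh:
        fh.write(b"\n/* constructed marker: appended after deploy */")
    with open(os.path.join(root, "c.php"), "wb") as fh:
        fh.write(b"<?php /* constructed marker: new file after deploy */")

    return diff_baseline(root, baseline), stack_by_mtime(root, deploy_time)


if __name__ == "__main__":
    changes, late_files = demo()
    print("baseline diff:", changes)
    print("modified after deploy:", [p for p, _ in late_files])
```

The baseline dictionary is what you would persist (for example as JSON) at deploy time; the mtime pass needs no prior snapshot, which is why it is useful when no baseline was ever taken, but an attacker can reset timestamps, so the hash comparison is the stronger of the two.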
### Statistical Analysis
When the information is saved in logs you can **check statistics, such as how many times each file of the web server was accessed, as a web shell might be one of the most accessed**.
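An added example of the statistical check above (not part of the original page): it parses constructed access-log lines in the common Apache/nginx request-line layout, counts hits per path with the query string stripped, and ranks paths by request count. The distinct-client count, the POST ratio and the "many hits from a single client" heuristic are additions of this example, not something the page states; the log lines, IPs and paths are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined"-style line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = """
198.51.100.10 - - [04/Sep/2025:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.11 - - [04/Sep/2025:09:00:05 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.12 - - [04/Sep/2025:09:00:09 +0000] "GET /about.php HTTP/1.1" 200 300
198.51.100.13 - - [04/Sep/2025:09:00:12 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [04/Sep/2025:09:01:00 +0000] "POST /uploads/c.php HTTP/1.1" 200 90
203.0.113.7 - - [04/Sep/2025:09:01:03 +0000] "POST /uploads/c.php?f=1 HTTP/1.1" 200 40
203.0.113.7 - - [04/Sep/2025:09:01:08 +0000] "POST /uploads/c.php HTTP/1.1" 200 1200
203.0.113.7 - - [04/Sep/2025:09:01:15 +0000] "GET /uploads/c.php HTTP/1.1" 200 60
203.0.113.7 - - [04/Sep/2025:09:01:20 +0000] "POST /uploads/c.php HTTP/1.1" 200 75
198.51.100.14 - - [04/Sep/2025:09:02:00 +0000] "GET /index.php HTTP/1.1" 200 512
garbage line that does not parse and must be skipped
""".strip().splitlines()


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def access_stats(lines):
    """Per path: hit count, set of distinct client IPs and a method counter (query string stripped)."""
    hits, clients, methods = Counter(), defaultdict(set), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        hits[path] += 1
        clients[path].add(rec["ip"])
        methods[path][rec["method"]] += 1
    return hits, clients, methods


def rank_paths(lines, top=10):
    """Most-requested paths first, with the distinct-client count and POST ratio alongside."""
    hits, clients, methods = access_stats(lines)
    return [
        {"path": p, "hits": n, "clients": len(clients[p]), "post_ratio": methods[p]["POST"] / n}
        for p, n in hits.most_common(top)
    ]


def flag_single_client_hotspots(rows, min_hits=3):
    """Heuristic added here: a frequently requested path seen from a single client stands out."""
    return [r["path"] for r in rows if r["hits"] >= min_hits and r["clients"] == 1]


if __name__ == "__main__":
    rows = rank_paths(SAMPLE_LOG)
    for r in rows:
        print(f'{r["hits"]:4d} hits {r["clients"]:3d} clients POST={r["post_ratio"]:.2f} {r["path"]}')
    print("single-client hotspots:", flag_single_client_hotspots(rows))
```

On a real server, feed `rank_paths` the lines of the access log for the suspicious period and read the top of the ranking next to the client and method columns: a legitimate popular page is requested by many clients, mostly with GET.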
---
### Android in-app native telemetry (no root)
On Android, you can instrument native code inside the target app's process by preloading a small logger library before the other JNI libraries are initialised. This gives early visibility into native behaviour without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the correct ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., in a static initializer or Application.onCreate), then collect the logs from internal/external paths or fall back to Logcat.
See the Android native reversing page for setup details and log paths:
{{#ref}}
../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
{{#endref}}
---
## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run time and execute `jmp rax` or `call rax`. A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
The technique showcased by the SLOW#TEMPEST loader can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
### 1. Locate every indirect jump / call
```python
import idautils, idc

# Walk every instruction of the function under the cursor and report the indirect branches.
for ea in idautils.FunctionItems(idc.here()):
    mnem = idc.print_insn_mnem(ea)
    if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
        print(f"[+] Dispatcher found @ {ea:X}")
```
### 2. Extract the dispatcher byte-code
```python
import idc

def get_dispatcher_start(jmp_ea, count=9):
    """Walk back `count` instructions from the indirect branch to reach the dispatcher start."""
    s = jmp_ea
    for _ in range(count):
        s = idc.prev_head(s, 0)
    return s

jmp_ea = idc.here()  # cursor placed on a `jmp rax` / `call rax` found in step 1
start = get_dispatcher_start(jmp_ea)
size = jmp_ea + idc.get_item_size(jmp_ea) - start  # dispatcher plus the indirect branch itself
code = idc.get_bytes(start, size)
with open(f"{start:X}.bin", "wb") as f:
    f.write(code)
```
### 3. Emulate it twice with Unicorn
```python
from unicorn import *
from unicorn.x86_const import *

def run(code, zf=0, cf=0):
    """Execute the dispatcher bytes with the given ZF/CF and return the target left in RAX."""
    BASE = 0x1000
    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(BASE, 0x1000)
    mu.mem_write(BASE, code)
    mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)  # ZF is bit 6, CF is bit 0
    mu.reg_write(UC_X86_REG_RAX, 0)
    # Stop right before the 2-byte `jmp rax` / `call rax` (FF E0 / FF D0): executing it would
    # branch into unmapped memory and abort the emulation before RAX could be read.
    mu.emu_start(BASE, BASE + len(code) - 2)
    return mu.reg_read(UC_X86_REG_RAX)
```
Run `run(code,0,0)` and `run(code,1,1)` to obtain the *false* and *true* branch targets.
### 4. Patch back a direct jump / call
```python
import struct, ida_bytes

def patch_direct(ea, target, is_call=False):
    """Overwrite the 5 bytes at `ea` with a direct CALL/JMP rel32 to `target`."""
    op = 0xE8 if is_call else 0xE9  # CALL rel32 or JMP rel32
    disp = (target - (ea + 5)) & 0xFFFFFFFF  # rel32 is relative to the end of the 5-byte instruction
    ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
```
After patching, force IDA to re-analyse the function so that the full CFG and the Hex-Rays output are restored:
```python
import ida_auto, ida_funcs
# reanalyze_function takes the func_t object, so resolve it from any address inside the function
ida_auto.reanalyze_function(ida_funcs.get_func(ea))
```
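The encoding part of step 4 can be exercised without IDA. The following added example (not the page's or Unit42's code) builds the replacement bytes for a dispatcher region and decodes them back to check the targets. It goes one step beyond the snippet above: when the two emulation runs resolve to different addresses the dispatcher was acting as a conditional branch, so the helper emits a `Jcc rel32` to the true target followed by a `jmp rel32` to the false target instead of a single unconditional jump. It assumes the dispatcher instructions immediately precede the `jmp rax` with no other entry points (so the dead bytes can be NOP-padded), and the caller must name which flag (`z` or `c`) the dispatcher actually tested; addresses and the image bytes are constructed.

```python
import struct

JMP_REL32 = b"\xE9"   # jmp  rel32, 5 bytes
CALL_REL32 = b"\xE8"  # call rel32, 5 bytes
JCC_REL32 = {"z": b"\x0F\x84", "c": b"\x0F\x82"}  # jz / jc rel32, 6 bytes
NOP = b"\x90"


def rel32(insn_end, target):
    """Displacement relative to the end of the branch instruction, wrapped to 32 bits."""
    return struct.pack("<I", (target - insn_end) & 0xFFFFFFFF)


def build_direct_branch(ea, false_target, true_target=None, flag="z", is_call=False):
    """Bytes to place at `ea` so control reaches the emulated target(s) directly.

    - both emulation runs gave the same address: a single 5-byte jmp/call rel32
    - different addresses: Jcc rel32 to `true_target` followed by jmp rel32 to
      `false_target` (11 bytes); `flag` names the flag the dispatcher tested
    """
    if true_target is None or true_target == false_target:
        op = CALL_REL32 if is_call else JMP_REL32
        return op + rel32(ea + 5, false_target)
    if is_call:
        raise ValueError("x86 has no conditional direct call; patch as a jmp and revisit")
    jcc = JCC_REL32[flag] + rel32(ea + 6, true_target)
    jmp = JMP_REL32 + rel32(ea + 6 + 5, false_target)
    return jcc + jmp


def decode_branches(ea, code):
    """Decode only the encodings this helper emits; returns [(mnemonic, target), ...]."""
    out, pos = [], 0
    while pos < len(code):
        b = code[pos]
        if b == 0x0F and pos + 6 <= len(code) and code[pos + 1] in (0x84, 0x82):
            disp = struct.unpack("<i", code[pos + 2:pos + 6])[0]
            out.append(("jz" if code[pos + 1] == 0x84 else "jc", ea + pos + 6 + disp))
            pos += 6
        elif b in (0xE9, 0xE8) and pos + 5 <= len(code):
            disp = struct.unpack("<i", code[pos + 1:pos + 5])[0]
            out.append(("jmp" if b == 0xE9 else "call", ea + pos + 5 + disp))
            pos += 5
        elif b == 0x90:
            pos += 1
        else:
            break
    return out


def patch_region(image, image_base, start, end, new_code):
    """Overwrite image[start:end] with `new_code`, NOP-padding the rest of the dead dispatcher."""
    room = end - start
    if len(new_code) > room:
        raise ValueError(f"need {len(new_code)} bytes, dispatcher region has {room}")
    patched = bytearray(image)
    off = start - image_base
    patched[off:off + room] = new_code + NOP * (room - len(new_code))
    return bytes(patched)


if __name__ == "__main__":
    # Constructed layout: a 31-byte dispatcher + `jmp rax` region at 0x401000 in a 64-byte image.
    base, start, end = 0x401000, 0x401000, 0x40101F
    image = b"\xCC" * 0x40
    code = build_direct_branch(start, 0x401200, 0x401080, flag="z")
    patched = patch_region(image, base, start, end, code)
    print(decode_branches(start, patched[start - base:end - base]))
```

Decoding the patched bytes before writing them into the database is a cheap sanity check against off-by-five mistakes in the displacement, which otherwise only show up as a wrong edge in the recovered CFG.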
### 5. Label indirect API calls
Once the real destination of each `call rax` is known, you can tell IDA what it is so that parameter types & variable names are recovered automatically:
```python
idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
```
### Practical benefits
* Restores the real CFG → decompilation goes from *10* lines to thousands.
* Enables string cross-references & xrefs, making behaviour reconstruction trivial.
* The scripts are reusable: drop them into any loader protected by the same trick.
---
## References
- [Unit42 Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
- SoTap: lightweight in-app JNI (.so) behavior logger [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
{{#include ../../banners/hacktricks-training.md}}