maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md

250 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Malware Analysis
{{#include ../../banners/hacktricks-training.md}}
## Forensics CheatSheets
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
## Online servisi
- [VirusTotal](https://www.virustotal.com/gui/home/upload)
- [HybridAnalysis](https://www.hybrid-analysis.com)
- [Koodous](https://koodous.com)
- [Intezer](https://analyze.intezer.com)
- [Any.Run](https://any.run/)
## Offline antivirus i alati za detekciju
### Yara
#### Instalacija
```bash
sudo apt-get install -y yara
```
#### Pripremite pravila
Koristite ovaj skript da preuzmete i spojite sva yara malware pravila sa github-a: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Kreirajte direktorijum _**rules**_ i pokrenite skript. To će kreirati fajl pod nazivom _**malware_rules.yar**_ koji sadrži sva yara pravila za malware.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Skeniranje
```bash
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Provera za malware i kreiranje pravila
Možete koristiti alat [**YaraGen**](https://github.com/Neo23x0/yarGen) za generisanje yara rules iz binarne datoteke. Pogledajte ove tutorijale: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
```
### ClamAV
#### Instalacija
```
sudo apt-get install -y clamav
```
#### Skeniranje
```bash
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)
**Capa** otkriva potencijalno zlonamerne **sposobnosti** u izvršnim fajlovima: PE, ELF, .NET. Dakle, pronaći će stvari kao što su Att\&ck tactics, ili sumnjive **sposobnosti** kao što su:
- provera OutputDebugString greške
- pokretanje kao servis
- kreiranje procesa
Preuzmi ga iz [**Github repo**](https://github.com/mandiant/capa).
### IOCs
IOC znači Indicator Of Compromise. IOC je skup **uslova koji identifikuju** neki potencijalno neželjeni softver ili potvrđeni **malware**. Blue Teams koriste ovu vrstu definicije da bi **pretražili ovu vrstu malicioznih fajlova** u svojim **sistemima** i **mrežama**.\
Delijenje ovih definicija je veoma korisno, jer kada se malware identifikuje na računaru i za njega se kreira IOC, druge Blue Teams mogu koristiti taj IOC da brže identifikuju malware.
Alat za kreiranje ili modifikovanje IOC-ova je [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html).\
Možete koristiti alate kao što je [**Redline**](https://www.fireeye.com/services/freeware/redline.html) da **pretražite definisane IOC-ove na uređaju**.
### Loki
[**Loki**](https://github.com/Neo23x0/Loki) je skener za Simple Indicators of Compromise.\
Detekcija se zasniva na četiri metode detekcije:
```
1. File Name IOC
Regex match on full file path/name
2. Yara Rule Check
Yara signature matches on file data and process memory
3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) je malware skener za Linux objavljen pod licencom GNU GPLv2, koji je dizajniran za pretnje sa kojima se susreću okruženja deljenog hostinga. Koristi podatke o pretnjama iz sistema za detekciju upada na mrežnoj ivici da bi izdvojio malware koji se aktivno koristi u napadima i generisao potpise za detekciju. Pored toga, podaci o pretnjama se takođe izvlače iz korisničkih prijava pomoću LMD checkout feature i iz resursa malware zajednice.
### rkhunter
Alati poput [**rkhunter**](http://rkhunter.sourceforge.net) mogu se koristiti za proveru datotečnog sistema u potrazi za mogućim rootkits i malware.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS
[**FLOSS**](https://github.com/mandiant/flare-floss) je alat koji pokušava da pronađe obfuscated strings unutar executables koristeći različite tehnike.
### PEpper
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).
### PEstudio
[PEstudio](https://www.winitor.com/download) je alat koji omogućava dobijanje informacija o Windows executables kao što su imports, exports, headers, ali će takođe proveriti virus total i pronaći potencijalne Att\&ck tehnike.
### Detect It Easy(DiE)
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) je alat za detekciju da li je fajl encrypted i takođe pronalaženje packers.
### NeoPI
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)je Python skript koji koristi različite statistical methods da bi detektovao obfuscated i encrypted sadržaj unutar text/script files. Namena NeoPI-ja je da pomogne pri detekciji hidden web shell code.
### **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) čini sve što može da detektuje obfuscated/dodgy code kao i fajlove koji koriste PHP funkcije često korišćene u malwares/webshells.
### Apple Binary Signatures
Prilikom provere nekog malware sample-a uvek treba proveriti signature binarnog fajla, jer developer koji ga je potpisao može već biti povezan sa malware-om.
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the apps contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Tehnike detekcije
### File Stacking
Ako znate da je neki direktorijum koji sadrži **fajlove** web servera bio **poslednji put ažuriran na neki datum**, **proverite** **datum** kada su svi **fajlovi** na **web serveru** kreirani i izmenjeni, i ako je neki datum **sumnjiv**, proverite taj fajl.
### Baselines
Ako fajlovi u direktorijumu **ne bi trebalo da budu izmenjeni**, možete izračunati **hash** **originalnih fajlova** direktorijuma i **uporediti** ih sa **trenutnim**. Sve što je izmenjeno biće **sumnjivo**.
### Statistical Analysis
Kada se informacije čuvaju u logovima, možete **proveriti statistiku, npr. koliko puta je svaki fajl na web serveru bio pristupan — web shell može biti jedan od najčešće pristupanih**.
---
### Android in-app native telemetry (no root)
On Android, you can instrument native code inside the target app process by preloading a tiny logger library before other JNI libs initialize. This gives early visibility into native behavior without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the right ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., static initializer or Application.onCreate), then collect logs from internal/external paths or Logcat fallback.
See the Android native reversing page for setup details and log paths:
{{#ref}}
../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
{{#endref}}
---
## Deobfuskovanje dinamičkog kontrolnog toka (JMP/CALL RAX Dispatchers)
Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`. A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
The technique showcased by the SLOW#TEMPEST loader can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
### 1. Pronađite svaki indirektni jump / call
```python
import idautils, idc
for ea in idautils.FunctionItems(idc.here()):
mnem = idc.print_insn_mnem(ea)
if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
print(f"[+] Dispatcher found @ {ea:X}")
```
### 2. Izvucite dispatcher byte-code
```python
import idc
def get_dispatcher_start(jmp_ea, count=9):
s = jmp_ea
for _ in range(count):
s = idc.prev_head(s, 0)
return s
start = get_dispatcher_start(jmp_ea)
size = jmp_ea + idc.get_item_size(jmp_ea) - start
code = idc.get_bytes(start, size)
open(f"{start:X}.bin", "wb").write(code)
```
### 3. Emulirajte ga dva puta koristeći Unicorn
```python
from unicorn import *
from unicorn.x86_const import *
import struct
def run(code, zf=0, cf=0):
BASE = 0x1000
mu = Uc(UC_ARCH_X86, UC_MODE_64)
mu.mem_map(BASE, 0x1000)
mu.mem_write(BASE, code)
mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
mu.reg_write(UC_X86_REG_RAX, 0)
mu.emu_start(BASE, BASE+len(code))
return mu.reg_read(UC_X86_REG_RAX)
```
Pokrenite `run(code,0,0)` i `run(code,1,1)` да бисте добили *false* и *true* циљеве грана.
### 4. Вратите (patch back) директни jump / call
```python
import struct, ida_bytes
def patch_direct(ea, target, is_call=False):
op = 0xE8 if is_call else 0xE9 # CALL rel32 or JMP rel32
disp = target - (ea + 5) & 0xFFFFFFFF
ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
```
Nakon patching-a, naterajte IDA da ponovo analizira funkciju kako bi se kompletan CFG i Hex-Rays izlaz obnovili:
```python
import ida_auto, idaapi
idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
```
### 5. Obeležite indirektne API pozive
Kada je stvarna destinacija svakog `call rax` poznata, možete reći IDA-u šta je to tako da se tipovi parametara i imena promenljivih automatski rekonstrušu:
```python
idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
```
### Praktične prednosti
* Vraća stvarni CFG → dekompilacija prelazi sa *10* linija na na hiljade.
* Omogućava string-cross-reference & xrefs, čineći rekonstrukciju ponašanja trivijalnom.
* Scripts su ponovo upotrebljive: ubaci ih u bilo koji loader zaštićen istim trikom.
---
## References
- [Unit42 Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
- SoTap: Lightweight in-app JNI (.so) behavior logger [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink