2012 Investigating malicious code (Preiskovanje škodljive kode)
WHY?
HOW?

- Static analysis
  - antivirus
  - strings
  - PE structure
    - header
    - sections
  - disassembler
- Dynamic analysis
  - sandbox
  - execution in a safe environment
  - debugger
Photo: Ampelmann, Loozrboy@Flickr
THE NEXT SLIDE IS INTENTIONALLY LEFT COMPLETELY BLANK
```text
Compilation timedatestamp: 2012-10-03 12:11:18
Target machine:            0x14C (Intel 386 or later processors and compatible processors)
Entry point address:       0x00001240
```

PE sections:

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 10516 | 10752 | 5.91 | 4312d7434a3372946eba33c28fb873b0 |
| .data | 16384 | 288 | 512 | 2.09 | bfb575c0474c82e26c00f249045d7c0d |
| .rdata | 20480 | 7744 | 8192 | 5.38 | 07de6b1763094129fea2aba5c5d4330b |
| .bss | 28672 | 512 | 0 | 0.00 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 32768 | 2196 | 2560 | 3.94 | dafc70a44d21553fd67800c431676326 |
| aqylxyp | 36864 | 4096 | 512 | 0.00 | bf619eac0cdf3f68d496ea9344137e8b |
| aqylxyp | 40960 | 8192 | 6144 | 5.29 | 492ef1fa20f3508b61318ebd41b5649b |
| emtbmpa | 49152 | 40960 | 38400 | 7.80 | b67ff3c94dfdbb663f91c5c3d8cda9aa |
| qdoevxg | 90112 | 4096 | 512 | 0.00 | bf619eac0cdf3f68d496ea9344137e8b |

PE imports:

- KERNEL32.dll: GetAtomNameA, GetFileSize, AddAtomA, WriteFile, ReadFile, SetUnhandledExceptionFilter, FindAtomA, ExitProcess, CloseHandle, CreateFileA, SetFilePointer, GetModuleFileNameA, VirtualAlloc, GetModuleHandleA
- msvcrt.dll: _cexit, __p__fmode, malloc, __p__environ, signal, free, _onexit, atexit, abort, _setmode, __getmainargs, fprintf, fflush, _iob, strcmp, __set_app_type
- ws2_32.dll: listen, htonl, WSAConnect, getpeername, ntohl, inet_addr, getprotobyname, ioctlsocket, gethostbyname, ntohs, getsockname, inet_ntoa, htons, recv, gethostbyaddr, getsockopt
- comctl32.dll: CreateToolbarEx, ShowHideMenuCtl, DrawInsert, MenuHelp, CreateUpDownControl, MakeDragList, DestroyPropertySheetPage, InitCommonControls, CreateStatusWindowA, CreateMappedBitmap, GetEffectiveClientRect, CreatePropertySheetPageA, ImageList_Add, DrawStatusTextA
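As an added static-analysis example (not from the slides), the script below parses the section table above and flags what an analyst would look at first: the four non-standard section names, the duplicated name `aqylxyp`, the 7.80-entropy section `emtbmpa`, and the two 512-byte sections whose raw bytes hash identically. `COMMON_NAMES` and the numeric thresholds are assumptions.

```python
# Section table as printed on the slide (copied values, one row per line)
SECTION_TABLE = """\
.text 4096 10516 10752 5.91 4312d7434a3372946eba33c28fb873b0
.data 16384 288 512 2.09 bfb575c0474c82e26c00f249045d7c0d
.rdata 20480 7744 8192 5.38 07de6b1763094129fea2aba5c5d4330b
.bss 28672 512 0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 32768 2196 2560 3.94 dafc70a44d21553fd67800c431676326
aqylxyp 36864 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8b
aqylxyp 40960 8192 6144 5.29 492ef1fa20f3508b61318ebd41b5649b
emtbmpa 49152 40960 38400 7.80 b67ff3c94dfdbb663f91c5c3d8cda9aa
qdoevxg 90112 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8b
"""

# Assumption: names a typical compiler/linker emits; anything else gets a look
COMMON_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                ".rsrc", ".reloc", ".tls", ".CRT", ".pdata"}

def parse_sections(text):
    """Parse 'name vaddr vsize rawsize entropy md5' rows into dicts."""
    rows = []
    for line in text.splitlines():
        name, va, vsize, rsize, ent, md5 = line.split()
        rows.append({"name": name, "va": int(va), "vsize": int(vsize),
                     "rsize": int(rsize), "entropy": float(ent), "md5": md5})
    return rows

def section_findings(rows):
    """Return (section name, reason) pairs that merit analyst attention."""
    findings, seen_names, md5_owner = [], set(), {}
    for s in rows:
        n = s["name"]
        if n not in COMMON_NAMES:
            findings.append((n, "non-standard section name"))
        if n in seen_names:
            findings.append((n, "duplicate section name"))
        seen_names.add(n)
        if s["entropy"] >= 7.0:  # assumption: threshold for packed/encrypted data
            findings.append((n, "high entropy: packed or encrypted content"))
        if s["rsize"] > 0 and s["entropy"] == 0.0:
            findings.append((n, "zero-entropy raw data: padding or placeholder"))
        if s["rsize"] > 0 and s["vsize"] > 2 * s["rsize"]:
            findings.append((n, "virtual size far exceeds raw size: filled at runtime"))
        if s["rsize"] > 0 and s["md5"] in md5_owner:
            findings.append((n, "raw bytes identical to section " + md5_owner[s["md5"]]))
        md5_owner.setdefault(s["md5"], n)
    return findings

def reasons_for(findings, name):
    """All reasons recorded for a given section name."""
    return [reason for n, reason in findings if n == name]
```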
Category: Write

```text
Process Name: svchost.exe, PID 148
Operation: CreateFile
Path: "C:\Documents and Settings\tt\Application Data\msconfig.dat"

Process Name: svchost.exe, PID 148
Operation: WriteFile
Path: "C:\Documents and Settings\tt\Application Data\msconfig.dat"

Process Name: svchost.exe, PID 148
Operation: RegSetValue
Path: "HKU\...\Windows NT\CurrentVersion\Winlogon\shell"
Details: "C:\Documents and Settings\tt\Application Data\msconfig.dat"
```
Operation: Process Create

```text
Process Name: Explorer.EXE, PID: 1848
Path: C:\users\...\ttvke9443gcw8q7l.exe
Detail: PID: 680, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

Process Name: ttvke9443gcw8q7l.exe, PID: 680
Path: C:\users\...\ttvke9443gcw8q7l.exe
Detail: PID: 1124, Command line: "C:\users\...\ttvke9443gcw8q7l.exe"

Process Name: ttvke9443gcw8q7l.exe, PID: 1124
Path: C:\WINDOWS\explorer.exe
Detail: PID: 2012, Command line: "C:\WINDOWS\explorer.exe"

Process Name: Explorer.EXE, PID: 1848
Path: C:\WINDOWS\system32\svchost.exe
Detail: PID: 148, Command line: "C:\WINDOWS\system32\svchost.exe"
```
1. CreateProcess(…, CREATE_SUSPENDED, …)
2. ZwUnmapViewOfSection()
3. VirtualAllocEx()
4. WriteProcessMemory()
5. ResumeThread()
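As an added detection example (not from the slides), the script below runs over a constructed one-event-per-line version of the Procmon events shown on the earlier slides and flags the three observables of the chain they document: the sample relaunching its own image, a Windows shell or service host (explorer.exe, svchost.exe) started by a parent that should never start it, which is what the suspended-create-and-rewrite sequence above looks like from the outside, and the Winlogon `shell` value pointed at msconfig.dat. The line format and the expected-parent table are assumptions.

```python
import re

# Constructed Procmon-style events reproducing the chain on the slides,
# one event per line so they can be parsed (paths shortened as on the slides)
LOG = r"""
Process_Name: Explorer.EXE, PID: 1848, Operation: Process Create, Path: C:\users\...\ttvke9443gcw8q7l.exe, Detail: PID: 680
Process_Name: ttvke9443gcw8q7l.exe, PID: 680, Operation: Process Create, Path: C:\users\...\ttvke9443gcw8q7l.exe, Detail: PID: 1124
Process_Name: ttvke9443gcw8q7l.exe, PID: 1124, Operation: Process Create, Path: C:\WINDOWS\explorer.exe, Detail: PID: 2012
Process_Name: Explorer.EXE, PID: 1848, Operation: Process Create, Path: C:\WINDOWS\system32\svchost.exe, Detail: PID: 148
Process_Name: svchost.exe, PID: 148, Operation: RegSetValue, Path: HKU\...\Windows NT\CurrentVersion\Winlogon\shell, Detail: C:\Documents and Settings\tt\Application Data\msconfig.dat
"""

EVENT_RE = re.compile(
    r"Process_Name: (?P<proc>[^,]+), PID: (?P<pid>\d+), Operation: (?P<op>[^,]+), "
    r"Path: (?P<path>[^,]+), Detail: (?P<detail>.*)")

# Assumption: the only legitimate parents of these system binaries (XP-era defaults)
EXPECTED_PARENT = {"explorer.exe": {"userinit.exe"}, "svchost.exe": {"services.exe"}}

def basename(path):
    """Last path component, lower-cased, so image names compare case-insensitively."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(log):
    """Return human-readable findings for the suspicious events in the log."""
    findings = []
    for line in log.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an event line we understand; skip
        e = m.groupdict()
        parent, child = e["proc"].lower(), basename(e["path"])
        if e["op"] == "Process Create":
            # A binary outside C:\WINDOWS starting a second copy of itself
            if child == parent and not e["path"].lower().startswith(r"c:\windows"):
                findings.append(f"{parent} (PID {e['pid']}) relaunches its own image from {e['path']}")
            # explorer.exe / svchost.exe created by something other than their usual parent
            if child in EXPECTED_PARENT and parent not in EXPECTED_PARENT[child]:
                findings.append(f"{child} started by unexpected parent {parent} (PID {e['pid']})")
        elif e["op"] == "RegSetValue" and e["path"].lower().endswith(r"\winlogon\shell"):
            # Winlogon shell should be explorer.exe; anything else is a persistence change
            if basename(e["detail"]) != "explorer.exe":
                findings.append(f"Winlogon shell set to {e['detail']} by {parent} (PID {e['pid']})")
    return findings
```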