Original link: Study notes - static heuristic detection of script trojans

Static heuristic detection of script trojan samples

Finding the site the downloader trojan fetches from:
Run the sample and monitor it with Process Explorer to find the PE files it depends on at run time.
In OllyDbg, set a breakpoint (bp UrlCanonicalizeA/W) to catch the download URL as it is canonicalised.

Analysis of the obfuscation:
A large number of block comments are inserted to shift the offsets of the real code.
Many double-quote and plus-sign pairs split the URL into fragments, and the string "GET" is written as ASCII escape codes so that a plain keyword match fails.

Decryption in Python:
Select and match the suspicious strings; regular-expression matches with bounding conditions decide whether each obfuscation technique is present.
The decrypted file is then simplified further to recover what the script actually does.

```python
# -*- coding: utf-8 -*-
import sys
import re
import os


def RegularModify(fileName):
    # Layer 1: block comments (/* ... */ and /** ... */) inserted only to pad the script
    pattern_notes = re.compile(r'/\*{1,2}[\s\S]*?\*/')
    # Layer 2: string fragments joined with quotes and plus signs, e.g. "ht" + "tp://"
    pattern_plus = re.compile(r'"[\s\S]{0,1}\+[\s\S]{0,1}"')
    # Layer 3: \xNN escapes hiding keywords such as GET; hex digits only, so int(..., 16) cannot fail
    pattern_ascii = re.compile(r'\\x([0-9A-Fa-f]{2})')
    with open(fileName) as oriFile:
        s = oriFile.read()
    s = pattern_notes.sub('', s)
    s = pattern_plus.sub('', s)
    s = pattern_ascii.sub(lambda m: chr(int(m.group(1), 16)), s)
    with open(fileName + "_Gen", 'w') as generateFile:
        generateFile.write(s)


def FileDetect(fileName):
    ori = os.path.getsize(fileName)
    after = os.path.getsize(fileName + "_Gen")
    download = 0
    file = 0
    with open(fileName + "_Gen", 'r') as generateFile:
        for lines in generateFile:
            # a GET request to an http URL marks the download
            if lines.find('GET') != -1 and lines.find('http') != -1:
                download += 1
            # an .exe written under %TEMP% marks the dropped payload
            elif lines.find('.exe') != -1 and lines.find('%TEMP%') != -1:
                file += 1
    # Stripping the padding shrinks a heavily commented sample by more than 10x;
    # guard against an empty result file before dividing.
    if download and file and after > 0 and ori / after > 10:
        print(fileName + " detected HEUR:Trojan-Downloader.JS.Notes.gen")
    else:
        print(fileName + " Clean")


def Main():
    if len(sys.argv) != 2:
        print("usage: " + sys.argv[0] + " <sample>")
        sys.exit(1)
    RegularModify(sys.argv[1])
    FileDetect(sys.argv[1])


if __name__ == "__main__":
    Main()
```

Heuristic signature extraction

Example: sample 1, an obfuscated sample that writes its string one character at a time. Wildcards are used in the signature so that it also covers variants of the malware:

Sig_Static_Word ="C6 84 24 ?? ?? 00 00 ?? C6 84 24 ?? ?? 00 C6 84 24 ??? ?? 00 00 ?? C6 84 24 ?? ?? 00 00 ??"
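The three obfuscation layers described above (comment padding, quote/plus splitting of the URL, \x escapes hiding "GET") and the size-ratio heuristic, run in memory over a constructed sample. This is an added example, not the note's own script: the sample is a non-functional stand-in whose placeholder calls req() and drop() are invented for illustration, and the fragment-joining pattern is generalised from the note's version to allow any whitespace around the plus sign. It also handles the edge case of a file that is nothing but comments, where the note's ratio would divide by zero.

```python
import re

# Constructed sample (not from the original page); req() and drop() are placeholder names.
# Forty long comments pad the file, the URL is split by quote/plus pairs, and GET is \x-escaped.
CONSTRUCTED_SAMPLE = (
    "/* this comment exists only to stretch the file and shift every offset */\n" * 40
    + 'req("\\x47\\x45\\x54", "ht" + "tp://example.invalid/update"); /** padding **/\n'
    + 'drop("%TEMP%\\\\update.exe");\n'
)

# Constructed benign script: no padding, no downloader indicators.
CLEAN_SAMPLE = "var a = 1;\nshow(a);\n"

COMMENT_RE = re.compile(r'/\*{1,2}[\s\S]*?\*/')
# Generalised from the note: "ht" + "tp" with any whitespace around the plus sign.
SPLIT_RE = re.compile(r'"\s*\+\s*"')
HEX_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def deobfuscate(script):
    """Peel the three layers in the order the note applies them; return the simplified text."""
    s = COMMENT_RE.sub('', script)
    s = SPLIT_RE.sub('', s)
    s = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s


def heuristic_verdict(script, ratio_threshold=10):
    """Apply the note's heuristic: downloader line + dropper line + padding ratio above threshold."""
    cleaned = deobfuscate(script)
    download = file_drop = 0
    for line in cleaned.splitlines():
        if 'GET' in line and 'http' in line:
            download += 1
        elif '.exe' in line and '%TEMP%' in line:
            file_drop += 1
    # Padding makes the obfuscated text far larger than its core. A script that was
    # nothing but comments leaves zero bytes; report the ratio as infinite instead of crashing.
    ratio = len(script) / len(cleaned) if cleaned else float('inf')
    detected = bool(download and file_drop and ratio > ratio_threshold)
    return {
        'download': download,
        'file_drop': file_drop,
        'ratio': ratio,
        'detected': detected,
        'cleaned': cleaned,
    }


if __name__ == "__main__":
    for name, sample in (("constructed", CONSTRUCTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        v = heuristic_verdict(sample)
        print("%s: ratio=%.1f download=%d file_drop=%d detected=%s"
              % (name, v['ratio'], v['download'], v['file_drop'], v['detected']))
```

The verdict dictionary exposes each indicator separately so the threshold and the keyword checks can be tuned against a corpus rather than reading a single Clean/detected string.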
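A matcher for wildcard byte signatures in the Sig_Static_Word style, as an added example (not the note's own tooling). The signature used here is constructed, not the page's value: it is two consecutive `C6 84 24 <disp32> <imm8>` instructions, i.e. `mov byte ptr [esp+disp32], imm8`, the store-one-character-at-a-time pattern the note describes, with the low displacement bytes and the immediate wildcarded so one signature covers variants that write different characters at different stack offsets. The sample buffers are constructed as well; the `stored_chars` helper assumes the signature consists only of such 8-byte stores.

```python
import re

# Constructed signature (not the page's Sig_Static_Word): two mov byte ptr [esp+disp32], imm8 stores.
# Byte layout of each store: C6 84 24 | disp32 (4 bytes, low two wildcarded) | imm8 (wildcarded).
CONSTRUCTED_SIG = "C6 84 24 ?? ?? 00 00 ?? C6 84 24 ?? ?? 00 00 ??"
STORE_LEN = 8  # bytes per C6 84 24 disp32 imm8 instruction


def compile_signature(sig):
    """Turn an 'AA ?? BB' hex pattern into a compiled bytes regex; '??' is any single byte."""
    parts = []
    for tok in sig.split():
        if tok == '??':
            parts.append(b'.')
        elif re.fullmatch(r'[0-9A-Fa-f]{2}', tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError('unsupported signature token %r' % tok)
    return re.compile(b''.join(parts), re.DOTALL)


def scan(buf, sig):
    """Return the offset of every non-overlapping signature hit in buf."""
    return [m.start() for m in compile_signature(sig).finditer(buf)]


def stored_chars(buf, sig):
    """For each hit, collect the imm8 of every store in the run: the characters the sample spells out.
    Assumes the signature is made purely of 8-byte [esp+disp32] stores (an assumption of this example)."""
    stores = len(sig.split()) // STORE_LEN
    return [bytes(buf[off + i * STORE_LEN + 7] for i in range(stores)) for off in scan(buf, sig)]


# Constructed buffers. VARIANT_A stores 'G','E' at [esp+0x20],[esp+0x21] after two NOPs;
# VARIANT_B stores 'h','t' at [esp+0x30],[esp+0x31] and returns.
VARIANT_A = bytes.fromhex("90 90 C6 84 24 20 00 00 00 47 C6 84 24 21 00 00 00 45")
VARIANT_B = bytes.fromhex("C6 84 24 30 00 00 00 68 C6 84 24 31 00 00 00 74 C3")
# Same stores encoded with an 8-bit displacement (C6 44 24 disp8 imm8): a different
# instruction form, so the disp32 signature must not fire on it.
NON_MATCH = bytes.fromhex("C6 44 24 20 47 C6 44 24 21 45 C3")


if __name__ == "__main__":
    for name, buf in (("variant A", VARIANT_A), ("variant B", VARIANT_B), ("disp8 form", NON_MATCH)):
        print("%s: hits at %s, chars %s" % (name, scan(buf, CONSTRUCTED_SIG), stored_chars(buf, CONSTRUCTED_SIG)))
```

The disp8 buffer shows the cost of wildcarding conservatively: a signature pinned to one encoding misses the same logic emitted with a shorter displacement, so in practice each instruction form the compiler can produce needs its own pattern or a wider wildcard.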