Chapter 1: Malware Static Analysis Basics
- Malware Data Science (Chinese edition)
- Listing 1-1: Load the pefile module and parse a PE file (ircbot.exe)
- Listing 1-2: Iterate over the sections of the PE file and print information about them
- Listing 1-4: Extract import information from ircbot.exe
- Listing 1-6: Shell commands for extracting images from a malware sample
- Listing 1-7: String output showing that the malware can download attacker-specified files to the target machine
- Listing 1-8: String output showing that the malware has an HTTP server the attacker can connect to
Malware Data Science (Chinese edition)
Malware Data Science: Attack Detection and Attribution
by Joshua Saxe and Hillary Sanders; translated by He Nengqiang (何能強) and Yan Hanbing (嚴寒冰)
Listing 1-1: Load the pefile module and parse a PE file (ircbot.exe)
```python
# in the terminal: pip3 install pefile
# everything below runs in a jupyter notebook
import os
print(os.getcwd())
# result: /home/ubuntu20/桌面
import pefile
pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe")
```

Listing 1-2: Iterate over the sections of the PE file and print information about them
```python
for section in pe.sections:
    print(section.Name, hex(section.VirtualAddress), section.SizeOfRawData)
# result:
# b'.text\x00\x00\x00' 0x1000 207360
# b'.rdata\x00\x00' 0x34000 17408
# b'.data\x00\x00\x00' 0x39000 10752
# b'.idata\x00\x00' 0x96000 3072
# b'.reloc\x00\x00' 0x97000 8704

# The first attempt at printing the virtual size passed two arguments to hex():
#     print(hex(section.Name, section.Misc_VirtualSize))
# which fails with: TypeError: hex() takes exactly one argument (2 given)
# hex() converts exactly one integer, so the name is passed to print separately:
for section in pe.sections:
    print(section.Name, hex(section.Misc_VirtualSize))
```

Listing 1-4: Extract import information from ircbot.exe
```python
pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe")
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(entry.dll)
    for function in entry.imports:
        print('\t', function.name)
```

Result:

```
b'KERNEL32.DLL'
	 b'GetLocalTime'
	 b'ExitThread'
	 b'CloseHandle'
	 b'WriteFile'
	 b'CreateFileA'
	 b'ExitProcess'
	 b'CreateProcessA'
	 b'GetTickCount'
	 b'GetModuleFileNameA'
	 b'GetSystemDirectoryA'
	 b'Sleep'
	 b'GetTimeFormatA'
	 b'GetDateFormatA'
	 b'GetLastError'
	 b'CreateThread'
	 b'GetFileSize'
	 b'GetFileAttributesA'
	 b'FindClose'
	 b'FileTimeToSystemTime'
	 b'FileTimeToLocalFileTime'
	 b'FindNextFileA'
	 b'FindFirstFileA'
	 b'ReadFile'
	 b'SetFilePointer'
	 b'WriteConsoleA'
	 b'GetStdHandle'
	 b'LoadLibraryA'
	 b'GetProcAddress'
	 b'GetModuleHandleA'
	 b'FormatMessageA'
	 b'GlobalUnlock'
	 b'GlobalLock'
	 b'UnmapViewOfFile'
	 b'MapViewOfFile'
	 b'CreateFileMappingA'
	 b'SetFileTime'
	 b'GetFileTime'
	 b'ExpandEnvironmentStringsA'
	 b'SetFileAttributesA'
	 b'GetTempPathA'
	 b'GetCurrentProcess'
	 b'TerminateProcess'
	 b'OpenProcess'
	 b'GetComputerNameA'
	 b'GetLocaleInfoA'
	 b'GetVersionExA'
	 b'TerminateThread'
	 b'FlushFileBuffers'
	 b'SetStdHandle'
	 b'IsBadWritePtr'
	 b'IsBadReadPtr'
	 b'HeapValidate'
	 b'GetStartupInfoA'
	 b'GetCommandLineA'
	 b'GetVersion'
	 b'DebugBreak'
	 b'InterlockedDecrement'
	 b'OutputDebugStringA'
	 b'InterlockedIncrement'
	 b'HeapAlloc'
	 b'HeapReAlloc'
	 b'HeapFree'
	 b'HeapDestroy'
	 b'HeapCreate'
	 b'VirtualFree'
	 b'VirtualAlloc'
	 b'WideCharToMultiByte'
	 b'MultiByteToWideChar'
	 b'LCMapStringA'
	 b'LCMapStringW'
	 b'GetCPInfo'
	 b'GetACP'
	 b'GetOEMCP'
	 b'UnhandledExceptionFilter'
	 b'FreeEnvironmentStringsA'
	 b'FreeEnvironmentStringsW'
	 b'GetEnvironmentStrings'
	 b'GetEnvironmentStringsW'
	 b'SetHandleCount'
	 b'GetFileType'
	 b'RtlUnwind'
	 b'SetConsoleCtrlHandler'
	 b'GetStringTypeA'
	 b'GetStringTypeW'
	 b'SetEndOfFile'
b'USER32.dll'
	 b'MessageBoxA'
```

Recommended reading: the pefile module in Python (parsing PE files): https://blog.csdn.net/b_h_l/article/details/9371611

Listing 1-6: Shell commands for extracting images from a malware sample
```bash
# create the directory; run in the terminal inside /home/ubuntu20/桌面/malware_data_science/ch1/:
mkdir images
# use wrestool to extract the image resources from fakepdfmalware.exe into the images/ directory
# icoutils has to be installed first
sudo apt install icoutils
wrestool -x '/home/ubuntu20/桌面/malware_data_science/ch1/fakepdfmalware.exe' -output=images
# use icotool to extract and convert all resources in the Adobe .ico icon format to .png images
icotool -x -o image images/*.ico
# error: icotool: images/*.ico: cannot open file
```

The icotool error follows from the single-dash `-output=images`: wrestool reads it as the short option `-o` with the value `utput=images`, so the extracted resource is written to a path literally named `utput=images` and `images/` stays empty. The intended form is `--output=images`. Instead, the icons were extracted and converted to .png another way:

```bash
wrestool -x --output=. -t14 '/home/ubuntu20/桌面/malware_data_science/ch1/fakepdfmalware.exe'
sudo apt install imagemagick-6.q16
for i in *.ico; do convert "$i" "$i.png"; done
```

In the resulting directory listing, `images` is the directory that was created, `utput=images` is the image resource extracted in .ico format by the first command, `fakepdfmalware.exe_14_101_2052.ico` is the extracted icon, and `fakepdfmalware.exe_14_101_2052.ico.png` is the converted .png.
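To make the section fields from listings 1-1 and 1-2 above concrete without pefile or the book's sample, here is an added example (not code from the book or from this post) that builds a constructed minimal PE32 image with the standard library, walks its section table the way `pe.sections` does, and flags any section whose `Misc_VirtualSize` greatly exceeds its `SizeOfRawData`, a cheap static hint that the section is filled in at run time. The sample's section values and the ratio threshold are assumptions.

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def build_sample_pe():
    """Constructed minimal PE32 image with two sections (synthetic data, not ircbot.exe)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), assumed values
    sections = [
        (b".text", 207360, 0x1000, 207360, 0x400),
        (b".data", 0x20000, 0x39000, 10752, 0x33000),  # far larger in memory than on disk
    ]
    opt_size = 224  # PE32 optional header size; its contents do not matter for a section walk
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")
    table = b"".join(struct.pack(SECTION_HEADER_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    return dos + b"PE\x00\x00" + coff + optional + table


def parse_sections(data):
    """Walk the section table, exposing the same fields as pefile's pe.sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    table_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_size
    hdr_size = struct.calcsize(SECTION_HEADER_FMT)
    if table_off + nsections * hdr_size > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table_off + i * hdr_size)
        sections.append({"Name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "VirtualAddress": vaddr, "Misc_VirtualSize": vsize,
                         "SizeOfRawData": rawsize, "PointerToRawData": rawptr})
    return sections


def suspicious_sections(sections, ratio=4.0):
    """Sections far larger in memory than on disk, or with no raw data at all.
    A common (not conclusive) sign of code unpacked at run time; the threshold is an assumption."""
    return [s["Name"] for s in sections
            if s["SizeOfRawData"] == 0 or s["Misc_VirtualSize"] / s["SizeOfRawData"] > ratio]


if __name__ == "__main__":
    image = build_sample_pe()
    for s in parse_sections(image):
        print(s["Name"], hex(s["VirtualAddress"]), hex(s["Misc_VirtualSize"]), s["SizeOfRawData"])
    print("suspicious:", suspicious_sections(parse_sections(image)))
```

The same `parse_sections` walk runs unchanged over a real file read with `open(path, "rb").read()`, since it only reads the DOS header, the COFF header and the section table.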
Listing 1-7: String output showing that the malware can download attacker-specified files to the target machine
Listing 1-8: String output showing that the malware has an HTTP server the attacker can connect to
```bash
# view all strings in the file
strings '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' | less
# extract only strings with a minimum length of 10 bytes
strings -n 10 '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' | less
# write the strings of ircbot.exe into the file ircbotstring.txt
strings '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' > ircbotstring.txt
```

ircbotstring.txt then holds the complete raw `strings` output of ircbot.exe. Most of it consists of short fragments such as `DSVW` and `h,@C`, which are code bytes that happen to be printable rather than real text; the lines that matter for listings 1-7 and 1-8 are picked out below.
Extract for Listing 1-7 (the download-related strings):

```
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[DOWNLOAD]: Update failed: Error executing file: %s.
[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Opened: %s.
open
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: Couldn't open file: %s.
```

Extract for Listing 1-8 (the embedded HTTP server's response templates):

```
GET
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Content-Length: %i
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HH:mm:ss
ddd, dd MMM yyyy
application/octet-stream
text/html
```
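As an added example (not from the book or this post): a pure-Python equivalent of `strings -n`, run over a constructed byte sample that embeds strings from listings 1-7 and 1-8 between code-like bytes, followed by a small triage pass that groups the recovered strings by the capability each marker points to (download, HTTP server, IRC). The sample bytes and the marker patterns are assumptions.

```python
import re

# Constructed sample: instruction-like bytes around strings copied from this page's
# listings 1-7 and 1-8, plus one short fragment like the 'h,@C' seen in the raw dump.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"
    b"[DOWNLOAD]: Bad URL, or DNS Error: %s.\x00"
    b"\x01\x02h,@C\x00"
    b"[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.\x00"
    b"HTTP/1.0 200 OK\x00Server: myBot\x00"
    b"Cache-Control: no-cache,no-store,max-age=0\x00"
    b"PRIVMSG %s :Found %s Files and %s Directories\x00"
    b"\xff\xfe"
)

# Markers for the capabilities the chapter reads off ircbot.exe's strings (assumed patterns).
CAPABILITY_MARKERS = {
    "file download": re.compile(r"^\[DOWNLOAD\]:"),
    "embedded HTTP server": re.compile(r"^(HTTP/1\.[01] \d{3} |Server: |Cache-Control: |Content-Type: )"),
    "IRC command and control": re.compile(r"^(PRIVMSG |NOTICE |NICK |JOIN |PONG |USER )"),
}


def extract_strings(data, min_len=10):
    """Pure-Python `strings -n min_len`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(strings):
    """Group strings by the capability marker they match; an empty list means not seen."""
    hits = {cap: [] for cap in CAPABILITY_MARKERS}
    for s in strings:
        for cap, rx in CAPABILITY_MARKERS.items():
            if rx.search(s):
                hits[cap].append(s)
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE)  # same cut-off as `strings -n 10` above
    for cap, matched in triage(found).items():
        print(f"{cap}: {len(matched)} string(s)")
        for s in matched:
            print("   ", s)
```

Lowering `min_len` to 4 lets the `h,@C` fragment through, which is exactly the noise that `strings -n 10` was used to suppress.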