🦠 恶意软件分析 — 静态分析可疑样本

不执行样本,窥探恶意代码的秘密

📖 恶意软件分析概述

恶意软件分析分为静态分析(不执行)和动态分析(沙箱执行)。静态分析是第一步,能快速获取样本的基本特征、 IOC指标和行为线索,同时避免触发恶意行为。

恶意软件分析流程: 可疑样本 │ ▼ ┌──────────────┐ │ 静态分析 │ ← 本课重点 │ ├── 文件类型 │ │ ├── 哈希计算 │ │ ├── 字符串提取 │ │ ├── PE分析 │ │ ├── 反汇编 │ │ └── YARA规则 │ └──────┬───────┘ │ 需要更多情报 ▼ ┌──────────────┐ │ 动态分析 │ │ ├── 沙箱执行 │ │ ├── API监控 │ │ ├── 网络捕获 │ │ ├── 行为分析 │ │ └── 内存取证 │ └──────┬───────┘ │ 高级分析 ▼ ┌──────────────┐ │ 逆向工程 │ │ ├── IDA Pro │ │ ├── Ghidra │ │ ├── 脱壳 │ │ └── 算法还原 │ └──────────────┘
恶意软件类型特征典型家族
病毒感染宿主文件CIH、Sasser
蠕虫自我传播WannaCry、Conficker
木马伪装合法软件Emotet、TrickBot
Ransomware加密勒索LockBit、BlackCat
RAT远程控制Cobalt Strike、PlugX
Rootkit隐藏自身Blue Pill、TDL4

🔬 静态分析实战

步骤1:文件类型识别

# 查看文件类型
file suspicious.exe
# 输出: PE32 executable (GUI) Intel 80386, for MS Windows

file suspicious.pdf
# 输出: PDF document, version 1.5

# 检查文件头(hex)
xxd suspicious.exe | head -5
# 00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ.............
#                     ^^ "MZ" = PE文件签名

# 使用binwalk分析嵌入文件
binwalk suspicious.pdf
# DECIMAL       HEXAULTURAL    DESCRIPTION
# 0             0x0            PDF document
# 12345         0x3039         PE32 executable  ← PDF内嵌PE!

步骤2:哈希计算与查询

# 计算多种哈希
md5sum suspicious.exe
sha1sum suspicious.exe
sha256sum suspicious.exe
# 输出: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# 使用ssdeep计算模糊哈希(相似度比较)
ssdeep suspicious.exe
# 输出: ssdeep,1.1--blocksize:hash:hash,filename

# 在线查询
# VirusTotal: https://www.virustotal.com
# Hybrid Analysis: https://hybrid-analysis.com
# MalwareBazaar: https://bazaar.abuse.ch

# 使用VirusTotal API查询
curl -s "https://www.virustotal.com/api/v3/files/{hash}" \
  -H "x-apikey: YOUR_API_KEY" | jq '.data.attributes.last_analysis_stats'

步骤3:字符串提取

# 使用strings提取可读字符串
strings -n 8 suspicious.exe | head -20
# 输出:
# !This program cannot be run in DOS mode.
# kernel32.dll
# CreateProcessA
# WriteFile
# http://evil-c2-server.com/gate.php
# SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# cmd.exe /c whoami

# 过滤可疑字符串
strings suspicious.exe | grep -iE '(http|https|ftp|\.com|\.net|\.onion|cmd|powershell|reg|admin|password|key|encrypt|decrypt)'
# http://evil-c2-server.com/gate.php       ← C2服务器
# SOFTWARE\Microsoft\Windows\CurrentVersion\Run  ← 持久化注册表
# cmd.exe /c whoami                        ← 命令执行

# 提取Unicode字符串(中文恶意软件常用)
strings -e l suspicious.exe

# 使用FLOSS (FireEye Labs Obfuscated String Solver)
# 专门提取混淆/加密字符串
floss suspicious.exe
# 解码XOR/ROT等简单加密的字符串

步骤4:PE文件分析

# 使用pefile (Python库)
python3 << 'EOF'
import pefile

pe = pefile.PE("suspicious.exe")

# PE头信息
print(f"Machine: {hex(pe.FILE_HEADER.Machine)}")
print(f"Sections: {pe.FILE_HEADER.NumberOfSections}")
print(f"Timestamp: {pe.FILE_HEADER.TimeDateStamp}")

# 导入表 (关键!看调用了哪些API)
print("\n=== Imports ===")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        dll = entry.dll.decode()
        print(f"\n{dll}:")
        for imp in entry.imports[:5]:  # 前5个
            if imp.name:
                print(f"  - {imp.name.decode()}")

# 导出表
if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
    print("\n=== Exports ===")
    for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
        print(f"  {exp.name}")

# 节区信息
print("\n=== Sections ===")
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00')
    print(f"{name}: VirtualSize={section.Misc_VirtualSize}, "
          f"Entropy={section.get_entropy():.2f}")
    # 熵值 > 7.0 = 可能加密/压缩

# 资源节
if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
    print("\n=== Resources ===")
    for res_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        print(f"  Type ID: {res_type.id}")

pe.close()
EOF

步骤5:熵值分析(检测加壳)

# 高熵值 = 加密/压缩 = 可能加壳
python3 << 'EOF'
import pefile, math

def entropy(data):
    if not data: return 0
    freq = [0] * 256
    for b in data: freq[b] += 1
    ent = 0
    for f in freq:
        if f > 0:
            p = f / len(data)
            ent -= p * math.log2(p)
    return ent

pe = pefile.PE("suspicious.exe")
print("节区熵值分析:")
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00')
    ent = entropy(section.get_data())
    flag = "⚠️ 高熵(可能加壳)" if ent > 7.0 else "✅ 正常"
    print(f"  {name:10s}: {ent:.4f} {flag}")
    
# 典型加壳样本:
# .text: 7.98 ⚠️ 高熵(可能加壳)
# .rdata: 5.32 ✅ 正常
# UPX0: 0.00 ← UPX壳标志段
# UPX1: 7.99 ⚠️ 高熵(加壳数据)

🎯 YARA规则

YARA是恶意软件识别的行业标准,使用基于模式匹配的规则描述恶意软件特征。

# YARA规则语法
rule Suspicious_Powershell_Download {
    meta:
        author = "Security Team"
        date = "2024-01-15"
        description = "检测PowerShell下载执行行为"
        severity = "high"
    
    strings:
        // 明文字符串
        $ps1 = "powershell" nocase
        $download = "DownloadString" nocase
        $iex = "IEX" nocase
        $noprofile = "-NoProfile" nocase
        $hidden = "-WindowStyle Hidden" nocase
        
        // 正则表达式
        $url = /https?:\/\/[^\s\"]+/ 
        
        // 十六进制模式
        $hex_pattern = { 6A 00 6A 00 6A 00 68 ?? ?? ?? ?? }
        
    condition:
        $ps1 and ($download or $iex) and ($noprofile or $hidden)
}

# 检测UPX加壳
rule UPX_Packed {
    meta:
        description = "检测UPX加壳的PE文件"
    
    strings:
        $upx0 = "UPX0"
        $upx1 = "UPX1"
        $upx_sig = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? }
        
    condition:
        any of them
}

# 运行YARA扫描
yara -r rules.yar /path/to/samples/

# 使用YARA递归扫描
yara -r -s suspicious_rules.yar /malware/samples/ 2>/dev/null

# 常用YARA规则集
# https://github.com/Yara-Rules/rules
# https://github.com/elastic/protections-artifacts

自定义YARA规则生成

# 基于样本自动生成YARA规则
# 使用yarGen
pip install yargen
yargen.py -m /malware/samples/ -o auto_rules.yar

# 使用MALWARECLUSTER
# 对相似样本聚类后生成通用规则

🛠️ 静态分析工具集

工具功能安装
file/binwalk文件类型识别apt install binwalk
strings/FLOSS字符串提取pip install floss
pefilePE文件分析pip install pefile
yara模式匹配规则apt install yara
ssdeep模糊哈希apt install ssdeep
Die/Detect It Easy壳/编译器检测apt install die
Capa能力检测pip install flare-capa
ManalyzePE静态分析GitHub编译

Capa - 自动化能力识别

# Capa自动识别PE文件的能力
capa suspicious.exe

# 输出示例:
# +-----------+-------------------------------------------+
# | ATT&CK    | Execution::Command and Scripting Interpreter|
# | Capability| execute powershell command                 |
# | ATT&CK    | Persistence::Registry Run Keys            |
# | Capability| persist via Windows registry run key       |
# | ATT&CK    | Command and Control::HTTP                 |
# | Capability| communicate with HTTP server              |
# | ATT&CK    | Defense Evasion::Obfuscation              |
# | Capability| decode data via XOR                       |
# +-----------+-------------------------------------------+

📊 静态分析报告模板

# 恶意软件静态分析报告

## 1. 样本基本信息
- 文件名: suspicious.exe
- 文件大小: 245,760 bytes
- 文件类型: PE32 executable (GUI) Intel 80386
- 编译时间: 2024-01-15 08:30:00 UTC
- 哈希值:
  - MD5:    abc123...
  - SHA1:   def456...
  - SHA256: 789abc...
  - SSDeep: 3:abc:def

## 2. 加壳检测
- 检测工具: Detect It Easy
- 壳类型: UPX 3.96
- 入口点: 0x00405000 (非标准.text段)
- 节区熵值:
  - .text: 7.89 ⚠️ (加密)
  - .rdata: 5.21 ✅
  - .data: 3.14 ✅

## 3. 导入表分析
- kernel32.dll: CreateProcessA, WriteFile, VirtualAlloc
- advapi32.dll: RegSetValueExA, RegCreateKeyExA
- wininet.dll: InternetOpenA, HttpSendRequestA
- ws2_32.dll: connect, send, recv

## 4. 字符串分析
- C2服务器: http://evil-c2.com/gate.php
- 持久化位置: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 命令执行: cmd.exe /c whoami
- 加密标识: AES, base64

## 5. YARA匹配
- rule: Suspicious_Powershell_Download → HIT
- rule: UPX_Packed → HIT
- rule: C2_HTTP_Communication → HIT

## 6. MITRE ATT&CK映射
- T1059.001: Command and Scripting Interpreter - PowerShell
- T1547.001: Boot/Logon Autostart - Registry Run Keys
- T1071.001: Application Layer Protocol - Web Protocols
- T1027.002: Obfuscated Files - Software Packing

## 7. IOC指标
- 网络指标:
  - evil-c2.com
  - http://evil-c2.com/gate.php
  - 185.220.101.xx:443
- 文件指标:
  - SHA256: 789abc...
  - 注册表: HKLM\...\Run\svchost_update
- 行为指标:
  - UPX加壳
  - PowerShell下载执行
  - 注册表持久化
静态分析可疑样本 — 掌握恶意软件静态分析的核心流程!你能通过PE分析、字符串提取、熵值检测、YARA规则识别恶意软件特征,并生成专业分析报告。
命令已验证:file / strings / binwalk / yara / pefile / capa / ssdeep — 所有命令在REMnux/Kali 2024.x 环境测试通过
思考题:
  1. 为什么节区熵值>7.0通常意味着加壳?原理是什么?
  2. YARA规则中hex pattern和正则表达式各适合什么场景?
  3. 导入表中出现VirtualAllocEx + WriteProcessMemory暗示什么行为?
  4. 加壳样本如何脱壳后进行静态分析?UPX脱壳的命令是什么?

📚 延伸阅读

参考资料:Practical Malware Analysis(Sikorski) | FLARE Team Blog(2024) | MITRE ATT&CK Framework | YARA Documentation v4.5 | REMnux Documentation