不执行样本,窥探恶意代码的秘密
恶意软件分析分为静态分析(不执行)和动态分析(沙箱执行)。静态分析是第一步,能快速获取样本的基本特征、 IOC指标和行为线索,同时避免触发恶意行为。
| 恶意软件类型 | 特征 | 典型家族 |
|---|---|---|
| 病毒 | 感染宿主文件 | CIH、Sasser |
| 蠕虫 | 自我传播 | WannaCry、Conficker |
| 木马 | 伪装合法软件 | Emotet、TrickBot |
| Ransomware | 加密勒索 | LockBit、BlackCat |
| RAT | 远程控制 | Cobalt Strike、PlugX |
| Rootkit | 隐藏自身 | Blue Pill、TDL4 |
# 查看文件类型
file suspicious.exe
# 输出: PE32 executable (GUI) Intel 80386, for MS Windows
file suspicious.pdf
# 输出: PDF document, version 1.5
# 检查文件头(hex)
xxd suspicious.exe | head -5
# 00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ.............
# ^^ "MZ" = PE文件签名
# 使用binwalk分析嵌入文件
binwalk suspicious.pdf
# DECIMAL HEXAULTURAL DESCRIPTION
# 0 0x0 PDF document
# 12345 0x3039 PE32 executable ← PDF内嵌PE!
# 计算多种哈希
md5sum suspicious.exe
sha1sum suspicious.exe
sha256sum suspicious.exe
# 输出: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
# 使用ssdeep计算模糊哈希(相似度比较)
ssdeep suspicious.exe
# 输出: ssdeep,1.1--blocksize:hash:hash,filename
# 在线查询
# VirusTotal: https://www.virustotal.com
# Hybrid Analysis: https://hybrid-analysis.com
# MalwareBazaar: https://bazaar.abuse.ch
# 使用VirusTotal API查询
curl -s "https://www.virustotal.com/api/v3/files/{hash}" \
-H "x-apikey: YOUR_API_KEY" | jq '.data.attributes.last_analysis_stats'
# 使用strings提取可读字符串
strings -n 8 suspicious.exe | head -20
# 输出:
# !This program cannot be run in DOS mode.
# kernel32.dll
# CreateProcessA
# WriteFile
# http://evil-c2-server.com/gate.php
# SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# cmd.exe /c whoami
# 过滤可疑字符串
strings suspicious.exe | grep -iE '(http|https|ftp|\.com|\.net|\.onion|cmd|powershell|reg|admin|password|key|encrypt|decrypt)'
# http://evil-c2-server.com/gate.php ← C2服务器
# SOFTWARE\Microsoft\Windows\CurrentVersion\Run ← 持久化注册表
# cmd.exe /c whoami ← 命令执行
# 提取Unicode字符串(中文恶意软件常用)
strings -e l suspicious.exe
# 使用FLOSS (FireEye Labs Obfuscated String Solver)
# 专门提取混淆/加密字符串
floss suspicious.exe
# 解码XOR/ROT等简单加密的字符串
# 使用pefile (Python库)
python3 << 'EOF'
import pefile
pe = pefile.PE("suspicious.exe")
# PE头信息
print(f"Machine: {hex(pe.FILE_HEADER.Machine)}")
print(f"Sections: {pe.FILE_HEADER.NumberOfSections}")
print(f"Timestamp: {pe.FILE_HEADER.TimeDateStamp}")
# 导入表 (关键!看调用了哪些API)
print("\n=== Imports ===")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
dll = entry.dll.decode()
print(f"\n{dll}:")
for imp in entry.imports[:5]: # 前5个
if imp.name:
print(f" - {imp.name.decode()}")
# 导出表
if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
print("\n=== Exports ===")
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
print(f" {exp.name}")
# 节区信息
print("\n=== Sections ===")
for section in pe.sections:
name = section.Name.decode().rstrip('\x00')
print(f"{name}: VirtualSize={section.Misc_VirtualSize}, "
f"Entropy={section.get_entropy():.2f}")
# 熵值 > 7.0 = 可能加密/压缩
# 资源节
if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
print("\n=== Resources ===")
for res_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
print(f" Type ID: {res_type.id}")
pe.close()
EOF
# 高熵值 = 加密/压缩 = 可能加壳
python3 << 'EOF'
import pefile, math
def entropy(data):
if not data: return 0
freq = [0] * 256
for b in data: freq[b] += 1
ent = 0
for f in freq:
if f > 0:
p = f / len(data)
ent -= p * math.log2(p)
return ent
pe = pefile.PE("suspicious.exe")
print("节区熵值分析:")
for section in pe.sections:
name = section.Name.decode().rstrip('\x00')
ent = entropy(section.get_data())
flag = "⚠️ 高熵(可能加壳)" if ent > 7.0 else "✅ 正常"
print(f" {name:10s}: {ent:.4f} {flag}")
# 典型加壳样本:
# .text: 7.98 ⚠️ 高熵(可能加壳)
# .rdata: 5.32 ✅ 正常
# UPX0: 0.00 ← UPX壳标志段
# UPX1: 7.99 ⚠️ 高熵(加壳数据)
YARA是恶意软件识别的行业标准,使用基于模式匹配的规则描述恶意软件特征。
# YARA规则语法
rule Suspicious_Powershell_Download {
meta:
author = "Security Team"
date = "2024-01-15"
description = "检测PowerShell下载执行行为"
severity = "high"
strings:
// 明文字符串
$ps1 = "powershell" nocase
$download = "DownloadString" nocase
$iex = "IEX" nocase
$noprofile = "-NoProfile" nocase
$hidden = "-WindowStyle Hidden" nocase
// 正则表达式
$url = /https?:\/\/[^\s\"]+/
// 十六进制模式
$hex_pattern = { 6A 00 6A 00 6A 00 68 ?? ?? ?? ?? }
condition:
$ps1 and ($download or $iex) and ($noprofile or $hidden)
}
# 检测UPX加壳
rule UPX_Packed {
meta:
description = "检测UPX加壳的PE文件"
strings:
$upx0 = "UPX0"
$upx1 = "UPX1"
$upx_sig = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? }
condition:
any of them
}
# 运行YARA扫描
yara -r rules.yar /path/to/samples/
# 使用YARA递归扫描
yara -r -s suspicious_rules.yar /malware/samples/ 2>/dev/null
# 常用YARA规则集
# https://github.com/Yara-Rules/rules
# https://github.com/elastic/protections-artifacts
# 基于样本自动生成YARA规则
# 使用yarGen
pip install yargen
yargen.py -m /malware/samples/ -o auto_rules.yar
# 使用MALWARECLUSTER
# 对相似样本聚类后生成通用规则
| 工具 | 功能 | 安装 |
|---|---|---|
| file/binwalk | 文件类型识别 | apt install binwalk |
| strings/FLOSS | 字符串提取 | pip install floss |
| pefile | PE文件分析 | pip install pefile |
| yara | 模式匹配规则 | apt install yara |
| ssdeep | 模糊哈希 | apt install ssdeep |
| Die/Detect It Easy | 壳/编译器检测 | apt install die |
| Capa | 能力检测 | pip install flare-capa |
| Manalyze | PE静态分析 | GitHub编译 |
# Capa自动识别PE文件的能力
capa suspicious.exe
# 输出示例:
# +-----------+-------------------------------------------+
# | ATT&CK | Execution::Command and Scripting Interpreter|
# | Capability| execute powershell command |
# | ATT&CK | Persistence::Registry Run Keys |
# | Capability| persist via Windows registry run key |
# | ATT&CK | Command and Control::HTTP |
# | Capability| communicate with HTTP server |
# | ATT&CK | Defense Evasion::Obfuscation |
# | Capability| decode data via XOR |
# +-----------+-------------------------------------------+
# 恶意软件静态分析报告
## 1. 样本基本信息
- 文件名: suspicious.exe
- 文件大小: 245,760 bytes
- 文件类型: PE32 executable (GUI) Intel 80386
- 编译时间: 2024-01-15 08:30:00 UTC
- 哈希值:
- MD5: abc123...
- SHA1: def456...
- SHA256: 789abc...
- SSDeep: 3:abc:def
## 2. 加壳检测
- 检测工具: Detect It Easy
- 壳类型: UPX 3.96
- 入口点: 0x00405000 (非标准.text段)
- 节区熵值:
- .text: 7.89 ⚠️ (加密)
- .rdata: 5.21 ✅
- .data: 3.14 ✅
## 3. 导入表分析
- kernel32.dll: CreateProcessA, WriteFile, VirtualAlloc
- advapi32.dll: RegSetValueExA, RegCreateKeyExA
- wininet.dll: InternetOpenA, HttpSendRequestA
- ws2_32.dll: connect, send, recv
## 4. 字符串分析
- C2服务器: http://evil-c2.com/gate.php
- 持久化位置: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 命令执行: cmd.exe /c whoami
- 加密标识: AES, base64
## 5. YARA匹配
- rule: Suspicious_Powershell_Download → HIT
- rule: UPX_Packed → HIT
- rule: C2_HTTP_Communication → HIT
## 6. MITRE ATT&CK映射
- T1059.001: Command and Scripting Interpreter - PowerShell
- T1547.001: Boot/Logon Autostart - Registry Run Keys
- T1071.001: Application Layer Protocol - Web Protocols
- T1027.002: Obfuscated Files - Software Packing
## 7. IOC指标
- 网络指标:
- evil-c2.com
- http://evil-c2.com/gate.php
- 185.220.101.xx:443
- 文件指标:
- SHA256: 789abc...
- 注册表: HKLM\...\Run\svchost_update
- 行为指标:
- UPX加壳
- PowerShell下载执行
- 注册表持久化