\n\uc5f0\uad6c\ubaa9\uc801\uc73c\ub85c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uace0 \uc545\uc758\uc801\uc778 \ubaa9\uc801\uc73c\ub85c \uc774\uc6a9\ud560 \uacbd\uc6b0 \ubc1c\uc0dd\ud560 \uc218 \uc788\ub294 \ubc95\uc801\uc740 \ucc45\uc784\uc740 \ubaa8\ub450 \ubcf8\uc778\uc5d0\uac8c \uc788\uc2b5\ub2c8\ub2e4.
\n<\/strong><\/p>\n
\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 1\uc7a5 \uae30\ucd08 \uc815\uc801\ubd84\uc11d \uc2e4\uc2b5 1-1<\/a> \uc2e4\uc2b5\ubb38\uc81c \ub2e4\uc6b4\ub85c\ub4dc \ubc1b\ub294 \uacf3 : http:\/\/nostarch.com\/malware<\/a><\/p>\n \uc2e4\uc2b5 5-1 \uc9c8\ubb38 PSLIST \ub97c \ubcfc \uc218 \uc788\uace0, \uc8fc\uc18c\ub294 0x10007025\uc774\ub2e4. <\/p>\n sub_100036C3 \ud568\uc218\ub97c \ud638\ucd9c\ud558\ub294 \ubd80\ubd84\uc774 \ubcf4\uc778\ub2e4. sub_100036C3 \ub97c \ud655\uc778\ud574\ubcf4\uba74,<\/p>\n GetVersionExA \ud568\uc218\ub97c \ud1b5\ud574 \uc6b4\uc601\uccb4\uc81c\uc758 \ubc84\uc804\uc744 \ud655\uc778\ud558\ub294 \uac83\uc744 \ubcfc \uc218 \uc788\ub2e4.<\/p>\n \ub2e4\uc2dc \ub3cc\uc544\uc640\uc11c \uadf8\ub798\ud504 \ubdf0\ub85c \ud568\uc218\ub97c \ud655\uc778\ud574\ubcf4\uba74, <\/p>\n \ubc84\uc804\uc744 \ud655\uc778\ud574 \ubd84\uae30\ub418\ub294 \uac83\uc744 \ubcfc \uc218 \uc788\uace0, \ub450 \ud568\uc218(sub_1000664C, sub_10006518)\ub97c \ud638\ucd9c\ud558\ub294 \uac83\uc744 \uc54c \uc218 \uc788\uace0, \ub450 \ud568\uc218 \ubaa8\ub450 CreateToolhelp32Snapshot \ub97c \ud638\ucd9c\ud574\uc11c \ud504\ub85c\uc138\uc2a4 \ub9ac\uc2a4\ud2b8\ub97c \uac00\uc838\uc624\ub294 \uac83\uc744 \uc54c\uc218 \uc788\ub2e4.<\/p>\n 12. \uadf8\ub798\ud504\ubaa8\ub4dc\ub97c \uc774\uc6a9\ud574 sub_10004E79 \uc0c1\ud638\ucc38\uc870 \uadf8\ub798\ud504\ub97c \uadf8\ub824\ubcf4\uc790. \uc774 \ud568\uc218\uc5d0 \uc9c4\uc785\ud558\uae30 \uc704\ud574 \ud638\ucd9c\ud558\ub294 API\ud568\uc218\ub294 \ubb34\uc5c7\uc778\uac00? \ud574\ub2f9 API\ud568\uc218\uc5d0\ub9cc \uae30\ubc18\uc744 \ub450\uace0 \uc774 \ud568\uc218\ub97c \uc5b4\ub5a4 \uc774\ub984\uc73c\ub85c \ubcc0\uacbd\ud558\uaca0\ub294\uac00? sub_10004E79 \ub294 sub_1000FF58\uc5d0\uc11c \ud638\ucd9c \ub418\uc5c8\uace0, GetSystemDefaultLangID, sprintf, strlen, sub_100038EE \uc758 \ud568\uc218\ub97c \ud638\ucd9c\ud558\ub294 \uac83\uc744 \ubcfc \uc218 \uc788\ub2e4. \uc774\ub984\uc744 \uc9d3\ub294 \ub2e4\uba74, GetSystemLanguage \uc815\ub3c4?<\/p>\n 13. DllMain\uc774 \uc9c1\uc811\ud638\ucd9c\ud558\ub294 \uc708\ub3c4\uc6b0 API\ud568\uc218\ub294 \uba87 \uac1c \uc778\uac00? \uc5ec\uae30\uc11c Recursion depth\ub294 1\ub85c \uc918\uc57c \ud55c\ub2e4. \uc544\ub2c8\uba74 \uadf8\ub798\ud504\uac00 \ub108\ubb34 \ucee4\uc838\uc11c \ubcf4\uae30 \ud798\ub4e4\ub2e4<\/p>\n DllMain\uc774 \ud638\ucd9c\ud558\ub294 \uc708\ub3c4\uc6b0API\ub294 strncpy, _strnicmp, CreateThread, strlen 4\uac1c \uc774\ub2e4.<\/p>\n 14. 0x10001358\uc5d0\uc11c Sleep \ud638\ucd9c\uc774 \uc874\uc7ac\ud55c\ub2e4.(sleep\uae4c\uc9c0 \uc218\ubc00\ub9ac\ucd08 \uac12\uc744 \ud30c\ub77c\ubbf8\ud130\ub85c \uac16\ub294 API\ud568\uc218) \ucf54\ub4dc \ud6c4\ubc18\ubd80\ub97c \ubcf4\uba74 \uc774 \ucf54\ub4dc\uac00 \uc218\ud589\ub418\ub824\uba74 \ud504\ub85c\uadf8\ub7a8\uc774 \uc5bc\ub9c8\ub3d9\uc548 sleep\ud558\ub294\uac00? \ud574\ub2f9 \uc8fc\uc18c\uc5d0 \uac00\uc11c \ud655\uc778\ud574\ubcf4\ub2c8, [This is CTI]30 \uc758 \ubb38\uc790\uc5f4\uc774 \uc800\uc7a5\ub418\uc5b4\uc788\ub2e4. 15. 0x10001701\uc5d0\uc11c \uc18c\ucf13\uc744 \ud638\ucd9c\ud55c\ub2e4. \uc138\uac00\uc9c0 \ud30c\ub77c\ubbf8\ud130\ub294 \ubb34\uc5c7\uc778\uac00? 6,1,2 \uac00 push \ub428\uc744 \ubcfc \uc218 \uc788\ub2e4. 16. \uc18c\ucf13\uacfc IDA Pro\uc5d0\uc11c \uba85\uba85\ud55c \uc2ec\ubcfc \uc0c1\uc218 \uae30\ub2a5\uc744 \uc774\uc6a9\ud558\uc5ec \uc774 \ud30c\ub77c\ubbf8\ud130\ub97c \uc880 \ub354 \uc720\uc6a9\ud558\uac8c \ud560 \uc218 \uc788\uaca0\ub294\uac00? \ubcc0\uacbd \ud6c4 \ud30c\ub77c\ubbf8\ud130\ub294 \ubb34\uc5c7\uc778\uac00? af=2(AF_INET) : The Internet Protocol version 4 (IPv4) address family. 17. \uba85\ub839\uc5b4 \uc635\ucf54\ub4dc 0xED\uc758 \uc0ac\uc6a9\ubc95\uc744 \ucc3e\uc544\ubcf4\uc790. \uc774 \uba85\ub839\uc5b4\ub294 VMware \ud0d0\uc9c0\ub97c \uc218\ud589\ud558\ub294 VMXh \ub9e4\uc9c1 \ubb38\uc790\uc5f4\ub85c \uc0ac\uc6a9\ud55c\ub2e4. \uc774 \uc545\uc131\ucf54\ub4dc\ub294 \uc774\ub97c \uc774\uc6a9\ud558\uace0 \uc788\ub294\uac00? VMware\ub97c \ud0d0\uc9c0\ud558\ub294 \ub2e4\ub978\uc99d\uac70\uac00 \uc788\ub294\uac00? \uadf8\ub9ac\uace0 Binary Search \ub97c \uc774\uc6a9\ud574 ED \ub97c \uac80\uc0c9\ud588\ub2e4 (Find all occurrences \uccb4\ud06c \ud558\uba74 \ub9e4\uce6d\ub41c \ub9ac\uc2a4\ud2b8\ub97c \ubcfc\uc218 \uc788\ub2e4.)<\/p>\n opcode \uac00 ED \uc778 \uc5b4\uc148\ube14\ub9ac\uba85\ub839\uc5b4\ub294 in \uba85\ub839\uc774\uc600\ub2e4.<\/p>\n in \uba85\ub839\uc5b4 \uc717\ubd80\ubd84\uc744 \uc0b4\ud3b4\ubcf4\uba74, 564D5868h \uac00 \uc788\ub294 \ub370 ASCII\uc73c\ub85c \ubcc0\uacbd\ud574\ubcf4\uba74 VMXh \uc774\ub2e4. 18. 0x1001D988\ub85c \uc810\ud504\ud574\ubcf4\uc790. \ubb34\uc5c7\uc744 \ucc3e\uc744\uc218 \uc788\ub294\uac00? 19. IDA \ud30c\uc774\uc36c \ud50c\ub7ec\uadf8\uc778\uc744 \uc124\uce58\ud588\ub2e4\uba74(IDA Pro \uc0c1\uc6a9\ubc84\uc804\uc5d0\ub294 \ud3ec\ud568\ub3fc \uc788\uc74c) Lab05-01.py\ub97c \uc2e4\ud589\ud574\ubcf4\uc790. IDA \ud30c\uc774\uc36c \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uc774\ucc45\uc758 \uc545\uc131\ucf54\ub4dc\uc640 \ud568\uaed8 \uc81c\uacf5\ud55c\ub2e4.(\ucee4\uc11c\uac00 0x1001D988\uc5d0 \uc704\uce58\ud574\uc57c\ud568) \uc2a4\ud06c\ub9bd\ud2b8 \uc2e4\ud589 \ud6c4 \ubb34\uc2a8\uc77c\uc774 \uc77c\uc5b4\ub0ac\ub294\uac00? 0x00~0x50 \ub97c \uc77d\uc5b4\uc11c 0x55\uc73c\ub85c xor \ud558\ub294 \ucf54\ub4dc\uc774\ub2e4.<\/p>\n \uadf8\ub798\uc11c \ud574\ub2f9 \ubd80\ubd84\uc744 \uc798\ub77c\uc640\uc11c \ud30c\uc77c\ub85c \ub9cc\ub4e4\uc5c8\ub2e4.<\/p>\n \uadf8\ub9ac\uace0 \ub3d9\uc77c\ud55c \uc77c\uc744 \uc218\ud589\ud558\ub294 \ud30c\uc774\uc36c \ucf54\ub4dc\ub97c \uc791\uc131\ud588\ub2e4.<\/p>\n 20. \ub3d9\uc77c\ud55c \uc704\uce58\uc5d0 \ucee4\uc11c\ub97c \ub450\uace0 \uc774\ub370\uc774\ud130\ub97c ASCII\ubb38\uc790\uc5f4\ub85c \uc5b4\ub5bb\uac8c \ubcc0\ud658\ud560\uc218 \uc788\ub294\uac00? 21. \ubb38\uc790\ud3b8\uc9d1\uae30\ub85c \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc5f4\uc5b4\ubcf4\uc790. \uc5b4\ub5bb\uac8c \ub3d9\uc791\ud558\ub294\uac00? <\/p>\n","protected":false},"excerpt":{"rendered":" Notice : \ud574\ub2f9 \uc790\ub8cc\uac00 \uc800\uc791\uad8c\ub4f1\uc5d0 \uc758\ud574\uc11c \ubb38\uc81c\uac00 \uc788\ub2e4\uba74 \ubc14\ub85c \uc0ad\uc81c\ud558\uaca0\uc2b5\ub2c8\ub2e4. \uc5f0\uad6c\ubaa9\uc801\uc73c\ub85c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uace0 \uc545\uc758\uc801\uc778 \ubaa9\uc801\uc73c\ub85c \uc774\uc6a9\ud560 \uacbd\uc6b0 \ubc1c\uc0dd\ud560 \uc218 \uc788\ub294 \ubc95\uc801\uc740 \ucc45\uc784\uc740 \ubaa8\ub450 \ubcf8\uc778\uc5d0\uac8c \uc788\uc2b5\ub2c8\ub2e4. [\uad6c\ub9e4\ud558\uae30] \uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 1\uc7a5 \uae30\ucd08 \uc815\uc801\ubd84\uc11d \uc2e4\uc2b5 1-1 \uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 … Continue reading ![\"Practical_Malware_Analysis\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2013\/11\/Practical_Malware_Analysis.jpg\")
<\/a>
\n[\uad6c\ub9e4\ud558\uae30]<\/a><\/p>\n
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 1\uc7a5 \uae30\ucd08 \uc815\uc801\ubd84\uc11d \uc2e4\uc2b5 1-2<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 1\uc7a5 \uae30\ucd08 \uc815\uc801\ubd84\uc11d \uc2e4\uc2b5 1-3<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 1\uc7a5 \uae30\ucd08 \uc815\uc801\ubd84\uc11d \uc2e4\uc2b5 1-4<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 3\uc7a5 \uae30\ucd08 \ub3d9\uc801 \ubd84\uc11d \uc2e4\uc2b5 3-1<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 3\uc7a5 \uae30\ucd08 \ub3d9\uc801 \ubd84\uc11d \uc2e4\uc2b5 3-2<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 3\uc7a5 \uae30\ucd08 \ub3d9\uc801 \ubd84\uc11d \uc2e4\uc2b5 3-3<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 3\uc7a5 \uae30\ucd08 \ub3d9\uc801 \ubd84\uc11d \uc2e4\uc2b5 3-4<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 5\uc7a5 IDA Pro (1)<\/a>
\n\uc2e4\uc804 \uc545\uc131\ucf54\ub4dc\uc640 \uba40\uc6e8\uc5b4 \ubd84\uc11d – 5\uc7a5 IDA Pro (2)<\/a><\/p>\n
\nIDA Pro \ub9cc\uc744 \uc774\uc6a9\ud574 \ud30c\uc77c Lab05-01.dll \ub0b4\uc758 \uc545\uc131\ucf54\ub4dc\ub97c \ubd84\uc11d\ud558\ub77c. \uc774\uc2e4\uc2b5\uc758 \ubaa9\uc801\uc740 IDA Pro\ub97c \uc9c1\uc811 \ub2e4\ub8e8\ub294\ub370 \uc788\ub2e4. \uc774\ubbf8 IDA Pro\ub97c \uc0ac\uc6a9\ud574 \ubcf8 \uc801\uc774 \uc788\uc73c\uba74 \ub2e4\uc74c \ubb38\uc81c\ub97c \ubb34\uc2dc\ud558\uace0 \uc545\uc131\ucf54\ub4dc \ub9ac\ubc84\uc2f1\uc5d0 \ucd08\uc810\uc744 \ub9de\ucdb0\ub3c4 \uc88b\ub2e4.<\/p>\n
\n11. PSLIST \uc775\uc2a4\ud3ec\ud2b8\ub294 \ubb34\uc2a8 \uc5ed\ud560\uc744 \ud558\ub294\uac00?
\nA : Exports \ucc3d\uc744 \ud655\uc778\ud574 \ubcf4\uc558\ub2e4.
\n![\"5-1-19\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-19.png\")
<\/p>\n![\"5-1-20\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-20.png\")
<\/p>\n![\"5-1-22\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-22.png\")
<\/p>\n![\"5-1-21\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-21.png\")
<\/p>\n
\nA : View > Graphs > User xrefs charts \ub97c \uc774\uc6a9\ud574 \uc0c1\ud638\ucc38\uc870 \uadf8\ub798\ud504\ub97c \uadf8\ub824\ubcf4\uba74,<\/p>\n![\"5-1-23\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-23.png\")
<\/p>\n
\nA : View > Graphs > User xrefs charts \ub97c \uc774\uc6a9\ud574 \uc0c1\ud638\ucc38\uc870 \uadf8\ub798\ud504\ub97c \uadf8\ub824\ubcf4\uc790<\/p>\n![\"5-1-24\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-24.png\")
<\/p>\n![\"5-1-25\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-25.png\")
<\/p>\n
\nA : Sleep \uc704\uc758 \ucf54\ub4dc\ub97c \uc870\uae08 \uc0b4\ud3b4\ubcf4\uba74, \uba3c\uc800 off_10019020 \uac00 \ubcf4\uc778\ub2e4.<\/p>\n![\"5-1-26\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-26.png\")
<\/p>\n
\n\uc5ec\uae30\uc5d0 0Dh \ub97c \ub354\ud55c\ub2e4. [This is CTI]\uc744 \ube7c\uace0 30\ubd80\ubd84\ub9cc \uac00\uc838\uc628\ub2e4.
\n30\uc774 \ubb38\uc790\uc774\ub2c8 atoi\uc73c\ub85c \uc22b\uc790\ub97c \ub9cc\ub4e4\uc5b4 3E8h(\uc2ed\uc9c4\uc218\ub85c 1000)\ub97c \uacf1\ud574\uc900\ub2e4.
\n\uc989, 30000 \ubc00\ub9ac\ucd08, 30\ucd08 \ub3d9\uc548 sleep \ud55c\ub2e4.<\/p>\n
\nA : \ud574\ub2f9 \uc8fc\uc18c\uc758 \ucf54\ub4dc\ub97c \ubcf4\uba74,
\n![\"5-1-27\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-27.png\")
<\/p>\n
\nMSDN \uc5d0\uc11c \ud655\uc778\ud574\ubcf4\uba74, (http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms740506(v=vs.85).aspx<\/a>)<\/p>\nSOCKET WSAAPI socket(\r\n _In_ int af,\r\n _In_ int type,\r\n _In_ int protocol\r\n);\r\n<\/pre>\n
\nA : AF_INET, SOCK_STREAM, IPPROTO_TCP <\/p>\n
\ntype=1(SOCK_STREAM) : A socket type that provides sequenced, reliable, two-way, connection-based byte streams with an OOB data transmission mechanism. This socket type uses the Transmission Control Protocol (TCP) for the Internet address family (AF_INET or AF_INET6).
\nprotocol=6 (IPPROTO_TCP) : The Transmission Control Protocol (TCP). This is a possible value when the af parameter is AF_INET or AF_INET6 and the type parameter is SOCK_STREAM.<\/p>\n
\nA : Opcode\ub97c \ud655\uc778\ud558\uae30 \uc704\ud574 \uc635\ucf54\ub4dc\uac00 \ubcf4\uc774\ub3c4\ub85d \uc124\uc815\uc744 \ud588\ub2e4. (Options > General \uc5d0 Number of Opcodes Bytes Bytes \ub97c 6\uc73c\ub85c \uc124\uc815)
\n![\"5-1-28\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-28.png\")
<\/p>\n![\"5-1-29\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-29.png\")
<\/p>\n![\"5-1-30\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-30.png\")
<\/p>\n
\n\uadf8\ub9ac\uace0 in \uba85\ub839\uc774 \ud3ec\ud568\ub41c \ud568\uc218\uc758 \uc0c1\ud638 \ucc38\uc870\ub97c \ud1b5\ud558\uc5ec Found Virtual Machine,Install Cancel. \uc758 \ubb38\uad6c\ub3c4 \ud655\uc778\ud560\uc218 \uc788\uc5c8\ub2e4.<\/p>\n
\nA : \ubb38\uc790\ub4e4\uc774 \ubcf4\uc778\ub2e4.
\n![\"5-1-31\"](\"http:\/\/apollo89.com\/wordpress\/wp-content\/uploads\/2014\/01\/5-1-31.png\")
<\/p>\n
\nA : \uc548\ud0c0\uae5d\uc9c0\ub9cc \uc0c1\uc6a9\ubc84\uc804\uc774 \ub098\ub2cc free \ubc84\uc804\uc774\ub77c \uc2e4\ud589\ud574\ubcfc\uc218 \uc5c6\uc5c8\ub2e4..\u3160
\n\uc6b0\uc120 Lab05-01.py \ucf54\ub4dc\ub97c \ubcf4\uc790..<\/p>\nsea = ScreenEA()\r\n\r\nfor i in range(0x00,0x50):\r\n b = Byte(sea+i)\r\n decoded_byte = b ^ 0x55\r\n PatchByte(sea+i,decoded_byte)\r\n<\/pre>\n
b = bytearray(open('5-1', 'rb').read())\r\nfor i in range(len(b)):\r\n b[i] ^= 0x55\r\nopen('5-1-xor', 'wb').write(b)\r\n<\/pre>\n
\nA : \uc704\uc5d0\uc11c \uc791\uc131\ud55c \ucf54\ub4dc\ub97c \ub3cc\ub824\ubcf4\ub2c8, \uc544\ub798\uc640 \uac19\uc740 \ubb38\uc790\uc5f4\uc744 \ud655\uc778\ud560\uc218 \uc788\uc5c8\ub2e4.
\nxdoor is this backdoor, string decoded for Practical Malware Analysis Lab :)1234<\/p>\n
\nA : \uc704\uc5d0\uc11c \uc774\ubbf8 \ud574\ubd24\uc74c..\u314b<\/p>\n