Reverse Engineering Notes

2017-11-18  HenrySHE

Google search keywords: "volatility 病毒" (volatility virus)

Useful information on reverse engineering:

General introduction:

http://lis.nsysu.edu.tw/ezfiles/240/1240/attach/68/pta_20972_4275960_42727.pdf

Process of analysing malware:

http://www.myhack58.com/Article/64/2016/75124.htm

Tools used to analyse malware:

https://www.qa-knowhow.com/?p=2625


A very useful video on memory forensics (Indian accent)

https://www.youtube.com/watch?v=E4W6nK1UcnA

[Figures: several common Windows processes as seen in memory: System, services, csrss, winlogon, lsass]

Detecting Malware with Memory Forensics (PDF)

http://www.deer-run.com/~hal/Detect_Malware_w_Memory_Forensics.pdf

A fairly important slide: the files that different hypervisor versions produce for analysis all have different extensions (I guess that .img is actually a system image rather than something generated from inside the VM, or else it was compressed into .img format?)


[Figure: file extensions used for analysis]

Malware Memory Analysis for non-specialists

(a PDF book that covers this in detail)
http://cradpdf.drdc-rddc.gc.ca/PDFS/unc166/p801024_A1b.pdf


Case study: Zeus Analysis (Memory Forensics)

https://securityintelligence.com/zeus-analysis-memory-forensics-via-volatility/


Common Volatility operations:

http://www.restran.net/2017/08/10/memory-forensics-tool-volatility%20-%20副本/


Volatility Command Reference (most important 🌟🌟🌟):

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference


Analysing Stuxnet using Volatility (important 🌟🌟🌟):

http://www.behindthefirewalls.com/2013/12/stuxnet-trojan-memory-forensics-with_16.html

We know that lsass.exe is one of the first processes to start when Windows boots. Because of this, it is normal for "lsass.exe" to have a low PID. You can see when the three lsass.exe processes started in the picture above:

You can see that the "lsass.exe" with the lower PID (680) started in 2010 and the other ones with higher PIDs (868 and 1928) started in 2011. That is not normal behaviour.
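The check described above, as an added example that is not from this page or from the behindthefirewalls write-up: parse the text output of Volatility 2's `pslist` plugin and flag lsass.exe instances whose start time is far from boot. It goes slightly beyond the note by also checking the parent process (lsass.exe is a child of winlogon.exe on XP/2003 and wininit.exe on Vista and later) and by counting instances, since Windows runs exactly one. The sample `pslist` output is constructed for this example; the PIDs 680, 868 and 1928 mirror the note, everything else (offsets, parents, times) is made up and is not taken from the real Stuxnet capture. A low PID on its own is weak evidence because PIDs are reused, so start time and parent are the stronger signals.

```python
"""Flag suspicious lsass.exe instances in Volatility 2 `pslist` text output."""
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like `vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pslist`.
# PIDs 680/868/1928 follow the note above; all other fields are invented.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               600    376     11      395      0      0 2010-10-29 17:08:54 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x82049370 explorer.exe           1196   1144     15      450      0      0 2010-10-29 17:09:04 UTC+0000
0x81e61da0 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c498c8 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
"""

# One pslist row: offset, name, PID, PPID, threads, handles, session, Wow64, optional start time.
PSLIST_LINE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000)?"
)

# Legitimate parent of lsass.exe: winlogon.exe on XP/2003, wininit.exe on Vista and later.
EXPECTED_LSASS_PARENTS = {"winlogon.exe", "wininit.exe"}


def parse_pslist(text):
    """Return a list of process dicts; header, separator and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_LINE.match(line)
        if not m:
            continue
        start = m.group("start")
        procs.append({
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "ppid": int(m.group("ppid")),
            "threads": int(m.group("thds")),
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S") if start else None,
        })
    return procs


def find_suspicious_lsass(text, max_boot_delay=timedelta(minutes=5)):
    """Triage lsass.exe: wrong parent or a start time long after boot is suspicious.

    Returns {"lsass_count": n, "suspicious": [(pid, [reason, ...]), ...]}.
    Boot time is approximated by the earliest start time in the listing (smss.exe);
    the System process carries no start time in XP-era pslist output.
    """
    procs = parse_pslist(text)
    by_pid = {p["pid"]: p for p in procs}
    starts = [p["start"] for p in procs if p["start"] is not None]
    boot = min(starts) if starts else None
    lsass = [p for p in procs if p["name"].lower() == "lsass.exe"]

    suspicious = []
    for p in lsass:
        reasons = []
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"] if parent else "<exited/unknown>"
        if parent_name.lower() not in EXPECTED_LSASS_PARENTS:
            reasons.append("parent is %s (PID %d), expected one of %s"
                           % (parent_name, p["ppid"], sorted(EXPECTED_LSASS_PARENTS)))
        if boot is not None and p["start"] is not None and p["start"] - boot > max_boot_delay:
            reasons.append("started %s after boot; lsass.exe should start within seconds of boot"
                           % (p["start"] - boot))
        if reasons:
            suspicious.append((p["pid"], reasons))
    return {"lsass_count": len(lsass), "suspicious": suspicious}


if __name__ == "__main__":
    result = find_suspicious_lsass(SAMPLE_PSLIST)
    print("lsass.exe instances: %d (Windows runs exactly one)" % result["lsass_count"])
    for pid, reasons in result["suspicious"]:
        print("PID %d:" % pid)
        for r in reasons:
            print("  - " + r)
```

To use it on a real capture, feed it the saved output of `vol.py -f <image> --profile=<profile> pslist`; the legitimate PID 680 passes both checks in the sample, while 868 and 1928 are reported for both their parent (services.exe) and their start time, which is months after boot.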


Analysing Zeus using Volatility (important 🌟🌟🌟):

http://www.behindthefirewalls.com/2013/07/zeus-trojan-memory-forensics-with.html
The same website as above.
