My Love Cracking - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn

Views: 1,549,131 | Replies: 1,048
[PC sample analysis] How to quickly determine whether a file is a virus [LSG]

OP: It's the fragrance of the past, published on 2010-10-29 18:28
When uploading a sample archive as a forum attachment, you must protect it with the archive password 52pojie; otherwise anti-virus software will flag the forum itself. The forum reserves the right to delete the attachments and posts concerned at any time!
Attachment samples and websites in the virus analysis section must be downloaded and opened with care: they may damage your computer. They are provided only for security personnel to study within the bounds of the law; illegal use is prohibited!
Requests for illegal penetration tests, illegal network attacks, access to private data or other illegal content are forbidden. Even if the other party hosts illegal content, ask the police for help instead!
This post was last edited by Xi Liufang at 12:04 on February 11, 2011

First, the background and purpose of this article. The forum's Original Release and Premium Software sections are very popular right now, and a lot of software is released there. But some bad actors also slip little "toys" (trojans) into the software they release and turn it into a gray-hat tool. It is very hard for the forum to assign dedicated staff to check everything, because the workload would be far too heavy, so identification is largely left to the users themselves; hence this article. Note that it is mainly about quickly telling normal files from viruses. I am not a professional; the method is my own summary and is amateurish, but I think it is still useful. If you have a better way, please reply below. The main text follows.

There are many ways to analyze whether a file is a virus; a debugger such as OllyDbg (OD) or a HIPS will both get you there. Here we mainly discuss quick judgment: deciding whether a file is safe in the shortest time and with the least knowledge.

First, the necessary tools: a sandbox, PEiD, OllyDbg and your anti-virus software.

For example, when I download software someone has released on the forum, my anti-virus software may report a virus. In that case, look at the reported detection name first. If it reports a packer, such as "Win32/Packed.VMProtect.AAA Trojan", you can relax your vigilance slightly: some packers the AV engine cannot unpack, so for convenience it treats them as viruses. (A packer detection only tells you that the engine's verdict is about the packer rather than the payload; malware is packed too, so it is not proof that the file is clean.) By contrast, if it reports "Win32/Hupigon.NUK Trojan" or "Win32/Parite.B Virus", take note: the file may have had a trojan maliciously inserted into it, or may be infected. So from the detection name reported by the AV we can largely judge whether the file is really bad or whether it is a false positive. There are exceptions, though. For example, "Trojan.Win32.Generic.122E105A" is a verdict from cloud-based detection; it carries no useful information, so from the name alone you cannot tell whether it is a false positive.

Based on the AV's report you now have a preliminary idea of how safe the file is. I don't think anyone fully trusts the AV; they trust themselves more. Check the packer with PEiD. If it is a simple compression packer, run OllyDbg inside the sandbox, unpack it, and analyze it. What we need to do now is not step through it line by line, but find the APIs this file calls: right-click in the disassembly window and use "Search for" > "Name (label) in current module".


Look through the APIs selectively. Character and string-handling functions can be skipped; pay more attention to registry functions and file functions. For example, if you see CreateFile, set a breakpoint on that function and watch whether it writes files to sensitive system locations. Similarly, viewing strings is an effective method: you can usually find virus characteristics in the strings. For example, some Hupigon ("gray pigeon") builds contain words like "client installed successfully", and you may find email addresses together with their passwords; these are very suspicious. Some tough packers are very hard to unpack; for those, fall back on the sandbox.


Let the program run to completion in the sandbox, then terminate all programs.


Check what the program generated.


From the files the program generates we can basically determine whether it is a virus. Of course, there are also little things that detect sandboxes and virtual machines. There is a link to an online sandbox at the top of the virus sample section; its analysis results are very specific and useful for reference. If you find manual inspection too troublesome, use the online sandbox, which is fast and detailed.


Let's take an example.

http://www.52pojie.cn/viewthread.php?tid=58683 is Xiaosheng's analysis of a trojanized plug-in (外挂). You can watch the video; it is well worth it. Now I will go through it with the method above.

Check for a packer first. It shows none.

At this point I prefer to use PEiD's disassembler plugin to look at the strings; this feature is very convenient.

Note that the selected part is suspicious: it is a URL, and it points to an exe file. At this point you should already suspect that the plug-in is a downloader.

Next, load it in OllyDbg (inside the sandbox or a virtual machine) and look at the names (labels) in the current module. There is URLDownloadToFileA, a function that downloads a file from the network to the local disk; it is commonly used by shellcode.


Set a breakpoint on the imported function and run it to see the specific behavior.

After that, all we have to do is analyze the downloaded file (the address is still live...).


Generally, Microsoft's programs do not have icons like this. And it is strange for a plug-in to download Microsoft's files for no reason; it can only be a disguise, so it can be killed directly.

Likewise, if you run it directly in the sandbox, the downloaded file will eventually turn up in the temp directory when you recover files from the sandbox. A hidden file will also be found in the plug-in's directory, which should have been a clean plug-in directory.

The hosted trojan (挂马) seems to have changed; it is different from the program in Xiaosheng's attachment.

If you find this troublesome, you can throw it straight into an online sandbox and let the machine analyze it for you.

For example, if I find the nSPack packer on the downloaded file hard to remove, or I don't know how to unpack it, I open http://camas.comodo.com/cgi-bin/submit, select the file path, upload the file, wait a few minutes, and the results are ready. Other online sandboxes work similarly.


I had a lot of trouble finding an example this time. I never had the habit of saving samples; those who posted trojans were banned once detected, and their "glorious" attachments could no longer be found, so there was no suitable example. Besides, testing with a real virus was not realistic. After a long search I found the only remaining program on the forum. If I run into trojans in the future I will use them as examples ^_^

Comment by user "This post is not top? It's a shame", published on 2012-10-30 09:29

Ratings: 484 participants, Wuai Coin +148, enthusiasm +469
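The detection-name reasoning in the post above (a packer signature, a named family, or a cloud/generic verdict with no information) can be turned into a small triage helper. The following is an added example in Python, not code from the post or from any anti-virus vendor; the platform, category, packer and generic token lists are assumptions based on common vendor naming and will not cover every engine's scheme. The four names quoted in the post are used as constructed input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed token lists (common vendor naming; not any one engine's official scheme).
PLATFORMS = {"win32", "win64", "w32", "w64", "pe", "msil", "android", "linux", "osx", "js", "vbs"}
CATEGORIES = {"trojan", "virus", "worm", "backdoor", "adware", "riskware", "hacktool",
              "rootkit", "spyware", "downloader", "dropper", "exploit", "pup"}
PACKER_TOKENS = {"packed", "packer", "pack", "protector", "crypt", "cryptor", "obfuscated"}
GENERIC_TOKENS = {"generic", "heur", "heuristic", "suspicious", "agent", "malware", "unknown", "gen"}

ADVICE = {
    "packer": "packer signature only: the engine could not unpack the file, so the name says "
              "nothing about the payload. Lower priority, but not proof of a clean file; "
              "still check it in PEiD and run it in the sandbox.",
    "generic": "cloud/heuristic verdict with no family name: a false positive and a real hit "
               "look the same here; continue with PEiD, OllyDbg and the sandbox.",
    "family": "named family: treat as a real infection or an inserted trojan until proven otherwise.",
}
PRIORITY = {"family": 3, "generic": 2, "packer": 1}   # how much a name tells you


@dataclass
class Verdict:
    name: str
    kind: str                  # "packer", "generic" or "family"
    platform: Optional[str]
    family: Optional[str]
    variant: Optional[str]
    advice: str


def parse_detection(name: str) -> Verdict:
    """Split a vendor detection name into platform / family / variant and classify it."""
    # Drop the trailing type word some UIs append ("... AAA Trojan", "... B Virus").
    core = re.sub(r"\s+(trojan|virus|worm|backdoor)\s*$", "", name.strip(), flags=re.I)
    parts = [p for p in re.split(r"[/.:!\-\s]+", core) if p]

    platform, rest = None, []
    for p in parts:
        if platform is None and p.lower() in PLATFORMS:
            platform = p
        else:
            rest.append(p)

    # Trailing variant: short upper-case suffix (AAA, NUK, B) or a hex/decimal id (122E105A).
    variant = None
    if len(rest) > 1 and re.fullmatch(r"[A-Z]{1,4}|[0-9A-Fa-f]{6,}|\d+", rest[-1]):
        variant = rest.pop()

    lows = [t.lower() for t in rest]
    kind, family = "family", None
    for i, low in enumerate(lows):
        if low in PACKER_TOKENS:              # "Packed.VMProtect": the family slot names the packer
            kind = "packer"
            family = rest[i + 1] if i + 1 < len(rest) else None
            break
    if kind != "packer":
        named = [t for t, low in zip(rest, lows) if low not in CATEGORIES and low not in GENERIC_TOKENS]
        if named:
            family = named[0]
        else:
            kind = "generic"                  # only category/generic words left: no real information
    return Verdict(name, kind, platform, family, variant, ADVICE[kind])


def most_informative(names: List[str]) -> Verdict:
    """Across several engines' names for one file, keep the verdict that says the most."""
    return max((parse_detection(n) for n in names), key=lambda v: PRIORITY[v.kind])


if __name__ == "__main__":
    # The four names quoted in the post, used here as constructed input.
    for n in ["Win32/Packed.VMProtect.AAA Trojan", "Win32/Hupigon.NUK Trojan",
              "Win32/Parite.B Virus", "Trojan.Win32.Generic.122E105A"]:
        v = parse_detection(n)
        print(f"{n:40} -> {v.kind:8} family={v.family} variant={v.variant}: {v.advice}")
```

The priority order follows the post: a named family outranks a generic verdict, which outranks a packer-only hit; so when several engines disagree, the name that carries real information decides where to spend the analysis time.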
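The post's manual steps of viewing strings in PEiD and listing names in OllyDbg's current module boil down to: pull out the printable strings, look for the imported API names that matter (URLDownloadToFileA, CreateFile, the Reg* functions), and look for URLs that end in an executable, email addresses, and Hupigon-style phrases. The following Python script is an added example that does that scan over raw bytes; it is not the post's code and it does not parse the PE import table, so it only sees names that survive as plain strings, which is the case for an unpacked file and not for a packed one. The weights, the marker phrases and the sample bytes (using the reserved name example.com) are constructed for illustration.

```python
import re
from typing import Dict, List

# Imports the post tells you to look for, plus a few of the same kind (assumed weights).
# In an unpacked PE these names sit in the import name table as plain ASCII, which is why
# both OllyDbg's "Name (label) in current module" and a string scan can see them.
SUSPICIOUS_APIS: Dict[str, int] = {
    "URLDownloadToFileA": 3, "URLDownloadToFileW": 3,                     # downloader
    "WinExec": 2, "ShellExecuteA": 2, "ShellExecuteW": 2,                  # runs what it fetched
    "CreateFileA": 1, "CreateFileW": 1, "WriteFile": 1,                    # file writes: check paths
    "RegSetValueExA": 2, "RegSetValueExW": 2, "RegCreateKeyExA": 1, "RegCreateKeyExW": 1,
    "WriteProcessMemory": 3, "CreateRemoteThread": 3,                      # injection
    "SetWindowsHookExA": 2, "SetWindowsHookExW": 2,                        # keylogging hooks
}
# Phrases of the kind the post attributes to "gray pigeon" (Hupigon) builds. Constructed list;
# the Chinese one is searched in GBK (the ANSI code page of Chinese Windows), UTF-16LE and UTF-8.
RAT_MARKERS = ["客户端安装成功", "Client installed successfully"]
SENSITIVE_PATHS = ["\\system32\\", "\\startup\\", "currentversion\\run", "\\drivers\\"]
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".vbs")

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~/%?=&\-]*)?")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII runs and UTF-16LE runs, like PEiD's string view or strings(1)."""
    narrow = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([m.group().decode("ascii") for m in narrow]
            + [m.group().decode("utf-16le") for m in wide])


def triage(data: bytes) -> Dict[str, object]:
    """Score a file image by the indicators the post looks for by hand."""
    strings = extract_strings(data)
    score = 0
    apis = [api for api in SUSPICIOUS_APIS if any(api in s for s in strings)]
    score += sum(SUSPICIOUS_APIS[a] for a in apis)

    urls = [m.group().decode("ascii") for m in URL_RE.finditer(data)]
    exe_urls = [u for u in urls if u.lower().endswith(EXEC_EXT)]   # URL to an .exe: downloader
    score += 3 * len(exe_urls) + 1 * (len(urls) - len(exe_urls))

    emails = [m.group().decode("ascii") for m in EMAIL_RE.finditer(data)]
    score += 2 * len(emails)                                       # mail-back credentials

    markers = [m for m in RAT_MARKERS
               if any(m.encode(enc) in data for enc in ("gbk", "utf-16le", "utf-8"))]
    score += 4 * len(markers)

    paths = [s for s in strings if any(p in s.lower() for p in SENSITIVE_PATHS)]
    score += 2 * len(paths)                                        # writes into system locations

    verdict = ("suspicious: analyse further" if score >= 5
               else "nothing obvious: still run it in the sandbox")
    return {"apis": apis, "urls": urls, "exe_urls": exe_urls, "emails": emails,
            "rat_markers": markers, "sensitive_paths": paths, "score": score, "verdict": verdict}


# Constructed sample: a fragment shaped like an unpacked downloader's import names and data,
# plus a Hupigon-style config blob. Not a real file; example.com is a reserved test domain.
SAMPLE = (
    b"\x00\x00\x12\x00URLDownloadToFileA\x00\x3c\x01WinExec\x00\x20\x00GetStringTypeA\x00"
    + b"http://www.example.com/update/svchost.exe\x00"
    + "客户端安装成功".encode("gbk") + b"\x00"
    + b"mail: bot-report@example.com pass: qwerty123\x00"
    + b"C:\\WINDOWS\\system32\\drivers\\netapi.dll\x00"
)
BENIGN = b"\x00\x00GetStringTypeA\x00lstrlenA\x00Hello, world\x00"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage(blob))
```

Run it on a file with `triage(open(path, "rb").read())`. As in the post, a packed sample shows almost nothing here; unpack it first (or let the sandbox run it) and then scan the unpacked image.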
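For the sandbox part of the post ("let the program run, then check what it generated"), the check reduces to a snapshot of the file system before and after the run, plus rules for what counts as suspicious: new or changed executables, writes under system or startup directories, hidden files. The Python below is an added example of that comparison, not the post's code and not a replacement for the sandbox's own file recovery view; the directory layout and the "sample behaviour" in demo() are constructed inside a temporary directory, the suspicious-path rules are assumptions, and the registry is not covered.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x2            # Windows attribute bit (os.stat().st_file_attributes)
Entry = Tuple[int, str, bool]          # (size, sha256, hidden)

# Assumed rules for "suspicious": executables, writes under system/startup dirs, hidden files.
SENSITIVE_DIRS = ("windows/system32/", "programs/startup/", "appdata/roaming/", "temp/")
EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".bat", ".vbs")


def snapshot(root: str) -> Dict[str, Entry]:
    """Hash every file under root; the key is the path relative to root with '/' separators."""
    snap: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                st = os.stat(full)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue                   # vanished or locked between listing and reading
            hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN) \
                or fn.startswith(".")      # dot-prefix stands in for the attribute on POSIX
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (st.st_size, digest, hidden)
    return snap


def diff_snapshots(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Created, deleted and content-changed files between two snapshots."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p][:2] != after[p][:2]),
    }


def flag(diff: Dict[str, List[str]], after: Dict[str, Entry]) -> List[str]:
    """Which new/changed files deserve a closer look."""
    hits = []
    for p in diff["created"] + diff["modified"]:
        low = p.lower()
        if after[p][2] or low.endswith(EXEC_EXT) or any(d in low for d in SENSITIVE_DIRS):
            hits.append(p)
    return hits


def demo() -> Dict[str, object]:
    """Snapshot, 'run the sample', snapshot again, diff. The sample's behaviour is constructed."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "Windows" / "System32").mkdir(parents=True)
        (r / "Windows" / "System32" / "kernel32.dll").write_bytes(b"pristine system file")
        (r / "Game").mkdir()
        (r / "Game" / "plugin.exe").write_bytes(b"MZ plugin v1")
        (r / "Game" / "config.ini").write_text("[net]\nserver=1\n")
        before = snapshot(root)

        # Stand-in for the downloader behaviour described in the post: payload dropped in
        # the temp directory, a system file overwritten, a hidden module left beside the plug-in.
        (r / "Temp").mkdir()
        (r / "Temp" / "svchost.exe").write_bytes(b"MZ downloaded payload")
        (r / "Windows" / "System32" / "kernel32.dll").write_bytes(b"MZ patched")
        (r / "Game" / ".hidden.dll").write_bytes(b"MZ dropped module")
        (r / "Game" / "config.ini").write_text("[net]\nserver=2\n")   # benign-looking change
        (r / "Game" / "log.txt").write_text("started\n")               # benign-looking file

        after = snapshot(root)
        diff = diff_snapshots(before, after)
        return {"diff": diff, "flagged": flag(diff, after)}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["diff"].items():
        print(f"{kind:9}: {paths}")
    print("flagged  :", result["flagged"])
```

Against a real sandbox, take the first snapshot of the sandbox's container directory before launching the sample and the second after terminating all programs, as the post does; hashing catches an overwritten system file even when its size and name are unchanged.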


Sunshine Coke Published on 2014-11-20 16:41
Technical posts must be bumped.
qawsed Published on 2010-10-30 19:14
After watching Xiaosheng's video and the OP's explanation, I have learned a bit of anti-trojan skill.
The sandbox is a good thing: lighter than a virtual machine and convenient for testing.
hoho


It's the fragrance of the past (OP) Published on 2010-10-29 19:10
Reply to #2 lkou

http://www.52pojie.cn/thread-30084-1-2.html http://www.52pojie.cn/thread-30109-1-2.html

These two posts are quite detailed.
HIPS is fairly niche and basically quite troublesome; if you want to use it, you can write your own rules.


Xiaoai 1994 Published on 2014-11-20 18:31
As a newcomer I may not understand it yet, but I will use it later.
lkou Published on 2010-10-29 18:46
Not bad, bumped. Any small but powerful HIPS you can recommend?
It seems inconvenient.
MissSun Published on 2014-8-1 11:07
Mm-hm, learning this so I can avoid being flagged as suspicious by anti-virus software in the future. Thanks.
yayaxueyu88 Published on 2010-10-29 19:06
Learning the method..
wawaluoxu Published on 2014-11-21 19:32
... Such an old post has been dug up again.
brianwz Published on 2014-7-24 23:02
Thanks for sharing, although this is of no use to me yet! I will use it later.
#7
lkou Published on 2010-10-29 19:15
Okay, let me see.
Avatar is blocked.
#8
qq526033781 Published on 2010-10-29 19:34
Ha, no need to judge by gut feeling anymore. Bookmarked, thank you!
#9
Sloth Published on 2010-10-29 20:21
Not bad, Xiao Fang is my role model.
#10
cv900302 Published on 2010-10-30 06:37
Learning!


My Love Cracking - LCG - LSG (Jing ICP Bei No. 16042023 | Jing Gong Wang An Bei No. 11010502030087)

GMT+8, 2024-3-28 22:54

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.
