Let's Look at Anti-Virus Together
JohnThunder
A war: viruses versus anti-virus
Defensive strategies
• Signature Based Detection
• Static Program Analysis
• Dynamic Program Analysis
• Sandbox
• Heuristic Analysis
• Entropy
Used by both attackers and defenders
• Obfuscation
• Packers
• Crypters
Windows Loading a PE File
Address Space Layout Randomization
Crypters With PE Injection
“NtUnmapViewOfSection” and “ZwUnmapViewOfSection”
PE Injection
Countering each technique
meterpreter reverse tcp shellcode (Before)
meterpreter reverse tcp shellcode (After)
Heuristic Engines
– Decryption loop detected
– Reads active computer name
– Reads the cryptographic machine GUID
– Contacts random domain names
– Reads the windows installation date
– Drops executable files
– Found potential IP address in binary memory
– Modifies proxy settings
– Installs hooks/patches the running process
– Injects into explorer
– Injects into remote process
– Queries process information
– Sets the process error mode to suppress error box
– Unusual entrophy
– Possibly checks for the presence of antivirus engine
– Monitors specific registry key for changes
– Contains ability to elevate privileges
– Modifies software policy settings
Decryption process: avoiding the "Decryption loop detected" heuristic
Decrypt Shellcode
Anti-analysis tricks covered:
• Is Debugger ?
• Load Fake Library
• Get Tick Count
• Number Of Cores
• Huge Memory Allocations
• Trap Flag Manipulation
• Mutex Triggered WinExec
Dynamic Analysis Detection/Anti Detection
Is Debugger ?
Load Fake Library/Get Tick Count
Trap Flag
Mutex Triggered WinExec
DEP mechanism: use the Windows API to place the shellcode in a memory region with read, write and execute permissions so that the shellcodes execute correctly.
Conclusion: many protection mechanisms can themselves be abused (Visual Studio); a single trick only becomes effective when combined with others into a combo.