Hello penguins,
I'm posting this topic so you can help me with a small but thorny subject.
As you know, .EXE files are the dark side, and it is hard to detect their real function.
I wanted to know whether you know of a tool that would let me detect or analyse whether a .EXE's function is (trojan, injection, other).
I bring this up because when I downloaded security-related binaries for my Windows PC, I said to myself: "But who's to say that this Microsoft binary isn't sending requests or whatever to their server?"
Well, we know it, but I'd like to see it, or to know how to proceed to verify that this binary is indeed a malicious program.
Thanks for your help,
Regards,
koorosh
Last edited by koorosh (05-11-2013 00:47:33)
"Words can be sharper than a sharpened sabre", written by Omar Khayam, Persian poet.
You can start by running it in a VM and doing a Wireshark analysis.
Then you have plenty of tools like OllyDbg, strings, ghex2, objdump, IDA etc. from the reverse engineering section of Kali, for example.
You can also run file *.exe to see whether it's a .NET binary and look at it with Mono.
Using proprietary software is like ready-made meals: you can't tell what preservatives they contain, they'll always say it's good, but it will never replace a home-cooked meal by your mum.
]:D #! Crunchbang & Archlinux GNU/Linux User ]:D
Hi koorosh, for Windows binaries, as icefox said, you have plenty of tools like OllyDbg and IDA Pro to analyse your binary. Then you have to understand that there is a good chance your .exe is obfuscated by a crypter or by a pile of code whose only purpose is to confuse the analysis.
There's xylitol's site; then you can also use a sandbox with tcpdump to see whether there is any traffic to the internet. There's plenty of documentation.
A good site to get started: http://fumalwareanalysis.blogspot.fr/p/ … verse.html
Last edited by itichy (06-11-2013 14:00:22)
ядра паники
Waaaa, magnificent! Thanks itichy and coyotus, I have enough material to practise with.
I'm double posting to keep the subject I'm going to address in this message separate.
So if I understand correctly, thanks to the list of tools you shared with me, I could analyse malware, rootkits and other malicious code in order to add their signature to Snort?
(I've got back into Snort, to keep that software fresh in my head.)
EDIT: here is a site that analyses EXEs = http://anubis.iseclab.org/
After 2 days of documentation and a few hours of practice in malware analysis, I managed to pull some info out of a malware sample, but since I'm a beginner in forensics, I need your insight.
Here is the info on the malware:
Analysing the suspected file payload.exe
Analysing if PE file...
[+] Valid PE file.
[+] Malware File Size : 73 KB
[+] Verifying CRC from file
Claimed CRC and Actual CRC are different: Suspicious
Claimed: 0
Actual: 98426
[+] Verifying timestamp from file
[-] Seems fine
[+] Image Base : 0x400000
[+] Address Of Entry Point: 0x5d72
[+] Compile Time: 2009-08-04 04:10:04
[+] Number of RVA and Sizes: 16
[+] Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
[+] Searching for TLS entries..
[+] No TLS entries found..
[+] Found Entry Point at section: .text
[+] Entry point in known section. Seems fine
Checking for Packer Signature....
Couldn't Idenified packer. :( Try Manually
[+] Computing Checksum for malware :payload.exe
[-]Checksum of malware :e9e0b1041f8d284309d66f7a2dd78a0b
-------- Identifying Strings in the malware---------------
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.rsrc
D@A
H@A
@<A
!=SSShL@
PQhs
8A
8A
E5P
@8A
L@A
QRa
_hP
~^3
nc
QRP
@0Q
L@A
4Z#
@?QR
H@A
;U`j
-----------Performing signatures based scan---------------
[+]Displaying Interesting System Calls Made.
[-]Signatures not found.....
[+]Displaying Registry Hives Edited.
[-]Signatures not found.....
[+]Displaying A Little Online Behaviour.
[-]Signatures not found.....
[+]Displaying the Loaded DLLs.
[-]Signatures not found.....
[+]Commands Inside the Malware.
[-]Signatures not found.....
[+]Sys Calls Made.
[-]Signatures not found.....
[+]Searching if malware is VM aware
[-]Signatures not found.....
---------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.rsrc
D@A
H@A
@<A
!=SSShL@
PQhs
8A
8A
E5P
@8A
L@A
QRa
_hP
~^3
nc
QRP
@0Q
L@A
4Z#
@?QR
H@A
;U`j
Malware loads following DLLs
MSVCRT.dll
KERNEL32.dll
ADVAPI32.dll
WSOCK32.dll
WS2_32.dll
[-] Disaassembling the first block
[0x405d72L] add ah bl
[0x405d74L] aaa
[0x405d76L] or eax edi
[0x405d77L] mov ecx edi
[0x405d79L] xchg edx eax
[0x405d7bL] add ch bh
[0x405d7cL] jnp 0x405df0L
[0x405d7eL] aaa
[0x405d80L] xchg ecx eax
[0x405d81L] jno 0x405dfdL
[0x405d82L] dec ecx
[0x405d84L] test al ah
[0x405d85L] jg 0x405e03L
[0x405d87L] adc eax 0x7e34e332
[0x405d89L] inc edx
[0x405d8eL] mov ah 0x22
[0x405d8fL] jmp near 0x405ddbL
[0x405d91L] cmp ebp esi
[0x405ddbL] mov ecx 0x1a7b2770
[0x405dddL] mul eax
[0x405de2L] sub dh dh
[0x405de4L] jecxz 0x405e13L
[0x405de6L] sar ch cl
[0x405de8L] jge 0x405e11L
[0x405deaL] jbe 0x405e1dL
[0x405decL] jb 0x405e2fL
[0x405deeL] and ecx 0x4a
[0x405df0L] a16 test al 0x7e
[0x405df3L] cmp bh ah
[0x405df6L] test ebx ebp
[0x405df8L] xor al 0x7c
[0x405dfaL] sbb ch bh
[0x405dfcL] mov edx 0x71b0938d
[0x405dfeL] or eax 0x25794214
[0x405e03L] xchg ecx eax
[0x405e08L] add al 0x66
[0x405e09L] stc
[0x405e0bL] mov ecx 0x48277549
[0x405e0cL] mov bh 0x37
[0x405e11L] xor eax 0x40d58667
[0x405e13L] cdq
[0x405e18L] cmp al 0x6b
[0x405e19L] aam 0xf5
[0x405e1bL] das
[0x405e1dL] mov ch 0x74
[0x405e1eL] add eax 0x194b9215
[0x405e20L] sar eax 0x24
[0x405e25L] sbb eax 0x73bb98b6
[0x405e28L] or al 0x43
[0x405e2dL] sub al 0x2d
[0x405e2fL] sbb al 0x4a
[0x405e31L] lahf
[0x405e33L] mov dl 0x90
[0x405e34L] cmp eax 0xa9b83f41L
[0x405e36L] imul edx esi 0x9bb1b3b4L
[0x405e3bL] jmp 0x40b94bL
[0x405e41L] nop
[0x40b94bL] cld
[0x40b94cL] nop
[0x40b94dL] jmp near 0x40b95aL
[0x40b94eL] call 0x40bc5eL
[0x40b95aL] nop
[0x40b95fL] pushad
[0x40b960L] jmp near 0x40b972L
[0x40b961L] mov ebp esp
[0x40b972L] xor edx edx
[0x40b974L] mov edx [fs:dx+0x30]
[0x40b976L] nop
[0x40b97aL] mov edx [dx+0xc]
[0x40b97bL] mov edx [dx+0x14]
[0x40b97eL] nop
[0x40b981L] jmp near 0x40b98eL
[0x40b982L] jmp near 0x40b99eL
[0x40b98eL] mov esi [dx+0x28]
[0x40b99eL] nop
[0x40b9a1L] jmp near 0x40b9acL
[0x40b9a2L] movzx ecx [dx+0x26]
[0x40b9acL] nop
[0x40b9b0L] jmp near 0x40b9bbL
[0x40b9b1L] xor edi edi
[0x40b9bbL] jmp near 0x40b9caL
[0x40b9bdL] jmp near 0x40b9d6L
[0x40b9caL] xor eax eax
[0x40b9d6L] nop
[0x40b9d8L] lodsb
[0x40b9d9L] nop
[0x40b9daL] jmp near 0x40b9e9L
[0x40b9dbL] cmp al 0x61
[0x40b9e9L] jl 0x40b9f1L
[0x40b9ebL] nop
[0x40b9edL] sub al 0x20
[0x40b9eeL] nop
[0x40b9f0L] nop
[0x40b9f1L] jmp near 0x40ba02L
[0x40b9f2L] ror edi 0xd
[0x40ba02L] jmp near 0x40ba16L
[0x40ba05L] add edi eax
[0x40ba16L] jmp near 0x40ba29L
[0x40ba18L] dec ecx
[0x40ba29L] jnz 0x40b9caL
[0x40ba2aL] nop
[0x40ba30L] jmp near 0x40ba3cL
[0x40ba31L] push edx
[0x40ba3cL] nop
[0x40ba3dL] push r15d
[0x40ba3eL] nop
[0x40ba3fL] jmp near 0x40ba4bL
[0x40ba40L] mov edx [dx+0x10]
[0x40ba4bL] jmp near 0x40ba5bL
[0x40ba4eL] mov eax [dx+0x3c]
[0x40ba5bL] nop
[0x40ba5eL] jmp near 0x40ba69L
[0x40ba5fL] add eax edx
[0x40ba69L] nop
[0x40ba6bL] jmp near 0x40ba7cL
[0x40ba6cL] mov eax [ax+0x78]
[0x40ba7cL] jmp near 0x40ba8bL
[0x40ba7fL] test eax eax
[0x40ba8bL] jz 0x40bc45L
[0x40ba8dL] add eax edx
[0x40ba93L] nop
[0x40ba95L] jmp near 0x40baa5L
[0x40ba96L] push eax
[0x40baa5L] mov ecx [ax+0x18]
[0x40baa6L] nop
[0x40baa9L] mov ebx [ax+0x20]
[0x40baaaL] nop
[0x40baadL] jmp near 0x40babdL
[0x40baaeL] add ebx edx
[0x40babdL] test ecx ecx
[0x40babfL] jz 0x40bc43L
[0x40bac1L] dec ecx
[0x40bac7L] nop
[0x40bac8L] mov esi [ebx+ecx4]
[0x40bac9L] jmp near 0x40bad7L
[0x40baccL] add esi edx
[0x40bad7L] jmp near 0x40bae6L
[0x40bad9L] xor edi edi
[0x40bae6L] nop
[0x40bae8L] jmp near 0x40baf5L
[0x40bae9L] xor eax eax
[0x40baf5L] jmp near 0x40bb07L
[0x40baf7L] lodsb
[0x40bb07L] nop
[0x40bb08L] jmp near 0x40bb1aL
[0x40bb09L] ror edi 0xd
[0x40bb1aL] add edi eax
[0x40bb1dL] jmp near 0x40bb2eL
[0x40bb1fL] cmp al ah
[0x40bb2eL] nop
[0x40bb30L] jmp near 0x40bb3cL
[0x40bb31L] jnz 0x40bae9L
[0x40bb3cL] nop
[0x40bb42L] add edi [bp-0x8]
[0x40bb43L] cmp edi [bp+0x24]
[0x40bb46L] jmp near 0x40bb54L
[0x40bb49L] jnz 0x40babfL
[0x40bb54L] nop
[0x40bb5aL] jmp near 0x40bb67L
[0x40bb5bL] pop eax
[0x40bb67L] nop
[0x40bb68L] jmp 0x40bb7cL
[0x40bb69L] mov ebx [ax+0x24]
[0x40bb7cL] jmp 0x40bb93L
[0x40bb7fL] add ebx edx
[0x40bb93L] nop
[0x40bb95L] jmp 0x40bbaaL
[0x40bb96L] mov cx [ebx+ecx2]
[0x40bbaaL] jmp 0x40bbc1L
[0x40bbaeL] mov ebx [ax+0x1c]
[0x40bbc1L] jmp 0x40bbd7L
[0x40bbc4L] add ebx edx
[0x40bbd7L] nop
[0x40bbd9L] mov eax [ebx+ecx4]
[0x40bbdaL] nop
[0x40bbddL] add eax edx
[0x40bbdeL] jmp 0x40bbeeL
[0x40bbe0L] jmp 0x40bbffL
[0x40bbeeL] mov [esp+0x24] eax
[0x40bbffL] pop ebx
[0x40bc03L] nop
[0x40bc04L] pop ebx
[0x40bc05L] nop
[0x40bc06L] popad
[0x40bc07L] jmp 0x40bc1cL
[0x40bc08L] pop ecx
[0x40bc1cL] pop edx
[0x40bc1dL] jmp 0x40bc2bL
[0x40bc1eL] push ecx
[0x40bc2bL] jmp eax
The file is potentially suspected. Is it packed??
Identifying Suspicious section. Processing....
[!] SUSPICIOUS
Section Name: IMAGE_SECTION_HEADER Entropy 7.10880226926
[IMAGE_SECTION_HEADER]
Name: .text
Misc: 0xA966
Misc_PhysicalAddress: 0xA966
Misc_VirtualSize: 0xA966
VirtualAddress: 0x1000
SizeOfRawData: 0xB000
PointerToRawData: 0x1000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
**This Test shall be performed when you are confirm that suspect is a malware**
Anti Debugging traces identification
[!] Found a call at: 0x40c018 LoadLibraryA
[!] Found a call at: 0x40c01c GetProcAddress
[!] Found a call at: 0x40c06c GetCurrentProcess
[!] Found a call at: 0x40c074 CloseHandle
Malware File System Activity Traces
[!] Found a call at: 0x40c0ac CreateFileA
Malware System Hook Calls
No System Hook Call traces found :( . Try manually
Malware Keyboard Hook Calls
No Keyboard Hook Call traces found :( . Try manually
Malware Rootkit traces
No Rootkit Hook traces found :( . Try manually
DEP Setting Change trace
No DEP setting change trace found :( . Try manually
DLL Injection trace
No DLL Injection trace found :( . Try manually
Network Connection Traces
No Potential Network trace found :( . Try manually
Privilage Escalation Potential Traces
No Privilage Escalation trace found :( . Try manually
Hardware Breakpoint Potential Traces
No Hardware Breakpoint trace found :( . Try manually
Internet Communication Traces
[!] Found a Potential Internet Communication trace: 0x40c194 WSARecv
[!] Found a Potential Internet Communication trace: 0x40c198 WSASend
Internet Communication Traces
No Anti Process Dumping trace found :( . Try manually
Service Register Traces
No Service register trace found :( . Try manually
Process Creation Traces
No Service register trace found :( . Try manually
TLS aware Traces
[!] Found a TLS aware call : 0x40c060 TlsAlloc
[!] Found a TLS aware call : 0x40c064 TlsFree
Named pipe aware Traces
[!] Found a Named Pipe aware call : 0x40c00c PeekNamedPipe
Temp file aware Traces
No Temp file aware trace found :( . Try manually
Clipboard aware Traces
No Clipboard aware trace found :( . Try manually
Process Enumeration Traces
No Process Enumeration trace found :( . Try manually
[+] Computing Checksum for malware :payload.exe
[-]Checksum of malware :e9e0b1041f8d284309d66f7a2dd78a0b
[!]Online check failed..
[!]Creating signatures of the various sections
[payload.exe Section(1/4,.text)]
signature = 55 8b 64 81 ec 0c 04 00 00 4f d4 02 2d 00 99 56 a3 e8 17 41 00 a3 a8 0b 41 ae a3 44 40 41 00 a3 04 18 41 00 33 c3 a3 48 40 41 00 57 b3 45 0c 53 8d 4d 08 50 51 c7 05 f0 17 41 00 44 e0 40 00 88 1d 40 3c 41 00 e8 dd 4c 90 00 dd e0 5f 40 00 e8 d8 a4 00 00 83 21 3d 53 53 53 68 4c 40 d4 00 e8 fc 3e 73 00
ep_only = false
section_start_only = true
[payload.exe Section(2/4,.rdata)]
signature = 8c cf 00 00 70 cf 00 00 00 00 00 00 52 cf 00 00 46 cf 00 00 3a cf 00 00 2a cf 00 00 18 cf 00 00 08 cf 00 00 f2 ce 00 00 de ce 00 00 c6 ce 00 00 ba ce 00 00 aa ce 00 00 92 ce 00 00 7a ce 00 00 5e ce 00 00 4e ce 00 00 40 ce 00 00 fa cb 00 00 0a cc 00 00 24 cc 00 00 3e cc 00 00 4c cc 00 00 5e cc 00 00
ep_only = false
section_start_only = true
[payload.exe Section(3/4,.data)]
signature = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 64 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 80 c3 c9 01 00 00 00 00 e0 0b 41 00 32 00 00 00 42 00 00 00 4b 00 00 00 50 00 00 00 5a 00 00 00 5f 00 00 00 62 00 00 00 63 00 00 00 64 00 00 00 25 73 3a 20 43 61 6e 6e 6f 74 20 75
ep_only = false
section_start_only = true
[payload.exe Section(4/4,.rsrc)]
signature = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 10 00 00 00 18 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 30 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 48 00 00 00 60 50 01 00 68 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 07 34 00
ep_only = false
section_start_only = true
Done
----------DOS_HEADER----------
[IMAGE_DOS_HEADER]
e_magic: 0x5A4D
e_cblp: 0x90
e_cp: 0x3
e_crlc: 0x0
e_cparhdr: 0x4
e_minalloc: 0x0
e_maxalloc: 0xFFFF
e_ss: 0x0
e_sp: 0xB8
e_csum: 0x0
e_ip: 0x0
e_cs: 0x0
e_lfarlc: 0x40
e_ovno: 0x0
e_res:
e_oemid: 0x0
e_oeminfo: 0x0
e_res2:
e_lfanew: 0xE8
----------NT_HEADERS----------
[IMAGE_NT_HEADERS]
Signature: 0x4550
----------FILE_HEADER----------
[IMAGE_FILE_HEADER]
Machine: 0x14C
NumberOfSections: 0x4
TimeDateStamp: 0x4A77987C [Tue Aug 04 02:10:04 2009 UTC]
PointerToSymbolTable: 0x0
NumberOfSymbols: 0x0
SizeOfOptionalHeader: 0xE0
Characteristics: 0x10F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
----------OPTIONAL_HEADER----------
[IMAGE_OPTIONAL_HEADER]
Magic: 0x10B
MajorLinkerVersion: 0x6
MinorLinkerVersion: 0x0
SizeOfCode: 0xB000
SizeOfInitializedData: 0xA000
SizeOfUninitializedData: 0x0
AddressOfEntryPoint: 0x5D72
BaseOfCode: 0x1000
BaseOfData: 0xC000
ImageBase: 0x400000
SectionAlignment: 0x1000
FileAlignment: 0x1000
MajorOperatingSystemVersion: 0x4
MinorOperatingSystemVersion: 0x0
MajorImageVersion: 0x0
MinorImageVersion: 0x0
MajorSubsystemVersion: 0x4
MinorSubsystemVersion: 0x0
Reserved1: 0x0
SizeOfImage: 0x16000
SizeOfHeaders: 0x1000
CheckSum: 0x0
Subsystem: 0x2
DllCharacteristics: 0x0
SizeOfStackReserve: 0x100000
SizeOfStackCommit: 0x1000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0x0
NumberOfRvaAndSizes: 0x10
DllCharacteristics:
----------PE Sections----------
[IMAGE_SECTION_HEADER]
Name: .text
Misc: 0xA966
Misc_PhysicalAddress: 0xA966
Misc_VirtualSize: 0xA966
VirtualAddress: 0x1000
SizeOfRawData: 0xB000
PointerToRawData: 0x1000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 7.108802 (Min=0.0, Max=8.0)
MD5 hash: fbe30c1add4aad8f4dae7fea776b4417
SHA-1 hash: e393437318a9c2279ee609a439bf1632ad903965
SHA-256 hash: e8bb4b89aad578e0805575d310894ba1bf884dd7c70da2d2d7179e4ea9d397a5
SHA-512 hash: b6975e4be30622b6267ac63dd30624b4d6219425e2a702d028bff74c259fd0da37acd619a5f61fc3be6bec4d1eadf6fce1bb6f16fb43e8623d20b8a5d8bc3490
[IMAGE_SECTION_HEADER]
Name: .rdata
Misc: 0xFE6
Misc_PhysicalAddress: 0xFE6
Misc_VirtualSize: 0xFE6
VirtualAddress: 0xC000
SizeOfRawData: 0x1000
PointerToRawData: 0xC000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 5.318390 (Min=0.0, Max=8.0)
MD5 hash: 25d7ceee3aa85bb3e8c5174736f6f830
SHA-1 hash: 2d1b3b256819734be18a5171828f544f2fe3c678
SHA-256 hash: c9c158955ada53055c12e5d0c4060730470167d0059b1f02aafcf886370d57e0
SHA-512 hash: eae2c08f6b5deb15bf5306996693e1d901590a8daca97207482324e3d70baaa3cf27224fc6c52473cb87e19ab37437a95c22032178dc4399cb6875363d2e2d62
[IMAGE_SECTION_HEADER]
Name: .data
Misc: 0x705C
Misc_PhysicalAddress: 0x705C
Misc_VirtualSize: 0x705C
VirtualAddress: 0xD000
SizeOfRawData: 0x4000
PointerToRawData: 0xD000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 4.407841 (Min=0.0, Max=8.0)
MD5 hash: 283b5f792323d57b9db4d2bcc46580f8
SHA-1 hash: 46bdccde681141c8e779b47220c1d7b1a1b9b011
SHA-256 hash: 36c0aa22fb65d0f60ab7fc5648994eece1f2ef8c5d4d60855fada2f8bff4c3c2
SHA-512 hash: f80868410f7b1ed28c048ef9eea8ea9e3a9d74ceda59237e444adfebb57aef1aa51c4ed230b030cb28993d93c702b4fd6d78b5d6941532ae59532ddff7286430
[IMAGE_SECTION_HEADER]
Name: .rsrc
Misc: 0x7C8
Misc_PhysicalAddress: 0x7C8
Misc_VirtualSize: 0x7C8
VirtualAddress: 0x15000
SizeOfRawData: 0x1000
PointerToRawData: 0x11000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 1.958296 (Min=0.0, Max=8.0)
MD5 hash: c13a9413aea7291b6fc85d75bfcde381
SHA-1 hash: 2e051ef30946f9bed1931d1f9dde3ebdb9b99b89
SHA-256 hash: 77d4d9b7bcf6235ac21dc6b2569ecc9c3a854539e23d8b939078d4ce151baae0
SHA-512 hash: a21ba66c3a384aa7c04bdce1a5a9efb165816ee198a8eabff7d87c3759936d5aba7134660653a08a9bb5536e40b993b55e24590c47d2e88914c43401a1f1a70c
----------Directories----------
[IMAGE_DIRECTORY_ENTRY_EXPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT]
VirtualAddress: 0xC76C
Size: 0x78
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
VirtualAddress: 0x15000
Size: 0x7C8
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG]
VirtualAddress: 0xC1E0
Size: 0x1C
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IAT]
VirtualAddress: 0xC000
Size: 0x1E0
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED]
VirtualAddress: 0x0
Size: 0x0
----------Version Information----------
[VS_VERSIONINFO]
Length: 0x768
ValueLength: 0x34
Type: 0x0
[VS_FIXEDFILEINFO]
Signature: 0xFEEF04BD
StrucVersion: 0x10000
FileVersionMS: 0x20002
FileVersionLS: 0xE0000
ProductVersionMS: 0x20002
ProductVersionLS: 0xE0000
FileFlagsMask: 0x3F
FileFlags: 0x0
FileOS: 0x4
FileType: 0x1
FileSubtype: 0x0
FileDateMS: 0x0
FileDateLS: 0x0
[StringFileInfo]
Length: 0x6C6
ValueLength: 0x0
Type: 0x1
[StringTable]
Length: 0x6A2
ValueLength: 0x0
Type: 0x1
LangID: 040904b0
LegalCopyright: Copyright 2009 The Apache Software Foundation.
InternalName: ab.exe
FileVersion: 2.2.14
CompanyName: Apache Software Foundation
Comments: Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
ProductName: Apache HTTP Server
ProductVersion: 2.2.14
FileDescription: ApacheBench command line utility
OriginalFilename: ab.exe
[VarFileInfo]
Length: 0x44
ValueLength: 0x0
Type: 0x1
[Var]
Length: 0x24
ValueLength: 0x4
Type: 0x0
Translation: 0x0409 0x04b0
----------Imported symbols----------
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0xC8AC
Characteristics: 0xC8AC
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0xCB1E
FirstThunk: 0xC0C8
MSVCRT.dll._iob Hint[275]
MSVCRT.dll._except_handler3 Hint[202]
MSVCRT.dll.__set_app_type Hint[129]
MSVCRT.dll.__p__fmode Hint[111]
MSVCRT.dll.__p__commode Hint[106]
MSVCRT.dll._adjust_fdiv Hint[157]
MSVCRT.dll.__setusermatherr Hint[131]
MSVCRT.dll._initterm Hint[271]
MSVCRT.dll.__getmainargs Hint[88]
MSVCRT.dll.__p___initenv Hint[100]
MSVCRT.dll._XcptFilter Hint[72]
MSVCRT.dll._exit Hint[211]
MSVCRT.dll._onexit Hint[390]
MSVCRT.dll.__dllonexit Hint[85]
MSVCRT.dll.strrchr Hint[707]
MSVCRT.dll.wcsncmp Hint[744]
MSVCRT.dll._close Hint[179]
MSVCRT.dll.wcslen Hint[742]
MSVCRT.dll.wcscpy Hint[739]
MSVCRT.dll.strerror Hint[700]
MSVCRT.dll.modf Hint[667]
MSVCRT.dll.strspn Hint[708]
MSVCRT.dll.realloc Hint[679]
MSVCRT.dll.__p__environ Hint[109]
MSVCRT.dll.__p__wenviron Hint[122]
MSVCRT.dll._errno Hint[200]
MSVCRT.dll.free Hint[606]
MSVCRT.dll.strncmp Hint[704]
MSVCRT.dll.strstr Hint[709]
MSVCRT.dll.strncpy Hint[705]
MSVCRT.dll._ftol Hint[241]
MSVCRT.dll.qsort Hint[676]
MSVCRT.dll.fopen Hint[599]
MSVCRT.dll.perror Hint[668]
MSVCRT.dll.fclose Hint[588]
MSVCRT.dll.fflush Hint[591]
MSVCRT.dll.calloc Hint[576]
MSVCRT.dll.malloc Hint[657]
MSVCRT.dll.signal Hint[687]
MSVCRT.dll.printf Hint[670]
MSVCRT.dll._isctype Hint[277]
MSVCRT.dll.atoi Hint[573]
MSVCRT.dll.exit Hint[585]
MSVCRT.dll.__mb_cur_max Hint[97]
MSVCRT.dll._pctype Hint[398]
MSVCRT.dll.strchr Hint[695]
MSVCRT.dll.fprintf Hint[600]
MSVCRT.dll._controlfp Hint[183]
MSVCRT.dll._strdup Hint[447]
MSVCRT.dll._strnicmp Hint[453]
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0xC7F0
Characteristics: 0xC7F0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0xCF62
FirstThunk: 0xC00C
KERNEL32.dll.PeekNamedPipe Hint[647]
KERNEL32.dll.ReadFile Hint[683]
KERNEL32.dll.WriteFile Hint[919]
KERNEL32.dll.LoadLibraryA Hint[584]
KERNEL32.dll.GetProcAddress Hint[408]
KERNEL32.dll.GetVersionExA Hint[479]
KERNEL32.dll.GetExitCodeProcess Hint[338]
KERNEL32.dll.TerminateProcess Hint[849]
KERNEL32.dll.LeaveCriticalSection Hint[583]
KERNEL32.dll.SetEvent Hint[779]
KERNEL32.dll.ReleaseMutex Hint[696]
KERNEL32.dll.EnterCriticalSection Hint[143]
KERNEL32.dll.DeleteCriticalSection Hint[122]
KERNEL32.dll.InitializeCriticalSection Hint[537]
KERNEL32.dll.CreateMutexA Hint[90]
KERNEL32.dll.GetFileType Hint[350]
KERNEL32.dll.SetLastError Hint[797]
KERNEL32.dll.FreeEnvironmentStringsW Hint[238]
KERNEL32.dll.GetEnvironmentStringsW Hint[335]
KERNEL32.dll.GlobalFree Hint[501]
KERNEL32.dll.GetCommandLineW Hint[265]
KERNEL32.dll.TlsAlloc Hint[854]
KERNEL32.dll.TlsFree Hint[855]
KERNEL32.dll.DuplicateHandle Hint[140]
KERNEL32.dll.GetCurrentProcess Hint[314]
KERNEL32.dll.SetHandleInformation Hint[794]
KERNEL32.dll.CloseHandle Hint[46]
KERNEL32.dll.GetSystemTimeAsFileTime Hint[448]
KERNEL32.dll.FileTimeToSystemTime Hint[188]
KERNEL32.dll.GetTimeZoneInformation Hint[472]
KERNEL32.dll.FileTimeToLocalFileTime Hint[187]
KERNEL32.dll.SystemTimeToFileTime Hint[846]
KERNEL32.dll.SystemTimeToTzSpecificLocalTime Hint[847]
KERNEL32.dll.Sleep Hint[841]
KERNEL32.dll.FormatMessageA Hint[234]
KERNEL32.dll.GetLastError Hint[361]
KERNEL32.dll.WaitForSingleObject Hint[901]
KERNEL32.dll.CreateEventA Hint[73]
KERNEL32.dll.SetStdHandle Hint[812]
KERNEL32.dll.SetFilePointer Hint[784]
KERNEL32.dll.CreateFileA Hint[77]
KERNEL32.dll.CreateFileW Hint[80]
KERNEL32.dll.GetOverlappedResult Hint[396]
KERNEL32.dll.DeviceIoControl Hint[131]
KERNEL32.dll.GetFileInformationByHandle Hint[346]
KERNEL32.dll.LocalFree Hint[594]
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0xC7E4
Characteristics: 0xC7E4
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0xCF96
FirstThunk: 0xC000
ADVAPI32.dll.FreeSid Hint[225]
ADVAPI32.dll.AllocateAndInitializeSid Hint[29]
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0xC984
Characteristics: 0xC984
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0xCFA4
FirstThunk: 0xC1A0
WSOCK32.dll Ordinal[7] (Imported by Ordinal)
WSOCK32.dll Ordinal[4] (Imported by Ordinal)
WSOCK32.dll Ordinal[9] (Imported by Ordinal)
WSOCK32.dll Ordinal[52] (Imported by Ordinal)
WSOCK32.dll Ordinal[14] (Imported by Ordinal)
WSOCK32.dll Ordinal[12] (Imported by Ordinal)
WSOCK32.dll Ordinal[21] (Imported by Ordinal)
WSOCK32.dll Ordinal[23] (Imported by Ordinal)
WSOCK32.dll Ordinal[3] (Imported by Ordinal)
WSOCK32.dll Ordinal[18] (Imported by Ordinal)
WSOCK32.dll Ordinal[10] (Imported by Ordinal)
WSOCK32.dll Ordinal[151] (Imported by Ordinal)
WSOCK32.dll Ordinal[115] (Imported by Ordinal)
WSOCK32.dll Ordinal[116] (Imported by Ordinal)
WSOCK32.dll Ordinal[111] (Imported by Ordinal)
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0xC978
Characteristics: 0xC978
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0xCFC4
FirstThunk: 0xC194
WS2_32.dll.WSARecv Hint[52]
WS2_32.dll.WSASend Hint[57]
----------Resource directory----------
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
Id: [0x10] (RT_VERSION)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x10
OffsetToData: 0x80000018
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x1
OffsetToData: 0x80000030
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x409
OffsetToData: 0x48
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x15060
Size: 0x768
CodePage: 0x0
Reserved: 0x0
----------Debug information----------
[IMAGE_DEBUG_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x4AC18036 [Tue Sep 29 03:34:14 2009 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
Type: 0x2
SizeOfData: 0x4A
AddressOfRawData: 0x0
PointerToRawData: 0x12000
Type: IMAGE_DEBUG_TYPE_CODEVIEW
On the other hand, these lines caught my attention:
[!]Creating signatures of the various sections
[payload.exe Section(1/4,.text)]
signature = 55 8b 64 81 ec 0c 04 00 00 4f d4 02 2d 00 99 56 a3 e8 17 41 00 a3 a8 0b 41 ae a3 44 40 41 00 a3 04 18 41 00 33 c3 a3 48 40 41 00 57 b3 45 0c 53 8d 4d 08 50 51 c7 05 f0 17 41 00 44 e0 40 00 88 1d 40 3c 41 00 e8 dd 4c 90 00 dd e0 5f 40 00 e8 d8 a4 00 00 83 21 3d 53 53 53 68 4c 40 d4 00 e8 fc 3e 73 00
ep_only = false
section_start_only = true
[payload.exe Section(2/4,.rdata)]
signature = 8c cf 00 00 70 cf 00 00 00 00 00 00 52 cf 00 00 46 cf 00 00 3a cf 00 00 2a cf 00 00 18 cf 00 00 08 cf 00 00 f2 ce 00 00 de ce 00 00 c6 ce 00 00 ba ce 00 00 aa ce 00 00 92 ce 00 00 7a ce 00 00 5e ce 00 00 4e ce 00 00 40 ce 00 00 fa cb 00 00 0a cc 00 00 24 cc 00 00 3e cc 00 00 4c cc 00 00 5e cc 00 00
ep_only = false
section_start_only = true
[payload.exe Section(3/4,.data)]
signature = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 64 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 80 c3 c9 01 00 00 00 00 e0 0b 41 00 32 00 00 00 42 00 00 00 4b 00 00 00 50 00 00 00 5a 00 00 00 5f 00 00 00 62 00 00 00 63 00 00 00 64 00 00 00 25 73 3a 20 43 61 6e 6e 6f 74 20 75
ep_only = false
section_start_only = true
[payload.exe Section(4/4,.rsrc)]
signature = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 10 00 00 00 18 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 30 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 48 00 00 00 60 50 01 00 68 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 07 34 00
ep_only = false
section_start_only = true
I don't remember any more how to add the malware signature to the Snort database. I know how to add a rule in Snort with the "content" function, but it's the malware signature that I'm stuck on.
Am I on the right track?
Thanks for your help.
Last edited by koorosh (20-11-2013 23:33:09)
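The last question in the thread (how the section "signature" bytes become a Snort rule) is not answered on the page. The following added example, mine rather than anything from the thread, shows the Snort content syntax for raw bytes and a sanity check that rejects candidate patterns which would match almost any file. The rule header, the $HOME_NET/$EXTERNAL_NET variables, the sid range and the rejection thresholds are assumptions; the two byte strings are the first bytes of the .text and .data section signatures quoted in the post.

```python
# Added example (not from the thread): Snort content rules from candidate byte patterns.
# Rule header, sid range and thresholds are assumptions; the byte strings are the
# leading bytes of the .text and .data section signatures quoted above.

SIG_TEXT = ("55 8b 64 81 ec 0c 04 00 00 4f d4 02 2d 00 99 56 a3 e8 17 41 00 "
            "a3 a8 0b 41 ae a3 44 40 41 00 a3 04 18 41 00")
SIG_DATA = ("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
            "01 00 00 00 64 00 00 00 01 00 00 00 01 00 00 00")

def check_pattern(raw, min_len=8, max_zero_fraction=0.5, min_distinct=8):
    """Reasons a pattern would match far too much traffic; empty list if it looks usable."""
    problems = []
    if len(raw) < min_len:
        problems.append("only %d bytes, shorter than %d" % (len(raw), min_len))
    zeros = raw.count(0) / len(raw) if raw else 1.0
    if zeros > max_zero_fraction:
        problems.append("%.0f%% zero bytes" % (zeros * 100))
    if len(set(raw)) < min_distinct:
        problems.append("only %d distinct byte values" % len(set(raw)))
    return problems

def snort_content_rule(raw, sid, msg, rev=1):
    """One Snort rule matching the bytes anywhere in a server-to-client TCP payload."""
    hex_payload = " ".join("%02X" % b for b in raw)     # Snort hex syntax: content:"|55 8B ...|"
    return ('alert tcp $EXTERNAL_NET any -> $HOME_NET any ('
            'msg:"%s"; flow:to_client,established; content:"|%s|"; '
            'sid:%d; rev:%d;)' % (msg, hex_payload, sid, rev))

def build_rules(candidates, first_sid=1000001):
    """candidates: (label, hex string) pairs -> (rules, {label: problems} for rejected ones)."""
    rules, rejected, sid = [], {}, first_sid
    for label, hexstr in candidates:
        raw = bytes.fromhex(hexstr)
        problems = check_pattern(raw)
        if problems:
            rejected[label] = problems
            continue
        rules.append(snort_content_rule(raw, sid, "payload.exe %s section bytes" % label))
        sid += 1
    return rules, rejected

if __name__ == "__main__":
    rules, rejected = build_rules([(".text", SIG_TEXT), (".data", SIG_DATA)])
    for rule in rules:
        print(rule)
    for label, why in rejected.items():
        print("rejected %s: %s" % (label, "; ".join(why)))
```

Two caveats belong with such a rule. Snort's content match only sees the file when it crosses the wire unencrypted and the stream preprocessor has reassembled it, and an MD5 such as the one printed above is not a byte sequence present in the file, so it cannot be used as a content match at all. Secondly, the first bytes of a .text section in a Visual C++ build are mostly C runtime start-up code shared with a great many legitimate programs, so a candidate pattern should be tested against a corpus of known-good binaries before it goes into the rule set.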