2. Unpacking

Examining the Strings in Lab01-02.exe with BinText

Examine the strings in Lab01-02.exe with BinText.

There are only a few strings, and they name only a few ordinary Windows API functions, as shown below.

These strings aren't from the malware itself; they come from the UPX packer, as shown below.

Examining the File with PEiD

Run PEiD on the file. It shows that the file is packed with UPX, as shown in the "EP Section" field below.

Examining the File with PEview

Run PEview on the file. The file has sections labeled UPX0, UPX1, and UPX2, as shown below.

These are section names produced by the UPX packer.
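The section names PEview displays and the "EP Section" PEiD reports are both read straight from the PE section table. The Python below is an added example, not code from this lab page or from UPX, PEiD or PEview: it parses the section headers, finds the section containing the entry point, and flags the UPX pattern on a constructed header whose names, RVAs and sizes are made up to mimic a UPX-packed file.

```python
import struct
# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image held in memory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                       # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, coff + 36)[0]  # optional header + 16: AddressOfEntryPoint
    sections = []
    for i in range(nsec):  # section table follows the optional header
        name, vsize, va, raw, *_ = SECTION_HDR.unpack_from(data, coff + 20 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw})
    return entry_rva, sections

def ep_section(entry_rva, sections):  # the section PEiD reports as "EP Section"
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None

def upx_indicators(data):
    """The signs PEiD/PEview made visible: UPX section names, EP inside UPX1, empty UPX0 buffer."""
    entry_rva, sections = parse_pe(data)
    ep = ep_section(entry_rva, sections)
    return {"ep_section": ep,
            "upx_section_names": any(s["name"].startswith("UPX") for s in sections),
            "entry_in_upx": ep is not None and ep.startswith("UPX"),
            # UPX0 is the in-memory unpack buffer: large virtual size, zero bytes on disk
            "empty_unpack_buffer": any(s["raw"] == 0 and s["vsize"] > 0 for s in sections)}

def build_sample_pe(sections, entry_rva):
    """Constructed minimal PE32 header (not a real binary); sections are (name, va, vsize, raw)."""
    opt_size = 0xE0
    img = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva)  # Magic .. AddressOfEntryPoint
    img += opt + b"\0" * (opt_size - len(opt))
    for name, va, vsize, raw in sections:
        img += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, raw, 0, 0, 0, 0, 0, 0)
    return img

# Constructed layout mimicking the packed Lab01-02.exe: entry point inside UPX1, UPX0 empty on disk
PACKED = build_sample_pe([(b"UPX0", 0x1000, 0x6000, 0), (b"UPX1", 0x7000, 0x2000, 0x1200),
                          (b"UPX2", 0x9000, 0x1000, 0x200)], 0x8A10)
```

To run it on a real sample, pass `open(path, "rb").read()` to upx_indicators; an unpacked build with .text/.rdata/.data sections and its entry point in .text clears all three flags.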

Unpacking the File with UPX

Open a Command Prompt window and execute this command:
UPX
You see a UPX help message, as shown below:

Execute these commands to move to the directory containing the malware samples, and list the files there:

cd "\Users\Administrator\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L"

DIR

You see several malware samples, including Lab01-02.exe, as shown below:

Execute these commands to unpack the file, and list the files again:

UPX -d -o Lab01-02-unpacked.exe Lab01-02.exe

DIR

The unpacked file is much larger than the original file, as shown below:

Analyze the unpacked file with PEiD. It is now recognized as a "Microsoft Visual C++ 6.0" file, as shown below.

On the right side of the PEiD box, find the "First Bytes" value. The last 2 bytes are redacted in the image above.

Use the form below to put your name on the WINNERS PAGE.

First Bytes (5 pts)
Answer format: two bytes, like this: A8B8

Imports

Find the unpacked file's imports with Dependency Walker.

The imports from KERNEL32.DLL, ADVAPI32.DLL, and MSVCRT.DLL are uninformative generic functions used by almost every program.

However, the WININET.DLL imports are InternetOpenUrlA and InternetOpenA, as shown below. This indicates that the malware connects to a URL.

Strings

Find the strings in the unpacked file.

You should see the API names InternetOpenUrlA and InternetOpenA, and the command-and-control URL http://www.malwareanalysisbook.com, as shown below.

These suggest that infected machines will connect to http://www.malwareanalysisbook.com. The name of the running service, MalService, is also visible.

The last string is redacted in the image above.

Use the form below to put your name on the WINNERS PAGE.

Last String (5 pts)

Last modified 4-19-18