
Malware Analysis with Vivisect

Colin Williams

NEST

What is Vivisect?

• Python framework
• Cross-platform (Windows, Linux, Mac)
• Three components:
  ◦ Vivisect: Interactive disassembler
  ◦ Vtrace: Python debugger module
  ◦ Vdb: Command-line debugger (uses Vtrace)
• Doesn’t have good documentation

Introduction to Vivisect

• Disassembler with GUI
• Used for static analysis
• Can launch VDB

Introduction to Vdb

• Command-line debugger
• Uses Vtrace API
• Can import scripts

Introduction to Vtrace

• Python module
• Fully functional debugger
• Control program execution
• Add breakpoints on memory locations, expressions, or memory access
• Run custom code when events occur (load module, load file, etc.)

Installing Vivisect

1. Install Python 2.7
2. Install QtPy
3. Go to https://www.wendangku.net/doc/5315160589.html,/static/releases/, and download the latest version of Vivisect
4. Copy the Vivisect files into the Python installation directory (Optional)

Using Vivisect

• python vivbin
• View->Layouts->Load
  ◦ vivisect/qt/default.lyt

Vivisect Windows

• Strings - Displays all strings found in the binary
• Segments - Displays known segments in the binary
• Imports - Displays all function imports used
• Exports - Displays all function exports provided
• Functions - Displays all known functions available in the binary

Vivisect Function Graph

• Displays a program flow graph
• Visualize code paths more easily
• Comment sections of code
• Rename locations

Vivisect Assembly Window

• Displays assembly for the selected function
• Syntax highlighting
• Cross referencing
• Rename locations
• Comment sections

Using Vdb

• python vdbbin
• exec - execute and attach
• attach - attach to running process
• help - displays command list or help for one command
• bp - manage breakpoints
• dis - disassemble around an address
• mem - print memory (optionally formatted)
• writemem - modify memory
• stepi - step one instruction (after breaking)
• script - run a python script in the context of the debugger

Using Vtrace (in a python script)

• Import vtrace (and optionally vdb)
  ◦ import vtrace
  ◦ import vdb
• Create a Trace object
  ◦ trace = vtrace.getTrace()
• Execute a trace on the program (doesn’t actually execute the program)
  ◦ trace.execute(filepath)

Using Vtrace (in a python script) (cont’d)

• Set up breakpoints, functions, etc.
• Run the program in the trace
  ◦ trace.run()
  ◦ This WILL run the program - be careful

Example - PMA Lab 01-01

• Practical Malware Analysis, by Sikorski and Honig
• Download from here: https://www.wendangku.net/doc/5315160589.html,/labs/
• Chapter 1, Lab 1
• Replaces a system DLL with a modified version that opens a back door.
• Two files - Lab01-01.exe & Lab01-01.dll
• As always, use a virtual machine

General Overview - Vivisect

• Open file in vivisect
  ◦ python vivbin Lab01-01.exe
  ◦ python vivbin Lab01-01.dll
• Look through strings, imports, functions, etc.

Imports (exe) - Vivisect

• File management imports
  ◦ CreateFile
  ◦ CreateFileMapping
  ◦ FindClose
  ◦ FindNextFile
  ◦ FindFirstFile
  ◦ CopyFile
• Probably doing something with files

Imports (dll) - Vivisect

• Process Management
  ◦ CreateProcess
  ◦ CreateMutex
  ◦ OpenMutex
  ◦ Sleep
• Networking
  ◦ inet_addr
  ◦ connect
  ◦ send
  ◦ recv
  ◦ closesocket
  ◦ htons

Strings (exe) - Vivisect

• References to DLL files
  ◦ 2 absolute
  ◦ 2 relative (local)
• Note the last one
  ◦ kerne132.dll, rather than kernel32.dll
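An added example (not from the slides) that automates the check made on this slide: it takes strings of the kind Vivisect's Strings window lists, classifies each DLL reference as absolute or relative, and flags a basename that imitates a genuine system DLL, such as kerne132.dll standing in for kernel32.dll. The sample strings and the short list of known DLL names are constructed for the example.

```python
import re

# Constructed sample: strings of the kind Vivisect's Strings window lists for
# Lab01-01.exe (values are made up for this example, not copied from the lab).
SAMPLE_STRINGS = [
    r"C:\windows\system32\kernel32.dll",
    r"C:\windows\system32\kerne132.dll",
    r"kernel32.dll",
    r"Lab01-01.dll",
]
# Genuine system DLL names to compare against (a small list; extend as needed).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "ws2_32.dll", "advapi32.dll"}
# Glyphs that pass for a letter at a glance: digit one for l, zero for o.
CONFUSABLE = str.maketrans({"1": "l", "0": "o"})
# Optional drive letter or leading backslash, any directories, then a .dll basename.
DLL_REF = re.compile(r"^(?:[A-Za-z]:\\|\\)?(?:[^\\]+\\)*([^\\]+\.dll)$", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance; one edit away from a real name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the genuine DLL that `name` imitates, or None if it is real or unrelated."""
    if name in KNOWN_DLLS:
        return None
    folded = name.translate(CONFUSABLE)
    for known in KNOWN_DLLS:
        if folded == known or edit_distance(name, known) <= 1:
            return known
    return None

def classify_dll_refs(strings):
    """Return (path_kind, basename, lookalike_of) for every string that names a .dll."""
    results = []
    for s in strings:
        m = DLL_REF.match(s)
        if not m:
            continue
        base = m.group(1).lower()
        kind = "absolute" if s[1:2] == ":" or s.startswith("\\") else "relative"
        results.append((kind, base, lookalike_of(base)))
    return results
```

Running classify_dll_refs over the sample reports two absolute and two relative references and marks kerne132.dll as a look-alike of kernel32.dll.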

Strings (dll) - Vivisect

• IP address
  ◦ Indicates network activity
• Sleep, exec, hello
  ◦ Unknown at this point

Dynamic - Vtrace

• Set up a custom debugger script to control the executable
  ◦ Prevent it from actually doing anything harmful
  ◦ Determine what it is trying to do
• Use information from Vivisect to determine what breakpoints to use