
Study34

Malware Analysis Series (MAS) – Article 5  It has already been two months since I started translating and studying the 'Malware Analysis Series (MAS)' from Alexandre Borges' blog Exploit Reversing and analyzing samples the way it teaches. This is already the post reviewing the fifth article. The fifth article covers x64 malware analysis. [Instruction] Welcome to the fifth article of the Malware Analysis Series (MAS). The main goal of this series is to provide fundamental concepts and practically applicable approaches to malware analysis, so that readers can acquire the necessary skills and go on to analyze and learn on their own. As you have seen in the series so far, difficult samples will not be presented. In the previous four articles .. 2025. 3. 25.
Malware Analysis Series (MAS) – Article 4  I will review and study the 'Malware Analysis Series (MAS)' from Alexandre Borges' blog Exploit Reversing. The fourth article covers .NET for the first time in the MAS series. [Instruction] This article covers .NET malware analysis for the first time. Various techniques and tricks can make it difficult, but excellent tools such as dnSpy and ILSpy, which disassemble the code to MSIL (Microsoft Intermediate Language) and decompile it into a high-level .NET language close to the original, will help. However, some custom encoding and .. 2025. 3. 6.
Managed code / Unmanaged code / Native code: the differences  Managed code [Definition] Code that runs in a managed environment. [Characteristics] It runs on the CLR (Common Language Runtime), which handles a range of management tasks automatically. Memory allocation and release are handled automatically through garbage collection. Exception handling is likewise provided automatically by the runtime. The managed environment enforces type and memory safety (array bounds checks, no unchecked pointer arithmetic unless code is explicitly marked unsafe), so many memory-corruption bugs that would be silent in native code are raised as exceptions instead. Managed runtimes such as the .NET Framework or Java let the same code run on several platforms. The CLR supports debugging and profiling while the code runs. [Examples] C#, VB.NET  Unmanaged code [Definition] Code that runs without the automatic management of the operating system or a runtime environment. [Characteristics] Memory management at the operating-system level is .. 2025. 2. 27.
Malware Analysis Series (MAS) – Article 3  I will review and study the 'Malware Analysis Series (MAS)' from Alexandre Borges' blog Exploit Reversing. The third article is about control flow flattening, API resolving and the process of decrypting the C2 IP addresses. [Instruction] Before proceeding, I recommend taking a snapshot of the virtual machine and turning off network connectivity and shared folders. We are not dealing with ransomware, but when analyzing malware samples, make sure the virtual machine is not exposed to the local network. To perform the analysis I used REMnux and Windows 8.1/10 (64.. 2025. 2. 17.
๋ฐ”์ด๋„ˆ๋ฆฌ์—์„œ ์•”ํ˜ธํ™”๋œ ๋ฌธ์ž์—ด ์ถ”์ถœ(๋ณตํ˜ธํ™”)ํ•˜๊ธฐ ์•…์„ฑ์ฝ”๋“œ๋Š” ํ”ํžˆ XOR ์—ฐ์‚ฐ์„ ํ†ตํ•ด ๋‚œ๋…ํ™”ํ•˜๊ณ  ๋‚ด๋ถ€ ๋ฐ์ดํ„ฐ๋ฅผ ์ˆจ๊น๋‹ˆ๋‹ค.์ด๋ฅผ ๋ณตํ˜ธํ™”ํ•˜๋Š” python ์Šคํฌ๋ฆฝํŠธ์— ๋Œ€ํ•ด ๊ณต๋ถ€ํ•ด๋ณด๊ฒ ์Šต๋‹ˆ๋‹ค. (์Šคํฌ๋ฆฝํŠธ๋Š” ๋ชจ๋‘ Alexandre Borges์˜ "Malware Analysis Series(MAS) – Article 2"๋ฅผ ์ฐธ์กฐํ•˜์˜€์Šต๋‹ˆ๋‹ค.) ์ƒ˜ํ”Œ ํ•ด์‹œ(SHA256)๋Š” 73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8์ž…๋‹ˆ๋‹ค.ํ•ด๋‹น ์ƒ˜ํ”Œ์€ Qakbot ์•…์„ฑ์ฝ”๋“œ๋กœ ์–ธํŒจํ‚นํ•œ ํ›„ ์ง„ํ–‰ํ•˜์˜€์Šต๋‹ˆ๋‹ค.  ๋จผ์ € ์•…์„ฑ์ฝ”๋“œ์˜ ์ž์ฒด ๋ณตํ˜ธํ™” ํ•จ์ˆ˜๋ฅผ ์‚ดํŽด๋ณด๊ฒ ์Šต๋‹ˆ๋‹ค.๋ณตํ˜ธํ™” ๋ฃจํ‹ด sub_100085dC๋ฅผ ๋ณด๋ฉด, ๋‘ ๋ฒˆ์งธ ์ธ์ˆ˜๋Š” ์•”ํ˜ธํ™”๋œ ๋ฌธ์ž์—ด๋กœ 0x1001D5A8์— ์žˆ๊ณ  ์ƒˆ ๋ฒˆ์งธ ์ธ์ˆ˜์ธ ๋ณตํ˜ธํ™” ํ‚ค๋Š” ์ฃผ์†Œ 0x1001E3F8์— ์žˆ์Šต๋‹ˆ๋‹ค.. 2025. 2. 6.
Malware Analysis Series (MAS) – Article 2  I will review and study the 'Malware Analysis Series (MAS)' from Alexandre Borges' blog Exploit Reversing. The second article is about API resolving and C++ structures. [Instruction] In this article I will analyze the simple malware Qakbot and explain string decryption, API resolving, C++ structures and C2 data extraction. Since unpacked malware is quite rare these days, it is worth knowing which APIs to set breakpoints on when unpacking native code. The list of APIs is as follows: CreatePr.. 2025. 1. 16.