Oke para netter, kali ini saya akan membagi pengalaman saya dalam melakukan analisis seekor malware atau virus. Ada beberapa persiapan yang harus anda miliki agar bisa melakukan analisa seekor malware. Berikut ini beberapa yang harus anda persiapkan :
1. Vmware.
Vmware disini berfungsi sebagai Lab Malware kita. Dimana nanti si malware akan kita jalankan. Dengan ada nya vmware kita bisa dengan leluasa melakukan analisa tanpa harus takut komputer system kita terkena efek dari malware.
2. Tools activity process
Tools ini berguna untuk melihat proses dari si malware itu sendiri. Anda bisa download secara free.
3. DOS
Yups, kenapa dos??? bila anda paham akan dengen beberapa command dos itu sangat berguna sekali dalam melakukan analisa malware.
Attrib
####
C:\>attrib /?
Displays or changes file attributes.
ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [drive:][path][filename]
[/S [/D]]
+ Sets an attribute.
- Clears an attribute.
R Read-only file attribute.
A Archive file attribute.
S System file attribute.
H Hidden file attribute.
[drive:][path][filename]
Specifies a file or files for attrib to process.
/S Processes matching files in the current folder
and all subfolders.
/D Processes folders as well.
berfungsi untuk menampilkan semua semua file yang tersembunyi. Selain itu dengan command attrib kita bisa merubah atribute dari sebuah file.
Tasklist
######
C:\>tasklist /?
TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
Description:
This command line tool displays a list of application(s) and
associated task(s)/process(es) currently running on either a local or
remote system.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/M [module] Lists all tasks that have DLL modules loaded
in them that match the given pattern name.
If the module name is not specified,
displays all modules loaded by each task.
/SVC Displays services in each process.
/V Specifies that the verbose information
is to be displayed.
/FI filter Displays a set of tasks that match a
given criteria specified by the filter.
/FO format Specifies the output format.
Valid values: "TABLE", "LIST", "CSV".
/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/? Displays this help/usage.
Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING | NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name
Examples:
TASKLIST
TASKLIST /M
TASKLIST /V
TASKLIST /SVC
TASKLIST /M wbem*
TASKLIST /S system /FO LIST
TASKLIST /S system /U domain\username /FO CSV /NH
TASKLIST /S system /U username /P password /FO TABLE /NH
TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
Description:
This command line tool displays a list of application(s) and
associated task(s)/process(es) currently running on either a local or
remote system.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/M [module] Lists all tasks that have DLL modules loaded
in them that match the given pattern name.
If the module name is not specified,
displays all modules loaded by each task.
/SVC Displays services in each process.
/V Specifies that the verbose information
is to be displayed.
/FI filter Displays a set of tasks that match a
given criteria specified by the filter.
/FO format Specifies the output format.
Valid values: "TABLE", "LIST", "CSV".
/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/? Displays this help/usage.
Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING | NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name
Examples:
TASKLIST
TASKLIST /M
TASKLIST /V
TASKLIST /SVC
TASKLIST /M wbem*
TASKLIST /S system /FO LIST
TASKLIST /S system /U domain\username /FO CSV /NH
TASKLIST /S system /U username /P password /FO TABLE /NH
TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
Tasklist sama fungsinya dengan taskmanager. Kita bisa melakukan end proses dengan service tasklist.
Dan banyak lagi service dos yang lain yang bisa kita gunakan.
4. Debugger tools (advanced only)
Tools ini diperuntukkan untuk melihat source code dari si malware dan semua aktivitynya. Banyak tools yang anda bisa gunakan. IDA pro, Ollydbg, .... etc.
5. Pemahaman registry tools, System configuration utility, Group policy.
Ketiga service ini sangat berperan penting sekali dalam melakukan analisa malware.
Oke sekian dulu .... maaf bila ada yang ingin ditanyakan silahkan di diskusikan dengan saya langsung.
Postingan
0 komentar :
Posting Komentar