CreateMutex
까보면 다나와~
유용한 지식 자료들 (89)

Sudo pip install은 안돼요!

https://medium.com/@chullino/sudo-%EC%A0%88%EB%8C%80-%EC%93%B0%EC%A7%80-%EB%A7%88%EC%84%B8%EC%9A%94-8544aa3fb0e7

 

 

 

Sudo pip install은 안돼요!

안녕하세요. 개발자 Chullin입니다.

medium.com

 

TL; DR

  • pip 으로 패키지 설치할 때, sudo는 위험하니 절대 쓰지 맙시다.
  • 대신 가상환경 패키지 매니저를 설치하고 가상환경을 활용합시다.
  • pip 개발자도, 특권이 필요한 경로를 디폴트 경로로 설정한 것에 대해후회한다고 합니다.
  Comments,   0  Trackbacks
댓글 쓰기

Virustotal Enterprise.. not Enteprise

Virustotal Enterprise.. not Enteprise



어제?? 부로 Enterprise 사이트가 생겨나고 Intelligence가 서브 메뉴로 전환되었다.


https://www.virustotal.com/intelligence/

사이트 접근시 이제는 VT Enteprise(오타)라며 아래 사이트로 안내한다.ㅋ


https://www.virustotal.com/gui/



Enterprise.. 검색기능이 좋아진거 같다. 특히 유사한 파일을 검색해주는데 vhash를 이용하지 않았을까



  Comments,   0  Trackbacks
  • 애드웨어(광고창) 삭제 기능이 추가된 컴퓨터 무료 최적화 프로그램의 최강자 이지클린(EzClean)도 사용해보세요.


    네이버 자료실 :
    https://software.naver.com/software/summary.nhn?softwareId=GWS_003052&categoryId=B0600000

    이지클린 홈페이지 :
    http://www.ezclean.info
댓글 쓰기

시스템에서 가장 용량 많은 폴더 10개 뽑기


du -ah / | sort -n -r | head -n 10

  Comments,   0  Trackbacks
댓글 쓰기

Awesome Malware Analysis

https://github.com/rshipp/awesome-malware-analysis


keep)잘 정리된 URL

  Comments,   0  Trackbacks
댓글 쓰기

New Fileless Ransomware with Code Injection Ability Detected in the Wild

https://vulnerablelife.wordpress.com/2017/06/18/new-fileless-ransomware-with-code-injection-ability-detected-in-the-wild/


psexec를 이용해서 원격으로 svchost.exe에 인젝션하고 파일 인크립트한다는 내용



  Comments,   0  Trackbacks
댓글 쓰기

“Zusy” PowerPoint Malware Spreads Without Needing Macros

https://sentinelone.com/blogs/zusy-powerpoint-malware-spreads-without-needing-macros/


매크로 없이 동작하는 오피스 악성코드


대신 사용하는 기능 - "external programs" 


마우스 클릭하지 않아도 동작


external programs를 활성화 할것인지 메세지는 띄워짐


활성화 할경우 powershell 사용한 playload 동작함


C&C는 user-agent를 보내지 않아야 함



  Comments,   0  Trackbacks
댓글 쓰기

안티VM 악성코드 - 사이즈 확인도

최근에 분석한 악성코드.


VMWARE, VirtualBox, VM HDD Size 확인


1. VMWARE magic number ('VMXh') 체크 (이미지 생략)


2. VirtualBox 체크 

- \\\.\\VBoxMiniRdrDn

- VboxHook.dll


3. HDD 용량 체크

GetLogicalDrives로 드라이브를 찾고

GetDiskFreeSpaceExW로 용량 정보를 얻어온다.

특이하게 2부터 7까지 5번 돌면서 G_bytes(위그림의..) 변수에 각 드라이브 용량 합을 20Gbyte와 비교한다.

20G 미만 VM으로 판단


이부분은 처음 봐서 정리함. 


tag - e77d2f10a34

  Comments,   0  Trackbacks
댓글 쓰기

가상머신탐지 코드

https://damagelab.org/lofiversion/index.php?t=24538


매우 오래된 자료네요.


VirtualMachineDetect.h
Code://------------------------------------------------------------------------
//Функции для определения факта запуска приложения под виртуальной машиной
//   определяются VirtualBox, VMware, VirtualPC и Parallels Workstation
//------------------------------------------------------------------------
#include <windows.h>
#include <Tlhelp32.h>
#include <iphlpapi.h>

#pragma comment(lib, "IPHLPAPI.lib")

//обнаружение VMware с помощью backdoor-порта
bool VMwareDetect();

//обнаружение VirtualPC с помощью "неправильных" команд процессора
bool VirtualPCDetect();

//обнаружение VMware имени окна "VMSwitchUserControlClass"
bool VMwareWindowDetect();

//обнаружение VirtualBox имени окна "VBoxTrayToolWndClass"
bool VirtualBoxWindowDetect();

//обнаружение VMware по версии BIOS в реестре
bool VMwareBIOSDetect();

//обнаружение VirtualBox по версии BIOS видеоадаптера в реестре
bool VirtualBoxBIOSDetect();

//обнаружение Parallels Workstatin по наличию ключа PRLSACPI в реестре
bool ParallelsRegDetect();

//обнаружение VirtualBox по имени процесса "VBoxTray.exe"
bool VirtualBoxProcessDetect();

//обнаружение VirtualPC по имени процесса "vmusrvc.exe"
bool VirtualPCProcessDetect();

//обнаружение VMware по имени процесса "vmtoolsd.exe"
bool VMwareProcessDetect();

//обнаружение VirtualBox по имени объекта "Device\VBoxMiniRdrDN" и "Device\VBoxGuest"
bool VirtualBoxDevObjDetect();

//обнаружение VirtualPC по имени объекта "Device\\VMDRV"
bool VirtualPCDevObjDetect();

//обнаружение VirtualBox по идентификатору процессора
bool VirtualBoxCPUIDDetect();

//обнаружение VMware по идентификатору процессора
bool VMwareCPUIDDetect();

//обнаружение Parallels Workstatin по идентификатору процессора
bool ParallelsCPUIDDetect();

//обнаружение VirtualPC по MAC-адресу
bool VirtualPCMACDetect();

//обнаружение VirtualBox по MAC-адресу
bool VirtualBoxMACDetect();

//обнаружение VMware по MAC-адресу
bool VMwareMACDetect();

//обнаружение Parallels Workstatin по MAC-адресу
bool ParallelsMACDetect();

//обнаружение виртуальной машины по идентификатору жесткого диска
//для VirtualPC IDDisk - "DiskVirtual"
//для VirtualBox IDDisk - "DiskVBOX_HARDDISK"
//для VMware IDDisk - "Prod_VMware_Virtual"
bool VirtualMachineIDDiskDetect(char* IDDisk);

//обнаружение Parallels Workstatin по видеоадаптеру
bool ParallelsVideoCardDetect();

//обнаружение VirtualBox по видеоадаптеру
bool VirtualBoxVideoCardDetect();

//обнаружение VirtualPC по видеоадаптеру
bool VirtualPCVideoCardDetect();


VirtualMachineDetect.cpp
Code:#include "VirtualMachineDetect.h"

//----------------------------------------------------------------------
bool VMwareDetect()
{
__try
{
__asm
 {
 mov eax, 0x564d5868
 mov ecx, 0x0A
 mov edx, 0x5658
 in eax, dx 
 }
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER) 
{
return false;
}
}
//----------------------------------------------------------------------
bool VirtualPCDetect()
{
__try
{
__asm
 {
 xor ebx, ebx
 mov eax, 1
 __emit(0x0F)
 __emit(0x3F)
 __emit(0x07)
 __emit(0x0B)  
 }
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER) 
{
 return false;
}
}
//----------------------------------------------------------------------
bool VMwareWindowDetect()
{
HWND VMwareWindow = NULL;
VMwareWindow = FindWindowA("VMSwitchUserControlClass",NULL);
if(VMwareWindow != NULL)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxWindowDetect()
{
HWND VBoxWindow = NULL;
VBoxWindow = FindWindowA("VBoxTrayToolWndClass",NULL);
if(VBoxWindow != NULL)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VMwareBIOSDetect()
{
HKEY rKey;
wchar_t RegKey[256];
wchar_t RegVMware[] = {L"VMware Virtual Platform"};
DWORD RegPath = sizeof(RegKey);

RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\DESCRIPTION\\System\\BIOS",
   0,
   KEY_QUERY_VALUE,
   &rKey);

RegQueryValueEx(rKey,
   L"SystemProductName",
   NULL,
   NULL,
   (BYTE*)RegKey,
   &RegPath);

RegCloseKey(rKey);

if (memcmp(RegKey, RegVMware, 48) == 0)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxBIOSDetect()
{
HKEY rKey;
wchar_t RegKey[256];
wchar_t RegVBox[] = {L"Oracle VM VirtualBox"};
DWORD RegPath = sizeof(RegKey);

RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\DESCRIPTION\\System",
   0,
   KEY_QUERY_VALUE,
   &rKey);

RegQueryValueEx(rKey,
   L"VideoBiosVersion",
   NULL,
   NULL,
   (BYTE*)RegKey,
   &RegPath);

RegCloseKey(rKey);

if (memcmp(RegKey, RegVBox, 40) == 0)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool ParallelsRegDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\ACPI\\DSDT\\PRLS__\\PRLSACPI",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxProcessDetect()
{
wchar_t VBoxProcessName[] = {L"VBoxTray.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VBoxProcessName, 24) == 0)
{
 CloseHandle(hSnapShot);
 return true;
}
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VirtualPCProcessDetect()
{
wchar_t VirtualPCProcessName[] = {L"vmusrvc.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VirtualPCProcessName, 22) == 0)
{
 CloseHandle(hSnapShot);
 return true;
}
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VMwareProcessDetect()
{
wchar_t VMwareProcessName[] = {L"vmtoolsd.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VMwareProcessName, 24) == 0)
{
 CloseHandle(hSnapShot);
 return true;
}
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxDevObjDetect()
{
if ((CreateFile(L"\\\\.\\VBoxMiniRdrDN",0,0,0,OPEN_EXISTING,0,0) !=
INVALID_HANDLE_VALUE)||
(CreateFile(L"\\\\.\\VBoxGuest",0,0,0,OPEN_EXISTING,0,0) !=
INVALID_HANDLE_VALUE))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool VirtualPCDevObjDetect()
{
if (CreateFile(L"\\\\.\\VMDRV",0,0,0,OPEN_EXISTING,0,0) !=
INVALID_HANDLE_VALUE)
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool VirtualBoxCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x00000340)&&(ID_2 == 0x00000340))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool VMwareCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x61774d56)&&(ID_2 == 0x4d566572)&&(ID_3 == 0x65726177))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool ParallelsCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x70726c20)&&(ID_2 == 0x68797065)&&(ID_3 == 0x72762020))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool VirtualPCMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x03) &&
((BYTE)AdapterInfo->Address[2] == 0xff) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x12) &&
((BYTE)AdapterInfo->Address[2] == 0x5a) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x1d) &&
((BYTE)AdapterInfo->Address[2] == 0xd8) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x15) &&
((BYTE)AdapterInfo->Address[2] == 0x5d) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x22) &&
((BYTE)AdapterInfo->Address[2] == 0x48) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x0d) &&
((BYTE)AdapterInfo->Address[2] == 0x3a) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x17) &&
((BYTE)AdapterInfo->Address[2] == 0xfa) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x25) &&
((BYTE)AdapterInfo->Address[2] == 0xae) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x50) &&
((BYTE)AdapterInfo->Address[2] == 0xf2) ||
((BYTE)AdapterInfo->Address[0] == 0x28) &&
((BYTE)AdapterInfo->Address[1] == 0x18) &&
((BYTE)AdapterInfo->Address[2] == 0x78) ||
((BYTE)AdapterInfo->Address[0] == 0x60) &&
((BYTE)AdapterInfo->Address[1] == 0x45) &&
((BYTE)AdapterInfo->Address[2] == 0xbd) ||
((BYTE)AdapterInfo->Address[0] == 0x7c) &&
((BYTE)AdapterInfo->Address[1] == 0x1e) &&
((BYTE)AdapterInfo->Address[2] == 0x52) ||
((BYTE)AdapterInfo->Address[0] == 0x7c) &&
((BYTE)AdapterInfo->Address[1] == 0xed) &&
((BYTE)AdapterInfo->Address[2] == 0x8d) ||
((BYTE)AdapterInfo->Address[0] == 0xdc) &&
((BYTE)AdapterInfo->Address[1] == 0xb4) &&
((BYTE)AdapterInfo->Address[2] == 0xc4))
{
delete(AdapterInfo);
return true;
}
else
{
delete(AdapterInfo);
return false;
}  
}
//----------------------------------------------------------------------
bool VirtualBoxMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x08) &&
((BYTE)AdapterInfo->Address[1] == 0x00) &&
((BYTE)AdapterInfo->Address[2] == 0x27) ||
((BYTE)AdapterInfo->Address[0] == 0x08) &&
((BYTE)AdapterInfo->Address[1] == 0x00) &&
((BYTE)AdapterInfo->Address[2] == 0x20))
{
delete(AdapterInfo);
return true;
}
else
{
delete(AdapterInfo);
return false;
}  
}
//----------------------------------------------------------------------

bool VMwareMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x05) &&
((BYTE)AdapterInfo->Address[2] == 0x69) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x0c) &&
((BYTE)AdapterInfo->Address[2] == 0x29) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x1c) &&
((BYTE)AdapterInfo->Address[2] == 0x14) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x50) &&
((BYTE)AdapterInfo->Address[2] == 0x56))
{
delete(AdapterInfo);
return true;
}
else
{
delete(AdapterInfo);
return false;
}  
}
//----------------------------------------------------------------------
bool ParallelsMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x1c) &&
((BYTE)AdapterInfo->Address[2] == 0x42))
{
delete(AdapterInfo);
return true;
}
else
{
delete(AdapterInfo);
return false;
}  
}
//----------------------------------------------------------------------
bool VirtualMachineIDDiskDetect(char* IDDisk)
{
HKEY rKey;
char RegKey[4096];
DWORD RegPath = sizeof(RegKey);
DWORD Type = REG_SZ;

RegOpenKeyExA(HKEY_LOCAL_MACHINE,
   "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
   0,
   KEY_QUERY_VALUE,
   &rKey);

RegQueryValueExA(rKey,
   "0",
   NULL,
   &Type,
   (LPBYTE)RegKey,
   &RegPath);

RegCloseKey(rKey);

if (strstr(RegKey, IDDisk) != 0)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool ParallelsVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualPCVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------


'유용한 지식 자료들 > Anti Reversing 기법' 카테고리의 다른 글

가상머신탐지 코드  (0) 2015.12.29
안티 디버깅(anti-debugging) 기법들  (0) 2011.11.29
CMPXCHG8B and LOCK  (0) 2011.11.29
Red Pill  (1) 2011.11.29
OpenRCE Anti Reverse Engineering Techniques Database  (0) 2011.11.29
windows-anti-debug-reference  (0) 2011.11.29
  Comments,   0  Trackbacks
댓글 쓰기

EPM Sandbox (IE)에 대한 글

#EPM이 뭔지

http://www.julien-manici.com/blog/ie10-new-sandbox-enhanced-protected-mode-windows-8/


#EPM 취약점

http://googleprojectzero.blogspot.co.uk/2014/12/internet-explorer-epm-sandbox-escape.html

  Comments,   0  Trackbacks
댓글 쓰기

리눅스 특정 사이즈 이상 폴더 삭제

ex) du -sk */ | awk 'BEGIN { FS="\t" }; { if($1 > 100000) printf "." $2 }' | xargs rm -rf


xargs rm -rf 대신 xargs du -sh로 폴더 용량 확인하고 삭제 하시길.


응용 : 폴더 depth를 2개까지로 한정하고 용량 범위를 지정하여 삭제

du -k 12*/ --max-depth=1 | awk 'BEGIN { FS="\t" }; { if($1 > 100000 && $1 < 2000000) printf "." $2 }' | xargs rm -rf


  Comments,   0  Trackbacks
댓글 쓰기