
Sudo pip install은 안돼요!

https://medium.com/@chullino/sudo-%EC%A0%88%EB%8C%80-%EC%93%B0%EC%A7%80-%EB%A7%88%EC%84%B8%EC%9A%94-8544aa3fb0e7

 

 

 

Sudo pip install은 안돼요!

안녕하세요. 개발자 Chullin입니다.

medium.com

 

TL; DR

  • pip 으로 패키지 설치할 때, sudo는 위험하니 절대 쓰지 맙시다.
  • 대신 가상환경 패키지 매니저를 설치하고 가상환경을 활용합시다.
  • pip 개발자도, 특권이 필요한 경로를 디폴트 경로로 설정한 것에 대해 후회한다고 합니다.

Virustotal Enterprise.. not Enteprise

Virustotal Enterprise.. not Enteprise



어제?? 부로 Enterprise 사이트가 생겨나고 Intelligence가 서브 메뉴로 전환되었다.


https://www.virustotal.com/intelligence/

사이트 접근시 이제는 VT Enteprise(오타)라며 아래 사이트로 안내한다.ㅋ


https://www.virustotal.com/gui/



Enterprise.. 검색기능이 좋아진거 같다. 특히 유사한 파일을 검색해주는데 vhash를 이용하지 않았을까




시스템에서 가장 용량 많은 폴더 10개 뽑기


du -ah / | sort -n -r | head -n 10


Awesome Malware Analysis

https://github.com/rshipp/awesome-malware-analysis


keep)잘 정리된 URL


New Fileless Ransomware with Code Injection Ability Detected in the Wild

https://vulnerablelife.wordpress.com/2017/06/18/new-fileless-ransomware-with-code-injection-ability-detected-in-the-wild/


psexec를 이용해서 원격으로 svchost.exe에 인젝션하고 파일 인크립트한다는 내용




“Zusy” PowerPoint Malware Spreads Without Needing Macros

https://sentinelone.com/blogs/zusy-powerpoint-malware-spreads-without-needing-macros/


매크로 없이 동작하는 오피스 악성코드


대신 사용하는 기능 - "external programs" 


마우스 클릭하지 않아도 동작


external programs를 활성화 할것인지 메세지는 띄워짐


활성화 할 경우 powershell을 사용한 payload가 동작함


C&C는 user-agent를 보내지 않아야 함




안티VM 악성코드 - 사이즈 확인도

최근에 분석한 악성코드.


VMWARE, VirtualBox, VM HDD Size 확인


1. VMWARE magic number ('VMXh') 체크 (이미지 생략)


2. VirtualBox 체크 

- \\\.\\VBoxMiniRdrDn

- VboxHook.dll


3. HDD 용량 체크

GetLogicalDrives로 드라이브를 찾고

GetDiskFreeSpaceExW로 용량 정보를 얻어온다.

특이하게 2부터 7까지 5번 돌면서 G_bytes(위그림의..) 변수에 각 드라이브 용량 합을 20Gbyte와 비교한다.

20G 미만 VM으로 판단


이부분은 처음 봐서 정리함. 


tag - e77d2f10a34


가상머신탐지 코드

https://damagelab.org/lofiversion/index.php?t=24538


매우 오래된 자료네요.


VirtualMachineDetect.h
//------------------------------------------------------------------------
//Functions for determining whether the application is running under a virtual machine
//   VirtualBox, VMware, VirtualPC and Parallels Workstation are detected
//------------------------------------------------------------------------
//NOTE(review): every function below reports true only when its single artifact
//(window, process, registry key, CPUID leaf, MAC OUI, ...) is present; none of
//them is conclusive on its own, so callers combine several.
#include <windows.h>
#include <Tlhelp32.h>
#include <iphlpapi.h>

#pragma comment(lib, "IPHLPAPI.lib")

//VMware detection via the backdoor I/O port
bool VMwareDetect();

//VirtualPC detection via "invalid" processor instructions
bool VirtualPCDetect();

//VMware detection by the window class name "VMSwitchUserControlClass"
bool VMwareWindowDetect();

//VirtualBox detection by the window class name "VBoxTrayToolWndClass"
bool VirtualBoxWindowDetect();

//VMware detection by the BIOS version in the registry
bool VMwareBIOSDetect();

//VirtualBox detection by the video adapter BIOS version in the registry
bool VirtualBoxBIOSDetect();

//Parallels Workstation detection by the presence of the PRLSACPI registry key
bool ParallelsRegDetect();

//VirtualBox detection by the process name "VBoxTray.exe"
bool VirtualBoxProcessDetect();

//VirtualPC detection by the process name "vmusrvc.exe"
bool VirtualPCProcessDetect();

//VMware detection by the process name "vmtoolsd.exe"
bool VMwareProcessDetect();

//VirtualBox detection by the object names "Device\VBoxMiniRdrDN" and "Device\VBoxGuest"
bool VirtualBoxDevObjDetect();

//VirtualPC detection by the object name "Device\\VMDRV"
bool VirtualPCDevObjDetect();

//VirtualBox detection by the processor identifier (CPUID)
bool VirtualBoxCPUIDDetect();

//VMware detection by the processor identifier (CPUID)
bool VMwareCPUIDDetect();

//Parallels Workstation detection by the processor identifier (CPUID)
bool ParallelsCPUIDDetect();

//VirtualPC detection by MAC address
bool VirtualPCMACDetect();

//VirtualBox detection by MAC address
bool VirtualBoxMACDetect();

//VMware detection by MAC address
bool VMwareMACDetect();

//Parallels Workstation detection by MAC address
bool ParallelsMACDetect();

//virtual machine detection by the hard-disk identifier
//for VirtualPC IDDisk - "DiskVirtual"
//for VirtualBox IDDisk - "DiskVBOX_HARDDISK"
//for VMware IDDisk - "Prod_VMware_Virtual"
bool VirtualMachineIDDiskDetect(char* IDDisk);

//Parallels Workstation detection by video adapter
bool ParallelsVideoCardDetect();

//VirtualBox detection by video adapter
bool VirtualBoxVideoCardDetect();

//VirtualPC detection by video adapter
bool VirtualPCVideoCardDetect();


VirtualMachineDetect.cpp
#include "VirtualMachineDetect.h"

//----------------------------------------------------------------------
// VMware detection via the "backdoor" I/O port.
// Loads the magic value 0x564d5868 ('VMXh') into EAX, command 0x0A into ECX
// and port 0x5658 into DX, then executes IN.  If the instruction completes
// the function reports true; if it raises an exception that the SEH handler
// catches (the outcome the author expects outside VMware) it reports false.
// NOTE(review): command 0x0A is the backdoor "get version" request — confirm
// against the VMware backdoor documentation for the version of interest.
// 32-bit MSVC only: the x64 compiler does not support __asm blocks.
bool VMwareDetect()
{
__try
{
__asm
 {
 mov eax, 0x564d5868
 mov ecx, 0x0A
 mov edx, 0x5658
 in eax, dx 
 }
// reached only when the port read did not fault
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER) 
{
return false;
}
}
//----------------------------------------------------------------------
// VirtualPC detection via an "invalid" instruction.
// Emits the byte sequence 0F 3F 07 0B (with EBX cleared and EAX = 1).  On a
// real CPU this is not a valid opcode, so the illegal-instruction exception
// lands in the SEH handler and the function returns false; when the
// sequence executes without faulting the function returns true.
// NOTE(review): the author relies on Virtual PC intercepting this sequence —
// confirm on the hypervisor version of interest.
// 32-bit MSVC only: the x64 compiler does not support __asm blocks.
bool VirtualPCDetect()
{
__try
{
__asm
 {
 xor ebx, ebx
 mov eax, 1
 __emit(0x0F)
 __emit(0x3F)
 __emit(0x07)
 __emit(0x0B)  
 }
// reached only when the emitted bytes executed without an exception
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER) 
{
 return false;
}
}
//----------------------------------------------------------------------
// VMware detection by window class name.
// Returns true when a top-level window of class "VMSwitchUserControlClass"
// exists on the current desktop, false otherwise.
bool VMwareWindowDetect()
{
const HWND hwnd = FindWindowA("VMSwitchUserControlClass", NULL);
return hwnd != NULL;
}
//----------------------------------------------------------------------
// VirtualBox detection by window class name.
// Returns true when a top-level window of class "VBoxTrayToolWndClass"
// (the guest-additions tray window) exists, false otherwise.
bool VirtualBoxWindowDetect()
{
const HWND hwnd = FindWindowA("VBoxTrayToolWndClass", NULL);
return hwnd != NULL;
}
//----------------------------------------------------------------------
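// VMware detection by the SystemProductName BIOS string in the registry.
// Reads HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName and returns
// true when the value equals "VMware Virtual Platform".
// Returns false when the key or the value cannot be read.
// Fixes vs. the original: both registry calls are checked (the original
// passed an uninitialized HKEY to RegQueryValueEx/RegCloseKey when the open
// failed), the buffer is zero-filled so a failed or unterminated read cannot
// feed garbage into the compare, and one slot is reserved for a terminator
// because REG_SZ data is not guaranteed to carry one.
bool VMwareBIOSDetect()
{
HKEY rKey = NULL;
wchar_t RegKey[256] = {0};
const wchar_t RegVMware[] = L"VMware Virtual Platform";
DWORD RegPath = sizeof(RegKey) - sizeof(wchar_t);   // last element stays 0

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\DESCRIPTION\\System\\BIOS",
   0,
   KEY_QUERY_VALUE,
   &rKey) != ERROR_SUCCESS)
{
return false;
}

const LONG rc = RegQueryValueEx(rKey,
   L"SystemProductName",
   NULL,
   NULL,
   (BYTE*)RegKey,
   &RegPath);
RegCloseKey(rKey);

if (rc != ERROR_SUCCESS)
{
return false;
}

// Whole-string compare; the original memcmp of 48 bytes covered the 23
// characters plus the terminator, which is the same condition.
return wcscmp(RegKey, RegVMware) == 0;
}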
//----------------------------------------------------------------------
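// VirtualBox detection by the video BIOS version string in the registry.
// Reads HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion and returns true
// when the value begins with "Oracle VM VirtualBox".
// Returns false when the key or the value cannot be read.
// Fixes vs. the original: both registry calls are checked (the original
// passed an uninitialized HKEY to RegQueryValueEx/RegCloseKey when the open
// failed), the buffer is zero-filled so a failed or unterminated read cannot
// feed garbage into the compare, and one slot is reserved for a terminator
// because REG_SZ data is not guaranteed to carry one.
bool VirtualBoxBIOSDetect()
{
HKEY rKey = NULL;
wchar_t RegKey[256] = {0};
const wchar_t RegVBox[] = L"Oracle VM VirtualBox";
const size_t PrefixLen = (sizeof(RegVBox) / sizeof(RegVBox[0])) - 1;   // 20 chars, no terminator
DWORD RegPath = sizeof(RegKey) - sizeof(wchar_t);   // last element stays 0

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\DESCRIPTION\\System",
   0,
   KEY_QUERY_VALUE,
   &rKey) != ERROR_SUCCESS)
{
return false;
}

const LONG rc = RegQueryValueEx(rKey,
   L"VideoBiosVersion",
   NULL,
   NULL,
   (BYTE*)RegKey,
   &RegPath);
RegCloseKey(rKey);

if (rc != ERROR_SUCCESS)
{
return false;
}

// Prefix compare, exactly what the original 40-byte memcmp (20 wide chars,
// no terminator) checked.
return wcsncmp(RegKey, RegVBox, PrefixLen) == 0;
}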
//----------------------------------------------------------------------
// Parallels Workstation detection by the PRLSACPI ACPI table in the registry.
// Returns true when HKLM\HARDWARE\ACPI\DSDT\PRLS__\PRLSACPI can be opened
// for query access, false otherwise.  The key is closed again before returning.
bool ParallelsRegDetect()
{
HKEY hKey = NULL;
const LONG rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\ACPI\\DSDT\\PRLS__\\PRLSACPI",
   0,
   KEY_QUERY_VALUE,
   &hKey);
if (rc != ERROR_SUCCESS)
{
return false;
}
RegCloseKey(hKey);
return true;
}
//----------------------------------------------------------------------
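// VirtualBox detection by the guest-additions tray process "VBoxTray.exe".
// Walks a Toolhelp process snapshot and returns true when a process whose
// image name is exactly "VBoxTray.exe" is present.  Returns false when the
// snapshot cannot be created or enumerated.
// Fixes vs. the original: CreateToolhelp32Snapshot and Process32First are
// checked (the original compared an unfilled entry when the first call
// failed), the explicit W structure/functions replace the UNICODE-dependent
// PROCESSENTRY32/sizeof(PROCESSENTRY32W) mix, and the 24-byte prefix memcmp
// (which ignored the terminator) becomes a whole-name compare.
bool VirtualBoxProcessDetect()
{
const wchar_t VBoxProcessName[] = L"VBoxTray.exe";
PROCESSENTRY32W pe;
bool found = false;

HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == INVALID_HANDLE_VALUE)
{
return false;
}

ZeroMemory(&pe, sizeof(pe));
pe.dwSize = sizeof(pe);   // Toolhelp rejects the call if dwSize is not set

if (Process32FirstW(hSnapShot, &pe))
{
do
{
 if (wcscmp(pe.szExeFile, VBoxProcessName) == 0)
 {
  found = true;
  break;
 }
}
while (Process32NextW(hSnapShot, &pe));
}

CloseHandle(hSnapShot);
return found;
}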
//----------------------------------------------------------------------
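// VirtualPC detection by the guest services process "vmusrvc.exe".
// Walks a Toolhelp process snapshot and returns true when a process whose
// image name is exactly "vmusrvc.exe" is present.  Returns false when the
// snapshot cannot be created or enumerated.
// Fixes vs. the original: CreateToolhelp32Snapshot and Process32First are
// checked (the original compared an unfilled entry when the first call
// failed), the explicit W structure/functions replace the UNICODE-dependent
// PROCESSENTRY32/sizeof(PROCESSENTRY32W) mix, and the 22-byte prefix memcmp
// (which ignored the terminator) becomes a whole-name compare.
bool VirtualPCProcessDetect()
{
const wchar_t VirtualPCProcessName[] = L"vmusrvc.exe";
PROCESSENTRY32W pe;
bool found = false;

HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == INVALID_HANDLE_VALUE)
{
return false;
}

ZeroMemory(&pe, sizeof(pe));
pe.dwSize = sizeof(pe);   // Toolhelp rejects the call if dwSize is not set

if (Process32FirstW(hSnapShot, &pe))
{
do
{
 if (wcscmp(pe.szExeFile, VirtualPCProcessName) == 0)
 {
  found = true;
  break;
 }
}
while (Process32NextW(hSnapShot, &pe));
}

CloseHandle(hSnapShot);
return found;
}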
//----------------------------------------------------------------------
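// VMware detection by the guest tools daemon process "vmtoolsd.exe".
// Walks a Toolhelp process snapshot and returns true when a process whose
// image name is exactly "vmtoolsd.exe" is present.  Returns false when the
// snapshot cannot be created or enumerated.
// Fixes vs. the original: CreateToolhelp32Snapshot and Process32First are
// checked (the original compared an unfilled entry when the first call
// failed), the explicit W structure/functions replace the UNICODE-dependent
// PROCESSENTRY32/sizeof(PROCESSENTRY32W) mix, and the 24-byte prefix memcmp
// (which ignored the terminator) becomes a whole-name compare.
bool VMwareProcessDetect()
{
const wchar_t VMwareProcessName[] = L"vmtoolsd.exe";
PROCESSENTRY32W pe;
bool found = false;

HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == INVALID_HANDLE_VALUE)
{
return false;
}

ZeroMemory(&pe, sizeof(pe));
pe.dwSize = sizeof(pe);   // Toolhelp rejects the call if dwSize is not set

if (Process32FirstW(hSnapShot, &pe))
{
do
{
 if (wcscmp(pe.szExeFile, VMwareProcessName) == 0)
 {
  found = true;
  break;
 }
}
while (Process32NextW(hSnapShot, &pe));
}

CloseHandle(hSnapShot);
return found;
}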
//----------------------------------------------------------------------
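// VirtualBox detection by the guest device objects \\.\VBoxMiniRdrDN and
// \\.\VBoxGuest.  Returns true when either device can be opened.
// Fix vs. the original: every successfully opened handle is closed again
// (the original leaked each one, and with the || short-circuit could leak two).
bool VirtualBoxDevObjDetect()
{
static const wchar_t* const Devices[] = {
 L"\\\\.\\VBoxMiniRdrDN",
 L"\\\\.\\VBoxGuest"
};
for (size_t i = 0; i < sizeof(Devices) / sizeof(Devices[0]); i++)
{
 // dwDesiredAccess = 0: only asks whether the object exists, no read/write rights needed.
 HANDLE h = CreateFile(Devices[i], 0, 0, NULL, OPEN_EXISTING, 0, NULL);
 if (h != INVALID_HANDLE_VALUE)
 {
  CloseHandle(h);
  return true;
 }
}
return false;
}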
//----------------------------------------------------------------------
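// VirtualPC detection by the guest device object \\.\VMDRV.
// Returns true when the device can be opened.
// Fix vs. the original: the handle returned by CreateFile is closed again
// instead of being leaked.
bool VirtualPCDevObjDetect()
{
// dwDesiredAccess = 0: only asks whether the object exists, no read/write rights needed.
HANDLE h = CreateFile(L"\\\\.\\VMDRV", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (h == INVALID_HANDLE_VALUE)
{
return false;
}
CloseHandle(h);
return true;
}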
//----------------------------------------------------------------------
// VirtualBox detection by the CPUID hypervisor leaf.
// Executes CPUID leaf 1, then leaf 0x40000000, and captures EBX/ECX/EDX
// from the second call.  Reports true when EBX and ECX both equal
// 0x00000340; EDX is captured but never compared.
// NOTE(review): unlike the VMware/Parallels variants these values do not
// spell a vendor string; they are what the original author observed —
// confirm against the VirtualBox version of interest.
// 32-bit MSVC only: the x64 compiler does not support inline asm.
bool VirtualBoxCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
// ID_3 (EDX) is intentionally not part of the comparison in the original
if ((ID_1 == 0x00000340)&&(ID_2 == 0x00000340))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
// VMware detection by the CPUID hypervisor vendor leaf.
// Executes CPUID leaf 1, then leaf 0x40000000, and captures EBX/ECX/EDX
// from the second call.  Reports true when the three registers hold
// 0x61774d56 / 0x4d566572 / 0x65726177, i.e. the bytes 'VMwa' 'reVM' 'ware'
// in little-endian memory order — the vendor string "VMwareVMware".
// 32-bit MSVC only: the x64 compiler does not support inline asm.
bool VMwareCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x61774d56)&&(ID_2 == 0x4d566572)&&(ID_3 == 0x65726177))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
// Parallels Workstation detection by the CPUID hypervisor vendor leaf.
// Executes CPUID leaf 1, then leaf 0x40000000, and captures EBX/ECX/EDX
// from the second call.  Reports true when the three registers hold
// 0x70726c20 / 0x68797065 / 0x72762020, which in little-endian memory order
// read " lrp" "epyh" "  vr" — the (byte-swapped) Parallels vendor string.
// 32-bit MSVC only: the x64 compiler does not support inline asm.
bool ParallelsCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x70726c20)&&(ID_2 == 0x68797065)&&(ID_3 == 0x72762020))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
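// VirtualPC detection by the OUI (first three bytes) of the first adapter's MAC.
// Queries the adapter list with GetAdaptersInfo and compares the first
// adapter's hardware address against the OUI list the original carried.
// Returns false when no adapter information is available.
// Fixes vs. the original: OutBufLen is initialised before the sizing call,
// the buffer allocated with new[] is released with delete[] (the original
// used plain delete), both GetAdaptersInfo results are checked (the original
// read Address from an unfilled buffer on failure), and AddressLength is
// verified before the bytes are read.  Like the original, only the first
// adapter in the list is inspected.
bool VirtualPCMACDetect()
{
static const BYTE Ouis[][3] = {
 {0x00, 0x03, 0xff}, {0x00, 0x12, 0x5a}, {0x00, 0x1d, 0xd8}, {0x00, 0x15, 0x5d},
 {0x00, 0x22, 0x48}, {0x00, 0x0d, 0x3a}, {0x00, 0x17, 0xfa}, {0x00, 0x25, 0xae},
 {0x00, 0x50, 0xf2}, {0x28, 0x18, 0x78}, {0x60, 0x45, 0xbd}, {0x7c, 0x1e, 0x52},
 {0x7c, 0xed, 0x8d}, {0xdc, 0xb4, 0xc4}
};
ULONG OutBufLen = 0;

// First call with a NULL buffer only reports the required size.
if (GetAdaptersInfo(NULL, &OutBufLen) != ERROR_BUFFER_OVERFLOW || OutBufLen == 0)
{
return false;
}

char* Buffer = new char[OutBufLen];
PIP_ADAPTER_INFO AdapterInfo = (PIP_ADAPTER_INFO)Buffer;
bool found = false;

if (GetAdaptersInfo(AdapterInfo, &OutBufLen) == ERROR_SUCCESS &&
 AdapterInfo->AddressLength >= 3)
{
 for (size_t i = 0; i < sizeof(Ouis) / sizeof(Ouis[0]) && !found; i++)
 {
  found = memcmp(AdapterInfo->Address, Ouis[i], 3) == 0;
 }
}

delete[] Buffer;
return found;
}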
//----------------------------------------------------------------------
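// VirtualBox detection by the OUI (first three bytes) of the first adapter's MAC.
// Queries the adapter list with GetAdaptersInfo and compares the first
// adapter's hardware address against the two OUIs the original carried.
// Returns false when no adapter information is available.
// Fixes vs. the original: OutBufLen is initialised before the sizing call,
// the buffer allocated with new[] is released with delete[] (the original
// used plain delete), both GetAdaptersInfo results are checked (the original
// read Address from an unfilled buffer on failure), and AddressLength is
// verified before the bytes are read.  Like the original, only the first
// adapter in the list is inspected.
bool VirtualBoxMACDetect()
{
static const BYTE Ouis[][3] = {
 {0x08, 0x00, 0x27},
 {0x08, 0x00, 0x20}
};
ULONG OutBufLen = 0;

// First call with a NULL buffer only reports the required size.
if (GetAdaptersInfo(NULL, &OutBufLen) != ERROR_BUFFER_OVERFLOW || OutBufLen == 0)
{
return false;
}

char* Buffer = new char[OutBufLen];
PIP_ADAPTER_INFO AdapterInfo = (PIP_ADAPTER_INFO)Buffer;
bool found = false;

if (GetAdaptersInfo(AdapterInfo, &OutBufLen) == ERROR_SUCCESS &&
 AdapterInfo->AddressLength >= 3)
{
 for (size_t i = 0; i < sizeof(Ouis) / sizeof(Ouis[0]) && !found; i++)
 {
  found = memcmp(AdapterInfo->Address, Ouis[i], 3) == 0;
 }
}

delete[] Buffer;
return found;
}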
//----------------------------------------------------------------------

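// VMware detection by the OUI (first three bytes) of the first adapter's MAC.
// Queries the adapter list with GetAdaptersInfo and compares the first
// adapter's hardware address against the four OUIs the original carried.
// Returns false when no adapter information is available.
// Fixes vs. the original: OutBufLen is initialised before the sizing call,
// the buffer allocated with new[] is released with delete[] (the original
// used plain delete), both GetAdaptersInfo results are checked (the original
// read Address from an unfilled buffer on failure), and AddressLength is
// verified before the bytes are read.  Like the original, only the first
// adapter in the list is inspected.
bool VMwareMACDetect()
{
static const BYTE Ouis[][3] = {
 {0x00, 0x05, 0x69},
 {0x00, 0x0c, 0x29},
 {0x00, 0x1c, 0x14},
 {0x00, 0x50, 0x56}
};
ULONG OutBufLen = 0;

// First call with a NULL buffer only reports the required size.
if (GetAdaptersInfo(NULL, &OutBufLen) != ERROR_BUFFER_OVERFLOW || OutBufLen == 0)
{
return false;
}

char* Buffer = new char[OutBufLen];
PIP_ADAPTER_INFO AdapterInfo = (PIP_ADAPTER_INFO)Buffer;
bool found = false;

if (GetAdaptersInfo(AdapterInfo, &OutBufLen) == ERROR_SUCCESS &&
 AdapterInfo->AddressLength >= 3)
{
 for (size_t i = 0; i < sizeof(Ouis) / sizeof(Ouis[0]) && !found; i++)
 {
  found = memcmp(AdapterInfo->Address, Ouis[i], 3) == 0;
 }
}

delete[] Buffer;
return found;
}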
//----------------------------------------------------------------------
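// Parallels Workstation detection by the OUI (first three bytes) of the
// first adapter's MAC.  Queries the adapter list with GetAdaptersInfo and
// returns true when the first adapter's hardware address starts with
// 00:1c:42.  Returns false when no adapter information is available.
// Fixes vs. the original: OutBufLen is initialised before the sizing call,
// the buffer allocated with new[] is released with delete[] (the original
// used plain delete), both GetAdaptersInfo results are checked (the original
// read Address from an unfilled buffer on failure), and AddressLength is
// verified before the bytes are read.  Like the original, only the first
// adapter in the list is inspected.
bool ParallelsMACDetect()
{
static const BYTE Oui[3] = {0x00, 0x1c, 0x42};
ULONG OutBufLen = 0;

// First call with a NULL buffer only reports the required size.
if (GetAdaptersInfo(NULL, &OutBufLen) != ERROR_BUFFER_OVERFLOW || OutBufLen == 0)
{
return false;
}

char* Buffer = new char[OutBufLen];
PIP_ADAPTER_INFO AdapterInfo = (PIP_ADAPTER_INFO)Buffer;
bool found = false;

if (GetAdaptersInfo(AdapterInfo, &OutBufLen) == ERROR_SUCCESS &&
 AdapterInfo->AddressLength >= 3)
{
 found = memcmp(AdapterInfo->Address, Oui, 3) == 0;
}

delete[] Buffer;
return found;
}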
//----------------------------------------------------------------------
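// Virtual machine detection by the hard-disk identifier in the registry.
// Reads HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0 (the first
// disk's PnP id) and returns true when IDDisk occurs in it as a substring.
// The header lists the identifiers the author used: "DiskVirtual"
// (VirtualPC), "DiskVBOX_HARDDISK" (VirtualBox), "Prod_VMware_Virtual" (VMware).
// Returns false for a NULL IDDisk or when the key or value cannot be read.
// Fixes vs. the original: both registry calls are checked (the original
// passed an uninitialized HKEY to RegQueryValueExA/RegCloseKey when the open
// failed), the buffer is zero-filled so strstr never scans uninitialized
// memory, and one byte is reserved for a terminator because REG_SZ data is
// not guaranteed to carry one.
bool VirtualMachineIDDiskDetect(char* IDDisk)
{
if (IDDisk == NULL)
{
return false;
}

HKEY rKey = NULL;
char RegKey[4096] = {0};
DWORD RegPath = sizeof(RegKey) - 1;   // last byte stays 0
DWORD Type = REG_SZ;                  // out parameter: overwritten with the stored type

if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
   "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
   0,
   KEY_QUERY_VALUE,
   &rKey) != ERROR_SUCCESS)
{
return false;
}

const LONG rc = RegQueryValueExA(rKey,
   "0",
   NULL,
   &Type,
   (LPBYTE)RegKey,
   &RegPath);
RegCloseKey(rKey);

if (rc != ERROR_SUCCESS)
{
return false;
}

return strstr(RegKey, IDDisk) != NULL;
}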
//----------------------------------------------------------------------
// Parallels Workstation detection by the video adapter's PCI device key.
// Returns true when the PCI enumeration key for vendor 1AB8 / device 4005
// can be opened under HKLM\SYSTEM\CurrentControlSet\Enum\PCI, false otherwise.
// The key is closed again before returning.
bool ParallelsVideoCardDetect()
{
HKEY hKey = NULL;
const LONG rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00",
   0,
   KEY_QUERY_VALUE,
   &hKey);
if (rc != ERROR_SUCCESS)
{
return false;
}
RegCloseKey(hKey);
return true;
}
//----------------------------------------------------------------------
// VirtualBox detection by the video adapter's PCI device key.
// Returns true when the PCI enumeration key for vendor 80EE / device BEEF
// can be opened under HKLM\SYSTEM\CurrentControlSet\Enum\PCI, false otherwise.
// The key is closed again before returning.
bool VirtualBoxVideoCardDetect()
{
HKEY hKey = NULL;
const LONG rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",
   0,
   KEY_QUERY_VALUE,
   &hKey);
if (rc != ERROR_SUCCESS)
{
return false;
}
RegCloseKey(hKey);
return true;
}
//----------------------------------------------------------------------
// VirtualPC detection by the video adapter's PCI device key.
// Returns true when the PCI enumeration key for vendor 5333 / device 8811
// can be opened under HKLM\SYSTEM\CurrentControlSet\Enum\PCI, false otherwise.
// The key is closed again before returning.
bool VirtualPCVideoCardDetect()
{
HKEY hKey = NULL;
const LONG rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
   0,
   KEY_QUERY_VALUE,
   &hKey);
if (rc != ERROR_SUCCESS)
{
return false;
}
RegCloseKey(hKey);
return true;
}
//----------------------------------------------------------------------



EPM Sandbox (IE)에 대한 글

#EPM이 뭔지

http://www.julien-manici.com/blog/ie10-new-sandbox-enhanced-protected-mode-windows-8/


#EPM 취약점

http://googleprojectzero.blogspot.co.uk/2014/12/internet-explorer-epm-sandbox-escape.html


리눅스 특정 사이즈 이상 폴더 삭제

ex) du -sk */ | awk 'BEGIN { FS="\t" }; { if($1 > 100000) printf "." $2 }' | xargs rm -rf


xargs rm -rf 대신 xargs du -sh로 폴더 용량 확인하고 삭제 하시길.


응용 : 폴더 depth를 2개까지로 한정하고 용량 범위를 지정하여 삭제

du -k 12*/ --max-depth=1 | awk 'BEGIN { FS="\t" }; { if($1 > 100000 && $1 < 2000000) printf "." $2 }' | xargs rm -rf

