Sample behaviour:
1. CopyFileA() copies the sample itself to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SQLAGENTSAK.exe (note that the short path is used).
2. CreateProcessA creates a child process with the parameters cmd /c ping 1.1.1.1 -n 1 -w 1000 & start C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SQLAGENTSAK.exe
This should actually produce two child processes; the monitor shows the following:
Note that the start-up argument of the SQLAGENTSAK.exe process is the short path.
3. The sample then carries on with its malicious behaviour.
Debugging in OD (OllyDbg):
When I dragged the SQLAGENTSAK.exe from the Temp directory into OD to debug it, the sample exited without performing any malicious behaviour.
1. So I looked at the code before and after the CreateProcessA() call and found a WaitForInputIdle() call, which I suspected for a long time was the culprit.
WaitForInputIdle(): waits for the new process to finish its initialisation and to be waiting for user input; for a usage example see: https://blog.csdn.net/iteye_13202/article/details/82403614
2. I checked the start-up argument used when the file is dropped into OD: it is C:\Documents and Settings\Administrator\Local Settings\Temp\SQLAGENTSAK.exe, the long path.
Summary: the sample presumably checks its start-up argument: if it is the short path it performs the malicious behaviour; if it is the long path it first copies itself and then creates the child process.
Solution: add infinite-loop code into the sample's own code, then attach OD to it.
Continuation 1:
Since the long/short path issue caused OD debugging to exit, what exactly are long paths and short paths? (Supposedly short paths exist so that Windows stays compatible with older file systems, presumably FAT12/FAT16 and the like.) First, let's write a program to see how a long path is converted into a short one.
#include <stdio.h>
#include <Windows.h>
int main()
{
    char l_szModulePathA[MAX_PATH] = {0};  /* long (normal) path of this executable */
    char l_szShortPathA[MAX_PATH] = {0};   /* 8.3 short form of the same path */
    /* full path of the running module, exactly as the loader sees it */
    GetModuleFileNameA(NULL, l_szModulePathA, MAX_PATH);
    printf("ModulePath:%s\n", l_szModulePathA);
    /* convert every component to its 8.3 short name; returns 0 on failure */
    if (GetShortPathNameA(l_szModulePathA, l_szShortPathA, MAX_PATH) == 0)
        printf("GetShortPathNameA failed: %lu\n", GetLastError());
    else
        printf("ShortPath:%s\n", l_szShortPathA);
    system("pause");
    return 0;
}
Output:
From the output the conversion rule seems to be: every path component longer than 8 characters is cut down to 8 characters, all upper-case letters + tilde (~) + digit (1). Someone pointed out that the file name is also longer than 8 characters, so why was it not converted to a short name? That sounds quite reasonable (I don't know why either, hehe).
Here is the formal version of the conversion rule:
How Windows Generates 8.3 File Names from Long File Names
Windows generates short file names from long file names in the following manner:
- Windows deletes any invalid characters and spaces from the file name. Invalid characters include:
. " / \ [ ] : ; = ,
- Because short file names can contain only one period (.), Windows removes additional periods from the file name if valid, non-space characters follow the final period in the file name. For example, Windows generates the short file name "Thisis~1.txt" from the long file name "This is a really long filename.123.456.789.txt". Otherwise, Windows ignores the final period and uses the next to the last period. For example, Windows generates the short file name "Thisis~1.789" from the long file name "This is a really long filename.123.456.789."
- Windows truncates the file name, if necessary, to six characters and appends a tilde (~) and a digit. For example, each unique file name created ends with "~1." Duplicate file names end with "~2," "~3," and so on.
- Windows truncates the file name extension to three characters or less.
- Windows translates all characters in the file name and extension to uppercase.
Note that if a folder or file name contains a space, but less than eight characters, Windows still creates a short file name. This behavior may cause problems if you attempt to access such a file or folder over a network. To work around this situation, substitute a valid character, such as an underscore (_), for the space. If you do so, Windows does not create a different short file name.
For example, "Afile~1.doc" is generated from "A file.doc" because the long file name contains a space.
No short file name is generated from "A_file.doc" because the file name contains less than eight characters and does not contain a space.
The short file name "Alongf~1.txt" is generated from the long file name "A long filename.txt" because the long file name contains more than eight characters.
Link: https://www.cnblogs.com/jiangzhen/p/3957333.html
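The quoted rules implemented in Python, as an added example that is not code from the original post: it runs on constructed inputs without any Windows API, and because it applies the quoted rule literally it also shortens the file name SQLAGENTSAK.exe itself, whereas the command line observed above kept that name unchanged. The normalize() helper shows how an analyst can treat a long and a short spelling of one path as the same file, which is exactly the difference the sample keys on.

```python
# Added example (not from the original post): the quoted 8.3 rules applied to
# single names and whole paths. Inputs are constructed; no Windows API is used.
INVALID = set('"/\\[]:;=,')  # the period is treated as the extension separator

def _split(name):
    """(base, ext): a trailing period is ignored and the next-to-last one used."""
    s = name.rstrip('.')
    return tuple(s.rsplit('.', 1)) if '.' in s else (s, '')

def _clean(s):
    """Delete spaces, extra periods and the invalid characters."""
    return ''.join(c for c in s if c not in INVALID and c not in ' .')

def is_valid_83(name):
    """True when the name is already 8.3-shaped, so no short name is generated."""
    if name.count('.') > 1 or name.endswith('.'):
        return False
    if any(c in INVALID or c == ' ' for c in name):
        return False
    base, ext = _split(name)
    return len(base) <= 8 and len(ext) <= 3

def short_name(name, taken=frozenset()):
    """Generated 8.3 name, or None; `taken` = upper-case names already in use."""
    if is_valid_83(name):
        return None
    base, ext = _split(name)
    base, ext = _clean(base)[:6], _clean(ext)[:3]
    n = 1
    while True:  # ~1, then ~2, ~3 ... on collisions
        cand = (f"{base}~{n}.{ext}" if ext else f"{base}~{n}").upper()
        if cand not in taken:
            return cand
        n += 1

def short_path(path):
    """Shorten each component of a backslash path; the drive letter is kept."""
    out = []
    for i, p in enumerate(path.split('\\')):
        if (i == 0 and p.endswith(':')) or p == '':
            out.append(p)
        else:
            out.append(short_name(p) or p)
    return '\\'.join(out)

def normalize(path):
    """Canonical form for comparing long and short spellings of one path."""
    return short_path(path).upper()
```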