Memory dump differences of executable data

reverse-engineering executable memory
2021-06-26 23:57:12

I am comparing memory dumps in Python with diStorm and Volatility, trying to analyze given memory dumps ("dump" and "truth") for whether or not process injection is present.

Mainly I try to match the processes and VADs in the dumps so I can compare them against each other, but I get a lot of white noise (false positives).

This is the log I get when comparing two clean memory dumps, comparing only the modules (notepad and calc):

[10:08:13] Loading  'D:\notepad.zip'
[10:08:36] Loading  'D:\calc.zip'
[10:08:59] No match found for #208 "calc.exe"!
[10:08:59] 01/17    matching "csrss.exe"
[10:09:08] 02/17    matching "VBoxTray.exe"
[10:09:18] 03/17    matching "svchost.exe"
[10:12:51] 04/17    matching "ctfmon.exe"
[10:12:55] 05/17    matching "VBoxService.exe"
[10:13:24] 06/17    matching "smss.exe"
[10:13:25] 07/17    matching "explorer.exe"
[10:14:39] Module difference @ 0x772fb186   "\WINDOWS\system32\shlwapi.dll"
SUB AL, 0x77                    SUB AL, 0x77
POP ESP                         MOV DL, 0x14
DB 0x15                         DB 0xbd
DB 0x2d
[10:14:39] Module difference @ 0x772fb817   "\WINDOWS\system32\shlwapi.dll"
XOR [EAX], EAX                  XOR [EAX], EAX
ADD [EAX], AL                   DB 0x0
DB 0x0                          DB 0xbd
[10:14:39] Module difference @ 0x77fb5e17   "\WINDOWS\system32\ntdll.dll"
ADD [ECX+0x0], AH               ADD [EDI+0x0], CH
INS BYTE [ES:EDI], DX           DB 0x74
[10:14:39] Module difference @ 0x77fb5e1f   "\WINDOWS\system32\ntdll.dll"
ADD [EBP+0x0], AH               ADD [ECX+0x0], AH
DB 0x78                         DB 0x64
[10:14:39] Module difference @ 0x77fb5e27   "\WINDOWS\system32\ntdll.dll"
ADD [EAX], AL                   ADD [EAX+0x0], BH
DB 0x0                          DB 0x65
DB 0x73
[10:14:41] 08/17    matching "spoolsv.exe"
[10:15:24] 10/17    matching "svchost.exe"
[10:15:47] 11/17    matching "msmsgs.exe"
[10:16:06] 12/17    matching "svchost.exe"
[10:16:38] 13/17    matching "svchost.exe"
[10:17:08] 14/17    matching "winlogon.exe"
[10:18:03] 15/17    matching "services.exe"
[10:18:19] 16/17    matching "lsass.exe"
[10:19:15] Module difference @ 0x74414320   "\WINDOWS\system32\samsrv.dll"
ADD [EAX], AL                   JO 0x743bffb4
ADD [EAX], AL                   ADC AL, 0xc
ADD [EAX], AL                   OR AL, 0xde
ADD [EAX], AL                   INTO
[10:19:15] Module difference @ 0x74414546   "\WINDOWS\system32\samsrv.dll"
ADD [EAX], AL                   ADD [EAX], AL
ADD [EAX], AL                   DB 0xff
ADD [EAX], AL                   DB 0xff
DB 0x0                          DB 0xff
[10:19:16] Module difference @ 0x76f411bf   "\WINDOWS\system32\wldap32.dll"
ADD [EAX], AL                   ADD AL, CH
DB 0x3e                         JAE 0x76f2000f
DB 0xc
[10:19:17] Module difference @ 0x77cff169   "\WINDOWS\system32\rpcrt4.dll"
DB 0x3                          MOV AL, [0x49ff5965]
DB 0x35
DB 0xa1
IN AL, 0x3a
[10:19:20] 17/17    matching "System"

If I also try to compare the executable images of the processes, I get even more noise:

[12:10:13] 01/17    matching "csrss.exe"
[12:10:22] Instruction missmatch @ 0x5302db (13)
ADD [EAX-0x671ea561], CH        ADD AL, CH
RETF                            AND AL, 0x98
AND ECX, 0x2b0003               CWDE
[12:10:22] Instruction missmatch @ 0x53033b (6)
ADD [EBP+0x0], AH               ADD [EBX+0x0], DH
[12:10:22] Instruction missmatch @ 0x5304c7 (9)
ADD [EAX], AH                   ADD AL, CH
ADC EAX, 0x95d8bc65             ADD [EAX], AL
TEST AL, 0xe1                   ADD [EAX], AL
[12:10:22] Instruction missmatch @ 0x53065d (2)
ADD [EBX], AL                   ADD [EAX+EAX], AL
[12:10:22] Instruction missmatch @ 0x5307bb (6)
ADD [EBX+0x0], DH               ADD AL, CH
[12:10:22] Instruction missmatch @ 0x5307c5 (7)
ADD [EAX+EAX-0x439c6800], AH    ADD [ECX+0x0], BL
[12:10:22] Instruction missmatch @ 0x530864 (1)
STD                             FLD DWORD [EAX]
[12:10:22] Instruction missmatch @ 0x53086d (4)
ADD [EAX+EAX+0x18], AL          ADD [EDX+0x60551800], AL
[12:10:22] Instruction missmatch @ 0x53096c (13)
CMP [EBP+0x65], CH              MOV AL, [0x70e18a84]
MOV ESP, 0xe1a895d8             LOOPZ 0x530072
ADD EAX, 0xd0000300             ADD EAX, [EAX]

Each dump was created on the same Windows XP VM. Any ideas on how to filter the noise? Thanks for any hints, and sorry for my bad English.

1 Answer

Unfortunately, there are some factors at play that will make filtering exceptionally difficult. Specifically, from the calling conventions Windows uses, to all the function prologues, to the space left in said prologues to allow hot patching, etc., the Windows Application Binary Interface (ABI) is included in everything that executes on the box. Naturally, this means you will not be able to filter it out, as several of those instructions are fairly common.

If you just want to compare the binaries to see how similar they are, the main method I would suggest is SSDEEP, as found in this answer.