I am new to reverse engineering, so I don't know whether my question is an easy one. I have an exe file that seems to be packed. In the hex dump I do find the following:
000003d0: 0055 5058 3000 0000 0000 e028 0000 1000 .UPX0......(....
000003e0: 0000 0000 0000 0200 0000 0000 0000 0000 ................
000003f0: 0000 0000 0080 0000 e055 5058 3100 0000 .........UPX1...
00000400: 0000 4014 0000 f028 0000 3814 0000 0200 ..@....(..8.....
00000410: 0000 0000 0000 0000 0000 0000 0040 0000 .............@..
00000420: e02e 7273 7263 0000 0000 a007 0000 303d ..rsrc........0=
00000430: 0000 9207 0000 3a14 0000 0000 0000 0000 ......:.........
00000440: 0000 0000 0040 0000 c033 2e39 3300 5550 .....@...3.93.UP
00000450: 5821 0d09 0201 4482 f819 2707 6e6b 290d X!....D...'.nk).
I guess my file is packed with UPX. But I am stuck on the rest of the file, because I do have a modified header:
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 8000 0000 ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......
00000080: 5045 0000 4c01 0300 a505 f358 0000 0000 PE..L......X....
[...]
00000250: 4e71 e81b 0068 e81b 004d 5a90 0003 0000 Nq...h...MZ.....
00000260: 0004 0000 00ff ff00 00b8 0000 0000 0000 ................
00000270: 0040 0000 0000 0000 0000 0000 0000 0000 .@..............
00000280: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000290: 0000 0000 0080 0000 000e 1fba 0e00 b409 ................
000002a0: cd21 b801 4ccd 2154 6869 7320 7072 6f67 .!..L.!This prog
000002b0: 7261 6d20 6361 6e6e 6f74 2062 6520 7275 ram cannot be ru
000002c0: 6e20 696e 2044 4f53 206d 6f64 652e 0d0d n in DOS mode...
000002d0: 0a24 0000 0000 0000 0050 4500 004c 0103 .$.......PE..L..
With objdump I get the following:
architecture: i386, flags 0x0000012f:
HAS_RELOC, EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_LOCALS, D_PAGED
start address 0x0078353e
Characteristics 0x102
executable
32 bit words
Time/Date XXXXXXXXXXXXXXXXXXXXX
Magic 010b (PE32)
MajorLinkerVersion 11
MinorLinkerVersion 0
SizeOfCode 00381600
SizeOfInitializedData 00000800
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0038353e
BaseOfCode 00002000
BaseOfData 00384000
ImageBase 00400000
SectionAlignment 00002000
FileAlignment 00000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00388000
SizeOfHeaders 00000200
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00008540
SizeOfStackReserve 00100000
SizeOfStackCommit 00001000
SizeOfHeapReserve 00100000
SizeOfHeapCommit 00001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 003834e8 00000053 Import Directory [parts of .idata]
Entry 2 00384000 00000598 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00386000 0000000c Base Relocation Directory [.reloc]
Entry 6 003833b0 0000001c Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00002000 00000008 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00002008 00000048 CLR Runtime Header
Entry f 00000000 00000000 Reserved
There is an import table in .text at 0x7834e8
The Import Tables (interpreted .text section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
PE File Base Relocations (interpreted .reloc section contents)
There is a debug directory in .text at 0x7833b0
Type Size Rva Offset
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00381544 00402000 00402000 00000200 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .rsrc 00000598 00784000 00784000 00381800 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .reloc 0000000c 00786000 00786000 00381e00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
SYMBOL TABLE:
no symbols
So is this exe file a fake file (i.e. a hidden payload) or an obfuscated one?
On VirusTotal the actual file has a 10% detection rate: https://www.virustotal.com/en/file/e49be065137b8bd199848e334c3a4c2399bed97e71dd4f10e7d4a7f39e1c9e61/analysis/
Here is the MD5 if you need it: 48b0bd483d80617d6f4b33731811d248
Edit: I found out how this malware got here. It was an attempt to download the painful rootkit using a malicious thread spawned in lsass.exe. The initial attack vector was EternalBlue. The file is corrupted because the AV stopped the download.
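The script below is an added example, not code from the question or from any tool it mentions. It builds a constructed sample in the shape the dumps above describe: a carrier PE whose optional header carries a CLR Runtime Header directory (objdump's "Entry e") and whose .text holds, at file offset 0x259, a second MZ header whose e_lfanew (0x80) leads to a PE signature at 0x2d9 and a section table at 0x3d1 naming UPX0, UPX1 and .rsrc, followed by the "3.93\0UPX!" marker at 0x449. It then walks a file the same way an analyst would by hand: every "MZ" whose e_lfanew lands on "PE\0\0", each header's section names, the UPX version/magic behind the section table, and whether the CLR directory is set; carve() cuts an embedded image out so it can be handed to upx -d. The offsets, section names and marker come from the hex dumps in the question; the sample image, its section layout and all function names are this example's own assumptions.

```python
import struct

PE_SIG = b"PE\0\0"
SECTION_HEADER_SIZE = 40
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, objdump's "CLR Runtime Header"


def build_pe(section_names, clr=False, after_sections=b"", body=b""):
    """Assemble a minimal PE32 image (constructed sample, not a real program). Section 0 owns
    `body`; `after_sections` goes straight behind the section table, where UPX puts its marker."""
    e_lfanew, opt_size = 0x80, 0xE0
    table_end = e_lfanew + 4 + 20 + opt_size + len(section_names) * SECTION_HEADER_SIZE
    size_of_headers = (table_end + len(after_sections) + 0x1FF) & ~0x1FF
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    if clr:  # CLR Runtime Header directory, the entry objdump listed as "Entry e"
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1),
                    len(body) if i == 0 else 0, size_of_headers, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    image = dos + PE_SIG + coff + bytes(opt) + table + after_sections
    return image.ljust(size_of_headers, b"\0") + body


def build_sample():
    """Carrier PE with a CLR header whose .text holds a UPX-style PE at file offset 0x259,
    the offset at which the question's hex dump shows the second MZ header (assumed layout)."""
    inner = build_pe([b"UPX0", b"UPX1", b".rsrc"], after_sections=b"3.93\x00UPX!")
    outer = build_pe([b".text"], clr=True, body=b"\0" * 0x59 + inner)
    return outer, inner


def parse_pe(data, base=0):
    """Parse the PE header whose 'MZ' sits at `base`; None unless e_lfanew leads to 'PE\\0\\0'."""
    try:
        if data[base:base + 2] != b"MZ":
            return None
        pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]
        if data[pe:pe + 4] != PE_SIG:
            return None
        num_sections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ shifts both by 16
        count_off, dir_off = (92, 96) if magic == 0x10B else (108, 112)
        num_dirs = min(struct.unpack_from("<I", data, opt + count_off)[0], 16)
        dirs = [struct.unpack_from("<II", data, opt + dir_off + 8 * i) for i in range(num_dirs)]
        table = opt + opt_size
        sections = []
        for i in range(num_sections):
            name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * SECTION_HEADER_SIZE)
            sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, va, rsize, rptr))
    except struct.error:  # header claims more bytes than the file has, e.g. a cut-short download
        return None
    return {"offset": base, "sections": sections, "dirs": dirs,
            "table_end": table + num_sections * SECTION_HEADER_SIZE}


def find_pe_headers(data):
    """Every parseable PE header in the file: the carrier first, then any embedded images."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        info = parse_pe(data, pos)
        if info is not None:
            found.append(info)
        pos = data.find(b"MZ", pos + 1)
    return found


def triage(data):
    """Per PE header: UPX section names, the '<version>\\0UPX!' marker behind the section table, CLR directory."""
    report = []
    for info in find_pe_headers(data):
        names = [s[0] for s in info["sections"]]
        clr_va, clr_size = info["dirs"][CLR_DIRECTORY_INDEX] if len(info["dirs"]) > CLR_DIRECTORY_INDEX else (0, 0)
        tail = data[info["table_end"]:info["table_end"] + 32]
        magic_at = tail.find(b"UPX!")
        report.append({
            "offset": info["offset"],
            "sections": names,
            "upx_sections": any(n.startswith("UPX") for n in names),
            "upx_version": tail[:magic_at].rstrip(b"\0").decode("latin-1") if magic_at != -1 else None,
            "has_clr_header": clr_va != 0 and clr_size != 0,
        })
    return report


def carve(data, info):
    """Cut an embedded image out of its carrier: headers plus every section's raw data, clamped to the file."""
    end = max([info["table_end"] - info["offset"]] +
              [rptr + rsize for _, _, _, rsize, rptr in info["sections"]])
    return data[info["offset"]:info["offset"] + end]
```

Run it on the real file with triage(open(path, "rb").read()). A download that was cut short, as the edit describes, shows up as a header whose section table or directories run past end of file; parse_pe reports such a header as absent instead of raising, and carve() only returns the bytes that are present, so upx -d on a carved image with a truncated UPX1 section will fail rather than reproduce the original payload.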