UCCU Anti Virus overview
Uploaded by shang-de-jiang. Category: Engineering.
Transcript of UCCU Anti Virus overview
![Page 1: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/1.jpg)
Let's Look at Anti Virus Together. Speaker: JohnThunder
![Page 3: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/3.jpg)
A war: viruses versus anti-virus
![Page 4: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/4.jpg)
![Page 5: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/5.jpg)
Defence strategies
• Signature-based detection
• Static program analysis
• Dynamic program analysis
• Sandbox
• Heuristic analysis
• Entropy
![Page 6: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/6.jpg)
Used by both sides (offence and defence in one)
• Obfuscation
• Packers
• Crypters
![Page 7: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/7.jpg)
How Windows loads a PE file
• Address Space Layout Randomization
• Crypters with PE injection
• NtUnmapViewOfSection and ZwUnmapViewOfSection (unmap the original image from the target process before the payload PE is written in its place)
• PE injection
![Page 8: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/8.jpg)
Countering each move
![Page 9: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/9.jpg)
meterpreter reverse tcp shellcode (before)
![Page 10: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/10.jpg)
meterpreter reverse tcp shellcode (after)
![Page 11: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/11.jpg)
Heuristic engines
– Decryption loop detected
– Reads active computer name
– Reads the cryptographic machine GUID
– Contacts random domain names
– Reads the Windows installation date
– Drops executable files
– Found potential IP address in binary memory
– Modifies proxy settings
– Installs hooks/patches the running process
– Injects into explorer
– Injects into remote process
– Queries process information
– Sets the process error mode to suppress error box
– Unusual entropy
– Possibly checks for the presence of antivirus engine
– Monitors specific registry key for changes
– Contains ability to elevate privileges
– Modifies software policy settings
![Page 12: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/12.jpg)
Decryption process: avoid triggering the "Decryption loop detected" heuristic
Decrypt shellcode
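The entropy heuristic from the defence-strategies slide and the crypter/decryption slides above, as an added example that is not part of the talk and not the speaker's code: a small C program that measures the Shannon entropy of a constructed low-entropy buffer standing in for a shellcode section, runs it through two crypters and decrypts it again. The xorshift32 keystream crypter, the 0x5A key, the seed and the 7.0 threshold are assumptions made for this example. The point worth taking away: single-byte XOR only permutes byte values, so the crypted blob has exactly the entropy of the plaintext and the "unusual entropy" check sees nothing new, while a per-byte keystream flattens the histogram towards 8 bits/byte and trips it. A crypter author is therefore choosing between a blob that entropy checks miss and one that the decryption loop itself gives away.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* log2() without libm, so the file builds with a bare `cc`: split the IEEE-754
 * double into exponent e and mantissa m in [1,2); ln(m) = 2*atanh((m-1)/(m+1)). */
static double log2_nolibm(double x)
{
    uint64_t bits;
    double m, z, term, sum = 0.0;
    memcpy(&bits, &x, sizeof bits);
    int e = (int)((bits >> 52) & 0x7FF) - 1023;
    bits = (bits & 0x000FFFFFFFFFFFFFULL) | 0x3FF0000000000000ULL;
    memcpy(&m, &bits, sizeof m);
    z = (m - 1.0) / (m + 1.0);
    term = z;
    for (int k = 1; k < 30; k += 2, term *= z * z)
        sum += term / k;
    return e + 2.0 * sum / 0.6931471805599453;
}

/* Shannon entropy in bits per byte (0.0 .. 8.0). Code and text sit well below 8;
 * packed or encrypted sections approach it, which is what "unusual entropy" keys on. */
double shannon_entropy(const uint8_t *buf, size_t len)
{
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0)
        return 0.0;
    for (size_t i = 0; i < len; i++)
        counts[buf[i]]++;
    for (int b = 0; b < 256; b++)
        if (counts[b]) {
            double p = (double)counts[b] / (double)len;
            h -= p * log2_nolibm(p);
        }
    return h;
}

/* The simplest crypter: single-byte XOR, in place and symmetric. */
void xor1_crypt(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Keystream crypter on xorshift32 (constructed for this example, not a real
 * cipher): every byte gets its own key byte, so the byte histogram flattens. */
void stream_crypt(uint8_t *buf, size_t len, uint32_t seed)
{
    uint32_t x = seed ? seed : 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) {
        x ^= x << 13;
        x ^= x >> 17;
        x ^= x << 5;
        buf[i] ^= (uint8_t)x;
    }
}

#define SAMPLE_LEN   4096
#define ENTROPY_FLAG 7.0   /* assumed threshold; real engines tune their own */

/* Run the constructed sample through both crypters: h[0] plain, h[1] after
 * single-byte XOR, h[2] after the keystream. Returns 1 if both decrypt back to
 * the original bytes. The sample is NOT real shellcode: 0x90 filler plus a
 * short ASCII marker, the kind of low-entropy bytes a raw payload section has. */
int crypter_entropy_demo(double h[3])
{
    uint8_t plain[SAMPLE_LEN], work[SAMPLE_LEN];
    memset(plain, 0x90, SAMPLE_LEN);
    memcpy(plain, "constructed sample payload", 26);
    h[0] = shannon_entropy(plain, SAMPLE_LEN);

    memcpy(work, plain, SAMPLE_LEN);
    xor1_crypt(work, SAMPLE_LEN, 0x5A);
    h[1] = shannon_entropy(work, SAMPLE_LEN);
    xor1_crypt(work, SAMPLE_LEN, 0x5A);      /* the stub's "decryption loop" */
    if (memcmp(work, plain, SAMPLE_LEN) != 0)
        return 0;

    memcpy(work, plain, SAMPLE_LEN);
    stream_crypt(work, SAMPLE_LEN, 0xC0FFEE);
    h[2] = shannon_entropy(work, SAMPLE_LEN);
    stream_crypt(work, SAMPLE_LEN, 0xC0FFEE);
    return memcmp(work, plain, SAMPLE_LEN) == 0;
}

int main(void)
{
    double h[3];
    int ok = crypter_entropy_demo(h);
    printf("plain %.2f  xor1 %.2f  stream %.2f bits/byte, roundtrip %s\n",
           h[0], h[1], h[2], ok ? "ok" : "FAILED");
    printf("flagged (> %.1f): xor1 %s, stream %s\n", ENTROPY_FLAG,
           h[1] > ENTROPY_FLAG ? "yes" : "no", h[2] > ENTROPY_FLAG ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The same shannon_entropy routine run section by section over a PE is the entropy check from the defence slide; a scanner that only sees the crypted blob cannot tell the keystream variant from compressed data, which is why engines pair the entropy score with the other findings on the heuristic list rather than acting on it alone.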
![Page 13: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/13.jpg)
Dynamic analysis detection / anti-detection
• Is Debugger?
• Load fake library
• Get tick count
• Number of cores
• Huge memory allocations
• Trap flag manipulation
• Mutex-triggered WinExec
![Page 14: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/14.jpg)
Is Debugger?
![Page 15: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/15.jpg)
Is Debugger?
![Page 16: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/16.jpg)
Load fake library / Get tick count
![Page 17: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/17.jpg)
Trap Flag
![Page 18: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/18.jpg)
Mutex-triggered WinExec
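The checks on the dynamic-analysis slides above, ported to POSIX as an added example that is not the speaker's code (the talk targets the Windows API): the TracerPid field of /proc/self/status stands in for IsDebuggerPresent, a monotonic clock around nanosleep for the GetTickCount timing check, sysconf for the core count and a touched malloc for the huge-allocation check. The bit names, the thresholds and the status-file parser are assumptions made for this example; the trap-flag and mutex/WinExec tricks are left out because they have no portable equivalent.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

enum {
    CHK_TRACED     = 1 << 0, /* a ptrace() tracer (debugger) is attached */
    CHK_SLEEP_SKIP = 1 << 1, /* sleep came back early: time is fast-forwarded */
    CHK_FEW_CORES  = 1 << 2, /* fewer cores than a real workstation */
    CHK_ALLOC_FAIL = 1 << 3, /* a large allocation was refused */
};

/* Parse TracerPid out of a /proc/<pid>/status body. Returns the tracer's
 * PID (0 means nobody is attached) or -1 if the field is missing. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "TracerPid:", 10) == 0)
            return strtol(p + 10, NULL, 10);
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* IsDebuggerPresent() analogue for Linux: read our own status file. */
long debugger_present(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* GetTickCount()-style check: sleep `ms` and measure with a monotonic clock.
 * A sandbox that fast-forwards sleeps to reach the payload sooner returns
 * before the requested time has really passed. Returns 1 if that happened. */
int sleep_was_skipped(long ms)
{
    struct timespec req = { ms / 1000, (ms % 1000) * 1000000L }, t0, t1;
    long long want = (long long)ms * 1000000LL, got;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    while (nanosleep(&req, &req) == -1 && errno == EINTR)
        ;                                   /* resume after a signal */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    got = (t1.tv_sec - t0.tv_sec) * 1000000000LL + (t1.tv_nsec - t0.tv_nsec);
    return got < want;
}

/* Huge-allocation check: request `bytes` and touch every page so the kernel
 * has to back them. Returns 1 if the allocation was refused. */
int huge_alloc_refused(size_t bytes)
{
    volatile uint8_t *p = malloc(bytes);
    if (!p)
        return 1;
    for (size_t i = 0; i < bytes; i += 4096)
        p[i] = 0xA5;
    free((void *)p);
    return 0;
}

/* Run all checks and return a bitmask of those that fired. A crypter stub
 * would refuse to decrypt its payload unless the mask is zero; a sandbox
 * author reads the same list as the things to make look realistic. */
unsigned run_sandbox_checks(long sleep_ms, size_t alloc_bytes, long min_cores)
{
    unsigned mask = 0;
    if (debugger_present() > 0)
        mask |= CHK_TRACED;
    if (sleep_was_skipped(sleep_ms))
        mask |= CHK_SLEEP_SKIP;
    if (sysconf(_SC_NPROCESSORS_ONLN) < min_cores)
        mask |= CHK_FEW_CORES;
    if (huge_alloc_refused(alloc_bytes))
        mask |= CHK_ALLOC_FAIL;
    return mask;
}

int main(void)
{
    unsigned mask = run_sandbox_checks(500, (size_t)256 << 20, 2);
    printf("checks fired: 0x%x%s\n", mask, mask ? "" : " (looks like a real host)");
    return 0;
}
```

Run it directly and the mask is normally 0; run it under gdb or strace and CHK_TRACED appears. Each check cuts both ways, as the closing slide says: the same list is the sandbox operator's hardening checklist (report several cores, honour sleeps instead of skipping them, hide the tracer), and a sample that bails out on any of them is itself a behavioural signal.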
![Page 19: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/19.jpg)
DEP mechanism: use the Windows API to give the shellcode an address range that is readable, writable and executable,
so that the shellcode runs correctly.
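The DEP point above in POSIX terms, as an added example that is not the speaker's code: mmap and mprotect stand in for VirtualAlloc and VirtualProtect, and /proc/self/maps is read back to confirm what a memory scanner would see. The placeholder bytes are constructed (four x86 `ret` opcodes) and are never executed; the function names are assumptions made for this example. The caveat a practitioner wants: a single region that is readable, writable and executable at once is itself a common memory-scanner indicator, so the quieter way past DEP is to write while the page is RW and flip it to RX before jumping to it.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Permission string ("r-xp", "rwxp", ...) of the mapping containing addr, read
 * from /proc/self/maps, the same view a scanner gets through /proc/<pid>/maps.
 * Returns 1 on success, 0 if no mapping contains addr, -1 without /proc. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int rc = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3)
            continue;
        if ((uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            memcpy(perms, p, 5);
            rc = 1;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* What the slide describes: one mapping that is readable, writable and
 * executable at the same time (VirtualAlloc with PAGE_EXECUTE_READWRITE).
 * Hardened kernels may refuse this, so NULL is a possible answer. */
void *stage_code_rwx(const uint8_t *code, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, len);
    return p;
}

/* The quieter variant: write while RW, then flip to RX with mprotect()
 * (VirtualProtect analogue). The bytes are still executable, but no RWX
 * mapping ever exists for a scanner to find. */
void *stage_code_rx(const uint8_t *code, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, len);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return NULL;
    }
    return p;
}

/* Constructed placeholder, NOT real shellcode and never executed here:
 * four x86 `ret` opcodes. */
static const uint8_t placeholder[] = { 0xC3, 0xC3, 0xC3, 0xC3 };

/* Stage the placeholder both ways and report what /proc/self/maps shows for
 * each. Returns 1 if the RX staging produced a mapping that is not writable,
 * -1 if that could not be verified (no /proc), 0 on failure. */
int rx_staging_is_not_writable(char rwx_perms[5], char rx_perms[5])
{
    void *rwx = stage_code_rwx(placeholder, sizeof placeholder);
    void *rx = stage_code_rx(placeholder, sizeof placeholder);
    int rc;
    strcpy(rwx_perms, "----");
    strcpy(rx_perms, "----");
    if (rwx)
        mapping_perms(rwx, rwx_perms);
    if (!rx)
        return 0;
    rc = mapping_perms(rx, rx_perms);
    if (rwx)
        munmap(rwx, sizeof placeholder);
    munmap(rx, sizeof placeholder);
    if (rc < 0)
        return -1;
    return rc == 1 && rx_perms[1] == '-' && rx_perms[2] == 'x';
}

int main(void)
{
    char a[5], b[5];
    int rc = rx_staging_is_not_writable(a, b);
    printf("RWX staging shows as %s, RW-then-RX staging shows as %s (rc=%d)\n", a, b, rc);
    return rc == 1 ? 0 : 1;
}
```

On a stock Linux kernel the first mapping reads `rwxp` and the second `r-xp`; the Windows equivalent is VirtualAlloc with PAGE_READWRITE followed by VirtualProtect to PAGE_EXECUTE_READ, which satisfies DEP without leaving the RWX region the slide's approach creates.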
![Page 20: UCCU Anti Virus overview](https://reader036.fdocuments.net/reader036/viewer/2022062903/58ed3fb41a28ab2b118b4589/html5/thumbnails/20.jpg)
Conclusion: many protection mechanisms can themselves be turned to the attacker's use (Visual Studio). Individual tricks only pay off when combined into a combo.