
Research on a forensic reverse-analysis method for account-stealing Trojans based on "execution path reconstruction"

Reverse Analysis into Stealing-information Trojan through“Reconstructing Execution Path”
Abstract. Objective: When the specific window title that an account-stealing Trojan monitors is unknown and its key configuration data are stored encrypted, investigators find it difficult to recover the hacker's preset e-mail account through either network monitoring (the sending path is never triggered) or static reverse analysis (the credentials are not readable in the binary). To extract this information effectively, this paper proposes a forensic reverse-analysis method for account-stealing Trojans based on "execution path reconstruction". Methods: The Trojan's execution path is first reverse-analysed; the path is then modified and rebuilt in the forward direction so that the Trojan is forced to carry out its e-mail-sending behaviour along a path chosen by the examiner, at which point the mailbox configuration and other key information can be captured. Results: The hacker's e-mail account, password and other key configuration items were extracted from the parameters of the e-mail-sending function executed by the Trojan. Conclusions: The proposed forensic reverse-analysis method based on "execution path reconstruction" allows Trojan programs to be examined and analysed effectively.
Author: XU Guotian (National Police University of China, Shenyang 110854, China)
Source: 《刑事技术》 (Forensic Science and Technology), 2019, No. 4, pp. 283-288 (6 pages)
Funding: Natural Science Foundation of Liaoning Province (No.2015020091); Public Security Theory and Soft Science Research Program (No.2016LLYJXJXY013); Ministry of Public Security Technology Research Program (No.2016JSYJB06); Fundamental Research Funds for the Central Universities (No.3242017013)
Keywords: execution path reconstruction; account-stealing Trojan; reverse analysis; network monitoring; forensics
About the author: XU Guotian, male, born in Shenyang, Liaoning; master's degree; associate professor; research interest: digital evidence. E-mail: 459536384@qq.com
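The abstract describes a two-stage workflow: locate the branch that gates the Trojan's mail-sending routine, rewrite it so the routine runs regardless of the window-title check, then read the mailbox configuration out of the sending function's arguments (or, equivalently, off the wire when the sample is run against a sinkhole mail server). The script below is an added illustration written for this page, not the paper's own tooling. It assumes the examiner has already found the gating conditional jump in a debugger and converted its virtual address to a file offset; the PE code fragment, the SMTP session and the mailbox `dropbox@example.test` are constructed samples, and all function names are hypothetical.

```python
"""Execution-path reconstruction helpers (added example, not the paper's code).
Assumed: the gating jcc's file offset is already known from debugging;
SAMPLE_IMAGE and SAMPLE_TRANSCRIPT are constructed test data."""
import base64

# x86 opcode facts used by the patcher.
JCC_SHORT = range(0x70, 0x80)   # 70..7F  jcc rel8   (2 bytes)
JMP_SHORT = 0xEB                # EB rel8            (2 bytes)
JMP_NEAR = 0xE9                 # E9 rel32           (5 bytes)
NOP = 0x90


def force_branch(image: bytes, offset: int, take: bool) -> bytes:
    """Return a copy of `image` with the conditional jump at `offset` forced.

    take=True  : jcc becomes an unconditional jmp to the same target
    take=False : jcc becomes NOPs, so execution always falls through
    Instruction length is preserved, so no other offsets in the image move.
    """
    buf = bytearray(image)
    op = buf[offset]
    if op in JCC_SHORT:                                        # jcc rel8
        rel8 = buf[offset + 1]
        patch = bytes([JMP_SHORT, rel8]) if take else bytes([NOP, NOP])
    elif op == 0x0F and 0x80 <= buf[offset + 1] <= 0x8F:       # 0F 8x rel32
        rel32 = bytes(buf[offset + 2:offset + 6])
        # E9 rel32 is one byte shorter than 0F 8x rel32; a leading NOP keeps
        # the instruction end (and therefore the rel32 target) unchanged.
        patch = bytes([NOP, JMP_NEAR]) + rel32 if take else bytes([NOP] * 6)
    else:
        raise ValueError(f"no conditional jump at offset {offset:#x} (byte {op:#04x})")
    buf[offset:offset + len(patch)] = patch
    return bytes(buf)


def extract_smtp_config(transcript: str) -> dict:
    """Recover account, password and addresses from an SMTP session captured
    from the forced sample (lines tagged 'C:' client, 'S:' server).
    AUTH LOGIN / AUTH PLAIN are only base64-encoded on the wire, so once the
    send path executes against a sinkhole server the credentials are in clear."""
    cfg = {}
    client = [ln[2:].strip() for ln in transcript.splitlines() if ln.startswith("C:")]
    it = iter(client)
    for cmd in it:
        parts = cmd.split()
        verb = parts[0].upper() if parts else ""
        if verb == "AUTH" and len(parts) >= 2 and parts[1].upper() == "LOGIN":
            # RFC 4954 allows the username as an initial response on the AUTH line
            user_b64 = parts[2] if len(parts) > 2 else next(it)
            pass_b64 = next(it)
            cfg["user"] = base64.b64decode(user_b64).decode()
            cfg["password"] = base64.b64decode(pass_b64).decode()
        elif verb == "AUTH" and len(parts) >= 2 and parts[1].upper() == "PLAIN":
            blob = parts[2] if len(parts) > 2 else next(it)
            _authzid, user, pw = base64.b64decode(blob).decode().split("\0")
            cfg["user"], cfg["password"] = user, pw
        elif cmd.upper().startswith("MAIL FROM:"):
            cfg["from"] = cmd.split(":", 1)[1].strip().strip("<>")
        elif cmd.upper().startswith("RCPT TO:"):
            cfg.setdefault("to", []).append(cmd.split(":", 1)[1].strip().strip("<>"))
    return cfg


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed 32-bit fragment: test eax,eax ; jnz +5 ; 5 x nop (stand-in for
# the mail-send block) ; ret.  The jnz at offset 2 skips the block whenever
# the title check fails, so NOPping it (take=False) forces the send path.
SAMPLE_IMAGE = bytes([0x85, 0xC0, 0x75, 0x05]) + bytes([NOP] * 5) + bytes([0xC3])

# Constructed SMTP session, as a sinkhole mail server would log it once the
# patched sample runs with DNS pointed at the examiner's host.
SAMPLE_TRANSCRIPT = "\n".join([
    "S: 220 mail.example.test ESMTP",
    "C: EHLO victim-pc",
    "S: 250-mail.example.test",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 " + _b64("Username:"),
    "C: " + _b64("dropbox@example.test"),
    "S: 334 " + _b64("Password:"),
    "C: " + _b64("Tr0jan-Dr0p!"),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<dropbox@example.test>",
    "S: 250 OK",
    "C: RCPT TO:<dropbox@example.test>",
    "S: 250 OK",
])

if __name__ == "__main__":
    print(force_branch(SAMPLE_IMAGE, 2, take=False).hex())
    print(extract_smtp_config(SAMPLE_TRANSCRIPT))
```

The patch deliberately keeps the instruction length so that every relative jump and RVA in the rest of the image stays valid; a real run should also confirm that the chosen jump is the only guard (some samples re-check the title or a decrypted flag inside the send routine), and the patched sample must execute in an isolated VM with outbound SMTP redirected, never on a live network.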

References (3)

  • 1 Zhang Huilin, Zou Wei, Han Xinhui. Mechanism and defense technologies of web Trojans [J]. Journal of Software (软件学报), 2013, 24(4): 843-858.
  • 2 Yu Qian. Research and implementation of Android Trojans and their key technologies [D]. University of Electronic Science and Technology of China (电子科技大学), 2016.
  • 3 Qian Linsong, Zhao Haixu. C++ Disassembly and Reverse Analysis Techniques Revealed (C++反汇编与逆向分析技术揭秘) [M]. Beijing: China Machine Press (机械工业出版社), 2011: 414.
