电子取证论坛 基于二进制代码重用的 攻击取证分析方法 林志强 （助理教授） 德州大学达拉斯分校 对内存的攻击取证分析 DISK … 00001800 00001810 00001820 00001830 00001840 00001850 00001860 00001870 00001880 00001890 000018a0 000018b0 000018c0 … * 00100f60 00100f70 00100f80 00100f90 00100fa0 00100fb0 00100fc0 00100fd0 00100fe0 00100ff0 eb 00 00 00 00 d9 c0 0f 04 8b b3 a4 b8 40 00 00 00 19 ff eb 20 89 88 38 0f 10 1b 00 00 00 66 2d 00 e0 a3 02 00 01 00 02 00 00 00 8c 19 b9 0f 76 00 00 9b 66 63 80 00 00 d0 02 80 ba 02 00 00 90 8e 74 00 00 00 50 00 00 f0 00 8b 8b 02 d8 00 00 00 00 b8 00 00 05 00 8b fb 00 66 f0 00 00 00 08 0f c0 0f 0f 3c 81 00 8e 00 00 00 10 00 20 0f 22 01 00 c7 0f c0 00 00 00 76 00 c0 32 e0 83 00 00 01 66 00 00 00 16 00 0f 0f 60 80 00 30 93 8e 00 00 00 cc 66 ba ba 9c 02 0b 00 68 d0 00 00 00 00 8e f0 f0 8b 00 c9 00 02 66 00 00 00 00 d0 1f 08 d3 00 74 2b 00 8e 00 00 00 00 53 0f 0f c1 0f 12 f9 00 e0 00 00 00 00 8b 22 30 ea 01 8b f3 66 66 |.@..ct..........| |................| |................| |.........v......| |..f..P.....f..S.| |..-..... ......"| |.........2.....0| |. ......".`.....| |...v............| |.......<.....t..| |.8........0..+..| |...........h...f| |...f..f..f..f..f| 00 93 b4 97 cd cf b6 b9 c0 db 00 c9 f8 2f 9f 95 d9 d9 6e 66 00 a4 1b f3 87 bf ad 67 bc 2b 00 1d ae 47 4f 94 ee 37 e7 d8 00 f9 f6 cf 37 3f 61 1e 3d 38 00 48 69 d7 7f 8d f6 7a f3 cb 00 be e8 10 1e 63 90 b5 e7 2a 00 f8 c0 df f1 9a a4 ce d0 91 00 6c b7 f0 fe cc 2c ef 9a 80 f0 c7 34 d6 dc 8a 2b 0c bf ad ff 1d 74 e3 7d 36 54 58 a4 7d 5d 92 a1 9b b9 5b 66 ee 82 25 76 4c 4e f5 f9 56 37 4d 1b d8 e3 1e 5a cf f3 7b de 30 c7 0a f0 6e a7 a9 7b d2 3d d0 9c e5 2f 35 93 23 ef 76 a9 9b f1 db |...........]v../| |.....H..l...L.n5| |.....i...4t.NZ..| |./.G...........#| |...O7.....}...{.| |....?.c...6[V{.v| |....a...,+Tf7.=.| |..g7.z....X.M0..| |.n..=...........| |.f+.8.*...}%....| 常见方法(1): 基于数据结构的域值 Password struct user_account { 00: short int u_type; 04: pid_t u_pid; 08: char u_line[32]; 40: char uid[4]; 44: char user[32]; 76: char password[128]; 204: char u_host[128]; 332: short int e_termination; 334: short int e_exit; 336: long int u_session; 340: struct timeval u_tv; 348: int32_t u_addr_v6[4]; } Klist [Rutkowska,2003], GREPEXEC [bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS’09] 基于数据结构的域值 动态分析去得到 程序数据结构 从常见的域中得 到值得特征 常见方法(2):基于数据间的关系 值可以很容易 被改? [Dolan-Gavitt et al., CCS’09] task struct task { [0] struct thread *thread; [4] struct memory *mm; [8] struct signal *signal; [12] struct task *parent; [16] int magic_number; } magic_number=0xabcdef0f 有没有不用值 的Signature? 常见方法(2):基于数据间的关系 struct task { [0] struct thread *thread; [4] struct memory *mm; [8] struct signal *signal; [12] struct task *parent; } struct thread { [0] struct task *task; } struct memory { [0] struct vma *mmap; [4] void (*map_area) (struct memory* mmap); } struct signal { [0] struct task_status *status; } task(x) thread(*(x+0)) ∧ mm(*(x+4)) ∧ signal(*(x+8)) ∧ task(*(x+12))   task 0 thread 12 4 8 signal mm x A 1st layer task B 0 task 0 4 0 2nd layer 3rd layer 常见方法(2):基于数据间的关系 需要程序的数据 结构 数据结构最好含 有很多指针 第三类方法 基于二进制代码重用的 攻击取证分析方法 程序数据与代码无处不在 Files Registry Virus E-Mail Device-Drivers Executable URLs Networking Processes 对内存的攻击取证分析 DISK 虚拟机视图 … 00001800 00001810 00001820 00001830 00001840 00001850 00001860 00001870 00001880 00001890 000018a0 000018b0 000018c0 … * 00100f60 00100f70 00100f80 00100f90 00100fa0 00100fb0 00100fc0 00100fd0 00100fe0 00100ff0 eb 00 00 00 00 d9 c0 0f 04 8b b3 a4 b8 40 00 00 00 19 ff eb 20 89 88 38 0f 10 1b 00 00 00 66 2d 00 e0 a3 02 00 01 00 02 00 00 00 8c 19 b9 0f 76 00 00 9b 66 63 80 00 00 d0 02 80 ba 02 00 00 90 8e 74 00 00 00 50 00 00 f0 00 8b 8b 02 d8 00 00 00 00 b8 00 00 05 00 8b fb 00 66 f0 00 00 00 08 0f c0 0f 0f 3c 81 00 8e 00 00 00 10 00 20 0f 22 01 00 c7 0f c0 00 00 00 76 00 c0 32 e0 83 00 00 01 66 00 00 00 16 00 0f 0f 60 80 00 30 93 8e 00 00 00 cc 66 ba ba 9c 02 0b 00 68 d0 00 00 00 00 8e f0 f0 8b 00 c9 00 02 66 00 00 00 00 d0 1f 08 d3 00 74 2b 00 8e 00 00 00 00 53 0f 0f c1 0f 12 f9 00 e0 00 00 00 00 8b 22 30 ea 01 8b f3 66 66 |.@..ct..........| |................| |................| |.........v......| |..f..P.....f..S.| |..-..... ......"| |.........2.....0| |. ......".`.....| |...v............| |.......<.....t..| |.8........0..+..| |...........h...f| |...f..f..f..f..f| 00 93 b4 97 cd cf b6 b9 c0 db 00 c9 f8 2f 9f 95 d9 d9 6e 66 00 a4 1b f3 87 bf ad 67 bc 2b