Runion

STRINGS

blacky
Strings are ASCII and Unicode-printable sequences of characters embedded within a file. Extracting strings can give clues about the program's functionality and indicators associated with a suspect binary. For example, if malware creates a file, the file name is stored as a string in the binary. Or, if malware resolves a domain name controlled by the attacker, then the domain name is stored as a string. Strings extracted from the binary can contain references to file names, URLs, domain names, IP addresses, attack commands, registry keys, and so on. So, they give a brief idea of what the malware is trying to do.
Strings analysis - this is the process of extracting readable characters and words from the malware.
Strings can give us valuable information about the malware's functionality.
Malware will usually contain useful strings and other random strings, also known as garbage strings.
Strings are in ASCII and Unicode format. (We need to specify the type of strings we want to extract during analysis, as some tools only extract ASCII.)
The types of strings we are looking for are:
File names
URLs (domains the malware connects to; basically looking at how the malware communicates with command and control (C&C) centres, or how it communicates with the attacker)
IP addresses
Registry keys (e.g. whether it is setting up persistence, uninstalling, or damaging particular registry keys)
Attackers may also include fake strings to disrupt our analysis.

Note: Strings give us a glimpse of what the malware can do. We will use the Windows command line utility "strings" to extract them.



Code:
.\strings64.exe -a -n 7 D:\MALWARE\dc030778938b8b6f98236a709d0d18734c325accf44b12a55ecc2d56b8bb9000 > "C:\Users\JohnDoe\Desktop\Strings.txt"

A Strings.txt file is created on the Desktop.





For fetching Unicode strings:

Code:
strings64.exe -u -n 6 D:\MALWARE\dc030778938b8b6f98236a709d0d18734c325accf44b12a55ecc2d56b8bb9000 > "C:\Users\JohnDoe\Desktop\strings1.txt"

We can also use pestudio for viewing strings.




--------------------------------------This is the very basics of viewing strings---------------------------
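As an added example (not part of blacky's post), the Python script below does what the two strings64.exe commands above do: it pulls printable 7-bit ASCII runs of at least 7 characters (the -a -n 7 run) and printable UTF-16LE runs of at least 6 characters (the -u -n 6 run, which is what "Unicode" means to the Sysinternals tool), then sorts the hits into the categories the post lists: URLs, IP addresses, registry keys, file paths and commands. The SAMPLE bytes are constructed for this example and are not taken from the referenced malware file; the classifier patterns are deliberately crude first-pass heuristics.

```python
"""ASCII / UTF-16LE string extraction with a first-pass IOC sort.

Added example, not code from the thread.  It reproduces what
`strings64.exe -a -n 7` and `strings64.exe -u -n 6` report (printable
7-bit runs, and printable UTF-16LE runs, of at least N characters) and
then sorts the hits into the categories the post lists.  SAMPLE is a
constructed byte blob, not the referenced malware file.
"""
import re
from collections import defaultdict

# Constructed stand-in for a binary: header bytes and junk around strings
# of the kinds the post describes.  NUL bytes terminate each string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"http://evil.example.com/gate.php\x00"
    + b"\x01\x02\x03"
    + b"C:\\Windows\\Temp\\svchost32.exe\x00"
    + b"abc\x00\x00"  # shorter than -n, so it is dropped
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00\x7f\x80"
    + b"192.168.13.37\x00\x00"
    + "cmd.exe /c whoami".encode("utf-16le")
    + b"\x00\x00\xde\xad"
)


def ascii_strings(data: bytes, min_len: int = 7):
    """Runs of printable 7-bit ASCII of at least min_len bytes (strings -a)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pat, data)]


def unicode_strings(data: bytes, min_len: int = 6):
    """Runs of UTF-16LE with ASCII-range characters, as strings -u reports them.

    Each character is one printable byte followed by a NUL, so the pattern
    only fires on genuine little-endian wide strings, not on ASCII text.
    """
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16le") for m in re.findall(pat, data)]


# Crude triage patterns, good enough for a first look at a strings dump.
# Order matters: the first match wins.
CLASSIFIERS = [
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("registry", re.compile(r"^(?:HK[A-Z_]+\\)?(?:Software|System)\\", re.I)),
    ("path", re.compile(r"^[A-Za-z]:\\|^\\\\")),
    ("command", re.compile(r"(?:^|\s)(?:cmd\.exe|powershell|rundll32)\b", re.I)),
]


def classify(s: str) -> str:
    """Label one extracted string with the first matching category."""
    for label, rx in CLASSIFIERS:
        if rx.search(s):
            return label
    return "other"


def triage(data: bytes, ascii_min: int = 7, unicode_min: int = 6):
    """Return {category: [strings]} over both encodings, duplicates removed."""
    found = defaultdict(list)
    seen = set()
    for s in ascii_strings(data, ascii_min) + unicode_strings(data, unicode_min):
        if s not in seen:
            seen.add(s)
            found[classify(s)].append(s)
    return dict(found)


if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category)
        for s in items:
            print("    " + s)
```

Two things worth noticing when you run it: the registry key and the command only show up in the UTF-16LE pass, which is why the post insists on a separate Unicode run, and the "abc" fragment vanishes because it is shorter than the -n threshold, which is also what hides many short garbage strings.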
 
The Sysinternals pack has other cool utilities in it too; bring reviews of all of them here, and grab the whole MSDN while you're at it!)
 
In well-written malware, all the strings that are actually used are hidden/encrypted.
And at the same time, strings that mislead the analyst or the AV are deliberately left in the clear.
For example, they hid all the strings with the names of file and process APIs - CreateFile, CreateProcess and the like.
And in the clear they left strings with the names of user-interface APIs: CreateWindowEx, MessageBox, etc.
That is, they made the EXE look as much like a legitimate application as possible, leaving the strings characteristic of such applications in the clear.
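The decoy-versus-hidden layout this reply describes, as an added example that is not code from the thread: BLOB is a constructed blob with the UI API names in the clear and the file/process API names plus a C2 host XORed with a single byte. A plain ASCII scan returns only the decoys. The way past that shown here is a known-plaintext search (the idea behind tools like xorsearch): take an API name you would expect in real malware but cannot see, try all 255 single-byte keys, and once one key produces a hit, apply it to every unreadable NUL-delimited chunk. The key 0xA7, the API names and the host name are all invented for this example, and single-byte XOR is only the simplest case of what the reply calls "hidden/encrypted".

```python
"""Decoy strings in the clear, real strings XOR-hidden, and how to get past that.

Added example, not code from the thread.  BLOB is a constructed blob laid
out the way the reply describes: UI API names left readable as decoys,
while the API names that matter and a C2 host are stored XORed with a
single byte.  The key 0xA7, the API list and the host name are invented.
A plain ASCII scan returns only the decoys; a known-plaintext search over
all 255 keys recovers the key from one suspected name, and that key then
unmasks the rest.
"""
import re

MIN_LEN = 7
KEY = 0xA7  # constructed; in a real sample the key is what you are looking for

DECOYS = [b"CreateWindowExW", b"MessageBoxW", b"GetMessageW", b"DispatchMessageW"]
HIDDEN = [b"CreateFileW", b"CreateProcessW", b"evil-c2.example.net"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)


# Clear decoys first, then the hidden strings, each NUL-terminated the way a
# compiler lays out string literals.  Only the string bodies are XORed.
BLOB = (
    b"\x00".join(DECOYS) + b"\x00\x00"
    + b"\x00".join(xor_bytes(s, KEY) for s in HIDDEN) + b"\x00\x00"
)


def ascii_strings(data: bytes, min_len: int = MIN_LEN):
    """Printable 7-bit runs, what `strings -a -n min_len` would show."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def is_printable(chunk: bytes) -> bool:
    return len(chunk) > 0 and all(0x20 <= b <= 0x7E for b in chunk)


def xor_search(data: bytes, needles):
    """Known-plaintext search: for each needle, try every single-byte key.

    Returns {needle: (key, offset)} for needles found under some key.  Key 0
    is skipped because that is the plain scan already done.
    """
    hits = {}
    for needle in needles:
        for key in range(1, 256):
            off = data.find(xor_bytes(needle, key))
            if off != -1:
                hits[needle.decode("ascii")] = (key, off)
                break
    return hits


def decode_with_key(data: bytes, key: int, min_len: int = MIN_LEN):
    """Apply a recovered key to every NUL-delimited chunk that is not readable.

    Chunks are split on the in-the-clear NUL terminators before XORing, so
    the terminators themselves never turn into printable junk that would
    glue neighbouring strings together.
    """
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) < min_len or is_printable(chunk):
            continue
        decoded = xor_bytes(chunk, key)
        if is_printable(decoded):
            out.append(decoded.decode("ascii"))
    return out


def recover_hidden(data: bytes, suspects):
    """Plain dump, key recovery from the suspects that are missing, then decode."""
    plain = ascii_strings(data)
    hits = xor_search(data, [s for s in suspects if s.decode("ascii") not in plain])
    keys = sorted({key for key, _ in hits.values()})
    hidden = []
    for key in keys:
        hidden.extend(decode_with_key(data, key))
    return plain, hits, hidden


if __name__ == "__main__":
    plain, hits, hidden = recover_hidden(BLOB, [b"CreateFileW", b"CreateProcessW", b"WinExec"])
    print("plain strings:", plain)
    print("known-plaintext hits:", {n: (hex(k), off) for n, (k, off) in hits.items()})
    print("decoded with recovered key:", hidden)
```

The point of the known-plaintext step is that "decode with every key and keep whatever looks printable" does not work on its own: for short strings a large fraction of keys produce all-printable garbage, so you need something you expect to find (an API name, "http://", "This program cannot be run") to pin the key down first. Multi-byte or per-string keys and real ciphers defeat this script by design; at that point the strings only exist at runtime and you move to dynamic analysis or a debugger.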
 