I am comparing memory dumps in Python with diStorm and Volatility and trying to analyze whether there has been a process injection, given two memory dumps ("Dump" and "Truth"). The processes and their modules are matched against each other across the dumps for comparison, but I get quite a lot of white noise (false positives). Modules (notepad and calc):

[10:08:13] Loading  'D:\notepad.zip'
[10:08:36] Loading  'D:\calc.zip'
[10:08:59] No match found for #208 "calc.exe"!
[10:08:59] 01/17    matching "csrss.exe"
[10:09:08] 02/17    matching "VBoxTray.exe"
[10:09:18] 03/17    matching "svchost.exe"
[10:12:51] 04/17    matching "ctfmon.exe"
[10:12:55] 05/17    matching "VBoxService.exe"
[10:13:24] 06/17    matching "smss.exe"
[10:13:25] 07/17    matching "explorer.exe"
[10:14:39] Module difference @ 0x772fb186   "\WINDOWS\system32\shlwapi.dll"
SUB AL, 0x77                    SUB AL, 0x77
POP ESP                         MOV DL, 0x14
DB 0x15                         DB 0xbd
DB 0x2d
[10:14:39] Module difference @ 0x772fb817   "\WINDOWS\system32\shlwapi.dll"
XOR [EAX], EAX                  XOR [EAX], EAX
ADD [EAX], AL                   DB 0x0
DB 0x0                          DB 0xbd
[10:14:39] Module difference @ 0x77fb5e17   "\WINDOWS\system32\ntdll.dll"
ADD [ECX+0x0], AH               ADD [EDI+0x0], CH
INS BYTE [ES:EDI], DX           DB 0x74
[10:14:39] Module difference @ 0x77fb5e1f   "\WINDOWS\system32\ntdll.dll"
ADD [EBP+0x0], AH               ADD [ECX+0x0], AH
DB 0x78                         DB 0x64
[10:14:39] Module difference @ 0x77fb5e27   "\WINDOWS\system32\ntdll.dll"
ADD [EAX], AL                   ADD [EAX+0x0], BH
DB 0x0                          DB 0x65
DB 0x73
[10:14:41] 08/17    matching "spoolsv.exe"
[10:15:24] 10/17    matching "svchost.exe"
[10:15:47] 11/17    matching "msmsgs.exe"
[10:16:06] 12/17    matching "svchost.exe"
[10:16:38] 13/17    matching "svchost.exe"
[10:17:08] 14/17    matching "winlogon.exe"
[10:18:03] 15/17    matching "services.exe"
[10:18:19] 16/17    matching "lsass.exe"
[10:19:15] Module difference @ 0x74414320   "\WINDOWS\system32\samsrv.dll"
ADD [EAX], AL                   JO 0x743bffb4
ADD [EAX], AL                   ADC AL, 0xc
ADD [EAX], AL                   OR AL, 0xde
ADD [EAX], AL                   INTO
[10:19:15] Module difference @ 0x74414546   "\WINDOWS\system32\samsrv.dll"
ADD [EAX], AL                   ADD [EAX], AL
ADD [EAX], AL                   DB 0xff
ADD [EAX], AL                   DB 0xff
DB 0x0                          DB 0xff
[10:19:16] Module difference @ 0x76f411bf   "\WINDOWS\system32\wldap32.dll"
ADD [EAX], AL                   ADD AL, CH
DB 0x3e                         JAE 0x76f2000f
DB 0xc
[10:19:17] Module difference @ 0x77cff169   "\WINDOWS\system32\rpcrt4.dll"
DB 0x3                          MOV AL, [0x49ff5965]
DB 0x35
DB 0xa1
IN AL, 0x3a
[10:19:20] 17/17    matching "System"


If I also try to compare the executable image of the process at the same time, I get even more noise.

Each dump was created on the same Windows XP VM.
Any ideas on how to filter out that noise? Thanks for any hints, and sorry for my bad English.
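One source of the noise in the listing above is visible in the pairs where one side is nothing but `ADD [EAX], AL` / `DB 0x0`: that is what a run of zero bytes disassembles to, and a Volatility-style reader returns zero-filled pages for memory that was simply not resident when the dump was taken. The following added example (not code from the question or from any project it names) compares one module's bytes as read from two dumps, drops pages that are zero-filled in exactly one dump as "non-resident", and reports only the remaining differing byte runs with their virtual address. The base address, page contents and the 5-byte entry patch are constructed sample data, not values from the page.

```python
"""Page-aware comparison of one module between two memory dumps.

Added example. Assumes both dumps exposed the same virtual range of the
module as a bytes object (e.g. read through an address-space object).
All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List

PAGE_SIZE = 0x1000   # x86 page size; a non-resident page reads back as zeros
MERGE_GAP = 4        # differing runs closer than this are reported as one


@dataclass
class Diff:
    address: int  # virtual address where the differing run starts
    length: int   # number of bytes in the run (whole page for non-resident)
    kind: str     # "nonresident" (likely paged out in one dump) or "code"


def _is_zero(buf: bytes) -> bool:
    return not any(buf)


def compare_module(base: int, dump: bytes, truth: bytes) -> List[Diff]:
    """Compare two copies of one module page by page.

    A page that is all zeros in exactly one copy is classified as
    'nonresident' so callers can discard it; inside other pages, runs of
    differing bytes are reported as 'code' differences.
    """
    if len(dump) != len(truth):
        raise ValueError("both copies must cover the same virtual range")
    diffs: List[Diff] = []
    for page_start in range(0, len(dump), PAGE_SIZE):
        d = dump[page_start:page_start + PAGE_SIZE]
        t = truth[page_start:page_start + PAGE_SIZE]
        if d == t:
            continue
        if _is_zero(d) != _is_zero(t):
            diffs.append(Diff(base + page_start, len(d), "nonresident"))
            continue
        # Collect runs of differing bytes within a page that is resident in both.
        runs: List[Diff] = []
        i = 0
        while i < len(d):
            if d[i] == t[i]:
                i += 1
                continue
            j = i
            while j < len(d) and d[j] != t[j]:
                j += 1
            start = base + page_start + i
            if runs and start - (runs[-1].address + runs[-1].length) <= MERGE_GAP:
                runs[-1].length = start + (j - i) - runs[-1].address
            else:
                runs.append(Diff(start, j - i, "code"))
            i = j
        diffs.extend(runs)
    return diffs


def real_differences(diffs: List[Diff]) -> List[Diff]:
    """Keep only differences that are not explained by a non-resident page."""
    return [x for x in diffs if x.kind == "code"]


def build_sample():
    """Constructed three-page module: identical page, paged-out page,
    and a page whose first function entry was overwritten in 'dump'."""
    base = 0x7C800000                       # constructed base address
    page0 = bytes(range(256)) * 16          # identical in both dumps
    page1 = b"\x90" * PAGE_SIZE             # resident only in 'truth'
    func = b"\x8b\xff\x55\x8b\xec\xc3" + b"\xcc" * 10   # 16-byte stub
    page2_truth = (func * (PAGE_SIZE // len(func)))[:PAGE_SIZE]
    patched = b"\xe9\x00\x10\x00\x00"       # 5-byte change at the entry
    page2_dump = patched + page2_truth[len(patched):]
    truth = page0 + page1 + page2_truth
    dump = page0 + bytes(PAGE_SIZE) + page2_dump
    return base, dump, truth


if __name__ == "__main__":
    base, dump, truth = build_sample()
    for diff in compare_module(base, dump, truth):
        print(f"{diff.kind:12s} @ 0x{diff.address:08x} ({diff.length} bytes)")
    print("real:", real_differences(compare_module(base, dump, truth)))
```

On the constructed data this reports the second page as non-resident and a single 5-byte code difference at the start of the third page; the non-resident page is exactly the kind of entry that the listing above shows as `ADD [EAX], AL` columns, and dropping it leaves only the change worth inspecting.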

Comment

Sounds like you want to disable ASLR. Look at: stackoverflow.com/questions/9560993/…

Answer #1

Unfortunately, there are some factors at play that will make this hard to filter. Specifically, everything from the calling convention Windows uses to the function prologue leaves space in the prologue to allow for hot-patching and the like. The Windows application binary interface (ABI) is included in every execution on the box. Naturally, this means you will not be able to filter it out, because some instructions are extremely common. Find SSDEEP in this answer