Upgrade to Pro — share decks privately, control downloads, hide ads and more …

なぜマルウェア解析は自動化できないのか

Avatar for Yuma Kurogome Yuma Kurogome
August 14, 2016
Programming
4.4k
6

 なぜマルウェア解析は自動化できないのか

セキュリティ・キャンプ全国大会2016 講義資料

Avatar for Yuma Kurogome

Yuma Kurogome

August 14, 2016

More Decks by Yuma Kurogome

See All by Yuma Kurogome
The Art of De-obfuscation
Avatar for Yuma Kurogome ntddk
16
28k
死にゆくアンチウイルスへの祈り
Avatar for Yuma Kurogome ntddk
55
39k
Windows Subsystem for Linux Internals
Avatar for Yuma Kurogome ntddk
10
3.2k
Linear Obfuscation to Drive angr Angry
Avatar for Yuma Kurogome ntddk
4
910
CAPTCHAとボットの共進化
Avatar for Yuma Kurogome ntddk
2
1.2k
マルウェアを機械学習する前に
Avatar for Yuma Kurogome ntddk
3
1.7k
Peeling Onions
Avatar for Yuma Kurogome ntddk
7
3.8k
仮想化技術を用いたマルウェア解析
Avatar for Yuma Kurogome ntddk
8
27k
An Introduction to Drawbridge(ja)
Avatar for Yuma Kurogome ntddk
11
3.5k

Other Decks in Programming

See All in Programming
作って学ぶ、 JSX (TSX) ランタイムの基本
Avatar for syumai syumai
7
1.6k
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
Avatar for snhryt snhryt
0
150
The Arts and Crafts of Work in the AI Era — Toward Mastery in Software Development
Avatar for Yoshihito Kuranuki / 倉貫義人 kuranuki
1
750
ふつうのFeature Flag実践入門
Avatar for irof irof
7
3.7k
Old Dog, New Tricks: The Java 25 Reinvention - JNation
Avatar for A N M Bazlur Rahman bazlur_rahman
0
150
Spec Driven Development | AI Summit Lisbon
Avatar for Daniel Sogl danielsogl
PRO
0
180
AIで効率化できた業務・日常
Avatar for Ochtum ochtum
0
120
CSC307 Lecture 17
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
320
A2UI という光を覗いてみる
Avatar for SatohJohn satohjohn
1
120
Technical Debt: Understanding it Rightly, Engaging it Rightly #LaravelLiveJP
Avatar for shogogg shogogg
0
210
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
Avatar for Masaaki Takahashi macha64
0
490
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
Avatar for ギークプラス ソフトウェア事業部 geekplus_tech
0
330

Featured

See All Featured
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
400
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
1
200
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.9k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
250
1.3M
The innovator’s Mindset - 
Leading Through an Era of Exponential Change - McGill University 2025
Avatar for Jean-Marc De Jonghe jdejongh
PRO
1
200
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.9k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
330
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
201
75k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
275
41k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
470

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. • • • • • • • • • •

    • • • •

  7. • • • •

  8. • • • • • • • • • •

    • • • •

  9. • • • • • • • • • •

    • • •
  10. None

  11. • • • • • • • • • •

    • • • • • • • • • • • • • • • • • • • •

  12. • • • • • •

  13. typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic; ... DWORD SizeOfCode; //

    コード全体のサイズ ... DWORD AddressOfEntryPoint; // エントリポイントのアドレス (RVA) DWORD BaseOfCode; // コード領域のベースアドレス (RVA) DWORD BaseOfData; // グローバル変数などの値が確定していないデータ領域のベースアドレス (RVA) DWORD ImageBase; // 仮想メモリにロードされるときの開始(ベース)アドレス // RVAはImageBaseのアドレスを引いた相対アドレス ... DWORD SizeOfImage; // メモリにロードされたときの全体サイズ DWORD SizeOfHeaders; ... IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // インポート情報やエクスポート情報などへのアドレス (RVA) } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
  14. None

  15. • • • • • •

  16. None

  17. • • • • • • •

  18. • • • • • • • •

  19. • • • •

  20. • MOV EBX, EAX ADD EAX, $0x4 … MOV EBX,

    EAX ADD EAX, $0x4 … • • • mov_i32 ebx, eax movi_i32 tmp1, 0x4 add_i32 eax, tmp1 •

  23. None
  24. None

  25. • • • • • • • • •

  26. • • •

  27. • • • • •

  28. • • • • •

  29. None

  30. • • • • •

  31. • • • • • •

  32. • •

  33. • • • • • • • •

  34. from datetime import date from hashlib import sha256 def dyre_dga(num,

    date_str=None): if None == date_str: date_str = '{0.year}-{0.month}-{0.day}'.format(date.today()) tlds = ['.cc', '.ws', '.to', '.in', '.hk', '.cn', '.tk', '.so'] hash = sha256('{0}{1}'.format(date_str, num)).hexdigest()[3:36] replace_char = chr(0xFF & ((num % 26) + 97)) return '{0}{1}{2}:443'.format(replace_char, hash, tlds[num % len(tlds)]) todays_domains = [dyre_dga(i) for i in xrange(333)]

  35. • • • •

  36. • •

  37. • • •

  38. None
  39. None

  40. • • • • • • • • •

  41. • • • •

  42. • •

  43. cmp eax, 0x7E0 je 0xdeadbaad if(x!=2016) Invalid. ASSERT( INPUT_*_*_* =0hex7E0

    ); (a1 or !a2 or a3 … or an) and (b1 or b2 or !b3 … or !bn) and …
  44. None

  45. • •

  47. None

  48. • •

  49. None

  51. None

  52. • • • • • •

  53. • • •