
National Chengchi University

[trace] unitPos : (0,2) ---> [mark] W32
[trace] unitPos : (0,3) ---> [mark] W32
[trace] unitPos : (0,4) ---> [note] empty
[trace] unitPos : (0,5) ---> [mark] W32
[trace] unitPos : (1,0) ---> [mark] W32
[trace] unitPos : (1,1) ---> [note] empty
[trace] unitPos : (1,2) ---> [mark] W32
[trace] unitPos : (1,3) ---> [mark] Normal
[trace] unitPos : (1,4) ---> [note] empty
[trace] unitPos : (1,5) ---> [mark] W32
[trace] unitPos : (4,5)

[trace] unitPos : (0,0) ---> [mark] W32
[trace] unitPos : (0,1) ---> [note] empty
[trace] unitPos : (0,2) ---> [note] pure W32 but has normal
[trace] unitPos : (0,3) ---> [note] empty
[trace] unitPos : (0,4) ---> [mark] W32
[trace] unitPos : (1,0) ---> [mark] W32
[trace] unitPos : (1,1) ---> [mark] Normal
[trace] unitPos : (1,2) ---> [note] pure W32 but has normal
[trace] unitPos : (1,3) ---> [mark] Normal
[trace] unitPos : (1,4) ---> [mark] W32

Appendix 4. Rule3 GHSOM predicting model for test2

\Windows\System32\ntdll.dll

\Windows\Fonts\vgaoem.fon

\Windows\Fonts\dosapp.fon

\Windows\System32\sxs.dll

\Windows\System32\cryptbase.dll

\Windows\Fonts\cga40woa.fon

\Windows\Fonts\cga80woa.fon

\Windows\Fonts\ega40woa.fon

\Windows\System32\RpcRtRemote.dll

\Windows\System32\mswsock.dll

\Windows\System32\wship6.dll


\Windows\System32\NlsData000c.dll

\Windows\Temp\CR_CFDD0.tmp\setup.exe

\Windows\System32\dllhost.exe

\cygwin\home\student\7900_03f912899b3d90f9915d72fc9abb91be.exe

\Windows\System32\locale.nls

\cygwin\home\student\7943_831f4ee0a7d2d1113c80033f8d6ac372.exe

\cygwin\home\student\475_a47c6c159a30e2791ec1d19ead72f88e.exe

\Windows\System32\wbem\cimwin32.dll

\Windows\System32\wbem\wmipcima.dll

\Windows\System32\wbem\en-US\cimwin32.dll.mui

\cygwin\home\student\510_730498b8a6c676e2298d9b1ad7dd5d10.exe

\cygwin\home\student\571_1f696b30880212766a804a20f6c52751.exe

????????????

\Windows\System32\icmp.dll

\Windows\System32\qoysxzo.exe

\Windows\System32\ebsbwfs.exe

\cygwin\home\student\452_c4b7a5607500d75d16addc436ab4c15d.exe

\Windows\System32\wersvc.dll

\Windows\System32\psbase.dll

\Windows\System32\pstorsvc.dll

\cygwin\home\student\2697_8eb1ccf0488e1c9ef98d5d940a090c53.exe

\Windows\System32\pstorec.dll

\Windows\System32\crtdll.dll

\Windows\System32\ReAgent.dll

\cygwin\home\student\5165_9d9d108ababb48fb71d2d2398b5a30a2.exe

Appendix 5. Attributes of vectors of ldrmodules raw files

1: W32

\Windows\System32\en-US\taskcomp.dll.mui

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\umpo.dll

\Windows\System32\msxml3r.dll

\Windows\System32\t2embed.dll

\Windows\System32\sti.dll


\Windows\System32\ntdll.dll

\Windows\System32\en-US\sppcommdlg.dll.mui

\Windows\System32\smss.exe

\Windows\System32\werconcpl.dll

\Windows\System32\tdh.dll

\Windows\System32\d3d10_1.dll

\Windows\System32\en-US\win32spl.dll.mui

\Windows\System32\apphelp.dll

\Windows\System32\rasadhlp.dll

2: TR

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\umpo.dll

\Windows\System32\t2embed.dll

\Windows\System32\sti.dll

\Windows\System32\oleaccrc.dll

\Windows\System32\sppc.dll

\Windows\System32\RpcEpMap.dll

\Windows\System32\ntdll.dll

3: WORM

\Windows\System32\en-US\taskcomp.dll.mui

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\umpo.dll

\Windows\System32\t2embed.dll

\Windows\System32\sti.dll

\Windows\System32\oleaccrc.dll

6: Normal

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\fveapi.dll

\Windows\System32\samsrv.dll

\Windows\System32\wininet.dll

\Windows\System32\dhcpcore.dll

\Windows\System32\d3d10_1.dll


\Windows\System32\winnsi.dll

\Windows\System32\chtbrkr.dll

\Windows\System32\credssp.dll

\Windows\System32\en-US\umpnpmgr.dll.mui

\Windows\System32\en-US\wdmaud.drv.mui

\Windows\System32\StructuredQuery.dll

\Windows\System32\en-US\devenum.dll.mui

\cygwin\bin\cygssp-0.dll

\Windows\System32\cryptui.dll

7: Malware

\Windows\System32\en-US\taskcomp.dll.mui

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\umpo.dll

\Windows\System32\t2embed.dll

\Windows\System32\sti.dll

\Windows\System32\PortableDeviceApi.dll

\Windows\System32\en-US\sppcommdlg.dll.mui

\Windows\System32\werconcpl.dll

\Windows\System32\WSDMon.dll

\Windows\System32\fveapi.dll

\Windows\System32\d3d10_1.dll

\Windows\System32\en-US\win32spl.dll.mui

\Windows\System32\IKEEXT.DLL

\Windows\System32\en-US\shlwapi.dll.mui

\Windows\System32\radardt.dll

Appendix 6. Decisive attributes of each class in rule2 in test1

1: W32

\Windows\System32\ncrypt.dll

\Windows\System32\umpo.dll

\Windows\System32\mfc42u.dll

\Windows\System32\uxtheme.dll


\Windows\System32\en-US\imageres.dll.mui

2: TR

\Windows\System32\ncrypt.dll

\Windows\System32\sxs.dll

\Windows\System32\en-US\rasdlg.dll.mui

\Windows\System32\nsisvc.dll

\Windows\System32\en-US\sppcommdlg.dll.mui

\Windows\System32\bitsigd.dll

\Windows\System32\dbghelp.dll

\Windows\System32\sppcommdlg.dll

\Windows\System32\en-US\ntdll.dll.mui

\cygwin\bin\cygiconv-2.dll

\Windows\System32\en-US\wisptis.exe.mui

\Windows\System32\ieframe.dll

\Windows\System32\sppcomapi.dll

\Windows\System32\fvecerts.dll

\Windows\System32\bitsperf.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\wscui.cpl

\Windows\System32\ieapfltr.dll

\Windows\System32\wbemcomn.dll

\Windows\System32\en-US\lsasrv.dll.mui

\Windows\System32\AudioEng.dll

\Windows\System32\TabSvc.dll

\Windows\System32\en-US\sndvolsso.dll.mui

\Windows\explorer.exe

\Windows\System32\en-US\imageres.dll.mui

3: WORM

\Windows\System32\ncrypt.dll

\Windows\System32\umpo.dll


\Windows\System32\TabSvc.dll

\Windows\System32\en-US\umpnpmgr.dll.mui

\Windows\System32\usp10.dll

\Windows\System32\FXSMON.dll

\Windows\System32\wpdbusenum.dll

\Windows\System32\mlang.dll

\Windows\System32\wiatrace.dll

\Windows\System32\ksuser.dll

\Windows\System32\SnippingTool.exe

\Windows\System32\nlaapi.dll

\Windows\System32\PortableDeviceTypes.dll

\Windows\System32\msctfp.dll

\Windows\System32\ntlanman.dll

\Windows\System32\en-US\gpsvc.dll.mui

\Windows\System32\WindowsCodecs.dll

\Windows\System32\ntmarta.dll

\Windows\System32\vssapi.dll

\Windows\System32\taskeng.exe

\Windows\System32\en-US\sndvolsso.dll.mui

\Windows\System32\wbem\esscli.dll

\cygwin\home\student\2697_8eb1ccf0488e1c9ef98d5d940a090c53.exe

\Windows\System32\ReAgent.dll

\Windows\System32\winspool.drv

\Windows\explorer.exe

\Windows\System32\framedynos.dll

\Windows\System32\sqlcese30.dll

\Windows\System32\en-US\imageres.dll.mui

\Windows\System32\en-US\crypt32.dll.mui

\Windows\System32\PortableDeviceConnectApi.dll

7: Malware

\Windows\System32\ncrypt.dll

\Windows\System32\umpo.dll


\Windows\System32\wbem\esscli.dll

\Windows\System32\winspool.drv

\Windows\explorer.exe

\Windows\System32\en-US\imageres.dll.mui

Appendix 7. Decisive attributes of each class in rule3 in test1

1: W32

\Windows\System32\en-US\taskcomp.dll.mui

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\umpo.dll

\Windows\System32\t2embed.dll

\Windows\System32\sti.dll

\Windows\System32\oleaccrc.dll

\Windows\System32\sppc.dll

\Windows\System32\RpcEpMap.dll

\Windows\System32\PortableDeviceApi.dll

\Windows\System32\ntdll.dll

\Windows\System32\en-US\sppcommdlg.dll.mui

\Windows\System32\sppcommdlg.dll

\Windows\System32\pnpui.dll

\Windows\System32\werconcpl.dll

\Windows\System32\lsass.exe

\Windows\System32\netapi32.dll

\Windows\System32\en-US\win32spl.dll.mui

\Windows\System32\DWrite.dll

\Windows\System32\wbemcomn.dll

\Windows\System32\psapi.dll

\Windows\AppPatch\AcGenral.dll

\Windows\System32\wuapi.dll

\Windows\System32\radardt.dll

\Windows\explorer.exe

\Windows\System32\pdh.dll


\Windows\System32\t2embed.dll

\Windows\System32\sti.dll

\Windows\System32\sppc.dll

\Windows\System32\RpcEpMap.dll

\Windows\System32\ntdll.dll

3: WORM

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\umpo.dll

\Windows\System32\t2embed.dll

\Windows\System32\sti.dll

\Windows\System32\oleaccrc.dll

6: Normal

\Windows\System32\PortableDeviceApi.dll

\Windows\System32\elslad.dll

\Windows\System32\vdmdbg.dll

\Windows\System32\FWPUCLNT.DLL

\Windows\System32\winnsi.dll

\Windows\System32\fthsvc.dll

\Windows\System32\usbceip.dll

\Windows\System32\audiosrv.dll

\Windows\System32\dwmapi.dll

\Windows\System32\srvsvc.dll

\Windows\System32\dps.dll

\Windows\System32\wship6.dll

\Windows\System32\UI0Detect.exe

\Windows\System32\en-US\crypt32.dll.mui

7: Malware

\Windows\System32\wbem\WMIADAP.exe

\Windows\System32\umpo.dll

\Windows\System32\t2embed.dll

\Windows\System32\en-US\msiexec.exe.mui

\Windows\System32\sti.dll


\Windows\System32\oleaccrc.dll

\Windows\System32\pnpui.dll

\Windows\System32\sqlceqp30.dll

\Windows\System32\csrss.exe

\Windows\System32\gpsvc.dll

\Windows\System32\WMALFXGFXDSP.dll

\Windows\System32\wlanapi.dll

\Windows\System32\mshtml.dll

\Windows\System32\aelupsvc.dll

\Windows\System32\netlogon.dll

Appendix 8. Decisive attributes of each class in rule2 for test2

1: W32

\Windows\System32\ncrypt.dll

\Windows\System32\umpo.dll

\Windows\System32\batmeter.dll

\Windows\System32\mfc42u.dll

\Windows\System32\netjoin.dll

\Windows\System32\uxtheme.dll

\Windows\System32\IPHLPAPI.DLL

\Windows\System32\pcasvc.dll

\Windows\System32\msxml3r.dll

\Windows\System32\t2embed.dll

\Windows\System32\WPDShServiceObj.dll

\Windows\System32\en-US\msiexec.exe.mui

\Windows\System32\oleaccrc.dll

\Windows\System32\sppc.dll

\Windows\System32\sysmain.dll

\Windows\System32\SearchIndexer.exe

\Windows\System32\UIRibbonRes.dll

\Windows\System32\sxs.dll

\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.175


\Windows\System32\en-US\localspl.dll.mui

\Windows\System32\ReAgent.dll

\Windows\System32\wdiasqmmodule.dll

\Windows\System32\devrtl.dll

\Windows\System32\winspool.drv

\Windows\System32\MsCtfMonitor.dll

\Windows\System32\timedate.cpl

\Windows\explorer.exe

\Windows\System32\SearchFilterHost.exe

\Windows\System32\sqlcese30.dll

\Windows\System32\dsrole.dll

2: TR

\Windows\System32\ncrypt.dll

\Windows\System32\umpo.dll

\Windows\System32\uxtheme.dll

\Windows\System32\IPHLPAPI.DLL

\Windows\System32\pcasvc.dll

\Windows\System32\msxml3r.dll

\Windows\System32\t2embed.dll

\Windows\System32\SearchIndexer.exe

\Windows\System32\sxs.dll

\Windows\System32\en-US\rasdlg.dll.mui

\Windows\System32\winrnr.dll

\Windows\System32\bitsigd.dll

\Windows\System32\dwmredir.dll

\cygwin\bin\cygiconv-2.dll

\Windows\System32\ieframe.dll

\Windows\System32\rasman.dll

\Windows\System32\fvecerts.dll

\Windows\System32\bitsperf.dll

\Windows\System32\wscui.cpl

\Windows\System32\pnrpnsp.dll


6: Normal

\Windows\System32\ncrypt.dll

\Windows\System32\umpo.dll

\Windows\System32\batmeter.dll

\Windows\System32\mfc42u.dll

\Windows\System32\uxtheme.dll

\Windows\System32\IPHLPAPI.DLL

\Windows\System32\pcasvc.dll

\Windows\System32\msxml3r.dll

\Windows\System32\t2embed.dll

\Windows\System32\WPDShServiceObj.dll

\Windows\servicing\CbsApi.dll

\Windows\System32\oleaccrc.dll

\Windows\System32\sppc.dll

\Windows\System32\SearchIndexer.exe

\Windows\System32\sxs.dll

\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

\Windows\System32\wscapi.dll

\Windows\System32\en-US\rasdlg.dll.mui

\Windows\System32\en-US\FXSRESM.dll.mui

\Windows\System32\winrnr.dll

\Windows\System32\en-US\sppcommdlg.dll.mui

\Windows\System32\olepro32.dll

\Windows\System32\smss.exe

\cygwin\bin\cygz.dll

\Windows\System32\bitsigd.dll

\Windows\System32\sppcommdlg.dll

\Windows\System32\bcryptprimitives.dll

\Windows\System32\dwmredir.dll

\Windows\System32\en-US\ntdll.dll.mui

\cygwin\bin\cygiconv-2.dll


\Windows\System32\mapi32.dll

\Windows\System32\en-US\lsasrv.dll.mui

\Windows\System32\UIRibbon.dll

\Windows\System32\usp10.dll

\Windows\System32\dwm.exe

\Windows\System32\wpdbusenum.dll

\Windows\System32\ksuser.dll

\Windows\System32\schedsvc.dll

\Windows\System32\en-US\gpsvc.dll.mui

\Windows\System32\clbcatq.dll

\Windows\System32\msdmo.dll

\Windows\System32\sppobjs.dll

Appendix 9. Decisive attributes of each class in rule3 for test2


Appendix 10. Example of resolving memory snapshot


To resolve the memory snapshot, we first need to know the offset to the start of the target data structure. As in Appendix 10, suppose we want the list of DLL libraries used by a process. We start from offset 0xb8 to find the head of a doubly linked list whose nodes are _EPROCESS data structures; an _EPROCESS structure stores the information of one process. From one node of this doubly linked list we can find the _PEB pointer, which points to a _PEB data structure. In the _PEB data structure we can find a _PEB_LDR_DATA pointer, which points to a _PEB_LDR_DATA data structure. In the _PEB_LDR_DATA data structure we can find the InLoadOrderModuleList pointer, which points to a linked list whose nodes are _LDR_DATA_TABLE_ENTRY data structures. Each node of this linked list, a _LDR_DATA_TABLE_ENTRY, holds the information of one DLL library used by the process we are tracing, so walking the whole linked list gives every DLL library used by that process. Repeating the procedure above for each _EPROCESS in the doubly linked list gives the DLL library information of every process in the current OS. That is what the ldrmodules plugin does, and the main effort of this research concerns the DLL library behaviour of a VM that is running a malware sample.
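The walk just described, written out as an added Python example (it is not the thesis's code nor Volatility's ldrmodules plugin). It runs over a constructed 32-bit image in which a virtual address is simply an offset into the buffer; a real snapshot needs page-table translation first. Only the 0xb8 ActiveProcessLinks offset is taken from the text; every other field offset, structure size, process name and DLL path in the block is a toy value chosen for this example, and the functions u32, walk_list, modules_of_process, ldrmodules, safe_ldrmodules, ToyImage, link_ring and build_sample are the example's own names.

```python
# Added example (not the thesis's or Volatility's code): walk the chain the text
# describes over a constructed 32-bit image where virtual address == file offset.
# Only the 0xb8 ActiveProcessLinks offset comes from the text; all other offsets,
# sizes, process names and DLL paths below are toy values for this example.
import struct

PTR = 4                      # 32-bit little-endian pointers
OFF_ACTIVE_LINKS = 0xb8      # _EPROCESS.ActiveProcessLinks (from the text)
OFF_PEB = 0xc0               # toy: _EPROCESS.Peb; ImageFileName assumed at offset 0
OFF_LDR = 0x0c               # toy: _PEB.Ldr
OFF_INLOAD_HEAD = 0x0c       # toy: _PEB_LDR_DATA.InLoadOrderModuleList
OFF_DLLBASE = 0x18           # toy: _LDR_DATA_TABLE_ENTRY.DllBase
OFF_FULLNAME = 0x24          # toy: _LDR_DATA_TABLE_ENTRY.FullDllName
SZ_EPROCESS, SZ_PEB, SZ_LDR, SZ_ENTRY = 0x100, 0x20, 0x20, 0x40

def u32(img, addr):
    return struct.unpack_from("<I", img, addr)[0]

def read_unicode_string(img, addr):
    # UNICODE_STRING: USHORT Length, USHORT MaximumLength, PVOID Buffer
    length, _maxlen, buf = struct.unpack_from("<HHI", img, addr)
    return bytes(img[buf:buf + length]).decode("utf-16-le")

def walk_list(img, head, link_offset):
    # Yield node bases of a circular LIST_ENTRY ring (CONTAINING_RECORD: link - offset)
    seen, flink = set(), u32(img, head)
    while flink != head:
        if flink in seen or flink + 2 * PTR > len(img):   # unlinked/corrupted entry
            raise ValueError("corrupted or cyclic list at 0x%x" % flink)
        seen.add(flink)
        yield flink - link_offset
        flink = u32(img, flink)

def modules_of_process(img, eproc):
    # [(DllBase, FullDllName), ...] taken from the process's InLoadOrderModuleList
    peb = u32(img, eproc + OFF_PEB)
    if peb == 0:             # kernel-only processes carry no PEB
        return []
    head = u32(img, peb + OFF_LDR) + OFF_INLOAD_HEAD
    return [(u32(img, e + OFF_DLLBASE), read_unicode_string(img, e + OFF_FULLNAME))
            for e in walk_list(img, head, 0)]   # InLoadOrderLinks sits at offset 0

def ldrmodules(img, process_list_head):
    # Map image name -> module list for every process on the active-process list
    return {bytes(img[ep:ep + 16]).rstrip(b"\0").decode(): modules_of_process(img, ep)
            for ep in walk_list(img, process_list_head, OFF_ACTIVE_LINKS)}

def safe_ldrmodules(img, head):
    # (result, None) on success, (None, message) when the snapshot is corrupted
    try:
        return ldrmodules(img, head), None
    except ValueError as exc:
        return None, str(exc)

class ToyImage:              # bump allocator over a flat bytearray "snapshot"
    def __init__(self, size=0x2000):
        self.buf, self.next = bytearray(size), 0x10   # leave address 0 unused
    def alloc(self, size):
        addr, self.next = self.next, self.next + size
        return addr
    def put_wstr(self, text):                         # UTF-16LE buffer, NUL-terminated
        data = text.encode("utf-16-le")
        addr = self.alloc(len(data) + 2)
        self.buf[addr:addr + len(data)] = data
        return addr, len(data)

def link_ring(buf, head, link_addrs):
    # Write Flink/Blink so head plus link_addrs form a circular doubly linked list
    ring = [head] + link_addrs
    for i, addr in enumerate(ring):
        struct.pack_into("<II", buf, addr, ring[(i + 1) % len(ring)], ring[i - 1])

def build_sample():
    # Constructed: three processes; "System" has no PEB, the others load toy DLL paths
    mem = ToyImage()
    ps_head = mem.alloc(2 * PTR)
    procs = {"explorer.exe": ["\\Windows\\System32\\ntdll.dll", "\\Windows\\System32\\umpo.dll"],
             "System": None,
             "sample.exe": ["\\Windows\\System32\\ntdll.dll"]}
    links = []
    for name, dlls in procs.items():
        ep = mem.alloc(SZ_EPROCESS)
        mem.buf[ep:ep + len(name)] = name.encode()
        links.append(ep + OFF_ACTIVE_LINKS)
        if dlls is None:
            continue
        peb, ldr = mem.alloc(SZ_PEB), mem.alloc(SZ_LDR)
        struct.pack_into("<I", mem.buf, ep + OFF_PEB, peb)
        struct.pack_into("<I", mem.buf, peb + OFF_LDR, ldr)
        entries = []
        for i, path in enumerate(dlls):
            entry = mem.alloc(SZ_ENTRY)
            buf, length = mem.put_wstr(path)
            struct.pack_into("<I", mem.buf, entry + OFF_DLLBASE, 0x77000000 + i * 0x10000)
            struct.pack_into("<HHI", mem.buf, entry + OFF_FULLNAME, length, length + 2, buf)
            entries.append(entry)
        link_ring(mem.buf, ldr + OFF_INLOAD_HEAD, entries)
    link_ring(mem.buf, ps_head, links)
    return mem.buf, ps_head

if __name__ == "__main__":
    print(ldrmodules(*build_sample()))
```

Two points matter in practice. The visited set and bounds check in walk_list are what keep a snapshot taken from a compromised VM from sending the walk into a loop or out of the image when a list entry is corrupted. And because this walk reports only what the PEB's own list records, a module whose entry has been unlinked from that list will not appear at all, which is why the real ldrmodules plugin also cross-checks the PEB lists against the process's VAD mappings rather than trusting a single list.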
