Written by alicangonullu on 2022-08-05 15:29:27. Estimated reading time: 26 minutes, 8 seconds. Viewed 394 times.
Hello friends,
In this post we will perform malware analysis on a memory image together using Volatility 2.6. I hope you all enjoy the read.
Volatility is a memory forensics tool. From the memory images you acquire, you can learn a great deal about your computer. In this post we will both gather information about the computer and investigate a machine infected with malware. I will do my analysis on Windows; you can use whichever system you prefer.
Requirements
First, the list of plugins that ship with Volatility 2.6 is as follows:
banners.Banners,
configwriter.ConfigWriter,
frameworkinfo.FrameworkInfo,
isfinfo.IsfInfo,
layerwriter.LayerWriter,
linux.bash.Bash,
linux.check_afinfo.Check_afinfo,
linux.check_creds.Check_creds,
linux.check_idt.Check_idt,
linux.check_modules.Check_modules,
linux.check_syscall.Check_syscall,
linux.elfs.Elfs,
linux.keyboard_notifiers.Keyboard_notifiers,
linux.kmsg.Kmsg,
linux.lsmod.Lsmod,
linux.lsof.Lsof,
linux.malfind.Malfind,
linux.mountinfo.MountInfo,
linux.proc.Maps,
linux.psaux.PsAux,
linux.pslist.PsList,
linux.pstree.PsTree,
linux.tty_check.tty_check,
mac.bash.Bash,
mac.check_syscall.Check_syscall,
mac.check_sysctl.Check_sysctl,
mac.check_trap_table.Check_trap_table,
mac.ifconfig.Ifconfig,
mac.kauth_listeners.Kauth_listeners,
mac.kauth_scopes.Kauth_scopes,
mac.kevents.Kevents,
mac.list_files.List_Files,
mac.lsmod.Lsmod,
mac.lsof.Lsof,
mac.malfind.Malfind,
mac.mount.Mount,
mac.netstat.Netstat,
mac.proc_maps.Maps,
mac.psaux.Psaux,
mac.pslist.PsList,
mac.pstree.PsTree,
mac.socket_filters.Socket_filters,
mac.timers.Timers,
mac.trustedbsd.Trustedbsd,
mac.vfsevents.VFSevents,
timeliner.Timeliner,
windows.bigpools.BigPools,
windows.cachedump.Cachedump,
windows.callbacks.Callbacks,
windows.cmdline.CmdLine,
windows.crashinfo.Crashinfo,
windows.devicetree.DeviceTree,
windows.dlllist.DllList,
windows.driverirp.DriverIrp,
windows.driverscan.DriverScan,
windows.dumpfiles.DumpFiles,
windows.envars.Envars,
windows.filescan.FileScan,
windows.getservicesids.GetServiceSIDs,
windows.getsids.GetSIDs,
windows.handles.Handles,
windows.hashdump.Hashdump,
windows.org.Info,
windows.ldrmodules.LdrModules,
windows.lsadump.Lsadump,
windows.malfind.Malfind,
windows.mbrscan.MBRScan,
windows.memmap.Memmap,
windows.mftscan.MFTScan,
windows.modscan.ModScan,
windows.modules.Modules,
windows.mutantscan.MutantScan,
windows.netscan.NetScan,
windows.netstat.NetStat,
windows.poolscanner.PoolScanner,
windows.privileges.Privs,
windows.pslist.PsList,
windows.psscan.PsScan,
windows.pstree.PsTree,
windows.registry.certificates.Certificates,
windows.registry.hivelist.HiveList,
windows.registry.hivescan.HiveScan,
windows.registry.printkey.PrintKey,
windows.registry.userassist.UserAssist,
windows.sessions.Sessions,
windows.skeleton_key_check.Skeleton_Key_Check,
windows.ssdt.SSDT,
windows.statistics.Statistics,
windows.strings.Strings,
windows.svcscan.SvcScan,
windows.symlinkscan.SymlinkScan,
windows.vadinfo.VadInfo,
windows.vadyarascan.VadYaraScan,
windows.verinfo.VerInfo,
windows.virtmap.VirtMap,
yarascan.YaraScan
NOTE: sometimes you may need to convert the VMEM file to raw format. You can use the following command:
volatility -f stuxnet.vmem -O stuxnet.raw --profile=WinXPSP3x86 raw2dmp
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86 - A Profile for Windows 10 x86
Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
After downloading all of these, we first open CMD, change to the directory containing stuxnet.vmem and volatility, and gather information from our memory image with this command:
volatility -f stuxnet.vmem imageinfo
The contents of our output will be as follows:
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (C:\Users\Ali Can Gönüllü\Desktop\malware_scanner\ramimage\stuxnet.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80545ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2011-06-03 04:31:36 UTC+0000
Image local date and time : 2011-06-03 00:31:36 -0400
From here we obtain detailed information about our machine. As far as can be told, our machine was running 32-bit Windows XP SP2/SP3 in 2010. This information matters to us because it contains all the rough facts about the machine.
Now I want the list of programs that were running at the moment this memory image was taken. For this we use the following command (the output below is in pslist format, so that is the plugin to run):
volatility -f stuxnet.vmem pslist
The output of this command is as follows:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System 4 0 59 403 ------ 0
0x820df020 smss.exe 376 4 3 19 ------ 0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe 600 376 11 395 0 0 2010-10-29 17:08:54 UTC+0000
0x81da5650 winlogon.exe 624 376 19 570 0 0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe 668 624 21 431 0 0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe 680 624 19 342 0 0 2010-10-29 17:08:54 UTC+0000
0x823315d8 vmacthlp.exe 844 668 1 25 0 0 2010-10-29 17:08:55 UTC+0000
0x81db8da0 svchost.exe 856 668 17 193 0 0 2010-10-29 17:08:55 UTC+0000
0x81e61da0 svchost.exe 940 668 13 312 0 0 2010-10-29 17:08:55 UTC+0000
0x822843e8 svchost.exe 1032 668 61 1169 0 0 2010-10-29 17:08:55 UTC+0000
0x81e18b28 svchost.exe 1080 668 5 80 0 0 2010-10-29 17:08:55 UTC+0000
0x81ff7020 svchost.exe 1200 668 14 197 0 0 2010-10-29 17:08:55 UTC+0000
0x81fee8b0 spoolsv.exe 1412 668 10 118 0 0 2010-10-29 17:08:56 UTC+0000
0x81e0eda0 jqs.exe 1580 668 5 148 0 0 2010-10-29 17:09:05 UTC+0000
0x81fe52d0 vmtoolsd.exe 1664 668 5 284 0 0 2010-10-29 17:09:05 UTC+0000
0x821a0568 VMUpgradeHelper 1816 668 3 96 0 0 2010-10-29 17:09:08 UTC+0000
0x8205ada0 alg.exe 188 668 6 107 0 0 2010-10-29 17:09:09 UTC+0000
0x820ec7e8 explorer.exe 1196 1728 16 582 0 0 2010-10-29 17:11:49 UTC+0000
0x820ecc10 wscntfy.exe 2040 1032 1 28 0 0 2010-10-29 17:11:49 UTC+0000
0x81e86978 TSVNCache.exe 324 1196 7 54 0 0 2010-10-29 17:11:49 UTC+0000
0x81fc5da0 VMwareTray.exe 1912 1196 1 50 0 0 2010-10-29 17:11:50 UTC+0000
0x81e6b660 VMwareUser.exe 1356 1196 9 251 0 0 2010-10-29 17:11:50 UTC+0000
0x8210d478 jusched.exe 1712 1196 1 26 0 0 2010-10-29 17:11:50 UTC+0000
0x82279998 imapi.exe 756 668 4 116 0 0 2010-10-29 17:11:54 UTC+0000
0x822b9a10 wuauclt.exe 976 1032 3 133 0 0 2010-10-29 17:12:03 UTC+0000
0x81c543a0 Procmon.exe 660 1196 13 189 0 0 2011-06-03 04:25:56 UTC+0000
0x81fa5390 wmiprvse.exe 1872 856 5 134 0 0 2011-06-03 04:25:58 UTC+0000
0x81c498c8 lsass.exe 868 668 2 23 0 0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe 1928 668 4 65 0 0 2011-06-03 04:26:55 UTC+0000
0x81c0cda0 cmd.exe 968 1664 0 -------- 0 0 2011-06-03 04:31:35 UTC+0000 2011-06-03 04:31:36 UTC+0000
0x81f14938 ipconfig.exe 304 968 0 -------- 0 0 2011-06-03 04:31:35 UTC+0000 2011-06-03 04:31:36 UTC+0000
As we can see here, lsass.exe is running alongside svchost.exe and winlogon.exe. This is suspicious, because lsass.exe stands for Local Security Authority Subsystem Service, and this service is using almost 100% of the CPU. It is also one of the most commonly infected paths on Windows XP systems. However, svchost.exe is also using a suspiciously large amount of resources.
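The parent-child check behind the lsass.exe observation above, written out as a stand-alone script. This is an added example, not code from the original post or from the Volatility project; the expected-parent table and the singleton list are assumptions based on normal Windows XP process genealogy, and the sample rows are a subset copied from the pslist output above.

```python
"""Process-genealogy check over Volatility 2.6 pslist output.

Added example, not code from the original post.  It automates the eye-ball
check the post makes on its pslist listing: on Windows XP, lsass.exe and
services.exe are children of winlogon.exe and there is exactly one of each,
while every svchost.exe is a child of services.exe.  EXPECTED_PARENT and
SINGLETONS are assumptions drawn from normal XP process genealogy.
"""
import re
from collections import Counter, namedtuple

Process = namedtuple("Process", "offset name pid ppid threads handles start")
Finding = namedtuple("Finding", "kind pid detail")

# One pslist row: offset, name, PID, PPID, Thds, Hnds, Sess, Wow64, then the
# optional Start timestamp.  Hnds shows as dashes for exited processes.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?"
)

# Normal Windows XP parentage (assumption, see module docstring).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
}
# Processes of which a single-session XP box runs exactly one instance.
SINGLETONS = ("smss.exe", "services.exe", "lsass.exe")

# Constructed sample: a subset of the rows from the post's pslist listing.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               600    376     11      395      0      0 2010-10-29 17:08:54 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x81db8da0 svchost.exe             856    668     17      193      0      0 2010-10-29 17:08:55 UTC+0000
0x820ec7e8 explorer.exe           1196   1728     16      582      0      0 2010-10-29 17:11:49 UTC+0000
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
0x81c0cda0 cmd.exe                 968   1664      0 --------      0      0 2011-06-03 04:31:35 UTC+0000 2011-06-03 04:31:36 UTC+0000
"""


def parse_pslist(text):
    """Return {pid: Process} for every data row in a pslist listing."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        hnds = m.group("hnds")
        procs[int(m.group("pid"))] = Process(
            offset=int(m.group("offset"), 16),
            name=m.group("name"),
            pid=int(m.group("pid")),
            ppid=int(m.group("ppid")),
            threads=int(m.group("thds")),
            handles=None if hnds.startswith("-") else int(hnds),
            start=m.group("start"),
        )
    return procs


def find_anomalies(procs):
    """Flag duplicate singletons and core processes with an unexpected parent."""
    findings = []
    counts = Counter(p.name for p in procs.values())
    for name in SINGLETONS:
        if counts[name] > 1:
            findings.append(Finding("duplicate", None,
                                    f"{counts[name]} instances of {name}, expected 1"))
    for p in sorted(procs.values(), key=lambda q: q.pid):
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue  # no parentage rule for this image name
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else f"<no process with pid {p.ppid}>"
        if parent_name not in expected:
            findings.append(Finding("parent", p.pid,
                                    f"{p.name} pid {p.pid} spawned by {parent_name} "
                                    f"(pid {p.ppid}); expected {sorted(expected)}"))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_pslist(PSLIST_SAMPLE)):
        print(f"[{f.kind}] {f.detail}")
```

On the sample rows the script reports three instances of lsass.exe and flags PIDs 868 and 1928 as spawned by services.exe, while the legitimate lsass.exe (PID 680, child of winlogon.exe) passes.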
However, this alone does not mean it is a virus. We need to investigate in more detail. For this I want to use the cmdscan, connscan, yarascan, svcscan and mutantscan commands. I will start with cmdscan.
volatility -f stuxnet.vmem cmdscan
There is no output, meaning no command was executed through cmd.
Next, with connscan we examine the IP addresses it connected to.
volatility -f stuxnet.vmem connscan
Our output is as follows:
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
Here we see no data transfer with any IP address. In short, we can say our virus is not connected online.
With svcscan we look at the services running in the background.
volatility -f stuxnet.vmem svcscan
Our output is as follows:
Removed due to the character limit.
Full logs: https://alicangonullu.com/goruntu/440
After this I want to check the system with the mutantscan command. You can check it with this command:
volatility -f stuxnet.vmem mutantscan
Our output will be as follows:
Offset(P) #Ptr #Hnd Signal Thread CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x0000000001de06e0 1 1 1 0x00000000
0x0000000001de76c0 1 1 1 0x00000000
0x0000000001df95a0 1 1 1 0x00000000
0x0000000001e0fc38 1 1 1 0x00000000
0x0000000001e3ef10 1 1 1 0x00000000
0x0000000001e3f9e0 1 1 1 0x00000000
0x0000000001e43388 1 1 1 0x00000000
0x0000000001e4dbe0 2 1 1 0x00000000 _!SHMSFTHISTORY!_
0x0000000001e62ef0 1 1 1 0x00000000
0x0000000001e685d8 1 1 1 0x00000000
0x0000000001e6cdb8 1 1 1 0x00000000
0x0000000001e6fe60 1 1 1 0x00000000
0x0000000001e8ab88 3 2 1 0x00000000 c:!documents and settings!administrator!cookies!
0x0000000001e8d608 3 2 1 0x00000000 c:!documents and settings!administrator!local settings!history!history.ie5!
0x0000000001e8d788 1 1 1 0x00000000
0x0000000001e9a030 2 1 1 0x00000000 PerfOS_Perf_Library_Lock_PID_62c
0x0000000001e9a178 1 1 1 0x00000000
0x0000000001e9a540 2 1 1 0x00000000 WmiApRpl_Perf_Library_Lock_PID_62c
0x0000000001e9a6a8 2 1 1 0x00000000 Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_62c
0x0000000001e9a6f8 2 1 1 0x00000000 TermService_Perf_Library_Lock_PID_62c
0x0000000001e9a860 2 1 1 0x00000000 Tcpip_Perf_Library_Lock_PID_62c
0x0000000001e9a9c8 2 1 1 0x00000000 TapiSrv_Perf_Library_Lock_PID_62c
0x0000000001e9ab30 2 1 1 0x00000000 Spooler_Perf_Library_Lock_PID_62c
0x0000000001e9ab80 2 1 1 0x00000000 SMSvcHost 4.0.0.0_Perf_Library_Lock_PID_62c
0x0000000001e9abd0 2 1 1 0x00000000 ServiceModelService 4.0.0.0_Perf_Library_Lock_PID_62c
0x0000000001e9ac20 2 1 1 0x00000000 ServiceModelOperation 4.0.0.0_Perf_Library_Lock_PID_62c
0x0000000001e9ac70 2 1 1 0x00000000 ServiceModelEndpoint 4.0.0.0_Perf_Library_Lock_PID_62c
0x0000000001e9acc0 2 1 1 0x00000000 RSVP_Perf_Library_Lock_PID_62c
0x0000000001e9ad10 2 1 1 0x00000000 RemoteAccess_Perf_Library_Lock_PID_62c
0x0000000001e9ad60 2 1 1 0x00000000 PSched_Perf_Library_Lock_PID_62c
0x0000000001e9aec8 2 1 1 0x00000000 PerfProc_Perf_Library_Lock_PID_62c
0x0000000001e9c088 3 2 1 0x00000000 WindowsUpdateTracingMutex
0x0000000001e9c740 1 1 1 0x00000000
0x0000000001eb8f40 4 3 1 0x00000000 _!MSFTHISTORY!_
0x0000000001f9eda0 1 1 1 0x00000000
0x0000000001fa1cf8 1 1 1 0x00000000
0x0000000001fa3a38 1 1 1 0x00000000
0x0000000001fa52b8 1 1 1 0x00000000
0x0000000001fab2e0 1 1 1 0x00000000
0x0000000001facde8 1 1 1 0x00000000
0x0000000001face58 1 1 1 0x00000000
0x0000000001fae158 1 1 1 0x00000000
0x0000000001fb23c8 10 9 1 0x00000000 ShimCacheMutex
0x0000000001fb8298 2 1 1 0x00000000 .NET Data Provider for Oracle_Perf_Library_Lock_PID_680
0x0000000001fbbfe0 2 1 1 0x00000000 ContentFilter_Perf_Library_Lock_PID_680
0x0000000001fbc3b0 1 1 1 0x00000000
0x0000000001fbc5f8 1 1 1 0x00000000
0x0000000001fbc840 1 1 1 0x00000000
0x0000000001fbd8a8 1 1 1 0x00000000
0x0000000001fbdea8 3 2 1 0x00000000 TpVcW32ListMutex
0x0000000001fbfae0 1 1 1 0x00000000
0x0000000001fc1988 2 1 1 0x00000000 c:!documents and settings!localservice!local settings!history!history.ie5!
0x0000000001fc1ea8 1 1 1 0x00000000
0x0000000001fc50b8 2 1 1 0x00000000 userenv: user policy mutex
0x0000000001fc60f8 1 1 1 0x00000000
0x0000000001fc6b48 1 1 1 0x00000000
0x0000000001fc7758 1 1 1 0x00000000
0x0000000001fd4d98 4 3 1 0x00000000 RasPbFile
0x0000000001fd6ce0 2 1 1 0x00000000 SingleSesMutex
0x0000000001fdb258 1 1 1 0x00000000
0x0000000001fe50f8 1 1 1 0x00000000
0x0000000001fe61b0 2 1 1 0x00000000 PerfNet_Perf_Library_Lock_PID_62c
0x0000000001fe6318 2 1 1 0x00000000 PerfDisk_Perf_Library_Lock_PID_62c
0x0000000001fe6480 2 1 1 0x00000000 MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_62c
0x0000000001fe64d0 2 1 1 0x00000000 MSDTC_Perf_Library_Lock_PID_62c
0x0000000001fe6638 2 1 1 0x00000000 ISAPISearch_Perf_Library_Lock_PID_62c
0x0000000001fe6688 2 1 1 0x00000000 ContentIndex_Perf_Library_Lock_PID_62c
0x0000000001fe66d8 2 1 1 0x00000000 ContentFilter_Perf_Library_Lock_PID_62c
0x0000000001fe6728 2 1 1 0x00000000 aspnet_state_Perf_Library_Lock_PID_62c
0x0000000001fe6778 2 1 1 0x00000000 ASP.NET_4.0.30319_Perf_Library_Lock_PID_62c
0x0000000001fe67c8 2 1 1 0x00000000 ASP.NET_2.0.50727_Perf_Library_Lock_PID_62c
0x0000000001fe6c68 2 1 1 0x00000000 ASP.NET_Perf_Library_Lock_PID_62c
0x0000000001fe6dd0 2 1 1 0x00000000 .NETFramework_Perf_Library_Lock_PID_62c
0x0000000001fe6e20 2 1 1 0x00000000 .NET Memory Cache 4.0_Perf_Library_Lock_PID_62c
0x0000000001fe6e70 2 1 1 0x00000000 .NET Data Provider for SqlServer_Perf_Library_Lock_PID_62c
0x0000000001fe6ec0 2 1 1 0x00000000 .NET Data Provider for Oracle_Perf_Library_Lock_PID_62c
0x0000000001fe6f10 2 1 1 0x00000000 .NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_62c
0x0000000001fe6f60 2 1 1 0x00000000 .NET CLR Networking_Perf_Library_Lock_PID_62c
0x0000000001fe6fb0 2 1 1 0x00000000 .NET CLR Data_Perf_Library_Lock_PID_62c
0x00000000020081a0 1 1 1 0x00000000
0x0000000002009c10 1 1 1 0x00000000
0x0000000002019390 3 2 1 0x00000000 ZonesCounterMutex
0x000000000205c2d0 1 1 1 0x00000000
0x000000000205e170 2 1 1 0x00000000 746bbf3569adEncrypt
0x000000000205e6c8 1 1 1 0x00000000
0x000000000205eae0 2 1 0 0x81fd8020 1032:1948 Instance0: ESENT Performance Data Schema Version 40
0x00000000020691d8 3 2 1 0x00000000 WininetStartupMutex
0x000000000206c8e8 2 1 1 0x00000000 VMwareGuestCopyPasteMutex
0x000000000206e148 1 1 1 0x00000000
0x000000000206e280 1 1 1 0x00000000
0x000000000206fc00 1 1 1 0x00000000
0x00000000020711e8 1 1 1 0x00000000
0x000000000207e7f0 2 1 1 0x00000000 c:!documents and settings!localservice!cookies!
0x0000000002082700 1 1 1 0x00000000
0x0000000002082740 1 1 1 0x00000000
0x0000000002088120 1 1 1 0x00000000
0x0000000002089258 1 1 1 0x00000000
0x000000000208ba80 1 1 1 0x00000000
0x0000000002094500 1 1 1 0x00000000
0x0000000002094588 2 1 1 0x00000000 Tcpip_Perf_Library_Lock_PID_680
0x0000000002098a58 1 1 1 0x00000000
0x000000000209d540 1 1 1 0x00000000
0x00000000020a03d8 1 1 1 0x00000000
0x00000000020a0cd0 2 1 1 0x00000000 PerfDisk_Perf_Library_Lock_PID_680
0x00000000020a5c18 2 1 1 0x00000000 aspnet_state_Perf_Library_Lock_PID_680
0x00000000020a6628 1 1 1 0x00000000
0x00000000020a7128 1 1 1 0x00000000
0x00000000020a9340 1 1 1 0x00000000
0x00000000020acdf0 2 1 1 0x00000000 TapiSrv_Perf_Library_Lock_PID_680
0x00000000020ae8d8 1 1 1 0x00000000
0x00000000020b2e60 1 1 1 0x00000000
0x00000000020b2ec8 1 1 1 0x00000000
0x00000000020b35d8 2 1 1 0x00000000 WPA_LICSTORE_MUTEX
0x00000000020b3628 2 1 1 0x00000000 WPA_HWID_MUTEX
0x00000000020b45f8 1 1 1 0x00000000
0x00000000020bcfe0 1 1 1 0x00000000
0x00000000020d4200 3 2 1 0x00000000 c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
0x00000000020d9610 1 1 1 0x00000000
0x00000000020d9d68 1 1 1 0x00000000
0x00000000020da8d8 1 1 1 0x00000000
0x00000000020dd738 1 1 1 0x00000000
0x00000000020dee50 1 1 1 0x00000000
0x00000000020e0d68 1 1 1 0x00000000
0x00000000020e3980 14 13 1 0x00000000 SHIMLIB_LOG_MUTEX
0x00000000020e9ca0 2 1 1 0x00000000 {A3BD3259-3E4F-428a-84C8-F0463A9D3EB5}
0x00000000020eba00 1 1 1 0x00000000
0x00000000020ebac8 1 1 1 0x00000000
0x00000000020f0560 2 1 1 0x00000000 _SHuassist.mtx
0x00000000020f0960 2 1 1 0x00000000 SMSvcHost 4.0.0.0_Perf_Library_Lock_PID_680
0x00000000020f10e8 1 1 1 0x00000000
0x00000000020f15a0 1 1 1 0x00000000
0x00000000020f18f0 1 1 1 0x00000000
0x00000000020f4020 1 1 1 0x00000000
0x00000000020f7268 1 1 1 0x00000000
0x0000000002108bb0 2 1 0 0x81fc0020 668:568 PrefetchFileCacheOwner
0x000000000210c130 1 1 1 0x00000000
0x0000000002112558 1 1 1 0x00000000
0x000000000211e810 1 1 1 0x00000000
0x00000000021277f8 1 1 1 0x00000000
0x000000000213fab0 1 1 1 0x00000000
0x0000000002163b78 1 1 1 0x00000000
0x0000000002164390 1 1 1 0x00000000
0x00000000021703a8 1 1 1 0x00000000
0x0000000002176020 1 1 1 0x00000000
0x0000000002178ea8 2 1 1 0x00000000 Spooler_Perf_Library_Lock_PID_01F
0x000000000217e138 2 1 1 0x00000000 HGFSMUTEX00000000000003e7
0x00000000021869a0 1 1 1 0x00000000
0x000000000218ba28 1 1 1 0x00000000
0x000000000218ce08 1 1 1 0x00000000
0x000000000218ce48 1 1 1 0x00000000
0x0000000002190490 1 1 1 0x00000000
0x000000000219cc00 1 1 1 0x00000000
0x000000000219d2b0 1 1 1 0x00000000
0x00000000021a2ba8 1 1 1 0x00000000
0x00000000021bee20 1 1 1 0x00000000
0x00000000021c3c80 2 1 1 0x00000000 .NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_680
0x00000000021c3cd8 4 3 1 0x00000000 {5EC171BB-F130-4a19-B782-B6E655E091B2}
0x00000000021c6dd0 1 1 1 0x00000000
0x00000000021cb830 1 1 1 0x00000000
0x00000000021cba08 1 1 1 0x00000000
0x00000000021d2fe0 1 1 1 0x00000000
0x00000000021d4940 3 2 1 0x00000000 MidiMapper_Configure
0x00000000021e6d70 3 2 1 0x00000000 SRDataStore
0x00000000021e9f70 2 1 1 0x00000000 __PDH_PLA_MUTEX__
0x00000000021f0498 2 1 1 0x00000000 0CADFD67AF62496dB34264F000F5624A
0x00000000021f1638 1 1 1 0x00000000
0x0000000002258208 2 1 1 0x00000000 WPA_PR_MUTEX
0x0000000002258448 2 1 1 0x00000000 TSVNCacheMutex-0000000000029b4c
0x0000000002258f48 2 1 1 0x00000000 msgina: InteractiveLogonMutex
0x000000000225b990 2 1 1 0x00000000 msgina: InteractiveLogonRequestMutex
0x000000000225c020 1 1 1 0x00000000
0x000000000225c2b0 1 1 1 0x00000000
0x000000000225fa90 2 1 1 0x00000000 PnP_Init_Mutex
0x0000000002261408 2 1 1 0x00000000 ServiceModelEndpoint 4.0.0.0_Perf_Library_Lock_PID_680
0x0000000002266ef8 1 1 1 0x00000000
0x0000000002268890 1 1 1 0x00000000
0x0000000002269140 1 1 1 0x00000000
0x0000000002269d68 2 1 1 0x00000000 TermService_Perf_Library_Lock_PID_680
0x000000000226dc38 1 1 1 0x00000000
0x00000000022769d8 2 1 1 0x00000000 ThinPrint-L
0x0000000002283160 1 1 1 0x00000000
0x0000000002283ba0 1 1 1 0x00000000
0x0000000002286a18 3 2 1 0x00000000 ZonesCacheCounterMutex
0x000000000228cb48 3 2 1 0x00000000 HGFSMUTEX0000000000029b4c
0x000000000228e2b0 1 1 1 0x00000000
0x000000000228ecf0 3 2 1 0x00000000 MidiMapper_modLongMessage_RefCnt
0x000000000228fc00 2 1 1 0x00000000 238FAD3109D3473aB4764B20B3731840
0x000000000228fc50 2 1 1 0x00000000 4FCC0DEFE22C4f138FB9D5AF25FD9398
0x0000000002292ad0 2 1 1 0x00000000 MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_680
0x000000000229c138 1 1 1 0x00000000
0x000000000229ee10 2 1 1 0x00000000 .NET CLR Networking_Perf_Library_Lock_PID_680
0x00000000022a02e0 2 1 1 0x00000000 PerfOS_Perf_Library_Lock_PID_680
0x00000000022a09d8 1 1 1 0x00000000
0x00000000022a23d8 2 1 1 0x00000000 ServiceModelOperation 4.0.0.0_Perf_Library_Lock_PID_680
0x00000000022a2690 2 1 1 0x00000000 .NET Memory Cache 4.0_Perf_Library_Lock_PID_680
0x00000000022d5298 1 1 1 0x00000000
0x00000000022d93f0 1 1 1 0x00000000
0x00000000022e00e8 1 1 1 0x00000000
0x00000000022e0bd8 1 1 1 0x00000000
0x00000000022e44c8 1 1 1 0x00000000
0x00000000022e4fa8 1 1 1 0x00000000
0x00000000022ea458 1 1 1 0x00000000
0x00000000022ec568 2 1 1 0x00000000 VMwareGuestDnDDataMutex
0x00000000022ed600 1 1 1 0x00000000
0x00000000022ee148 1 1 1 0x00000000
0x00000000022ef148 1 1 1 0x00000000
0x00000000022f8ad0 1 1 1 0x00000000
0x00000000022f9db0 3 2 1 0x00000000 WininetProxyRegistryMutex
0x00000000022fc2e0 1 1 1 0x00000000
0x00000000022fc8a0 1 1 1 0x00000000
0x0000000002305be0 1 1 1 0x00000000
0x0000000002309dd0 1 1 1 0x00000000
0x0000000002309e38 1 1 1 0x00000000
0x0000000002309ea0 1 1 1 0x00000000
0x0000000002309ee8 1 1 1 0x00000000
0x000000000230ea80 1 1 1 0x00000000
0x000000000230eb08 2 1 1 0x00000000 PerfNet_Perf_Library_Lock_PID_680
0x000000000230f140 1 1 1 0x00000000
0x0000000002312e70 2 1 1 0x00000000 WininetConnectionMutex
0x0000000002314a40 1 1 1 0x00000000
0x0000000002314b70 2 1 1 0x00000000 ISAPISearch_Perf_Library_Lock_PID_680
0x00000000023157f0 2 1 1 0x00000000 RemoteAccess_Perf_Library_Lock_PID_680
0x000000000231d4f0 1 1 1 0x00000000
0x000000000232b500 1 1 1 0x00000000
0x00000000023318d0 1 1 1 0x00000000
0x0000000002337020 1 1 1 0x00000000
0x000000000235e1c8 2 1 1 0x00000000 userenv: Machine Registry policy mutex
0x000000000235ed08 1 1 1 0x00000000
0x00000000023612c0 2 1 1 0x00000000 ASP.NET_Perf_Library_Lock_PID_680
0x00000000023643f8 1 1 1 0x00000000
0x00000000023658b0 2 1 1 0x00000000 ContentIndex_Perf_Library_Lock_PID_680
0x0000000002367ca8 2 1 1 0x00000000 RSVP_Perf_Library_Lock_PID_680
0x00000000023a26d0 1 1 1 0x00000000
0x00000000023a2ac0 3 2 1 0x00000000 ZonesLockedCacheCounterMutex
0x00000000023adc30 2 1 1 0x00000000 VMToolsHookQueueLock
0x00000000023ae9a0 1 1 1 0x00000000
0x00000000023b0cf8 1 1 1 0x00000000
0x00000000023b2600 1 1 1 0x00000000
0x00000000023b75f8 2 1 0 0x81c6d180 668:476 {E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}
0x00000000023b7820 1 1 1 0x00000000
0x000000000240f300 2 1 1 0x00000000 WPA_LT_MUTEX
0x000000000240f350 2 1 1 0x00000000 WPA_RT_MUTEX
0x000000000240f608 1 1 1 0x00000000
0x0000000002415828 1 1 1 0x00000000
0x0000000002416f70 1 1 1 0x00000000
0x0000000002416fe0 1 1 1 0x00000000
0x00000000024193c0 1 1 1 0x00000000
0x000000000241ad28 1 1 1 0x00000000
0x000000000241ec70 1 1 1 0x00000000
0x000000000241ef40 2 1 1 0x00000000 .NET CLR Data_Perf_Library_Lock_PID_680
0x000000000242d248 2 1 0 0x8210d200 1712:1716 SunJavaUpdateSchedulerMutex
0x000000000242e6f8 1 1 1 0x00000000
0x0000000002430d38 1 1 1 0x00000000
0x00000000024333e8 1 1 1 0x00000000
0x0000000002433c38 1 1 1 0x00000000
0x0000000002434148 1 1 1 0x00000000
0x0000000002434960 2 1 1 0x00000000 ExplorerIsShellMutex
0x00000000024361a8 1 1 1 0x00000000
0x0000000002436a68 1 1 1 0x00000000
0x000000000244dfe0 2 1 1 0x00000000 .NET Data Provider for SqlServer_Perf_Library_Lock_PID_680
0x0000000002454e88 2 1 1 0x00000000 PerfProc_Perf_Library_Lock_PID_680
0x000000000245e600 2 1 1 0x00000000 ASP.NET_2.0.50727_Perf_Library_Lock_PID_680
0x000000000245e9b0 2 1 1 0x00000000 winlogon: Logon UserProfileMapping Mutex
0x000000000246a768 1 1 1 0x00000000
0x000000000246e460 1 1 1 0x00000000
0x0000000002473820 1 1 1 0x00000000
0x0000000002473a90 1 1 1 0x00000000
0x0000000002479d38 1 1 1 0x00000000
0x000000000247dda8 1 1 1 0x00000000
0x0000000002487618 3 2 1 0x00000000 85991EC7-5621-4A6F-9453-DC19BAE9C542
0x00000000024898d8 1 1 1 0x00000000
0x000000000248ada8 1 1 1 0x00000000
0x000000000248b2d8 1 1 1 0x00000000
0x000000000248b348 1 1 1 0x00000000
0x0000000002493e10 1 1 1 0x00000000
0x0000000002497020 1 1 1 0x00000000
0x0000000002499c90 1 1 1 0x00000000
0x000000000249c968 2 1 1 0x00000000 ASP.NET_4.0.30319_Perf_Library_Lock_PID_680
0x00000000024a60b8 2 1 1 0x00000000 userenv: User Registry policy mutex
0x00000000024c0470 1 1 1 0x00000000
0x00000000024c09c8 1 1 1 0x00000000
0x00000000024c21d8 2 1 1 0x00000000 c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
0x00000000024c2a60 2 1 0 0x821b63d0 2040:2044 wscntfy_mtx
0x00000000024c5810 2 1 1 0x00000000 userenv: machine policy mutex
0x00000000024c6b08 1 1 1 0x00000000
0x00000000024ca3c0 1 1 1 0x00000000
0x00000000024cb4d0 2 1 1 0x00000000 DBWinMutex
0x00000000024ea558 2 1 1 0x00000000 .NETFramework_Perf_Library_Lock_PID_680
0x00000000024ea880 2 1 1 0x00000000 PSched_Perf_Library_Lock_PID_680
0x00000000024eabf8 2 1 1 0x00000000 ServiceModelService 4.0.0.0_Perf_Library_Lock_PID_680
0x00000000024eb828 2 1 1 0x00000000 WmiApRpl_Perf_Library_Lock_PID_680
0x000000000250ac70 1 1 1 0x00000000
0x000000000250ef50 2 1 1 0x00000000 Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_680
0x000000000250f0f8 1 1 1 0x00000000
0x0000000002527c50 1 1 1 0x00000000
0x000000000252b718 1 1 1 0x00000000
0x000000000252b7a0 2 1 1 0x00000000 MSDTC_Perf_Library_Lock_PID_680
0x000000000252c328 1 1 1 0x00000000
0x00000000025310a0 1 1 1 0x00000000
0x0000000002583220 2 1 1 0x00000000 Spooler_Perf_Library_Lock_PID_680
There does not seem to be much of a problem here, but WE CAN NEVER KNOW WITHOUT SCANNING WITH YARA RULES.
Since I know what the vulnerability is, I will use a ready-made YARA file. If you want to find other rules, you can reach them here.
I save this rule as stuxnet.yar and start the scan with this command:
volatility -f stuxnet.vmem yarascan -y stuxnet.yar
After this command we wait a little. Once the scan finishes, if the virus is found the output looks like this:
Rule: StuxNet_Malware_1
Owner: Process services.exe Pid 668
0x01439071 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 .E.5.y..3..U....
0x01439081 4a 04 8b 45 08 c7 40 0c 58 bd 43 01 33 c0 5e c9 J..E..@.X.C.3.^.
0x01439091 c3 55 8b ec 83 ec 2c 83 65 e8 00 83 65 f4 00 83 .U....,.e...e...
0x014390a1 65 e4 00 8b 45 20 8b 4d 14 8d 84 01 98 00 00 00 e...E..M........
0x014390b1 89 45 f0 8d 45 f4 50 8d 45 e8 50 8d 45 d8 50 ff .E..E.P.E.P.E.P.
0x014390c1 75 f0 ff 75 08 e8 14 fe ff ff 83 c4 14 89 45 fc u..u..........E.
0x014390d1 83 7d fc 00 74 08 8b 45 fc e9 fd 00 00 00 8b 45 .}..t..E.......E
0x014390e1 e8 89 45 f8 8b 45 e8 05 98 00 00 00 89 45 e8 c7 ..E..E.......E..
0x014390f1 45 e4 98 00 00 00 ff 75 20 ff 75 1c 8b 45 f8 05 E......u..u..E..
0x01439101 84 00 00 00 50 8d 45 e4 50 ff 75 f4 8d 45 e8 50 ....P.E.P.u..E.P
0x01439111 e8 79 fe ff ff 83 c4 18 8b 45 e8 89 45 dc ff 75 .y.......E..E..u
0x01439121 14 ff 75 10 8b 45 f8 05 8c 00 00 00 50 8d 45 e4 ..u..E......P.E.
0x01439131 50 ff 75 f4 8d 45 e8 50 e8 51 fe ff ff 83 c4 18 P.u..E.P.Q......
0x01439141 8b 45 dc 89 45 ec 81 7d 14 00 10 00 00 72 47 8b .E..E..}.....rG.
0x01439151 45 ec 0f b7 00 3d 4d 5a 00 00 75 3a 8b 45 ec 8b E....=MZ..u:.E..
0x01439161 40 3c 05 f8 00 00 00 3b 45 14 73 2a 8b 45 ec 8b @<.....;E.s*.E..
Rule: StuxNet_Malware_1
Owner: Process services.exe Pid 668
0x01457b63 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 .E.5.y..3..U....
0x01457b73 4a 04 8b 45 08 c7 40 0c 77 25 40 00 33 c0 5e c9 J..E..@.w%@.3.^.
0x01457b83 c3 55 8b ec 83 ec 2c 83 65 e8 00 83 65 f4 00 83 .U....,.e...e...
0x01457b93 65 e4 00 8b 45 20 8b 4d 14 8d 84 01 98 00 00 00 e...E..M........
0x01457ba3 89 45 f0 8d 45 f4 50 8d 45 e8 50 8d 45 d8 50 ff .E..E.P.E.P.E.P.
0x01457bb3 75 f0 ff 75 08 e8 14 fe ff ff 83 c4 14 89 45 fc u..u..........E.
0x01457bc3 83 7d fc 00 74 08 8b 45 fc e9 fd 00 00 00 8b 45 .}..t..E.......E
0x01457bd3 e8 89 45 f8 8b 45 e8 05 98 00 00 00 89 45 e8 c7 ..E..E.......E..
0x01457be3 45 e4 98 00 00 00 ff 75 20 ff 75 1c 8b 45 f8 05 E......u..u..E..
0x01457bf3 84 00 00 00 50 8d 45 e4 50 ff 75 f4 8d 45 e8 50 ....P.E.P.u..E.P
0x01457c03 e8 79 fe ff ff 83 c4 18 8b 45 e8 89 45 dc ff 75 .y.......E..E..u
0x01457c13 14 ff 75 10 8b 45 f8 05 8c 00 00 00 50 8d 45 e4 ..u..E......P.E.
0x01457c23 50 ff 75 f4 8d 45 e8 50 e8 51 fe ff ff 83 c4 18 P.u..E.P.Q......
0x01457c33 8b 45 dc 89 45 ec 81 7d 14 00 10 00 00 72 47 8b .E..E..}.....rG.
0x01457c43 45 ec 0f b7 00 3d 4d 5a 00 00 75 3a 8b 45 ec 8b E....=MZ..u:.E..
0x01457c53 40 3c 05 f8 00 00 00 3b 45 14 73 2a 8b 45 ec 8b @<.....;E.s*.E..
Rule: Stuxnet_maindll_decrypted_unpacked
Owner: Process services.exe Pid 668
0x0144d998 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 %.S.y.s.t.e.m.R.
0x0144d9a8 6f 00 6f 00 74 00 25 00 5c 00 69 00 6e 00 66 00 o.o.t.%.\.i.n.f.
0x0144d9b8 5c 00 6f 00 65 00 6d 00 36 00 43 00 2e 00 50 00 \.o.e.m.6.C...P.
0x0144d9c8 4e 00 46 00 00 00 00 00 4d 00 52 00 78 00 4e 00 N.F.....M.R.x.N.
0x0144d9d8 65 00 74 00 00 00 00 00 4d 00 52 00 58 00 43 00 e.t.....M.R.X.C.
0x0144d9e8 4c 00 53 00 00 00 00 00 44 00 65 00 73 00 63 00 L.S.....D.e.s.c.
0x0144d9f8 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 00 00 r.i.p.t.i.o.n...
0x0144da08 44 00 69 00 73 00 70 00 6c 00 61 00 79 00 4e 00 D.i.s.p.l.a.y.N.
0x0144da18 61 00 6d 00 65 00 00 00 45 00 72 00 72 00 6f 00 a.m.e...E.r.r.o.
0x0144da28 72 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 r.C.o.n.t.r.o.l.
0x0144da38 00 00 00 00 4e 00 65 00 74 00 77 00 6f 00 72 00 ....N.e.t.w.o.r.
0x0144da48 6b 00 00 00 47 00 72 00 6f 00 75 00 70 00 00 00 k...G.r.o.u.p...
0x0144da58 53 00 74 00 61 00 72 00 74 00 00 00 54 00 79 00 S.t.a.r.t...T.y.
0x0144da68 70 00 65 00 00 00 00 00 44 00 61 00 74 00 61 00 p.e.....D.a.t.a.
0x0144da78 00 00 00 00 4d 00 52 00 58 00 4e 00 45 00 54 00 ....M.R.X.N.E.T.
0x0144da88 00 00 00 00 53 00 65 00 4c 00 6f 00 61 00 64 00 ....S.e.L.o.a.d.
Rule: Stuxnet_maindll_decrypted_unpacked
Owner: Process services.exe Pid 668
0x0145345a 40 00 61 00 62 00 66 00 20 00 76 00 61 00 72 00 @.a.b.f...v.a.r.
0x0145346a 62 00 69 00 6e 00 61 00 72 00 79 00 28 00 34 00 b.i.n.a.r.y.(.4.
0x0145347a 30 00 39 00 36 00 29 00 20 00 45 00 58 00 45 00 0.9.6.)...E.X.E.
0x0145348a 43 00 20 00 40 00 68 00 72 00 20 00 3d 00 20 00 C...@.h.r...=...
0x0145349a 73 00 70 00 5f 00 4f 00 41 00 43 00 72 00 65 00 s.p._.O.A.C.r.e.
0x014534aa 61 00 74 00 65 00 20 00 27 00 41 00 44 00 4f 00 a.t.e...'.A.D.O.
0x014534ba 44 00 42 00 2e 00 53 00 74 00 72 00 65 00 61 00 D.B...S.t.r.e.a.
0x014534ca 6d 00 27 00 2c 00 20 00 40 00 61 00 6f 00 64 00 m.'.,...@.a.o.d.
0x014534da 73 00 20 00 4f 00 55 00 54 00 20 00 49 00 46 00 s...O.U.T...I.F.
0x014534ea 20 00 40 00 68 00 72 00 20 00 3c 00 3e 00 20 00 ..@.h.r...<.>...
0x014534fa 30 00 20 00 47 00 4f 00 54 00 4f 00 20 00 65 00 0...G.O.T.O...e.
0x0145350a 6e 00 64 00 71 00 20 00 45 00 58 00 45 00 43 00 n.d.q...E.X.E.C.
0x0145351a 20 00 40 00 68 00 72 00 20 00 3d 00 20 00 73 00 ..@.h.r...=...s.
0x0145352a 70 00 5f 00 4f 00 41 00 53 00 65 00 74 00 50 00 p._.O.A.S.e.t.P.
0x0145353a 72 00 6f 00 70 00 65 00 72 00 74 00 79 00 20 00 r.o.p.e.r.t.y...
0x0145354a 40 00 61 00 6f 00 64 00 73 00 2c 00 20 00 27 00 @.a.o.d.s.,...'.
Rule: Stuxnet_maindll_decrypted_unpacked
Owner: Process services.exe Pid 668
Rule: Stuxnet_maindll_decrypted_unpacked
Owner: Process services.exe Pid 668
Rule: Stuxnet_maindll_decrypted_unpacked
Owner: Process services.exe Pid 668
Rule: Stuxnet_maindll_decrypted_unpacked
Owner: Process services.exe Pid 668
Rule: StuxNet_Malware_1
Owner: Process svchost.exe Pid 940
Rule: StuxNet_Malware_1
Owner: Process svchost.exe Pid 940
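As an added example (not part of the original post and not Volatility's own code), the following Python script parses Volatility 2.6 yarascan output of the shape shown above into hit lists keyed by rule, process and PID, which is the aggregation the conclusion about svchost.exe and services.exe rests on. The sample input is constructed: rule names and owners mirror the page, while the addresses, bytes and ASCII columns are made up.

```python
import re
from collections import defaultdict

# Line shapes in Volatility 2.6 yarascan output: a "Rule:" line, an "Owner:" line,
# then 16-byte dump rows "0xADDR hh hh ... <ascii>" until the next "Rule:" line.
RULE_RE = re.compile(r"^Rule:\s+(\S+)")
OWNER_RE = re.compile(r"^Owner:\s+Process\s+(\S+)\s+Pid\s+(\d+)")
HEX_RE = re.compile(r"^(0x[0-9a-fA-F]+)((?:\s+[0-9a-fA-F]{2}){1,16})\s")

def parse_yarascan(text):
    """Return {(rule, process, pid): [(start_addr, bytes), ...]}; the dump rows under one header form one hit."""
    hits = defaultdict(list)
    rule = proc = pid = start = None
    buf = bytearray()

    def flush():  # store the hit assembled so far, if any
        if rule is not None and start is not None:
            hits[(rule, proc, pid)].append((start, bytes(buf)))

    for line in text.splitlines():
        if m := RULE_RE.match(line):
            flush()
            rule, start, buf = m.group(1), None, bytearray()
        elif m := OWNER_RE.match(line):
            proc, pid = m.group(1), int(m.group(2))
        elif m := HEX_RE.match(line):
            if start is None:
                start = int(m.group(1), 16)  # address of the first dump row
            buf += bytes.fromhex(m.group(2).strip())
    flush()
    return dict(hits)

def summarize(hits):
    """Per (rule, process, pid): (hit count, sorted hit start addresses)."""
    return {k: (len(v), sorted(a for a, _ in v)) for k, v in hits.items()}

def infected_processes(hits):
    """Distinct (process, pid) pairs that matched any rule, ordered by pid."""
    return sorted({(p, pid) for (_, p, pid) in hits}, key=lambda t: t[1])

# Constructed sample in yarascan format (rule names and owners mirror the page;
# addresses, bytes and ASCII columns are made up).
SAMPLE = """\
Rule: StuxNet_Malware_1
Owner: Process svchost.exe Pid 940
0x00d49071 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00d49081 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
Rule: Stuxnet_maindll_decrypted_unpacked
Owner: Process services.exe Pid 668
0x01451aa0 53 00 54 00 4f 00 52 00 41 00 47 00 45 00 23 00 S.T.O.R.A.G.E.#.
Rule: StuxNet_Malware_1
Owner: Process svchost.exe Pid 940
0x00e14bd5 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
"""
```

Feeding real yarascan output in place of SAMPLE gives the same per-process summary, and the returned byte strings can be handed to further analysis (for example, checking for an MZ header as the matched code itself does).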
The moral of the story...
On this machine, using specific investigation methods, we see that the Stuxnet virus has infected svchost.exe and services.exe. At this point we must immediately shut the machine down and take the necessary actions on a network isolated from the outside.
Thank you for taking the time to read this. Don't forget to follow for more articles like this one.
Thanks to Numan Kuzu for the support.