
Debugging and Analyzing a Trojan

I'm interested in using something like OllyDbg to examine a program that potentially has Trojan-like characteristics.

Does anyone know any good tutorials on how to do this safely?

Basically the program is a "bot" for a video game, but I suspect that it has back doors and/or will upload information it gathers (such as passwords) to a remote server.

I'd like to find the URLs or IPs it attempts to connect to, prevent it from doing so, etc., so I guess this is a little more specific than the typical "cracking" of a program; I'm mostly interested in ferreting out network-based things it might be doing and either preventing them, or fooling it into thinking it was successful.

Also, I'm curious about how to snoop on encrypted network traffic. How can I determine the encryption keys and algorithms a program uses to encrypt what it sends across the network? (I ask, because I am interested in creating a 3rd party client to emulate communication with a game server, and I can't do that without knowing how to discover the keys being used)


You can use a virtual machine (such as VirtualBox) to run the "malware" safely. You can use Process Explorer to see exactly what the process does (registry/disk access, etc).

The virtual machine will also allow you to create snapshots of the OS installed within, so you can easily return everything to a known state (i.e. before running the malware) at the click of a button.

As for snooping the network, I don't know how to do that. I suppose existing network sniffing tools can be used inside the virtual machine itself, but I've never done this so I don't know what to use -- someone else will have to fill in...
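A small static triage step toward the first goal in the question (listing the hosts the program might phone home to), added here as an example and not code from any answer on the page: it pulls URL, IPv4 and hostname strings out of a binary blob so they can be blocked or sinkholed inside the VM before the sample is ever run. The sample bytes and every endpoint in them are constructed; a real sample would be read from disk inside the analysis VM the answer describes.

```python
import re
from typing import Dict, List

# Constructed sample blob imitating what a strings pass over a suspicious
# binary might surface. All names/addresses are hypothetical.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90junk\x00"
    b"http://update.example-cdn.invalid/report.php\x00"
    b"\xff\xfe10.0.0.1\x00garbage\x01"
    b"198.51.100.23:8080\x00"
    b"POST /upload HTTP/1.1\x00"
    b"999.1.1.1\x00"               # malformed address, must be rejected
    b"ws.example-game.invalid\x00"
)

URL_RE = re.compile(rb"(?:https?|ftp|wss?)://[\w.\-]+(?::\d+)?(?:/[\w./?=&%\-]*)?")
IPV4_RE = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?(?![\d.])")
HOST_RE = re.compile(rb"(?<![\w.\-])(?:[a-z0-9\-]+\.)+[a-z]{2,}(?![\w.\-])", re.I)


def valid_ipv4(addr: bytes) -> bool:
    """Reject dotted quads with an octet above 255 (regex alone allows 999)."""
    octets = addr.split(b".")
    return len(octets) == 4 and all(0 <= int(o) <= 255 for o in octets)


def extract_endpoints(blob: bytes) -> Dict[str, List[str]]:
    """Return candidate network endpoints embedded as plain strings in blob."""
    urls = [m.decode() for m in URL_RE.findall(blob)]
    ips = []
    for addr, port in IPV4_RE.findall(blob):
        if valid_ipv4(addr):
            ips.append(addr.decode() + (":" + port.decode() if port else ""))
    # Blank out URLs first so their host and path parts are not reported twice.
    remainder = URL_RE.sub(b" ", blob)
    hosts = [m.decode() for m in HOST_RE.findall(remainder)]
    return {
        "urls": sorted(set(urls)),
        "ipv4": sorted(set(ips)),
        "hosts": sorted(set(hosts)),
    }


if __name__ == "__main__":
    for kind, values in extract_endpoints(SAMPLE_BINARY).items():
        print(kind, values)
```

Strings a packer or string-obfuscation routine hides will not show up this way; those endpoints only appear at runtime, which is where the VM snapshot plus a sniffer on the guest's virtual interface comes in.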


  1. What's the name of the suspected trojan?

  2. There is an article on swiftarchitect.com which goes into the operational details of a specific trojan that allows an attacker to take control of a server remotely:

See: Server Virus under Attack

0
