Electronic Forensics Forum: Attack forensic analysis based on binary code reuse. Lin Zhiqiang (Assistant Professor), University of Texas at Dallas. Forensic analysis of attacks on memory: [slide shows a hex dump of a memory image]
Common approach (1): signatures based on data-structure field values

    struct user_account {
        0:   short int u_type;
        4:   pid_t u_pid;
        8:   char u_line[32];
        40:  char uid[4];
        44:  char user[32];
        76:  char password[128];      /* Password */
        204: char u_host[128];
        332: short int e_termination;
        334: short int e_exit;
        336: long int u_session;
        340: struct timeval u_tv;
        348: int32_t u_addr_v6[4];
    }

Klist [Rutkowska, 2003], GREPEXEC [bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS'09]

Field-value signatures: dynamic analysis recovers the program's data structures, and value characteristics are derived from the commonly used fields.

Common approach (2): signatures based on relationships between data

    struct task {
        [0]  struct thread *thread;
        [4]  struct memory *mm;
        [8]  struct signal *signal;
        [12] struct task *parent;
        [16] int magic_number;
    }

Can the values be modified easily? Is there a signature that does not depend on values? [Dolan-Gavitt et al., CCS'
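Approach (1) worked through as an added example (not code from the slides): a field-value signature for the user_account layout above, slid over a constructed memory image. The 364-byte record size, the value bounds (u_type 0..9, pid below 2^22, printable strings) and the sample image are my assumptions.

```python
import struct
from typing import Optional

# Field layout follows the slide's struct user_account offsets (0:u_type, 4:u_pid, 8:u_line[32],
# 40:uid[4], 44:user[32], 76:password[128], 204:u_host[128], 332/334:e_termination/e_exit,
# 336:u_session, 340:u_tv, 348:u_addr_v6[4]); the 364-byte record size is an assumption.
REC_FMT = "<hxxi32s4s32s128s128shhiii4i"
REC_SIZE = struct.calcsize(REC_FMT)  # 364
PID_MAX = 1 << 22                     # assumed upper bound for a plausible Linux pid

def _cstr(raw: bytes) -> Optional[str]:
    """Return the NUL-terminated prefix if it is printable ASCII, else None."""
    s = raw.split(b"\0", 1)[0]
    if any(b < 0x20 or b > 0x7E for b in s):
        return None
    return s.decode("ascii")

def match_user_account(chunk: bytes) -> Optional[dict]:
    """Field-value signature: accept only if every constrained field holds a plausible value."""
    if len(chunk) < REC_SIZE:
        return None
    f = struct.unpack(REC_FMT, chunk[:REC_SIZE])
    u_type, u_pid, u_line, _uid, user, _pw, u_host = f[:7]
    tv_sec = f[10]
    if not 0 <= u_type <= 9 or not 0 < u_pid < PID_MAX or tv_sec <= 0:
        return None
    line, name, host = _cstr(u_line), _cstr(user), _cstr(u_host)
    if not line or not name or host is None:   # line/user non-empty; host may be empty
        return None
    return {"type": u_type, "pid": u_pid, "line": line, "user": name, "host": host, "time": tv_sec}

def scan_image(image: bytes, step: int = 4):
    """Slide the signature over the image at step-byte alignment; return (offset, record) hits."""
    hits = []
    for off in range(0, len(image) - REC_SIZE + 1, step):
        rec = match_user_account(image[off:off + REC_SIZE])
        if rec is not None:
            hits.append((off, rec))
    return hits

def make_record(u_type, pid, line, user, host, tv_sec) -> bytes:
    """Pack one record for the constructed test image (unconstrained fields left zero)."""
    return struct.pack(REC_FMT, u_type, pid, line, b"", user, b"", host, 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed memory image: filler, one genuine login record, 0xff filler, one record whose
# u_type was clobbered (out of range, so the signature must reject it), then more filler.
IMAGE = (
    bytes(range(256)) * 2
    + make_record(7, 4242, b"pts/1", b"alice", b"10.0.0.5", 1700000000)
    + b"\xff" * 100
    + make_record(0x4141, 4243, b"pts/2", b"bob", b"", 1700000100)
    + bytes(range(256))
)

if __name__ == "__main__":
    for off, rec in scan_image(IMAGE):
        print(f"0x{off:08x}: {rec}")
```

The scan reports only the record at offset 512; every filler window and the clobbered record fail at least one field constraint, which is exactly the weakness approach (2) addresses when an attacker can rewrite the values a signature relies on.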