Wambita/defuse
GitHub: Wambita/defuse
A Linux malware analysis and removal tool written in Go. It runs inside an isolated container and covers the whole workflow, from process termination and persistence removal to network blocking, while keeping forensic records.
# Defuse - Malware Analysis and Removal Tool (Linux Edition)
## Project Overview
This project demonstrates professional malware analysis and mitigation techniques implemented in Go and run inside an isolated Linux container. The tool performs comprehensive malware detection, persistence removal and system cleanup while keeping detailed forensic records.
## Table of Contents
1. [Program Explanation](#program-explanation)
2. [Analysis Walkthrough](#analysis-walkthrough)
3. [Remediation Recommendations](#remediation-recommendations)
4. [Malware Mitigation Report Email](#malware-mitigation-report-email)
5. [Ethical Hacking Report](#ethical-hacking-report)
6. [Installation & Usage](#installation--usage)
7. [Technical Architecture](#technical-architecture)
## Program Explanation
### Overview
The malware removal tool is written in Go and consists of four main modules that work together:
```
MalwareRemover
├── Process Killer // Terminates malware processes
├── Persistence Scanner // Finds and removes persistence mechanisms
├── File Cleaner // Deletes malware artifacts
└── Network Monitor // Extracts attacker IP and blocks C2
```
### Module Details
#### 1. Process Killer (`internal/process/`)
**Functions:**
- Scans the `/proc` filesystem for running processes
- Matches the target malware name
- Performs graceful termination (SIGTERM), followed by forced termination (SIGKILL) if needed
- Verifies that the process has terminated
**Key code:**
```
import (
	"syscall"
	"time"
)

// processExists is assumed here (the page calls it but does not show it): signal 0
// probes the PID without delivering anything; EPERM means it exists but is not ours.
func processExists(pid int) bool {
	err := syscall.Kill(pid, 0)
	return err == nil || err == syscall.EPERM
}

// Kill sends SIGTERM, then escalates to SIGKILL if the process is still present.
func Kill(pid int) error {
	// Try SIGTERM first; ESRCH means the process is already gone, which is not a failure.
	if err := syscall.Kill(pid, syscall.SIGTERM); err != nil && err != syscall.ESRCH {
		return err
	}
	time.Sleep(100 * time.Millisecond)
	// If still running, use SIGKILL
	if processExists(pid) {
		return syscall.Kill(pid, syscall.SIGKILL)
	}
	return nil
}
```
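An added example of the `/proc` scan that the first two bullets describe (not the project's own code; the function name and the `procRoot` parameter are this example's, and `/proc` is taken as a parameter so a constructed tree can be scanned offline):

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// FindProcessesByName walks a /proc-style tree (procRoot is a parameter so a
// constructed tree can be used offline) and returns the PIDs whose comm or argv[0]
// basename equals name. The kernel truncates comm to 15 bytes and a process can
// rewrite both values, so treat a match as a lead to verify, not as proof.
func FindProcessesByName(procRoot, name string) ([]int, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var pids []int
	for _, e := range entries {
		pid, convErr := strconv.Atoi(e.Name())
		if convErr != nil || !e.IsDir() {
			continue // not a process directory (self, net, sys, uptime, ...)
		}
		dir := filepath.Join(procRoot, e.Name())
		comm, _ := os.ReadFile(filepath.Join(dir, "comm"))       // unreadable => empty
		cmdline, _ := os.ReadFile(filepath.Join(dir, "cmdline")) // NUL-separated argv
		argv0 := ""
		if argv := bytes.Split(cmdline, []byte{0}); len(argv[0]) > 0 {
			argv0 = filepath.Base(string(argv[0]))
		}
		if strings.TrimSpace(string(comm)) == name || argv0 == name {
			pids = append(pids, pid)
		}
	}
	sort.Ints(pids)
	return pids, nil
}

func main() {
	pids, err := FindProcessesByName("/proc", "demo_malware")
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	fmt.Println("matching PIDs:", pids)
}
```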
#### 2. Persistence Scanner (`internal/persistence/`)
**Functions:**
- Scans 7+ persistence locations:
  - Cron jobs (/etc/cron*, user crontabs)
  - Shell configuration files (.bashrc, .bash_profile, .zshrc)
  - Systemd services
  - Init scripts
  - SSH authorized_keys
  - Web shells
  - Hidden directories
**Detection logic:**
```
// ScanAll runs every persistence check and returns the accumulated findings.
// Findings is cleared first so that repeated scans do not report duplicates.
func (s *Scanner) ScanAll() []PersistenceMechanism {
	s.Findings = nil
	s.ScanCron()
	s.ScanBashRc()
	s.ScanSystemd()
	s.ScanInitScripts()
	s.ScanSSHAuthorizedKeys()
	s.ScanWebShells()
	return s.Findings
}
```
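An added example (not the project's own code) of the per-file checks that `ScanCron` and `ScanBashRc` would need; the heuristic, the `ScanContent` signature and the struct field names are assumptions of this example:

```go
package main

import (
	"fmt"
	"strings"
)

type PersistenceMechanism struct{ Type, Location, Evidence string } // mirrors ScanAll's finding type (names assumed)

// suspiciousPath is this example's heuristic: a command in a world-writable or hidden ("dot") directory.
func suspiciousPath(cmd string) bool {
	for _, p := range []string{"/tmp/", "/dev/shm/", "/var/tmp/"} {
		if strings.HasPrefix(cmd, p) {
			return true
		}
	}
	return strings.Contains(cmd, "/.")
}

// commandOf returns the token a line would execute, or "" for blanks, comments and env
// assignments. User crontabs put five schedule fields (or an @reboot macro) before it.
func commandOf(line string, isCron bool) string {
	f := strings.Fields(line)
	switch {
	case len(f) == 0 || strings.HasPrefix(f[0], "#"):
		return ""
	case !isCron:
		return f[0]
	case strings.HasPrefix(f[0], "@") && len(f) > 1:
		return f[1]
	case len(f) > 5 && !strings.Contains(f[0], "="):
		return f[5]
	}
	return ""
}

// ScanContent checks one file line by line; kind is "cron" (a user crontab) or "shell_config".
func ScanContent(kind, location, content string) []PersistenceMechanism {
	var out []PersistenceMechanism
	for _, line := range strings.Split(content, "\n") {
		if cmd := commandOf(line, kind == "cron"); cmd != "" && suspiciousPath(cmd) {
			out = append(out, PersistenceMechanism{kind, location, strings.TrimSpace(line)})
		}
	}
	return out
}

func main() { // constructed sample: the .bashrc tail seen in the walkthrough
	fmt.Printf("%+v\n", ScanContent("shell_config", "/home/analyst/.bashrc", "/tmp/.hidden/malware &\n"))
}
```

System crontabs (`/etc/crontab`, `/etc/cron.d/*`) insert a user column after the schedule, so for those the command is the seventh field rather than the sixth.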
#### 3. File Cleaner (`internal/file/`)
**Functions:**
- Recursively scans suspicious directories
- Finds files matching malware signatures
- Removes hidden directories and files
- Handles permission problems gracefully
**Target locations:**
- `/tmp`, `/dev/shm`, `/var/tmp` (world-writable)
- User home directories
- Web server document roots
- Common hiding spots (`.hidden`, `...`)
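An added example (not the project's code) of the recursive sweep: unreadable paths go into a separate list instead of aborting the walk, which is what handling permission problems gracefully has to mean for a cleanup that must not skip a directory silently. The name heuristic and all identifiers are this example's own:

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// Finding is one flagged path and the reason; Skipped lists paths the walk could not
// read (typically EACCES), so a permission error never aborts or silently hides a sweep.
type Finding struct{ Path, Reason string }
type ScanResult struct {
	Findings []Finding
	Skipped  []string
}

// ScanForArtifacts walks root (e.g. /tmp, /dev/shm, /var/tmp) and flags entries that
// are hidden or sit inside a hidden directory, plus names containing needle. The name
// match is this example's assumption, not the project's signature set.
func ScanForArtifacts(root, needle string) ScanResult {
	var res ScanResult
	filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			res.Skipped = append(res.Skipped, path)
			if d != nil && d.IsDir() {
				return fs.SkipDir // unreadable directory: record it and move on
			}
			return nil
		}
		rel, _ := filepath.Rel(root, path)
		lower := strings.ToLower(d.Name())
		switch {
		case path == root: // never flag the scan root itself
		case strings.HasPrefix(rel, ".") || strings.Contains(rel, string(filepath.Separator)+"."):
			res.Findings = append(res.Findings, Finding{path, "hidden path"})
		case needle != "" && strings.Contains(lower, strings.ToLower(needle)):
			res.Findings = append(res.Findings, Finding{path, "name matches " + needle})
		}
		return nil
	})
	return res
}

func main() {
	for _, dir := range []string{"/tmp", "/dev/shm", "/var/tmp"} {
		res := ScanForArtifacts(dir, "malware")
		fmt.Printf("%s: flagged %+v, unreadable %v\n", dir, res.Findings, res.Skipped)
	}
}
```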
#### 4. Network Monitor (`internal/network/`)
**Functions:**
- Monitors process network connections
- Extracts the C2 server IP address
- Provides iptables-based blocking
- Logs connection patterns
### How the Malware Is Neutralized
**Step-by-step flow:**
1. **Process termination**: terminate all running malware instances
2. **Persistence removal**: clean cron, bashrc and systemd entries
3. **File deletion**: remove the malware binary and artifacts
4. **Network blocking**: block C2 communication
5. **Verification**: confirm complete removal
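An added example (not the project's code) of pulling the C2 address from `/proc/net/tcp`, the table that `netstat` reads in the walkthrough; the function names are this example's own and the byte-order handling assumes the x86-64 lab host:

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// parseAddr decodes the "HEXIP:HEXPORT" form used in /proc/net/tcp. The IPv4 word is
// in host byte order, so on x86-64 (as in the lab) 0100007F:115C is 127.0.0.1:4444.
// /proc/net/tcp6 rows carry 32-digit addresses and are rejected here.
func parseAddr(s string) (string, bool) {
	ipHex, portHex, ok := strings.Cut(s, ":")
	raw, err := hex.DecodeString(ipHex)
	port, perr := strconv.ParseUint(portHex, 16, 16)
	if !ok || len(raw) != 4 || err != nil || perr != nil {
		return "", false
	}
	ip := net.IPv4(raw[3], raw[2], raw[1], raw[0]) // little-endian word to dotted quad
	return net.JoinHostPort(ip.String(), strconv.FormatUint(port, 10)), true
}

// RemotePeers takes the text of /proc/net/tcp and returns the distinct remote endpoints
// of sockets that are neither listening (state 0A) nor unconnected (0.0.0.0:0): the
// candidate C2 addresses. Column 10 is the inode that /proc/<pid>/fd links tie to a PID.
func RemotePeers(procNetTCP string) []string {
	seen := map[string]bool{}
	var peers []string
	for _, line := range strings.Split(procNetTCP, "\n") {
		f := strings.Fields(line)
		if len(f) < 10 {
			continue
		}
		remote, ok := parseAddr(f[2]) // the header row fails to parse and is skipped
		if !ok || f[3] == "0A" || strings.HasPrefix(remote, "0.0.0.0:") || seen[remote] {
			continue
		}
		seen[remote] = true
		peers = append(peers, remote)
	}
	return peers
}

func main() {
	data, _ := os.ReadFile("/proc/net/tcp") // empty on non-Linux hosts
	fmt.Println("remote peers:", RemotePeers(string(data)))
}
```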
## Analysis Walkthrough
### Environment Setup
```
Isolated Container Specs:
- OS: Ubuntu 22.04 (containerized)
- Network: Completely isolated (no internet)
- Memory: 2GB limit
- CPU: 2 cores
- Monitoring: strace, ltrace, auditd
```
### Step 1: Static Analysis
**Initial file inspection:**
```
$ file samples/demo_malware
demo_malware: ELF 64-bit LSB executable, x86-64
$ strings samples/demo_malware | grep -E "tmp|hidden|cron|bash"
/tmp/.hidden/malware
/tmp/.hidden/beacon.log
127.0.0.1:4444
crontab
.bashrc
daemonize
```
**Suspicious findings:**
- References to a hidden directory
- C2 server IP (127.0.0.1:4444)
- Cron manipulation strings
- Shell configuration modification
### Step 2: Dynamic Analysis
**Pre-execution baseline:**
```
# Capture the clean state
$ ps aux > pre_execution.txt
$ netstat -tulpn > pre_network.txt
$ crontab -l > pre_cron.txt
$ find /tmp -type f > pre_files.txt
```
**Malware execution:**
```
$ ./samples/demo_malware &
[1] 1234
$ ps aux | grep demo
analyst 1234 0.0 0.1 1234 123 ? S 10:00 0:00 demo_malware
```
**Observed behavior:**
1. **Process daemonization:**
   Process tree before execution: bash (PID 100)
   Process tree after execution: bash (100) ─── demo_malware (1234) ─── demo_malware (1235)
2. **Filesystem changes:**
   ```
   $ find /tmp -newer pre_execution.txt
   /tmp/.hidden/
   /tmp/.hidden/malware
   /tmp/.hidden/beacon.log
   /tmp/cron_temp
   ```
3. **Persistence installation:**
   ```
   $ crontab -l
   */5 * * * * /tmp/.hidden/malware
   $ tail -2 /home/analyst/.bashrc
   # Malware persistence
   /tmp/.hidden/malware &
   ```
4. **Network activity:**
   ```
   $ netstat -tulpn | grep 4444
   tcp 0 0 127.0.0.1:4444 0.0.0.0:* LISTEN 1235/demo_malware
   ```
### Step 3: Tool Execution
**Scan mode:**
```
$ ./bin/malware-remover -scan -name demo_malware
Found 2 malware process(es):
- PID: 1234, Name: demo_malware
- PID: 1235, Name: demo_malware
Found 3 persistence mechanism(s):
- Type: cron, Location: /var/spool/cron/crontabs/analyst
- Type: shell_config, Location: /home/analyst/.bashrc
- Type: hidden_files, Location: /tmp/.hidden
Found 4 suspicious file(s):
- /tmp/.hidden/malware
- /tmp/.hidden/beacon.log
- /tmp/cron_temp
```
**Removal mode:**
```
$ ./bin/malware-remover -remove -name demo_malware
Step 1: Terminating malware processes
Terminated PID 1234 (demo_malware)
Terminated PID 1235 (demo_malware)
Step 2: Removing persistence mechanisms
Removed cron job from /var/spool/cron/crontabs/analyst
Cleaned /home/analyst/.bashrc
Removed systemd service (if present)
Step 3: Removing malware files
Deleted: /tmp/.hidden/malware
Deleted: /tmp/.hidden/beacon.log
Deleted: /tmp/cron_temp
Removed directory: /tmp/.hidden
Step 4: Extracting attacker IP
Attacker IP: 127.0.0.1
Malware removal completed
```
### Step 4: Verification
**Process verification:**
```
$ ps aux | grep demo_malware
[no output] Processes terminated
```
**Persistence verification:**
```
$ crontab -l
[no output] Cron jobs removed
$ grep malware /home/analyst/.bashrc
[no output] Bashrc cleaned
```
**File verification:**
```
$ find /tmp /home -name "*malware*" -o -name "*.hidden*"
[no output] Files removed
```
## Remediation Recommendations
### Immediate Actions
1. **Isolate affected systems** as soon as an infection is detected
2. **Reset all credentials** that were used on the infected system
3. **Scan the entire network** for other infections
4. **Review firewall logs** for C2 communication patterns
### Long-Term Prevention
#### 1. System Hardening
```
# Monitor critical directories
auditctl -w /tmp -p wa -k tmp_monitor
auditctl -w /etc/cron.d -p wa -k cron_monitor
auditctl -w /home -p wa -k home_monitor
# Restrict world-writable directories
chmod 1777 /tmp # Sticky bit
# Only effective when /tmp is its own mount (e.g. tmpfs); remount keeps the existing filesystem
mount -o remount,nosuid,noexec /tmp
```
#### 2. Persistence Monitoring (Conceptual)
```
// Persistence Monitoring System
// Conceptual example - not actual implementation
FUNCTION monitor_persistence_changes():
WATCH directories:
- /etc/cron.d
- /home/*/.bashrc
- /etc/systemd/system
WHEN file_modified(file_path):
IF file_path CONTAINS "cron" OR ".bashrc":
LOG_ALERT("Persistence mechanism modified: " + file_path)
NOTIFY security_team(file_path)
END IF
WHEN file_created(file_path):
SCAN file_for_malware_patterns(file_path)
END
```
#### 3. Network Controls
```
# Outbound filtering
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Keep replies to existing sessions working
iptables -A OUTPUT -m state --state NEW -j LOG
iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT # Internal only
iptables -A OUTPUT -j DROP # Block all external by default
```
#### 4. Detection Rule (YARA)
```
rule Detect_Hidden_Persistence {
    strings:
        $cron = /cron.*\/tmp\/\.hidden/   // cron entry pointing into the hidden directory
        $bashrc = /\.bashrc.*malware/     // shell rc modification referencing the binary
        $hidden = /mkdir.*\.hidden/       // creation of the hidden directory
    condition:
        any of them
}
```
#### 5. User Education
- Train users to recognize phishing attempts
- Establish clear incident reporting procedures
- Regular security awareness training
- Enforce the principle of least privilege
## Malware Mitigation Report Email
```
To: security@organization.com
Subject: Malware Analysis Report: Mitigation of "demo_malware"
Priority: High
Date: March 10, 2026
Dear Security Team,
I am writing to report the successful analysis and mitigation of "demo_malware"
identified during an educational malware analysis exercise conducted in an
isolated container environment.
### Summary
The malware (demo_malware) exhibited sophisticated persistence mechanisms and
C2 communication capabilities. Key behaviors observed:
- **Process Behavior**: Daemonized to run in background, forked to avoid direct
parent-child tracking
- **Persistence**: Installed via cron jobs (5-minute intervals) and .bashrc
modifications for auto-start on shell login
- **File System**: Created hidden directory `/tmp/.hidden/` storing malware
binary and beacon logs
- **Network**: Attempted regular beaconing to C2 server at 127.0.0.1:4444
every 30 seconds
- **Impact**: Could provide persistent backdoor access, exfiltrate data, and
serve as launch point for additional attacks
### Proof of Mitigation
The following actions were successfully completed:
**Process Termination**:
- Malware processes (PIDs 1234, 1235) terminated
- Verified no remaining processes via `/proc` scan
**Persistence Removal**:
- Cron job removed from `/var/spool/cron/crontabs/analyst`
- Malicious entries cleaned from `/home/analyst/.bashrc`
- No systemd services or init scripts compromised
**File System Cleanup**:
- Removed `/tmp/.hidden/` directory and all contents
- Deleted `/tmp/cron_temp` (temporary cron file)
- Verified complete removal with filesystem scan
**Network Blocking**:
- C2 communication blocked via iptables
- No active connections to attacker IP
### Attacker Information
- **IP Address**: 127.0.0.1 (localhost - lab environment)
- **Port**: 4444
- **Beacon Pattern**: 30-second intervals
- **Protocol**: TCP (simulated)
### Technical Indicators (IOCs)
File Hashes:
- demo_malware: sha256: [hash]
- /tmp/.hidden/malware: sha256: [hash]
Network Indicators:
- Destination: 127.0.0.1:4444
- Beacon interval: 30 seconds
File System Indicators:
- /tmp/.hidden/
- /tmp/.hidden/beacon.log
- /tmp/cron_temp
### Recommendations
1. Implement file integrity monitoring for world-writable directories
2. Deploy cron job auditing across all systems
3. Enable bashrc change alerts via auditd
4. Review and restrict outbound network connections
5. Conduct user awareness training on persistence mechanisms
Please feel free to reach out for additional details or clarification.
Best regards,
[Your Name]
Malware Analyst
[Your Contact Information]
```
## Ethical Hacking Report
### Ethical Considerations in Malware Analysis
#### 1. The Importance of a Controlled Environment
**Why isolation is critical:**
```
# Our isolation measures:
- Complete network isolation (no internet)
- Containerized environment
- No access to production systems
- All artifacts contained
- Automated cleanup after analysis
```
**Risks of uncontrolled analysis:**
- Malware spreading to the production network
- Data being exfiltrated to a real C2 server
- Persistence mechanisms infecting the host system
- Legal liability for damage caused
- Violation of computer fraud laws
#### 2. Legal Framework
**Applicable laws:**
- **Computer Fraud and Abuse Act (CFAA)** - unauthorized access
- **GDPR** - data protection violations
- **Local cybercrime laws** - vary by jurisdiction
- **DMCA** - anti-circumvention provisions
**Legal requirements:**
- Written authorization for the analysis
- Mandatory isolated environment
- Proper disposal of malware samples
- Documentation of all actions
- Chain of custody for evidence
#### 3. Ethical Boundaries
**Do:**
- Analyze only with explicit permission
- Use isolated, disposable environments
- Document all findings thoroughly
- Report responsibly through proper channels
- Destroy samples after analysis
**Don't:**
- Never analyze on production systems
- Do not share malware samples publicly
- Avoid connecting to real C2 servers
- Never deploy without authorization
- Never use for unauthorized access
#### 4. Professional Responsibility
**As a malware analyst, I must:**
- Maintain strict operational security
- Protect intellectual property
- Respect the privacy of affected users
- Provide accurate, actionable intelligence
- Keep skills and knowledge up to date
- Follow responsible disclosure practices
#### 5. Risk Mitigation Strategy
**Technical controls:**
```
# Network isolation
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
# System isolation
docker run --network none --read-only \
-v samples:/samples:ro malware-lab
# Sample handling
sha256sum malware_sample > hash.txt
gpg --encrypt --recipient team malware_sample
```
**Procedural controls:**
- Two-person rule for sample handling
- Regular security audits
- Incident response plan
- Certificates of data destruction
- Access logging and review
#### 6. Ethical Analysis Methodology
**Our approach:**
1. **Authorization**: obtain written permission
2. **Isolation**: container with no network access
3. **Documentation**: every step logged and timestamped
4. **Minimization**: perform only the analysis that is necessary
5. **Containment**: all artifacts stay inside the container
6. **Disposal**: destroy the container after analysis
7. **Reporting**: responsible disclosure only
#### 7. Code of Ethics Statement
```
// Malware Analyst Ethics Framework
// Conceptual guidelines - not executable code
ETHICS_PROTOCOL MalwareAnalysis:
REQUIREMENTS:
- Written authorization must be obtained
- Isolated environment must be used
- All actions must be logged
- Samples must be destroyed after analysis
PROCEDURE analyze_malware(sample):
IF NOT has_permission(sample):
REJECT with "No authorization"
RETURN
IF NOT environment_is_isolated():
HALT with "Inadequate isolation"
RETURN
findings = PERFORM_SAFE_ANALYSIS(sample)
DISCLOSE_RESPONSIBLY(findings)
SECURELY_DESTROY(sample)
END
```
### Conclusion
Malware analysis is a powerful tool for improving security, but it carries significant ethical and legal responsibility. Our methodology delivers valuable insight into malware behavior while prioritizing safety, legality and professional conduct. The techniques demonstrated in this project are intended solely for educational use in controlled environments with proper authorization.
## Installation & Usage
### Prerequisites
- Docker or Podman
- Go 1.20+ (for development)
- Linux host (or WSL2 on Windows)
### Quick Start
```
# Clone the repository
git clone https://learn.zone01kisumu.ke/git/shfana/defuse.git
cd defuse
# Build and start the container
cd docker
podman-compose -f docker-compose.linux.yml up -d
# Enter the container
podman exec -it linux-malware-lab bash
# Inside the container, build the tool
cd /malware-lab
go build -o bin/malware-remover cmd/remover/main.go
# Compile the demo malware (optional)
gcc -o samples/demo_malware samples/demo_malware.c
# Run the analysis
./bin/malware-remover -scan -name demo_malware
./bin/malware-remover -remove -name demo_malware
./bin/malware-remover -report -output report.txt
```
### Command Reference
```
# Scan for malware
malware-remover -scan -name [malware_name]
# Remove malware
malware-remover -remove -name [malware_name]
# Generate a report
malware-remover -report -output [file.txt]
# Save scan results
malware-remover -scan -name [name] -output results.txt
```
## Technical Architecture
```
malware-analysis-lab/
├── main.go                      # Main entry point
├── internal/
│   ├── process.go               # Process management
│   ├── scanner.go               # Persistence detection
│   ├── file.go                  # File operations
│   ├── network.go               # Network monitoring
│   ├── registry.go
│   └── logger.go                # Logging utilities
├── docker/
│   ├── Dockerfile.linux         # Container definition
│   └── docker-compose.linux.yml # Orchestration
├── samples/                     # Malware samples (mounted)
├── scripts/
│   └── analyze_malware.sh       # Analysis automation
├── reports/                     # Generated reports
└── README.md                    # This file
```
## License
This project is for educational purposes only. Unauthorized use of these techniques is prohibited and may violate local law.
**Disclaimer**: the authors are not responsible for misuse of this software. Always obtain proper authorization before analyzing any malware.