
Research on a Forensic Reverse-Analysis Method for Credential-Stealing Trojans Based on "Execution Path Reconstruction" (cited by 3)

Reverse Analysis into Stealing-information Trojan through “Reconstructing Execution Path”
Abstract: Objective: When the specific window title that a credential-stealing Trojan monitors is unknown and its key configuration information is encrypted, it is difficult for criminal investigators to obtain the hacker's preset e-mail account data through network monitoring or reverse analysis. To extract that information effectively, this paper proposes a forensic reverse-analysis method for such Trojans based on "reconstructing the execution path". Methods: The execution path of the Trojan program is first reverse-analysed, then modified and rebuilt in the forward direction so that the Trojan is forced to execute the e-mail-sending path specified by the examiner, thereby yielding key information such as the mailbox configuration. Results: With this approach, key configuration information, including the hacker's e-mail account and password, was extracted from the parameters of the Trojan's e-mail-sending function. Conclusions: The forensic reverse analysis by "reconstructing the execution path" proposed in this paper can effectively examine and analyse Trojan programs.
Author: XU Guotian (National Police University of China, Shenyang 110854, China)
Source: Forensic Science and Technology (刑事技术), 2019, No. 4, pp. 283-288 (6 pages)
Funding: Natural Science Foundation of Liaoning Province (No.2015020091); Public Security Theory and Soft Science Research Program (No.2016LLYJXJXY013); Ministry of Public Security Technology Research Program (No.2016JSYJB06); Fundamental Research Funds for the Central Universities (No.3242017013)
Keywords: execution path reconstruction; credential-stealing Trojan; reverse analysis; network monitoring; forensics