{"id":861,"date":"2020-05-22T21:47:13","date_gmt":"2020-05-22T21:47:13","guid":{"rendered":"https:\/\/hackemall.live\/?p=861"},"modified":"2020-05-22T23:08:25","modified_gmt":"2020-05-22T23:08:25","slug":"malware-analyst-roadmap","status":"publish","type":"post","link":"https:\/\/hackemall.live\/index.php\/2020\/05\/22\/malware-analyst-roadmap\/","title":{"rendered":"Malware Analyst Roadmap"},"content":{"rendered":"\n

Ch\u00e0o c\u00e1c b\u1ea1n \u0111\u1ebfn v\u1edbi m\u00f4n Ph\u00f2ng ch\u1ed1ng ngh\u1ec7 thu\u1eadt h\u1eafc \u00e1m – Ph\u00f2ng ch\u1ed1ng m\u00e3 \u0111\u1ed9c<\/span><\/strong><\/p>\n\n\n\n

N\u1ebfu c\u00e1c b\u1ea1n \u0111\u00e3 quy\u1ebft \u0111\u1ecbnh t\u00ecm hi\u1ec3u ngh\u1ec1 n\u00e0y, th\u00ec c\u0169ng xin gi\u1edbi thi\u1ec7u \u0111\u00f3 l\u00e0 m\u1ed9t trong 4 nh\u00f3m ngh\u1ec1 m\u00e0 anh ThaiDN c\u00f3 nh\u1eafc t\u1edbi [1]. C\u00f4ng vi\u1ec7c ch\u00ednh c\u1ee7a ch\u00fang ta l\u00e0m trong m\u1ed9t doanh nghi\u1ec7p \u0111\u00f3 l\u00e0 t\u00ecm ki\u1ebfm, ph\u00e2n t\u00edch, v\u00e0 ti\u00eau di\u1ec7t m\u00e3 \u0111\u1ed9c bao g\u1ed3m c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng c\u00f3 ch\u1ee7 \u0111\u00edch. M\u00e3 \u0111\u1ed9c c\u00f3 th\u1ec3 l\u00e0 virus m\u00e1y t\u00ednh, trojan hay c\u00e1c lo\u1ea1i malware n\u00f3i chung v\u00e0 c\u00e1c m\u00e3 khai th\u00e1c 0-day ch\u01b0a \u0111\u01b0\u1ee3c bi\u1ebft \u0111\u1ebfn. <\/p>\n\n\n\n

\u0110\u01b0\u01a1ng nhi\u00ean, trong th\u1ef1c t\u1ebf c\u00f4ng vi\u1ec7c m\u00e0 t\u00f4i \u0111\u00e3 tr\u1ea3i nghi\u1ec7m \u1edf m\u1ed9t v\u00e0i c\u00f4ng ty t\u1ea1i Vi\u1ec7t Nam th\u00ec c\u00f2n c\u1ea7n n\u00e2ng c\u1ea5p c\u00e1c h\u1ec7 th\u1ed1ng hi\u1ec7n t\u1ea1i \u0111\u1ec3 ch\u1ed1ng l\u1ea1i c\u00e1c k\u1ef9 thu\u1eadt c\u1ee7a m\u00e3 \u0111\u1ed9c, t\u1ed1i \u01b0u h\u1ec7 th\u1ed1ng \u0111\u1ec3 ph\u00e1t hi\u1ec7n c\u00e1c lo\u1ea1i m\u00e3 \u0111\u1ed9c ch\u01b0a \u0111\u01b0\u1ee3c bi\u1ebft \u0111\u1ebfn, x\u00e2y d\u1ef1ng h\u1ec7 th\u1ed1ng ph\u00e2n t\u00edch m\u00e3 \u0111\u1ed9c t\u1ef1 \u0111\u1ed9ng, x\u00e2y d\u1ef1ng quy tr\u00ecnh x\u1eed l\u00fd s\u1ef1 c\u1ed5 – ph\u1ea3n \u1ee9ng khi c\u00f3 t\u1ea5n c\u00f4ng m\u00e3 \u0111\u1ed9c,\u2026 C\u00f4ng vi\u1ec7c n\u00e0y c\u00f3 v\u1ebb s\u1ebd r\u1ea5t kh\u00f3 kh\u0103n v\u00e0 c\u1ea7n \u0111\u1ebfn c\u00e1c ki\u1ebfn th\u1ee9c c\u01a1 b\u1ea3n nh\u1ea5t c\u1ee7a ng\u00e0nh C\u00f4ng ngh\u1ec7 th\u00f4ng tin nh\u01b0: L\u1eadp tr\u00ecnh ng\u00f4n ng\u1eef b\u1eadc th\u1ea5p, l\u1eadp tr\u00ecnh ng\u00f4n ng\u1eef b\u1eadc cao, hay n\u00f3i chung l\u00e0 c\u1ea7n ph\u1ea3i bi\u1ebft v\u00e0 c\u00f3 th\u1ec3 l\u00e0m vi\u1ec7c \u0111\u01b0\u1ee3c v\u1edbi h\u1ea7u h\u1ebft c\u00e1c ng\u00f4n ng\u1eef l\u1eadp tr\u00ecnh<\/strong>. V\u00ec m\u00e3 \u0111\u1ed9c c\u00f3 th\u1ec3 t\u1ed3n t\u1ea1i \u1edf b\u1ea5t k\u1ef3 d\u1ea1ng ng\u00f4n ng\u1eef l\u1eadp tr\u00ecnh n\u00e0o. C\u00f3 am hi\u1ec3u v\u1ec1 ki\u1ebfn tr\u00fac H\u1ec7 \u0111i\u1ec1u h\u00e0nh, ki\u1ebfn tr\u00fac vi x\u1eed l\u00fd tr\u00ean nhi\u1ec1u n\u1ec1n t\u1ea3ng kh\u00e1c nhau. Tuy nhi\u00ean, c\u0169ng c\u1ea7n l\u01b0u \u00fd r\u1eb1ng kh\u00f4ng y\u00eau c\u1ea7u b\u1ea1n ph\u1ea3i ghi nh\u1edb v\u00e0 bi\u1ebft h\u1ebft m\u1ecdi ki\u1ebfn th\u1ee9c. V\u00ed d\u1ee5 c\u00f3 th\u1ec3 tra c\u1ee9u c\u00e1c c\u00e2u l\u1ec7nh c\u1ee7a Intel x64 khi b\u1ea1n ch\u01b0a nh\u1edb h\u1ebft \u0111\u01b0\u1ee3c to\u00e0n b\u1ed9 c\u00e1c c\u00e2u l\u1ec7nh, nh\u01b0ng y\u00eau c\u1ea7u c\u1ea7n ph\u1ea3i bi\u1ebft \u0111\u01b0\u1ee3c c\u00e1c l\u1ec7nh c\u01a1 b\u1ea3n.
N\u00f3i l\u00e0 ph\u1ea3i bi\u1ebft nhi\u1ec1u nh\u01b0 th\u1ebf, nh\u01b0ng ch\u0103m ch\u1ec9 luy\u1ec7n t\u1eadp v\u00e0 th\u1ef1c h\u00e0nh nhi\u1ec1u s\u1ebd quen d\u1ea7n v\u1edbi c\u00f4ng vi\u1ec7c, v\u00e0 \u0111\u1ebfn m\u1ed9t l\u00fac n\u00e0o \u0111\u00f3 b\u1ea1n c\u00f3 th\u1ec3 hi\u1ec3u m\u00e3 \u0111\u1ed9c nh\u01b0 nh\u1eefng ng\u01b0\u1eddi l\u1eadp tr\u00ecnh ra n\u00f3.<\/p>\n\n\n\n

I. Ki\u1ebfn th\u1ee9c n\u1ec1n t\u1ea3ng<\/span><\/strong><\/p><\/blockquote>\n\n\n\n

\u0110\u1ed5i v\u1edbi c\u00e1c ki\u1ebfn th\u1ee9c n\u1ec1n t\u1ea3ng c\u1ee7a b\u1ed9 m\u00f4n n\u00e0y, y\u00eau c\u1ea7u c\u01a1 b\u1ea3n l\u00e0 c\u1ea7n c\u00f3 ki\u1ebfn th\u1ee9c v\u1ec1 l\u1eadp tr\u00ecnh \u0111\u1eb7c bi\u1ec7t l\u00e0 l\u1eadp tr\u00ecnh h\u1ee3p ng\u1eef v\u00e0 l\u1eadp tr\u00ecnh C<\/strong>. Hai m\u00f4n n\u00e0y \u0111\u1ed1i v\u1edbi c\u00e1c b\u1ea1n trong m\u00f4i tr\u01b0\u1eddng \u0110\u1ea1i h\u1ecdc \u0111\u00e3 \u0111\u01b0\u1ee3c \u0111\u00e0o t\u1ea1o r\u1ed3i, n\u00ean kh\u00f4ng c\u1ea7n ph\u1ea3i gi\u1edbi thi\u1ec7u th\u00eam.<\/p>\n\n\n\n


Cu\u1ed1n s\u00e1ch \u0111\u1ea7u ti\u00ean c\u1ea7n tham kh\u1ea3o l\u00e0 cu\u1ed1n “Secret of Reversing – EldadEilam” [2]<\/strong>. <\/p>\n\n\n\n

<\/p>\n\n\n\n

Cu\u1ed1n s\u00e1ch n\u00e0y s\u1ebd cung c\u1ea5p l\u1ea1i cho b\u1ea1n ki\u1ebfn th\u1ee9c v\u1ec1 d\u1ecbch ng\u01b0\u1ee3c ph\u1ea7n m\u1ec1m, t\u1eeb ng\u00f4n ng\u1eef l\u1eadp tr\u00ecnh b\u1eadc th\u1ea5p, tr\u00ecnh bi\u00ean d\u1ecbch,\u2026 hi\u1ec3u \u0111\u01b0\u1ee3c c\u00e1ch m\u00e0 m\u00e1y t\u00ednh th\u1ef1c thi c\u00e2u l\u1ec7nh khi ch\u00fang ta bi\u00ean d\u1ecbch t\u1eeb m\u00e3 ngu\u1ed3n ph\u1ea7n m\u1ec1m. V\u00e0 “d\u1ecbch ng\u01b0\u1ee3c” l\u00e0 qu\u00e1 tr\u00ecnh m\u00e0 ta hi\u1ec3u \u0111\u01b0\u1ee3c c\u00e1ch ph\u1ea7n m\u1ec1m ho\u1ea1t \u0111\u1ed9ng t\u1eeb c\u00e1c ng\u00f4n ng\u1eef b\u1eadc th\u1ea5p m\u00e0 tr\u00ecnh disassembler hi\u1ec3n th\u1ecb. Cu\u1ed1n s\u00e1ch n\u00e0y c\u0169ng s\u1ebd gi\u1edbi thi\u1ec7u v\u1ec1 ki\u1ebfn tr\u00fac c\u00e1c th\u00e0nh ph\u1ea7n tr\u00ean H\u1ec7 \u0111i\u1ec1u h\u00e0nh Windows, c\u00e1ch hi\u1ec3n th\u1ecb l\u1eddi g\u1ecdi h\u00e0m, ti\u1ebfp \u0111\u00f3 l\u00e0 c\u00e1ch s\u1eed d\u1ee5ng m\u1ed9t s\u1ed1 c\u00f4ng c\u1ee5 cho c\u00f4ng vi\u1ec7c d\u1ecbch ng\u01b0\u1ee3c nh\u01b0 IDA Pro, Ollydbg. C\u00e1ch th\u1ee9c m\u00e0 m\u00e3 \u0111\u1ed9c s\u1eed d\u1ee5ng \u0111\u1ec3 m\u00e3 h\u00f3a, l\u1ea9n tr\u00e1nh c\u00e1c ph\u1ea7n m\u1ec1m Antivirus. <\/p>\n\n\n\n

\u0110\u1ed1i v\u1edbi Ch\u01b0\u01a1ng 7<\/strong>, n\u1ebfu c\u00e1c b\u1ea1n ch\u1ec9 c\u1ea7n t\u00ecm hi\u1ec3u v\u1ec1 m\u00e3 \u0111\u1ed9c m\u00e0 kh\u00f4ng quan t\u00e2m t\u1edbi khai th\u00e1c l\u1ed7i ph\u1ea7n m\u1ec1m th\u00ec kh\u00f4ng c\u1ea7n tham kh\u1ea3o. Nh\u01b0ng n\u1ebfu \u0111\u1ecdc th\u00ec c\u00e1c b\u1ea1n s\u1ebd c\u00f3 ki\u1ebfn th\u1ee9c c\u01a1 b\u1ea3n v\u1ec1 vi\u1ebft m\u00e3 khai th\u00e1c ph\u1ea7n m\u1ec1m, cu\u1ed1n s\u00e1ch t\u1eadp trung v\u00e0o c\u00e1c ph\u1ea7n m\u1ec1m ch\u1ee7 y\u1ebfu tr\u00ean Windows. <\/p>\n\n\n\n

Trong Ch\u01b0\u01a1ng 8<\/strong> l\u00e0 ch\u01b0\u01a1ng nh\u1eadp m\u00f4n v\u1ec1 ph\u00e2n t\u00edch m\u00e3 \u0111\u1ed9c, gi\u1edbi thi\u1ec7u c\u00e1c lo\u1ea1i m\u00e3 \u0111\u1ed9c v\u00e0 c\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng c\u1ee7a n\u00f3. Sang ch\u01b0\u01a1ng 9<\/strong> th\u00ec c\u00f3 th\u1ec3 t\u00ecm hi\u1ec3u \u0111\u1ec3 b\u1ebb kh\u00f3a ph\u1ea7n m\u1ec1m ho\u1eb7c thi\u1ebft k\u1ebf m\u1ed9t module \u0111\u1ec3 b\u1ea3o v\u1ec7 b\u1ea3n quy\u1ec1n ph\u1ea7n m\u1ec1m. C\u00e1c ph\u1ea7n c\u00f2n l\u1ea1i cung c\u1ea5p cho c\u00e1c b\u1ea1n ki\u1ebfn th\u1ee9c v\u1ec1 c\u00e1c k\u1ef9 thu\u1eadt \u0111\u1ec3 m\u00e3 ch\u1ed1ng l\u1ea1i nh\u1eefng ng\u01b0\u1eddi d\u1ecbch ng\u01b0\u1ee3c ph\u1ea7n m\u1ec1m, c\u00e1c k\u1ef9 thu\u1eadt \u0111\u1ec3 ph\u00e1t hi\u1ec7n \u0111ang b\u1ecb d\u1ecbch ng\u01b0\u1ee3c hay k\u1ef9 thu\u1eadt ph\u00e1t hi\u1ec7n m\u00f4i tr\u01b0\u1eddng \u1ea3o h\u00f3a m\u00e0 m\u00e3 \u0111\u1ed9c th\u01b0\u1eddng d\u00f9ng. M\u1ed9t ch\u00fat ki\u1ebfn th\u1ee9c v\u1ec1 d\u1ecbch ng\u01b0\u1ee3c c\u00e1c ph\u1ea7n m\u1ec1m \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf tr\u00ean n\u1ec1n t\u1ea3ng .NET trong ch\u01b0\u01a1ng 12<\/strong>.<\/p>\n\n\n\n