Hello.


While going through a malware sample, I noticed the following in its Import Address Table.


+ WS2_32.dll
Ord(12)
Ord(3)
Ord(11)
Ord(23)
Ord(20)
Ord(111)
Ord(17)
Ord(15)
Ord(115)
Ord(9)


Wondering what this was, I looked into it and learned that the names show up this way because the WS2_32.dll functions are imported by ordinal rather than by name. So I looked up how the function names in WS2_32.dll and wsock32.dll map to their ordinal numbers, and found the tables below.


The tool I used was Stud-PE (http://www.cgsoftlabs.ro/dl.html).


WSOCK32.dll

Ord Name
1 accept
2 bind
3 closesocket
4 connect
5 getpeername
6 getsockname
7 getsockopt
8 htonl
9 htons
10 inet_addr
11 inet_ntoa
12 ioctlsocket
13 listen
14 ntohl
15 ntohs
16 recv
17 recvfrom
18 select
19 send
20 sendto
21 setsockopt
22 shutdown
23 socket
24 MigrateWinsockConfiguration
25 gethostbyaddr
26 gethostbyname
27 getprotobyname
28 getprotobynumber
29 getservbyname
30 getservbyport
31 gethostname
32 WSAAsyncSelect
33 WSAAsyncGetHostByAddr
34 WSAAsyncGetHostByName
35 WSAAsyncGetProtoByNumber
36 WSAAsyncGetProtoByName
37 WSAAsyncGetServByPort
38 WSAAsyncGetServByName
39 WSACancelAsyncRequest
40 WSASetBlockingHook
41 WSAUnhookBlockingHook
42 WSAGetLastError
43 WSASetLastError
44 WSACancelBlockingCall
45 WSAIsBlocking
46 WSAStartup
47 WSACleanup
48 __WSAFDIsSet
49 WEP
50 WSApSetPostRoutine
51 inet_network
52 getnetbyname
53 rcmd
54 rexec
55 rresvport
56 sethostname
57 dn_expand
58 WSARecvEx
59 s_perror
60 GetAddressByNameA
61 GetAddressByNameW
62 EnumProtocolsA
63 EnumProtocolsW
64 GetTypeByNameA
65 GetTypeByNameW
66 GetNameByTypeA
67 GetNameByTypeW
68 SetServiceA
69 SetServiceW
70 GetServiceA
71 GetServiceW
72 NPLoadNameSpaces
73 TransmitFile
74 AcceptEx
75 GetAcceptExSockaddrs


WS2_32.dll

Ord Name
1 accept
2 bind
3 closesocket
4 connect
5 getpeername
6 getsockname
7 getsockopt
8 htonl
9 htons
10 ioctlsocket
11 inet_addr
12 inet_ntoa
13 listen
14 ntohl
15 ntohs
16 recv
17 recvfrom
18 select
19 send
20 sendto
21 setsockopt
22 shutdown
23 socket
24 WSApSetPostRoutine
25 FreeAddrInfoEx
26 FreeAddrInfoExW
27 FreeAddrInfoW
28 GetAddrInfoExA
29 GetAddrInfoExW
30 GetAddrInfoW
31 GetNameInfoW
32 InetNtopW
33 InetPtonW
34 SetAddrInfoExA
35 SetAddrInfoExW
36 WPUCompleteOverlappedRequest
37 WSAAccept
38 WSAAddressToStringA
39 WSAAddressToStringW
40 WSAAdvertiseProvider
41 WSACloseEvent
42 WSAConnect
43 WSAConnectByList
44 WSAConnectByNameA
45 WSAConnectByNameW
46 WSACreateEvent
47 WSADuplicateSocketA
48 WSADuplicateSocketW
49 WSAEnumNameSpaceProvidersA
50 WSAEnumNameSpaceProvidersExA
51 gethostbyaddr
52 gethostbyname
53 getprotobyname
54 getprotobynumber
55 getservbyname
56 getservbyport
57 gethostname
58 WSAEnumNameSpaceProvidersExW
59 WSAEnumNameSpaceProvidersW
60 WSAEnumNetworkEvents
61 WSAEnumProtocolsA
62 WSAEnumProtocolsW
63 WSAEventSelect
64 WSAGetOverlappedResult
65 WSAGetQOSByName
66 WSAGetServiceClassInfoA
67 WSAGetServiceClassInfoW
68 WSAGetServiceClassNameByClassIdA
69 WSAGetServiceClassNameByClassIdW
70 WSAHtonl
71 WSAHtons
72 WSAInstallServiceClassA
73 WSAInstallServiceClassW
74 WSAIoctl
75 WSAJoinLeaf
76 WSALookupServiceBeginA
77 WSALookupServiceBeginW
78 WSALookupServiceEnd
79 WSALookupServiceNextA
80 WSALookupServiceNextW
81 WSANSPIoctl
82 WSANtohl
83 WSANtohs
84 WSAPoll
85 WSAProviderCompleteAsyncCall
86 WSAProviderConfigChange
87 WSARecv
88 WSARecvDisconnect
89 WSARecvFrom
90 WSARemoveServiceClass
91 WSAResetEvent
92 WSASend
93 WSASendDisconnect
94 WSASendMsg
95 WSASendTo
96 WSASetEvent
97 WSASetServiceA
98 WSASetServiceW
99 WSASocketA
100 WSASocketW
101 WSAAsyncSelect
102 WSAAsyncGetHostByAddr
103 WSAAsyncGetHostByName
104 WSAAsyncGetProtoByNumber
105 WSAAsyncGetProtoByName
106 WSAAsyncGetServByPort
107 WSAAsyncGetServByName
108 WSACancelAsyncRequest
109 WSASetBlockingHook
110 WSAUnhookBlockingHook
111 WSAGetLastError
112 WSASetLastError
113 WSACancelBlockingCall
114 WSAIsBlocking
115 WSAStartup
116 WSACleanup
117 WSAStringToAddressA
118 WSAStringToAddressW
119 WSAUnadvertiseProvider
120 WSAWaitForMultipleEvents
121 WSCDeinstallProvider
122 WSCDeinstallProvider32
123 WSCEnableNSProvider
124 WSCEnableNSProvider32
125 WSCEnumNameSpaceProviders32
126 WSCEnumNameSpaceProvidersEx32
127 WSCEnumProtocols
128 WSCEnumProtocols32
129 WSCGetApplicationCategory
130 WSCGetProviderInfo
131 WSCGetProviderInfo32
132 WSCGetProviderPath
133 WSCGetProviderPath32
134 WSCInstallNameSpace
135 WSCInstallNameSpace32
136 WSCInstallNameSpaceEx
137 WSCInstallNameSpaceEx32
138 WSCInstallProvider
139 WSCInstallProvider64_32
140 WSCInstallProviderAndChains64_32
141 WSCSetApplicationCategory
142 WSCSetProviderInfo
143 WSCSetProviderInfo32
144 WSCUnInstallNameSpace
145 WSCUnInstallNameSpace32
146 WSCUpdateProvider
147 WSCUpdateProvider32
148 WSCWriteNameSpaceOrder
149 WSCWriteNameSpaceOrder32
150 WSCWriteProviderOrder
151 __WSAFDIsSet
152 WSCWriteProviderOrder32
153 WahCloseApcHelper
154 WahCloseHandleHelper
155 WahCloseNotificationHandleHelper
156 WahCloseSocketHandle
157 WahCloseThread
158 WahCompleteRequest
159 WahCreateHandleContextTable
160 WahCreateNotificationHandle
161 WahCreateSocketHandle
162 WahDestroyHandleContextTable
163 WahDisableNonIFSHandleSupport
164 WahEnableNonIFSHandleSupport
165 WahEnumerateHandleContexts
166 WahInsertHandleContext
167 WahNotifyAllProcesses
168 WahOpenApcHelper
169 WahOpenCurrentThread
170 WahOpenHandleHelper
171 WahOpenNotificationHandleHelper
172 WahQueueUserApc
173 WahReferenceContextByHandle
174 WahRemoveHandleContext
175 WahWaitForNotification
176 WahWriteLSPEvent
177 freeaddrinfo
178 getaddrinfo
179 getnameinfo
180 inet_ntop
181 inet_pton
182 WEP


Putting it together, the imports above resolve as follows.


+ WS2_32.dll
Ord(12)    -> inet_ntoa()
Ord(3)     -> closesocket()
Ord(11)    -> inet_addr()
Ord(23)    -> socket()
Ord(20)    -> sendto()
Ord(111)   -> WSAGetLastError()
Ord(17)    -> recvfrom()
Ord(15)    -> ntohs()
Ord(115)   -> WSAStartup()
Ord(9)     -> htons()


From this I could tell that the sample is doing some kind of network communication. Fun :D
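As an added illustration (not code from the original post), here is where the Ord(n) form comes from in the PE import thunk data and how an analyst can resolve it against the WS2_32.dll table above. The thunk bytes and the ordinal subset are constructed for the example, and network_profile is a hypothetical triage helper, not part of any tool.

```python
import struct

# Subset of the WS2_32.dll export table from the post (ordinal -> name); constructed here.
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 8: "htonl",
    9: "htons", 10: "ioctlsocket", 11: "inet_addr", 12: "inet_ntoa",
    15: "ntohs", 16: "recv", 17: "recvfrom", 19: "send", 20: "sendto",
    23: "socket", 111: "WSAGetLastError", 115: "WSAStartup", 116: "WSACleanup",
}

# PE rule: if the top bit of an IMAGE_THUNK_DATA entry is set, the low 16 bits
# are an export ordinal; otherwise the entry is an RVA to IMAGE_IMPORT_BY_NAME.
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000


def parse_thunks(raw, is_64bit=False):
    """Decode a raw thunk array (terminated by a zero entry) into
    ("ordinal", n) or ("name_rva", rva) tuples."""
    fmt, flag = ("<Q", IMAGE_ORDINAL_FLAG64) if is_64bit else ("<I", IMAGE_ORDINAL_FLAG32)
    size = struct.calcsize(fmt)
    entries = []
    for off in range(0, len(raw) - size + 1, size):
        (val,) = struct.unpack_from(fmt, raw, off)
        if val == 0:
            break
        entries.append(("ordinal", val & 0xFFFF) if val & flag else ("name_rva", val))
    return entries


def resolve_imports(raw, table, is_64bit=False):
    """Turn ordinal thunks into names; unknown ordinals and by-name entries
    stay visible instead of being silently dropped."""
    names = []
    for kind, val in parse_thunks(raw, is_64bit):
        names.append(table.get(val, f"Ord({val})") if kind == "ordinal" else f"<name RVA 0x{val:x}>")
    return names


def network_profile(names):
    """Coarse triage tags from the resolved Winsock imports (hypothetical heuristic)."""
    s, tags = set(names), []
    if {"WSAStartup", "socket"} <= s:
        tags.append("initialises Winsock and creates sockets")
    if {"sendto", "recvfrom"} & s and "connect" not in s:
        tags.append("datagram-style I/O (sendto/recvfrom, no connect)")
    return tags


# Constructed 32-bit thunk array reproducing the ordinal list seen in the post.
SAMPLE_THUNKS_32 = struct.pack(
    "<11I", *[IMAGE_ORDINAL_FLAG32 | o for o in (12, 3, 11, 23, 20, 111, 17, 15, 115, 9)], 0)
```

Running resolve_imports on SAMPLE_THUNKS_32 gives the same name list as the manual mapping above; the same parser handles 64-bit thunks and mixed by-name/by-ordinal imports.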

