[Repost] Analysis Of Unusual ZIP Files
Posted on: 2020-2-7 14:22 1766

Original link: https://blog.didierstevens.com/2020/01/06/analysis-of-unusual-zip-files/

Intrigued by a blog post from SpiderLabs on a special ZIP file they found, I took a closer look myself.

That special ZIP file is a concatenation of 2 ZIP files, the first containing a single PNG file (with extension .jpg) and the second a single EXE file (malware). Various archive managers and security products handle this file differently, some “seeing” only the PNG file, others only the EXE file.

My zipdump.py tool reports the following for this special ZIP file:

[image: zipdump.py report for the special ZIP file]


zipdump.py is essentially a wrapper for Python’s zipfile module, and this module parses ZIP files “starting from the end of the file”. That’s why it finds the second ZIP file (appended to the first ZIP file), containing the malicious EXE file.

To help with the analysis of such special/malformed ZIP files, I added an option (-f, --find) to zipdump. This option scans the content of the provided file looking for ZIP records. ZIP records start with ASCII string PK followed by 2 bytes to indicate the record type (byte values less than 16).

Here I use option “-f list” to list all PK records found in a ZIP file containing a single text file:

[image: zipdump -f list output for a ZIP file containing a single text file]


This is how a normal ZIP file containing a single file looks on the inside.

The file starts with a “local file header”, a PK record that starts with ASCII characters PK followed by bytes 0x03 and 0x04 (that’s 50 4B 03 04 in hexadecimal). In zipdump’s report, such a PK record is identified with PK0304. This header is followed by the contained file (usually compressed).

Then there is a “central directory header”, a PK record that starts with ASCII characters PK followed by bytes 0x01 and 0x02 (that’s 50 4B 01 02 in hexadecimal). In zipdump’s report, such a PK record is identified with PK0102. This header contains an offset pointing to the corresponding PK0304 record.

And at the end of the ZIP file, there is an “end of central directory”, a PK record that starts with ASCII characters PK followed by bytes 0x05 and 0x06 (that’s 50 4B 05 06 in hexadecimal). In zipdump’s report, such a PK record is identified with PK0506. This header contains an offset pointing to the first PK0102 record.

A ZIP file containing 2 files looks like this, when scanned with zipdump’s option -f list:

[image: zipdump -f list output for a ZIP file containing 2 files]


Starting with 2 PK0304 records (one for each contained file), followed by 2 PK0102 records, and 1 PK0506 record.

Armed with this knowledge, we take a look at our malicious ZIP file:

[image: zipdump -f list output for the malicious ZIP file]


We see 2 PK0506 records, and this is unusual.

We see the following sequence of records twice: PK0304, PK0102, PK0506.

From our previous examples, we can now understand that this sample contains 2 ZIP files.

Remark that zipdump assigned an index to both PK0506 records: 1 and 2. This index can be used to select one of the 2 ZIP files for further analysis. Like in this example, where I select the first ZIP file:

[image: zipdump -f 1 output, selecting the first ZIP file]


Using option “-f 1” (instead of “-f list”) selects the first ZIP file in the provided sample, and lists its content.

It can then be further analyzed with zipdump like usual, for example, selecting the first file (order.jpg) inside the first ZIP file for a hex/ASCII dump:

[image: hex/ASCII dump of order.jpg from the first ZIP file]

Likewise, “-f 2” will select the second ZIP file found inside the sample:

[image: zipdump -f 2 output, selecting the second ZIP file (2 screenshots)]

-f is a new option that I added for special/malformed ZIP files, but this is a work in progress, as there are many ways to malform ZIP files.

For example, I created a PoC malformed ZIP file that contains a single file, with reversed PK record order. Here is the output for the normal and “reversed” ZIP files (malformed, i.e. PK record order reversed):

[image: zipdump -f list output for the normal and the “reversed” ZIP file]

This file can be opened with Windows Explorer, but there are tools and libraries that cannot handle it. Like Python’s zipfile module:

[image: Python’s zipfile module failing on the “reversed” ZIP file]

I will further develop zipdump to handle malformed ZIP files as best as possible.

The current version (zipdump 0.0.16) is just a start:

  • it parses only 3 PK record types (PK0304, PK0102 and PK0506), other types are ignored
  • it does minimal parsing of these records: for example, there is no parsing/checking of offsets in this version
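As an added example (not zipdump's own code, and not from the original post), the following Python script reproduces the record scan described above and adds the offset checking that version 0.0.16 does not do yet. It builds a constructed stand-in for the SpiderLabs sample in memory: a ZIP holding order.jpg with a second ZIP appended to it (the name payload.exe and the file contents are made up). The scan finds the sequence PK0304, PK0102, PK0506 twice; Python's zipfile module, parsing from the end, reports only the appended file; splitting the data at each PK0506 record recovers the two ZIP files (the equivalent of -f 1 and -f 2); and following the offsets stored in each PK0506 shows why the appended ZIP is detectable, since its offsets are relative to its own start rather than to the start of the whole file.

```python
import io
import struct
import zipfile

# The three record types the post describes, named the way zipdump names them
# (PK followed by the two type bytes).
RECORD_NAMES = {
    b"PK\x03\x04": "PK0304",  # local file header
    b"PK\x01\x02": "PK0102",  # central directory header
    b"PK\x05\x06": "PK0506",  # end of central directory (EOCD)
}


def find_pk_records(data):
    """Scan for 'PK' followed by two bytes with values below 16 (the rule the
    post gives) and return [(offset, name), ...] in file order. Types other
    than the three above are reported as PKxxxx with their hex type bytes."""
    records = []
    pos = data.find(b"PK")
    while pos != -1:
        sig = data[pos:pos + 4]
        if len(sig) == 4 and sig[2] < 16 and sig[3] < 16:
            name = RECORD_NAMES.get(sig, "PK%02X%02X" % (sig[2], sig[3]))
            records.append((pos, name))
        pos = data.find(b"PK", pos + 1)
    return records


def split_concatenated(data):
    """Cut a concatenation of ZIP files at each PK0506 record: every EOCD
    (22 bytes plus the comment whose length is stored at offset 20) ends one
    ZIP, so the pieces correspond to zipdump's -f 1, -f 2, ... selections."""
    parts, start = [], 0
    for offset, name in find_pk_records(data):
        if name == "PK0506":
            (comment_len,) = struct.unpack_from("<H", data, offset + 20)
            end = offset + 22 + comment_len
            parts.append(data[start:end])
            start = end
    return parts


def check_eocd(data, eocd_offset):
    """Offset checking that zipdump 0.0.16 does not do yet: follow the
    PK0506's central directory offset (taken relative to the start of data)
    and require it to land on a PK0102 record, then require every PK0102's
    local header offset to land on a PK0304. Returns True only if all offsets
    are consistent; for an appended ZIP they are not, because its offsets are
    relative to its own start, not to the start of the whole file."""
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd_offset + 10)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            return False
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_offset,) = struct.unpack_from("<I", data, pos + 42)
        if data[local_offset:local_offset + 4] != b"PK\x03\x04":
            return False
        pos += 46 + name_len + extra_len + comment_len
    return True


def names_seen_by_zipfile(data):
    """What Python's zipfile module reports: it parses from the end of the
    file, so on a concatenated sample it only sees the appended ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_zip(name, content):
    """Build a one-file ZIP in memory (constructed test data, stored
    uncompressed, fixed timestamp so the bytes are deterministic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo(name, date_time=(2020, 1, 6, 0, 0, 0))
        zf.writestr(info, content)
    return buf.getvalue()


# Constructed stand-in for the SpiderLabs sample: a ZIP holding "order.jpg"
# followed by a second ZIP holding an EXE (the name payload.exe is made up).
SAMPLE = (make_zip("order.jpg", b"this is not a real PNG image")
          + make_zip("payload.exe", b"MZ this is not a real executable"))

if __name__ == "__main__":
    for offset, name in find_pk_records(SAMPLE):
        print("%08X %s" % (offset, name))
    print("zipfile sees:", names_seen_by_zipfile(SAMPLE))
    for i, part in enumerate(split_concatenated(SAMPLE), 1):
        print("ZIP %d:" % i, names_seen_by_zipfile(part))
    for offset, name in find_pk_records(SAMPLE):
        if name == "PK0506":
            print("EOCD at %d, offsets consistent: %s" % (offset, check_eocd(SAMPLE, offset)))
```

Run it as a script to see the record listing; the scan is deliberately as naive as the post describes (any PK followed by two small bytes counts), so on real samples a false hit inside compressed data is possible and the offset walk in check_eocd is what tells a genuine record chain from a stray signature.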

And finally, I also created a video showing how to use this new feature:

https://youtu.be/9OxzUaedYyc


Last edited by kanxue on 2020-2-8 19:55, reason:
Latest replies (1)
Thanks for sharing
2020-2-7 18:43