Recovering XtraDB table data without a structure file by byte-by-byte analysis of the ibd file


Prehistory

It so happened that a server was attacked by ransomware which, by a "lucky accident", left some of the .ibd files (the raw data files of InnoDB tables) untouched, while at the same time fully encrypting the .frm files (the structure files). In this situation the .ibd files can be divided into:

  • recoverable with standard tools and guides. There is plenty of material for such cases;
  • partially encrypted tables. These are mostly large tables, for which (as I understand it) the attackers did not have enough RAM to encrypt them completely;
  • well, fully encrypted tables that cannot be restored.

It was possible to determine which category a table belongs to simply by opening it in any text editor under the desired encoding (in my case UTF8) and looking through the file for the presence of text fields.


Also, at the beginning of the file you can see a large number of 0 bytes, and viruses that use a block encryption algorithm (the most common kind) usually affect those as well.

In my case, the attackers left a 4-byte string (1, 0, 0, 0) at the end of each encrypted file, which simplified the task. To search for uninfected files, the following script was enough:

import os

def opened(path):
    # yield the full path of every regular file directly under `path`
    for f in os.listdir(path):
        full = os.path.join(path, f)
        if os.path.isfile(full):
            yield full

for full_path in opened(r"C:\somepath"):  # directory with the .ibd files
    if os.path.getsize(full_path) < 4:
        continue
    with open(full_path, "rb") as file:
        file.seek(-4, os.SEEK_END)  # only the last 4 bytes matter
        tail = file.read(4)
    # files whose tail is not the encryptor's (1, 0, 0, 0) marker are the untouched ones
    if tail != bytes((1, 0, 0, 0)):
        print(full_path)

So it turned out that files of the first type had been found. The second type involves a lot of manual work, but what was found was already enough. Everything would have been fine, but you need to know the exact structure, and (of course) it turned out that I was dealing with a frequently changed table. Nobody remembered whether a field type had been changed or whether a new column had been added.

The internet, unfortunately, could not help with such a case, which is why this article was written.

Getting to the point

There is a table structure from 3 months ago that does not match the current one (possibly in one field, possibly in more). Table structure:

CREATE TABLE `table_1` (
    `id` INT(11),
    `date` DATETIME,
    `description` TEXT,
    `id_point` INT(11),
    `id_user` INT(11),
    `date_start` DATETIME,
    `date_finish` DATETIME,
    `photo` INT(1),
    `id_client` INT(11),
    `status` INT(1),
    `lead__time` TIME,
    `sendstatus` TINYINT(4)
);

In this case, you need to extract:

  • id_point INT(11);
  • id_user INT(11);
  • date_start DATETIME;
  • date_finish DATETIME.

For recovery, byte-by-byte analysis of the .ibd file is used, followed by converting the bytes into a readable form. Since, to find what we need, we only have to analyze data types such as int and datetime, the article describes only those, but it will occasionally refer to other data types as well, which may help in other similar incidents.

Problem 1: fields of the DATETIME and TEXT types had NULL values, which are simply skipped in the file; because of this, in my case it was not possible to determine the structure to restore from them. In the new columns the default value was null, and part of the transactions could have been lost because of the innodb_flush_log_at_trx_commit = 0 setting, so extra time had to be spent on determining the structure.

Problem 2: keep in mind that rows removed with DELETE will all still be present in the ibd file, but after an ALTER TABLE their structure is not updated. As a result, the data structure can differ between the beginning of the file and its end. If you run OPTIMIZE TABLE often, you are unlikely to run into this problem.

Note: the DBMS version affects how the data is stored, so this example may not work for other major versions. In my case, the Windows build of MariaDB 10.1.24 was used. Also, although in MariaDB you work with InnoDB tables, they are in fact XtraDB, which is not the same as the InnoDB engine implementation in MySQL.

File analysis

In Python, the bytes() data type displays the data as a mix of printable characters and numeric escapes. Although you can view the file in this form, for convenience you can convert the bytes into numeric form by turning the byte array into a list (list(example_byte_array)). Either way, both forms are suitable for analysis.

After looking through several ibd files, you will notice the keywords infimum and supremum recurring throughout the file.

Moreover, if you split the file by these keywords, you get mostly even blocks of data. We will use infimum as the separator.

table = table.split("infimum".encode())

An interesting observation: in tables with a small amount of data, between infimum and supremum there is an indicator of the number of rows in the block.

[screenshot: test table with 1 row]

[screenshot: test table with 2 rows]

table[0] can be skipped. After looking through it, I still could not find any raw table data there. Most often this block is used to store indexes and keys.
Starting from table[1] and converting it into numeric form, you can already notice some patterns, namely:

[screenshot: numeric dump of table[1] with repeating 4-byte groups that start with 128]

These are int values stored as a string. The first byte indicates whether the number is positive or not. In my case all the numbers are positive. From the remaining 3 bytes you can determine the number with the following function. Script:

def find_int(val: str):  # example: '128, 1, 2, 3'
    val = [int(v) for v in val.split(", ")]
    # byte 0 is the sign marker (128 = positive); the remaining 3 bytes are big-endian
    result_int = val[1] * 256**2 + val[2] * 256 + val[3]
    return result_int

For example, 128, 0, 0, 1 = 1, and 128, 0, 75, 108 = 19308.
The table had an auto-increment primary key, which can also be found here.

Comparing with the data of the test tables, it was found that a DATETIME object consists of 5 bytes and starts with 153 (most likely indicating a range of years). Since the DATETIME range is '1000-01-01' to '9999-12-31', I assume the number of bytes may vary, but in my case the data falls within the period from 2016 to 2019, so we will assume that 5 bytes is enough.

To determine the time without seconds, the following functions were written. Script:

day_ = lambda x: x % 64 // 2  # {x, x, X, x, x}: bits 5..1 of the 3rd byte

def hour_(x1, x2):  # {x, x, X1, X2, x}: low bit of the 3rd byte, high nibble of the 4th
    if x1 % 2 == 0:
        return x2 // 16
    return x2 // 16 + 16

min_ = lambda x1, x2: (x1 % 16) * 4 + (x2 // 64)  # {x, x, x, X1, X2}: low nibble of the 4th byte, top 2 bits of the 5th

I was unable to write a working function for the year and month, so I had to brute-force it. Script:

ym_list = {'2016, 1': '153, 152, 64', '2016, 2': '153, 152, 128', 
           '2016, 3': '153, 152, 192', '2016, 4': '153, 153, 0',
           '2016, 5': '153, 153, 64', '2016, 6': '153, 153, 128', 
           '2016, 7': '153, 153, 192', '2016, 8': '153, 154, 0', 
           '2016, 9': '153, 154, 64', '2016, 10': '153, 154, 128', 
           '2016, 11': '153, 154, 192', '2016, 12': '153, 155, 0',
           '2017, 1': '153, 155, 128', '2017, 2': '153, 155, 192', 
           '2017, 3': '153, 156, 0', '2017, 4': '153, 156, 64',
           '2017, 5': '153, 156, 128', '2017, 6': '153, 156, 192',
           '2017, 7': '153, 157, 0', '2017, 8': '153, 157, 64',
           '2017, 9': '153, 157, 128', '2017, 10': '153, 157, 192', 
           '2017, 11': '153, 158, 0', '2017, 12': '153, 158, 64', 
           '2018, 1': '153, 158, 192', '2018, 2': '153, 159, 0',
           '2018, 3': '153, 159, 64', '2018, 4': '153, 159, 128', 
           '2018, 5': '153, 159, 192', '2018, 6': '153, 160, 0',
           '2018, 7': '153, 160, 64', '2018, 8': '153, 160, 128',
           '2018, 9': '153, 160, 192', '2018, 10': '153, 161, 0', 
           '2018, 11': '153, 161, 64', '2018, 12': '153, 161, 128',
           '2019, 1': '153, 162, 0', '2019, 2': '153, 162, 64', 
           '2019, 3': '153, 162, 128', '2019, 4': '153, 162, 192', 
           '2019, 5': '153, 163, 0', '2019, 6': '153, 163, 64',
           '2019, 7': '153, 163, 128', '2019, 8': '153, 163, 192',
           '2019, 9': '153, 164, 0', '2019, 10': '153, 164, 64', 
           '2019, 11': '153, 164, 128', '2019, 12': '153, 164, 192',
           '2020, 1': '153, 165, 64', '2020, 2': '153, 165, 128',
           '2020, 3': '153, 165, 192','2020, 4': '153, 166, 0', 
           '2020, 5': '153, 166, 64', '2020, 6': '153, 166, 128',
           '2020, 7': '153, 166, 192', '2020, 8': '153, 167, 0', 
           '2020, 9': '153, 167, 64','2020, 10': '153, 167, 128',
           '2020, 11': '153, 167, 192', '2020, 12': '153, 168, 0'}

def year_month(x1, x2):  # {x, X1, X2, x, x}
    # brute-force lookup: match the 2nd byte exactly and the top 2 bits of the 3rd
    for key, value in ym_list.items():
        key = [int(k) for k in key.split(", ")]
        value = [int(v) for v in value.split(", ")]
        if x1 == value[1] and x2 // 64 == value[2] // 64:
            return key
    return 0, 0  # outside the table; datetime() will reject it

I am sure that if you spend n amount of time on it, this misunderstanding can be corrected.
Next, a function that returns a datetime object from a string. Script:

from datetime import datetime

def find_data_time(val: str):  # example: '153, 159, 92, 151, 128'
    val = [int(v) for v in val.split(", ")]
    day = day_(val[2])
    hour = hour_(val[2], val[3])
    minutes = min_(val[3], val[4])
    year, month = year_month(val[1], val[2])
    return datetime(year, month, day, hour, minutes)

We managed to find the repeating values int, int, datetime, datetime; it looks like this is what we need. Moreover, such a sequence does not occur twice in any row.

Using a regular expression, we get the data we need:

import re

# table[1] (see above) rendered as a ", "-separated numeric string
int_array = ", ".join(str(b) for b in table[1])
fined = re.findall(r'128, \d+, \d+, \d+, 128, \d+, \d+, \d+, 153, 1[3-6]\d, \d+, \d+, \d+, 153, 1[3-6]\d, \d+, \d+, \d+', int_array)

Note that when searching with this expression it will not be possible to detect NULL values in the required fields, but in my case this does not matter. Then we go through what we found in a loop. Script:

result = []
for val in fined:
    pre_result = []
    bd_int = re.findall(r"128, \d+, \d+, \d+", val)
    bd_date = re.findall(r"153, 1[3-6]\d, \d+, \d+, \d+", val)
    for it in bd_int:
        pre_result.append(find_int(it))
    for bd in bd_date:
        pre_result.append(find_data_time(bd))
    result.append(pre_result)
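As an added example (not the article's code), the following puts the year/month decoding that was brute-forced above and the final extraction loop on a single footing. It assumes the MariaDB on-disk layouts for INT (4 bytes, big-endian, sign bit flipped) and for DATETIME without fractional seconds (5 bytes: 1 sign bit, 17 bits of year*13+month, 5 bits day, 5 bits hour, 6 bits minute, 6 bits second); both agree with the values the article observed (128, 0, 75, 108 = 19308; 2016-01 begins 153, 152, 64). The sample block, the regex name and the helper names are constructed for the example.

```python
import re
from datetime import datetime

# Added example, not the article's code. Assumes MariaDB's on-disk layouts for
# INT (4 bytes, big-endian, sign bit flipped) and DATETIME without fractional
# seconds (5 bytes: 1 sign bit, 17 bits year*13+month, 5 bits day, 5 bits hour,
# 6 bits minute, 6 bits second).


def decode_int(b: bytes) -> int:
    """Decode a 4-byte INT: 128, 0, 0, 1 -> 1; 127, 255, 255, 255 -> -1."""
    if len(b) != 4:
        raise ValueError("INT(11) occupies 4 bytes on disk")
    u = int.from_bytes(b, "big") ^ 0x80000000  # undo the flipped sign bit
    return u - (1 << 32) if u & 0x80000000 else u


def encode_int(n: int) -> bytes:
    """Inverse of decode_int, used here only to build test data."""
    return ((n % (1 << 32)) ^ 0x80000000).to_bytes(4, "big")


def decode_datetime(b: bytes) -> datetime:
    """Decode a 5-byte DATETIME by formula instead of the month table above."""
    if len(b) != 5:
        raise ValueError("DATETIME without fractional seconds is 5 bytes")
    v = int.from_bytes(b, "big") & ((1 << 39) - 1)  # drop the sign bit
    year, month = divmod(v >> 22, 13)               # 17 bits of year*13+month
    return datetime(year, month,
                    (v >> 17) & 0x1F,               # 5 bits day
                    (v >> 12) & 0x1F,               # 5 bits hour
                    (v >> 6) & 0x3F,                # 6 bits minute
                    v & 0x3F)                       # 6 bits second


def encode_datetime(dt: datetime) -> bytes:
    """Inverse of decode_datetime, used here only to build test data."""
    v = (((dt.year * 13 + dt.month) << 22) | (dt.day << 17) | (dt.hour << 12)
         | (dt.minute << 6) | dt.second)
    return (v | (1 << 39)).to_bytes(5, "big")


def to_int_string(block: bytes) -> str:
    """Render bytes the way the article does: '128, 0, 0, 1, ...'."""
    return ", ".join(str(x) for x in block)


# Same shape as the article's regex: two positive INTs (leading 128) followed by
# two DATETIMEs in the 2016-2020 range (153, 13x..16x). The lookbehind stops a
# match from starting inside a preceding number.
ROW_PATTERN = re.compile(
    r"(?<!\d)128, \d+, \d+, \d+, 128, \d+, \d+, \d+, "
    r"153, 1[3-6]\d, \d+, \d+, \d+, 153, 1[3-6]\d, \d+, \d+, \d+"
)


def extract_rows(int_array: str):
    """Return (id_point, id_user, date_start, date_finish) for every match.

    Fields are cut by position (4 + 4 + 5 + 5 bytes) rather than by a second
    regex, so a DATETIME byte that happens to equal 128 cannot be mistaken for
    the start of an INT.
    """
    rows = []
    for match in ROW_PATTERN.findall(int_array):
        vals = bytes(int(v) for v in match.split(", "))
        rows.append((decode_int(vals[0:4]), decode_int(vals[4:8]),
                     decode_datetime(vals[8:13]), decode_datetime(vals[13:18])))
    return rows


# Constructed sample: two rows with filler bytes around them, imitating a
# fragment of table[1] after splitting on b"infimum". Not from a real .ibd file.
SAMPLE_ROWS = [
    (5, 7, datetime(2018, 3, 14, 9, 30, 0), datetime(2018, 3, 14, 17, 45, 12)),
    (19308, 2, datetime(2019, 11, 1, 8, 0, 0), datetime(2019, 11, 2, 8, 0, 0)),
]


def build_sample_block() -> bytes:
    block = b"\x00\x10\x33"
    for id_point, id_user, start, finish in SAMPLE_ROWS:
        block += (encode_int(id_point) + encode_int(id_user)
                  + encode_datetime(start) + encode_datetime(finish) + b"\x01\x02")
    return block


def demo() -> bool:
    """Round trip: the constructed block decodes back to SAMPLE_ROWS."""
    return extract_rows(to_int_string(build_sample_block())) == SAMPLE_ROWS


if __name__ == "__main__":
    for row in extract_rows(to_int_string(build_sample_block())):
        print(row)
```

The formula-based year_month replaces the hand-built table: year*13+month is stored in 17 bits, so the top 7 of them land in the byte that always reads 153 for 2016 through 2020. Cutting the matched 18 numbers by position also avoids the ambiguity in the article's inner regex, where the trailing bytes of one DATETIME (for example "... 128, 0, 153, 164 ...") can themselves look like a "128, x, x, x" INT.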

Actually, that is all: the data collected in result is the data we need.

PS.

I understand that this method is not suitable for everyone, but the main purpose of the article is to prompt action rather than to solve all your problems. I think the most correct solution would be to start studying the MariaDB source code yourself, but with limited time the current method seemed the fastest.

In some cases, after analyzing the file, you will be able to determine the approximate structure and restore it using one of the standard methods from the links above. That will be far more accurate and cause fewer problems.

Source: www.habr.com
