I recently received a warning from a traffic analyzer that the payload of an HTTP request contains a Windows executable instead of plain text.
What is the best way to interpret this HTTP request, and how do I determine the actual content of the payload?
Thanks!
00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1.200.OK.
00000010 0a 41 63 63 65 70 74 2d 52 61 6e 67 65 73 3a 20 .Accept-Ranges:.
00000020 62 79 74 65 73 0d 0a 43 6f 6e 74 65 6e 74 2d 54 bytes..Content-T
00000030 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d ype:.text/plain.
00000040 0a 45 54 61 67 3a 20 22 32 63 62 34 64 64 63 66 .ETag:."2cb4ddcf
00000050 30 38 65 38 61 62 64 38 63 65 39 64 64 37 62 39 08e8abd8ce9dd7b9
00000060 31 66 39 36 64 63 35 36 3a 31 34 37 38 31 33 35 1f96dc56:1478135
00000070 33 33 30 22 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 330"..Last-Modif
00000080 69 65 64 3a 20 57 65 64 2c 20 30 32 20 4e 6f 76 ied:.Wed,.02.Nov
00000090 20 32 30 31 36 20 32 30 3a 32 35 3a 35 33 20 47 .2016.20:25:53.G
000000a0 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 6b 61 6d MT..Server:.Akam
000000b0 61 69 4e 65 74 53 74 6f 72 61 67 65 0d 0a 43 6f aiNetStorage..Co
000000c0 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 37 36 ntent-Length:.76
000000d0 34 30 0d 0a 44 61 74 65 3a 20 54 75 65 2c 20 30 40..Date:.Tue,.0
000000e0 39 20 4a 75 6e 20 32 30 32 30 20 31 36 3a 33 32 9.Jun.2020.16:32
000000f0 3a 33 39 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74 :39.GMT..Connect
00000100 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d ion:.keep-alive.
00000110 0a 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ...MZ...........
00000120 ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 ...........@....
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ...............@
00000150 00 00 00 50 45 00 00 4c 01 01 00 bc 4b 1a 58 00 ...PE..L....K.X.
00000160 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 ..........!.....
00000170 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00 00 00 10 10 00 00 00 10 ................
00000190 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 ................
000001a0 00 00 00 e0 03 00 00 60 01 00 00 00 00 00 00 02 .......`........
000001b0 00 00 05 00 00 10 00 00 10 00 00 00 00 10 00 00 ................
000001c0 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 ................
000001d0 00 00 00 00 00 00 00 00 00 00 00 60 01 00 00 80 ...........`....
000001e0 02 00 00 00 00 00 00 00 00 00 00 90 06 00 00 48 ...............H
000001f0 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000240 00 00 00 00 00 00 00 00 00 00 00 2e 72 73 72 63 ............rsrc
00000250 00 00 00 80 02 00 00 60 01 00 00 80 02 00 00 60 .......`.......`
00000260 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ...............@
00000270 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 ..@.............
00000280 00 01 00 10 00 00 00 18 00 00 80 00 00 00 00 00 ................
00000290 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 30 ...............0
000002a0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002b0 00 01 00 09 04 00 00 48 00 00 00 b8 01 00 00 28 .......H.......(
000002c0 02 00 00 00 00 00 00 00 00 00 00 28 02 34 00 00 ...........(.4..
000002d0 00 56 00 53 00 5f 00 56 00 45 00 52 00 53 00 49 .V.S._.V.E.R.S.I
000002e0 00 4f 00 4e 00 5f 00 49 00 4e 00 46 00 4f 00 00 .O.N._.I.N.F.O..
000002f0 00 00 00 bd 04 ef fe 00 00 01 00 06 00 03 00 00 ................
00000300 00 05 00 06 00 03 00 00 00 05 00 00 00 00 00 00 ................
00000310 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 ................
00000320 00 00 00 00 00 00 00 86 01 00 00 01 00 53 00 74 .............S.t
00000330 00 72 00 69 00 6e 00 67 00 46 00 69 00 6c 00 65 .r.i.n.g.F.i.l.e
00000340 00 49 00 6e 00 66 00 6f 00 00 00 62 01 00 00 01 .I.n.f.o...b....
00000350 00 30 00 34 00 30 00 39 00 30 00 34 00 45 00 34 .0.4.0.9.0.4.E.4
00000360 00 00 00 30 00 08 00 01 00 46 00 69 00 6c 00 65 ...0.....F.i.l.e
00000370 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 .V.e.r.s.i.o.n..
00000380 00 00 00 33 00 2e 00 36 00 2e 00 35 00 2e 00 30 ...3...6...5...0
00000390 00 00 00 34 00 08 00 01 00 50 00 72 00 6f 00 64 ...4.....P.r.o.d
000003a0 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 .u.c.t.V.e.r.s.i
000003b0 00 6f 00 6e 00 00 00 33 00 2e 00 36 00 2e 00 35 .o.n...3...6...5
000003c0 00 2e 00 30 00 00 00 4a 00 15 00 01 00 43 00 6f ...0...J.....C.o
000003d0 00 6d 00 70 00 61 00 6e 00 79 00 4e 00 61 00 6d .m.p.a.n.y.N.a.m
000003e0 00 65 00 00 00 00 00 53 00 6f 00 6c 00 69 00 64 .e.....S.o.l.i.d
000003f0 00 20 00 53 00 74 00 61 00 74 00 65 00 20 00 4e ...S.t.a.t.e...N
00000400 00 65 00 74 00 77 00 6f 00 72 00 6b 00 73 00 00 .e.t.w.o.r.k.s..
00000410 00 00 00 6a 00 23 00 01 00 4c 00 65 00 67 00 61 ...j.#...L.e.g.a
00000420 00 6c 00 43 00 6f 00 70 00 79 00 72 00 69 00 67 .l.C.o.p.y.r.i.g
00000430 00 68 00 74 00 00 00 43 00 6f 00 70 00 79 00 72 .h.t...C.o.p.y.r
00000440 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 .i.g.h.t...(.C.)
00000450 00 20 00 53 00 6f 00 6c 00 69 00 64 00 20 00 53 ...S.o.l.i.d...S
00000460 00 74 00 61 00 74 00 65 00 20 00 4e 00 65 00 74 .t.a.t.e...N.e.t
00000470 00 77 00 6f 00 72 00 6b 00 73 00 00 00 00 00 2e .w.o.r.k.s......
00000480 00 07 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 .....P.r.o.d.u.c
00000490 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 44 .t.N.a.m.e.....D
000004a0 00 69 00 72 00 65 00 63 00 74 00 00 00 00 00 44 .i.r.e.c.t.....D
000004b0 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6c .....V.a.r.F.i.l
000004c0 00 65 00 49 00 6e 00 66 00 6f 00 00 00 00 00 24 .e.I.n.f.o.....$
000004d0 00 04 00 00 00 54 00 72 00 61 00 6e 00 73 00 6c .....T.r.a.n.s.l
000004e0 00 61 00 74 00 69 00 6f 00 6e 00 00 00 00 00 09 .a.t.i.o.n......
000004f0 04 e4 04 50 4b 03 04 14 00 03 00 08 00 30 a3 62 ...PK........0.b
00000500 49 9d 8f 4e 82 da 01 00 00 f6 03 00 00 0c 00 2c I..N...........,
00000510 00 6d 61 6e 69 66 65 73 74 2e 78 6d 6c 10 88 28 .manifest.xml..(
00000520 00 d3 06 55 dc c8 c4 17 17 41 5f 6e 22 4d 41 1c ...U.....A_n"MA.
00000530 0b 58 9a f9 bf ac c0 49 22 e6 26 3f e1 b3 ae 2d .X.....I".&?...-
00000540 54 5d b0 62 1d 27 b2 70 68 2c 9d 03 38 6a a7 8f T].b.'.ph,..8j..
00000550 00 58 07 1a 11 02 6d bc c5 e8 8e 33 25 35 6b 9b .X....m....3%5k.
00000560 60 42 9b 2c 5a 83 6e b5 6c e6 f5 0e 96 c8 10 98 `B.,Z.n.l.......
00000570 7f 4b de 7b 95 04 b3 36 7e 4f 7b 58 20 f7 1a db .K.{...6~O{X....
00000580 f9 89 e2 ab ae 1d 4c da cc 45 f1 96 e6 54 4c dd ......L..E...TL.
00000590 9a 4a 4e 01 0e 27 1f 18 b5 f9 37 e3 18 91 3a 54 .JN..'....7...:T
000005a0 7f 5c ed 9d 56 aa e6 b8 d8 4c bd 2e 86 45 01 c2 .\..V....L...E..
000005b0 8c 59 26 97 .Y&.
Answer 1
On line 00000110, the actual HTTP response payload starts at the fourth byte of that line.
The payload begins with the letters MZ, which is the identifier used for MS-DOS / Windows executables.
Also, on line 00000150, the fourth and fifth letters are PE, which indicates that the file is a Windows Portable Executable.
More information about Portable Executables can be found on Wikipedia: https://en.wikipedia.org/wiki/Portable_Executable
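As an added example (not part of the question or of either answer), the following Python turns the manual reading above into a repeatable check: it splits the HTTP response, compares the declared Content-Type with the body's magic bytes, follows e_lfanew from the DOS header to the "PE\0\0" signature, and reads the COFF header, optional header, data directories and section table. The sample response is constructed here from a subset of the response headers and the first 0x160 body bytes of the dump above (the .rsrc contents and the rest of the file are not included); field names and offsets follow the PE/COFF specification, and `triage`, `split_response` and `parse_pe_headers` are names chosen for this example.

```python
"""Triage an HTTP response whose body is declared text/plain but starts with MZ."""
import struct

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def _z(n):
    return "00" * n


# Constructed sample: a subset of the response headers from the capture plus the first
# 0x160 body bytes (DOS header, PE/COFF header, optional header, section table) as they
# appear in the dump above; runs of zero bytes are written as _z(n).
_PE_HEADERS_HEX = "".join([
    # IMAGE_DOS_HEADER, e_lfanew = 0x40
    "4d5a90000300000004000000ffff0000b8000000000000004000000000000000", _z(28), "40000000",
    # "PE\0\0" + IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ..., Characteristics
    "50450000", "4c01", "0100", "bc4b1a58", _z(8), "e000", "0221",
    # IMAGE_OPTIONAL_HEADER32 standard fields: Magic 0x10b, linker 9.0, no code, no entry point
    "0b01", "0900", _z(4), "80020000", _z(16),
    # Windows-specific fields, ImageBase through NumberOfRvaAndSizes
    "00000010", "10000000", "10000000", "0400", "0000", "0000", "0000", "0400", "0000",
    _z(4), "e0030000", "60010000", _z(4), "0200", "0005",
    "00001000", "00100000", "00001000", "00100000", _z(4), "10000000",
    # 16 data directories: only Resource (#2) and Security (#4) are populated
    _z(16), "60010000", "80020000", _z(8), "90060000", "48170000", _z(88),
    # the single IMAGE_SECTION_HEADER: .rsrc
    "2e72737263000000", "80020000", "60010000", "80020000", "60010000", _z(12), "40000040",
])
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nAccept-Ranges: bytes\r\nContent-Type: text/plain\r\n"
    b"Server: AkamaiNetStorage\r\nContent-Length: 7640\r\nConnection: keep-alive\r\n\r\n"
) + bytes.fromhex(_PE_HEADERS_HEX)


def split_response(raw):
    """Split an HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_pe_headers(body):
    """Follow MZ -> e_lfanew -> PE signature -> COFF -> optional header -> section table.
    Returns None when the body is not a PE image or is too short to hold the headers."""
    try:
        if body[:2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", body, 0x3C)
        if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", body, coff)
        opt = coff + 20
        magic, = struct.unpack_from("<H", body, opt)
        entry, = struct.unpack_from("<I", body, opt + 16)
        subsystem, = struct.unpack_from("<H", body, opt + 68)   # same offset for PE32 and PE32+
        dirs = opt + (112 if magic == 0x20B else 96)             # start of the data directories
        n_dirs, = struct.unpack_from("<I", body, dirs - 4)
        sec_off, sec_size = 0, 0
        if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
            # Unlike the other directories, this entry is a raw file offset, not an RVA
            sec_off, sec_size = struct.unpack_from("<II", body, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        sections = []
        for i in range(nsect):
            name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", body, opt + opt_size + 40 * i)
            sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    except struct.error:
        return None
    # Bytes after the last section's raw data (and before any signature) are overlay
    overlay_start = max((p + s for _, _, _, p, s in sections), default=0)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "num_sections": nsect,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "entry_point": entry,
        "subsystem": subsystem,
        "sections": sections,
        "authenticode": (sec_off, sec_size),
        "overlay_start": overlay_start,
        # An Authenticode certificate table is the last thing in a signed file
        "expected_size": sec_off + sec_size if sec_size else None,
    }


def triage(raw):
    """Compare what the HTTP headers claim with what the body's magic bytes say."""
    status, headers, body = split_response(raw)
    content_type = headers.get("content-type", "")
    pe = parse_pe_headers(body)
    declared_len = int(headers.get("content-length", "0") or 0)
    return {
        "status": status,
        "content_type": content_type,
        "body_is_pe": pe is not None,
        "type_mismatch": pe is not None and content_type.startswith("text/"),
        "pe": pe,
        "size_consistent": pe is not None and pe["expected_size"] == declared_len,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
```

Run against the dump's own header bytes, this reports a single section (.rsrc), an AddressOfEntryPoint of 0, the IMAGE_FILE_DLL characteristic set, and a certificate table at file offset 0x690 of 0x1748 bytes, so a correctly signed file would be exactly 0x1dd8 = 7640 bytes, which is what the Content-Length header says. It also places the overlay at body offset 0x3e0 (the end of .rsrc), 688 bytes before the signature; in the dump, the body bytes at that offset (line 000004f0) are 50 4b 03 04, a ZIP local file header whose name field reads manifest.xml, so the payload to look at next is that archive and the signature, not machine code.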
Answer 2
Reading the metadata is helpful, although it may be lies:
ProductVersion 3.6.5
CompanyName SolidStateNetworks
ProductName Direct
So, download the downloader. Verify its authenticity by checking the signature and running it through malware detection (such as VirusTotal).
There is no way to tell whether the wrong Content-Type is suspicious or just a CDN mangling the header. My guess is that this is for personal use and not malicious, but I have no evidence of that.
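Answer 2 reads the version strings by eye from the UTF-16 text in the dump. The following added Python example (not from the original page) encodes the VS_VERSIONINFO layout that appears at lines 000002c0 to 000004f0 of the dump and parses it back. `build_version_info` constructs the sample resource: the string values are the ones visible in the dump, the fixed-info fields are taken from the dump, and the 88 leading zero bytes stand in for the resource directory tree, which is not reproduced here. `parse_version_info` is the part you would point at a real .rsrc section. As the answer says, these strings are whatever the producer wrote; the parser reads them and does not vouch for them.

```python
"""Encode and decode the VS_VERSIONINFO resource that carries CompanyName, ProductName, etc."""
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def _align(pos, base):
    return pos + (-(pos - base)) % 4        # alignment is relative to the resource start


def _node(key, wtype, value=b"", wvaluelen=0, children=()):
    """One node: wLength, wValueLength, wType, szKey (UTF-16LE + NUL), pad to 4, value, children."""
    body = _pad4(struct.pack("<HHH", 0, wvaluelen, wtype) + key.encode("utf-16-le") + b"\0\0") + value
    for child in children:
        body = _pad4(body) + child          # siblings start 4-aligned; that pad is not part of wLength
    return struct.pack("<H", len(body)) + body[2:]


def _string(key, value):
    # wType 1 = text; wValueLength counts UTF-16 code units, terminator included
    return _node(key, 1, value.encode("utf-16-le") + b"\0\0", wvaluelen=len(value) + 1)


def build_version_info(strings, version=(3, 6, 5, 0), lang=0x0409, codepage=0x04E4):
    """Constructed VS_VERSIONINFO with the same node layout as the resource in the dump."""
    ms, ls = (version[0] << 16) | version[1], (version[2] << 16) | version[3]
    # VS_FIXEDFILEINFO: signature, struct version 1.0, file and product version, flags mask,
    # flags, dwFileOS = VOS__WINDOWS32, dwFileType = VFT_APP, subtype, file date
    fixed = struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000, ms, ls, ms, ls, 0, 0, 0x4, 0x1, 0, 0, 0)
    table = _node("%04X%04X" % (lang, codepage), 1, children=[_string(k, v) for k, v in strings.items()])
    var = _node("VarFileInfo", 1, children=[_node("Translation", 0, struct.pack("<HH", lang, codepage), 4)])
    return _node("VS_VERSION_INFO", 0, fixed, 52, children=[_node("StringFileInfo", 1, children=[table]), var])


def _walk(blob, off, base):
    """Read the node header at off: (szKey, wValueLength, wType, payload offset, node end)."""
    wlen, wvlen, wtype = struct.unpack_from("<HHH", blob, off)
    pos = off + 6
    while blob[pos:pos + 2] != b"\0\0":     # UTF-16LE NUL, scanned on code-unit boundaries
        pos += 2
    key = blob[off + 6:pos].decode("utf-16-le")
    return key, wvlen, wtype, _align(pos + 2, base), off + wlen


def parse_version_info(blob):
    """Return (file version, {key: value}, [(lang, codepage)]) from a blob holding VS_VERSIONINFO."""
    base = blob.find("VS_VERSION_INFO".encode("utf-16-le")) - 6
    if base < 0:
        raise ValueError("no VS_VERSION_INFO node")
    _, vlen, _, pos, end = _walk(blob, base, base)
    fixed = struct.unpack_from("<13I", blob, pos)
    if fixed[0] != VS_FFI_SIGNATURE:
        raise ValueError("bad VS_FIXEDFILEINFO signature")
    version = "%d.%d.%d.%d" % (fixed[2] >> 16, fixed[2] & 0xFFFF, fixed[3] >> 16, fixed[3] & 0xFFFF)
    strings, translations = {}, []
    pos = _align(pos + vlen, base)
    while pos < end:                                   # children: StringFileInfo, VarFileInfo
        ckey, _, _, cpos, cend = _walk(blob, pos, base)
        if ckey == "StringFileInfo":
            while cpos < cend:                         # one StringTable per language
                _, _, _, spos, send = _walk(blob, cpos, base)
                while spos < send:                     # String nodes: key -> value
                    skey, svlen, _, vpos, s_end = _walk(blob, spos, base)
                    raw = blob[vpos:vpos + 2 * svlen] if svlen else blob[vpos:s_end]
                    strings[skey] = raw.decode("utf-16-le").rstrip("\0")
                    spos = _align(s_end, base)
                cpos = _align(send, base)
        elif ckey == "VarFileInfo":
            while cpos < cend:
                _, vl, _, dpos, vend = _walk(blob, cpos, base)
                translations += [struct.unpack_from("<HH", blob, dpos + i) for i in range(0, vl, 4)]
                cpos = _align(vend, base)
        pos = _align(cend, base)
    return version, strings, translations


# Constructed sample: 88 placeholder bytes where the resource directory tree would sit,
# followed by a version resource carrying the strings visible in the dump.
SAMPLE_STRINGS = {
    "FileVersion": "3.6.5.0",
    "ProductVersion": "3.6.5.0",
    "CompanyName": "Solid State Networks",
    "LegalCopyright": "Copyright (C) Solid State Networks",
    "ProductName": "Direct",
}
SAMPLE_RSRC = b"\0" * 88 + build_version_info(SAMPLE_STRINGS)

if __name__ == "__main__":
    print(parse_version_info(SAMPLE_RSRC))
```

The constructed resource is 0x228 bytes and its first six bytes are 28 02 34 00 00 00, the same wLength, wValueLength and wType that appear at line 000002c0 of the dump, which is a useful sanity check that the encoder matches the format before trusting the decoder on real input. Note that wValueLength for text nodes is a character count, not a byte count, and that some producers set it to 0 for empty strings; the parser falls back to the node end in that case.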