Õâ¿î½ÏΪÐÂÓ±µÄ¶ñÒâÈí¼þÊÇÎÒ×òÌìÓöµ½µÄ£¬½ñÌì¾Í±»ÎҸ㶨ÁË£¬
ÐÂÐͶñÒâÈí¼þÔâÓöÕ½²¡¶¾·À·¶
¡£ËüÊÇÒ»¸öÀϵÄ2012 CVEµÄjava¹¥»÷°ü£¨¿ÉÄÜÕë¶ÔSecurityManager£©µÄ¸ºÔØ¡£Ñ¹ËõÓë½âѹËõµÄÔÚVirusTotal/MalwrÉ϶¼Ã»Óв鵽£¬ËùÒÔÕâÓÖÊÇÒ»¸ö0day°¡¡£ÀûÓÃIDA½øÐгõ²½¼ì²â£¬±¨³öÒ»¸ö´íÎó£º
¹À¼ÆÖÆ×÷Õâ¼Ò»ïµÄÐÖµÜÒ²ÖªµÀ, ³ÙÔçijһÌìËü»á±»ÏñÎÒÕâÑùµÄÈËÄÃÀ´³ò³òµÄ¡£È·ÊµÓÐÐí¶àµÄÐ޸ĿÉÒÔÓÃÀ´½ÁÂÒ·´»ã±à½á¹û£¬¶øË¿ºÁ²»Ó°ÏìWindowsÉϵÄÔËÐС£
ÓÃCFF ExplorerÀ´¿´¿´£¬·¢ÏÖNTÍ·²¿µÄÒ»¸ö´íÎóÔÚ“Data Directories”µÄ“Delay Import Directory RVA”ÏîÖС£CFFºÜºÃµÄΪÎÒÃÇÖ¸³ö0×00000040ÖµÊÇ´íµÄ¡£½«ÆäÇåÁã¾Í¿ÉÒÔ½â¾ö´ËÎÊÌâ¡£
±£´æÐ޸ĵÄexe,ÔÚIDAÖÐÖØдò¿ª£¬Ö®Ç°µÄ´íÎóÌáʾ¾ÍÏûʧÁË£¬Ò»ÇÐÕý³£¡£
ÔÚIDAÀï¼òµ¥µÄ¹ýÒ»Ñ۾ͿÉÒÔÖªµÀÕâÊÇÒ»¸öMFC³ÌÐò¡£ÎÒÕ¦ÖªµÀµÄÄØ£¿ÔÚµ¼Èë±íµÄLibrary×ֶκÜÇåÎúµÄ±íÃ÷ÁË¡£
µ±È»ÁË£¬¸Ã³ÌÐò±»Ñ¹ËõÁË¡£Ã»ÓнڱíÐ޸ģ¬µäÐ͵ÄÄÚ´æѹËõ¡£
Õâ¾ÍÒâζמ²Ì¬µÄ·ÖÎö²»ÔÙÓÐЧ£¬ÎÒÃÇÐèÒª¶¯Ì¬·ÖÎöÀ´»ñµÃ¸ü¶àµÄÐÅÏ¢¡£À´°É£¬²ÙÆðImmunity¡£
ÔÚ¿ªÊ¼immunityºÍÐéÄâ»ú֮ǰ£¬exeÎļþÀïÓÐЩÓÐȤµÄ¶«Î÷£¬Ã»ÓкÜÃ÷ÏÔµÄÔÚIDAÀï³öÏÖ£¬µ«ÔÚCFF explorerÀïÎÒÃÇ¿ÉÒÔ¿´µ½¡£Ê×ÏÈ£¬Óм¸¸öÒþ²ØÔÚ×ÊԴĿ¼µÄÎļþ͹ÏÔ³öÀ´¡£
µÚÒ»¸öÊÇPNGÎļþ¡£
È»ºóÊÇÒ»¸öhtmlÎļþ¡£
ÔÚIfranView£¨×îºÃµÄͼÏñ²é¿´Æ÷£©Àïä¯ÀÀϸÃPNGÎļþ£¬½öÏÔʾÁËÒ»¸öºÜСµÄºÚͼƬ£¬ÕâÏÔÈ»²»×ã55kb´óС¡£ËùÒÔ£¬ÀïÃæ¿Ï¶¨Òþ²ØÁ˵ãɶ¡£´ô»áÔÙÀ´ÊÕÊ°Ëü¡£
À´°É£¬µ½ÄãÁË,htmlÎļþ¡£ÓÃnotepad++¼ÓÔØÇåÀí£¬¿ÉÒÔ¿´µ½Ò»Ð©ä¯ÀÀÆ÷¼ì²â´úÂ룺
ΪɶÕâÀï½öÊǼòµ¥µÄ·ÅÔÚÁË×ÊÔ´½Ú±íÀ¶ø²»Í¬ÆäËû´úÂëÒ»ÆðѹËõ´¦Àí£¿ÕæÊǸöÃÕ°¡¡£ÏÈÔÚÄÔº£ÖмÇ×ÅÕâЩ×ÊÔ´½Ú±í£¬ÉÔºó´¦Àí¡£ÏÖÔÚ»ØÍ·À´½âѹÕâ¼Ò»ï¡£
Ê×ÏÈ¿ªÆôImmunityµ÷ÊÔÆ÷ºÍVirtualBox£¬¼ÓÔØÎÒÃǵÄanti-anti-debug python²å¼þ¡£
ÏÖÔÚ½«Õâ»õÔËÐÐÆðÀ´£¬´ýÆäÍêÈ«ÔËÐÐÖ®ºó¼ì²âÄÚ´æ¡£
¿ÉÒÔ¿´µ½ÓÐЩÄÚ´æÇø¼ä±»±ê¼ÇΪ¿É¶Á¿Éд¿ÉÖ´ÐУ¨RWE)£¬·Ö±ðÔÚ00910000£¬00930000£¬00940000ºÍ00970000¡£¼ì²âÒ»·¬£¬·¢ÏÖ4¸öµ±ÖнöÓÐ3¸ö°üº¬×Å´úÂë¡£¸Ã³ÌÐòÈÔÈ»ÓÐ3¸öÒþ²ØµÄ´úÂ룿̫¿áÁË°É¡£
ÏÖÔÚÎÒÃÇÒª´ÓÄÚ´æÖе¼³ö³ÌÐòµ½ÎļþÀ±ãÓÚºóÐøµÄ·ÖÎö¡£Ê¹³öOllyDumpEx£¬ÌîÈë0090Çø¼ä£¬¿É¿´µ½00910000ºÍ00970000µÄ³ÌÐòͬÔʼµÄ³ÌÐòÔÚ´óС¡¢½Ú±íºÍÊôÐÔÉ϶¼Æ¥Åä¡£¶ø00950000´¦µÄÄÚ´æÓëÆäËûµÄ²»Í¬£ºÓв»Í¬µÄ½Ú±í£¬²»Í¬µÄ´óС¡£Ò»¶¨ÊÇÒþ²Ø×Ųʵ°°¡¡£
ÀûÓÑBinary(Raw)’ģʽ¶ø²»ÊÇÖØй¹½¨Ä£Ê½µ¼³öexeÎļþ£¬ÕâÑù¿ÉÒÔ±£Ö¤µ¼³öµÄÊý¾ÝµÄÍêÕûÐÔ¡£
2¸öÎÞÓõĽڱí±íÃ÷³ÌÐò±»UPX½øÐÐѹËõÁË¡£ÔËÐÐupx¹¤¾ßÈ·ÈÏÁËÕâÒ»µã¡£Òâζ×ÅÎÒÃÇ¿ÉÒÔÔÒ³ö²Êµ°ÁË¡£
еÄexeÎļþÕýÈ·µÄ½âѹºó¶à³öÁË40KB£¬ÏÖÔÚÎÒÃÇÖÕÓÚ¿ÉÒÔÔÚIDAÀï³ò³òÁË¡£¿´ÏÂstrings£¬ÓÐЩÓÐȤµÄÐÅÏ¢£º
ÕâÊÇɶ£¿HTTPÇëÇóÐÅÏ¢¡£¿´ÆðÀ´Õâ»õʹÓÃPOSTÇëÇó»Ø´«Êý¾Ý°¡¡£
Äã¿ÉÄÜ»áÎÊC&C·þÎñÆ÷ÔÚÄÄÄØ£¿Ëƺõ²»ÔÚ³ÌÐòµÄÃ÷ÎÄÀï¡£»¹¼ÇµÃÇ°ÃæÌáµ½µÄ×ÊÔ´½Ú±íÂð£¿ÔÙÀ´¿´¿´²Êµ°µÄ×ÊÔ´½Ú±í°É¡£
ÇÆ£¬http://31.207.6.161¡£×÷Õß¾ÍÕâÑù½«Æä·ÅÔÚÃ÷ÎÄÀÈÃÎÒÃǼñÁ˸ö´ó±ãÒË¡£Ïëͨ¹ýÒþÄäÀ´»ñÈ¡°²È«£¬Ã»ÃÅ¡£
ÎÒÖªµÀÄãÔÚÏëɶ£¬Ö÷³ÌÐòÔËÐÐÆðÀ´ÊÇɶÑùÄØ£¿¾ÍÈÃÎÒÃÇÀ´¿´¿´°É£º
Ò»ÔËÐÐÆðÀ´£¬¾Í×Ô¶¯µÄ¹Ø±ÕÁËÎÒµÄprocess explorer£¬ÎÒÒªÔËÐÐÈÎÎñ¹ÜÀíÆ÷¶¼»á±»Ò»ÉÁ¶ø¹ýµÄÏûÏ¢´°ÌáÐÑ“ÈÎÎñ¹ÜÀíÆ÷ÒѾ±»¹ÜÀíÔ±½ûÓÔ£¬
µçÄÔ×ÊÁÏ
¡¶ÐÂÐͶñÒâÈí¼þÔâÓöÕ½²¡¶¾·À·¶¡·(https://www.unjs.com)¡£ ÎÒÒ²ºÜÏëչʾϽØÆÁ£¬µ«ÎÒ¶¯×÷ʵÔÚûËüÄÇôѸËÙ¡£¶¯ÓÃImmunity´ò¿ª£¬·¢ÏÖÔʼµÄ“golden_egg.exe”²»ÔÙÔËÐС£ÁíÒ»¸öÃûΪ“zpNvNKSi.exe”µÄ³ÌÐò´ÓÁÙʱÎļþ¼ÐÔËÐÐÆðÀ´ÁË¡£¸ù¾Ýhash±È½Ï£¬ÆäʵÊÇͬһ¸ö³ÌÐò£º
ϲ»¶ÎҵĹþÏ£³ÌÐòÂ𣿵½ÕâÏÂÔØ°É¡£
¹ã¸æʱ¼ä½áÊøÁË¡£ÏÖÔÚºÜÇå³þ¸Ã³ÌÐò×öɶÁË——½ûÓÃÈÎÎñ¹ÜÀíÆ÷£¬ÖÕÖ¹²»ÊÜ»¶ÓµÄ³ÌÐò£¬´ÓÁÙʱÎļþ¼ÐÔËÐС£¼ì²émsconfig·¢ÏÖÌí¼ÓÁË2¸ö×ÔÆô¶¯Îļþ¡£
ÎÒ¶ÔËüÃǶ¼½øÐÐÁ˼ì²é£¬È·ÈÏÕýÊÇÔʼ³ÌÐòµÄÍêÈ«¿½±´¡£
½«³ÌÐò¸½¼Óµ½immunity£¬¼ì²â³ÌÐòÄÚ´æºÍÏß³ÌÊýÄ¿(“t”¼ü£©£¬ÏÔʾ³ö¸Ã³ÌÐòÊǶàÏ̵߳ġ£ÎÒÊýÁËÏ£¬12¸öÏ̡߳£
ÎҲ²âÕâЩÏ̻߳¥Ïà¼à¿Ø¶Ô·½£¬ÒÔ·À±»ÖÕÖ¹¡£È»¶ø½«Ö÷³ÌÐò¹ÒÆð£¬ÓÃProcess Explorer´ò¿ªËü£¬¹Û²ìÄڴ棬ͨ¹ý¼ì²â£¬·¢ÏÖÁËһЩIDA stringsδ¿´µ½µÄÄÚÈÝ£º
´óµ¨²Â²âһϣ¬ÎÒÈÏΪÕâ»õ»á¼ì²éÕâЩ³ÌÐò£¬Èç¹û·¢ÏÖËüÃÇÔËÐоÍÇ¿ÖƽáÊøËüÃÇ¡£Õâ¾Í½âÊÍÁ˵±¸Ã³ÌÐòÔËÐÐʱ£¬process explorerΪɶ¾Í±»ÖÕÖ¹ÁË¡£ÒªÔËÐÐÕâЩ¹¤¾ß¾ÍÓеãÄÑÁË£¬ÓÐregedit£¬LordPE£¬wireshark£¬regmon£¬filemon£¬procmon£¬tcpview£¬taskmgrÒÔ¼°Windows Defender¡£ºðºð£¬ÎÒû¿´µ½Process ExplorerµÄС»ï°éProcess Hacker°¡¡£
ÔÙÀ´ËµÄڴ棬ÉÏÃæ±íÃ÷³ÌÐòҪôÊÇ»ìÏýÁËÄÇЩ×Ö·û´®£¬ÒªÃ´¾ÍÊǽøÐÐÁËÔٴεÄѹËõ¡£²»¹ÜÄĸö£¬°ÑËü¾¾³öÀ´¡£
¶ÔÄÇЩÎÒÃÇÔÚProcess ExplorerÖп´µ½µÄ×Ö·û´®½øÐÐunicode¸ñʽµÄËÑË÷£¬¿ÉÒÔ¿´µ½‘taskmgr’ÔÚ.data½ÚÖС£ ¹ØÓÚÕâЩ×Ö·û´®£¬ÄѵÀIDAÆÁËÎÒÃÇ£¿ÍêÈ«²»ÊÇÕâÑùµÄ¡£ÔÙ¿´Ò»±é£¬ÂýÂýµÄÀûÓöþ·Ö·¨ËÑË÷Ò»±é£¬µÄÈ·¿ÉÒÔ¿´µ½ÕâЩ×Ö·û´®¡£ ÎÒ²ÂIDA½øÐÐËÑË÷ʱ£¬Ä¬ÈϵIJ»ÏÔʾunicode×Ö·û´®¡£Äã¿ÉÒÔÔÚIDAÖÐͨ¹ý’alt+A’ ¿ì½Ý¼ü£¬Ñ¡Ôñ6Ñ¡ÏîÀ´¸ü¸Ä¡£
¼ì²éÕâЩеÄunicode×Ö·û´®£¬Ëƺõ¸Ã¶ñÒâÈí¼þ»¹Óиü¶àµÄ¹¦ÄÜ¡£
Õâ²ÅÓÐȤ°¡¡£ÒòΪÕâ»õ×èÖ¹ÁËWiresharkµÄÔËÐУ¬ ÎÒÃÇÐèÒª¶¨Î»µ½¸ºÔðÖÕÖ¹¹¦Äܵĵط½£¬²¢½øÐÐÐÞ¸´¡£Õ¦×öÄØ£¿¶ÔTerminateProcess() APIµ÷ÓýøÐж¨Î»¡£ÕâÔÚIDAÀïºÜÈÝÒ×¾ÍÄÜ×öµ½¡£ÔÚµ¼Èë½Ú±íÀïÎÒÃÇ¿´µ½Ò»¸ö¶ÔTerminateProcessµÄÒýÓá£
ËƺõÊǶÎÑ»·£¬ÀûÓÓCreateToolhelp32Snapshot”API±éÀú½ø³ÌÃû³Æ£¬Èç¹ûÂú×ãÌõ¼þ£¬¾ÍÖÕÖ¹µôËüÃÇ¡£ÄÇЩÎÒÃÇ֮ǰ¿´µ½µÄºÚÃûµ¥ËƺõÑéÖ¤ÁËÕâÒ»µã¡£
ÄÇÎÒÃÇÄÜ×öµãɶÄØ£¿¸Ä±ä³ÌÐòµÄÔËÐÐÂß¼£¬Ê¹Æä²»ÔÙµ÷ÓÃTerminateProcess£¬Ò²¾ÍûɶӰÏìÁË¡£¼ì²é¸Ã²¿·ÖµÄÍⲿÒýÓã¨Xref’s, eXternal REFerenceS), ¿ÉÒÔ¿´µ½º¯ÊýΪ00401D2AËùµ÷Óá£Óиö‘jnz’Ö¸ÁÔð¾ö¶¨ÊÇ·ñµ÷ÓÃÄǶθºÔð²éѯ¡¢ÖÕÖ¹½ø³ÌµÄ¹ý³Ì´¦Àí¡£Èç¹ûÎÒÃÇÄÜÐÞ¸´Õâ¶Î³ÌÐò£¬Ê¹Æä²»ÔÙµ÷Ó㬽«ÆäÌø¹ý£¬¾Í¿ÉÒÔÔËÐкÚÃûµ¥ÉϵijÌÐòÀ²¡£
¿ª¸ã°É¡£ ÎұȽÏϲ»¶ÓÃimmunity½øÐÐÐÞ¸´£¬Ò»ÊÇËü¼òµ¥£¬¶þÀ´ÎÒÒ²±È½ÏÊìϤ¡£¶¨Î»µ½ÔËÐгÌÐòµÄ×Ó¹ý³Ì²¿·Ö£¬½øÐÐÌõ¼þÌøתµÄÖ¸ÁîÔÚ‘0x00401d4e’¡£½«ÄÇƬÇøÓò½øÐÐnopÌî³ä£¬Ê¹µÃÖ¸ÁîÁ÷·µ»Ø£¬¶ø²»ÊÇÌøתµ½ÖÕÖ¹ºÚÃûµ¥½ø³ÌµÄ00401d2c´¦¡£
¼ÌÐøÔËÐгÌÐò£¬¿ªÆôÒ»¸ö±»ºÚÃûµ¥µÄ³ÌÐò½øÐвâÊÔ¡£“regedit”Ò²¿ÉÒÔÕý³£ÔËתÁË£¬“process explorer”ҲûÓб»ÖÕÖ¹£¬ÎÒÃdzɹ¦ÁË¡£
ÏÖÔÚÎÒÃÇ¿ÉÒÔÀûÓÃwireshark½øÐÐ×ÐϸµÄÍøÂçÐÐΪ·ÖÎöÁË£¬ÎļþºÍ×¢²á±íµÄ·ÖÎöÀûÓÃprocmon£¬ºÃºÃµÄ°ÚŪProcess Explorer´¦Àí°É¡£
ÓÃProcess Explorer¿´µ½³ÌÐòͨ¹ý80¶Ë¿ÚÏòÎÒÃÇÇ°ÃæÍÚ¾ò³öµÄC&C·þÎñÆ÷·¢ËÍÒ»¸ösyn°ü¡£
WiresharkÏÔʾµÄ¸ü¶à¡£¿ÉÒÔ¿´µ½·¢ÏòHTTP C&C·þÎñÆ÷µÄsyn°ü£¬Ò²ÓÐÒ»´®µÄÏòδ֪ÓòÃûµÄDNSÇëÇó¡£ÕâÊÇÕ¦»ØÊ£¿
·þÎñÆ÷»á¼ÌÐø»Øµ÷£¬µ«ÎÒ²»ÏëÈÃËüÕâÑù¡£¿ÉÒÔÐ޸ēgolden_egg.exe”ÖеÄ×ÊÔ´½Ú±í£¬Ê¹ÆäÖ¸ÏòÎÒ×Ô¼ºµÄHTTP·þÎñÆ÷£¬¼ì²éËüµÄ¹¦ÄÜ¡£»¹Óкܶà¿ÉÒԸɵģ¬ÏÖÔÚÎÒÃÇÒѾ»ñµÃËùÐèÒªµÄÁË£¬ÓÐÁËC&CµØÖ·£¬½âѹÁ˳ÌÐò£¬Ò²ÓÐÁËËüµÄHTTPÌØÕ÷ÒÔ¼°ËüµÄÐÐΪ¡£°¸×Ó¾ÍÕâÑù½áÊøÁË