Introduction
Hi, I'm a rubbish wannabe engineer.
This article is my writeup of the CyberDefenders "BlackEnergy" challenge (see the link below).
Note: this challenge tests Blue-team analysis skills rather than Red-team penetration skills.
Which volatility profile would be best for this machine?
You get it from imageinfo.
remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/remnux/Downloads/CYBERDEF-567078-20230213-171333.raw)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054cde0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2023-02-13 18:29:11 UTC+0000
Image local date and time : 2023-02-13 10:29:11 -0800
How many processes were running when the image was acquired?
pslist would do, but to also account for hidden processes that pslist cannot show, I check with psxview instead.
remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 psxview
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x09a88da0 winlogon.exe 616 True True True True True True True
0x09aa0020 lsass.exe 672 True True True True True True True
0x0994a020 msmsgs.exe 636 True True True True True True True
0x097289a8 svchost.exe 1108 True True True True True True True
0x09982da0 VBoxTray.exe 376 True True True True True True True
0x09a9f6f8 svchost.exe 968 True True True True True True True
0x09aab590 svchost.exe 880 True True True True True True True
0x09aaa3d8 VBoxService.exe 832 True True True True True True True
0x09694388 wscntfy.exe 480 True True True True True True True
0x09730da0 svchost.exe 1060 True True True True True True True
0x097075d0 spoolsv.exe 1608 True True True True True True True
0x099adda0 svchost.exe 1156 True True True True True True True
0x09938998 services.exe 660 True True True True True True True
0x0969d2a0 alg.exe 540 True True True True True True True
0x09a0fda0 DumpIt.exe 276 True True True True True True True
0x09733938 explorer.exe 1484 True True True True True True True
0x09a0d180 notepad.exe 1432 True True False True False False False 2023-02-13 18:28:40 UTC+0000
0x09a18da0 cmd.exe 1960 True True False True False False False 2023-02-13 18:25:26 UTC+0000
0x099e6da0 notepad.exe 1444 True True False True False False False 2023-02-13 18:28:47 UTC+0000
0x096c5020 notepad.exe 528 True True False True False False False 2023-02-13 18:27:46 UTC+0000
0x099dd740 rootkit.exe 964 True True False True False False False 2023-02-13 18:25:26 UTC+0000
0x09c037f8 System 4 True True True True False False False
0x09a98da0 csrss.exe 592 True True True True False True True
0x09a0b2f0 taskmgr.exe 1880 True True False True False False False 2023-02-13 18:26:21 UTC+0000
0x09965020 smss.exe 368 True True True True False False False
remnux@remnux:~/Downloads$
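The psxview table above is only useful if you read it column by column, so here is an added example (my own code, not part of the original writeup) that parses that exact output, counts the processes with no ExitTime, looks up a PID by name, and flags any False that neither termination nor the well-known boot-order exceptions (System, smss.exe and csrss.exe are not visible in the csrss/session/deskthrd views) explain. The rows are the ones printed above, embedded inline so it runs offline.

```python
import re

# The psxview rows from the output above, embedded inline so this runs offline.
PSXVIEW_OUTPUT = """\
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x09a88da0 winlogon.exe 616 True True True True True True True
0x09aa0020 lsass.exe 672 True True True True True True True
0x0994a020 msmsgs.exe 636 True True True True True True True
0x097289a8 svchost.exe 1108 True True True True True True True
0x09982da0 VBoxTray.exe 376 True True True True True True True
0x09a9f6f8 svchost.exe 968 True True True True True True True
0x09aab590 svchost.exe 880 True True True True True True True
0x09aaa3d8 VBoxService.exe 832 True True True True True True True
0x09694388 wscntfy.exe 480 True True True True True True True
0x09730da0 svchost.exe 1060 True True True True True True True
0x097075d0 spoolsv.exe 1608 True True True True True True True
0x099adda0 svchost.exe 1156 True True True True True True True
0x09938998 services.exe 660 True True True True True True True
0x0969d2a0 alg.exe 540 True True True True True True True
0x09a0fda0 DumpIt.exe 276 True True True True True True True
0x09733938 explorer.exe 1484 True True True True True True True
0x09a0d180 notepad.exe 1432 True True False True False False False 2023-02-13 18:28:40 UTC+0000
0x09a18da0 cmd.exe 1960 True True False True False False False 2023-02-13 18:25:26 UTC+0000
0x099e6da0 notepad.exe 1444 True True False True False False False 2023-02-13 18:28:47 UTC+0000
0x096c5020 notepad.exe 528 True True False True False False False 2023-02-13 18:27:46 UTC+0000
0x099dd740 rootkit.exe 964 True True False True False False False 2023-02-13 18:25:26 UTC+0000
0x09c037f8 System 4 True True True True False False False
0x09a98da0 csrss.exe 592 True True True True False True True
0x09a0b2f0 taskmgr.exe 1880 True True False True False False False 2023-02-13 18:26:21 UTC+0000
0x09965020 smss.exe 368 True True True True False False False
"""

BOOL_COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+"
    + r"\s+".join(r"(?P<%s>True|False)" % c for c in BOOL_COLUMNS)
    + r"(?:\s+(?P<exit>\S.*?))?\s*$"
)

# A False in these columns is normal even on a clean system: System and smss.exe
# start before csrss.exe exists, and csrss.exe cannot list itself.
EXPECTED_FALSE = {
    "System": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}
# Columns that legitimately go False once a process has terminated; the
# _EPROCESS lingers until the parent reaps it, so pslist still shows it.
EXITED_FALSE = {"thrdproc", "csrss", "session", "deskthrd"}


def parse_psxview(text):
    """Turn psxview's text table into a list of dicts with bool columns."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        row = {"offset": int(m.group("offset"), 16), "name": m.group("name"),
               "pid": int(m.group("pid")), "exit_time": m.group("exit")}
        for col in BOOL_COLUMNS:
            row[col] = m.group(col) == "True"
        rows.append(row)
    return rows


def running_processes(rows):
    """Processes with no ExitTime, i.e. still running at acquisition."""
    return [r for r in rows if r["exit_time"] is None]


def pid_of(rows, name):
    return [r["pid"] for r in rows if r["name"].lower() == name.lower()]


def cross_view_anomalies(rows):
    """Rows with a False that neither termination nor the boot-order
    exceptions explain: the signature of a process hidden from one view."""
    anomalies = []
    for r in rows:
        expected = set(EXPECTED_FALSE.get(r["name"], set()))
        if r["exit_time"] is not None:
            expected |= EXITED_FALSE
        bad = [c for c in BOOL_COLUMNS if not r[c] and c not in expected]
        if bad:
            anomalies.append((r["name"], r["pid"], bad))
    return anomalies


if __name__ == "__main__":
    rows = parse_psxview(PSXVIEW_OUTPUT)
    print("running:", len(running_processes(rows)))
    print("cmd.exe pid:", pid_of(rows, "cmd.exe"))
    print("cross-view anomalies:", cross_view_anomalies(rows))
```

On this image the anomaly list comes back empty: rootkit.exe is not hiding from any view, it simply ran and exited. The value of psxview here is in confirming that nothing else is unlinked, not in finding the rootkit.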
What is the process ID of cmd.exe?
You can confirm it with the command from the previous question.
What is the name of the most suspicious process?
There is one process that looks like a rootkit.
Which process shows the highest likelihood of code injection?
You can check it with the malfind command.
remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 malfind
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
Process: csrss.exe Pid: 592 Address: 0x7f6f0000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
0x000000007f6f0000 c8 00 00 00 84 01 00 00 ff ee ff ee 08 70 00 00 .............p..
0x000000007f6f0010 08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................
0x000000007f6f0020 00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f ................
0x000000007f6f0030 03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 ................
...(omitted)
Process: winlogon.exe Pid: 616 Address: 0x62220000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x0000000062220000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0000000062220010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0000000062220020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0000000062220030 00 00 00 00 2a 00 2a 00 01 00 00 00 00 00 00 00 ....*.*.........
0x0000000062220000 0000 ADD [EAX], AL
0x0000000062220002 0000 ADD [EAX], AL
0x0000000062220004 0000 ADD [EAX], AL
0x0000000062220006 0000 ADD [EAX], AL
0x0000000062220008 0000 ADD [EAX], AL
0x000000006222000a 0000 ADD [EAX], AL
0x000000006222000c 0000 ADD [EAX], AL
0x000000006222000e 0000 ADD [EAX], AL
0x0000000062220010 0000 ADD [EAX], AL
0x0000000062220012 0000 ADD [EAX], AL
0x0000000062220014 0000 ADD [EAX], AL
0x0000000062220016 0000 ADD [EAX], AL
0x0000000062220018 0000 ADD [EAX], AL
0x000000006222001a 0000 ADD [EAX], AL
0x000000006222001c 0000 ADD [EAX], AL
0x000000006222001e 0000 ADD [EAX], AL
0x0000000062220020 0000 ADD [EAX], AL
0x0000000062220022 0000 ADD [EAX], AL
0x0000000062220024 0000 ADD [EAX], AL
0x0000000062220026 0000 ADD [EAX], AL
0x0000000062220028 0000 ADD [EAX], AL
0x000000006222002a 0000 ADD [EAX], AL
0x000000006222002c 0000 ADD [EAX], AL
0x000000006222002e 0000 ADD [EAX], AL
0x0000000062220030 0000 ADD [EAX], AL
0x0000000062220032 0000 ADD [EAX], AL
0x0000000062220034 2a00 SUB AL, [EAX]
0x0000000062220036 2a00 SUB AL, [EAX]
0x0000000062220038 0100 ADD [EAX], EAX
0x000000006222003a 0000 ADD [EAX], AL
0x000000006222003c 0000 ADD [EAX], AL
0x000000006222003e 0000 ADD [EAX], AL
Process: svchost.exe Pid: 880 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x0000000000980000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x0000000000980010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x0000000000980020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0000000000980030 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
0x0000000000980000 4d DEC EBP
0x0000000000980001 5a POP EDX
0x0000000000980002 90 NOP
0x0000000000980003 0003 ADD [EBX], AL
0x0000000000980005 0000 ADD [EAX], AL
0x0000000000980007 000400 ADD [EAX+EAX], AL
0x000000000098000a 0000 ADD [EAX], AL
0x000000000098000c ff DB 0xff
0x000000000098000d ff00 INC DWORD [EAX]
0x000000000098000f 00b800000000 ADD [EAX+0x0], BH
0x0000000000980015 0000 ADD [EAX], AL
0x0000000000980017 004000 ADD [EAX+0x0], AL
0x000000000098001a 0000 ADD [EAX], AL
0x000000000098001c 0000 ADD [EAX], AL
0x000000000098001e 0000 ADD [EAX], AL
0x0000000000980020 0000 ADD [EAX], AL
0x0000000000980022 0000 ADD [EAX], AL
0x0000000000980024 0000 ADD [EAX], AL
0x0000000000980026 0000 ADD [EAX], AL
0x0000000000980028 0000 ADD [EAX], AL
0x000000000098002a 0000 ADD [EAX], AL
0x000000000098002c 0000 ADD [EAX], AL
0x000000000098002e 0000 ADD [EAX], AL
0x0000000000980030 0000 ADD [EAX], AL
0x0000000000980032 0000 ADD [EAX], AL
0x0000000000980034 0000 ADD [EAX], AL
0x0000000000980036 0000 ADD [EAX], AL
0x0000000000980038 0000 ADD [EAX], AL
0x000000000098003a 0000 ADD [EAX], AL
0x000000000098003c f8 CLC
0x000000000098003d 0000 ADD [EAX], AL
0x000000000098003f 00 DB 0x0
remnux@remnux:~/Downloads$
The magic number 4d 5a 90 00 is what you see at the start of a PE executable, and the PAGE_EXECUTE_READWRITE protection also makes it very likely that something was injected here.
So this looks like the process that was injected into.
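malfind reports every private executable-writable region, so the three hits above need triage rather than a blanket verdict. The added example below (my own code, not from the original writeup) takes the protection, base address and the 64 bytes malfind printed for each hit and decides which it is: a PE image written into a private RWX allocation (the svchost.exe case, where e_lfanew at offset 0x3c is 0xf8, putting the NT headers at 0x9800f8), an NT heap (the csrss.exe case, whose ff ee ff ee at offset 8 is the 0xEEFFEEFF heap signature and a routine false positive), or a region that needs a larger dump before anything can be said (the winlogon.exe window). The hex strings are constructed from the bytes shown above.

```python
import struct

RWX = "PAGE_EXECUTE_READWRITE"
HEAP_SIGNATURE = 0xEEFFEEFF  # _HEAP.Signature, at offset 8 on 32-bit XP

# Constructed from the first 64 bytes malfind printed above for each hit.
SVCHOST_HEX = (  # PID 880, base 0x980000
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00"
    " b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    " 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00"
)
CSRSS_HEX = (  # PID 592, base 0x7f6f0000
    "c8 00 00 00 84 01 00 00 ff ee ff ee 08 70 00 00"
    " 08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00"
    " 00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f"
    " 03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00"
)
WINLOGON_HEX = "00 " * 52 + "2a 00 2a 00 01 00 00 00 00 00 00 00"  # PID 616, base 0x62220000


def parse_dos_header(region):
    """Decode the IMAGE_DOS_HEADER fields that matter for triage:
    e_magic at offset 0 and e_lfanew (offset of the NT headers) at 0x3c."""
    if len(region) < 0x40:
        return None
    e_lfanew, = struct.unpack_from("<I", region, 0x3C)
    return {"e_magic": bytes(region[:2]), "e_lfanew": e_lfanew}


def classify_region(protection, base, region):
    """Triage one malfind hit from its protection and first bytes.
    Returns (verdict, details)."""
    if protection != RWX:
        return "not-rwx", {}
    hdr = parse_dos_header(region)
    if hdr and hdr["e_magic"] == b"MZ":
        # Loader-mapped images are MEM_IMAGE with read-only headers; a PE
        # header inside a private RWX allocation means the image was written
        # there by the process itself or by another process.
        return "pe-in-rwx", {
            "e_lfanew": hdr["e_lfanew"],
            "nt_headers_at": base + hdr["e_lfanew"],
            # Real e_lfanew values sit just past the DOS stub; anything huge
            # or below 0x40 is a sign the "MZ" is coincidental.
            "e_lfanew_plausible": 0x40 <= hdr["e_lfanew"] <= 0x1000,
        }
    if len(region) >= 12 and struct.unpack_from("<I", region, 8)[0] == HEAP_SIGNATURE:
        # An NT heap created with execute rights: a known malfind false positive.
        return "rwx-heap", {}
    # malfind only samples the first bytes; dump the whole VAD (vaddump)
    # before deciding anything about a region that shows neither marker.
    return "rwx-unknown", {}


if __name__ == "__main__":
    for label, base, hexdata in (("svchost.exe", 0x980000, SVCHOST_HEX),
                                 ("csrss.exe", 0x7f6f0000, CSRSS_HEX),
                                 ("winlogon.exe", 0x62220000, WINLOGON_HEX)):
        print(label, classify_region(RWX, base, bytes.fromhex(hexdata)))
```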
There is an odd file referenced in the recent process. Provide the full path of that file.
Take a memory dump of the injected process identified above.
remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 memdump -p 880 -D out
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
************************************************************************
Writing svchost.exe [ 880] to 880.dmp
After that, all that's left is to grep the dump with a regular expression for a full path.
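A plain grep over a dump only sees ASCII strings, while Windows keeps most path strings in memory as UTF-16LE, so the regex has to be run in both encodings. The added example below (my own code, not the original writeup's command) does that over a constructed stand-in for 880.dmp and then applies a simple triage filter that keeps only paths outside the usual system directories. The embedded file names are placeholders, not the challenge's answer, and NORMAL_DIRS is an assumption chosen for this illustration.

```python
import re

# Constructed stand-in for a process memory dump (not the real 880.dmp):
# filler bytes with one ASCII path and one UTF-16LE path embedded, the two
# encodings in which Windows keeps path strings in process memory.
# The file names are placeholders, not the challenge's answer.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"C:\\WINDOWS\\system32\\svchost.exe\x00"
    + b"\x90" * 8
    + "C:\\Documents and Settings\\user\\Local Settings\\Temp\\placeholder.dll".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x00" * 16
)

# One path component: no control characters and none of the NTFS-reserved ones.
COMPONENT = rb'[^\x00-\x1f\\/:*?"<>|]+'
ASCII_PATH = re.compile(rb"[A-Za-z]:\\(?:" + COMPONENT + rb"\\)*" + COMPONENT)
# Same shape in UTF-16LE: every printable ASCII character followed by a zero byte.
UTF16_PATH = re.compile(rb"[A-Za-z]\x00:\x00\\\x00(?:[\x20-\x7e]\x00)+")

# Assumed "boring" prefixes for the triage filter (lower-cased, trailing backslash).
NORMAL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\", "c:\\windows\\apppatch\\")


def find_paths(blob):
    """Return (offset, encoding, path) for every Windows path found in blob."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_PATH.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in UTF16_PATH.finditer(blob)]
    return sorted(hits)


def unusual_paths(hits):
    """Triage filter: keep paths that live outside the usual system directories."""
    return [p for _, _, p in hits if not p.lower().startswith(NORMAL_DIRS)]


if __name__ == "__main__":
    found = find_paths(SAMPLE_DUMP)
    for offset, enc, path in found:
        print("0x%08x %-8s %s" % (offset, enc, path))
    print("worth a closer look:", unusual_paths(found))
```

To run it on a real dump, replace SAMPLE_DUMP with the file contents (for example open("out/880.dmp", "rb").read()); the regexes work on bytes, so no decoding of the whole dump is needed.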
What is the name of the injected dll file loaded from the recent process?
You can check it with ldrmodules, filtered to PID 880, the injected process. If any of InLoad, InInit or InMem shows False, that is suspicious.
remnux@remnux:~/Downloads$ vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 ldrmodules -p 880
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
880 svchost.exe 0x6f880000 True True True \WINDOWS\AppPatch\AcGenral.dll
880 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
880 svchost.exe 0x77f60000 True True True \WINDOWS\system32\shlwapi.dll
880 svchost.exe 0x74f70000 True True True \WINDOWS\system32\icaapi.dll
880 svchost.exe 0x76f60000 True True True \WINDOWS\system32\wldap32.dll
880 svchost.exe 0x77c00000 True True True \WINDOWS\system32\version.dll
880 svchost.exe 0x5ad70000 True True True \WINDOWS\system32\uxtheme.dll
880 svchost.exe 0x76e80000 True True True \WINDOWS\system32\rtutils.dll
880 svchost.exe 0x771b0000 True True True \WINDOWS\system32\wininet.dll
880 svchost.exe 0x76c90000 True True True \WINDOWS\system32\imagehlp.dll
880 svchost.exe 0x76bc0000 True True True \WINDOWS\system32\regapi.dll
880 svchost.exe 0x77dd0000 True True True \WINDOWS\system32\advapi32.dll
880 svchost.exe 0x76f20000 True True True \WINDOWS\system32\dnsapi.dll
880 svchost.exe 0x77be0000 True True True \WINDOWS\system32\msacm32.dll
880 svchost.exe 0x7e1e0000 True True True \WINDOWS\system32\urlmon.dll
880 svchost.exe 0x68000000 True True True \WINDOWS\system32\rsaenh.dll
880 svchost.exe 0x722b0000 True True True \WINDOWS\system32\sensapi.dll
880 svchost.exe 0x76e10000 True True True \WINDOWS\system32\adsldpc.dll
880 svchost.exe 0x76b40000 True True True \WINDOWS\system32\winmm.dll
880 svchost.exe 0x773d0000 True True True \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
880 svchost.exe 0x71a50000 True True True \WINDOWS\system32\mswsock.dll
880 svchost.exe 0x5b860000 True True True \WINDOWS\system32\netapi32.dll
880 svchost.exe 0x00670000 True True True \WINDOWS\system32\xpsp2res.dll
880 svchost.exe 0x76e90000 True True True \WINDOWS\system32\rasman.dll
880 svchost.exe 0x77a80000 True True True \WINDOWS\system32\crypt32.dll
880 svchost.exe 0x71ab0000 True True True \WINDOWS\system32\ws2_32.dll
880 svchost.exe 0x77cc0000 True True True \WINDOWS\system32\activeds.dll
880 svchost.exe 0x71ad0000 True True True \WINDOWS\system32\wsock32.dll
880 svchost.exe 0x774e0000 True True True \WINDOWS\system32\ole32.dll
880 svchost.exe 0x77920000 True True True \WINDOWS\system32\setupapi.dll
880 svchost.exe 0x7e410000 True True True \WINDOWS\system32\user32.dll
880 svchost.exe 0x7c900000 True True True \WINDOWS\system32\ntdll.dll
880 svchost.exe 0x77f10000 True True True \WINDOWS\system32\gdi32.dll
880 svchost.exe 0x77120000 True True True \WINDOWS\system32\oleaut32.dll
880 svchost.exe 0x5cb70000 True True True \WINDOWS\system32\shimeng.dll
880 svchost.exe 0x74980000 True True True \WINDOWS\system32\msxml3.dll
880 svchost.exe 0x009a0000 False False False \WINDOWS\system32\msxml3r.dll
880 svchost.exe 0x77e70000 True True True \WINDOWS\system32\rpcrt4.dll
880 svchost.exe 0x769c0000 True True True \WINDOWS\system32\userenv.dll
880 svchost.exe 0x7c800000 True True True \WINDOWS\system32\kernel32.dll
880 svchost.exe 0x76fd0000 True True True \WINDOWS\system32\clbcatq.dll
880 svchost.exe 0x76b20000 True True True \WINDOWS\system32\atl.dll
880 svchost.exe 0x71bf0000 True True True \WINDOWS\system32\samlib.dll
880 svchost.exe 0x77690000 True True True \WINDOWS\system32\ntmarta.dll
880 svchost.exe 0x77c10000 True True True \WINDOWS\system32\msvcrt.dll
880 svchost.exe 0x760f0000 True True True \WINDOWS\system32\termsrv.dll
880 svchost.exe 0x76fc0000 True True True \WINDOWS\system32\rasadhlp.dll
880 svchost.exe 0x76c30000 True True True \WINDOWS\system32\wintrust.dll
880 svchost.exe 0x7c9c0000 True True True \WINDOWS\system32\shell32.dll
880 svchost.exe 0x77050000 True True True \WINDOWS\system32\comres.dll
880 svchost.exe 0x76eb0000 True True True \WINDOWS\system32\tapi32.dll
880 svchost.exe 0x76a80000 True True True \WINDOWS\system32\rpcss.dll
880 svchost.exe 0x5d090000 True True True \WINDOWS\system32\comctl32.dll
880 svchost.exe 0x71aa0000 True True True \WINDOWS\system32\ws2help.dll
880 svchost.exe 0x776c0000 True True True \WINDOWS\system32\authz.dll
880 svchost.exe 0x76ee0000 True True True \WINDOWS\system32\rasapi32.dll
880 svchost.exe 0x77b20000 True True True \WINDOWS\system32\msasn1.dll
880 svchost.exe 0x75110000 True True True \WINDOWS\system32\mstlsapi.dll
880 svchost.exe 0x77fe0000 True True True \WINDOWS\system32\secur32.dll
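Reading sixty ldrmodules rows for a stray False by eye is error-prone, and one False is expected on every process: the main executable never appears in the InInitializationOrder list, so InInit=False on svchost.exe itself is normal. The added example below (my own code, not from the original writeup) parses a subset of the rows above, drops that expected case, and reports the modules that are missing from one or more of the PEB lists, which is how an unlinked or manually mapped DLL shows up.

```python
import re

# A subset of the ldrmodules rows shown above for PID 880, embedded inline
# with the same values so this runs offline.
LDRMODULES_OUTPUT = r"""
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
880 svchost.exe 0x6f880000 True True True \WINDOWS\AppPatch\AcGenral.dll
880 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
880 svchost.exe 0x7c900000 True True True \WINDOWS\system32\ntdll.dll
880 svchost.exe 0x74980000 True True True \WINDOWS\system32\msxml3.dll
880 svchost.exe 0x009a0000 False False False \WINDOWS\system32\msxml3r.dll
880 svchost.exe 0x7c800000 True True True \WINDOWS\system32\kernel32.dll
"""

LISTS = ("InLoad", "InInit", "InMem")
ROW_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<InLoad>True|False)\s+(?P<InInit>True|False)\s+(?P<InMem>True|False)"
    r"\s*(?P<path>\S.*?)?\s*$"
)


def parse_ldrmodules(text):
    """Turn ldrmodules' text table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        row = {"pid": int(m.group("pid")), "process": m.group("proc"),
               "base": int(m.group("base"), 16), "path": m.group("path") or ""}
        for col in LISTS:
            row[col] = m.group(col) == "True"
        rows.append(row)
    return rows


def is_main_executable(row):
    # The process's own image is never placed on InInitializationOrder,
    # so InInit=False on the .exe is expected for every Windows process.
    return row["path"].lower().endswith(".exe")


def suspicious_modules(rows):
    """Modules missing from at least one PEB list (the .exe exception removed),
    plus anything mapped with no backing path. An entry absent from all three
    lists but still backed by a file mapping is the classic unlinked DLL."""
    findings = []
    for r in rows:
        missing = [col for col in LISTS if not r[col]]
        if is_main_executable(r) and missing == ["InInit"]:
            continue
        if missing or not r["path"]:
            findings.append((hex(r["base"]), r["path"], missing))
    return findings


if __name__ == "__main__":
    for base, path, missing in suspicious_modules(parse_ldrmodules(LDRMODULES_OUTPUT)):
        print(base, path, "missing from:", ", ".join(missing) or "(no mapped path)")
```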
What is the base address of the injected dll?
The address can be seen in the malfind output.
Process: svchost.exe Pid: 880 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x0000000000980000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x0000000000980010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x0000000000980020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0000000000980030 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
Conclusion
This was a good lesson in DLL injection.
volatility2 is nice.
Originally published by @schectman-hell: [CyberDefenders] BlackEnergy [Writeup]