Go Binary Analysis with gftrace

逆向病毒分析 6个月前 admin

83 0 0

Background 背景

Napper 午睡者

In the Napper box from HackTheBox, the target has decided to build their own custom LAPS solution to rotate an administrative password. It works by running a Go binary, a.exe, every 5 minutes. This binary will use a seed value to seed the Go random number generator and generate an encryption key. It then encrypts a long random string, storing the seed and the encrypted value in an ElasticSearch instance. Finally, it updates the backup user’s password to be the long random string.
在 HackTheBox 的 Napper 框中，目标已决定构建自己的自定义 LAPS 解决方案来轮换管理密码。它的工作原理是每 5 分钟运行一次 Go 二进制文件 a.exe 。此二进制文件将使用种子值来为 Go 随机数生成器提供种子并生成加密密钥。然后，它加密一个长随机字符串，将种子和加密值存储在 ElasticSearch 实例中。最后，它将备份用户的密码更新为长随机字符串。

gftrace

gftrace is available at this GitHub repo. There’s a lot of good detail in the README.md. Golang uses a single function asmstdcall to interact with the Window API. gftrace runs the program while watching all calls and returns from this function, and logs them to the terminal.
gftrace 可在此 GitHub 存储库中找到。中 README.md 有很多很好的细节。Golang 使用单个函数 asmstdcall 与 Window API 进行交互。 gftrace 在监视此函数的所有调用和返回的同时运行程序，并将它们记录到终端。

This raises the most important point for using gftrace – IT IS RUNNING THE BINARY. For cases like Napper, this turns out to be very useful. But if working with real malware, be very careful to run in a contained environment with snapshots and a controlled network.
这提出了使用 gftrace 最重要的一点 – 它正在运行二进制文件。对于像 Napper 这样的情况，这非常有用。但是，如果使用真正的恶意软件，请非常小心地在具有快照和受控网络的封闭环境中运行。

gftrace + Napper

Getting Full Run 全面运行

Missing .env 缺少 .env

I’ll download the latest gftrace release, and run it pointing to a.exe:
我将下载最新版本 gftrace ，并运行它，指向 a.exe ：

PS > C:\tools\gftrace64\gftrace.exe a.exe

- CreateFileW(".env", 0x80000000, 0x3, 0x0, 0x3, 0x2000001, 0x0, 0x0, 0x0) = 0xffffffff (-1)
- GetTimeZoneInformation(0xc0000cb774, 0x0, 0x0) = 0x2 (2)
2024/05/07 07:04:12 Error loading .env file


[+] Trace finished! Press "Enter" to close...

Right away it is showing CreateFileW called on .env, and the return value is -1, which means it failed. It also calls GetTimeZoneInformation.
它立即显示 CreateFileW called on .env ，返回值为 -1，这意味着它失败了。它还调用 GetTimeZoneInformation .

Missing Tunnel 缺少隧道

I’ll copy the .env file from Napper into the same directory as a.exe:
我会将 .env 文件从 Napper 复制到与以下 a.exe 目录相同的目录中：

ELASTICUSER=user
ELASTICPASS=DumpPassword$Here
ELASTICURI=https://127.0.0.1:9200

On running again, it gets further:
再次运行时，它会走得更远：

PS > C:\tools\gftrace64\gftrace.exe a.exe

- CreateFileW(".env", 0x80000000, 0x3, 0x0, 0x3, 0x2000001, 0x0, 0x0, 0x0) = 0x180 (384)
- ReadFile(0x180, 0xc00020a000, 0x200, 0xc0001436ac, 0x0, 0x0) = 0x1 (1)
- ReadFile(0x180, 0xc000168452, 0x3ae, 0xc0001436ac, 0x0, 0x0) = 0x1 (1)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x188 (392)
- socket(0x2, 0x1, 0x6) = 0x190 (400)
- WSAIoctl(0x190, 0xc8000006, 0x106ab00, 0x10, 0x10bba90, 0x8, 0xc00011ad9c, 0x0, 0x0) = 0x0 (0)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x188 (392)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x1a0 (416)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x1a4 (420)
- GetTimeZoneInformation(0xc00014376c, 0x0, 0x0) = 0x2 (2)
2024/05/07 07:10:29 Error getting response: dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.

[+] Trace finished! Press "Enter" to close...

The return value from CreateFileW is the handle to the file (rather than -1). It reads the .env file, and is starting to make network connections. Putting in the constants for WSASocketW as defined here gives WSASocketW(AF_INET, SOCK_STREAM, 0, 0, 0, WSA_FLAG_OVERLAPPED|WSA_FLAG_NO_HANDLE_INHERIT).
返回 CreateFileW 值是文件的句柄（而不是 -1）。它读取 .env 文件，并开始建立网络连接。输入此处定义的 WSASocketW 常量得到 WSASocketW(AF_INET, SOCK_STREAM, 0, 0, 0, WSA_FLAG_OVERLAPPED|WSA_FLAG_NO_HANDLE_INHERIT) 。

It’s a bit lacking in that I don’t see it actually trying to make the connection.
它有点缺乏，因为我没有看到它实际上试图建立联系。

Full Run 全运行

In this scenario, I’ll need to use Chisel to create a tunnel to the Elastic instance listening on localhost:9200 on Napper (see the blog post on Napper for details).
在此场景中，我需要使用 Chisel 创建一条通往 Elastic 实例的隧道，该实例在 Napper localhost:9200 上侦听（有关详细信息，请参阅有关 Napper 的博客文章）。

Once I have that in place, it will run the full binary:
一旦我准备好了，它将运行完整的二进制文件：

PS Z:\hackthebox\napper-10.10.11.240 > C:\tools\gftrace64\gftrace.exe a.exe

- CreateFileW(".env", 0x80000000, 0x3, 0x0, 0x3, 0x2000001, 0x0, 0x0, 0x0) = 0x178 (376)
- ReadFile(0x178, 0xc000112000, 0x200, 0xc0000cb6ac, 0x0, 0x0) = 0x1 (1)
- ReadFile(0x178, 0xc000070452, 0x3ae, 0xc0000cb6ac, 0x0, 0x0) = 0x1 (1)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x180 (384)
- socket(0x2, 0x1, 0x6) = 0x188 (392)
- WSAIoctl(0x188, 0xc8000006, 0x140ab00, 0x10, 0x145ba90, 0x8, 0xc00009ed9c, 0x0, 0x0) = 0x0 (0)
- setsockopt(0x180, 0xffff, 0x7010, 0xc00005d410, 0x8, 0x0) = 0x0 (0)
- setsockopt(0x180, 0x6, 0x1, 0xc00009f22c, 0x4, 0x0) = 0x0 (0)
- setsockopt(0x180, 0xffff, 0x8, 0xc00009f22c, 0x4, 0x0) = 0x0 (0)
- WSAIoctl(0x180, 0x98000004, 0xc00009f284, 0xc, 0x0, 0x0, 0xc00009f274, 0x0, 0x0) = 0x0 (0)
- WSASend(0x180, 0xc00005d528, 0x1, 0xc00005d518, 0x0, 0xc00005d4e8, 0x0, 0x0, 0x0) = 0x0 (0)
- WSARecv(0x180, 0xc00005d458, 0x1, 0xc00005d448, 0xc00005d4c8, 0xc00005d418, 0x0, 0x0, 0x0) = 0xffffffff (-1)
- WSARecv(0x180, 0xc00005d458, 0x1, 0xc00005d448, 0xc00005d4c8, 0xc00005d418, 0x0, 0x0, 0x0) = 0x0 (0)
- WSASend(0x180, 0xc00005d528, 0x1, 0xc00005d518, 0x0, 0xc00005d4e8, 0x0, 0x0, 0x0) = 0x0 (0)
- WSARecv(0x180, 0xc00005d458, 0x1, 0xc00005d448, 0xc00005d4c8, 0xc00005d418, 0x0, 0x0, 0x0) = 0xffffffff (-1)
- WSASend(0x180, 0xc00005d528, 0x1, 0xc00005d518, 0x0, 0xc00005d4e8, 0x0, 0x0, 0x0) = 0x0 (0)
- WSARecv(0x180, 0xc00005d458, 0x1, 0xc00005d448, 0xc00005d4c8, 0xc00005d418, 0x0, 0x0, 0x0) = 0xffffffff (-1)
- WSASend(0x180, 0xc00005d528, 0x1, 0xc00005d518, 0x0, 0xc00005d4e8, 0x0, 0x0, 0x0) = 0x0 (0)
- GetTimeZoneInformation(0xc0000cb48c, 0x0, 0x0) = 0x2 (2)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x1b0 (432)
- setsockopt(0x1b0, 0xffff, 0x7010, 0xc0000ce790, 0x8, 0x0) = 0x0 (0)
- setsockopt(0x1b0, 0x6, 0x1, 0xc00009f22c, 0x4, 0x0) = 0x0 (0)
- setsockopt(0x1b0, 0xffff, 0x8, 0xc00009f22c, 0x4, 0x0) = 0x0 (0)
- WSAIoctl(0x1b0, 0x98000004, 0xc00009f284, 0xc, 0x0, 0x0, 0xc00009f274, 0x0, 0x0) = 0x0 (0)
- WSASend(0x1b0, 0xc0000ce8a8, 0x1, 0xc0000ce898, 0x0, 0xc0000ce868, 0x0, 0x0, 0x0) = 0x0 (0)
- WSARecv(0x1b0, 0xc0000ce7d8, 0x1, 0xc0000ce7c8, 0xc0000ce848, 0xc0000ce798, 0x0, 0x0, 0x0) = 0xffffffff (-1)
- WSARecv(0x1b0, 0xc0000ce7d8, 0x1, 0xc0000ce7c8, 0xc0000ce848, 0xc0000ce798, 0x0, 0x0, 0x0) = 0x0 (0)
- WSASend(0x1b0, 0xc0000ce8a8, 0x1, 0xc0000ce898, 0x0, 0xc0000ce868, 0x0, 0x0, 0x0) = 0x0 (0)
- WSARecv(0x1b0, 0xc0000ce7d8, 0x1, 0xc0000ce7c8, 0xc0000ce848, 0xc0000ce798, 0x0, 0x0, 0x0) = 0xffffffff (-1)
- WSASend(0x1b0, 0xc0000ce8a8, 0x1, 0xc0000ce898, 0x0, 0xc0000ce868, 0x0, 0x0, 0x0) = 0x0 (0)
- CreateFileW("NUL", 0x80000000, 0x3, 0x0, 0x3, 0x2000001, 0x0, 0x0, 0x0) = 0x1b4 (436)
- CreateProcessW("C:\Windows\System32\cmd.exe", "C:\Windows\System32\cmd.exe /c net user backup FIOGIcvUoslXiDffknKDzwTtoLRVmxvDRDFCBteG", 0x0, 0x0, 0x1, 0x80400, "=::=::\", 0x0, 0xc0000cb818, 0xc0000cb6f8, 0x0, 0x0) = 0x1 (1)
- ReadFile(0x1bc, 0xc00019c400, 0x200, 0xc0001bbcfc, 0x0, 0x0) = 0x1 (1)
- ReadFile(0x1bc, 0xc000266023, 0x3dd, 0xc0001bbcfc, 0x0, 0x0) = 0x1 (1)
- ReadFile(0x1bc, 0xc00026605b, 0x3a5, 0xc0001bbcfc, 0x0, 0x0) = 0x0 (0)
2024/05/07 07:17:19 exit status 2

[+] Trace finished! Press "Enter" to close...

This is very cool. While the networking stuff isn’t great, the CreateProcessW call details are awesome!
这很酷。虽然网络的东西不是很好， CreateProcessW 但通话细节很棒！

- CreateProcessW("C:\Windows\System32\cmd.exe", "C:\Windows\System32\cmd.exe /c net user backup                                      FIOGIcvUoslXiDffknKDzwTtoLRVmxvDRDFCBteG", 0x0, 0x0, 0x1, 0x80400, "=::=::\", 0x0, 0xc0000cb818, 0xc0000cb6f8, 0x0, 0x0) = 0x1 (1)

It shows the call to cmd.exe with the full command line. In fact, this would be enough to solve Napper without and other reverse engineering or coding, as I can see the password being set.
它显示使用完整命令行的调用 cmd.exe 。事实上，这足以解决 Napper 而无需其他逆向工程或编码，因为我可以看到正在设置的密码。

Configuration File 配置文件

Default 违约

gftrace comes with a gftrace.cfg file that must be in the same directory as gftrace.exe that specifies what system calls to log. It’s important to know this, because other calls will not show up:
gftrace 附带一个 gftrace.cfg 文件，该文件必须与 gftrace.exe 指定要记录的系统调用所在的目录位于同一目录中。了解这一点很重要，因为其他调用不会显示：

CreateFileW,ReadFile,WriteFile,MoveFileW,DeleteFileW,SetFilePointerEx,CopyFileW,FindFirstFileW,SetFileAttributesW,GetCurrentDirectoryW,GetUserProfileDirectoryW,SetCurrentDirectoryW,GetTempPathW,GetModuleFileNameW,RemoveDirectoryW,GetSystemDirectoryW,GetFullPathNameW,WSASocketW,socket,setsockopt,gethostbyname,WSARecvFrom,WSASendTo,DnsQuery_W,WSAIoctl,WSASend,WSASendTo,WSARecv,GetAddrInfoW,WinHttpAddRequestHeaders,WinHttpOpen,WinHttpConnect,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpReadData,WinHttpSetOption,WinHttpSetTimeouts,WinHttpGetIEProxyConfigForCurrentUser,WinHttpGetProxyForUrl,WinHttpGetDefaultProxyConfiguration,OpenProcess,CreateProcessW,CreateProcessAsUserW,TerminateProcess,GetCurrentProcessId,ReadProcessMemory,WriteProcessMemory,ConvertSidToStringSidW,CreateMutexW,CreateToolhelp32Snapshot,QueryFullProcessImageNameW,OpenProcessToken,GetTokenInformation,CheckTokenMembership,AdjustTokenPrivileges,LookupAccountSidW,CreateNamedPipeW,ShellExecuteW,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetLogicalDrives,GetDriveTypeW,GetLogicalDriveStringsW,GetVolumeInformationW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegSetValueExW,RegDeleteKeyW,GetComputerNameExW,LookupAccountNameW,NetUserGetInfo,GetAdaptersAddresses,GetTimeZoneInformation,GetMonitorInfoW,EnumDisplaySettingsW,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,BitBlt,GetDIBits,SelectObject,GetSystemTimes,RegisterServiceCtrlHandlerExW

I don’t love this, as I would prefer to have the option to pass parameters into the command line rather than changing the full config for different runs.
我不喜欢这个，因为我更愿意选择将参数传递到命令行中，而不是更改不同运行的完整配置。

I thought perhaps that the config was why I wasn’t seeing any kind of connection in the results, but I tried adding all the calls I could think of that might have been missed, and none of them came out on running. I wish this config were a bit more configurable. Not sure if a show all or show all except this list would be possible given how the tool works, but that would be awesome.
我想也许配置是我在结果中没有看到任何联系的原因，但我尝试添加所有我能想到的可能错过的调用，但它们都没有在运行时出现。我希望这个配置更可配置一些。考虑到该工具的工作原理，不确定是否可以全部显示或显示除此列表之外的所有内容，但那会很棒。

Limited 有限

Still, I can tailor what I want to see for this binary. For example, here the network stuff isn’t very useful, so I can update the config to just show the file and process related calls:
不过，我可以为这个二进制文件定制我想看到的内容。例如，这里的网络内容不是很有用，所以我可以更新配置以仅显示文件并处理相关调用：

CreateFileW,CreateProcessW

Now when I run, it just shows these lines:
现在，当我运行时，它只显示以下几行：

PS > C:\tools\gftrace64\gftrace.exe a.exe test.cfg

- CreateFileW(".env", 0x80000000, 0x3, 0x0, 0x3, 0x2000001, 0x0, 0x0, 0x0) = 0x180 (384)
- CreateFileW("NUL", 0x80000000, 0x3, 0x0, 0x3, 0x2000001, 0x0, 0x0, 0x0) = 0x1ac (428)
- CreateProcessW("C:\Windows\System32\cmd.exe", "C:\Windows\System32\cmd.exe /c net user backup oXzLKiYHpyiRmkjAPfzLXSMzoOqMzHoVcinVwISa", 0x0, 0x0, 0x1, 0x80400, "=::=::\", 0x0, 0xc000187818, 0xc0001876f8, 0x0, 0x0) = 0x1 (1)
2024/05/07 07:43:41 exit status 2

[+] Trace finished! Press "Enter" to close...

Under The Hood 引擎盖下

Overview 概述

gftrace is broken into two projects, injector and tracer:
gftrace 分为两个项目， injector 并且 tracer ：

Each has an MSBuild project file (.vcxproj) file.
每个文件都有一个 MSBuild 项目文件（ .vcxproj ）文件。

injector 注射器

injector has only three files:
injector 只有三个文件：

injector.c is the interesting one. It has a single main function that handles the arguments. It makes sure there’s at least two arguments (the binary name itself plus the binary to run), and then gets the full command line string, and throws away up to the first space:
injector.c 是有趣的一个。它有一个处理参数的函数 main 。它确保至少有两个参数（二进制名称本身加上要运行的二进制文件），然后获取完整的命令行字符串，并丢弃第一个空格：

Next it uses the new CmdLine string (which is basically all the arguments except the first, which would be gftrace.exe) to create a new process in a suspended state:
接下来，它使用新 CmdLine 字符串（基本上是除第一个参数之外的所有参数） gftrace.exe 创建一个处于挂起状态的新进程：

Then it does a bunch of checks and eventually gets the file gftrace.dll and the address of LoadLibraryA from kerneldll.32:
然后它做一堆检查，最终 LoadLibraryA 从以下 kerneldll.32 位置获取文件 gftrace.dll 和地址：

It makes space for the new DLL in the process and writes the DLL in:
它为进程中的新 DLL 腾出空间，并将 DLL 写入：

It then starts a thread in the process loading the new DLL, waits for it, resumes the process, and runs:
然后，它在加载新 DLL 的进程中启动一个线程，等待它，恢复进程，然后运行：

Effectively this has started the process as passed in (including any arguments), injected gftrace.dll into that process and loaded it in a thread.
实际上，这已经启动了传入的进程（包括任何参数），注入 gftrace.dll 该进程并将其加载到线程中。

tracer 示踪

Overview 概述

tracer is a bit more complicated, with multiple .c and .h files for different parts of the functionality:
tracer 有点复杂，有多个 .c 和 .h 文件用于功能的不同部分：

utils.c

utils.c includes a function InitTargetFuncList (source), responsible for reading in the config and parsing it into a data structure of function names. It does this by getting the full path to the DLL:
utils.c 包括一个函数 InitTargetFuncList （源），负责读取配置并将其解析为函数名称的数据结构。它通过获取 DLL 的完整路径来实现此目的：