本文主要是介绍【父子进程/AES/XTEA/SMC】赛后复盘,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
官方wp:
进程重影技术:
进程重映像利用了Windows内核中的缓存同步问题,它会导致可执行文件的路径与从该可执行文件创建的映像节区所报告的路径不匹配。通过在一个诱饵路径上加载DLL,然
后卸载它,然后从一个新路径加载它,许多Windows API将返回旧路径。这可能可以欺骗安全产品,使其在错误的路径上查找加载的映像。
主要创建方式就是先打开一个新文件,然后把这个文件挂到删除列表上,在关闭文件句柄后文件就会被删除,但是在还没有关闭的时候此时文件还未删除,此时能向文件中写入数据,然后再把这个文件映射到内存上,再关闭文件句柄,此时文件删除,但是内存
中还有文件的映像,达到一定的迷惑杀软的目的。
如果是做题的话,直接用IDA附加开启的子进程,然后发现XTEA,解密得到flag
如果是学技术的话,还是要研究一下 “进程重影” 技术思路。
本文两者都会介绍的。
考点:AES\XTEA\进程与子进程\SMC\进程重影
分析
DIE打开,发现是pe64位,无壳
拖进IDA进行分析
习惯操作,先用FindCrypto扫一下,有没有加密
发现AES加密
跟踪main函数,看看它到底要干什么
int __cdecl main_0(int argc, const char **argv, const char **envp)
{j___CheckForDebuggerJustMyCode(&unk_1400A80B9);// vs2022调试debug版c++程序会出现该函数,我也不知道啥用sub_140001FF0(*argv);return 0;
}
AES核心加密逻辑函数
__int64 __fastcall sub_13F887480(char *a1, char *a2, unsigned int a3, __int64 a4, __int64 a5)
{__int64 result; // raxunsigned __int64 i; // [rsp+28h] [rbp+8h]unsigned __int8 v7; // [rsp+44h] [rbp+24h]j___CheckForDebuggerJustMyCode(&unk_13F92800D);v7 = a3 % 0x10;if ( a4 ){qword_13F91D188 = a4;sub_13F888EA0();}if ( a5 )qword_13F91D240 = a5;for ( i = 0i64; i < a3; i += 16i64 ){sub_13F889C80(a2);j_memmove(a1, a2, 0x10ui64);qword_13F91D180 = (__int64)a1;sub_13F887850();qword_13F91D240 = (__int64)a1;a2 += 16;a1 += 16;}result = v7;if ( v7 ){j_memmove(a1, a2, v7);qword_13F91D180 = (__int64)a1;return sub_13F887850();}return result;
}
跟进了sub_14000A700函数
signed int __fastcall sub_14000A700(const char *a1)
{char *v1; // rdi__int64 i; // rcxDWORD LastError; // eaxsigned int result; // eaxHANDLE CurrentProcess; // raxsize_t v6; // raxDWORD dwCreationDisposition; // [rsp+20h] [rbp-40h]char v8; // [rsp+60h] [rbp+0h] BYREFCHAR FileName[48]; // [rsp+68h] [rbp+8h] BYREF__int64 v10[4]; // [rsp+98h] [rbp+38h] BYREFHANDLE hObject; // [rsp+B8h] [rbp+58h]unsigned int v12; // [rsp+D4h] [rbp+74h]char v13[36]; // [rsp+F4h] [rbp+94h] BYREFint v14[12]; // [rsp+118h] [rbp+B8h] BYREF__int64 (__fastcall *v15)(HANDLE, int *, char *, __int64, int); // [rsp+148h] [rbp+E8h]HRSRC hResInfo; // [rsp+168h] [rbp+108h]DWORD v17; // [rsp+184h] [rbp+124h]HGLOBAL hResData; // [rsp+1A8h] [rbp+148h]void *Src; // [rsp+1C8h] [rbp+168h]DWORD NumberOfBytesWritten; // [rsp+1E4h] [rbp+184h] BYREFDWORD nNumberOfBytesToWrite[8]; // [rsp+204h] [rbp+1A4h] BYREFsize_t Size; // [rsp+224h] [rbp+1C4h]void *Block; // [rsp+248h] [rbp+1E8h]LPCVOID lpBuffer[4]; // [rsp+268h] [rbp+208h] BYREF__int64 (__fastcall *v25)(__int64 *, __int64, _QWORD, _QWORD, int, int, HANDLE); // [rsp+288h] [rbp+228h]__int64 v26[3]; // [rsp+2A8h] [rbp+248h] BYREFunsigned int v27[9]; // [rsp+2C4h] [rbp+264h] BYREFHANDLE hHandle[4]; // [rsp+2E8h] [rbp+288h] BYREF__int64 (__fastcall *v29)(HANDLE *, __int64, _QWORD, HANDLE, DWORD, __int64, _QWORD, _QWORD); // [rsp+308h] [rbp+2A8h]char v30[76]; // [rsp+328h] [rbp+2C8h] BYREFint v31; // [rsp+374h] [rbp+314h]__int64 (__fastcall *v32)(HANDLE, _QWORD, char *, __int64, _QWORD); // [rsp+398h] [rbp+338h]char *Str; // [rsp+3B8h] [rbp+358h]int v34; // [rsp+3D4h] [rbp+374h]int v35; // [rsp+3F4h] [rbp+394h]int v36; // [rsp+414h] [rbp+3B4h]wchar_t *Dest; // [rsp+438h] [rbp+3D8h]__int64 v38[63]; // [rsp+460h] [rbp+400h] BYREF__int64 v39; // [rsp+658h] [rbp+5F8h]__int64 v40[4]; // [rsp+678h] [rbp+618h] BYREF__int64 (__fastcall *v41)(__int64 *, __int64, _QWORD, HANDLE, __int64, _QWORD, _DWORD, _QWORD, _QWORD, _QWORD, _QWORD); // [rsp+698h] [rbp+638h]int v42; // [rsp+9A4h] [rbp+944h]v1 = &v8;for ( i = 404i64; i; --i ){*(_DWORD *)v1 = -858993460;v1 += 4;}j___CheckForDebuggerJustMyCode(&unk_1400A80B9);strcpy(FileName, "VNctf2023");v10[0] = 0x616C7972723073i64;hObject = CreateFileA(FileName, 0xC0010000, 0, 0i64, 2u, 0x80u, 0i64);// 创建一个文件if ( hObject == (HANDLE)-1i64 ){ // 失败LastError = GetLastError();return sub_14000257C("Failed - Error Code %08X\r\n", LastError);}else{v13[0] = 1; // 创建成功v15 = (__int64 (__fastcall *)(HANDLE, int *, char *, __int64, int))sub_1400016B3("NtSetInformationFile");v12 = v15(hObject, v14, v13, 1i64, 13);if ( v14[0] >= 0 ){hResInfo = FindResourceA(0i64, (LPCSTR)0x66, "shell");// 寻找指定类型和名称的资源位置v17 = SizeofResource(0i64, hResInfo); // 资源大小hResData = LoadResource(0i64, hResInfo); // 加载资源Src = LockResource(hResData);NumberOfBytesWritten = 0;nNumberOfBytesToWrite[0] = 0;LODWORD(Size) = v17 - 4;Block = j_j_j__malloc_base(v17 - 4);j_memmove(Block, Src, (unsigned int)Size);j_memmove(nNumberOfBytesToWrite, (char *)Src + (unsigned int)Size, 4ui64);GlobalUnlock(hResData);lpBuffer[0] = 0i64;NumberOfBytesWritten = sub_1400030BC(Block, v10, lpBuffer, (unsigned int)Size); //关键函数,好像对shell资源进行了 AES加密if ( NumberOfBytesWritten >= nNumberOfBytesToWrite[0]&& lpBuffer[0]&& WriteFile(hObject, lpBuffer[0], nNumberOfBytesToWrite[0], &NumberOfBytesWritten, 0i64)// 加密后shell 写到资源到文件&& (j_free(Block), // 释放j_free((void *)lpBuffer[0]),v25 = (__int64 (__fastcall *)(__int64 *, __int64, _QWORD, _QWORD, int, int, HANDLE))sub_1400016B3("NtCreateSection"),// 创建节对象v12 = v25(v26, 983071i64, 0i64, 0i64, 2, 0x1000000, hObject),(v12 & 0x80000000) == 0) ) // 猜测上面的代码,就是把shell 资源 写到一个叫 vnctf2023的文件里面{result = sub_14000347C(hObject, v27, nNumberOfBytesToWrite[0]);if ( result ) // 写入成功{CloseHandle(hObject);hHandle[0] = 0i64;v29 = (__int64 (__fastcall *)(HANDLE *, __int64, _QWORD, HANDLE, DWORD, __int64, _QWORD, _QWORD))sub_1400016B3("NtCreateProcess");// 启动进程CurrentProcess = GetCurrentProcess();LOBYTE(dwCreationDisposition) = 1;result = v29(hHandle, 0x1FFFFFi64, 0i64, CurrentProcess, dwCreationDisposition, v26[0], 0i64, 0i64);v12 = result;if ( result >= 0 ){memset(v30, 0, 0x30ui64);v31 = 0;v32 = (__int64 (__fastcall *)(HANDLE, _QWORD, char *, __int64, _QWORD))sub_1400016B3("NtQueryInformationProcess");result = v32(hHandle[0], 0i64, v30, 48i64, 0i64);v12 = result;if ( result >= 0 ){Str = (char *)j_j_j__malloc_base(4ui64);sub_1400039C2(Str, "%x", NumberOfBytesWritten);v34 = j_strlen(FileName);v35 = j_strlen(a1);v36 = j_strlen(Str);j_strcat(FileName, " ");j_strcat(FileName, a1);j_strcat(FileName, " ");j_strcat(FileName, Str);v34 += v35 + v36 + 2;v42 = v34 + 1;v6 = (unsigned int)(2 * (v34 + 1));if ( !is_mul_ok(2u, v34 + 1) )v6 = -1i64;Dest = (wchar_t *)j_j_j__malloc_base(v6);sub_140003175(Dest, 0i64, 2 * v34 + 2);j_mbstowcs(Dest, FileName, v34);result = sub_140003DBE(hHandle[0], v30, Dest);if ( result ){j_free(Dest);memset(v38, 0, 0x1B8ui64);result = sub_140002176(hHandle[0], v30, v38);if ( result ){v38[59] = v38[2];v39 = v38[2] + v27[0];v40[0] = 0i64;v41 = (__int64 (__fastcall *)(__int64 *, __int64, _QWORD, HANDLE, __int64, _QWORD, _DWORD, _QWORD, _QWORD, _QWORD, _QWORD))sub_1400016B3("NtCreateThreadEx"); //启动线程result = v41(v40, 0x1FFFFFi64, 0i64, hHandle[0], v39, 0i64, 0, 0i64, 0i64, 0i64, 0i64);v12 = result;if ( result >= 0 )return WaitForSingleObject(hHandle[0], 0xFFFFFFFF);}}}}}}else{return CloseHandle(hObject);}}else{sub_14000257C("Failed - Error Code %08X\r\n", v12);return CloseHandle(hObject);}}return result;
}
关键函数 sub_140009E20,就是那个对shell资源进行处理的函数
__int64 __fastcall sub_140009E20(__int64 a1, const char *a2, void **a3, unsigned int a4)
{char *v4; // rdi__int64 i; // rcxsize_t v6; // raxchar v8; // [rsp+20h] [rbp+0h] BYREFchar v9[44]; // [rsp+28h] [rbp+8h] BYREFunsigned int v10; // [rsp+54h] [rbp+34h]BOOL v11; // [rsp+74h] [rbp+54h]int j; // [rsp+94h] [rbp+74h]size_t Size; // [rsp+168h] [rbp+148h]v4 = &v8;for ( i = 42i64; i; --i ){*(_DWORD *)v4 = -858993460;v4 += 4;}j___CheckForDebuggerJustMyCode(&unk_1400A80B9, a2, a3);v11 = a4 % 0x10 != 0;v10 = 16 * (v11 + a4 / 0x10);v6 = v10 + 1;if ( v10 == -1 )v6 = -1i64;*a3 = j_j_j__malloc_base(v6);sub_140003175(*a3, 0i64, v10 + 1); sub_140003175(v9, 0i64, 16i64);if ( j_strlen(a2) <= 0x10 )Size = j_strlen(a2);elseSize = 16i64;j_memmove(v9, a2, Size);for ( j = 0; 16 * j < a4; ++j )sub_140002DE7(16 * j + a1, v9, (char *)*a3 + 16 * j, 16i64);// AES解密函数 我思考了一下,如果shell进行加密,那么shell还能运行吗?反之,只有解密,才可以正常运行return v10;
}
根进观察一下
__int64 __fastcall sub_140007620(const void *a1, __int64 a2, void *a3, unsigned int a4)
{j___CheckForDebuggerJustMyCode(&unk_1400A800D, a2, a3);j_memmove(a3, a1, a4);qword_14009D180 = (__int64)a3;qword_14009D188 = a2;sub_140008EA0();return sub_1400078E0();
}
发现了一堆函数,一个一个看看
最后发现sub_1400078E0函数的代码,长得特别像AES加密函数。
帮助网安学习,全套资料S信免费领取:
① 网安学习成长路径思维导图
② 60+网安经典常用工具包
③ 100+SRC分析报告
④ 150+网安攻防实战技术电子书
⑤ 最权威CISSP 认证考试指南+题库
⑥ 超1800页CTF实战技巧手册
⑦ 最新网安大厂面试题合集(含答案)
⑧ APP客户端安全检测指南(安卓+IOS)
从 confuse_us 那题就可以发现,这些代码长得很像.就是AES加密套路
__int64 __fastcall sub_1400078E0(__int64 a1, __int64 a2, __int64 a3)
{__int64 v3; // rcxunsigned __int8 i; // [rsp+24h] [rbp+4h]j___CheckForDebuggerJustMyCode(&unk_1400A800D, a2, a3);LOBYTE(v3) = 10;sub_140007760(v3);for ( i = 9; i; --i ){sub_140008980();sub_140008DF0();sub_140007760(i);sub_140007970();}sub_140008980();sub_140008DF0();return sub_140007760(0i64);
}
跟进sub_140007760 函数,发现就是addroundkey()
__int64 __fastcall sub_140007760(unsigned __int8 a1, __int64 a2, __int64 a3)
{__int64 result; // raxunsigned __int8 i; // [rsp+24h] [rbp+4h]unsigned __int8 j; // [rsp+44h] [rbp+24h]j___CheckForDebuggerJustMyCode(&unk_1400A800D, a2, a3);for ( i = 0; ; ++i ){result = i;if ( i >= 4u ) //这不就是 addroundkey() 函数吗?break;for ( j = 0; j < 4u; ++j )*(_BYTE *)(qword_14009D180 + 4i64 * i + j) ^= byte_14009D190[16 * a1 + 4 * i + j]; //对比confuse_us那题,发现没有魔改 ^0x23}return result;
}
其余函数也就不用再分析了,可以断定这是AES加密函数。
对shell资源进行AES解密,然后shell程序跑起来
运行该程序,发现我追踪的进程居然挂掉了,又跑起来了另一个进程
可以断定,父进程开子进程
子进程输入flag
我再次运行,发现jiji.exe没了???
传递的参数
FileName
VNctf2023
C:\Users\Le\Desktop\jijiji.exe
16000s0rryla
附加下子进程
搜索字符串,但是无法找到关键函数
直接dump解密后的exe文件
断点下在此处,然后运行,找到解密后的文件,dump下来
D键转地址
跳转到MZ头部,发现这就是解密后的程序
把它dump下来
def main():begin = 0x23F8CB49290 # #需对应修改size = 0x16000 # #需对应修改list1 = []for i in range(size):byte_tmp = get_bytes(begin + i,1)list1.append(ord(byte_tmp))if (i + 1) % 0x1000 == 0:print("All count:{}, collect current:{}, has finish {}".format(hex(size), hex(i + 1), float(i + 1) / size))print('collect over')file = "C:\\Users\\Le\\Desktop\\WASS.exe" #需对应修改#print(bytearray(list1))buf = bytearray(list1)with open(file, 'wb') as fw:fw.write(buf)print('write over')if __name__=='__main__':main()
得到dump下来的程序
分析dump下来的程序
根据关键字符串定位关键函数
__int64 __fastcall sub_1400064F0(__int64 a1, __int64 a2)
{char *v2; // rdi__int64 i; // rcxconst char *v4; // raxDWORD LastError; // eaxchar v7[32]; // [rsp+0h] [rbp-20h] BYREFchar v8; // [rsp+20h] [rbp+0h] BYREFHANDLE hSnapshot; // [rsp+28h] [rbp+8h]PROCESSENTRY32 pe; // [rsp+50h] [rbp+30h] BYREFBOOL v11; // [rsp+194h] [rbp+174h]unsigned int v12; // [rsp+1B4h] [rbp+194h]DWORD CurrentProcessId; // [rsp+1D4h] [rbp+1B4h]DWORD th32ProcessID; // [rsp+1F4h] [rbp+1D4h]char v15[536]; // [rsp+220h] [rbp+200h] BYREFchar v16[64]; // [rsp+438h] [rbp+418h] BYREFLPVOID lpAddress; // [rsp+478h] [rbp+458h]DWORD flOldProtect[9]; // [rsp+494h] [rbp+474h] BYREFLPCSTR lpFileName; // [rsp+4B8h] [rbp+498h]char v20[64]; // [rsp+718h] [rbp+6F8h] BYREFchar v21[64]; // [rsp+758h] [rbp+738h] BYREFchar v22[48]; // [rsp+798h] [rbp+778h] BYREF__int64 v23; // [rsp+7C8h] [rbp+7A8h]__int64 v24; // [rsp+7D0h] [rbp+7B0h]__int64 v25; // [rsp+7D8h] [rbp+7B8h]__int64 v26; // [rsp+7E0h] [rbp+7C0h]__int64 v27; // [rsp+7E8h] [rbp+7C8h]__int64 v28; // [rsp+7F0h] [rbp+7D0h]v2 = &v8;for ( i = 362i64; i; --i ){*(_DWORD *)v2 = -858993460;v2 += 4;}sub_14000148D(&unk_1400180F5);hSnapshot = CreateToolhelp32Snapshot(2u, 0);v11 = Process32First(hSnapshot, &pe);v12 = -1;CurrentProcessId = GetCurrentProcessId();while ( v11 ){if ( CurrentProcessId == pe.th32ProcessID ){th32ProcessID = pe.th32ProcessID;v12 = sub_140001267(pe.th32ProcessID);}v11 = Process32Next(hSnapshot, &pe);}if ( v12 != -1 ){sub_140001479(v12, v15, 10i64);v23 = sub_140001217(v20, " > nul");v24 = v23;v25 = sub_140001217(v21, "taskkill -f /pid ");v26 = v25;v27 = sub_14000143D(v22, v25, v15);v28 = v27;sub_140001069(v16, v27, v24);sub_1400010F0(v22);sub_1400010F0(v21);sub_1400010F0(v20);v4 = (const char *)sub_14000106E(v16);system(v4);sub_1400010F0(v16);}lpAddress = (LPVOID)sub_140001357(sub_1400010C3);VirtualProtect(lpAddress, 0x400ui64, 0x40u, flOldProtect);lpFileName = *(LPCSTR *)(a2 + 8);qword_140014470 = *(_QWORD *)(a2 + 16);if ( !DeleteFileA(lpFileName) ){LastError = GetLastError();sub_14000123A("%d", LastError);}sub_1400010FF(sub_1400010C3, qword_140014470);sub_1400010C3();sub_1400013C5(v7, &unk_1400101C8);return 0i64;
}
动调调试走到flag验证的地方
动态调试跟进去
成功到达关键的地方,如果不是这么清晰的话,需要U+C键来调
__int64 sub_140005B40()
{char *v0; // rdi__int64 i; // rcxchar v3[32]; // [rsp+0h] [rbp-20h] BYREFchar v4; // [rsp+20h] [rbp+0h] BYREFchar v5[60]; // [rsp+28h] [rbp+8h] BYREFint v6; // [rsp+64h] [rbp+44h]int v7[11]; // [rsp+88h] [rbp+68h]int j; // [rsp+B4h] [rbp+94h]int k; // [rsp+D4h] [rbp+B4h]int *v10; // [rsp+F8h] [rbp+D8h]unsigned int v11; // [rsp+114h] [rbp+F4h]unsigned int v12; // [rsp+134h] [rbp+114h]unsigned int v13; // [rsp+154h] [rbp+134h]int v14; // [rsp+174h] [rbp+154h]int m; // [rsp+194h] [rbp+174h]int n; // [rsp+1B4h] [rbp+194h]v0 = &v4;for ( i = 110i64; i; --i ){*(_DWORD *)v0 = -858993460;v0 += 4;}sub_14000148D(&unk_1400180F5);memset(v5, 0, 0x21ui64);v6 = 0;v7[0] = 98;v7[1] = 111;v7[2] = 109;v7[3] = 98;sub_14000123A("your flag:");sub_1400010BE("%s", v5);for ( j = 0; v5[j]; ++j );if ( j != 32 )sub_14000123A("bad, ji~ji~ji\n");for ( k = 0; k < 4; ++k ){v10 = (int *)&v5[8 * k];v11 = *v10;v12 = v10[1];v13 = 0;v14 = -2009038745;for ( m = 0; m < 33; ++m ){v11 += v13 ^ (v7[v13 & 3] + v13) ^ (v12 + ((v12 >> 5) ^ (16 * v12)));v12 += (v7[(v13 >> 11) & 3] + v13) ^ (v11 + ((v11 >> 5) ^ (16 * v11)));v13 += v14;}*v10 = v11;v10[1] = v12;}for ( n = 0; n < 32; ++n ){if ( v5[n] != byte_140014000[n] ){v6 = 1;break;}}if ( v6 == 1 ){sub_14000123A("bad, ji~ji~ji\n");}else if ( !v6 ){sub_14000123A("yesssss \n");}return sub_1400013C5(v3, &unk_140010160);
}
XTEA加密
#include <stdio.h>
#include <stdlib.h>void decrypt(unsigned int* v, unsigned int* key,unsigned int round) {unsigned int l = v[0], r = v[1], sum = 0, delta = 0x88408067;sum = delta * round;for (size_t i = 0; i < round; i++) {sum -= delta;r -= (((l << 4) ^ (l >> 5)) + l) ^ (sum + key[(sum >> 11) & 3]);l -= (((r << 4) ^ (r >> 5)) + r) ^ (sum + key[sum & 3])^sum;}v[0] = l;v[1] = r;
}
int main()
{unsigned int v[11] = { 0xADD4F778, 0xA6D7F132, 0x61813290, 0x2D4A40A6, 0x00B05F11, 0xB6D59424, 0x231BBFC6, 0xCD405B31, 0x03020100, 0x00C30504};unsigned int key[4] = {98,111,109,98};for(int i=0;i<4;i++){decrypt(v+i*2,key,33);}for(int i=0;i<8;i++){printf("%c%c%c%c",*((char*)&v[i]+0),*((char*)&v[i]+1),*((char*)&v[i]+2),*((char*)&v[i]+3));}return 0;
}
//2d326e43eb8fea8837737fc0f50f83f2
flag{2d326e43eb8fea8837737fc0f50f83f2}
这篇关于【父子进程/AES/XTEA/SMC】赛后复盘的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
