网络安全 on Akkuman 的技术博客 https://www.hacktech.cn/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/ Recent content in 网络安全 on Akkuman 的技术博客 Hugo -- 0.155.3 zh-cn Fri, 10 Dec 2021 07:41:00 +0000 识别SigFlip生成的恶意文件 https://www.hacktech.cn/post/2021/12/identify-sigflip-file/ Fri, 10 Dec 2021 07:41:00 +0000 https://www.hacktech.cn/post/2021/12/identify-sigflip-file/ <p>最近在移植 <a href="https://github.com/med0x2e/SigFlip">med0x2e/SigFlip</a> 的过程中发现了一个有意思的点,可以用来作为检测的手段</p> <p>在 SigFlip 项目的 <a href="https://github.com/med0x2e/SigFlip#detectprevent">Detect/Prevent</a> 一节中作者有提到一些检测防御手段</p> <blockquote> <p><a href="https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2915720?redirectedfrom=MSDN">https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2915720?redirectedfrom=MSDN</a></p> </blockquote> <blockquote> <p>Once the patch is installed and proper registry keys are set, No system restarts are required, you only need to restart the Cryptographic Services. The Applocker service will be also restarted as it depends on the cryptographic services.(@p0w3rsh3ll)</p> </blockquote> <blockquote> <p>Yara rule by Adrien; <a href="https://twitter.com/Int2e_/status/1330975808941330432">https://twitter.com/Int2e_/status/1330975808941330432</a></p> </blockquote> <p>从 SigFlip 源码中,其实也能发现一个点</p> <p>SigFlip 依赖一串特定的字节来定位shellcode的位置,详见 <a href="https://github.com/med0x2e/SigFlip/blob/e24a1fcde8ab27f58c35935f65078b47b20eca43/Native/SigLoader/SigLoader/SigLoader.cpp#L102">Native/SigLoader/SigLoader/SigLoader.cpp#L102</a> 和 <a href="https://github.com/med0x2e/SigFlip/blob/e24a1fcde8ab27f58c35935f65078b47b20eca43/Native/SigFlip/SigFlip/SigFlip.cpp#L232">Native/SigFlip/SigFlip/SigFlip.cpp#L232</a></p> <div class="highlight"><div style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">7 </span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (_index <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; _index <span style="color:#f92672">&lt;</span> _CertTableSize; _index<span style="color:#f92672">++</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index) <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xfe</span> <span style="color:#f92672">&amp;&amp;</span> <span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index <span style="color:#f92672">+</span> <span style="color:#ae81ff">1</span>) <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xed</span> <span style="color:#f92672">&amp;&amp;</span> <span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index <span style="color:#f92672">+</span> <span style="color:#ae81ff">2</span>) <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xfa</span> <span style="color:#f92672">&amp;&amp;</span> <span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index <span style="color:#f92672">+</span> <span style="color:#ae81ff">3</span>) <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xce</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;[*]: Tag Found 0x%x%x%x%x&#34;</span>, <span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index), <span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index<span style="color:#f92672">+</span><span style="color:#ae81ff">1</span>), <span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index<span style="color:#f92672">+</span><span style="color:#ae81ff">2</span>), <span style="color:#f92672">*</span>(_pePtr <span style="color:#f92672">+</span> _index<span style="color:#f92672">+</span><span style="color:#ae81ff">3</span>)); </span></span><span style="display:flex;"><span> _dataOffset <span style="color:#f92672">=</span> _index <span style="color:#f92672">+</span> <span style="color:#ae81ff">8</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">break</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2 </span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#a6e22e">memcpy</span>(_encryptedData, <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\xFE\xED\xFA\xCE\xFE\xED\xFA\xCE</span><span style="color:#e6db74">&#34;</span>, <span style="color:#ae81ff">8</span>); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">crypt</span>((<span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">char</span><span style="color:#f92672">*</span>)_data, _dataSize, _key, _keySize, (<span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">char</span><span style="color:#f92672">*</span>)_encryptedData <span style="color:#f92672">+</span> <span style="color:#ae81ff">8</span>); </span></span></code></pre></td></tr></table> </div> </div><p>也就是说我们在证书表中定位到 <code>\xFE\xED\xFA\xCE\xFE\xED\xFA\xCE</code> 这段特征就可以断定它疑似 SigFlip 生成的 payload 了,想要更精准一些可以结合 <a href="https://twitter.com/Int2e_/status/1330975808941330432">https://twitter.com/Int2e_/status/1330975808941330432</a> 中提到的长度特征。</p>