PhpStudy BackDoor2019 深度分析( 二 ) _PhpStudy

首先分析spprintf()函数代码处功能，因为其对eval()函数进行了处理
spprintf(&v42, 0, aSEvalSS, v36, aGzuncompress, v42);spprintf(&v41, 0, aEvalSS, aGzuncompress, v41);spprintf函数是php官方自己封装的函数，此处实际上实现的是字符串拼接功能，实际代码如下：
@eval(%s(',27h,'%s',27h,'));@eval(gzuncompress(',27h,’v42′,27h,')); @eval(gzuncompress(',27h,’v41′,27h,')); ps:eval()函数中第一个%s位格式化字符串、第二个%s为字符串传参
可以看到上述代码主要对v41、v42数据进行解压执行操控，可以初步猜想恶意代码存在于v41和v42数据中，同理按照思路流程向上去找v41、v42数据内容，
对v41的处理代码
if ( strlen(byte_100127EC) == 0 ) sub_100044E0(byte_100127EC); v8 = &byte_10012884; v9 = asc_1000D028; v41 = &byte_10012884; v10 = 0; v11 = asc_1000D028; while ( 1 ) { if ( *(_DWORD *)v11 == 39 ) { v8[v10] = 92; v41[v10 + 1] = *v9; v10 += 2; v11 += 8; } else { v8[v10++] = *v9; v11 += 4; } v9 += 4; if ( (signed int)v9 >= (signed int)&unk_1000D66C ) break; v8 = v41; }对v42的处理代码
if ( !v12 ) { v13 = &byte_10012884; v14 = (char *)&unk_1000D66C; v42 = &byte_10012884; v15 = &unk_1000D66C; while ( 1 ) { if ( *v15 == 39 ) { v13[v12] = 92; v42[v12 + 1] = *v14; v12 += 2; v15 += 2; } else { v13[v12++] = *v14; ++v15; } v14 += 4; if ( (signed int)v14 >= (signed int)&unk_1000E5C4 ) break; v13 = v42; }分析代码可知v41数据内容是1000D028-1000D66C(基地址为10000000)范围内的数据，v42数据内容是1000D66C-1000E5C4(基地址为10000000)范围内的数据，使用010edit查看发现其均位于.data数据块

文章插图

文章插图

由于.data为dword类型每个值占用4个字节，代码处将其转换为char类型进行存储，然后使用php内置函数gzuncompress对其解压执行
使用微步情报局公开的解密脚本进行两段数据的提取解压
# -*- coding:utf-8 -*- # !/usr/bin/env Python import os, sys, string, shutil, re import base64 import struct import pefile import ctypes import zlib # import put_family_c2 def hexdump(src, length=16): FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)]) lines = [] for c in xrange(0, len(src), length): chars = src[c:c + length] hex = ' '.join(["%02x" % ord(x) for x in chars]) printable = ''.join(["%s" % ((ord(x) <= 127 and FILTER[ord(x)]) or '.') for x in chars]) lines.Append("%04x %-*s %sn" % (c, length * 3, hex, printable)) return ''.join(lines) def descrypt(data): try: # data = https://www.isolves.com/it/aq/fwq/2019-11-15/base64.encodestring(data) # print(hexdump(data)) num = 0 data = zlib.decompress(data) # return result return (True, result) except Exception, e: print(e) return (False, "") def GetSectionData(pe, Section): try: ep = Section.VirtualAddress ep_ava = Section.VirtualAddress + pe.OPTIONAL_HEADER.ImageBase data = pe.get_memory_mapped_image()[ep:ep + Section.Misc_VirtualSize] # print(hexdump(data)) return data except Exception, e: return None def GetSecsions(PE): try: for section in PE.sections: # print(hexdump(section.Name)) if (section.Name.replace('/x00', '') == '.data'): data = GetSectionData(PE, section) # print(hexdump(data)) return (True, data) return (False, "") except Exception, e: return (False, "") def get_encodedata(filename): pe = pefile.PE(filename) (ret, data) = GetSecsions(pe) if ret: flag = "gzuncompress" offset = data.find(flag) data = data[offset + 0x10:offset + 0x10 + 0x567 * 4].replace("/x00/x00/x00", "") decodedata_1 = zlib.decompress(data[:0x191]) print(hexdump(data[0x191:])) decodedata_2 = zlib.decompress(data[0x191:]) with open("decode_1.txt", "w") as hwrite: hwrite.write(decodedata_1) hwrite.close with open("decode_2.txt", "w") as hwrite: hwrite.write(decodedata_2) hwrite.close def main(path): c2s = [] domains = [] file_list = os.listdir(path) for f in file_list: print f file_path = os.path.join(path, f) get_encodedata(file_path) if __name__ == "__main__": # os.getcwd() path = "php5.4.45" main(path)运行结果生成两个数据文件分别对应v41、v42，查看数据内容是经过base64编码过的，对其解码
v41数据
@ini_set("display_errors","0"); error_reporting(0); $h = $_SERVER['HTTP_HOST']; $p = $_SERVER['SERVER_PORT']; $fp = fsockopen($h, $p, $errno, $errstr, 5); if (!$fp) { } else { $out = "GET {$_SERVER['SCRIPT_NAME']} HTTP/1.1rn"; $out .= "Host: {$h}rn"; $out .= "Accept-Encoding: compress,gziprn"; $out .= "Connection: Closernrn"; fwrite($fp, $out); fclose($fp); }v41脚本：使用fsockopen模拟GET发包

PhpStudy BackDoor2019 深度分析( 二 )

推荐阅读

最新趣闻|不思进取的黄政民和自甘堕落的李政宰！

笔记本电脑桌面图标不见能怎么样解决

澎湃新闻|【社论】发展新个体经济，向改革要活力

如何自制书架？

『凌子看世界』与队伍产生矛盾，或将远走西甲，尤文的贝尔代纳斯基

还得等等，广汽丰田凌尚或明年中旬上市

20岁的女生可以通过哪些渠道来提升穿衣品味和，学会打扮自己

江西宁都小布岩茶是绿茶吗产地特点工艺介绍

如果心有颜色|巩俐穿吊带裙现身街头，素颜微胖却气质难挡，秀起恩爱也很甜

青岩梦罢|看到任嘉伦与自己妻子的合照，二人真的很配

个股期权如何交易(股市期权交易细则)

原呵呵 Swift5（2020）初步评测：轻奢电脑，适合旅行，宏基

6个最适合冬天旅行的目的地冬天适合去哪里旅游

心领悟|太穷了，12星座存不到钱的原因！，在十二星座中

#徐晓冬#昨晚！武僧一龙连线王洪祥，终于说出不愿和徐晓冬比赛的真正原因

Miss西里|赵露思扎丸子头简直清纯甜妹本人，怼脸拍也是胶原蛋白满满

台州是哪个省的城市哪个市,台州是哪个省的城市

共享电梯能装吗？超过300台企业会赔本儿

搜狐新闻每天揉腹三次，坚持一段时间后，3个惊喜变化或许在路上！

体育大学僧|为何会被交易到休城搭档姚明？有2个原因，麦迪在魔术正值巅峰期