path: root/_posts/2024-11-02-trojan.md
author    mayx  2025-04-10 01:19:10 +0000
committer mayx  2025-04-10 01:19:10 +0000
commit    c7cabd991a2ca69cf00f4daf9a663de53deaf5d6 (patch)
tree      e6c284c2b902e39916c0118ce9ca6eee45de0a25 /_posts/2024-11-02-trojan.md
parent    9382acdabd740565b5a9a34bf6e79af7abf0e40c (diff)
Update 2 files AR-Backup-2025.04.10
- /_posts/2024-11-02-trojan.md
- /_posts/2019-02-01-history.md
Diffstat (limited to '_posts/2024-11-02-trojan.md')
-rw-r--r--  _posts/2024-11-02-trojan.md  24
1 files changed, 11 insertions, 13 deletions
diff --git a/_posts/2024-11-02-trojan.md b/_posts/2024-11-02-trojan.md
index 60c7c37..5c6af0c 100644
--- a/_posts/2024-11-02-trojan.md
+++ b/_posts/2024-11-02-trojan.md
@@ -15,17 +15,10 @@ tags: [Python, 木马, 病毒]
   pyinstaller解包还是挺简单的,用[PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor)就可以,首先我在我的电脑上尝试解包,不过因为Python版本不对,里面的PYZ文件不能解包,并且提示我使用Python 2.7的环境再试一次。我找了台装有Python 2.7环境的服务器又执行了一次之后就全部解包完了。想不到这个木马居然没有加密😂,直接就能解压,不过就算加密了我之前看过一篇[文章](https://www.cnblogs.com/liweis/p/15891170.html)可以进行解密。   
   不过现在得到的文件都是字节码pyc文件,还需要反编译才能看到源代码,这个步骤也很简单,安装个[uncompyle6](https://github.com/rocky/python-uncompyle6)工具就可以。它的主程序名字叫“ii.py”,于是我反编译了一下,不过看起来作者还整了一些混淆,但是极其简单,就把几个函数换成一串变量而已,所以写了个简单的脚本给它还原回去了,最终处理的结果如下(里面有个[混淆过的PowerShell版mimikatz](https://github.com/DanMcInerney/Invoke-Cats),太长了所以我给删掉了):
 
-<script>
-  function showcode() { 
-  $('.showbutton').toggle();
-  $('.language-python').toggle();
-  }
-</script>
-<style>
-.language-python{ display:none; }
-</style>
-<button onclick="showcode()" class="showbutton">Show Code</button>
-<button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button>
+<details markdown="1">
+<summary markdown="span">
+Show Code
+</summary>
 
 ```python
 # uncompyle6 version 3.9.2
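Review bot: `markdown="1"` on the added `<details>` and `markdown="span"` on its `<summary>` are kramdown-specific attributes, so the fenced block that follows only renders inside the collapsible element when the site builds with kramdown (Jekyll's default, which the `_posts/` path suggests); nothing else in the hunk signals that dependency, so a one-line comment next to the element would save the next editor a surprise. Separately, the removed `showcode()` swapped a 'Show Code' button for a 'Hide Code' one, while the new `<summary>` text stays 'Show Code' after the element is opened; a state-neutral label (for example 'Decompiled ii.py') or a `details[open] > summary` style would restore that cue.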
@@ -1505,10 +1498,14 @@ while var == 1:
 
 # global h_one ## Warning: Unused global
 ```
+</details>
+
   里面有两个不是公开的库,mysmb和psexec,其中mysmb看起来是[永恒之蓝RCE中的代码](https://github.com/0xsyr0/OSCP/blob/main/exploits/CVE-2017-0144-EternalBlue-MS17-010-RCE/mysmb.py),psexec有找到几个相似的但是没找到一样的,所以代码也放上来:
 
-<button onclick="showcode()" class="showbutton">Show Code</button>
-<button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button>
+<details markdown="1">
+<summary markdown="span">
+Show Code
+</summary>
 
 ```python
 # uncompyle6 version 3.9.2
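Review bot: the first `</details>` added here closes the element opened in the previous hunk roughly 1,480 lines earlier, so the pairing cannot be checked within this hunk; keep the blank line after it, since the indented paragraph that follows must sit outside the block-level HTML to be parsed as Markdown. Also, both collapsible blocks now carry the identical summary 'Show Code'; naming them ('Decompiled ii.py', 'mysmb / psexec') would make them distinguishable. That matters here because the removed `showcode()` toggled every `.language-python` element on the page at once, so the two buttons used to open and close both listings together, whereas the two `<details>` elements are now independent.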
@@ -1881,6 +1878,7 @@ class PSEXEC:
                 s.deleteFile(installService.getShare(), 'temp\\tmp.vbs')
             return False
 ```
+</details>
 
 # 行为分析
   那这个代码都干了些什么呢?首先动态分析一下吧,我用微步云沙箱检查了一下,不过好像有人已经上传过了,[这个是报告](https://s.threatbook.com/report/file/60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d)。好像也没啥特别的,先给445端口开了个防火墙,估计是防止其他人利用永恒之蓝入侵,然后整了几个请求几个“beahh.com”域名的定时任务,另外就是同网段扫描啥的,应该是找其他机器继续尝试用漏洞入侵感染这个木马。
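Review bot: with this closing `</details>` in place, nothing in this diff leaves an inline `<script>` or `onclick=` handler behind (the `showcode()` script and the four buttons were the only ones touched), and the jQuery dependency for `$('.showbutton')` goes with them; if the site publishes a Content-Security-Policy, this is the change that lets `'unsafe-inline'` be dropped from `script-src` for this post, provided the layout itself does not rely on it. The blank line kept between `</details>` and `# 行为分析` should stay so the heading is parsed as Markdown rather than swallowed into the HTML block.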