tinyxml.dll dll劫持下载器

目录

• 基本信息
  • pdb信息
• dllmain
• 流程
  • 创建服务
  • 检查到360和卡巴斯基进程
  • 未检测到
    • 通过sRDI(原dllTools.dll)调用CreateHollowedProcess
    • 第二次通过sRDI执行http下载工作，代码与tinyxml.dll中一致
• 字符串混淆方式
• 载荷存储服务器

基本信息

QQExternal.exe加载tinyxml.dll

伪造证书

pdb信息

E:\其它文件\InternetRedirectNew\tinyxmlHook\Release\tinyxml.pdb

dllmain

流程

创建服务

服务信息:
MicrosoftSetupSystemTask
Microsoft Setup Update System Network Task
Microsoft 安装更新系统任务。请勿阻止或禁用这项服务，否则无法更新系统网络。
C:\ProgramData\Microsoft\Setup\QQExternal.exe

检查到360和卡巴斯基进程

直接发送http请求进入下一阶段
http请求:
http://[www.proxyconsole.com->ip]:8250/api.php?act=get_run_core&app=10001
(http://www.proxyconsole.com:8250/api.php?act=get_run_core&app=10001)
响应

eyJGaXJzdFNlbGVjdCI6MiwiQ29yZUZpbGUiOlt7IlR5cGUiOjEsIkVuYWJsZSI6dHJ1ZSwiQWRkcmVzcyI6Imh0dHBzOi8vcHJvLXJlczEub3NzLWNuLWhhbmd6aG91LmFsaXl1bmNzLmNvbS9SdW4vUHVwcGV0TGliLmRsbCIsIkhhc2giOiI1NjczNzZBMDJFMDBBNTk1ODc0RjU3NzY3ODRFMjM4RCJ9LHsiVHlwZSI6MiwiRW5hYmxlIjp0cnVlLCJOYW1lIjoiUVFFeHRlcm5hbC5leGUiLCJBZGRyZXNzIjoiaHR0cHM6Ly9wcm8tcmVzMS5vc3MtY24taGFuZ3pob3UuYWxpeXVuY3MuY29tL1J1bi9RUUV4dGVybmFsLmV4ZSIsIkhhc2giOiJBODI1M0E4NDJDMEFENkM0MDZEMDc3MEMxNDgzQjkwRCIsIlJlbHlPbk5hbWUiOiJDaGFuZ1RvQXZpRGxsUW1lV2ViLmRsbCIsIlJlbHlPbkFkZHJlc3MiOiJodHRwczovL3Byby1yZXMxLm9zcy1jbi1oYW5nemhvdS5hbGl5dW5jcy5jb20vUnVuL0NoYW5nVG9BdmlEbGxRbWVXZWIuZGxsIiwiUmVseU9uSGFzaCI6IjcwRTYwMThDQTA4OUJGN0IwM0FBREVDMTQ5RDk4NkZEIn0seyJUeXBlIjozLCJFbmFibGUiOnRydWUsIk5hbWUiOiJEaXMuZXhlIiwiQWRkcmVzcyI6Imh0dHBzOi8vcHJvLXJlczEub3NzLWNuLWhhbmd6aG91LmFsaXl1bmNzLmNvbS9SdW4vRGlzLmV4ZSIsIkhhc2giOiI3QzQ3N0IzNzg1RUMxOTgwMDE0QjZDQURENEM2MEMwOCIsIkNvbW1hbmRMaW5lIjoiR29Hb0dvIn1dfQ==

base64解码后

{
    "FirstSelect": 2,
    "CoreFile": [{
        "Type": 1,
        "Enable": true,
        "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/PuppetLib.dll",
        "Hash": "567376A02E00A595874F5776784E238D"
    }, {
        "Type": 2,
        "Enable": true,
        "Name": "QQExternal.exe",
        "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/QQExternal.exe",
        "Hash": "A8253A842C0AD6C406D0770C1483B90D",
        "RelyOnName": "ChangToAviDllQmeWeb.dll",
        "RelyOnAddress": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/ChangToAviDllQmeWeb.dll",
        "RelyOnHash": "70E6018CA089BF7B03AADEC149D986FD"
    }, {
        "Type": 3,
        "Enable": true,
        "Name": "Dis.exe",
        "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/Dis.exe",
        "Hash": "7C477B3785EC1980014B6CADD4C60C08",
        "CommandLine": "GoGoGo"
    }]
}

未检测到

通过sRDI(原dllTools.dll)调用CreateHollowedProcess

第二次通过sRDI执行http下载工作，代码与tinyxml.dll中一致

在第二次sRDI加载的pe中出现json库信息
E:\其它文件\InternetRedirectNew\Puppet

字符串混淆方式

字符串混淆方式：
非常明显的“C++编译时字符串加密”，国外很早就讨论了c++ - Compile-time string encryption - Stack Overflow

def xorfunc(buf:bytes,count:int,xorx,xory):
    ret=b''
    x,y=tuple(struct.pack('<2B',xorx,xory))
    for i in range(count):
        ret+=struct.pack('<B',x^((buf[i]-y)&0xff))
    return ret

载荷存储服务器

https://pro-res1.oss-cn-hangzhou.aliyuncs.com