动态解密flash网马

作者:Inking

今天看到黑哥这篇文章《Flash封装的网马》,出差实在是太无聊了,稍微扯点~

在公司有时候也有解密这些网马的需求(ps:黑哥说的“终于出现了”有点夸张了,其实早就有很多~~ 目前的防挂马产品中,大部分都是基于特征的,估计很难抓到),当时首选的也是hp的swfscan,但是郁闷的是从来没有解出来过,估计是我自己用得不对 吧,最后就有今天说的这个办法。

思路很简单,在flash加载之前hook住常用的函数,在一般的网马中光是hook一个eval函数就能解密全部了。放demon,加载flash的代码直接从Adobe flash cs4中拷贝修改的,所以显得很冗余,错误应该也不少,凑合着看吧。

===========================================================

<html>
<head>
<title>Dynamic Flash Decoder - Inking</title>
<script language="JavaScript" type="text/javascript">
<!--
//v1.7
// Flash Player Version Detection
// Detect Client Browser type
// Copyright 2005-2008 Adobe Systems Incorporated. All rights reserved.
var isIE = (navigator.appVersion.indexOf("MSIE") != -1) ? true : false;
var isWin = (navigator.appVersion.toLowerCase().indexOf("win") != -1) ? true : false;
var isOpera = (navigator.userAgent.indexOf("Opera") != -1) ? true : false;
function ControlVersion()
{
var version;
var axo;
var e;
// NOTE : new ActiveXObject(strFoo) throws an exception if strFoo isn't in the registry
try {
// version will be set for 7.X or greater players
axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");
version = axo.GetVariable("$version");
} catch (e) {
}
if (!version)
{
try {
// version will be set for 6.X players only
axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");

// installed player is some revision of 6.0
// GetVariable("$version") crashes for versions 6.0.22 through 6.0.29,
// so we have to be careful.

// default to the first public version
version = "WIN 6,0,21,0";
// throws if AllowScripAccess does not exist (introduced in 6.0r47)
axo.AllowScriptAccess = "always";
// safe to call for 6.0r47 or greater
version = axo.GetVariable("$version");
} catch (e) {
}
}
if (!version)
{
try {
// version will be set for 4.X or 5.X player
axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.3");
version = axo.GetVariable("$version");
} catch (e) {
}
}
if (!version)
{
try {
// version will be set for 3.X player
axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.3");
version = "WIN 3,0,18,0";
} catch (e) {
}
}
if (!version)
{
try {
// version will be set for 2.X player
axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
version = "WIN 2,0,0,11";
} catch (e) {
version = -1;
}
}

return version;
}
// JavaScript helper required to detect Flash Player PlugIn version information
function GetSwfVer(){
// NS/Opera version >= 3 check for Flash plugin in plugin array
var flashVer = -1;

if (navigator.plugins != null && navigator.plugins.length > 0) {
if (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]) {
var swVer2 = navigator.plugins["Shockwave Flash 2.0"] ? " 2.0" : "";
var flashDescription = navigator.plugins["Shockwave Flash" + swVer2].description;
var descArray = flashDescription.split(" ");
var tempArrayMajor = descArray[2].split(".");
var versionMajor = tempArrayMajor[0];
var versionMinor = tempArrayMajor[1];
var versionRevision = descArray[3];
if (versionRevision == "") {
versionRevision = descArray[4];
}
if (versionRevision[0] == "d") {
versionRevision = versionRevision.substring(1);
} else if (versionRevision[0] == "r") {
versionRevision = versionRevision.substring(1);
if (versionRevision.indexOf("d") > 0) {
versionRevision = versionRevision.substring(0, versionRevision.indexOf("d"));
}
}
var flashVer = versionMajor + "." + versionMinor + "." + versionRevision;
}
}
// MSN/WebTV 2.6 supports Flash 4
else if (navigator.userAgent.toLowerCase().indexOf("webtv/2.6") != -1) flashVer = 4;
// WebTV 2.5 supports Flash 3
else if (navigator.userAgent.toLowerCase().indexOf("webtv/2.5") != -1) flashVer = 3;
// older WebTV supports Flash 2
else if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1) flashVer = 2;
else if ( isIE && isWin && !isOpera ) {
flashVer = ControlVersion();
}
return flashVer;
}
// When called with reqMajorVer, reqMinorVer, reqRevision returns true if that version or greater is available
function DetectFlashVer(reqMajorVer, reqMinorVer, reqRevision)
{
versionStr = GetSwfVer();
if (versionStr == -1 ) {
return false;
} else if (versionStr != 0) {
if(isIE && isWin && !isOpera) {
// Given "WIN 2,0,0,11"
tempArray          = versionStr.split(" "); // ["WIN", "2,0,0,11"]
tempString         = tempArray[1];     // "2,0,0,11"
versionArray       = tempString.split(","); // ['2', '0', '0', '11']
} else {
versionArray       = versionStr.split(".");
}
var versionMajor       = versionArray[0];
var versionMinor       = versionArray[1];
var versionRevision    = versionArray[2];
// is the major.revision >= requested major.revision AND the minor version >= requested minor
if (versionMajor > parseFloat(reqMajorVer)) {
return true;
} else if (versionMajor == parseFloat(reqMajorVer)) {
if (versionMinor > parseFloat(reqMinorVer))
return true;
else if (versionMinor == parseFloat(reqMinorVer)) {
if (versionRevision >= parseFloat(reqRevision))
return true;
}
}
return false;
}
}
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}
function AC_Generateobj(parantObj, objAttrs, params, embedAttrs)
{
var str = '';
if (isIE && isWin && !isOpera)
{
str += '<object ';
for (var i in objAttrs)
{
str += i + '="' + objAttrs[i] + '" ';
}
str += '>';
for (var i in params)
{
str += '<param name="' + i + '" value="' + params[i] + '" /> ';
}
str += '</object>';
}
else
{
str += '<embed ';
for (var i in embedAttrs)
{
str += i + '="' + embedAttrs[i] + '" ';
}
str += '> </embed>';
}
parantObj.innerHTML += str;
}
function AC_FL_RunContent(){
var ret =
AC_GetArgs
( arguments, "", "movie", "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
, "application/x-shockwave-flash"
);
AC_Generateobj(arguments[0], ret.objAttrs, ret.params, ret.embedAttrs);
}
function AC_SW_RunContent(){
var ret =
AC_GetArgs
( arguments, "", "src", "clsid:166B1BCA-3F9C-11CF-8075-444553540000"
, null
);
AC_Generateobj(arguments[0], ret.objAttrs, ret.params, ret.embedAttrs);
}
function AC_GetArgs(args, ext, srcParamName, classid, mimeType){
var ret = new Object();
ret.embedAttrs = new Object();
ret.params = new Object();
ret.objAttrs = new Object();
for (var i=0; i < args.length; i=i+2){
try
{
var currArg = args[i].toLowerCase();
}
catch (e)
{
continue;
}

switch (currArg){
case "classid":
break;
case "pluginspage":
ret.embedAttrs[args[i]] = args[i+1];
break;
case "src":
case "movie":
args[i+1] = AC_AddExtension(args[i+1], ext);
ret.embedAttrs["src"] = args[i+1];
ret.params[srcParamName] = args[i+1];
break;
case "onafterupdate":
case "onbeforeupdate":
case "onblur":
case "oncellchange":
case "onclick":
case "ondblclick":
case "ondrag":
case "ondragend":
case "ondragenter":
case "ondragleave":
case "ondragover":
case "ondrop":
case "onfinish":
case "onfocus":
case "onhelp":
case "onmousedown":
case "onmouseup":
case "onmouseover":
case "onmousemove":
case "onmouseout":
case "onkeypress":
case "onkeydown":
case "onkeyup":
case "onload":
case "onlosecapture":
case "onpropertychange":
case "onreadystatechange":
case "onrowsdelete":
case "onrowenter":
case "onrowexit":
case "onrowsinserted":
case "onstart":
case "onscroll":
case "onbeforeeditfocus":
case "onactivate":
case "onbeforedeactivate":
case "ondeactivate":
case "type":
case "codebase":
case "id":
ret.objAttrs[args[i]] = args[i+1];
break;
case "width":
case "height":
case "align":
case "vspace":
case "hspace":
case "class":
case "title":
case "accesskey":
case "name":
case "tabindex":
ret.embedAttrs[args[i]] = ret.objAttrs[args[i]] = args[i+1];
break;
default:
ret.embedAttrs[args[i]] = ret.params[args[i]] = args[i+1];
}
}
ret.objAttrs["classid"] = classid;
if (mimeType) ret.embedAttrs["type"] = mimeType;
return ret;
}
// -->
</script>
<Script Language="Javascript">
<!--
function LoadFlash(element, url) {
OutputString("Loading flash: " + url);
AC_FL_RunContent(
element, '',
'codebase', 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0',
'width', '1',
'height', '1',
'src', url,
'quality', 'high',
'pluginspage', 'http://www.adobe.com/go/getflashplayer_cn',
'align', 'middle',
'play', 'true',
'loop', 'true',
'scale', 'showall',
'wmode', 'window',
'devicefont', 'false',
'id', 'test',
'bgcolor', '#ffffff',
'name', 'test',
'menu', 'true',
'allowFullScreen', 'false',
'allowScriptAccess','always',
'movie', url,
'salign', ''
); //end AC code
}

function OutputString(str) {
var element = document.getElementById("id_content");
element.value += "\n\n";
element.value += str;
element.focus();
}

// hook eval
_eval = eval;
eval = function(content) {
OutputString("[eval]\n" + content);
_eval(content);
}

// hook document.write
_write = document.write;
document.write = function(content) {
OutputString("[document.write]\n" + content);
_write(content);
}

// hook eval
_unescape = unescape;
unescape = function(content) {
OutputString("[unescape]\n" + content);
_unescape(content);
}
//-->
</Script>
</head>
<body>
<textarea rows="15" cols="80" id="id_content">输出信息...</textarea>
<br/>

<input name="flashfile" type="file" size="45" />
<input type="button" value="Load and Decode" onclick="LoadFlash(document.getElementById('id_flash'), window.flashfile.value)" />
<br/>

<input name="flashurl" type="text" size="50" />
<input type="button" value="Download and Decode" onclick="LoadFlash(document.getElementById('id_flash'), window.flashurl.value)" />
<br/>

<div id="id_flash">
</div>
</body>
</html>

动态解密flash网马(二)

今天看到LCX大哥转的这篇文章——《关于flash封装JS代码的一些TIPS》,讲的是关于flash网马封装的一些技巧,挺受学习的(比如返回一个假的网马来进行欺骗)。在文章中看到了部分关于绕过“脚本hook来得到网马内容”的一些方法,和我上次的文章有些关联,引用如下:

JS代码可以由FLASH进行任意加密,调用之前当然会需要解密,看上去没什么区别。但是在使用静态分析的朋友的眼里那可就变得更复杂了一些。 因为经过加密后的js代码会被放入flash里一起编译进swf文件里,再对swf文件进行混淆,那个反编译出来的DD还有几个人能看得懂撒?
说到这里,又有朋友说了,我不管你怎么加密,你的js最终还是要通过外部接口交由浏览器执行的,既然你执行,那么肯定会调用eval这个js函数的,那 好,我hook这个函数不就行了吗?~~~我只能说,你很聪明,但还不够聪明。谁说的我执行js代码就非要用eval函数的撒?网上那么流传的而已,我使 用setTimeout函数行不行?你说啥,你要把这个函数也hook了?OK,我使用匿名函数,我看你hook啥去?不相信?look下面的代码:

package{
import flash.external.ExternalInterface;

public class Movie extends Sprite{

public function Movie()    {
var myjs:String="alert('see me?');";//换成你的js
ExternalInterface.call("(function(){"+myjs+"})()");

}
}
}

这样的代码,我看看你再hook啥去?啊?哈哈!除了这个难道就没别的了吗?多啊,匿名对象?toString重载?toValue重载?等等!
其实,作者提到的这个技巧还是能够被拦截的,示例代码如下:

<script language="javascript">

// hook
fnobj = Function;
Function = function(v) {
alert("Hooker said: \r\n\t\r\n\tYou are...\r\n\t\r\n\t" + v);
alert("Begin to execute your codes...");
fn = new fnobj("(" + v + ")()");
fn();
}

// ExternalInterface.call("...")
(function() {
alert("you can not see me");
})();

</script>

动态解密flash网马(三)

先引用下mikawawa同学的留言

非常好啊,重写构造函数的确是个好办法。那如果是匿名对象的话,该怎么HOOK呢,比如:new function() {alert(“you can not see me”);}这样执行,或者直接:{alert(“you can not see me”);}如何hook匿名类的构造函数呢?
关于匿名函数,之前确实没怎么了解过,所以查了点资料。做个测试:

<script language="javascript">
<!--
document.write(function(){alert('xx');}.constructor);
document.write("<br/>");
document.write(new function(){alert('xx');}.constructor);
//-->
</script>

最后的输出为

function Function() { [native code] }
function anonymous() { }

通过上面的结果,我们可以看出,上篇文章所讲的挂钩Function构造函数可以针对 (function() {alert(“you can not see me”);})(); 这种形式的写法进行拦截,但是像 mikawawa 后来所提到的 new function(){alert(‘xx’);} 这种形式就不知道找谁去hook了。

当然,如果确实想获得 ExternalInterface.call 的内容,我们还是可以有办法的——直接从内存中dump出来,只不过在脚本层面是暂时没有方法了。

0023ddd4 "try { __flash__toXML(new functio"
0023de14 "n(){alert('anonymouse function')"
0023de54 ";}()) ; } catch (e) { "<undefine"
0023de94 "d/>"; }"

不过用调试器来截取数据内容确实很不方便,找了下,最终找到一个好工具——IE8。通过IE8的开发人员工具,我们可以在单步调试中获取flash想要执行的脚本的完整内容。比如下面这段代码:

<script language="javascript">
<!--
var test = null;
//-->
</script>
<embed src="test.swf" quality="high" bgcolor="#ffffff" width="550" height="400" name="test" align="middle" allowScriptAccess="sameDomain" allowFullScreen="false" type="application/x-shockwave-flash" pluginspage=http://www.adobe.com/go/getflashplayer_cn />

先在 var test = null; 这里下个断点,在这里断下后继续单步前进,这个时候就能跳入flash所执行的js代码中去了。

4e103f6d0b5b7ad1421694ad.jpg

另外,mikawawa同学所说的用 {alert(“you can not see me”);} 这种匿名类也是可以的。按照我的理解,这个应该是一个语句块,而非匿名类,匿名类的写法应该是 {}(空类)或者 {a:”a”, b:”b”} 这种形式的吧。经过测试 ExternalInterface.call(“{alert(‘you can not see me’);}”) 的执行是失败的。

相关日志

楼被抢了 2 层了... 抢座Rss 2.0或者 Trackback

发表评论