Ngalesi sihloko siqala uchungechunge lokushicilelwe mayelana nohlelo olungayilungele ikhompuyutha. Izinhlelo zokugebenga okungenafayela, ezaziwa nangokuthi izinhlelo zokugebenga ezingenafayili, ngokuvamile zisebenzisa i-PowerShell kumasistimu e-Windows ukuze ziqhube imiyalo buthule ukucinga nokukhipha okuqukethwe okubalulekile. Ukuthola umsebenzi we-hacker ngaphandle kwamafayela anonya kuwumsebenzi onzima, ngoba... ama-antivirus kanye nezinye izinhlelo eziningi zokuhlonza zisebenza ngokusekelwe ekuhlaziyweni kwesiginesha. Kodwa izindaba ezinhle ukuthi isofthiwe enjalo ikhona. Ngokwesibonelo, , ekwazi ukuthola umsebenzi onobungozi ezinhlelweni zamafayela.
Ngesikhathi ngiqala ukucwaninga isihloko sabaduni ababi, , kodwa amathuluzi nesofthiwe kuphela etholakala kukhompyutha yesisulu, ngangingazi ukuthi lokhu kwakuzoba indlela ethandwayo yokuhlasela. Ochwepheshe Bezokuphepha ukuthi lokhu kuba umkhuba, futhi - ukuqinisekiswa kwalokhu. Ngakho-ke, nginqume ukwenza uchungechunge lwezincwadi ezikhuluma ngalesi sihloko.
I-PowerShell Enkulu futhi Enamandla
Ngike ngabhala mayelana neminye yale mibono ngaphambi kokuthi , kodwa okuningi kusekelwe kumqondo wetiyetha. Kamuva ngafika , lapho ungathola khona amasampula ohlelo olungayilungele ikhompuyutha “abanjwe” endle. Nginqume ukuzama ukusebenzisa leli sayithi ukuze ngithole amasampula ohlelo olungayilungele ikhompuyutha olungenafayela. Futhi ngaphumelela. Nokho, uma ufuna ukuya ohambweni lwakho lokuzingela uhlelo olungayilungele ikhompuyutha, kuzodingeka uqinisekiswe yile sayithi ukuze bazi ukuthi wenza umsebenzi njengochwepheshe bezigqoko ezimhlophe. Njenge-blogger yezokuphepha, ngiyidlulise ngaphandle kokubuza. Ngiqinisekile nawe ungakwenza.
Ngaphezu kwamasampula ngokwawo, kusayithi ungabona ukuthi lezi zinhlelo zenzani. Ukuhlaziywa kwe-Hybrid kusebenzisa uhlelo olungayilungele ikhompuyutha ku-sandbox yakhona futhi kuqaphe amakholi esistimu, ukuqhuba izinqubo nomsebenzi wenethiwekhi, futhi kukhiphe izintambo zombhalo ezisolisayo. Okwamabhanari namanye amafayela asebenzisekayo, i.e. lapho ungeke ukwazi ngisho nokubheka ikhodi yangempela yezinga eliphezulu, ukuhlaziya okuxubile kunquma ukuthi isofthiwe inonya noma nje isolisa ngokusekelwe emsebenzini wayo wesikhathi sokusebenza. Futhi ngemva kwalokho isampula isivele ihloliwe.
Endabeni ye-PowerShell nezinye izikripthi zesampula (Visual Basic, JavaScript, njll.), ngikwazile ukubona ikhodi ngokwayo. Isibonelo, ngithole lesi sibonelo se-PowerShell:
Ungaphinda usebenzise i-PowerShell ekubhaleni ngekhodi kwe-base64 ukuze ugweme ukutholwa. Qaphela ukusetshenziswa kwamapharamitha Angasebenzisananga futhi Afihliwe.
Uma ukufundile okuthunyelwe kwami ku-obfuscation, uyazi-ke ukuthi i--e inketho icacisa ukuthi okuqukethwe kufakwe ikhodi ye-base64. Ngendlela, ukuhlaziywa kwe-hybrid nakho kuyasiza ngalokhu ngokuhlehlisa yonke into emuva. Uma ufuna ukuzama ukuqopha i-base64 PowerShell (ngemuva kwalokhu ebizwa nge-PS) ngokwakho, udinga ukusebenzisa lo myalo:
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))Hamba ujule
Nginqume iskripthi sethu se-PS ngisebenzisa le ndlela, ngezansi umbhalo wohlelo, nokho ulungiswe yimina kancane:
Qaphela ukuthi iskripthi siboshelwe kudethi yangomhla ka-Septhemba 4, 2017 futhi sasakazwa amakhukhi weseshini.
Ngabhala ngalesi sitayela sokuhlasela ku , lapho iskripthi esifakwe ikhodi ye-base64 silayisha khona engekho uhlelo olungayilungele ikhompuyutha kwenye isayithi, kusetshenziswa into ye-WebClient yomtapo we-Net Framework ukuze uphakamise kanzima.
Lokhu kwenzelwa ini?
Ukuze isofthiwe yokuvikeleka iskena amalogi omcimbi we-Windows noma izindonga zokuvikela, umbhalo we-base64 uvimbela iyunithi yezinhlamvu ethi "WebClient" ekubonweni ngephethini yombhalo ongenalutho ukuze ivikeleke ekwenzeni isicelo esinjalo sewebhu. Futhi njengoba bonke “ububi” bohlelo olungayilungele ikhompuyutha bube sekulandwa futhi budluliselwe ku-PowerShell yethu, le ndlela isivumela ukuba sigweme ngokuphelele ukutholwa. Noma kunalokho, yilokho engangikucabanga ekuqaleni.
Kuvele ukuthi ngeWindows PowerShell Advanced Logging enikwe amandla (bona indatshana yami), uzokwazi ukubona umugqa olayishiwe kulogi yomcimbi. Ngifana ) Ngicabanga ukuthi iMicrosoft kufanele inike amandla leli zinga lokungena ngokuzenzakalelayo. Ngakho-ke, ngokungena okunwetshiwe kunikwe amandla, sizobona kulogi yomcimbi we-Windows isicelo sokulanda esiqediwe esivela kuskripthi se-PS ngokwesibonelo esixoxile ngaso ngenhla. Ngakho-ke, kunengqondo ukuyivula, awuvumi?
Ake sengeze ezinye izimo
Ngobuhlakani izigebengu zifihla ukuhlaselwa kwe-PowerShell kumamakhro e-Microsoft Office abhalwe nge-Visual Basic nezinye izilimi zokubhala. Umbono ukuthi isisulu sithola umlayezo, isibonelo ovela kusevisi yokulethwa, onombiko onamathiselwe ngefomethi ye-.doc. Uvula le dokhumenti equkethe i-macro, futhi igcina yethula i-PowerShell enonya ngokwayo.
Imvamisa iskripthi se-Visual Basic ngokwaso siyafiphala ukuze sigweme ngokukhululeka i-antivirus nezinye izikena ze-malware. Ngomoya walokhu okungenhla, nginqume ukufaka ikhodi ye-PowerShell engenhla ku-JavaScript njengomsebenzi. Ngezansi imiphumela yomsebenzi wami:
I-JavaScript efihlisiwe efihla i-PowerShell yethu. Abaduni bangempela benza lokhu kanye noma kabili.
Lena enye indlela engiyibone intanta kuwebhu: isebenzisa i-Wscript.Shell ukuze usebenzise i-PowerShell enekhodi. Ngendlela, iJavaScript ngokwayo ukulethwa kwe-malware. Izinguqulo eziningi ze-Windows zakhelwe ngaphakathi , yona ngokwayo engasebenzisa i-JS.
Esimweni sethu, isikripthi esinonya se-JS sishumekwe njengefayela elinesandiso se-.doc.js. I-Windows ngokuvamile izobonisa isijobelelo sokuqala kuphela, ngakho sizovela kohlukunyezwayo njengedokhumenti ye-Word.
Isithonjana se-JS sivela kuphela kusithonjana sokuskrola. Akumangazi ukuthi abantu abaningi bazovula lesi sinanyathiselwa becabanga ukuthi idokhumenti ye-Word.
Esibonelweni sami, ngiguqule i-PowerShell ngenhla ukuze ngilande iskripthi kuwebhusayithi yami. Isikripthi se-PS esikude simane siphrinte "Uhlelo olungayilungele ikhompuyutha olubi". Njengoba ubona, akayena nhlobo omubi. Yiqiniso, abaduni bangempela banesithakazelo sokuthola ukufinyelela kwi-laptop noma iseva, yithi, ngokusebenzisa igobolondo lomyalo. Esihlokweni esilandelayo, ngizokukhombisa ukuthi ungakwenza kanjani lokhu usebenzisa i-PowerShell Empire.
Ngithemba ukuthi ngesihloko sokuqala esiyisingeniso asizange sijule kakhulu esihlokweni. Manje ngizokuvumela ukuthi uphefumule, futhi ngokuzayo sizoqala ukubheka izibonelo zangempela zokuhlasela kusetshenziswa uhlelo olungayilungele ikhompuyutha olungenafayela ngaphandle kwamagama ayisingeniso angadingekile noma ukulungiselela.
Source: www.habr.com