Lesi sihloko siyingxenye yochungechunge lwe-Fileless Malware. Zonke ezinye izingxenye zochungechunge:
- I-Adventures ye-Elusive Malware, Ingxenye IV: I-DDE ne-Word Document Fields (sikhona)
Kulesi sihloko, bengizocwila esimweni sokuhlasela okungenafayela esiyinkimbinkimbi kakhulu sezigaba eziningi ngokuphina ohlelweni. Kepha ngabe sengihlangana nokuhlasela okulula ngendlela emangalisayo, okungenakhodi—akudingeki iZwi noma i-Excel macros! Futhi lokhu kufakazela ngempumelelo kakhulu umbono wami wasekuqaleni osekelwe kulolu chungechunge lwezihloko: ukwephula umjikelezo wangaphandle wanoma iyiphi inhlangano akuwona neze umsebenzi onzima.
Ukuhlasela kokuqala engizokuchaza kusebenzisa ukuba sengozini kwe-Microsoft Word okusekelwe kukho isiphelelwe yisikhathi (DDE). Wayesevele . Okwesibili kusebenzisa ukuba sengozini okuvamile ku-Microsoft COM namandla okudlulisa into.
Emuva esikhathini esizayo nge-DDE
Ukhona omunye okhumbula i-DDE? Mhlawumbe ababaningi. Kwakungezinye zokuqala izinqubo zokuxhumana ezivumela izinhlelo zokusebenza namadivayisi ukuthi adlulise idatha.
Ngiyazi kahle mina ngoba bengijwayele ukuhlola futhi ngivivinye okokusebenza kwe-telecom. Ngaleso sikhathi, i-DDE yavumela, isibonelo, opharetha besikhungo sezingcingo ukuthi badlulisele umazisi womshayi kuhlelo lwe-CRM, olugcine luvule ikhadi lekhasimende. Ukuze wenze lokhu, bekufanele uxhume ikhebula le-RS-232 phakathi kwefoni yakho nekhompyutha yakho. Kwakuyizinsuku lezo!
Njengoba kuvela, iMicrosoft Word isekhona I-DDE.
Okwenza lokhu kuhlasela kuphumelele ngaphandle kwekhodi ukuthi ungakwazi ukufinyelela iphrothokholi ye-DDE ngqo kusuka ezinkambini ezizenzakalelayo kudokhumenti ye-Word (ivala i-SensePost ye Mayelana nakho).
Amakhodi enkundla esinye isici sakudala se-MS Word esikuvumela ukuthi wengeze umbhalo oguquguqukayo kanye nohlelo oluthile kudokhumenti yakho. Isibonelo esisobala kakhulu inkambu yenombolo yekhasi, engafakwa ngaphansi kusetshenziswa inani elithi {PAGE *MERGEFORMAT}. Lokhu kuvumela izinombolo zekhasi ukuthi zenziwe ngokuzenzakalelayo.
Ithiphu: Ungathola into yemenyu yeNdawo ngaphansi kokuthi Faka.
Ngikhumbula ukuthi lapho ngiqala ukuthola lesi sici ku-Word, ngamangala. Futhi kuze kube yilapho isiqeshana siyikhubaza, i-Word yisasekela inketho yezinkambu ze-DDE. Umqondo wawuwukuthi i-DDE izovumela i-Word ukuthi ixhumane ngokuqondile nohlelo lokusebenza, ukuze idlulise okuphumayo kohlelo kube idokhumenti. Kwakuwubuchwepheshe obuncane kakhulu ngaleso sikhathi - ukusekela ukushintshaniswa kwedatha nezinhlelo zokusebenza zangaphandle. Kamuva yathuthukiswa yaba ubuchwepheshe be-COM, esizobuye siyibuke ngezansi.
Ekugcineni, abaduni babona ukuthi lolu hlelo lokusebenza lwe-DDE lungaba igobolondo lomyalo, okuyinto eyethula i-PowerShell, futhi kusukela lapho abaduni bangenza noma yini abayifunayo.
Isithombe-skrini esingezansi sibonisa ukuthi ngisebenzise kanjani le ndlela yokukhohlisa: iskripthi esincane se-PowerShell (kamuva esibizwa ngokuthi i-PS) esivela kunkambu ye-DDE silayisha esinye iskripthi se-PS, esiqala isigaba sesibili sokuhlasela.
Sibonga iWindows ngesixwayiso se-pop-up sokuthi inkambu eyakhelwe ngaphakathi ye-DDEAUTO izama ngokuyimfihlo ukuqalisa igobolondo.
Indlela ekhethwayo yokusebenzisa ubungozi ukusebenzisa okuhlukile ngenkambu ye-DDEAUTO, eqalisa ngokuzenzakalelayo umbhalo. uma uvula Idokhumenti yegama.
Ake sicabange ukuthi yini esingayenza ngalokhu.
Njengesigebengu se-novice, ungakwazi, isibonelo, ukuthumela i-imeyili yobugebengu bokweba imininingwane ebucayi, wenze sengathi uvela ku-Federal Tax Service, futhi ushumeke inkambu ye-DDEAUTO ngombhalo we-PS wesigaba sokuqala (i-dropper, empeleni). Futhi awudingi ngisho nokwenza noma iyiphi ikhodi yangempela yama-macros, njll., njengoba ngenza kuwo
Isisulu sivula idokhumenti yakho, iskripthi esishumekiwe siyasebenza, futhi isigebengu sigcina singaphakathi kukhompyutha. Endabeni yami, iskripthi esikude se-PS simane siphrinte umlayezo, kodwa singase sethule kalula iklayenti le-PS Empire, elizohlinzeka ngokufinyelela kwegobolondo elikude.
Futhi ngaphambi kokuba isisulu sibe nesikhathi sokusho okuthile, abaduni bazoba yintsha ecebe kakhulu endaweni.
Igobolondo lethulwe ngaphandle kokuncane ukubhala ikhodi. Ngisho nengane ingakwenza lokhu!
I-DDE nezinkambu
IMicrosoft kamuva yakhubaza i-DDE ku-Word, kodwa hhayi ngaphambi kokuthi inkampani isho ukuthi lesi sici sisetshenziswe kabi. Ukungabaza kwabo ukushintsha noma yini kuyaqondakala. Ngokuhlangenwe nakho kwami, mina ngokwami ngibone isibonelo lapho ukuvuselela izinkambu lapho kuvulwa idokhumenti kunikwe amandla, kodwa i-Word macros ikhutshazwe yi-IT (kodwa ibonisa isaziso). Ngendlela, ungathola izilungiselelo ezihambisanayo esigabeni sezilungiselelo ze-Word.
Nokho, ngisho noma ukubuyekezwa kwenkundla kunikwe amandla, i-Microsoft Word iphinde yazisa umsebenzisi lapho inkambu icela ukufinyelela kudatha esusiwe, njengoba kwenzeka nge-DDE ngenhla. I-Microsoft iyakuxwayisa ngempela.
Kodwa kungenzeka ukuthi, abasebenzisi basazoziba lesi sexwayiso futhi benze isibuyekezo sezinkambu sisebenze ku-Word. Leli elinye lamathuba angavamile okubonga i-Microsoft ngokukhubaza isici esiyingozi se-DDE.
Kunzima kangakanani ukuthola uhlelo lwe-Windows olungapeyishiwe namuhla?
Kulokhu kuhlola, ngisebenzise i-AWS Workspaces ukuze ngifinyelele ideskithophu ebonakalayo. Ngale ndlela ngithole umshini we-MS Office ongaphekiwe owangivumela ukuthi ngifake inkambu ye-DDEAUTO. Angingabazi ukuthi ngendlela efanayo ungathola ezinye izinkampani ezingakazifaki iziqephu zokuphepha ezidingekayo.
Imfihlakalo yezinto
Ngisho noma usifakile lesi siqeshana, kunezinye izimbobo zokuphepha ku-MS Office ezivumela abaduni ukuba benze okuthile okufana kakhulu nalokho esikwenzile nge-Word. Esimweni esilandelayo sizofunda sebenzisa i-Excel njengesiyengo sokuhlasela kobugebengu bokweba imininingwane ebucayi ngaphandle kokubhala noma iyiphi ikhodi.
Ukuze uqonde lesi simo, masikhumbule Imodeli Yento Yengxenye ye-Microsoft, noma ngamafuphi I-COM (Imodeli Yento Yengxenye).
I-COM ibikhona kusukela ngeminyaka yawo-1990s, futhi ichazwa ngokuthi "imodeli yengxenye yolimi engathathi hlangothi, egxile entweni" esekelwe kumakholi wenqubo ekude ye-RPC. Ukuze uthole ukuqonda okujwayelekile kwamagama e-COM, funda ku-StackOverflow.
Ngokuyisisekelo, ungacabanga ngohlelo lwe-COM njenge-Excel noma i-Word esebenzisekayo, noma elinye ifayela kanambambili elisebenzayo.
Kuvele ukuthi uhlelo lokusebenza lwe-COM lungasebenza isimo - JavaScript noma VBScript. Ngobuchwepheshe ibizwa ngokuthi umbhalo. Kungenzeka ukuthi usibonile isandiso se-.sct samafayela ku-Windows - lesi isandiso esisemthethweni sama-scriptlets. Empeleni, ziyikhodi yombhalo esongwe ngesonga se-XML:
<?XML version="1.0"?>
<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");
]]>
</script>
</scriptlet>
Abaduni nabapentesta bathole ukuthi kunezinsiza ezihlukene nezinhlelo zokusebenza ku-Windows ezamukela izinto ze-COM futhi, ngokufanelekile, nama-scriptlets.
Ngingadlulisela i-scriptlet ensizeni yeWindows ebhalwe ku-VBS eyaziwa ngokuthi yi-pubprn. Itholakala ekujuleni kwe-C:Windowssystem32Printing_Admin_Scripts. Ngendlela, kunezinye izinsiza zeWindows ezamukela izinto njengamapharamitha. Ake sibheke lesi sibonelo kuqala.
Kungokwemvelo ukuthi igobolondo lingaqaliswa ngisho nakumbhalo wokuphrinta. Hamba ku-Microsoft!
Njengokuhlola, ngidale i-scriptlet esilawuli kude esivula igobolondo futhi siphrinte umlayezo ohlekisayo, "Usanda kubhalwa!" Empeleni, i-pubprn iqinisa into ye-scriptlet, ivumela ikhodi ye-VBScript ukuthi iqalise ukusonga. Le ndlela inikeza inzuzo ecacile kubaduni abafuna ukungena futhi bacashe ohlelweni lwakho.
Kokuthunyelwe okulandelayo, ngizochaza ukuthi imibhalo ye-COM ingaxhashazwa kanjani ngabaduni besebenzisa amaspredishithi e-Excel.
Ngomsebenzi wakho wesikole, bheka kusuka ku-Derbycon 2016, echaza kahle ukuthi abaduni basebenzise kanjani imibhalo. Futhi ufunde mayelana nama-scriptlets kanye nohlobo oluthile lwe-moniker.
Source: www.habr.com