Original article: http://blog.didierstevens.com/2014/12/23/oledump-extracting-embedded-exe-from-doc/
RECHNUNG_vom_18122014.doc (https://www.virustotal.com/en/file/d3672a6b3bc839d76b1d4c2e98ab8c3ef84cb9e928fc3cadad3f4144aa5f8e29/analysis/) is a Word document containing a malicious VBA macro that extracts and creates an exe. This article mainly shows how oledump works.
First, look at the streams (I zipped the Word document with a password to evade AV; oledump can handle such files):
Stream 7 contains the VBA macro; let's take a look at it:
When the document is opened, subroutine v45 runs automatically. It creates a temporary file, searches the document text (ActiveDocument.Range.Text) for "1234", writes the encoded bytes that follow 1234 to disk, and then executes the result.
If you look at stream 14 to inspect its content, you will see:
After 1234 you will see &H4d&H5a&h90…
&Hxx is VBA's hexadecimal literal syntax. We can convert it with a decoder. The decoder (Python) uses a regular expression to find every &Hxx, converts each xx into a character and concatenates them into a string.
#!/usr/bin/env python
__description__ = '&H decoder for oledump.py'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2014/12/19'

"""
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk

History:
  2014/12/19: start

Todo:
"""

import re

# cDecoderParent and AddDecoder are provided by oledump.py, which loads this
# decoder file through its -D option; the file is not meant to run on its own.
class cAmpersandHexDecoder(cDecoderParent):
    name = '&H decoder'

    def __init__(self, stream, options):
        self.stream = stream
        self.options = options
        self.done = False

    def Available(self):
        return not self.done

    def Decode(self):
        # Find every &Hxx token (case-insensitive, so &h90 matches too),
        # turn each hex pair into one byte and join the result.
        decoded = ''.join([chr(int(s[2:], 16)) for s in re.compile('&H[0-9a-f]{2}', re.IGNORECASE).findall(self.stream)])
        self.name = '&H decoder'
        self.done = True
        return decoded

    def Name(self):
        return self.name

AddDecoder(cAmpersandHexDecoder)
Use the following command to run the decoder on the embedded file:
oledump.py -s 14 -D decoder_ah.py RECHNUNG_vom_18122014.doc.zip
From the MZ and PE headers it can be identified as a PE file, which we can inspect with pecheck:
oledump.py -s 14 -D decoder_ah.py -d RECHNUNG_vom_18122014.doc.zip | pecheck.py
About pecheck: http://blog.didierstevens.com/2013/04/19/3462/
Download: http://didierstevens.com/files/software/pecheck_v0_3_0.zip
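As an added example (not code from the article, oledump or pecheck), the following stand-alone Python 3 script combines the two steps described above: it decodes the &Hxx bytes that follow the "1234" marker the macro searches for, then applies the MZ / PE-signature check that identifies the result as a PE file. The stream text is a constructed stub with a minimal DOS header, not the document's real payload, and the function names decode_ampersand_hex, looks_like_pe and build_sample are mine.

```python
import re
import struct

# Matches one VBA hex literal such as &H4d or &h90 (the article shows both cases).
AMPERSAND_HEX = re.compile(r"&H([0-9a-f]{2})", re.IGNORECASE)


def decode_ampersand_hex(text, marker="1234"):
    """Return the bytes encoded as &Hxx after the first occurrence of marker.

    The macro in the article searches ActiveDocument.Range.Text for "1234"
    and writes what follows to disk, so decoding starts after that marker.
    """
    pos = text.find(marker)
    if pos < 0:
        raise ValueError("marker %r not found in stream text" % marker)
    return bytes(int(h, 16) for h in AMPERSAND_HEX.findall(text[pos + len(marker):]))


def looks_like_pe(data):
    """Apply the two checks the article relies on: 'MZ' at offset 0 and
    'PE\\0\\0' at the offset stored in e_lfanew (DOS header offset 60)."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample():
    """Constructed stream text (not the real payload): a minimal DOS header
    whose e_lfanew points at a 'PE\\0\\0' signature, &H-encoded with
    mixed-case prefixes and surrounded by filler text."""
    header = b"MZ" + b"\x90" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20
    encoded = "".join(("&H" if i % 2 else "&h") + "%02x" % b for i, b in enumerate(header))
    return "Rechnung vom 18.12.2014 1234" + encoded + " Ende"


if __name__ == "__main__":
    payload = decode_ampersand_hex(build_sample())
    print("%d bytes decoded, PE header check: %s" % (len(payload), looks_like_pe(payload)))
```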