shows object 9 0 from this PDF. This object contains JavaScript that will be executed when the document is opened.
unescape function with a long text string. The unescape function works by translating each % character as follows:

If the % is followed by a u, it takes the next four characters, treats them as ASCII hex, and translates this into 2 bytes. The output order will be byte-swapped due to its endianness.

If the % is not followed by a u, it takes the next two characters, treats them as ASCII hex, and translates this into 1 byte.
to manually unescape the shellcode payload and turn it into a binary file suitable for further analysis, or you can use the file Lab19-03_sc.bin, which contains the decoded contents provided with the labs.
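The following Python script is an added example, not part of the book or the lab files: it performs the manual unescape just described (%uXXXX to two byte-swapped bytes, %XX to one byte) and writes the result as a binary blob. The input string and the output filename decoded_sc.bin are constructed for the demonstration, not taken from the lab.

```python
import re

# The two escape forms described above: %uXXXX (2 bytes) and %XX (1 byte).
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(payload: str) -> bytes:
    """Replicate JavaScript unescape() on a shellcode string and return raw bytes.

    %uXXXX -> 16-bit value emitted little-endian, so %u4142 becomes b"BA"
    %XX    -> a single byte
    Any other character (including a '%' not followed by valid hex, which
    unescape() leaves untouched) is passed through as its low character code.
    """
    out = bytearray()
    pos = 0
    while pos < len(payload):
        m = _ESC.match(payload, pos)
        if m is None:
            # Literal character; simplified to one byte for shellcode dumps.
            out.append(ord(payload[pos]) & 0xFF)
            pos += 1
        elif m.group(1) is not None:
            # %uXXXX: the word is stored little-endian, hence the byte swap.
            out += int(m.group(1), 16).to_bytes(2, "little")
            pos = m.end()
        else:
            # %XX: exactly one byte.
            out.append(int(m.group(2), 16))
            pos = m.end()
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample string, not the lab's real payload: a short NOP sled,
    # an int3/ret pair, and two %XX-encoded bytes.
    SAMPLE = "%u9090%u9090%uC3CC%41%42"
    blob = js_unescape(SAMPLE)
    print(blob.hex(" "))  # 90 90 90 90 cc c3 41 42
    # Write the decoded bytes to a file that a disassembler or debugger can load.
    with open("decoded_sc.bin", "wb") as fh:
        fh.write(blob)
```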
call/pop technique to obtain a pointer to the global data starting at ❶.

findKernel32Base and findSymbolByHash functions defined in and in . As in , the shellcode loops over the symbol hashes, resolves them, and stores them back to create a function pointer array. This is done 14 times for kernel32 at ❶. The shellcode then creates the string shell32 on the stack by pushing two DWORD values at ❷ to use as an argument to LoadLibraryA. A single export from shell32.dll is resolved and added to the function pointer array at ❸.
GetFileSize function in a loop. Given an open handle, this function returns the size of the file that the handle corresponds to. The shellcode initializes the handle value to 0 at ❶ and adds 4 to it on each iteration at ❷. The result is compared against the value stored at offset 0x3c in the shellcode's embedded data. This value is 0xC602, and it is the exact size of the malicious PDF. This is how the shellcode finds the existing open handle to the PDF document that Adobe Reader opened before the exploit launched. (It is common to store encoded data in malicious media files because media files can be fairly large without raising suspicion.) The malware requires an open handle to the malicious media file to work as expected, which is why the -r flag to shellcode_launcher.exe must be provided for this sample to perform any work.

GetTempPathA at ❶, and then appends the string foo.exe.

CreateProcessA at ❷, creating a new process from the file just written to disk.

writeBufferToDisk at ❷ decodes the file contents using the mask value 0x4a, and writes it to %TEMP%\bar.pdf.

ShellExecuteA at ❶. It passes in the command string "open" at ❷ and the path to the PDF at ❸, which causes the system to open the specified file with the application registered to handle it.

Example C-208. Opening the second file and exiting
000002E8    xor     ecx, ecx
000002EA    lea     eax, [ebp-168h]         ; scratch space, for ShellExecute lpOperation verb
000002F0    mov     dword ptr [eax], 6E65706Fh  ; "open" ❷
000002F6    mov     byte ptr [eax+4], 0
000002FA    push    5                       ; SW_SHOWNORMAL | SW_SHOWNOACTIVATE
000002FF    push    ecx
00000300    push    ecx
00000301    lea     eax, [ebp-124h]         ; output PDF filename ❸
00000307    push    eax
00000308    lea     eax, [ebp-168h]         ; ptr to "open"
0000030E    push    eax
0000030F    push    ecx
00000310    call    dword ptr [ebx+38h]     ; ShellExecuteA ❶
00000313 loc_313:
00000313    call    dword ptr [ebx+0Ch]     ; GetCurrentProcess
00000316    push    0
0000031B    push    eax
0000031C    call    dword ptr [ebx+8]       ; TerminateProcess
It is common for malicious media files to contain legitimate files that are extracted and opened by the shellcode in an attempt to avoid raising suspicion. The expectation is that users will simply think that any delay is due to a slow computer, when actually the exploit has just launched a new process, and then opened a real file to cover its tracks.