Shulou(Shulou.com)06/01 Report--

Foreword:

  has studied pyinstaller and pyc bytecode formats following a blog post entitled "partial sample Analysis of Xbash". Although the relevant information is relatively small, it does not affect access to new knowledge.

  has to say that pyinstaller is the culprit for the cross-platform execution of Xbash series of malware. PyInstaller supports multi-platform executable file conversion, such as Linux, Windows, Apple macOS and so on. It means that the virus can run compatible on multiple platforms. Although python development and maintenance of viruses is less difficult and short cycle, it is also a good thing for analysts, such as extracting executable files into python source code.

Pyinstallerpyc malicious code analysis environment building and using pyc format to parse (part) Python malicious code

✃  

1. Pyinstaller:

 ☛ introduces pyinstaller. As the preface says, pyinstaller will read the python script you wrote, and it will analyze it itself, based on the modules and libraries needed for export and execution, of course. Collect these files, including the active interpreter, and put them in a folder.

  This section covers the basic ideas of PyInstaller. These ideas apply to all platforms. Options and special cases are covered below, under Using PyInstaller.

  PyInstaller reads a Python script written by you. It analyzes your code to discover every other module and library your script needs in order to execute. Then it collects copies of all those files-including the active Python interpreter!-and puts them with your script in a single folder, or optionally in a single executable file.

The above reference to   is derived from the pyinstaller manual: https://pyinstaller.readthedocs.io/en/stable/index.html

In other words, when using pyinstaller, we will automatically retrieve the libraries and modules and interpreters needed in our code, package them together, and generate executable files according to different parameters. Of course, we are not studying how to convert to pe format and elf format, because it takes a long time.

  but we need to know how to execute pyinstaller when it is packaged into a folder. First pyinstaller will load myscript.exe, which is the core file, and then boot the loader to the active platform binary executable. It boots the loader, loads the python environment, and makes it easy for the python interpreter to import modules and libraries in myscript.

When   starts, it creates a temporary folder name _ MEIxxxxxx in the corresponding folder of the operating system, and the boot loader is exactly the same as the single folder package in the context of the temporary folder. When the binding code terminates, the boot loader will delete the temporary folder. Please refer to the official documentation for details.

Some parameters of ✍ about pyinstaller, as follows:

  Picture 1: pyinstaller parameter

1.-F,-- onefile create a file bundle executable 2,-w,-- windowed,-- noconsole pe format window program GUI 3,-c,-- console,-- nowindowed pe format console program 4,-a,-- ascii does not contain unicode support 5,-D,-- onedir creates a single folder containing executable files

Such as and install pyinstaller? Quite simply, the command is as follows:

System Centos if you do not have pip installed, refer to the following: 1. Install epel extension: yum-yinstall epel-release 2, install pip:yum-yinstall python-pip, install pyinstaller: reference under pip install pyinstallerWindows is also the same

How to use pyinstaller? It is divided into the following major steps, as follows:

  1. First of all, you need to write a py file. Of course, you can write code in multiple files. Except for the special module that needs to tell pyinstaller the location, the rest will be customized to help you analyze the module and library. The test code is as follows:

  Picture 2: python Test Code

2. Use the pyinstaller command to package, as follows:

  Picture 3: pyinstaller package

3. View the generated data, as shown below:

  Picture 4: dist/xxx

The elf program generated by   works fine, and pyinstaller maintains the data file in PYZ format as shown in the figure above, appended to the end of the executable file, followed by the format beginning with PYZ.

  officially provides the corresponding script to extract pyc, which is called archive_viewer.py Code download: https://github.com/pyinstaller/pyinstaller/blob/develop/PyInstaller/utils/cliutils/archive_viewer.py

4. Paste the code from the above website, touch a file, and copy it with + x permission, as shown below:

  Picture 5: archive_viewer.py

5. We found that there is a lot of data below. The name in the s flag segment we need to pay attention to is our own file name:

  Picture 6: s Segment Mark data

6. What are the parameters of archive_viewer.py? A simple analysis of the source code is as follows:

  Picture 7: command Analysis

7. Start extracting pyc, as shown below:

  Picture 8: extract command

8. At this time, let's take a look at the extracted pyc,widnows and use 010. Under linux, you can use xxd to observe, as shown below:

  Picture 9: extract pyc data for observation

Is the extraction of   9 and pyc correct after all? How to confirm? At this point, we need to use the py_compile module in python, where the method compile can generate py into pyc, so we can compare it with each other, as shown below:

  Picture 10: py_compile

Code: import py_compile py_compile.compile (r 'path') Note: sometimes a _ _ pycompile__ folder will be generated, which will contain pyc, and sometimes pyc will be generated under the input path. Be careful to overwrite the pyc extracted in elf.

10. Let's take a look at the bytecode pyc generated by the original compilation of python as follows:

  Picture 11: compile compiling pyc

If you compare   Picture 9 with Picture 11, you will certainly lose 8 bytes of data at the beginning. Note that the python2.7.5 used in the current compilation environment lacks 8 bytes of data, and the byte coding bytes in front of python3 are also different.

  is tested and observed in the current environment, so the pyc extracted by archive_viewer.py in pyinstaller lacks 8 bytes of data than the normally compiled bytecode, what is missing? Let's take a look at pyc format parsing.

✃  

Second, pyc format parsing:

  Picture 12: data Analysis in partial pyc format

 , of course, the format of pyc is not only so many of the above, but only a part of it is listed. To introduce the parameters in detail is not an article or can be studied and understood in a short time, so let's look at some important data.

  1, MAGIC, Magic head, note that the version is different, so the value of the Magic head is different. For example, python2 is generally 03f30d0a 33790d0a 3.6, occupying 4 bytes, the first two bytes are version, and the last two bytes are 0d0a two flag bits.

  2. Magic is followed by MTIME, which takes up four bytes of time.

  3, TYPE_CODE, represents a PyCodeObject object, occupies a byte size, and the flag bit is c, which is actually the code object PyCodeObject generated by the compilation process in Pyton. Write PyCodeObject to the binary file, which is .pyc.

  4. We find that the value of co_code in the picture is actually each field in the PyCodeObject structure, and each attribute occupies one long byte.

  5. The following three attributes, Type_string and size values values, are co_code corresponding to PyCodeObject.

  6, Type_List, which occupies one byte, is a type linked list.

  7 and co_consts size represent the number of elements and occupy four bytes.

  8, Type_INT and co_consts [0] are a × × ×.

  also has many properties. For more detailed data, please refer to https://www.2cto.com/kf/201504/395067.html.

Through the above description,  ✉ has a basic understanding of pyc's data format and simply knows the meaning of those bytes and the role of the foundation.

  so that we can easily know that when the pyinstaller is packaged, the unzipped Pyc is missing 8 bytes, which are the Magic and MTIME field properties, and the MTIME field we can fill to 0 (it doesn't matter).

  determines the format of the magic header according to the current environment (pyinstaller should extract the magic header as the version determination method when packaging, so there will be a lack of bytes). We try to add the actual data to c, which is just before the PyCodeObject object, to make up 8 bytes of data, as follows:

  Picture 13: make up the data

  Note: complete the data before the PyCodeObject object, not modify it on the original data! Otherwise, an error will be reported when converting py.

After   completes the data, what we need to do is to decompile it into py files with tools. A software called EasyPythonDecompiler.exe is recommended under wdinows, and numerous under linux, so here we can use linux under the name uncompyle2, decompyle2 a lot. The following demonstration uses EasyPythonDecompiler.exe to transform py, as shown below:

  Picture 14: Decompile Success

After the   conversion is completed, the mypy.pyc_dis file will be generated. If the format of the pyc is incorrect, it will fail and generate mypy.pyc_dis.failure. At this time, we will import the IDE to see whether the python source code is the same as the source code in figure 2, as shown below:

  picture 15: match is successful

  has been able to successfully convert pyinstaller packaged elf format files into py, what is the use? Also remember that the Xbash series of viruses include viruses packaged by pyinstaller, as follows:

  Picture 16: extract malicious Code

✃ 

3. Python malicious code analysis:

➀weak user and password Dictionary:

  Picture 17: weak users and weak passwords

➁ public network request and initialization scan IP and trace port:

  Picture 18: request and Port initialization

➂ initializes the malicious thread environment and starts the thread:

  Picture 19: create a Startup Thread

➃ thread callback analysis:

  Picture 20: thread callback Analysis

➄ WEB scan and database scan:

  Picture 21: pass_crack

  Picture 22: check_pass

  Picture 23: check_pass

  Picture 24: mysql

  picture 25: mysql deletes library for extortion

  picture 26: postgresql deletes library for extortion

  picture 27: mongodb deletes library for extortion

  picture 28: redis deletes library for extortion

  picture 29: hadoop Yarn Rm executes the command

  Picture 30: MQ uses the implementation of put

⑥ intranet scan:

  Picture 31: intranet scan

  Picture 32: intranet scan

  through the analysis of the above malicious code, the most abominable thing is to delete the library without any backup, and deceive 0.02BTC, even if you pay the other side, sorry that your database can not be restored, the other side will use your heart to ask for more BTC.

There are a large number of weak accounts and passwords in the   server, which brings benefits to the virus. Scan the web and create a thread in the intranet. Once the dictionary match is found, the database will be destroyed.

How to prevent  ? If your server and database account names, password standardized management (complexity and length), change frequently, do not use these weak passwords and weak accounts, even if you break through the security protection, do not misbehave during dictionary scanning and cracking, then XbashY sample analysis comes to an end.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.