Reverse Engineering the Xingtu Log Analysis Tool

Intro

Partly out of curiosity and partly to learn something, and having noticed that this tool had not been updated for a long time, I decided to take a look at it.
http://wangzhan.360.com/Activity/xingtu
The download notice on the web page says the software needs a JRE to run, which tells us the tool is written in Java. After downloading and unpacking, the directory layout is as follows:

Xingtu
├── bin
│   ├── ip.dat
│   ├── js
│   │   ├── jquery.min.js
│   │   └── plug-in.js
│   ├── xingtu.exe
│   └── xingtu.exe.vmoptions
├── conf
│   ├── config.ini
│   └── rules.ini
├── cron.bat
├── logs
│   └── output.log
├── start.bat
├── tail.exe

The main program turned out to be a PE file; a quick look with Strings showed it was packaged with exe4j. There is no need to bother unpacking the exe4j layer: simply run it in an environment with no JRE installed. It will print a few errors, and the extracted Jar can then be picked up directly from %Temp%.
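The manual step above (let the exe4j launcher fail, then dig the Jar out of %Temp%) is easy to script. The following is an added example, not code from the post or from the Xingtu tool: it walks a directory, picks out every `.jar`, and reads the `Main-Class` from its manifest so the entry point is known before decompiling. The `demo()` function builds a constructed jar holding only the manifest shown further down in the post; the helper names (`find_jars`, `manifest_main_class`, `make_demo_jar`) are my own.

```python
import os
import tempfile
import zipfile


def manifest_main_class(jar_path):
    """Return the Main-Class from META-INF/MANIFEST.MF, or None if absent.
    Manifest values longer than 72 bytes wrap onto continuation lines that
    start with a single space, so those are joined before parsing."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Main-Class":
            return value.strip()
    return None


def find_jars(root):
    """Walk root (for example the %Temp% directory after a failed exe4j start)
    and map every jar found to its declared entry point."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".jar") and zipfile.is_zipfile(path):
                found[path] = manifest_main_class(path)
    return found


def make_demo_jar(directory):
    """Constructed jar containing only the manifest the post shows (demo data)."""
    path = os.path.join(directory, "e4j_extract", "demo.jar")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Main-Class: com.qihoo.wzws.rzb.single.AnalyzeSingle\r\n\r\n"
    )
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return path


def demo():
    """Drop the demo jar in a scratch directory and look it up the same way
    a scan of %Temp% would; returns the entry point that was recovered."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = make_demo_jar(tmp)
        return find_jars(tmp)[jar]


if __name__ == "__main__":
    import sys
    # Default to the Windows TEMP directory, falling back to the platform temp dir
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", tempfile.gettempdir())
    for path, main_class in find_jars(root).items():
        print(path, "->", main_class)
```

Run it with the temp directory as the only argument right after the failed launch; jars without a manifest show up with `None` as their entry point.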

Reverse

The manifest of the decompiled Jar reads as follows:

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven
Built-By: luoxiaolong
Build-Jdk: 1.7.0_71
Main-Class: com.qihoo.wzws.rzb.single.AnalyzeSingle

Locate the AnalyzeSingle class and look at its entry point:

...
public static void main(String[] args) throws SystemConfigException {
    System.out.println("");
    // Three-second pause before anything else happens
    for (int i = 3; i > 0; --i) {
        try {
            // Decompiler residue of Thread.currentThread().sleep(1000L); the static call below does the sleeping
            Thread.currentThread();
            Thread.sleep(1000L);
        } catch (InterruptedException var35) {
            var35.printStackTrace();
        }
    }
    long start = System.currentTimeMillis();
    // basePath is the install root: the working directory minus its last four characters (presumably "\bin")
    String binPath = (new File("")).getAbsolutePath();
    basePath = binPath.substring(0, binPath.length() - 4);
    System.out.println("运行前检查...");
...

Our goals are simple. The first is to find out how Xingtu analyzes logs. The second comes from the directory listing: there is a rules.ini file, and the name alone suggests it holds the detection rules, so decrypting those rules is our second goal.

String rules = basePath + File.separator + "conf" + File.separator + "rules.ini";
    |
File rulesFile = new File(rules);
    |
ValidateConfig.validateRuleConf(rules);
    |
public static void validateRuleConf(String rulePath) throws SystemConfigException {
    ConfigUtil.initRuleConf(rulePath);
}

From here the decryption of the configuration file can be located; the core function is:

public static void initRuleConf(String configPath) {
    File file = new File(configPath);
    // The ID "0001" selects the cipher used for rules.ini
    SignatureManager signatureManager = SignatureFactory.getSignature("0001");
    BufferedReader reader = null;
    try {
        reader = new BufferedReader(new InputStreamReader(new FileInputStream(file), "utf-8"));
        String line = null;
        // One rule per line: Base64 -> decrypt -> UTF-8 string; lines starting with '#' are comments
        while ((line = reader.readLine()) != null) {
            try {
                byte[] decryptData = signatureManager.decrypt(Base64.decodeBase64(line));
                String source = new String(decryptData, "utf-8");
                if (!source.startsWith("#")) {
                    rules.add(source);
                }
            } catch (Exception var16) {
                // A line that fails to decode or decrypt is logged and skipped, not fatal
                var16.printStackTrace();
            }
        }
        reader.close();
    } catch (IOException var17) {
        var17.printStackTrace();
    } finally {
        if (reader != null) {
            try {
                reader.close();
            } catch (IOException var15) {
                ;
            }
        }
    }
}

At this point the fastest way to decrypt is to call the tool's own decryption function directly and dump the result. The Java code for the direct call:

//by iswin
import com.qihoo.wzws.rzb.util.ConfigUtil;

public class Main {
    public static void main(String[] args) throws Exception {
        // Let the tool's own loader decrypt the file, then print the plaintext rules it collected
        ConfigUtil.initRuleConf("/Users/iswin/Downloads/rules.ini");
        for (String line : ConfigUtil.rules)
            System.out.println(line);
    }
}

The decrypted rules:

#by iswin
WebCruiser扫描:WCRTESTINPUT000000
Unknown扫描:z9v8|this_is_exist_on_this_server|XbzkCZSQcvPAHxIiqBno|/aaaa/bbbb/ccccc/${@phpinfo()}|
w3af扫描:ping+
WVS扫描:vulnweb.com|acunetix
360Webscan扫描:vul_webscan
安恒Web扫描:dbappsecurity|dbappsec|dbapp|"%d5'|%21(()%26%26%21%7c*%7c*%7c|(()))******
BashShellShock漏洞:() {|true <<EOF|decode_base64()|
SQL盲注攻击探测:and%20'1'='1|and%20'%25'='|%25'%20and%201=1|%20and%201=2|88888b'|88888a'|%20and%201=1|%20and%201=1%20and%20'%25'='|%20and%201=2%20and%20'%25'='|pg_sleep|benchmark(|sleep(|if(|shutdown|
敏感文件探测:access.log|install.php|phpinfo.php|/info.php|aaa.php|fckeditor/editor/filemanager/browser/default/browser.html|data/dvbbs8.mdb|extras/ipn_test_return.php|.svn/entries|extras/curltest.php?url=http://baike.baidu.com/robots.txt|pass.txt|password.txt|passwords.txt|users.txt|users.ini|admin.cfg|install.log|database.inc|common.inc|db.inc|connect.inc|conn.inc|sql.inc|.bash_history|.bashrc|Web.config|Global.asax|Global.asa|Global.asax.cs|test.asp|test.php|test.jsp|test.aspx|admin.asp|data.mdb|domcfg.nsf|names.nsf|log.nsf|domlog.nsf|
Struts2远程代码执行攻击:\u0023_memberAccess|xwork.MethodAccessor.denyMethodExecution|java.lang.Runtime|applicationScope
远程代码执行漏洞攻击:shell|%26dir%26|%7Cdir|%26dir|%3Bdir|%3Cdir|%00dir%00|allow_url_include|auto_prepend_file|php://input|%29%3B|cat%20|print%208|%5B%5D|
CSRF漏洞攻击探测:%0d%0a%20SomeCustomInjectedHeader%3Ainjected_by_wvs|%0a%20SomeCustomInjectedHeader%3Ainjected_by_wvs|
可疑文件访问:.asa|.asax|.bak|.BAK|.zip|.ZIP|.tar|.backup|.tmp|.temp|.save|.orig|.php~|.php~1|.java|.class|.vimrc|web.xml|hack%2Ephp|
文件包含漏洞攻击:http://some-inexistent-website.com|some_inexistent_file_with_long_name|../|cmd.exe|..\|.\|/etc|.../|boot.ini|%00|/etc/passwd|win.ini|%2e%2F|/environ|/proc|/hosts|bash_history|bashrc|config[root_dir]=|appserv_root=|path[docroot]=|GALLERY_BASEDIR=|_SERVER[DOCUMENT_ROOT]|_CONF[path]|mosConfig_absolute_path=|
LDAP漏洞攻击:!(%28%29&%26%21%7C*%7C%2A%7C|!(%28%29&%26%21%7C*|%2A%7C|
SQL注入攻击:%2527|%bf%27|%20and%201=1|%20and%201=2|'%20and%20'1'='1|%25'%20and%201=1%20and%20'%25'=|\x5C\x22|JyI%3D|%20anD%20|information_schema|%20from%20|SeLect*
异常HTTP请求探测:jsky_test.txt|TRACE_test|Jsky_test_no_exists_file.txt|
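To make the rules.ini format concrete without depending on the tool's jar, here is an added example (my own code, not the post's or Xingtu's) that reimplements the loading loop from initRuleConf and then splits each decrypted line into its category name and the `|`-separated patterns seen above. The actual cipher behind `SignatureFactory.getSignature("0001")` is not shown on the page, so `placeholder_decrypt` is an identity stand-in and the encoded file is constructed here; `load_rules` and `parse_rules` are names I chose. Two details of the original are preserved on purpose: the `#` comment test runs only after decryption, so comments are encrypted too, and a line that fails to decode is skipped rather than aborting the load.

```python
import base64


def placeholder_decrypt(data):
    """Stand-in for SignatureFactory.getSignature("0001").decrypt(): the real
    cipher is not on the page, so this demo treats the Base64 payload as
    plaintext. Swap in the real routine to process an actual rules.ini."""
    return data


def load_rules(lines, decrypt=placeholder_decrypt):
    """Mirror of ConfigUtil.initRuleConf: each line is Base64, the decoded bytes
    go through decrypt(), and the UTF-8 result is kept unless it starts with
    '#'. As in the original, a line that fails to decode is skipped, not fatal."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            plain = decrypt(base64.b64decode(line)).decode("utf-8")
        except Exception as exc:  # original: catch (Exception) { printStackTrace(); }
            print(f"skipping undecodable line: {exc!r}")
            continue
        if not plain.startswith("#"):
            rules.append(plain)
    return rules


def parse_rules(rule_lines):
    """Split 'name:p1|p2|...' into {name: [p1, p2, ...]}; empty patterns from a
    trailing '|' are dropped. Only the first ':' separates the name, so
    patterns such as 'http://...' keep their colon."""
    parsed = {}
    for line in rule_lines:
        name, sep, body = line.partition(":")
        if sep:
            parsed[name] = [p for p in body.split("|") if p]
    return parsed


# Constructed rules.ini (demo data): two rules copied from the decrypted output,
# a comment line, and one corrupt line whose payload is not valid UTF-8.
PLAIN_LINES = [
    "# comment line, dropped after decryption",
    "WVS扫描:vulnweb.com|acunetix",
    "敏感文件探测:phpinfo.php|.svn/entries|pass.txt|",
]
ENCODED_FILE = "\n".join(
    base64.b64encode(l.encode("utf-8")).decode("ascii") for l in PLAIN_LINES
) + "\n" + base64.b64encode(b"\xff\xfe").decode("ascii") + "\n"

DECODED = load_rules(ENCODED_FILE.splitlines())
PARSED = parse_rules(DECODED)

if __name__ == "__main__":
    for name, pats in PARSED.items():
        print(name, pats)
```

Because bad lines are silently dropped, a truncated or tampered rules.ini still loads "successfully" with fewer rules; when auditing a deployment, compare the number of loaded rules against the number of lines in the file.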

Detection Method

The main analysis happens in the following three classes:

RoutineAnalyze routine = new RoutineAnalyze();
AttackAnalyzeSingle attack = new AttackAnalyzeSingle();
CCAnalyzeSingle cc = new CCAnalyzeSingle();

What interests me most is how the attack analysis is done. The decrypted rules above already give a good idea, but code speaks louder, so let's keep reading the source. The attack analysis lives in the execute method of AttackAnalyzeSingle; the code is long, so I won't paste it, but the logic runs roughly as follows:

  1. Exclude static links
  2. Analyze links that carry parameters
  3. Analyze status codes
  4. Flag overlong links
  5. Analyze the User-Agent
  6. Match the rules from rules.ini with regular expressions
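The six steps above, carried through as one added example over constructed access-log lines. This is my own code, not the execute method of AttackAnalyzeSingle, and it makes a few assumptions the post does not state: which extensions count as static (step 1), a 1024-byte bound for "overlong" (step 4), a small list of scanner names checked in the User-Agent (step 5, three of them taken from the rule names), and that rules are matched against the request target, both raw and URL-decoded, because the decrypted rules mix encoded and plain forms. The rule strings are a subset of the decrypted output above. Each pattern is regex-escaped before use: entries such as `sleep(` or `if(` are not valid regular expressions on their own (an unclosed group fails to compile in both Python and java.util.regex), so whatever the tool does internally, literal matching is the safe way to reuse these rules.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Subset of the rule categories decrypted from rules.ini above (the strings are
# the tool's; only a few patterns per category are kept to stay short).
RULES = {
    "WVS扫描": ["vulnweb.com", "acunetix"],
    "敏感文件探测": ["phpinfo.php", ".svn/entries", "pass.txt", ".bash_history", "Web.config"],
    "文件包含漏洞攻击": ["../", "cmd.exe", "boot.ini", "%00", "/etc/passwd", "win.ini", "%2e%2F"],
    "SQL注入攻击": ["%2527", "%bf%27", "%20and%201=1", "%20and%201=2", "information_schema", "%20from%20"],
    "远程代码执行漏洞攻击": ["%7Cdir", "%3Bdir", "allow_url_include", "php://input", "cat%20"],
}

# Assumed, not from the post: static extensions (step 1), scanner names looked
# for in the User-Agent (step 5) and the request-target length bound (step 4).
STATIC_EXT = {".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".woff", ".svg"}
SCANNER_UA = ("acunetix", "w3af", "webcruiser", "nikto")
MAX_URL_LEN = 1024

# Combined Log Format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def compile_rules(rules):
    """One case-insensitive regex per category; every pattern is escaped so
    entries like 'sleep(' are matched literally instead of breaking compilation."""
    return {name: re.compile("|".join(map(re.escape, pats)), re.IGNORECASE)
            for name, pats in rules.items() if pats}


def analyze(log_text, rules, max_url_len=MAX_URL_LEN):
    """Return one finding per suspicious request, following the six steps."""
    compiled = compile_rules(rules)
    findings = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # unparseable line; a real tool would at least count these
        target, status, ua = m["target"], int(m["status"]), m["ua"]
        path = urlsplit(target).path
        # 1. static resources are dropped before any further checks
        if posixpath.splitext(path)[1].lower() in STATIC_EXT:
            continue
        reasons = []
        # 3. error status codes (probing typically leaves a trail of 4xx)
        if status >= 400:
            reasons.append(f"status_{status}")
        # 4. overlong request target
        if len(target) > max_url_len:
            reasons.append("overlong_url")
        # 5. known scanner name in the User-Agent
        if any(s in ua.lower() for s in SCANNER_UA):
            reasons.append("scanner_ua")
        # 2. + 6. requests with parameters are matched in full (raw and decoded);
        # requests without parameters only by path (catches sensitive-file probes)
        scan = target if "?" in target else path
        for name, rx in compiled.items():
            if rx.search(scan) or rx.search(unquote(scan)):
                reasons.append("rule:" + name)
        if reasons:
            findings.append({"ip": m["ip"], "target": target, "reasons": reasons})
    return findings


# Constructed sample log lines (demo data, not from the post).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0800] "GET /static/css/site.css HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2020:13:55:37 +0800] "GET /index.php?id=1%20and%201=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Oct/2020:13:55:38 +0800] "GET /admin.php?q=test HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Acunetix)"',
    '10.0.0.7 - - [10/Oct/2020:13:55:39 +0800] "GET /index.php?file=../../etc/passwd HTTP/1.1" 200 100 "-" "curl/7.68.0"',
    '10.0.0.8 - - [10/Oct/2020:13:55:40 +0800] "GET /phpinfo.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2020:13:55:41 +0800] "GET /search?q=' + "A" * 1100 + ' HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
])

FINDINGS = analyze(SAMPLE_LOG, RULES)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["ip"], f["target"][:60], f["reasons"])
```

On the sample, the static CSS request produces nothing, the encoded `and 1=1` probe hits the SQL injection rule, the Acunetix request is flagged on both its 404 and its User-Agent, the `../../etc/passwd` request hits the file-inclusion rule, the bare `/phpinfo.php` request is caught by the path-only match, and the 1100-byte query is flagged as overlong. Replace `RULES` with the full decrypted list (loaded through the tool's own decrypt routine) to get the tool's complete coverage.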