对学生机房管助手7.2的简单分析
最近发现学生机房管理助手更新了7.2版本,机房杀手 (电子教室终结者) 部分功能失效,故开始分析。
先在虚拟机中安装7.2版本,设置好后重启。解禁任务管理器,浏览进程列表,发现可疑进程。
经过比对,可以得出结论:这个可疑进程就是机房管理助手的 prozs.exe
先用 Exeinfo PE 查壳,得到以下信息
[ Linker 80 ] - MS Visual C# / Basic.NET - **IntelliLock v.1.5 - 2.8 ( .NET Reactor )** - www.eziriz.com ] - EP Token : 06000001
使用 NetReactorSlayer (Version 4.0.0.0) 进行脱壳。将脱壳后的文件载入 DnSpy32 (便于调试32位程序)。
在搜索程序集中键入关键字 Program Files,可以找到在 b2UvvUMZb 函数中有生成“随机”路径并将 prozs.exe 复制到该路径的相关语句。
// WindowsApplication1.Form1
// Token: 0x0600002D RID: 45 RVA: 0x00002D34 File Offset: 0x00000F34
// Decompiled, name-obfuscated event handler of WindowsApplication1.Form1 (object/EventArgs signature;
// the event it is wired to is not visible here — presumably a load/startup handler).
// What it does: hides the form, reads the `prozs` value of the Windows Run key, derives a
// date-dependent directory name under C:\Program Files\temp* plus a 4-character file name, and —
// unless it is already running from under C:\Program Files — copies prozs.exe there, starts the
// copy and ends the current process.
// The num / num2 / num8 bookkeeping, the IL_xx labels, ProjectData.ClearProjectError /
// CreateProjectError and the `@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], ...)` calls are the
// decompiler's (dnSpy / ICSharpCode.Decompiler) rendering of VB.NET `On Error Resume Next`; they are
// not valid C# and carry no logic of their own.
private void LD1NpDR6K(object \u0020, EventArgs \u0020) // both parameters are literally named U+0020 (name obfuscation)
{
int num8; // "resume at" state of the error-handling emulation
checked
{
int num2; // active error-handler selector (set to 1 below)
object obj2;
try
{
IL_00:
int num = 1; // current statement number; updated before every statement so a failure can resume after it
base.Hide(); // the form is hidden before anything else happens
IL_08:
ProjectData.ClearProjectError();
num2 = 1; // from here on errors are swallowed and execution resumes at the next statement
IL_0F:
num = 3;
object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("wscript.shell", "")); // late-bound WScript.Shell COM object, used only for RegRead
IL_28:
num = 4;
object obj = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "regread", new object[] { "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\prozs" }, null, null, null)); // 32-bit view of the HKLM Run key first
IL_51:
num = 5;
if (!Operators.ConditionalCompareObjectEqual(obj, "", false)) // non-empty value found -> skip the fallback read
{
goto IL_8B;
}
IL_62:
num = 6;
obj = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "regread", new object[] { "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\prozs" }, null, null, null)); // fallback: same Run-key value without WOW6432Node
IL_8B:
num = 7;
this.mvYW8NImi = Strings.Mid(Conversions.ToString(obj), 1, Strings.Len(RuntimeHelpers.GetObjectValue(obj)) - 10); // drops the last 10 characters; "\prozs.exe" is exactly 10 characters, so presumably this keeps the install directory of the Run-key command — confirm
IL_AF:
num = 8;
int num3 = DateAndTime.Month(DateAndTime.Now) + DateAndTime.Day(DateAndTime.Now); // month (1..12) + day-of-month (1..31) is the ONLY input to the "random" names, so they are predictable and repeat every year
IL_C8:
num = 9;
int num4 = num3 % 7; // 0..6
IL_D1:
num = 10;
int num5 = num3 % 9; // 0..8
IL_DB:
num = 11;
int num6 = num3 % 5; // 0..4
IL_E4:
num = 12;
if (num3 % 2 != 0) // odd sum -> second naming scheme
{
goto IL_134;
}
IL_ED:
num = 13;
string text = Conversions.ToString(Strings.Chr(97 + num4)) + Conversions.ToString(Strings.Chr(109 + num5)) + Conversions.ToString(Strings.Chr(101 + num6)) + Conversions.ToString(Strings.Chr(48 + num5)); // even sum: 'a'+num4, 'm'+num5, 'e'+num6, '0'+num5 (97/109/101/48 are the ASCII codes)
goto IL_179;
IL_134:
num = 15;
text = Conversions.ToString(Strings.Chr(103 + num5)) + Conversions.ToString(Strings.Chr(111 + num4)) + Conversions.ToString(Strings.Chr(107 + num6)) + Conversions.ToString(Strings.Chr(48 + num4)); // odd sum: 'g'+num5, 'o'+num4, 'k'+num6, '0'+num4
IL_179:
num = 16;
this.IBEPYMU3i = text; // base name of the relocated copy, without extension
IL_183:
num = 17;
this.fakt4AjXE = text + ".exe"; // file name of the relocated copy
IL_198:
num = 18;
string text2 = "C:\\Program Files\\temp" + Conversions.ToString(Strings.Chr(107 + num5)) + Conversions.ToString(Strings.Chr(101 + num4)) + Conversions.ToString(Strings.Chr(104 + num6)); // target directory: "C:\Program Files\temp" + 'k'+num5, 'e'+num4, 'h'+num6
IL_1D5:
num = 19;
if (Strings.InStr(Application.StartupPath, "C:\\Program Files", CompareMethod.Binary) != 0) // already running from under C:\Program Files (case-sensitive substring test) -> nothing to do
{
goto IL_25D;
}
IL_1EB:
num = 20;
this.Lp2LU6jK07().Visible = false; // hides some UI element; what Lp2LU6jK07() returns is not visible here
IL_1FA:
num = 21;
if (Directory.Exists(text2))
{
goto IL_211;
}
IL_206:
num = 22;
Directory.CreateDirectory(text2); // create the temp* directory on first run
IL_211:
num = 23;
FileSystem.FileCopy(Application.StartupPath + "\\prozs.exe", text2 + "\\" + this.fakt4AjXE); // copy the running prozs.exe under the derived name
IL_23C:
num = 24;
Process.Start(text2 + "\\" + this.fakt4AjXE); // launch the copy ...
ProjectData.EndApp(); // ... and terminate this instance
IL_25D:
goto IL_313; // normal exit
IL_262:
int num7 = unchecked(num8 + 1); // resume-next dispatch: continue at the statement after the one that failed
num8 = 0;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num7); // decompiler artifact (IL switch that was not lowered to C#)
IL_2D4:
goto IL_308;
IL_2D6:
num8 = num; // remember which statement raised
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num2); // decompiler artifact: dispatch on the active handler selector
IL_2E6:;
}
catch when (endfilter((obj2 is Exception) & (num2 != 0) & (num8 == 0))) // exception filter: any exception while a handler is active and no resume is pending
{
Exception ex = (Exception)obj3; // obj3 is not declared anywhere in the decompiled output (artifact)
goto IL_2D6;
}
}
IL_308:
throw ProjectData.CreateProjectError(-2146828237); // -2146828237 = 0x800A0033, VB runtime error 51 (internal error); reached only if the resume state is inconsistent
IL_313:
if (num8 != 0)
{
ProjectData.ClearProjectError();
}
}
将以上原始代码精炼后,得到生成“随机”文件名的代码段
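// Refined from the decompiled handler above: the "random" file and directory names are a
// pure function of month + day-of-month, so they take only a handful of values and repeat
// every year.
// Fixes relative to the raw refinement: `文件名` is declared once before the branch (a
// declaration is not a legal embedded statement of an unbraced `if`), both branches are
// braced, and `程序路径` is built from `程序目录` (the raw text referenced the decompiler's
// `text2`, which does not exist here).
int 月份与第几日之和 = DateAndTime.Month(DateAndTime.Now) + DateAndTime.Day(DateAndTime.Now); // 2..43
int num4 = 月份与第几日之和 % 7; // 0..6
int num5 = 月份与第几日之和 % 9; // 0..8
int num6 = 月份与第几日之和 % 5; // 0..4
string 文件名;
if (月份与第几日之和 % 2 == 0) // even sum: 'a'+num4, 'm'+num5, 'e'+num6, '0'+num5
{
    文件名 = Conversions.ToString(Strings.Chr(97 + num4)) + Conversions.ToString(Strings.Chr(109 + num5)) + Conversions.ToString(Strings.Chr(101 + num6)) + Conversions.ToString(Strings.Chr(48 + num5));
}
else // odd sum: 'g'+num5, 'o'+num4, 'k'+num6, '0'+num4
{
    文件名 = Conversions.ToString(Strings.Chr(103 + num5)) + Conversions.ToString(Strings.Chr(111 + num4)) + Conversions.ToString(Strings.Chr(107 + num6)) + Conversions.ToString(Strings.Chr(48 + num4));
}
// Target directory: "C:\Program Files\temp" + 'k'+num5, 'e'+num4, 'h'+num6
string 程序目录 = "C:\\Program Files\\temp" + Conversions.ToString(Strings.Chr(107 + num5)) + Conversions.ToString(Strings.Chr(101 + num4)) + Conversions.ToString(Strings.Chr(104 + num6));
// Full path of the relocated copy (the original appends ".exe" to the 4-character name)
string 程序路径 = 程序目录 + "\\" + 文件名 + ".exe";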