对学生机房管助手7.2的简单分析

最近发现学生机房管理助手更新了7.2版本,机房杀手 (电子教室终结者) 部分功能失效,故开始分析。

先在虚拟机中安装7.2版本,设置好后重启。解禁任务管理器,浏览进程列表,发现可疑进程。

image-2-1024x576.webp

经过比对,可以得出结论:这个可疑进程就是机房管理助手的 prozs.exe。


先用 Exeinfo PE 查壳,得到以下信息

[ Linker 80 ] - MS Visual C# / Basic.NET - **IntelliLock v.1.5 - 2.8 ( .NET Reactor )** - www.eziriz.com ] - EP Token : 06000001

使用 NetReactorSlayer (Version 4.0.0.0) 进行脱壳。将脱壳后的文件载入 DnSpy32 (便于调试32位程序)。

在搜索程序集中键入关键字 Program Files ,可以找到在 b2UvvUMZb 函数中有生成“随机”路径并将 prozs.exe 复制的相关语句。

// WindowsApplication1.Form1
// Token: 0x0600002D RID: 45 RVA: 0x00002D34 File Offset: 0x00000F34
/// <summary>
/// Raw decompiler output, left as-is. Judging by the <c>base.Hide()</c> call and the
/// <c>EventArgs</c> parameter this is a form event handler (presumably Load — not verifiable here).
/// What the visible code does: reads the <c>Run\prozs</c> autostart value from the registry,
/// derives a directory name and a file name from the current month + day, and — only when the
/// process is NOT already running from under <c>C:\Program Files</c> — copies <c>prozs.exe</c>
/// to that directory under the derived name, starts the copy and terminates itself.
/// Only the prefix <c>C:\Program Files\temp</c> and the registry value name are fixed; the
/// remaining characters of the path change with the date.
/// The <c>IL_xx:</c> labels, the <c>num = N</c> assignments and the <c>@switch</c>/<c>endfilter</c>
/// constructs are the decompiler's rendering of the VB.NET structured error-handling state
/// machine (On Error … Resume style); they are not compilable C# and carry no application logic.
/// </summary>
private void LD1NpDR6K(object \u0020, EventArgs \u0020)
{
    int num8;
    checked
    {
        int num2;
        object obj2;
        try
        {
            IL_00:
            // `num` appears to be the VB "current line" tracker used by Resume Next; it is
            // bumped before every statement below.
            int num = 1;
            // Hide the form itself.
            base.Hide();
            IL_08:
            ProjectData.ClearProjectError();
            num2 = 1;
            IL_0F:
            num = 3;
            // Late-bound WScript.Shell COM object, used below for its RegRead method.
            object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("wscript.shell", ""));
            IL_28:
            num = 4;
            // First try the WOW6432Node view of the Run key (the 32-bit view on 64-bit Windows).
            object obj = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "regread", new object[] { "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\prozs" }, null, null, null));
            IL_51:
            num = 5;
            // Empty result → fall back to the non-WOW6432Node path.
            if (!Operators.ConditionalCompareObjectEqual(obj, "", false))
            {
                goto IL_8B;
            }
            IL_62:
            num = 6;
            obj = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "regread", new object[] { "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\prozs" }, null, null, null));
            IL_8B:
            num = 7;
            // Stores the autostart value minus its last 10 characters. What those 10 characters
            // are cannot be seen from this listing — TODO confirm against the written value.
            this.mvYW8NImi = Strings.Mid(Conversions.ToString(obj), 1, Strings.Len(RuntimeHelpers.GetObjectValue(obj)) - 10);
            IL_AF:
            num = 8;
            // Everything below depends only on month + day, so the derived names are the same
            // on every machine on a given day and change from day to day — not random.
            int num3 = DateAndTime.Month(DateAndTime.Now) + DateAndTime.Day(DateAndTime.Now);
            IL_C8:
            num = 9;
            int num4 = num3 % 7;
            IL_D1:
            num = 10;
            int num5 = num3 % 9;
            IL_DB:
            num = 11;
            int num6 = num3 % 5;
            IL_E4:
            num = 12;
            // Odd sum → second character pattern (IL_134); even sum → the pattern right below.
            if (num3 % 2 != 0)
            {
                goto IL_134;
            }
            IL_ED:
            num = 13;
            // Even day: offsets from 'a', 'm', 'e', '0'. All results stay within ASCII.
            string text = Conversions.ToString(Strings.Chr(97 + num4)) + Conversions.ToString(Strings.Chr(109 + num5)) + Conversions.ToString(Strings.Chr(101 + num6)) + Conversions.ToString(Strings.Chr(48 + num5));
            goto IL_179;
            IL_134:
            num = 15;
            // Odd day: offsets from 'g', 'o', 'k', '0'.
            text = Conversions.ToString(Strings.Chr(103 + num5)) + Conversions.ToString(Strings.Chr(111 + num4)) + Conversions.ToString(Strings.Chr(107 + num6)) + Conversions.ToString(Strings.Chr(48 + num4));
            IL_179:
            num = 16;
            // Derived base name and the ".exe" file name, kept in fields for use elsewhere.
            this.IBEPYMU3i = text;
            IL_183:
            num = 17;
            this.fakt4AjXE = text + ".exe";
            IL_198:
            num = 18;
            // Target directory: fixed prefix plus three date-derived letters (offsets 'k', 'e', 'h').
            string text2 = "C:\\Program Files\\temp" + Conversions.ToString(Strings.Chr(107 + num5)) + Conversions.ToString(Strings.Chr(101 + num4)) + Conversions.ToString(Strings.Chr(104 + num6));
            IL_1D5:
            num = 19;
            // Already running from under C:\Program Files → skip the self-copy entirely
            // (IL_25D jumps to IL_313, i.e. the end of the method).
            if (Strings.InStr(Application.StartupPath, "C:\\Program Files", CompareMethod.Binary) != 0)
            {
                goto IL_25D;
            }
            IL_1EB:
            num = 20;
            // Hides whatever control Lp2LU6jK07() returns; its identity is not visible here.
            this.Lp2LU6jK07().Visible = false;
            IL_1FA:
            num = 21;
            if (Directory.Exists(text2))
            {
                goto IL_211;
            }
            IL_206:
            num = 22;
            Directory.CreateDirectory(text2);
            IL_211:
            num = 23;
            // Copy the prozs.exe sitting next to the running executable under the derived name.
            FileSystem.FileCopy(Application.StartupPath + "\\prozs.exe", text2 + "\\" + this.fakt4AjXE);
            IL_23C:
            num = 24;
            // Launch the copy, then terminate this process.
            Process.Start(text2 + "\\" + this.fakt4AjXE);
            ProjectData.EndApp();
            IL_25D:
            goto IL_313;
            // From here on: decompiler pseudo-code for the Resume state machine; the @switch
            // calls are placeholders emitted by ICSharpCode.Decompiler, not real method calls.
            IL_262:
            int num7 = unchecked(num8 + 1);
            num8 = 0;
            @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num7);
            IL_2D4:
            goto IL_308;
            IL_2D6:
            num8 = num;
            @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num2);
            IL_2E6:;
        }
        catch when (endfilter((obj2 is Exception) & (num2 != 0) & (num8 == 0)))
        {
            // `obj3` is declared nowhere in this listing — another decompiler artifact.
            Exception ex = (Exception)obj3;
            goto IL_2D6;
        }
    }
    IL_308:
    // Reached only through the error-handler labels above; raises a VB runtime error.
    throw ProjectData.CreateProjectError(-2146828237);
    IL_313:
    if (num8 != 0)
    {
        ProjectData.ClearProjectError();
    }
}

将以上原始代码精炼后,得到生成“随机”文件名与目录名的代码段

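/// <summary>
/// The file-name / path derivation condensed from <c>LD1NpDR6K</c>, rewritten as plain C# so it
/// no longer needs the Microsoft.VisualBasic runtime helpers, and with the date passed in as a
/// parameter so the result can be checked for any day rather than only "today".
/// Two slips in the condensed snippet are fixed here: <c>文件名</c> was declared inside the
/// <c>if</c>/<c>else</c> (a declaration is not a valid embedded statement in C#, and it would be
/// out of scope afterwards), and <c>程序路径</c> referred to the old name <c>text2</c> instead of
/// <c>程序目录</c>.
/// </summary>
public static class 程序路径生成
{
    /// <summary>
    /// Returns the full path <c>C:\Program Files\temp???\????.exe</c> that the original code
    /// derives for <paramref name="日期"/>.
    /// </summary>
    /// <param name="日期">The date to derive from; only <c>Month</c> and <c>Day</c> are used.</param>
    /// <returns>Directory plus file name, joined with a backslash, ending in <c>.exe</c>.</returns>
    public static string 计算(DateTime 日期)
    {
        // Only month + day feed the derivation, so the names repeat whenever that sum repeats
        // and are identical on every machine for a given day — "random" in name only.
        int 月份与第几日之和 = 日期.Month + 日期.Day;
        int num4 = 月份与第几日之和 % 7;
        int num5 = 月份与第几日之和 % 9;
        int num6 = 月份与第几日之和 % 5;

        // Strings.Chr(n) followed by Conversions.ToString is just (char)n here: every offset
        // stays inside the ASCII lower-case/digit range (largest value is 107 + 8 = 115).
        string 文件名 = 月份与第几日之和 % 2 == 0
            // even sum: offsets from 'a', 'm', 'e', '0'
            ? $"{(char)(97 + num4)}{(char)(109 + num5)}{(char)(101 + num6)}{(char)(48 + num5)}"
            // odd sum: offsets from 'g', 'o', 'k', '0'
            : $"{(char)(103 + num5)}{(char)(111 + num4)}{(char)(107 + num6)}{(char)(48 + num4)}";

        // Fixed prefix plus three date-derived letters (offsets from 'k', 'e', 'h').
        string 程序目录 = "C:\\Program Files\\temp" + (char)(107 + num5) + (char)(101 + num4) + (char)(104 + num6);
        string 程序路径 = 程序目录 + "\\" + 文件名 + ".exe";
        return 程序路径;
    }
}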

本文链接:

https://blog.nkxingxh.top/archives/104/