Simple Reverse - 0x17(2023 Lab - WinMalware - sub_140001030)

Description

Analyze what the function sub_140001030 in eductf-lab.exe does, and find the MITRE ATT&CK technique ID that corresponds to its behavior. Flag format: FLAG{T1234}

Background

Source code

  • sub_140001030
    :::spoiler IDA Source Code
    ```c
    int waitUntil20231118()
    {
      HANDLE Result; // rax
      HANDLE hTimer; // [rsp+30h] [rbp-38h]
      SYSTEMTIME SystemTime; // [rsp+38h] [rbp-30h] BYREF
      struct _FILETIME FileTime; // [rsp+48h] [rbp-20h] BYREF
      LARGE_INTEGER DueTime; // [rsp+50h] [rbp-18h] BYREF

      // Hard-coded target date: 2023-11-18 00:00:00 (wDayOfWeek 6 = Saturday)
      SystemTime.wYear = 2023;
      SystemTime.wMonth = 11;
      SystemTime.wDay = 18;
      SystemTime.wDayOfWeek = 6;
      SystemTime.wHour = 0;
      SystemTime.wMinute = 0;
      SystemTime.wSecond = 0;
      SystemTime.wMilliseconds = 0;
      // Convert the SYSTEMTIME to a FILETIME (100 ns intervals since 1601-01-01 UTC)
      LODWORD(Result) = SystemTimeToFileTime(&SystemTime, &FileTime);
      if ( Result )
      {
        // A positive DueTime is an absolute FILETIME, so the timer fires at that wall-clock date
        DueTime = FileTime;
        Result = CreateWaitableTimerW(0i64, 0, 0i64);
        hTimer = Result;
        if ( Result )
        {
          // Period 0 = one-shot timer, no completion routine
          LODWORD(Result) = SetWaitableTimer(Result, &DueTime, 0, 0i64, 0i64, 0);
          if ( Result )
            // Block indefinitely (INFINITE = 0xFFFFFFFF) until the timer is signaled
            LODWORD(Result) = WaitForSingleObject(hTimer, 0xFFFFFFFF);
        }
      }
      return Result;
    }
    ```
    :::

Recon

The attacker's full intent

  1. Set a time (2023/11/18 0:00:00)
  2. Create a waitable timer
  3. Set the waitable timer's due time to the time from step 1
  4. Start waiting

From the flow above it is obvious that the function keeps waiting until 11/18 before execution continues. The downside for students taking the course is that they cannot hand in the assignment, so this is a major difficulty for us: the binary must satisfy the time condition, waiting until 11/18, before it starts executing $\to$ Execution Guardrails
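As an added example (not part of the original writeup or the lab binary), the following Python replicates the SystemTimeToFileTime conversion the listing relies on and then scans a constructed API-call trace for SetWaitableTimer calls whose due time lies well beyond the analysis clock, which is how a sandbox or an analyst would flag this kind of time-based guardrail. The trace line format, the handle values, the sandbox clock and the one-hour stall threshold are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, millisecond=0):
    """Replicate SystemTimeToFileTime: SYSTEMTIME fields are taken as UTC,
    wDayOfWeek is ignored, result is a 64-bit tick count."""
    when = datetime(year, month, day, hour, minute, second, millisecond * 1000, tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(filetime):
    """Inverse conversion: FILETIME ticks back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def classify_due_time(due_time, now, stall_threshold=timedelta(hours=1)):
    """Interpret the LARGE_INTEGER handed to SetWaitableTimer.
    Positive values are absolute FILETIMEs (the case in the listing, which copies
    FileTime straight into DueTime); negative values are relative waits in 100 ns units.
    Returns (kind, fires_at, is_guardrail): is_guardrail is True when the timer would
    stall execution longer than stall_threshold measured from the analysis clock."""
    if due_time < 0:
        kind = "relative"
        fires_at = now + timedelta(microseconds=-due_time // 10)
    else:
        kind = "absolute"
        fires_at = filetime_to_datetime(due_time)
    return kind, fires_at, (fires_at - now) > stall_threshold


# Assumed trace format: "SetWaitableTimer(<handle>, DueTime=<int>, ...)". Real sandboxes
# each have their own log layout; adapt the pattern to the one in use.
SET_TIMER_RE = re.compile(r"SetWaitableTimer\(\s*(0x[0-9a-fA-F]+)\s*,\s*DueTime=(-?\d+)")


def find_timer_guardrails(trace_lines, now, stall_threshold=timedelta(hours=1)):
    """Scan API-trace lines and report waitable timers whose due time is far
    beyond 'now' (the sandbox clock), i.e. candidate time-based execution guardrails."""
    findings = []
    for line in trace_lines:
        match = SET_TIMER_RE.search(line)
        if not match:
            continue
        handle, due_time = match.group(1), int(match.group(2))
        kind, fires_at, is_guardrail = classify_due_time(due_time, now, stall_threshold)
        if is_guardrail:
            findings.append({
                "handle": handle,
                "kind": kind,
                "fires_at": fires_at.isoformat(),
                "stall": fires_at - now,
            })
    return findings


# Constructed sample trace modelled on the call sequence in the listing (not real sandbox output).
SAMPLE_TRACE = [
    "CreateWaitableTimerW(NULL, FALSE, NULL) -> 0x1a4",
    f"SetWaitableTimer(0x1a4, DueTime={systemtime_to_filetime(2023, 11, 18)}, Period=0, NULL, NULL, FALSE)",
    "WaitForSingleObject(0x1a4, INFINITE)",
    # A benign-looking 5 second relative wait for contrast (-50,000,000 ticks = 5 s)
    "SetWaitableTimer(0x1b0, DueTime=-50000000, Period=0, NULL, NULL, FALSE)",
]

# Assumed analysis clock: the sample is run on 2023-11-01, before the hard-coded date.
SANDBOX_CLOCK = datetime(2023, 11, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in find_timer_guardrails(SAMPLE_TRACE, SANDBOX_CLOCK):
        print(finding)
```

Because the listing passes the converted FILETIME directly, the due time is absolute: the timer fires at that wall-clock date regardless of how long the process has been running, so hooking or skipping Sleep() alone does not help, and an analysis environment has to advance its clock past 2023-11-18 (or patch the wait) to reach the code that follows.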

Exploit

In ATT&CK, under Defense Evasion: Execution Guardrails (T1480), we can see:

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Common conditions include: vulnerabilities, system language, time, hostname… Flag: FLAG{1480}