
Overview

In the previous article, 《以中國為目標的DinodasRAT Linux后門剖析及通信解密嘗試》 (Analysis of the China-targeting DinodasRAT Linux backdoor and an attempt at decrypting its communications), the author briefly analysed the functionality and communication packets of the DinodasRAT Linux backdoor and implemented a decryption attempt against its heartbeat packets.

Although the backdoor's communication packets can now be decrypted, the author believes the current understanding of the DinodasRAT Linux backdoor is still far from complete.

Therefore, in order to analyse the backdoor's attack activity further, the author intends to reproduce the DinodasRAT Linux backdoor's attack scenario, and the communication model the backdoor uses during that attack, from the following angles:

  • Attack scenario reproduction: reproduce the backdoor's remote-control attack scenario using a simulated DinodasRAT Linux controller program;
  • Key code analysis: review and analyse the key code related to the backdoor's communication model;
  • Communication model analysis: work out the communication model of each of the backdoor's remote-control commands;
  • Simulated DinodasRAT Linux controller: build a simulated controller program in order to interact with the backdoor.
Backdoor attack scenario reproduction

To reproduce the attack and exploitation scenario of the DinodasRAT Linux backdoor more faithfully, the author built a simulated DinodasRAT Linux controller program. It can now interact with the backdoor effectively; the runtime result is as follows:

A screenshot of the corresponding communication packets follows:

The operation flow is as follows:

  • Implant (controlled host) status before executing the UninstallMm command (self-uninstall)
  • Implant (controlled host) status after executing the UninstallMm command (self-uninstall)
  • Controller side:
F:\GolandProjects\awesomeProject5>awesomeProject5.exe
Server started. Listening on 0.0.0.0:80
請選擇需執(zhí)行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm
>help
********支持功能如下********
DirClass:查看目錄
DelDir:刪除目錄
EnumProcess:查看進程
DealExShell:執(zhí)行shell命令
UninstallMm:卸載自身
**************************
請選擇需執(zhí)行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm
>DealExShell
DealExShell指令-請輸入需執(zhí)行的shell命令:
>ifconfig
*******************DealExShell:ifconfig*******************
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.153.133  netmask 255.255.255.0  broadcast 192.168.153.255
        inet6 fe80::51d9:b9bf:4800:15b1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7a:63:b6  txqueuelen 1000  (Ethernet)
        RX packets 117418  bytes 10766685 (10.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 127228  bytes 56957898 (54.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 240 (240.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 240 (240.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
請選擇需執(zhí)行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm
>DirClass
DirClass指令-請輸入需查看的目錄路徑:
>/tmp/
*******************DirClass:/tmp/*******************
.X0-lock        1       11      2023-07-20 21:07:38     2
.XIM-unix       0       0       2023-07-20 21:07:37     2
systemd-private-07e721d8e32643438b178572cb153efe-colord.service-Oil9iv  0       0       2023-07-20 21:08:35     2
vmware-root_484-868851811       0       0       2023-07-20 21:07:38     2
.font-unix      0       0       2023-07-20 21:07:37     2
.xfsm-ICE-V8T571        1       398     2023-07-20 21:08:33     2
ssh-XXXXXXVA2uMv        0       0       2023-07-20 21:08:33     2
systemd-private-07e721d8e32643438b178572cb153efe-systemd-logind.service-3sTMOv  0       0       2023-07-20 21:07:38     2
systemd-private-07e721d8e32643438b178572cb153efe-haveged.service-hyFQUI 0       0       2023-07-20 21:07:37     2
systemd-private-07e721d8e32643438b178572cb153efe-upower.service-OpfV78  0       0       2023-07-20 21:08:34     2
.X11-unix       0       0       2024-05-06 02:04:10     2
systemd-private-07e721d8e32643438b178572cb153efe-ModemManager.service-r0SmEk    0       0       2023-07-20 21:07:38     2
VMwareDnD       0       0       2024-04-29 21:59:26     2
.ICE-unix       0       0       2023-07-20 21:08:33     2
請選擇需執(zhí)行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm
>EnumProcess
*******************EnumProcess:*******************
systemd         root    1
kthreadd                root    2
rcu_gp          root    3
rcu_par_gp              root    4
slub_flushwq            root    5
netns           root    6
kworker/0:0H-events_highpri             root    8
mm_percpu_wq            root    10
rcu_tasks_kthread               root    11
rcu_tasks_rude_kthread          root    12
rcu_tasks_trace_kthread         root    13
ksoftirqd/0             root    14
rcu_preempt             root    15
migration/0             root    16
cpuhp/0         root    18
cpuhp/1         root    19
migration/1             root    20
ksoftirqd/1             root    21
cpuhp/2         root    24
migration/2             root    25
ksoftirqd/2             root    26
kworker/2:0H-events_highpri             root    28
cpuhp/3         root    29
migration/3             root    30
ksoftirqd/3             root    31
kworker/3:0H-events_highpri             root    33
kdevtmpfs               root    38
inet_frag_wq            root    39
kauditd         root    40
khungtaskd              root    42
oom_reaper              root    43
writeback               root    44
kcompactd0              root    45
ksmd            root    46
khugepaged              root    47
kintegrityd             root    48
kblockd         root    49
blkcg_punt_bio          root    50
tpm_dev_wq              root    51
edac-poller             root    52
devfreq_wq              root    53
kworker/0:1H-kblockd            root    54
kswapd0         root    55
kthrotld                root    64
irq/24-pciehp           root    66
irq/25-pciehp           root    67
irq/26-pciehp           root    68
irq/27-pciehp           root    69
irq/28-pciehp           root    70
irq/29-pciehp           root    71
irq/30-pciehp           root    72
irq/31-pciehp           root    73
irq/32-pciehp           root    74
irq/33-pciehp           root    75
irq/34-pciehp           root    76
irq/35-pciehp           root    77
irq/36-pciehp           root    78
irq/37-pciehp           root    79
irq/38-pciehp           root    80
irq/39-pciehp           root    81
irq/40-pciehp           root    82
irq/41-pciehp           root    83
irq/42-pciehp           root    84
irq/43-pciehp           root    85
irq/44-pciehp           root    86
irq/45-pciehp           root    87
irq/46-pciehp           root    88
irq/47-pciehp           root    89
irq/48-pciehp           root    90
irq/49-pciehp           root    91
irq/50-pciehp           root    92
irq/51-pciehp           root    93
irq/52-pciehp           root    94
irq/53-pciehp           root    95
irq/54-pciehp           root    96
irq/55-pciehp           root    97
acpi_thermal_pm         root    98
xenbus_probe            root    99
mld             root    100
ipv6_addrconf           root    101
kstrp           root    106
zswap-shrink            root    111
kworker/u65:0-hci0              root    112
kworker/1:1H-kblockd            root    160
kworker/2:1H-kblockd            root    171
kworker/3:1H-kblockd            root    172
cryptd          root    181
ata_sff         root    182
scsi_eh_0               root    183
scsi_tmf_0              root    184
mpt_poll_0              root    185
scsi_eh_1               root    187
mpt/0           root    188
scsi_tmf_1              root    189
irq/16-vmwgfx           root    204
card0-crtc0             root    206
card0-crtc1             root    207
card0-crtc2             root    208
card0-crtc3             root    209
card0-crtc4             root    210
card0-crtc5             root    212
card0-crtc6             root    214
card0-crtc7             root    215
scsi_eh_2               root    268
scsi_tmf_2              root    269
kworker/1:2H-kblockd            root    278
jbd2/sda1-8             root    309
ext4-rsv-conver         root    310
systemd-journal         root    364
vmware-vmblock-         root    381
systemd-udevd           root    390
haveged         root    462
vmtoolsd                root    484
irq/56-vmw_vmci         root    588
irq/57-vmw_vmci         root    590
kworker/u65:2-hci0              root    668
dbus-daemon             message+        811
polkitd         polkitd 814
systemd-logind          root    816
rpciod          root    817
xprtiod         root    818
NetworkManager          root    819
cron            root    835
ModemManager            root    838
lightdm         root    858
Xorg            root    872
agetty          root    873
rtkit-daemon            rtkit   997
lightdm         root    1461
systemd /usr/lib/systemd/systemd        kali    1467
(sd-pam)                kali    1468
pipewire        /usr/bin/pipewire       kali    1483
wireplumber     /usr/bin/wireplumber    kali    1484
pipewire-pulse  /usr/bin/pipewire       kali    1485
dbus-daemon     /usr/bin/dbus-daemon    kali    1487
gnome-keyring-d /usr/bin/gnome-keyring-daemon   kali    1488
xfce4-session   /usr/bin/xfce4-session  kali    1498
ssh-agent               kali    1567
at-spi-bus-laun /usr/libexec/at-spi-bus-launcher        kali    1578
dbus-daemon     /usr/bin/dbus-daemon    kali    1585
at-spi2-registr /usr/libexec/at-spi2-registryd  kali    1596
gpg-agent               kali    1608
xfwm4   /usr/bin/xfwm4  kali    1610
gvfsd   /usr/libexec/gvfsd      kali    1614
gvfsd-fuse      /usr/libexec/gvfsd-fuse kali    1620
xfsettingsd     /usr/bin/xfsettingsd    kali    1635
upowerd         root    1639
xfce4-panel     /usr/bin/xfce4-panel    kali    1645
Thunar  /usr/bin/thunar kali    1650
xfdesktop       /usr/bin/xfdesktop      kali    1661
panel-1-whisker /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1665
panel-13-cpugra /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1670
xiccd   /usr/bin/xiccd  kali    1671
panel-14-systra /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1672
panel-15-genmon /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1676
xfce4-notifyd   /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd   kali    1678
panel-16-pulsea /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1686
colord          colord  1698
panel-17-notifi /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1701
nm-applet       /usr/bin/nm-applet      kali    1703
xcape   /usr/bin/xcape  kali    1708
panel-18-power- /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1711
light-locker    /usr/bin/light-locker   kali    1716
panel-22-action /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0       kali    1722
dconf-service   /usr/libexec/dconf-service      kali    1725
polkit-gnome-au /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1  kali    1727
xfce4-power-man /usr/bin/xfce4-power-manager    kali    1752
agent   /usr/libexec/geoclue-2.0/demos/agent    kali    1755
blueman-applet  /usr/bin/python3.11     kali    1782
vmtoolsd        /usr/bin/vmtoolsd       kali    1783
obexd   /usr/libexec/bluetooth/obexd    kali    2006
gvfs-udisks2-vo /usr/libexec/gvfs-udisks2-volume-monitor        kali    2019
udisksd         root    2023
gvfs-mtp-volume /usr/libexec/gvfs-mtp-volume-monitor    kali    2038
gvfs-afc-volume /usr/libexec/gvfs-afc-volume-monitor    kali    2043
gvfs-gphoto2-vo /usr/libexec/gvfs-gphoto2-volume-monitor        kali    2049
gvfs-goa-volume /usr/libexec/gvfs-goa-volume-monitor    kali    2054
gvfsd-trash     /usr/libexec/gvfsd-trash        kali    2068
gvfsd-metadata  /usr/libexec/gvfsd-metadata     kali    2074
qterminal       /usr/bin/qterminal      kali    2211
zsh     /usr/bin/zsh    kali    2214
linux_server64  /home/kali/Desktop/linux_server64       kali    6586
zsh     /usr/bin/zsh    kali    6611
kworker/3:2-mm_percpu_wq                root    666030
kworker/2:0-events              root    671000
kworker/1:1-mm_percpu_wq                root    676828
kworker/0:0-cgroup_destroy              root    687692
kworker/u64:0-flush-8:0         root    693826
kworker/2:1-mm_percpu_wq                root    696046
kworker/2:2-mpt_poll_0          root    698531
kworker/1:2-ata_sff             root    699316
kworker/u64:2-flush-8:0         root    699787
kworker/0:2-events              root    699926
kworker/u64:3-events_unbound            root    699928
kworker/3:0-cgroup_destroy              root    699936
tumblerd        /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd    kali    700635
kworker/1:0-ata_sff             root    702014
test    /home/kali/Desktop/test kali    702951
sh      /usr/bin/dash   kali    702959
test    /home/kali/Desktop/test kali    702960
請選擇需執(zhí)行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm
>UninstallMm
*******************UninstallMm:*******************
UninstallMm ok
F:\GolandProjects\awesomeProject5>

Key code analysis

Communication framework

In the "DinodasRAT communication decryption attempt" section of 《以中國為目標的DinodasRAT Linux后門剖析及通信解密嘗試》, the author analysed in detail how the DinodasRAT Linux backdoor encrypts and decrypts its communications, so the encryption and decryption technique is not described again here.

To get a quick understanding of the backdoor's communication logic, the author went through the decompiled code of the DinodasRAT Linux backdoor in detail and found that:

  • after it starts, the backdoor sends heartbeat messages in a loop;
  • after it starts, the backdoor receives control commands from the controller in a loop, and after successfully executing a remote-control command it returns the execution result.

The relevant code screenshots are as follows:

Screenshot of the backdoor's communication data receive function:

Screenshot of the backdoor's communication data send function:

遠控功能與遠控指令編號的對應關系梳理如下:

Function            Purpose                                         Command ID
DirClass            List directory                                  0x02
DelDir              Delete directory                                0x03
UpLoadFile          Upload file                                     0x05
StopDownLoadFile    Stop file upload                                0x06
DownLoadFile        Download file                                   0x08
StopDownFile        Stop file download                              0x09
DealChgIp           Change C&C address                              0x0E
CheckUserLogin      Check logged-in users                           0x0F
EnumProcess         Enumerate process list                          0x11
StopProcess         Terminate process                               0x12
EnumService         Enumerate services                              0x13
ControlService      Control service                                 0x14
DealExShell         Execute shell command                           0x18
DealProxy           Execute specified file                          0x1A
StartShell          Start shell                                     0x1B
ReRestartShell      Restart shell                                   0x1C
StopShell           Stop the currently running shell                0x1D
WriteShell          Write command into the current shell            0x1E
DealFile            Download and update the backdoor version        0x27
DealLocalProxy      Send "ok"                                       0x28
ConnectCtl          Control connection type                         0x2B
ProxyCtl            Control proxy type                              0x2C
Trans_mode          Set or get file transfer mode (TCP/UDP)         0x2D
UninstallMm         Uninstall itself                                0x2E
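The command loop described in the communication framework section and the command-ID table above together let an analyst reconstruct what a captured session did, once the traffic has been decrypted as the previous article describes. The following triage helper is an added example written for this page; it is not code from the article, from the author's simulated controller, or from the malware. It assumes each decrypted message is available as (direction, command ID, payload text); the command-ID table is the one above, while the column layouts of the EnumProcess and DirClass result payloads are inferred from the transcript earlier on the page and are assumptions, as is the list of "expected" executable directories used to spot an oddly placed process such as the implant at /home/kali/Desktop/linux_server64.

```python
"""Offline triage of a decrypted DinodasRAT Linux session (added example).

Assumes traffic has already been decrypted and split into (direction, command id,
payload) records. Command ids come from the article's table; payload layouts and
the 'expected directory' heuristic are assumptions made for this example.
"""
from dataclasses import dataclass

# Remote-control function -> command id mapping from the article's table.
COMMANDS = {
    0x02: "DirClass", 0x03: "DelDir", 0x05: "UpLoadFile", 0x06: "StopDownLoadFile",
    0x08: "DownLoadFile", 0x09: "StopDownFile", 0x0E: "DealChgIp", 0x0F: "CheckUserLogin",
    0x11: "EnumProcess", 0x12: "StopProcess", 0x13: "EnumService", 0x14: "ControlService",
    0x18: "DealExShell", 0x1A: "DealProxy", 0x1B: "StartShell", 0x1C: "ReRestartShell",
    0x1D: "StopShell", 0x1E: "WriteShell", 0x27: "DealFile", 0x28: "DealLocalProxy",
    0x2B: "ConnectCtl", 0x2C: "ProxyCtl", 0x2D: "Trans_mode", 0x2E: "UninstallMm",
}

# Analyst's grouping (assumption): commands that change C2, run code, proxy or self-remove
# deserve first attention during incident review.
HIGH_SIGNAL = {0x0E, 0x18, 0x1A, 0x1B, 0x1E, 0x27, 0x2E}

# Where a legitimate Linux process image normally lives (assumption, tune per environment).
EXPECTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/", "/snap/")


@dataclass
class Record:
    direction: str        # "c2->implant" or "implant->c2"
    cmd: int              # decrypted command id
    payload: str = ""     # decrypted payload text ("" when the command carries none)


def command_name(cmd: int) -> str:
    """Map a command id to its function name; unknown ids are kept visible, not dropped."""
    return COMMANDS.get(cmd, f"unknown(0x{cmd:02X})")


def parse_enum_process(text: str) -> list:
    """Parse EnumProcess output. Layout inferred from the transcript (assumption):
    'name user pid' for kernel threads, 'name path user pid' for user processes."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            name, path, user, pid = fields[0], None, fields[1], fields[2]
        elif len(fields) == 4:
            name, path, user, pid = fields
        else:
            continue  # blank line or a layout this parser does not recognise
        if not pid.isdigit():
            continue
        rows.append({"name": name, "path": path, "user": user, "pid": int(pid)})
    return rows


def parse_dir_class(text: str) -> list:
    """Parse DirClass output. Layout inferred from the transcript (assumption):
    name, two numeric fields, modification date, time, one trailing numeric field.
    The numeric fields are kept raw because the page does not name them."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6:
            continue
        rows.append({"name": f[0], "mtime": f"{f[3]} {f[4]}", "raw_fields": (f[1], f[2], f[5])})
    return rows


def triage(session: list) -> dict:
    """Build a readable timeline and pull out the findings an analyst wants first."""
    timeline, high_signal, unusual_paths = [], [], []
    for rec in session:
        name = command_name(rec.cmd)
        timeline.append(f"{rec.direction} {name}")
        if rec.direction == "c2->implant" and rec.cmd in HIGH_SIGNAL:
            high_signal.append(name)
        if rec.direction == "implant->c2" and rec.cmd == 0x11:
            for proc in parse_enum_process(rec.payload):
                if proc["path"] and not proc["path"].startswith(EXPECTED_PREFIXES):
                    unusual_paths.append(proc["path"])
    return {"timeline": timeline, "high_signal": high_signal,
            "unusual_paths": sorted(set(unusual_paths))}


# Constructed sample session mirroring the controller transcript on the page.
SAMPLE_PROCESS_LIST = "\n".join([
    "systemd\troot\t1",
    "dbus-daemon\t/usr/bin/dbus-daemon\tkali\t1487",
    "linux_server64\t/home/kali/Desktop/linux_server64\tkali\t6586",
    "zsh\t/usr/bin/zsh\tkali\t6611",
])
SAMPLE_SESSION = [
    Record("c2->implant", 0x18, "ifconfig"),
    Record("implant->c2", 0x18, "eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500"),
    Record("c2->implant", 0x11),
    Record("implant->c2", 0x11, SAMPLE_PROCESS_LIST),
    Record("c2->implant", 0x2E),
    Record("implant->c2", 0x2E, "ok"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_SESSION)
    print("\n".join(result["timeline"]))
    print("high-signal commands:", result["high_signal"])
    print("processes outside expected directories:", result["unusual_paths"])
```

Running the block on the constructed session lists DealExShell and UninstallMm as the commands to review first and surfaces /home/kali/Desktop/linux_server64 as the one process image outside the expected directories, which matches what the transcript on the page shows the operator seeing. Unknown command ids are rendered as unknown(0xNN) rather than skipped, so a sample using an id not in the table is still visible in the timeline.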
