GandCrab介绍
GandCrab是由一个十分猖狂的团队研发的勒索软件病毒,2018年开始活跃,一年内勒索了将近20亿美元。2019年可谓臭名远扬的勒索软件之王:GandCrab背后的运营团队在俄语论坛中发表官方声明称,GandCrab勒索病毒将停止更新。
为什么停止更新了呢?答案竟是,钱赚够了。然而这么猖狂的犯罪团伙,至今都没有被找到幕后团伙是谁。这就是GandCrab勒索软件的神奇传说。
今天分享就分析个去年写的GandCrab v4.0工具。
GandCrab勒索软件分析
白名单目录:
\ProgramData
\IETldCache\
\Boot
\Program Files
\Tor Browser
\All Users\
\Local Settings
\Windows\
白名单文件
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
KRAB-DECRYPT.html
KRAB-DECRYPT.txt
CRAB-DECRYPT.txt
ntldr
NTDETECT.COM
Bootfont.bin
加密特征
所有被加密文件的后缀都会被改为.KRAB。
密钥公开
FBI公布GandCrabv4.0原始RSA2048公钥链接:(需访问国外网站)
FBI公布的密钥
加密流程分析
解密GandCrab的流程图
GandCrab4.0解密工具
// SALSA20.cpp : 定义控制台应用程序的入口点。
//
#include<cryptopp/cryptlib.h>
#include<iostream>
#include<cryptopp/secblock.h> //包含SecByteBlock算法的头文件
#include<cryptopp/hex.h> //包含HexEncoder算法的头文件
#include<cryptopp/files.h> //包含FileSink算法的头文件
#include<cryptopp/osrng.h> //包含AutoSeededRandomPool算法的头文件
#include<cryptopp/salsa.h> //包含Salsa20算法的头文件
#include <Windows.h> //CRYPTO必须品
#include <WinCrypt.h> //CRYPTO必须品
#include "stdafx.h"
using namespace std;
using namespace CryptoPP;
void QueryRegister(BYTE*QUERYDATA);
BOOL RsaEncrypt(BYTE *pPublicKey, DWORD dwPublicKeyLength, BYTE *pData, DWORD &dwDataLength, DWORD dwBufferLength);
HCRYPTPROV RsaDecrypt1(BYTE *pPrivateKey, DWORD dwPrivateKeyLength, BYTE *pData, DWORD &dwDataLength);
void ShowError(char *pszText);
BOOL RsaDecrypt2(HCRYPTPROV hCryptProv,BYTE *pPrivateKey, DWORD dwPrivateKeyLength, BYTE *pData, DWORD &dwDataLength);
BYTE privatekey[] = {
//FBI公布的BLOB格式RSA2048私钥
0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x32, 0x00, 0x08, 0x00, 0x00
, 0x01, 0x00, 0x01, 0x00, 0xBB, 0xEF, 0x02, 0x46, 0x0B, 0x5E, 0x8C, 0x72, 0x8E, 0xA0, 0xA0, 0x31
, 0xAE, 0x95, 0x33, 0x82, 0xD6, 0x67, 0x89, 0x32, 0xB2, 0xED, 0x92, 0xA8, 0x16, 0x0A, 0xBC, 0x28
, 0xC1, 0x4D, 0x3E, 0x00, 0xA3, 0xDC, 0x48, 0x47, 0x3D, 0xE9, 0x9A, 0xC1, 0x31, 0xAE, 0x41, 0xC5
, 0xE8, 0x22, 0x70, 0x6A, 0x7F, 0x75, 0x98, 0x8F, 0xC6, 0xEB, 0xEE, 0x65, 0x9B, 0x1B, 0x96, 0xD3
, 0x4D, 0xAA, 0x3F, 0x75, 0x0B, 0xA5, 0x75, 0xE7, 0x71, 0xCD, 0x88, 0xA0, 0x77, 0xE0, 0xCB, 0x2F
, 0x33, 0xA2, 0x0D, 0xAB, 0xE4, 0xE3, 0x40, 0x82, 0x3F, 0xD9, 0x95, 0x50, 0xA4, 0x92, 0x56, 0xAA
, 0x77, 0x61, 0x05, 0x75, 0xF2, 0x25, 0x81, 0xDA, 0xA1, 0xBE, 0x30, 0xA7, 0xCB, 0xDA, 0x2B, 0xA3
, 0x9E, 0x85, 0xAB, 0x03, 0x8D, 0xBB, 0xD3, 0xF0, 0xBB, 0x9C, 0x71, 0x9A, 0xD4, 0x98, 0xCF, 0xC6
, 0xC2, 0xA8, 0x62, 0x84, 0x32, 0x85, 0x4C, 0x1B, 0x2C, 0xFF, 0xE4, 0xD8, 0xD9, 0xE5, 0x2A, 0xBB
, 0x18, 0x06, 0x08, 0x6A, 0xF4, 0xD8, 0xD1, 0x8D, 0x00, 0xE3, 0x41, 0xFC, 0xE7, 0xC5, 0x20, 0x25
, 0xD2, 0xDD, 0x47, 0xFF, 0x27, 0x09, 0x1F, 0x6D, 0x34, 0x6C, 0x8A, 0x0A, 0xEB, 0xAB, 0x13, 0x48
, 0x09, 0xF6, 0x24, 0x24, 0x98, 0x84, 0x22, 0xDD, 0xC1, 0xA1, 0x1C, 0x60, 0x63, 0x06, 0x71, 0xEE
, 0x00, 0x4A, 0x21, 0xBA, 0x1F, 0xAF, 0x4C, 0x03, 0xD2, 0xC7, 0x3F, 0xBA, 0x64, 0x39, 0x35, 0xB4
, 0x44, 0x0B, 0x17, 0x5F, 0xB5, 0x2C, 0x8C, 0x4E, 0xB2, 0xE6, 0x61, 0xB2, 0x23, 0x21, 0x4D, 0xAD
, 0xFB, 0xD4, 0x1D, 0x96, 0x4B, 0xA1, 0xFC, 0x7F, 0xBF, 0x98, 0x78, 0xBB, 0xD3, 0x72, 0xF1, 0xE3
, 0x46, 0x1F, 0x03, 0x4C, 0x05, 0x18, 0x96, 0xC1, 0x47, 0xC0, 0xA0, 0x6F, 0x17, 0x07, 0x11, 0x10
, 0x2B, 0x2D, 0xD4, 0xC8, 0x79, 0xBF, 0xB4, 0x83, 0x75, 0x3D, 0x68, 0x60, 0x33, 0xBB, 0xA4, 0x7A
, 0xC8, 0x52, 0x66, 0x2E, 0xE6, 0xFA, 0x44, 0x32, 0x4A, 0xAE, 0x06, 0xAB, 0x5A, 0x9F, 0xBE, 0x29
, 0x1D, 0x3D, 0xB8, 0xA6, 0xC0, 0xCA, 0x0B, 0x10, 0x38, 0xA4, 0x52, 0x27, 0xBA, 0x61, 0xAC, 0x0A
, 0x3B, 0x0E, 0x86, 0x8F, 0x7A, 0xAF, 0xBA, 0x89, 0x9D, 0x4A, 0x52, 0x33, 0x81, 0x74, 0x6B, 0xDE
, 0x61, 0x26, 0xA5, 0xB4, 0x53, 0xA5, 0x48, 0x47, 0x8E, 0xA8, 0xD7, 0x01, 0x08, 0xA5, 0xDF, 0xF2
, 0x06, 0xDD, 0xD5, 0x45, 0xDC, 0xF3, 0xE0, 0xAD, 0xCB, 0xFD, 0x1E, 0x55, 0x2C, 0x08, 0x63, 0xE2
, 0xF0, 0x5B, 0x39, 0x81, 0x75, 0x50, 0xFB, 0x5C, 0x7E, 0x36, 0x2C, 0x13, 0xBD, 0x8F, 0x6F, 0xE2
, 0xAE, 0xBC, 0xA3, 0x1D, 0x0D, 0x96, 0x2D, 0x91, 0x88, 0xE4, 0x8F, 0x39, 0xE0, 0x99, 0x71, 0x09
, 0xE0, 0xE3, 0x80, 0xEE, 0xD3, 0x57, 0xEF, 0x91, 0x53, 0x3C, 0x5D, 0x00, 0x30, 0x7C, 0x7B, 0x00
, 0x0D, 0x66, 0x28, 0x7E, 0xC9, 0xEA, 0x67, 0x18, 0xAE, 0xD2, 0xC2, 0xB6, 0x25, 0xDD, 0xA4, 0xB7
, 0x1D, 0x92, 0x7A, 0x53, 0xA1, 0xBB, 0xD3, 0xA2, 0x31, 0xF8, 0x2E, 0x49, 0x50, 0x6E, 0xF8, 0x8E
, 0x07, 0x86, 0x16, 0x01, 0x15, 0x47, 0x05, 0x2F, 0x89, 0xBA, 0xD5, 0xE4, 0x8C, 0x29, 0x61, 0xEB
, 0x6E, 0x72, 0x62, 0x47, 0x56, 0xF3, 0x96, 0x70, 0x5C, 0x70, 0xA3, 0x2E, 0x7F, 0x9F, 0x52, 0x66
, 0x54, 0xDD, 0xB2, 0xD0, 0x6A, 0xA8, 0xE0, 0x70, 0xE0, 0xF6, 0xE9, 0xEC, 0x8A, 0xAF, 0x67, 0x10
, 0x9B, 0x7F, 0xBA, 0x32, 0x4D, 0x33, 0xCA, 0xB3, 0xC4, 0x9B, 0xB6, 0x66, 0xDE, 0x62, 0x17, 0x21
, 0x20, 0x90, 0x0C, 0x37, 0x16, 0x50, 0x77, 0x98, 0xDA, 0x50, 0xE0, 0xF7, 0xB5, 0x84, 0xAB, 0x1C
, 0xFB, 0xC0, 0x8F, 0xD7, 0xF1, 0x11, 0x84, 0xE0, 0x8C, 0x1D, 0x57, 0xB0, 0x6D, 0x6E, 0x82, 0x96
, 0x1E, 0xCC, 0x78, 0xBD, 0x3B, 0xA9, 0xC3, 0x83, 0x7C, 0xD5, 0x3F, 0x8F, 0x93, 0xAD, 0xB7, 0x8A
, 0x45, 0x96, 0x21, 0xA6, 0xD5, 0x1D, 0x5D, 0xDC, 0x50, 0x3C, 0x39, 0x71, 0x53, 0xC1, 0x71, 0xE3
, 0x60, 0x42, 0x11, 0x07, 0x06, 0xC1, 0x01, 0xEE, 0x56, 0x5D, 0xED, 0xCA, 0x78, 0xD2, 0x4C, 0xC4
, 0xBE, 0x40, 0x35, 0x9B, 0x54, 0x27, 0x3E, 0x82, 0xE7, 0x48, 0x37, 0xCD, 0x72, 0x3A, 0x95, 0xF9
, 0x8E, 0x25, 0x70, 0x62, 0x98, 0x59, 0xD2, 0x9D, 0x71, 0x06, 0x74, 0xE3, 0x32, 0xA8, 0x1E, 0xB6
, 0xB6, 0x91, 0x64, 0xCD, 0xDC, 0x35, 0x42, 0x1C, 0xDA, 0x57, 0xCB, 0x1F, 0x12, 0x23, 0x21, 0x53
, 0xF4, 0xC6, 0xD5, 0x10, 0x13, 0x24, 0x6C, 0x82, 0x11, 0x63, 0x15, 0xB1, 0x78, 0x61, 0x4E, 0x6D
, 0x87, 0x69, 0xEA, 0x4D, 0xAB, 0xED, 0xF4, 0x2A, 0xB3, 0xB6, 0xE0, 0x6D, 0xDF, 0x20, 0x1F, 0x04
, 0xF4, 0x56, 0xCC, 0xC8, 0xD9, 0x4B, 0x32, 0x3F, 0x9E, 0x10, 0x54, 0xA4, 0xA5, 0xFF, 0xC5, 0x01
, 0x8E, 0xF3, 0x3C, 0x9F, 0xB1, 0x8B, 0x4D, 0xAE, 0x25, 0x94, 0x87, 0x80, 0x70, 0x18, 0xFA, 0xA8
, 0x45, 0xA4, 0x0D, 0xC5, 0xF2, 0xE3, 0x67, 0x08, 0xF8, 0x54, 0x30, 0xF6, 0x9E, 0x3A, 0x05, 0x39
, 0xE4, 0xE8, 0x72, 0x51, 0x47, 0x2F, 0x81, 0x41, 0xF2, 0xE3, 0xE9, 0xEE, 0x9F, 0x76, 0xA3, 0xBC
, 0x94, 0x08, 0xB5, 0x46, 0x11, 0x12, 0x13, 0xBA, 0x53, 0xB0, 0xB6, 0x67, 0xF0, 0xE5, 0x2E, 0x0A
, 0xCA, 0xB2, 0x57, 0x26, 0x2C, 0xCC, 0x2E, 0x19, 0x50, 0xDA, 0xD2, 0x4A, 0xBD, 0xDA, 0x69, 0xEC
, 0xA7, 0x01, 0xD7, 0x95, 0x98, 0x92, 0x49, 0xB4, 0xD6, 0x41, 0x09, 0x1A, 0x39, 0x04, 0x89, 0xD6
, 0xDA, 0xC2, 0x49, 0xB9, 0xDE, 0x98, 0xDB, 0x43, 0x51, 0x66, 0x80, 0x85, 0x6E, 0xA3, 0x11, 0x05
, 0x5B, 0x9F, 0xC3, 0x55, 0x77, 0x7B, 0xC9, 0xE0, 0x52, 0x9E, 0xCE, 0x0A, 0x08, 0xBC, 0x05, 0xE1
, 0xC0, 0xA7, 0x29, 0x3D, 0xB5, 0x2F, 0x8E, 0x3D, 0x84, 0xB8, 0xBD, 0xDF, 0x38, 0x49, 0x65, 0xB4
, 0x1F, 0xB0, 0xC2, 0xEE, 0x7B, 0x57, 0xFE, 0x39, 0x8D, 0x93, 0x12, 0x1E, 0xFB, 0x16, 0x7E, 0x2F
, 0xAF, 0x07, 0x60, 0x78, 0xD9, 0x72, 0x22, 0x53, 0x4C, 0xB4, 0x96, 0xB6, 0xFC, 0xA0, 0x51, 0x45
, 0x2C, 0x1C, 0x81, 0x34, 0x26, 0xE2, 0xA9, 0xF9, 0xA4, 0x20, 0x3F, 0x6B, 0x9B, 0xA4, 0xD8, 0x33
, 0x8C, 0xDC, 0x7F, 0x9D, 0x62, 0xCD, 0x0A, 0xFE, 0x17, 0x6C, 0xC4, 0xCB, 0x7D, 0x46, 0xD9, 0x68
, 0x29, 0x71, 0x9A, 0x7C, 0x8C, 0x3B, 0xCA, 0xCA, 0xA3, 0x62, 0x85, 0x95, 0x6F, 0x7D, 0xE8, 0xAC
, 0xEC, 0x71, 0x6D, 0xE2, 0x61, 0xBA, 0x75, 0x74, 0xCB, 0xE6, 0xBD, 0x80, 0x4D, 0x54, 0x6B, 0x32
, 0xC6, 0x89, 0x24, 0x49, 0x3B, 0xB2, 0xF2, 0x6F, 0xE4, 0xCF, 0x34, 0xDA, 0x19, 0x45, 0xBE, 0x0E
, 0x65, 0x10, 0x0A, 0x4A, 0x0D, 0xD2, 0xFA, 0x51, 0x1B, 0x9B, 0x1D, 0xCE, 0xE2, 0xA9, 0xC8, 0xC0
, 0xFF, 0xFC, 0x63, 0x8D, 0xDE, 0x9E, 0x08, 0xF4, 0xAB, 0x10, 0xCB, 0x30, 0x3C, 0xFE, 0x93, 0x37
, 0x68, 0xFD, 0x08, 0x10, 0x2F, 0x5B, 0x84, 0x28, 0xEB, 0x8F, 0xDC, 0xFB, 0xD8, 0xEC, 0xDB, 0x63
, 0xD5, 0xEF, 0xCB, 0xAC, 0x84, 0xEA, 0x30, 0x92, 0x86, 0xF8, 0xC0, 0x2A, 0x7D, 0xD2, 0x42, 0xB2
, 0x66, 0xC1, 0x0B, 0xB1, 0x88, 0xCF, 0xD7, 0x9A, 0x02, 0x60, 0xC9, 0x05, 0x04, 0x4F, 0x25, 0xB1
, 0x70, 0xBA, 0x8B, 0x96, 0xCE, 0xFF, 0xB0, 0x52, 0x19, 0x70, 0xCD, 0x6E, 0xF5, 0x73, 0xE2, 0x45
, 0x7F, 0x84, 0x23, 0x81, 0xDD, 0x8B, 0x2A, 0xC1, 0x4D, 0x88, 0x17, 0x8F, 0xCC, 0x13, 0x71, 0x11
, 0x0E, 0x13, 0x3A, 0xDB, 0x3A, 0xCD, 0x65, 0xE0, 0x32, 0x51, 0xFE, 0xBA, 0x04, 0x2E, 0x8B, 0x1A
, 0x2C, 0xF1, 0xC7, 0xF8, 0x31, 0x9B, 0xDA, 0x12, 0x9F, 0x60, 0x37, 0x17, 0x6E, 0x0B, 0x51, 0xCD
, 0x68, 0x1F, 0x0A, 0xE9, 0x5B, 0xC1, 0x4B, 0x23, 0x1D, 0xCB, 0x53, 0x4B, 0xC1, 0xB0, 0x7D, 0x7B
, 0xDC, 0x6A, 0x5F, 0x3B, 0xED, 0xD6, 0x48, 0xA8, 0xDB, 0xAB, 0xD9, 0xD4, 0x5D, 0x1F, 0x9C, 0xCA
, 0x6E, 0x83, 0x06, 0x5B, 0xAD, 0xB2, 0xBB, 0x5A, 0x7E, 0xB7, 0xF5, 0x48, 0xAE, 0xB9, 0x76, 0x06
, 0x79, 0xE5, 0x62, 0x07, 0xC7, 0x7E, 0x09, 0xC2, 0x1E, 0x45, 0x12, 0x35, 0xDA, 0x13, 0xC8, 0x77
, 0x7F, 0xE6, 0xFC, 0x1C, 0x4A, 0x24, 0xE6, 0x5C, 0x0A, 0xA0, 0xEF, 0x1C, 0x53, 0xA3, 0xBE, 0xDD
, 0xE7, 0x1D, 0xB1, 0xA3 };
BYTE mykey[] = {
0x3E, 0xEF, 0x1E, 0x4E, 0x0B, 0xC9, 0xD3, 0x92, 0xFA, 0xE3, 0xA7, 0xEF, 0xF5, 0xAF, 0x4F, 0xD4,
0x07, 0x4F, 0x61, 0x02, 0x5A, 0x96, 0xE8, 0x8D, 0xD9, 0xCC, 0x23, 0x80, 0xB2, 0xCF, 0x75, 0xBF };//不要用引号,那是字符
BYTE myiv[] = {
0xCB, 0x72, 0x42, 0x60, 0x86, 0x25, 0x0B, 0x91 };//不要用引号,那是字符
BYTE* salsa20A(string &cipher);
BYTE* salsa20B(string cipher, BYTE * filebuffer, DWORD FileSize,HANDLE hFile);
BYTE SALSA20KEY2[32] = {
0 }; //存放解密出来的salsa20key,该密钥用于加密随机生成的RSA私钥
BYTE SALSA20IV2[8] = {
0 }; //存放解密出来的salsa20iv
BYTE RSA2048PRIVATE[1172] = {
0 };
//BYTE Filebuffer[1000000] = { 0 }; //997KB 全局变量定义一百万数组已经是极限,或者局部变量用堆定义new int[1000000];
BYTE SALSA20KEYFINAL[32] = {
0 }; //存放解密出来的加密文件的salsa20key
BYTE SALSA20IVFINAL[8] = {
0 }; //存放解密出来的加密文件的salsa20iv
int main()
{
int i = 0;
BYTE QUERYDATA[1688] = {
0 };
BYTE SALSA20KEY[256] = {
0 };
BYTE SALSA20IV[256] = {
0 };
//进程会自己退出并删除,也没有自启动项,无需删除
//1.读取注册表 HKEY_CURRENT_USER\Software\keys_data\data内容
QueryRegister(QUERYDATA);
printf("被rsa2048加密的salsa20key:\n");
for (i = 4; i < 260; i++) //取4h到104h共100字节内容
{
printf("%x", QUERYDATA[i]);
SALSA20KEY[i-4] = QUERYDATA[i];
}
printf("\n被rsa2048加密的salsa20iv:\n");
for (i = 260; i < 516; i++) //取104h到204h共100字节内容
{
printf("%x", QUERYDATA[i]);
SALSA20IV[i - 260] = QUERYDATA[i];
}
printf("\n被salsa20加密的randomrsa2048privatekey:\n");
for (i = 516; i < 1688; i++) //取剩余字节内容为RSA私钥
{
printf("%x", QUERYDATA[i]);
RSA2048PRIVATE[i - 516] = QUERYDATA[i];
}
//2.利用RSA公钥解密salsa20的密钥
DWORD dwDataLength = MAX_PATH; //其实本来有108字节,但是iv生成时有前8字节被iv覆盖掉,所以总共是208字节。但这样并不影响解密
DWORD privatesize = sizeof(privatekey);
HCRYPTPROV hCryptProv1, hCryptProv2;
hCryptProv1 = RsaDecrypt1(privatekey, privatesize, SALSA20KEY, dwDataLength);
printf("\n解密出slasa20key:\n");
for (i = 0; i < 32; i++) //存储20字节key
{
printf("%x", SALSA20KEY[i]);
SALSA20KEY2[i] = SALSA20KEY[i]; //从这里取出salsa20key。。。。。。。。。。。。。。。。。。。。。。。。。。
}
DWORD dwDataLength2 = MAX_PATH; //这里必须重新定义一次,因为解密salsa20key以后dwDataLength变了
hCryptProv2=RsaDecrypt1(privatekey, privatesize, SALSA20IV, dwDataLength2);
printf("\n解密出slasa20IV:\n");
for (i = 0; i < 8; i++) //存储8字节iv
{
printf("%x", SALSA20IV[i]);
SALSA20IV2[i] = SALSA20IV[i]; //从这里取出salsa20iv。。。。。。。。。。。。。。。。。。。。。。。。。。。。
}
//3.利用salsa20的密钥解密出随机申请的RSA私钥
string cipher;
BYTE *KEY;
KEY = salsa20A(cipher);
BYTE RANDOMRSAKEY[sizeof(RSA2048PRIVATE)] = {
0 };
printf("\n解密出的随机生成的RSA公钥:\n");
for (i = 0; i < sizeof(RSA2048PRIVATE); i++) //存储8字节iv
{
printf("%x", *(KEY+i));
RANDOMRSAKEY[i] = *(KEY + i);
}
//4.全盘文件遍历,判断文件后缀是否为.KARB,这是文件感染的标志
//封装处,下面5.6步均需写入到文件遍历判断成功后
//5.读取每个文件末尾处后200字节内容,解密出加密每个文件用的不同salsa20密钥,删除同目录下的txt文件
BYTE bufferreadkey[256] = {
0 }; //读取末尾208字节,其中前100字节可以解密出SALSA20KEY
BYTE bufferreadiv[264] = {
0 }; //后108字节可以解密出SALSA20IV
DWORD NumberOfBytesRead = 0x80;
HANDLE hfile = CreateFile(L"C:\\example.KRAB", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
DWORD FileSizeHigh;
SetFilePointer(hfile, -264, 0, FILE_END);
ReadFile(hfile, bufferreadiv, sizeof(bufferreadiv), &NumberOfBytesRead, 0);
SetFilePointer(hfile, -520, 0, FILE_END);
ReadFile(hfile, bufferreadkey, sizeof(bufferreadkey), &NumberOfBytesRead, 0);
dwDataLength = MAX_PATH;
RsaDecrypt2(hCryptProv1,RANDOMRSAKEY, sizeof(RANDOMRSAKEY), bufferreadkey, dwDataLength);
printf("\n解密出slasa20key:\n");
for (i = 0; i < 32; i++) //存储20字节key
{
printf("%x", bufferreadkey[i]);
SALSA20KEYFINAL[i] = bufferreadkey[i];
}
dwDataLength = MAX_PATH; //必须重定义
RsaDecrypt2(hCryptProv2,RANDOMRSAKEY, sizeof(RANDOMRSAKEY), bufferreadiv, dwDataLength);
printf("\n解密出slasa20iv:\n");
for (i = 0; i < 8; i++) //存储20字节key
{
printf("%x", bufferreadiv[i]);
SALSA20IVFINAL[i] = bufferreadiv[i];
}
//6.用salsa20密钥解密出原文件内容,删除文件的KRAB后缀,删除后面208个字节
DWORD FileSize;
FileSize = GetFileSize(hfile, &FileSizeHigh);
DWORD RealFileSize = FileSize - 520;
BYTE * filebuffer = new BYTE[FileSize];//申请大空间
HANDLE hFile = CreateFile(L"C:\\Gandcrab4.clean", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
// while (TOTALDECRYPT < FileSize)//不能循环解密,不是从头开始的解密结果都是错的,第二次调用就是错的
// {
SetFilePointer(hfile, 0, 0, FILE_BEGIN);
ReadFile(hfile, filebuffer, RealFileSize, &NumberOfBytesRead, 0);//这个时候读取的全部文件的buffer
string cipher2;
BYTE *KEY2 = NULL;
KEY2 = salsa20B(cipher2, filebuffer, RealFileSize,hFile);
// };
printf("\n解密示例完毕!");
CloseHandle(hFile);
CloseHandle(hfile);
getchar();
return 0;
}
void QueryRegister(BYTE *QUERYDATA)
{
HKEY hKey;
long lRet;
if (lRet = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\keys_data\\data", 0, KEY_WRITE | KEY_QUERY_VALUE, &hKey))
{
printf("%d\n", GetLastError());
printf("未发现GandCrabv4.0感染!!是否继续?");
}
else
printf("主机已被GandCrabv4.0感染!!\n");
//if (lRet = RegSetValueEx(hKey, L"private", 0, REG_BINARY, (BYTE *)value, sizeof(value)))
// printf("%d", GetLastError()); //自己添加注册表
DWORD cbData = 1688;
DWORD dwFlag = RegQueryValueEx(hKey, L"private", 0, 0, QUERYDATA, &cbData);
RegCloseKey(hKey);
}
HCRYPTPROV RsaDecrypt1(BYTE *pPrivateKey, DWORD dwPrivateKeyLength, BYTE *pData, DWORD &dwDataLength)
{
BOOL bRet = TRUE;
HCRYPTPROV hCryptProv = NULL;
HCRYPTKEY hCryptKey = NULL;
do
{
if (!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
{
DWORD lassErr = GetLastError();
cout << endl << hex << lassErr << endl;
if (lassErr == NTE_BAD_KEYSET)
{
if (!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_VERIFYCONTEXT))
{
DWORD lassErr = GetLastError();
cout << hex << lassErr << endl;
exit(0);
}
else{
cout << "yes2" << endl;
}
}
else{
cout << "非 NTE_BAD_KEYSET 错误" << endl;
exit(0);
}
}
else{
cout << "yes1" << endl;
}
//导入私钥
bRet = CryptImportKey(hCryptProv, pPrivateKey, dwPrivateKeyLength, NULL, 0, &hCryptKey);
if (FALSE == bRet)
{
ShowError("CryptImportKey");
break;
}
//解密数据
bRet = CryptDecrypt(hCryptKey, NULL, TRUE, 0, pData, &dwDataLength);
if (FALSE == bRet)
{
ShowError("CryptDecrypt");
break;
}
} while (FALSE);
//释放相关句柄
if (hCryptKey)
{
CryptDestroyKey(hCryptKey);
}
return hCryptProv;
}
BOOL RsaDecrypt2(HCRYPTPROV hCryptProv,BYTE *pPrivateKey, DWORD dwPrivateKeyLength, BYTE *pData, DWORD &dwDataLength)
{
BOOL bRet = TRUE;
HCRYPTKEY hCryptKey = NULL;
//导入私钥
bRet = CryptImportKey(hCryptProv, pPrivateKey, dwPrivateKeyLength, NULL, 0, &hCryptKey);
if (FALSE == bRet)
{
ShowError("CryptImportKey");
}
//解密数据
bRet = CryptDecrypt(hCryptKey, NULL, NULL, NULL, pData, &dwDataLength);
if (FALSE == bRet)
{
ShowError("CryptDecrypt");
printf("here is wrong!");
}
if (hCryptKey)
CryptDestroyKey(hCryptKey);
if (hCryptProv)
{
CryptReleaseContext(hCryptProv, 0);
}
return bRet;
}
void ShowError(char *pszText)
{
char szErr[MAX_PATH] = {
0 };
printf("%s ERROR [%x]", pszText, GetLastError());
}
BYTE* salsa20A(string &cipher)
{
//Salsa20的密钥(Key)长度和初始化向量IV大小(单位:字节)
Salsa20::Encryption enc;//定义加密对象
Salsa20::Decryption dec;//定义解密对象
//将得到字符以十六进制的形式输出至屏幕(cout)
HexEncoder hexcoder(new FileSink(cout));
//plain待加密的明文 //cipher加密后的密文
SecByteBlock mykey1(SALSA20KEY2, sizeof(SALSA20KEY2));
SecByteBlock myiv1(SALSA20IV2, sizeof(SALSA20IV2));
enc.SetKeyWithIV(mykey1, mykey1.size(), myiv1);
dec.SetKeyWithIV(mykey1, mykey1.size(), myiv1);
cipher.resize(sizeof(RSA2048PRIVATE));//分配存储空间
dec.ProcessData((BYTE*)&cipher[0], RSA2048PRIVATE, sizeof(RSA2048PRIVATE));
return (BYTE*)cipher.c_str();
}
BYTE* salsa20B(string cipher, BYTE * filebuffer, DWORD FileSize,HANDLE hFile)
{
//Salsa20的密钥(Key)长度和初始化向量IV大小(单位:字节)
Salsa20::Encryption enc;//定义加密对象
Salsa20::Decryption dec;//定义解密对象
//将得到字符以十六进制的形式输出至屏幕(cout)
HexEncoder hexcoder(new FileSink(cout));
//plain待加密的明文 //cipher加密后的密文
SecByteBlock mykey1(SALSA20KEYFINAL, sizeof(SALSA20KEYFINAL));
SecByteBlock myiv1(SALSA20IVFINAL, sizeof(SALSA20IVFINAL));
enc.SetKeyWithIV(mykey1, mykey1.size(), myiv1);
dec.SetKeyWithIV(mykey1, mykey1.size(), myiv1);
//unsigned char * cipher = (unsigned char *)malloc(FileSize);
cipher.resize(FileSize);//分配存储空间
dec.ProcessData((CryptoPP::byte*)&cipher[0], (CryptoPP::byte*)filebuffer, FileSize);//这个函数解密的大小是有限定的,不能通过动态分配数组,直接解密全部文件大小的buffer
DWORD NumberOfBytesRead = 0x80;
SetFilePointer(hFile, 0, 0, FILE_END);
WriteFile(hFile, (CryptoPP::byte*)cipher.c_str(), FileSize, &NumberOfBytesRead, 0);
//输出解密后的明文字符串(十六进制)
/*
cout << "\n解密出的原始文件:\n" << endl;
hexcoder.Put((CryptoPP::byte*)cipher.c_str(), FileSize);
hexcoder.MessageEnd();
cout << endl;
*/
return (BYTE*)cipher.c_str();
}
是不是感动哭了?
参考文献
https://www.fortinet.com/blog/threat-research/gandcrab-v4-0-analysis–new-shell–same-old-menace.html